Active Directory Structure and Storage Technologies: Active Directory
Note
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the
directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to
Active Directory Domain Services.
Domains can be structured in a forest to provide data and service autonomy (but not isolation) and to optimize replication within a given region. This separation of
logical and physical structures improves manageability and reduces administrative costs because the logical structure is not affected by changes in the physical
structure. The logical structure also makes it possible to control access to data. This means that you can use the logical structure to compartmentalize data so that
you can control access to it by controlling access to the various compartments.
The data that is stored in Active Directory can come from many diverse sources. With so many different data sources and so many different types of data,
Active Directory must employ some type of standardized storage mechanism so that it can maintain the integrity of the data that it stores. In Active Directory,
objects are used to store information in the directory, and all objects are defined in the schema. The object definitions contain information, such as data type and
syntax, that the directory uses to ensure that the stored data is valid. No data can be stored in the directory unless the objects that are used to store the data are
first defined in the schema. The default schema contains all the object definitions that Active Directory needs to function; however, you can also add object
definitions to the schema.
While the directory is exposed to you through a logical structure that consists of elements such as domains and forests, the directory itself is implemented through a
physical structure that consists of a database that is stored on all domain controllers in a forest. The Active Directory data store handles all access to the database.
The data store consists of both services and physical files. These services and physical files make the directory available, and they manage the processes of reading
and writing the data inside the database that exists on the hard disk of each domain controller.
https://technet.microsoft.com/enus/library/cc759186(d=printer,v=ws.10).aspx
6/19/2015
Lightweight Directory Access Protocol (LDAP)
Replication (REPL) and domain controller management interface
Messaging API (MAPI)
Security Accounts Manager (SAM)
Three service components:
Directory System Agent (DSA)
The database layer
Extensible Storage Engine (ESE)
The directory database where the data is actually stored
The following figure illustrates the relationships of these components in the data store architecture.
Data Store Architecture
Component / Description
Forest
A forest is the highest level of the logical structure hierarchy. An Active Directory forest represents a single self-contained directory. A forest is a
security boundary, which means that administrators in a forest have complete control over all access to information that is stored inside the forest
and to the domain controllers that are used to implement the forest.
Domain
Domains partition the information that is stored inside the directory into smaller portions so that the information can be more easily stored on
various domain controllers and so that administrators have a greater degree of control over replication. Data that is stored in the directory is
replicated throughout the forest from one domain controller to another. Some data that is relevant to the entire forest is replicated to all domain
controllers. Other data that is relevant only to a specific domain is replicated only to domain controllers in that particular domain. A good domain
design makes it possible to implement an efficient replication topology. This is important because it enables administrators to manage the flow of
data across the network, that is, to control how much data is replicated and where that replication traffic takes place.
OU
OUs provide a means for administrators to group resources, such as user accounts or computer accounts, so that the resources can be managed
as one unit. This makes it much easier to apply Group Policy to multiple computers or to control the access of many users to a single resource.
OUs also make it easier to delegate control over resources to various administrators.
Active Directory/DNS
Component / Description
Locator
Locator, which is implemented in the Net Logon service, enables a client to locate a domain controller. Locator contains
Internet Protocol (IP)/DNS-compatible and Windows NT 4.0-compatible locators, which provide interoperability in a mixed Active
Directory environment.
Active Directory domain names in DNS
Every Active Directory domain has a DNS domain name (for example, cohovineyard.com), and every domain-joined computer has a
DNS name (for example, server1.cohovineyard.com). Architecturally, domains and computers are represented both as objects in
Active Directory and as nodes in DNS.
Active Directory DNS objects
When DNS data is stored in Active Directory, each DNS zone is an Active Directory container object (class dnsZone). The dnsZone
object contains a DNS node object (class dnsNode) for every unique name in that zone. The dnsNode object has a dnsRecord
multivalued attribute that contains a value for every resource record that is associated with that DNS name.
For more information about DNS support for Active Directory, see DNS Support for Active Directory Technical Reference.
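As an added example (not code from the original article), the following Python parser decodes the binary values of the dnsRecord attribute described above. The field layout is the DNS_RPC_RECORD structure from the MS-DNSP specification, which the page itself does not spell out; the sample records and the audit checks are constructed here for illustration.

```python
import struct
import ipaddress
# One dnsRecord value is a DNS_RPC_RECORD (MS-DNSP): DataLength, Type, Version, Rank,
# Flags, Serial little-endian; TtlSeconds big-endian; then Reserved and TimeStamp
# (hours since 1601, 0 = static record). Layout from the spec, not from this page.
FIXED = "<HHBBHL"
FIXED_LEN = struct.calcsize(FIXED)       # 12 bytes
HEADER_LEN = FIXED_LEN + 12              # plus TTL, Reserved, TimeStamp
RANK_ZONE = 0xF0                         # authoritative zone data
TYPE_ZERO, TYPE_A, TYPE_AAAA = 0, 1, 28  # TYPE_ZERO marks a tombstoned record
def build_dns_record(rtype, data, ttl=3600, serial=1, rank=RANK_ZONE, timestamp=0):
    # Encode a value; used here only to construct sample input.
    return (struct.pack(FIXED, len(data), rtype, 5, rank, 0, serial)
            + struct.pack(">L", ttl) + struct.pack("<LL", 0, timestamp) + data)
def parse_dns_record(value):
    """Decode one dnsRecord value into a dict; unknown types keep their raw data."""
    if len(value) < HEADER_LEN:
        raise ValueError("dnsRecord value shorter than its fixed header")
    length, rtype, version, rank, _flags, serial = struct.unpack_from(FIXED, value, 0)
    ttl = struct.unpack_from(">L", value, FIXED_LEN)[0]
    timestamp = struct.unpack_from("<L", value, FIXED_LEN + 8)[0]
    data = value[HEADER_LEN:HEADER_LEN + length]
    if len(data) != length or version != 5:
        raise ValueError("truncated record or unexpected DNS_RPC_RECORD version")
    rec = {"type": rtype, "rank": rank, "ttl": ttl, "serial": serial, "data": data.hex(),
           "static": timestamp == 0, "tombstoned": rtype == TYPE_ZERO}
    if rtype == TYPE_A and length == 4:
        rec["data"] = str(ipaddress.IPv4Address(data))
    elif rtype == TYPE_AAAA and length == 16:
        rec["data"] = str(ipaddress.IPv6Address(data))
    elif rtype == TYPE_ZERO:
        rec["data"] = None               # payload is only the deletion timestamp
    return rec
def audit_dns_node(values):
    # Flag records on one dnsNode that a DNS administrator would want to review.
    findings = []
    for rec in map(parse_dns_record, values):
        if not rec["static"]:
            findings.append("dynamically registered (aging applies)")
        if rec["rank"] != RANK_ZONE:
            findings.append(f"non-zone rank 0x{rec['rank']:02x}")
        if rec["tombstoned"]:
            findings.append("tombstoned (deleted) record")
    return findings
SAMPLE_NODE = [  # constructed sample: a static A record, a dynamic AAAA record, a tombstone
    build_dns_record(TYPE_A, bytes([10, 0, 0, 5]), serial=12),
    build_dns_record(TYPE_AAAA, ipaddress.IPv6Address("2001:db8::5").packed, timestamp=3650000),
    build_dns_record(TYPE_ZERO, b"\x00" * 8),
]
```

In a real environment the values come from the dnsRecord attribute of dnsNode objects under the zone's dnsZone container; feed each raw value to parse_dns_record.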
Component / Description
classSchema
objects
classSchema objects are object definitions that are stored in the schema, and they are used to define classes. classSchema objects define
groups of attributes that have something in common. For example, an object that is used to store a user account needs to store the user's
logon name, first name, last name, and password. It is possible to create a user class that has a logon name attribute, a first name attribute, a
last name attribute, and a password attribute. Anytime a new user account is created, the directory uses the user class as the definition, and
every user account object that is created uses those attributes. classSchema objects can be nested to create more complex objects.
attributeSchema
objects
attributeSchema objects define the individual attributes of a single object. For example, a user account object has a number of attributes that
are used to store and define various pieces of data that are related to a user account, such as a logon name attribute and a password
attribute. Each of these attributes also has its own attributes that specify the type of data that it stores, the syntax of the data that it stores,
and whether or not the attribute is required or optional. The directory service uses attributeSchema objects to store data and verify that the
stored data is valid.
Component / Description
Interfaces
LDAP, REPL,
MAPI, SAM
The data store interfaces provide a way for directory clients and other directory servers to communicate with the data store.
DSA
Ntdsa.dll
The DSA, which runs as Ntdsa.dll on each domain controller, provides the interfaces through which directory clients and other directory servers
gain access to the directory database. In addition, the DSA enforces directory semantics, maintains the schema, guarantees object identity, and
enforces data types on attributes.
Database
layer
The database layer is an application programming interface (API) that resides in Ntdsa.dll and provides an interface between applications and the
directory database to protect the database from direct interaction with applications. Calls from applications are never made directly to the
database; they go through the database layer. In addition, because the directory database is flat (with no hierarchical namespace), the
database layer provides the database with an abstraction of an object hierarchy.
ESE
Esent.dll
The ESE, which runs as Esent.dll, communicates directly with individual records in the directory database on the basis of an object's relative
distinguished name attribute.
Database
files
The data store stores directory information in a single database file. In addition, the data store also uses log files, to which it temporarily writes
uncommitted transactions.
2015 Microsoft