
6/19/2015

Active Directory Structure and Storage Technologies: Active Directory

Active Directory Structure and Storage Technologies


Updated: November 19, 2014
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Administrators use Active Directory to store and organize objects on a network (such as users, computers, devices, and so on) into a secure hierarchical containment structure that is known as the logical structure. Although the logical structure of Active Directory is a hierarchical organization of all users, computers, and other physical resources, the forest and domain form the basis of the logical structure. Forests, which are the security boundaries of the logical structure, can be structured to provide data and service autonomy and isolation in an organization in ways that can both reflect site and group identities and remove dependencies on the physical topology.

Note
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to Active Directory Domain Services.

Domains can be structured in a forest to provide data and service autonomy (but not isolation) and to optimize replication within a given region. This separation of logical and physical structures improves manageability and reduces administrative costs because the logical structure is not affected by changes in the physical structure. The logical structure also makes it possible to control access to data. This means that you can use the logical structure to compartmentalize data so that you can control access to it by controlling access to the various compartments.

The data that is stored in Active Directory can come from many diverse sources. With so many different data sources and so many different types of data, Active Directory must employ some type of standardized storage mechanism so that it can maintain the integrity of the data that it stores. In Active Directory, objects are used to store information in the directory, and all objects are defined in the schema. The object definitions contain information, such as data type and syntax, that the directory uses to ensure that the stored data is valid. No data can be stored in the directory unless the objects that are used to store the data are first defined in the schema. The default schema contains all the object definitions that Active Directory needs to function; however, you can also add object definitions to the schema.

While the directory is exposed to you through a logical structure that consists of elements such as domains and forests, the directory itself is implemented through a physical structure that consists of a database that is stored on all domain controllers in a forest. The Active Directory data store handles all access to the database. The data store consists of both services and physical files. These services and physical files make the directory available, and they manage the processes of reading and writing the data inside the database that exists on the hard disk of each domain controller.

Active Directory Structure and Storage Architecture


The Active Directory structure and storage architecture consists of four parts:
- Active Directory domains and forests. Forests, domains, and organizational units (OUs) make up the core elements of the Active Directory logical structure. A forest defines a single directory and represents a security boundary. Forests contain domains.
- Domain Name System (DNS) support for Active Directory. DNS provides a name resolution service for domain controller location and a hierarchical design that Active Directory can use to provide a naming convention that can reflect organizational structure.
- Schema. The schema provides object definitions that are used to create the objects that are stored in the directory.
- Data store. The data store is the portion of the directory that manages the storage and retrieval of data on each domain controller.
The following figure illustrates the Active Directory data structure and storage architecture.
[Figure: Active Directory Data Structure and Storage Architecture]

https://technet.microsoft.com/enus/library/cc759186(d=printer,v=ws.10).aspx


Active Directory Domains and Forests


Domains partition the directory into smaller sections within a single forest. This partitioning results in more control over how data is replicated so that an efficient replication topology can be established and network bandwidth is not wasted by replicating data where it is not required. OUs make it possible to group resources in a domain for management purposes, such as applying Group Policy or delegating control to administrators.
The following figure illustrates the relationships of OUs, domains, and forests in the logical structure architecture.
[Figure: Logical Structure Architecture]

DNS Support for Active Directory


Active Directory uses DNS as its domain controller location mechanism. When any of the principal Active Directory operations, such as authentication, updating, or searching, is performed, domain-joined computers use DNS to locate Active Directory domain controllers, and these domain controllers use DNS to locate each other. For example, when a network user with an Active Directory user account logs on to an Active Directory domain, the user's computer uses DNS to locate a domain controller for the Active Directory domain to which the user wants to log on.
To log on to a network that consists of an Active Directory forest, a client workstation must first be able to locate a nearby domain controller. The domain controller is necessary for initial authentication of both the workstation and the user and for subsequent authorization of the user for the files and resources to which the user needs access. The support that is provided to Active Directory by DNS enables a client workstation to locate a domain controller.

Active Directory Schema


The Active Directory schema contains definitions for all the objects that are used to store information in the directory. There is one schema per forest. However, a copy of the schema exists on every domain controller in the forest. This way, every domain controller has quick access to any object definition that it might need, and every domain controller uses the same definition when it creates a given object. The data store relies on the schema to provide object definitions, and the data store uses those definitions to enforce data integrity. The result is that all objects are created uniformly, and it does not matter which domain controller creates or modifies an object because all domain controllers use the same object definition.
The following figure illustrates the relationship of the schema to the data store in the schema architecture.
[Figure: Schema Architecture]

Active Directory Data Store


The Active Directory data store is made up of several components that together provide directory services to directory clients. These components include the following:
- Four interfaces:
  - Lightweight Directory Access Protocol (LDAP)
  - Replication (REPL) and domain controller management interface
  - Messaging API (MAPI)
  - Security Accounts Manager (SAM)
- Three service components:
  - Directory System Agent (DSA)
  - The database layer
  - Extensible Storage Engine (ESE)
- The directory database, where the data is actually stored

The following figure illustrates the relationships of these components in the data store architecture.
[Figure: Data Store Architecture]

Active Directory Structure and Storage Components


You can define some components for structure and storage in Active Directory, while others are defined by the system and cannot be modified.
- Forests, domains, and OUs are components that constitute the logical structure of Active Directory. You define them during the installation of Active Directory.
- DNS support for Active Directory includes components that are used to locate domain controllers and that use DNS naming schemes. Each domain in a forest must adhere to DNS naming schemes, and domains are organized in a root and subordinate domain hierarchy.
- The schema is a single component that exists inside the directory. The schema contains definitions of the objects that are used to store information in the directory. These object definitions include two primary components: classSchema objects and attributeSchema objects.
- The data store consists of three layers of components. The first layer provides the interfaces that clients need to access the directory. The second layer provides the services that perform the operations that are associated with reading data from and writing data to the directory database. The third layer is the database itself, which exists as a single file on the hard disk of each domain controller.

Active Directory Domains and Forests


The logical structure of Active Directory is a hierarchical structure of Active Directory domains and OUs in a forest. The relationships of the components in the logical structure control access to stored data, and they control how information is replicated between the various domain controllers in the forest. The main components of the Active Directory logical structure are described in the following table.
Domain and Forest Components

Forest: A forest is the highest level of the logical structure hierarchy. An Active Directory forest represents a single self-contained directory. A forest is a security boundary, which means that administrators in a forest have complete control over all access to information that is stored inside the forest and to the domain controllers that are used to implement the forest.

Domain: Domains partition the information that is stored inside the directory into smaller portions so that the information can be more easily stored on various domain controllers and so that administrators have a greater degree of control over replication. Data that is stored in the directory is replicated throughout the forest from one domain controller to another. Some data that is relevant to the entire forest is replicated to all domain controllers. Other data that is relevant only to a specific domain is replicated only to domain controllers in that particular domain. A good domain design makes it possible to implement an efficient replication topology. This is important because it enables administrators to manage the flow of data across the network, that is, to control how much data is replicated and where that replication traffic takes place.

OU: OUs provide a means for administrators to group resources, such as user accounts or computer accounts, so that the resources can be managed as one unit. This makes it much easier to apply Group Policy to multiple computers or to control the access of many users to a single resource. OUs also make it easier to delegate control over resources to various administrators.

DNS Support for Active Directory


In Active Directory, DNS is the means by which directory clients locate, or discover, domain controllers. The primary components of the architecture for DNS support of Active Directory include the domain controller Locator, Active Directory domain names in DNS, and Active Directory DNS objects.
The following table describes the Active Directory components that help directory clients locate nearby domain controllers.
Active Directory DNS Support Components

Locator: Locator, which is implemented in the Net Logon service, enables a client to locate a domain controller. Locator contains Internet Protocol (IP)/DNS-compatible and Windows NT 4.0-compatible locators, which provide interoperability in a mixed Active Directory environment.

Active Directory domain names in DNS: Every Active Directory domain has a DNS domain name (for example, cohovineyard.com), and every domain-joined computer has a DNS name (for example, server1.cohovineyard.com). Architecturally, domains and computers are represented both as objects in Active Directory and as nodes in DNS.

Active Directory DNS objects: When DNS data is stored in Active Directory, each DNS zone is an Active Directory container (object class dnsZone). The dnsZone object contains a DNS node (object class dnsNode) for every unique name in that zone. The dnsNode object has a dnsRecord multivalued attribute that contains a value for every resource record that is associated with that DNS name.

For more information about DNS support for Active Directory, see DNS Support for Active Directory Technical Reference.
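As an added illustration (not code from this page or from Microsoft) of what the Locator actually asks DNS for: domain-joined clients query SRV records under the domain's _msdcs subdomain (the well-known _ldap._tcp.dc._msdcs.<domain> name, which the page itself does not spell out), and each answer carries a domain controller's priority, weight, LDAP port and host name. The wire format is standard DNS; the two-DC response for cohovineyard.com is constructed for the example.

```python
import struct
SRV = 33  # DNS RR type for SRV records

def dc_locator_name(domain, site=None):
    # Name the Net Logon Locator queries (well-known _msdcs convention, not stated on the page)
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}" if site else f"_ldap._tcp.dc._msdcs.{domain}"

def encode_name(name):  # DNS wire format: length-prefixed labels ended by a zero byte
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def build_srv_query(name, txid=0x1234):
    # Header (id, flags=RD, qdcount=1) + QNAME + QTYPE=SRV + QCLASS=IN: what a client sends to UDP/53
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", SRV, 1)

def read_name(msg, off):
    # Decode a name at `off`, following compression pointers; returns (name, offset after it)
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end or off)

def parse_srv_answers(msg):
    # Return (priority, weight, port, target) for each SRV answer, lowest priority first
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    recs = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!3H", msg[off:off + 6])
            recs.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return sorted(recs)

def sample_response():
    # Constructed answer: two DCs for the page's example domain, LDAP on port 389
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + build_srv_query(dc_locator_name("cohovineyard.com"))[12:]
    for prio, weight, host in ((0, 100, "dc1"), (10, 50, "dc2")):
        rdata = struct.pack("!3H", prio, weight, 389) + encode_name(f"{host}.cohovineyard.com")
        msg += b"\xC0\x0C" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata  # owner name = pointer to QNAME
    return msg
```

A client that cannot resolve this name, or that receives no SRV answers, cannot find a domain controller at all, which is why the DNS zone that holds these records is part of the logon path and worth monitoring.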

Active Directory Schema


Everything that is stored in Active Directory is stored in an object. A definition for every type of object is stored in the schema. The definitions themselves consist of two types of objects: class objects and attribute objects. Classes define groups of attributes that are used to describe common objects. New object definitions are created by combining various class objects and attribute objects to make new combinations that contain the necessary attributes to meet the storage requirements of the new object type. The two main types of object definitions that are stored in the Active Directory schema are described in the following table.
Schema Components

classSchema objects: classSchema objects are object definitions that are stored in the schema, and they are used to define classes. classSchema objects define groups of attributes that have something in common. For example, an object that is used to store a user account needs to store the user's logon name, first name, last name, and password. It is possible to create a user class that has a logon name attribute, a first name attribute, a last name attribute, and a password attribute. Anytime a new user account is created, the directory uses the user class as the definition, and every user account object that is created uses those attributes. classSchema objects can be nested to create more complex objects.

attributeSchema objects: attributeSchema objects define the individual attributes of a single object. For example, a user account object has a number of attributes that are used to store and define various pieces of data that are related to a user account, such as a logon name attribute and a password attribute. Each of these attributes also has its own attributes that specify the type of data that it stores, the syntax of the data that it stores, and whether or not the attribute is required or optional. The directory service uses attributeSchema objects to store data and verify that the stored data is valid.
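As an added example (not Microsoft's code and not on the original page), here is a minimal model of the validation the schema sections describe: classSchema entries carry the mandatory and optional attributes of a class and inherit them through subClassOf (the nesting mentioned above), attributeSchema entries carry each attribute's syntax and whether it is single-valued, and an object is accepted only if it fits those definitions. The lDAPDisplayNames are real Active Directory names; which class carries which attribute, and the syntax checks, are constructed simplifications.

```python
# Added example: a simplified model of schema-driven validation, not Microsoft's code.
# Class/attribute names mirror real AD lDAPDisplayNames; the assignment of attributes
# to classes and the syntax checks below are constructed for illustration.

SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')  # characters not allowed in a sAMAccountName

# attributeSchema: lDAPDisplayName -> (syntax check, isSingleValued)
ATTRIBUTE_SCHEMA = {
    "cn": (lambda v: isinstance(v, str) and 0 < len(v) <= 64, True),
    "givenName": (lambda v: isinstance(v, str) and len(v) <= 64, True),
    "sAMAccountName": (lambda v: isinstance(v, str) and 0 < len(v) <= 20
                       and not set(v) & SAM_FORBIDDEN, True),
    "unicodePwd": (lambda v: isinstance(v, bytes), True),
}

# classSchema: lDAPDisplayName -> (subClassOf, mustContain, mayContain)
CLASS_SCHEMA = {
    "top": (None, set(), set()),
    "person": ("top", {"cn"}, set()),
    "organizationalPerson": ("person", set(), {"givenName"}),
    "user": ("organizationalPerson", {"sAMAccountName"}, {"unicodePwd"}),
}

def effective_definition(cls):
    """Accumulate must/may sets up the subClassOf chain; returns (must, allowed)."""
    must, may = set(), set()
    while cls is not None:
        parent, m, o = CLASS_SCHEMA[cls]
        must, may, cls = must | m, may | o, parent
    return must, must | may

def validate(object_class, attrs):
    """Return the list of schema violations; an empty list means the object is accepted."""
    if object_class not in CLASS_SCHEMA:
        return [f"class {object_class!r} is not defined in the schema"]
    must, allowed = effective_definition(object_class)
    errors = [f"missing mandatory attribute {a!r}" for a in sorted(must - set(attrs))]
    for name, values in attrs.items():
        if name not in ATTRIBUTE_SCHEMA:
            errors.append(f"attribute {name!r} is not defined in the schema")
        elif name not in allowed:
            errors.append(f"attribute {name!r} is not permitted on class {object_class!r}")
        else:
            check, single = ATTRIBUTE_SCHEMA[name]
            values = values if isinstance(values, list) else [values]
            if single and len(values) > 1:
                errors.append(f"attribute {name!r} is single-valued")
            errors += [f"attribute {name!r}: value {v!r} violates syntax"
                       for v in values if not check(v)]
    return errors
```

Because every domain controller holds the same copy of these definitions, the same object is rejected or accepted identically regardless of which domain controller processes the write.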

Active Directory Data Store


The Active Directory data store is implemented on every domain controller in the forest. The data store consists of components that store and retrieve data inside the directory. The components of the Active Directory data store are described in the following table.
Data Store Components

Interfaces (LDAP, REPL, MAPI, SAM): The data store interfaces provide a way for directory clients and other directory servers to communicate with the data store.

DSA (Ntdsa.dll): The DSA (which runs as Ntdsa.dll on each domain controller) provides the interfaces through which directory clients and other directory servers gain access to the directory database. In addition, the DSA enforces directory semantics, maintains the schema, guarantees object identity, and enforces data types on attributes.

Database layer: The database layer is an application programming interface (API) that resides in Ntdsa.dll and provides an interface between applications and the directory database to protect the database from direct interaction with applications. Calls from applications are never made directly to the database; they go through the database layer. In addition, because the directory database is flat (with no hierarchical namespace), the database layer provides the database with an abstraction of an object hierarchy.

ESE (Esent.dll): The ESE (which runs as Esent.dll) communicates directly with individual records in the directory database on the basis of an object's relative distinguished name attribute.

Database files: The data store stores directory information in a single database file. In addition, the data store also uses log files, to which it temporarily writes uncommitted transactions.

© 2015 Microsoft
