
Active Directory - Database, Schema

Knowledge Base Questions & Answers

What are AD (Active Directory) Partitions?


- AD Partitions define how and where AD information is logically stored.
- AD database is divided into four partitions:
o Schema
o Configuration
o Domain
o Application
- Each AD Partition is a unit of replication and has its own replication topology.
- At least two directory partitions are shared by all DCs (Domain Controllers) in the same forest:
the schema and configuration partitions.
- All DCs in the same domain additionally share a domain partition.

What is Schema Partition?


- Schema Partition contains definitions of all objects and attributes which can be created in the
directory.
- Only one Schema Partition exists per forest.
- Schema Partition replicates to all DCs in a forest.

What is Configuration Partition?


- Configuration Partition stores forest-wide configuration information about AD, such as sites,
site links, subnets, etc.
- There is one Configuration Partition per forest.
- Configuration Partition replicates to all DCs in the forest.

What is Domain Partition?


- Domain Partition stores the information of the domain, which includes users, computers,
groups, OUs (Organizational Units), printers, etc.
- There is one Domain Partition in each domain in the forest.
- Domain Partition replicates to all DCs within the domain.

What is Application Partition?


- An Application Partition is typically created by an application that uses AD to store and
replicate its data.
- It typically contains DNS (Domain Name System) zone objects and dynamic data from other
network services such as DHCP (Dynamic Host Configuration Protocol) and RAS (Remote Access
Service).
- Application Partition cannot contain security principal objects such as users, groups, and
computers.
- It is not stored in the GC (Global Catalogue).
- The replication topology for an Application Partition is generated by the KCC (Knowledge Consistency
Checker).
- To prevent unnecessary replication of a specific Application Partition, administrators can decide
which DCs in the forest host it.
- By default, no Application Partition exists, but one can be created and managed manually with
the ntdsutil utility.
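
As an added example (not part of the original Q&A), the following PowerShell shows the partitions described in the first answer and the application partitions described here: which naming contexts the local DC replicates, which DCs were chosen to host each application partition (recorded on the crossRef objects under CN=Partitions), and the per-DC partition list. It uses the ActiveDirectory module cmdlets Get-ADRootDSE, Get-ADObject and Get-ADDomainController and assumes a domain-joined host with RSAT and read access to the configuration partition.

```powershell
# Added example, not from the original page: list the AD partitions a DC holds and
# which DCs in the forest host each application partition.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# The three partition types every DC in a domain holds.
[pscustomobject]@{
    Schema        = $rootDse.schemaNamingContext
    Configuration = $rootDse.configurationNamingContext
    Domain        = $rootDse.defaultNamingContext
} | Format-List

# namingContexts lists every partition replicated to this DC; whatever is not one of
# the three above is an application partition (for example DomainDnsZones/ForestDnsZones).
$wellKnown = @($rootDse.schemaNamingContext,
               $rootDse.configurationNamingContext,
               $rootDse.defaultNamingContext)
$appPartitions = @($rootDse.namingContexts | Where-Object { $wellKnown -notcontains $_ })
"Application partitions replicated to $($rootDse.dnsHostName):"
$appPartitions | ForEach-Object { "  $_" }

# Every partition in the forest is registered as a crossRef object under CN=Partitions
# in the configuration partition. For application partitions, msDS-NC-Replica-Locations
# names the NTDS Settings objects of the DCs chosen to host a replica, i.e. the decision
# that limits where that partition replicates.
$partitionsContainer = "CN=Partitions,$($rootDse.configurationNamingContext)"
Get-ADObject -SearchBase $partitionsContainer -SearchScope OneLevel `
    -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, dnsRoot, 'msDS-NC-Replica-Locations' |
    ForEach-Object {
        $locations = @($_.'msDS-NC-Replica-Locations' | Where-Object { $_ })
        $hostedOn = if ($locations.Count -gt 0) {
            # each entry is an NTDS Settings DN; its second RDN is the DC's server object
            ($locations | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }) -join ', '
        } else {
            '(all DCs of that domain or forest)'
        }
        [pscustomobject]@{ Partition = $_.nCName; DnsRoot = $_.dnsRoot; HostedOn = $hostedOn }
    } | Format-Table -AutoSize

# The per-DC view: Partitions is the list of naming contexts that DC replicates.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, @{ n = 'Partitions'; e = { $_.Partitions -join '; ' } } |
    Format-Table -AutoSize
```

Comparing the crossRef replica locations with the per-DC partition list is a quick way to spot a DC that was removed from an application partition's replica set but still reports the partition, or a DNS zone partition that has quietly spread to every DC.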

What is the AD Schema?


- AD Schema is a set of definitions and attributes that define objects that can be stored in AD.
- It replicates to all DCs.
- AD Schema is made up of two types of objects:
o Attributes
o Classes

What are AD Schema Attributes?


- Attributes contain the data that makes up the information stored in an object.
For example, a user object has attributes that store its information: first name, last name,
password, etc.
- Which attributes apply depends on the type of object.
For example, a user object has a first-name attribute but no printer-model attribute.
- Some attributes are mandatory and others are optional.
For example, for a new user object, the account name is required, while the telephone number is
optional.

What is the AD Schema Class?


- AD Schema Class determines the attributes for the AD object.
- AD Schema has predefined classes that define all of the different object types that the directory
needs to function correctly.
- For example, when a new computer account is created in the directory, its definition comes
from the “computer” class.
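
To make the two previous answers concrete, here is an added PowerShell example (not from the original Q&A) that reads the schema partition directly: one function walks a class and its parent classes to list the mandatory and optional attributes an object of that class can carry, and another decodes the replication- and security-relevant properties of a single attribute definition (single- or multi-valued, replicated to the Global Catalog, indexed, confidential, filtered from RODCs). The function names, the class and attribute names used in the usage calls, and the decoding of searchFlags bits are assumptions of this example; it needs the ActiveDirectory module and read access to the schema.

```powershell
# Added example, not from the original page: inspect a schema class and a schema attribute.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-EffectiveAttributes {
    param([Parameter(Mandatory)][string]$ClassName)
    # Walk subClassOf up to 'top' so inherited mandatory/optional attributes are included.
    # Auxiliary classes (auxiliaryClass/systemAuxiliaryClass) are not followed here.
    $mandatory = @(); $optional = @(); $chain = @()
    $current = $ClassName
    while ($true) {
        $cls = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$current))" `
            -Properties lDAPDisplayName, subClassOf, mustContain, systemMustContain, mayContain, systemMayContain
        if (-not $cls) { throw "Class '$current' not found in $schemaNC" }
        $chain += $cls.lDAPDisplayName
        # the system* variants hold the parts Microsoft does not let administrators change
        $mandatory += @($cls.mustContain) + @($cls.systemMustContain)
        $optional  += @($cls.mayContain)  + @($cls.systemMayContain)
        if ($cls.subClassOf -eq $cls.lDAPDisplayName) { break }   # 'top' is its own parent
        $current = $cls.subClassOf
    }
    [pscustomobject]@{
        Class            = $ClassName
        InheritanceChain = $chain -join ' -> '
        Mandatory        = @($mandatory | Where-Object { $_ } | Sort-Object -Unique)
        Optional         = @($optional  | Where-Object { $_ } | Sort-Object -Unique)
    }
}

function Get-SchemaAttributeInfo {
    param([Parameter(Mandatory)][string]$AttributeName)
    $attr = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, searchFlags, systemOnly
    if (-not $attr) { throw "Attribute '$AttributeName' not found in $schemaNC" }
    $flags = [int]$attr.searchFlags
    [pscustomobject]@{
        Attribute        = $attr.lDAPDisplayName
        Syntax           = $attr.attributeSyntax           # OID, e.g. 2.5.5.12 = Unicode string
        SingleValued     = $attr.isSingleValued
        InGlobalCatalog  = $attr.isMemberOfPartialAttributeSet
        Indexed          = [bool]($flags -band 0x1)
        KeptOnTombstone  = [bool]($flags -band 0x8)        # value survives deletion
        Confidential     = [bool]($flags -band 0x80)       # read needs an extra control-access right
        NeverAuditValue  = [bool]($flags -band 0x100)
        RodcFiltered     = [bool]($flags -band 0x200)      # not replicated to read-only DCs
        SystemOnly       = $attr.systemOnly
    }
}

# Usage (assumed names): the 'user' class inherits most of its definition from its parents.
Get-EffectiveAttributes -ClassName 'user' | Format-List
Get-SchemaAttributeInfo -AttributeName 'sAMAccountName' | Format-List
Get-SchemaAttributeInfo -AttributeName 'telephoneNumber' | Format-List
```

Running the first call makes the inheritance point visible: the user class itself declares few mandatory attributes, and cn or objectClass arrive from person and top. The attribute report is what to check before storing anything sensitive in a custom attribute, since an attribute that is replicated to the Global Catalog and not marked confidential is readable forest-wide by any authenticated user with default permissions.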

What tables does the AD Database contain?


AD Database contains the following tables:
- Schema Table - defines the types of objects that can be created in AD, including the optional and
mandatory attributes for each object type. This table is static and much smaller than the
data table.
- Link Table - contains linked attributes, which include values referring to other objects in the AD.
- Data Table - contains users, groups, application-specific data, and any other data stored in the
AD.

What is Garbage Collection?


- Garbage Collection is a process that is used to free space within the AD database.
- It removes previously deleted objects from the database. These objects are known as
tombstones.
- Garbage Collection deletes unnecessary log files.
- It starts a defragmentation thread to claim additional free space.
- Garbage Collection runs on all DCs every 12 hours.

What is AD Recycle Bin?


- AD Recycle Bin is a feature that restores accidentally deleted AD objects without using a
backup, rebooting DCs, or restarting any services.
- To enable AD Recycle Bin, the forest functional level must be Windows Server 2008 R2 or later.

What is Tombstone?
- A Tombstone is a container for objects that were deleted from the AD database.
- When objects are deleted, they are kept hidden in the database for a specific period.

What is Tombstone Lifetime?


- Tombstone Lifetime is the setting that controls how long a deleted object is retained
in AD.
- By default, the Tombstone Lifetime is 180 days.
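
The garbage-collection interval, the tombstone lifetime and the AD Recycle Bin state discussed in the last four answers all live in the configuration partition and can be read from any DC. The PowerShell below is an added example (not from the original Q&A) that reports them, enables the Recycle Bin only when explicitly asked and the forest mode allows it, and lists the deleted objects the Recycle Bin would let you restore. The `$EnableRecycleBin` switch and the fallback values for absent attributes are assumptions of this example.

```powershell
# Added example, not from the original page: tombstone lifetime, garbage collection
# interval and AD Recycle Bin status for the forest.
param([switch]$EnableRecycleBin)   # assumed switch: enabling is a one-way change, so opt in
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds = Get-ADObject -Identity $dsConfig -Properties tombstoneLifetime, garbageCollPeriod

# tombstoneLifetime is in days. If the attribute is absent the DC uses a built-in fallback
# of 60 days; forests first created on Windows Server 2003 SP1 or later write 180
# explicitly, which is the 180-day default the Q&A refers to.
$tsl = if ($null -ne $ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
# garbageCollPeriod is in hours; absent means the 12-hour default.
$gcHours = if ($null -ne $ds.garbageCollPeriod) { [int]$ds.garbageCollPeriod } else { 12 }

[pscustomobject]@{
    TombstoneLifetimeDays     = $tsl
    TombstoneLifetimeExplicit = ($null -ne $ds.tombstoneLifetime)
    GarbageCollectionHours    = $gcHours
} | Format-List

# Operational consequence: a backup, or a DC that has been offline, older than the
# tombstone lifetime must not be brought back into replication (see lingering objects).
"Backups and offline DCs older than $tsl days are unsafe to reintroduce into this forest."

# Recycle Bin: EnabledScopes is empty until the feature has been enabled.
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$enabled = $feature.EnabledScopes.Count -gt 0
$modeOk  = [int]$forest.ForestMode -ge [int]$feature.RequiredForestMode
"Forest mode: $($forest.ForestMode) (required: $($feature.RequiredForestMode)); Recycle Bin enabled: $enabled"

if ($EnableRecycleBin -and -not $enabled) {
    if (-not $modeOk) { throw "Forest functional level too low for the Recycle Bin" }
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
    "Recycle Bin enabled; the change cannot be reverted."
}

# Deleted objects still within the tombstone lifetime. With the Recycle Bin enabled they
# keep their attributes and can be restored with Restore-ADObject; without it, only the
# stripped-down tombstone remains.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending
```

The explicit-versus-fallback distinction matters in practice: a forest that shows a 60-day lifetime because the attribute was never written will garbage-collect tombstones three times sooner than the 180 days an administrator may be planning backups around.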

What is “LostAndFound” Container?
- “LostAndFound” Container stores orphaned user accounts and other objects.
- In the multi-master replication model, replication conflicts can happen. Objects involved in
replication conflicts are stored in the "LostAndFound" Container.

What are Stale References?
Stale references are references to objects that have been moved or renamed, so that the local copy
of the remote object's name is out of date.
What is Lingering Object?
- Lingering Object is a deleted AD object that re-appears on the restored DC in its local copy of
AD.
- It can happen if, after the backup was made, the object was deleted on another DC more than
180 days ago.
- Because the tombstone object on the other DCs has been removed, the restored DC will not
receive the tombstone object (via replication), and so it will never be notified of the deletion.
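
The LostAndFound, replication-conflict and lingering-object answers above describe three ways replication anomalies show up in a domain. As an added example (not from the original Q&A), the PowerShell below enumerates the first two and checks a DC for the third in a read-only way: it reports whether the DC enforces strict replication consistency (the setting that makes a DC reject, rather than re-accept, an object that was purged elsewhere) and runs repadmin in advisory mode, which only logs what it would remove. The DC names are placeholders, and the script assumes the ActiveDirectory module and repadmin.exe from RSAT; the registry check reads the local machine, so run it on the DC in question.

```powershell
# Added example, not from the original page: surface orphaned objects, naming conflicts
# and lingering objects without changing the directory.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# 1. Orphaned objects: created on one DC while their parent container was deleted on
#    another before the change replicated.
$lostAndFound = "CN=LostAndFound,$($domain.DistinguishedName)"
"Objects under $lostAndFound"
Get-ADObject -SearchBase $lostAndFound -SearchScope Subtree -Filter * -Properties whenCreated |
    Where-Object { $_.DistinguishedName -ne $lostAndFound } |
    Select-Object Name, ObjectClass, whenCreated, DistinguishedName

# 2. Naming conflicts: AD keeps both objects and renames the loser to "<name>\0ACNF:<GUID>",
#    so conflict objects can sit anywhere in the tree, not only under LostAndFound.
"Conflict (CNF:) objects"
Get-ADObject -Filter 'Name -like "*CNF:*"' -Properties whenChanged |
    Select-Object DistinguishedName, whenChanged

# 3. Strict replication consistency. With the value set to 1 a DC refuses a lingering
#    object from a partner and logs Directory Service event 1988; with loose consistency
#    the object replicates back in and event 1388 is logged instead.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$strict = (Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue).'Strict Replication Consistency'
$state = if ($strict -eq 1) { 'enabled' } else { 'disabled or not set' }
"Strict Replication Consistency on ${env:COMPUTERNAME}: $state"

# 4. Advisory-mode scan: compares the destination DC's copy of a partition with a
#    known-good source and logs, but does not delete, every lingering object it finds
#    (Directory Service events 1942 summary and 1946 per object).
$destDc   = 'DC01.corp.example'    # placeholder: DC suspected of holding lingering objects
$sourceDc = 'DC02.corp.example'    # placeholder: healthy replication partner
# repadmin wants the source DC's DSA object GUID, i.e. the objectGUID of its NTDS Settings object
$sourceDsa  = Get-ADDomainController -Identity $sourceDc
$sourceGuid = (Get-ADObject -Identity $sourceDsa.NTDSSettingsObjectDN).ObjectGUID
$nc = $rootDse.defaultNamingContext
& repadmin.exe /removelingeringobjects $destDc $sourceGuid $nc /advisory_mode

Get-WinEvent -ComputerName $destDc -MaxEvents 50 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 1942, 1946 } |
    Select-Object TimeCreated, Id, Message
```

Only after reviewing the advisory-mode events would an administrator rerun the same repadmin command without /advisory_mode to actually remove the objects; until then nothing in this script modifies the directory.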
Where is the AD Database located?
AD Database is located in the folder:
%systemroot%\NTDS

What is Online Defragmentation in AD?


- Online Defragmentation is a method that runs as part of the garbage collection process.
- The advantage of the Online Defragmentation method is that the server does not need to be taken
offline for it to run.
- Online Defragmentation does not shrink the AD database file (ntds.dit).

What is Offline Defragmentation?


Offline Defragmentation is performed manually by an administrator after booting the DC into DSRM
(Directory Services Restore Mode) and running the ntdsutil utility.
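
The database-location and offline-defragmentation answers above describe a procedure; the PowerShell below is an added example (not from the original Q&A) of carrying it out in DSRM: it reads the actual database and log paths from the NTDS service parameters rather than assuming %systemroot%\NTDS, compacts the database with ntdsutil into a scratch directory, keeps a copy of the original, swaps in the compacted file, clears the now-mismatched transaction logs and verifies the result before the DC is rebooted into normal mode. The scratch path is an assumption; take a system state backup before running anything like it.

```powershell
# Added example, not from the original page: offline defragmentation of ntds.dit.
# Run as an administrator in DSRM (or, on Windows Server 2008 and later, after the
# NTDS service has been stopped).
$ErrorActionPreference = 'Stop'

# Where the database is. %systemroot%\NTDS is the default; the authoritative paths are
# recorded in the NTDS service parameters.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $ntdsParams.'DSA Database file'          # typically C:\Windows\NTDS\ntds.dit
$logPath = $ntdsParams.'Database log files path'    # typically C:\Windows\NTDS
$workDir = 'C:\NTDS-compact'                        # assumed scratch directory with room for a full copy
$sizeMB  = { param($p) [math]::Round((Get-Item $p).Length / 1MB) }
"Database: $ditPath ($(& $sizeMB $ditPath) MB), logs: $logPath"

# 1. Compact into a new file. ntdsutil writes <workDir>\ntds.dit; the live file is untouched.
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $workDir" quit quit
$compacted = Join-Path $workDir 'ntds.dit'
if (-not (Test-Path $compacted)) { throw "ntdsutil did not produce $compacted; nothing was changed" }

# 2. Keep the original so the step can be rolled back, then swap in the compacted copy and
#    remove the old transaction logs, which no longer belong to the new database file.
$backupDit = "$ditPath.bak"
Copy-Item $ditPath $backupDit
Copy-Item $compacted $ditPath -Force
Get-ChildItem -Path $logPath -Filter '*.log' | Remove-Item -Force

# 3. Verify before leaving DSRM; on failure put $backupDit back before starting AD DS.
$integrity = (ntdsutil "activate instance ntds" files integrity quit quit 2>&1) -join "`n"
if ($integrity -notmatch 'Integrity check successful') {
    throw "Integrity check failed; restore $backupDit before starting AD DS"
}
ntdsutil "activate instance ntds" "semantic database analysis" go quit quit
"Compacted size: $(& $sizeMB $ditPath) MB (original kept at $backupDit)"
```

Compaction needs free space for a second full copy of the database, which is why the scratch directory is chosen explicitly; once the DC has booted normally and replication is healthy, the .bak copy and the scratch directory can be removed.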
