Active Directory Logical Structure — Part 2

The most basic components of the logical structure of Active Directory are:

a) leaf objects, which cannot contain other objects (a user, computer or printer object, for example), and

b) container objects, which can hold child objects.



These objects exist to organize the data the directory stores. Understanding the logical components helps engineers design Active Directory and troubleshoot it efficiently. The logical structure consists of forests, domains, domain trees, organizational units and site objects, each described below.





Forest :

In Active Directory the forest is the top-level container; it holds all of the domain containers. A forest can hold any number of domains. All domains in a forest share one schema, one configuration partition and one global catalog, and they are joined to each other by two-way transitive trusts, so a user in any domain can be granted access to resources in any other domain of the forest.


Note : the first domain created in a forest is the forest root domain; the forest takes its name from it and it cannot be removed without removing the whole forest.





Domain :

A domain is a container object that can hold millions of objects. The objects of a domain share one directory partition (naming context), which is replicated to every domain controller of that domain. As explained in my earlier post, each domain has its own partition in the data store, while the schema and configuration partitions are shared by the whole forest.

A domain also defines the security policies that apply to its objects (the password, account lockout and Kerberos policies set at domain level) and the trust relationships it takes part in. Note that the forest, not the domain, is the security boundary: a domain administrator in any domain can escalate to the entire forest, so organizations that must be isolated from each other need separate forests.



Domain Tree :

AD provides the flexibility of creating child domains under a parent (or root) domain. A parent domain and its children form a contiguous DNS namespace, and this hierarchy is called a domain tree: e.g. a tree rooted at example.com with the child domains corp.example.com and lab.example.com. A forest can contain more than one tree, each with its own namespace.




Organizational Unit :

Suppose a company has 1000 users with different privileges; an administrator has a hard time keeping track of who may do what. With OUs the administrator can group the users (and computers) that are administered in the same way, which makes management easier: Group Policy objects are linked to OUs, and administration of an OU (resetting passwords, creating accounts) can be delegated to a help desk without giving it rights anywhere else.

OUs are container objects that arrange different types of objects under them. Note that placing a user in an OU does not grant any privilege by itself; rights come from group membership and from the ACLs on objects, so an OU is an administrative scope, not a security principal.



Site Objects:

AD replication is controlled through the site objects. Unlike the containers above they are not stored in a domain: they live in the configuration partition (CN=Sites,CN=Configuration,<forest root DN>), which is shared by the whole forest, and they model the physical network so that the KCC (Knowledge Consistency Checker) can build a replication topology that is cheap within a site and scheduled between sites. The objects involved are both containers and leaves: the site object itself (one per site), the subnet objects that map IP ranges to sites, the server objects under each site, the NTDS Settings object (class nTDSDSA) under each server, which represents the directory service instance that replicates, and the connection objects under NTDS Settings, which the KCC generates to describe inbound replication links.
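The containers and site objects described above can be enumerated from any domain-joined machine with the ActiveDirectory PowerShell module (RSAT). The following is an added example, not code from the original post; it assumes read access to the directory and makes no changes. The trust listing adds the check a practitioner wants at this point: whether SID filtering is enabled on each trust.

```powershell
# Added example (not from the original post). Enumerate the forest, domains,
# trusts, OUs and site objects with the ActiveDirectory module. Read-only.
Import-Module ActiveDirectory

# Forest: the top-level container; one schema and one global catalog for all domains
$forest = Get-ADForest
"Forest $($forest.Name): root domain $($forest.RootDomain), mode $($forest.ForestMode)"
"Global catalogs: $($forest.GlobalCatalogs -join ', ')"

# Domains and domain trees: a child domain's DNS name extends its parent's
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    "Domain $($d.DNSRoot)  parent: $($d.ParentDomain)  children: $($d.ChildDomains -join ', ')"
}

# Trusts: intra-forest trusts are two-way and transitive by design. For every
# trust, check that SID filtering is on; without it the trusted side can put
# arbitrary SIDs (via SIDHistory) into tickets that your domain accepts.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, IntraForest, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# Organizational units of the current domain, with the number of GPOs linked to each
Get-ADOrganizationalUnit -Filter * -Properties gPLink |
    Select-Object DistinguishedName,
        @{ n = 'LinkedGPOs'; e = { [regex]::Matches([string]$_.gPLink, 'LDAP://').Count } } |
    Format-Table -AutoSize

# Site objects live in the forest-wide configuration partition, not in a domain
$subnets = Get-ADReplicationSubnet -Filter *
foreach ($site in Get-ADReplicationSite -Filter *) {
    "Site $($site.Name)"
    $subnets | Where-Object { $_.Site -eq $site.DistinguishedName } |
        ForEach-Object { "  subnet  $($_.Name)" }
    # server objects under CN=Servers,<site>, each with its NTDS Settings (nTDSDSA) child
    Get-ADObject -SearchBase "CN=Servers,$($site.DistinguishedName)" -SearchScope OneLevel `
        -Filter 'objectClass -eq "server"' |
        ForEach-Object {
            $ntds = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                -Filter 'objectClass -eq "nTDSDSA"'
            "  server  $($_.Name)  NTDS Settings: $(if ($ntds) { 'present' } else { 'missing (not a DC)' })"
        }
}

# Connection objects: the inbound replication links the KCC generated (or an admin created by hand)
Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Format-Table -AutoSize
```

Run it as an ordinary domain user to see what an unprivileged account can already learn about the forest layout; everything listed here is world-readable by default, which is exactly why trust settings and OU delegation deserve review.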





In order to view, manage and manipulate the above objects, you can:

a) install the AD DS role,

b) create a domain by promoting the server to a domain controller,

c) manage users, groups, computers and OUs with the Active Directory Users and Computers MMC (dsa.msc),

d) manage trusts with Active Directory Domains and Trusts (domain.msc),

e) inspect and extend the schema with the Active Directory Schema MMC (schmmgmt.msc, available after registering schmmgmt.dll with regsvr32), and

f) manage site, subnet and connection objects with Active Directory Sites and Services (dssite.msc).
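Steps a) to e) can also be done from PowerShell, which is what you would script for a lab. The following is an added example, not code from the original post. It assumes a fresh Windows Server, uses the placeholder forest name corp.example.com (NetBIOS name CORP) and the placeholder account jdoe, and runs in an elevated session; the forest creation reboots the host, and the remaining steps run afterwards on the new domain controller.

```powershell
# Added example (not from the original post). Placeholders: corp.example.com / CORP / jdoe.

# a) Install the AD DS role with its management tools (ADUC, Domains and Trusts,
#    Sites and Services, the Schema snap-in DLL and the ActiveDirectory module)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# b) Create the forest; this server becomes the first DC and its domain the forest
#    root. The DSRM password unlocks the offline copy of the database, so it is as
#    sensitive as a domain admin password.
$dsrm = Read-Host -AsSecureString 'DSRM (safe mode) administrator password'
Install-ADDSForest -DomainName 'corp.example.com' -DomainNetbiosName 'CORP' `
    -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force
# (the host reboots here; continue on the new DC)

# c) Users and groups, with OUs as the administrative scope: one OU per
#    administrative boundary, GPOs linked to it, delegation granted on it.
#    Group membership, not OU placement, carries the privilege.
Import-Module ActiveDirectory
$dn = (Get-ADDomain).DistinguishedName
New-ADOrganizationalUnit -Name 'Tier2'  -Path $dn -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Users'  -Path "OU=Tier2,$dn"
New-ADOrganizationalUnit -Name 'Groups' -Path "OU=Tier2,$dn"
New-ADGroup -Name 'Helpdesk' -GroupScope DomainLocal -GroupCategory Security -Path "OU=Groups,OU=Tier2,$dn"
$pw = Read-Host -AsSecureString 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@corp.example.com' `
    -Path "OU=Users,OU=Tier2,$dn" -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Helpdesk' -Members 'jdoe'
# Delegate only the "Reset Password" control-access right on user objects in the
# Users OU to Helpdesk, inherited to sub-objects; nothing outside that OU is touched.
dsacls "OU=Users,OU=Tier2,$dn" /I:S /G 'CORP\Helpdesk:CA;Reset Password;user'

# d) Trusts: a new forest has none, so anything listed here was created on purpose
Get-ADTrust -Filter * | Select-Object Name, Direction, SIDFilteringQuarantined

# e) The schema snap-in is not registered by default. Changing the schema also
#    needs Schema Admins membership; by default only the built-in Administrator is
#    a member, and the group should be emptied outside schema change windows.
regsvr32.exe /s schmmgmt.dll
Get-ADGroupMember 'Schema Admins'
```

The dsacls line is the scripted form of the "Delegate Control" wizard in ADUC; run dsacls with only the OU's distinguished name afterwards to read back the ACL and confirm the help desk got one right on one object type and nothing more.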



Active Directory Logical Structure – Part 1




Understanding Active Directory is a bit like completing a PhD program. I would say many administrators still struggle with the hierarchy and the placement of the components of the logical structure of AD, so I thought of writing down the components involved in the AD logical structure, since the logical structure is the part we actually manipulate.








[Diagram of the logical hierarchy, ending in Organizational Units; not reproduced.]

All the above components are implemented as containers.



There is an important concept I would like to emphasize: AD is a service. AD stores information in the form of objects and then makes those objects available to users and applications through the forest and domain structure.


Core Components Of AD – Logical Structure.

The placement of data shown in the diagram above gives an administrator flexible authentication and authorization for the devices on the network. Architects should view this model from a security perspective: which devices and users need to authenticate where, and what each of them should be authorized to do.

But the diagram does not show the physical implementation of the logical structure (domain controllers, sites and replication); that is a separate layer.

For architects and system engineers security is the primary concern, so planning is a vital part of the job. When you drill down into AD and use it to its full potential, you realize how much control you get over devices and access:


- File sharing

- Logon permissions

- Creating different departments with appropriate permissions

- Device restrictions

- VPN access

- PKI


One has to understand and implement the above concepts to appreciate the robustness of AD.



Active Directory Basics – Part 2




Engineers have to understand the major components of Active Directory; once they do, their life becomes much easier. At the top AD looks very simple, but when you actually start deploying or troubleshooting it you may find yourself lost. When you understand the core components, you know exactly where to look.

I would say the heart of Active Directory is the data store, because the data store is the interface between the schema and the physical directory (the database); communication flows both ways between the physical directory and the schema through it.



The data store resides on every domain controller in the forest. Internally it is not one piece: it consists of sub-components (interfaces and services) that communicate with each other.


Simplified Explanation:

In its simplest form, think of the data store as a firewall that allows or denies requests from applications. The data store does the same job:

– it provides a way for applications to communicate with the database, and

– it provides a way to filter that communication.



The data store is a collection of interfaces that provide three major services to applications and clients:

a)       an interface through which to talk to the data store,

b)       access to the physical database through those interfaces, and

c)       filtering of the application calls made to the database for data retrieval or data commit (every write is checked against the schema and the access control lists before it reaches the database).



Interfaces In Data Store:

- LDAP interface (what directory clients and the management tools speak)

- SAM interface (the NT-style account management RPC used by legacy tools such as net.exe)

- ESE interface (the Extensible Storage Engine, which reads and writes the database file NTDS.dit)

- Replication interface (used between domain controllers)

- DSA interface (the Directory System Agent, which enforces the schema and access control on every request)





Did You Know:


The DSA (Directory System Agent) is the component that does the schema-related work. It performs the following:

a)       enforces the rules,

b)       checks every request against the schema, and

c)       enforces the data types (syntaxes) of attributes.



Example :

Application → Data store → Database

Lower View

Application → uses LDAP → DSA checks the request against the schema and the ACLs and filters the necessary API calls → ESE, which talks directly to the database → Physical database (NTDS.dit)


From the above example you should now have a clear understanding of the data flow.
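To see these layers from the client side, here is an added example in PowerShell; it is not code from the original post. It assumes a domain-joined host with the ActiveDirectory module and the RSAT tools, a test account named testuser (a placeholder) that may be modified, and, for the last part, that it is run on a domain controller.

```powershell
# Added example (not from the original post). 'testuser' is a placeholder account.
Import-Module ActiveDirectory

# LDAP interface: rootDSE is what every LDAP client reads first. It names the
# DSA you are connected to and the naming contexts (partitions) it holds.
$root = Get-ADRootDSE
"DSA:          $($root.dnsHostName)"
"Domain NC:    $($root.defaultNamingContext)"
"Schema NC:    $($root.schemaNamingContext)"
"Config NC:    $($root.configurationNamingContext)"
"LDAP version: $($root.supportedLDAPVersion -join ', ')"

# DSA: the schema fixes each attribute's syntax and whether it is single-valued;
# the DSA rejects writes that break those rules before ESE ever sees them.
$sn = Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(lDAPDisplayName=sn)' `
    -Properties attributeSyntax, isSingleValued
"sn: syntax OID $($sn.attributeSyntax), single-valued = $($sn.isSingleValued)"

Set-ADUser -Identity testuser -Replace @{ sn = 'Example' }      # allowed by the schema

$badWrites = @(
    @{ noSuchAttribute = 'x' },     # attribute not defined in the schema
    @{ sn = @('One', 'Two') }       # two values for a single-valued attribute
)
foreach ($w in $badWrites) {
    try {
        Set-ADUser -Identity testuser -Replace $w -ErrorAction Stop
        "accepted (unexpected): $($w.Keys -join ',')"
    } catch {
        "rejected by the DSA: $($w.Keys -join ',') -> $($_.Exception.Message)"
    }
}

# SAM interface: legacy tools do not speak LDAP; net.exe reaches the same
# object through the SAM RPC interface of the same DSA.
net user testuser /domain

# Replication interface: this DC's partners and the result of the last sync
repadmin /showrepl

# ESE: the physical database behind all of the above, as registered on this DC.
# Read access to these files, or to any backup or VSS snapshot that contains
# them, yields every password hash in the domain. That is why they are reachable
# only through the DSA; protect the paths and the backups accordingly.
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
"Database file: $($p.'DSA Database file')"
"Log files:     $($p.'Database log files path')"
```

The two rejected writes are the point: the error comes back from the DSA with the request still in memory, which is the "filter" role the post describes, and the same check applies whether the request arrived over LDAP, SAM or replication.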


Hope you have enjoyed this article, look for the next session







Active Directory Basics – Part 1



We have to understand the directory structure to get a clear understanding of Active Directory. Many of us are reluctant to learn AD because it feels like trying to swim across the Pacific Ocean. But once you start analyzing the building blocks of AD you will relax, and then you can start thinking about Active Directory and its implementation.



Every organization today uses Active Directory as a centralized repository for its data. In its simplest form you need to understand three things (just remember DOS: Directory, Objects, Schema):


Directory :  the place where all the data gets stored

Objects :    applications use objects to store data in the directory

Schema :   in order to use an object, the object (its class and attributes) must be defined in the schema; without that definition you cannot use the object to store data in the directory


Data Flow


Application → Object → Schema → Directory




This directory is viewed as


a)       Logical Structure : exposed to users as forests and domains

b)       Physical Structure : implemented as a database (NTDS.dit) residing on each and every domain controller



Communication with the database is not direct: we need some means of writing data to the directory, so Microsoft placed the Active Directory data store in front of the database as the interface through which data is written. The data store is made up of services and files that decide how I/O operations on the database are handled.



Data Flow


Application → Object → AD Data Store (files and services) → Database
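The directory / object / schema relationship above can be checked directly, because the schema is itself stored in the directory as objects. The following is an added example, not code from the original post; it assumes a domain-joined host with the ActiveDirectory module, is read-only, and uses the placeholder attribute name favouriteColour for the "not in the schema" case.

```powershell
# Added example (not from the original post). Reads the schema to see what an
# object of a given class may store, then lists the domain controllers that hold
# copies of the physical database. Read-only; needs the ActiveDirectory module.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-ClassSchema {
    param([string]$Name)
    # The classSchema object is the definition of a class: its superclass, the
    # auxiliary classes it pulls in, and its mandatory / optional attributes.
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$Name))" `
        -Properties subClassOf, systemAuxiliaryClass, auxiliaryClass,
                    systemMustContain, mustContain, systemMayContain, mayContain
}

function Add-ClassAttributes {
    param([string]$Name, [hashtable]$Seen)
    # Collect attributes from the class, its auxiliary classes and its superclasses
    # (user -> organizationalPerson -> person -> top). 'must' wins over 'may'.
    $def = Get-ClassSchema $Name
    if (-not $def) { return }
    foreach ($a in @($def.systemMustContain) + @($def.mustContain)) { if ($a) { $Seen[$a] = 'must' } }
    foreach ($a in @($def.systemMayContain) + @($def.mayContain)) {
        if ($a -and -not $Seen.ContainsKey($a)) { $Seen[$a] = 'may' }
    }
    foreach ($aux in @($def.systemAuxiliaryClass) + @($def.auxiliaryClass)) {
        if ($aux) { Add-ClassAttributes $aux $Seen }
    }
    # 'top' lists itself as its own superclass, so stop there
    if ($def.subClassOf -and $def.subClassOf -ne $Name) { Add-ClassAttributes $def.subClassOf $Seen }
}

$attrs = @{}
Add-ClassAttributes 'user' $attrs
$must = @($attrs.GetEnumerator() | Where-Object { $_.Value -eq 'must' } | ForEach-Object { $_.Key } | Sort-Object)
"A user object may carry $($attrs.Count) attributes; $($must.Count) are mandatory: $($must -join ', ')"

# An attribute that is not in the schema cannot be used to store data at all
$name = 'favouriteColour'   # placeholder name for the demonstration
if (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))") {
    "$name is defined in the schema"
} else {
    "$name is not in the schema: no object can store it until the schema is extended"
}

# Physical structure: one copy of the database (NTDS.dit) on every domain controller
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize
```

The walk over superclasses and auxiliary classes is what makes the attribute list complete: sAMAccountName and objectSid, for instance, do not come from the user class itself but from the securityPrincipal auxiliary class, which is why an application cannot work out what a user may hold from the user class definition alone.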