Friday, July 18, 2008

Active Directory 2008

Active Directory is without question the most important constituent in Microsoft networking. Most people do not even realize that all the other applications run on top of AD and its .DIT database. Recent AD cleanup work I did for a large client made me start seeing AD from a different perspective. Exchange is only one of the applications that depends heavily on Active Directory and will die without it. Active Directory in turn needs healthy DNS in order to function properly, or else it will suffer from many diseases, such as clients being unable to locate the resources they need, or replication failing. Below is some of the good information I decided to summarize.

Therefore, the equation goes this way (where "=" means "needs"):

  • Exchange = AD = DNS

For most administrators, interaction with the AD database starts with daily operational tasks such as creating users and groups. The fact of the matter is that every time one of these tasks is performed, the administrator touches or modifies the .DIT database by using ADUC (the Active Directory Users and Computers snap-in).

The .DIT database is a partitioned database; three partitions constitute it:

  • Domain
  • Configuration
  • Schema

The AD DS (Active Directory Domain Services) database is stored by default in

  • %SystemRoot%\NTDS\NTDS.dit (Directory Information Tree)

Below are the components of the .DIT database.

[Figure: components of the data store, from the client interfaces down to the storage engine, ESE (Esent.dll)]

Lightweight Directory Access Protocol (LDAP)

LDAP v3 is the most common interface used by directory clients to locate information in the directory store. LDAP v3 is backward compatible with LDAP v2. Clients can use port 389 (the standard LDAP port), port 636 (LDAP secured by SSL), port 3268 (for global catalog lookups), and port 3269 (global catalog LDAP secured by SSL) to access the LDAP interface. Clients can also use UDP port 389 for both LDAP and Netlogon (this interface is used to locate domain controllers).

Messaging API (MAPI)

MAPI is used by messaging clients such as Outlook to access the Microsoft Exchange Server data stored in the data store. Exchange Server 2000 and later use the AD DS data store to store all recipient information, and the MAPI interface enables messaging clients to access the Global Address List (GAL). MAPI uses RPC communication.

Directory System Agent (DSA)

The DSA (which runs as Ntdsai.dll on each domain controller) provides the data store access interfaces. In addition, the DSA enforces directory semantics, maintains the schema, guarantees object identity, and enforces data types on attributes. When clients or other domain controllers need to access the directory store, they use one of the supported interfaces to connect (bind) to the DSA and then search for, read, and write to AD DS objects and their attributes.

The database layer resides in Ntdsai.dll

It provides an internal interface between the DSA and the directory database. The DSA cannot connect to the database directly; all access goes through the database layer. The database layer also provides an object view of the directory database, making the data accessible to the DSA as a set of hierarchical containers.

The database layer is also responsible for the creation, retrieval, and deletion of individual records (objects), attributes within records, and values within attributes.

The Extensible Storage Engine (ESE)

The ESE is a Windows component used by AD DS, as well as by several other Windows components, as an interface to the database. The ESE is responsible for indexing the data in the database file and for transferring the data in and out of the database. It also maintains the rows and columns that comprise the database. Its purpose is to enable applications to store and retrieve data. The ESE also implements the transactional process for committing changes to the database.

The data store keeps directory information in a single database file. In addition, it uses transaction log files, to which it temporarily writes uncommitted changes, as well as committed transactions before they are written to the database.

Domain:

  • The domain is a boundary of replication.
  • The domain is a boundary of the DNS namespace.
  • The domain is a boundary of administration.
  • The domain is also a boundary of authentication.

Domain Controller:

  • The authentication server is the domain controller.

DNS:

  • DNS (Domain Name Service/System)
  • We use DNS to reference objects and to locate the services offered by a domain.
  • In addition, DNS is required to locate computers, services and any other information available in Active Directory.

Global Catalog server

  • The global catalog server is a central repository. The global catalog server has a partial, read-only replica of all other domain directory partitions in the forest. All domains in the tree share a common global catalog. The GC contains references to all objects in Active Directory regardless of which domain the objects were created in. That is why the global catalog server is very important.
  • Without a global catalog, search requests received by a domain controller for an object in a different domain would result in that domain controller referring the query to a domain controller in the object's domain.
  • Global catalog queries are identical to any other LDAP query against a Windows Server 2008 domain controller. The only difference is that the global catalog query uses TCP port 3268 rather than TCP port 389, which is the standard LDAP port. If a domain controller that is also a global catalog server receives a query on port 389, it will not search the global catalog for objects in other domains.

User Logons

Global catalog servers are also used when processing user logons.

  • Every time a user logs on to a domain, a global catalog server is contacted.
  • This is because non-global-catalog domain controllers do not contain any information about universal group membership.
  • Universal groups can contain user and group accounts from any domain in a particular forest.
  • Since universal group membership is forest-wide, group membership can only be resolved by a domain controller that has forest-wide directory information.

In order for an accurate security token to be generated for the user seeking authentication, the global catalog must be contacted to determine the user's universal group membership.

Windows Server 2008 supports a feature known as universal group membership caching that makes it possible to log on to a Windows Server 2008 network without contacting a global catalog. Universal group membership can be cached on non-global-catalog domain controllers after a user has logged on to that domain controller.

After this information is obtained from a global catalog, it is cached on the domain controller for the site indefinitely and is periodically updated (by default every 8 hours). Enabling this feature results in faster logon times for users in remote sites, as the authenticating domain controllers do not have to access a global catalog.
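As an added example (not from the original post), the following Python model of a constructed two-domain forest illustrates two points above: a query answered on port 389 covers only the DC's own domain partition while port 3268 covers the GC's partial replica of the whole forest, and a non-GC DC can only supply universal group membership for the logon token from a GC or from the universal group membership cache that is refreshed every 8 hours. The forest, domain names, users and groups are all constructed sample data.

```python
from __future__ import annotations

# Constructed sample forest: one tree with a root and a child domain. Each
# domain partition holds its own users and groups; a universal group may
# contain accounts from any domain in the forest.
FOREST = {
    "corp.example": {
        "users": {"alice"},
        "groups": {"Sales-Universal": ("universal", {"alice", "bob"})},
    },
    "emea.corp.example": {
        "users": {"bob"},
        "groups": {"EMEA-Admins": ("global", {"bob"})},
    },
}
GC_PORTS = (3268, 3269)        # global catalog LDAP / LDAP over SSL
CACHE_REFRESH_HOURS = 8.0      # default universal group membership cache refresh

def dn(sam: str, domain: str) -> str:
    return f"CN={sam}," + ",".join(f"DC={p}" for p in domain.split("."))

def search_user(dc_domain: str, port: int, sam: str) -> list[str]:
    """DNs a DC in dc_domain returns for sam. On 389/636 it answers from its
    own domain partition only; on 3268/3269 it searches the GC's partial,
    read-only replica of every domain partition in the forest."""
    scope = list(FOREST) if port in GC_PORTS else [dc_domain]
    return [dn(sam, d) for d in scope if sam in FOREST[d]["users"]]

def gc_universal_groups(sam: str) -> set[str]:
    """Forest-wide universal membership: only a global catalog can answer this."""
    return {g for d in FOREST.values() for g, (kind, members) in d["groups"].items()
            if kind == "universal" and sam in members}

def token_universal_groups(sam: str, gc_reachable: bool, cache: dict, now_hours: float) -> set[str]:
    """Universal groups for the token built by a non-GC DC.
    The DC's own partition has no universal membership data, so it asks a GC,
    or falls back to membership cached from an earlier GC lookup; the cache is
    kept indefinitely and refreshed from a GC every CACHE_REFRESH_HOURS."""
    entry = cache.get(sam)                       # (groups, hour of last GC lookup)
    stale = entry is None or now_hours - entry[1] >= CACHE_REFRESH_HOURS
    if gc_reachable and stale:
        cache[sam] = (gc_universal_groups(sam), now_hours)
        return cache[sam][0]
    if entry is not None:
        return entry[0]
    raise LookupError("no global catalog reachable and nothing cached: token would be inaccurate")
```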

Tree:

A tree is a hierarchy of domains forming a contiguous namespace that maps to the DNS infrastructure. What defines a tree is the contiguous namespace.


There are not many differences between AD 2003 and AD 2008. There are several improvements in AD 2008, but having a good, solid base in AD 2003 will cover almost 85 percent of the knowledge, in my opinion. The book I am currently reading, "Windows Server 2008 Active Directory Resource Kit" from Microsoft Press, has great information in this regard. If you want to get an AD 2008 book, this one is highly recommended.

Oz Ozugurlu

MVP (Exchange)


MCSE 2003, M+, S+, MCDST

Security+, Project +, Server +


1 comment:

oracle fusion said...

Very informative article. And very well explained about the different protocols. Keep posting good content like this. For more details please visit our website.

Oracle Fusion Training Institute