This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

AD Architecture

Physical Components

The Physical components represent the actual infrastructure and storage mechanisms that make Active Directory work:

Data Store:

  • The actual database file, NTDS.dit, that contains all Active Directory information

  • Stored locally on each Domain Controller

  • Contains the directory database, transaction logs, and checkpoint files

  • Uses Extensible Storage Engine (ESE) database technology

Domain Controllers:

  • Windows servers that host writable copies of the Active Directory database

  • Provide authentication and authorization services

  • Process directory queries and modifications

  • Participate in multi-master replication

  • Run essential services like KDC (Key Distribution Center) for Kerberos

Global Catalog Server:

  • Special Domain Controllers that maintain a partial replica of all objects in the forest

  • Enable forest-wide searches and queries

  • Required for universal group membership resolution

  • Typically, the first Domain Controller in each site becomes a Global Catalog server

Read-Only Domain Controller (RODC):

  • Domain Controllers with read-only copies of the directory database

  • Designed for branch offices with limited physical security

  • Cache frequently accessed user credentials locally

  • Cannot process directory writes - must forward to writable DCs

Logical Components

The Logical components represent the organizational and structural elements:

Partitions:

  • Domain Partition: Contains all objects for a specific domain

  • Configuration Partition: Forest-wide configuration data shared by all DCs

  • Schema Partition: Defines object classes and attributes for the entire forest

  • Application Partitions: Custom partitions for specific applications (like DNS zones)

Schema:

  • The blueprint that defines what objects can exist in Active Directory

  • Specifies object classes (user, computer, group) and their attributes

  • Controls data validation and structure

  • Can be extended to support new object types and attributes

Domains:

  • Administrative and security boundaries within the forest

  • Contain users, computers, groups, and other directory objects

  • Have their own security policies and domain administrators

  • Minimum unit for authentication and authorization

Domain Trees:

  • Hierarchical arrangements of domains with contiguous DNS namespaces

  • Child domains automatically trust their parent domains

  • Example: company.com → sales.company.com → west.sales.company.com

  • Share common schema and configuration

Forests:

  • The ultimate security boundary in Active Directory

  • Collection of one or more domain trees

  • All domains in a forest share the same schema and configuration

  • Represents the scope of administrative control and trust

Sites:

  • Represent physical network locations with good connectivity

  • Help optimize replication traffic and authentication

  • Allow clients to locate nearby Domain Controllers

  • Control bandwidth usage for replication between locations

Organizational Units (OUs):

  • Containers within domains for organizing objects logically

  • Enable delegation of administrative permissions

  • Primary targets for Group Policy application

  • Can be nested to create complex organizational hierarchies

How Do They Work Together?

The Physical components provide the infrastructure and storage, while the Logical components provide the organizational structure and security boundaries. For example:

  • Domain Controllers (physical) host the Domain Partitions (logical)

  • Global Catalog Servers (physical) maintain information about all Domains in the Forest (logical)

  • Sites (logical) determine which Domain Controllers (physical) clients will use for authentication

  • The Schema (logical) is stored in the Data Store (physical) on every Domain Controller

This separation allows Active Directory to scale efficiently while maintaining security boundaries and administrative control.
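As an added illustration (not part of the original guide), the following PowerShell inventory ties the physical components above (Domain Controllers, Global Catalogs, RODCs) to the logical ones (forest, domains, partitions, sites) using the RSAT ActiveDirectory module; it assumes a domain-joined session with read access to the directory and changes nothing.

```powershell
# Added example, not from the original guide: read-only inventory of the
# physical and logical AD components using the RSAT ActiveDirectory module.
# Assumes the module is installed and the session runs as a domain user.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Logical: the forest and its domains (all share one schema/configuration)
"Forest:  $($forest.Name)  (mode: $($forest.ForestMode))"
"Domains: $($forest.Domains -join ', ')"

# Logical: partitions (naming contexts) advertised by the DC we are bound to
"Schema partition:        $($rootDse.schemaNamingContext)"
"Configuration partition: $($rootDse.configurationNamingContext)"
"Domain partition:        $($rootDse.defaultNamingContext)"
$appPartitions = $rootDse.namingContexts | Where-Object {
    $_ -notin @($rootDse.schemaNamingContext,
               $rootDse.configurationNamingContext,
               $rootDse.defaultNamingContext)
}
"Application partitions:  $($appPartitions -join '; ')"   # e.g. DNS zone partitions

# Physical: every DC in the forest with its site, GC and RODC status
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}
$dcs | Select-Object HostName, Domain, Site, IsGlobalCatalog, IsReadOnly |
    Sort-Object Domain, HostName | Format-Table -AutoSize

# Sanity checks on the physical/logical mapping: the forest needs at least
# one Global Catalog, and a read-only DC should never hold an FSMO role
$gcCount = @($dcs | Where-Object IsGlobalCatalog).Count
if ($gcCount -eq 0) { Write-Warning "No Global Catalog server found in the forest" }
$dcs | Where-Object { $_.IsReadOnly -and $_.OperationMasterRoles } | ForEach-Object {
    Write-Warning "RODC $($_.HostName) holds FSMO roles: $($_.OperationMasterRoles -join ', ')"
}

# Logical -> physical: sites, and the DC the locator picks for this client
Get-ADReplicationSite -Filter * | Select-Object Name, Description | Format-Table -AutoSize
$nearest = Get-ADDomainController -Discover -Service GlobalCatalog
"Nearest Global Catalog for this client: $($nearest.HostName) (site: $($nearest.Site))"
```

The partition list comes from the single DC the session is bound to, so application partitions hosted only on other DCs will not appear; run it against each domain if you need the full picture.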
