# AD Architecture

## Physical Components

The **Physical** components represent the actual infrastructure and storage mechanisms that make Active Directory work:

**Data Store:**

* The database file `NTDS.dit` that holds all Active Directory information
* Stored locally on each Domain Controller
* Contains the directory database, transaction logs, and checkpoint files
* Uses Extensible Storage Engine (ESE) database technology

**Domain Controllers:**

* Windows servers that host writable copies of the Active Directory database
* Provide authentication and authorization services
* Process directory queries and modifications
* Participate in multi-master replication
* Run essential services like KDC (Key Distribution Center) for Kerberos

**Global Catalog Server:**

* Special Domain Controllers that maintain a partial replica of all objects in the forest
* Enable forest-wide searches and queries
* Required for universal group membership resolution
* Typically, the first Domain Controller in each site becomes a Global Catalog server

**Read-Only Domain Controller (RODC):**

* Domain Controllers with read-only copies of the directory database
* Designed for branch offices with limited physical security
* Cache frequently accessed user credentials locally
* Cannot process directory writes; write requests must be forwarded to writable DCs

## Logical Components

The **Logical** components represent the organizational and structural elements:

**Partitions:**

* **Domain Partition**: Contains all objects for a specific domain
* **Configuration Partition**: Forest-wide configuration data shared by all DCs
* **Schema Partition**: Defines object classes and attributes for the entire forest
* **Application Partitions**: Custom partitions for specific applications (like DNS zones)

**Schema:**

* The blueprint that defines what objects can exist in Active Directory
* Specifies object classes (user, computer, group) and their attributes
* Controls data validation and structure
* Can be extended to support new object types and attributes

**Domains:**

* Administrative and security boundaries within the forest
* Contain users, computers, groups, and other directory objects
* Have their own security policies and domain administrators
* Minimum unit for authentication and authorization

**Domain Trees:**

* Hierarchical arrangements of domains with contiguous DNS namespaces
* Child domains automatically trust their parent domains
* Example: company.com → sales.company.com → west.sales.company.com
* Share common schema and configuration

**Forests:**

* The ultimate security boundary in Active Directory
* Collection of one or more domain trees
* All domains in a forest share the same schema and configuration
* Represents the scope of administrative control and trust

**Sites:**

* Represent physical network locations with good connectivity
* Help optimize replication traffic and authentication
* Allow clients to locate nearby Domain Controllers
* Control bandwidth usage for replication between locations

**Organizational Units (OUs):**

* Containers within domains for organizing objects logically
* Enable delegation of administrative permissions
* Primary targets for Group Policy application
* Can be nested to create complex organizational hierarchies

## How Do They Work Together?

The **Physical** components provide the infrastructure and storage, while the **Logical** components provide the organizational structure and security boundaries. For example:

* **Domain Controllers** (physical) host the **Domain Partitions** (logical)
* **Global Catalog Servers** (physical) maintain information about all **Domains** in the **Forest** (logical)
* **Sites** (logical) determine which **Domain Controllers** (physical) clients will use for authentication
* The **Schema** (logical) is stored in the **Data Store** (physical) on every Domain Controller

This separation allows Active Directory to scale efficiently while maintaining security boundaries and administrative control.
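The mapping above can be read straight out of a live forest. The script below is an added example (not part of the original page) that lists the logical partitions and then every Domain Controller with its site, Global Catalog and RODC status, and flags sites that have DCs but no Global Catalog. It assumes a domain-joined host with the RSAT `ActiveDirectory` module and an account permitted to read the directory; it makes no changes.

```powershell
# Added example: map AD physical components (DCs, GCs, RODCs) onto logical
# components (domains, sites, partitions) with the RSAT ActiveDirectory module.
# Assumes a domain-joined host and read access to the directory; read-only.
Import-Module ActiveDirectory -ErrorAction Stop

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Logical: the partitions (naming contexts) replicated to this domain's DCs.
"Forest: $($forest.Name)  (schema master: $($forest.SchemaMaster))"
"Schema partition:        $($rootDse.schemaNamingContext)"
"Configuration partition: $($rootDse.configurationNamingContext)"
"Domain partition:        $($rootDse.defaultNamingContext)"
$forest.ApplicationPartitions | ForEach-Object { "Application partition:   $_" }

# Physical: every DC in every domain of the forest, with its site and roles.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$dcs |
    Select-Object Name, Domain, Site, IsGlobalCatalog, IsReadOnly,
                  @{ n = 'Partitions'; e = { $_.Partitions.Count } } |
    Sort-Object Domain, Site, Name |
    Format-Table -AutoSize

# Check: a site with DCs but no Global Catalog must reach another site to
# resolve universal group membership at logon; flag such sites for review.
$dcs | Group-Object Site | ForEach-Object {
    if (-not ($_.Group | Where-Object IsGlobalCatalog)) {
        Write-Warning "Site '$($_.Name)' has $($_.Count) DC(s) but no Global Catalog"
    }
}

# Check: RODCs should appear only where the design places them (branch sites).
$dcs | Where-Object IsReadOnly | ForEach-Object {
    "RODC $($_.Name) in site $($_.Site) (domain $($_.Domain))"
}
```

Comparing the site-to-GC output against the intended design is a quick way to confirm that authentication stays local to each site as the Sites section describes.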
