Appendix I: Default Container Hierarchy for Active Directory Partitions
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This appendix contains the default container hierarchy for all Active Directory partitions.
Configuration Directory Partition
The configuration directory partition root object has the following child objects:
DisplaySpecifiers
Contains the objects that define different user interfaces for each object class in the schema that requires a graphical user interface (for example, right-click menus and property pages).
Extended-Rights
Stores objects of class controlAccessRight that can be used by applications to extend standard access control.
ForestUpdates
Stores operation objects that are generated by forest preparation tasks (when you run adprep /forestprep) so that the system can check for the tasks that have and have not been completed when you are upgrading the first domain controller in the forest to Windows Server 2003. The child object CN=Operations contains the objects that represent each update operation. These objects are named for the GUID of the operation. The child object CN=Windows2003Update is created to indicate that all adprep operations have run.
LostAndFoundConfig
Provides storage for global configuration objects that have been created in or moved to a location that no longer exists after replication.
NTDS Quotas
Stores objects (class msDS-QuotaControl) that contain object ownership quota assignments for the configuration directory partition. Quotas limit the number of objects that a user (including inetOrgPerson), group, computer, or service can own in a domain, configuration, or application directory partition.
Note
This container only exists in Windows Server 2003 Active Directory.
Partitions
Stores the cross-references to every directory partition in the forest, including the configuration partition, the schema partitions, and all domain directory partitions.
Physical Locations
Serves no purpose in Windows 2000 Server or Windows Server 2003. It is reserved for future use.
Services
Stores network-wide, service-specific information that applications use to connect to instances of services in the forest.
Note
The Services node in Active Directory Sites and Services is hidden by default. To reveal the Services node, right-click Active Directory Sites and Services, point to View, and then click Show Services Node.
Sites
Stores all of the site objects in the enterprise network, objects that represent replicating domain controllers in those sites, and objects that define the replication topology.
Well-Known Security Principals
Contains the special identities that are defined by the security system, such as Everyone, LocalSystem, Principal Self, Authenticated User, and Creator Owner.
Schema Directory Partition
There is only one schema directory partition per forest. The schema directory partition contains the definitions of all objects that can be instantiated in Active Directory. It also stores the definitions of all attributes that can be a part of objects in Active Directory. Every domain controller has one fully writeable copy of the schema directory partition, although schema updates are allowed only on the domain controller that is the schema operations master.
The schema directory partition root object contains one child object for each class of objects that can be instantiated in the Active Directory forest and contains one object for each attribute that can be part of an object in the Active Directory forest.
Domain Directory Partitions
The domain directory partition root object has the following child objects:
Builtin
Stores built-in groups. All built-in groups have a well-known security identifier (SID).
Computers
Default storage area for new computer objects that were originally created through legacy APIs that are not Active Directory–aware.
Domain Controllers
Default container for new domain controllers. The Domain Controllers container cannot be renamed.
ForeignSecurityPrincipals
Proxy objects for security principals that are from Microsoft® Windows NT® version 4.0 operating system domains or Windows NT® 3.51 domains, or that are from different forests, and that have been added to Windows® 2000 or Windows Server 2003 groups.
LostAndFound (Advanced Features)
Storage area for new domain-wide objects whose containers were deleted elsewhere at the same time that the object was created. The LostAndFoundConfig container in the configuration directory partition serves the same purpose for forest-wide objects.
NTDS Quotas (Advanced Features)
Storage area for objects of class msDS-QuotaControl, which contain object ownership quotas for the domain directory partition. Quotas limit the number of objects that a user, group, computer, or service can create in a directory partition.
Note
This container only exists in Windows Server 2003 Active Directory.
Program Data (Advanced Features)
Empty container that is available for applications to store application-specific data in the domain directory partition.
System (Advanced Features)
Built-in system settings for the various system service containers and objects.
Users
Default storage area for new user accounts that are created through legacy APIs that are not Active Directory–aware.
Note
The Users container, the Computers container, and several other special containers, called “well-known” containers, can be dependably located by applications.
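The following Python example is added to this appendix and is not part of the original Microsoft documentation. It shows how an application can resolve the well-known containers named above from the domain root object's wellKnownObjects attribute instead of assuming fixed names such as CN=Users or CN=Computers. Each value of that attribute is a DN-with-binary string of the form B:32:<GUID>:<DN>. The GUID constants are the well-known container GUIDs that Microsoft publishes for these containers; they are treated here as an assumption to confirm against a live directory, and the sample attribute values (the example.com domain, the redirected Computers container) are constructed for the example.

```python
"""Resolve the default domain containers through the wellKnownObjects attribute.

Added example, not code from the Windows Server 2003 documentation. Assumes the
DN-with-binary format 'B:<hex-digit-count>:<hex>:<distinguished name>' used by
the wellKnownObjects attribute on a domain root object.
"""
import re
from typing import Dict, List, Optional, Tuple

# Well-known GUIDs of the default domain containers (assumed to match the values
# Microsoft publishes; confirm against a live directory before relying on them).
WELL_KNOWN_CONTAINERS: Dict[str, str] = {
    "A9D1CA15768811D1ADED00C04FD8D5CD": "Users",
    "AA312825768811D1ADED00C04FD8D5CD": "Computers",
    "AB1D30F3768811D1ADED00C04FD8D5CD": "System",
    "A361B2FFFFD211D1AA4B00C04FD7D83A": "Domain Controllers",
    "2FBAC1870ADE11D297C400C04FD8D5CD": "Infrastructure",
    "18E2EA80684F11D2B9AA00C04F79F805": "Deleted Objects",
    "AB8153B7768811D1ADED00C04FD8D5CD": "LostAndFound",
    "22B70C67D56E4EFB91E9300FCA3DC1AA": "ForeignSecurityPrincipals",
    "09460C08B4F411D297F400C04FD8D5CD": "Program Data",
    "6227F0AF1FC2410D8E3BB10615BB5B0F": "NTDS Quotas",
}

# B:<number of hex digits>:<hex digits>:<DN>
_DN_WITH_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]+):(.+)$")


def is_dn_with_binary(value: str) -> bool:
    """True if the string has the DN-with-binary shape used by wellKnownObjects."""
    return _DN_WITH_BINARY.match(value) is not None


def parse_dn_with_binary(value: str) -> Tuple[str, str]:
    """Split one wellKnownObjects value into (GUID as upper-case hex, DN).

    Raises ValueError if the shape is wrong or the declared length does not
    match the embedded data, so a malformed value is never silently accepted.
    """
    match = _DN_WITH_BINARY.match(value)
    if match is None:
        raise ValueError(f"not a DN-with-binary value: {value!r}")
    length, hexdata, dn = match.groups()
    if int(length) != len(hexdata):
        raise ValueError(f"declared length {length} does not match data in {value!r}")
    if len(hexdata) != 32:
        raise ValueError(f"GUID must be 32 hex digits in {value!r}")
    return hexdata.upper(), dn


def map_well_known_objects(values: List[str]) -> Dict[str, str]:
    """Map each recognised container name to the DN the directory assigns it."""
    located: Dict[str, str] = {}
    for value in values:
        guid, dn = parse_dn_with_binary(value)
        name = WELL_KNOWN_CONTAINERS.get(guid)
        if name is not None:  # GUIDs registered by applications are ignored here
            located[name] = dn
    return located


def locate(values: List[str], container: str) -> Optional[str]:
    """Return the current DN of a well-known container, or None if not published."""
    return map_well_known_objects(values).get(container)


def wkguid_bind_path(container: str, domain_dn: str) -> str:
    """Build the LDAP bind path that resolves a well-known container by GUID."""
    guid = next(g for g, n in WELL_KNOWN_CONTAINERS.items() if n == container)
    return f"LDAP://<WKGUID={guid},{domain_dn}>"


# Constructed sample: the wellKnownObjects values of a domain whose default
# container for new computer objects has been changed to an OU.
SAMPLE_WELL_KNOWN_OBJECTS = [
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=example,DC=com",
    "B:32:AA312825768811D1ADED00C04FD8D5CD:OU=Staging,DC=example,DC=com",
    "B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=example,DC=com",
    "B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=example,DC=com",
]

if __name__ == "__main__":
    for name, dn in sorted(map_well_known_objects(SAMPLE_WELL_KNOWN_OBJECTS).items()):
        print(f"{name:20} -> {dn}")
    print(wkguid_bind_path("Users", "DC=example,DC=com"))
```

Because the directory publishes the distinguished name for each GUID, a script that reads wellKnownObjects keeps addressing the right container after an administrator changes the default container for new user or computer objects, whereas one that hard-codes CN=Computers would silently operate on the wrong container. The WKGUID bind path built by wkguid_bind_path lets a client bind to the same container directly without first reading the attribute.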
Deleted Objects
A special container, not visible in the user interface (UI), to which objects are moved when they are deleted.
Infrastructure
An object of class infrastructureUpdate that identifies the NTDS settings object of the domain controller that holds the infrastructure master role for the domain.
Note
The designation (Advanced Features) above indicates that, in the Active Directory Users and Computers MMC snap-in, the container is visible only when the Advanced Features option is checked.