Active Directory: How Objects Are Stored and Identified
Data stored within Active Directory is presented to the user in a hierarchical fashion
similar to the way data is stored in a filesystem. Each entry is referred to as an
object. At the structural level, there are two types of objects: containers
and non-containers. Non-container objects are also known as leaf nodes.
One or more containers branch off in a hierarchical fashion from a root container.
Each container may contain leaf nodes or other containers. As the name implies, however,
a leaf node may not contain any other objects.
Although the data in Active Directory is presented hierarchically, it is
actually stored in flat database rows and columns. The directory information
tree (DIT) file is an Extensible Storage Engine (ESE) database file. This
answers the question "Does Active Directory use Jet or ESE database technology?"
ESE is a Jet technology.
Consider the parent-child relationships of the containers and leaves in Figure 2-1. The
root of this tree has two children, Finance and Sales. Both of these are containers of
other objects. Sales has two children of its own, Pre-Sales and Post-Sales. Only the
Pre-Sales container is shown as containing additional child objects. The Pre-Sales
container holds user, group, and computer objects as an example.
User, group, and computer objects are actually containers, as they can contain other
objects such as printers. However, they are not normally drawn as containers in
diagrams such as this.
Each of these child nodes is said to have the Pre-Sales container as its parent.
Figure 2-1 represents what is known in Active Directory as a domain.
The most common type of container you will create in Active Directory is an organizational
unit (OU), but there are others as well, such as the type called "container". Each
of these has its place, as we'll show later, but the one we will be using most
frequently is the organizational unit.
Uniquely Identifying Objects
When you are potentially storing millions of objects in Active Directory, each object
has to be uniquely locatable and identifiable. To that end, objects have a globally
unique identifier (GUID) assigned to them by the system at creation. This 128-bit
number is the Microsoft implementation of the universally unique identifier (UUID)
concept from Digital Equipment Corporation. UUIDs/GUIDs are commonly misunderstood
to be guaranteed to be unique. This is not the case; the number is just statistically
improbable to be duplicated before the year 3400 AD. In the documentation for the
GUID creation API function, Microsoft says, "To a very high degree of certainty, this
function returns a unique value". The object's GUID stays with the object until it is
deleted, regardless of whether it is renamed or moved within the directory information
tree (DIT). The object's GUID will also be preserved if you move an object between
domains within a multidomain forest.
A cross-forest move of a security principal using a tool such as the
Microsoft Active Directory Migration Tool (ADMT) will not preserve
the object's GUID.
Although an object's GUID is resilient, it is not very easy to remember, nor is it based
on the directory hierarchy. For that reason, another way to reference objects, called a
distinguished name (DN), is more commonly used.
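
The following Python sketch is an added example, not code from the original text or from Microsoft. It models the two points above: objects kept as flat rows whose hierarchy is only a parent pointer, and a GUID that survives a rename or move while the DN changes. The column names, the dc=example,dc=com domain and the Sample User object are constructed for illustration and do not reflect the actual ESE schema.

```python
import uuid

class FlatDirectory:
    """Toy flat store: one row per object; hierarchy is only a parent pointer."""
    def __init__(self):
        self.rows = {}     # row_id -> {"guid", "parent", "rdn"} (hypothetical columns)
        self.by_guid = {}  # guid -> row_id, an index for lookups by GUID

    def add(self, rdn, parent_guid=None):
        row_id, guid = len(self.rows) + 1, uuid.uuid4()  # GUID assigned once, at creation
        parent = self.by_guid[parent_guid] if parent_guid is not None else None
        self.rows[row_id] = {"guid": guid, "parent": parent, "rdn": rdn}
        self.by_guid[guid] = row_id
        return guid

    def dn(self, guid):
        """Build the DN by walking parent pointers from the object up to the root."""
        parts, row_id = [], self.by_guid[guid]
        while row_id is not None:
            parts.append(self.rows[row_id]["rdn"])
            row_id = self.rows[row_id]["parent"]
        return ",".join(parts)

    def move(self, guid, new_parent_guid):
        """Re-parent one row; refuse to place a container beneath itself."""
        row_id, target = self.by_guid[guid], self.by_guid[new_parent_guid]
        walk = target
        while walk is not None:
            if walk == row_id:
                raise ValueError("cannot move an object beneath itself")
            walk = self.rows[walk]["parent"]
        self.rows[row_id]["parent"] = target

    def rename(self, guid, new_rdn):
        self.rows[self.by_guid[guid]]["rdn"] = new_rdn  # GUID and row are untouched

def build_sample():
    """Constructed tree following Figure 2-1; domain name and user are made up."""
    d = FlatDirectory()
    com = d.add("dc=com")
    root = d.add("dc=example", com)
    d.add("ou=Finance", root)
    sales = d.add("ou=Sales", root)
    pre = d.add("ou=Pre-Sales", sales)
    post = d.add("ou=Post-Sales", sales)
    user = d.add("cn=Sample User", pre)
    return d, sales, pre, post, user
```

Because the DN is derived from parent pointers, audit or inventory records that key on the DN lose track of an object after a move or rename, while records keyed on the GUID do not.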