How the Data Store Works


Updated: June 8, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

In this section

· Data Store Architecture
· Data Store Protocols
· Data Store Interfaces
· Data Store Logical Structure
· Data Store Physical Structure
· Data Store Processes and Interactions
· Network Ports Used by the Data Store
· Related Information

In Active Directory, the data store contains database files and processes that store and manage directory information for users, services, and applications. A copy of the data store runs on each domain controller in the forest. The Active Directory data store is often referred to as the directory.

Note
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to Active Directory Domain Services.

The ideal environment for the data store includes the following:

· A domain controller running an operating system in the Windows Server 2003 or later family and containing hardware that meets the minimum hardware requirements of the edition of the operating system.
· For environments consisting of multiple domain controllers, the presence of a fully functioning Active Directory replication topology
· For environments consisting of multiple domain controllers, the presence of a fully functioning File Replication Service (FRS) topology
· A regular backup schedule
· Regular monitoring of Active Directory, either through manual review of event logs or through an automated monitoring solution, such as Microsoft Operations Manager (MOM)

This section describes the elements of the Active Directory data store, including its architecture, protocols, interfaces, logical structure, physical structure, processes and interactions, and network ports.

Data Store Architecture

The Active Directory data store consists of several components that together provide directory services to directory clients and to other directory servers. These components include three service components, four interfaces, and the directory database where data is actually stored. The following figure illustrates the architecture of the data store.

[Figure: Data Store Architecture]

The following table describes the components of the data store.

Data Store Components

Component | Description
Interfaces: Lightweight Directory Access Protocol (LDAP), replication (REPL) and domain controller management interface, Messaging API (MAPI), Security Accounts Manager (SAM) | The data store interfaces provide a way for directory clients and other directory servers to communicate with the data store.
Directory System Agent (DSA) (Ntdsa.dll) | The DSA, which runs as Ntdsa.dll on each domain controller, provides the interfaces through which directory clients and other directory servers gain access to the directory database. In addition, the DSA enforces directory semantics, maintains the schema, guarantees object identity, and enforces data types on attributes.
Database layer | The database layer is an application programming interface (API) that resides in Ntdsa.dll and provides an interface between applications and the directory database to protect the database from direct interaction with applications. Calls from applications are never made directly to the database; they go through the database layer. In addition, because the directory database is flat, with no hierarchical namespace, the database layer provides the database with the abstraction of an object hierarchy.
Extensible Storage Engine (ESE) (Esent.dll) | The ESE, which runs as Esent.dll, manages the tables of records, each with one or more columns, that make up the directory database.
Database files | The data store stores directory information in a single database file called Ntds.dit. In addition, the data store also uses log files, to which it temporarily writes uncommitted transactions.

The DSA, database layer, and ESE are described in the following sections. For information about the interfaces, see "Data Store Interfaces" later in this section. For information about the database files, see "Data Store Physical Structure" later in this section.

DSA

The DSA runs on every domain controller as Ntdsa.dll, and it provides access to the directory database. The DSA runs as part of the Local Security Authority (LSA) process (Lsass.exe), which manages authentication packages and authenticates users and services.
Running in Lsass.exe enables Active Directory to securely manage sensitive information, such as account passwords.

Clients can use one of the supported interfaces to connect (bind) to the DSA and then search for, read, and write to Active Directory objects and their attributes.

A forest-wide object in the directory, the NTDS Settings object (class nTDSDSA), represents the DSA on a domain controller, and this object contains configuration information about the DSA on that domain controller.

In addition to providing the interfaces through which directory clients gain access to directory data, the DSA provides the following functionality.

Object identification
Every object in Active Directory has a permanent globally unique identifier (GUID), which is associated with several string forms of the object name (SAMAccountName, user principal name, and distinguished name), as well as a security identifier (SID). The object names and the SID are not permanent; that is, they can be changed. All permanent references to the object are kept in terms of the GUID. The object name is used for hierarchy navigation and display purposes, and the SID is used for access control. The DSA maintains the GUID association with an object when the object's string name or SID changes, for example, when the object is moved to a different folder (the string name changes) or when the object is moved to a different domain (the string name and the SID change).

Schema enforcement
The DSA ensures that data in the directory adheres to the data definitions that are provided by the directory schema. The schema is the set of rules that determines what kind of data the directory can hold.

Note
· In forests, if an update does not produce a conflict with the schema at the originating replica, the update is considered acceptable at all replicas. Therefore, replicated updates do not perform schema checks, and you do not have to wait until the schema replicates before creating instances of a new object or attribute. For more information about replication, see "Active Directory Replication Model Technical Reference".

Access control enforcement
The DSA enforces security limitations in the directory by reading SIDs on the access token.

Support for replication
The API that is called to initiate replication is implemented in the DSA.

Referrals
The DSA manages the directory hierarchy information (referred to as knowledge), which it receives from the database layer. The DSA is responsible for cross-references of Active Directory domain objects.

Functional levels
Beginning with Windows Server 2003 and later domain controllers, the DSA has a built-in numeric value that identifies its operating system version and therefore its functional capabilities to other services. Services that rely on the DSA can use this numeric value to determine which of their service features to enable.

DSA GUID and Invocation ID

Both the DSA and the Active Directory database are represented uniquely and have their own respective GUIDs. The DSA GUID is the GUID of the NTDS Settings object (class nTDSDSA). The value of the DSA GUID is stored in the objectGUID attribute of the NTDS Settings object of the given domain controller server object, which resides in the Sites container in the configuration directory partition.

Domain controllers use the DSA GUID to locate replication partners. Replication uses a special Domain Name System (DNS) name that contains the DSA GUID. This GUID-based DNS name is an alias for the local computer name. The Net Logon service registers this alias resource record in DNS in the form of the CNAME (canonical name) resource record.

The DSA GUID is created when the domain controller is initially promoted, that is, when Active Directory is installed. The DSA GUID is destroyed only if Active Directory is removed from the domain controller. The DSA GUID ensures that the DSA remains recognizable when a domain controller is renamed.
The DSA GUID is also not affected by the Active Directory backup and restore process.

The Active Directory database has its own GUID, which the DSA uses to identify the database instance (the version of the database). The database GUID is stored in the invocationId attribute on the nTDSDSA object. Unlike the DSA GUID, which never changes for the lifetime of the domain controller, the invocation ID changes during the Active Directory restore process to ensure the consistency of the replication process. On domain controllers running Windows Server 2003 or later, the invocation ID also changes when an application directory partition is removed from or added to the domain controller.

Database Layer

The database layer is an API that resides in Ntdsa.dll and provides an object view of the directory database, making the data accessible to the DSA as a set of hierarchical containers. By applying schema semantics to database records, the database layer isolates the upper components of the directory service from the underlying database system. The database layer is an internal interface. No database access calls are made directly to the ESE; instead, all database access is routed through the database layer.

In the directory database, each object is identified by its relative distinguished name, which is unique in the object's parent container. The relative distinguished name and the chain of successive parent object names make up the object's distinguished name. The database stores the relative distinguished name for each object, as well as a reference to the parent object. The database layer follows these parent references and concatenates the successive relative distinguished names to form distinguished names, thereby defining the object hierarchy.

The database layer is also responsible for the creation, retrieval, and deletion of individual records (objects), attributes within records, and values within attributes. To carry out these functions, the database layer uses the schema cache (an in-memory structure in the DSA) to get the information about the attributes that it needs.

ESE

The Extensible Storage Engine (ESE) is a Windows component that is used by Active Directory, as well as by several other Windows components, as an interface to the data that is stored in an indexed and sequential access method (ISAM) database. (The Active Directory database is an ISAM database.) The ESE is responsible for indexing the data in the database file and for transferring the data in and out of the database. Its purpose is to enable applications to store and retrieve data by using the ISAM. The ESE provides applications with a consistent data state by means of transacted data update and retrieval. A crash recovery mechanism maintains data consistency, even in the event of a system crash. Transactions in the ESE are highly concurrent, making the ESE suitable for server applications. The ESE caches data intelligently to ensure high-performance access to data. In addition, the ESE is resource efficient, making it suitable for applications that perform auxiliary roles.

The version of the ESE that runs on domain controllers is implemented in Esent.dll.

The following characteristics of the ESE make it well suited to the storage needs of Active Directory. The ESE:

· Supports databases of up to 16 terabytes (TB) in size, and it can hold many millions of objects per domain.
· Supports indexing.
· Supports multivalued attributes.
· Supports update operations that are transacted for stability and integrity across system failures.
· Can be backed up while the domain controller is online.
· Handles sparsely populated objects well; that is, space in the database is not reserved for attributes that do not have values.

Note
· The encrypting file system (EFS) enables users to encrypt individual files, folders, or entire data drives.
Because EFS initialization and domain controller startup occur in parallel, EFS recovery operations can interfere with the ability of the ESE to start Active Directory and cause domain controller startup to fail.

The Active Directory schema defines all the attributes that are required and allowed for a given object. However, the ESE reserves storage only for the space that is used, that is, only for the attributes that have values, not for all possible attributes. For example, if a user object has 50 attributes defined in the schema and you create a user with values for only 4 attributes, storage space is allocated only for those 4 attributes. If more attributes are added later, more storage is allocated for them.

The ESE implements the search and retrieval functionality of the underlying database. Also, the ESE is able to store attributes that can have multiple values. For example, the database can store multiple phone numbers for a single user without requiring a different phone number attribute for each phone number.

ESE provides transactional views of the database. The cost of providing these views is that any object that is modified in a transaction has to be temporarily copied so that two views of the object can be provided: one to the thread inside that transaction and one to threads in other transactions. This copy must remain as long as any two transactions in the process have different views of the object. The repository that holds these temporary copies is called the version store. Because the version store requires contiguous virtual address space, it has a size limit. If a transaction is open for a long time while changes are being made (either in that transaction or in others), eventually the version store can be exhausted. At this point, no further database updates are possible.

Note
· The percentage of version store space that is available for processing has been significantly increased in Windows Server 2003 and later.

Data Store Protocols

The primary protocol that is used by the Active Directory data store is Lightweight Directory Access Protocol (LDAP), which runs on top of TCP/IP. In addition, the data store uses remote procedure call (RPC) for MAPI, replication, domain controller management, and SAM-related operations. And, although it is not widely used, the data store also supports the use of Simple Mail Transfer Protocol (SMTP) for replication between
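
Added example (not part of the original text): a Python sketch of the parent-reference scheme described under Database Layer, together with the GUID-based identity described under Object identification. The table layout, field names and sample rows are constructed for illustration and are not the real Ntds.dit columns; the sketch shows why a record that must survive a rename or move, such as an audit entry, should key on the GUID rather than the distinguished name.

```python
import uuid

SPECIALS = ',+"\\<>;'  # characters RFC 4514 requires escaping in a DN value

def make_table():
    """Constructed sample: flat rows holding an RDN, a parent row id and a GUID.
    Field names are hypothetical, not the real Ntds.dit column names."""
    rows = [(1, None, "DC", "com"), (2, 1, "DC", "contoso"),
            (3, 2, "OU", "Sales"), (4, 2, "OU", "Archive"),
            (5, 3, "CN", "Smith, Jane")]
    return {rid: {"parent": parent, "attr": attr, "value": value,
                  "guid": uuid.uuid5(uuid.NAMESPACE_DNS, f"row-{rid}")}
            for rid, parent, attr, value in rows}

def escape_rdn_value(value):
    """Escape a value for use inside a distinguished name string."""
    out = "".join("\\" + ch if ch in SPECIALS else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def distinguished_name(table, row_id):
    """Follow parent references and concatenate RDNs, leaf first."""
    parts, seen = [], set()
    while row_id is not None:
        if row_id in seen:
            raise ValueError(f"parent reference loop at row {row_id}")
        if row_id not in table:
            raise ValueError(f"dangling parent reference to row {row_id}")
        seen.add(row_id)
        row = table[row_id]
        parts.append(f"{row['attr']}={escape_rdn_value(row['value'])}")
        row_id = row["parent"]
    return ",".join(parts)

def move(table, row_id, new_parent):
    """A move rewrites one parent reference; RDN and GUID stay as they are."""
    table[row_id]["parent"] = new_parent

if __name__ == "__main__":
    table = make_table()
    user_guid = table[5]["guid"]
    print(distinguished_name(table, 5))
    move(table, 3, 4)  # move OU=Sales under OU=Archive; row 5 is not modified
    print(distinguished_name(table, 5), table[5]["guid"] == user_guid)
```

Moving the Sales container changes the distinguished name of every object beneath it without touching those objects' rows, while each GUID stays constant; the loop and dangling-reference checks stand in for the consistency problems a damaged table could present.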
