The directory tree recodesents the hierarchy of Active Directory objects for a given forest. The hierarchy provides the basis both for using names for navigation and for defining the scope of search requests.
For every object in Active Directory, information is stored in the directory database that identifies (references) the parent object; each object has exactly one parent. By virtue of these parent references, the hierarchy of objects managed by Active Directory forms a tree structure in which the vertices are the directory entries (class instances, or objects) and the connecting lines are the parent-child relationships between the entries. The objects that populate the directory create this tree structure according to the rules of the schema, which define what classes of objects are allowed to be created in which positions relative to other objects. For example, the schema might dictate that a given class of object can be the child of one class but not the child of another class.
The following are several architectural restrictions and requirements within the directory tree:
Domain objects, which are containers, can be children only of other domain objects. For example, a domain cannot be the child of an organizational unit.
The root of the directory tree is called rootDSE , or directory root . RootDSE is an "imaginary" object that has no hierarchical name or schema class, but it does have a set of attributes that identify the contents of a given domain controller. Thus, rootDSE constitutes the root of the directory tree from the perspective of the domain controller to which you are connected.
Below the root of the tree, every directory has a root domain , which is the first domain created in a forest. This domain always has a child container called Configuration, which contains configuration data for the forest. The configuration data includes information about all services, sites, and other domains (partitions) in the forest. The Configuration container has a child container called Schema. The domain and the Configuration container, with its child Schema container, recodesent the three default Active Directory directory partitions.
For more information about parent-child relationships, see "Active Directory Schema" and "Active Directory Logical Structure" in this book.
The ** rootDSE (DSA-specific Entry) recodesents the top of the logical namespace for one domain controller, and, therefore, it recodesents the top of the LDAP search tree. There is only one root for a given directory, but the information stored in the root is specific to the domain controller to which you connect. The attributes of rootDSE identify both the directory partitions (the domain, schema, and configuration directory partitions) that are specific to one domain controller and the forest root domain directory partition. Thus, the rootDSE provides a "table of contents" for a given domain controller.
The rootDSE publishes information about the LDAP server, including what LDAP versions it supports, supported Simple Authentication and Security Layer (SASL) mechanisms, and supported controls, as well as the distinguished name for its subschemaSubentry .
The following are the operational attributes on the rootDSE object. All LDAP servers recognize these attribute names, but when the attribute corresponds to a feature that the server does not implement, the attribute is absent.
subschemaSubentry The name of a subschema entry, which is used to administer information about the schema; in particular, the object classes and attribute types that are supported. (For more information about subschemaSubentry , see "Active Directory Schema" in this book.)
namingContexts Naming contexts (directory partitions) that this server masters (stores as a writable replica) or shadows (stores as a read-only replica). This attribute allows a client to choose suitable base objects for searching when the client has contacted a server.
supportedControl Object identifiers that identify the LDAP controls that the server supports. If the server does not support any controls, this attribute is absent.
supportedSASLMechanisms The names of the SASL mechanisms that the server supports. SASL is a standard for negotiating an authentication mechanism and (optionally) an encryption mechanism. If the server does not support either type of mechanism, this attribute is absent.
supportedLDAPVersion The versions of LDAP that the server implements.
supportedExtension Object identifiers (known as "OIDs") that identify the supported extended operations that the server supports. If the server does not support any extensions, this attribute is absent. This attribute is absent by default for Active Directory servers.
altServer The values of this attribute are URLs of other servers that can be contacted when this server becomes unavailable. If the server does not know of any other servers, this attribute is absent. This attribute is absent by default for Active Directory servers.
In addition to the operational attributes described in the codeceding paragraphs, Active Directory also supports the following informational attributes:
currentTime. The current time in the generalized time format.
dsServiceName. NTDS settings.
defaultNamingContext. The default naming context (directory partition) for a particular server. This value is the distinguished name of the domain directory partition for which this domain controller is authoritative.
schemaNamingContext. The naming context (directory partition) for the forest schema.
configurationNamingContext. The naming context (directory partition) for the forest Configuration container.
rootDomainNamingContext. The distinguished name for the domain naming context (directory partition) that is the first domain that was created in this forest. This domain functions as the forest root domain.
supportedLDAPPolicies. Supported LDAP management policies.
highestCommittedUsn. Highest update sequence number (USN) committed to the database on this domain controller. (For information about update sequence numbers, see "Active Directory Replication" in this book.)
dnsHostName. The DNS name of this domain controller.
serverName. The fully qualified distinguished name for this domain controller.
supportedCapabilities. The object identifier value (1.2.840.113522.214.171.1240) that indicates the additional capabilities of an Active Directory server, such as dynamic update, integrated DNS zones, and LDAP policies.
LdapServiceName. The service principal name for the LDAP server, which is used for mutual authentication.
isSynchronized. Boolean indicator for whether the domain controller has completed its initial sync with replica partners.
isGlobalCatalogReady. Boolean indicator for whether the domain controller is codepared to advertise itself as a Global Catalog.
For more information about rootDSE and rootDSE attributes, see the Request for Comments (RFC) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources . Follow the links to RFC 2251 and RFC 2252.
You can use ADSI Edit or Ldp to see the contents of rootDSE for a given domain controller.
To use ADSI Edit and Ldp, install the Support Tools that are located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For more information about using ADSI Edit and Ldp, see MicrosoftWindows 2000 Support Tools Help. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools folder of the Windows 2000 operating system CD.
To view rootDSE properties by using ADSI Edit
In ADSI Edit, right-click the ADSI Edit icon, and then click Connect to .
To connect to a different domain controller from the default domain controller (the domain controller for the domain to which you are logged on), click Select or type a domain or server , and then type a domain name or server name.
Under Connection Point , click Naming Context .
In the Naming Context list, click RootDSE and then click OK .
Expand the RootDSE [ServerName ] node.
Right-click the RootDSE folder, and then click Properties .
In the RootDSE Properties dialog box, view a property value by selecting the property in the Select properties to view box.
You can use ADSI Edit to view one rootDSE property value at a time. To view the entire list of properties and their values, use Ldp.
Ldp.exe is a graphical tool that you can use to perform LDAP operations, such as connect, bind, search, modify, add, and delete, against any LDAP-compatible directory, such as Active Directory. When you use Ldp to connect to a domain controller, the tool displays a list of the rootDSE attribute values that are stored on the domain controller to which you connect.
You can open Ldp in any of the following ways: from the Windows 2000 Support Tools menu by selecting Active Directory Administration Tool ; from the Run dialog box by typing ldp ; or from a command prompt by typing ldp .
To connect to a domain controller and view rootDSE attributes by using Ldp
In Ldp, on the Connection menu, click Connect .
In the Server box, either use the current domain controller name or type the name of the domain controller to which you want to connect.
In the Port box, type the port number that you want to use.
Port 389 is the default port for LDAP; port 3268 is the default port for the Active Directory Global Catalog.
Click OK .
The following printout shows the results of an Ldp Connect operation. The rootDSE information is displayed in the Ldp details pane.
ld = ldap_open("sea-rk-dc-01", 389);
Established connection to sea-rk-dc-01.
Retrieving base DSA information...
Result <0>: (null)
Getting 1 entries:
1> currentTime: 10/1/1999 15:49:25 Pacific Standard Time Pacific Daylight Time;
1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=reskit,DC=com;
1> dsServiceName: CN=NTDS Settings,CN=SEA-RK-DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com;
3> namingContexts: CN=Schema,CN=Configuration,DC=reskit,DC=com; CN=Configuration,DC=reskit,DC=com; DC=reskit,DC=com;
1> defaultNamingContext: DC=reskit,DC=com;
1> schemaNamingContext: CN=Schema,CN=Configuration,DC=reskit,DC=com;
1> configurationNamingContext: CN=Configuration,DC=reskit,DC=com;
1> rootDomainNamingContext: DC=reskit,DC=com;
16> supportedControl: 1.2.840.1135126.96.36.1999; 1.2.840.1135188.8.131.521; 1.2.840.1135184.108.40.2063; 1.2.840.1135220.127.116.118; 1.2.840.113518.104.22.1687; 1.2.840.113522.214.171.1249; 1.2.840.1135126.96.36.1991; 1.2.840.1135188.8.131.529; 1.2.840.1135184.108.40.2065; 1.2.840.1135220.127.116.111; 1.2.840.113518.104.22.1680; 1.2.840.113522.214.171.1248; 1.2.840.1135126.96.36.1994; 1.2.840.1135188.8.131.529; 1.2.840.1135184.108.40.2060; 1.2.840.1135220.127.116.113;
2> supportedLDAPVersion: 3; 2;
11> supportedLDAPPolicies: InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxActiveQueries; MaxNotificationPerConn; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxPoolThreads; MaxDatagramRecv;
1> highestCommittedUSN: 191396;
2> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
1> dnsHostName: SEA-RK-DC-01.reskit.com;
1> ldapServiceName: reskit.com:sea-rk-dc-01$@RESKIT.COM;
1> serverName: CN=SEA-RK-DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com;
1> supportedCapabilities: 1.2.840.113518.104.22.1680;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: TRUE;
The rootDSE attribute values also can be retrieved from an LDAPv3 server by using a base-level search with a null base distinguished name and with the filter (objectClass=*). (For more information about LDAP searches, see "Name Resolution in Active Directory" in this book.)
For more information about rootDSE, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources . Search the SDK on the keyword "rootDSE".
Extended LDAP Controls
Windows 2000 supports several LDAP controls that extend the functionality of the LDAPv3 protocol. Microsoft has defined these LDAP controls to increase the functionality of Active Directory. These controls provide functionality that is not provided by current Internet Engineering Task Force (IETF) RFCs. The rootDSE indicates all controls that are in effect for the contacted server through the object identifier (also known as "OID") values in the supportedControl attribute.
Extended LDAP control functionality is useful to programmers who are using LDAP to perform directory operations. Some of the operations that can be implemented using extended controls are deleting trees, paging and sorting search results, and showing deleted objects. (For more information about showing deleted objects, see "Active Directory Name Resolution" in this book.)
For more information about using LDAP controls, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources . Search the SDK using the keyword "LDAPControl" (one word).
LDAP control object identifiers are required only by the LDAP API. Most developers use ADSI, which uses other mechanisms, such as search codeference flags, to achieve the same functionality. For more information about using ADSI, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources .
Attribute Range Option
The LDAP protocol reads a multivalue attribute as a single entity, which can be inconvenient in the time that it takes when the number of values is large or, in some cases, makes reading the attribute impossible. The Range option can be specified as part of an attribute description to retrieve the values of a multivalue attribute incrementally. An attribute description includes an attribute type (for example, member ) and a list of options, one of which can be the Range option. When codesented in a searchRequest message, the Range option specifies a zero-relative range of elements (for example, 0-9) to be retrieved. By specifying the Range option followed by a range specifier, only the number of values in that range are retrieved.
To retrieve a range of values in Ldp, open a search (on the Browse menu, click Search), and then, in the Search dialog box, click Options . In the Attributes box, specify an attribute and the Range option. The attribute name and the Range option must be enclosed in quotation marks (" ").
For example, to read six members of a group at a time, use the group distinguished name as the search base and type the following in the Attributes box: " member;range=0-5 ". This search will return six values for an object with multiple values in the member attribute.
For more information about using the Range option, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources . Search the SDK using the keywords "range specifier" and "enumerating groups."