3.1 Domain Naming Context

Each Active Directory domain is represented by a Domain NC, which holds the domain-specific data. The root of this NC is represented by a domain's distinguished name (DN). For example, the mycorp.com domain's DN would be dc=mycorp,dc=com. Each domain controller in the domain replicates a copy of the Domain NC.

Table 3-1 contains a list of the default top-level containers found in a Domain NC. Note that to see all of these containers with the Active Directory Users and Computers (ADUC) snap-in, you must select View > Advanced Features from the menu. Alternatively, you can browse all of these containers with the ADSI Edit tool available in the Windows Support Tools on any Windows Server 2003 or Windows 2000 CD.

Table 3-1. Default top-level containers of a Domain NC

| Relative distinguished name | Description |
|---|---|
| cn=Builtin | Container for predefined built-in local security groups. Examples include Administrators, Users, and Account Operators. |
| cn=Computers | Default container for computer objects representing member servers and workstations. |
| ou=Domain Controllers | Default organizational unit for computer objects representing domain controllers. |
| cn=ForeignSecurityPrincipals | Container for placeholder objects representing members of groups in the domain that are from a domain external to the forest. |
| cn=LostAndFound | Container for orphaned objects. |
| cn=NTDS Quotas | Container to store quota objects, which are used to restrict the number of objects a security principal can create in a partition or container. This container is new in Windows Server 2003. |
| cn=Program Data | Container for applications to store data instead of using a custom top-level container. This container is new in Windows Server 2003. |
| cn=System | Container for miscellaneous domain configuration objects. Examples include trust objects, DNS objects, and group policy objects. |
| cn=Users | Default container for user and group objects. |
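The following added example (not from the book) builds the Domain NC root DN from a DNS domain name and compares a one-level listing of that NC against the defaults in Table 3-1, which is a quick way to spot a missing default container or top-level objects that were added later. The function names and the sample listing are constructed for illustration; the RDNs in `DEFAULTS` are the standard Active Directory names for the containers the table describes.

```python
# Added example: audit the top-level children of a Domain NC against Table 3-1.
# Value is True when the container is new in Windows Server 2003.
DEFAULTS = {
    "cn=Builtin": False, "cn=Computers": False, "ou=Domain Controllers": False,
    "cn=ForeignSecurityPrincipals": False, "cn=LostAndFound": False,
    "cn=NTDS Quotas": True, "cn=Program Data": True,
    "cn=System": False, "cn=Users": False,
}

# Constructed sample: DNs as a one-level search under the NC root might return them.
SAMPLE_CHILDREN = [
    "CN=Builtin,DC=mycorp,DC=com", "CN=Computers,DC=mycorp,DC=com",
    "OU=Domain Controllers,DC=mycorp,DC=com",
    "CN=ForeignSecurityPrincipals,DC=mycorp,DC=com",
    "CN=LostAndFound,DC=mycorp,DC=com", "CN=NTDS Quotas,DC=mycorp,DC=com",
    "CN=System,DC=mycorp,DC=com", "CN=Users,DC=mycorp,DC=com",
    "OU=Workstations,DC=mycorp,DC=com",
]

def domain_to_dn(dns_name):
    """Map a DNS domain name to its Domain NC root DN (mycorp.com -> dc=mycorp,dc=com)."""
    labels = dns_name.strip().rstrip(".").split(".")
    if not all(labels):
        raise ValueError("empty label in domain name: %r" % dns_name)
    return ",".join("dc=" + label for label in labels)

def _norm(rdn):
    """Normalize an RDN for comparison: these names match case-insensitively."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def audit_top_level(dns_name, child_dns, server_2003=True):
    """Return the NC root DN, the Table 3-1 defaults that are missing,
    and the top-level objects that are not listed in Table 3-1."""
    base = domain_to_dn(dns_name)
    suffix = "," + base.lower()
    seen = {}
    for dn in child_dns:
        if not dn.lower().endswith(suffix):
            raise ValueError("%r is not under %s" % (dn, base))
        rdn = dn[: len(dn) - len(suffix)]
        if "," in rdn.replace("\\,", ""):
            continue  # more than one level below the NC root; out of scope here
        seen[_norm(rdn)] = rdn
    expected = {_norm(r): r for r, new in DEFAULTS.items() if server_2003 or not new}
    return {
        "base": base,
        "missing": sorted(expected[k] for k in expected.keys() - seen.keys()),
        "not_in_table": sorted(seen[k] for k in seen.keys() - expected.keys()),
    }
```

Pass `server_2003=False` for a Windows 2000 domain, where cn=NTDS Quotas and cn=Program Data are not expected. An entry under `not_in_table` is not necessarily a problem: administrator-created OUs appear there too.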
