3.2 Configuration Naming Context

The Configuration NC is the primary repository for configuration information for a forest. Every domain controller in the forest replicates the Configuration NC, which is why it is considered forest-wide. The root of the Configuration NC is found in the Configuration container, which is a subcontainer of the forest root domain. For example, the mycorp.com forest would have a Configuration NC located at cn=configuration,dc=mycorp,dc=com.

Table 3-2 contains a list of the default top-level containers found in the Configuration NC.

Table 3-2. Default top-level containers of the Configuration NC

Relative Distinguished Name



Container that holds display specifier objects, which define various properties and functions of the Active Directory MMC Snap-ins.


Container for extended rights (controlAccessRight) objects.


Contains objects that are used to represent the state of forest and domain functional level changes. This container is new in Windows Server 2003.


Container for orphaned objects.

cn=NTDS Quotas

Container to store quota objects, which are used to restrict the number of objects that security principals can create in a partition or container. This container is new in Windows Server 2003.


Contains objects for each naming context, application partition, and external reference.

cn=Physical Locations

Contains location objects (physicalLocation), which can be associated with other objects to denote location of the object.


Store of configuration information about services such as FRS, Exchange, and even Active Directory itself.


Contains all of the site topology and replication objects. This includes site, subnet, siteLink, server, and nTDSConnection objects, to name a few.

cn=WellKnown Security Principals

Holds objects representing commonly used foreign security principals, such as Everyone, Interactive, and Authenticated Users.
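
To compare Table 3-2 against a live forest, the following added example (not from the original text) reads the Configuration NC's distinguished name from RootDSE and lists its top-level containers through ADSI. The function name Get-ConfigNCTopLevelContainer is hypothetical, and the script assumes a domain-joined Windows host and an account with read access to the directory.

```powershell
# Added example: enumerate the top-level containers of the Configuration NC.
# Get-ConfigNCTopLevelContainer is a hypothetical name, not a built-in cmdlet.
function Get-ConfigNCTopLevelContainer {
    # RootDSE publishes the naming contexts of the DC that answers the bind.
    $rootDse      = [ADSI]'LDAP://RootDSE'
    $configNC     = [string]$rootDse.configurationNamingContext
    $forestRootNC = [string]$rootDse.rootDomainNamingContext
    if (-not $configNC) {
        throw 'Could not read configurationNamingContext from RootDSE (is this host domain-joined?).'
    }

    # The text places the Configuration container directly under the forest
    # root domain, e.g. cn=configuration,dc=mycorp,dc=com. Verify that here.
    $expected = "CN=Configuration,$forestRootNC"
    if ($configNC -ne $expected) {   # -ne is case-insensitive for strings
        Write-Warning "Configuration NC '$configNC' is not '$expected'."
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$configNC"
    # OneLevel returns only the immediate children, i.e. the top-level containers.
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.Filter      = '(objectClass=*)'
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('name', 'objectClass', 'whenCreated', 'distinguishedName'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                Name        = [string]$r.Properties['name'][0]
                # objectClass is multi-valued; the last value is the most specific class.
                ObjectClass = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
                WhenCreated = $r.Properties['whencreated'][0]
                DN          = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        # FindAll() holds unmanaged resources until the collection is disposed.
        $results.Dispose()
    }
}

Get-ConfigNCTopLevelContainer | Sort-Object Name | Format-Table -AutoSize
```

Saving the output and comparing it between runs shows when a top-level container has been added to the forest-wide partition, for example by an application that extends the directory.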
