interfaces, see "Data Store Interfaces" later in this section. For information about the database files, see "Data Store Physical Structure" later in this section.
DSA
The DSA runs on every domain controller as Ntdsa.dll, and it provides access to the directory database. The DSA runs as part of the Local Security Authority (LSA) process (Lsass.exe), which manages authentication packages and authenticates users and services. Running in Lsass.exe enables Active Directory to securely manage sensitive information, such as account passwords.
Clients can use one of the supported interfaces to connect (bind) to the DSA and then search for, read, and write to Active Directory objects and their attributes.
A forest-wide object in the directory, the NTDS Settings object (class nTDSDSA), represents the DSA on a domain controller, and this object contains configuration information about the DSA on that domain controller.
In addition to providing the interfaces through which directory clients gain access to directory data, the DSA provides the following functionality.
Object identification
Every object in Active Directory has a permanent globally unique identifier (GUID), which is associated with several string forms of the object name (SAMAccountName, user principal name, and distinguished name), as well as a security identifier (SID). The object names and the SID are not permanent; that is, they can be changed. All permanent references to the object are kept in terms of the GUID. The object name is used for hierarchy navigation and display purposes, and the SID is used for access control. The DSA maintains the GUID association with an object when the object’s string name or SID changes, for example, when the object is moved to a different folder (the string name changes) or when the object is moved to a different domain (the string name and the SID change).
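The following is an added example, not part of the original documentation. It joins two directory snapshots on the GUID so that a move to another folder or another domain is recognised as the same object, which is how audit or inventory tooling should key its records. The attribute names objectGUID, objectSid and distinguishedName, the binary layouts decoded here, and all sample values are assumptions supplied for the example; the sample data is constructed.

```python
import struct
import uuid

def decode_guid(raw: bytes) -> str:
    # objectGUID is returned as 16 bytes with the first three fields little-endian.
    return str(uuid.UUID(bytes_le=raw))

def decode_sid(raw: bytes) -> str:
    # Binary SID: revision, sub-authority count, 6-byte big-endian authority,
    # then `count` 32-bit little-endian sub-authorities.
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def changes_by_guid(before, after):
    # Join two snapshots on the permanent GUID and report what changed.
    old = {decode_guid(e["objectGUID"]): e for e in before}
    report = {}
    for entry in after:
        guid = decode_guid(entry["objectGUID"])
        prev = old.get(guid)
        if prev is None:
            report[guid] = ["object not in earlier snapshot"]
            continue
        delta = []
        if prev["distinguishedName"] != entry["distinguishedName"]:
            delta.append("name changed")
        if prev["objectSid"] != entry["objectSid"]:
            delta.append("SID changed to " + decode_sid(entry["objectSid"]))
        if delta:
            report[guid] = delta
    return report

def make_sid(*subs):  # builds constructed sample SIDs under authority 5
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

# Constructed sample data (not from the page): two users, two snapshots.
G1 = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
G2 = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes_le
BEFORE = [{"objectGUID": G1, "distinguishedName": "CN=Ann,OU=Sales,DC=a,DC=example", "objectSid": make_sid(21, 100, 200, 300, 1105)},
          {"objectGUID": G2, "distinguishedName": "CN=Bob,OU=Sales,DC=a,DC=example", "objectSid": make_sid(21, 100, 200, 300, 1106)}]
# Ann moved to another folder; Bob moved to another domain.
AFTER = [{"objectGUID": G1, "distinguishedName": "CN=Ann,OU=Finance,DC=a,DC=example", "objectSid": make_sid(21, 100, 200, 300, 1105)},
         {"objectGUID": G2, "distinguishedName": "CN=Bob,OU=Sales,DC=b,DC=example", "objectSid": make_sid(21, 400, 500, 600, 2201)}]

if __name__ == "__main__":
    for guid, delta in changes_by_guid(BEFORE, AFTER).items():
        print(guid, delta)
```

A join on the distinguished name or on the SID would treat both moved users as a deleted object plus a new one.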