Within each NC (excluding the schema NC), there are certain well-known system objects that can be referred to using a well-known GUID (see section 3.1.1.3 for more information). Domain and config NC root objects contain an attribute called wellKnownObjects that lists the well-known system objects within that NC. Each value in this list is an Object(DN-Binary) value where the Binary portion is the well-known GUID in binary form and the DN portion is the DN of the object. The well-known GUID can be used in conjunction with the NC DN to refer to the object (for more information, see section 3.1.1.3).
The following invariants apply to the wellKnownObjects attribute on the NC root object and the referred-to objects:
- For each of the well-known GUIDs listed below for a given NC, the wellKnownObjects attribute on the NC root object must contain a value such that the binary portion matches the well-known GUID. There must be exactly one such value.
- If rename of the referred-to object is permitted (based on the value of the systemFlags attribute on each object), the DN portion of the value is updated.
- The well-known Users container and the well-known Computers container in the domain NC may be redirected, under the following constraints:
  - The modification must be made on a DC that owns the PDC FSMO.
  - The modification removes the reference to the existing object and adds a new reference in the same operation.
  - The new object being referred to must not be in the System container of the domain NC.
  - The new object being referred to must exist, and if different from the currently referred-to Users or Computers containers, it must not have the following bits in the systemFlags attribute: FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE
  - As part of the redirection, the following flags are added to the new object being referred to and removed from the old object: FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE
In AD DS, the following well-known objects exist within each domain NC.
RDN | Symbolic name for well-known GUID |
Computers | GUID_COMPUTERS_CONTAINER_W |
Deleted Objects | GUID_DELETED_OBJECTS_CONTAINER_W |
Domain Controllers | GUID_DOMAIN_CONTROLLERS_CONTAINER_W |
ForeignSecurityPrincipals | GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W |
Infrastructure | GUID_INFRASTRUCTURE_CONTAINER_W |
LostAndFound | GUID_LOSTANDFOUND_CONTAINER_W |
Microsoft (Note 1) | GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_W |
NTDS Quotas | GUID_NTDS_QUOTAS_CONTAINER_W |
Program Data | GUID_PROGRAM_DATA_CONTAINER_W |
System | GUID_SYSTEMS_CONTAINER_W |
Users | GUID_USERS_CONTAINER_W |
Note 1 The Microsoft container is a child of the Program Data container.
In AD DS, the following well-known objects exist within each application NC.
RDN | Symbolic name for well-known GUID |
Deleted Objects | GUID_DELETED_OBJECTS_CONTAINER_W |
Infrastructure | GUID_INFRASTRUCTURE_CONTAINER_W |
LostAndFound | GUID_LOSTANDFOUND_CONTAINER_W |
NTDS Quotas | GUID_NTDS_QUOTAS_CONTAINER_W |
In AD DS, the following well-known objects exist within the config NC.
RDN | Symbolic name for well-known GUID |
Deleted Objects | GUID_DELETED_OBJECTS_CONTAINER_W |
LostAndFoundConfig | GUID_LOSTANDFOUND_CONTAINER_W |
NTDS Quotas | GUID_NTDS_QUOTAS_CONTAINER_W |
In AD LDS, the following well-known objects exist within each application NC.
RDN | Symbolic name for well-known GUID |
Deleted Objects | GUID_DELETED_OBJECTS_CONTAINER_W |
ForeignSecurityPrincipals (Note 2) | GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W |
LostAndFound | GUID_LOSTANDFOUND_CONTAINER_W |
NTDS Quotas | GUID_NTDS_QUOTAS_CONTAINER_W |
Roles | GUID_USERS_CONTAINER_W |
Note 2 The ForeignSecurityPrincipals container is created (and the corresponding value created in the wellKnownObjects attribute) when the first foreignSecurityPrincipal object is created in the NC.
In AD LDS, the following well-known objects exist within the config NC.
RDN | Symbolic name for well-known GUID |
Deleted Objects | GUID_DELETED_OBJECTS_CONTAINER_W |
ForeignSecurityPrincipals | GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W |
LostAndFoundConfig | GUID_LOSTANDFOUND_CONTAINER_W |
NTDS Quotas | GUID_NTDS_QUOTAS_CONTAINER_W |
Roles | GUID_USERS_CONTAINER_W |
The following table gives the GUID values for each of the symbolic names of the well-known GUIDs.
Symbolic name for well-known GUID | GUID |
GUID_COMPUTERS_CONTAINER_W | AA312825768811D1ADED00C04FD8D5CD |
GUID_DELETED_OBJECTS_CONTAINER_W | 18E2EA80684F11D2B9AA00C04F79F805 |
GUID_DOMAIN_CONTROLLERS_CONTAINER_W | A361B2FFFFD211D1AA4B00C04FD7D83A |
GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W | 22B70C67D56E4EFB91E9300FCA3DC1AA |
GUID_INFRASTRUCTURE_CONTAINER_W | 2FBAC1870ADE11D297C400C04FD8D5CD |
GUID_LOSTANDFOUND_CONTAINER_W | AB8153B7768811D1ADED00C04FD8D5CD |
GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_W | F4BE92A4C777485E878E9421D53087DB |
GUID_NTDS_QUOTAS_CONTAINER_W | 6227F0AF1FC2410D8E3BB10615BB5B0F |
GUID_PROGRAM_DATA_CONTAINER_W | 09460C08AE1E4A4EA0F64AEE7DAA1E5A |
GUID_SYSTEMS_CONTAINER_W | AB1D30F3768811D1ADED00C04FD8D5CD |
GUID_USERS_CONTAINER_W | A9D1CA15768811D1ADED00C04FD8D5CD |
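The invariants and redirection rules above can be checked against a domain NC root's wellKnownObjects values. The following is an added example, not part of the specification: it assumes the values are in the LDAP string form of Object(DN-Binary), `B:<hex char count>:<hex>:<DN>`, that the containers keep their default names, and that the function names, the `DC=example,DC=com` NC and the sample values are constructed for illustration.

```python
import re

# Domain NC well-known GUIDs (AD DS), copied from the tables on this page,
# mapped to each object's default DN relative to the NC root (assumed defaults).
DOMAIN_NC = {
    "AA312825768811D1ADED00C04FD8D5CD": "CN=Computers",
    "18E2EA80684F11D2B9AA00C04F79F805": "CN=Deleted Objects",
    "A361B2FFFFD211D1AA4B00C04FD7D83A": "OU=Domain Controllers",
    "22B70C67D56E4EFB91E9300FCA3DC1AA": "CN=ForeignSecurityPrincipals",
    "2FBAC1870ADE11D297C400C04FD8D5CD": "CN=Infrastructure",
    "AB8153B7768811D1ADED00C04FD8D5CD": "CN=LostAndFound",
    "F4BE92A4C777485E878E9421D53087DB": "CN=Microsoft,CN=Program Data",
    "6227F0AF1FC2410D8E3BB10615BB5B0F": "CN=NTDS Quotas",
    "09460C08AE1E4A4EA0F64AEE7DAA1E5A": "CN=Program Data",
    "AB1D30F3768811D1ADED00C04FD8D5CD": "CN=System",
    "A9D1CA15768811D1ADED00C04FD8D5CD": "CN=Users",
}
REDIRECTABLE = {"CN=Users", "CN=Computers"}  # only these may be redirected
DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]+):(.+)$")  # LDAP string form

def parse_value(value):
    """Split one wellKnownObjects value into (GUID hex, DN)."""
    m = DN_BINARY.match(value)
    if not m or int(m.group(1)) != 32 or len(m.group(2)) != 32:
        raise ValueError(f"not a 16-byte DN-Binary value: {value!r}")
    return m.group(2).upper(), m.group(3)

def audit(values, nc_dn):
    """Return (kind, default relative DN, detail) findings for a domain NC."""
    seen = {}
    for value in values:
        guid, dn = parse_value(value)
        seen.setdefault(guid, []).append(dn)
    findings = []
    for guid, rel in DOMAIN_NC.items():
        dns = seen.get(guid, [])
        if len(dns) != 1:  # invariant: exactly one value per well-known GUID
            findings.append(("value-count", rel, len(dns)))
        elif rel in REDIRECTABLE and dns[0].lower() != f"{rel},{nc_dn}".lower():
            # Redirection target must not sit under the System container.
            in_system = dns[0].lower().endswith(f",cn=system,{nc_dn}".lower())
            findings.append(("in-system" if in_system else "redirected", rel, dns[0]))
    return findings

# Constructed sample: Computers redirected to an OU, NTDS Quotas value missing.
NC = "DC=example,DC=com"
SAMPLE = [f"B:32:{g}:{rel},{NC}" for g, rel in DOMAIN_NC.items()
          if rel not in ("CN=Computers", "CN=NTDS Quotas")]
SAMPLE.append(f"B:32:AA312825768811D1ADED00C04FD8D5CD:OU=Workstations,{NC}")
```

A "redirected" finding is not a violation in itself, since the section permits it for Users and Computers; it is worth reviewing because new user and computer objects created without an explicit location land in the referred-to container.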