What forward and backlinks in AD are and how group membership is stored in AD

Today I’m gonna explain, briefly, what forward links and backlinks in AD are and how group membership is stored in AD. Once we know the tricks behind that, we also know how other attributes like “managed-By” work internally, as they use the same techniques.

Let’s pretend we have a user in our domain and this user is a member of a group. What connects these two is called a “link”; in this particular case we’d call it “membership”. The link between those two objects is created based on something called a “distinguished name tag” (DNT), which is basically a row (with a unique number) in a domain controller’s database. The DNT is unique for each object in a DC’s database, pretty much like an ID, but it is specific to that one DC: every DC assigns its own. The DNT doesn’t get replicated and it doesn’t get exposed anywhere in the UI. It’s just a database thing to make searching and referencing a lot faster. Storing an actual address where to “ring” a bell is faster than writing down the number of the telephone book the person you want to reach is listed in (okay, that comparison sucked).

Group membership, with the “member” attribute on groups and the corresponding “memberOf” attribute on the user side, is stored using these DNTs. Groups store their members by database-unique DNT (referencing the row the object is saved in). This is called the forward link. At the other end, users store their group memberships the other way round, tracking the DNTs of all groups they are a member of. That’s called the backlink.

There are a number of linked attributes in AD; member/memberOf is only one example. These linked attributes are identified by a linkID, stored in the so-called linkTable in AD. From there, they are computed once queried or needed. The linkID of a forward link is always even, whereas a backlink’s linkID is always odd. Through this relationship (forward linkID + 1 = back linkID), the partner link can always be found and identified (more on that here).

Without going too deep into the technical details, there’s another thing we need to know when looking at group membership and forward links and backlinks: forward links are writable and backlinks are read-only. This means that only forward links are changed and the corresponding backlinks are computed automatically. That also means that only forward links are replicated between DCs, whereas backlinks are maintained by the DCs after that.


One question is left (if you kept up and read carefully): as stated earlier, the DNT is only a local database row number (sort of) and these DNTs are used to identify the members of a group – how does that get replicated? Good question – I happened to forget the correct answer so I went to the guys at the activedir.org mailing list and they were friendly enough to help me. So thanks to Don and joe, I now know (and after reading this – you too) that for replication, DNTs are calculated into a form that contains the object’s SID, GUID and DN string so the DC at the other end can create its own DNT entry out of it to store it locally.

We now know that group membership isn’t just a list of DNs that refer to the actual objects (that would be boring, wouldn’t it?) – it’s more a list of row addresses that are stored in the local database that are linked back and forth so referencing is easy. To save replication traffic and trouble, only the forward link, one of those links, is saved – the second can be computed.
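A toy Python model of the mechanism described in this post, added here as an illustration; it is not code from the author and not the real database layout. The `DC` class, its dictionaries and the sample identities are constructed for the example, and the linkID values used (2/3 for member/memberOf, 72/73 for managedBy/managedObjects) are the schema values for those attributes, which the post itself does not list.

```python
# Toy model of AD link storage; not the real ntds.dit layout.
LINK_IDS = {"member": 2, "memberOf": 3, "managedBy": 72, "managedObjects": 73}
ATTR = {v: k for k, v in LINK_IDS.items()}

def partner(link_id):   # forward links are even, backlink = forward + 1
    return link_id + 1 if link_id % 2 == 0 else link_id - 1

class DC:
    def __init__(self, first_dnt):
        self.next_dnt = first_dnt   # DNTs are local row numbers, different per DC
        self.dnt_of = {}            # objectGUID -> local DNT
        self.rows = {}              # local DNT -> (guid, sid, dn)
        self.links = set()          # (forward linkID, owner DNT, target DNT)

    def add_object(self, ident):    # ident = (guid, sid, dn); returns local DNT
        if ident[0] not in self.dnt_of:
            self.dnt_of[ident[0]] = self.next_dnt
            self.rows[self.next_dnt] = ident
            self.next_dnt += 1
        return self.dnt_of[ident[0]]

    def write(self, attr, owner, target):
        link_id = LINK_IDS[attr]
        if link_id % 2:             # odd linkID: backlink, read-only
            raise PermissionError(attr + " is a backlink and cannot be written")
        self.links.add((link_id, self.add_object(owner), self.add_object(target)))

    def read(self, attr, ident):
        link_id, dnt = LINK_IDS[attr], self.dnt_of[ident[0]]
        if link_id % 2 == 0:        # forward link: rows owned by this object
            hits = [t for lid, o, t in self.links if lid == link_id and o == dnt]
        else:                       # backlink: computed from the partner forward link
            hits = [o for lid, o, t in self.links if lid == partner(link_id) and t == dnt]
        return sorted(self.rows[d][2] for d in hits)

    def replicate_to(self, other):
        # Only forward links travel, as (guid, sid, dn) identities, never as DNTs.
        for link_id, o, t in self.links:
            other.write(ATTR[link_id], self.rows[o], self.rows[t])

# Constructed sample identities (GUIDs, SIDs and DNs are made up).
ALICE = ("guid-alice", "S-1-5-21-1-2-3-1104", "CN=Alice,OU=Staff,DC=example,DC=com")
ADMINS = ("guid-admins", "S-1-5-21-1-2-3-1105", "CN=Helpdesk,OU=Groups,DC=example,DC=com")

def demo():
    dc1, dc2 = DC(first_dnt=4000), DC(first_dnt=9000)
    dc1.write("member", ADMINS, ALICE)   # the only write: the group's forward link
    dc1.replicate_to(dc2)
    return dc1, dc2
```

After `demo()`, reading `memberOf` for the user on either DC returns the group's DN even though nothing was ever written to the user, and the same object sits at a different DNT on each DC.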

Published by jdalbera
