Introduction

The Active Directory schema contains the blueprint for how objects are structured and secured, what data they can contain, and even how they can be viewed. A thorough understanding of the schema is paramount for any Active Directory administrator. Understanding key concepts, such as class inheritance, class types, attribute syntax, and attribute indexing options, is critical to designing an Active Directory infrastructure adequately and should be considered mandatory for any developer who writes applications or automation scripts that use Active Directory.

If you are one of the lucky few who is designated as a schema administrator (i.e., a member of the Schema Admins group), then the importance of the schema is already well known to you. This chapter serves as a guide to accomplishing many of the day-to-day tasks you will need to do as a schema administrator. If you feel you need more nuts-and-bolts information on how the schema works, I suggest reading Chapter 4 of Active Directory, Second Edition (O'Reilly).

The Anatomy of Schema Objects

An interesting feature of Active Directory that is not common among other LDAP implementations is that the schema is stored within Active Directory as a set of objects. This means that you can use similar interfaces and programs to manage the schema as you would any other type of object.

All schema objects are stored in the Schema container (e.g., cn=schema,cn=configuration,<ForestRootDN>). The schema consists of two classes of objects, classSchema and attributeSchema. Unsurprisingly, classSchema objects define classes and attributeSchema objects define attributes. The Schema container contains a third type of object called subSchema, also known as the abstract schema, which is defined in the LDAP v3 specification (RFC 2251). There is only a single subSchema object in the Schema container, named cn=Aggregate, and it contains a summary of the entire schema.

Table 10-1 and Table 10-2 contain useful attributes of classSchema objects and attributeSchema objects, respectively.

Table 10-1. Attributes of classSchema objects

Attribute                      Description
-----------------------------  ------------------------------------------------------------
adminDescription               Description of the class.
auxiliaryClass                 Multivalued attribute containing any auxiliary classes defined for the class.
cn                             Relative distinguished name of the class.
defaultHidingValue             Boolean that determines whether objects of this class are hidden by default in administrative GUIs.
defaultSecurityDescriptor      Default security descriptor applied to objects of this class.
governsID                      Object identifier (OID) for the class.
isDefunct                      Boolean that indicates whether the class is defunct (i.e., deactivated).
lDAPDisplayName                Name used when referencing the class in searches or when instantiating or modifying objects of this class.
mayContain                     Multivalued attribute that contains a list of attributes that can be optionally set on the class.
mustContain                    Multivalued attribute that contains a list of attributes that must be set on the class.
objectClassCategory            Integer representing the class's type. Can be one of 1 (structural), 2 (abstract), 3 (auxiliary), or 0 (88).
possibleInferiors              Multivalued list of other object classes this object can contain.
possSuperiors                  Multivalued list of object classes this object can be subordinate to.
rDNAttID                       Naming attribute (i.e., RDN) of instances of the class.
schemaIDGUID                   GUID of the class.
showInAdvancedViewOnly         Boolean that indicates whether instances of this class should only be shown in Advanced mode in the administrative GUIs.
subClassOf                     Parent class.
systemAuxiliaryClass           Multivalued attribute containing any auxiliary classes defined for the class. This can only be modified internally by Active Directory.
systemFlags                    Integer representing additional properties of the class.
systemMayContain               Multivalued attribute that contains a list of attributes that can be optionally set on the class. This can only be modified internally by Active Directory.
systemMustContain              Multivalued attribute that contains a list of attributes that must be set on the class. This can only be modified internally by Active Directory.
systemPossSuperiors            Multivalued list of object classes this object can be subordinate to. This can only be modified internally by Active Directory.

Table 10-2. Attributes of attributeSchema objects

Attribute                      Description
-----------------------------  ------------------------------------------------------------
adminDescription               Description of the attribute.
attributeID                    OID for the attribute.
attributeSecurityGUID          GUID to be used to apply security credentials to a set of objects.
attributeSyntax                OID representing the syntax of the attribute. This is used in conjunction with oMSyntax to define a unique syntax.
cn                             Relative distinguished name of the attribute.
isDefunct                      Boolean that indicates whether the attribute is defunct (i.e., deactivated).
isMemberOfPartialAttributeSet  Boolean that indicates whether the attribute is a member of the partial attribute set (i.e., the global catalog).
isSingleValued                 Boolean that indicates whether the attribute is single valued or multivalued.
linkID                         If this is populated, it contains an integer that represents a link (either forward or backward) to another attribute.
lDAPDisplayName                Name used when referencing the attribute in searches or when populating it on objects. Note that this value may not be the same as cn.
oMSyntax                       Integer representing the OM type of the attribute. This is used in conjunction with attributeSyntax to determine a unique syntax for the attribute.
schemaIDGUID                   GUID of the attribute.
searchFlags                    Integer representing special properties related to searching with the attribute. This includes how the attribute is indexed and whether it is used in ANR searches.
systemFlags                    Integer representing additional properties of the attribute.
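To make the integer-coded fields in Tables 10-1 and 10-2 concrete, here is an added Python example (not from the book) that parses a constructed LDIF export of a few schema objects, in the shape ldifde.exe produces for the Schema container, and decodes objectClassCategory, searchFlags and isMemberOfPartialAttributeSet. The searchFlags bit values are taken from the MS-ADTS Search Flags documentation, not from this chapter, and the object names in the sample are made up.

```python
# Constructed LDIF records (sample data, not a real export) in the shape ldifde.exe
# produces for objects under cn=Schema,cn=Configuration,<ForestRootDN>.
SAMPLE_LDIF = """\
dn: CN=Example-Class,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: exampleClass
objectClassCategory: 1
subClassOf: top

dn: CN=Example-Secret,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: exampleSecret
isMemberOfPartialAttributeSet: TRUE
searchFlags: 133

dn: CN=Example-Note,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: exampleNote
searchFlags: 5
"""

CLASS_CATEGORY = {0: "88", 1: "structural", 2: "abstract", 3: "auxiliary"}  # Table 10-1
# searchFlags bit meanings as documented in MS-ADTS (Search Flags); the values are not on this page.
SEARCH_FLAGS = {0x1: "indexed", 0x4: "anr", 0x80: "confidential", 0x200: "rodc-filtered"}

def parse_ldif(text):
    """Split LDIF text on blank lines into dicts of attribute -> list of values."""
    records, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        else:
            name, _, value = line.partition(":")
            current.setdefault(name.strip(), []).append(value.strip())
    return records

def describe(record):
    """Decode the integer-coded fields from Tables 10-1 and 10-2 for one schema object."""
    name = record["lDAPDisplayName"][0]
    if record["objectClass"][0] == "classSchema":
        return {"name": name, "kind": "class", "parent": record["subClassOf"][0],
                "category": CLASS_CATEGORY[int(record["objectClassCategory"][0])]}
    flags = int(record.get("searchFlags", ["0"])[0])
    return {"name": name, "kind": "attribute",
            "search_flags": sorted(n for bit, n in SEARCH_FLAGS.items() if flags & bit),
            # TRUE here means the attribute replicates to every global catalog.
            "in_gc": record.get("isMemberOfPartialAttributeSet", ["FALSE"])[0] == "TRUE"}
```

Run against a real export (ldifde -f schema.ldf -d cn=schema,cn=configuration,<ForestRootDN>), this gives a quick inventory of which attributes are confidential, which are replicated to the global catalog, and which classes are structural versus auxiliary.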