The Schema NC
contains objects representing the classes and attributes that Active
Directory supports. The schema is defined on a forest-wide basis, so
the Schema NC is replicated to every domain controller in the forest.
The root of the Schema NC can be found in the Schema container, which
is a subcontainer of the Configuration container. For example, in the
mycorp.com forest, the Schema NC would be located at
Although the Schema container appears to be a child of the
Configuration container, it is actually a separate naming context in
its own right. Figure 3-1 shows how the Schema and
Configuration NCs are segregated in the ADSI Edit tool.
Figure 3-1. ADSI Edit view of the Configuration and Schema Naming Contexts
You may be wondering why the schema isn't just
contained within the Configuration NC. As we covered in Chapter 2, there is a Schema FSMO role that is the
single master for updates to schema objects. The Schema FSMO role is
necessary due to the highly sensitive nature of the schema and the
fact that two conflicting schema updates could spell disaster for a
forest. Since there is only a single domain controller that schema
changes can be made on, the schema must replicate differently from
the Configuration NC, which can be updated by any domain controller
in the forest.
Unlike the Domain and Configuration NCs, the Schema NC does not
contain a hierarchy of containers or organizational units. Instead it
is a single container that has classSchema, attributeSchema, and
subSchema objects. The classSchema objects define the different types
of classes and their associated attributes. The attributeSchema
objects define all the attributes that are used as part of
classSchema definitions. There is also a single subSchema object that
represents the abstract schema as defined in the LDAPv3 RFC
Chapter 4 and Chapter 12 deal with the schema in more depth.