12.4 Wreaking Havoc with Your Schema

There are a number of ways to cause problems in your Active Directory schema. We include a few examples here so that you can be fully aware of the problems.

Let's start by considering the main base classes of attributeSchema, classSchema, and top. Imagine we decide to add a new mandatory attribute to top. As all classes derive from top, the mandatory attribute requirement is suddenly added to every class and attribute throughout the schema in one go. Since none of the existing classes and attributes have this value, they all suddenly become marked as invalid. They still exist and can be used, but they cannot be modified at all. New timestamps cannot be added, USNs cannot be changed, replication stops, and effectively your Active Directory grinds to a halt. The reason that the objects cannot be modified is that Active Directory does a special check when existing instances of objects are modified to make sure that all mandatory attributes have been set. If they have not all been set, which they won't have been in this case, Active Directory will not allow any attribute changes from now on. The only solution is to remove the new mandatory attribute or set a value for the attribute on every single object in every NC in the entire forest.

There are also concurrency problems. Having a Schema FSMO is perfectly fine, but that doesn't necessarily stop members of Schema Admins from attempting to run two schema-modifying applications at the same time. Every time an application or piece of code attempts to write to the schema, it automatically writes a special system attribute at the same time. Two system-attribute writes anywhere in Active Directory cannot occur simultaneously, so one will fail if this is the case. In the scenario of simultaneous applications executing, the changes to the schema may all be handled sequentially and the requests from both applications may be interleaved, but the two applications at some point may attempt to write together. At that point, one of them will fail. If the failed application is rerun, it must be coded to detect the existence of each object (i.e., the previous creation succeeded) prior to creating the object, or else the object-creation process will continually fail.

You can also make instances of objects invalid quite easily. For example, let's say that we define that new class we mentioned earlier called Finance-User, and create an instance of it called cn=SimonWilliams. If we then remove Languages-Spoken from Finance-User's mandatory attributes, the SimonWilliams user becomes invalid because the SimonWilliams instance has an attribute that is not now allowed in the schema definition for Finance-User. Again, it is up to the person or code that makes the Languages-Spoken attribute defunct to go through Active Directory and find all instances of Finance-User and modify them to remove the value in this now-defunct attribute. If this isn't done, any instances of Finance-User with the Languages-Spoken attribute defined (all, in this case, as it was mandatory) remain invalid.

You cannot cause invalid instances by modifying existing attributeSchema objects, as all the key attributes are defined in system attributes. However, you can cause havoc with existing classSchema objects. Ways of doing this are:

  • Removing classes as possible superiors; this can leave instances under invalid parent containers.

  • Adding classes to the list of auxiliary classes; this can change what attributes are now considered mandatory.

  • Removing classes from the list of auxiliary classes; this can change what attributes are now considered mandatory and optional and can thus leave instances with now nonexistent attributes.

  • Directly removing mandatory or optional attributes; this can leave instances with now nonexistent attributes.

If the DC holding the Schema FSMO role unexpectedly disappears, you can force another server to assume the role. But if the original DC ever comes back, you have two Schema FSMOs, and you will need to rectify that by making sure only one server has the role. However, if the original server had some updates applied prior to its crash, and you allow updates to be made on the new Schema Master, the updates from the old DC will eventually propagate around the network. Your problems to be aware of in this scenario are twofold:

  • If the new Schema FSMO created objects that conflict with some created on the original master prior to its departure, some objects will be removed from Active Directory during the conflict-resolution process.

  • If the two DCs are online and both believe they are the Schema FSMO, both will accept schema updates equally.

A simple solution, if you can live with it, is either not to force a FSMO until the old DC returns and assumes its role or to force a FSMO temporarily and remove everyone from the Schema Admins group to prevent changes in the meantime. In the latter case, when the original DC comes back, force the FSMO role onto it.

Finally, the system itself will protect you from some forms of stupidity using the system-only attribute and Access Control Lists (ACLs). These work together to prevent you from deleting the user or group object from Active Directory or removing the securityPrincipal as an auxiliary class of both. While you may be aware of this already from our many examples of the use of the four system attributes, it bears mentioning one final time. For attributeSchema object classes, the attributeId, attributeSyntax, and oMSyntax are marked as system-only attributes and so cannot be changed or deleted. For classSchema objects, the subClassOf, governsId, systemMayContain, systemMustContain, systemAuxiliaryClass, and systemPossSuperiors are marked as system-only attributes and so cannot be changed or deleted. Other very important classes and attributes cannot be deleted as their ACLs are locked to prevent this.

    Part II: Designing an Active Directory Infrastructure
    Part III: Scripting Active Directory with ADSI, ADO, and WMI