Windows Server 2003 : Managing Schema Modifications

The Active Directory Schema

In Active Directory environments, the schema is the storage location for the definitions of all objects that can be created in the directory. All objects stored in Active Directory are associated with object classes and attributes. An object class is a category of directory objects that share a common set of characteristics, such as users, groups, or printers. Each object class is also associated with defined attributes that are used to describe instances of that class. For example, when you create a new computer account in Active Directory, that computer account becomes an instance of the Computer object class. The Computer object class has attributes associated with it, including location, operating system, and a DNS host name. In other words, when you are creating any Active Directory object, you are actually creating an instance of a particular object class that is already defined in the schema. The information that you enter about the object (such as its name) becomes an instance of that attribute. The only types of objects that can be created in Active Directory are ones that already have object classes and attributes present in the schema.

In Windows Server 2003 Active Directory, the schema is stored in a dedicated directory partition that is replicated to all domain controllers in the same forest. Although each domain controller stores a copy of this partition, changes to the schema can be made only on the domain controller designated as the schema master. By default, the schema master role is held on the first domain controller installed in a new Active Directory forest. However, the role can also be moved to a different domain controller using tools such as the Active Directory Schema snap-in. To make changes to the schema, a user must be a member of the Schema Admins group found in the forest root domain or have been delegated appropriate permissions.

Although the default schema installed with Windows Server 2003 Active Directory contains hundreds of common object classes and attributes, there might still be times when schema modification is necessary. For example, a company might want to associate additional custom attributes with existing object classes or define entirely new object classes to meet its needs. More commonly, the Active Directory schema is extended as part of installing a directory-enabled application, such as Microsoft Exchange.

The primary tool used to view and edit the Active Directory schema is the Active Directory Schema snap-in. However, the following tools and utilities can also be used to administer the schema:

• Ldifde.exe. This command-line tool is the preferred method for deploying tested extensions to the schema into a production environment.

• ADSI Edit snap-in. This MMC snap-in acts as a low-level editor for Active Directory.

• Ldp.exe. This GUI-based utility supports LDAP operations against any LDAP-compatible directory.

• Csvde.exe. This command-line utility is used to import and export data from Active Directory by using comma-separated text files.

Planning Schema Changes

Prior to making any changes to the Active Directory schema, you absolutely must consider all issues associated with schema modification. With a standard Active Directory installation, schema modifications are not generally required, except as dictated by directory-enabled applications in use. As a general rule, you should make changes to the schema only when absolutely necessary, keeping in mind that an incorrect configuration setting can potentially affect systems throughout an Active Directory forest.

The Windows Server 2003 Active Directory schema can be modified in a variety of ways. These include:

• Extending the schema to include new object classes or attributes

• Modifying existing classes or attributes

• Deactivating and reactivating existing classes or attributes

In each of these cases, the primary tool used to modify the schema is the Active Directory Schema snap-in. Considerations for each type of modification are listed in the following sections.

Extending the Schema

Extending the Active Directory schema involves defining new object classes or attributes when existing objects classes and attributes in the base Active Directory schema do not meet your needs. Prior to extending the Active Directory schema on a production network, it is highly recommended that you first implement and test your proposed schema extensions in a lab environment.

The following list outlines some key elements that should be considered prior to extending the Active Directory schema:

• Ensure that the base schema does not meet your needs prior to creating new object classes or attributes. In cases where an existing object class or attribute meets your needs, it is better to use these object classes or attributes rather than to define new ones unnecessarily.

• Review any available Active Directory schema documentation. If new object classes or attributes are randomly assigned properties, a conflict might occur. Schema documentation provides the best source of information about existing object classes and attributes.

• Remember that schema modifications are global. When you modify the schema, changes affect the entire forest.

• Understand that existing system classes in the schema cannot be modified.

• Understand that schema extensions are not reversible. Although object classes and attributes can be deactivated, you cannot delete them if an error was made or they are no longer required.

• Valid object identifiers (OIDs) will need to be obtained. All new objects and attributes should be assigned valid X.500 OID numbers. These numbers should not be randomly assigned.

• Once completed, all changes should be documented. Because the schema consists of many different object classes and attributes, any changes should be fully documented for future reference and troubleshooting purposes.

Modifying Existing Classes or Attributes

Modifying existing object classes and attributes does not extend the Active Directory schema, but rather changes various properties associated with those that already exist. For example, an administrator might decide to modify an existing object class by changing the description or security permissions associated with the class. Along the same lines, the goal might be to associate additional existing attributes with an object class.

Similarly, existing schema attributes can also be modified. Common examples of ways in which attributes are modified include changing their descriptions, configuring the attribute to be indexed in Active Directory, or configuring the attributes to be replicated to the global catalog. If an administrator wanted additional attributes to be replicated to the global catalog, he or she would accomplish this by modifying the properties of an existing attribute, usually via the Active Directory Schema snap-in.

Deactivating and Reactivating Object Classes or Attributes

The Windows Server 2003 Active Directory schema does not allow you to delete object classes or attributes. However, both object classes and attributes can be deactivated if they are no longer required or were configured incorrectly. Once an object class or attribute has been disabled, it is considered to be defunct. Although instances of defunct object classes and attributes can no longer be created, a defunct object class or attribute can be reactivated if necessary.

Even after an object class or attribute has been deactivated, the ability to use that object class or attribute in the future is not necessarily lost. Because defunct object classes and attributes are never actually removed from the Active Directory schema, they can be reactivated if necessary, but only if a variety of conditions are met. For example, a defunct attribute can be reactivated only if the values of its IDAPDisplayName, attributeID, governsID, schemalDGUID, and mAPIID do not conflict with other existing object classes or attributes that might have been subsequently created or modified.

Active Directory Schema Snap-In

The primary tool used to manage the schema on a Windows Server 2003 system is the Active Directory Schema snap-in. This tool is not available on Windows Server 2003 domain controllers until it is manually installed. The process for installing the Active Directory Schema snap-in is as simple as registering the DLL file associated with the snap-in by using the Regsvr32.exe command, as outlined below:

regsvr32 schmmgmt.dll

Once this command is issued, the Active Directory Schema snap-in can be added to any new or existing custom MMC console as illustrated in Figure 1.

The Active Directory Schema snap-in can be used to carry out the following tasks:

• View and edit existing object classes and attributes

• Extend the schema by adding new object classes and attributes

• Deactivate and reactivate existing object classes and attributes

• Change the domain controller on which the schema master role resides

• Reload the schema

The following sections walk you through the process of installing the Active Directory Schema snap-in, extending and modifying the schema, replicating attributes to the global catalog, and finally transferring the schema master role to a different domain controller.

Installing the Active Directory Schema Snap-In and Adding It to an MMC Console

Perform the following steps to install the Active Directory Schema snap-in and then add it to a new MMC console:

Extending the Schema Using the Active Directory Schema Snap-In

Perform the following steps to extend the schema to include a new object class and attribute.

Deactivating or Reactivating a Class or Attribute Using the Active Directory Schema Snap-In

Perform the following steps to deactivate and then reactivate an existing schema object class:

Configuring an Attribute to Be Replicated to the Global Catalog

Perform the following steps to configure an existing attribute to be replicated to the global catalog:

Transferring the Schema Master Role

Perform the following steps to transfer the schema master role to a different domain controller: