The Active Directory Schema
In Active Directory environments, the schema is the storage location for the definitions of all objects that can be created in the directory. All objects stored in Active Directory are associated with object classes and attributes. An object class is a category of directory objects that share a common set of characteristics, such as users, groups, or printers. Each object class is also associated with defined attributes that are used to describe instances of that class. For example, when you create a new computer account in Active Directory, that computer account becomes an instance of the Computer object class. The Computer object class has attributes associated with it, including location, operating system, and DNS host name. In other words, when you create any Active Directory object, you are actually creating an instance of a particular object class that is already defined in the schema. The information that you enter about the object (such as its name) becomes an instance of the corresponding attribute. The only types of objects that can be created in Active Directory are those that already have object classes and attributes present in the schema.
In Windows Server 2003 Active Directory, the schema is stored in a dedicated directory partition that is replicated to all domain controllers in the same forest. Although each domain controller stores a copy of this partition, changes to the schema can be made only on the domain controller designated as the schema master. By default, the schema master role is held by the first domain controller installed in a new Active Directory forest. However, the role can also be moved to a different domain controller using tools such as the Active Directory Schema snap-in. To make changes to the schema, a user must be a member of the Schema Admins group found in the forest root domain or have been delegated appropriate permissions.
Important
Making changes to the schema has consequences across an entire forest. Because of this, membership in the Schema Admins group should be restricted. Microsoft recommends adding users to this group only for as long as a schema modification will take, and then immediately removing the user from the group once the modification is completed. By default, only the Administrator account in the forest root domain is a member of the Schema Admins group.
Although the default schema installed with Windows Server 2003 Active Directory contains hundreds of common object classes and attributes, there might still be times when schema modification is necessary. For example, a company might want to associate additional custom attributes with existing object classes or define entirely new object classes to meet its needs. More commonly, the Active Directory schema is extended as part of installing a directory-enabled application, such as Microsoft Exchange.
The primary tool used to view and edit the Active Directory schema is the Active Directory Schema snap-in. However, the following tools and utilities can also be used to administer the schema:
Ldifde.exe. This command-line tool is the preferred method for deploying tested extensions to the schema into a production environment.
ADSI Edit snap-in. This MMC snap-in acts as a low-level editor for Active Directory.
Ldp.exe. This GUI-based utility supports LDAP operations against any LDAP-compatible directory.
Csvde.exe. This command-line utility is used to import and export data from Active Directory by using comma-separated text files.
Planning Schema Changes
Prior to making any changes to the Active Directory schema, you absolutely must consider all issues associated with schema modification. With a standard Active Directory installation, schema modifications are not generally required, except as dictated by the directory-enabled applications in use. As a general rule, you should make changes to the schema only when absolutely necessary, keeping in mind that an incorrect configuration setting can potentially affect systems throughout an Active Directory forest.
The Windows Server 2003 Active Directory schema can be modified in a variety of ways. These include:
Extending the schema to include new object classes or attributes
Modifying existing classes or attributes
Deactivating and reactivating existing classes or attributes
In each of these cases, the primary tool used to modify the schema is the Active Directory Schema snap-in. Considerations for each type of modification are listed in the following sections.
Extending the Schema
Extending the Active Directory schema involves defining new object classes or attributes when the existing object classes and attributes in the base Active Directory schema do not meet your needs. Prior to extending the Active Directory schema on a production network, it is highly recommended that you first implement and test your proposed schema extensions in a lab environment.
The following list outlines some key elements that should be considered prior to extending the Active Directory schema:
Ensure that the base schema does not meet your needs prior to creating new object classes or attributes. In cases where an existing object class or attribute meets your needs, it is better to use that object class or attribute rather than to define new ones unnecessarily.
Review any available Active Directory schema documentation. If new object classes or attributes are randomly assigned properties, a conflict might occur. Schema documentation provides the best source of information about existing object classes and attributes.
Remember that schema modifications are global. When you modify the schema, changes affect the entire forest.
Understand that existing system classes in the schema cannot be modified.
Understand that schema extensions are not reversible. Although object classes and attributes can be deactivated, you cannot delete them if an error was made or they are no longer required.
Valid object identifiers (OIDs) will need to be obtained. All new object classes and attributes should be assigned valid X.500 OID numbers. These numbers should not be randomly assigned.
Once completed, all changes should be documented. Because the schema consists of many different object classes and attributes, any changes should be fully documented for future reference and troubleshooting purposes.
Modifying Existing Classes or Attributes
Modifying existing object classes and attributes does not extend the Active Directory schema, but rather changes various properties associated with those that already exist. For example, an administrator might decide to modify an existing object class by changing the description or security permissions associated with the class. Along the same lines, the goal might be to associate additional existing attributes with an object class.
Similarly, existing schema attributes can also be modified. Common examples of ways in which attributes are modified include changing their descriptions, configuring the attribute to be indexed in Active Directory, or configuring the attribute to be replicated to the global catalog. If an administrator wanted additional attributes to be replicated to the global catalog, he or she would accomplish this by modifying the properties of an existing attribute, usually via the Active Directory Schema snap-in.
Deactivating and Reactivating Object Classes or Attributes
The Windows Server 2003 Active Directory schema does not allow you to delete object classes or attributes. However, both object classes and attributes can be deactivated if they are no longer required or were configured incorrectly. Once an object class or attribute has been disabled, it is considered to be defunct. Although instances of defunct object classes and attributes can no longer be created, a defunct object class or attribute can be reactivated if necessary.
Even after an object class or attribute has been deactivated, the ability to use that object class or attribute in the future is not necessarily lost. Because defunct object classes and attributes are never actually removed from the Active Directory schema, they can be reactivated if necessary, but only if a variety of conditions are met. For example, a defunct attribute can be reactivated only if the values of its lDAPDisplayName, attributeID, governsID, schemaIDGUID, and mAPIID do not conflict with those of other existing object classes or attributes that might have been subsequently created or modified.
Active Directory Schema Snap-In
The primary tool used to manage the schema on a Windows Server 2003 system is the Active Directory Schema snap-in. This tool is not available on Windows Server 2003 domain controllers until it is manually installed. Installing the Active Directory Schema snap-in is as simple as registering the DLL file associated with the snap-in by using the Regsvr32.exe command, as outlined below:
regsvr32 schmmgmt.dll
Once this command is issued, the Active Directory Schema snap-in can be added to any new or existing custom MMC console, as illustrated in Figure 1.
The Active Directory Schema snap-in can be used to carry out the following tasks:
View and edit existing object classes and attributes
Extend the schema by adding new object classes and attributes
Deactivate and reactivate existing object classes and attributes
Change the domain controller on which the schema master role resides
Reload the schema
The following sections walk you through the process of installing the Active Directory Schema snap-in, extending and modifying the schema, replicating attributes to the global catalog, and finally transferring the schema master role to a different domain controller.
Installing the Active Directory Schema Snap-In and Adding It to an MMC Console
Perform the following steps to install the Active Directory Schema snap-in and then add it to a new MMC console:
1. Click Start, and then click Command Prompt.
2. At the command line, type regsvr32 schmmgmt.dll and press ENTER.
3. When the RegSvr32 dialog box appears, click OK.
4. Close the Command Prompt.
5. Click Start, and then click Run. In the Open text box, type mmc and click OK.
6. Click File, and then click Add/Remove Snap-In.
7. Click the Add button.
8. In the Add Standalone Snap-In window, click Active Directory Schema, and then click Add.
9. Click Close to close the Add Standalone Snap-In window.
10. On the Add/Remove Snap-In window, click OK.
11. Click File, and then click Save. Save the new custom MMC console to your desktop using a descriptive name.
Extending the Schema Using the Active Directory Schema Snap-In
Perform the following steps to extend the schema to include a new object class and attribute:
1. Double-click the custom MMC console that includes the Active Directory Schema snap-in to open it.
2. Click the plus sign next to the Active Directory Schema node to expand it.
3. Click the Classes node, as shown in Figure 2, to view the existing object classes defined in the schema.
4. Right-click the Classes node, and click Create Class.
5. In the Schema Object Creation dialog box, shown in Figure 3, click Continue.
6. In the Create New Schema Class dialog box, shown in Figure 4, provide a Common Name, LDAP Display Name, Unique X500 Object ID, and Description. After defining the Parent Class of the object (if applicable) and the Class Type, click Next.
Warning
Because an object class cannot be deleted from the schema once it is created, you must be absolutely certain that the information entered here is correct and that it does not conflict with the properties of any existing or future object classes that might need to be defined. For more information about schema classes, attributes, identifiers, and syntax, search for Active Directory Schema on the MSDN Web site.
7. Click the Add button next to the Mandatory and Optional sections to add any mandatory or optional attributes for the new object class. An example of the attributes that can be selected is shown in Figure 5. Once you have completed your selections, click Finish.
Note
To improve schema-related performance, each domain controller in a forest holds a cached copy of the schema in memory. This cached version is updated a short time after the schema is updated. However, the cached version can be updated immediately by right-clicking the Active Directory Schema node in the Active Directory Schema snap-in and selecting Reload The Schema.
8. Search for the LDAP display name that you gave the new object class in step 6. Double-click the object class to view its properties, and then click OK.
9. Click the Attributes node, as shown in Figure 6, to view the existing attributes defined in the schema.
10. Right-click the Attributes node, and click Create Attribute.
11. In the Schema Object Creation dialog box, click Continue.
12. In the Create New Attribute window shown in Figure 7, provide a Common Name, LDAP Display Name, Unique X500 Object ID, and Description. After defining the Syntax and Range information for the new attribute, click OK.
Warning
Because an attribute cannot be deleted from the schema once it is created, you must be absolutely certain that the information entered here is correct, and that it does not conflict with the properties of any existing or future attributes that might need to be defined. For more information about schema classes, attributes, identifiers, and syntax, search for Active Directory Schema on the MSDN Web site.
13. Search for the LDAP display name that you gave the new attribute in step 12. Double-click the attribute to view its properties, and then click OK.
14. Close the MMC console.
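The same kind of extension expressed as an LDIF file for Ldifde.exe, the tool named earlier as the preferred way to deploy tested schema changes into production. This is an added example, not part of the original article: the attribute and class names, the OID arc and the schemaIDGUID values are constructed placeholders, and DC=X is rewritten to the real forest root at import time with ldifde -i -f schema-ext.ldf -c "DC=X" "DC=contoso,DC=com", run by a Schema Admin against the schema master. Beyond what the snap-in steps show, it also sets the index and global catalog flags (searchFlags, isMemberOfPartialAttributeSet) and the schema-cache reload (schemaUpdateNow) that the snap-in exposes as check boxes and menu items.

```ldif
# Added example (not from the article). Placeholders: names, OID arc,
# schemaIDGUID values, and DC=X (rewritten by ldifde -c at import).
# 1. New single-valued Unicode string attribute, indexed and in the GC.
dn: CN=contoso-Badge-Number,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
cn: contoso-Badge-Number
lDAPDisplayName: contosoBadgeNumber
adminDisplayName: contoso-Badge-Number
adminDescription: Physical access badge number (constructed example)
attributeID: 1.2.840.113556.1.8000.2554.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: AAECAwQFBgcICQoLDA0ODw==
showInAdvancedViewOnly: TRUE

# 2. Refresh the schema cache so the class below can reference the attribute.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# 3. New auxiliary class (objectClassCategory 3) that may carry the attribute.
dn: CN=contoso-Badge-Info,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
cn: contoso-Badge-Info
lDAPDisplayName: contosoBadgeInfo
adminDisplayName: contoso-Badge-Info
adminDescription: Auxiliary class carrying badge data (constructed example)
governsID: 1.2.840.113556.1.8000.2554.99999.2.1
objectClassCategory: 3
subClassOf: top
mayContain: contosoBadgeNumber
schemaIDGUID:: EBESExQVFhcYGRobHB0eHw==
defaultHidingValue: TRUE
showInAdvancedViewOnly: TRUE

# 4. Refresh again so the new class is usable immediately.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```

Generate a fresh GUID for each schemaIDGUID and record both OIDs in your schema documentation before importing, since neither the attribute nor the class can be deleted afterwards.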
Deactivating or Reactivating a Class or Attribute Using the Active Directory Schema Snap-In
Perform the following steps to deactivate and then reactivate an existing schema object class:
1. Double-click the custom MMC console that includes the Active Directory Schema snap-in to open it.
2. Click the plus sign next to the Active Directory Schema node to expand it if necessary.
3. Click the Classes node to view the existing object classes defined in the schema.
Note
You do not need to be a member of the Schema Admins group to view the properties of an object class or attribute. However, you do need to be a member of Schema Admins to make any changes to the Active Directory schema.
4. Right-click an existing object class, and then click Properties. The properties of the Site class object are displayed in Figure 8. Notice that because this particular object class is a system object class, the Class Is Active check box cannot be cleared.
5. Right-click another existing object class that can be deactivated, such as Document, and then click Properties. To deactivate the object class, clear the Class Is Active check box. After doing so, you will be presented with the Active Directory Schema dialog box, as shown in Figure 9. Click Yes, and then click OK.
6. Right-click the object class that was deactivated in step 5, and then click Properties. When the Active Directory Schema dialog box shown in Figure 10 appears, click OK.
7. To reactivate the defunct object class, select the Class Is Active check box, and then click OK.
8. Close the Active Directory Schema MMC console.
Note
To deactivate and subsequently reactivate an existing attribute, follow the previous steps, but access the properties of an existing attribute rather than an object class. Figure 11 shows the properties of the associatedDomain attribute, which can be deactivated by clearing the Attribute Is Active check box.
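Behind the Class Is Active and Attribute Is Active check boxes, deactivation is a change to the schema object's isDefunct attribute, so the same cycle can be scripted for Ldifde.exe. This is an added example, not from the article; the attribute name is a constructed placeholder and DC=X is rewritten with ldifde -c at import, as for any schema LDIF.

```ldif
# Added example (not from the article). Deactivates a custom attribute,
# then reactivates it. The attribute name and DC=X are placeholders.
dn: CN=contoso-Badge-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: TRUE
-

# Refresh the schema cache so the attribute is defunct on this DC at once.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Reactivation is refused if the object's lDAPDisplayName, attributeID
# or schemaIDGUID now collides with a schema object created or modified
# while it was defunct, so check those values before importing this part.
dn: CN=contoso-Badge-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: FALSE
-
```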
Configuring an Attribute to Be Replicated to the Global Catalog
Perform the following steps to configure an existing attribute to be replicated to the global catalog:
1. Double-click the custom MMC console that includes the Active Directory Schema snap-in to open it.
2. Click the plus sign next to the Active Directory Schema node to expand it if necessary.
3. Click the Attributes node to view its contents.
4. Right-click an existing attribute, and click Properties.
5. Select the Replicate This Attribute To The Global Catalog check box if it isn't already selected, and click OK. Figure 12 shows an example of replicating the accountExpires attribute to the global catalog.
Note
To add an attribute to the global catalog, you must be a member of Schema Admins or have been delegated the proper authority.
6. Close the Active Directory Schema MMC console.
Transferring the Schema Master Role
Perform the following steps to transfer the schema master role to a different domain controller:
1. Double-click the custom MMC console that includes the Active Directory Schema snap-in to open it.
2. Right-click the Active Directory Schema node, and click Change Domain Controller.
3. In the Change Domain Controller window, click Specify Name and then enter the name of the domain controller to which you want to transfer the schema master role. Click OK.
4. Right-click the Active Directory Schema node, and click Operations Master. The Change Schema Master window appears, as shown in Figure 13.
5. Click the Change button. This transfers the schema master role to the domain controller specified in step 3.
6. Close the Active Directory Schema MMC console.