Active Directory Schema

Every database has a schema: a formal definition (a set of rules) that governs the database structure and the types of objects and attributes the database can contain. The Active Directory schema contains a list of all classes and attributes in the forest.

The schema keeps track of:

  • Classes
  • Class attributes
  • Class relationships, such as subclasses (child classes that inherit attributes from their superclass) and superclasses (parent classes).
  • Object relationships, such as which objects are contained by other objects and which objects contain other objects.

There is a classSchema object for each class in the Active Directory database, and an attributeSchema object for each object attribute in the database.


Active Directory objects are stored in the Directory Information Tree (DIT) which is broken into the following partitions:

  • Schema partition - Defines rules for object creation and modification for all objects in the forest. Replicated to all domain controllers in the forest, it is known as an enterprise partition.
  • Configuration partition - Information about the forest directory structure is defined including trees, domains, domain trust relationships, and sites (TCP/IP subnet group). Replicated to all domain controllers in the forest, it is known as an enterprise partition.
  • Domain partition - Has complete information about all domain objects (Objects that are part of the domain including OUs, groups, users and others). Replicated only to domain controllers in the same domain.
    • Partial domain directory partition - Has a list of all objects in the directory with a partial list of attributes for each object.

The DIT holds a subset of Active Directory information and stores enough information to start and run the Active Directory service.

Schema Container

The schema container is a special container at the top of the schema partition and is an object created from the directory Management Domain (dMD) class. It can be viewed using the MMC "Active Directory Schema" console or the Active Directory Services Interface (ADSI) Edit utility from the installation CD-ROM. The distinguished name of the schema container is:

/CN=schema/CN=configuration/DC=forest root <domain_name>

Classes and attributes are stored in classSchema objects and attributeSchema objects respectively.

attributeSchema Mandatory Attributes

These attributes provide information about attributes of another Active Directory object.

  • attributeID - Identifies the attribute with a unique value.
  • attributeSyntax - Identifies the object which defines the attribute type.
  • cn - A unicode string name of the attribute.
  • isSingleValued - A boolean variable which when true indicates there is only one value for the attribute. If false, the attribute can have several values.
  • LDAPDisplayName - LDAP unicode name string used to identify the attribute.
  • NTSecurityDescriptor - The object security descriptor.
  • ObjectClass - Is always attributeSchema.
  • OMSyntax - Identifies the object syntax specified by the open object model.
  • SchemaIDGUID - Unique global ID value of the attribute.

classSchema Mandatory Attributes

These attributes provide information about another Active Directory object.

  • cn - A unicode string name of the object.
  • DefaultObjectCategory - A distinguished name of where the object belongs.
  • GovernsID - A unique number identifying the class.
  • LDAPDisplayName - LDAP unicode name string used to identify the object.
  • NTSecurityDescriptor - The object security descriptor.
  • ObjectClass - Is always classSchema.
  • ObjectClassCategory - An integer describing the object class type. The class type is one of the following, with the integer value used to signify it given in "()":
    • Abstract class (2) - A class that can't be instantiated as an object, but is used to pass attributes down to subclasses.
    • Auxiliary class (3) - Used to provide structural or abstract classes with attributes.
    • Structural class (1) - Objects can be created from these classes; they are the class type that exists as objects in the directory.
    • Type 88 class (0) - These classes have no category; they are class types defined before 1993, when class categories were established in the X.500 standard.
  • SchemaIDGUID - Unique global ID value of the class.
  • SubClassOf - Identifier of the class's parent class.

System Attributes

These system attributes can only be changed by the Directory System Agent (DSA), which manages the Active Directory database.

  • systemAuxiliaryClass - Identifies the system-protected auxiliary classes that make up the class.
  • systemMayContain - Optional system protected class attributes.
  • systemMustContain - Required system protected class attributes.
  • systemPossSuperiors - Parent system protected classes.

SAM Read Only Attributes

The SAM is the Security Access Manager.

  • badPasswordCount
  • badPasswordTime
  • creationTime
  • domainReplica
  • isCriticalSystemObject
  • lastLogoff
  • lastLogon
  • LockoutTime
  • modifiedCount
  • ntPwdHistory
  • PrimaryGroupName
  • revision
  • SAMAccountName
  • SAMAccountType

Schema Modifications

The schema should only be modified when absolutely necessary. Control mechanisms include:

  • The schema can only be changed from the schema operations master domain controller.
  • The Schema console must have schema modification set to enabled.
  • Each schema object has permissions set through the Windows 2000 security model.

Ways to modify the schema include:

  • Using an application programming interface (API).
  • Lightweight Directory Interface Format (LDIF) scripts.
  • LDIFDE bulk schema modification tool.
  • CSVDE bulk schema update tool.

Document the following when changing the schema:

  • Object issuing authority
  • Object ID
  • Class hierarchy
  • NT security descriptor
  • LDAP display name
  • Common name
  • Class attributes

When the schema is changed, the following checks are done by Active Directory:

  • Consistency - Makes sure identifiers are unique and mandatory attributes exist. The existence of superclasses in the schema is also checked.
  • Safety - Checks that Active Directory functionality is not disrupted. Checks the following object types:
    • Category 1
    • Category 2
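As an added example (not Active Directory's, LDIFDE's or this page's own code), the following Python models the consistency check described above, applied to the two kinds of schema object whose mandatory attributes are listed earlier: a constructed attributeSchema and classSchema addition, given the way a parsed LDIF record would present them, with placeholder OIDs and GUIDs and a tiny stand-in for the existing forest schema. It also checks that attributes named in mayContain/mustContain already exist, which goes beyond the text's wording.

```python
# Added illustration, not Active Directory's or LDIFDE's code: a hypothetical version of the
# schema consistency check, run over constructed additions with placeholder OIDs and GUIDs.
MANDATORY = {  # from the two lists above; nTSecurityDescriptor is defaulted by the DSA (assumption)
    "attributeSchema": {"attributeID", "attributeSyntax", "cn", "isSingleValued",
                        "lDAPDisplayName", "oMSyntax", "schemaIDGUID"},
    "classSchema": {"cn", "defaultObjectCategory", "governsID", "lDAPDisplayName",
                    "objectClassCategory", "schemaIDGUID", "subClassOf"}}
CATEGORIES = {"0": "88", "1": "structural", "2": "abstract", "3": "auxiliary"}
SCHEMA_DN = "CN=Schema,CN=Configuration,DC=example,DC=com"  # constructed forest root
NEW_ATTRIBUTE = {"objectClass": "attributeSchema", "cn": "example-BadgeNumber",
                 "attributeID": "1.2.3.4.1", "attributeSyntax": "2.5.5.12", "oMSyntax": "64",
                 "isSingleValued": "TRUE", "lDAPDisplayName": "exampleBadgeNumber",
                 "schemaIDGUID": "PLACEHOLDER-GUID-1"}
NEW_CLASS = {"objectClass": "classSchema", "cn": "example-Badge", "governsID": "1.2.3.4.2",
             "objectClassCategory": "3", "subClassOf": "top", "mayContain": "exampleBadgeNumber",
             "lDAPDisplayName": "exampleBadge", "schemaIDGUID": "PLACEHOLDER-GUID-2",
             "defaultObjectCategory": f"CN=example-Badge,{SCHEMA_DN}"}
# What the forest schema already holds: a tiny constructed stand-in for the real one.
EXISTING = {"oid": {"2.5.4.3", "2.5.6.0"}, "name": {"cn", "top"}, "guid": set(),
            "classes": {"top"}, "attrs": {"cn"}}

def check_schema(entries, existing):
    """Return the problems the consistency check would report (an empty list means pass):
    unique identifiers, mandatory attributes present, superclass and referenced attributes defined."""
    pools, problems = {k: set(v) for k, v in existing.items()}, []  # copy, so callers can retry
    for e in entries:
        kind, cn = e.get("objectClass", ""), e.get("cn", "?")
        if kind not in MANDATORY:
            problems.append(f"{cn}: objectClass must be attributeSchema or classSchema")
            continue
        problems += [f"{cn}: missing mandatory {a}" for a in sorted(MANDATORY[kind] - set(e))]
        # attributeID and governsID share one OID space; display names and GUIDs are unique too
        for pool, attrs in (("oid", ("attributeID", "governsID")), ("name", ("lDAPDisplayName",)),
                            ("guid", ("schemaIDGUID",))):
            for v in (e[a] for a in attrs if a in e):
                if v in pools[pool]: problems.append(f"{cn}: {v} is not unique")
                pools[pool].add(v)
        if kind == "attributeSchema":
            pools["attrs"].add(e.get("lDAPDisplayName", cn))
            continue
        if e.get("objectClassCategory") not in CATEGORIES:
            problems.append(f"{cn}: objectClassCategory must be one of {sorted(CATEGORIES)}")
        if e.get("subClassOf") not in pools["classes"]:
            problems.append(f"{cn}: superclass {e.get('subClassOf')} is not in the schema")
        for a in (e.get("mustContain", "") + " " + e.get("mayContain", "")).split():  # space-separated here
            if a not in pools["attrs"]:
                problems.append(f"{cn}: attribute {a} is not in the schema")
        pools["classes"].add(e.get("lDAPDisplayName", cn))  # later entries may subclass it
    return problems
```

Entries are checked in order, so an attribute must precede any class that references it, which is why the attribute is listed first in an LDIF extension.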