All databases have a schema which is a formal definition (set of rules) which govern the database structure and types of objects and attributes which can be contained in the database. The schema contains a list of all classes and attributes in the forest.
The schema keeps track of:
The schema keeps track of:
- Classes
- Class attributes
- Class relationships such as subclasses (Child classes that inherit attributes from the super class) and super classes (Parent classes).
- Object relationships such as what objects are contained by other objects or what objects contain other objects.
Partitions
Active Directory objects are stored in the Directory Information Tree (DIT) which is broken into the following partitions:- Schema partition - Defines rules for object creation and modification for all objects in the forest. Replicated to all domain controllers in the forest. Replicated to all domain controllers in the forest, it is known as an enterprise partition.
- Configuration partition - Information about the forest directory structure is defined including trees, domains, domain trust relationships, and sites (TCP/IP subnet group). Replicated to all domain controllers in the forest, it is known as an enterprise partition.
- Domain partition - Has complete information about all domain objects (Objects that are part of the domain including OUs, groups, users and others). Replicated only to domain controllers in the same domain.
- Partial domain directory partition - Has a list of all objects in the directory with a partial list of attributes for each object.
Schema Container
The schema container is a special container at the top of the schema partitionand is an object created from the directory Management Domain (dMD). It can be viewed using the MMC "Active Directory Schema" console or the Active Directory Services Interface (ADSI) edit utility from the installation CDROM. The distinguished name schema container address is:/CN=schema/CN=configuration/DC=forest root <domain_name>
Classes and attributes are stored in classSchema objects and attributeSchema objects respectively. attributeSchema Mandatory Attributes
These attributes provide information about attributes of another Active Directory object.- attributeID - Identifies the attribute with a unique value.
- attributeSyntax - Identifies the object which defines the attribute type.
- cn - A unicode string name of the attribute.
- isSingleValued - A boolean variable which when true indicates there is only one value for the attribute. If false, the attribute can have several values.
- LDAPDisplayName - LDAP unicode name string used to identify the attribute.
- NTSecurityDescriptor - The object security descriptor.
- ObjectClass - Is always attributeSchema.
- OMSyntax - Identifies the object syntax specified by the open object model.
- SchemaIDGUID - Unique global ID value of the attribute.
classSchema Mandatory Attributes
These attributes provide information about another Active Directory object.- cn - A unicode string name of the object.
- DefaultObjectCategory - A distinguished name of where the object belongs.
- GovernsID - A unique number identifying the class.
- LDAPDisplayName - LDAP unicode name string used to identify the object.
- NTSecurityDescriptor - The object security descriptor.
- ObjectClass - Is always classSchema.
- ObjectClassCategory - An integer describing the object class type. The class type is one of the following with values in "()" indicating the integer value used to signify them:
- Abstract class (2) - A class that can't be an object, but is used to pass attributes down to subclasses.
- Auxillary class (3) - Used to provide structural or abstract classes with attributes
- Structural class (1) - These classes can have objects created from them and are the class type that is contained as objects in the directory.
- Type 88 class (0) - These classes don't have a type and they are class types created before 1993 before class types were established in the X.500 standard.
- SchemaIDGUID - Unique global ID value of the class.
- SubClassOf - Identifier of the class parent class.
System Attributes
These system attributes can only be changed by the Directory System Agent (DSA) which manages the Active directory database.- systemAuxillaryClass - Identifies the auxiliary protected classes that compose the class.
- systemMayContain - Optional system protected class attributes.
- systemMustContain - Required system protected class attributes.
- systemPossSuperiors - Parent system protected classes.
SAM Read Only Attributes
The SAM is the Security Access Manager.- badPasswordCount
- badPasswordTime
- creationTime
- domainReplica
- isCriticalSystemObject
- lastLogoff
- lastLogon
- LockoutTime
- modifiedCount
- ntPwdHistory
- PrimaryGroupName
- revision
- SAMAccountName
- SAMAccountType
Schema Modifications
The schema should only be modified when absolutely necessary. Control mechanisms include:- The schema operations master domain controller is the only controller that the schema can be changed from.
- The Schema console must have schema modification set to enabled.
- Each schema object has permissions set through the Windows 2000 security model.
- Using an application programming interface (API).
- Lightweight Directory Interface Format (LDIF) scripts.
- LDIFDE bulk schema modification tool.
- CSVDE bulk schema update tool.
- Object issuing authority
- Object ID
- Class heirarchy
- NT security descriptor
- LDAP display name
- Common name
- Class attributes
- Consistency - Makes sure identifiers are unique and mandatory attributes exist. Also existance of superclasses in the schema is checked.
- Safety - Check to be sure Active Directory functionality is not disrupted. Checks the following object types:
- Category 1
- Category 2
