Schema
The Active Directory schema is a set of definitions for all object types in the directory and their related attributes. The schema determines the way that all user, computer, and other object data are stored in AD and is configured to be standard across the entire Active Directory structure. Secured by the use of Discretionary Access Control Lists (DACLs), the schema controls the possible attributes for each object within Active Directory. In a nutshell, the schema is the basic definition of the directory itself and is central to the functionality of your domain environment. Care should be taken to delegate schema control to a highly selective group of administrators because schema modification affects the entire AD environment.
Schema Objects
Objects within the Active Directory structure such as Users, Printers, Computers, and Sites are defined in the schema as objects. Each object has a list of attributes that define it and that can be used to search for that object. For example, a User object for the employee named Ranjit Kumar will have a FirstName attribute of Ranjit and a LastName attribute of Kumar. In addition, there may be other attributes assigned, such as departmental name, e-mail address, and an entire range of possibilities. Users looking up information in Active Directory can make queries based on this information, for example, searching for all users in the Sales department. To give you an idea how many attributes Active Directory has, a fresh install will assign more than 1,000 attributes per object.
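The following PowerShell is an added example, not part of the original text: it reads the schema partition to show how the user class is defined (its mandatory and optional attributes), counts the attribute definitions a forest carries, and runs the department query the paragraph mentions. It assumes the ActiveDirectory module (RSAT) is installed and the session has ordinary read access to a domain controller; "Sales" is a constructed sample department value.

```powershell
Import-Module ActiveDirectory

# The schema naming context (CN=Schema,CN=Configuration,...) is published by every DC in RootDSE.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# How many attribute definitions does this forest's schema contain?
$attributeCount = (Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(objectClass=attributeSchema)' -ResultSetSize $null).Count
"Attribute definitions in schema: $attributeCount"

# The class definition for 'user': which attributes it must and may carry.
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mustContain, systemMustContain, mayContain, systemMayContain, subClassOf

"user class inherits from: $($userClass.subClassOf)"
"mandatory attributes declared directly on 'user': $(@($userClass.systemMustContain + $userClass.mustContain).Count)"
"optional attributes declared directly on 'user':  $(@($userClass.systemMayContain + $userClass.mayContain).Count)"

# Attribute-based lookup described in the text: every user in the Sales department.
Get-ADUser -Filter 'Department -eq "Sales"' -Properties Department, GivenName, Surname |
    Select-Object SamAccountName, GivenName, Surname, Department
```

The counts printed for the user class cover only attributes declared on that class itself; attributes inherited from its parent classes (organizationalPerson, person, top) are not included, which is why the total available on a user object is far larger.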
Extending the Schema
One of the major advantages to the Active Directory structure is the ability to directly modify and extend the schema to provide for custom attributes. A common attribute extension occurs with the installation of the latest version of Microsoft Exchange, which extends the schema, effectively doubling it in size. An upgrade from Windows 2000 Active Directory to Windows .NET Active Directory also extends the schema to include attributes specific to Windows .NET.
Schema Modification with Active Directory Service Interfaces
An interesting method of actually viewing the nuts and bolts of the Active Directory schema is by using the Active Directory Service Interfaces (ADSI) utility. This utility was developed to simplify access to the Active Directory and can also view any compatible foreign LDAP directory. Great care should be taken before schema modifications are undertaken because problems in the schema can be difficult to fix.
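As an added example (not from the original page), this script uses the ADSI provider that PowerShell exposes through the [ADSI] type accelerator to read a class definition from the abstract schema and to inspect a concrete attribute definition, which is the same information the ADSI Edit console shows interactively. It assumes a domain-joined session with read access to the schema partition; no modification is performed.

```powershell
# The abstract schema (LDAP://schema) presents each class with its property lists already merged with inherited ones.
$userSchema = [ADSI]"LDAP://schema/user"

"Mandatory properties of 'user' (including inherited):"
$userSchema.MandatoryProperties | Sort-Object | ForEach-Object { "  $_" }

"Number of optional properties of 'user' (including inherited): $($userSchema.OptionalProperties.Count)"

# Inspect one attribute definition directly in the schema partition, read-only.
$rootDSE    = [ADSI]"LDAP://RootDSE"
$schemaPath = "LDAP://CN=SAM-Account-Name,$($rootDSE.schemaNamingContext)"
$attrDef    = [ADSI]$schemaPath

[PSCustomObject]@{
    CommonName      = $attrDef.cn.Value
    LdapDisplayName = $attrDef.lDAPDisplayName.Value
    OID             = $attrDef.attributeID.Value
    SyntaxOID       = $attrDef.attributeSyntax.Value
    SingleValued    = [bool]$attrDef.isSingleValued.Value
    Indexed         = [bool]($attrDef.searchFlags.Value -band 1)
}
```

Reading through ADSI like this is safe; it is the SetInfo() call (not used here) that writes changes back, and any such write against the schema partition is replicated forest-wide and cannot simply be undone, which is the reason the text advises caution.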
How the schema is stored
Each forest can contain only one schema, which is stored in the schema directory partition. The schema directory partition, along with the configuration directory partition, is replicated to all domain controllers in a forest. However, a single domain controller, the schema master, controls the structure and content of the schema. For more information about the schema master
Schema cache
To improve performance on schema operations (such as new object validation), each domain controller holds a copy of the schema in memory (in addition to the copy it holds on disk). This cached version is automatically updated (after a small time interval) each time you update the schema. Or, you can reload the updated schema to cache manually for immediate effect.
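An added example of the manual cache reload the paragraph refers to (not from the original page): writing the operational attribute schemaUpdateNow to RootDSE on the domain controller asks that DC to rebuild its in-memory schema cache immediately instead of waiting for the periodic refresh. It assumes the session runs as a Schema Admins member against the schema master (the DC name is a constructed placeholder).

```powershell
# Placeholder: replace with the DC holding the schema master role in your forest.
$schemaMaster = "DC01.example.internal"

# Confirm we are talking to the schema master before forcing a reload there.
$actualMaster = (Get-ADForest).SchemaMaster
if ($actualMaster -ne $schemaMaster) {
    throw "Expected schema master $schemaMaster but the forest reports $actualMaster"
}

# RootDSE is not a real object; the schemaUpdateNow write is an operational request the DC acts on.
$rootDSE = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDSE.Put("schemaUpdateNow", 1)
$rootDSE.SetInfo()

# Verify the cache is current: the highest USN the DC has committed to the schema partition
# should now match what the cached schema reports (both are readable from RootDSE).
$rootDSE.RefreshCache()
"Schema reload requested on $schemaMaster at $(Get-Date -Format o)"
"highestCommittedUSN: $($rootDSE.highestCommittedUSN.Value)"
```

Only the DC you target reloads its cache; the on-disk schema is replicated normally to the other DCs, each of which refreshes its own cache on its timer. Because a cache rebuild briefly re-validates every definition, it is worth doing immediately after an extension so that a mistake surfaces on one DC before replication carries it to the rest of the forest.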
Securing the schema
Like every object in Active Directory, schema objects are protected from unauthorized use by access control lists (ACLs). By default, only members of the Schema Admins group have write access to the schema. So, to extend the schema you must be a member of the Schema Admins group. The only default member of the Schema Admins group is the administrator account in the root domain of the forest. You should restrict membership in the Schema Admins group because extending the schema improperly can have serious consequences to your network.
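This added audit script (not part of the original page) checks the two controls the paragraph describes: who is a member of Schema Admins, and which principals hold write rights on the schema container's ACL beyond the expected default of Schema Admins. It assumes the ActiveDirectory module is loaded, that the AD: PSDrive it provides is available, and read access to the schema partition; the expectation that Schema Admins is normally empty is a hardening practice, not something the original text states.

```powershell
Import-Module ActiveDirectory

$forest   = Get-ADForest
$schemaNC = (Get-ADRootDSE).schemaNamingContext
"Schema master: $($forest.SchemaMaster)"

# 1. Membership of Schema Admins. The only default member is the root-domain Administrator;
#    a common practice is to keep it empty and add an account only for the duration of a change.
$members = Get-ADGroupMember -Identity "Schema Admins" -Server $forest.RootDomain -Recursive
if ($members.Count -eq 0) {
    "Schema Admins is empty (no standing schema-write capability)."
} else {
    "Schema Admins has $($members.Count) member(s):"
    $members | ForEach-Object { "  $($_.objectClass): $($_.distinguishedName)" }
}

# 2. ACEs on the schema container that grant any form of write.
$writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|CreateChild'
$acl = Get-Acl -Path "AD:\$schemaNC"

$writers = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match $writeRights } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType

"Principals with write-class rights on $schemaNC :"
$writers | Format-Table -AutoSize

# Flag anything that is not one of the identities expected to hold write on the schema.
$expected = '^(.*\\Schema Admins|NT AUTHORITY\\SYSTEM|.*\\Enterprise Admins)$'
$unexpected = $writers | Where-Object { $_.IdentityReference.Value -notmatch $expected }
if ($unexpected) {
    "WARNING: unexpected write access on the schema container:"
    $unexpected | Format-Table -AutoSize
}
```

The ACL check matters because group membership is only one path to schema writes: a direct ACE granting WriteProperty or WriteDacl on the schema container bypasses the Schema Admins group entirely, so both should be reviewed together and any deviation investigated.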
Schema object names
When extending the schema, you need to know how to reference schema objects. Both class and attribute schema objects can be referenced in several ways:
• Lightweight Directory Access Protocol (LDAP) display name
• common name
• object identifier
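As an added example (not from the original page), the function below resolves an attribute or class definition in the schema partition by whichever of the three names the list above gives, and returns all three so the relationship is visible. It assumes the ActiveDirectory module and read access to the schema partition; Resolve-SchemaObject is a name chosen here, not a built-in cmdlet.

```powershell
Import-Module ActiveDirectory

function Resolve-SchemaObject {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('LdapDisplayName', 'CommonName', 'Oid')] [string] $By = 'LdapDisplayName'
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # Build the filter for the chosen name form. An attribute stores its OID in attributeID,
    # a class stores it in governsID, so the OID form searches both.
    $filter = switch ($By) {
        'LdapDisplayName' { "(lDAPDisplayName=$Name)" }
        'CommonName'      { "(cn=$Name)" }
        'Oid'             { "(|(attributeID=$Name)(governsID=$Name))" }
    }

    Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
        -Properties cn, lDAPDisplayName, attributeID, governsID, objectClass |
        ForEach-Object {
            [PSCustomObject]@{
                Kind            = if ($_.objectClass -eq 'attributeSchema') { 'attribute' } else { 'class' }
                LdapDisplayName = $_.lDAPDisplayName
                CommonName      = $_.cn
                Oid             = if ($_.attributeID) { $_.attributeID } else { $_.governsID }
            }
        }
}

# Start from the LDAP display name that scripts and filters use ...
$attr = Resolve-SchemaObject -Name 'sAMAccountName'
$attr

# ... and confirm the common name and OID lead back to the same definition.
Resolve-SchemaObject -Name $attr.CommonName -By CommonName
Resolve-SchemaObject -Name $attr.Oid -By Oid

# The same works for classes (OID held in governsID rather than attributeID).
Resolve-SchemaObject -Name 'user'
```

The LDAP display name is the form used in filters and in code; the common name is what the schema container shows as the object's CN; the object identifier is the globally unique, permanent identity of the definition, which is why schema extensions must obtain an OID from a registered arc rather than inventing one.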