Thursday, September 8, 2011

schema


Schema
The Active Directory schema is the set of definitions for every object class in the directory and the attributes each class can carry. It determines how user, computer, and all other object data are stored, and it is the same across the whole forest. Each schema object is itself protected by a discretionary access control list (DACL), and the schema in turn governs which attributes any object in Active Directory may have. In a nutshell, the schema is the basic definition of the directory itself and is central to the functionality of your domain environment. Delegate schema control to a very small group of administrators, because a schema change affects the entire forest and is not reversible in the ordinary sense: schema classes and attributes can be deactivated (made defunct) but never deleted.
Schema Objects
Every kind of object in Active Directory, such as users, printers, computers, and sites, is defined in the schema as an object class (a classSchema object), and every attribute is defined as an attributeSchema object. Each class lists the attributes an instance must or may have, and those attributes are what queries match on. For example, the user object for an employee named Ranjit Kumar has a first-name attribute (givenName) of Ranjit and a last-name attribute (sn) of Kumar, and may carry many more, such as department and e-mail address. Anyone with read access can query on these values, for example to find all users in the Sales department. To give you an idea of the scale, a fresh installation defines well over 1,000 attributes in the schema; each object class uses only the subset that applies to it.
Extending the Schema
One of the major advantages of the Active Directory structure is the ability to modify and extend the schema directly to add custom classes and attributes. A common extension happens when Microsoft Exchange is installed: its setup extends the schema with a large number of classes and attributes, roughly doubling it in size. Upgrading a Windows 2000 Active Directory forest to Windows Server 2003 (called Windows .NET Server during its beta) also extends the schema with attributes specific to the newer release.
Schema Modification with Active Directory Service Interfaces
An interesting way to look at the nuts and bolts of the schema is the ADSI Edit snap-in (adsiedit.msc), a low-level editor built on the Active Directory Service Interfaces (ADSI). ADSI was developed to simplify programmatic access to Active Directory and can also bind to other LDAP-compatible directories. Take great care before modifying the schema: a mistake cannot simply be undone, because schema objects can be deactivated but never deleted, and a bad change replicates to every domain controller in the forest.

How the schema is stored

Each forest can contain only one schema, which is stored in the schema directory partition. The schema directory partition, along with the configuration directory partition, is replicated to all domain controllers in a forest. However, a single domain controller, the schema master, controls the structure and content of the schema. For more information about the schema master

Schema cache

To improve performance on schema operations (such as validating a new object), each domain controller holds a copy of the schema in memory in addition to the copy on disk. This cached copy is refreshed automatically a short time (about five minutes) after the schema is updated. If you need the change to take effect immediately, you can reload the cache manually by writing the value 1 to the schemaUpdateNow attribute of the domain controller's rootDSE.
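The two facts above (the schema master is recorded in the schema partition, and the cache is reloaded through rootDSE) can be checked and exercised from PowerShell. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed and that the caller is a Schema Admin for the final step.

```powershell
# Added example: locate the schema master and force an immediate schema-cache
# reload on it. Assumes the ActiveDirectory module and Schema Admins rights.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext   # e.g. CN=Schema,CN=Configuration,DC=corp,DC=example

# The schema partition's fSMORoleOwner attribute holds the DN of the
# NTDS Settings object of the DC that currently owns the schema master role.
$roleOwner      = (Get-ADObject -Identity $schemaNC -Properties fSMORoleOwner).fSMORoleOwner
$serverObjectDn = $roleOwner -replace '^CN=NTDS Settings,', ''
$schemaMaster   = (Get-ADObject -Identity $serverObjectDn -Properties dNSHostName).dNSHostName
"Schema master (from fSMORoleOwner): $schemaMaster"

# Cross-check against the forest's FSMO view; the two must agree.
$forestView = (Get-ADForest).SchemaMaster
if ($forestView -ne $schemaMaster) {
    Write-Warning "Mismatch: Get-ADForest reports $forestView"
}

# Each DC caches the schema independently, so the reload has to be sent to the
# DC you care about. Writing schemaUpdateNow=1 to that DC's rootDSE reloads its
# cache at once instead of waiting for the periodic refresh.
$rootDseOnMaster = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDseOnMaster.Put('schemaUpdateNow', 1)
$rootDseOnMaster.SetInfo()
"Schema cache reload requested on $schemaMaster"
```

Run the first part on any domain-joined machine with RSAT; the final Put/SetInfo succeeds only for a Schema Admin and only affects the DC named in the LDAP path, which is why the script targets the schema master explicitly rather than whatever DC the session happened to bind to.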

Securing the schema

Like every object in Active Directory, schema objects are protected from unauthorized use by access control lists (ACLs). By default, only members of the Schema Admins group have write access to the schema, so to extend the schema you must be a member of Schema Admins. The only default member is the Administrator account of the forest root domain. Restrict membership in Schema Admins, and keep it empty between planned changes, because extending the schema improperly can have serious consequences for your whole forest. Note that Schema Admins is a group in the forest root domain: anyone who can change its membership (root-domain Domain Admins, Enterprise Admins) can effectively grant themselves schema control, so the real trust boundary is no narrower than those groups.
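A practitioner reviewing this control wants two answers: who is in Schema Admins right now, and which principals hold write-type rights on the schema container regardless of group membership. The audit script below is an added example, not part of the original post; it assumes the ActiveDirectory module is available (it supplies the AD: drive used by Get-Acl), and the list of principals treated as expected writers is an assumption you should replace with your own baseline.

```powershell
# Added example: audit who can modify the schema. Assumes the ActiveDirectory
# module; the $expectedWriters baseline is an assumption, adjust it to your forest.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Current Schema Admins membership, expanded through nested groups.
#    The recommended resting state between planned changes is an empty group.
$members = Get-ADGroupMember -Identity 'Schema Admins' -Recursive
if ($members) {
    "Schema Admins currently has $($members.Count) member(s):"
    $members | Select-Object name, objectClass, distinguishedName | Format-Table -AutoSize
} else {
    'Schema Admins is empty.'
}

# 2. Principals with write-type rights on the schema container itself.
#    Rights that matter: GenericAll, WriteDacl, WriteOwner, WriteProperty, CreateChild.
$writeRights = 'GenericAll|WriteDacl|WriteOwner|WriteProperty|CreateChild'
$acl = Get-Acl -Path "AD:\$schemaNC"
$writers = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match $writeRights }

"Allow ACEs granting write-type rights on $schemaNC :"
$writers | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference, ActiveDirectoryRights -Unique | Format-Table -AutoSize

# 3. Flag anything outside the expected set (assumed baseline, not a Microsoft default list).
$expectedWriters = @('Schema Admins', 'Enterprise Admins', 'SYSTEM')
$unexpected = $writers | Where-Object {
    $name = $_.IdentityReference.Value -replace '^.*\\', ''   # strip DOMAIN\ prefix
    $expectedWriters -notcontains $name
}
if ($unexpected) {
    Write-Warning 'Unexpected principals with write rights on the schema container:'
    $unexpected | Select-Object IdentityReference, ActiveDirectoryRights | Format-Table -AutoSize
}
```

The membership check and the ACL check are deliberately separate: an attacker who cannot join Schema Admins may still hold a direct ACE on CN=Schema granted during some product installation, and the group listing alone would never show it. The write also matters on the per-object level (each attributeSchema and classSchema object has its own DACL), so treat this as the container-level pass of a wider review.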

Schema object names

When extending the schema, you need to know how to reference schema objects. Both class and attribute schema objects can be referenced in several ways:
Lightweight Directory Access Protocol (LDAP) display name
common name
object identifier

LDAP display name

The Active Directory Schema snap-in and other administrative tools display the LDAP display name (the lDAPDisplayName attribute) of schema objects, and programmers and system administrators use it to reference objects in LDAP filters and code. An LDAP display name is typically two or more words run together, with each word after the first marked by a capital letter, for example mailAddress and machinePasswordChangeInterval. The LDAP display name is guaranteed to be unique across the whole schema.

Common name

The common name (the cn attribute) is a more readable, hyphenated form of the same name. The common names of the two attributes in the previous example are SMTP-Mail-Address and Machine-Password-Change-Interval. The common name forms the schema object's distinguished name (for example CN=SMTP-Mail-Address,CN=Schema,CN=Configuration,...) and is guaranteed to be unique only within its container, which for schema objects means within the schema partition.

Object identifier

An object identifier (OID) is a dotted-decimal value issued under an arc allocated by an issuing authority such as the International Organization for Standardization (ISO) or the American National Standards Institute (ANSI); Microsoft's own attributes and classes live under the arc 1.2.840.113556. For example, the object identifier for the SMTP-Mail-Address attribute is 1.2.840.113556.1.4.786. In the schema the OID is stored in the attributeID attribute for an attribute and in the governsID attribute for a class. Every object identifier must be globally unique and must never be reused for a different definition, so when you extend the schema you should allocate OIDs from an arc you control rather than inventing values under someone else's.
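The three identifiers above all resolve to the same schema object, and the last sentence implies a check anyone extending the schema should run first: confirm the names and OID you intend to use are not already taken. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module, and the contosoBadgeId attribute and its OID are hypothetical values chosen for illustration, not real schema entries.

```powershell
# Added example: look up one attribute by each of its three names, show the
# class-side equivalent, and test candidate identifiers for collisions before
# extending the schema. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrProps = 'cn', 'lDAPDisplayName', 'attributeID', 'attributeSyntax', 'isSingleValued'

# Attributes: all three lookups must return the same object.
$byLdapName = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=mailAddress)'         -Properties $attrProps
$byCn       = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=SMTP-Mail-Address)'                -Properties $attrProps
$byOid      = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(attributeID=1.2.840.113556.1.4.786)'  -Properties $attrProps
@($byLdapName, $byCn, $byOid) | Select-Object cn, lDAPDisplayName, attributeID | Format-Table -AutoSize
if (($byLdapName.DistinguishedName, $byCn.DistinguishedName, $byOid.DistinguishedName | Sort-Object -Unique).Count -ne 1) {
    Write-Warning 'The three lookups did not resolve to the same schema object.'
}

# Classes carry their OID in governsID rather than attributeID.
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=computer))' `
    -Properties cn, lDAPDisplayName, governsID |
    Select-Object cn, lDAPDisplayName, governsID | Format-Table -AutoSize

# Pre-flight for a schema extension: is any of the proposed identifiers in use?
# Checks both attributeID and governsID because OIDs must be unique across attributes and classes.
function Test-SchemaIdentifiersFree {
    param(
        [Parameter(Mandatory)] [string] $LdapDisplayName,
        [Parameter(Mandatory)] [string] $CommonName,
        [Parameter(Mandatory)] [string] $Oid
    )
    $filter = "(|(lDAPDisplayName=$LdapDisplayName)(cn=$CommonName)(attributeID=$Oid)(governsID=$Oid))"
    $clash = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties cn, lDAPDisplayName, attributeID, governsID
    if ($clash) {
        Write-Warning 'Proposed identifiers collide with existing schema objects:'
        $clash | Select-Object cn, lDAPDisplayName, attributeID, governsID | Format-Table -AutoSize
        return $false
    }
    return $true
}

# Hypothetical identifiers for a new attribute (illustration only; the OID is a made-up
# value under a private arc you would have to own or generate yourself).
Test-SchemaIdentifiersFree -LdapDisplayName 'contosoBadgeId' `
                           -CommonName      'Contoso-Badge-Id' `
                           -Oid             '1.2.840.113556.1.8000.2554.12345.67890'
```

The collision test is cheap insurance: an OID or LDAP display name that clashes with an existing definition is rejected by the schema master, but a clash with a value another vendor will later ship is not, which is why the OID should come from an arc you actually own (or, as Microsoft documents, a GUID-derived arc under 1.2.840.113556.1.8000.2554) rather than from a number picked to look plausible.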
