Introduction
The Active Directory schema contains the blueprint for how objects
are structured and secured, what data they can contain, and even how
they can be viewed. Having a thorough understanding of the schema is
paramount for any Active Directory administrator. Understanding key
concepts, such as class inheritance, class types, attribute syntax,
and attribute indexing options, is critical to being able to
adequately design an Active Directory infrastructure and should be
considered mandatory for any developer who writes applications or
automation scripts that use Active Directory.
If you are one of the lucky few who is designated as a schema
administrator (i.e., a member of the Schema
Admins group), then the importance of the schema
is already well known to you. This chapter serves as a guide to
accomplishing many of the day-to-day tasks you will need to do as a
schema administrator. If you feel you need more nuts-and-bolts
information on how the schema works, I suggest reading Chapter 4 of
Active Directory, Second Edition
(O'Reilly).
The Anatomy of Schema Objects
An interesting feature of Active Directory that is not common among other LDAP
implementations is that the schema is stored within Active Directory
as a set of objects. This means that you can use similar interfaces
and programs to manage the schema as you would any other type of
object.
All schema objects are stored in the Schema
container (e.g., cn=schema,cn=configuration,<ForestRootDN>).
The schema consists of two classes of objects,
classSchema and
attributeSchema. Unsurprisingly,
classSchema objects define classes and
attributeSchema objects define attributes. The
Schema container contains a third type of object
called subSchema, also known as the abstract
schema, which is defined in the LDAP v3 specification (RFC 2251).
There is only a single subSchema object in the
Schema container, named cn=Aggregate, and it contains a summary of
the entire schema.
Table 10-1 and Table 10-2
contain useful attributes of classSchema objects
and attributeSchema objects, respectively.
Table 10-1. Attributes of classSchema objects

| Attribute | Description |
| --- | --- |
| adminDescription | Description of the class. |
| auxiliaryClass | Multivalued attribute containing any auxiliary classes defined for the class. |
| cn | Relative distinguished name of the class. |
| defaultHidingValue | Boolean that determines whether objects of this class are hidden by default in administrative GUIs. |
| defaultSecurityDescriptor | Default security descriptor applied to objects of this class when they are created. |
| governsID | Object identifier (OID) for the class. |
| isDefunct | Boolean that indicates whether the class is defunct (i.e., deactivated). |
| lDAPDisplayName | Name used when referencing the class in searches or when instantiating or modifying objects of this class. |
| mayContain | Multivalued attribute that contains a list of attributes that can optionally be set on the class. |
| mustContain | Multivalued attribute that contains a list of attributes that must be set on the class. |
| objectClassCategory | Integer representing the class's type. Can be one of 1 (structural), 2 (abstract), 3 (auxiliary), or 0 (88). |
| possibleInferiors | Multivalued list of other object classes this object can contain. |
| possSuperiors | Multivalued list of object classes this object can be subordinate to. |
| rDNAttID | Naming attribute (i.e., RDN) of instances of the class. |
| schemaIDGUID | GUID of the class. |
| showInAdvancedViewOnly | Boolean that indicates whether instances of this class should only be shown in Advanced mode in the administrative GUIs. |
| subClassOf | Parent class. |
| systemAuxiliaryClass | Multivalued attribute containing any auxiliary classes defined for the class. This can only be modified internally by Active Directory. |
| systemFlags | Integer representing additional properties of the class. |
| systemMayContain | Multivalued attribute that contains a list of attributes that can optionally be set on the class. This can only be modified internally by Active Directory. |
| systemMustContain | Multivalued attribute that contains a list of attributes that must be set on the class. This can only be modified internally by Active Directory. |
| systemPossSuperiors | Multivalued list of object classes this object can be subordinate to. This can only be modified internally by Active Directory. |
Table 10-2. Attributes of attributeSchema objects

| Attribute | Description |
| --- | --- |
| adminDescription | Description of the attribute. |
| attributeID | OID for the attribute. |
| attributeSecurityGUID | GUID used to apply security to a set of objects as a group. |
| attributeSyntax | OID representing the syntax of the attribute. This is used in conjunction with oMSyntax to define a unique syntax. |
| cn | Relative distinguished name of the attribute. |
| isDefunct | Boolean that indicates whether the attribute is defunct (i.e., deactivated). |
| isMemberOfPartialAttributeSet | Boolean that indicates whether the attribute is a member of the partial attribute set (i.e., replicated to the global catalog). |
| isSingleValued | Boolean that indicates whether the attribute is single valued or multivalued. |
| linkID | If populated, an integer that represents a link (either forward or backward) to another attribute. |
| lDAPDisplayName | Name used when referencing the attribute in searches or when populating it on objects. Note that this value may not be the same as cn. |
| oMSyntax | Integer representing the OM type of the attribute. This is used in conjunction with attributeSyntax to determine a unique syntax for the attribute. |
| schemaIDGUID | GUID of the attribute. |
| searchFlags | Integer representing special properties related to searching with the attribute. This includes how the attribute is indexed and whether it is used in ANR searches. |
| systemFlags | Integer representing additional properties of the attribute. |
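Several of the attributes in Table 10-1 and Table 10-2 are integers that pack
several independent meanings (objectClassCategory, searchFlags), and a
schema review usually starts by decoding them. The script below is an added
example, not code from the book: it takes a constructed list of dicts shaped
like the entries an LDAP search of the Schema container would return (one
classSchema object and one attributeSchema object, with placeholder OIDs and
the attribute names from the two tables) and produces a readable summary. The
searchFlags bit names are the MS-ADTS names for that attribute; the chapter
text only mentions the index and ANR bits, so the remaining bits are listed
as additional known values that an audit typically cares about, in
particular fCONFIDENTIAL, which controls whether a plain READ_PROPERTY grant
is enough to read the attribute.

```python
"""Decode the integer-coded attributes of AD schema objects (added example)."""

# objectClassCategory values as given in Table 10-1.
CLASS_CATEGORY = {0: "88", 1: "structural", 2: "abstract", 3: "auxiliary"}

# searchFlags bits (MS-ADTS names). Bits 0x1 and 0x4 are the ones the
# chapter mentions; the others are the remaining documented bits.
SEARCH_FLAGS = {
    0x001: "fATTINDEX (indexed)",
    0x002: "fPDNTATTINDEX (indexed per container)",
    0x004: "fANR (used in ambiguous name resolution)",
    0x008: "fPRESERVEONDELETE (kept on the tombstone)",
    0x010: "fCOPY (copied when an object is duplicated)",
    0x020: "fTUPLEINDEX (tuple index for medial searches)",
    0x040: "fSUBTREEATTINDEX (subtree index)",
    0x080: "fCONFIDENTIAL (read needs CONTROL_ACCESS, not just READ_PROPERTY)",
    0x100: "fNEVERVALUEAUDIT (value changes are not audited)",
    0x200: "fRODCFilteredAttribute (not replicated to RODCs)",
}


def decode_search_flags(value):
    """Return the names of the bits set in a searchFlags integer."""
    names = [name for bit, name in SEARCH_FLAGS.items() if value & bit]
    unknown = value & ~sum(SEARCH_FLAGS)  # bits outside the table above
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def describe_schema_object(entry):
    """Summarise one classSchema or attributeSchema entry as a dict.

    Dispatches on objectClass, which is how the two kinds of schema
    object in the Schema container are told apart.
    """
    kind = entry["objectClass"]
    out = {
        "kind": kind,
        "lDAPDisplayName": entry["lDAPDisplayName"],
        "defunct": bool(entry.get("isDefunct", False)),
    }
    if kind == "classSchema":
        # mustContain/mayContain are admin-editable; the system* variants are
        # only changed by AD itself. Merge them to show the effective sets.
        out["oid"] = entry["governsID"]
        out["category"] = CLASS_CATEGORY.get(entry["objectClassCategory"], "invalid")
        out["subClassOf"] = entry["subClassOf"]
        out["required"] = sorted(entry.get("mustContain", []) + entry.get("systemMustContain", []))
        out["optional"] = sorted(entry.get("mayContain", []) + entry.get("systemMayContain", []))
    elif kind == "attributeSchema":
        flags = decode_search_flags(entry.get("searchFlags", 0))
        out["oid"] = entry["attributeID"]
        out["syntax"] = (entry["attributeSyntax"], entry["oMSyntax"])  # pair defines the type
        out["singleValued"] = bool(entry["isSingleValued"])
        out["inGlobalCatalog"] = bool(entry.get("isMemberOfPartialAttributeSet", False))
        out["searchFlags"] = flags
        # A GC-replicated attribute that is not confidential is readable
        # forest-wide by any principal holding READ_PROPERTY on the object.
        out["confidential"] = any(f.startswith("fCONFIDENTIAL") for f in flags)
    else:
        raise ValueError("not a schema object: %s" % kind)
    return out


# Constructed sample entries; OIDs are placeholders, not values from a forest.
SAMPLE_ENTRIES = [
    {
        "objectClass": "classSchema",
        "cn": "Example-Device",
        "lDAPDisplayName": "exampleDevice",
        "governsID": "1.2.840.113556.1.5.999999",  # placeholder OID
        "objectClassCategory": 1,
        "subClassOf": "top",
        "systemMustContain": ["cn"],
        "mustContain": ["exampleSerialNumber"],
        "mayContain": ["description", "exampleOwner"],
        "isDefunct": False,
    },
    {
        "objectClass": "attributeSchema",
        "cn": "Example-Serial-Number",
        "lDAPDisplayName": "exampleSerialNumber",
        "attributeID": "1.2.840.113556.1.4.999999",  # placeholder OID
        "attributeSyntax": "2.5.5.12",  # Unicode string ...
        "oMSyntax": 64,                 # ... paired with OM type 64
        "isSingleValued": True,
        "isMemberOfPartialAttributeSet": True,
        "searchFlags": 0x1 | 0x4,       # indexed + ANR
    },
]


def summarize(entries=SAMPLE_ENTRIES):
    """Decode every entry in the list; the sample data is the default."""
    return [describe_schema_object(e) for e in entries]


if __name__ == "__main__":
    for summary in summarize():
        print(summary)
```

To use this against a real forest, replace SAMPLE_ENTRIES with the result of
an LDAP search of the Schema container filtered on
(|(objectClass=classSchema)(objectClass=attributeSchema)) and requesting the
attributes named in the two tables; the decoding does not change.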