Microsoft Windows Security Resource Kit
Understanding the Active Directory Schema
All the objects that you can create in Active Directory and all their properties are defined in the Active Directory Schema. In Microsoft Windows 2000, the only copy of the schema is hosted by the domain controller that holds the schema flexible single-master operation (FSMO) role, which by default is the first domain controller in the forest. The schema is replicated from the schema master to all domain controllers in the forest through normal Active Directory replication. In the schema, objects and properties are defined as object classes and attributes. Once an object class has been defined and attributes assigned to it, you can instantiate, or create, objects of that class.
Attributes
The attributes defined in the schema represent the possible properties that can be used in object classes. Attributes are defined in the schema only one time and are reused for each object class with which they are associated. For example, nearly every object class includes the attribute cn, which will be populated with the common name of the object in the Lightweight Directory Access Protocol (LDAP) naming convention. Table 4-1 lists the contents of an attribute.
| Contents | Description |
| --- | --- |
| Common name | LDAP display name of the attribute. |
| Description | Description of the attribute. |
| X.500 object ID (OID) | Object identifier for the attribute. |
| Globally unique identifier (GUID) | 128-bit randomly generated number that uniquely identifies the attribute. |
| Syntax | Data type of the attribute. |
| Range | Range of values for the attribute. For integers, range defines the minimum and maximum value; for strings, range defines the minimum and maximum length. |
| Multi/single value | Defines whether the attribute will contain one value or more than one value. |
| Index | Determines whether the attribute is indexed. |
| Global Catalog | Determines whether the attribute is replicated to the Global Catalog for all objects that use it. |
| Security descriptor | Defines the base security for the attribute. |
| Metadata | Data used by Active Directory for internal processing, such as replication metadata. |
Members of the Schema Admins group can add attributes to the schema of a forest. Attributes cannot be deleted; however, they can be deactivated, which prohibits them from being used in object classes.
Classes
Object classes are collections of attributes that can be instantiated to create objects. Active Directory is based on the X.500 1993 specification for directory services that defines the hierarchical structure of classes. X.509 requires that object classes be assigned to one of three categories:
- Structural classes
Structural classes are the only kind of class from which you can create objects in Active Directory. A structural class can be used in defining the structure of the directory and is derived from either an abstract class or another structural class. A structural class can include any number of auxiliary classes in its definition. For example, user and organizationalUnit are structural object classes.
- Abstract classes
Abstract classes are templates that are used only to derive new structural classes. Abstract classes cannot be instantiated in the directory. This means that no object can belong to an abstract class only; each object of an abstract class must also belong to some nonabstract subclass. A new abstract class can be derived from an existing abstract class. Classes of the abstract category exist for the sole purpose of providing attributes for subordinate classes, referred to as subclasses. A subclass contains all mandatory and optional attributes of the class from which it is derived, known as its superclass, in addition to those attributes specific to the class itself. Likewise, a subclass of a subclass contains all attributes of both its superclasses, and so forth.
- Auxiliary classes
Auxiliary classes are similar to include files in the C programming language; they contain a list of attributes. Adding the auxiliary class to the definition of a structural or abstract class adds the auxiliary class's attributes to the definition. An auxiliary class cannot be instantiated in the directory, but new auxiliary classes can be derived from existing auxiliary classes. For example, the securityPrincipal class is an auxiliary class, and it derives its attributes from the parent abstract class named top. Although you cannot create a security principal object in the directory (because auxiliary classes cannot have instances), you can create an object of the structural class user, which has the securityPrincipal class as an auxiliary. The attributes of the securityPrincipal class contribute to making the user object recognizable to the system as a security account. Similarly, the group class has securityPrincipal as an auxiliary class.
An object class is defined by the attributes that are tagged as either mandatory or optional. Mandatory attributes must be populated with values when an object is created, while optional attributes can have null values.
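As an added example (not code from the book), the following PowerShell models how a structural class such as user gathers its mandatory and optional attributes from its superclass chain and its auxiliary classes, and then applies the mandatory/optional rule to a proposed object. The $Schema table is a constructed five-class excerpt (class names are real, attribute lists are abbreviated), and the two function names are assumptions for illustration.

```powershell
# Constructed miniature of the schema: superclass, auxiliary classes, and the
# class's own mandatory (Must) and optional (May) attributes.
$Schema = @{
    top                  = @{ Super = $null; Aux = @(); Must = @('objectClass'); May = @('cn', 'description') }
    securityPrincipal    = @{ Super = 'top'; Aux = @(); Must = @('objectSid', 'sAMAccountName'); May = @('sIDHistory') }
    person               = @{ Super = 'top'; Aux = @(); Must = @('cn'); May = @('sn', 'telephoneNumber') }
    organizationalPerson = @{ Super = 'person'; Aux = @(); Must = @(); May = @('title', 'mail') }
    user                 = @{ Super = 'organizationalPerson'; Aux = @('securityPrincipal'); Must = @(); May = @('userPrincipalName') }
}

# Walk the superclass chain and every auxiliary class (and their superclasses),
# collecting attributes exactly once per class.
function Get-EffectiveAttributes {
    param([Parameter(Mandatory)][string]$ClassName)
    $must = [System.Collections.Generic.HashSet[string]]::new()
    $may  = [System.Collections.Generic.HashSet[string]]::new()
    $seen = @{}
    $stack = [System.Collections.Stack]::new()
    $stack.Push($ClassName)
    while ($stack.Count -gt 0) {
        $name = $stack.Pop()
        if ($seen.ContainsKey($name)) { continue }
        $seen[$name] = $true
        $cls = $Schema[$name]
        if (-not $cls) { throw "Unknown class '$name'" }
        foreach ($a in $cls.Must) { [void]$must.Add($a) }
        foreach ($a in $cls.May)  { [void]$may.Add($a) }
        if ($cls.Super) { $stack.Push($cls.Super) }
        foreach ($aux in $cls.Aux) { $stack.Push($aux) }
    }
    $may.ExceptWith($must)   # mandatory anywhere in the chain wins over optional
    [pscustomobject]@{ Class = $ClassName; Must = @($must | Sort-Object); May = @($may | Sort-Object) }
}

# Apply the rule from the text: every mandatory attribute must carry a value,
# and no attribute outside the class's mandatory/optional sets is allowed.
function Test-ObjectDefinition {
    param([string]$ClassName, [hashtable]$Values)
    $eff = Get-EffectiveAttributes -ClassName $ClassName
    $missing = @($eff.Must | Where-Object { -not $Values.ContainsKey($_) -or $null -eq $Values[$_] })
    $unknown = @($Values.Keys | Where-Object { $_ -notin $eff.Must -and $_ -notin $eff.May })
    [pscustomobject]@{ Valid = ($missing.Count -eq 0 -and $unknown.Count -eq 0); Missing = $missing; Unknown = $unknown }
}

# objectSid and sAMAccountName arrive through the securityPrincipal auxiliary;
# cn, sn, title and mail come down the person/organizationalPerson chain.
Get-EffectiveAttributes -ClassName user | Format-List
# Reports objectSid as missing: in the real directory the system generates it
# at creation time, which this simplified model does not account for.
Test-ObjectDefinition -ClassName user -Values @{ objectClass = 'user'; cn = 'jdoe'; sAMAccountName = 'jdoe' }
```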
Security on the Active Directory Schema
Before viewing the Active Directory Schema, you must register the schema management .dll file. You can do this by typing regsvr32 schmmgmt.dll at the command prompt or in the Run command and then adding the Active Directory Schema Microsoft Management Console (MMC) snap-in to a blank MMC. You can also automatically register the schema management .dll file and all other management .dll files by installing the Windows 2000 Administrator's Pack. You do this by running Adminpak.msi from any Windows 2000 server or from the Windows 2000 Server CD.

The schema FSMO is read-only by default. Only members of the Schema Admins group can mark the schema as writeable. Once the changes to the schema have been made, the schema must replicate to all domain controllers in the forest.
Because modifications to the schema in Windows 2000 are irreversible, you should exercise extreme caution when making modifications or extensions to the schema. You should also ensure that the Schema Admins group has no members unless the schema is in the process of being modified or extended. Only members of the Enterprise Administrators group, which includes Domain Admins from the forest root domain, can manage membership in the Schema Admins group.
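An added audit check (not from the book) for the two points above: that Schema Admins is empty outside a change window and that the schema master has not been left marked writeable. It assumes the ActiveDirectory PowerShell module (RSAT), rights to read the forest and to run remote commands on the schema master, and the function name Test-SchemaHardening; the registry value it reads is the one the snap-in's "schema may be modified" setting writes on Windows 2000 domain controllers.

```powershell
Import-Module ActiveDirectory

function Test-SchemaHardening {
    $forest = Get-ADForest
    $schemaMaster = $forest.SchemaMaster          # the only DC that can write the schema

    # Schema Admins lives in the forest root domain; -Recursive expands nested groups too.
    $members = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive)

    # Windows 2000 records the "schema may be modified" choice here on the schema
    # master; a missing value or 0 means the schema is still read-only.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $updateAllowed = Invoke-Command -ComputerName $schemaMaster -ScriptBlock {
        (Get-ItemProperty -Path $using:regPath -Name 'Schema Update Allowed' -ErrorAction SilentlyContinue).'Schema Update Allowed'
    }

    $findings = @()
    if ($members.Count -gt 0) {
        $findings += "Schema Admins has $($members.Count) member(s): $($members.SamAccountName -join ', ')"
    }
    if ($updateAllowed -eq 1) {
        $findings += "Schema is marked writeable on $schemaMaster"
    }

    [pscustomobject]@{
        SchemaMaster  = $schemaMaster
        SchemaAdmins  = @($members | Select-Object -ExpandProperty SamAccountName)
        UpdateAllowed = [bool]($updateAllowed -eq 1)
        Findings      = $findings
    }
}

Test-SchemaHardening | Format-List
```

An empty Findings list is the expected steady state; either finding should only appear while a planned schema extension is under way.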