Active Directory Schema Management

Active Directory provides predefined objects so that directory service manipulation can be uniform across namespaces. However, an Active Directory object in any given directory might have more functionality than that specified by Active Directory. A directory might also contain objects that are not defined at all by Active Directory. In addition, there are extensible directory services that allow their base schema to be modified and their objects to be arbitrarily extended by administrators and independent software vendors.

Object extensions are handled by the Schema Management Active Directory objects. These objects are used to:

In Active Directory, there are three ways to extend an Active Directory object:

Schema Management Active Directory objects

The schema management objects can be used to browse and modify the schema of a namespace. These objects are:

These objects are different from directory service objects like the User component, in that their properties are not subdivided into functional sets.

SCHEMA Container Object.

The SCHEMA container object is used to attach a set of object definitions to a part of a directory tree. Typically, each instance of a directory will have its own schema. Active Directory represents this by placing a SCHEMA container as a child of the directory root.

Figure 4 - The SCHEMA Container

Figure 4 shows the typical layout. However, Active Directory does not limit SCHEMA containers to this level of the tree. A complex directory might allow multiple schemas to exist in a directory instance. In that case, SCHEMA containers might be found in other parts of a tree. There can only be one SCHEMA container in any given Active Directory container.

Figure 5 - Schema Hierarchy

The SCHEMA container itself is a tree that contains class, functional set, property, and syntax definitions. New classes and functional sets can be created in the container to expand the schema.

Functional sets are defined separately from classes so that they can be used in multiple class definitions.

Class Container Object.

The Class container object is used to define a class of objects that can be created in the directory. New classes can be derived from existing classes using the Active Directory model.

Figure 6 - Creating a Class

Figure 6 illustrates how a Class container object relates to other Class objects, Property objects, and Syntax objects to create a definition of a class. A Class object points to Property objects, which point to the Syntax the Property supports.
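The class, functional set, property, and syntax chain described above can be checked for dangling references before a schema extension is accepted. The following Python model is an added example, not part of the original page and not Active Directory code. The schema contents, the dictionary layout, the function name `effective_properties`, and the rule that a derived class inherits its parent's properties are assumptions made for illustration.

```python
# Constructed sample schema; every name below is an illustrative assumption.
SCHEMA = {
    "syntaxes": {"String", "Integer"},
    "properties": {          # property -> syntax it supports
        "FullName": "String",
        "LoginCount": "Integer",
        "BadgeId": "Guid",   # deliberately dangling: "Guid" is not defined
    },
    "functional_sets": {     # defined once, reusable by several classes
        "Identity": ["FullName"],
        "Accounting": ["LoginCount"],
    },
    "classes": {             # class -> parent, functional sets, own properties
        "Person": {"parent": None, "sets": ["Identity"], "props": []},
        "Employee": {"parent": "Person", "sets": ["Accounting"], "props": ["BadgeId"]},
    },
}


def effective_properties(schema, class_name):
    """Return ({property: syntax}, [problems]) for a class and its ancestors."""
    resolved, problems, seen = {}, [], set()
    current = class_name
    while current is not None:
        if current in seen:  # a class must not derive from itself
            problems.append(f"derivation cycle at class {current}")
            break
        seen.add(current)
        cls = schema["classes"].get(current)
        if cls is None:
            problems.append(f"undefined class {current}")
            break
        names = list(cls["props"])
        for fs in cls["sets"]:
            if fs not in schema["functional_sets"]:
                problems.append(f"{current}: undefined functional set {fs}")
                continue
            names.extend(schema["functional_sets"][fs])
        for prop in names:
            syntax = schema["properties"].get(prop)
            if syntax is None:
                problems.append(f"{current}: undefined property {prop}")
            elif syntax not in schema["syntaxes"]:
                problems.append(f"{prop}: undefined syntax {syntax}")
            else:
                resolved.setdefault(prop, syntax)  # nearest definition wins
        current = cls["parent"]
    return resolved, problems
```

A non-empty problems list means the class definition cannot be fully resolved, and a reviewer would reject the extension until every reference points at a defined object.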