Schema Implementation
In Microsoft® Active Directory™, class and attribute definitions are stored in the directory as instances of the classSchema and attributeSchema classes, respectively. classSchema and attributeSchema are themselves classes defined in the schema. This means that to manipulate the Active Directory schema, you can use the same LDAP operations that you use to manipulate any other object. Since the schema is a key part of the directory that affects the entire forest, there are special restrictions on schema extensions.
To summarize the schema implementation:
- Instances of the classSchema class are used to define every object class supported by Active Directory. The attributes of a classSchema object (for instance, its mayContain and mustContain attributes) describe an object class, the same way the attributes of a user object (for instance, its userPrincipalName and telephoneNumber attributes) describe that user. See Characteristics of Object Classes.
- Instances of the attributeSchema class are used to define every attribute supported by Active Directory. The attributes of an attributeSchema object (for instance, its attributeSyntax and isSingleValued attributes) describe an attribute, the same way the attributes of a user object describe that user. See Characteristics of Attributes.
- Instances of the attributeSchema and classSchema classes are stored in a well-known place in the directory, the schema container. The schema container always has a distinguished name of the form:
CN=Schema,CN=Configuration,<DC=forestroot>
where <DC=forestroot> is the distinguished name of the root of the forest, for example, DC=Microsoft,DC=Com.
To get the distinguished name of the schema container, read the schemaNamingContext property of rootDSE. For more information on rootDSE and its properties, see Serverless Binding and RootDSE.
When thinking about the schema, it is very important to remember two key points:
- Schema changes are global. There is a single schema for an entire forest. The schema is globally replicated: a copy of the schema exists on every domain controller in the forest. When you extend the schema, you do so for the entire forest.
- Schema additions are not reversible. Once a new class or attribute has been added to the schema, it cannot be removed. An existing attribute or class can be disabled, but not removed (see Disabling Existing Classes and Attributes). Disabling a class or attribute does not affect existing instances of the class or attribute, but it prevents new instances from being created. You cannot disable an attribute if it is included in any class that is not disabled.
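The two mechanics above (reading the schema container's distinguished name from rootDSE and checking its documented shape, and refusing to disable an attribute that a still-active class includes) can be modelled offline. The following Python is an added example, not code from this page or from Microsoft; it works on constructed dictionaries that stand in for what an LDAP client would read from a domain controller, so it runs without a directory. It assumes the real schema attributes isDefunct, systemMustContain and systemMayContain, which this page does not mention, and uses a made-up forest DC=example,DC=com.

```python
"""Offline model of two Active Directory schema checks.

All data below is constructed sample input, not read from a directory.
"""

# Documented prefix of the schema container DN: CN=Schema,CN=Configuration,<forest root>
SCHEMA_DN_PREFIX = "CN=Schema,CN=Configuration,"

# Constructed rootDSE attributes (a real client reads these from the server).
ROOTDSE = {
    "rootDomainNamingContext": "DC=example,DC=com",
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=example,DC=com",
}

# Constructed classSchema objects keyed by lDAPDisplayName.  A real schema
# container holds hundreds; only the attributes the checks need are modelled.
CLASSES = {
    "user": {
        "isDefunct": False,
        "mustContain": ["cn"],
        "mayContain": ["telephoneNumber", "userPrincipalName"],
    },
    "contact": {
        "isDefunct": False,
        "mustContain": ["cn"],
        "mayContain": ["telephoneNumber"],
    },
    # A class that was already disabled (isDefunct is the real AD attribute
    # for this; assumption: the page itself does not name it).
    "oldWidget": {
        "isDefunct": True,
        "mustContain": [],
        "mayContain": ["widgetColour"],
    },
}

# Constructed attributeSchema objects keyed by lDAPDisplayName.
ATTRIBUTES = {
    "cn": {"isDefunct": False, "isSingleValued": True},
    "telephoneNumber": {"isDefunct": False, "isSingleValued": True},
    "userPrincipalName": {"isDefunct": False, "isSingleValued": True},
    "widgetColour": {"isDefunct": False, "isSingleValued": False},
}


def schema_container_dn(rootdse):
    """Return the schema container DN exactly as rootDSE publishes it."""
    return rootdse["schemaNamingContext"]


def schema_dn_matches_forest(rootdse):
    """Check that schemaNamingContext has the documented form
    CN=Schema,CN=Configuration,<forest root DN>.  DNs compare case-insensitively."""
    expected = SCHEMA_DN_PREFIX + rootdse["rootDomainNamingContext"]
    return rootdse["schemaNamingContext"].casefold() == expected.casefold()


def classes_referencing(attr_name, classes, include_defunct=False):
    """Names of classes whose mustContain/mayContain (or the system* variants,
    assumed here) list the attribute.  Defunct classes are skipped by default
    because they no longer block disabling an attribute."""
    wanted = attr_name.casefold()
    hits = []
    for class_name, cls in classes.items():
        if cls.get("isDefunct", False) and not include_defunct:
            continue
        members = (cls.get("mustContain", []) + cls.get("mayContain", [])
                   + cls.get("systemMustContain", []) + cls.get("systemMayContain", []))
        if any(m.casefold() == wanted for m in members):
            hits.append(class_name)
    return sorted(hits)


def can_disable_attribute(attr_name, classes, attributes):
    """Pre-flight for disabling an attribute: the page states it cannot be
    disabled while any non-disabled class includes it.  Returns (allowed, blockers)."""
    if attr_name not in attributes:
        raise KeyError(f"unknown attribute {attr_name!r}")
    if attributes[attr_name].get("isDefunct", False):
        return True, []  # already disabled; nothing to do
    blockers = classes_referencing(attr_name, classes)
    return (not blockers), blockers


if __name__ == "__main__":
    print("schema container:", schema_container_dn(ROOTDSE))
    print("DN has documented form:", schema_dn_matches_forest(ROOTDSE))
    for attr in ("telephoneNumber", "widgetColour"):
        allowed, blockers = can_disable_attribute(attr, CLASSES, ATTRIBUTES)
        print(f"disable {attr}: allowed={allowed} blocked by={blockers}")
```

The pre-flight check is the part worth carrying into real tooling: because schema additions are permanent and replicate forest-wide, a script that sets isDefunct should enumerate every active class that still lists the attribute and stop, rather than let the domain controller reject the write after the change has been queued.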