Active Directory Schema

Finding the Schema Container

Every Active Directory object can be referenced by a unique and unambiguous name known as the distinguished name (also known as a "DN"). The distinguished name identifies the domain that holds the object as well as the complete path through the container hierarchy by which the object is reached. The distinguished name of the Schema container can be expressed as follows:

cn=schema,cn=configuration,dc=< forest root domainname>

For more information about the distinguished name, see "Active Directory Logical Structure" in this book.

You can view the contents of the Schema container by using the Active Directory Schema console in Microsoft Management Console (MMC). You also can bind to the schema directory partition and view schema objects by using the Active Directory Service Interfaces (ADSI) Edit MMC console or the Ldp tool.

Note

The ADSI Edit snap-in is not one of the default MMC snap-ins that is provided with Windows 2000 Server. To use ADSI Edit and Ldp, install the Support Tools that are located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For more information about using ADSI Edit and Ldp, see Microsoft® Windows® 2000 Support Tools Help. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools folder of the Windows 2000 operating system CD. For information about diagnosing and troubleshooting problems using the Ldp tool, see "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.)

It is possible to locate the Schema container without knowing the domain name. Installation scripts and other applications that might not know what domain they are to be used in are able to gain access to the schema because they bind to a special entry at the top of the logical namespace called rootDSE, which provides the schema location. The rootDSE (DSA-specific Entry) represents the top of the logical namespace and, therefore, the top of the Lightweight Directory Access Protocol (LDAP) search tree. The attributes of rootDSE identify, among other things, the directory partitions — that is, the domain, schema, and configuration directory partitions — as well as the forest root domain directory partition. One attribute, schemaNamingContext, provides the location of the schema so that applications that are connecting to any domain controller can find and read the schema. (For more information about the rootDSE, see "Name Resolution in Active Directory" in this book.)

To identify the Schema directory partition by using ADSI Edit

Start the ADSI Edit console in MMC.
Right-click ADSI Edit, and then click Connect to.
The Connection dialog box is displayed.
In the Connection Point check box, make sure Naming Context is selected.
Select RootDSE from the Naming Context box, and then click OK.
In the Console Tree, double-click My Connection.
The RootDSE folder is displayed.
Right-click the RootDSE folder, and then click Properties.
In the Select property to view dialog box, select schemaNamingContext from the list of properties ("attributes").
In Attribute Values, view the Value(s) box to see the distinguished name of the schema directory partition.

Note

The Schema Management snap-in is not one of the default MMC snap-ins that is provided with Windows 2000 Server. To make it appear in the list of available snap-ins, you must install the admin tools package (Adminpak.msi). To register the Schema Management snap-in, open your %SystemRoot%\System32 folder and run Regsvr32 Schmmgmt.dll from the command prompt or from the Run command on the Start menu.