Active Directory Schema

Adding and Modifying Schema Objects

Because schema objects are another kind of directory object, you can use the same methods that you would use to add or modify any directory object. Windows 2000 provides an administrative tool called Active Directory Schema that provides a straightforward user interface, and, of course, you have the option of making changes to the schema programmatically.

Adding an Attribute

It is recommended that you try to use existing attributes wherever possible. If you decide that you need to create a new attribute, however, you must adhere to the following guidelines:

To add a new attribute to the schema, you must create a new attribute object. First remove the Active Directory safety interlocks as described in "How to Extend the Schema" earlier in this chapter. Then do the following:

  1. Choose a name for the attribute.
  2. Obtain a valid object identifier from an issuing authority.
  3. Determine the syntax of the attribute.
  4. Decide whether the attribute needs to be a single-value or multivalue attribute.
  5. Decide whether and how the attribute needs to be indexed.
  6. Decide whether the attribute needs to be replicated to the Global Catalog.

For every attribute that you define, some attributes are mandatory and some are optional; these attributes are listed in Table 4.7 and Table 4.8.

Table 4.7 Mandatory Attributes for New Attribute-Definition Objects

Mandatory Attribute          Default Status
---------------------------  --------------
cn                           No default. Administrator must specify a name.
objectClass                  No default. Administrator must specify attributeSchema.
attributeID                  No default. Administrator must specify an object identifier string.
attributeSyntax              No default. Administrator must specify one of the syntaxes that are recognized by Active Directory.
oMSyntax                     No default. Administrator must specify an oMSyntax that matches the corresponding attributeSyntax.
schemaIDGUID                 Defaults to a value generated by uuidgen if not specified.
nTSecurityDescriptor         Defaults if the administrator does not specify. The default value depends on the defaultSecurityDescriptor attribute of the attributeSchema class.
isSingleValued               Defaults to FALSE if not specified by the administrator.
lDAPDisplayName              Defaults from the common name if not specified by the administrator.

Table 4.8 Optional Attributes for New Attribute-Definition Objects

Optional Attribute           Default Status
---------------------------  --------------
rangeLower                   No default. The administrator must specify a value.
rangeUpper                   No default. The administrator must specify a value.
isMemberOfPartialReplicaSet  Defaults to FALSE if not specified by the administrator.
searchFlags                  No default. The four currently defined bits for this attribute are as follows:
                               1 = Index over attribute only
                               2 = Index over container and attribute
                               4 = Add this attribute to the Ambiguous Name Resolution (ANR) set (must be used in conjunction with 1)
                               8 = Preserve this attribute on logical deletion (that is, make this attribute available on tombstones)

As an example, suppose you want to add a new attribute called userName. Each instance of a userName attribute stores exactly one Unicode string of at least one character and not more than 1,000 characters. In this case, you would add the following attribute definition:
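The chapter's own definition of userName is not reproduced on this page. As an added example (not the chapter's code), the script below assembles the userName attributeSchema object from Tables 4.7 and 4.8, applies the defaults those tables list, enforces the searchFlags bit rule from Table 4.8, and renders an LDIF add record. The attributeID and the schema naming context are placeholders; 2.5.5.12 with oMSyntax 64 is the Unicode-string syntax pair.

```python
# Added example (not the chapter's own definition): assemble the userName
# attributeSchema object from Tables 4.7 and 4.8, apply the listed defaults,
# check the searchFlags bit rules and render an LDIF add record.
from typing import Dict, List

MANDATORY = ("cn", "objectClass", "attributeID", "attributeSyntax", "oMSyntax")
SEARCH_FLAG_BITS = {1: "index over attribute only", 2: "index over container and attribute",
                    4: "member of the ANR set", 8: "preserved on logical deletion (tombstone)"}

def decode_search_flags(flags: int) -> List[str]:
    """Name the set bits; Table 4.8 says bit 4 (ANR) must be combined with bit 1."""
    undefined = flags & ~sum(SEARCH_FLAG_BITS)
    if undefined:
        raise ValueError(f"undefined searchFlags bits set: {undefined:#x}")
    if flags & 4 and not flags & 1:
        raise ValueError("ANR (4) requires the attribute index bit (1)")
    return [name for bit, name in SEARCH_FLAG_BITS.items() if flags & bit]

def complete_attribute(defn: Dict[str, str]) -> Dict[str, str]:
    """Reject a definition missing Table 4.7 values; fill the defaults it lists."""
    missing = [a for a in MANDATORY if a not in defn]
    if missing:
        raise ValueError("missing mandatory attributes: " + ", ".join(missing))
    if defn["objectClass"] != "attributeSchema":
        raise ValueError("objectClass must be attributeSchema")
    out = dict(defn)
    out.setdefault("isSingleValued", "FALSE")     # Table 4.7 default
    out.setdefault("lDAPDisplayName", out["cn"])  # defaults from the common name
    if all(k in out for k in ("rangeLower", "rangeUpper")) and int(out["rangeLower"]) > int(out["rangeUpper"]):
        raise ValueError("rangeLower exceeds rangeUpper")
    if "searchFlags" in out:
        decode_search_flags(int(out["searchFlags"]))
    return out

def to_ldif(defn: Dict[str, str], schema_nc: str = "CN=Schema,CN=Configuration,DC=example,DC=com") -> str:
    """Render one LDIF add record; schema_nc is a placeholder schema naming context."""
    lines = [f"dn: CN={defn['cn']},{schema_nc}", "changetype: add"]
    lines += [f"{k}: {v}" for k, v in defn.items()]
    return "\n".join(lines) + "\n"

# The attribute from the text: exactly one Unicode string of 1 to 1,000 characters.
# The attributeID is a placeholder for an OID obtained from an issuing authority.
USER_NAME = {"cn": "userName", "objectClass": "attributeSchema",
             "attributeID": "<OID-from-issuing-authority>", "attributeSyntax": "2.5.5.12",
             "oMSyntax": "64", "isSingleValued": "TRUE", "rangeLower": "1",
             "rangeUpper": "1000", "searchFlags": "1"}
```

Calling to_ldif(complete_attribute(USER_NAME)) produces the record you would hand to an LDIF import tool once a real OID replaces the placeholder.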

Modifying an Attribute

To modify an attribute, modify the existing attribute-definition object that represents the attribute. For reasons of consistency and security, some attributes of each attribute-definition object are designated as system-only. You cannot modify system-only attributes of an attribute object, not even for new attributes that you originally created. System-only attributes are designated by having the systemOnly attribute of the attribute set to TRUE.

The following attributes of an attribute-definition object are systemOnly and, thus, cannot be modified:

Adding a Class

To add a new class, you add a new class-definition object with all the desired attributes. After you remove the Active Directory safety interlocks, as described in "How to Extend the Schema" earlier in this chapter, make sure that you have done the following before you add a class:

  1. Choose a name for the class.
  2. Obtain a valid object identifier from an issuing authority.
  3. Determine the object class category.
  4. Determine the class from which this new class inherits information.

For every class, some attributes are mandatory and some are optional, as shown in Table 4.9 and Table 4.10. If you do not define values for some of these attributes, they are given default values.

Table 4.9 Mandatory Attributes for New Class-Definition Objects

Attribute                    Default Status
---------------------------  --------------
cn                           No default. Administrator must specify a name.
objectClassCategory          Defaults to 88 class because it is assumed to be a class with no category. Other options are Structural, Abstract, or Auxiliary.
governsID                    No default. Administrator must specify an object identifier string.
possSuperiors                No default. Administrator must specify the structural class or classes that are legal parents of instances of this class.
subClassOf                   No default. Administrator must specify a value.
schemaIDGUID                 Defaults if not specified. The default value is automatically generated by the system.
nTSecurityDescriptor         Defaults if not specified. The default value depends on the defaultSecurityDescriptor of the classSchema class.
lDAPDisplayName              Defaults from the common name if not specified.

Table 4.10 Optional Attributes for New Class-Definition Objects

Optional Attribute           Default Status
---------------------------  --------------
defaultSecurityDescriptor    If no default security descriptor is specified, the default security descriptor of the immediate superclass is used.
auxiliaryClass               The list of additional (auxiliary) classes from which this class is derived.

For a new class, you must define cn, objectClass, and governsID. However, to make the new class actually useful, you probably also want to define some attributes in mustContain, mayContain, and possSuperiors. Any attributes you specify when you add a new class must already exist. So, if you want to add a new class with new attributes, you must add the new attributes to the schema first.

When you add a new class, the object identifier specified in governsID must be unique, not only in your enterprise but also globally.

Note

The system imposes rules that restrict the addition of schema objects.

Suppose you want to add a new class "Friend" to store information about a friend. Any Friend object must contain the name of the friend and might also contain her address or phone number. And because a friend is a person, you want objects of the Friend class to have the same mandatory attributes, optional attributes, and directory superiors as the Person class you have already defined. In this case, you add the following class definition:
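The chapter's own Friend class definition is not reproduced on this page. As an added example (not the chapter's code), the script below checks a Friend classSchema object against the rules stated above (cn, objectClass and governsID required; governsID unique; every mustContain/mayContain attribute already present) and then computes the mandatory and optional attributes Friend inherits from Person through subClassOf. The mini-schema and all OIDs are constructed placeholders.

```python
# Added example (not the chapter's own definition): validate a new Friend
# classSchema object against the text's rules and compute what it inherits.
from typing import Dict, List, Set, Tuple

# Constructed slice of an existing schema: attribute lDAPDisplayNames and classes.
ATTRIBUTES: Set[str] = {"cn", "userName", "streetAddress", "telephoneNumber"}
CLASSES: Dict[str, dict] = {
    "top": {"governsID": "<OID-top>", "subClassOf": "top", "mustContain": [], "mayContain": []},
    "organizationalUnit": {"governsID": "<OID-ou>", "subClassOf": "top", "mustContain": [], "mayContain": []},
    "Person": {"governsID": "<OID-person>", "subClassOf": "top",
               "mustContain": ["cn"], "mayContain": ["telephoneNumber"],
               "possSuperiors": ["organizationalUnit"]},
}

def validate_class(defn: dict, classes: Dict[str, dict], attributes: Set[str]) -> List[str]:
    """Return the rule violations found; an empty list means the class may be added."""
    problems = []
    for req in ("cn", "objectClass", "governsID", "subClassOf"):
        if req not in defn:
            problems.append(f"{req} is mandatory and has no default")
    if defn.get("objectClass") != "classSchema":
        problems.append("objectClass must be classSchema")
    if any(c["governsID"] == defn.get("governsID") for c in classes.values()):
        problems.append("governsID already used by another class; it must be globally unique")
    if defn.get("subClassOf") not in classes:
        problems.append(f"superclass {defn.get('subClassOf')} does not exist")
    for key in ("mustContain", "mayContain"):
        for att in defn.get(key, []):
            if att not in attributes:
                problems.append(f"{key} names {att}; add that attribute to the schema first")
    for sup in defn.get("possSuperiors", []):
        if sup not in classes:
            problems.append(f"possSuperiors names unknown class {sup}")
    return problems

def effective_contents(name: str, classes: Dict[str, dict]) -> Tuple[Set[str], Set[str]]:
    """Collect mustContain/mayContain up the subClassOf chain (top is its own superclass)."""
    must, may = set(), set()
    while True:
        cls = classes[name]
        must |= set(cls.get("mustContain", []))
        may |= set(cls.get("mayContain", []))
        if cls["subClassOf"] == name:
            return must, may
        name = cls["subClassOf"]

# The Friend class from the text: a Person whose objects may also carry an address.
FRIEND = {"cn": "Friend", "objectClass": "classSchema", "governsID": "<OID-from-issuing-authority>",
          "subClassOf": "Person", "mustContain": [], "mayContain": ["streetAddress"],
          "possSuperiors": ["organizationalUnit"]}
```

validate_class(FRIEND, CLASSES, ATTRIBUTES) returns no problems, and effective_contents("Friend", {**CLASSES, "Friend": FRIEND}) shows cn as mandatory with telephoneNumber and streetAddress optional, the inheritance the text describes.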

Modifying a Class

To modify a class, modify the existing class-definition object that represents the class. Some attributes of each class are designated as system-only, for consistency and security reasons. You cannot modify system-only attributes of a class-definition object, not even for new classes that you originally created. System-only attributes are designated by having the systemOnly attribute of the attribute set to TRUE.

The following attributes of a class-definition object are system-only attributes and, thus, cannot be modified:

© 1985-2000 Microsoft Corporation. All rights reserved.