Active Directory Schema

Adding and Modifying Schema Objects

Because schema objects are another kind of directory object, you can use the same methods that you would use to add or modify any directory object. Windows 2000 provides an administrative tool called Active Directory Schema that provides a straightforward user interface, and, of course, you have the option of making changes to the schema programmatically.

Adding an Attribute

It is recommended that you try to use existing attributes wherever possible. If you decide that you need to create a new attribute, however, you must adhere to the following guidelines:

Use cn as the name (relative distinguished name) attribute; this is the default for most classes, including those derived directly from top. Because cn is an indexed attribute, it allows an efficient search for your object by name.
Large multivalue attributes are costly to store and retrieve; it is recommended that you avoid using them. Active Directory implements an LDAP control to allow an incremental read of large multivalued attributes, but not all LDAP clients know how to use this control.
Remember that attributes are "flat," which means that there is no implied substructure to an attribute. All attributes in a specific class must relate directly to instances of that class. This is also good data normalization practice.

To add a new attribute to the schema, you must create a new attribute object. First create the Active Directory safety interlocks as described in "How to Extend the Schema" earlier in this chapter. Then do the following:

Choose a name for the attribute.
Obtain a valid object identifier from an issuing authority.
Determine the syntax of the attribute.
Decide whether the attribute needs to be a single-value or multivalue attribute.
Decide whether and how the attribute needs to be indexed.
Decide whether the attribute needs to be replicated to the Global Catalog.

For every attribute that you define, some attributes are mandatory and some are optional; these attributes are listed in Table 4.7 and Table 4.8.

Table 4.7 Mandatory Attributes for New Attribute-Definition Objects

Mandatory Attributes	Default Status
cn	No default. Administrator must specify a name.
objectClass	No default. Administrator must specify as attributeSchema.
attributeID	No default. Administrator must specify as an object identifier string.
attributeSyntax	No default. Administrator must specify one of the syntaxes that are recognized by Active Directory.
oMSyntax	No default. Administrator must specify an oMSyntax that matches the corresponding attribute syntax.
schemaIDGUID	It is defaulted to a value generated by uuidgen if not specified.
nTSecurityDescriptor	Defaults if the administrator does not specify. The default value depends on the defaultSecurityDescriptor attribute of the attributeSchema class.
isSingleValued	Defaults to FALSE if not specified by the administrator.
lDAPDisplayName	Defaults from the common name if not specified by the administrator.

Table 4.8 Optional Attributes for New Attribute-Definition Objects

Optional Attributes	Default Status
rangeLower	No default. The administrator must specify a value.
rangeUpper	No default. The administrator must specify a value.
isMemberOfPartialReplicaSet	Defaults to FALSE if not specified by the administrator.
searchFlags	No default. The four currently defined bits for this attribute are as follows: 1 = Index over attribute only; 2 = Index over container and attribute; 4 = Add this attribute to the Ambiguous Name Resolution (ANR) set (needs to be used in conjunction with 1); 8 = Preserve this attribute on logical deletion (that is, make this attribute available on tombstones).

As an example, suppose you want to add a new attribute called userName. Each instance of a userName attribute stores exactly one Unicode string of at least one character and not more than 1,000 characters. In this case, you would add the following attribute definition:

cn = userName
objectClass = attributeSchema
attributeID = 1.2.567.8901234.5.6.879 (Valid object identifier value)
attributeSyntax = 2.5.5.12 (Syntax value for Unicode string)
oMSyntax = 64 (Syntax value for Unicode string)
isSingleValued = TRUE (The intention is to store exactly one value.)
rangeLower = 1 (Minimum length of the string)
rangeUpper = 1000 (Maximum length of the string)

Modifying an Attribute

To modify an attribute, modify the existing attribute-definition object that represents the class. For reasons of consistency and security, some attributes of each attribute-definition object are designated as system-only. You cannot modify system-only attributes of an attribute object, not even for new classes that you originally created. System-only attributes are designated by having the systemOnly attribute of the attribute set to TRUE.

The following attributes of an attribute-definition object are systemOnly and, thus, cannot be modified:

attributeID
schemaIDGUID
attributeSyntax
oMSyntax
isSingleValued
extendedCharsAllowed
systemOnly
objectClass
instanceType

Adding a Class

To add a new class, you add a new schema-definition object with all the desired attributes. After you remove the Active Directory safety interlocks, as described in "How to Extend the Schema" earlier in this chapter, make sure that you have done the following before you add a class:

Choose a name for the class.
Obtain a valid object identifier from an issuing authority.
Determine the object class category.
Determine the class from which this new class inherits information.

For every class, some attributes are mandatory and some are optional, as shown in Table 4.9 and Table 4.10. If you do not define values for some of these attributes, they are given default values.

Table 4.9 Mandatory Attributes for New Class-Definition Objects

Attribute	Default Status
cn	No default. Administrator must specify a name.
objectClassCategory	Defaults to 88 class because it is assumed to be a class with no category. Other options are Structural, Abstract, or Auxiliary.
governsID	No default. Administrator must specify an object identifier string.
possSuperiors	No default. Administrator must specify the structural class or classes that are legal parents of instances of this class.
subClassOf	No default. Administrator must specify a value.
schemaIDGUID	Defaults if not specified. The default value is automatically generated by the system.
nTSecurityDescriptor	Defaults if not specified. The default value depends on the default SecurityDescriptor of the classSchema class.
lDAPDisplayName	Defaults from the common name if not specified.

Table 4.10 Optional Attributes for New Class-Definition Objects

Optional	Default Status
defaultSecurityDescriptor	If there is no default security descriptor specified, the default security descriptor of the immediate superclass is used.
auxiliaryClass	The list of additional (auxiliary) classes from which this class is derived.

For a new class, you must define cn, objectClass, and governsID. However, to make the new class actually useful, you probably also want to define some attributes in mustContain, mayContain, and possSuperiors. Any attributes you specify when you add a new class must already exist. So, if you want to add a new class with new attributes, you must add the new attributes to the schema first.

When you add a new class, the object identifier specified in governsID must be unique, not only in your enterprise but also globally.

Note

The system imposes rules that restrict the addition of schema objects.

Suppose you want to add a new class "Friend" to store information about a friend. Any Friend object must contain the name of the friend and might also contain her address or phone number. And because a friend is a person, you want objects of the Friend class to have the same mandatory attributes, optional attributes, and directory superiors as the Person class you have already defined. In this case, you add the following class definition:

cn = Friend
objectClass = classSchema
subClassOf = Person
governsID = 1.2.345.678901.2.3.45 (valid object identifier value)
mustContain = givenName, sn
mayContain = Address, phone-number

Modifying a Class

To modify a class, modify the existing class-definition object that represents the class. Some attributes of each class are designated as system-only, for consistency and security reasons. You cannot modify system-only attributes of a class-definition object, not even for new classes that you originally created. System-only attributes are designated by having the systemOnly attribute of the attribute set to TRUE.

The following attributes of a class-definition object are system-only attributes and, thus, cannot be modified:

governsID
schemaIDGUID
rDNAttID
subClassOf
systemMustContain
systemMayContain
systemPossSuperiors
systemAuxiliaryClass
objectClassCategory
systemOnly
objectClass
instanceType