Active Directory Schema

Previous Topic Next Topic

System Checks and Restrictions Imposed on Schema Additions and Modifications

When you try to add or modify a class or attribute, Active Directory performs some checks to make sure that the changes do not cause inconsistencies or other problems in the schema. The checks can be divided into two classes:

Consistency checks maintain the consistency of the schema. Safety checks reduce the possibility of a schema update by one application breaking another application.

Consistency Checks

For both class and attribute changes, the system makes sure that the values of lDAPDisplayName and schemaIDGUID are unique and also that lDAPDisplayName is valid.

The class-schema object addition and modification extensions are successful only if the new class definition passes all of the following tests as well as the normal extension checks.

For attribute changes, the system also checks the following:


note-icon

Note

A complete syntax specification consists of both the attributeSyntax and the oMSyntax. Hence, whenever more than one oMSyntax can be used with an attributeSyntax, the correct oMSyntax must be used.

Table 4.11 Values of attributeSyntax and Corresponding Syntaxes

attributeSyntax Value1 Matching oMSyntax
2.5.5.1 127 [Object(DN-Binary)]
2.5.5.2 6 [String(Object-Identifier)]
2.5.5.3 27 [String(Case sensitive)]
2.5.5.4 20 [String(Case insensitive)]
2.5.5.5 19 [String(Printable)], 22 [String(IA5)]
2.5.5.6 18 [String(Numeric)]
2.5.5.7 127 [Object(ORName)] or [Object(DNBinary)]. Distinction is oMObjectClass value.
2.5.5.8 1 [Boolean]
2.5.5.9 2 [Integer], 10 [Enumeration]
2.5.5.10 4 [String(Octet)]
2.5.5.11 23 [String(UTC-Time)], 24 [String(Generalized-Time)]
2.5.5.12 64 [String(Unicode)
2.5.5.13 127 [Object(Presentation-Address)]
2.5.5.14 127 [Object(Access-Point)] or [Object(DN-String)]. Distinction is oMObjectClass value
2.5.5.15 66 [String(NT-Sec-Desc)]
2.5.5.16 65 [LargeInteger)]
2.5.5.17 4 [String(Sid)]
1The oMSyntax names are specified with the syntax numbers to enable the correct choice.

For attributes with oMSyntax=127, the oMObjectClass also must be correctly specified according to the attributeSyntax. For attributes with any other oMSyntax value, it is not relevant and need not be specified. Because an oMObjectClass, being a binary value, is somewhat inconvenient to specify and because in most cases there is a one-to-one mapping between the attributeSyntax and oMObjectClass, the value defaults if none is specified by the user. There are a couple of cases where the mapping is not one-to-one, however, and the value defaults to the more common value. Table 4.12 is a list of the oMObjectClass values that correspond to the different attributeSyntax values for attributes with oMSyntax=127.

Table 4.12 Values of attributeSyntax and Corresponding oMObjectClass Values

attributeSyntax oMObjectClass Values1
2.5.5.1 \x2B0C0287731C00854A [Object(DS-DN)].
2.5.5.7 \x56060102050B1D [Object(OR-Name)] or \x2A864886F7140101010B [Object(DN-Binary)].

Defaults to Object(OR-Name) if none specified by the user.

2.5.5.13 \x2B0C0287731C00855C [Object(Presentation-Address)].
2.5.5.14 \x2B0C0287731C00853E [Object(Access-Point)] or \x2A864886F7140101010C [Object(DN-String)].

Defaulted to Object(Access-Point) if none specified by the user.

1The syntax names are specified in brackets for easy reference.

Safety Checks

The purpose of the safety checks is to reduce the possibility of schema updates by one user or application breaking another application. These checks are necessary because multiple applications might share a schema definition.

When you modify existing schema objects, the modifications are subject to certain restrictions enforced by Active Directory. In some cases, these restrictions are determined according to whether the objects are part of the original schema or whether they have been added after the original installation. So the schema objects are really divided into two categories:

Category 1 objects are the default base schema objects that are included with Windows 2000 in the base schema. Category 2 objects are objects that are added subsequently to the schema by administrators or applications. You can determine the category in which an object is located by looking at the second bit (starting at the least significant bit) in the systemFlags attribute. If the bit is set, it has the value FLAG_SCHEMA_BASE_OBJECT, which indicates that the object is part of the base schema, that is, category 1. If this bit is not set or the attribute is not present, the object is category 2.

The following restrictions apply to both category 1 and category 2 schema objects:

The following restrictions apply to category 1 schema objects:

© 1985-2000 Microsoft Corporation. All rights reserved.