Every database has a schema: a formal definition (a set of rules) that governs the structure of the database and the types of objects and attributes it can contain. The Active Directory schema lists every class and every attribute defined in the forest, and it keeps track of them as directory objects:
There is a classSchema object for each class in the Active Directory database, and an attributeSchema object for each attribute that an object in the database can carry.
Partitions
Active Directory objects are stored in the Directory Information Tree (DIT), which is divided into the following partitions (naming contexts):
- Schema partition - The class and attribute definitions, replicated to every domain controller in the forest.
- Configuration partition - Forest-wide configuration such as sites and services, replicated to every domain controller in the forest.
- Domain partition - The users, groups, computers and other objects of one domain, replicated to the domain controllers of that domain.
Schema Container
The schema container is a special container at the top of the schema partition; it is an instance of the dMD (Directory Management Domain) class. It can be viewed with the "Active Directory Schema" MMC snap-in or with the ADSI Edit utility (Active Directory Service Interfaces), which ships in the Support Tools on the installation CD-ROM. The distinguished name of the schema container is:
CN=Schema,CN=Configuration,DC=<forest root domain>
Classes and attributes are stored beneath it as classSchema objects and attributeSchema objects respectively.
attributeSchema Mandatory Attributes
Each attributeSchema object defines one attribute that other Active Directory objects can carry. Its mandatory attributes are:
- attributeID - An object identifier (OID) that uniquely identifies the attribute.
- attributeSyntax - An OID identifying the syntax (data type) of the attribute, for example 2.5.5.12 for a Unicode string.
- cn - The common name of the attribute, a Unicode string.
- isSingleValued - A boolean; TRUE means the attribute holds exactly one value, FALSE means it can hold several.
- lDAPDisplayName - The name by which LDAP clients refer to the attribute.
- nTSecurityDescriptor - The security descriptor of the attributeSchema object itself.
- objectClass - Always attributeSchema.
- oMSyntax - An integer from the X/Open object model (XOM) that, together with attributeSyntax, pins down the attribute's data type (64 for a Unicode string).
- schemaIDGUID - A GUID that uniquely identifies the attribute; access control entries that grant rights on this specific attribute refer to it by this GUID.
classSchema Mandatory Attributes
Each classSchema object defines one class of Active Directory object. Its mandatory attributes are:
- cn - The common name of the class, a Unicode string.
- defaultObjectCategory - The distinguished name that instances of the class receive as their objectCategory by default (normally the class's own classSchema object); searches by category match on it.
- governsID - An OID that uniquely identifies the class.
- lDAPDisplayName - The name by which LDAP clients refer to the class.
- nTSecurityDescriptor - The security descriptor of the classSchema object itself.
- objectClass - Always classSchema.
- objectClassCategory - An integer giving the class type. The value stored is shown in "()":
  - Abstract class (2) - Cannot be instantiated as an object; it exists only to pass its attributes down to subclasses.
  - Auxiliary class (3) - Cannot be instantiated either; it adds a set of attributes to structural or abstract classes.
  - Structural class (1) - The only class type from which objects can be created; every object in the directory is an instance of a structural class.
  - 88 class (0) - A class defined without a type, in the style of the 1988 X.500 specification, before the 1993 edition of X.500 introduced the structural, abstract and auxiliary distinction.
- schemaIDGUID - A GUID that uniquely identifies the class.
- subClassOf - Identifies the parent class from which this class inherits.
System Attributes
These attributes of a classSchema object are system-protected: only the Directory System Agent (DSA), the process that manages the Active Directory database, can change them, so neither an administrator nor a schema extension can alter them. Each has an unprotected counterpart without the "system" prefix (auxiliaryClass, mayContain, mustContain, possSuperiors) that can be modified.
- systemAuxiliaryClass - The auxiliary classes that are part of the class.
- systemMayContain - Optional attributes of the class.
- systemMustContain - Required attributes of the class.
- systemPossSuperiors - The classes that may be the parent (container) of objects of this class.
SAM Read Only Attributes
The SAM is the Security Accounts Manager, the component that owns the account database. The following account attributes are controlled by the SAM rather than by the directory itself:
- badPasswordCount
- badPasswordTime
- creationTime
- domainReplica
- isCriticalSystemObject
- lastLogoff
- lastLogon
- lockoutTime
- modifiedCount
- ntPwdHistory
- primaryGroupID
- revision
- sAMAccountName
- sAMAccountType
Schema Modifications
The schema should only be modified when absolutely necessary: a change replicates to every domain controller in the forest, and a schema object can be deactivated but never deleted. Control mechanisms include:
- The schema operations master (the holder of the schema FSMO role) is the only domain controller on which the schema can be changed.
- That domain controller must have schema updates enabled ("The Schema may be modified on this Domain Controller" in the Schema console, which sets the Schema Update Allowed registry value).
- The account making the change must be a member of the Schema Admins group.
- Each schema object has permissions set through the Windows 2000 security model.
Ways to modify the schema include:
- Programmatically, through an application programming interface (API) such as ADSI or LDAP.
- LDAP Data Interchange Format (LDIF) scripts.
- LDIFDE, the command-line tool that imports and exports LDIF files, used for bulk schema changes.
- CSVDE, the command-line tool that imports and exports comma-separated files, usable for bulk schema updates.
Document the following for every object added or changed when modifying the schema:
- Issuing authority of the object identifier (the OID arc it was allocated from)
- Object ID (attributeID or governsID)
- Class hierarchy (the chain of subClassOf values up to top)
- NT security descriptor
- LDAP display name
- Common name
- Class attributes (mustContain and mayContain)
When the schema is changed, Active Directory performs the following checks:
- Consistency - Makes sure identifiers (OIDs, lDAPDisplayNames, schemaIDGUIDs) are unique and that all mandatory attributes are present. It also checks that the superclasses, auxiliary classes and attributes a class refers to exist in the schema.
- Safety - Makes sure Active Directory's own functionality is not disrupted. Schema objects fall into two categories for this check:
  - Category 1 - Objects that are part of the base schema shipped with Active Directory (systemFlags has bit 0x10, FLAG_SCHEMA_BASE_OBJECT, set). They can be extended but cannot be deactivated, and many of their attributes cannot be changed.
  - Category 2 - Objects added later by administrators or applications. They can be modified and deactivated, within the consistency rules.
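The checks above, together with the LDIF route and the mandatory-attribute lists earlier on this page, can be exercised offline before a file ever reaches the schema master. The following Python script is an added example, not code from the original page or from Microsoft: it parses an LDIFDE-style import file, verifies that each new attributeSchema or classSchema entry carries its mandatory attributes (allowing for the ones the DSA fills in), that OIDs and lDAPDisplayNames are not already in use, that the attributeSyntax/oMSyntax pair is valid, that the superclass and referenced attributes exist, and that a modify against a category 1 object does not try to rename or deactivate it. The EXISTING_SCHEMA table is a tiny stand-in for the live schema, and the corp-* names, the OIDs under 1.3.6.1.4.1.99999 and the DC=example,DC=com forest are placeholders.

```python
# Added example, not from the page: offline pre-flight check of an LDIF schema
# extension before LDIFDE imports it on the schema master. Placeholder names,
# OIDs under 1.3.6.1.4.1.99999 and the DC=example,DC=com forest are invented.
import re

# Stand-in for the live schema: lDAPDisplayName -> (OID, category 1 / base object?)
EXISTING_SCHEMA = {"top": ("2.5.6.0", True), "person": ("2.5.6.6", True),
                   "user": ("1.2.840.113556.1.5.9", True),
                   "description": ("2.5.4.13", True)}
# Mandatory attributes as listed on the page; the DSA fills in DSA_DEFAULTED at
# import time, so an LDIF file may leave those out.
MANDATORY = {
    "attributeSchema": {"attributeID", "attributeSyntax", "cn", "isSingleValued",
                        "lDAPDisplayName", "nTSecurityDescriptor", "objectClass",
                        "oMSyntax", "schemaIDGUID"},
    "classSchema": {"cn", "defaultObjectCategory", "governsID", "lDAPDisplayName",
                    "nTSecurityDescriptor", "objectClass", "objectClassCategory",
                    "schemaIDGUID", "subClassOf"}}
DSA_DEFAULTED = {"nTSecurityDescriptor", "schemaIDGUID", "defaultObjectCategory"}
# attributeSyntax -> oMSyntax that must accompany it (partial: DN, Boolean,
# Integer, Octet String, Unicode String)
SYNTAX_PAIRS = {"2.5.5.1": "127", "2.5.5.8": "1", "2.5.5.9": "2",
                "2.5.5.10": "4", "2.5.5.12": "64"}


def parse_ldif(text):
    """Return [(dn, changetype, {attr: [values]})]; unfolds continuation lines."""
    entries, attrs, dn, changetype = [], {}, None, "add"
    for line in re.sub(r"\n ", "", text).split("\n") + [""]:
        if not line.strip():                 # blank line closes an entry
            if dn is not None:
                entries.append((dn, changetype, attrs))
            attrs, dn, changetype = {}, None, "add"
            continue
        name, _, value = (s.strip() for s in line.partition(":"))
        if value.startswith(":"):            # "attr:: base64" never occurs in schema LDIF
            raise ValueError(f"base64 value not supported for {name}")
        if name == "dn":
            dn = value
        elif name == "changetype":
            changetype = value
        elif name != "-":                    # "-" only separates modify operations
            attrs.setdefault(name, []).append(value)
    return entries


def check(text, existing=EXISTING_SCHEMA):
    """Return the problems found; an empty list means the file passes."""
    problems, known = [], {n.lower(): oid for n, (oid, _) in existing.items()}
    base = {n.lower() for n, (_, b) in existing.items() if b}
    for dn, changetype, attrs in parse_ldif(text):
        first = lambda a: attrs.get(a, [None])[0]
        rdn = dn.split(",")[0].partition("=")[2].lower()
        if changetype == "modify":           # safety check on category 1 objects
            touched = set(attrs.get("replace", []) + attrs.get("add", []))
            if rdn in base and touched & {"isDefunct", "lDAPDisplayName"}:
                problems.append(f"{rdn}: category 1 object cannot be renamed or deactivated")
            continue
        name, kind = (first("lDAPDisplayName") or rdn).lower(), first("objectClass")
        if kind not in MANDATORY:
            problems.append(f"{dn}: objectClass must be attributeSchema or classSchema")
            continue
        missing = MANDATORY[kind] - DSA_DEFAULTED - set(attrs)
        if missing:
            problems.append(f"{name}: missing mandatory {sorted(missing)}")
        oid = first("attributeID" if kind == "attributeSchema" else "governsID")
        if oid in known.values() or name in known:   # identifiers must be unique
            problems.append(f"{name}: identifier {oid} or display name already in use")
        if kind == "attributeSchema":
            if first("isSingleValued") not in ("TRUE", "FALSE"):
                problems.append(f"{name}: isSingleValued must be TRUE or FALSE")
            if SYNTAX_PAIRS.get(first("attributeSyntax")) != first("oMSyntax"):
                problems.append(f"{name}: attributeSyntax/oMSyntax pair is not valid")
        else:
            if first("objectClassCategory") not in ("0", "1", "2", "3"):
                problems.append(f"{name}: objectClassCategory must be 0, 1, 2 or 3")
            refs = [first("subClassOf")] + attrs.get("mayContain", []) + attrs.get("mustContain", [])
            for ref in refs:                 # superclass and attributes must already exist
                if ref is not None and ref.lower() not in known:
                    problems.append(f"{name}: {ref} is not in the schema")
        known[name] = oid                    # later entries in the file may refer to this one
    return problems


SAMPLE_LDIF = """\
dn: CN=corp-Badge-Number,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
cn: corp-Badge-Number
lDAPDisplayName: corpBadgeNumber
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=corp-Employee,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
cn: corp-Employee
lDAPDisplayName: corpEmployee
governsID: 1.3.6.1.4.1.99999.1.2
objectClassCategory: 3
subClassOf: top
mayContain: corpBadgeNumber
"""

if __name__ == "__main__":
    print(check(SAMPLE_LDIF) or "no problems found")
```

Run it as a script to check SAMPLE_LDIF, or call check() on the contents of your own .ldf file; an empty list means nothing was found. A clean result here does not replace the checks the DSA performs on import, because the stand-in table knows only a handful of schema objects; its value is catching the obvious mistakes (reused OID, missing oMSyntax, typo in subClassOf, attempt to deactivate a base class) before the change reaches the schema master and replicates.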