NIST's guidance for a Zero Trust Architecture

Active Directory Fundamentals

Active Directory Schema

Active Directory (AD) schema is a blueprint which describes the rules about the type of objects that can be stored in the AD as well as the attributes related to these objects. The schema thus defines the content, and the structure of the object classes and the object attributes used to create an object. While creating a new object, the AD references the classes defined in the schema and utilizes the retrieved information to create the object.

Active Directory Schema Components

Objects, classes, and attributes are the building blocks of the schema object definition. Objects are data storage units of Active Directory. A class is a group of object definitions that can be used for object creation in a directory. An attribute is a data item that defines the information in an object or another attribute.
The Active Directory schema stores the class information in a classSchema object and the attribute information in an attributeSchema object. Classes and attributes in a schema are defined using these schema objects. These classes in the schema are used to define objects created in a directory. The schema, however, does not store the actual objects derived from a class.

Active Directory Schema Structure

The Active Directory schema objects are arranged as a hierarchial directory tree, which is divided into directory partitions. The schema has a separate directory partition that enables it to replicate new schema modifications to other domain controllers, before replicating the objects created using the modified schema. This ensures all domain controllers have identical schema. The topmost object of the schema partition can be referenced using the distinguished name cn=schema, cn=configuration, dc=ForestRootDomain. The domain controllers, however, physically store these different partitions in the same database table called Ntds.dit.

The figure below shows the distinction between the physical and the logical location of the schema. The schema and the schema objects are physically located in the schema partition. However, the logical location of the schema container is under the configuration container. The contents of the schema container can be viewed using the AD schema MMC snap-in or ADSI Edit.

Active Directory Schema Extension

A default schema is created on the domain controller while installing Active Directory. The default schema is also updated whenever a new AD schema version is released by Microsoft. However, there could be a situation where one needs to customize the classes or attributes in order to store a new type of information. For example, if your organization feels the need to add a new “passport number” attribute for user objects, Active Directory schema extension enables modification of the existing schema to fit this new information.

In order to create a new type of object, a classSchema object which defines the new class and its attributes needs to be created first. After adding this class to the schema, new objects that reference this class can be created. Similarly, to customize an attribute, a new attributeSchema object that defines the new attribute needs to be created. This attribute then needs to be added to the appropriate class. Schema can be extended only on the schema master by members of the AD schema admins group.

Thus schema is a very important component of AD and its understanding is vital for technicians who use AD. It helps in standardization of data storage in AD and thereby ensures data integrity during various data handling operations of AD. Schema extension is not something that one would perform often. However, it must be done carefully after great amount of planning as schema extensions are permanent. The only way to rollback a schema extension is by restoring the backup of the old schema. Therefore, the decision on who has access to schema must be made very judiciously.

Related posts
Active Directory Fundamentals

Active Directory Fundamentals

Active Directory Fundamentals

DNS and Active Directory

Active Directory Fundamentals

Microsoft Hello

Active Directory Fundamentals

Active Directory Certificate Services

Leave a Reply

Your email address will not be published. Required fields are marked *