Active Directory Schema

Even if you are an administrator rather than a professional programmer, you might still need to know the basics of the Active Directory schema. For example, using various administrative tools (such as Ldp.exe or ADSI Edit) for troubleshooting or tuning Active Directory may require some knowledge about attribute syntax, the values range, etc. Among many other things, the schema indicates whether an attribute is indexed or replicated to Global Catalog. Understandably, if you want to modify or extend the schema, knowing its essentials is very important. Extending the schema is the same operation as creating new attributes and classes. It is not a very sophisticated process, and even a non-programmer can manage it. You need to know only some basic rules and requirements.

Note 

You can obtain a lot of information about the schema (both Windows 2000 and Windows.NET versions are covered), including descriptions of all attributes and classes, on the web page http://msdn.microsoft.com/certification/schema/.

The Abstract Schema

All definitions of a forest's classes and attributes (the classSchema and attributeSchema objects) are located in the Schema partition. This partition also contains an object of the subSchema class. This object, named Aggregate, is known as the abstract schema.

The abstract schema contains an "extract" from class and attribute definitions. It provides a simple and efficient mechanism for retrieving frequently used information about classes and attributes, such as the optional and mandatory attributes of an object class, or the value range of a numeric attribute.

Listing 17.1 in the next chapter presents a script that reads the abstract schema. The listing also contains some samples of information that can be obtained.

Extending the Schema

When extending the schema, you must specify a unique Object Identifier (OID) for every new attribute or class. A base OID for your organization can be requested from an International Standards Organization (ISO) Name Registration Authority, or obtained by using a command-line utility, OID Generator (OidGen.exe), that is included in the Windows 2000 Server Resource Kit. This utility generates two base OIDs: one for attributes and one for classes. You must run it only once. (Do not use different root OIDs in the same Active Directory installation.) New OIDs for your attributes and classes are generated by adding "suffixes" (i.e., the unique numbers separated by a period from the base part) to the appropriate base OID. It is your responsibility to manage these suffixes.

See examples of creating a new attribute and class in the next chapter (Listings 17.25 and 17.26).

Caution 

It is not possible to delete an attribute or class. You can only deactivate it in the Active Directory Schema Manager snap-in. The status of deactivated objects is indicated as Defunct. In Windows.NET you can also redefine attribute or class and activate it again.

Note 

You may wonder how to create a UI for custom classes and attributes, or how to add new tabs to existing administrative snap-ins for editing new attributes. This is a rather sophisticated topic, which requires, in addition, using non-scripting programming languages, such as C/C++. See the "Extending the User Interface for Directory Objects" section in the ADSI SDK Help, or search for the "display specifier" string on the Microsoft website. You may also wish to look up one of the "Step-by-Step" articles related to this topic.

Creating a New Attribute

When creating an attribute, you must define the following properties of a new attributeSchema object:

  • attributeID (OID)

  • Naming properties — cn, IDAPDisplayName

  • Syntax properties — attributeSyntax, oMSyntax (see Table 16.2)

  • isSingle Valued

Table 16.2: Some Basic Syntaxes of Active Directory attributes

Name

oMSyntax

attributeSyntax

Description


Boolean (Boolean)

1

2.5.5.8

Boolean (isDeleted, isMemberOfPartialAttributeSet.

Integer (Integer)

2

2.5.5.9

32-bit integer (flags, groupType, primaryGroupID, rangeLower, rangeUpper, userAccountControl).

Large Integer/Interval (INTEGER8)

65

2.5.5.16

64-bit integer (accountExpires, lastLogon, maxPwdAge, uSNCreated, uSNChanged).

Octet String (OctedString)

4

2.5.5.10

Array of bytes (objectGuid). Use OctetString to store binary data.

NT Security Descriptor (ObjectSecurityDescriptor)

66

2.5.5.15

Octet string containing a security descriptor (nTSecurityDescriptor).

Distinguished Name (DN)

127

2.5.5.1

String containing a distinguished name (DN) (member, memberOf, objectCategory).

Active Directory automatically keeps up-to-date distinguished names stored in strings of this syntax, i.e., if the object referenced by the distinguished name is renamed or moved, Active Directory tracks all changes. Consider, for example, the relationships of a group and its members. If a user is renamed, it does not lose group membership.

Unicode String (DirectoryString)

64

2.5.5.12

String: Unicode, case-insensitive (description, displayName, name, sn, location).

Generalized Time (GeneralizedTime)

24

2.5.5.11

Time string format (whenCreated, whenChanged. For example: 01/11/2002 10:34:28 AM.

Object Identifier

6

2.5.5.2

String containing OIDs (objectClass. The OID is a string containing digits (0-9) and decimal points(.).

SID (Sid)

4

2.5.5.17

Octet string containing a security identifier (SID) (objectSid, sIDHistory). Use this syntax to store SID values only.

If omitted, the schemaIDGUID and adminDisplayName properties are generated by the system (the last one is copied from the cn property). If the searchFlags and isMemberOfPartialAttributeSet properties are not defined, the new attribute is neither indexed nor replicated to Global Catalog.

Optional properties: rangeLower, rangeUpper, linkID, adminDescription. (It is a good idea to always define the last property, since this is very useful information for browsing the schema.)

Creating a New Class

When creating a class, you must define the following properties of a new classSchema object:

  • governsID (OID)

  • Classes from which the new class inherits — subClassOf

  • objectClassCategory (Structural, Auxiliary, or Abstract; remember that only structural classes can be instantiated in the directory)

  • Naming properties — cn, IDAPDisplayName

  • Mandatory and/or optional attributes of the new class—mustContain, systemMustContain, mayContain, systemMayContain

  • Possible parents (if, for example, you specify organizationalUnit, the instances of the new class will only be created in OUs) — possSuperiors, systemPossSuperiors

If omitted, the schemaIDGUID and adminDisplayName properties are generated by the system (the last one is copied from the cn property). By default, the naming attribute for the new class is CN. The rDnAttId property allows one to define a different value (but this is discouraged).

Optional properties: auxiliaryClass, systemAuxiliaryClass, defaultSecurityDescriptor, adminDescription. (It is advisable that you always define the last property.) The defaultHidingValue property of the new class (TRUE, by default) specifies that new instances of this class will be hidden from the Active Directory Users and Computers snap-in (and the My Network Places folder—xon Windows 2000). This means that the showInAdvancedViewOnly attribute of new instances will be set to TRUE.

Naming Attributes and Classes

Microsoft recommends that you use some naming conventions for new Active Directory attributes and classes. You should also explicitly specify the IDAPDisplayName for all custom attributes and classes. Meeting these conventions ensures the consistency of names used by different software vendors, convenient browsing of the schema, and the possibility of using documentation programs (see later).

According to these recommendations, the Common-Name must consist of the following parts:

  • DNS domain name of the company

  • Four-digit year indicating when the DNS name was registered

  • Company's product name

  • Attribute or class description

Each part in the name begins with an uppercase letter and is separated by a hyphen.

To derive the LDAP-Display-Name from the Common-Name, use the following rules:

  • Make the first character lowercase.

  • Capitalize the first character immediately following each hyphen.

  • Remove all hyphens except those immediately following the company and product components of the name.

Here are a few examples of names:

Common-Name (cn)

LDAP-Display-Name (IDAPDisplayName)


Microsoft-Com-1999-DS-Consistency-GUID

microsoftCom1999-DS-ConsistencyGUID

Microsoft-Com-1999-RRAS-Attribute

microsoftCom1999-RRAS-Attribute

MyCorp-Com-2002-TEST-User-ID

myCorpCom2002-TEST-UserID


For development or testing purposes, you may also add a version suffix to the cn and IDAPDisplayName attributes.

Syntaxes of Active Directory Attributes

Table 16.2 contains a list of some frequently used attribute syntaxes. This vital information is used for creating attributes (either programmatically or by using such tools as LDIFDE, CSVDE). The Name column of the table contains two syntax names: the first name is used in the Active Directory Schema Manger snap-in, the second one (in parentheses) is used in the Windows 2000-version ADSI Edit snap-in. The Description column also contains examples of Active Directory attributes that have the given syntax.

Useful Tools for Working with the Schema

SchemaDiff.vbs Script

The Windows 2000 Server Resource Kit (the Remote Administration Scripts section) contains the SchemaDiff.vbs script, which allows an administrator to compare the schema of two different forests. This script checks the schema version number, the number of classes, the mandatory and optional attributes for each class, and the syntax and range for each attribute. You can also use the script as an example of manipulations with schema objects when composing your own scripts or learning ADSI programming basics.

SchemaDoc Program

The Schema Documentation Program (SchemaDoc.exe) is used to document the schema extensions made in your Active Directory installation. The program copies the information from the classes and attributes into an XML-file. To use SchemaDoc, it is necessary to comply with Microsoft recommendations on attribute and class names, i.e., use the same prefix on all created names. SchemaDoc will search Active Directory based on this prefix.

You can see the program's documentation on the web page http://www.microsoft.com/TechNet/win2000/schema.asp.



Windows  .NET Domains & Active Directory
Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
EAN: 2147483647
Year: 2002
Pages: 154

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net