Lesson 2: Designing a Schema Modification Plan

After you've designed a forest model for your organization, the next step in creating a forest plan is to plan any schema modifications necessary for meeting the needs of your organization. Because Active Directory provides all the directory services most organizations will ever need, you will rarely consider modifying the schema. However, there are valid reasons why your organization may need to change the schema. Modifying the schema is a complex operation that requires an understanding of how the schema functions and detailed planning. This lesson walks you through the steps necessary to plan schema modifications, including creating a schema modification policy, assessing an organization's schema needs, and determining whether to modify the schema.


After this lesson, you will be able to

  • Create a schema modification policy
  • Identify the factors in an organization's environment that impact its schema
  • Indicate the reasons for modifying the schema
  • Explain the implications of modifying the schema
  • Analyze an organization's environment to design its schema modification plan

Estimated lesson time: 20 minutes


Understanding the Schema

Recall that the Active Directory schema is a list of objects that define the kinds of objects and the types of information about those objects that can be stored in Active Directory. The schema is stored in the schema table as part of the NTDS.DIT file. There are two types of objects in the schema: schema class (classSchema) objects and schema attribute (attributeSchema) objects. Schema class objects describe the possible Active Directory objects that can be created, functioning as a template for creating new Active Directory objects. Schema class objects are arranged in a hierarchy of classes, subclasses, and superclasses and consist of mandatory (mustContain) schema attributes and optional (mayContain) schema attributes. Each schema attribute is defined only once and can be used in multiple schema object classes. Schema class objects and attribute objects are defined in separate lists within the schema.

A basic set of schema classes and attributes, often called the base schema or base directory information tree (DIT), is shipped with Windows 2000 Server. There are nearly 200 schema class objects and more than 900 schema attribute objects provided in the base schema. By adding objects to a Windows 2000 deployment, you create additional instances of existing base schema classes.

If the base schema doesn't meet the needs of your organization, you must consider modifying the schema or creating additional schema class and/or attribute objects; this process is called extending the schema. Because classes and attributes that you add cannot be deleted, only deactivated, and because every schema change is replicated automatically to every domain controller in the forest, you must plan and prepare carefully before extending the schema. Inconsistencies in the schema brought about by modifications can cause problems that may impair or disable Active Directory. Before it becomes necessary to extend the schema, your organization must create a schema modification policy that outlines the process for extending the schema. Having a schema modification policy in place can prevent potential problems when extending the schema.

To determine whether the base schema meets the needs of your organization, you must familiarize yourself with the base schema class and attribute objects. If you know the types of data that Active Directory will hold, you can more effectively determine whether you need to change the base schema and whom the changes will impact.

NOTE


You can find lists of the base schema class objects in Appendix B, "Base Schema Class Objects" and base schema attribute objects in Appendix C, "Base Schema Attribute Objects."

Viewing the Base Schema

To view the base schema in Windows 2000, you must first install the Active Directory Schema snap-in, which is available only after you install the Windows 2000 administration tools. After installing the administration tools, add the snap-in to Microsoft Management Console (MMC) using the Add/Remove Snap-in dialog box on the Console menu. If the snap-in does not appear in the list of available snap-ins, its DLL has not been registered on that computer; run regsvr32 schmmgmt.dll and try again. You can then open the Active Directory Schema snap-in from the MMC.

CAUTION


Because of the serious consequences of modifying the schema, the schema is set for read-only access by default. If you decide to follow along with this lesson by opening the Active Directory Schema snap-in, verify with your administrator that schema modification has not been enabled.

Viewing Schema Class Objects

After you open the Classes folder in the Active Directory Schema snap-in, you can scroll through the list of schema class objects, shown partially in Figure 3.3 and included in its entirety on the Supplemental Course Materials CD-ROM. Each class has a name, type, and description. The type (abstract, auxiliary, or structural; the snap-in also shows the type 88 for a few classes defined under the pre-1993 X.500 rules) is used to create the hierarchical structure of the schema class objects.


Figure 3.3 Schema class objects in Active Directory

An abstract class provides a basic definition of a class that can be used to form structural classes. An auxiliary class is used to group schema attributes that you want to apply as a group to a structural class. It can be used to extend the definition of a class that includes it, but cannot be used to create objects by itself. The class hierarchy begins with an object class called top. Every class other than top is a descendant of top, directly or through its parent classes, and inherits the attributes of top. The example in Figure 3.4 shows how the user class inherits sample attributes from its parent classes, organizationalPerson, person, and top. It also inherits sample attributes from its auxiliary classes, mailRecipient and securityPrincipal. You can view the parent class and auxiliary classes for a schema class object on the Relationship tab in the Properties dialog box for the class object. If you want to create a new class in the schema, the classSchema class object defines which attributes are required and which are optional.


Figure 3.4 Attribute inheritance for the user class object
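To make the inheritance shown in Figure 3.4 concrete, here is an added example (not from the training kit) that computes a class's effective mandatory and optional attributes from an LDIF export of the schema container, the kind of file that ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=adatum,DC=com" produces. It walks the subClassOf chain up to top and folds in every auxiliary class attached along the way, which is exactly what the Relationship tab summarizes. The embedded LDIF is a constructed, abridged excerpt: the class chain and class categories match the base schema, but the attribute lists are short samples and the adatum.com forest is fictitious.

```python
"""Compute the effective mandatory/optional attributes of an Active Directory
class from a schema export, following subClassOf and auxiliaryClass links."""
from __future__ import annotations

from collections import defaultdict

# Constructed excerpt in the shape of an ldifde schema export. Attribute lists
# are abridged samples, not the full base schema; the forest is fictitious.
SCHEMA_LDIF = """\
dn: CN=Top,CN=Schema,CN=Configuration,DC=adatum,DC=com
objectClass: classSchema
lDAPDisplayName: top
objectClassCategory: 2
subClassOf: top
systemMustContain: objectClass
systemMustContain: instanceType
systemMustContain: nTSecurityDescriptor
systemMustContain: objectCategory
systemMayContain: cn
systemMayContain: description
systemMayContain: whenCreated

dn: CN=Person,CN=Schema,CN=Configuration,DC=adatum,DC=com
objectClass: classSchema
lDAPDisplayName: person
objectClassCategory: 1
subClassOf: top
systemMustContain: cn
systemMayContain: sn
systemMayContain: telephoneNumber

dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=adatum,DC=com
objectClass: classSchema
lDAPDisplayName: organizationalPerson
objectClassCategory: 1
subClassOf: person
systemMayContain: givenName
systemMayContain: title

dn: CN=Security-Principal,CN=Schema,CN=Configuration,DC=adatum,DC=com
objectClass: classSchema
lDAPDisplayName: securityPrincipal
objectClassCategory: 3
subClassOf: top
systemMustContain: objectSid
systemMustContain: sAMAccountName
systemMayContain: sIDHistory

dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=adatum,DC=com
objectClass: classSchema
lDAPDisplayName: mailRecipient
objectClassCategory: 3
subClassOf: top
systemMayContain: mail

dn: CN=User,CN=Schema,CN=Configuration,DC=adatum,DC=com
objectClass: classSchema
lDAPDisplayName: user
objectClassCategory: 1
subClassOf: organizationalPerson
systemAuxiliaryClass: securityPrincipal
systemAuxiliaryClass: mailRecipient
systemMayContain: userAccountControl
systemMayContain: userPrincipalName
"""

# objectClassCategory values as the snap-in displays them.
CATEGORY = {"0": "88 class", "1": "structural", "2": "abstract", "3": "auxiliary"}


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse LDIF into {lDAPDisplayName: {attribute: [values]}}.
    Handles folded continuation lines (leading space) and multi-valued
    attributes; base64 (::) values are not needed for class objects."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] | None = None
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():            # blank line ends the entry
            current = None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]   # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        if current is None:
            current = defaultdict(list)
            entries.append(current)
        current[attr.strip()].append(value.strip())
        last_attr = attr.strip()
    return {e["lDAPDisplayName"][0]: e for e in entries if "lDAPDisplayName" in e}


def class_chain(schema: dict, name: str) -> list[str]:
    """Inheritance chain from `name` up to top (top's subClassOf is itself)."""
    chain: list[str] = []
    while name not in chain:
        if name not in schema:
            raise KeyError(f"class {name!r} is not in the schema export")
        chain.append(name)
        name = schema[name]["subClassOf"][0]
    return chain


def effective_attributes(schema: dict, name: str) -> tuple[frozenset, frozenset]:
    """Return (must, may): the class's own attributes plus those inherited from
    every superclass and from every auxiliary class attached anywhere in the
    chain (auxiliary classes inherit from their own parents too)."""
    must, may = set(), set()
    for cls in class_chain(schema, name):
        rec = schema[cls]
        must.update(rec.get("mustContain", []) + rec.get("systemMustContain", []))
        may.update(rec.get("mayContain", []) + rec.get("systemMayContain", []))
        for aux in rec.get("auxiliaryClass", []) + rec.get("systemAuxiliaryClass", []):
            aux_must, aux_may = effective_attributes(schema, aux)
            must |= aux_must
            may |= aux_may
    return frozenset(must), frozenset(may)


if __name__ == "__main__":
    schema = parse_ldif(SCHEMA_LDIF)
    print(" -> ".join(class_chain(schema, "user")))
    must, may = effective_attributes(schema, "user")
    print("must:", ", ".join(sorted(must)))
    print("may: ", ", ".join(sorted(may)))
```

Running it against a full export is how you answer the question this lesson keeps returning to: whether an attribute you want already exists on the class (or on one of its auxiliaries) before you plan a modification at all.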

Viewing Schema Attribute Objects

After you open the Attributes folder in the Active Directory Schema snap-in, you can scroll through the list of schema attribute objects, as shown partially in Figure 3.5 and listed in its entirety on the Supplemental Course Materials CD-ROM. Each attribute has a name, syntax, and description. The syntax indicates the format of the attribute. If you want to create a new attribute in the schema, the attributeSchema class object defines which attributes are required and which are optional.


Figure 3.5 Schema attribute objects in Active Directory.

NOTE


A detailed discussion about the Active Directory schema is beyond the scope of this training kit. For more information refer to the Microsoft Windows 2000 Server Distributed Systems Guide volume of the Microsoft Windows 2000 Server Resource Kit.

Schema Admins Group

The Schema Admins predefined universal group is the only group authorized to make changes to the Active Directory schema. Its membership, however, can be changed by members of the Administrators, Domain Admins, and Enterprise Admins groups of the forest root domain, so anyone in those groups can grant themselves schema access. To effectively control who can modify the schema, monitor the membership of all four groups and, where necessary, enforce it with the Restricted Groups setting in Group Policy applied to the forest root domain.
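Because Schema Admins membership is the control that matters here, the following added example (not part of the training kit) turns the approved-member list from the schema modification policy into a check that can run from a scheduled task: it parses the output of net group "Schema Admins" /domain and reports any account outside the approved set, plus any approved account that has disappeared. The output shown is constructed; jfuller and jprice are assumed account names for the two members the worksheet later in this lesson lists, and the built-in Administrator is tolerated only because it is a default member of the group in the forest root domain.

```python
"""Audit Schema Admins membership against the schema modification policy."""
import re

# Constructed sample of `net group "Schema Admins" /domain` output.
# Member names are left-justified in 25-character columns.
NET_GROUP_OUTPUT = """\
Group name     Schema Admins
Comment        Designated administrators of the schema

Members

-------------------------------------------------------------------------------
Administrator            jfuller                  jprice
svc-backup
The command completed successfully.
"""

# ASSUMPTION: account names for the members approved in the policy worksheet.
APPROVED = {"jfuller", "jprice"}
# Default member of the group; keep it here only if the policy permits it.
TOLERATED = {"Administrator"}


def parse_net_group(output: str) -> set[str]:
    """Extract member account names from `net group ... /domain` output.
    Members follow the dashed line and are separated by runs of spaces."""
    members, in_members = [], False
    for line in output.splitlines():
        if line.startswith("---"):
            in_members = True
            continue
        if not in_members or not line.strip() or line.startswith("The command"):
            continue
        members.extend(re.split(r"\s{2,}", line.strip()))
    return set(members)


def audit_schema_admins(current: set[str], approved: set[str] = APPROVED,
                        tolerated: set[str] = TOLERATED) -> list[tuple[str, str]]:
    """Return (finding, account) pairs. 'unauthorized' is the serious one:
    each such account can change the schema for the whole forest.
    'missing' means an approved member is no longer present, which the
    policy owner should also know about."""
    findings = [("unauthorized", a) for a in sorted(current - approved - tolerated)]
    findings += [("missing", a) for a in sorted(approved - current)]
    return findings


if __name__ == "__main__":
    for kind, account in audit_schema_admins(parse_net_group(NET_GROUP_OUTPUT)):
        print(f"{kind}: {account}")
```

Run it from the forest root domain (Schema Admins lives there) and treat an unauthorized finding as an incident, not a ticket. If your policy follows the stricter practice of keeping Schema Admins empty outside approved change windows, set APPROVED to an empty set and every member becomes a finding.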

Design Step: Designing a Schema Modification Plan

To plan schema modifications for your organization, you must complete the following tasks:

  1. Create a schema modification policy.
  2. Assess the organization's schema needs.
  3. Determine whether to modify the schema.

Creating a Schema Modification Policy

A schema modification policy is a written plan you create to administer schema modifications that affect the entire forest. It outlines who has control of the schema and how modifications are administered. Because the schema is shared by every domain in a forest, changes to it affect the entire forest and must be carefully planned and controlled. As part of your forest plan document, you should create a schema modification policy for each forest in your forest model.

To create a schema modification policy

  1. List the entity (division, department) that controls the Schema Admins predefined universal group.
  2. List the members of the Schema Admins predefined universal group.
  3. Appoint a schema modification approval committee. List the members.
  4. List the steps required for planning a schema modification.
  5. List the steps required for testing a schema modification.
  6. List the steps required for implementing a schema modification.

The Schema Modification Policy Worksheet has been created to assist you in setting up a schema modification policy for your organization. The following is an example of a completed worksheet for the fictitious A. Datum Company.

A. Datum Corporation Schema Modification Policy Worksheet

Use this worksheet as a guide for setting up a schema modification policy for your organization.

  1. List the entity (division, department) that controls the Schema Admins predefined universal group.

    IT Management department

  2. List the members of the Schema Admins predefined universal group.

    Fuller, Joanna

    Price, Jeff

  3. Appoint a schema modification approval committee. List the members.

    Martin, Mindy

    Nash, Mike

  4. List the steps required for planning a schema modification.

    Develop a schema modification request for approval by the schema modification approval committee. With your modification request, include

    • a description of the modification
    • a justification for the modification
    • an assessment of the modification's impact on existing objects, network traffic, and the process of creating new objects.

    If you are adding a new schema object class, specify the following:

    • object identifiers (OIDs) for the new class (obtained from your ISO Name Registration Authority)
    • class type
    • the location of the class in the hierarchy
    • whether the new class will pass the system's consistency and safety checks
  5. List the steps required for testing a schema modification.
    1. Test the proposed modification in an approved test environment.
    2. Determine whether the proposed modification meets its intended needs.
    3. Test and plan a recovery method.
    4. Obtain approval to implement the modification from the schema modification approval committee.
  6. List the steps required for implementing a schema modification.
    1. Restrict Schema Admins membership to the account that will perform the change, for the duration of the change only.
    2. On the schema operations master, enable schema modification (in Windows 2000, the option The schema may be modified on this Domain Controller in the Operations Master dialog box of the Active Directory Schema snap-in).
    3. Apply the approved modification and verify that every domain controller in the forest receives the change.
    4. Return the schema operations master to read-only by clearing that option, and remove the account from Schema Admins.

NOTE


A blank copy of the Schema Modification Policy worksheet is located on the Supplemental Course Materials CD-ROM (\chapt03\worksheets\SchemaMod).

Assessing Schema Needs

To determine whether you need to plan schema modifications for your organization, you must identify all the data that the organization needs to store in the Active Directory database. To do this, you should consult the business and technical environment analysis documents compiled earlier by your design team. In addition, you should also consider whether changes currently planned to address growth and flexibility needs and any other changes that would help meet the ideal design specifications for the organization would require schema modifications.

Determining Whether to Modify the Schema

Because the Active Directory schema contains hundreds of the most common object classes and attributes that users of a server system require, the need to change the schema is rare. However, some organizations may require object classes or attributes not anticipated in the default schema. In this case, administrators will need to plan and test schema modifications carefully because any new object class or attribute created in the schema is added permanently. Object classes or attributes can be added to the schema but they cannot be deleted, only deactivated.

The following modifications can be made to the schema:

  • Create a new class
  • Modify an existing class
  • Deactivate classes
  • Create a new attribute
  • Modify an existing attribute
  • Deactivate attributes

Reasons to Modify the Schema

Although you should avoid modifying the schema for your organization, there are some situations that may warrant schema modification. You may need to modify the schema if any of the following are true:

  • An existing schema class object meets your needs with the addition of an attribute or attributes. Adding optional attributes to an existing schema class object is the easiest type of schema modification. You can create a new attribute and add it to the class's optional (mayContain) attributes, add an existing attribute from the list of attributes available to the class, or attach an auxiliary class that carries the attributes. You can also create a new subclass derived from the existing class: add the new attributes to the subclass, and it inherits the original class's attributes as well.
  • An existing schema class object requires a new, unique set of attributes. To handle a new, unique set of attributes, create an auxiliary class that is connected to an existing class and add the unique set of attributes to the auxiliary class. Then, add the auxiliary class to the schema class object.
  • None of the existing schema class objects meet your needs. If none of the existing schema class objects meet your needs, you must create a new schema class. Creating a new class is the most complex type of schema modification and requires the following planning activities:
    • Obtaining the object identifiers (OIDs) for your new class from your ISO Name Registration Authority
    • Choosing an appropriate class type
    • Determining the location of your class in the hierarchy
    • Determining the attributes for the class
    • Determining whether the new class will pass the system's consistency and safety checks
  • An existing schema class object or attribute object is no longer relevant to your organization. If a class or attribute object is no longer relevant, you can deactivate it.

Automatic Schema Modification

The schema will be modified automatically if you choose to install a directory-enabled application. A directory-enabled application is software that has the capability to read Active Directory objects (and their attributes) or has the capability to create schema class or attribute objects. These capabilities allow the application to integrate directly with Active Directory, combining services and reducing the total cost of ownership and network overhead. Be sure to test directory-enabled applications that modify the schema before installing them on the network.

Implications of Modifying the Schema

Modifying the schema affects the entire forest. When determining whether to modify the schema, consider how schema modification affects the following:

  • Existing object instances. A schema change can make existing objects invalid. Adding an optional (mayContain) attribute to a class is safe, because existing instances simply have no value for it. Adding a mandatory (mustContain) attribute, or removing an attribute that existing instances already hold, leaves those instances no longer matching their class definition. Active Directory lets you search for an attribute that is no longer permitted and remove it from existing objects, but there is no facility to populate a newly required attribute on existing objects.
  • Replication. A schema change creates a window in which domain controllers disagree about the schema. If an instance of a newly created class replicates to a domain controller before the class definition does, replication of that object fails. When this happens, Active Directory replicates the schema from the schema operations master to the target domain controller and refreshes that controller's schema cache, after which the object replicates normally.
  • Network traffic. Choosing to replicate a new or modified attribute to the global catalog (marking it as a member of the partial attribute set) is expensive in Windows 2000: every global catalog server performs a full synchronization of all the objects it holds, not just the changed attribute, which can significantly increase network traffic during replication.

To design a schema modification plan

  1. Create a schema modification policy.
  2. Consider the reasons for modifying the schema and determine whether your organization needs to modify the schema.
  3. If your organization needs to modify the schema, follow the steps you set up for planning a schema modification in your organization's schema modification policy.

Design Step Example: Designing a Schema Modification Plan

The following example describes planning schema modifications at the fictitious A. Datum Company.

A. Datum Company Schema Modification Plan

While gathering information for the Active Directory infrastructure plan, the design team at the A. Datum Company learns that the management of the human resources department for one of its clients (forests) would like to include the languages spoken by its users in the directory. Currently, there is no attribute in the user schema object class that can handle languages spoken, so the design team is considering planning a schema modification. To plan a schema modification, the A. Datum Corporation's schema modification policy requires the team to do the following:

  • Submit a schema modification request to the schema modification approval committee. The request includes a description of the modification; a justification for it; and an assessment of its impact on existing objects, network traffic, and the process of creating new objects.
  • If adding a new schema object class, specify the following: OIDs for the new class (obtained from the ISO Name Registration Authority), class type, the location of the class in the hierarchy, and whether the new class will pass the system's consistency and safety checks.
  • Obtain approval to test the modification from the schema modification approval committee.

Here is the design team's schema modification plan:

  • Modification description. The modification requires a languages spoken attribute to include languages spoken by users in the directory. Because the company's needs can be met by adding a single attribute to an existing schema class object, it's expected that the modification can be attained by adding a languagesSpoken schema attribute object to the existing user schema class object.
  • Modification justification. After discussion with the human resources department it was found that a languages spoken attribute is indeed necessary to meet the A. Datum Corporation's top-priority globalization initiative.
  • Assessment of impact. The new attribute must be added to the user class as an optional (mayContain) attribute. If it were mandatory, every existing user object would no longer match the class definition and would become invalid, and the Active Directory Users and Computers snap-in could no longer create users, because it has no way to supply a value for the new required attribute. Kept optional and out of the global catalog, the languagesSpoken attribute should not significantly affect network traffic beyond the initial replication of the schema change to all domain controllers.
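The impact assessment above, together with the "Implications of Modifying the Schema" list and the policy worksheet's consistency and safety checks, can be turned into a mechanical pre-flight check on the change file before anyone with Schema Admins rights runs it. The following added example (not from the training kit) does that for an LDIF change file of the kind ldifde imports: it confirms that every new attribute's OID falls inside the organization's registered arc, that the attribute is added to the existing class as optional rather than mandatory, that it is not silently placed into the global catalog partial attribute set, that its name does not collide with an existing schema object, and that a schemaUpdateNow against the rootDSE separates the attribute definition from the class modification that refers to it. The OID arc 1.3.6.1.4.1.99999, the adatum.com forest, and the base-schema name list are assumptions; the LDIF is constructed for the A. Datum plan and is not a file the book supplies.

```python
"""Pre-flight checks for a schema-extension LDIF before it is fed to ldifde.
Each check encodes a rule from the schema modification policy or from the
"Implications of Modifying the Schema" list."""
import re

# ASSUMPTION: the OID arc the organization obtained from its name registration
# authority. 99999 stands in for a real enterprise number.
ORG_OID_ARC = "1.3.6.1.4.1.99999."

# Constructed subset of base-schema lDAPDisplayNames for the collision check;
# a real run loads the full set from an ldifde export of the schema container.
BASE_SCHEMA_NAMES = {"user", "cn", "sn", "givenName", "mail", "sAMAccountName",
                     "userAccountControl", "preferredLanguage"}

# Constructed change file for the A. Datum plan: a new optional, multi-valued
# Unicode-string attribute (attributeSyntax 2.5.5.12 / oMSyntax 64) added to
# the existing user class. The modify against the empty DN is the rootDSE;
# schemaUpdateNow refreshes the schema cache so that the following class
# modification can see the attribute defined just above it.
EXTEND_LDIF = """\
dn: CN=languagesSpoken,CN=Schema,CN=Configuration,DC=adatum,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.2.1
lDAPDisplayName: languagesSpoken
adminDisplayName: Languages Spoken
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
isMemberOfPartialAttributeSet: FALSE
searchFlags: 0

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=adatum,DC=com
changetype: modify
add: mayContain
mayContain: languagesSpoken
-
"""


def parse_changes(text: str) -> list[list[tuple[str, str]]]:
    """Split LDIF into records; each record is a list of (attribute, value)
    pairs in file order, so 'add: mayContain' and its values stay adjacent."""
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        if line == "-":                      # end of one modify operation
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        records.append(current)
    return records


def values(record: list[tuple[str, str]], attr: str) -> list[str]:
    """All values of `attr` in a record, in file order."""
    return [v for a, v in record if a == attr]


def check_extension(text: str, org_arc: str = ORG_OID_ARC,
                    base_names: set[str] = BASE_SCHEMA_NAMES) -> list[str]:
    """Return policy findings for an LDIF change file; an empty list passes."""
    findings: list[str] = []
    defined: set[str] = set()          # new attributes added earlier in this file
    cache_refreshed: set[str] = set()  # those followed by a schemaUpdateNow
    for rec in parse_changes(text):
        dn = values(rec, "dn")[0]
        ctype = (values(rec, "changetype") or ["add"])[0]
        if ctype == "add" and "attributeSchema" in values(rec, "objectClass"):
            name = values(rec, "lDAPDisplayName")[0]
            oid = values(rec, "attributeID")[0]
            if not re.fullmatch(r"\d+(\.\d+)+", oid):
                findings.append(f"{name}: attributeID {oid!r} is not a well-formed OID")
            elif not oid.startswith(org_arc):
                findings.append(f"{name}: attributeID {oid} is outside the registered arc {org_arc}")
            if name in base_names or name in defined:
                findings.append(f"{name}: lDAPDisplayName collides with an existing schema object")
            if values(rec, "isMemberOfPartialAttributeSet") == ["TRUE"]:
                findings.append(f"{name}: would replicate to every global catalog; justify it or set FALSE")
            defined.add(name)
        elif ctype == "modify" and dn == "":
            if "schemaUpdateNow" in values(rec, "add"):
                cache_refreshed |= defined
        elif ctype == "modify":
            for target in values(rec, "add"):
                if target in ("mustContain", "systemMustContain"):
                    findings.append(f"{dn}: adding a mandatory attribute invalidates every existing instance; use mayContain")
                if target in ("mayContain", "mustContain"):
                    for attr in values(rec, target):
                        if attr not in base_names and attr not in defined:
                            findings.append(f"{dn}: refers to undefined attribute {attr}")
                        elif attr in defined and attr not in cache_refreshed:
                            findings.append(f"{dn}: {attr} needs a schemaUpdateNow before a class can refer to it")
    return findings


if __name__ == "__main__":
    problems = check_extension(EXTEND_LDIF)
    print("PASS" if not problems else "\n".join(problems))
```

Run the check against the file in the test environment first (step 5 of the policy), then on the schema operations master as ldifde -i -f extend.ldf -c DC=adatum,DC=com <your forest root DN> once schema modification has been enabled there. The two rules the checker is strictest about, mandatory attributes on an existing class and membership in the partial attribute set, are the two changes this lesson identifies as forest-wide hazards; schemaIDGUID is omitted from the attribute definition because Windows 2000 generates one when it is absent.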

Lesson Summary

In this lesson you learned the steps for planning schema modifications, including creating a schema modification policy, assessing an organization's schema needs, and determining whether to modify the schema. A schema modification policy is a plan you create to administer schema modifications that affect the entire forest, outlining who has control of the schema and how modifications are administered. You learned that you must assess all the data that the organization needs to store in Active Directory by consulting the business and technical environment analysis documents compiled by your design team.

You also learned that because the Active Directory schema contains hundreds of the most common object classes and attributes that users of a server system require, the need to change the schema is rare. You learned the types of modifications that can be made to the Active Directory schema and the reasons for making modifications. Finally, you learned to plan schema modifications by following the steps you set up for planning a schema modification in your organization's schema modification policy.



MCSE Training Kit Exam 70-219(c) Designing a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
ISBN: 0735613648
Year: 2001
Pages: 76
