After you've designed a forest model for your organization, the next step in creating a forest plan is to plan any schema modifications necessary for meeting the needs of your organization. Because Active Directory provides all the directory services most organizations will ever need, you will rarely consider modifying the schema. However, there are valid reasons why your organization may need to change the schema. Modifying the schema is a complex operation that requires an understanding of how the schema functions and detailed planning. This lesson walks you through the steps necessary to plan schema modifications, including creating a schema modification policy, assessing an organization's schema needs, and determining whether to modify the schema.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
Recall that the Active Directory schema is a list of objects that define the kinds of objects and the types of information about those objects that can be stored in Active Directory. The schema is stored in the schema table as part of the NTDS.DIT file. There are two types of objects in the schema: schema class (classSchema) objects and schema attribute (attributeSchema) objects. Schema class objects describe the possible Active Directory objects that can be created, functioning as a template for creating new Active Directory objects. Schema class objects are arranged in a hierarchy of classes, subclasses, and superclasses and consist of mandatory (mustContain) schema attributes and optional (mayContain) schema attributes. Each schema attribute is defined only once and can be used in multiple schema object classes. Schema class objects and attribute objects are defined in separate lists within the schema.
A basic set of schema classes and attributes, often called the base schema or base directory information tree (DIT), is shipped with Windows 2000 Server. There are nearly 200 schema class objects and more than 900 schema attribute objects provided in the base schema. By adding objects to a Windows 2000 deployment, you create additional instances of existing base schema classes.
If the base schema doesn't meet the needs of your organization, you must consider modifying the schema or creating additional schema class and/or attribute objects; this process is called extending the schema. Because schema that you add cannot be deleted, but only deactivated, and a schema is automatically replicated, you must plan and prepare carefully before extending the schema. Inconsistencies in the schema brought about by modifications can cause problems that may impair or disable Active Directory. Before it becomes necessary to extend the schema, your organization must create a schema modification policy that outlines the process for extending the schema. Having a schema modification policy in place can prevent potential problems when extending the schema.
To determine whether the base schema meets the needs of your organization, you must familiarize yourself with the base schema class and attribute objects. If you know the types of data that Active Directory will hold, you can more effectively determine whether you need to change the base schema and whom the changes will impact.
You can find lists of the base schema class objects in Appendix B, "Base Schema Class Objects" and base schema attribute objects in Appendix C, "Base Schema Attribute Objects."
To view the base schema in Windows 2000, you must first install the Active Directory Schema snap-in, which is available only after you install all of the Windows 2000 administration tools. After installing the administration tools, you need to add the snap-in to Microsoft Management Console (MMC) by using the Add/Remove Snap-in dialog box accessible from the Console menu. You can then access the Active Directory Schema snap-in using the MMC.
Because of the serious consequences of modifying the schema, the schema is set for read-only access by default. If you decide to follow along with this lesson by opening the Active Directory Schema snap-in, verify with your administrator that schema modification has not been enabled.
Viewing Schema Class Objects
After you open the Classes folder in the Active Directory Schema snap-in, you can scroll through the list of schema class objects, shown partially in Figure 3.3 and included in its entirety on the Supplemental Course Materials CD-ROM. Each class has a name, type, and description. The type—abstract, auxiliary, or structural— is used to create the hierarchical structure of the schema class objects.
Figure 3.3 Schema class objects in Active Directory
An abstract class provides a basic definition of a class that can be used to form structural classes. An auxiliary class is used to group schema attributes that you want to apply as a group to a structural class. It can be used to extend the definition of a class that inherits from it, but cannot be used to form a class by itself. Structural classes use a hierarchy that begins with an object class called top. All schema class objects of structural type are descendants of top and inherit the attributes of top. The example in Figure 3.4 shows how the user class inherits sample attributes from its parent classes, organizationalPerson, person, and top. It also inherits sample attributes from its auxiliary classes, mailRecipient and securityPrincipal. You can view the parent class and auxiliary classes for a schema class object on the Relationship tab in the Properties dialog box for the class object. If you want to create a new class in the schema, the classSchema class object defines which objects are required and which are optional.
Figure 3.4 Attribute inheritance for the user class object
Viewing Schema Attribute Objects
After you open the Attributes folder in the Active Directory Schema snap-in, you can scroll through the list of schema attribute objects, as shown partially in Figure 3.5 and listed in its entirety on the Supplemental Course Materials CD-ROM. Each attribute has a name, syntax, and description. The syntax indicates the format of the attribute. If you want to create a new attribute in the schema, the attributeSchema class object defines which attributes are required and which are optional.
Figure 3.5 Schema attribute objects in Active Directory.
A detailed discussion about the Active Directory schema is beyond the scope of this training kit. For more information refer to the Microsoft Windows 2000 Server Distributed Systems Guide volume of the Microsoft Windows 2000 Server Resource Kit.
The Schema Admins predefined universal group is the only group authorized to make changes to the Active Directory schema. However, the members of the Schema Admins group are determined by members of the Local Admins, Domain Admins, and Enterprise Admins groups in the forest root domain. To effectively control who can modify the schema, you should monitor the membership of these groups and restrict membership if necessary by using group policy.
To plan schema modifications for your organization, you must complete the following tasks:
A schema modification policy is a written plan you create to administer schema modifications that affect the entire forest. It outlines who has control of the schema and how modifications are administered. Because these schemas are shared between domains in a forest, changes applied to them affect the entire network and must be carefully planned and controlled. As part of your forest plan document, you should create a schema modification policy for each forest in your forest model.
To create a schema modification policy
The Schema Modification Policy Worksheet has been created to assist you in setting up a schema modification policy for your organization. The following is an example of a completed worksheet for the fictitious A. Datum Company.
A. Datum Corporation Schema Modification Policy Worksheet
Use this worksheet as a guide for setting up a schema modification policy for your organization.
A blank copy of the Schema Modification Policy worksheet is located on the Supplemental Course Materials CD-ROM (\chapt03\worksheets\SchemaMod).
To determine whether you need to plan schema modifications for your organization, you must identify all the data that the organization needs to store in the Active Directory database. To do this, you should consult the business and technical environment analysis documents compiled earlier by your design team. In addition, you should also consider whether changes currently planned to address growth and flexibility needs and any other changes that would help meet the ideal design specifications for the organization would require schema modifications.
Because the Active Directory schema contains hundreds of the most common object classes and attributes that users of a server system require, the need to change the schema is rare. However, some organizations may require object classes or attributes not anticipated in the default schema. In this case, administrators will need to plan and test schema modifications carefully because any new object class or attribute created in the schema is added permanently. Object classes or attributes can be added to the schema but they cannot be deleted, only deactivated.
The following modifications can be made to the schema:
Reasons to Modify the Schema
Although you should avoid modifying the schema for your organization, there are some situations that may warrant schema modification. You may need to modify the schema if any of the following are true:
Automatic Schema Modification
The schema will be modified automatically if you choose to install a directory-enabled application. A directory-enabled application is software that has the capability to read Active Directory objects (and their attributes) or has the capability to create schema class or attribute objects. These capabilities allow the application to integrate directly with Active Directory, combining services and reducing the total cost of ownership and network overhead. Be sure to test directory-enabled applications that modify the schema before installing them on the network.
Implications of Modifying the Schema
Modifying the schema affects the entire forest. When determining whether to modify the schema, consider how schema modification affects the following:
To design a schema modification plan
The following example describes planning schema modifications at the fictitious A. Datum Company.
While gathering information for the Active Directory infrastructure plan, the design team at the A. Datum Company learns that the management of the human resources department for one of its clients (forests) would like to include the languages spoken by its users in the directory. Currently, there is no attribute in the user schema object class that can handle languages spoken, so the design team is considering planning a schema modification. To plan a schema modification, the A. Datum Corporation's schema modification policy requires the team to do the following:
Here is the design team's schema modification plan:
In this lesson you learned the steps for planning schema modifications, including creating a schema modification policy, assessing an organization's schema needs, and determining whether to modify the schema. A schema modification policy is a plan you create to administer schema modifications that affect the entire forest, outlining who has control of the schema and how modifications are administered. You learned that you must assess all the data that the organization needs to store in the Active Directory schema by consulting the business and technical environment analysis documents compiled by your design team.
You also learned that because the Active Directory schema contains hundreds of the most common object classes and attributes that users of a server system require, the need to change the schema is rare. You learned the types of modifications that can be made to the Active Directory schema and the reasons for making modifications. Finally, you learned to plan schema modifications by following the steps you set up for planning a schema modification in your organization's schema modification policy.