Friday, November 12, 2004
Part 4: Active Directory Schema
Understanding that all resources in Active Directory are represented by objects, and that all objects have attributes, we can now understand that the schema contains the definitions for all of these objects and attributes. Put another way, the schema is the set of rules that governs what objects can exist in the directory and what attributes those objects can have.
An Active Directory forest can have only one schema, and all domains in that forest share the same schema. This ensures that all objects in the forest conform to the same set of rules. The schema can be changed, or extended, to include new definitions. The schema is protected from unauthorized changes by permissions, similar to other Active Directory objects.
The schema is made up of two things: object classes, and attributes.
Object Classes: We know that there are objects represented in Active Directory, such as the user "Bob" or the printer "Accounting." These objects are instances of the object classes "User" and "Printer" (in LDAP terms, the classes whose lDAPDisplayName values are user and printQueue). Every object that can be created in AD is an instance of an object class. So one of the things the schema is made up of is the list of all possible object classes. Every new object that is created must belong to an object class in this list.
Attributes: The list of all possible attributes for object classes is the second part of the schema. Each attribute is defined just once in this list, but can be used in multiple object classes. For instance, the attribute "Location" may be used by both the printer and the computer object classes, but it is defined only once in the schema. By defined, we mean that it is given a unique name and a syntax. The syntax tells what data type the attribute holds (a Unicode string, an integer, a distinguished name, and so on). The schema keeps track of which attributes are used with each object class, so that when a new object of the class "User" is created, it will have the same set of attributes as all the other user objects (full name, telephone, etc.).
The schema itself is actually stored inside Active Directory, as opposed to being read in from a text file, as is common with some databases or directories. According to Microsoft, this has three advantages:
The schema is dynamically available to user applications, so they can read it and discover what object classes and attributes are available for use.
The schema is dynamically updateable, so that an application can extend the schema (add object classes and attributes) "on the fly."
The schema can be protected using DACLs (discretionary access control lists), enabling only authorized users to make schema changes.
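The three advantages above, and the class/attribute split described earlier, are easiest to see by actually reading the schema. The following is an added example, not code from the original post: it uses the .NET System.DirectoryServices classes (available on any domain-joined Windows host, no ActiveDirectory module required) to find the schema naming context through rootDSE, walk a class definition to collect every attribute its instances can carry, look up the syntax of an attribute, and finally read the DACL on the Schema container to list who is allowed to write to it. The lookups of the `user` class and `location` attribute are illustrative choices, and the syntax table is a partial list of the attributeSyntax OIDs that AD uses.

```powershell
# Added example (not from the original post). Assumes a domain-joined Windows
# host that can reach a domain controller over LDAP; the 'user' / 'location'
# lookups at the bottom are illustrative, and $syntaxNames is a partial table.
Add-Type -AssemblyName System.DirectoryServices

# rootDSE advertises the DN of the schema naming context for the forest,
# e.g. CN=Schema,CN=Configuration,DC=corp,DC=example
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaDn = $rootDse.schemaNamingContext.Value
$schema   = [ADSI]"LDAP://$schemaDn"

# Looks up one classSchema or attributeSchema object directly under the
# Schema container by its lDAPDisplayName and returns its properties.
function Find-SchemaObject {
    param([string]$Category, [string]$LdapDisplayName, [string[]]$Props)
    $s = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $s.SearchScope = 'OneLevel'
    $s.Filter = "(&(objectClass=$Category)(lDAPDisplayName=$LdapDisplayName))"
    [void]$s.PropertiesToLoad.AddRange($Props)
    $r = $s.FindOne()
    if (-not $r) { throw "No $Category object with lDAPDisplayName '$LdapDisplayName'" }
    return $r.Properties
}

# Returns a multi-valued property as a string array (empty if absent).
function Vals($p, $name) { @($p[$name] | ForEach-Object { [string]$_ }) }

# Walks subClassOf and the auxiliary classes, so the result is the full set of
# attributes an instance can carry, not only the ones declared on the class.
function Get-ClassAttributes {
    param([string]$ClassName)
    $must = New-Object System.Collections.Generic.HashSet[string]
    $may  = New-Object System.Collections.Generic.HashSet[string]
    $seen = New-Object System.Collections.Generic.HashSet[string]
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($ClassName)
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if (-not $seen.Add($name)) { continue }   # 'top' is its own superclass
        $p = Find-SchemaObject 'classSchema' $name @(
            'subclassof', 'auxiliaryclass', 'systemauxiliaryclass',
            'mustcontain', 'systemmustcontain', 'maycontain', 'systemmaycontain')
        foreach ($a in (Vals $p 'mustcontain') + (Vals $p 'systemmustcontain')) { [void]$must.Add($a) }
        foreach ($a in (Vals $p 'maycontain')  + (Vals $p 'systemmaycontain'))  { [void]$may.Add($a) }
        foreach ($parent in (Vals $p 'subclassof') + (Vals $p 'auxiliaryclass') + (Vals $p 'systemauxiliaryclass')) {
            $queue.Enqueue($parent)
        }
    }
    [pscustomobject]@{ Class = $ClassName; Must = $must; May = $may }
}

# Partial table of attributeSyntax OIDs; the schema stores the OID, not a name.
$syntaxNames = @{
    '2.5.5.1'  = 'Distinguished Name'
    '2.5.5.8'  = 'Boolean'
    '2.5.5.9'  = 'Integer / Enumeration'
    '2.5.5.10' = 'Octet String'
    '2.5.5.11' = 'Generalized / UTC Time'
    '2.5.5.12' = 'Unicode String'
    '2.5.5.16' = 'Large Integer'
    '2.5.5.17' = 'SID'
}

# An attribute is defined once: its OID, its syntax and whether it is single-valued.
function Get-AttributeDefinition {
    param([string]$AttrName)
    $p = Find-SchemaObject 'attributeSchema' $AttrName @('attributeid', 'attributesyntax', 'issinglevalued')
    $oid = [string]$p['attributesyntax'][0]
    [pscustomobject]@{
        Attribute    = $AttrName
        OID          = [string]$p['attributeid'][0]
        Syntax       = $(if ($syntaxNames[$oid]) { $syntaxNames[$oid] } else { $oid })
        SingleValued = [bool]$p['issinglevalued'][0]
    }
}

# The schema is protected like any other AD object: its DACL decides who may
# change it. Lists the Allow ACEs that grant any form of write access.
function Get-SchemaWriters {
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll, CreateChild'
    $schema.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $writeMask) } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

$user = Get-ClassAttributes 'user'
"user objects: {0} mandatory and {1} optional attributes (including inherited ones)" -f $user.Must.Count, $user.May.Count
Get-AttributeDefinition 'location' | Format-List
Get-SchemaWriters | Format-Table -AutoSize
```

On a default forest the principal the schema DACL grants write access to is the Schema Admins group, which is why that group should be kept empty except while a planned schema change is being made; any other account or group turning up in the output of Get-SchemaWriters deserves an explanation. The same searcher, with a different filter, is what an application uses when it "discovers" the schema at run time: it is reading ordinary directory objects, not a configuration file.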
The schema can be a challenging concept to understand. Fortunately, it is rarely necessary to change it, and users must have the appropriate permissions to make those changes. Changes also deserve care because they are effectively permanent: a class or attribute added to the schema cannot be deleted afterwards, only deactivated (made defunct). For more in-depth information on the schema, particularly regarding extending the schema, look to the Windows 2000 Server Resource Kit books (specifically the Distributed Systems Guide).