🧬AD Schema
Definition of the AD Schema
Definition of the AD Schema
The Active Directory (AD) Schema is a critical component of Microsoft's Active Directory service, serving as the blueprint that defines the structure, content, and rules for all objects and their attributes within an AD forest.
The AD Schema is a formal, hierarchical set of metadata definitions that governs the types of objects that can be created and stored in Active Directory, as well as the attributes (properties) these objects can have. It acts as a centralized framework that ensures consistency, integrity, and interoperability across all domain controllers in an AD forest.
The schema defines "what" can exist in the directory (users, computers, groups) and "how" these entities are structured ( what data fields they include, such as names or email addresses).
Key Characteristics
Centralized and Replicated: The schema is stored in a dedicated partition called the schema partition (
CN=Schema,CN=Configuration,DC=mycorp,DC=com) and is replicated across all domain controllers in the forest to maintain a consistent directory structure.Extensible: Administrators can add custom object classes and attributes to support specific organizational or application needs, such as integrating with third-party software.
Immutable and Forest-Wide: Schema changes are permanent (objects can only be deactivated, not deleted) and apply to the entire forest, making modifications high-impact and requiring careful planning.
Controlled Access: Only members of the Schema Admins group can modify the schema, and changes are processed by the Schema Master, a single domain controller holding the Flexible Single Master Operation (FSMO) role for schema updates.
Components of the AD Schema
The schema is composed of two primary elements: classes and attributes, which are defined as objects within the schema partition. These components work together to define the structure and content of the directory.
1. Classes
Classes define the types of objects that can be created in AD. Each object in the directory is an instance of a class, and classes are categorized into three types:
Structural Classes: These are concrete objects that can be instantiated. Examples include:
User: Represents a user account (an employee named Alice Johnson).
Attributes:
cn (common name)userPrincipalName,givenName,sn (surname).Example
DN: CN=Alice Johnson,OU=Employees,DC=mycorp,DC=com.
Group: Represents a collection of users or computers for access control or distribution.
Attributes:
cn, member (multivalue, listing members),groupType.Example
DN: CN=SalesTeam,OU=Groups,DC=mycorp,DC=com.
Computer: Represents a device joined to the domain.
Attributes:
cn,operatingSystem,servicePrincipalName.Example
DN: CN=WS001,OU=Workstations,DC=mycorp,DC=com.
OrganizationalUnit (OU): A container for organizing objects.
Attributes:
ou, description.Example
DN: OU=Marketing,DC=mycorp,DC=com.
Abstract Classes: These cannot be instantiated but serve as templates for inheritance. Example:
Top: The root class from which all structural classes inherit, providing common attributes like
objectClass, objectCategory, and name.
Auxiliary Classes: These add attributes to structural classes without creating new object types. Example:
securityPrincipal: Adds security-related attributes (
objectSid,sAMAccountName) to classes like user and computer.mailRecipient: Used by Exchange to add email-related attributes (
mail,proxyAddresses).
Each class is represented by a classSchema object in the schema partition, with properties such as:
governsID: The OID uniquely identifying the class (1.2.840.113556.1.5.9 for user).
lDAPDisplayName: The name used by LDAP clients (user).
subClassOf: The parent class for inheritance (user inherits from organizationalPerson).
mustContain: Mandatory attributes (cn for all classes).
mayContain: Optional attributes (
telephoneNumber,description).schemaIDGUID: A globally unique identifier (GUID) for the class.
Last updated