Schema

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Schema

The Active Directory schema contains the definitions for all objects in the directory. Every new directory object you create is validated against the appropriate object definition in the schema before being written to the directory. The schema is made up of object classes and attributes. The base (or default) schema contains a rich set of object classes and attributes to meet the needs of most organizations, and is modeled after the International Standards Organization (ISO) X.500 standard for directory services. Because it is extensible, you can modify and add classes and attributes to the base schema. However, you should carefully consider each change you make, because extending the schema affects the entire network. For more information, see Extending the schema.

How directory objects are defined

In the schema, an object class represents a category of directory objects, such as users, printers, or application programs, that share a set of common characteristics. The definition for each object class contains a list of the schema attributes that can be used to describe instances of the class. For example, the User class has attributes such as givenName, surname, and streetAddress. When you create a new user in the directory the user becomes an instance of the User class, and the information you enter about the user becomes instances of the attributes. For more information, see Schema classes and attributes.

How the schema is stored

Each forest can contain only one schema, which is stored in the schema directory partition. The schema directory partition, along with the configuration directory partition, is replicated to all domain controllers in a forest. However, a single domain controller, the schema master, controls the structure and content of the schema. For more information about the schema master, see Operations master roles.

Schema cache

To improve performance on schema operations (such as new object validation), each domain controller holds a copy of the schema in memory (in addition to the copy it holds on disk). This cached version is automatically updated (after a small time interval) each time you update the schema. Or, you can reload the updated schema to cache manually for immediate effect. For more information, see Reload the schema.

Securing the schema

Like every object in Active Directory, schema objects are protected from unauthorized use by access control lists (ACLs). By default, only members of the Schema Admins group have write access to the schema. So, to extend the schema you must be a member of the Schema Admins group. The only default member of the Schema Admins group is the administrator account in the root domain of the forest. You should restrict membership in the Schema Admins group because extending the schema improperly can have serious consequences to your network. For more information, see Access control in Active Directory and Default groups.

For more information about the schema, see "Active Directory Schema" at the Microsoft Windows Resource Kits Web site and at the Microsoft MSDN Web site.