

AD Schema - Deep Dive, Part 1

Schema is a common word in the Directory Services world. But how well do we understand the schema: what is a schema, what are attributes, objects and classes, and so on? Let’s take things one step at a time and look at it.
The schema is, by definition, “the Active Directory component that defines all the objects and attributes that the directory service uses to store data. The physical structure of the schema consists of the object definitions. The schema itself is stored in the directory.”

How well do we understand the above statement?

We are all aware that Active Directory (AD) is a directory service that stores various objects, such as Users, Computers, Group Policies, and the list goes on and on.

Whenever an object is created in Active Directory, it is built from a framework, or definition, that describes that object. These are called “object definitions”, and all these object definitions put together are the schema. A set of predefined object definitions is installed with AD; this is the schema in simple terms.

The components that make up the schema are Objects, Attributes and Classes.

Objects:

An object is the structure within which data is stored, together with the content and structure of that data. An example of an object is a User Account object, along with the data describing the syntax of the User object. Part of the data in an object comes from its attributes.

Attributes:

These define the character of an object; attributes contain the data that defines an object. Examples of attributes are the various properties that make up a User Account object, i.e. First Name, Last Name, Logon Name, Telephone, Location etc. Some attributes are mandatory, others are not: a User Account object needs a Logon Name (mandatory attribute), whereas a Telephone is not needed (optional attribute). Sometimes there is a syntax attribute linked to other attributes; the syntax attribute defines what data can be stored under those attributes, which ensures that the data stored within an attribute is valid.

So the collection of all these various attributes that make up the object is the underlying framework that makes up the object definition.

There are a few attributes which are commonly applied to any object; for example, the SID (Security Identifier) attribute defines the permissions to an object. So any object can use this SID attribute with just one definition in the schema.

Classes:

Now that we understand object definitions, it’s time to move on to classes.
Classes group the various object definitions into categories. They are the templates that decide which attributes are needed for different objects, including which attributes are mandatory and which are optional.

Every object has a predefined class in AD. Object definitions also contain nested classes, i.e. one class is nested within another; these nested classes are the super class and the sub class. The sub class inherits the properties of the super class. Which classes need to be nested depends on the attributes needed for a particular object.

It’s important to note that the schema only stores class information; objects are created based on it and then stored in the AD database.
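The mandatory/optional split and the super-class inheritance described above can be read straight out of the schema partition. The following PowerShell is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module on a domain-joined Windows host and walks a class's `subClassOf` chain and auxiliary classes to collect the `mustContain` and `mayContain` attributes each one contributes.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory module
# on a domain-joined host with read access to the schema partition (default for domain users).
Import-Module ActiveDirectory
# Fetch one classSchema object from the schema naming context by lDAPDisplayName.
function Get-SchemaClass {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, subClassOf, auxiliaryClass, systemAuxiliaryClass,
                    systemMustContain, mustContain, systemMayContain, mayContain
}
# Walk the superclass chain (subClassOf) and every auxiliary class, collecting the
# mandatory (mustContain) and optional (mayContain) attributes each class adds.
function Resolve-SchemaClassAttributes {
    param([Parameter(Mandatory)][string]$ClassName)
    $mandatory = [System.Collections.Generic.HashSet[string]]::new()
    $optional  = [System.Collections.Generic.HashSet[string]]::new()
    $visited   = [System.Collections.Generic.HashSet[string]]::new()
    $queue     = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($ClassName)
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        # 'top' lists itself as its own superclass, so track visited classes to stop.
        if (-not $visited.Add($name)) { continue }
        $cls = Get-SchemaClass -LdapDisplayName $name
        if (-not $cls) { throw "Class '$name' not found in the schema partition" }
        foreach ($a in @($cls.systemMustContain) + @($cls.mustContain)) {
            if ($a) { [void]$mandatory.Add($a) }
        }
        foreach ($a in @($cls.systemMayContain) + @($cls.mayContain)) {
            if ($a) { [void]$optional.Add($a) }
        }
        foreach ($parent in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($parent) { $queue.Enqueue($parent) }
        }
    }
    # An attribute that is mandatory anywhere in the chain is mandatory overall.
    $optional.ExceptWith($mandatory)
    [pscustomobject]@{
        Class     = $ClassName
        Classes   = @($visited)
        Mandatory = @($mandatory | Sort-Object)
        Optional  = @($optional  | Sort-Object)
    }
}
# Example: which attributes must (and may) a user object carry?
Resolve-SchemaClassAttributes -ClassName user | Format-List
```

For `user`, the Logon Name the post calls mandatory shows up as `sAMAccountName`, contributed by the `securityPrincipal` auxiliary class rather than by `user` itself, which is the inheritance the post describes.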

To summarize, the schema is the master copy of all the classes and attributes needed to hold any object in Active Directory. During the AD install, the schema.ini file is used to build the schema on the first DC; the schema is then stored in the Schema partition and replicated to all DCs in the forest.

The schema is what defines which objects can be used in Active Directory.