3.1.1.2 Active Directory Schema

In Active Directory, the schema contains definitions for the objects that can be stored in the directory, and it enforces the rules that govern both the structure and the content of the directory. The schema consists of a set of classes, attributes, and syntaxes. A class is a category of objects that share a set of common characteristics. It is a formal description of a discrete, identifiable type of object that can be stored in the directory. Each object in the directory is an instance of one or more classes in the schema. Attributes define the types of information that an object can hold. For each class, the schema specifies the mandatory attributes and optional attributes that constitute the set of shared characteristics of the class. A syntax is the data type of a particular attribute. Syntaxes determine what data type an attribute can have. Active Directory uses a set of predefined syntaxes. The predefined syntaxes do not actually appear in the directory, and new syntaxes cannot be added.

The schema itself is represented in Active Directory by a set of objects known as schema objects. For each class in the schema, there is a schema object that defines the class. This object is a classSchema object. For each attribute in the schema, there is a schema object that defines the attribute. This object is an attributeSchema object. Therefore, every class is actually an instance of the classSchema class, and every attribute is an instance of the attributeSchema class. Administrators and applications can extend the schema by adding new attributes and classes and by modifying existing ones.

A schema object cannot be deleted, but it can be made defunct by setting the isDefunct attribute to TRUE. A schema object that is not defunct is active. The primary effect of the defunct state is to prevent the schema object from being used in the creation or modification of new objects. For instance, an attempt to perform an LDAP Add of an object with a defunct class fails, just as an attempt to perform an LDAP Add of an object with a nonexistent class fails. The full effects of the defunct state are specified later in this section.
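As an added illustration of the rules above (constructed for this section; not MS-ADTS code and not connected to a real directory), the following Python model represents classSchema and attributeSchema objects, a fixed set of syntaxes, and the isDefunct flag, and checks an LDAP Add against them. The syntax names, the `must_contain`/`may_contain` fields and the sample classes are simplifications chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of the rules in this section; not MS-ADTS code and not
# connected to a real directory. Syntax names stand in for the predefined AD syntaxes.
SYNTAXES = {"Unicode": lambda v: isinstance(v, str), "Boolean": lambda v: isinstance(v, bool),
            "Integer": lambda v: isinstance(v, int) and not isinstance(v, bool)}

@dataclass
class AttributeSchema:          # one attributeSchema object
    ldap_display_name: str
    attribute_syntax: str       # must be a predefined syntax; none can be added
    is_defunct: bool = False
@dataclass
class ClassSchema:              # one classSchema object
    ldap_display_name: str
    must_contain: set           # mandatory attributes (cf. mustContain)
    may_contain: set = field(default_factory=set)  # optional (cf. mayContain)
    is_defunct: bool = False
class Schema:
    def __init__(self):
        self.classes, self.attributes = {}, {}

    def add_attribute(self, attr):
        if attr.attribute_syntax not in SYNTAXES:  # the syntax set is fixed
            raise ValueError(f"unknown syntax {attr.attribute_syntax}")
        self.attributes[attr.ldap_display_name] = attr
    def validate_add(self, object_class, values):
        """Reasons an LDAP Add of this object would fail (empty list = accepted)."""
        cls = self.classes.get(object_class)
        if cls is None or cls.is_defunct:  # a defunct class behaves like a nonexistent one
            return [f"class {object_class} is nonexistent or defunct"]
        problems = [f"mandatory attribute {n} missing" for n in sorted(cls.must_contain - set(values))]
        for name, value in values.items():
            attr = self.attributes.get(name)
            if name not in cls.must_contain | cls.may_contain:
                problems.append(f"attribute {name} not allowed on {object_class}")
            elif attr is None or attr.is_defunct:
                problems.append(f"attribute {name} is nonexistent or defunct")
            elif not SYNTAXES[attr.attribute_syntax](value):
                problems.append(f"{name} violates syntax {attr.attribute_syntax}")
        return problems
def build_sample_schema():
    """Constructed sample: a 'user' class, a defunct attribute and a defunct class."""
    s = Schema()
    for name, syntax, defunct in [("cn", "Unicode", False), ("sAMAccountName", "Unicode", False),
                                  ("userAccountControl", "Integer", False), ("legacyFlag", "Boolean", True)]:
        s.add_attribute(AttributeSchema(name, syntax, defunct))
    s.classes["user"] = ClassSchema("user", {"cn", "sAMAccountName"}, {"userAccountControl", "legacyFlag"})
    s.classes["oldClass"] = ClassSchema("oldClass", {"cn"}, is_defunct=True)
    return s
```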