What Is the Active Directory Schema?
Updated: November 19, 2014
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to store data.
Active Directory stores and retrieves information on behalf of a wide variety of applications and services. Because the sources of that data cannot be known in advance, Active Directory standardizes how data is stored in the directory. By standardizing how data is stored, the directory service can retrieve, update, and replicate data while ensuring that the integrity of the data is maintained.
The directory service uses objects as units of storage. All objects are defined in the schema. Every domain controller loads its copy of the schema into memory (the schema cache) when the directory service starts, and each time that the directory handles data it consults that cache for the appropriate object definition. Based on the object definition in the schema, the directory creates the object and stores the data.
Object definitions control the types of data that the objects can store, as well as the syntax of the data. Using this information, the schema ensures that all objects conform to their standard definitions. As a result, Active Directory can store, retrieve, and validate the data that it manages, regardless of the application that is the original source of the data. Only data that has an existing object definition in the schema can be stored in the directory, and because the check is made by the directory service itself, no LDAP client can bypass it. If a new type of data needs to be stored, a new object definition for the data must first be created in the schema.
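The class-definition lookup described above, as an added example that is not part of the original article: the script walks the schema definition of the user class (its superclass chain plus the auxiliary classes it includes), collects every attribute the class may or must carry, and then checks a few attribute names against that set. It assumes the ActiveDirectory PowerShell module and a reachable domain controller; the attribute name notInSchema is constructed for the demonstration.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module (RSAT) and a reachable domain controller for the current forest.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaClass {
    param([string]$LdapDisplayName)
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, subClassOf, auxiliaryClass, systemAuxiliaryClass,
                    mustContain, systemMustContain, mayContain, systemMayContain
}

# Collect attribute names from a class, its superclass chain and its auxiliary
# classes. $Seen stops the recursion at 'top', which is its own superclass.
function Get-ClassAttributeSet {
    param([string]$LdapDisplayName, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($LdapDisplayName)) { return }
    $Seen[$LdapDisplayName] = $true

    $cls = Get-SchemaClass $LdapDisplayName
    if (-not $cls) { throw "No classSchema object named '$LdapDisplayName' in $schemaNC" }

    foreach ($a in @($cls.mustContain) + @($cls.systemMustContain)) {
        if ($a) { [pscustomobject]@{ Attribute = $a; Required = $true;  DefinedBy = $LdapDisplayName } }
    }
    foreach ($a in @($cls.mayContain) + @($cls.systemMayContain)) {
        if ($a) { [pscustomobject]@{ Attribute = $a; Required = $false; DefinedBy = $LdapDisplayName } }
    }
    foreach ($parent in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
        if ($parent) { Get-ClassAttributeSet -LdapDisplayName $parent -Seen $Seen }
    }
}

$userAttrs = Get-ClassAttributeSet -LdapDisplayName 'user' | Sort-Object Attribute -Unique

"user instances can carry {0} distinct attributes, {1} of them mandatory" -f `
    $userAttrs.Count, @($userAttrs | Where-Object Required).Count

# The directory service rejects any write that names an attribute the class
# definition does not list. 'notInSchema' is a constructed name for that case.
foreach ($name in 'sAMAccountName', 'department', 'notInSchema') {
    $hit = $userAttrs | Where-Object Attribute -eq $name
    if ($hit) { "{0,-16} allowed (defined by {1}, required={2})" -f $name, $hit.DefinedBy, $hit.Required }
    else      { "{0,-16} not in the user class definition; a write would be rejected" -f $name }
}
```

The walk has to include auxiliaryClass and systemAuxiliaryClass as well as subClassOf: several of the attributes that make a user a security principal (objectSid, sAMAccountName) come from the securityPrincipal auxiliary class rather than from the user class itself, so a walk that follows only the superclass chain undercounts what the directory will accept.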
Using Objects to Store Data
Active Directory uses objects to store information. An object is a data structure made up of attributes, and the schema holds metadata for each of those attributes; metadata is data that describes the properties of other data. For example, the object that stores a user account has many attributes, including the user's logon name, first name, last name, and password (the password is held as a hash in the unicodePwd attribute, which the directory never returns to an LDAP reader). Each of those attributes is described by its own definition in the schema. The definition of the logon name attribute, for example, specifies the syntax of the values the attribute may hold, so that the directory can reject a logon name that is not in a valid format, and the class definition for user objects records that the logon name is a required attribute, so that a user object is not valid unless it contains one. Both pieces of information are metadata for the logon name attribute; that is, they define the characteristics of the logon name attribute.
The object definitions in the schema (classSchema objects) list all the attributes that an object of that class may or must have and define how the attributes relate to each other. Some classes are simple and contain only a few attributes, while others are quite complex and contain hundreds. Attribute definitions are objects too (attributeSchema objects), and the schema contains one for every attribute. Both kinds of definition live in the schema partition, CN=Schema,CN=Configuration,<forest root DN>. New classes are defined by combining existing attribute definitions, and by inheriting from existing classes, rather than by defining each attribute again.
For a user object, the logon name attribute is defined by an attributeSchema object that carries attributes of its own, among them the syntax of the logon name; whether the attribute is optional or required on a user is recorded in the class definition. The first name and last name attributes are likewise defined by their own attributeSchema objects. The classSchema object that defines the user class lists the logon name attribute, the first name and last name attributes, and many others, and it defines how they combine to store the data that represents a user account.
Defining objects and attributes in this manner gives the schema the ability to define many different types of objects efficiently while retaining the ability to add new types of objects when necessary. Many objects have attributes in common. For example, every object has a security descriptor, nTSecurityDescriptor, which defines who is allowed to read and change its contents. Rather than define a separate security descriptor attribute for each class, the schema defines nTSecurityDescriptor once and makes it a required attribute of top, the class from which every other class derives. Every object therefore carries exactly one security descriptor, evaluated the same way regardless of the object's class, while the schema keeps only one definition for it.
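The attribute metadata described above, as an added example that is not part of the original article: the script reads the attributeSchema object for a named attribute and decodes the fields a security reviewer cares about (syntax, single-valuedness, length limits, the schemaIDGUID that ACEs refer to, the property set, and the searchFlags bits, including the confidential bit), then shows that nTSecurityDescriptor is required through the top class. It assumes the ActiveDirectory PowerShell module and a reachable domain controller; the searchFlags bit meanings are the ones documented in the Active Directory Technical Specification (MS-ADTS).

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module and a reachable domain controller.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# searchFlags bits as documented in MS-ADTS. 0x80 is the one that changes who
# may read an attribute: the caller needs CONTROL_ACCESS, not just READ_PROPERTY.
$searchFlagBits = @(
    [pscustomobject]@{ Bit = 0x0001; Meaning = 'indexed' }
    [pscustomobject]@{ Bit = 0x0002; Meaning = 'containerized index' }
    [pscustomobject]@{ Bit = 0x0004; Meaning = 'ambiguous name resolution (ANR)' }
    [pscustomobject]@{ Bit = 0x0008; Meaning = 'preserved on tombstone' }
    [pscustomobject]@{ Bit = 0x0010; Meaning = 'copied when the object is duplicated' }
    [pscustomobject]@{ Bit = 0x0020; Meaning = 'tuple index' }
    [pscustomobject]@{ Bit = 0x0040; Meaning = 'subtree index' }
    [pscustomobject]@{ Bit = 0x0080; Meaning = 'CONFIDENTIAL (read needs CONTROL_ACCESS)' }
    [pscustomobject]@{ Bit = 0x0100; Meaning = 'value changes never audited' }
    [pscustomobject]@{ Bit = 0x0200; Meaning = 'filtered from read-only domain controllers' }
    [pscustomobject]@{ Bit = 0x1000; Meaning = 'partition secret' }
)

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties attributeID, attributeSyntax, oMSyntax, isSingleValued, rangeLower, rangeUpper,
                    searchFlags, systemOnly, attributeSecurityGUID, schemaIDGUID
    if (-not $attr) { throw "No attributeSchema object named '$LdapDisplayName'" }

    $flags = [int]$attr.searchFlags
    $propertySet = if ($attr.attributeSecurityGUID) { [guid]$attr.attributeSecurityGUID } else { $null }

    [pscustomobject]@{
        Name         = $LdapDisplayName
        OID          = $attr.attributeID
        Syntax       = "$($attr.attributeSyntax) / oMSyntax $($attr.oMSyntax)"
        SingleValued = [bool]$attr.isSingleValued
        LengthRange  = "$($attr.rangeLower)..$($attr.rangeUpper)"
        SystemOnly   = [bool]$attr.systemOnly          # only the directory service may write it
        SchemaIDGUID = [guid]$attr.schemaIDGUID        # the ObjectType an attribute-level ACE names
        PropertySet  = $propertySet                     # rights granted to the set cover this attribute
        Confidential = [bool]($flags -band 0x80)
        SearchFlags  = ($searchFlagBits | Where-Object { $flags -band $_.Bit } |
                            ForEach-Object { $_.Meaning }) -join '; '
    }
}

# Note that some protection is enforced by the directory service itself rather
# than by a schema flag: unicodePwd is never returned on read whatever its flags say.
'sAMAccountName', 'unicodePwd', 'nTSecurityDescriptor' |
    ForEach-Object { Get-SchemaAttribute -LdapDisplayName $_ } | Format-List

# The shared security descriptor: defined once, required by 'top', inherited by all.
$top = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=top))' -Properties systemMustContain
"top requires: $($top.systemMustContain -join ', ')"
```

Two of the decoded fields are the ones to check when a new attribute is added to hold sensitive data: Confidential, which should be set so that ordinary read rights on the object do not expose it, and PropertySet, because an attribute that belongs to no property set is reachable by any ACE that grants Read All Properties on the object.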
Building the Schema
The Active Directory installation process that creates the forest also generates the default schema on the first domain controller. Thereafter, the schema, including any extensions made since the forest was created, replicates to each new domain controller during the installation of the directory on that domain controller. The default schema contains all the standard object definitions that are necessary for Active Directory to function in a standard deployment.
Active Directory uses a multimaster replication topology: any writable domain controller in a forest can accept a change to most directory data and replicate that change to the other domain controllers in the forest. The schema is the exception. Schema changes are accepted on only one domain controller per forest, the schema operations master, and every other domain controller holds a replica of the schema partition that it can read but not modify. For a domain controller to create a new object and write it to the directory, the domain controller must have the object definition that the new object requires, so every domain controller in the forest maintains a complete copy of the schema and loads it into the schema cache when the directory service starts.
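A check for the property just described, as an added example that is not part of the original article: it finds the schema operations master and then reads the schema version and the number of class and attribute definitions from every domain controller in the forest, flagging any replica that differs from the master. It assumes the ActiveDirectory PowerShell module and network reach to each domain controller; the objectVersion table covers the Windows Server releases this article applies to.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module and LDAP reachability to every domain controller in the forest.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Schema writes are accepted on exactly one DC per forest.
"Schema master: $($forest.SchemaMaster)"

# objectVersion on the Schema container identifies the base schema level.
$knownVersions = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2' }

$dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$report = foreach ($dc in $dcs) {
    try {
        $schema  = Get-ADObject -Identity $schemaNC -Server $dc.HostName -Properties objectVersion
        $version = [int]$schema.objectVersion
        $level   = if ($knownVersions.ContainsKey($version)) { "Windows Server $($knownVersions[$version])" }
                   else { 'newer than the releases this article covers' }
        [pscustomobject]@{
            DC            = $dc.HostName
            ReadOnly      = $dc.IsReadOnly
            ObjectVersion = $version
            Level         = $level
            Classes       = @(Get-ADObject -SearchBase $schemaNC -Server $dc.HostName `
                                -LDAPFilter '(objectClass=classSchema)').Count
            Attributes    = @(Get-ADObject -SearchBase $schemaNC -Server $dc.HostName `
                                -LDAPFilter '(objectClass=attributeSchema)').Count
        }
    } catch {
        [pscustomobject]@{
            DC = $dc.HostName; ReadOnly = $dc.IsReadOnly; ObjectVersion = $null
            Level = "unreachable: $($_.Exception.Message)"; Classes = $null; Attributes = $null
        }
    }
}
$report | Format-Table -AutoSize

# A DC whose version or definition counts differ from the schema master has not
# yet received a schema change (or cannot be reached). Until every replica agrees,
# objects of a newly added class cannot be created on every DC.
$master = $report | Where-Object DC -eq $forest.SchemaMaster
$report | Where-Object {
    $_.ObjectVersion -ne $master.ObjectVersion -or
    $_.Classes -ne $master.Classes -or $_.Attributes -ne $master.Attributes
} | ForEach-Object { "DIVERGENT: $($_.DC) ($($_.Level))" }
```

Counting classSchema and attributeSchema objects catches extensions that do not bump objectVersion (third-party and in-house extensions never do), which is why the version alone is not a sufficient consistency check.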
In some situations, the default attributes and object definitions in the schema are insufficient to create new object types that are required by some applications or services that interoperate with the directory. In these situations, it is possible to customize the schema by adding new object definitions to it. The process of adding definitions to the schema is referred to as “extending the schema.”
It is important to plan the deployment of schema extensions carefully. The directory stores the schema and replicates schema changes to every domain controller throughout the forest, so extending the schema creates replication traffic on every replication link in the forest. An extension is also permanent: a class or attribute that has been added can later be disabled (made defunct) but never deleted. Making the change requires membership in the Schema Admins group, which should be granted only for the duration of the change and removed afterwards, and a new attribute belongs to no property set and carries no special protection unless its definition asks for it. For more information about extending the schema, see "How the Active Directory Schema Works."
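The extension procedure described above, as an added example that is not part of the original article: it builds an LDIF file that adds one attribute and one auxiliary class, attaches the class to user, and reloads the schema cache between steps, then imports the file on the schema master with ldifde and verifies the result. Everything in it is an assumption of the example: the attribute and class names are invented, and the OID prefix is a placeholder to be replaced by an OID generated under the 1.2.840.113556.1.8000.2554 range that Microsoft provides for customer extensions. It assumes the ActiveDirectory PowerShell module, that the account running it is a member of Schema Admins, and that the schema operations master is reachable.

```powershell
# Added example, not code from the original article or from Microsoft.
# ASSUMPTIONS: the names exampleBadgeNumber / exampleBadgeHolder are invented,
# and $oidPrefix is a placeholder; generate your own OID and never reuse an OID
# or schemaIDGUID from another extension. Run as a member of Schema Admins.
Import-Module ActiveDirectory

$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$master    = (Get-ADForest).SchemaMaster
$oidPrefix = '1.2.840.113556.1.8000.2554.11111.22222'   # PLACEHOLDER

# LDIF carries schemaIDGUID as base64 of the GUID's 16 bytes; mint fresh ones.
function New-SchemaGuid { [Convert]::ToBase64String([guid]::NewGuid().ToByteArray()) }

# attributeSyntax 2.5.5.12 / oMSyntax 64 = Unicode string. searchFlags 129 =
# indexed (1) + confidential (128): ordinary Read All Properties will not expose it.
# Each 'schemaUpdateNow' reloads the schema cache so the next record can refer
# to the definition added just before it.
$ldif = @"
dn: CN=example-Badge-Number,$schemaNC
changetype: add
objectClass: attributeSchema
lDAPDisplayName: exampleBadgeNumber
attributeID: ${oidPrefix}.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
rangeUpper: 32
searchFlags: 129
schemaIDGUID:: $(New-SchemaGuid)
adminDescription: Example attribute added by a schema-extension example

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=example-Badge-Holder,$schemaNC
changetype: add
objectClass: classSchema
lDAPDisplayName: exampleBadgeHolder
governsID: ${oidPrefix}.2.1
objectClassCategory: 3
subClassOf: top
mayContain: exampleBadgeNumber
schemaIDGUID:: $(New-SchemaGuid)

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,$schemaNC
changetype: modify
add: auxiliaryClass
auxiliaryClass: exampleBadgeHolder
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"@

$path = Join-Path $env:TEMP 'example-schema-extension.ldf'
Set-Content -Path $path -Value $ldif -Encoding ASCII

# -s targets the schema master explicitly; -j puts ldif.log / ldif.err in $env:TEMP.
# -k (continue on error) is deliberately not used: a half-applied extension is
# harder to reason about than a failed one.
& ldifde.exe -i -f $path -s $master -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE; see $env:TEMP\ldif.err" }

# Verify on the master: the attribute exists with the flags requested, and the
# user class now lists the auxiliary class.
Get-ADObject -SearchBase $schemaNC -Server $master -LDAPFilter '(lDAPDisplayName=exampleBadgeNumber)' `
    -Properties attributeID, searchFlags, isSingleValued, rangeUpper
(Get-ADObject -SearchBase $schemaNC -Server $master -LDAPFilter '(lDAPDisplayName=user)' `
    -Properties auxiliaryClass).auxiliaryClass
```

An auxiliary class is used rather than adding the attribute directly to the user class's mayContain so that the extension can be detached from user later (auxiliaryClass is writable; an attribute placed in systemMayContain is not). The confidential bit can only be set on attributes added this way, not on the base schema attributes that ship with Windows, which is one more reason to decide on it at creation time.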