Active Directory: Schema
What is Schema?
Schema is the collection of objects, object classes and their attributes. In the image above, “Administrator” is a user object in Active Directory, and the properties of that user object are called attributes: Remote control is an attribute, COM+ is an attribute. Some attributes in turn hold further settings; the Dial-in attribute, for example, has Allow Access, Deny Access and so on. This collection of definitions is called the “Schema”.
Where is this Schema information stored?
It is stored in the NTDS.DIT file (DIT stands for Data Information Tree). NTDS.DIT is the main database file for Active Directory, and its data is divided into three partitions: the Domain Partition, the Configuration Partition and the Schema Partition.
These partitions can be viewed with REPLMON (a deprecated GUI tool from the Windows 2003 Resource Kit).
image from google images
- Schema partition - Defines the rules for creating and modifying every object in the forest. Replicated to all domain controllers in the forest, it is known as an enterprise partition.
- Configuration partition - Describes the forest directory structure: trees, domains, domain trust relationships and sites (groups of TCP/IP subnets). Replicated to all domain controllers in the forest, it is known as an enterprise partition.
- Domain partition - Holds complete information about all domain objects (objects that are part of the domain, including OUs, groups, users and others). Replicated only to domain controllers in the same domain. Partial domain directory partition - Holds a list of all objects in the directory with a partial set of attributes for each object.
What happens to the schema when we integrate a new application such as Exchange or SQL into Active Directory?
The schema gets extended when we integrate a new application into AD. In other words, the AD Schema ships with a set of predefined attributes for all objects, such as samAccountName, userAccountExpired and so on, but it does not have Exchange-specific attributes such as msExchAddressBookFlags, msExchDelegateListLink and the like.
So before we install Exchange we prepare AD using the ADprep and Forestprep commands. This introduces the new attributes into Active Directory, so every object will then have new attributes related to that specific application.
If you read the documentation for the respective application, it will describe extending the schema before installing the application. This is done by passing switches to Setup, such as:
"Setup.exe /ADprep"
"Setup.exe /Forestprep"
How is this Schema replicated?
As mentioned above, it is replicated to all DCs in the forest (that is why it is called an enterprise partition). We can trigger replication of the Schema Partition using the repadmin command:
repadmin /syncall /AeFD
How to Manage Schema?
By default there is no management console for the Schema. If you want to take a look at the Schema, you first need to register a DLL using "regsvr32 schmmgmt.dll", and then open a blank MMC from the Run prompt using the "mmc" command. In the MMC, click the File menu and select Add/Remove Snap-in. There you will find the Schema Management option; select it and click Add. Save the console as Schema Management to your Administrative Tools folder or Desktop. Now you can browse all your schema attributes and classes. Do not alter or change anything in the Schema, as that may corrupt Active Directory.
What is Schema Master?
The Schema Master is one of the FSMO roles. It is a forest-level role and it maintains all the schema information across the forest. To take a look, open the previously saved MMC, right-click Active Directory Schema and select Operations Master.
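An added example, not from the original post, that ties the pieces above together in PowerShell: it reads the three partition names from RootDSE, checks whether an application has extended the schema by looking up an attribute definition (msExchAddressBookFlags from the Exchange discussion above), lists recently created attribute definitions, and reports the Schema Master. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access; Test-SchemaAttribute and the 30-day window are choices made for this example.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) on a domain-joined machine with read access to the directory.
Import-Module ActiveDirectory

# RootDSE advertises the naming contexts, i.e. the partitions of NTDS.DIT
# that this domain controller hosts.
$rootDse = Get-ADRootDSE
[pscustomobject]@{
    DomainPartition        = $rootDse.defaultNamingContext
    ConfigurationPartition = $rootDse.configurationNamingContext
    SchemaPartition        = $rootDse.schemaNamingContext
} | Format-List

# Every attribute is defined by an attributeSchema object in the schema
# partition. An application that extends the schema (Exchange, for example)
# adds its own definitions, so a lookup by lDAPDisplayName shows whether that
# extension has already been applied. Test-SchemaAttribute is a helper
# written for this example.
function Test-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter $filter
    return [bool]$attr
}

# sAMAccountName is built in; msExchAddressBookFlags only exists once the
# Exchange schema extension has run.
foreach ($name in 'sAMAccountName', 'msExchAddressBookFlags') {
    '{0,-24} defined in schema: {1}' -f $name, (Test-SchemaAttribute $name)
}

# Schema changes replicate forest-wide and definitions cannot be deleted
# (only deactivated), so it is worth knowing when new ones appear.
# List attribute definitions created in the last 30 days (window chosen
# for this example).
$since = (Get-Date).AddDays(-30)
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(objectClass=attributeSchema)' `
    -Properties lDAPDisplayName, whenCreated |
    Where-Object { $_.whenCreated -gt $since } |
    Sort-Object whenCreated |
    Format-Table lDAPDisplayName, whenCreated -AutoSize

# The Schema Master is recorded on the schema partition head itself:
# fSMORoleOwner holds the DN of the NTDS Settings object of the holding DC.
# Get-ADForest resolves the same role to a host name.
$schemaHead = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties fSMORoleOwner
'fSMORoleOwner : {0}' -f $schemaHead.fSMORoleOwner
'Schema Master : {0}' -f (Get-ADForest).SchemaMaster
```

Run it read-only from an administrative workstation; it queries the schema partition but writes nothing, so it is safe to use as a periodic check that no unexpected schema extension has landed.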
The Schema is the backbone of Active Directory; it holds all objects and their attribute information. It is called an enterprise partition because its information is replicated to all domains in the forest. The Schema contains very important information about each and every object in Active Directory, and messing with it corrupts the entire Active Directory.
I hope this is informative for you.
Mail me to firstname.lastname@example.org if you have any queries...