Chapter 4. Active Directory Schema

The schema is the blueprint for data storage in Active Directory. Each object in Active Directory is an instance of a class in the schema. A user object, for example, exists as an instance of the user class. Attributes define the pieces of information that a class, and thus an instance of that class, can hold. Syntaxes define the type of data that can be placed into an attribute. As an example, if an attribute is defined with a syntax of Boolean, it can store True or False as its value, or it can be null. A null value has an implementation-specific meaning; it could mean True or False depending on the application using the value.

Active Directory contains many attributes and classes in the default schema, some of which are based on standards and some of which Microsoft needed for its own use. Each release of Active Directory since Windows 2000 has included updates to the default schema. For background information on schema versions, see the sidebar “Schema Versions,” next. However, the Active Directory schema was designed to be extensible, so that administrators could add classes or attributes they deemed necessary. In fact, extending the schema is not a difficult task; it is often more difficult to design the changes that you would like to incorporate. Schema design issues are covered in Chapter 14, and in Chapter 26, we cover how to extend the schema programmatically. In this chapter, we’re concerned only with the fundamentals of the schema.

Table 4-1. Active Directory default schema versions
Structure of the Schema

The Schema Container is located in Active Directory under the Configuration Container. For example, the distinguished name of the Schema Container in the http://mycorp.com forest would be

Note: The Active Directory Schema MMC snap-in is not fully enabled by default. In order to enable the schema management snap-in on a domain controller, you must first register the DLL on which it depends. To do that, run this command:

The schema itself is made up of two types of Active Directory objects: classes and attributes. In Active Directory, these are known respectively as

Whenever you need to create new types of objects in Active Directory, you must first create a

Before we delve into what makes up an Active Directory class or attribute, we need to explain how each class that you create is unique not just within your Active Directory but also throughout the world.

X.500 and the OID Namespace

Active Directory is based on LDAP, which was originally based on the X.500 standard created by the ISO (International Organization for Standardization) and ITU (International Telecommunication Union) organizations in 1988. To properly understand how the Active Directory schema works, you really need to understand some of the basics of X.500; we’ll run through them next.

The X.500 standard specifies that individual object classes in an organization can be uniquely defined using a special identifying process. The process has to be able to take into account the fact that classes can inherit from one another, as well as the potential need for any organization in the world to define and export a class of their own design. To that end, the X.500 standard defined an Object Identifier (OID) to uniquely identify every schema object. This OID is composed of two parts:
OID notation uses integers for each branch and object, as in the following example OID for an object:

1.3.6.1.4.1.3385.12.497

This uniquely references object 497 in branch 1.3.6.1.4.1.3385.12. The 1.3.6.1.4.1.3385.12 branch is contained in a branch whose OID is 1.3.6.1.4.1.3385, and so on.

Note: Each branch within an OID number also corresponds to a name. This means that the dotted notation 1.3.6.1.4.1, for example, is equivalent to iso.org.dod.internet.private.enterprise. As the names are of no relevance to us with Active Directory, we don’t cover them in this book.

This notation continues today and is used in the Active Directory schema. If you wish to create a schema object, you need to obtain a unique OID branch for your organization. Using this as your root, you can then create further branches and leaf nodes within the root, as your organization requires. The Internet Assigned Numbers Authority (IANA) maintains the main set of root branches and defines itself as “the central coordinator for the assignment of unique parameter values for Internet protocols.” The IANA says of its mission:
You can find the IANA web page at http://www.iana.org. You can request an OID namespace—i.e., a root OID number from which you can create your own branches—directly from the IANA if you like. These numbers are known as Enterprise Numbers. The entire list of Enterprise Numbers assigned by the IANA can be found at http://www.iana.org/assignments/enterprise-numbers. This list of numbers is updated every time a new one is added. At the top of the file, you can see that the root that the IANA uses is 1.3.6.1.4.1. If you look down the list, you will see that Microsoft has been allocated branch 311 of that part of the tree, so Microsoft’s OID namespace is 1.3.6.1.4.1.311. Leicester University’s OID namespace is 1.3.6.1.4.1.3385. As each number also has a contact email address alongside it in the list, you can search through the file for any member of your organization that has already been allocated a number. It is likely that large organizations that already have an X.500 directory or that have developed SNMP MIBs will have obtained an OID.

Note: In addition to Enterprise Numbers, country-specific OIDs can be purchased as well. An organization’s Enterprise Number registration has no bearing on whether it has obtained a country-based OID namespace to use. If you don’t see the company listed in the Enterprise Numbers list, don’t be fooled; the organization could still have a number. For example, Microsoft has been issued the Enterprise Number 1.3.6.1.4.1.311, yet all of its new schema classes use a U.S.-issued OID namespace of 1.2.840.113556 as their root. The 1.2.840 part is uniquely allotted to the United States. In other words, Microsoft has obtained two OID namespaces that it can use but is choosing to use only the U.S.-issued namespace.

If you want to obtain an Enterprise Number, fill in the online form at http://pen.iana.org/pen/PenApplication.page. If this URL changes, you can navigate to it from the main IANA web page.
Microsoft used to issue unique OID namespaces to customers on request; however, they no longer do this. Instead, Microsoft provides a script that will generate a statistically unique OID branch each time it is run. This script is available from http://go.microsoft.com/fwlink/?LinkId=100725.

Note: Using a unique prefix for schema extensions may not seem important at first glance. The benefit of unique prefixes comes into play if a company finds out another company is also using the same prefix. This can become extremely problematic if the other company is an application vendor. For example, say that MyCorp Financial Services is prefixing their schema extensions with the “mycorp” prefix. MyCorp Financial has extended their schema with two new attributes:

In this scenario, MyCorp Financial Services would be in a very bad position. MyCorp Financial’s only option would be changing all previous uses of their attributes so that the names could be reused by the application. If MyCorp Financial did not rename their attributes, they would not be able to use the application that they purchased.

Once an organization has an OID namespace, it can add unique branches and leaves in any manner desired under the root. For example, Leicester University could decide to have no branches underneath and just give any new object an incrementing integer starting from 1 underneath the 1.3.6.1.4.1.3385 root. Alternatively, they could decide to make a series of numbered branches starting from 1, each corresponding to a certain set of classes or attributes that they wish to create. Thus, the fifth object under the third branch would have an OID of 1.3.6.1.4.1.3385.3.5.

Warning: The range of values in any part of an OID namespace for the Active Directory schema goes from 1 to 268,435,455, i.e., from 2^0 through 2^28 – 1. This limitation has caused issues with schema extensions for some companies in Australia.
Australia has the OID 1.2.36, and according to the Australia Standards document MP-75, companies may use their Australian Company Number (excluding leading zeros) to formulate their OID without needing to request an OID. Unfortunately, the ACN is nine digits, so it could easily exceed the limitation listed above. This has been filed as a bug, and Microsoft is aware of the issue.

To reinforce this point, let’s look at a couple of examples directly from the Active Directory schema. If you open the Active Directory Schema snap-in, you can look at the schema class OIDs very easily. Navigating through the classes, when we open the property page for the

Figure 4-1. printQueue Schema class properties

Figure 4-2 shows the property page for the

Note: The OID numbering notation has nothing to do with inheritance. Numbering a set of objects a certain way does nothing other than create a structure for you to reference the objects; it does not indicate how objects inherit from one another.

Let’s dissect an example attribute and class to see what they contain. With that information, you will be able to see what is required when you create a new schema object.

Figure 4-2. organizationalPerson Schema class properties

Attributes (attributeSchema Objects)

Just as class information is stored in Active Directory as instances of the class called

Dissecting an Example Active Directory Attribute

The

Note: Active Directory does not enforce uniqueness of a UPN when it is set. If two different users in the same forest are assigned the same UPN, neither will be able to log on using the UPN. When duplicate UPNs are detected, domain controllers will log an event from source Key Distribution Center (KDC) with event ID 11. Many large organizations implement scripts or other tools to scan their directories on a regular basis to check for duplicate UPNs.

To dissect the attribute, we need to find out what values have been set for it. Table 4-2 shows a subset of the values of attributes that have been set for the

Table 4-2. userPrincipalName’s attributes
We can see that the name of the attribute is The
In Figure 4-3, you can see many of the values for the UPN attribute. We have indicated which attributes are changed by checking or unchecking each checkbox.

Attribute Properties

There are several properties on attributes that have a significant and varied impact on attribute use and functionality. Here we give a little more detailed information on a few of these attributes that you need to understand when modifying the schema.

Figure 4-3. The UPN attribute as viewed by the Active Directory Schema snap-in

Attribute Syntax

The syntax of an attribute represents the kind of data it can hold; people with a programming background are probably more familiar with the term “data type.” Unlike attributes and classes, the supported syntaxes are not represented as objects in Active Directory. Instead, Microsoft has coded these syntaxes internally into Active Directory itself. Consequently, any new attributes you create in the schema must use one of the predefined syntaxes. Whenever you create a new attribute, you must specify its syntax. To uniquely identify the syntax among the total set of 21 syntaxes, you must specify two pieces of information: the OID of the syntax and a so-called OM syntax. This pair of values must be set together and must correlate correctly with Table 4-3. It may seem strange that more than one syntax shares the same OID; this is the result of Microsoft requiring some syntaxes that X.500 did not provide, so a second identifier is needed to distinguish between them. Table 4-3 shows the 21 expanded syntaxes, including the name of the syntax with alternate names following in parentheses.

Table 4-3. Syntax definitions
Most of these are standard programming types. If you’re not sure which syntax to use, take a look at a preexisting attribute and see if you can find an appropriate syntax for the attribute you wish to create. For example, the

System Flags

The

Table 4-4. System flag values for class and attributes objects
Constructed attributes

Most attributes are directly stored in the Active Directory database. Constructed attributes are the exception, and they are handled by the directory service in order to offer special functionality. This functionality can range from telling you approximately how many objects are contained directly under a container type object
Category 1 objects

Category 1 objects are a subset of the attributes and classes that come with AD LDS or Active Directory. They are marked with a special bit flag so that Microsoft can track and protect them from certain types of modifications.

Schema FlagsEx

The

Table 4-5. schemaFlagsEx values
Search Flags

The

Table 4-6. Search flag bits
Indexed attributes

Attribute indexing is available to boost performance of queries. When an attribute is indexed, the values are placed in a special table in a sorted order so that a query using the attribute can be completed by looking at a subset of all the information in the directory. The type of index created can be modified by additional bit flags configured in the
While indexing attributes can very frequently improve the performance of LDAP queries, it is important to realize that indexes also consume disk space. Adding an index to an attribute that is populated across a large percentage of directory objects may consume a substantial amount of disk space. Domain controller performance will also be impacted while indexes are being generated. Index data is not replicated, so every domain controller in the forest must build its own copy of an index when it detects that a new attribute index must be created. The speed at which an index is created depends on how much data must be indexed and on the hardware the domain controller is running on.

Ambiguous Name Resolution

Ambiguous Name Resolution (ANR) is used for address book look-ups. It allows a single small query to be expanded into searching as many fields as the administrator would like searched, so that users can enter a single piece of information and hopefully find all possible “hits” on the value they are interested in. When an ANR query such as

(|
  (displayName=brian*)
  (givenName=brian*)
  (legacyExchangeDN=brian*)
  (msDS-AdditionalSamAccountName=brian*)
  (msDS-PhoneticCompanyName=brian*)
  (msDS-PhoneticDepartment=brian*)
  (msDS-PhoneticDisplayName=brian*)
  (msDS-PhoneticFirstName=brian*)
  (msDS-PhoneticLastName=brian*)
  (physicalDeliveryOfficeName=brian*)
  (proxyAddresses=brian*)
  (name=brian*)
  (sAMAccountName=brian*)
  (sn=brian*)
)

A Windows Server 2008 Active Directory domain with Exchange Server 2007 SP1 installed would expand the query to:

(|
  (displayName=brian*)
  (givenName=brian*)
  (legacyExchangeDN=brian*)
  (msDS-AdditionalSamAccountName=brian*)
  (msDS-PhoneticCompanyName=brian*)
  (msDS-PhoneticDepartment=brian*)
  (msDS-PhoneticDisplayName=brian*)
  (msDS-PhoneticFirstName=brian*)
  (msDS-PhoneticLastName=brian*)
  (physicalDeliveryOfficeName=brian*)
  (proxyAddresses=brian*)
  (name=brian*)
  (sAMAccountName=brian*)
  (sn=brian*)
  (mail=brian*)
  (mailNickname=brian*)
  (msExchResourceSearchProperties=brian*)
)

As you can see, a very simple query can quickly be expanded into a very large query. For this reason, you should avoid adding additional ANR attributes.

Preserve attribute in tombstone

When a delete request is processed for an object, the object is not immediately deleted. Instead, the object is stripped of most of its attributes and moved to the Deleted Objects container of the partition the object exists in. Deleted objects that have been moved to the Deleted Objects containers are referred to as tombstones. Tombstones remain in the Deleted Objects container for the length of the tombstone period. The default tombstone periods or lifetimes for new forests are documented in Table 4-7. Tombstoning an object allows the delete operation to replicate to all domain controllers holding a copy of the object. The process of undeleting an object in Active Directory is known as tombstone reanimation.
Note: Administrators can modify the tombstone lifetime for a forest by changing the

The attributes that are retained when an object is tombstoned are configured through a combination of the

Unfortunately, not all attributes can successfully be added to the tombstone when the proper

While some attributes won’t survive the tombstone regardless of what you set, some attributes will survive the tombstone but will not survive the reanimation process. The attribute

Unfortunately, Microsoft has not documented what can and cannot survive a tombstone and subsequent reanimation. So make sure you test any attributes you have configured to be retained to make sure they can actually be reanimated. You don’t want to find yourself in a situation where you discover that an attribute didn’t survive reanimation when it comes time to reanimate an object.

Table 4-7. Tombstone lifetime values for new forests
Tuple index

When you create an index, it is optimized for direct look-ups and, if the attribute syntax supports it, trailing wildcards—e.g.,

A tuple index is considered an expensive index, and it will increase the Active Directory database (ntds.dit) size more than a “normal” index. In addition, new attribute insertion performance will be impacted slightly. This performance hit will not be noticeable for single attribute insertions, but if you are updating a large number of attributes at once, the performance hit may be more noticeable.

Confidential

A new bit for the

The confidential attribute capability was added as a workaround to issues that exist in the current security model in Active Directory. Unfortunately, there are a large number of explicit read property grant permissions on objects in Active Directory that are terribly difficult to override. This new flag allows you to step in despite all the default grant permissions and quickly deny access to an attribute. This new function was welcomed with open arms in the Active Directory community until administrators started to realize that Microsoft purposely crippled the functionality by not allowing you to set Category 1 attributes as confidential. Category 1 attributes are many of the attributes defined in the default AD schema, and that list of attributes contains many of the attributes you probably want to make confidential, such as telephone numbers, addresses, employee IDs, and so on. It seems the intent is simply to give AD administrators a way to better secure custom attributes they have added to the directory with schema extensions. This limitation drastically reduces the usefulness of this capability for companies that stick to the default schema.

Note: As mentioned, modification of

This new capability is almost wholly underwhelming for AD LDS. The default security descriptors on all AD LDS base schema objects are configured with no explicit Access Control Entries (ACEs). The result is very few explicit read property grant permissions on objects when they are instantiated, which means you can more easily secure attributes with inherited deny permissions and will not need to depend on the confidential attribute functionality.

Next, we need to discuss the tools that Microsoft has made available starting with Windows Server 2003 Service Pack 1 to handle managing access to confidential attributes. The answer is easy: none. In order to grant a trustee the ability to view a specific confidential attribute on an object, a grant ACE with control access permission for the specific attribute needs to be added to the ACL of the object. For more information on modifying the ACL of an object, see Chapter 13. The GUI tools available for assigning permissions not only do not have the ability to assign this type of permission, but they can’t even display the permission if something else grants it. The command-line tool dsacls.exe is only marginally better; it can display the permission, but cannot grant the permission. The best that the GUI and dsacls.exe tool can do is assign either full control to the object or ALL control access rights to the object, but neither of these is optimal if you prefer to give the minimum rights necessary to get the job done. In Windows Server 2003 SP1, the only way to set granular permissions to view a specific confidential attribute is to write a custom program or script to handle the delegation.

Note: Beginning with Windows Server 2003 R2, there is a GUI tool to handle this delegation. The new version of LDP that is loaded in the %windir%\adam directory when you install R2 ADAM has a new ACL editor. This updated version of LDP is also available in the free download of ADAM SP1. The version of LDP that is installed with Windows Server 2008 also includes this functionality. If you need to modify this delegation, we recommend you use one of the updated versions of the LDP tool.
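The search flag bits described in this section (index, ANR, preserve on tombstone, tuple index, confidential) interact with each other and with the attribute's systemFlags (Category 1, constructed) and schemaFlagsEx (critical) in ways that a schema change review should catch before the update is applied. The Python below is an added example, not code from the book: it decodes the three bit masks of an attributeSchema object using the documented bit values and reports the combinations the text warns about, including the never-audit and RODC-filtered bits covered later in the chapter. The `AttributeSchema` class and the sample attributes are constructed for the example; nothing here talks to a directory, so it can be run against values exported from any schema.

```python
from __future__ import annotations

from dataclasses import dataclass

# searchFlags bits (documented values for the attributeSchema searchFlags attribute)
SEARCH_FLAGS = {
    0x001: "INDEX",               # fATTINDEX: ordinary index on the attribute
    0x002: "CONTAINER_INDEX",     # fPDNTATTINDEX: index scoped per container
    0x004: "ANR",                 # fANR: included in Ambiguous Name Resolution
    0x008: "PRESERVE_ON_DELETE",  # fPRESERVEONDELETE: keep the value on the tombstone
    0x010: "COPY_ON_DUPLICATE",   # fCOPY: copied when an administrator duplicates a user
    0x020: "TUPLE_INDEX",         # fTUPLEINDEX: medial-wildcard (*abc*) index
    0x040: "SUBTREE_INDEX",       # fSUBTREEATTINDEX: VLV / subtree index
    0x080: "CONFIDENTIAL",        # fCONFIDENTIAL: read needs an explicit control access right
    0x100: "NEVER_VALUE_AUDIT",   # fNEVERVALUEAUDIT: no Directory Service Changes events
    0x200: "RODC_FILTERED",       # fRODCFilteredAttribute: in the RODC filtered attribute set
}
# systemFlags bits that matter for attributeSchema objects
SYSTEM_FLAGS = {
    0x01: "NOT_REPLICATED",
    0x02: "REQ_PARTIAL_SET_MEMBER",  # always in the global catalog partial attribute set
    0x04: "CONSTRUCTED",             # computed by the directory service, not stored
    0x08: "OPERATIONAL",
    0x10: "SCHEMA_BASE_OBJECT",      # Category 1: shipped by Microsoft and protected
    0x20: "ATTR_IS_RDN",
}
# schemaFlagsEx: bit 1 marks attributes that may not be placed in the RODC filtered set
SCHEMA_FLAGS_EX = {0x1: "ATTR_IS_CRITICAL"}


def decode(mask: int, table: dict[int, str]) -> list[str]:
    """Names of the set bits, lowest bit first; bits not in the table are ignored."""
    return [name for bit, name in sorted(table.items()) if mask & bit]


@dataclass
class AttributeSchema:
    """Constructed stand-in for the three bit-mask values of an attributeSchema object."""
    ldap_display_name: str
    search_flags: int = 0
    system_flags: int = 0
    schema_flags_ex: int = 0


def review(attr: AttributeSchema) -> list[str]:
    """Findings a schema reviewer would raise before the change reaches production."""
    sf = set(decode(attr.search_flags, SEARCH_FLAGS))
    sysf = set(decode(attr.system_flags, SYSTEM_FLAGS))
    exf = set(decode(attr.schema_flags_ex, SCHEMA_FLAGS_EX))
    findings = []
    if "CONSTRUCTED" in sysf and sf & {"INDEX", "CONTAINER_INDEX", "TUPLE_INDEX", "SUBTREE_INDEX"}:
        findings.append("constructed attributes are not stored and cannot be indexed")
    if "ANR" in sf and "INDEX" not in sf:
        findings.append("ANR requires INDEX as well")
    if "ANR" in sf:
        findings.append("ANR: every (anr=...) lookup now fans out to this attribute; keep the ANR set small")
    if "TUPLE_INDEX" in sf:
        findings.append("TUPLE_INDEX: expensive; larger ntds.dit and slower bulk inserts")
    if "CONFIDENTIAL" in sf and "SCHEMA_BASE_OBJECT" in sysf:
        findings.append("CONFIDENTIAL cannot be set on a Category 1 attribute; the update will be rejected")
    if "RODC_FILTERED" in sf and "ATTR_IS_CRITICAL" in exf:
        findings.append("RODC_FILTERED cannot be set on a critical attribute")
    if "PRESERVE_ON_DELETE" in sf:
        findings.append("PRESERVE_ON_DELETE: test that the value survives both tombstoning and reanimation")
    if "NEVER_VALUE_AUDIT" in sf:
        findings.append("NEVER_VALUE_AUDIT: changes will not appear in Directory Service Changes auditing")
    return findings


# Constructed samples (names and values invented for the example, not real schema entries)
SAMPLES = [
    AttributeSchema("mycorp-EmployeeSecret", search_flags=0x080),                  # custom + confidential: fine
    AttributeSchema("sampleBaseAttr", search_flags=0x084, system_flags=0x10),      # Category 1 + confidential, ANR without index
    AttributeSchema("sampleCounter", search_flags=0x001, system_flags=0x04),       # constructed but indexed
    AttributeSchema("mycorp-Token", search_flags=0x200, schema_flags_ex=0x1),      # critical but RODC-filtered
]

if __name__ == "__main__":
    for attr in SAMPLES:
        print(attr.ldap_display_name, decode(attr.search_flags, SEARCH_FLAGS))
        for finding in review(attr):
            print("  -", finding)
```

The `decode` helper is the piece worth reusing on its own: an LDAP search of the schema partition for `(objectClass=attributeSchema)` returning `searchFlags`, `systemFlags` and `schemaFlagsEx` gives exactly the integers it expects, so the same review can be run across the whole schema to inventory which attributes are ANR members, confidential, or excluded from auditing.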
Attribute change auditing

The Windows Server 2008 auditing infrastructure has been substantially updated compared to its predecessors. In Windows 2000 Server and Windows Server 2003, there was a single domain-wide directory service auditing setting called Audit Directory Service Access. When this setting was enabled, all directory services auditing events were enabled. In a busy environment, the consequence of this was a substantial amount of security audit traffic in the event logs, to the point that it could easily become unmanageable and thus impractical to have enabled. Windows Server 2008 domain controllers separate directory services auditing into four subcategories:
Of particular interest to us right now is the Directory Service Changes subcategory. We will discuss the new auditing infrastructure in much more detail in Chapter 13. By default, all attribute changes will continue to be audited as required by the System ACL (SACL). In order to control noise, however, you can set bit 9 on an attribute’s

Filtered attribute set

The filtered attribute set is part of the overall new Read-Only Domain Controller (RODC) functionality in Windows Server 2008 Active Directory. RODCs can be configured to not replicate certain attributes in the Active Directory schema. There is an in-depth discussion of the RODC in Chapter 7; however, we will discuss RODCs briefly in the context of the filtered attribute set here.

RODCs were designed with the mentality that the server that they are running on is compromised by default. Consequently, there are some attributes that we might not wish to have stored on an RODC, as they could contain sensitive information. Examples might be schema extensions that contain application-specific secrets, confidential data such as Social Security numbers, and so forth. You can apply the process illustrated in the sidebar “Controlling Attribute Change Auditing” to control whether or not attributes are included in the filtered attribute set. Instead of toggling bit

Warning: You cannot include attributes that are defined as critical in the

Property Sets and attributeSecurityGUID

Property sets are described in our Chapter 13 discussion on Active Directory security. We mention them here because the creation, modification, and identification of property sets involve the schema partition. Part of the information for a property set is maintained in the configuration container in the
The property sets are defined in the

Linked Attributes

Microsoft allows distinguished name attributes with

Attributes are linked by setting the

You can use any random

In order to auto-generate link ID pairs, there are four steps you must follow:
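The forward link / back link relationship is easiest to see in working code. The Python below is an added example, not code from the book: it checks a proposed link ID pair against the documented rule (the forward link gets an even linkID, the back link gets the next odd number, and neither may already be in use), and a small in-memory directory shows why only the forward link is stored while the back link is computed from the other side. The member/memberOf (2/3) and manager/directReports (42/43) values are the real ones; the `mycorp-Mentor`/`mycorp-Mentees` pair and the directory contents are constructed.

```python
from __future__ import annotations

from collections import defaultdict

# linkID pairs: forward link even, back link = forward + 1. The first two pairs are the
# real member/memberOf and manager/directReports values; the third is a constructed
# extension used only in this example.
LINK_IDS = {
    "member": 2, "memberOf": 3,
    "manager": 42, "directReports": 43,
    "mycorp-Mentor": 2000, "mycorp-Mentees": 2001,
}


def check_link_pair(forward_id: int, back_id: int, existing: dict[str, int] = LINK_IDS) -> list[str]:
    """Rules a new forward/back pair must satisfy before it goes into the schema."""
    problems = []
    if forward_id % 2 != 0:
        problems.append(f"forward linkID {forward_id} must be even")
    if back_id != forward_id + 1:
        problems.append(f"back linkID {back_id} must be forward + 1 = {forward_id + 1}")
    taken = set(existing.values())
    for lid in (forward_id, back_id):
        if lid in taken:
            problems.append(f"linkID {lid} is already in use")
    return problems


def back_links(link_ids: dict[str, int] = LINK_IDS) -> dict[str, str]:
    """Map each back-link attribute name to its forward-link attribute name."""
    by_id = {lid: name for name, lid in link_ids.items()}
    return {name: by_id[lid - 1] for name, lid in link_ids.items() if lid % 2 == 1}


class ToyDirectory:
    """Only forward links are stored; a back-link read is computed on the fly, which is
    why back links need no storage and cannot be set directly (constructed model)."""

    def __init__(self, link_ids: dict[str, int] = LINK_IDS) -> None:
        self._back = back_links(link_ids)
        self._forward: dict[tuple[str, str], set[str]] = defaultdict(set)

    def set_values(self, dn: str, attr: str, targets: set[str]) -> None:
        if attr in self._back:
            raise ValueError(f"{attr} is a back link; set {self._back[attr]} on the other object instead")
        self._forward[(dn, attr)] = set(targets)

    def get_values(self, dn: str, attr: str) -> set[str]:
        if attr not in self._back:
            return set(self._forward.get((dn, attr), set()))
        forward_attr = self._back[attr]
        # every object whose forward link points at dn appears in dn's back link
        return {src for (src, a), targets in self._forward.items() if a == forward_attr and dn in targets}


if __name__ == "__main__":
    d = ToyDirectory()
    d.set_values("cn=admins", "member", {"cn=alice", "cn=bob"})
    d.set_values("cn=alice", "manager", {"cn=carol"})
    print(d.get_values("cn=alice", "memberOf"))        # {'cn=admins'}
    print(d.get_values("cn=carol", "directReports"))   # {'cn=alice'}
    print(check_link_pair(2003, 2005))                 # odd forward id, back id not forward + 1
```

The model also explains a behaviour that surprises people restoring objects: because the back link is derived, reanimating a group does not by itself restore the memberOf values of its former members unless the group's forward-link member values survive the tombstone.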
Classes (classSchema Objects)

Schema classes are defined as instances of the

Object Class Category and Inheritance

Classes are special in that they can inherit from one another. For example, let’s say that we wanted to store two new types of objects in the schema, representing a marketing user and a finance user, respectively. These users both need all the attributes of the existing

Figure 4-4. Marketing and Finance subclasses

Note: You have another option when using Windows Server 2003 Forest Functional Mode or ADAM to resolve this issue. First, define the additional attributes and then create two auxiliary classes and assign the attributes to the classes. Then you can dynamically assign the auxiliary classes to users on an ad hoc basis. This is far more flexible in that you can easily reconfigure individual users as necessary. If a user moves from Marketing to Finance, using special inherited classes would require deleting the user and recreating the user with the finance-user class. With dynamic auxiliary classes, you would simply clear the marketing attributes, remove the Marketing auxiliary class, and add the Finance auxiliary class and attributes.

You can think of the Active Directory schema as a treelike structure, with multiple classes branching down or inheriting from one base class at the top that has the attributes all objects need to begin with. This class, unsurprisingly enough, is called

Structural

If a class is structural, you can directly create objects of its type in Active Directory. The user and group classes are examples of structural classes.

Abstract

It is possible that you would want to create a class that inherits from other classes and has certain attributes, but that is not one you will ever need to create instances of directly. This type of class is known as abstract. Abstract classes can inherit from other classes and can have attributes defined on them directly. The only difference between abstract and structural classes is that an object that is an instance of an abstract class cannot be created in Active Directory. If you are familiar with an object-oriented programming language, abstract schema classes in Active Directory are analogous to abstract classes in the programming language.

Auxiliary

An auxiliary class is used to store sets of attributes that other classes can inherit. Auxiliary classes are a way for structural and abstract classes to inherit collections of attributes that do not have to be defined directly within the classes themselves. Auxiliary classes are primarily a grouping mechanism. The X.500 specifications indicate that an auxiliary class cannot inherit from a structural class, and an abstract class can inherit only from another abstract class.

Note: To comply with the X.500 standards, there are actually four types of

Let’s take a look at the

The

If you were to use a tool such as ADSI Edit, you could see the inheritance and class relationships quite clearly. For example, looking at the

Figure 4-5. The computer class

Dissecting an Example Active Directory Class

Let’s now look at the

Table 4-8. Partial listing of attributes and values for the user class
You can learn the following about the user class by inspecting these attribute values:
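Reading Table 4-8 by hand is one thing; resolving what an object of the class may actually hold means walking the subClassOf chain and every auxiliary class attached along the way, which is what the sections that follow on mustContain, mayContain, auxiliaryClass and dynamically linked auxiliary classes describe. The Python below is an added example, not code from the book: it models a constructed subset of the class tree (top, person, organizationalPerson, user, with securityPrincipal as an auxiliary class), computes the effective must- and may-contain sets, enforces the two X.500 inheritance rules quoted above (an auxiliary class may not inherit from a structural class; an abstract class may inherit only from an abstract class), and shows that dynamically linking an auxiliary class is nothing more than adding its name to the object's objectClass values. The attribute lists are illustrative, not complete, and the `mycorp-MarketingUser` class is a hypothetical extension in the spirit of Figure 4-4.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# objectClassCategory values used in the schema
CLASS_88, STRUCTURAL, ABSTRACT, AUXILIARY = 0, 1, 2, 3


@dataclass
class SchemaClass:
    name: str
    category: int
    sub_class_of: str | None = None                      # None models the top of the tree
    must: list[str] = field(default_factory=list)        # mustContain / systemMustContain
    may: list[str] = field(default_factory=list)         # mayContain / systemMayContain
    auxiliary: list[str] = field(default_factory=list)   # auxiliaryClass / systemAuxiliaryClass


# Constructed subset of the real class tree; attribute lists are illustrative only.
SCHEMA: dict[str, SchemaClass] = {c.name: c for c in [
    SchemaClass("top", ABSTRACT, None,
                must=["objectClass", "objectCategory", "instanceType", "nTSecurityDescriptor"],
                may=["description", "displayName"]),
    SchemaClass("person", ABSTRACT, "top", must=["cn"], may=["sn", "telephoneNumber"]),
    SchemaClass("organizationalPerson", ABSTRACT, "person", may=["givenName", "title", "department"]),
    SchemaClass("securityPrincipal", AUXILIARY, "top", must=["sAMAccountName", "objectSid"]),
    SchemaClass("user", STRUCTURAL, "organizationalPerson",
                may=["userPrincipalName", "profilePath"], auxiliary=["securityPrincipal"]),
    # hypothetical extension: a Marketing auxiliary class carrying one custom attribute
    SchemaClass("mycorp-MarketingUser", AUXILIARY, "top", may=["mycorp-CampaignCode"]),
]}


def effective_attributes(name: str, schema: dict[str, SchemaClass] = SCHEMA) -> tuple[set[str], set[str]]:
    """Walk subClassOf up to the root and pull in every auxiliary class on the way."""
    must: set[str] = set()
    may: set[str] = set()
    current: str | None = name
    while current is not None:
        cls = schema[current]
        must.update(cls.must)
        may.update(cls.may)
        for aux in cls.auxiliary:                      # auxiliary classes inherit too
            aux_must, aux_may = effective_attributes(aux, schema)
            must.update(aux_must)
            may.update(aux_may)
        current = cls.sub_class_of
    return must, may


def inheritance_violations(cls: SchemaClass, schema: dict[str, SchemaClass] = SCHEMA) -> list[str]:
    """The X.500 rules quoted in the text, checked against the parent's category."""
    if cls.sub_class_of is None:
        return []
    parent = schema[cls.sub_class_of]
    problems = []
    if cls.category == AUXILIARY and parent.category == STRUCTURAL:
        problems.append(f"auxiliary {cls.name} inherits from structural {parent.name}")
    if cls.category == ABSTRACT and parent.category != ABSTRACT:
        problems.append(f"abstract {cls.name} inherits from non-abstract {parent.name}")
    return problems


def link_auxiliary(object_classes: list[str], aux: str, schema: dict[str, SchemaClass] = SCHEMA) -> list[str]:
    """Dynamic linking: the auxiliary class name is added to the object's objectClass
    values; the schema itself is untouched."""
    if schema[aux].category != AUXILIARY:
        raise ValueError(f"{aux} is not an auxiliary class")
    return list(object_classes) if aux in object_classes else object_classes + [aux]


def object_may_contain(object_classes: list[str], schema: dict[str, SchemaClass] = SCHEMA) -> set[str]:
    """Optional attributes an instance may hold, given all of its objectClass values."""
    may: set[str] = set()
    for name in object_classes:
        may |= effective_attributes(name, schema)[1]
    return may


if __name__ == "__main__":
    must, may = effective_attributes("user")
    print("user must contain:", sorted(must))
    oc = ["top", "person", "organizationalPerson", "user"]
    oc = link_auxiliary(oc, "mycorp-MarketingUser")
    print("after dynamic link:", oc, "mycorp-CampaignCode" in object_may_contain(oc))
```

Note what the must-contain set does not tell you: as the warning below explains, several of those attributes (objectSid, nTSecurityDescriptor, instanceType) are system-owned or auto-populated, so the set of attributes a creator must supply cannot be derived from mustContain alone.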
How inheritance affects mustContain, mayContain, possSuperiors, and auxiliaryClass

Let’s look at the

Exchange is discussed in more detail in Chapter 19. The attributes that are required when you create a new user are not listed in the

Warning: Do not mistake the attributes that a class must contain with the attributes that you must explicitly set on object instantiation. Unfortunately, there is no effective way to programmatically determine what attributes you need to set on an object when you create an instance of the class. Some of the attributes that an object must contain are system-owned and can only be set by the system; other attributes are optional and will be populated automatically; and finally, some attributes are actually required to be specified by the object’s creator. To confuse the situation even more, various versions of the OS or AD LDS change the requirements.

The same principle applies to the

The

Viewing the user class with the Active Directory Schema snap-in

Take a look at Figure 4-6. This shows the

Figure 4-6. User class schema entry general settings

Figure 4-7. User class schema entry relationship settings

Notice that quite a bit of the user class is not configurable after the initial configuration, including:
To see the so-called relationship settings (

The third and final screen is the Attributes tab for the

Dynamically Linked Auxiliary Classes

With Windows 2000, auxiliary classes were statically linked to structural classes via the

Figure 4-8. User class schema entry attribute settings

Warning: Dynamic linking of auxiliary classes requires Windows Server 2003 Forest Functional Level or higher.

To dynamically link an auxiliary class to an object, you only need to modify the

Now let’s illustrate why dynamically linking auxiliary classes is a good idea. Assume we have a forest with several domains, each representing divisions within a company. Each division manages its own user objects. One of the divisions, named Toasters, wants to assign additional attributes to their user objects. These new attributes would only apply to employees within the Toasters division. Under Windows 2000, the only way to accomplish this would be to create the new attributes in the schema, create a new auxiliary class, and include the new attributes in the auxiliary class. At that point, the new auxiliary class could be added to the

Warning: When you dynamically link an auxiliary class to an object, the auxiliary class is listed in the

Summary

In this chapter, we’ve shown you how the internal blueprint for all objects in Active Directory, known as the schema, was derived from the X.500 directory service. We explained the purpose of the OID numbering system and how it can be used, as well as the various elements that must be unique in an Active Directory schema extension, such as prefix names and link IDs. We then detailed how an attribute and its
syntax are structured in the schema as

Chapter 14 builds on what you’ve learned here to demonstrate how you can design and implement schema extensions.