The main purpose of the Active Directory (AD) schema is to simply define objects that can be stored in AD. The schema is a list of definitions that determines what kind of objects and the type of information about those objects that can be stored in the AD database. The schema itself is also managed as an object so it can be administered and manipulated.
The schema is defined by two types of objects: classes and attributes. These classes and attributes are stored separately within the schema. When referring to these objects collectively, we simply refer to them as schema objects or metadata (data about data).
Classes describe the AD objects that can be created, such as users, computers, groups, etc… The class functions as a template for creating these new objects. The class itself does not contain any information about a particular user when that user is created; think of it as the template from which the object is built.
Classes are made up of attributes. These attributes are used to define the class. For example, the User class is comprised of many attributes such as displayName, sAMAccountName, and department, just to name a few.
Attributes define the class object that they are associated with. Attributes are defined only once in the schema and can belong to more than one class. Take the example of the description attribute. This attribute is defined in the User class, Computer class, etc… Defining the attribute in the schema only once maintains consistency.
Attributes also enforce the type of information that is accepted for the particular attribute. Take the example of the lastLogon attribute that you find in the User class. If you attempted to write text into this attribute for a particular user, the system would reject it.
In addition, a set of basic schema classes and attributes are included with Active Directory. If you are an experienced administrator or developer, it is possible for you to access and extend the schema by defining new classes and attributes. If you wanted to store additional information about users, you would extend the schema for the User class, if the attribute does not already exist.
Extending the schema should be done with caution, as new objects cannot be deleted from the schema. They can only be disabled. While extending the schema is rarely done manually, it is very common to extend the schema when upgrading to a new version of Active Directory, or installing other Microsoft applications such as Exchange.
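The points above (a class as a template built from attributes, one attribute definition shared by many classes, syntax enforcement on lastLogon, and schema objects being disabled rather than deleted) can all be verified read-only from a domain-joined machine. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module is installed and the session can reach a domain controller, and it makes no changes to the schema.

```powershell
# Added example (not part of the original article): read-only inspection of the AD schema
# using the .NET ActiveDirectorySchema API plus the ActiveDirectory module.
# Assumes a domain-joined session with RSAT installed; nothing here modifies the schema.
$schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()

# 1. The User class as a template: list the attributes it can carry. GetAllProperties()
#    includes attributes inherited from parent classes (organizationalPerson, person, top)
#    and from auxiliary classes, which is where some of these are actually declared.
$userClass = $schema.FindClass('user')
$userClass.GetAllProperties() |
    Where-Object { $_.Name -in 'displayName', 'sAMAccountName', 'department' } |
    Select-Object Name, Syntax, IsSingleValued

# 2. Syntax enforcement: lastLogon is defined with a 64-bit integer syntax (Int64),
#    which is why a text value written to it is rejected by the directory.
$lastLogon = $schema.FindProperty('lastLogon')
"{0}: syntax={1} single-valued={2} oid={3}" -f `
    $lastLogon.Name, $lastLogon.Syntax, $lastLogon.IsSingleValued, $lastLogon.Oid

# 3. One definition, many classes: enumerate every class whose attribute set includes
#    the single description attribute definition.
$schema.FindAllClasses() |
    Where-Object { $_.GetAllProperties().Name -contains 'description' } |
    Select-Object -ExpandProperty Name

# 4. Schema objects are never deleted, only disabled: list anything marked isDefunct
#    in the schema naming context (expect an empty result on an unextended forest).
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(isDefunct=TRUE)' `
    -Properties lDAPDisplayName, isDefunct |
    Select-Object lDAPDisplayName, ObjectClass
```

Step 3 walks every class in the schema and can take a few seconds in a large forest; the other steps are single lookups. Running step 4 before and after an application installs a schema extension is a simple way to record what was added and whether anything was later disabled rather than removed.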