Module 4: Designing a Schema Policy


Contents

Overview
Identifying Business Needs
Schema Fundamentals
Implications of Modifying the Schema
Planning for Schema Modification
Lab A: Modifying the Schema
Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows NT, Active Directory, BackOffice, PowerPoint, Visual Basic, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead: Andy Sweet (S&T OnSite)
Instructional Designers: Andy Sweet (S&T OnSite), Ravi Acharya (NIIT), Sid Benavente, Richard Rose, Kathleen Norton
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Lorrin Smith-Bates (Volt), Megan Camp (Independent Contractor)
Technical Contributors: Angie Fultz, Lyle Curry, Brian Komar (3947018 Manitoba, Inc.), Jim Clark (Infotec Commercial Systems), Bill Wade (Excell Data Corporation), David Stern, Steve Tate, Greg Bulette (Independent Contractor), Kathleen Cole (S&T OnSite)
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert (Wasser)
Copy Editor: Patti Neff (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Compact Disc and Lab Testing: Testing Testing 123
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart

Instructor Notes

This module discusses modifications to the Microsoft® Windows® 2000 Active Directory™ directory service schema. You should emphasize to students that schema modification, while one of the most powerful features of Active Directory, has a significant impact on the entire network. Focus on the need to understand the implications of schema modification and the need to develop a network-wide policy to manage schema modification.

At the end of this module, the student will be able to:
• Identify organizational needs that require schema modification.
• Describe schema components and fundamentals of schema modification.
• Describe the implications that result from modifying the schema.
• Design policies for governing schema modifications.

Lab A, Modifying the Schema, is a hands-on lab in which students will use the Active Directory Schema snap-in to create a new object class with appropriate attributes. Students will modify an existing object class by adding a new attribute and modifying the behavior of an existing attribute. The students will then verify their changes.

Materials and Preparation

This section provides you with the materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the Microsoft PowerPoint® file win1561b_04.ppt.

Preparation Tasks

To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Read the following topic located in the Distributed Systems Guide in the Microsoft Windows 2000 Server Resource Kit:
  • Active Directory Schema

Presentation: 60 Minutes
Lab: 30 Minutes

Instructor Setup for a Lab

This section provides setup instructions required to prepare the instructor computer or classroom configuration for a lab. Ensure that the schema is in write mode. No other setup is needed for this lab.

Make sure that the students are aware that when they modify the schema by creating a new schema class object or a new schema attribute object, they will not be able to use the class or attribute in the default Active Directory management tools. In order to use a new class or attribute the interface itself must be modified. You can utilize new objects and attributes by using scripts. For more information on modifying the interface and using scripts, see the Active Directory Programmer’s Guide (http://msdn.microsoft.com/library/psdk/adsi/glns2(1)_5kit.htm).

Module Strategy

Use the following strategy to present this module:
• Identifying Business Needs
  Describe the business situations that require changing the schema, and offer guidelines for deciding when changes are necessary.
• Schema Fundamentals
  Explain strategies for designing a schema policy, including determining when, how, and by whom a schema change can be performed. Describe the basic components of a schema and explain how the schema can be modified. Explain how object identifiers are obtained and extended in the schema. Finally, explain how to deactivate classes and attributes in the schema.
• Implications of Modifying the Schema
  Explain how modifying the schema can affect other objects in Active Directory, replication, and network performance.
• Planning for Schema Modification
  This topic identifies considerations for planning schema modification. Explain the situations when a schema modification will be required. Also explain how other factors, such as using directory enabled applications or using software such as Exchange 2000, can affect your schema modification plan. Finally explain the considerations for testing the schema and how to develop a schema modification policy.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module includes a script to be run at the beginning and end of the lab, creating and returning the computer to the default configuration for the course. As a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Overview

• Identifying Business Needs
• Schema Fundamentals
• Implications of Modifying the Schema
• Planning for Schema Modification

The Microsoft® Windows® 2000 Active Directory™ directory service schema contains the definitions of all objects, such as computers, users, and printers, that are stored in Active Directory. The definitions contained within the schema define the classes of objects a directory may contain, and the types of attributes each object may or must have.

Schema modification includes adding or changing object class or attribute definitions to fit the needs of your network. This is a powerful feature of Active Directory that can also have a significant impact on the entire network. You need a carefully designed policy for modifying the schema that includes controlling when and how you implement schema modifications.

At the end of this module, you will be able to:
• Identify business needs that require schema modification.
• Describe the schema components and the fundamentals of schema modification.
• Explain how modifying the schema impacts Active Directory.
• Create a management policy to control schema modification.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to plan for schema modification when designing an Active Directory infrastructure.

Identifying Business Needs

Primary Reasons for Schema Modification:
• Enabling Schema to Address Business Needs
• Installing Directory-Enabled Applications

Because the default Active Directory schema in Windows 2000 contains hundreds of classes and attributes, the need to change the schema is rare. However, modification may be necessary when an organization’s business needs are not addressed by the preexisting definitions in the schema. For example, an organization may require Active Directory to track a unique user attribute, such as Cost Center, not included in the schema. In this case the schema can be modified intentionally to include the new attribute.
Organizations may also plan to use directory-enabled applications. These applications may modify the schema as they are installed so that the applications can fully interact with the directory.

Because a schema change impacts the entire forest, try to avoid unnecessary schema modification. Always identify the importance of the business need, and also determine if the need can be satisfied in a way that does not require schema modification.

Slide Objective: To describe the primary business needs that require schema modification.
Lead-in: While the Active Directory Schema contains many preset classes and attributes, changes to the schema may be necessary.
Key Points: Students should carefully consider the business needs of the organization and the capabilities of the schema before planning any modifications.
Delivery Tip: Ask the students for examples of information an organization may want to include in Active Directory.

Schema Fundamentals

• Schema Components
• Modifying the Schema
• Obtaining and Extending Object Identifiers
• Deactivating Schema Components

The Active Directory schema consists of different objects, or components, that control the classes and attributes maintained by Active Directory. Modifying these components changes the definitions of the objects in Active Directory and directly affects how Active Directory operates.

Active Directory schema can be changed in several different ways. You can add or modify components within the schema, but you cannot delete unused components. Unused schema components can only be deactivated.

Slide Objective: To introduce the basic components of the schema, and how the schema can be modified.
Lead-in: Modifying the schema means making changes to the schema components.
Key Points: Schema components can be added, modified, or deactivated, but never deleted.
Schema Components

Slide: Schema Components
• Class-Schema Objects. Examples: Users, Computers
• Some possible User Class Attributes: accountExpires, badPasswordTime, mail, name
• Attribute Definition includes: Object Name, Object Identifier, Syntax, Optional Range Limits
• Class Definition includes: Object Name, Object Identifier, “May Contain” Attributes, “Must Contain” Attributes
• List of Attributes: accountExpires, badPasswordTime, mail, cAConnect, dhcpType, eFSPolicy, fromServer, governsID, Name, …
• Attribute-Schema Objects. Examples: Servers

The schema contains two types of components: class-schema objects that define a class, and attribute-schema objects that define an attribute. These two types of objects are defined separately from each other. Schema modification involves changing the schema components.

Modifying the schema components should not be confused with modifying or creating objects in Active Directory. When you create a new user in Active Directory, you create an object, or instance, of the class User. Modifying the schema involves creating or modifying the class or attribute definitions themselves.

Slide Objective: To describe the components of the Active Directory schema.
Lead-in: When you modify the schema, you make changes to the definitions of schema components.
Key Point: Creating new objects and supplying values for their attributes is a routine administrative task. Modifying the schema to create new classes or class attributes is not routine.
Delivery Tip: Point out that attributes in the schema frequently do not map to the same name in the user interface. Start Active Directory Schema and display the attributes of the User class.

Class-Schema Objects

Classes are definitions for sets of objects that share a set of characteristics, or attributes. For example, Users is a class in Active Directory. Every user created has certain attributes in common with other users, such as a first and last name. Although the value of each user is different, they each possess a first and last name.

Each class in Active Directory has a class-schema object corresponding to it in the schema. The class-schema object is made up of attribute-schema objects. The class-schema object specifies which attributes can or may be used in objects created in this class, and defines the following constraints:
• Must-Contains. A list of mandatory attributes that must be present on any object that is an instance of this class.
• May-Contains. A list of optional attributes that can be found on an object that is an instance of this class.
• Hierarchy rules. A rule that determines the possible parents in the directory tree of an object that is an instance of the class. For example, a user cannot have a server as a parent object.

An object is only allowed to have an attribute that belongs to either the must-contain or the may-contain list of the class.

Attribute-Schema Objects

Attributes are used to define objects. A sample attribute for an object of the User class might be the user’s last name. Each user object will have this attribute, but each will hold a different value that is specific to the user. Every attribute has a corresponding attribute-schema object. The attribute-schema object specifies various properties of an attribute, such as the syntax that should be used in it and whether or not it may have multiple values.
An attribute-schema object must be defined before it can be added to a class. An attribute-schema object will have the same properties no matter where it is applied, although the value for each property will differ.

Syntax Rules

Syntax rules state that attributes can hold specific types of information, such as an integer or a date-formatted value. For example, when you create a user object, the syntax rule would be that only numeric values are acceptable for the attribute Telephone-Number.

Note: Active Directory defines a set of attribute syntax for specifying the type of data contained by an attribute. The predefined syntax does not actually appear in the directory, and you cannot add new syntax.

Modifying the Schema

• Schema Modification Occurs When You:
  • Use the Active Directory Schema to create, modify, or deactivate classes or attributes
  • Write scripts to automate schema modification
  • Install software applications that add classes or attributes
• To Control Membership of Schema Admins Group:
  • Control Membership of Local Admins, Domain Admins, and Enterprise Admins Groups

You can modify the schema by:
• Using the Active Directory Schema snap-in. Members of the Schema Admins group can use the Active Directory Schema snap-in in the Microsoft Management Console (MMC) to manage the schema by creating, modifying, and deactivating classes and attributes.
• Scripting. You can write a script with Active Directory Service Interfaces (ADSI) that will create, modify, or deactivate classes and attributes. Use this method when you want to automate schema modifications. Scripting also requires you to review the script before running it, which reduces the chance of typographical errors that could cause unwanted schema modifications. For sample scripts, see the Windows 2000 Server Resource Kit Distributed Systems Guide.
• Installing software applications. Software applications that add classes or attributes during the application installation process are referred to as directory-enabled applications.

Controlling Access to the Schema Admins Group

Membership of the Schema Admins group should be carefully monitored, because its members are the only users authorized to change the schema. However, members of the Local Admins, Domain Admins, and Enterprise Admins groups in the forest root domain have the authority to change the membership of the Schema Admins group. Because these groups control membership of the Schema Admins group, they should also be carefully monitored. Membership of these groups can be restricted by using Group Policy.

Slide Objective: To explain the methods by which the schema can be modified.
Lead-in: Before you can modify the schema, you must know how and when schema modification can occur.
Key Point: Tell the students that modifying the schema by using Active Directory Schema in MMC increases the risk of making typographical errors, while scripting requires the user to review the proposed changes before they are made.

Note [...]... to deactivate classes and attributes • Classes and attributes are never actually removed from the schema Key Points The schema objects that are preloaded with Active Directory cannot be deactivated Only objects that have been added after installation can be deactivated Classes and Attributes Are Not Deleted, but Deactivated • Lead-in Classes and Attributes Can Be Reactivated Classes or attributes are...

objects You can only deactivate objects that have been added to the schema after schema installation • You cannot deactivate attributes that are in use by a Class Schema object, or any objects of that class with values in that attribute • When a class or attribute is deactivated, it is no longer replicated throughout the network or to the global catalog server • Deactivating a class does not deactivate existing...
that the schema modifications have successfully taken place, and then the traditional application installation proceeds. Anyone who has been assigned appropriate permissions can run this part of the installation. You should test any application before installing it on a network, but testing is especially important for applications that will modify the schema. Anticipating...

Lead-in: A schema modification policy will ensure that you make only appropriate changes to your schema.
• Initiating Schema Modifications
• Testing Schema Modifications
• Performing Schema Modifications
(Slide graphic: Schema Modification Committee)
Always thoroughly plan and prepare before making schema modifications. Inconsistencies in the schema can cause significant problems that impair or...

never actually removed from the schema, but are deactivated. This feature prevents irreversible mistakes, because classes and attributes can be reactivated. You can deactivate and reactivate a class or attribute by using the Properties dialog box for that object in the Active Directory Schema. When planning to deactivate a class or attribute, consider the following:
• You cannot deactivate default schema. ..

replicate to each global catalog again. This can cause significant network traffic. Because the installation of Exchange 2000 tags attributes for replication to the global catalog, it will also have the same impact on Active Directory. For organizations planning to deploy Active Directory and install Exchange 2000 servers at a future date, it is best to import the Exchange-specific schema changes as soon as...
Company-Vehicles

If replication failure occurs, Active Directory automatically replicates the schema from the schema operations master, and the schema cache is immediately updated on the target domain controller. Active Directory then replicates any object that failed to the target domain controller. As a result, the Company-Vehicles class is added into the target domain controller’s...

The Department attribute
10. Add Manager as an additional optional attribute.
  a. On the Attributes tab of the traineryourservername Properties dialog box, click Add.
  b. In the Select Schema Object dialog box, in the Select Schema Object box, click manager, and then click OK.
  Notice that both department and manager are now listed as Optional attributes. Mandatory attributes can only be defined for a class when...

Directory and are often determined by whether the classes or attributes are part of the default schema or have been added after the original installation
• The set of valid attribute syntax that is recognized by the directory service is also hard-coded and cannot be changed
• The list of mandatory attributes cannot be modified after a class has been created
Note: For more information about what can and cannot...

modifications are applied to a production environment
• Attributes and classes added to your schema can only be deactivated, never deleted

Developing a Schema Modification Policy

Slide Objective: To describe how to develop a schema modification policy
• Creating an Experienced Committee Responsible for Schema Modification
• Establishing Modification Guidelines
Lead-in A . class, or create an auxiliary class
Create auxiliary class
Deactivate existing class or attribute
. that have been added after installation can be deactivated.

Implications of Modifying the Schema

Schema Modification
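The section "Controlling Access to the Schema Admins Group" calls for monitoring Schema Admins together with the groups that can change its membership. The PowerShell below is an added example, not part of the original courseware: it compares observed membership of those groups against an approved baseline and reports drift in either direction. The function name Compare-PrivilegedGroupBaseline, the account names and the baseline contents are constructed for illustration, and treating "Local Admins" as the built-in Administrators group is an assumption.

```powershell
# Added example (not from the courseware): detect drift in the groups that can
# change the schema, directly or by changing Schema Admins membership.

function Compare-PrivilegedGroupBaseline {
    [CmdletBinding()]
    param(
        # Group name -> approved member account names
        [Parameter(Mandatory)] [hashtable] $Baseline,
        # Group name -> member account names observed now
        [Parameter(Mandatory)] [hashtable] $Current
    )

    # Check every group named in either table, so a group missing from the
    # baseline is still reported instead of being silently skipped.
    $groups = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique

    foreach ($group in $groups) {
        # Normalise to arrays and drop nulls so an empty group compares cleanly.
        $approved = @($Baseline[$group] | Where-Object { $_ })
        $observed = @($Current[$group]  | Where-Object { $_ })

        foreach ($member in $observed) {
            if ($member -notin $approved) {
                [pscustomobject]@{ Group = $group; Member = $member; Finding = 'NotInBaseline' }
            }
        }
        foreach ($member in $approved) {
            if ($member -notin $observed) {
                [pscustomobject]@{ Group = $group; Member = $member; Finding = 'MissingFromGroup' }
            }
        }
    }
}

# Constructed sample data. 'Administrators' stands in for the page's
# "Local Admins" group (assumption).
$baseline = @{
    'Schema Admins'     = @()                       # sample policy: no standing members
    'Enterprise Admins' = @('ea-alice')
    'Domain Admins'     = @('da-bob', 'da-carol')
    'Administrators'    = @('Administrator')
}
$current = @{
    'Schema Admins'     = @('svc-appinstall')       # added for an install, never removed
    'Enterprise Admins' = @('ea-alice')
    'Domain Admins'     = @('da-bob', 'helpdesk-dave')
    'Administrators'    = @('Administrator')
}

# On a host with the RSAT ActiveDirectory module, live data for one group
# ($g) in the forest root domain can be collected with:
#   $current[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
#                    ForEach-Object SamAccountName)

Compare-PrivilegedGroupBaseline -Baseline $baseline -Current $current |
    Format-Table -AutoSize
```

Run on a schedule, any NotInBaseline row for Schema Admins or for one of the groups that control it is the event the section asks administrators to watch for.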

Date posted: 17/01/2014, 09:20
