- Introduction
- Active Directory Trust Relationships
- Active Directory Forest and Domain Structure
- Active Directory Site Topology
- Chapter Summary
Active Directory Forest and Domain Structure
Now that you know about creating and administering trust relationships, we are ready to look at two additional aspects of forest and domain management: schema modifications and UPN suffixes.
Managing Schema Modifications
Manage an Active Directory forest and domain structure.
- Manage schema modifications.
As discussed in Chapter 1, "Concepts of Windows Server 2003 Active Directory," the schema is a set of rules that define the classes of objects and their attributes that can be created in an Active Directory forest. All domains in a forest share a common schema, which is replicated to all domain controllers in the forest. However, only the schema master contains a writable copy of the schema; all other domain controllers contain a read-only replica of the schema.
Active Directory stores information on the classes and attributes as instances of the classSchema and attributeSchema classes, respectively. The schema defines the attributes that can be held by objects of various types, the various classes that can exist, and the object class that can be a parent of the current object class. When you first install Active Directory, a default schema is created; it includes definitions for the common classes of objects, such as user, computer, and organizationalUnit. It also includes attribute definitions, such as lastName, userPrincipalName, telephoneNumber, and objectSid. Microsoft designed the schema to be extensible; in other words, you can add classes and attributes, together with their definitions, as required. In addition, you can remove classes and attributes that you no longer require, provided the forest is operating at the Windows Server 2003 functional level.
WARNING
Take Great Care in Modifying the Schema Improper modifications can cause irreparable harm to Active Directory. For this reason, Microsoft created a global group called Schema Admins, and only members of this group can perform such modifications. As a best practice to avoid unauthorized modifications, you should remove all users from this group and add a user only when it is necessary to modify the schema. In addition, it is strongly advisable to create a test forest in a lab environment and test schema modifications here before deploying them to a production forest.
Following are the characteristics of these classes:
- Active Directory uses an instance of the classSchema class to define every object class it supports. For example, the mayContain and mustContain attributes of a classSchema object list the attributes that objects of that class may and must contain.
- Active Directory uses an instance of the attributeSchema class to define every attribute it supports. For example, the attributeSyntax and isSingleValued attributes describe an attribute in much the same way that the attributes of a user object describe the user.
- Active Directory uses a well-defined Schema container as the location in the directory for the instances of the attributeSchema and classSchema classes. This container has a distinguished name (DN) of the form CN=Schema,CN=Configuration,DC=quepublishing,DC=com, where the DC components are taken from the forest root domain name (quepublishing.com in this example).
For further information on object classes, their characteristics, and a description of the key attributes of a classSchema object, see "Characteristics of Object Classes" at the following address:
For similar information for attributes, see "Characteristics of Attributes" at this address:
Installing the Schema Snap-In
You can perform schema modifications from any computer running Windows Server 2003 or Windows XP Professional by installing the Active Directory Schema snap-in on a server or installing the Windows Server 2003 Administration Tools Pack on a Windows XP Professional computer. If the computer is not the schema master, it creates a connection to the schema master when you start the snap-in.
The Active Directory Schema snap-in is not present by default when you first install Active Directory. Installing this snap-in is a two-step process: registration, followed by adding the snap-in to a console.
Follow Step by Step 3.8 to register the snap-in.
STEP BY STEP
3.8 Registering the Active Directory Schema Snap-In
1. Ensure that you are logged on as a member of the Schema Admins group.
2. Click Start, Command Prompt.
3. Type regsvr32 schmmgmt.dll.
4. A message box informs you that the registration succeeded. See Figure 3.23.
Figure 3.23 Windows informs you when you have successfully registered the Active Directory Schema snap-in.
After you have registered the Active Directory Schema snap-in, you can add this snap-in to an empty Microsoft Management Console (MMC). Follow Step by Step 3.9 to install the Active Directory Schema snap-in.
STEP BY STEP
3.9 Installing the Active Directory Schema Snap-in to a New MMC Console
1. Click Start, Run.
2. Type mmc to open an empty MMC console.
3. Click File, Add/Remove Snap-In to open the Add/Remove Snap-In dialog box (see Figure 3.24).
4. Click Add to display the Add Standalone Snap-In dialog box.
5. Select Active Directory Schema, as shown in Figure 3.25, and then click Add.
6. Click Close to return to the Add/Remove Snap-In dialog box.
7. Click OK. The Active Directory Schema snap-in is added to the MMC console (see Figure 3.26).
8. Click File, Save, and in the Save As dialog box, type a descriptive name for the console, such as Schema.msc. Then click Save.
Figure 3.24 Using the Add/Remove Snap-In dialog box, you can add a snap-in to a new or existing MMC console.
Figure 3.25 Using the Add Standalone Snap-In dialog box, you can select one or more snap-ins to add to the MMC console.
Figure 3.26 Upon completion of this procedure, you have an MMC console containing the Active Directory Schema snap-in.
The Schema snap-in is now available, and you can locate it from the Administrative Tools folder.
Using the Schema Snap-In
After you have installed the Schema snap-in, you can make any required modifications. Step by Step 3.10 shows you how to create a new attribute.
TIP
Remember the Prerequisites for Installing and Using the Schema Snap-In! First, you must be a member of the Schema Admins group. Then you must register the Active Directory Schema snap-in to make it available in the Add Standalone Snap-In dialog box.
STEP BY STEP
3.10 Creating a New Schema Attribute
1. Click Start, Administrative Tools, Schema.msc. If you installed the Schema snap-in according to Step by Step 3.9, this selection opens the Schema snap-in.
2. Expand the Active Directory Schema container in the console tree. You see two containers: Classes and Attributes.
3. Expand the Attributes container. As you can see in Figure 3.27, a long list of attributes is available.
4. Right-click Attributes and select Create Attribute. You are warned that creating schema objects in the directory is a permanent operation (see Figure 3.28).
5. Click Continue. This action displays the Create New Attribute dialog box (see Figure 3.29).
6. Enter information in the following text boxes to describe the attribute you are creating:
   - Common Name: A unique name that is related to the Lightweight Directory Access Protocol (LDAP) display name.
   - LDAP Display Name: A unique display name that programmers and system administrators use to reference the object programmatically.
   - Unique X.500 Object ID: An X.500 Object ID (OID) uniquely identifies each object class and attribute in the directory. This identifier is required.
   - Description: An optional description for the attribute.
   - Syntax: The type of information stored by this attribute, such as a case-insensitive string, distinguished name, integer, numerical string, and so on.
   - Minimum and maximum: Depending on the syntax, these can be optional string lengths, minimum and maximum integer values, and so on.
7. Click OK. The attribute is created and displayed in the attributes list. If you have difficulty finding it, click the Name header to arrange the attributes in alphabetical order.
Figure 3.27 By default, the Active Directory Schema snap-in contains a large number of attributes.
Figure 3.28 This warning message informs you that creating schema objects is a permanent operation.
Figure 3.29 You use the Create New Attribute dialog box to create attributes.
NOTE
Object Identifiers An OID is not randomly generated; standards organizations such as the International Telecommunications Union issue these identifiers to ensure that they are not duplicated. To obtain a unique OID for a class or attribute that you want to create, you should contact one of these standards organizations.
You can also create new classes by right-clicking the Classes container and choosing Create New Schema Class. The procedure is similar to that of Step by Step 3.10. After you have created new attributes and classes, you can easily add attributes to classes, as Step by Step 3.11 shows.
STEP BY STEP
3.11 Adding an Attribute to a Class
1. In the console tree of the Active Directory Schema snap-in, double-click Classes to expand it. This action displays a long list of available classes (see Figure 3.30).
2. Right-click the class to which you want to add an attribute and select Properties. This action displays the Properties dialog box for the selected class, as shown in Figure 3.31.
3. Select the Attributes tab and then click Add to display the Select Schema Object dialog box, as shown in Figure 3.32.
4. Scroll down to locate the attribute and then click OK. You return to the Attributes tab of the class's Properties dialog box, with the new attribute highlighted.
5. Click OK.
6. Close the Active Directory Schema console.
Figure 3.30 By default, the Active Directory Schema snap-in contains a large number of classes.
Figure 3.31 In the Properties dialog box for a schema class, you make all modifications to the class.
Figure 3.32 You use the Select Schema Object dialog box to select the desired attribute.
Deactivating Schema Objects
After you have added an object (class or attribute) to the schema, you cannot simply delete it. However, you can deactivate an unneeded schema object by following the procedure outlined in Step by Step 3.12.
STEP BY STEP
3.12 Deactivating a Schema Object
1. Open the Active Directory Schema snap-in.
2. In the console tree, select either Classes or Attributes, depending on the type of object you want to deactivate.
3. In the details pane, scroll to locate the class or attribute you want to deactivate, right-click it, and choose Properties.
4. Clear the check box labeled Attribute is Active. You receive a message, like the one in Figure 3.33, warning you that if you make the schema object defunct, you will be unable to make further changes to it.
5. Click Yes to deactivate the object.
Figure 3.33 You receive a warning when you attempt to deactivate a schema object.
The step-by-step procedures given here provide a small sample of the possible schema modifications. Other procedures are available to perform such tasks as creating new classes, adding values to a series of attributes, adding attribute display names, conducting searches based on the new attributes, and so on. Many of these procedures involve scripts written in Microsoft Visual Basic Scripting Edition (VBScript) and are beyond the scope of the 70-294 exam. For additional details, see the first reference in the "Suggested Readings and Resources" section at the end of this chapter. Information is also available from the Windows Server 2003 Help and Support Center.
TIP
You Can Only Deactivate, Not Delete, Improper Schema Objects The exam may present you with a scenario in which an application has created incorrect schema attributes or classes. After objects have been created in the schema, you cannot delete them except by completely reinstalling Active Directory. The proper solution to this problem is to deactivate these objects. This is also another reason to test new applications in a lab network before deploying them to the production network.
Guided Practice Exercise 3.1
Active Directory Schema Attributes and Classes
The widgets.com organization you worked with in Chapter 2 needs to store employees' Social Security numbers in their Properties dialog boxes in Active Directory Users and Computers. Although the Properties dialog box enables you to store a large number of attributes for each user, the Social Security number is not among them.
The object of this exercise is to understand how to add an attribute to the schema and associate this attribute with a schema class. After you have done this, you should be able to create a custom VB script or application that modifies a user's Properties dialog box in Active Directory Users and Computers, thereby enabling you to store employees' Social Security numbers in Active Directory. Note that the unique X.500 Object ID given here was issued to Microsoft and is suitable for the use described in this exercise.
You should try working through this problem on your own first. If you are stuck or need guidance, follow these steps and look back at the Step by Step procedures for more detailed information.
1. Working from server01.widgets.com, open Active Directory Schema.
2. Expand the console tree to locate the Classes and Attributes folders, right-click Attributes, and then select Create Attribute.
3. Click Continue to accept the warning that appears and display the Create New Attribute dialog box.
4. In the Create New Attribute dialog box, type in the information provided in the following table:

| Identifier | Enter the Following |
|---|---|
| Common Name | SocialSecurityNumber |
| LDAP Display Name | SocialSecurityNumber |
| Unique X.500 Object ID | 1.2.840.113556.1.4.7000.142 |
| Description | Employee Social Security Number |
| Syntax | Select Case Insensitive String from the drop-down list. |
| Minimum | 0 |
| Maximum | 11 |

5. Click OK to create the attribute and add it to the list in the details pane.
6. In the console tree, select Classes to display the list of classes in the details pane.
7. Scroll down to locate the user class, right-click it, and choose Properties.
8. On the Attributes tab of the user Properties dialog box, click Add to display the Select Schema Object dialog box.
9. Scroll down to select the SocialSecurityNumber attribute and then click OK. This action adds this attribute to the Optional field of the Attributes tab, as shown in Figure 3.34.
10. Click OK to exit the user Properties dialog box.
11. Use any available scripting tools to create a VB script that enables you to enter employees' Social Security numbers and display them in the Properties dialog box in Active Directory Users and Computers. This action is beyond the scope of the 70-294 exam and will not be further described here.
Figure 3.34 After you have added the new attribute, it appears in the Attributes tab of the user Properties dialog box.
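The dialog boxes in Step by Step 3.10 through 3.12 and in the exercise above are a front end for ordinary writes to attributeSchema and classSchema objects under the Schema container. The following Python script is an added example (not code from the book) that builds the equivalent ldifde-style LDIF for the exercise's SocialSecurityNumber attribute: it maps the dialog's Syntax choice to the attributeSyntax/oMSyntax pair actually stored, carries the Minimum and Maximum values into rangeLower/rangeUpper, forces a schema cache reload, adds the attribute to the Optional (mayContain) list of the user class, and shows the isDefunct write behind the Attribute is Active check box. The forest root DN DC=widgets,DC=com is an assumption, and the confidential searchFlags bit is a defensive addition of mine rather than part of the exercise; it requires Windows Server 2003 SP1 or later and keeps a sensitive value such as an SSN from being readable by every authenticated user.

```python
import re

# Snap-in "Syntax" choice -> (attributeSyntax OID, oMSyntax) as stored on the
# attributeSchema object. These are the standard Active Directory syntax pairs.
SYNTAX = {
    "Case Insensitive String": ("2.5.5.4", 20),
    "Unicode String": ("2.5.5.12", 64),
    "Integer": ("2.5.5.9", 2),
    "Distinguished Name": ("2.5.5.1", 127),
    "Numerical String": ("2.5.5.6", 18),
    "Boolean": ("2.5.5.8", 1),
}

# searchFlags bit that hides the attribute from non-privileged readers
# (confidential attributes; requires Windows Server 2003 SP1 or later).
SEARCHFLAG_CONFIDENTIAL = 0x80

OID_RE = re.compile(r"^\d+(\.\d+)+$")
LDAP_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def schema_dn(forest_root_dn):
    """Schema container DN: CN=Schema,CN=Configuration,<forest root DN>."""
    return f"CN=Schema,CN=Configuration,{forest_root_dn}"


def validate_attribute(ldap_display_name, oid, syntax, lower, upper):
    """Reject input the Create New Attribute dialog box would also refuse."""
    if not LDAP_NAME_RE.match(ldap_display_name):
        raise ValueError(f"{ldap_display_name!r} is not a valid LDAP display name")
    if not OID_RE.match(oid):
        raise ValueError(f"OID {oid!r} is not dotted decimal")
    if syntax not in SYNTAX:
        raise ValueError(f"unsupported syntax {syntax!r}")
    if lower is not None and upper is not None and lower > upper:
        raise ValueError("minimum exceeds maximum")


def attribute_ldif(forest_root_dn, common_name, ldap_display_name, oid, syntax,
                   description="", lower=None, upper=None, multi_valued=False,
                   confidential=False):
    """LDIF 'add' for a new attributeSchema instance (what the dialog box writes)."""
    validate_attribute(ldap_display_name, oid, syntax, lower, upper)
    attr_syntax, om_syntax = SYNTAX[syntax]
    lines = [
        f"dn: CN={common_name},{schema_dn(forest_root_dn)}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"cn: {common_name}",
        f"lDAPDisplayName: {ldap_display_name}",
        f"attributeID: {oid}",
        f"attributeSyntax: {attr_syntax}",
        f"oMSyntax: {om_syntax}",
        f"isSingleValued: {'FALSE' if multi_valued else 'TRUE'}",
    ]
    if description:
        lines.append(f"description: {description}")
    if lower is not None:
        lines.append(f"rangeLower: {lower}")
    if upper is not None:
        lines.append(f"rangeUpper: {upper}")
    if confidential:
        lines.append(f"searchFlags: {SEARCHFLAG_CONFIDENTIAL}")
    return "\n".join(lines) + "\n"


def schema_update_now():
    """Make the schema master reload its cache so the new attribute can be referenced."""
    return "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def add_to_class_ldif(forest_root_dn, class_cn, ldap_display_name):
    """Add the attribute to a class's Optional (mayContain) list, as in Step by Step 3.11."""
    return (f"dn: CN={class_cn},{schema_dn(forest_root_dn)}\n"
            "changetype: modify\nadd: mayContain\n"
            f"mayContain: {ldap_display_name}\n-\n")


def deactivate_ldif(forest_root_dn, common_name):
    """Equivalent of clearing 'Attribute is Active': mark the object defunct, never delete it."""
    return (f"dn: CN={common_name},{schema_dn(forest_root_dn)}\n"
            "changetype: modify\nreplace: isDefunct\nisDefunct: TRUE\n-\n")


def exercise_ldif(forest_root_dn="DC=widgets,DC=com", confidential=True):
    """Guided Practice Exercise 3.1 as one ldifde-ready script (forest root DN is assumed)."""
    return "\n".join([
        attribute_ldif(forest_root_dn, "SocialSecurityNumber", "SocialSecurityNumber",
                       "1.2.840.113556.1.4.7000.142", "Case Insensitive String",
                       "Employee Social Security Number", 0, 11,
                       confidential=confidential),
        schema_update_now(),
        add_to_class_ldif(forest_root_dn, "User", "SocialSecurityNumber"),
    ])


if __name__ == "__main__":
    print(exercise_ldif())
```

Running the script prints the three LDIF operations in the order they must be applied on the schema master: the attributeSchema add, the schemaUpdateNow reload, and the mayContain modification of CN=User. The class is referenced by its common name (User) in the DN, while mayContain refers to the attribute by its LDAP display name, which is why the dialog box asks for both names.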
Adding or Removing a UPN Suffix
As described in Chapter 1, a User Principal Name (UPN) is a logon name specified in the format of an email address, such as user1@quepublishing.com. It is a convenient means of logging on to a domain from a computer located in another domain in the forest or in a trusted forest. Two types of UPNs are available:
- Implicit UPN: This UPN is always in the form user@domain, such as mary@accounts.quepublishing.com. It is defined on the Account tab of a user's Properties dialog box in Active Directory Users and Computers.
- Explicit UPN: This UPN is in the form string1@string2, where an administrator can define values for both strings. For example, a user named Mary in the accounts.quepublishing.com domain could have an explicit UPN in the form mary@accts. Using explicit UPNs is practical when a company does not want to reveal its internal domain structure.
New to Windows Server 2003 is the concept of UPN suffix. This is the portion of the UPN to the right of the at (@) character. By default, the UPN suffix is the DNS domain name of the domain that holds the user account. You can add an additional UPN suffix to simplify administration and user logon processes. Doing so provides the following advantages:
- A common UPN suffix simplifies logon procedures for all users in the forest. This is especially true for users who have long child domain names. For example, a user with a default UPN of Karen@USA.products.quepublishing.com could be provided with a simpler UPN such as Karen@quepublishing.
- You can use the UPN suffix to hide the domain structure of the forest from users in external forests and to configure remote access servers for visitor access.
- You can use the UPN suffix in a case where a company has more than one division that operates under different company names with separate email domains (for example, quepublishing.com or examcram.com) but are all located in a single Active Directory domain. Using an additional UPN suffix, these users can log on using their email addresses.
- The UPN suffix is also used in mapping a .NET Passport account to an Active Directory user account when setting up Microsoft .NET Passport authentication on a Web site hosted by Internet Information Services (IIS) 6.0.
You can also use the UPN suffix to log on to a domain in a trusting forest, except in the following situations:
- If more than one forest uses the same UPN suffix, you can use it only to log on to a domain in the same forest.
- If you are using explicit UPNs and external trusts, you cannot log on to trusting domains in another forest. See the section "Managing Trust Relationships" earlier in this chapter for information on external trusts.
You can use the Active Directory Domains and Trusts MMC console to add or remove UPN suffixes. Follow Step by Step 3.13 to add a UPN suffix.
STEP BY STEP
3.13 Adding a UPN Suffix
1. Click Start, Administrative Tools, Active Directory Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts and choose Properties. The Active Directory Domains and Trusts Properties dialog box opens, as shown in Figure 3.35.
3. Type the name of the desired UPN suffix (for example, corporation) in the text box and click Add.
4. The name of the UPN suffix is added to the large field in this dialog box. Click OK.
Figure 3.35 You can use the Active Directory Domains and Trusts Properties dialog box to add or remove UPN suffixes.
After you have added the UPN suffix, it is available for use when you are adding a new user account (see Figure 3.36) or configuring the properties of an existing user account from the Account tab of its Properties dialog box.
Figure 3.36 After you have added a UPN suffix, you can assign this suffix to a new user from the New Object - User dialog box.
If you no longer need an added UPN suffix, you can follow a similar procedure to remove it. See Step by Step 3.14.
STEP BY STEP
3.14 Removing a UPN Suffix
1. At the top of the Active Directory Domains and Trusts snap-in, right-click Active Directory Domains and Trusts and choose Properties. The Active Directory Domains and Trusts Properties dialog box opens (refer to Figure 3.35).
2. Select the UPN suffix to be removed and click Remove.
3. You are warned that users who use this UPN suffix will no longer be able to log on with this UPN suffix (see Figure 3.37).
4. Click OK.
Figure 3.37 This message box warns you that user accounts referring to the UPN suffix will be unable to log on to the network if you delete the suffix.
If you remove a UPN suffix, you should open the Active Directory Users and Computers console, select any users whose accounts refer to the removed UPN suffix, and change the suffix in use from the Account tab of their Properties dialog box.
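Two of the rules above are easy to check before touching Active Directory Domains and Trusts: a suffix registered in more than one forest only works for logons inside the user's own forest, and removing a suffix breaks every account that still carries it. The following Python script is an added example (not code from the book) that runs both checks over a constructed inventory: a hypothetical pair of forests with their registered suffixes, and a handful of hypothetical accounts. It reports suffix collisions, warns before a new suffix is added, lists the accounts a removal would strand, and proposes the fallback for each, which is the implicit UPN built from the account's own domain DNS name. Nothing here talks to a domain controller; in production the two inventories would be read from each forest's Partitions container and from user objects.

```python
# Constructed inventory: forest name -> the UPN suffixes registered in it
# (each domain's DNS name plus any suffix added in Domains and Trusts).
FORESTS = {
    "quepublishing.com": {"quepublishing.com", "accounts.quepublishing.com",
                          "usa.products.quepublishing.com", "corporation"},
    "examcram.com": {"examcram.com", "corporation"},   # also claims "corporation"
}

# Constructed accounts: (sAMAccountName, DNS name of the account's domain, UPN).
USERS = [
    ("karen", "usa.products.quepublishing.com", "karen@corporation"),
    ("mary", "accounts.quepublishing.com", "mary@accounts.quepublishing.com"),
    ("user1", "quepublishing.com", "user1@Corporation"),   # suffix match is case-insensitive
    ("bob", "examcram.com", "bob@examcram.com"),
]


def upn_suffix(upn):
    """The suffix is everything to the right of the single '@' in a UPN."""
    if upn.count("@") != 1:
        raise ValueError(f"{upn!r} is not a well-formed UPN")
    return upn.split("@", 1)[1]


def forests_claiming(suffix, forests):
    """Sorted names of every forest that has this suffix registered."""
    return sorted(name for name, suffixes in forests.items()
                  if suffix.lower() in {s.lower() for s in suffixes})


def suffix_conflicts(forests):
    """{suffix: [forests]} for each suffix claimed by more than one forest; a
    logon with such a suffix works only inside the user's own forest."""
    seen = {}
    for suffixes in forests.values():
        for s in suffixes:
            seen.setdefault(s.lower(), forests_claiming(s, forests))
    return {s: owners for s, owners in seen.items() if len(owners) > 1}


def check_new_suffix(suffix, forest, forests):
    """Warnings to review before adding suffix to forest (empty list means safe)."""
    others = [f for f in forests_claiming(suffix, forests) if f != forest]
    if others:
        return [f"{suffix!r} is already registered in {', '.join(others)}; "
                "logons with it will only work inside the user's own forest"]
    return []


def accounts_affected_by_removal(suffix, users):
    """sAMAccountNames whose UPN stops working once suffix is removed."""
    return sorted(sam for sam, _domain, upn in users
                  if upn_suffix(upn).lower() == suffix.lower())


def plan_removal(suffix, users):
    """Replacement UPN per affected account, falling back to the implicit
    suffix: the DNS name of the domain that holds the account."""
    affected = set(accounts_affected_by_removal(suffix, users))
    return {sam: f"{sam}@{domain}" for sam, domain, _upn in users if sam in affected}


if __name__ == "__main__":
    print("conflicting suffixes:", suffix_conflicts(FORESTS))
    print("warnings for adding 'corporation' to quepublishing.com:",
          check_new_suffix("corporation", "quepublishing.com", FORESTS))
    print("accounts stranded by removing 'corporation':",
          accounts_affected_by_removal("corporation", USERS))
    print("proposed fix-up:", plan_removal("corporation", USERS))
```

Run the removal check before clicking Remove in Step by Step 3.14, not after: the warning in Figure 3.37 tells you that affected accounts exist but not which ones, whereas the list above is what you take to the Account tab of each user.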
Understanding the Directory Forest and Domain Structure
Following are points you should remember about the directory forest and domain structure:
- All domains in the Active Directory forest share a common schema. Although it is replicated to all domain controllers in the forest, only the schema operations master contains a writable copy of the schema.
- The schema contains classes of objects and a series of attributes that can be held by objects of various types. It also defines the various classes that can exist and the attributes that can be defined for each specific object.
- Because improper schema modifications can cause irreparable damage to Active Directory, the following conditions must be met before you can modify the schema: You must be a member of the Schema Admins group, and you must register the Active Directory Schema snap-in before you can install it.
- A UPN suffix is the portion of the UPN to the right of the at (@) character. You can add an additional UPN suffix to simplify logon procedures for all users in the forest and hide the domain structure of the forest.