
Active Directory Schema

The Active Directory Schema is the component that defines all of the objects and attributes used to store data. It is the blueprint for Active Directory.

Information is collected into Active Directory from various applications and services. The Active Directory Schema determines what kind of data can be stored in the directory and how it can be used.

In this article, we will discuss the Active Directory Schema, how it stores data, how objects and attributes are defined, and some common terms related to the schema.

What are the benefits of using standard schema?

Active Directory follows a standard set of rules so that it can store and replicate data from a number of sources. By following a standard, the directory service can retrieve, update and replicate data while maintaining the integrity of that data.

Each object is governed by a fixed definition that specifies which data types can be stored and the syntax of that data.

The standard schema ensures that all objects follow their standard definitions. Because of this, Active Directory can store, retrieve, and validate the data it manages, regardless of its source.

Active Directory can only store data for object definitions that already exist; if a new kind of object needs to be stored, it must first be defined in the schema.

How Does Active Directory Schema Store Data?

Active Directory uses objects as units of storage; these objects are defined in the directory schema. Each object has a unique name and set of attributes. The attributes store the data for the object.

For example, an Active Directory user object that stores user account information has many attributes, such as name, email address, phone number, city, and so on. Each attribute carries metadata about the information it stores. Together, these attributes define the characteristics of the user account object.

The directory queries the schema for object information each time the directory handles data.

How are the attributes related to each other?

Each object definition in the schema lists all of the object's attributes and how those attributes relate to one another. Some objects in the directory contain only a few attributes, while others contain hundreds.

The schema contains a definition for every object in the directory. When a new object is defined, existing smaller definitions are combined with one another to build the set of attributes the new object needs.

Many objects have attributes in common. For example, many objects share the security descriptor, which defines who is allowed to access and change their contents.

Instead of creating a new security descriptor definition for each object, the schema defines a single security descriptor object that all the other objects’ definitions refer to.

This allows for every object that needs a security descriptor to have one security descriptor while only defining one within the Active Directory Schema.

What are the different ways to extend the active directory schema?

When Active Directory is installed, it creates a default schema. Once installation is complete, the default schema replicates to the other domain controllers in the forest.

The default schema contains all the standard object definitions for Active Directory to function in a standard deployment.

If a Domain Controller needs to create a new object, it needs write access to the directory. The Domain Controller must also have access to the object definition required to create the new object.

Every Domain Controller in a forest maintains a copy of the schema. This design ensures that each Domain Controller has access to the object definitions.

Some applications require new objects to be created in order to function properly within the domain. For these applications, the schema must be extended to support the new objects. This process is referred to as extending the schema.

What are the risks associated with extending the Active Directory Schema?

When you extend the Active Directory schema, the change replicates to all domain controllers in the forest, which can affect network performance.

How to extend the Active Directory Schema safely?

When extending the Active Directory schema, have a procedure in place. This procedure includes backing up the directory beforehand and following the application's documentation for the extension.
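The pre-flight checks and snapshot a practitioner would run before an application's schema extension, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module is installed and that the account can read the schema naming context; the snapshot file name is a constructed placeholder.

```powershell
# Added example (not from the article): checks and a schema snapshot to take
# before running an application's schema extension.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Which DC holds the Schema Master role? Extensions must be run against it.
$schemaMaster = (Get-ADForest).SchemaMaster
Write-Host "Schema Master: $schemaMaster"

# 2. Only members of Schema Admins can write to the schema. Review the list:
#    it should normally be empty and only populated for the change window.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
Write-Host ("Schema Admins members: " + ($schemaAdmins -join ', '))

# 3. Record the current schema version; a successful extension will raise it.
$version = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
Write-Host "Schema objectVersion before extension: $version"

# 4. Snapshot every class and attribute definition so the extension can be
#    diffed afterwards. Schema objects can be deactivated (isDefunct) but never
#    deleted, so knowing exactly what was added is essential for later clean-up.
$snapshot = "schema-before-$(Get-Date -Format yyyyMMdd-HHmm).csv"   # constructed name
$props = 'lDAPDisplayName', 'attributeID', 'governsID', 'attributeSyntax', 'isDefunct'
Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(|(objectClass=classSchema)(objectClass=attributeSchema))' `
    -Properties $props |
    Select-Object (@('ObjectClass') + $props) |
    Sort-Object lDAPDisplayName |
    Export-Csv -Path $snapshot -NoTypeInformation
Write-Host "Schema definitions exported to $snapshot"

# 5. Take a system state backup of the Schema Master before the change
#    (Windows Server Backup; run on that DC):
#    wbadmin start systemstatebackup -backupTarget:E: -quiet

# After the extension, export a second CSV the same way and compare:
#    Compare-Object (Import-Csv before.csv) (Import-Csv after.csv) -Property lDAPDisplayName
# Every line marked '=>' is a class or attribute the application added.
```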

What are some common terms related to Active Directory Schema?

Below are some common terms related to the Active Directory Schema.

• Object Classes. Defines objects that can show up in the Directory and the attributes that are associated with it.

• Class Derivations. Define a method for building new object classes out of existing object classes.

• Object Attributes. The attributes that are available to be used in object definitions.

• Structure Rules. Define the tree arrangements that are possible within the directory.

• Syntax Rules. Determine the type of value an attribute is capable of storing.

• Content Rules. Define the attributes that can be associated with a given class.

• Extensible schema. Adding additional classes and attributes.

• Dynamic class assignments. Dynamically assigning specific classes to an object rather than an entire class of objects.
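The terms above, read straight out of the live schema for the built-in user class, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module and read access to the schema naming context; Get-SchemaClass is a helper defined here, not a cmdlet.

```powershell
# Added example (not from the article): walk the schema definition of 'user'
# to show class derivation, content rules, structure rules and auxiliary classes.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$props = 'lDAPDisplayName', 'subClassOf', 'auxiliaryClass', 'systemAuxiliaryClass',
         'mustContain', 'systemMustContain', 'mayContain', 'systemMayContain',
         'possSuperiors', 'systemPossSuperiors'

# Hypothetical helper: fetch one classSchema object by its LDAP display name.
function Get-SchemaClass([string]$LdapName) {
    Get-ADObject -SearchBase $schemaNC -Properties $props `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapName))"
}

# Class derivation: follow subClassOf from 'user' up to the root class 'top'.
$chain = @()
$cls = Get-SchemaClass 'user'
while ($cls) {
    $chain += $cls.lDAPDisplayName
    if ($cls.lDAPDisplayName -eq 'top') { break }
    $cls = Get-SchemaClass $cls.subClassOf
}
Write-Host ("Derivation: " + ($chain -join ' -> '))

# Content rules: the attributes each class in the chain contributes to a user.
# Null properties are filtered out so empty lists count as zero.
foreach ($name in $chain) {
    $c    = Get-SchemaClass $name
    $must = @(@($c.systemMustContain) + @($c.mustContain) | Where-Object { $_ })
    $may  = @(@($c.systemMayContain)  + @($c.mayContain)  | Where-Object { $_ })
    Write-Host ("{0}: {1} mandatory, {2} optional attributes" -f $name, $must.Count, $may.Count)
}

# Structure rules: the container classes a user object may be created under.
$user    = Get-SchemaClass 'user'
$parents = @(@($user.systemPossSuperiors) + @($user.possSuperiors) | Where-Object { $_ })
Write-Host ("Possible parents: " + ($parents -join ', '))

# Static auxiliary classes attached to 'user' in the schema definition...
$aux = @(@($user.systemAuxiliaryClass) + @($user.auxiliaryClass) | Where-Object { $_ })
Write-Host ("Auxiliary classes on the class: " + ($aux -join ', '))

# ...versus classes present on one user instance. A dynamically assigned
# auxiliary class shows up here, on that object only, not in the class above.
$one = ([adsisearcher]'(&(objectCategory=person)(objectClass=user))').FindOne()
Write-Host ("objectClass values on one user: " + ($one.Properties['objectclass'] -join ', '))
```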

I hope the above article on introduction to the Active Directory Schema is helpful to you.

The schema defines a standard definition of all object classes and the attributes that make up those object classes.

When Active Directory is installed, a default schema is included that defines many object classes, such as computers, users, groups, and domains. The schema can be extended to include objects that applications require.

You can find more topics about Active Directory tools and PowerShell basics on the ActiveDirectoryTools home page.