Home > Articles

This chapter is from the book

Active Directory Forest and Domain Structure

Now that you know about creating and administering trust relationships, we are ready to look at two additional aspects of forest and domain management: schema modifications and UPN suffixes.

Managing Schema Modifications

Manage an Active Directory forest and domain structure.

  • Manage schema modifications.

As discussed in Chapter 1, "Concepts of Windows Server 2003 Active Directory," the schema is a set of rules that define the classes of objects and their attributes that can be created in an Active Directory forest. All domains in a forest share a common schema, which is replicated to all domain controllers in the forest. However, only the schema master contains a writable copy of the schema; all other domain controllers contain a read-only replica of the schema.

Active Directory stores information on the classes and attributes as instances of the classSchema and attributeSchema classes, respectively. The schema defines the attributes that can be held by objects of various types, the various classes that can exist, and the object class that can be a parent of the current object class. When you first install Active Directory, a default schema is created; it includes definitions for the common classes of objects, such as user, computer, and organizationalUnit. It also includes attribute definitions, such as lastName, userPrincipalName, telephoneNumber, and objectSid. Microsoft designed the schema to be extensible; in other words, you can add classes and attributes, together with their definitions, as required. In addition, you can remove classes and attributes that you no longer require, provided the forest is operating at the Windows Server 2003 functional level.

WARNING

Take Great Care in Modifying the Schema Improper modifications can cause irreparable harm to Active Directory. For this reason, Microsoft created a global group called Schema Admins, and only members of this group can perform such modifications. As a best practice to avoid unauthorized modifications, you should remove all users from this group and add a user only when it is necessary to modify the schema. In addition, it is strongly advisable to create a test forest in a lab environment and test schema modifications here before deploying them to a production forest.

Following are the characteristics of these classes:

  • Active Directory uses an instance of the classSchema class to define every object class supported. For example, the mayContain and mustContain attributes describe attributes that an object class may and must contain.

  • You can use instances of the attributeSchema class to define every attribute that Active Directory supports. For example, the attributeSyntax and isSingleValued attributes describe an attribute in a similar manner to the way in which attributes of a user object describe the user.

  • Active Directory uses a well-defined Schema container as a location in the directory to store the instances of the attributeSchema and classSchema classes. This container has a distinguished name (DN) of the form CN=Schema, CN=Configuration,DC=quepublishing,DC=Com, where the DC items refer to the forest root domain name, using quepublishing.com as an example.

For further information on object classes, their characteristics, and a description of the key attributes of a classSchema object, see "Characteristics of Object Classes" at the following address:

For similar information for attributes, see "Characteristics of Attributes" at this address:

Installing the Schema Snap-In

You can perform schema modifications from any computer running Windows Server 2003 or Windows XP Professional by installing the Active Directory Schema snap-in on a server or installing the Windows Server 2003 Administration Tools Pack on a Windows XP Professional computer. If the computer is not the schema master, it creates a connection to the schema master when you start the snap-in.

The Active Directory schema snap-in is not present by default when you first install Active Directory. Installation of this snap-in is a two-step process: registration and snap-in installation.

Follow Step by Step 3.8 to register the snap-in.

STEP BY STEP

3.8 Registering the Active Directory Schema Snap-In

  1. Ensure that you are logged on as a member of the Schema Admins group.

  2. Click Start, Command Prompt.

  3. Type regsvr32 schmmgmt.dll.

  4. A message box informs you that the registration succeeded. See Figure 3.23.

Figure 3.23Figure 3.23 Windows informs you when you have successfully registered the Active Directory Schema snap-in.

After you have registered the Active Directory Schema snap-in, you can add this snap-in to an empty Microsoft Management Console (MMC). Follow Step by Step 3.9 to install the Active Directory Schema snap-in.

STEP BY STEP

3.9 Installing the Active Directory Schema Snap-in to a New MMC Console

  1. Click Start, Run.

  2. Type mmc to open an empty MMC console.

  3. Click File, Add/Remove Snap-In to open the Add/Remove Snap-In dialog box (see Figure 3.24).

  4. Figure 3.24Figure 3.24 Using the Add/Remove Snap-In dialog box, you can add a snap-in to a new or existing MMC console.

  5. Click Add to display the Add Standalone Snap-In dialog box.

  6. Select Active Directory Schema, as shown in Figure 3.25, and then click Add.

  7. Figure 3.25Figure 3.25 Using the Add Standalone Snap-In dialog box, you can select one or more snap-ins to add to the MMC console.

  8. Click Close to return to the Add/Remove Snap-In dialog box.

  9. Click OK. The Active Directory Schema snap-in is added to the MMC console (see Figure 3.26).

  10. Figure 3.26Figure 3.26 Upon completion of this procedure, you have an MMC console containing the Active Directory Schema snap-in.

  11. Click File, Save, and on the Save As dialog box, type a descriptive name for the console, such as Schema.msc. Then click Save.

The Schema snap-in is now available, and you can locate it from the Administrative Tools folder.

Using the Schema Snap-In

After you have installed the Schema snap-in, you can make any required modifications. Step by Step 3.10 shows you how to create a new attribute.

TIP

Remember the Prerequisites for Installing and Using the Schema Snap-In! First, you must be a member of the Schema Admins group. Then you must register the Active Directory Schema snap-in to make it available in the Add Standalone Snap-In dialog box.

STEP BY STEP

3.10 Creating a New Schema Attribute

  1. Click Start, Administrative Tools, Schema.msc. If you installed the Schema snap-in according to Step by Step 3.9, this selection opens the Schema snap-in.

  2. Expand the Active Directory Schema container in the console tree. You see two containers: Classes and Attributes.

  3. Expand the Attributes container. As you can see in Figure 3.27, a long list of attributes is available.

  4. Figure 3.27Figure 3.27 By default, the Active Directory Schema snap-in contains a large number of attributes.

  5. Right-click Attributes and select Create Attribute. You are warned that creating schema objects in the directory is a permanent operation (see Figure 3.28).

  6. Figure 3.28Figure 3.28 This warning message informs you that creating schema objects is a permanent operation.

  7. Click Continue. This action displays the Create New Attribute dialog box (see Figure 3.29).

  8. Figure 3.29Figure 3.29 You use the Create New Attribute dialog box to create attributes.

  9. Enter information in the following text boxes to describe the attribute you are creating:

    • Common Name A unique name that is related to the Lightweight Directory Access Protocol (LDAP) display name.

    • LDAP Display Name A unique display name that programmers and system administrators can use to programmatically reference the object.

    • Unique X.500 Object ID A unique X.500 Object ID (OID) is a unique identifier associated with all object classes or attributes in the directory. This identifier is required.

    • Description An optional description for the attribute.

    • Syntax Type of information stored by this attribute, such as a case-insensitive string, distinguished name, integer, numerical string, and so on.

    • Minimum and maximum Depending on the syntax, can be an optional string length, minimum and maximum values of integers, and so on.

  10. Click OK. The attribute is created and displayed in the attributes list. If you have difficulty finding it, click the Name header to arrange the attributes in alphabetical order.

NOTE

Object Identifiers An OID is not randomly generated; standards organizations such as the International Telecommunications Union issue these identifiers to ensure that they are not duplicated. To obtain a unique OID for a class or attribute that you want to create, you should contact one of these standards organizations.

You can also create new classes by right-clicking the Classes container and choosing Create New Schema Class. The procedure is similar to that of Step by Step 3.10. After you have created new attributes and classes, you can easily add attributes to classes, as Step by Step 3.11 shows.

STEP BY STEP

3.11 Adding an Attribute to a Class

  1. In the console tree of the Active Directory Schema snap-in, double-click Classes to expand it. This action displays a long list of available classes (see Figure 3.30).

  2. Figure 3.30Figure 3.30 By default, the Active Directory Schema snap-in contains a large number of classes.

  3. Right-click the class to which you want to add an attribute and select Properties. This action displays the Properties dialog box for the selected class, as shown in Figure 3.31.

  4. Figure 3.31Figure 3.31 In the Properties dialog box for a schema class, you make all modifications to the class.

  5. Select the Attributes tab and then click Add to display the Select Schema Object dialog box, as shown in Figure 3.32.

  6. Figure 3.32Figure 3.32 You use the Select Schema Object dialog box to select the desired attribute.

  7. Scroll down to locate the attribute and then click OK. You return to the Attributes tab of the user Properties dialog box, with the new attribute highlighted.

  8. Click OK.

  9. Close the Active Directory Schema console.

Deactivating Schema Objects

After you have added an object (class or attribute) to the schema, you cannot simply delete it. However, you can deactivate an un-needed schema object by following the procedure outlined in Step by Step 3.12.

STEP BY STEP

3.12 Deactivating a Schema Object

  1. Open the Active Directory Schema snap-in.

  2. In the console tree, select either Classes or Attributes, depending on the type of object you want to deactivate.

  3. In the details pane, scroll to locate the class or attribute you want to deactivate, right-click it, and choose Properties.

  4. Clear the check box labeled Attribute is Active. You receive a message, like the one in Figure 3.33, warning you that if you make the schema object defunct, you will be unable to make further changes to it.

  5. Click Yes to deactivate the object.

Figure 3.33Figure 3.33 You receive a warning when you attempt to deactivate a schema object.

The step-by-step procedures given here provide you with a small example of the possible schema modifications. Other procedures are available to perform such tasks as creating new classes, adding values to a series of attributes, adding attribute display names, conducting searches based on the new attributes, and so on. Many of these procedures involve the use of scripts created using Microsoft Visual Basic for Scripting and are beyond the scope of the 70-294 exam. For additional details, see the first reference in the "Suggested Readings and Resources" section at the end of this chapter. Information is also available from the Windows Server 2003 Help and Support Center.

TIP

You Can Only Deactivate, Not Delete, Improper Schema Objects The exam may present you with a scenario in which an application has created incorrect schema attributes or classes. After objects have been created in the schema, you cannot delete them except by completely reinstalling Active Directory. The proper solution to this problem is to deactivate these objects. This is also another reason to test new applications in a lab network before deploying them to the production network.

Guided Practice Exercise 3.1

Active Directory Schema Attributes and Classes

The widgets.com organization you worked with in Chapter 2 needs to store employees' Social Security numbers in their Properties dialog boxes in Active Directory Users and Computers. Although the Properties dialog box enables you to store a large number of attributes for each user, the Social Security number is not among them.

The object of this exercise is to understand how to add an attribute to the schema and associate this attribute with a schema class. After you have done this, you should be able to create a custom VB script or application that modifies a user's Properties dialog box in Active Directory Users and Computers, thereby enabling you to store employees' Social Security numbers in Active Directory. Note that the unique X.500 Object ID given here was issued to Microsoft and is suitable for the use described in this exercise.

You should try working through this problem on your own first. If you are stuck or need guidance, follow these steps and look back at the Step by Step procedures for more detailed information.

  1. Working from server01.widgets.com, open Active Directory Schema.

  2. Expand the console tree to locate the Classes and Attributes folders, right-click Attributes, and then select Create Attribute.

  3. Click Continue to accept the warning that appears and display the Create New Attribute dialog box.

  4. In the Create New Attribute dialog box, type in the information provided in the following table:

  5. Identifier

    Enter the Following

    Common Name

    SocialSecurityNumber

    LDAP Display Name

    SocialSecurityNumber

    Unique X.500 Object ID

    1.2.840.113556.1.4.7000.142

    Description

    Employee Social Security Number

    Syntax

    -Select Case Insensitive String from the drop- down list.

    Minimum

    0

    Maximum

    11


  6. Click OK to create the attribute and add it to the list in the details pane.

  7. In the console tree, select Classes to display the list of classes in the details pane.

  8. Scroll down to locate the user class, right-click it, and choose Properties.

  9. On the Attributes tab of the user Properties dialog box, click Add to display the Select Schema Object dialog box.

  10. Scroll down to select the SocialSecurityNumber attribute and then click OK. This action adds this attribute to the Optional field of the Attributes tab, as shown in Figure 3.34.

  11. Click OK to exit the user Properties dialog box.

  12. Use any available scripting tools to create a VB script that enables you to enter employees' Social Security numbers and display them in the Properties dialog box in Active Directory Users and Computers. This action is beyond the scope of the 70-294 exam and will not be further described here.

Figure 3.34Figure 3.34 After you have added the new attribute, it appears in the Attributes tab of the user Properties dialog box.

Adding or Removing a UPN Suffix

As described in Chapter 1, a User Principal Name (UPN) is a logon name specified in the format of an email address such as user1@quepublishing.com. It is a convenient means of logging on to a domain from a computer located in another domain in the forest or a trusted forest. Two types of UPNs are available:

  • Implicit UPN This UPN is always in the form user@domain, such as mary@accounts.quepublishing.com. It is defined on the Account tab of a user's Properties dialog box in Active Directory Users and Computers.

  • Explicit UPN This UPN is in the form string1@string2, where an administrator can define values for both strings. For example, a user named Mary in the accounts.quepublishing. com domain could have an explicit UPN in the form mary@accts. Using explicit UPNs is practical when a company does not want to reveal its internal domain structure.

New to Windows Server 2003 is the concept of UPN suffix. This is the portion of the UPN to the right of the at (@) character. By default, the UPN suffix is the DNS domain name of the domain that holds the user account. You can add an additional UPN suffix to simplify administration and user logon processes. Doing so provides the following advantages:

  • A common UPN suffix simplifies logon procedures for all users in the forest. This is especially true for users who have long child domain names. For example, a user with a default UPN of Karen@USA.products.quepublishing.com could be provided with a simpler UPN such as Karen@quepublishing.

  • You can use the UPN suffix to hide the domain structure of the forest from users in external forests and to configure remote access servers for visitor access.

  • You can use the UPN suffix in a case where a company has more than one division that operates under different company names with separate email domains (for example, quepublishing.com or examcram.com) but are all located in a single Active Directory domain. Using an additional UPN suffix, these users can log on using their email addresses.

  • The UPN suffix is also used in mapping a .NET Passport account to an Active Directory user account when setting up Microsoft .NET Passport authentication on a Web site hosted by Internet Information Services (IIS) 6.0.

You can also use the UPN suffix to log on to a domain in a trusting forest, except in the following situations:

  • If more than one forest uses the same UPN suffix, you can use it only to log on to a domain in the same forest.

  • If you are using explicit UPNs and external trusts, you cannot log on to trusting domains in another forest. See the section "Managing Trust Relationships" earlier in this chapter for information on external trusts.

You can use the Active Directory Domains and Trusts MMC console to add or remove UPN suffixes. Follow Step by Step 3.13 to add a UPN suffix.

STEP BY STEP

3.13 Adding a UPN Suffix

  1. Click Start, Administrative Tools, Active Directory Domains and Trusts.

  2. In the console tree, right-click Active Directory Domains and Trusts and choose Properties. The Active Directory Domains and Trusts Properties dialog box opens, as shown in Figure 3.35.

  3. Type the name of the desired UPN suffix (for example, corporation) in the text box and click Add.

  4. The name of the UPN suffix is added to the large field in this dialog box. Click OK.

Figure 3.35Figure 3.35 You can use the Active Directory Domains and Trusts Properties dialog box to add or remove UPN suffixes.

After you have added the UPN suffix, it is available for use when you are adding a new user account (see Figure 3.36) or configuring the properties of an existing user account from the Account tab of its Properties dialog box.

Figure 3.36Figure 3.36 After you have added a UPN suffix, you can assign this suffix to a new user from the New Object—User dialog box.

If you no longer need an added UPN suffix, you can follow a similar procedure to remove it. See Step by Step 3.14.

STEP BY STEP

3.14 Removing a UPN Suffix

  1. At the top of the Active Directory Domains and Trusts snap-in, right-click Active Directory Domains and Trusts and choose Properties. The Active Directory Domains and Trusts Properties dialog box opens (refer to Figure 3.35).

  2. Select the UPN suffix to be removed and click Remove.

  3. You are warned that users who use this UPN suffix will no longer be able to log on with this UPN suffix (see Figure 3.37).

  4. Click OK.

Figure 3.37Figure 3.37 This message box warns you that user accounts referring to the UPN suffix will be unable to log on to the network if you delete the suffix.

If you remove a UPN suffix, you should open the Active Directory Users and Computers console, select any users whose user accounts refer to the removed UPN suffix, and change the suffix in use from the Accounts tab of their Properties dialog box.

Understanding the Directory Forest and Domain Structure

Following are points you should remember about the directory forest and domain structure:

  • All domains in the Active Directory forest share a common schema. Although it is replicated to all domain controllers in the forest, only the schema operations master contains a writable copy of the schema.

  • The schema contains classes of objects and a series of attributes that can be held by objects of various types. It also defines the various classes that can exist and the attributes that can be defined for each specific object.

  • Because improper schema modifications can cause irreparable damage to Active Directory, the following conditions must be met before you can modify the schema: You must be a member of the Schema Admins group, and you must register the Active Directory Schema snap-in before you can install it.

  • A UPN suffix is the portion of the UPN to the right of the at (@) character. You can add an additional UPN suffix to simplify logon procedures for all users in the forest and hide the domain structure of the forest.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020