Active Directory Forest and Domain Structure
Now that you know about creating and administering trust relationships, we are ready to look at two additional aspects of forest and domain management: schema modifications and UPN suffixes.
Managing Schema Modifications
Manage an Active Directory forest and domain structure
- Manage schema modifications
As discussed in Chapter 1, "Concepts of Windows Server 2003 Active Directory," the schema is a set of rules that define the classes of objects and their attributes that can be created in an Active Directory forest. All domains in a forest share a common schema, which is replicated to all domain controllers in the forest. However, only the schema master contains a writable copy of the schema; all other domain controllers contain a read-only replica of the schema.
Active Directory stores information on the classes and attributes as instances of the classSchema and attributeSchema classes, respectively. The schema defines the attributes that can be held by objects of various types, the various classes that can exist, and the object class that can be a parent of the current object class. When you first install Active Directory, a default schema is created; it includes definitions for the common classes of objects, such as user, computer, and organizationalUnit. It also includes attribute definitions, such as lastName, userPrincipalName, telephoneNumber, and objectSid. Microsoft designed the schema to be extensible; in other words, you can add classes and attributes, together with their definitions, as required. In addition, you can remove classes and attributes that you no longer require, provided the forest is operating at the Windows Server 2003 functional level.
Following are the characteristics of these classes:
- Active Directory uses an instance of the classSchema class to define every object class supported. For example, the mayContain and mustContain attributes describe attributes that an object class may and must contain.
- You can use instances of the attributeSchema class to define every attribute that Active Directory supports. For example, the attributeSyntax and isSingleValued attributes describe an attribute in a similar manner to the way in which attributes of a user object describe the user.
- Active Directory uses a well-defined Schema container as a location in the directory to store the instances of the attributeSchema and classSchema classes. This container has a distinguished name (DN) of the form CN=Schema,CN=Configuration,DC=quepublishing,DC=com, where the DC items refer to the forest root domain name, using quepublishing.com as an example.
For further information on object classes, their characteristics, and a description of the key attributes of a classSchema object, see "Characteristics of Object Classes" at the following address:
For similar information for attributes, see "Characteristics of Attributes" at this address:
Installing the Schema Snap-In
You can perform schema modifications from any computer running Windows Server 2003 or Windows XP Professional by installing the Active Directory Schema snap-in on a server or installing the Windows Server 2003 Administration Tools Pack on a Windows XP Professional computer. If the computer is not the schema master, it creates a connection to the schema master when you start the snap-in.
The Active Directory schema snap-in is not present by default when you first install Active Directory. Installation of this snap-in is a two-step process: registration and snap-in installation.
Follow Step by Step 3.8 to register the snap-in.
Step by Step 3.8 Registering the Active Directory Schema Snap-In
- Ensure that you are logged on as a member of the Schema Admins group.
- Click Start, Command Prompt.
- Type regsvr32 schmmgmt.dll.
- A message box informs you that the registration succeeded. See Figure 3.24.
Figure 3.24 Windows informs you when you have successfully registered the Active Directory Schema snap-in.
After you have registered the Active Directory Schema snap-in, you can add this snap-in to an empty Microsoft Management Console (MMC). Follow Step by Step 3.9 to install the Active Directory Schema snap-in.
Step by Step 3.9 Installing the Active Directory Schema Snap-in to a New MMC Console
- Click Start, Run.
- Type mmc to open an empty MMC console.
- Click File, Add/Remove Snap-In to open the Add/Remove Snap-In dialog box (see Figure 3.25).
Figure 3.25 Using the Add/Remove Snap-In dialog box, you can add a snap-in to a new or existing MMC console.
- Click Add to display the Add Standalone Snap-In dialog box.
- Select Active Directory Schema, as shown in Figure 3.26, and then click Add.
Figure 3.26 Using the Add Standalone Snap-In dialog box, you can select one or more snap-ins to add to the MMC console.
- Click Close to return to the Add/Remove Snap-In dialog box.
- Click OK. The Active Directory Schema snap-in is added to the MMC console (see Figure 3.27).
Figure 3.27 On completion of this procedure, you have an MMC console containing the Active Directory Schema snap-in.
- Click File, Save, and on the Save As dialog box, type a descriptive name for the console, such as Schema.msc. Then click Save.
The Schema snap-in is now available, and you can locate it from the Administrative Tools folder.
Using the Schema Snap-In
After you have installed the Schema snap-in, you can make any required modifications. Step by Step 3.10 shows you how to create a new attribute.
Step by Step 3.10 Creating a New Schema Attribute
- Click Start, Administrative Tools, Schema.msc. If you installed the Schema snap-in according to Step by Step 3.9, this selection opens the Schema snap-in.
- Expand the Active Directory Schema container in the console tree. You see two containers: Classes and Attributes.
- Select the Attributes container. As you can see in Figure 3.28, a long list of attributes is available.
Figure 3.28 By default, the Active Directory Schema snap-in contains a large number of attributes.
- Right-click Attributes and select Create Attribute. You are warned that creating schema objects in the directory is a permanent operation (see Figure 3.29).
Figure 3.29 This warning message informs you that creating schema objects is a permanent operation.
- Click Continue. This action displays the Create New Attribute dialog box (see Figure 3.30).
Figure 3.30 You use the Create New Attribute dialog box to create attributes.
- Enter information in the following text boxes to describe the attribute you are creating:
- Common Name—A unique name that is related to the Lightweight Directory Access Protocol (LDAP) display name.
- LDAP Display Name—A unique display name that programmers and system administrators can use to programmatically reference the object.
- Unique X.500 Object ID—An X.500 object identifier (OID) that uniquely identifies each class or attribute in the directory. This identifier is required.
- Description—An optional description for the attribute.
- Syntax—Type of information stored by this attribute, such as a case-insensitive string, distinguished name, integer, numerical string, and so on.
- Minimum and Maximum—Optional limits whose meaning depends on the syntax: a string length, the smallest and largest integer values, and so on.
- Click OK. The attribute is created and displayed in the attributes list. If you have difficulty finding it, click the Name header to arrange the attributes in alphabetical order.
You can also create new classes by right-clicking the Classes container and choosing Create New Schema Class. The procedure is similar to that of Step by Step 3.10. After you have created new attributes and classes, you can easily add attributes to classes, as Step by Step 3.11 shows.
Step by Step 3.11 Adding an Attribute to a Class
- In the console tree of the Active Directory Schema snap-in, double-click Classes to expand it. This action displays a long list of available classes (see Figure 3.31).
Figure 3.31 By default, the Active Directory Schema snap-in contains a large number of classes.
- Right-click the class to which you want to add an attribute and select Properties. This action displays the Properties dialog box for the selected class, as shown in Figure 3.32.
Figure 3.32 In the Properties dialog box for a schema class, you make all modifications to the class.
- Select the Attributes tab and then click Add to display the Select Schema Object dialog box, as shown in Figure 3.33.
Figure 3.33 You use the Select Schema Object dialog box to select the desired attribute.
- Scroll down to locate the attribute and then click OK. You return to the Attributes tab of the Properties dialog box for the class, with the new attribute highlighted.
- Click OK.
- Close the Active Directory Schema console.
Deactivating Schema Objects
After you have added an object (class or attribute) to the schema, you cannot simply delete it. However, you can deactivate an unneeded schema object by following the procedure outlined in Step by Step 3.12.
Step by Step 3.12 Deactivating a Schema Object
- Open the Active Directory Schema snap-in.
- In the console tree, select either Classes or Attributes, depending on the type of object you want to deactivate.
- In the details pane, scroll to locate the class or attribute you want to deactivate, right-click it, and choose Properties.
- Clear the check box labeled Attribute is Active. You receive a message, like the one in Figure 3.34, warning you that if you make the schema object defunct, you will be unable to make further changes to it.
Figure 3.34 You receive a warning when you attempt to deactivate a schema object.
- Click Yes to deactivate the object.
The step-by-step procedures given here provide you with a small example of the possible schema modifications. Other procedures are available to perform such tasks as creating new classes, adding values to a series of attributes, adding attribute display names, conducting searches based on the new attributes, and so on. Many of these procedures involve the use of scripts created using Microsoft Visual Basic for Scripting and are beyond the scope of the 70-294 exam. For additional details, see the first reference in the "Suggested Readings and Resources" section at the end of this chapter. Information is also available from the Windows Server 2003 Help and Support Center.
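The scripted equivalent of Step by Step 3.10 and 3.11, as an added example that is not part of the original chapter: it uses ADSI from PowerShell, binds to the schema master explicitly (the snap-in does this for you), and refuses to create a duplicate because a schema object can never be deleted. The attribute name, the OID and the target class are assumed placeholders; the OID must come from an arc you own.

```powershell
# Added example (not part of the original chapter): the scripted equivalent of
# Step by Step 3.10 and 3.11 using ADSI from PowerShell, run as a Schema Admin.
# The attribute name, the OID and the target class are placeholders.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaDn = $rootDse.Properties["schemaNamingContext"].Value  # CN=Schema,CN=Configuration,DC=...

# Only the schema master holds a writable schema, so resolve it from fSMORoleOwner
# (the snap-in does this for you when it starts; a script must do it explicitly).
$ntdsDn  = ([ADSI]"LDAP://$schemaDn").Properties["fSMORoleOwner"].Value
$master  = ([ADSI]"LDAP://$ntdsDn").Parent.Properties["dNSHostName"].Value
$schema  = [ADSI]"LDAP://$master/$schemaDn"
$rootDse = [ADSI]"LDAP://$master/RootDSE"

$attrName = "quePublishing-BadgeNumber"   # placeholder common name and LDAP display name
$attrOid  = "1.3.6.1.4.1.99999.1.1"       # PLACEHOLDER: allocate from an OID arc you own

# A schema object cannot be deleted once created (only deactivated), so check for an
# existing lDAPDisplayName before creating anything.
$finder = New-Object System.DirectoryServices.DirectorySearcher($schema, "(lDAPDisplayName=$attrName)")
if ($finder.FindOne() -eq $null) {
    $attr = $schema.Children.Add("CN=$attrName", "attributeSchema")
    $attr.Properties["lDAPDisplayName"].Value  = $attrName
    $attr.Properties["attributeID"].Value      = $attrOid      # the Unique X.500 Object ID
    $attr.Properties["attributeSyntax"].Value  = "2.5.5.12"    # Unicode string syntax ...
    $attr.Properties["oMSyntax"].Value         = 64            # ... and its matching OM syntax
    $attr.Properties["isSingleValued"].Value   = $true
    $attr.Properties["adminDescription"].Value = "Employee badge number (example attribute)"
    $attr.CommitChanges()

    # Make the schema master reload its schema cache so the class can reference the
    # new attribute now instead of after the next periodic refresh.
    $rootDse.Properties["schemaUpdateNow"].Value = 1
    $rootDse.CommitChanges()
}

# Step by Step 3.11 equivalent: add the attribute to the optional (mayContain) list of
# the user class. Use mayContain, not mustContain: a mandatory attribute would be
# missing from every user object that already exists.
$userClass = [ADSI]"LDAP://$master/CN=User,$schemaDn"
if (@($userClass.Properties["mayContain"]) -notcontains $attrName) {
    $userClass.Properties["mayContain"].Add($attrName) | Out-Null
    $userClass.CommitChanges()
}
```

Test this against a lab forest first; like the snap-in, the script makes a permanent, forest-wide change that can only be deactivated, never undone.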
Adding or Removing a UPN Suffix
As described in Chapter 1, a User Principal Name (UPN) is a logon name specified in the format of an email address such as firstname.lastname@example.org. It is a convenient means of logging on to a domain from a computer located in another domain in the forest or a trusted forest. Two types of UPNs are available:
- Implicit UPN—This UPN is always in the form user@domain, such as email@example.com. It is defined on the Account tab of a user's Properties dialog box in Active Directory Users and Computers.
- Explicit UPN—This UPN is in the form string1@string2, where an administrator can define values for both strings. For example, a user named Mary in the accounts.quepublishing.com domain could have an explicit UPN in the form mary@accts. Using explicit UPNs is practical when a company does not want to reveal its internal domain structure.
New to Windows Server 2003 is the concept of the UPN suffix. This is the portion of the UPN to the right of the at (@) character. By default, the UPN suffix is the DNS domain name of the domain that holds the user account. You can add an additional UPN suffix to simplify administration and user logon processes. Doing so provides the following advantages:
- A common UPN suffix simplifies logon procedures for all users in the forest. This is especially true for users who have long child domain names. For example, a user with a default UPN of Karen@USA.products.quepublishing.com could be provided with a simpler UPN such as Karen@quepublishing.
- You can use the UPN suffix to hide the domain structure of the forest from users in external forests and to configure remote access servers for visitor access.
- You can use the UPN suffix in a case where a company has more than one division that operates under different company names with separate email domains (for example, quepublishing.com or examcram.com) but are all located in a single Active Directory domain. Using an additional UPN suffix, these users can log on using their email addresses.
You can also use the UPN suffix to log on to a domain in a trusting forest, except in the following situations:
- If more than one forest uses the same UPN suffix, you can use it only to log on to a domain in the same forest.
- If you are using explicit UPNs and external trusts, you cannot log on to trusting domains in another forest. See the section "Managing Trust Relationships" earlier in this chapter for information on external trusts.
You can use the Active Directory Domains and Trusts MMC console to add or remove UPN suffixes. Follow Step by Step 3.13 to add a UPN suffix.
Step by Step 3.13 Adding a UPN Suffix
- Click Start, Administrative Tools, Active Directory Domains and Trusts.
- In the console tree, right-click Active Directory Domains and Trusts and choose Properties. The Active Directory Domains and Trusts Properties dialog box opens, as shown in Figure 3.36.
Figure 3.36 You can use the Active Directory Domains and Trusts Properties dialog box to add or remove UPN suffixes.
- Type the name of the desired UPN suffix (for example, examprep) in the text box and click Add.
- The name of the UPN suffix is added to the large field in this dialog box. Click OK.
After you have added the UPN suffix, it is available for use when you are adding a new user account (see Figure 3.37) or configuring the properties of an existing user account from the Account tab of its Properties dialog box.
Figure 3.37 After you have added a UPN suffix, you can assign this suffix to a new user from the New Object—User dialog box.
If you no longer need an added UPN suffix, you can follow a similar procedure to remove it. See Step by Step 3.14.
Step by Step 3.14 Removing a UPN Suffix
- At the top of the Active Directory Domains and Trusts snap-in, right-click Active Directory Domains and Trusts and choose Properties. The Active Directory Domains and Trusts Properties dialog box opens (refer to Figure 3.36).
- Select the UPN suffix to be removed and click Remove.
- You are warned that users who use this UPN suffix will no longer be able to log on with this UPN suffix (see Figure 3.38).
Figure 3.38 This message box warns you that user accounts referring to the UPN suffix will be unable to log on to the network if you delete the suffix.
- Click OK.
If you remove a UPN suffix, you should open the Active Directory Users and Computers console, select any users whose user accounts refer to the removed UPN suffix, and change the suffix in use from the Account tab of their Properties dialog box.
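The scripted equivalent of Step by Step 3.13 and 3.14, as an added example that is not part of the original chapter: the dialog edits the multi-valued uPNSuffixes attribute on the Partitions container of the configuration partition, and the removal function below finds the accounts still using the suffix across the whole forest and refuses to remove it until they are fixed, rather than only warning. The suffix examprep is the chapter's own sample; the function names are assumptions.

```powershell
# Added example (not part of the original chapter): the scripted equivalent of
# Step by Step 3.13 and 3.14. The dialog edits the multi-valued uPNSuffixes attribute
# on the Partitions container; "examprep" is the chapter's own sample suffix.

$rootDse    = [ADSI]"LDAP://RootDSE"
$configDn   = $rootDse.Properties["configurationNamingContext"].Value
$forestDn   = $rootDse.Properties["rootDomainNamingContext"].Value
$partitions = [ADSI]"LDAP://CN=Partitions,$configDn"

function Get-UpnSuffix {
    # The forest-wide additional suffixes listed in the dialog of Figure 3.36.
    @($partitions.Properties["uPNSuffixes"])
}

function Add-UpnSuffix([string]$Suffix) {
    if ((Get-UpnSuffix) -contains $Suffix) { return }
    $partitions.Properties["uPNSuffixes"].Add($Suffix) | Out-Null
    $partitions.CommitChanges()
}

function Get-UserWithUpnSuffix([string]$Suffix) {
    # userPrincipalName is replicated to the global catalog, so one GC query covers
    # every domain in the forest, not only the domain you are logged on to.
    $filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=*@$Suffix))"
    $finder = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$forestDn", $filter)
    $finder.PageSize = 1000
    foreach ($r in $finder.FindAll()) { [string]$r.Properties["userprincipalname"][0] }
}

function Remove-UpnSuffix([string]$Suffix) {
    # The dialog only warns (Figure 3.38); refuse instead, so that no account is
    # stranded before its UPN has been changed on the Account tab.
    $users = @(Get-UserWithUpnSuffix $Suffix)
    if ($users.Count -gt 0) {
        throw "$($users.Count) account(s) still use @$Suffix (for example $($users[0]))"
    }
    $partitions.Properties["uPNSuffixes"].Remove($Suffix)
    $partitions.CommitChanges()
}

Add-UpnSuffix "examprep"
Get-UpnSuffix
```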
Understanding the Directory Forest and Domain Structure
Following are points you should remember about the directory forest and domain structure:
- All domains in the Active Directory forest share a common schema. Although it is replicated to all domain controllers in the forest, only the schema operations master contains a writable copy of the schema.
- The schema contains classes of objects and a series of attributes that can be held by objects of various types. It also defines the various classes that can exist and the attributes that can be defined for each specific object.
- Because improper schema modifications can cause irreparable damage to Active Directory, the following conditions must be met before you can modify the schema: You must be a member of the Schema Admins group, and you must register the Active Directory Schema snap-in before you can install it.
- A UPN suffix is the portion of the UPN to the right of the at (@) character. You can add an additional UPN suffix to simplify logon procedures for all users in the forest and hide the domain structure of the forest.