The Active Directory schema is AD’s blueprint. It controls what kinds of objects
can exist in the directory database and which attributes each object class can
carry. You can customize the schema using the MMC snap-in called Active
Directory Schema. You should not have to modify the schema, but should you
need to, Microsoft has put significant barriers in place to make sure this is
not a casual task. By default, Windows 2000 domain controllers expose the
schema read-only, regardless of the account attempting the access. To jump
into the world of schema customization, you first have to flip the following
Windows 2000 registry switch:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Name: Schema Update Allowed
Type: REG_DWORD
Set Schema Update Allowed to 1 to allow write access to the schema, and set it
back to 0 as soon as the change is finished.
To modify the schema, you must also be logged on as a member of the Schema
Admins group, which should stay empty except while a change is actually being
made. The other bit of information of interest is that the schema uses a
floating single-master model. Active Directory in general uses a multi-master
system: updates can occur simultaneously on multiple domain controllers and
the changes replicate across the domain. Schema modifications cannot be
performed on multiple domain controllers at once. Only the domain controller
that currently holds the schema master role accepts schema writes; the role
can be transferred to any domain controller (which is what makes the single
master "floating"), but every other domain controller holds a read-only copy
of the schema that it receives through replication.
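The following pre-flight script is an added example and is not part of the original article. It checks the three preconditions the text describes before you open the schema for editing: the registry switch, which domain controller holds the schema master role, and whether the current user is in Schema Admins. It uses only ADSI and the registry, so it needs no RSAT module; run it on the domain controller you intend to use. The registry key path is the documented Windows 2000 location; on Windows Server 2003 and later the switch is no longer required, and the function simply reports its absence. The function name and output wording are my own.

```powershell
# Added example: pre-flight checks before an AD schema modification.
# Assumes a Windows 2000-era domain controller; on later versions the
# 'Schema Update Allowed' value is not needed and is reported as absent.
function Test-SchemaUpdateReadiness {
    [CmdletBinding()]
    param()

    # 1. Registry switch referred to in the text (Windows 2000).
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $item = Get-ItemProperty -Path $ntdsKey -Name 'Schema Update Allowed' -ErrorAction SilentlyContinue
    $updateAllowed = ($null -ne $item) -and ($item.'Schema Update Allowed' -eq 1)

    # To enable, only on the schema master and only for the duration of the change:
    #   Set-ItemProperty -Path $ntdsKey -Name 'Schema Update Allowed' -Value 1 -Type DWord
    # and set it back to 0 afterwards.

    # 2. Which DC holds the schema master role? The head of the schema naming
    #    context carries fSMORoleOwner, the DN of that DC's NTDS Settings object,
    #    e.g. CN=NTDS Settings,CN=DC1,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $schemaNc  = [string]$rootDse.schemaNamingContext
    $schema    = [ADSI]"LDAP://$schemaNc"
    $roleOwner = [string]$schema.fSMORoleOwner
    $schemaMaster = (($roleOwner -split ',')[1]) -replace '^CN=', ''
    $isSchemaMaster = $schemaMaster -ieq $env:COMPUTERNAME

    # 3. Schema Admins membership. The group lives in the forest root domain and
    #    has the well-known relative ID 518, so match on the SID suffix rather
    #    than on a localized group name.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $inSchemaAdmins = @($identity.Groups | Where-Object { $_.Value -match '-518$' }).Count -gt 0

    [PSCustomObject]@{
        ThisHost            = $env:COMPUTERNAME
        SchemaMaster        = $schemaMaster
        IsSchemaMaster      = $isSchemaMaster
        SchemaUpdateAllowed = $updateAllowed
        InSchemaAdmins      = $inSchemaAdmins
        Ready               = $isSchemaMaster -and $updateAllowed -and $inSchemaAdmins
    }
}

# Usage: run on the DC you plan to edit from; all three flags must be $true.
Test-SchemaUpdateReadiness | Format-List
```

If IsSchemaMaster is false, either log on to the DC named in SchemaMaster or transfer the role there first; flipping the registry value on a DC that does not hold the role does not make its schema writable.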
The biggest difficulty with the Active Directory schema is that changes cannot
be undone. Microsoft, in its Windows 2002 Server, is supposed to introduce the
ability to delete objects and attributes in the directory schema. The feature,
Schema Delete, should be included in Windows 2002 when it ships early next year.
Novell’s eDirectory and iPlanet’s Directory Server 5.0 already let you delete