1 00:00:06,490 --> 00:00:14,620 Now when we are done with the overview of all the AD DS components, let's take a closer look at each of these
2 00:00:14,620 --> 00:00:15,600 components.
3 00:00:15,610 --> 00:00:17,470 For example, the schema.
4 00:00:17,500 --> 00:00:20,980 What is the Active Directory schema?
5 00:00:21,010 --> 00:00:29,830 A schema defines the rules and syntax of the Active Directory database and provides the blueprint for
6 00:00:29,830 --> 00:00:32,020 the objects within it.
7 00:00:32,050 --> 00:00:41,860 So the Active Directory schema is a component that defines all the object classes and attributes that
8 00:00:41,860 --> 00:00:45,220 Active Directory uses to store data.
9 00:00:45,250 --> 00:00:52,270 All domains in a forest contain a copy of the schema that applies to that forest.
10 00:00:52,300 --> 00:00:58,900 Any change to the schema replicates to every domain controller in the forest
11 00:00:58,930 --> 00:01:07,030 from the schema master, which is typically the first domain controller in the forest. AD DS stores
12 00:01:07,030 --> 00:01:13,210 and retrieves information from a wide variety of applications and services.
13 00:01:13,240 --> 00:01:23,350 It does this in part by standardizing how Active Directory stores data. By standardizing data storage,
14 00:01:23,380 --> 00:01:33,340 Active Directory can retrieve, update and replicate data while helping to maintain data integrity.
15 00:01:33,370 --> 00:01:37,090 Now let me demonstrate what the schema looks like.
16 00:01:37,120 --> 00:01:41,770 First off, to add the Schema snap-in
17 00:01:41,800 --> 00:01:50,320 in the MMC console, you have to perform several steps, because by default the Active Directory Schema MMC
18 00:01:50,320 --> 00:01:58,960 snap-in is not registered on domain controllers or on machines with the Remote Server Administration Tools.
19 00:01:58,960 --> 00:02:07,360 So to use the snap-in for the first time on a new machine, you'll need to register the DLL. To do this,
20 00:02:07,360 --> 00:02:09,090 follow these steps.
21 00:02:09,100 --> 00:02:18,310 You have to open an elevated command prompt by typing cmd, choosing Run as administrator, and then run the following
22 00:02:18,310 --> 00:02:19,210 command:
23 00:02:19,240 --> 00:02:22,400 regsvr32
24 00:02:22,450 --> 00:02:33,490 schmmgmt.dll. Only after this do you open the MMC console, and in the MMC console go to
25 00:02:33,490 --> 00:02:39,880 File, Add/Remove Snap-in and add the Active Directory Schema snap-in.
26 00:02:39,880 --> 00:02:47,470 And after this you can expand Active Directory Schema on your computer.
27 00:02:47,500 --> 00:02:54,400 As you can see, in my case, it's the Active Directory Schema for the adatum.com domain.
28 00:02:54,580 --> 00:03:03,070 We can expand it, and then we can expand the Classes container and take a look at attributes by clicking
29 00:03:03,100 --> 00:03:05,080 on the Attributes container.
30 00:03:05,080 --> 00:03:13,840 So as you can see, we've got objects here, lots of objects, and you have to know that Active Directory
31 00:03:13,840 --> 00:03:17,650 uses these objects as units of storage.
32 00:03:17,680 --> 00:03:20,830 The schema defines all object types.
33 00:03:20,860 --> 00:03:29,530 Each time Active Directory handles data, the directory queries the schema for an appropriate object
34 00:03:29,530 --> 00:03:30,550 definition.
35 00:03:30,550 --> 00:03:38,890 And based on the object definition in the schema, the directory creates the object and stores the data.
36 00:03:38,890 --> 00:03:48,790 Object definitions specify both the type of data that the object can store and the syntax of the data.
37 00:03:48,820 --> 00:03:59,140 You can create only objects that the schema defines. Because objects store data in a rigidly defined
38 00:03:59,140 --> 00:04:08,080 format, Active Directory can store, retrieve and validate the data that it manages, regardless of
39 00:04:08,080 --> 00:04:10,120 which application supplies it.
40 00:04:10,150 --> 00:04:17,260 Now let's talk about the relationships among objects, rules, attributes and classes.
41 00:04:17,260 --> 00:04:26,620 In Active Directory, the schema defines the following: objects that store data in the directory, and rules
42 00:04:26,620 --> 00:04:35,020 that define the structure of the objects and the structure and content of the directory itself.
43 00:04:35,140 --> 00:04:41,710 AD DS schema objects consist of attributes, which are grouped together in classes.
44 00:04:41,710 --> 00:04:49,300 Each class has rules that define which attributes are mandatory and which are optional.
45 00:04:49,300 --> 00:04:51,600 For example, the user class.
46 00:04:51,610 --> 00:04:57,910 Let me scroll down in the Classes container until I find the user class.
47 00:04:57,910 --> 00:05:05,800 So this class consists of more than 400 possible attributes, including cn, which is
48 00:05:06,450 --> 00:05:15,210 the common name attribute, givenName, displayName, objectSid, which is the security identifier,
49 00:05:15,210 --> 00:05:22,650 and manager. Of these attributes, the cn and objectSid attributes are mandatory.
50 00:05:22,770 --> 00:05:34,140 The cn attribute is a single-value Unicode string that is from one through 64 characters long
51 00:05:34,140 --> 00:05:37,770 and that replicates to the global catalog.
52 00:05:37,800 --> 00:05:41,240 Now let me sort by name and find it.
53 00:05:42,120 --> 00:05:47,280 As you can see in the Type column, it is mandatory.
54 00:05:47,310 --> 00:05:55,500 Of course, you can sort here by type to see all the mandatory attributes by clicking up here on the
55 00:05:55,500 --> 00:05:56,970 column name Type.
56 00:05:57,000 --> 00:06:00,510 And of course, you can read the Description column.
57 00:06:00,690 --> 00:06:09,690 For example, this one, objectSid: it is mandatory, and the description is Object-Sid, which is the security
58 00:06:09,690 --> 00:06:10,770 identifier.
59 00:06:10,800 --> 00:06:13,080 Now, who can change this schema?
60 00:06:13,110 --> 00:06:19,210 Only members of the Schema Admins group can modify the AD DS schema.
61 00:06:19,230 --> 00:06:23,340 You cannot remove anything from the AD DS schema.
62 00:06:23,370 --> 00:06:33,330 You can only extend the Active Directory schema by using schema extensions or by modifying the attributes
63 00:06:33,330 --> 00:06:34,770 of existing objects.
64 00:06:34,770 --> 00:06:42,840 For example, when you are preparing to install Microsoft Exchange Server 2016, you must apply the
65 00:06:42,840 --> 00:06:46,800 Exchange Server Active Directory schema changes.
66 00:06:46,800 --> 00:06:52,090 These changes add or modify hundreds of classes and attributes.
67 00:06:52,110 --> 00:07:00,350 You should change the schema only when necessary, because the schema controls the storage of information.
68 00:07:00,360 --> 00:07:03,750 Any changes made to the schema affect
69 00:07:03,750 --> 00:07:07,590 every domain controller. Before you change the schema,
70 00:07:07,620 --> 00:07:14,520 you should review the changes and implement them only after you have performed testing.
71 00:07:14,550 --> 00:07:23,400 This will help ensure that the changes will not adversely affect the rest of the forest or any application
72 00:07:23,400 --> 00:07:25,080 that uses AD DS.
73 00:07:25,110 --> 00:07:33,970 The schema master is one of the operations master roles, hosted on a single domain controller in AD DS.
74 00:07:33,990 --> 00:07:40,940 We'll cover the topic of operations master roles in more detail a bit later.
75 00:07:40,950 --> 00:07:43,380 And now back to the schema master.
76 00:07:43,380 --> 00:07:51,330 Because it's a single master, you must use the Active Directory Schema snap-in to make changes to
77 00:07:51,330 --> 00:07:57,390 the schema by targeting the domain controller that holds the schema master role.
78 00:07:57,420 --> 00:08:05,190 To target the schema master in a separate forest, you'll need to target the appropriate forest from
79 00:08:05,190 --> 00:08:06,570 within the snap-in.