3.1.1.2.1 Schema NC


The schema NC contains all of the objects that define object classes and attributes used in a forest.

The root object of the schema NC, called the schema container, is an instance of class dMD.

The contents of the schema NC are established when a forest is created. To enable a DC of a forest to be upgraded to a newer version of the operating system, a schema upgrade process is first performed. This process updates the portion of the schema that the new operating system depends upon.

The attribute objectVersion on the schema container object stores the schema version of the forest. This attribute is set during the creation of the first domain in a forest and is changed during schema upgrade after the schema is successfully upgraded to a newer version. In AD DS, to add a DC running a particular Windows release to an existing forest, the objectVersion of the forest's schema container MUST be greater than or equal to the value for that Windows release. In AD LDS, this is not a requirement. In AD LDS, to add a DC running a particular Windows release to an existing forest, the objectVersion of the forest's schema container can be less than the value for that Windows release. The correspondence between Windows releases and values of the schema container objectVersion is the following:

  • Windows 2000 Server operating system: 13

  • Windows Server 2003 operating system: 30

  • Windows Server 2003 R2 operating system: 31

  • Windows Server 2008 operating system (AD DS): 44

  • Windows Server 2008 R2 operating system (AD DS): 47

  • Windows Server 2012 operating system (AD DS): 56

  • Windows Server 2012 R2 operating system (AD DS): 69

  • Windows Server 2016 operating system (AD DS): 87

  • Windows Server v1709 operating system (AD DS): 87

  • Windows Server v1803 operating system (AD DS): 88

  • Windows Server v1809 operating system (AD DS): 88

  • Windows Server 2019 operating system (AD DS): 88

  • Active Directory Application Mode (ADAM): 30

  • Windows Server 2008 (AD LDS): 30

  • Windows Server 2008 R2 (AD LDS): 31

  • Windows Server 2012 (AD LDS): 31

  • Windows Server 2012 R2 (AD LDS): 31

  • Windows Server 2016 (AD LDS): 31

  • Windows Server v1709 (AD LDS): 31

  • Windows Server v1803 (AD LDS): 31

  • Windows Server v1809 (AD LDS): 31

  • Windows Server 2019 (AD LDS): 31

Attribute schemaInfo on the schema container stores a String(Octet) value of length 21 bytes. This attribute has no value in a new forest. This attribute is updated on every original schema Add or Modify in the same transaction, and it is replicated to all the domain controllers in the forest upon completion of schema NC replication. The first byte of schemaInfo is 0xFF. The next 4 bytes are a 32-bit integer in big-endian byte order, used as the version of the update. The first update sets the version to 1. For subsequent updates, the version is incremented by one. The last 16 bytes are the invocationId of the DC where the schema change is made. The invocationId attribute is specified in section 3.1.1.1.9.

For example, here is a value of schemaInfo:

0xFF 0x00 0x00 0x07 0xC7 0x20 0x79 0x92 0xE6 0x84 0xB6 0xF6 0x40 0x99 0x47 0x21 0x8B 0xC9 0xE0 0xF1 0xF3

After a schema change is done on the schema master, the following is the new value:

0xFF 0x00 0x00 0x07 0xC8 0x20 0x79 0x92 0xE6 0x84 0xB6 0xF6 0x40 0x99 0x47 0x21 0x8B 0xC9 0xE0 0xF1 0xF3
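The 21-byte layout described above can be decoded and compared between two observations, which is useful when monitoring a forest for schema changes. This is an added example, not code from the specification; the function and type names are hypothetical, and the two sample values are the ones shown above.

```python
import struct
from typing import NamedTuple, Optional, Tuple

SCHEMA_INFO_LEN = 21       # 1 marker byte + 4 version bytes + 16 invocationId bytes
SCHEMA_INFO_MARKER = 0xFF  # required first byte


class SchemaInfo(NamedTuple):
    version: int           # update counter, 32-bit big-endian in the attribute value
    invocation_id: bytes   # raw 16 bytes: invocationId of the DC where the change was made


def from_hex_dump(text: str) -> bytes:
    """Convert the '0xFF 0x00 ...' notation used in this section to bytes."""
    return bytes(int(token, 16) for token in text.split())


def parse_schema_info(raw: Optional[bytes]) -> Optional[SchemaInfo]:
    """Decode schemaInfo. None or empty input means no value (a new forest)."""
    if not raw:
        return None
    if len(raw) != SCHEMA_INFO_LEN:
        raise ValueError(f"schemaInfo must be {SCHEMA_INFO_LEN} bytes, got {len(raw)}")
    # '>' selects big-endian with no padding: B = marker, I = version, 16s = invocationId
    marker, version, invocation_id = struct.unpack(">BI16s", raw)
    if marker != SCHEMA_INFO_MARKER:
        raise ValueError(f"unexpected first byte 0x{marker:02X}")
    return SchemaInfo(version, invocation_id)


def schema_delta(old: Optional[SchemaInfo], new: SchemaInfo) -> Tuple[int, bool]:
    """Return (number of updates between the two values, same originating DC?)."""
    old_version = old.version if old else 0  # the first update sets the version to 1
    same_origin = old is not None and old.invocation_id == new.invocation_id
    return new.version - old_version, same_origin


# The two example values from this section, before and after one schema change.
BEFORE = from_hex_dump("0xFF 0x00 0x00 0x07 0xC7 0x20 0x79 0x92 0xE6 0x84 0xB6 "
                       "0xF6 0x40 0x99 0x47 0x21 0x8B 0xC9 0xE0 0xF1 0xF3")
AFTER = from_hex_dump("0xFF 0x00 0x00 0x07 0xC8 0x20 0x79 0x92 0xE6 0x84 0xB6 "
                      "0xF6 0x40 0x99 0x47 0x21 0x8B 0xC9 0xE0 0xF1 0xF3")

if __name__ == "__main__":
    old, new = parse_schema_info(BEFORE), parse_schema_info(AFTER)
    print(old.version, new.version, new.invocation_id.hex(), schema_delta(old, new))
```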

There is a child of the schema container with RDN cn=Aggregate and class subSchema. This object has several constructed attributes that are compliant with [RFC2251] section 4.5.2, through which the client can retrieve the forest's current schema. See constructed attributes in section 3.1.1.4.5. This object cannot be modified.