Enforce Schema Constraints

The originating update is validated for schema constraints as explained in Restrictions on Schema Extensions in section Schema constraints are not enforced for replicated updates.

During an originating update of the Add and Modify operations, the server validates that the object being added or modified is consistent with the schema definition of the object of the objectClass values that are assigned to the object (see section for more information):

  • The mayContain/mustContain constraints that are applicable based on the selected objectClass values are enforced. The computation of the mayContain/mustContain set takes into consideration the complete inheritance chain of the structural objectClass and the 88 object class as well as any auxiliary classes supplied. If any attributes in the mustContain set are not provided, the Add fails with objectClassViolation / <unrestricted>. If any attributes provided are not present in either the mayContain or mustContain sets, the Add fails with objectClassViolation / <unrestricted>. Exception: In AD LDS, the objectSid attribute is present on all application NC roots, even if this violates the schema mayContain/mustContain constraints.

  • All attribute values are formed correctly according to the attribute syntax and satisfy schema constraints, such as single-valuedness, rangeLower/rangeUpper, and so on. See sections through for more information.

  • All attribute values must be compliant with the rangeUpper and rangeLower constraints of the schema (see section If a supplied value violates a rangeUpper or rangeLower constraint, then the Add fails with constraintViolation / <unrestricted>.

  • All attribute values must be compliant with the isSingleValued constraint of the schema (see section If multiple values are provided for an attribute that is single-valued, then the Add fails with constraintViolation / <unrestricted>.

  • The attributeType of the first label of the object DN matches the rDNAttID of the structural object class or the 88 object class. Otherwise, namingViolation / ERROR_DS_RDN_DOESNT_MATCH_SCHEMA is returned. For example, it is not allowed to create an organizationalUnit with CN=test RDN; the correct RDN for an organizationalUnit object is OU=test. If there is no class C for which the attributeType is equal to C!rDNAttID, namingViolation / <unrestricted> is returned.