For more information about the schema, see "Active Directory Schema" on the Microsoft Windows Resource Kits website and on the Microsoft MSDN website.
Updated: January 21, 2005
Schema
The Active Directory schema contains the definitions for all objects in the directory. Every new directory object you create is validated against the appropriate object definition in the schema before being written to the directory. The schema is made up of object classes and attributes. The base (or default) schema contains a rich set of object classes and attributes to meet the needs of most organizations, and is modeled after the International Standards Organization (ISO) X.500 standard for directory services. Because it is extensible, you can modify and add classes and attributes to the base schema. However, you should carefully consider each change you make, because extending the schema affects the entire network. For more information, see Extending the schema.
How directory objects are defined
In the schema, an object class represents a category of directory objects, such as users, printers, or application programs, that share a set of common characteristics. The definition for each object class contains a list of the schema attributes that can be used to describe instances of the class. For example, the User class has attributes such as givenName, surname, and streetAddress. When you create a new user in the directory, the user becomes an instance of the User class, and the information you enter about the user becomes instances of the attributes. For more information, see Schema classes and attributes.
How the schema is stored
Each forest can contain only one schema, which is stored in the schema directory partition. The schema directory partition, along with the configuration directory partition, is replicated to all domain controllers in a forest. However, a single domain controller, the schema master, controls the structure and content of the schema. For more information about the schema master, see Operations master roles.
Schema cache
To improve performance on schema operations (such as new object validation), each domain controller holds a copy of the schema in memory (in addition to the copy it holds on disk). This cached version is automatically updated (after a small time interval) each time you update the schema. Or, you can reload the updated schema to cache manually for immediate effect. For more information, see Reload the schema.
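The following PowerShell is an added example, not code from the Microsoft page or from the Windows Server product documentation. It illustrates the two preceding sections: it reads a class definition (classSchema object) from the schema directory partition, resolves the full attribute set that instances of the class may carry (the User class gets givenName, sn and streetAddress by inheritance from person and organizationalPerson rather than from its own definition), and reloads the schema cache on the schema master by writing schemaUpdateNow to RootDSE. It assumes the RSAT ActiveDirectory module is installed, the session is domain-joined with read access to the schema partition, and that the caller is a Schema Admins member for the reload step only. The contoso.com name in the comment is a placeholder.

```powershell
# Added example (not code from the Microsoft page): inspect a schema class and reload
# the schema cache. Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# The schema partition is rooted at the forest's schemaNamingContext,
# e.g. CN=Schema,CN=Configuration,DC=contoso,DC=com (domain name is a placeholder).
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaClass {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # classSchema objects describe object classes; their must/may lists name the
    # attributes that instances of the class are required or allowed to carry.
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, subClassOf, auxiliaryClass, systemAuxiliaryClass,
                    mustContain, systemMustContain, mayContain, systemMayContain
    if (-not $cls) { throw "No classSchema object '$LdapDisplayName' under $schemaNC" }
    $cls
}

function Get-EffectiveClassAttributes {
    # A class inherits attributes from its superclass chain (subClassOf) and from its
    # auxiliary classes, so the walk follows both until every ancestor has been visited.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $must  = New-Object 'System.Collections.Generic.HashSet[string]'
    $may   = New-Object 'System.Collections.Generic.HashSet[string]'
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($LdapDisplayName)
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if (-not $seen.Add($name)) { continue }   # already processed; 'top' is its own superclass
        $cls = Get-SchemaClass -LdapDisplayName $name
        foreach ($a in @($cls.mustContain) + @($cls.systemMustContain)) { if ($a) { [void]$must.Add($a) } }
        foreach ($a in @($cls.mayContain)  + @($cls.systemMayContain))  { if ($a) { [void]$may.Add($a)  } }
        foreach ($p in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($p) { $queue.Enqueue($p) }
        }
    }
    [pscustomobject]@{ Class = $LdapDisplayName; MustContain = @($must); MayContain = @($may) }
}

function Invoke-SchemaCacheReload {
    # Writing schemaUpdateNow = 1 to RootDSE on the schema master makes that DC rebuild
    # its in-memory schema cache immediately instead of waiting for the timer.
    $master  = (Get-ADForest).SchemaMaster
    $rootDse = [ADSI]"LDAP://$master/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

# Usage: show where the User class gets the attributes named on the page.
$user = Get-EffectiveClassAttributes -LdapDisplayName 'user'
"user derives from: $((Get-SchemaClass -LdapDisplayName 'user').subClassOf)"
foreach ($a in 'givenName', 'sn', 'streetAddress') {   # sn is the LDAP name of surname
    "{0,-14} allowed on user: {1}" -f $a, ($user.MayContain -contains $a)
}
# Invoke-SchemaCacheReload   # only after a schema change, as a Schema Admins member
```

Querying the definition before touching anything is the check a practitioner wants before an extension: it shows whether the attribute you intend to add already exists on an ancestor or auxiliary class, which is the kind of forest-wide mistake the page warns about.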
Securing the schema
Like every object in Active Directory, schema objects are protected from unauthorized use by access control lists (ACLs). By default, only members of the Schema Admins group have write access to the schema. So, to extend the schema you must be a member of the Schema Admins group. The only default member of the Schema Admins group is the administrator account in the root domain of the forest. You should restrict membership in the Schema Admins group because extending the schema improperly can have serious consequences to your network. For more information, see Access control in Active Directory and Default groups.
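The following PowerShell is an added example, not code from the Microsoft page or from the product, covering the two points above: the schema is controlled by a single schema master, and write access to it is governed by ACLs and the Schema Admins group in the forest root domain. The script reports the schema master, the recursive membership of Schema Admins, any member not on an approved list, and every identity granted write-type rights directly on the schema container. It assumes the RSAT ActiveDirectory module and read access to the forest root domain; $ApprovedMembers is a hypothetical allow-list you maintain for planned schema extensions.

```powershell
# Added example (not code from the Microsoft page): audit who can change the schema.
# Assumes the RSAT ActiveDirectory module; $ApprovedMembers is a hypothetical allow-list.
Import-Module ActiveDirectory

function Get-SchemaWriteAccessReport {
    param([string[]]$ApprovedMembers = @())

    $forest     = Get-ADForest
    $rootDomain = $forest.RootDomain
    $schemaNC   = (Get-ADRootDSE -Server $forest.SchemaMaster).schemaNamingContext

    # Schema Admins exists only in the forest root domain, so query that domain explicitly.
    $group      = Get-ADGroup -Identity 'Schema Admins' -Server $rootDomain
    $members    = @(Get-ADGroupMember -Identity $group -Server $rootDomain -Recursive)
    $unexpected = @($members | Where-Object { $ApprovedMembers -notcontains $_.SamAccountName })

    # The ACL on the schema container itself: an identity with write-type rights here can
    # alter the schema without appearing in Schema Admins, so list those ACEs as well.
    $writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild'
    $acl = Get-Acl -Path "AD:\$schemaNC"
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ActiveDirectoryRights.ToString() -match $writeRights) } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

    [pscustomobject]@{
        SchemaMaster      = $forest.SchemaMaster
        SchemaPartition   = $schemaNC
        SchemaAdmins      = @($members    | ForEach-Object { $_.SamAccountName })
        UnapprovedMembers = @($unexpected | ForEach-Object { $_.SamAccountName })
        SchemaWriters     = @($writers)
    }
}

# Usage: with no extension planned, the approved list is empty, so any member is flagged.
$report = Get-SchemaWriteAccessReport -ApprovedMembers @()
$report | Format-List SchemaMaster, SchemaPartition, SchemaAdmins, UnapprovedMembers
$report.SchemaWriters | Format-Table -AutoSize

if ($report.UnapprovedMembers.Count -gt 0) {
    Write-Warning ("Schema Admins has members outside the approved list: " +
                   ($report.UnapprovedMembers -join ', '))
}
```

Running this on a schedule and alerting on a non-empty UnapprovedMembers list, or on a new entry in SchemaWriters, turns the page's advice to restrict Schema Admins membership into a check that can be verified rather than assumed.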