A set of rules for Active Directory in Microsoft Windows 2000 that defines which objects can be contained in the directory and what attributes those objects can have. The schema can be considered a formal definition of Active Directory.
Active Directory comes with a default schema that is sufficient in most instances and that defines common network objects in the directory such as users, groups, domains, and computers. You can modify the schema by using the Active Directory Schema, a snap-in for Microsoft Management Console (MMC). The schema is extensible in that new object classes and attribute types can be added to it. Members of the Schema Admins group have the necessary rights for modifying and extending the schema. The built-in Administrator account is included in this group. You can make the following types of modifications to the schema:
Key attributes within the Active Directory schema that are prefixed with “System-” cannot be modified. This ensures consistency of the schema.
The schema is actually stored in Active Directory itself in a container under the RootDSE object.
If you modify the schema, you should wait five minutes for the modifications to be written to the system, whereupon the changes are updated in Active Directory and replicated to all domain controllers. Therefore, if you modify the schema, you should wait until the changes have replicated throughout your entire enterprise before you create new objects that use these modifications.
As a safety measure, domain controllers by default have read-only permissions on the schema. If you want to write changes to the schema, you must first modify a registry setting on the domain controller on which you plan to make modifications. (Make modifications to the schema from only one domain controller at a time.) The Schema Manager MMC snap-in offers a check box that you can use to set or clear the key. To modify the registry manually, you add the parameter Schema Update Allowed with data type REG_DWORD and a nonzero value to the following registry key: