[MS-ADTS] CN=Aggregate is empty

  • Question

  • According to my reading of MS-ADTS, with subSchemaSubEntry it is possible for clients to know the schema supported by the server.

    But when I try to see the entries using ADExplorer and also using LDAP Studio, I am not able to get any entries in that subSchemaSubEntry DN.

    Is it something I misunderstood?

     

    Thank you for the help

    Rajesh

    Friday, May 13, 2011 9:18 AM

Answers

  • Rajesh,

     

    I have completed my research on this question. Please find my answer as follows.

     

    If a client needs to find the schema version, it has to query the objectVersion attribute of the schema container (CN=Schema,…), ref. MS-ADTS 3.1.1.2.1 Schema NC.

     

    In the schema container, Active Directory exposes a subSchema object that is pointed to by the subschemaSubentry attribute on the rootDSE. This is specified in MS-ADTS 3.1.1.3.1.1.1 subSchema.

     

    When a client connects and retrieves the root DSE information, it contains an entry similar to:

    subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com;

     

    It is important to note that the subSchemaSubEntry object is not a container. Rather, the schema in the "CN=Aggregate,…" object is represented as the contents of several attributes on that object, e.g. objectClasses, attributeTypes. Please refer to RFC 2251 for the grammars for parsing the contents of those attributes. They are mainly textual representations of the schema (see examples provided below).

     

    This is different than the Microsoft representation of the schema, which is a set of classSchema and attributeSchema objects located under the CN=Schema,… container.

     

    Both the schema container and the subschema object represent the same schema, with the key difference that the Microsoft representation in the schema container has additional details about the schema that are not included in the subSchemaSubEntry representation (see 3.1.1.3.1.1.1 for attributes that are present in subschema object).

     

    By following RFC2251, my client performed LDAP searches to retrieve attributes from a subschema entry.

     

    Base DN: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    Filter: (objectClass=SubSchema)

    Scope: Base

     

    See below for LDAP searches for these attributes: *, objectClasses, attributeTypes, modifyTimeStamp, dITContentRules; results have been truncated for brevity.

     

    References:

     

    RFC2251 http://www.ietf.org/rfc/rfc2251.txt

    3.2.2. Subschema Entries and Subentries

     

    MS-ADTS http://msdn.microsoft.com/en-us/library/cc223122(PROT.10).aspx

     

    3.1.1.2.1 Schema NC

    3.1.1.3.1.1.1 subSchema

     

    -----------

    Base DN: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    Filter: (objectClass=SubSchema)

    Scope: Base

    Attributes: *

    -----------

    Dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    cn: Aggregate;

    distinguishedName: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com;

    dSCorePropagationData: 0x0 = (  );

    instanceType: 0x4 = ( WRITE );

    name: Aggregate;

    objectCategory: CN=SubSchema,CN=Schema,CN=Configuration,DC=contoso3,DC=com;

    objectClass (2): top; subSchema;

    objectGUID: 450f626a-4e39-499d-be51-ba6ba1b64153;

    systemFlags: 0x8000000 = ( DOMAIN_DISALLOW_RENAME );

    uSNChanged: 5;

    uSNCreated: 5;

    whenChanged: 2/11/2009 11:37:08 AM Central Daylight Time;

    whenCreated: 2/11/2009 11:37:08 AM Central Daylight Time;

     

    -----------

    Base DN: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    Filter: (objectClass=SubSchema)

    Scope: Base

    Attributes: objectClasses

    -----------

    Dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    objectClasses (234): ( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL MUST (cn $ presentationAddress ) MAY (l $ o $ ou $ supportedApplicationContext $ seeAlso ) ); ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL MUST (cn $ ipNetworkNumber ) MAY (l $ description $ uid $ manager $ msSFU30Name $ msSFU30Aliases $ msSFU30NisDomain $ ipNetmaskNumber $ nisMapName ) ); ….

     

    -----------

    Base DN: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    Filter: (objectClass=SubSchema)

    Scope: Base

    Attributes: attributeTypes

    -----------

    Dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    attributeTypes (1314): ( 1.2.840.113556.1.4.149 NAME 'attributeSecurityGUID' SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' SINGLE-VALUE ); ( 1.2.840.113556.1.4.1703 NAME 'msDS-FilterContainers' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ); ( 1.2.840.113556.1.4.655 NAME 'legacyExchangeDN' SYNTAX '1.2.840.113556.1.4.905' SINGLE-VALUE ); ...

     

    -----------

    Base DN: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    Filter: (objectClass=SubSchema)

    Scope: Base

    Attributes: modifyTimeStamp

    -----------

    Dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    modifyTimeStamp: 5/17/2011 10:27:17 AM Central Daylight Time;

     

    -----------

    Base DN: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    Filter: (objectClass=SubSchema)

    Scope: Base

    Attributes: dITContentRules

    -----------

    Dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso3,DC=com

    dITContentRules (234): ( 2.5.6.12 NAME 'applicationEntity' AUX ( posixAccount $ mailRecipient $ domainRelatedObject $ bootableDevice $ ieee802Device $ ipHost $ dynamicObject $ simpleSecurityObject $ samDomain $ securityPrincipal $ samDomainBase $ posixGroup $ shadowAccount )); ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' AUX ( posixAccount $ mailRecipient $ domainRelatedObject $ bootableDevice $ ieee802Device $ ipHost $ dynamicObject $ simpleSecurityObject $ samDomain $ securityPrincipal $ samDomainBase $ posixGroup $ shadowAccount )); ...

    -----------

    Wednesday, May 18, 2011 2:55 PM
    Moderator
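The objectClasses and attributeTypes values shown in the answer follow the RFC 2251/2252 textual grammar, so a client can parse them locally instead of walking the classSchema/attributeSchema objects. The following is an added example (not code from the forum thread or from Microsoft) that splits the displayed "( … ); ( … )" values and parses each definition; it assumes that quoted names contain no parentheses and accepts both the RFC form SYNTAX 1.3.6... and the quoted SYNTAX '1.3.6...' form that the output above shows.

```python
import re

# Tokens of the RFC 2252 textual grammar: parens, '$' separators, quoted strings, bare words.
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
# Keywords that take no operand in the attributeTypes / objectClasses grammars.
_FLAGS = {"SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "OBSOLETE",
          "ABSTRACT", "STRUCTURAL", "AUXILIARY"}

def split_definitions(blob):
    """Split a displayed multi-valued attribute '( ... ); ( ... ); ...' into balanced
    '( ... )' groups (assumes no parentheses inside quoted names)."""
    out, depth, start = [], 0, 0
    for pos, ch in enumerate(blob):
        if ch == "(":
            start = pos if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                out.append(blob[start:pos + 1])
    return out

def parse_schema_definition(text):
    """Parse one '( oid KEY operand ... )' definition into a dict. Accepts both the RFC
    form SYNTAX 1.3.6... and the quoted form SYNTAX '1.3.6...' that AD emits above."""
    tokens = _TOKEN.findall(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("expected a parenthesised '( oid ... )' group")
    tokens, result, i = tokens[1:-1], {}, 1
    result["oid"] = tokens[0]
    while i < len(tokens):
        key, i = tokens[i], i + 1
        if key in _FLAGS:
            result[key] = True                     # bare keyword, no operand
        elif i < len(tokens) and tokens[i] == "(":
            end = tokens.index(")", i)             # flat list: ( a $ b ) or ( 'n1' 'n2' )
            result[key] = [t.strip("'") for t in tokens[i + 1:end] if t != "$"]
            i = end + 1
        elif i < len(tokens):
            result[key], i = tokens[i].strip("'"), i + 1
    return result

# Constructed sample input: the definitions the forum output above shows before it
# is truncated, embedded so the example runs without a domain controller.
OBJECT_CLASSES = ("( 2.5.6.12 NAME 'applicationEntity' SUP top STRUCTURAL MUST (cn $ "
    "presentationAddress ) MAY (l $ o $ ou $ supportedApplicationContext $ seeAlso ) )")
ATTRIBUTE_TYPES = ("( 1.2.840.113556.1.4.149 NAME 'attributeSecurityGUID' SYNTAX "
    "'1.3.6.1.4.1.1466.115.121.1.40' SINGLE-VALUE ); ( 1.2.840.113556.1.4.1703 NAME "
    "'msDS-FilterContainers' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )")
```

Feeding the full attribute values retrieved with the base-scope search from the answer through `split_definitions` and `parse_schema_definition` yields one dict per class or attribute, which is enough to check syntaxes, SINGLE-VALUE flags and MUST/MAY sets against what an application expects.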

All replies

  • Hi Rajesh,

    Thank you for your question.  A colleague will follow up with you soon to investigate this issue.

    Regards,
    Mark Miller

    Escalation Engineer

    US-CSS DSC PROTOCOL TEAM

    Friday, May 13, 2011 12:03 PM
  • Rajesh,

    I am researching this and will follow up as soon as I have an update.

    Regards,

    Edgar

    Friday, May 13, 2011 9:01 PM
    Moderator
  • From your reply 'attributeSecurityGUID' SYNTAX is '1.3.6.1.4.1.1466.115.121.1.40'.

    But it was never mentioned in any document. In one table it was merely mentioned that String(Octet) is adapted from Binary of RFC 2252.
    Can you give us the list of SubSchema related SYNTAXs for all ADDS Syntaxes?

    I have asked this question in another post

    http://social.msdn.microsoft.com/Forums/en-US/os_windowsprotocols/thread/064a682e-a621-4a23-b4fd-fafbed047428


    And it seems like you have completely misunderstood what I was asking.

     

    Saturday, May 21, 2011 1:41 PM
  • Rajesh,

     

    Thank you for your feedback. Note that the examples provided here are meant to show how to retrieve specific attributes from the subschema object; recall that the subschema CN=Aggregate … is not a container.

    I note your question regarding syntaxes and will be addressing them as part of the other thread you started on SYNTAX.

    For the benefit of the community, and for my case tracking record, let’s keep one thread per question / topic.

     

    Thanks,

    Edgar

    Monday, May 23, 2011 3:21 PM
    Moderator