IT Connect

Information technology tools and resources at the UW

NETID Domain Schema

The current NETID domain schema is documented below.

MI will entertain any schema modification request. All schema modifications must follow schema best practices, which are documented below; vendor schema extensions tend to follow them, and custom schema modifications are also possible. Schema modifications that are deemed to follow best practices are likely to be added.

NOTE: At this time, MI does not permit directory information to be written by anything other than MI connectors, except to your own user account, and then only to the “personal” attributes that you have write permission to by default. MI connectors are described in the architecture guide. A full list of all user attributes currently in use and written to by MI connectors is documented here.

Current Schema

Links in the Description column take you to our copy of the schema; links in the Notes column take you to the vendor documentation, which may not exist at a later point in time.

| Description | Schema Vendor | Date Added | Notes |
|---|---|---|---|
| Windows Server 2003 R2 | Microsoft Corporation | June 29, 2006 | Base Schema. See here for vendor documentation |
| Exchange Server 2003 | Microsoft Corporation | June 29, 2006 | |
| UW Enterprise Directory Services / Group Directory Services | University of Washington | July 20, 2006 | Added uwEntity & uwPrincipal classes and attributes |
| eduPerson | Internet2/EDUCAUSE | July 20, 2006 | |
| Catalyst Labs – Macintosh Support | University of Washington | July 20, 2006 | Added for EPLT labs for Mac authentication. 12/2012: Not used. |
| Dell Remote Access Controller | Dell | August 7, 2006 | Allows central management of Dell DRAC-enabled devices |
| Vista Bitlocker TPM Extensions | Microsoft Corporation | February 1, 2007 | See here for vendor documentation |
| Exchange Server 2007 | Microsoft Corporation | June 1, 2007 | See here for vendor documentation |
| Office Communications Server 2007 | Microsoft Corporation | November 1, 2007 | |
| Exchange Server 2007 SP1 | Microsoft Corporation | December 12, 2007 | See here for vendor documentation |
| Group Service Integration View Access Control | University of Washington | September 17, 2008 | Added uwViewAccess to uwDepartmentGroup |
| Windows Server 2008 | Microsoft Corporation | March 12, 2009 | Not R2. See here for vendor documentation |
| Exchange Server 2007 SP2 | Microsoft Corporation | February 23, 2010 | See here for vendor documentation |
| Windows Server 2008 R2 | Microsoft Corporation | June 17, 2010 | See here for vendor documentation |
| Exchange Server 2007 SP3 | Microsoft Corporation | August 25, 2010 | |
| Exchange Server 2010 SP1 | Microsoft Corporation | August 25, 2010 | |
| Exchange Server 2010 SP2 | Microsoft Corporation | March 7, 2012 | |
| uwReadAccess for uwCourseOffering | University of Washington | August 23, 2012 | Added uwReadAccess to uwCourseOffering |
| Windows Server 2012 | Microsoft Corporation | August 23, 2012 | See here for vendor documentation |
| Windows Server 2012 R2 | Microsoft Corporation | April 2, 2014 | See here for vendor documentation |
| System Center Configuration Manager | Microsoft Corporation | April 2, 2014 | See here for vendor documentation |
| 2014 Custom Schema | University of Washington | April 2, 2014 | Added uwNetIDType, uwEntityType, uwKerberosDelegationSensitiveException, uwDisplayNameOverride, eduPersonAssurance |
| Exchange Server CU7 | Microsoft Corporation | December 17, 2014 | See here for vendor documentation |
| Local Administrator Password Solution (LAPS) | Microsoft Corporation | March 31, 2017 | Added ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd to the computer class |
| Windows Server 2016 | Microsoft Corporation | August 17, 2017 | See here for vendor documentation |

Custom Schema Best Practices

  • Unique OIDs are used for every objectclass and attribute. These OIDs belong to the vendor or organization employing the schema modification OR the OIDs are tied to standards-based schema definitions. The UW has an OID space. Contact the NOC to request an OID arc for custom schema definition. The Netid.washington.edu Windows domain has a delegated OID space, which is documented here.
  • Objectclass and attribute names that are not likely to create a future collision. Prepending the vendor or organization’s name to the attribute or objectclass name is recommended to avoid possible collisions. For example, “year” is a poor attribute name choice. “uwYear” is a well-chosen attribute name.
  • Objectclass hierarchy doesn’t break existing functionality. For example, inserting a superior objectclass above the user objectclass or a structural objectclass on top of the user objectclass may introduce changes that break existing functionality.
  • Thoughtful use of attribute indexing. Indexing can introduce a great deal of overhead. Only attributes that are widely used should be indexed.
  • Thoughtful use of when an attribute should be included in the global catalog partition set. Only attributes that are widely used and needed during login should be included in the global catalog.
  • Existing schema objects are not modified. (As the Active Directory vendor, Microsoft has in the past modified existing schema objects, and this is acceptable as an exception.)
  • Appropriate attribute syntax is used for the data to be stored. Poor choice of syntax can result in unnecessary directory overhead.
  • displayName=cn
  • Use auxiliary classes to enhance existing objectclasses.
  • Populate the description attribute with meaningful information.
  • Schema modifications are in LDIF format.
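The practices above can be checked mechanically before a modification request is submitted. The small linter below is an added example, not code from this page or from UW-IT/MI: it parses a schema-extension LDIF and flags edits to existing schema objects, OIDs that are reused or fall outside the delegated arc, names without the organization prefix, missing descriptions, unexpected attribute syntaxes, non-auxiliary classes, and indexing or global-catalog flags that need justification. The OID arc (`DELEGATED_OID_ARC`), the `uw` prefix and both LDIF samples are constructed placeholders; the real delegated arc is the one documented for the Netid.washington.edu domain.

```python
"""Lint an Active Directory schema-extension LDIF against the custom-schema
best practices listed above.  Added example, not part of the page or the NETID
schema: the OID arc, the 'uw' prefix and both LDIF samples are placeholders."""

DELEGATED_OID_ARC = "1.3.6.1.4.1.99999.100"  # placeholder, not the real arc
ORG_PREFIX = "uw"                            # collision-avoiding name prefix
# A few AD attributeSyntax OIDs whose storage overhead is reasonable.
KNOWN_SYNTAXES = {"2.5.5.12": "Unicode String", "2.5.5.9": "Integer",
                  "2.5.5.8": "Boolean", "2.5.5.11": "Generalized Time"}

def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute names lower-cased,
    values as lists; handles '#' comments and folded continuation lines."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):   # unfold, then split
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def lint_schema_ldif(text):
    """Return (severity, dn, message) findings; an empty list means clean."""
    findings, seen_oids = [], {}
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        name = e.get("ldapdisplayname", [""])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        note = lambda sev, msg: findings.append((sev, dn, msg))
        # Existing schema objects are not modified: only 'add' changes pass.
        if e.get("changetype", ["add"])[0].lower() != "add":
            note("error", "modifies an existing schema object (changetype must be add)")
            continue
        # Unique OIDs, every one under the organisation's delegated arc.
        oid = (e.get("attributeid") or e.get("governsid") or [""])[0]
        if oid in seen_oids or not oid.startswith(DELEGATED_OID_ARC + "."):
            note("error", f"OID {oid!r} is reused or outside arc {DELEGATED_OID_ARC}")
        seen_oids[oid] = dn
        # Collision-resistant names carry the organisation prefix.
        if len(name) <= len(ORG_PREFIX) or not name.startswith(ORG_PREFIX):
            note("error", f"lDAPDisplayName {name!r} lacks the {ORG_PREFIX!r} prefix")
        # A meaningful description is populated.
        if not (e.get("description") or e.get("admindescription")):
            note("error", "description/adminDescription is empty")
        if "attributeschema" in classes:
            syntax = e.get("attributesyntax", [""])[0]
            if syntax not in KNOWN_SYNTAXES:
                note("error", f"attributeSyntax {syntax!r} is not an expected AD syntax")
            if int(e.get("searchflags", ["0"])[0]) & 1:        # fATTINDEX bit
                note("warning", "attribute is indexed; justify that it is widely searched")
            if e.get("ismemberofpartialattributeset", ["FALSE"])[0].upper() == "TRUE":
                note("warning", "attribute is in the global catalog; justify that logon needs it")
        elif "classschema" in classes and e.get("objectclasscategory", [""])[0] != "3":
            # Auxiliary classes extend existing objects without re-parenting them.
            note("error", "new classes should be auxiliary (objectClassCategory 3)")
    return findings

# Constructed samples: one that follows the practices and one that breaks them.
GOOD_LDIF = """\
dn: CN=uw-Example-Year,CN=Schema,CN=Configuration,DC=example,DC=edu
changetype: add
objectClass: attributeSchema
lDAPDisplayName: uwExampleYear
attributeID: 1.3.6.1.4.1.99999.100.1.1
attributeSyntax: 2.5.5.9
searchFlags: 0
isMemberOfPartialAttributeSet: FALSE
description: Academic year an account was provisioned for
  (constructed example, not a real NETID attribute)

dn: CN=uw-Example-Aux,CN=Schema,CN=Configuration,DC=example,DC=edu
changetype: add
objectClass: classSchema
lDAPDisplayName: uwExampleAux
governsID: 1.3.6.1.4.1.99999.100.2.1
objectClassCategory: 3
subClassOf: top
mayContain: uwExampleYear
description: Auxiliary class carrying uwExampleYear (constructed example)
"""

BAD_LDIF = """\
dn: CN=year,CN=Schema,CN=Configuration,DC=example,DC=edu
changetype: add
objectClass: attributeSchema
lDAPDisplayName: year
attributeID: 1.2.3.4.5
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE

dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=edu
changetype: modify
"""

if __name__ == "__main__":
    for label, ldif in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(label, *lint_schema_ldif(ldif), sep="\n  ")
```

The good sample passes clean; the bad one trips the prefix, OID, description and syntax checks, and its second entry is rejected outright because it modifies the built-in user class instead of adding an auxiliary class. Indexing and global-catalog membership are reported as warnings rather than errors on purpose: the practices above allow both for attributes that are widely searched or needed at login, so those are settings to justify in the request, not to forbid.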

In addition, some thought should be given to the following questions:

  • How volatile is the data that will employ this schema modification?
  • How will objects using this schema be managed and manipulated?
  • What security settings are required to grant applications/users access to read/modify the data?
  • Who are the users of the data?
  • Are there data privacy issues that should be considered?
  • What is the total data size expected to be added to the directory from this schema modification?