Information technology tools and resources at the UW
NETID Domain Schema
The current NETID domain schema is documented below.
MI will entertain any schema modification requests. All schema modifications must follow schema best practices. Vendors tend to follow these best practices. Custom schema modifications are also possible. Schema best practice is documented below. Schema modifications that are deemed to follow best practices are likely to be added.
NOTE: At this time, MI does not permit any directory information to be written aside from by MI connectors, except to your own user account, and then only to the “personal” attributes that you have write permission to by default. MI connectors are described in the architecture guide. A full list of all user attributes currently in use, and written to by MI connectors is documented here.
|Description (links here take you to our copy of the schema)||Schema Vendor||Date Added||Notes (links here take you to the vendor documentation–which may not exist at a later point in time)|
|Windows Server 2003 R2||Microsoft Corporation||June 29, 2006||Base Schema. See here for vendor documentation|
|Exchange Server 2003||Microsoft Corporation||June 29, 2006|
|UW Enterprise Directory Services /
Group Directory Services
|University of Washington||July 20, 2006||Added uwEntity & uwPrincipal classes and attributes|
|eduPerson||Internet2/EDUCAUSE||July 20, 2006|
|Catalyst Labs – Macintosh Support||University of Washington||July 20, 2006||Added for EPLT labs for Mac authentication. 12/2012: Not used.|
|Dell Remote Access Controller||Dell||August 7, 2006||Allows central management of Dell DRAC-enabled devices|
|Vista Bitlocker TPM Extensions||Microsoft Corporation||February 1, 2007||See here for vendor documentation|
|Exchange Server 2007||Microsoft Corporation||June 1, 2007||See here for vendor documentation|
|Office Communications Server 2007||Microsoft Corporation||November 1, 2007|
|Exchange Server 2007 SP1||Microsoft Corporation||December 12, 2007||See here for vendor documentation|
|Group Service Integration View Access Control||University of Washington||September 17, 2008||Added uwViewAccess to uwDepartmentGroup|
|Windows Server 2008||Microsoft Corporation||March 12, 2009||Not R2. See here for vendor documentation|
|Exchange Server 2007 SP2||Microsoft Corporation||February 23, 2010||See here for vendor documentation|
|Windows Server 2008 R2||Microsoft Corporation||June 17, 2010||See here for vendor documentation|
|Exchange Server 2007 SP3||Microsoft Corporation||August 25, 2010|
|Exchange Server 2010 SP1||Microsoft Corporation||August 25, 2010|
|Exchange Server 2010 SP2||Microsoft Corporation||March 7, 2012|
|uwReadAccess for uwCourseOffering||University of Washington||August 23, 2012||Added uwReadAccess to uwCourseOffering|
|Windows Server 2012||Microsoft Corporation||August 23, 2012||See here for vendor documentation|
|Windows Server 2012 R2||Microsoft Corporation||April 2, 2014||See here for vendor documentation|
|System Center Configuration Manager||Microsoft Corporation||April 2, 2014||See here for vendor documentation|
|2014 Custom Schema||University of Washington||April 2, 2014||Added uwNetIDType, uwEntityType, uwKerberosDelegationSensitiveException, uwDisplayNameOverride, eduPersonAssurance|
|Exchange Server CU7||Microsoft Corporation||December 17, 2014||See here for vendor documentation|
|Local Administrator Password Solution (LAPS)||Microsoft Corporation||March 31, 2017||Added ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd to the computer class|
|Windows Server 2016||Microsoft Corporation||August 17, 2017||See here for vendor documentation|
Custom Schema Best Practices
- Unique OIDs are used for every objectclass and attribute. These OIDs belong to the vendor or organization employing the schema modification OR the OIDs are tied to standards-based schema definitions. The UW has an OID space. Contact the NOC to request an OID arc for custom schema definition. The Netid.washington.edu Windows domain has a delegated OID space, which is documented here.
- Objectclass and attribute names that are not likely to create a future collision. Prepending the vendor or organization’s name to the attribute or objectclass name is recommended to avoid possible collisions. For example, “year” is a poor attribute name choice. “uwYear” is a well-chosen attribute name.
- Objectclass hierarchy doesn’t break existing functionality. For example, inserting a superior objectclass above the user objectclass or a structural objectclass on top of the user objectclass may introduce changes that break existing functionality.
- Thoughtful use of attribute indexing. Indexing can introduce a great deal of overhead. Only attributes that are widely used should be indexed.
- Thoughtful use of when an attribute should be included in the global catalog partition set. Only attributes that are widely used and needed during login should be included in the global catalog.
- Existing schema objects are not modified. (As the Active Directory vendor, Microsoft has in the past modified existing schema objects, and this is acceptable as an exception.)
- Appropriate attribute syntax is used for the data to be stored. Poor choice of syntax can result in unnecessary directory overhead.
- Use auxiliary classes to enhance existing objectclasses.
- Populate the description attribute with meaningful information.
- Schema modifications are in LDIF format.
In addition, some thought should be given to the following questions:
- How volatile is the data that will employ this schema modification?
- How will objects using this schema be managed and manipulated?
- What security settings are required to grant applications/users access to read/modify the data?
- Who are the users of the data?
- Are there data privacy issues that should be considered?
- What is the total data size expected to be added to the directory from this schema modification?