2.7.3.2 Add a New Attribute to the Schema - Client Application
In this use case, an administrator realizes that the set of attributes in the base Active Directory schema does not meet the requirements of an application on the client. To extend the schema, the administrator adds a new attribute to the schema; that is, the administrator creates an object of class attributeSchema. After the new attribute is successfully added to the schema, the administrator can then add the attribute to a class and create objects of that class with the new attribute.
Goal
The client application adds a new attribute to the schema of the Active Directory system.
Context of Use
When the set of attributes in the base Active Directory schema does not meet the requirements of a client application.

Figure 27: Use case diagram for adding a new attribute to the Active Directory schema
Actors
Client application
The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to add a new attribute, and relays the response to the administrator.
Windows Authentication Services
The Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity so that the Active Directory system can make access-control decisions.
Directory server
The directory server is the supporting actor that receives the request and adds the new attribute.
Stakeholders
Administrator
The administrator initiates the addition of a new attribute to the schema. The administrator primarily wants to receive information that the attribute was successfully added or receive an error message if it was not added.
Directory
The directory is the entity that contains the additional attribute.
Preconditions
The system-wide preconditions described in section 2.6 are satisfied. The Active Directory system completes initialization, as described in section 2.6.
The client application has connectivity to a directory server to which it can establish a connection, if it is not already connected, and send the request.
Main Success Scenario
Trigger: The administrator provides the mandatory attributes ([MS-ADTS] section 3.1.1.2) for the new object, along with credentials, as input to the client application, and then invokes the operation that adds a new attribute to the schema.
1. The client application establishes a connection to the directory server that owns the Schema Master FSMO role ([MS-ADTS] section 3.1.1.5.1.8). Windows Authentication Services uses the supplied credentials to authenticate the client application ([MS-AUTHSOD] section 2).
2. The administrator provides the required information for the new schema attribute to the client application.
3. The client application sends a request to the directory server to create a new attribute (an object of class attributeSchema), specifying the values of the attributes that are present on the attributeSchema object.
4. The directory server verifies that the credentials that are supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 3.1.1.2.5).
5. The directory server verifies that it owns the Schema Master FSMO role ([MS-ADTS] section 3.1.1.2.5).
6. The directory server validates the constraints on the new attributeSchema object attributes, as described in [MS-ADTS] section 3.1.1.2.5.
7. The directory server creates an object of class attributeSchema in the directory that represents the new attribute with the values of the attributes that the client application supplied. The directory object is additionally populated with attributes that are mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.2.5, 3.1.1.5.1, and 3.1.1.5.2).
8. The directory server sends a response to the client application that the new attribute has been successfully added to the schema.
Postconditions
The new object of class attributeSchema is created and ready for use.
Extensions
If the credentials that are supplied through the client application have insufficient access-control rights to add the new attribute to the schema:
1-5. Same as Main Success Scenario.
6. The directory server sends a response to the client application that the supplied credentials have insufficient access-control rights to add the new attribute to the schema.
If the directory server to which the client application connects does not own the Schema Master FSMO role ([MS-ADTS] section 3.1.1.2.5):
1-6. Same as Main Success Scenario.
7. The directory server sends a response to the client application with a referral to the directory server that does own the Schema Master FSMO role.
If the attribute name supplied through the client application is not unique:
1-7. Same as Main Success Scenario.
8. The directory server sends a response to the client application that the object name to be created is already in use.
If the attributes that the client application provides do not meet the consistency checks ([MS-ADTS] section 3.1.1.2.5.1.1):
1-7. Same as Main Success Scenario.
8. The directory server sends a response to the client application that it cannot perform the operation.
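The add request from the Main Success Scenario, together with client-side checks that anticipate the name-uniqueness and consistency extensions, as an added example (not part of the original specification or of any Microsoft code). The list of required attributes, the partial syntax table, and every name, OID and DN are assumptions made for illustration.

```python
import re

# Attributes the caller must supply here (assumed; see [MS-ADTS] 3.1.1.2).
REQUIRED = ("cn", "lDAPDisplayName", "attributeID", "attributeSyntax",
            "oMSyntax", "isSingleValued")
# Partial attributeSyntax -> oMSyntax table (assumed subset; extend before use).
SYNTAX_PAIRS = {"2.5.5.12": {64},    # Unicode string
                "2.5.5.9": {2, 10},  # integer / enumeration
                "2.5.5.8": {1}}      # Boolean
OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")


def preflight(attr, existing_names, existing_oids):
    """Return the problems found in a proposed attribute, before any request."""
    problems = [f"missing {k}" for k in REQUIRED if k not in attr]
    if problems:
        return problems
    if not OID_RE.match(attr["attributeID"]):
        problems.append("attributeID is not a dotted OID")
    if attr["oMSyntax"] not in SYNTAX_PAIRS.get(attr["attributeSyntax"], set()):
        problems.append("attributeSyntax/oMSyntax pair not in table")
    if attr["lDAPDisplayName"].lower() in {n.lower() for n in existing_names}:
        problems.append("lDAPDisplayName already in use")
    if attr["attributeID"] in existing_oids:
        problems.append("attributeID already in use")
    return problems


def to_ldif(attr, schema_nc):
    """Render the add request for the attributeSchema object as LDIF text."""
    lines = [f"dn: CN={attr['cn']},{schema_nc}", "changetype: add",
             "objectClass: attributeSchema"]
    for key in REQUIRED:
        value = attr[key]
        if isinstance(value, bool):
            value = "TRUE" if value else "FALSE"
        lines.append(f"{key}: {value}")
    return "\n".join(lines) + "\n"


# Constructed sample input: every name, OID and DN below is a placeholder.
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"
NEW_ATTR = {"cn": "Example-Badge-Number", "lDAPDisplayName": "exampleBadgeNumber",
            "attributeID": "1.3.6.1.4.1.99999.1.1", "attributeSyntax": "2.5.5.12",
            "oMSyntax": 64, "isSingleValued": True}

if __name__ == "__main__":
    found = preflight(NEW_ATTR, {"exampleCostCentre"}, {"1.3.6.1.4.1.99999.1.2"})
    print("\n".join(found) if found else to_ldif(NEW_ATTR, SCHEMA_NC))
```

The directory server remains the authority: it repeats its own checks against the live schema, so a clean pre-flight result does not guarantee that the add succeeds.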