2.7.3.1 Add a New Class to the Schema - Client Application

In this use case, the administrator realizes that the set of classes in the base Active Directory schema does not meet the requirements of an application on the client. The administrator extends the schema by adding a new class to the schema; that is, by creating a new object of the classSchema class. After the new class is successfully added to the schema, the administrator can create objects of the newly defined class.

Goal

The client application adds a new class to the schema of the Active Directory system.

Context of Use

When the set of classes in the base Active Directory schema does not meet the requirements of a client application, the administrator can extend the schema by adding new objects of the classSchema class.

Figure 26: Use case diagram for adding a new class to the Active Directory schema

Actors

  • Client application

    The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to add a new class, and relays the response to the administrator.

  • Windows Authentication Services

    The Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity so that the Active Directory system can make access-control decisions.

  • Directory server

    The directory server is the supporting actor that receives the request and adds the new class.

Stakeholders

  • Administrator

    The administrator initiates the addition of a new class to the schema. The administrator primarily wants to receive information that the class was successfully added or receive an error message if it was not added.

  • Directory

    The directory is the entity that contains the additional class.

Preconditions

  • The system-wide preconditions described in section 2.6 are satisfied. The Active Directory system completes initialization, as described in section 2.6.

  • The client application has connectivity to a directory server to which it can establish a connection, if it is not already connected, and send the request.

Main Success Scenario

  1. Trigger: The administrator provides the mandatory attributes ([MS-ADTS] section 3.1.1.2) for the new class, along with credentials, as input to the client application, and then invokes the operation that adds a new class to the schema.

  2. The client application establishes a connection to the directory server that owns the Schema Master FSMO role ([MS-ADTS] section 3.1.1.5.1.8). Windows Authentication Services uses the supplied credentials to authenticate the client application ([MS-AUTHSOD] section 2).

  3. The client application sends a request to the directory server to create the new class, specifying the values of the attributes of the classSchema object that represents the new class.

  4. The directory server verifies that the credentials that are supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 3.1.1.2.5).

  5. The directory server verifies that it owns the Schema Master FSMO role ([MS-ADTS] section 3.1.1.2.5).

  6. The directory server validates the constraints on the new class attributes, as specified in [MS-ADTS] section 3.1.1.2.5.

  7. The directory server creates an object in the directory that represents the new class with the attributes supplied by the client application. The directory object is additionally populated with attributes that are mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.2.5, 3.1.1.5.1, and 3.1.1.5.2).

  8. The directory server sends a response to the client application indicating that the new class has been successfully added to the schema.

Postcondition

The new object of class classSchema is created and ready for use.

Extensions

  • If the credentials that are supplied through the client application have insufficient access-control rights to add the new schema class:

    1-4. Same as Main Success Scenario.

    5. The directory server sends a response to the client application indicating that the supplied credentials have insufficient access-control rights to add the new class to the schema.

  • If the directory server to which the client application connects does not own the Schema Master FSMO role ([MS-ADTS] section 3.1.1.2.5):

    1-5. Same as Main Success Scenario.

    6. The directory server sends a response to the client application with a referral to the directory server that does own the Schema Master FSMO role.

  • If the class name that is supplied through the client application is not unique:

    1-6. Same as Main Success Scenario.

    7. The directory server sends a response to the client application that the object name to be created is already in use.

  • If the attributes that the client application provides do not meet consistency checks ([MS-ADTS] section 3.1.1.2.5.1.1):

    1-6. Same as Main Success Scenario.

    7. The directory server sends a response to the client application that it cannot perform the operation.
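The Main Success Scenario and the four Extensions above, as an added example that is not part of this specification or of any Microsoft library: a small Python client that checks the administrator's input, builds the classSchema add request, and relays the server's LDAP result code to the outcomes described. The directory server is replaced by an in-memory stand-in, and the mandatory attribute set, the result codes, the schema naming context, the host name and the OID arc are assumptions, not values from the page.

```python
# Added example (constructed; not code from MS-ADOD or any Microsoft library): the client side
# of steps 1-3 plus an in-memory stand-in for the server so steps 4-8 and the extensions run offline.
import re

# LDAP resultCode values (RFC 4511) assumed to carry the outcomes this use case describes.
SUCCESS, REFERRAL, INSUFFICIENT_ACCESS, UNWILLING, ALREADY_EXISTS = 0, 10, 50, 53, 68

# Attributes the client is assumed to supply for a new classSchema object (illustrative set).
REQUIRED = ("cn", "lDAPDisplayName", "governsID", "objectClassCategory", "subClassOf")

class FakeSchemaServer:
    """Stand-in directory server modelling steps 4-8 and the four extensions."""
    def __init__(self, schema_nc, is_master, may_write, master_host="schema-master.example.invalid"):
        self.schema_nc, self.is_master, self.may_write = schema_nc, is_master, may_write
        self.master_host = master_host
        self.classes = {"cn=top": "top", "cn=user": "user"}  # pre-existing classes: rdn -> lDAPDisplayName

    def add(self, dn, entry):
        rdn = dn.split(",", 1)[0].lower()
        if not self.may_write:                       # step 4: caller lacks rights on the schema NC
            return INSUFFICIENT_ACCESS, "insufficientAccessRights"
        if not self.is_master:                       # step 5: not the Schema Master, refer the client
            return REFERRAL, f"ldap://{self.master_host}/{dn}"
        if rdn in self.classes:                      # step 6: class name must be unique
            return ALREADY_EXISTS, "entryAlreadyExists"
        if entry["subClassOf"] not in self.classes.values():   # step 6: subClassOf must exist
            return UNWILLING, "unwillingToPerform: unknown subClassOf"
        if not re.fullmatch(r"\d+(\.\d+)+", entry["governsID"]):  # step 6: governsID must be an OID
            return UNWILLING, "unwillingToPerform: governsID is not an OID"
        self.classes[rdn] = entry["lDAPDisplayName"]  # step 7: object created (server fills defaults)
        return SUCCESS, "success"

def build_class_entry(schema_nc, attrs):
    """Steps 1 and 3: check the administrator's input and build the DN and attribute list to send."""
    missing = [a for a in REQUIRED if a not in attrs]
    if missing:
        raise ValueError(f"missing mandatory classSchema attributes: {missing}")
    dn = f"CN={attrs['cn']},{schema_nc}"
    return dn, {"objectClass": ["top", "classSchema"], **attrs}

def add_schema_class(server, attrs):
    """Steps 2, 3 and 8: send the add to the (assumed) Schema Master and relay the result."""
    dn, entry = build_class_entry(server.schema_nc, attrs)
    return server.add(dn, entry)

NEW_CLASS = {  # constructed sample input; the OID arc is a placeholder, not a real allocation
    "cn": "Example-Badge", "lDAPDisplayName": "exampleBadge",
    "governsID": "1.3.6.1.4.1.99999.1.5.1", "objectClassCategory": "1", "subClassOf": "top",
}
```

A real client would obtain the schema naming context from the RootDSE and locate the role owner through the fSMORoleOwner attribute of the schema NC head before connecting; the stand-in takes those as constructor arguments.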