Active Directory Schema Management
Active Directory consists of objects (users, computers, printers, groups, etc.) and their attributes (properties). The schema is an important component of Active Directory because it defines all the objects and attributes that are used to store data. Active Directory is divided into several partitions. The schema is stored in the schema partition and then replicated to all the domain controllers (DCs) in the entire forest. Whenever you make a change to the schema, every DC in the forest receives that change.
Important Fundamentals of Schema
Some programs that integrate with Active Directory will make the appropriate changes to the schema for you. For example, if you install Microsoft Exchange, the setup program updates the schema and the change is replicated to all the DCs so they know about the new Exchange server. It’s rare that you would have to manually make changes to the schema. Only individuals who are Active Directory experts and are very familiar with the Active Directory schema are qualified to make changes to it. You must be a member of the Schema Admins group to make changes to the schema. Manually making changes to the schema is like doing brain surgery on Active Directory. One serious mistake can potentially burn down your entire forest. Here are some important concepts that you might find helpful when working with the Active Directory schema.
When you install Microsoft Active Directory, the setup program creates the schema, which includes objects and their definitions. You can create new object definitions in the schema, and then create objects based on those definitions, but you cannot delete the Active Directory schema objects or the object definitions. Yes, that’s right. You can only add object definitions to the schema; you cannot delete them. There is a reason for that, but that discussion is beyond the scope of this article. What if you make a mistake when creating object definitions? That’s too bad. I told you modifying the schema manually is like doing brain surgery. The best you can do is deactivate the object definition so it can’t be used to create new Active Directory objects. Microsoft uses the term defunct for objects whose definitions have been deactivated.
Another thing to keep in mind is that you can only deactivate the schema objects that were added to the default Active Directory schema. You cannot, however, deactivate the original schema objects that are part of the default schema because it may negatively impact the Active Directory behavior. Let’s summarize these important points.
- Only members of Schema Admins group can modify the schema.
- You would rarely need to modify the schema manually.
- Schema should only be modified by trained schema professionals.
- You cannot delete schema objects.
- You cannot deactivate schema objects that are part of the default schema.
- You cannot remove object definitions from the schema.
- You can deactivate schema objects that were added to the default schema.
- You can deactivate object definitions in the schema so they cannot be used to create new objects in Active Directory.
- If a schema object is deactivated it will continue to exist in the Active Directory, but you won’t be able to create new instances of that object.
- You can reactivate a deactivated schema object.
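The deactivate/reactivate behaviour summarized above, as an added PowerShell example (not code from the article). It assumes the RSAT ActiveDirectory module, membership in Schema Admins, and a custom attribute or class with a hypothetical lDAPDisplayName such as `contoso-ExampleAttr`; the guard against default schema objects relies on the FLAG_SCHEMA_BASE_OBJECT bit (0x10) in systemFlags, which the directory sets on every object that ships with the base schema.

```powershell
# Added example: mark a custom schema object defunct (or active again) safely.
Import-Module ActiveDirectory

function Set-SchemaObjectDefunct {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [switch]$Reactivate          # omit to deactivate, pass to reactivate
    )
    # Schema writes are only accepted by the Schema Master, so bind to it explicitly.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    $obj = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" `
        -Properties lDAPDisplayName, isDefunct, systemFlags
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found." }

    # Objects that are part of the default schema carry FLAG_SCHEMA_BASE_OBJECT
    # (0x10) in systemFlags. They cannot be made defunct, so stop before writing.
    $FLAG_SCHEMA_BASE_OBJECT = 0x10
    if (([int]$obj.systemFlags -band $FLAG_SCHEMA_BASE_OBJECT) -ne 0) {
        throw "'$LdapDisplayName' is part of the default schema and cannot be deactivated."
    }

    # The definition stays in the schema either way; only the ability to create
    # new instances of it changes.
    $isDefunct = -not $Reactivate.IsPresent
    Set-ADObject -Server $schemaMaster -Identity $obj.DistinguishedName `
        -Replace @{ isDefunct = $isDefunct } -Confirm:$false

    # Ask the Schema Master to reload its in-memory schema cache so the change
    # takes effect now instead of at the next scheduled refresh.
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()

    Get-ADObject -Server $schemaMaster -Identity $obj.DistinguishedName -Properties isDefunct |
        Select-Object Name, lDAPDisplayName, @{ n = 'isDefunct'; e = { [bool]$_.isDefunct } }
}

# Usage with the hypothetical attribute name:
# Set-SchemaObjectDefunct -LdapDisplayName 'contoso-ExampleAttr'              # deactivate
# Set-SchemaObjectDefunct -LdapDisplayName 'contoso-ExampleAttr' -Reactivate  # reactivate
```

Run it as a Schema Admin against a test forest first; like every schema write, the change replicates to every DC in the forest.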
Registering the AD Schema MMC Snap-In
You can use the Active Directory Schema snap-in to manage the Active Directory schema. Because the schema is not something that Microsoft wants us to play around with, Microsoft decided not to add the Schema management console to the Windows Administrative Tools section on the Windows server. That was a smart move to prevent Active Directory administrators from poking around in the console and accidentally making harmful changes to the Active Directory schema.
If you start a new MMC and look for the Active Directory Schema snap-in, you won’t find it because it is not registered by default. You must first register the Active Directory Schema snap-in. This step makes the snap-in available to the MMC so you can add it and manage the schema.
Here’s how you can register and then add the Active Directory Schema snap-in to the MMC console.
- To register the schema snap-in, start a command prompt with administrative credentials and type the following command:
regsvr32.exe schmmgmt.dll
- Click OK.
- Type MMC at the command prompt and then press Enter to start a blank MMC console.
- In the MMC, on the File menu select Add/Remove Snap-in.
- From the available snap-ins, select the Active Directory Schema snap-in, click Add, and then click OK.
- Now you can manage your Active Directory schema. You essentially have just created a schema management console.
There are several tools available to modify the schema. Some are included in Windows Server, others are third-party tools. Of course, you can also use PowerShell to modify the schema. No matter which tool you use, you can only modify the schema on the server that holds the Schema Master role. This is one of the five Operations Master roles assigned to a server. These roles are referred to as FSMO roles. By default, the first domain controller in the forest hosts all five of these FSMO roles. However, you can move these roles to other servers if necessary.
Schema Master Role
Only one server in the enterprise performs the Schema Master role. This role allows modifications to the schema. The Active Directory Schema snap-in can be used to move the Schema Master role from one domain controller to another. This option is available when you right-click the Active Directory Schema folder.
You can also use PowerShell to move the Operations Master role from one server to another. In general, PowerShell is the preferred way and is recommended over the GUI tools.
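The PowerShell route for the Schema Master role described in the two sections above, as an added example (not code from the article). It assumes the RSAT ActiveDirectory module and a hypothetical target domain controller name `DC02`; it also lists the members of Schema Admins, since that is the group the article names as the only one allowed to change the schema.

```powershell
# Added example: find the Schema Master, see who can modify the schema,
# and transfer (not seize) the role to another DC with verification.
Import-Module ActiveDirectory

function Get-SchemaMasterReport {
    $forest = Get-ADForest
    # Schema Admins is a forest-wide group that lives in the forest root domain.
    $admins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
        Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        Forest       = $forest.Name
        SchemaMaster = $forest.SchemaMaster
        SchemaAdmins = $admins
        # A populated group between planned schema changes is a standing path to
        # forest-wide, irreversible edits; keep it empty until a change is scheduled.
        AdminsPresent = [bool]$admins
    }
}

function Move-SchemaMasterRole {
    param([Parameter(Mandatory)][string]$TargetDC)
    $before = (Get-ADForest).SchemaMaster
    if ($before -like "$TargetDC*") {
        Write-Host "$TargetDC already holds the Schema Master role."
        return
    }
    # A transfer requires the current holder to be online and hand the role over.
    # Only add -Force (seize) when the old holder is permanently gone; a seized
    # DC must never be brought back online.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole SchemaMaster -Confirm:$false

    # Verify from the target DC's point of view rather than trusting the cmdlet.
    $after = (Get-ADForest -Server $TargetDC).SchemaMaster
    [pscustomobject]@{
        Before      = $before
        After       = $after
        Transferred = ($after -ne $before)
    }
}

# Usage with the hypothetical DC name:
# Get-SchemaMasterReport
# Move-SchemaMasterRole -TargetDC 'DC02'
```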
Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.
Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.