What is AD Schema and how we can export AD schema to LDF file
Hello All,
Hope this post finds you in good health and spirit.
Today we are going to talk about Active Directory Schema, what is the AD schema and how can we view and export it?
AD Schema is most critical component of active directory. AD Schema consist of classes and attributes and contains formal definitions of every object class that can be created in an AD Forest. it also contains formal definitions of every attribute that can exist in an Active Directory object.
Classes: A class in a schema is essentially a blueprint for creating objects. It defines what an object is and the characteristics it can have. In Active Directory, for example, a class could be a user, group, or computer.
Attributes: Attributes are the specific details that describe an object. Attributes can be mandatory or optional, and they hold data like names, addresses, or Employee Number. For a user object in Active Directory, attributes could include first name, last name, and email address.
How to Register Active Directory Schema MMC Snap-In
By default, the Active Directory Schema MMC snap-in is not registered on domain controllers. To use the snap-in for the first time on a new machine, we will need to register the DLL. To do this, follow the steps below:
- Open an elevated command prompt
- Run the following command: regsvr32 schmmgmt.dll
- You should receive a success message:
Command - regsvr32 schmmgmt.dll
Once you have registered the snap-in, you can add it to an MMC by following these steps:
- Open a new MMC Console (Start>Run>mmc)
- In the MMC Console, go to File>Add/Remove Snap-in
- Add the Active Directory Schema snap-in as shown below:
You can use the MMC Console to access the snap-in after you click OK.
Command to check FSMO roles masters
There are five operations master roles in Active Directory: the schema master, domain naming master, relative identifier (RID) master, primary domain controller (PDC) emulator, and infrastructure master.
netdom query fsmo
There is a single schema for an entire forest. The schema is globally replicated; a copy of the schema exists on every Domain Controller in the forest. Schema changes are global, and Schema additions are not reversible. Once a new class or attribute has been added to the schema, it cannot be removed. An existing attribute or class can be disabled, but not removed.
Disabling a class or attribute does not affect existing instances of the class or attribute, but it prevents new instances from being created. An attribute cannot be disabled if it is included in any class that is not disabled.
How to Export AD Schema via command line
We can export the schema configuration (which is same for all domains in a single forest) using the ldifde command, as shown below.
ldifde -f ProdSchema.ldf -d cn=schema,cn=configuration,dc=windowstechno,dc=local
Now, using the Active Directory Schema Analyzer tool or other third-party tools, you can use this file to compare your schema with another schema output or a live schema.
In next Article, Will demonstrate how to compare schemas, export new attributes from a test environment, and use the LDIFDE tool to import them into a production environment.
Active Directory Schema Version List
Below are the list of Windows server versions and Active Directory schema versions. We can check schema version via PowerShell or manually.
| Window Server Version | Schema Version |
| Windows Server 2000 | 13 |
| Windows Server 2003 | 30 |
| Windows Server 2003 R2 | 31 |
| Windows Server 2008 | 44 |
| Windows Server 2008 R2 | 47 |
| Windows Server 2012 | 56 |
| Windows Server 2012 R2 | 69 |
| Windows Server 2016 | 87 |
| Windows Server 2019/2022 | 88 |
Schema is a very important component of AD and its understanding is vital for technicians who use AD. It helps in standardization of data storage in AD and thereby ensures data integrity during various data handling operations of AD.Schema extension is not something that one would perform often.
However, it must be done carefully after great amount of planning as schema extensions are permanent.The only way to rollback a schema extension is by restoring the backup of the old schema. Therefore, the decision on who has access to schema must be made very judiciously.
Also, see last section of this article for know how we can protect AD schema from unauthorized changes.
So, that’s all in this blog. In next Article, Will demonstrate how to compare schemas, export new attributes from a test environment, and use the LDIFDE tool to import them into a production environment. Have a nice day!!!
Guys please don’t forget to like and share the post. Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them.
You can also share the feedback on below windows techno email id.
If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.
