Active Directory Schema Tools and Settings
In this section
- Active Directory Schema Tools
- Related Information
When existing class and attribute definitions in the Active Directory schema do not meet the needs of your organization, you can use schema-based administrative tools to modify or add schema objects. You can modify an existing attribute or add a new class or attribute to the schema to store a new type of information in the directory. The process of modifying or updating the schema is often referred to as “extending the schema.” In addition to using schema tools to extend the schema, you can perform most schema extensions by using customized applications or Active Directory Service Interfaces (ADSI) scripts.
Note
- Extending the schema is a major change with implications for the entire directory. Extend the schema only when it is absolutely necessary. Many schema modifications cannot be reversed; therefore, you must thoroughly plan and test changes in an isolated environment before you deploy them in your production forest.
This section contains information about the tools that are associated with the Active Directory schema.
Active Directory Schema Tools
Normally, you do not interact directly with the schema on a daily basis. Active Directory uses the schema to create objects that are stored in the directory. You interact with those objects, not with the schema. You interact directly with the schema when you make modifications to the schema by adding definitions to it or by modifying existing definitions. Only members of the Schema Admins group can make changes to the schema. The two most common scenarios for modifying the schema are as follows:
- You install an application that adds customized object definitions so that it can store information in the directory; for example, you install an e-mail program that stores user e-mail names in the directory.
- You test the development of applications that use the directory for data storage. In this scenario, you add customized object definitions to the schema and modify them throughout their lifetimes as the development process proceeds.
Note
- Changes to the schema must be written only on the schema master. Although all domain controllers have a copy of the schema in their Active Directory database, only the domain controller that holds the schema operations master role (one of the flexible single master operations (FSMO) roles) is allowed to write changes to the schema.
The following tools are associated with the Active Directory schema.
Adsiedit.exe: ADSI Edit
Category: ADSI Edit is included when you install Support Tools for Windows Server 2003 and later.
Version compatibility:
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: | Domain controllers running: |
ADSI Edit is a Microsoft Management Console (MMC) snap-in that uses ADSI, which uses the Lightweight Directory Access Protocol (LDAP). You can use ADSI Edit to view and modify directory objects in the Active Directory database. You can also use it to view schema directory partition objects and properties. When you open ADSI Edit, the Schema container is displayed by default. You can expand the container to view schema classes and attributes. To find more information about ADSI Edit, see “Support Tools Help” in Tools and Settings Collection.
Csvde.exe: Csvde
Category: Csvde is a command-line tool that ships with Windows Server 2003.
Version compatibility:
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: | Domain controllers running: |
The comma-separated value (CSV) file format is a simple format whose primary benefit is ease of use. In the CSV file format, each line represents a discrete object in the directory, and the object’s attributes are separated by commas. The first line of the file always contains all of the attribute names. Each subsequent line represents a different entry in the directory. Values for multivalue attributes can also be specified, and they are delimited by semicolons (;). Because this format is compatible with the Microsoft Excel CSV format, you can use Csvde.exe to export directory information to an Excel spreadsheet or to import data from a spreadsheet into Active Directory. You can use this format only for additions to the directory. Csvde.exe cannot be used to modify or delete objects. Csvde.exe also supports batch operations that are based on CSV. The parameters that are used for the Csvde.exe tool are the same as the parameters that are used for the Ldifde.exe tool. However, unlike Ldifde.exe, Csvde.exe can export data from Active Directory into files that can be read by certain applications. For example, if you want to view all Active Directory users in an Excel report, you can use Csvde.exe to export the directory data into the CSV file format, which you can then read in Excel. To find more information about Csvde.exe, see “Command-Line References” in Tools and Settings Collection.
Dsa.msc: Active Directory Users and Computers
Category: Active Directory Users and Computers is an MMC snap-in in Administrative Tools that is installed automatically on all domain controllers running Windows Server 2003.
Version compatibility:
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: | Domain controllers running: |
Active Directory Users and Computers is a graphical user interface (GUI) tool that you can use to manage users and computers in Active Directory domains. To modify the schema, you must use an account that is a member of the Schema Admins group. By default, the only member in the Schema Admins group is the Administrator account in the root domain of the enterprise. You must explicitly add other accounts. You can use Active Directory Users and Computers to verify that an account is a member of the Schema Admins group. Restrict membership in the Schema Admins group to prevent unauthorized access to the schema. Improper modification of the schema can have serious consequences. By default, only members of the Schema Admins group have permission to write to the schema. You can assign explicit permissions to use the Active Directory Schema snap-in to specific users; however, this is not recommended.
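The Csvde.exe file format described above (header line of attribute names, one object per line, semicolon-delimited multivalues) and the Schema Admins membership check from this section, as an added example that is not Microsoft's code. The CSV export, the DNs and the `svc-deploy` account are constructed for the example; the one-member default is the page's own statement.

```python
"""Parse a Csvde.exe-style export and audit Schema Admins membership.
Added example, not Microsoft's code; the export below is constructed."""
import csv
import io

# Constructed sample of the file a csvde export of group objects with the
# objectClass, cn and member attributes produces (hypothetical DNs).
SAMPLE_CSV = """\
DN,objectClass,cn,member
"CN=Schema Admins,CN=Users,DC=contoso,DC=com",top;group,Schema Admins,"CN=Administrator,CN=Users,DC=contoso,DC=com;CN=svc-deploy,OU=Service,DC=contoso,DC=com"
"CN=Domain Users,CN=Users,DC=contoso,DC=com",top;group,Domain Users,
"""

def parse_csvde(text, multivalue_sep=";"):
    """Return one dict per line: attribute name -> list of values.
    The first line holds the attribute names; multivalues are ';'-separated."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    entries = []
    for row in reader:
        if not row:                      # skip blank lines
            continue
        entry = {}
        for name, cell in zip(header, row):
            entry[name] = [v for v in cell.split(multivalue_sep) if v]
        entries.append(entry)
    return entries

def audit_schema_admins(entries, expected):
    """Return Schema Admins members that are not in the expected list.
    By default only the root-domain Administrator account is a member,
    so anything else in the result deserves a review."""
    for e in entries:
        if e.get("cn") == ["Schema Admins"]:
            return sorted(set(e.get("member", [])) - set(expected))
    raise ValueError("Schema Admins group not found in export")

if __name__ == "__main__":
    groups = parse_csvde(SAMPLE_CSV)
    print(audit_schema_admins(groups, ["CN=Administrator,CN=Users,DC=contoso,DC=com"]))
```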
Ldifde.exe: Ldifde
Category: Ldifde is a command-line tool that ships with Windows Server 2003.
Version compatibility:
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: | Domain controllers running: |
Active Directory supports the use of files that are formatted with the LDAP Data Interchange Format (LDIF) for importing and exporting information in the directory. This includes information that is stored in the schema, such as schema modifications. After an LDIF file is created, a tool such as Ldifde.exe performs the import operation by using the LDIF file for input. You can also use Ldifde.exe to add, modify, and delete directory objects; export Active Directory user and group information to other applications or services; and populate Active Directory with data from other directory services. To find more information about Ldifde.exe, see “Command-Line References” in Tools and Settings Collection.
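Because many schema changes cannot be reversed, a pre-flight check of the LDIF file before running the Ldifde.exe import is worth having. The following is an added example, not Microsoft's code: it parses LDIF change records and verifies that each new attributeSchema object sits in the schema partition and carries the attributes it cannot be created without, and that the file ends with the schemaUpdateNow cache reload. The sample LDIF, the attribute name and the OID are constructed placeholders; base64 (`::`) values are kept undecoded.

```python
"""Pre-flight check of a schema-extension LDIF before Ldifde.exe imports it.
Added example, not Microsoft's code; the LDIF, name and OID are placeholders."""
SAMPLE_LDIF = """\
dn: CN=contoso-BadgeId,CN=Schema,CN=Configuration,DC=contoso,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.9999.1
lDAPDisplayName: contoso-BadgeId
attributeSyntax: 2.5.5.12
oMSyntax: 64

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""
REQUIRED = ("attributeID", "lDAPDisplayName", "attributeSyntax", "oMSyntax")

def parse_ldif(text):
    """Return records as dicts of lowercased attribute name -> [values]."""
    records, rec, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#") or line.strip() == "-":
            continue                           # comment / modify separator
        if line == "":                         # blank line closes a record
            if rec:
                records.append(rec)
            rec, last = {}, None
        elif line.startswith(" ") and last:    # folded continuation line
            rec[last][-1] += line[1:]
        else:
            name, _, value = line.partition(":")
            last = name.lower()
            rec.setdefault(last, []).append(value.lstrip(":").strip())
    return records

def check_schema_ldif(text):
    """Return a list of problems; an empty list means the checks pass."""
    recs, problems = parse_ldif(text), []
    for r in recs:
        dn = r.get("dn", [""])[0]
        if "attributeschema" not in [v.lower() for v in r.get("objectclass", [])]:
            continue
        if "cn=schema,cn=configuration" not in dn.lower():
            problems.append(f"{dn}: not in the schema partition")
        problems += [f"{dn}: missing {a}" for a in REQUIRED if a.lower() not in r]
    if not any("schemaupdatenow" in r for r in recs):
        problems.append("no schemaUpdateNow record: schema cache not reloaded")
    return problems
```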
Ntdsutil.exe: Ntdsutil
Category: Ntdsutil is a command-line tool that ships with Windows Server 2003.
Version compatibility:
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: | Domain controllers running: |
Ntdsutil.exe provides advanced management capabilities for Active Directory. For the Active Directory schema, you can use Ntdsutil.exe to identify, transfer, or seize the schema operations master role. This tool is intended for use by experienced administrators. To find more information about Ntdsutil, see “Command-Line References” in Tools and Settings Collection.
Schmmgmt.msc: The Active Directory Schema snap-in
Category: The Active Directory Schema snap-in is an MMC snap-in in Administrative Tools that is installed automatically on all domain controllers running Windows Server 2003. However, you must register it manually before you use it for the first time.
Version compatibility:
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: | Domain controllers running: |
The Active Directory Schema snap-in is a GUI tool that members of the Schema Admins group can use to manage Active Directory objects and their associated attributes. You can use this tool to create and modify classes and attributes. You can also use it to specify which attributes are indexed and which attributes are replicated to the global catalog. The Active Directory Schema snap-in is not one of the default MMC snap-ins that are provided with Windows Server 2003. To make it appear in the list of available snap-ins, install the Windows Server 2003 Administration Tools Pack (Adminpak.msi). To register the Active Directory Schema snap-in, run Regsvr32 Schmmgmt.dll from the command prompt or from the Run command on the Start menu.
ADSI and Visual Basic Scripts
Active Directory provides a set of interfaces that you can use programmatically to gain access to directory objects, including schema objects. ADSI conforms to the Component Object Model (COM), and it supports standard COM features. ADSI defines a directory service model and a set of COM interfaces that you can easily use with a variety of programming languages. With Microsoft Visual Basic Scripting Edition (VBScript) and ADSI, you can write scripts to modify the directory in various ways, including extending the schema. For more information about using ADSI and scripting to modify the schema, see Using Active Directory Service Interfaces in the Microsoft Platform SDK on MSDN. So, that’s all in this blog. I will meet you soon with the next stuff. Have a nice day!!!