Manage the Active Directory Domain Services Schema – Part 1

Introduction

The Active Directory Domain Services (AD DS) schema contains formal definitions of every object class that can be created in an AD DS forest. The schema also contains formal definitions of every attribute that can exist in an AD DS object.

This article series describes the steps required to manage the schema.

In part one we will discuss about:

• Install the Active Directory Schema Snap-In
• Apply Active Directory Schema Administrative Permissions
• View Schema Class and Attribute Definitions
• Create Attributes
• Deactivate Attributes

Install the Active Directory Schema Snap-In

To install the Active Directory Schema snap-in, perform the following steps:

1. Log on to a domain controller or a member computer that has Windows Server 2008 Remote Server Administration Tools (RSAT) installed.

2. Click Start, and click Command Prompt.

3. In the Command Prompt window, type the following command and press Enter: regsvr32 schmmgmt.dll

4. You will receive a notification that schmmgmt.dll was registered successfully, as shown in Figure 1. Click OK and close the Command Prompt window.

Figure 1. schmmgmt.dll was registered successfully

5. Click Start, click Run, type mmc /a, and click OK.

6. On the File menu, click Add/Remove Snap-In.

7. In the Add or Remove Snap-ins window, shown in Figure 2, select Active Directory Schema under Available Snap-ins, click Add, and then click OK. The Active Directory Schema snap-in is added to the MMC console, as shown in Figure 3.

Figure 2. Adding the Active Directory Schema snap-in to the MMC console.

Figure 3. The Active Directory Schema snap-in

8. On the File menu, click Save As.

9. In the Save As window, type systemroot%System32schmmgmt.msc in the File name field, and click Save.

10. Close the console.

11. Right-click Start, and click Open All Users

12. Double-click Programs and double-click Administrative Tools.

13. On the File menu, click New; then click Shortcut.

14. In the Create Shortcut Wizard, shown in Figure 4, in the Type the Location of the Item box, type schmmgmt.msc; then click Next.

15. On the Select a Title for the Program page, in the Type a name for this shortcut, type Active Directory Schema; then click Finish.

16. To verify that the Active Directory Schema shortcut was created successfully, click Start, click Administrative Tools, and verify that Active Directory Schema is listed.

View Schema Class and Attribute Definitions

To view schema class and attribute definitions, perform the following steps:
1. Log on to a domain controller or a member computer that has Windows Server 2008 RSAT installed.
2. Click Start, click Administrative Tools, and click Active Directory Schema.
3. In the console tree, expand Active Directory Schema.
4. To view schema class definitions, click the Classes node in the console tree, as shown Below

5. To view schema attribute definitions, click the Attributes node in the console tree, as shown in Figure below

Create Attributes

To create an attribute, perform the following steps:
1. Log on to a domain controller or a member computer that has Windows Server 2008 RSAT installed.
2. Click Start, click Administrative Tools, and click Active Directory Schema.
3. In the console tree, expand Active Directory Schema and then click Attributes.
4. On the Action menu, click Create Attribute.
5. On the Schema Object Creation warning, shown in the next picture, click Continue.

On the Create New Attribute window, shown in Figure below do the following:

Type a common name in the Common Name field.
Type an LDAP display name in the LDAP Display Name field.
Type the OID in the Unique X500 Object ID field.
Type a description in the Description field, if required.
Select the attribute syntax in the Syntax field.
Type a minimum acceptable value in the Minimum field, if required.
Type a maximum acceptable value in the Maximum field, if required.
Select Multi-Valued if the attributed is a multivalued attribute.

7. Click OK to create the new attribute.

Deactivate Attributes

To deactivate an attribute, perform the following steps:
1. Log on to a domain controller or a member computer that has Windows Server 2008 RSAT installed.
2. Click Start, click Administrative Tools, and click Active Directory Schema.
3. In the console tree, expand Active Directory Schema and then click Attributes.
4. In the details pane, right-click the attribute you want to deactivate and click Properties.
5. On the attribute’s properties page, shown in next Figure, deselect the check box next to Attribute is active.

6. On the warning box for making the schema object defunct, shown in next Figure, click Yes.
7. Click OK to save the changes.