Active Directory Schema Extension example
We have a single forest, single domain environment with all the FSMO roles in one domain controller.
When implementing this in production, take note of which domain controller holds the Schema FSMO role (the schema master), because the change has to be made there.
Note that you can perform the change using the mmc.exe console and the Schema Snap-in.
Ensure the AD replication is working fine before changing the schema:
repadmin /replsum /bysrc /bydest /sort:delta
All domain controllers should show 0 in the Fails column, and the largest deltas (which indicate the number of changes that have been made to the Active Directory database since the last successful replication) should be less than or roughly equal to the replication frequency of the site link that is used by the domain controller for replication.
By default, the Active Directory Schema MMC snap-in is not registered on domain controllers or machines with the Remote Server Administration Tools (RSAT) installed. To use the snap-in for the first time on a new machine, you’ll need to register the DLL. To do this, follow the steps below:
- Open an elevated command prompt
- Run the following command:
regsvr32 schmmgmt.dll
- You should receive a pop-up message that the operation succeeded.
Once you have registered the snap-in, you can add it to an MMC by following these steps:
- Open a new MMC Console (Start>Run>mmc)
- In the MMC Console, go to File>Add/Remove Snap-in
- Add the Active Directory Schema snap-in as shown below:
Once you click OK, you’ll be able to access the snap-in through the MMC Console.

You will need to generate a new OID for the new attribute. Please use the VBScript provided here:
Obtaining an Object Identifier from Microsoft – Win32 apps
You can open an administrative command prompt and call it using:
c:\Scripts>cscript oidgen.vbs
Note that the script will also try to register the schema DLL (which we have already done and confirmed above) and will export the generated information to a file.

It will output a file like this:

Please save this OID for future reference, because we will increment it when adding further extended attributes.
By default, schema modification is disabled. The ability to update the schema is controlled by the following registry value on the schema master domain controller:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed
The value needs to be set to 1.
Recommended naming convention:
Company-Application-AttributeName
For example: company-sap-CostCenter
Open the schema MMC.
Under Attributes, add a new attribute with the following recommended values:
- Common Name: Company-SAP-SF-CostCenter
- LDAP Display Name: companySAPSFCostCenter
- Unique X500 Object ID: the OID generated with the script above, plus the increment (for example: 1.2.840.113556.1.8000.2554.65004.37990.29088.17563.41745.15580546.10748932)
- Description: Company SAP Success Factors Cost Center
- Syntax: Unicode String
- Minimum: 1
- Maximum: 45

Next, locate the User class under Classes and add the newly created attribute under Optional.

Next we will update the schema cache.
- Open ADSI Edit (Run > ADSIEDIT.MSC).
- Connect to the Schema naming context (in this case CN=Schema,CN=Configuration,DC=mene,DC=local).
- Right-click the Schema container and click “Update Schema Now”. This will update the schema cache on this domain controller (the schema master).
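The same extension (attribute creation, User class association and schema cache reload) done with the ActiveDirectory PowerShell module instead of the snap-in and ADSI Edit, as an added example that is not part of the original post. The attribute names are the ones from this post; the OID is the post's sample value and must be replaced with the one your oidgen.vbs run produced, plus your increment.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Values below follow the post's naming.
$attrLdapName   = 'companySAPSFCostCenter'
$attrCommonName = 'Company-SAP-SF-CostCenter'
# Sample OID taken from the post; replace with your own generated OID plus increment.
$attrOid = '1.2.840.113556.1.8000.2554.65004.37990.29088.17563.41745.15580546.10748932'

# 1. Schema writes must go to the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$rootDse  = Get-ADRootDSE -Server $schemaMaster
$schemaNC = $rootDse.schemaNamingContext

# 2. Pre-flight: refuse to continue if the schema master reports replication failures.
if (Get-ADReplicationFailure -Target $schemaMaster) {
    throw "Replication failures reported on $schemaMaster; fix replication before changing the schema."
}

# 3. The post requires 'Schema Update Allowed' = 1 on the schema master; warn if it is not set.
$regPath = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$allowed = Invoke-Command -ComputerName $schemaMaster -ScriptBlock {
    (Get-ItemProperty -Path $using:regPath -Name 'Schema Update Allowed' -ErrorAction SilentlyContinue).'Schema Update Allowed'
}
if ($allowed -ne 1) { Write-Warning "'Schema Update Allowed' is not 1 on $schemaMaster; the write may be rejected." }

# 4. lDAPDisplayName and attributeID must both be unique in the schema; stop on a clash.
$filter = "(|(lDAPDisplayName=$attrLdapName)(attributeID=$attrOid))"
$dup = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter $filter
if ($dup) { throw "An attribute with this name or OID already exists: $($dup.DistinguishedName)" }

# 5. Create the attributeSchema object. attributeSyntax 2.5.5.12 + oMSyntax 64 is Unicode String.
New-ADObject -Server $schemaMaster -Name $attrCommonName -Type 'attributeSchema' -Path $schemaNC -OtherAttributes @{
    lDAPDisplayName  = $attrLdapName
    adminDisplayName = $attrCommonName
    adminDescription = 'Company SAP Success Factors Cost Center'
    attributeID      = $attrOid
    attributeSyntax  = '2.5.5.12'
    oMSyntax         = 64
    isSingleValued   = $true
    rangeLower       = 1      # Minimum length from the post
    rangeUpper       = 45     # Maximum length from the post
}

# 6. Reload the schema cache so the new attribute can be referenced by the User class.
$rootDseAdsi = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDseAdsi.Put('schemaUpdateNow', 1); $rootDseAdsi.SetInfo()

# 7. Associate it with the User class as an optional (mayContain) attribute, then reload again.
Set-ADObject -Server $schemaMaster -Identity "CN=User,$schemaNC" -Add @{ mayContain = $attrLdapName }
$rootDseAdsi.Put('schemaUpdateNow', 1); $rootDseAdsi.SetInfo()
```

Run it as a member of Schema Admins on a machine with RSAT; the duplicate check in step 4 is what prevents a second run from creating a conflicting attribute with the same OID.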


Replicating the new attribute takes at least 15 minutes and can take longer. Once all domain controllers have replicated the Schema naming context, the attribute will be available on any user object.
External resources:
How to extend the schema – Win32 apps
How to Register Active Directory Schema MMC Snap-In
Impact of Schema Changes – Win32 apps
