Microsoft KB Archive/326310

= HOW TO: Manage the Active Directory Schema in Windows Server 2003 Enterprise Edition =

PSS ID Number: 326310

Article Last Modified on 11/5/2003

-

The information in this article applies to:


 * Microsoft Windows Server 2003, Enterprise Edition

-



This article was previously published under Q326310



SUMMARY
This article describes how to manage the Active Directory schema in a Windows Server 2003 Enterprise Edition environment. The Active Directory schema is the set of definitions that specifies the kinds of objects that can be stored in the directory and the information that can be held about each of them. These definitions are themselves stored in Active Directory as objects, so that Active Directory can manage them with the same object management operations that are used for the rest of the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or as metadata.

You can enable new domain-wide or forest-wide Active Directory features only when all domain controllers in the domain or forest are running Windows Server 2003 and the domain or forest functional level has been raised to Windows Server 2003. One of the forest-wide features concerns defunct schema objects: a class or attribute that has been deactivated can be redefined (its identifiers reused for a new definition) once the forest functional level is Windows Server 2003. Deactivating a class or attribute does not itself require the raised functional level.

By default, the following Active Directory schema features are available on any domain controller that is running Windows Server 2003.
 * Selective class creation: You can create instances of several classes that are part of the base schema of a Windows Server 2003 forest, including country or region, person, organizationalPerson, groupOfNames, device, and certificationAuthority.
 * InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal. You can use this class in the same manner as the user class, and you can use the userPassword attribute to set the account password.


Install the Active Directory Schema Snap-in

 * 1) Log on as an administrator.
 * 2) Perform one of the following steps:
 * On computers that are running Windows XP Professional, insert the Windows Server 2003 installation compact disc (CD) in the CD drive, click Browse this CD, double-click the I386 folder, double-click Adminpak, and then follow the instructions that appear in the Administration Tools Setup Wizard.

-or-
 * On servers that are running Windows Server 2003, register the Schmmgmt.dll file by using the Regsvr32 command-line tool (regsvr32 schmmgmt.dll).
 * 3) Click Start, click Run, type mmc /a, and then click OK.
 * 4) On the File menu, click Add/Remove Snap-in, and then click Add.
 * 5) Under Snap-in, double-click Active Directory Schema, and then click Close.
 * 6) If you do not have any more snap-ins to add to the console, click OK.
 * 7) To save this console, click Save on the File menu.

You can name the saved console Active Directory Schema so that it is easier to identify.

CAUTION: Modifying the schema is an advanced operation that is best performed programmatically by experienced programmers and system administrators. For detailed information about how to modify the schema, see the Active Directory Programmer's Guide. To obtain this guide, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp

NOTE: To perform this procedure on a domain controller, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory. Microsoft recommends that you consider using the run as command to perform this procedure.

You cannot install the Windows Server 2003 Administration Tools Pack on computers that are running Microsoft Windows 2000 Professional or Microsoft Windows 2000 Server.


Add a Member to the Schema Admins Group

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the forest root domain node, and then click Users. Alternatively, click the folder that contains the user account that you want to configure.
 * 3) In the details pane, right-click the user account that you want to add, and then click Properties.
 * 4) Click the Member Of tab, and then click Add.
 * 5) In the Name box, type schema admins and then click OK.

NOTE: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory. Microsoft recommends that you consider using the run as command to perform this procedure.

By default, only members of the Schema Admins group can modify the schema, and a schema change applies to the whole forest and cannot be undone (a class or attribute can only be deactivated, never deleted). Keep the group's membership empty except while a schema change is actually being performed, and remove the account again afterward by using the procedure in the next section.

To add users and computers to a group, you can also select the users and computers that you want to add, click the toolbar button that adds the selected objects to a group, and then click the group into which you want to add them.


Remove a Member from the Schema Admins Group

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the forest root domain node, and then click Users.
 * 3) In the details pane, right-click the Schema Admins group, and then click Properties.
 * 4) On the Members tab, click the members that you want to delete, and then click Remove.

NOTE: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory. Microsoft recommends that you consider using the run as command to perform this procedure.


How to Modify Schema Permissions

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Schema Console.
 * 2) In the console tree, right-click Active Directory Schema, and then click Permissions.
 * 3) On the Security tab, click the group whose permissions you want to change.
 * 4) In the Permissions box, select Allow or Deny for the permissions that you want to change.

NOTE: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory. Microsoft recommends that you consider using the run as command to perform this procedure.

If the Active Directory Schema snap-in is not installed, perform the procedure that is described in the "Install the Active Directory Schema Snap-in" section of this article.


Add an Attribute to the Global Catalog

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Schema Console.
 * 2) In the console tree, click Attributes.
 * 3) In the details pane, right-click the attribute that you want to add to the global catalog, and then click Properties.
 * 4) Click Replicate this attribute to the global catalog.

WARNING: If the forest functional level is not set to Windows Server 2003 and you add a new attribute to the global catalog, full synchronization of the global catalog occurs. As a result, when you add a new attribute to the global catalog attribute set, all attributes that were previously part of the global catalog and the new attribute are immediately synchronized throughout the forest.


Index an Attribute in Active Directory

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Schema Console.
 * 2) In the console tree, click Attributes.
 * 3) In the details pane, right-click the attribute that you want to index, and then click Properties.
 * 4) Click Index this attribute in the Active Directory.


Index Attributes for a Containerized Search

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Schema Console.
 * 2) In the console tree, click Attributes.
 * 3) In the details pane, right-click the attribute that you want to index, and then click Properties.
 * 4) Select the Index this attribute for containerized searches in the Active Directory check box.

NOTE: To complete this procedure, you must first index an attribute.


Configure the Computer to Extend the Schema

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Schema Console.
 * 2) In the console tree, right-click Active Directory Schema, and then click Operations Master.

The Operations Master dialog box shows the domain controller that currently holds the schema master role. Schema changes are written only on that domain controller, so before you extend the schema, either connect the console to the schema master or make the computer that you are using the schema master by clicking Change in this dialog box.

NOTE: For more information about extending the schema, search the Help files for "extend schema," and then review the important points before you extend the schema.


Deactivate a Class or Attribute

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Schema Console.
 * 2) Perform one of the following tasks:
 * 3) * To deactivate a class, click Classes in the console tree, right-click the class that you want to deactivate in the details pane, and then click Properties.
 * 4) * To deactivate an attribute, click Attributes in the console tree, right-click the attribute you want to deactivate in the details pane, and then click Properties.
 * 5) On the General tab, click to clear either the Class is active check box or the Attribute is active check box, as appropriate.

NOTE: The status of an attribute or class is displayed in the Status column of the details pane. After a class or attribute has been deactivated, it is considered defunct. To view defunct classes or attributes, click Classes or Attributes, and then click Defunct Objects on the View menu.

You cannot deactivate default schema attributes or classes in the base schema. Only attributes or classes that are added as extensions to the base schema can be deactivated.

You can deactivate classes and attributes that were added as extensions to the base schema without raising the forest functional level. However, you can redefine these deactivated items only in forests whose forest functional level is set to Windows Server 2003.


Reactivate a Class or Attribute

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Schema Console.
 * 2) Perform one of the following tasks:
 * 3) * To reactivate a defunct class, click Classes in the console tree, right-click the class that you want to reactivate in the details pane, and then click Properties.
 * 4) * To reactivate a defunct attribute, click Attributes in the console tree, right-click the attribute you want to reactivate in the details pane, and then click Properties.
 * 5) On the General tab, click to select either the Class is active check box or the Attribute is active check box, as appropriate.

NOTE: Only classes and attributes that were added as extensions to the base schema can be defunct, because base schema objects cannot be deactivated in the first place. The Status column of the details pane shows whether an object is active or defunct, and defunct objects are listed only when Defunct Objects is selected on the View menu.


Reload the Schema

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Schema Console.
 * 2) In the console tree, right-click Active Directory Schema, and then click Reload the Schema.

Reloading refreshes the schema cache on the domain controller that the console is connected to, so that schema changes you have just made become usable immediately instead of after the next automatic cache update.
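The snap-in check boxes in the "Add an Attribute to the Global Catalog", "Index an Attribute in Active Directory", "Index Attributes for a Containerized Search", "Deactivate a Class or Attribute", "Reactivate a Class or Attribute" and "Reload the Schema" sections each write one attribute of the attributeSchema object or of the rootDSE. The following Python program is an added example for this page, not code from the article or from Microsoft: it stages those writes, enforces the two rules the article states (containerized indexing needs an indexed attribute; base schema objects cannot be made defunct), reports the global catalog replication impact described in the WARNING, and emits the LDIF that ldifde would apply on the schema master. The attribute names searchFlags, isMemberOfPartialAttributeSet, isDefunct, systemFlags and the schemaUpdateNow operation are real Active Directory interfaces; the forest DC=example,DC=com and the attribute exampleBadgeId are constructed for the example.

```python
"""LDIF generator for the schema changes this article makes with the snap-in:
adding an attribute to the global catalog, indexing it, indexing it for
containerized searches, deactivating or reactivating it, and reloading the
schema.

Added example for this page; not code from the article or from Microsoft.
The attributeSchema attributes written here (searchFlags,
isMemberOfPartialAttributeSet, isDefunct, systemFlags) and the rootDSE
schemaUpdateNow operation are real Active Directory interfaces; the forest
DC=example,DC=com and the attribute "exampleBadgeId" are constructed.
Apply the output on the schema master, for example: ldifde -i -f change.ldf
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# searchFlags bits on attributeSchema objects.
INDEX = 0x01            # snap-in: "Index this attribute in the Active Directory"
CONTAINER_INDEX = 0x02  # snap-in: "Index this attribute for containerized searches"

# systemFlags bit that marks a base-schema (Category 1) object. The article's
# rule that base schema objects cannot be deactivated is enforced on this bit.
FLAG_SCHEMA_BASE_OBJECT = 0x10

# Forest functional level (msDS-Behavior-Version): 0 = Windows 2000,
# 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
FOREST_LEVEL_WS2003 = 2


@dataclass
class SchemaAttribute:
    cn: str                 # schema object's common name, e.g. Sam-Account-Name
    ldap_display_name: str  # e.g. sAMAccountName
    search_flags: int = 0
    in_partial_attribute_set: bool = False   # isMemberOfPartialAttributeSet
    system_flags: int = 0
    is_defunct: bool = False
    pending: List[Tuple[str, str]] = field(default_factory=list)  # staged writes

    def stage(self, name: str, value: str) -> None:
        """Record one attribute write, replacing any earlier write of the same attribute."""
        self.pending = [p for p in self.pending if p[0] != name] + [(name, value)]

    def dn(self, schema_nc: str) -> str:
        return f"CN={self.cn},{schema_nc}"


def set_index(attr: SchemaAttribute, containerized: bool = False) -> int:
    """Index the attribute. The snap-in offers containerized indexing only for an
    attribute that is already indexed, so both bits are set together."""
    attr.search_flags |= INDEX
    if containerized:
        attr.search_flags |= CONTAINER_INDEX
    attr.stage("searchFlags", str(attr.search_flags))
    return attr.search_flags


def add_to_global_catalog(attr: SchemaAttribute, forest_level: int) -> str:
    """Add the attribute to the partial attribute set and report the replication
    impact described in the article's WARNING."""
    attr.in_partial_attribute_set = True
    attr.stage("isMemberOfPartialAttributeSet", "TRUE")
    if forest_level < FOREST_LEVEL_WS2003:
        return "full synchronization of every global catalog in the forest"
    return "replication of the new attribute only"


def deactivate(attr: SchemaAttribute) -> None:
    """Make the attribute defunct; refused for base-schema objects."""
    if attr.system_flags & FLAG_SCHEMA_BASE_OBJECT:
        raise ValueError(f"{attr.ldap_display_name} is part of the base schema and cannot be deactivated")
    attr.is_defunct = True
    attr.stage("isDefunct", "TRUE")


def reactivate(attr: SchemaAttribute) -> None:
    """Reactivate a defunct attribute."""
    attr.is_defunct = False
    attr.stage("isDefunct", "FALSE")


def _modify_record(dn: str, changes: List[Tuple[str, str, str]]) -> str:
    """One LDIF 'changetype: modify' record; each change is (op, attribute, value)."""
    lines = [f"dn: {dn}".rstrip(), "changetype: modify"]
    for op, name, value in changes:
        lines += [f"{op}: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines) + "\n"


def reload_schema_record() -> str:
    """Programmatic form of the snap-in's 'Reload the Schema' command: writing
    schemaUpdateNow to the rootDSE refreshes the schema cache immediately."""
    return _modify_record("", [("add", "schemaUpdateNow", "1")])


def schema_ldif(attr: SchemaAttribute, schema_nc: str) -> str:
    """LDIF for the staged writes, followed by the schema cache reload.
    Staged writes are cleared once they have been emitted."""
    changes = [("replace", name, value) for name, value in attr.pending]
    attr.pending = []
    body = _modify_record(attr.dn(schema_nc), changes) + "\n" if changes else ""
    return body + reload_schema_record()


if __name__ == "__main__":
    # Constructed scenario: a schema extension in a forest still at Windows 2000 level.
    badge = SchemaAttribute(cn="example-Badge-Id", ldap_display_name="exampleBadgeId")
    set_index(badge, containerized=True)
    print("GC impact:", add_to_global_catalog(badge, forest_level=0))
    print(schema_ldif(badge, "CN=Schema,CN=Configuration,DC=example,DC=com"))
```

The generated file contains two records: a modify on the attribute's schema object (searchFlags 3, isMemberOfPartialAttributeSet TRUE) and the rootDSE write of schemaUpdateNow. Import the file with ldifde on the schema master while the account used is a member of Schema Admins, and remove it from the group afterward.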


Create an InetOrgPerson Account
Active Directory provides support for the InetOrgPerson object class and its associated attributes as defined in Request for Comments (RFC) 2798. The InetOrgPerson object class is used in several non-Microsoft Lightweight Directory Access Protocol (LDAP) and X.500 directory services to represent people in an organization.

Support for InetOrgPerson makes migrations from other LDAP directories to Active Directory more efficient. The InetOrgPerson object class is derived from the user class and can be used as a security principal just like the user class.
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the domain node.
 * 3) In the details pane, right-click the organizational unit where you want to add the user account, point to New, and then click InetOrgPerson.
 * 4) In the First name box, type the user's first name.
 * 5) In the Initials box, type the user's initials.
 * 6) In the Last name box, type the user's last name.
 * 7) Modify the Full name box as appropriate.
 * 8) In the User logon name box, type the name that the user logs on with, and then click the user principal name (UPN) suffix that must be appended to the user logon name (after the at symbol [@]).
 * 9) In the Password box and the Confirm password box, type the user's password.
 * 10) Select the appropriate password settings.


