The aim of this article is to give you the key points for extending the AD DS schema: adding new classes or attributes, or adding new attributes to existing Active Directory classes.
- To request a private enterprise number: www.iana.org/cgi-bin/assignments.pl
- AD schema conflict analyzer: http://gallery.technet.microsoft.com/ScriptCenter/0672d181-ab2c-4c92-8466-d93a67412207/
- Troubleshooting AD schema: http://technet2.microsoft.com/WindowsServer/en/Library/6008f7bf-80de-4fc0-ae3e-51eda0d7ab651033.mspx
- Deprecated: OIDGen: http://go.microsoft.com/fwlink/?LinkId=110453
- Extending the Schema: http://msdn.microsoft.com/en-us/library/ms676900(v=VS.85).aspx
- What You Must Know Before Extending the Schema: http://msdn.microsoft.com/en-us/library/ms677995(v=VS.85).aspx
- How to Extend the Schema: http://msdn.microsoft.com/en-us/library/ms676929(v=VS.85).aspx
- Example Code for Extending the Schema Programmatically: http://msdn.microsoft.com/en-us/library/ms676735(v=VS.85).aspx
- Obtaining a Root OID from an ISO Name Registration Authority: http://msdn.microsoft.com/en-us/library/ms677621.aspx
- Obtaining an Object Identifier from Microsoft: http://msdn.microsoft.com/en-us/library/ms677620.aspx
- Generates an object identifier (OID) using a GUID and the OID prefix 1.2.840.113556.1.8000.2554 (script): http://gallery.technet.microsoft.com/ScriptCenter/en-us/56b78004-40d0-41cf-b95e-6e795b2e8a06 (do not use oidgen.exe; use uuidgen.exe instead)
- Generate a UUID for each new class/attribute; UUID generator: http://www.somacon.com/p113.php
How to Extend the Schema
When the existing classes and/or attributes do not fit with the type of data that you want to store, you might want to extend the schema. For more information on deciding when to
extend the schema, see Extending the Schema. When you have decided that schema extension is required, use the following procedure to extend the schema.
Verify Active Directory functionality before you apply any schema extensions
Verify Active Directory functionality before you update the schema to help ensure that the schema extension proceeds without error. At a minimum, ensure that all domain
controllers for the forest are online and performing inbound replication.
To verify Active Directory functionality before you apply the schema extension
- Log on to an administrative workstation that has the Windows Support Tool Repadmin.exe installed.
Open a command prompt, and then change directories to the folder in which the Windows Support Tools are
- At a command prompt, type the following, and then press ENTER:
repadmin /replsum /bysrc /bydest /sort:delta
All domain controllers should show 0 in the Fails column, and the largest deltas (which indicate the number of changes that have been made to the Active
Directory database since the last successful replication) should be less than or roughly equal to the replication frequency of the site link that is used by
the domain controller for replication. The default replication frequency is 180 minutes.
For more information about additional steps that you can take to verify Active Directory functionality before you apply the schema extension, see article 325379 in
the Microsoft Knowledge Base.
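The two conditions above (every Fails count is 0, every largest delta is at most the replication frequency) can be checked automatically rather than read off the screen. The following Python script is an added example, not part of the original article: it parses a constructed sample of repadmin /replsum /bysrc /bydest /sort:delta output (the DC names, timestamps and the error line are made up) and reports anything that should stop the schema extension. It assumes the column layout shown in the sample and the 180-minute default frequency named in the text.

```python
import re

# Default intersite replication frequency named in the article, in minutes.
DEFAULT_REPL_FREQUENCY_MINUTES = 180

# Constructed sample of "repadmin /replsum /bysrc /bydest /sort:delta" output.
# DC names, timestamps and the error line are made up for the example.
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2024-01-15 09:00:00

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 DC01                      12m:30s    0 /   5    0
 DC02                   04h:15m:10s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 DC01                      12m:30s    0 /   5    0
 DC02                   04h:15m:10s    1 /   5   20  (8453) Replication access was denied.
"""

# One DSA row: name, largest delta, fails / total, percent, optional error text.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)(?:\s+(.*))?$")
# Delta as repadmin prints it, e.g. "12m:30s", "04h:15m:10s" or "02d.04h:15m:10s".
DELTA_RE = re.compile(r"(?:(\d+)d\.)?(?:(\d+)h:)?(?:(\d+)m:)?(\d+)s")


def delta_minutes(delta):
    """Convert a repadmin delta to minutes; None for values such as '>60 days' or 'unknown'."""
    m = DELTA_RE.fullmatch(delta)
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def parse_replsum(text):
    """Return one dict per DSA row from the Source and Destination tables."""
    rows, section = [], None
    for line in text.splitlines():
        if line.startswith("Source DSA"):
            section = "source"
            continue
        if line.startswith("Destination DSA"):
            section = "destination"
            continue
        m = ROW_RE.match(line)
        if m and section:
            name, delta, fails, total, _pct, error = m.groups()
            rows.append({
                "section": section, "dsa": name, "delta": delta,
                "delta_minutes": delta_minutes(delta),
                "fails": int(fails), "total": int(total),
                "error": (error or "").strip(),
            })
    return rows


def replication_health(text, max_delta_minutes=DEFAULT_REPL_FREQUENCY_MINUTES):
    """Apply the article's two checks: every Fails count is 0 and every largest
    delta is at most the replication frequency. Returns a list of findings;
    an empty list means the forest is ready for the schema update."""
    problems = []
    for r in parse_replsum(text):
        where = f"{r['section']} DSA {r['dsa']}"
        if r["fails"] > 0:
            problems.append(f"{where}: {r['fails']}/{r['total']} replication failures {r['error']}".rstrip())
        if r["delta_minutes"] is None or r["delta_minutes"] > max_delta_minutes:
            problems.append(f"{where}: largest delta {r['delta']} exceeds {max_delta_minutes} minutes")
    return problems


def ready_for_schema_update(text):
    """True only when no finding was raised."""
    return not replication_health(text)


if __name__ == "__main__":
    for finding in replication_health(SAMPLE_REPLSUM) or ["no replication problems found"]:
        print(finding)
```

On the sample, DC02 is flagged three times (a 4-hour delta as source and as destination, plus one failure as destination), so the procedure should stop there; a value such as ">60 days" or "unknown" is treated as a finding rather than silently ignored. Replace the sample string with the captured output of the real command, or pass a different frequency if the site link for the schema master uses one.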
Extend the Schema
- Create a backup of the schema master domain controller’s system state using the NTBACKUP utility. To start the NTBACKUP utility, click Start, click Run
and type ntbackup.
- Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group; only members of that group can successfully extend the schema.
- In most cases, perform the extension on the domain controller that holds the Schema Master FSMO role (read more about Understanding FSMO Roles in Active Directory).
- Open the Run command and type: regsvr32 schmmgmt.dll (this registers the Active Directory Schema snap-in, which is not registered by default).
- Next, open Run, type mmc.exe and press Enter.
- In the new MMC window, click File > Add/Remove Snap-in.
- Click Add, then, in the Add Standalone Snap-in window, select the Active Directory Schema snap-in from the list. Click Add again.
Determine the method of extension. Once you have carefully designed your schema changes, the next step is to decide which method to use to extend the schema. You can
use one of the following methods:
- Manually, using import files. See the documentation Using the LDIFDE Tool.
Note: Do not use LDIFDE to import Windows Sch*.ldf files. Those files are required to extend the Active Directory schema in order to install domain controllers that run a newer version of Windows Server than the version that is running on the current schema master. When you need to extend the schema in order to install a new domain controller, use
- Obtain an Object Identifier (OID) for your new attributes and/or classes, as described in Obtaining an Object Identifier.
- Generate a UUID for each new class/attribute, using uuidgen.exe or an online UUID generator: http://www.somacon.com/p113.php
- Follow the step-by-step instructions to add new classes and attributes to the Active Directory schema. Before you extend your Active Directory schema, test the schema extensions for conflicts with your current Active Directory schema. For information on testing Active Directory schema extensions, see Testing for Active Directory Schema Extension Conflicts.
- Verify that the schema extension was successful.
- If the schema extension procedure was successful, reconnect the schema master domain controller to the network and allow it to replicate the schema extensions to the global catalog servers throughout the Active Directory forest.
- If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1; this reverses the schema extension before the schema master domain controller is reconnected to the network. To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally: http://go.microsoft.com/fwlink/?LinkId=75622
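For the "import files" method named in the procedure, the following Python script is an added example (not the article's own material, and not a Microsoft tool) that writes the LDIF a practitioner would hand to ldifde: one record that creates a new attributeSchema object, a schemaUpdateNow record so the schema master reloads its cache, and a record that adds the attribute to the mayContain list of an existing class such as User. The attribute name contoso-EmployeeBadge, the OID 1.2.840.113556.1.8000.2554.1.1 and the DC=X placeholder forest root are constructed values for the example; the attributeSyntax/oMSyntax pairs are the standard AD values for the three syntaxes listed.

```python
import base64
import uuid

# attributeSyntax / oMSyntax pairs for three common AD attribute syntaxes.
SYNTAXES = {
    "unicode": ("2.5.5.12", 64),   # Unicode string
    "integer": ("2.5.5.9", 2),     # 32-bit integer
    "boolean": ("2.5.5.8", 1),     # TRUE / FALSE
}

# "DC=X" is a placeholder forest root; ldifde substitutes the real one at import
# time with: -c "DC=X" "DC=contoso,DC=com"
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=X"


def schema_id_guid_line(guid):
    """schemaIDGUID holds the 16 raw GUID bytes in Windows field order (bytes_le);
    LDIF carries binary values base64-encoded after a double colon."""
    raw = uuid.UUID(str(guid)).bytes_le
    return "schemaIDGUID:: " + base64.b64encode(raw).decode("ascii")


def decode_schema_id_guid(line):
    """Inverse of schema_id_guid_line, for checking a generated file."""
    raw = base64.b64decode(line.split("::", 1)[1].strip())
    return str(uuid.UUID(bytes_le=raw))


def attribute_ldif(ldap_name, oid, syntax, guid, single_valued=True, indexed=False, description=""):
    """LDIF record that creates one attributeSchema object."""
    if syntax not in SYNTAXES:
        raise ValueError(f"unsupported syntax {syntax!r}; choose one of {sorted(SYNTAXES)}")
    attribute_syntax, om_syntax = SYNTAXES[syntax]
    lines = [
        f"dn: CN={ldap_name},{SCHEMA_NC}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"attributeID: {oid}",
        f"lDAPDisplayName: {ldap_name}",
        f"adminDisplayName: {ldap_name}",
        f"attributeSyntax: {attribute_syntax}",
        f"oMSyntax: {om_syntax}",
        f"isSingleValued: {'TRUE' if single_valued else 'FALSE'}",
        f"searchFlags: {1 if indexed else 0}",       # 1 = index this attribute
        "isMemberOfPartialAttributeSet: FALSE",       # not replicated to global catalogs
        schema_id_guid_line(guid),
    ]
    if description:
        lines.append(f"adminDescription: {description}")
    return "\n".join(lines) + "\n"


def add_to_class_ldif(class_cn, attribute_ldap_name):
    """LDIF record that adds the attribute to an existing class's mayContain."""
    return "\n".join([
        f"dn: CN={class_cn},{SCHEMA_NC}",
        "changetype: modify",
        "add: mayContain",
        f"mayContain: {attribute_ldap_name}",
        "-",
    ]) + "\n"


def schema_update_now_ldif():
    """Ask the schema master to reload its schema cache so the next record can
    reference objects created just before it."""
    return "\n".join(["dn:", "changetype: modify", "add: schemaUpdateNow", "schemaUpdateNow: 1", "-"]) + "\n"


def build_ldif(attr_name, attr_oid, attr_guid, target_class_cn="User"):
    """Whole file: create the attribute, reload, attach it to the class, reload."""
    records = [
        attribute_ldif(attr_name, attr_oid, "unicode", attr_guid, indexed=True,
                       description="Constructed example attribute"),
        schema_update_now_ldif(),
        add_to_class_ldif(target_class_cn, attr_name),
        schema_update_now_ldif(),
    ]
    return "\n".join(records)


if __name__ == "__main__":
    # Placeholder OID under the article's GUID-derived prefix; substitute your own root.
    print(build_ldif("contoso-EmployeeBadge", "1.2.840.113556.1.8000.2554.1.1", uuid.uuid4()))
```

Save the output as schema.ldf and import it on the schema master with ldifde -i -f schema.ldf -c "DC=X" "DC=contoso,DC=com" -j . (the -c switch rewrites the placeholder to your forest root). The schemaUpdateNow record between the two steps matters: without it the mayContain modification can fail because the schema cache does not yet know the new attribute.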
When you define a new attribute object, you must set a number of properties on the attributeSchema object; the list of these properties, with a description of each, is at http://go.microsoft.com/fwlink/?LinkId=110445
One mandatory property is the object identifier (OID), stored in governsID for classSchema objects and in attributeID for attributeSchema objects. OIDs are unique numeric values assigned by issuing authorities to identify the objects; the numbering scheme is governed by the LDAP protocol definition (RFC 2251). Some of the OIDs in the Active Directory schema are issued by the International Organization for Standardization (ISO) and some are issued by Microsoft. An OID must be unique for an object within the directory.
The OID is a dotted string of numbers, for instance 1.2.840.113556.1.y.z. For example, the OID of the user classSchema object is 1.2.840.1135220.127.116.11.
When an organization intends to extend the schema, it ensures that its OIDs are unique by obtaining its own OID root number, which is then branched to provide unique IDs for the new object classes and attributes that the organization creates. The OID root may be obtained directly from an ISO National Registration Authority (NRA), which, in the United States, is the American National Standards Institute (ANSI).
You can get the procedure and fee schedule for obtaining a root OID at ansi.org. For other regions, contact the corresponding ISO member organization; ISO offers a list at http://iso.org/iso/about/iso_members.htm. For Europe, contact the IANA registration authority: http://pen.iana.org/pen/PenApplication.page
Organizations used to be able to obtain an OID from Microsoft by sending e-mail to firstname.lastname@example.org. However, that now results in an automated reply prompting the requester to download and run the VBScript from http://go.microsoft.com/fwlink/?LinkId=110453.
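The script Microsoft now points requesters to derives a root OID from a GUID under the prefix 1.2.840.113556.1.8000.2554 (the same prefix named in the link list at the top of this article). The Python below is an added example, not Microsoft's script: it reproduces that derivation (the 32 hex digits of the GUID split into fields of 4, 4, 4, 4, 4, 6 and 6 digits, each converted to decimal and appended as an arc), adds a syntactic OID check useful for a root obtained from ANSI or another NRA, and branches per-object OIDs under the root. The branching convention (<root>.1.<n> for attributes, <root>.2.<n> for classes) is an assumption for the example, not a rule from the article.

```python
import uuid

# Prefix used by the Microsoft GUID-to-OID script linked in the article.
MS_GUID_OID_PREFIX = "1.2.840.113556.1.8000.2554"


def is_valid_oid(oid):
    """Syntactic check: dotted decimal arcs without leading zeros, first arc 0-2,
    and when the first arc is 0 or 1 the second arc must be below 40 (X.660)."""
    parts = oid.split(".")
    if len(parts) < 2 or any(not p.isdigit() or p != str(int(p)) for p in parts):
        return False
    first, second = int(parts[0]), int(parts[1])
    if first > 2 or (first < 2 and second >= 40):
        return False
    return True


def oid_from_guid(guid):
    """Derive an OID from a GUID the way the Microsoft script does: the GUID's
    32 hex digits (braces, dashes and case ignored) are cut into seven fields of
    4,4,4,4,4,6,6 digits, each converted to decimal and appended to the prefix."""
    hexdigits = uuid.UUID(str(guid)).hex
    bounds = [(0, 4), (4, 8), (8, 12), (12, 16), (16, 20), (20, 26), (26, 32)]
    arcs = [str(int(hexdigits[a:b], 16)) for a, b in bounds]
    return MS_GUID_OID_PREFIX + "." + ".".join(arcs)


def new_root_oid():
    """Fresh root OID from a random (version 4) GUID; one per organization, kept on record."""
    return oid_from_guid(uuid.uuid4())


def allocate_oids(root, attribute_names, class_names):
    """Branch per-object OIDs under a root. Convention assumed for this example:
    <root>.1.<n> for attributes and <root>.2.<n> for classes, numbered from 1.
    Keep the allocation list with the root so numbers are never reused."""
    if not is_valid_oid(root):
        raise ValueError(f"not a valid OID: {root!r}")
    attributes = {name: f"{root}.1.{i}" for i, name in enumerate(attribute_names, 1)}
    classes = {name: f"{root}.2.{i}" for i, name in enumerate(class_names, 1)}
    return attributes, classes


if __name__ == "__main__":
    root = new_root_oid()
    attrs, classes = allocate_oids(root, ["contoso-EmployeeBadge"], ["contoso-BadgeInfo"])
    print("root OID:", root)
    for name, oid in {**attrs, **classes}.items():
        print(f"{name}: {oid}")
```

Because the OID is derived from a random GUID, generate the root once, record it alongside every OID handed out under it, and reuse it for all later extensions; generating a new root for each change defeats the purpose of having a stable, organization-owned branch.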
After obtaining a valid OID, you can start extending the domain schema through graphical user interface (GUI) tools, command-line tools, or scripting. The easiest way to modify the schema is the Active Directory Schema snap-in in Microsoft Management Console (MMC), a GUI tool for schema management. For information about using the schema
administration tools, see: Extending the User Class in the AD Schema: http://windowsitpro.com/Web/article/articleid/9738/extending-the-user-class-in-the-ad-schema.html
Modifying the schema through scripting requires programming knowledge and familiarity with the Active Directory Service Interfaces (ADSI). For more information, see the Active Directory Programmer’s Guide and Extending the Schema at: Extend AD schema: http://msdn.microsoft.com/zh-cn/library/ms676900(en-us).aspx
To add attributes to an object, you have to extend the AD schema. You can use adsiedit.msc or schmmgmt.msc to modify the properties of an AD object. Please refer to the following links for more information regarding the extension of the schema and the tools that can be used to accomplish this:
Extending the Active Directory Schema: http://technet.microsoft.com/en-us/magazine/cc462798.aspx?pr=blog
How can I add additional attributes to the users objects in Active Directory? http://www.petri.co.il/add_additional_attributes_to_user_objects.htm
Active Directory Schema Tools and Settings: http://technet.microsoft.com/en-us/library/cc757747.aspx