Tag Archive: Schema

Les mises à jour du schéma sont irréversibles. Une fois répliquées vers les autres DCs de la forêt, il ne sera plus possible de revenir en arrière à l’état d’avant la modification. Puisqu’il n’est pas possible de réaliser un authoritative restore de la partition schema, seule la restauration d’une sauvegarde du system state sur tous les DCs de la forêt ayant répliqué la modification du schema permettra de revenir en arrière. Afin d’assurer au maximum le succès de l’opération de mise à jour du schéma et, en même temps, déterminer précisément la volumétrie de la réplication résultante, nous conseillons de maquetter cette opération sur un DC en pré-production. Voici des liens complémentaires, relatifs aux changement opérés lors de la mise à jour du schéma, le déroulement de la mise à jour, les possibilités de troubleshooting, etc. :

Admin Articles recommended:



Special recommendations for ADprep :http://technet.microsoft.com/en-us/library/dd464018(v=WS.10).aspxand go the section called : ” preparing to run adprep /forestprep ” =>make system state backup of DCs of each DOMAIN of the forest.

Another article against isolating schema master:http://blogs.technet.com/b/askds/archive/2010/04/16/friday-mail-sack-i-live-again-edition.aspx#isolate

AD LDS (formally known as ADAM) has an awesome schema analyzer tool that will compare two schemas, and prepare an ldif file so you can actually synchronize the schemas. You should definitely use this tool to otherwise sync the schemas across your production and test environments.

Fellow PFE Ashley McGlone has a cool PowerShell script that will analyze your production schema for other extensions, to help you “remember” any other schema extensions.

Planning FOREST recovery: http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(WS.10).aspx

Version Windows Server Version:
13 Windows 2000 Server
30 Windows Server 2003
31 Windows Server 2003 R2
44 Windows Server 2008
47 Windows Server 2008 R2
56 Windows Server 2012
69 Windows Server 2012 R2


An OID (object identifier) is a numeric string that is used to uniquely identify an object. It is created by self-extending a private enterprise number that an institution has acquired. Typical objects that can be identified using OIDs include attributes in X.500/LDAP-based directories, certificate policies and practice statements, MIBS for network management and encryption algorithms.

In particular, as a university defines attributes for local use within directories, it will need OID’s to identify these attributes. More generally, OIDs are a managed hierarchy starting with ISO (http://www.iso.ch/) and ITU (http://www.itu.ch/). ISO and ITU delegate OID management to organizations by assigning them OID numbers; these organizations can then assign OIDs to objects or further delegate to other organizations.

OIDs are associated with objects in protocols and data structures defined using ASN.1. OIDs that define data structures and protocol elements are generated and processed by client and server software. OIDs are intended to be globally unique. They are formed by taking a unique numeric string (e.g. and adding additional digits in a unique fashion (e.g.,,, etc.) An institution will acquire an arc (eg and then extend the arc (called subarcs) as indicated above to create additional OID’s and arcs.

There is no limit to the length of an OID, and virtually no computational burden to having a long OID. OID’s are only using for “equality-matching”. That is, two objects (e.g. directory attributes or certificate policies) are considered to be the same if they have exactly the same OID. There are no implied navigational or hierarchical capabilities with OID’s (unlike IP addresses, for example); given an OID one can not readily find out who owns the OID, related OID’s, etc. OIDs exist to provide a unique identifier, recognizing that in a decentralized world, organizations may pick the same identical names for objects that they manage.

How Do we Get an OID and How do we use it?

OID’s can be obtained from a number of sources. Two formal mechanisms include IANA and ANSI.

a. To get one from IANA, fill out a form at http://pen.iana.org/pen/PenApplication.page. There is no fee and turnaround appears relatively quick.

b. To get one from ANSI, go to http://web.ansi.org/public/services/reg_org.html . There is a one-time fee and turnaround can take several weeks.

In addition one can get a subarc designated from someone who already has an arc. In such instances it is important to insure that the assigning entity has legitimate claim to their own arc and that they are appropriately diligent in assigning subarcs to insure no duplication.

Once a campus has an OID arc, it will likely create subarcs to be used for particular purposes. Given arc x, a campus may use x.1 for local directory attributes (e.g. x.1.1 for parking location, x.1.2 for residence hall, etc.) and x.2 for certificate policies (e.g. x.2.1 for a low-grade policy, x.2.2 for a high-grade policy, etc.)

The importance of an OID is its uniqueness, not who owns the OID arc to which the specific OID belongs. As long as the holder of an arc is diligent about not re-issuing an OID for a different purpose, an OID should be politically neutral. There should be no political implications about using an OID in a different organization for the same purpose.

For example if SUN were to create an OID for purpose “Z” there should be no technical or valid political reasons for Example.EDU to create a different OID for the exact same purpose. However, many organizations do not publish or promote the assignment of local OIDs.

The practical result is that many sites create different OIDs for the same purpose. In the long run advertising assigned OIDs with details about the intended semantics tends to foster common solutions and reusable code.

Other references



How to extend the AD Schema ?


The aim of this article is to gives you the key points to extend the AD DS schema to add new class/new attributes or add new attributes to existing Active Directory classes.

Web resources

How to Extend the Schema

When the existing classes and/or attributes do not fit with the type of data that you want to store, you  might want to extend the schema. For more information on deciding when to
extend the schema, see Extending the Schema. When you have decided that schema extension is required, use the following procedure to extend the schema.

Verify Active Directory functionality before you apply any schema extensions

Verify Active Directory functionality before you update the schema to help ensure that the schema extension proceeds without error. At a minimum, ensure that all domain
controllers for the forest are online and performing inbound replication.

To verify Active Directory functionality before you apply the schema extension

  1. Log on to an administrative workstation that has the Windows Support Tool Repadmin.exe installed.

Open a command prompt, and then change directories to the folder in which the Windows Support Tools are

  1. At a command prompt, type the following, and then press ENTER:

repadmin /replsum /bysrc /bydest /sort:delta

All domain controllers should show 0 in the Fails column, and the largest deltas (which indicate the number of changes that have been made to the Active
Directory database since the last successful replication) should be less than or roughly equal to the replication frequency of the site link that is used by
the domain controller for replication. The default replication frequency is 180 minutes.

For more information about additional steps that you can take to verify Active Directory functionality before you apply the schema extension, see article 325379 in
the Microsoft Knowledge Base

Extend the Schema

  1. Create a backup of the schema master domain  controller’s system state using the NTBACKUP utility. To start the NTBACKUP utility, click Start, click Run
    and type ntbackup.
  2. Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group.
must be logged on as a member of the Schema Admins security group in order to
successfully extend the schema.
  1. Next, in most cases, you’d be better off by doing this on the Domain Controller that is holding the Schema Master FSMO role (read more about Understanding
    FSMO Roles in Active Directory

Open the Run command and type: regsvr32 schmmgmt.dll

Next, open Run and type mmc.exe. Press Enter.

In the new MMC window, click File > Add/Remove Snap-in.

Click Add, then, in the Add Standalone Snap-in window, select the Active Directory Schema snap-in from the list. Next click Add again.

Click Ok.

Determine the method of extension. Once you have carefully designed your schema changes, the next step is to decide which method to use to extend the schema. You can
use one of the following methods:

Note Do not use LDIFDE to import Windows Sch*.ldf files. Those files are required to extend the Active Directory schema in order to install domain controllers that run a newer version of Windows Server than the version that is running on the current schema master. When you need to extend the schema in order to install a new domain controller, use

  1. Follow this step by step to add new classes and attributes to the Active Directory schema.


you extend your Active Directory schema, test the schema extensions for
conflicts with your current Active Directory schema. For information on
testing the Active Directory schema extensions, see Testing for Active Directory Schema Extension Conflicts.
  1. Verify that the schema extension was successful.
  2. If the schema extension procedure was successful, reconnect the schema master domain controller to the network and allow it to replicate the schema extensions to the global catalog servers throughout the Active Directory forest.
  3. If the schema extension procedure was unsuccessful, restore the schema master’s previous system state from the backup created in step 1. This will reverse the schema extension actions before reconnecting the schema master domain controller to the network.
restore the system state on a Windows domain controller, the system must be
restarted in Directory Services Restore Mode. For more information about
Directory Services Restore Mode, see Restart the Domain Controller in
Directory Services Restore Mode Locally http://go.microsoft.com/fwlink/?LinkId=75622

See Also

When we define a new attribute object, we need to define a list of properties for attributeSchema objects along with information about them at http://go.microsoft.com/fwlink/?LinkId=110445

One of these properties is mandatory object identifier (OID), which is defined against governsID for classSchema objects and attributeID for attributeSchema objects. These are unique numeric values supplied by certain issuing authorities to identify the objects. The numbering is governed by definition of the LDAP protocol (RFC 2251). Some of
the OIDs in the Active Directory schema are issued by the International Organization for Standardization (ISO) and some are issued by Microsoft. An OID
must be unique for an object within the directory.

The OID is a string of numbers, for instance 1.2.840.113556.1.y.z. Thus an OID for a user classSchema object, for example, is 1.2.840.113556.1.5.9.

When an organization intends to extend the schema, it ensures that the OID is unique by obtaining its own OID root number, which is then branched off to provide unique IDs to the new object classes and attributes that the organization creates. The OID root may be obtained directly from an ISO National Registration Authority (NRA), which in the United States, is the American National Standards Institute (ANSI).

You can get the procedure and fee schedule for obtaining a root OID at ansi.org. For other regions, contact the corresponding ISO member organization; ISO offers a list at http://iso.org/iso/about/iso_members.htm. For  Europe, contact the IANA registration authority, http://pen.iana.org/pen/PenApplication.page

Organizations used to be able to obtain an OID from Microsoft by sending e-mail to schemreg@microsoft.com. However, that now results in an automated reply prompting the requester to download and run the VBScript from http://go.microsoft.com/fwlink/?LinkId=110453.

After obtaining a valid OID, you can start extend domain schema through graphical user interface (GUI) tools, command-line tools, and through scripting. The easiest way to modify the schema is by using the Active Directory Schema snap-in in Microsoft Management Console (MMC), which is a GUI tool for schema management. For information about usage of schema
administration tools, see: Extending the User Class in the AD Schema: http://windowsitpro.com/Web/article/articleid/9738/extending-the-user-class-in-the-ad-schema.html

Modifying the schema through scripting requires programming knowledge and familiarity with the Active Directory Service Interfaces (ADSI). For more information, see the Active Directory Programmer’s Guide and Extending the Schema at: Extend AD schema: http://msdn.microsoft.com/zh-cn/library/ms676900(en-us).aspx

You have to extend the AD schema. You can use adsiedit.msc or schmmgmt.msc to modify the properties of an AD object. Please refer to the following links for more information regarding the extension of the schema and the tools that can be used to accomplish this:

Extending the Active Directory Schema: http://technet.microsoft.com/en-us/magazine/cc462798.aspx?pr=blog

How can I add additional attributes to the users objects in Active Directory? http://www.petri.co.il/add_additional_attributes_to_user_objects.htm

Active Directory Schema Tools and Settings: http://technet.microsoft.com/en-us/library/cc757747.aspx