Adding items to the Schema, also called "extending the Schema", or even modifying existing objects can be a tricky business, and if done without proper knowledge, can be very destructive to your existing Active Directory infrastructure. This is because the Schema is a forest-wide setting, and any additions or changes to the Schema will be immediately replicated to each and every Domain Controller in each and every domain in your AD Forest. You cannot make any changes to the Schema and yet keep them within your domain's boundaries. Furthermore, changing existing attributes (such as configuring an attribute to replicate itself to the Global Catalog) will cause a forest-wide replication of all the attributes and objects, even if your change was made on just one attribute. Note that this behavior was changed in Windows Server 2003, but even so, you might unintentionally cause a major network load and a lot of overhead by simply clicking one small checkbox on one small attribute.
1. Open the Run command and type: regsvr32 schmmgmt.dll
You should get a confirmation message.
2. Next, open Run and type mmc.exe. Press Enter.
3. In the new MMC window, click File > Add/Remove Snap-in.
4. Click Add, then, in the Add Standalone Snap-in window, select the Active Directory Schema snap-in from the list. Next click Add again.
5. Click Ok.
Windows 2000 only - Enable write operations to the Schema
If you're running Windows 2000-based AD, you'll probably need to allow the Schema to be written. To do so follow these guidelines (only required for W2K-based DCs):
1. In the MMC window from the previous procedure, under the Console Root, double-click on the Active Directory Schema snap-in and let it load (you'll know it has loaded when you see two nodes under the root: Classes and Attributes).
2. Right-click Active Directory Schema (your domain controller name) and
Adding 3 new attributes to the Schema
One method of creating new attributes in the Schema is by using the Active Directory Schema snap-in from an MMC.
In order to use this snap-in you must first register it with the command: regsvr32 schmmgmt.dll
Connecting the new attributes to the User Object Class
The results
After adding the new attributes we now need to verify their existence and functionality.
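One way to verify the new attributes from a script rather than by clicking through the snap-in, as an added example (not part of the original article) using the ActiveDirectory PowerShell module. It is read-only, so it is safe to run against the test forest recommended below before touching production; the three attribute names are hypothetical placeholders. Besides existence, it reports the Global Catalog flag the warning at the top is about and checks that the attributes were actually linked to the user class.

```powershell
# Added example: read-only checks after a schema extension.
# Assumes RSAT / ActiveDirectory module and read access to the schema partition.
Import-Module ActiveDirectory

# Hypothetical attribute names; replace with the ones you created.
$newAttributes = @('contoso-EmployeeBadgeId', 'contoso-CostCenter', 'contoso-HireDate')

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Does each attribute exist, and how is it defined?
foreach ($name in $newAttributes) {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties lDAPDisplayName, attributeID, attributeSyntax, isSingleValued,
                    isMemberOfPartialAttributeSet, searchFlags
    if (-not $attr) {
        Write-Warning "Attribute '$name' was not found in the schema"
        continue
    }
    # isMemberOfPartialAttributeSet = TRUE means the attribute replicates to every
    # Global Catalog in the forest: the "one small checkbox" the warning refers to.
    [pscustomobject]@{
        Attribute       = $attr.lDAPDisplayName
        OID             = $attr.attributeID
        Syntax          = $attr.attributeSyntax
        SingleValued    = $attr.isSingleValued
        InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
        SearchFlags     = $attr.searchFlags
    }
}

# 2. Are the attributes attached to the user object class (mayContain)?
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties mayContain
$missing = $newAttributes | Where-Object { $userClass.mayContain -notcontains $_ }
if ($missing) {
    Write-Warning ("Not linked to the user class: " + ($missing -join ', '))
}

# 3. Schema writes only happen on the Schema Master; confirm which DC holds the role.
(Get-ADForest).SchemaMaster
```

Run it from a domain-joined workstation with RSAT; if an attribute shows up in step 1 but step 2 reports it missing, the class link from the "Connecting the new attributes to the User Object Class" step was not completed or has not replicated yet.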
What now?
After the new attributes were successfully added to the Schema and we've verified their functionality, we would now like to begin working with these attributes and begin populating their values.
A very simple way to avoid damaging or costly schema mistakes in your production forest is to first test your schema extensions on a test forest. By using a test environment, you can identify any potential problems in your plan before they affect your users and your production environment.
The Active Directory is what contains the roles and definitions. This is what creates and modifies object classes and attributes.
The DS tools consist of the following commands:
DSQUERY - search for Active Directory objects matching criteria
DSGET - retrieves selected attributes from Active Directory objects
DSMOD - modifies attributes for one or more Active Directory objects
DSADD - creates Active Directory objects
DSMOVE - moves Active Directory objects
DSRM - removes/deletes Active Directory objects
schema attributes
object classes and attributes
The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to store data.
Global Catalog
Active Directory was previewed in 1999, released first with Windows 2000 Server edition, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in Windows Server 2003 R2. Active Directory was refined further in Windows Server 2008 and Windows Server 2008 R2 and was renamed Active Directory Domain Services. Active Directory was called NTDS (NT Directory Service) in older Microsoft documents. This name can still be seen in some Active Directory binaries.
Active Directory Recycle Bin is a feature that helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers. When you enable the Active Directory Recycle Bin feature, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. Active Directory Recycle Bin is functional for both AD DS and Active Directory Lightweight Directory Services (AD LDS) environments.
Mohannad Hamid
15 custom attributes are used to track information not stored with Active Directory objects.
This is the first of a two-part series that will introduce you to using scripts to manage Active Directory security. This document (Part 1) will discuss extended rights, and demonstrate how you can grant users permission to do such things as change or reset someone else's password. Part 2 discusses Active Directory property sets, and shows how you can delegate the ability to read and write predefined user attributes (for example, a set of attributes revolving around user logon).
The Active Directory schema defines the kinds of objects, the types of information about those objects, and the default security configuration for those objects that can be stored in Active Directory. The Active Directory schema contains the formal definitions of all objects, such as users, computers, and printers that are stored in Active Directory. On domain controllers running either Windows 2000 or Windows Server 2003, there is only one schema for an entire forest. This way, all objects that are created in Active Directory conform to the same rules. The schema has two types of definitions: object classes and attributes. Object classes such as user, computer, and printer describe the possible directory objects that you can create. Each object class is a collection of attributes. Attributes are defined separately from object classes. Each attribute is defined only once and can be used in multiple object classes. For example, the Description attribute is used in many object classes, but is defined only once in the schema to ensure consistency.
The Active Directory administrative tools can only be used from a computer with access to a domain. The following Active Directory administrative tools are available on the Administrative Tools menu:
Active Directory Users and Computers (dsa.msc)
Active Directory Domains and Trusts (domain.msc)
Active Directory Sites and Services (dssite.msc)