
Adding items to the Schema, also called "extending the Schema", or even modifying existing objects can be a tricky business, and if done without proper knowledge, can be very destructive to your existing Active Directory infrastructure. This is because the Schema is a forest-wide setting, and any additions or changes to the Schema will be immediately replicated to each and every Domain Controller in each and every domain in your AD Forest. You cannot make any changes to the Schema and yet keep it within your domain's boundaries. Furthermore, changing existing attributes (such as configuring an attribute to replicate itself to the Global Catalog) will cause a forest-wide replication of all the attributes and objects, even if your change was just made on one attribute. Note that this behavior was changed in Windows Server 2003, but even so, you might unintentionally cause a major network load and a lot of overhead by simply clicking one small checkbox on one small attribute.

1. Open the Run command and type: regsvr32 schmmgmt.dll

You should get a confirmation message.

2. Next, open Run and type mmc.exe. Press Enter.

3. In the new MMC window, click File > Add/Remove Snap-in.

4. Click Add, then, in the Add Standalone Snap-in window, select the Active Directory Schema snap-in from the list. Next click Add again.

5. Click OK.

Windows 2000 only - Enable write operations to the Schema

If you're running Windows 2000-based AD, you'll probably need to allow the Schema to be written. To do so follow these guidelines (only required for W2K-based DC):

1. In the MMC window from the previous procedure, under the Console Root, double-click on the Active Directory Schema snap-in and let it load (you'll know it has loaded when you see 2 nodes under the root - Classes and Attributes).

2. Right-click Active Directory Schema (your domain controller name) and

Adding 3 new attributes to the Schema

One method of creating new attributes in the Schema is by using the Active Directory Schema snap-in from an MMC.

In order to use this snap-in you must first register it with the command: regsvr32 schmmgmt.dll

Connecting the new attributes to the User Object Class

One method of creating new attributes in the Schema is by using the Active Directory Schema snap-in from an MMC.

In order to use this snap-in you must first register it with the command: regsvr32 schmmgmt.dll

The results

After adding the new attributes we now need to verify their existence and functionality.

What now?

After the new attributes were successfully added to the Schema and we've verified their functionality, we would now like to begin working with these attributes and begin populating their values.

A very simple way to avoid damaging or costly schema mistakes in your production forest is to first test your schema extensions on a test forest. By using a test environment, you can identify any potential problems in your plan before they affect your users and your production environment.


Wiki User

13y ago
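The answer above ends with verifying that the new attributes exist and work. The following read-only check is an added example, not part of the original answer: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the three attribute names are hypothetical placeholders for the lDAPDisplayName values you actually created.

```powershell
# Added example: read-only queries, nothing here writes to the schema.
Import-Module ActiveDirectory

# Hypothetical names; replace with the lDAPDisplayName of each attribute you added.
$newAttributes = 'contosoBadgeId', 'contosoCostCenter', 'contosoShiftCode'

$forest       = Get-ADForest
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = $forest.SchemaMaster

# Ask the schema master directly so replication lag cannot hide a new object.
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mayContain, systemMayContain

$report = foreach ($name in $newAttributes) {
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties attributeID, attributeSyntax, isSingleValued,
                    isMemberOfPartialAttributeSet, whenCreated

    [pscustomobject]@{
        Attribute       = $name
        InSchema        = [bool]$attr
        OID             = $attr.attributeID
        Syntax          = $attr.attributeSyntax
        SingleValued    = $attr.isSingleValued
        # True means the attribute is replicated to the Global Catalog.
        InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
        # Only direct attachment is checked; auxiliary classes are not followed.
        OnUserClass     = ($userClass.mayContain -contains $name) -or
                          ($userClass.systemMayContain -contains $name)
        Created         = $attr.whenCreated
    }
}
$report | Format-Table -AutoSize

# Schema writes require Schema Admins membership; review who currently holds it.
Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain |
    Select-Object name, objectClass, distinguishedName
```

Run it in the test forest first, as the answer recommends, and compare the report with the production forest after the change has replicated.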

Wiki User

13y ago

Yes, we can, in the following way:

1. Open the Run command and type:

regsvr32 schmmgmt.dll

You should get a confirmation message.

2. Next, open Run and type mmc.exe. Press Enter.

3. In the new MMC window, click File > Add/Remove Snap-in.

4. Click Add, then, in the Add Standalone Snap-in window, select the Active Directory Schema snap-in from the list. Next click Add again.

5. Click OK.

Windows 2000 only - Enable write operations to the Schema

If you're running Windows 2000-based AD, you'll probably need to allow the Schema to be written. To do so follow these guidelines (only required for W2K-based DC):

1. In the MMC window from the previous procedure, under the Console Root, double-click on the Active Directory Schema snap-in and let it load (you'll know it has loaded when you see 2 nodes under the root - Classes and Attributes).

2. Right-click Active Directory Schema (your domain controller name) and

Adding 3 new attributes to the Schema

One method of creating new attributes in the Schema is by using the Active Directory Schema snap-in from an MMC.

In order to use this snap-in you must first register it with the following command:

regsvr32 schmmgmt.dll

Connecting the new attributes to the User Object Class

One method of creating new attributes in the Schema is by using the Active Directory Schema snap-in from an MMC.

In order to use this snap-in you must first register it with the following command:

regsvr32 schmmgmt.dll

The results

After adding the new attributes we now need to verify their existence and functionality.

Q: Where can you add additional attributes by modifying the active directory schema?
Related questions

What contains the roles and definition that use for creating and modifying object class and attributes within active direct?

The Active Directory is what contains the roles and definitions. This is what creates and modifies object classes and attributes.


What does Active Directory use to allow administrators to query and modify users groups and computers?

The DS tools consist of the following commands:

DSQUERY - search for Active Directory objects matching criteria
DSGET - retrieves selected attributes from Active Directory objects
DSMOD - modify attributes for one or more Active Directory objects
DSADD - create Active Directory objects
DSMOVE - move Active Directory objects
DSRM - removes/deletes Active Directory objects


What defines the types of information stored in an Active Directory object?

schema attributes


Which object classes are created when Active Directory is installed?

object classes and attributes


What is the schema in AD?

The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to store data.


What is the index and partial replica of frequently used objects and attributes in an active directory structure?

Global Catalog


When did active directory come out?

Active Directory was previewed in 1999, released first with Windows 2000 Server edition, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in Windows Server 2003 R2. Active Directory was refined further in Windows Server 2008 and Windows Server 2008 R2 and was renamed Active Directory Domain Services. Active Directory was called NTDS (NT Directory Service) in older Microsoft documents. This name can still be seen in some Active Directory binaries.


What is Active Directory Recycle Bin?

Active Directory Recycle Bin is a feature that helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers. When you enable Active Directory Recycle Bin feature, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. Active Directory Recycle Bin is functional for both AD DS and Active Directory Lightweight Directory Services (AD LDS) environments. Mohannad Hamid


What is the maximum number of custom attributes that can be assigned to a mail or mailbox- enabled recipient with exchange server 2003?

15 custom attributes, used to track information not stored with Active Directory objects.


What is the importance of using scripts to manage active directory?

This is the first of a two-part series that will introduce you to using scripts to manage Active Directory security. This document (Part 1) will discuss extended rights, and demonstrate how you can grant users permission to do such things as change or reset someone else's password. Part 2 discusses Active Directory property sets, and shows how you can delegate the ability to read and write predefined user attributes (for example, a set of attributes revolving around user logon).


What is directory schema?

The Active Directory schema defines the kinds of objects, the types of information about those objects, and the default security configuration for those objects that can be stored in Active Directory. The Active Directory schema contains the formal definitions of all objects, such as users, computers, and printers that are stored in Active Directory. On domain controllers running either Windows 2000 or Windows Server 2003, there is only one schema for an entire forest. This way, all objects that are created in Active Directory conform to the same rules. The schema has two types of definitions: object classes and attributes. Object classes such as user, computer, and printer describe the possible directory objects that you can create. Each object class is a collection of attributes. Attributes are defined separately from object classes. Each attribute is defined only once and can be used in multiple object classes. For example, the Description attribute is used in many object classes, but is defined only once in the schema to ensure consistency.


What can be used to add delete or modify objects in Active Directory in addition to modifying the schema if necessary?

LDIFDE is a robust utility. This utility enables you to import/export information from/to Active Directory. LDIFDE queries any available domain controller to retrieve/update AD information. Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.