Active Directory Schema Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2


In this section

  • Active Directory Schema Tools

  • Related Information

When existing class and attribute definitions in the Active Directory schema do not meet the needs of your organization, you can use schema-based administrative tools to modify or add schema objects. You can modify an existing attribute or add a new class or attribute to the schema to store a new type of information in the directory. The process of modifying or updating the schema is often referred to as “extending the schema.” In addition to using schema tools to extend the schema, you can perform most schema extensions by using customized applications or Active Directory Service Interfaces (ADSI) scripts.

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to Active Directory Domain Services.

Note

  • Extending the schema is a major change with implications for the entire directory. Extend the schema only when it is absolutely necessary. Many schema modifications cannot be reversed; therefore, you must thoroughly plan and test changes in an isolated environment before you deploy them in your production forest.

This section contains information about the tools that are associated with the Active Directory schema.

Active Directory Schema Tools

Normally, you do not interact directly with the schema on a daily basis. Active Directory uses the schema to create objects that are stored in the directory. You interact with those objects, not with the schema. You interact directly with the schema when you make modifications to the schema by adding definitions to it or by modifying existing definitions.

Only members of the Schema Admins group can make changes to the schema. The two most common scenarios for modifying the schema are as follows:

  • You install an application that adds customized object definitions so that it can store information in the directory; for example, you install an e-mail program that stores user e-mail names in the directory.

  • You test the development of applications that use the directory for data storage. In this scenario, you add customized object definitions to the schema and modify them throughout their lifetimes as the development process proceeds.

Note

  • Changes to the schema are written only on the schema master. Although every domain controller holds a copy of the schema in its Active Directory database, only the domain controller that holds the schema operations master role (one of the flexible single master operations (FSMO) roles) accepts schema writes. The Active Directory Schema snap-in binds to the schema master automatically; when you use Ldifde.exe or a script, target the schema master explicitly, because a write sent to any other domain controller is refused.

The following tools are associated with the Active Directory schema.

Adsiedit.exe: ADSI Edit

Category

ADSI Edit is included in the Windows Support Tools for Windows Server 2003 (Suptools.msi on the installation media). On Windows Server 2008 and later it is installed with the AD DS server role and with the Remote Server Administration Tools, so no separate download is needed.

Version Compatibility

Can Be Run From:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Servers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

Computers running:

  • Windows XP Professional

Can Be Run Against:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

ADSI Edit is a Microsoft Management Console (MMC) snap-in that uses ADSI, which in turn uses the Lightweight Directory Access Protocol (LDAP). You can use ADSI Edit to view and modify any directory object in the Active Directory database, including the objects and properties of the schema directory partition. When you open ADSI Edit on a Windows Server 2003 domain controller, it connects to the Domain, Configuration and Schema naming contexts of that domain controller by default; on later versions, use Connect to and select the Schema well-known naming context. Expand the Schema container to view the classSchema and attributeSchema objects. ADSI Edit applies no checks beyond those the directory itself enforces, so a schema change made here takes effect immediately and, like any schema change, usually cannot be undone.

To find more information about ADSI Edit, see “Support Tools Help” in Tools and Settings Collection.

Csvde.exe: Csvde

Category

Csvde is a command-line tool that ships with Windows Server 2003.

Version compatibility

Can Be Run From:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Servers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

Computers running:

  • Windows XP Professional

Can Be Run Against:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

The comma-separated value (CSV) file format is a simple format whose primary benefit is ease of use. In the CSV file format, each line represents a discrete object in the directory, and the object's attributes are separated by commas. The first line of the file always contains the attribute names, one per column, and each subsequent line represents one entry in the directory; on export, the first column is the object's distinguished name (DN). Values for multivalue attributes can also be specified, and they are delimited by semicolons (;).

Because this format is compatible with the Microsoft Excel CSV format, you can use Csvde.exe to export directory information to an Excel spreadsheet or to import data from a spreadsheet into Active Directory. Import is limited to adding objects: Csvde.exe cannot modify or delete existing objects, so use Ldifde.exe for those operations. Because one CSV file can carry many rows, a single Csvde.exe import or export is effectively a batch operation.

The command-line parameters of Csvde.exe are the same as those of Ldifde.exe, including the -d (search base), -r (LDAP filter) and -l (attribute list) switches that limit what is exported. The difference is the output format: Csvde.exe writes a file that spreadsheet applications can read directly. For example, to review all Active Directory users in an Excel report, export them with Csvde.exe and open the resulting CSV file in Excel.

To find more information about Csvde.exe, see “Command-Line References” in Tools and Settings Collection.
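As an added example (not code from the original page), the following PowerShell session uses Csvde.exe against the schema partition rather than against user objects: it exports every attribute whose searchFlags has the confidential bit set, which is the kind of review a security engineer runs before and after a schema extension. It assumes csvde.exe is on the path (it is on every Windows Server 2003 or later domain controller) and reads the schema naming context from rootDSE instead of hard-coding a forest name; the output file name is arbitrary.

```powershell
# Added example; not code from the original page.
# Export the attributes that are marked confidential (searchFlags bit 0x80,
# honoured by Windows Server 2003 SP1 and later) using csvde's -d/-p/-r/-l switches.

# Discover the schema partition instead of hard-coding the forest name.
$rootDSE  = [ADSI]'LDAP://RootDSE'
$schemaNC = [string]$rootDSE.schemaNamingContext      # CN=Schema,CN=Configuration,DC=...

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so this filter
# matches attributeSchema objects whose searchFlags include 128 (fCONFIDENTIAL).
$filter = '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))'

# -d search base, -p scope, -r LDAP filter, -l attribute list. Without -l csvde
# exports every attribute of every match, which is slow and includes binary values.
$outFile = Join-Path $PWD 'confidential-attributes.csv'
csvde -f $outFile -d $schemaNC -p subtree -r $filter `
      -l 'lDAPDisplayName,attributeID,searchFlags,isMemberOfPartialAttributeSet'

if ($LASTEXITCODE -ne 0) { throw "csvde failed with exit code $LASTEXITCODE" }

if (-not (Test-Path $outFile) -or (Get-Item $outFile).Length -eq 0) {
    Write-Host 'No attribute in this forest is marked confidential.'
} else {
    # The first CSV line carries the column names (DN first), so Import-Csv maps it
    # directly. Keep the file under change control: a new row after a schema update
    # means someone added or reclassified a confidential attribute.
    Import-Csv -Path $outFile |
        Select-Object lDAPDisplayName, attributeID, searchFlags, isMemberOfPartialAttributeSet |
        Sort-Object lDAPDisplayName |
        Format-Table -AutoSize
}
```

Because Ldifde.exe takes the same -d, -p, -r and -l switches, replacing csvde with ldifde -f out.ldf in the export line produces an LDIF copy of the same objects, which ldifde -i can replay later; the CSV form is the one to open in Excel.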

Dsa.msc: Active Directory Users and Computers

Category

Active Directory Users and Computers is an MMC snap-in in Administrative Tools that is installed automatically on all domain controllers running Windows Server 2003.

Version compatibility

Can Be Run From:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Servers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

Computers running:

  • Windows XP Professional with Adminpak.msi installed

Can Be Run Against:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

Active Directory Users and Computers is a graphical user interface (GUI) tool that you can use to manage users and computers in Active Directory domains. To modify the schema, you must use an account that is a member of the Schema Admins group. By default, the only member of the Schema Admins group is the Administrator account of the forest root domain, which is the only domain in which the group exists. You must explicitly add other accounts.

You can use Active Directory Users and Computers to verify that an account is a member of the Schema Admins group. Restrict membership in the Schema Admins group to prevent unauthorized access to the schema: a common practice is to keep the group empty and add an administrator only for the duration of a planned schema change. Improper modification of the schema can have serious consequences.

By default, only members of the Schema Admins group have permission to write to the schema. You can instead grant specific users explicit write permissions on the schema directory partition (for example, by editing the security descriptor of the Schema container with ADSI Edit); however, this is not recommended, because it bypasses the single, auditable group that is meant to control schema changes.
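The two checks the paragraphs above call for, Schema Admins membership and explicit permissions on the schema partition, are what the following added PowerShell script audits; it is an example written for this page, not code from the original. It assumes the ActiveDirectory module (Remote Server Administration Tools, Windows Server 2008 R2 or later) and uses the page's own statement that by default only Schema Admins (plus the SYSTEM account) may write to the schema as the baseline; the baseline list is an assumption to adjust if your forest has a documented delegation.

```powershell
# Added example; not code from the original page.
# Audit who can write to the schema: (1) Schema Admins membership, expanded
# recursively, and (2) explicit write-class ACEs on the Schema container.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$pdc        = $rootDomain.PDCEmulator

# Schema Admins exists only in the forest root domain and always has RID 518,
# so look it up by SID rather than by a (renamable) name.
$schemaAdmins = Get-ADGroup -Identity "$($rootDomain.DomainSID.Value)-518" -Server $pdc

Write-Host "Forest        : $($forest.Name)"
Write-Host "Schema master : $($forest.SchemaMaster)"
Write-Host "Schema Admins : $($schemaAdmins.DistinguishedName)"

# (1) Membership. -Recursive expands nested groups so that a user who is in
# Schema Admins only through another group is still reported.
$members = @(Get-ADGroupMember -Identity $schemaAdmins -Recursive -Server $pdc)
if ($members.Count -eq 0) {
    Write-Host 'Schema Admins is empty, which is the recommended steady state.'
} else {
    Write-Warning "Schema Admins has $($members.Count) member(s); remove them when no schema change is in progress:"
    $members | Select-Object SamAccountName, objectClass, DistinguishedName | Format-Table -AutoSize
}

# (2) Schema container ACL. Baseline (assumption, per the page): only Schema
# Admins and SYSTEM hold write-class rights. Any other Allow ACE that carries a
# write-class right is a finding to justify or remove.
$schemaNC = (Get-ADRootDSE -Server $pdc).schemaNamingContext
$acl      = Get-Acl -Path "AD:\$schemaNC"

$writeMask = [int]([System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll, Delete, DeleteTree')
$expected  = @('NT AUTHORITY\SYSTEM', "$($rootDomain.NetBIOSName)\Schema Admins")

$findings = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights) -band $writeMask) -ne 0 -and
    $expected -notcontains $_.IdentityReference.Value
})
if ($findings.Count -eq 0) {
    Write-Host 'No write-class ACEs on the Schema container beyond SYSTEM and Schema Admins.'
} else {
    Write-Warning 'Write-class ACEs on the Schema container granted to other principals:'
    $findings | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
}
```

Run it from a scheduled job and diff the output against the previous run: a new Schema Admins member or a new ACE on the Schema container outside a change window is exactly the event the page's warning about unauthorized schema access is about.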

Ldifde.exe: Ldifde

Category

Ldifde is a command-line tool that ships with Windows Server 2003.

Version compatibility

Can Be Run From:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Servers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

Computers running:

  • Windows XP Professional

Can Be Run Against:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

Active Directory supports the use of files that are formatted with the LDAP Data Interchange Format (LDIF) for importing and exporting information in the directory. This includes information that is stored in the schema, such as schema modifications. After an LDIF file is created, a tool such as Ldifde.exe performs the import operation by using the LDIF file for input. You can also use Ldifde.exe to add, modify, and delete directory objects; export Active Directory user and group information to other applications or services; and populate Active Directory with data from other directory services.

To find more information about Ldifde.exe, see “Command-Line References” in Tools and Settings Collection.
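The following added example (not from the original page) is the schema-extension case the paragraph above describes: a PowerShell script writes an LDIF file that adds one attribute and one auxiliary class and attaches the class to user, then replays it with ldifde -i against the schema master. It assumes the ActiveDirectory module is available to locate the schema master (on Windows Server 2003, obtain it with dsquery server -hasfsmo schema and set the variable by hand), and the corp- prefix and both OIDs are placeholders that must be replaced with names and OIDs from your organization's registered arc before use.

```powershell
# Added example; not code from the original page.
# Extend the schema with one confidential attribute and one auxiliary class,
# then attach the class to user, using an LDIF file replayed by ldifde.exe.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster            # only this DC accepts schema writes
$rootDN       = (Get-ADRootDSE -Server $schemaMaster).rootDomainNamingContext
$ldifPath     = Join-Path $PWD 'corp-badge-schema.ldf'

# Preflight: the caller's token must carry Schema Admins. Apply this file in a
# test forest first; the page warns that schema changes usually cannot be undone.
if (-not (whoami /groups | Select-String -SimpleMatch 'Schema Admins')) {
    throw 'Current token is not a member of Schema Admins; log on again with that membership.'
}

# schemaIDGUID is fixed at creation time. Generating it here, instead of letting
# the DC pick one, keeps it identical across test and production forests, so ACEs
# that reference the attribute by GUID behave the same in both.
$attrGuid  = [Convert]::ToBase64String([guid]::NewGuid().ToByteArray())
$classGuid = [Convert]::ToBase64String([guid]::NewGuid().ToByteArray())

# DC=X is a token that ldifde -c rewrites to the real forest root DN.
# The schemaUpdateNow entries make the schema master reload its schema cache;
# without the first one, the class add fails because the DC does not yet know
# the attribute named in mayContain. OIDs below are placeholders (assumption).
$ldif = @"
dn: CN=corp-EmployeeBadgeId,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.99999.1.1
lDAPDisplayName: corp-EmployeeBadgeId
adminDisplayName: corp-EmployeeBadgeId
adminDescription: Placeholder single-valued Unicode string (example)
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 128
isMemberOfPartialAttributeSet: FALSE
schemaIDGUID:: $attrGuid

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=corp-Badge,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.2554.99999.1.2
lDAPDisplayName: corp-Badge
adminDisplayName: corp-Badge
objectClassCategory: 3
subClassOf: top
mayContain: corp-EmployeeBadgeId
schemaIDGUID:: $classGuid

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: corp-Badge
-
"@
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# -i import, -f file, -s target the schema master explicitly, -c substitute the
# DC=X token, -j log directory. Deliberately no -k: an error in a schema import
# must stop the run, not be skipped.
ldifde -i -f $ldifPath -s $schemaMaster -c 'DC=X' $rootDN -j $PWD
if ($LASTEXITCODE -ne 0) { throw "ldifde failed ($LASTEXITCODE); see ldif.err and ldif.log in $PWD" }

# Verify on the schema master that the attribute exists with the intended flags.
Get-ADObject -SearchBase "CN=Schema,CN=Configuration,$rootDN" -Server $schemaMaster `
    -LDAPFilter '(lDAPDisplayName=corp-EmployeeBadgeId)' `
    -Properties attributeID, searchFlags, isSingleValued |
    Format-List lDAPDisplayName, attributeID, searchFlags, isSingleValued
```

searchFlags 128 marks the attribute confidential, so only principals holding the Control Access right on an object can read it; combined with isMemberOfPartialAttributeSet FALSE it also stays out of the global catalog. Choose those two values deliberately for any attribute that will hold sensitive data, because both are much harder to change after applications start depending on the attribute.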

Ntdsutil.exe: Ntdsutil

Category

Ntdsutil is a command-line tool that ships with Windows Server 2003.

Version Compatibility

Can Be Run From:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Can Be Run Against:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Ntdsutil.exe provides advanced management capabilities for Active Directory. For the Active Directory schema, you can use Ntdsutil.exe to identify, transfer, or seize the schema operations master role. Transfer the role when the current holder is still available; seize it only when the current holder is permanently unavailable, because a domain controller whose schema master role has been seized must not be returned to the forest. This tool is intended for use by experienced administrators.

To find more information about Ntdsutil, see “Command-Line References” in Tools and Settings Collection.
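The identify, transfer and seize operations described above, as an added PowerShell example that is not part of the original page. Server name DC02 is a placeholder for the domain controller that is to receive the role; the commands must be run by a member of Schema Admins, and the seize step is guarded so that it does not run by accident.

```powershell
# Added example; not code from the original page.
# Identify the schema master, transfer it gracefully to $newHolder, and verify.
$newHolder = 'DC02'    # placeholder

# 1. Identify. dsquery is built into Windows Server 2003 DCs; ntdsutil gives the
#    same answer from the connected server's point of view. Each quoted string
#    is one ntdsutil menu command, executed in order.
dsquery server -hasfsmo schema
ntdsutil "roles" "connections" "connect to server $newHolder" "quit" `
         "select operation target" "list roles for connected server" "quit" "quit" "quit"

# 2. Transfer (preferred). The current holder must be online: ntdsutil asks it
#    to relinquish the role, so both DCs end up agreeing on the owner. ntdsutil
#    shows a confirmation dialog before it proceeds.
ntdsutil "roles" "connections" "connect to server $newHolder" "quit" `
         "transfer schema master" "quit" "quit"

# 3. Seize only when the old holder is permanently gone. "seize" first attempts
#    a transfer and, if that fails, takes the role unilaterally; the former
#    holder still believes it owns the role, so it must never be reconnected to
#    the forest (clean up its metadata and rebuild it).
$oldHolderIsPermanentlyGone = $false
if ($oldHolderIsPermanentlyGone) {
    ntdsutil "roles" "connections" "connect to server $newHolder" "quit" `
             "seize schema master" "quit" "quit"
}

# 4. Verify from a DC other than the new holder. The ownership change is an
#    ordinary replicated write (fSMORoleOwner on the Schema container), so wait
#    for replication rather than trusting the first answer.
dsquery server -hasfsmo schema
repadmin /showrepl $newHolder    # Support Tools on 2003, built in on 2008 and later
```

On Windows Server 2008 R2 and later the same transfer is available as Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole SchemaMaster (add -Force to seize); the caveat about never reconnecting a seized holder applies equally.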

Schmmgmt.msc: The Active Directory Schema snap-in

Category

The Active Directory Schema snap-in is an MMC snap-in in Administrative Tools that is installed automatically on all domain controllers running Windows Server 2003. However, you must register it manually before you use it for the first time.

Version compatibility

Can Be Run From:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

Servers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

Computers running:

  • Windows XP Professional with Adminpak.msi installed

Can Be Run Against:

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows 2000 Datacenter Server

The Active Directory Schema snap-in is a GUI tool that members of the Schema Admins group can use to manage Active Directory objects and their associated attributes. You can use this tool to create and modify classes and attributes. You can also use it to specify what attributes are indexed and what attributes are replicated to the global catalog.

Schmmgmt.dll, the library that implements the Active Directory Schema snap-in, is present on domain controllers but is not registered, so the snap-in does not appear in the Add/Remove Snap-in list until you register it. On a member server or workstation, first install the Windows Server 2003 Administration Tools Pack (Adminpak.msi). Then register the snap-in by running regsvr32 schmmgmt.dll from a command prompt (an elevated one on Windows Server 2008 and later) or from the Run command on the Start menu.

ADSI and Visual Basic Scripts

Active Directory provides a set of interfaces that you can use programmatically to gain access to directory objects, including schema objects. ADSI conforms to the Component Object Model (COM), and it supports standard COM features. ADSI defines a directory service model and a set of COM interfaces that you can use from a variety of programming languages. With Microsoft Visual Basic, Scripting Edition (VBScript) and ADSI, you can write scripts to modify the directory in various ways, including extending the schema; any such script is subject to the same rules as the tools above: it must bind to the schema master and run as a member of Schema Admins.

For more information about using ADSI and scripting to modify the schema, see Using Active Directory Service Interfaces in the Microsoft Platform SDK on MSDN.
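An added example of scripting against the schema through ADSI, written for this page rather than taken from the original or from the Platform SDK. It uses PowerShell's [ADSI] type accelerator and DirectorySearcher, which bind to the same ADSI COM interfaces VBScript uses, so the object and property names carry over. It needs no RSAT module and performs reads only: it resolves the schema master from the Schema container's fSMORoleOwner attribute and decodes the searchFlags and systemFlags of a few attribute definitions. The attribute names passed at the end are ordinary base-schema attributes chosen for illustration.

```powershell
# Added example; not code from the original page.
# Read-only ADSI inspection of the schema partition from any domain-joined host.
$rootDSE  = [ADSI]'LDAP://RootDSE'
$schemaNC = [string]$rootDSE.schemaNamingContext
$schema   = [ADSI]"LDAP://$schemaNC"

# fSMORoleOwner on the Schema container is the DN of the schema master's
# NTDS Settings object; its parent is the server object carrying dNSHostName.
function Get-SchemaMasterHostName {
    $ntdsSettings = [ADSI]"LDAP://$([string]$schema.fSMORoleOwner)"
    [string]$ntdsSettings.Parent.dNSHostName
}

# searchFlags bits (MS-ADTS). The security-relevant ones are fCONFIDENTIAL (0x80)
# and fRODCFilteredAttribute (0x200); fATTINDEX/fANR affect only query behaviour.
$searchFlagBits = [ordered]@{
    0x1   = 'fATTINDEX'
    0x2   = 'fPDNTATTINDEX'
    0x4   = 'fANR'
    0x8   = 'fPRESERVEONDELETE'
    0x10  = 'fCOPY'
    0x20  = 'fTUPLEINDEX'
    0x40  = 'fSUBTREEATTINDEX'
    0x80  = 'fCONFIDENTIAL'
    0x100 = 'fNEVERVALUEAUDIT'
    0x200 = 'fRODCFilteredAttribute'
}
function ConvertTo-SearchFlagNames([int]$flags) {
    @($searchFlagBits.Keys | Where-Object { ($flags -band $_) -ne 0 } | ForEach-Object { $searchFlagBits[$_] })
}

# Some attributes omit searchFlags/systemFlags entirely; treat absent as 0.
function Get-Prop($result, [string]$name) {
    $v = $result.Properties[$name]
    if ($v -and $v.Count -gt 0) { $v[0] } else { $null }
}

# Look up one attribute definition with DirectorySearcher (the ADSI search API).
function Get-SchemaAttribute([string]$ldapDisplayName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapDisplayName))"
    $null = $searcher.PropertiesToLoad.AddRange([string[]](
        'lDAPDisplayName','attributeID','attributeSyntax','isSingleValued',
        'searchFlags','isMemberOfPartialAttributeSet','systemFlags'))
    $r = $searcher.FindOne()
    if (-not $r) { return $null }
    $flags = [int](Get-Prop $r 'searchflags')
    $sys   = [int](Get-Prop $r 'systemflags')
    [pscustomobject]@{
        lDAPDisplayName  = [string](Get-Prop $r 'ldapdisplayname')
        attributeID      = [string](Get-Prop $r 'attributeid')
        attributeSyntax  = [string](Get-Prop $r 'attributesyntax')
        isSingleValued   = [bool](Get-Prop $r 'issinglevalued')
        inGlobalCatalog  = [bool](Get-Prop $r 'ismemberofpartialattributeset')
        searchFlags      = ConvertTo-SearchFlagNames $flags
        # systemFlags 0x10 marks a base schema object: it can be adjusted but
        # never deleted or made defunct, the concrete form of "many schema
        # modifications cannot be reversed".
        baseSchemaObject = (($sys -band 0x10) -ne 0)
    }
}

Write-Host "Schema master: $(Get-SchemaMasterHostName)"
'unicodePwd', 'mail', 'userAccountControl' | ForEach-Object { Get-SchemaAttribute $_ } | Format-List
```

Everything here is a read, which is why it runs under any domain account; a write to the same objects (for example setting searchFlags to add fCONFIDENTIAL on an existing attribute) would have to go through the schema master and a Schema Admins token, and belongs in a tested LDIF change rather than an ad hoc script.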

Related Information

The following resources contain additional information that is relevant to this section:

  • “Support Tools Help” in Tools and Settings Collection for information about ADSI Edit

  • “Command-Line References” in Tools and Settings Collection for information about Csvde, Ldifde, and Ntdsutil

  • Microsoft Platform SDK on MSDN for information about using ADSI and scripting to modify the schema (in Using Active Directory Service Interfaces)