How to Extend the Schema

  • Article

After you have decided that you have to make changes to the schema and you have carefully planned the types of changes you are going to make, you can proceed. Because this is an extremely significant operation, and not without the possibility of causing serious problems, Windows 2000 has three safety features, or interlocks, that control modification of the schema:

  • By default, schema modification is disabled on all domain controllers. Use the Active Directory Schema console on a domain controller to permit write access to the schema on that domain controller.

  • The schema object is protected by the Windows 2000 security model. Therefore, administrators must be given explicit permissions or be a member of the Schema Administrators group ( Schema Admins in the user interface) to effect changes to the schema.

  • Only one domain controller in the enterprise, the one holding the Schema Master Role is allowed to write to the schema. This role is one example of an FSMO role.