Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements
Writer: Joe Davies
Abstract
Wireless and wired clients running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008 and wired clients running Windows XP with Service Pack 3 support enhancements that can be configured through Group Policy settings that are supported by domain controllers running Windows Server 2008 R2 or Windows Server 2008. To support these enhancements for an Active Directory directory service environment consisting of domain controllers running Windows Server 2003 or Windows Server 2003 R2, the Active Directory schema must be extended. This article describes how to extend the Active Directory schema to support these new features.
Note: This article requires horizontal scrolling to preserve the contents of the 802.11Schema.ldf and 802.3Schema.ldf schema extension files that are included as text in this article.
Introduction
Computers running Windows Vista support the following enhancements to Group Policy-based configuration:
- Wired LAN settings: Windows Vista and Windows XP Service Pack 3 now support the configuration of IEEE 802.1X-authenticated wired connections through Group Policy.
- Mixed security mode: You can now configure several profiles with the same SSID but different security methods, so that clients with different security capabilities can all connect to the same wireless network.
- Allow and deny lists for wireless networks: You can configure a list of wireless networks to which the Windows Vista wireless client can connect and a list of wireless networks to which it cannot connect.
- Extensibility: You can import profiles that carry vendor-specific connectivity and security settings, such as different EAP types.
Active Directory uses the following schema attributes and attribute values for storing the GUID and data relating to wireless Group Policy:
- ms-net-ieee-80211-GP-PolicyGUID: A unique identifier for the wireless Group Policy object.
- ms-net-ieee-80211-GP-PolicyData: Stores the wireless policy settings.
- ms-net-ieee-80211-GP-PolicyReserved: Reserved for future use.
Active Directory uses the following schema attributes and attribute values for storing the GUID and data relating to wired Group Policy:
- ms-net-ieee-8023-GP-PolicyGUID: A unique identifier for the wired Group Policy object.
- ms-net-ieee-8023-GP-PolicyData: Stores the wired policy settings.
- ms-net-ieee-8023-GP-PolicyReserved: Reserved for future use.
To deploy the Windows Vista wireless and wired Active Directory schema changes, do the following:
- Extend the Active Directory schema (for wireless, wired, or both) as described in this article.
- Install Windows Vista on a domain member computer.
- Configure enhanced wireless or wired Group Policy settings for the appropriate Active Directory containers (site, domain, organizational unit) by using the Group Policy Editor snap-in on the computer running Windows Vista.
The enhanced wireless and wired settings are automatically downloaded to computers running Windows Vista as part of Computer Configuration Group Policy settings. Computers running Windows XP prior to Service Pack 3 or Windows Server 2003 will ignore the enhanced wireless and wired settings. Computers running Windows XP with Service Pack 3 support the enhanced wired settings.
Extending Active Directory Schema
Before extending the schema, you must understand the following:
- Schema modifications are global: When you extend the schema, the changes apply to every domain controller in the entire forest.
- Schema classes related to the system cannot be modified: You cannot modify default system classes (those classes required for Windows to run) within the schema. However, directory-enabled applications that modify the schema may add new classes that you can modify.
- Schema extensions are not reversible: Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated. For more information, see Deactivating a class or attribute.
- Document your changes: If you do decide to extend the schema, be sure to document the changes.
A very simple way to avoid damaging or costly schema mistakes in your production forest is to first test your schema extensions on a test forest. By using a test environment, you can identify any potential problems in your plan before they affect your users and your production environment.
After making schema changes in a test forest, you can reinstall the default schema by demoting each domain controller in the test forest to which the schema changes have replicated. Then, use the Active Directory Installation Wizard to reinstall Active Directory on the servers. This procedure is practical only in a test environment.
For a technical overview of Active Directory schema, see How the Active Directory Schema Works.
Extending the Schema for Wireless Group Policy Settings
To extend the Active Directory schema for Windows Vista wireless Group Policy enhancements, you need to do the following:
- Create the 802.11Schema.ldf file.
- Use the Ldifde.exe tool to extend the Active Directory schema.
Creating the 802.11Schema.ldf File
To create the 802.11Schema.ldf file, do the following:
- From the Windows desktop, click Start, click Programs, click Accessories, and then click Notepad.
- Select the text of the "Contents of 802.11Schema.ldf" section of this article (not including the section title).
- Right-click the selected section, and then click Copy.
- Click the open Notepad window, click Edit, and then click Paste.
- Click File, click Save As, navigate to the appropriate folder, type 802.11Schema.ldf for File name, select All Files for Save as type, select ANSI for Encoding, and then click Save.
Using the Ldifde.exe Tool to Extend the Active Directory Schema
To use the Ldifde.exe tool to extend the Active Directory schema for wireless settings, do the following:
- If needed, copy the 802.11Schema.ldf file to a folder on a domain controller running Windows Server 2003 or Windows Server 2003 R2.
- On a domain controller running Windows Server 2003 or Windows Server 2003 R2, click Start, click Run, type cmd, and then click OK.
- Change to the folder containing the 802.11Schema.ldf file.
- At the Windows command prompt, issue the following command:
ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain
Dist_Name_of_AD_Domain is the distinguished name of the Active Directory domain whose schema is being modified. An example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com Active Directory domain.
The 802.11Schema.ldf file uses the string "DC=X" to denote the distinguished name of the Active Directory domain. The -c option substitutes the string "DC=X" with the string corresponding to your Active Directory domain name when the 802.11Schema.ldf is imported.
For example, for the Active Directory domain named example.com, the command is:
ldifde -i -v -k -f 802.11Schema.ldf -c DC=X DC=example,DC=com
For more information about the Ldifde.exe tool, see LDIFDE.
The Ldifde.exe tool uses the instructions in the 802.11Schema.ldf file to modify the Active Directory schema to contain the additional attributes and values needed to store the enhancements for wireless Group Policy settings supported by Windows Vista wireless clients.
Contents of 802.11Schema.ldf
# -----------------------------------------------------------------------
# Copyright (c) 2006 Microsoft Corporation
#
# MODULE: 802.11Schema.ldf
# -----------------------------------------------------------------------

# -----------------------------------------------------------------------
# define schemas for these attributes:
#ms-net-ieee-80211-GP-PolicyGUID
#ms-net-ieee-80211-GP-PolicyData
#ms-net-ieee-80211-GP-PolicyReserved
# -----------------------------------------------------------------------
dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1951
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.
attributeId: 1.2.840.113556.1.4.1952
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: pZUUnHZNjkaZHhQzsKZ4VQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1953
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: LsZpD44I9U+lOukjzsB8Cg==
showInAdvancedViewOnly: TRUE
systemFlags: 16

# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
# define schemas for the parent class:
#ms-net-ieee-80211-GroupPolicy
# -----------------------------------------------------------------------
dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-80211-GroupPolicy
adminDisplayName: ms-net-ieee-80211-GroupPolicy
adminDescription: This class represents an 802.11 wireless network group policy object. This class contains identifiers and configuration data relevant to an 802.11 wireless network.
governsId: 1.2.840.113556.1.5.251
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1953
systemMayContain: 1.2.840.113556.1.4.1952
systemMayContain: 1.2.840.113556.1.4.1951
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: Yxi4HCK4eUOeol/3vcY4bQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16

# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Extending the Schema for Wired Group Policy Settings
To extend the Active Directory schema for Windows Vista wired Group Policy enhancements, you need to do the following:
- Create the 802.3Schema.ldf file.
- Use the Ldifde.exe tool to extend the Active Directory schema.
Creating the 802.3Schema.ldf File
To create the 802.3Schema.ldf file, do the following:
- From the Windows desktop, click Start, click Programs, click Accessories, and then click Notepad.
- Select the text of the "Contents of 802.3Schema.ldf" section of this article (not including the section title).
- Right-click the selected section, and then click Copy.
- Click the open Notepad window, click Edit, and then click Paste.
- Click File, click Save As, navigate to the appropriate folder, type 802.3Schema.ldf for File name, select All Files for Save as type, select ANSI for Encoding, and then click Save.
Using the Ldifde.exe Tool to Extend the Active Directory Schema
To use the Ldifde.exe tool to extend the Active Directory schema for wired settings, do the following:
- If needed, copy the 802.3Schema.ldf file to a folder on a domain controller running Windows Server 2003 or Windows Server 2003 R2.
- On a domain controller running Windows Server 2003 or Windows Server 2003 R2, click Start, click Run, type cmd, and then click OK.
- Change to the folder containing the 802.3Schema.ldf file.
- At the Windows command prompt, issue the following command:
ldifde -i -v -k -f 802.3Schema.ldf -c DC=X Dist_Name_of_AD_Domain
Dist_Name_of_AD_Domain is the distinguished name of the Active Directory domain whose schema is being modified. An example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com Active Directory domain.
The 802.3Schema.ldf file uses the string "DC=X" to denote the distinguished name of the Active Directory domain. The -c option substitutes the string "DC=X" with the string corresponding to your Active Directory domain name when the 802.3Schema.ldf is imported.
For example, for the Active Directory domain named example.com, the command is:
ldifde -i -v -k -f 802.3Schema.ldf -c DC=X DC=example,DC=com
For more information about the Ldifde.exe tool, see LDIFDE.
The Ldifde.exe tool uses the instructions in the 802.3Schema.ldf file to modify the Active Directory schema to contain the additional attributes and values needed to store the enhancements for wired Group Policy settings supported by Windows Vista wired clients.
Contents of 802.3Schema.ldf
# -----------------------------------------------------------------------
# Copyright (c) 2006 Microsoft Corporation
#
# MODULE: 802.3Schema.ldf
# -----------------------------------------------------------------------

# -----------------------------------------------------------------------
# define schemas for these attributes:
#ms-net-ieee-8023-GP-PolicyGUID
#ms-net-ieee-8023-GP-PolicyData
#ms-net-ieee-8023-GP-PolicyReserved
# -----------------------------------------------------------------------
dn: CN=ms-net-ieee-8023-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-8023-GP-PolicyGUID
adminDisplayName: ms-net-ieee-8023-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.3 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1954
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: WrCnlLK4WU+cJTnmm6oWhA==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-8023-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-8023-GP-PolicyData
adminDisplayName: ms-net-ieee-8023-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.3 wired networks.
attributeId: 1.2.840.113556.1.4.1955
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1048576
schemaIdGuid:: i5SYg1d0kU29TY1+1mnJ9w==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-8023-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-8023-GP-PolicyReserved
adminDisplayName: ms-net-ieee-8023-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1956
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1048576
schemaIdGuid:: xyfF0wYm602M/RhCb+7Izg==
showInAdvancedViewOnly: TRUE
systemFlags: 16

# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
# define schemas for the parent class:
#ms-net-ieee-8023-GroupPolicy
# -----------------------------------------------------------------------
dn: CN=ms-net-ieee-8023-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-8023-GroupPolicy
adminDisplayName: ms-net-ieee-8023-GroupPolicy
adminDescription: This class represents an 802.3 wired network group policy object. This class contains identifiers and configuration data relevant to an 802.3 wired network.
governsId: 1.2.840.113556.1.5.252
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1956
systemMayContain: 1.2.840.113556.1.4.1955
systemMayContain: 1.2.840.113556.1.4.1954
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: ajqgmRmrRkSTUAy4eO0tmw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-8023-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16

# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
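Because schema extensions cannot be reversed once imported, it is worth checking either .ldf file offline before running the ldifde command from the wireless or wired procedure above. The following Python script is an added example, not Microsoft's code and not part of the article: it parses an LDIF file, applies the same DC=X substitution that ldifde -c performs, and checks that every new attribute has a 16-byte schemaIdGuid, that no attributeId is reused, that the class is only added after a schemaUpdateNow record has reloaded the schema cache, and that every systemMayContain OID is defined in the file. It also expands the class's defaultSecurityDescriptor SDDL so the default rights on objects of the new class are readable. SAMPLE_LDF is a constructed, abridged excerpt of 802.11Schema.ldf (one attribute, the reload record and the class); the example.com domain DN, the function names and the rights and trustee tables are the example's own assumptions. The same check applies unchanged to 802.3Schema.ldf.

```python
import base64
import re

# Constructed, abridged excerpt of the article's 802.11Schema.ldf: one of the
# three attributes, the schema-cache reload record and the class.
SAMPLE_LDF = """\
dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyGUID
attributeId: 1.2.840.113556.1.4.1951
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==

dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-80211-GroupPolicy
governsId: 1.2.840.113556.1.5.251
systemMayContain: 1.2.840.113556.1.4.1951
schemaIdGuid:: Yxi4HCK4eUOeol/3vcY4bQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
"""

def parse_ldif(text):
    """Parse LDIF (no folded lines, as in the article's files) into a list of
    records, each {attribute: [values]}; '::' values are base64-decoded to bytes."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#") or line == "-":    # comment / change separator
            continue
        if not line.strip():                       # blank line ends a record
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF line: %r" % line)
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        current.setdefault(key, []).append(value)
    if current:
        records.append(current)
    return records

def substitute_dn(records, placeholder="DC=X", domain_dn="DC=example,DC=com"):
    """Mimic 'ldifde -c DC=X <domain DN>': rewrite the placeholder in every string value."""
    return [{k: [v.replace(placeholder, domain_dn) if isinstance(v, str) else v
                 for v in vals] for k, vals in rec.items()} for rec in records]

def check_schema_ldf(records):
    """Return the problems found in a parsed schema LDIF; [] means it is consistent."""
    problems, defined, cache_reloaded = [], {}, False
    for rec in records:
        dn = rec.get("dn", [""])[0]
        if "schemaUpdateNow" in rec:               # rootDSE schema-cache reload
            cache_reloaded = True
            continue
        if len(rec.get("schemaIdGuid", [b""])[0]) != 16:
            problems.append("%s: schemaIdGuid is not a 16-byte GUID" % dn)
        kind = rec.get("objectClass", [""])[0]
        if kind == "attributeSchema":
            oid = rec.get("attributeId", ["?"])[0]
            if oid in defined:
                problems.append("%s: attributeId %s already used" % (dn, oid))
            defined[oid] = dn
            cache_reloaded = False                 # a class added later needs a fresh reload
        elif kind == "classSchema":
            if not cache_reloaded:
                problems.append("%s: no schemaUpdateNow before this class" % dn)
            for oid in rec.get("systemMayContain", []):
                if oid not in defined:
                    problems.append("%s: systemMayContain %s is not defined here" % (dn, oid))
    return problems

RIGHTS = {"RP": "read property", "WP": "write property", "CR": "control access",
          "CC": "create child", "DC": "delete child", "LC": "list children",
          "LO": "list object", "RC": "read control", "WO": "write owner",
          "WD": "write DAC", "SD": "delete", "DT": "delete tree", "SW": "self write"}
TRUSTEES = {"DA": "Domain Admins", "SY": "Local System", "AU": "Authenticated Users"}

def decode_dacl(sddl):
    """Expand each ACE of a DACL-only SDDL string into (trustee, ACE type, [rights])."""
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, _flags, rights, _obj, _iobj, sid = ace.split(";")[:6]
        names = [RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]
        aces.append((TRUSTEES.get(sid, sid), ace_type, names))
    return aces

if __name__ == "__main__":
    recs = substitute_dn(parse_ldif(SAMPLE_LDF))
    print("problems:", check_schema_ldf(recs) or "none")
    for who, ace_type, names in decode_dacl(recs[-1]["defaultSecurityDescriptor"][0]):
        print(ace_type, who + ":", ", ".join(names))
```

To check a full file, pass its contents in place of SAMPLE_LDF, for example check_schema_ldf(substitute_dn(parse_ldif(open("802.11Schema.ldf").read()), "DC=X", "DC=example,DC=com")). Two points worth keeping in mind when you then run the article's command: the -k option tells Ldifde.exe to continue past "Constraint Violation" and "Object Already Exists" errors, so read the -v output rather than relying on the exit status alone; and the decoded DACL shows that objects of the new class grant Domain Admins and Local System full control while every authenticated user gets read property, list children, list object and read control, which is what allows domain members to read the policy data.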
For More Information
For more information about wireless and wired support in Windows Vista, consult the following resources: