Active Directory Schema Changes (SP1)

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007 SP1

This topic provides information about the Active Directory schema changes that occur when you install Microsoft Exchange Server 2007 Service Pack 1 (SP1). Exchange 2007 adds new attributes to the Active Directory directory service schema and makes other modifications to existing classes and attributes. This topic only describes the Active Directory schema changes that are included in SP1.

For information about Active Directory schema changes that are made by the initial release of Exchange 2007, see Active Directory Schema Changes.

New Attributes Added to Active Directory

Exchange 2007 SP1 adds the following attributes to Active Directory:

  • ms-Exch-Foreign-Forest-Public-Folder-Admin-USG-Sid,<SchemaContainerDN>

  • ms-Exch-Internal-NLB-Bypass-Host-Name,<SchemaContainerDN>

  • ms-Exch-Mobile-Additional-Flags,<SchemaContainerDN>

  • ms-Exch-Mobile-Allow-Bluetooth,<SchemaContainerDN>

  • ms-Exch-Mobile-Allow-SMIME-Encryption-Algorithm-Negotiation,<SchemaContainerDN>

  • ms-Exch-Mobile-Approved-Application-List,<SchemaContainerDN>

  • ms-Exch-Mobile-Max-Calendar-Age-Filter,<SchemaContainerDN>

  • ms-Exch-Mobile-Max-Email-Age-Filter,<SchemaContainerDN>

  • ms-Exch-Mobile-Max-Email-Body-Truncation-Size,<SchemaContainerDN>

  • ms-Exch-Mobile-Max-Email-HTML-Body-Truncation-Size,<SchemaContainerDN>

  • ms-Exch-Mobile-Min-Device-Password-Complex-Characters,<SchemaContainerDN>

  • ms-Exch-Mobile-Require-Encryption-SMIME-Algorithm,<SchemaContainerDN>

  • ms-Exch-Mobile-Require-Signed-SMIME-Algorithm,<SchemaContainerDN>

  • ms-Exch-Mobile-Unapproved-In-ROM-Application-List,<SchemaContainerDN>

  • ms-Exch-Standby-Copy-Machines,<SchemaContainerDN>

The ms-Exch-Foreign-Forest-Public-Folder-Admin-USG-Sid attribute is similar in functionality to the following existing attributes:

  • ms-Exch-Foreign-Forest-Org-Admin-USG-Sid

  • ms-Exch-Foreign-Forest-Recipient-Admin-USG-Sid

  • ms-Exch-Foreign-Forest-Read-Only-Admin-USG-Sid

All these attributes support cross-forest delegation of Exchange administration roles. The new attribute supports the new Public Folder Admin role.

The ms-Exch-Internal-NLB-Bypass-Host-Name attribute supports proxying between computers that are running Exchange 2007 and have the Client Access server role installed.

The ms-Exch-Mobile-* attributes support additional mobility synchronization features.

The ms-Exch-Standby-Copy-Machines attribute supports the new standby continuous replication (SCR) feature. This feature can be used with both local continuous replication (LCR) and cluster continuous replication (CCR) to configure additional replicas of a database, typically for a site resilience system recovery solution.

No new classes have been added to Active Directory.

Changes to Existing Class-Schema and Attribute-Schema Classes

For information about changes to the Active Directory schema, refer to the .ldf files. The .ldf files are located in the \amd64\Setup\Data\ folder on the Exchange 2007 installation DVD.

Modified Active Directory Schema Classes

All Active Directory schema class modifications support the setting of new attributes on existing objects. The addition of the delivContLength attribute to Site-Link objects supports a new feature that limits the size of messages that are sent between Active Directory sites. Only one change affects a non-Exchange object.

The following table lists the modifications to the Active Directory schema classes.

Active Directory schema class modifications

| Class | Change | Attribute/Class |
|---|---|---|
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileAdditionalFlags |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileAllowBluetooth |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileAllowSMIMEEncryptionAlgorithmNegotiation |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileApprovedApplicationList |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileMaxCalendarAgeFilter |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileMaxEmailAgeFilter |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileMaxEmailBodyTruncationSize |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileMaxEmailHTMLBodyTruncationSize |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileMinDevicePasswordComplexCharacters |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileRequireEncryptionSMIMEAlgorithm |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileRequireSignedSMIMEAlgorithm |
| ms-Exch-Mobile-Mailbox-Policy | add: mayContain | msExchMobileUnapprovedInROMApplicationList |
| ms-Exch-Organization-Container | add: mayContain | msExchForeignForestPublicFolderAdminUSGSid |
| ms-Exch-Storage-Group | add: mayContain | msExchStandbyCopyMachines |
| ms-Exch-Virtual-Directory | add: mayContain | msExchInternalNLBBypassHostName |
| Site-Link | add: mayContain | delivContLength |

Modified Active Directory Schema Attributes

The following table lists the modified Active Directory schema attributes.

Active Directory schema attribute modifications

| Attribute | Change | Value |
|---|---|---|
| ms-Exch-Schema-Version-Pt | replace: rangeUpper | 11116 |
| ms-Exch-Resource-Property-Schema | replace: OID | 1.2.840.113556.1.4.7000.102.50881 |

Exchange 2007 uses the ms-Exch-Schema-Version-Pt attribute to keep track of the Exchange schema version that is installed. This attribute is not actually set on any objects. The rangeUpper for the initial release of Exchange 2007 is 10637; the value for Exchange 2007 SP1 is 11116. This attribute is always modified with changes to the Exchange schema.
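The class and attribute modifications tabulated above reach the directory as LDIF change records in the .ldf files. The following Python example is added here and is not part of the original page or of Exchange Setup; it parses such records so that a schema extension can be reviewed before it is imported into a forest. The sample text is constructed from rows of the tables, and the changetype keyword and record layout are assumptions about the files.

```python
import re
# Constructed sample mirroring table rows above; changetype and layout are assumed.
SAMPLE_LDF = """\
dn: CN=ms-Exch-Mobile-Mailbox-Policy,<SchemaContainerDN>
changetype: ntdsSchemaModify
add: mayContain
mayContain: msExchMobileAllowBluetooth
-

dn: CN=Site-Link,<SchemaContainerDN>
changetype: ntdsSchemaModify
add: mayContain
mayContain: delivContLength
-

dn: CN=ms-Exch-Schema-Version-Pt,<SchemaContainerDN>
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 11116
-
"""

def parse_schema_changes(text):
    """Return (object CN, operation, attribute, value) per modified value."""
    text = re.sub(r"\r?\n ", "", text)           # unfold LDIF continuation lines
    changes = []
    for record in re.split(r"\n\s*\n", text.strip()):
        cn = op = attr = None
        for line in map(str.strip, record.splitlines()):
            key, _, value = (part.strip() for part in line.partition(":"))
            if key.lower() == "dn":
                cn = value.split(",", 1)[0].split("=", 1)[-1]
            elif key.lower() in ("add", "replace", "delete"):
                op, attr = key.lower(), value    # in force until the next operation
            elif op and key.lower() == attr.lower():
                changes.append((cn, op, attr, value))
    return changes

def non_exchange_targets(changes, prefix="ms-Exch-"):
    """Schema objects outside the Exchange naming prefix that the file touches."""
    return sorted({c[0] for c in changes if not c[0].startswith(prefix)})

def schema_version(changes):
    """rangeUpper that the file sets on ms-Exch-Schema-Version-Pt, or None."""
    return next((int(v) for cn, _, attr, v in changes
                 if cn == "ms-Exch-Schema-Version-Pt" and attr == "rangeUpper"), None)

if __name__ == "__main__":
    print(parse_schema_changes(SAMPLE_LDF))
```

Run against a real .ldf file, non_exchange_targets shows at a glance which base Active Directory classes an extension modifies, and schema_version gives the rangeUpper to expect on the schema afterward.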

An object identifier (also known as OID) collision exists between an attribute that is used in the Defense Messaging System (DMS) version of Microsoft Exchange Server 2003 and the ms-Exch-Resource-Property-Schema attribute in the initial version of Exchange 2007. If you are installing Exchange 2007 SP1 in your forest, this collision will not affect you. If you have installed Exchange 2007 in your forest, the collision will be resolved automatically when you install Exchange 2007 SP1.

The ms-Exch-Resource-Property-Schema attribute is an optional attribute that can be set only on the Resource Schema object in the Global Settings for an Exchange 2007 organization. When you install Exchange 2007 SP1, Setup will detect whether Exchange 2007 has already been installed in the forest and whether this attribute already exists on the Resource Schema object. If the attribute exists, its value will be preserved and then set back on the Resource Schema object after the Active Directory schema is corrected.

The ms-Exch-Resource-Property-Schema attribute lets an administrator define custom properties for resource mailboxes. The custom properties can be one of two types: Rooms and Equipment. For example, an administrator can define Room/16 chairs and Room/8 chairs as custom properties. Resource owners can then select from the custom properties list to identify features of the room. You can use the Set-ResourceConfig cmdlet in the Exchange Management Shell to set up the list of available custom properties. You can query defined resources by using the Get-ResourceConfig cmdlet in the Exchange Management Shell. Note that loss of the property schema does not affect any properties that are already set on resource mailboxes; it only affects the list of properties that you can select from.

The object identifier for the ms-Exch-Resource-Property-Schema attribute in the initial release of Exchange 2007 is 1.2.840.113556.1.4.7000.102.50329. If necessary, Exchange 2007 SP1 Setup will import update_ResourcePropertySchema.ldf to deactivate the attribute and create a new attribute of the same name with a new object identifier of 1.2.840.113556.1.4.7000.102.50881. The new attribute will be functionally identical to the old one. If you have not installed Exchange 2007 in your forest, Exchange 2007 SP1 will create the attribute with the correct object identifier.

No changes have been made to the ADAM schema for the Exchange servers that are running the Edge Transport server role in this release, except for an increase in the ms-Exch-Schema-Version-Pt rangeUpper value to match the Active Directory version.

Exchange-Specific Schema Classes

Exchange 2007 SP1 schema classes and attributes contain no modifications.

Indexed Attributes

No new indexed attributes are added with Exchange 2007 SP1.

Attributes Added to the Global Catalog

No attributes are added to the global catalog with Exchange 2007 SP1.

New Object Identifiers

The following table lists the new attribute object identifiers that are used by Exchange 2007 in an Active Directory forest. Exchange 2007 SP1 does not include any new class identifiers.

New attribute object identifiers

1.2.840.113556.1.4.7000.102.50881

1.2.840.113556.1.4.7000.102.50882

1.2.840.113556.1.4.7000.102.50883

1.2.840.113556.1.4.7000.102.50884

1.2.840.113556.1.4.7000.102.50885

1.2.840.113556.1.4.7000.102.50886

1.2.840.113556.1.4.7000.102.50887

1.2.840.113556.1.4.7000.102.50888

1.2.840.113556.1.4.7000.102.50889

1.2.840.113556.1.4.7000.102.50890

1.2.840.113556.1.4.7000.102.50891

1.2.840.113556.1.4.7000.102.50892

1.2.840.113556.1.4.7000.102.50893

1.2.840.113556.1.4.7000.102.50894

1.2.840.113556.1.4.7000.102.50895

1.2.840.113556.1.4.7000.102.50897

Remarks

Exchange 2007 SP1 does not include the following schema changes:

  • New extended rights

  • Modified extended rights

  • New property sets

  • Modified property sets

  • New MAPI identifiers

  • New classes that have nondefault security descriptors

  • Modified security descriptors for existing classes

Best Practices for Schema Changes

We recommend the following best practices for schema changes:

  1. All schema elements have a valid object identifier from a range of object identifiers that are registered and allocated to the vendor.

  2. The Microsoft-recommended naming conventions for schema elements are observed.

  3. Any attributes that are added to the global catalog are required and are widely populated.

  4. Modifications to existing property sets have been approved by the property set owner.

  5. No single attribute is expected to be more than 500 kilobytes (KB). No single object is expected to be more than 1 megabyte (MB).

  6. Any indexed attributes have unique and widely populated values.

  7. All new attributes and classes contain relatively static and long-lived information.

  8. No Class 88 classes are used.

  9. Schema updating and behavior have been tested in a private forest.

The schema changes that are described in this document comply with these best practices.

See Also

Concepts

Active Directory Schema Changes