Active Directory Schema Update Allowed

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

The Active Directory schema is AD's blueprint. It defines which object classes can exist in the directory database and which attributes each class can carry. You can customize the schema with the MMC snap-in called Active Directory Schema (the snap-in only appears in MMC after its DLL has been registered with regsvr32 schmmgmt.dll). You should not have to modify the schema. But should you have to, Microsoft put significant barriers in place to make sure this is not a casual task. On Windows 2000, domain controllers treat the schema as read-only by default, regardless of the account attempting the write. To open a Windows 2000 domain controller's schema for modification you have to set the following registry value (the Operations Master dialog of the snap-in has a checkbox, "The Schema may be modified on this Domain Controller", that sets the same value; Windows Server 2003 and later no longer require it):

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Name: Schema Update Allowed
Type: REG_DWORD
Set the Schema Update Allowed value to 1 to allow write access to the schema. The value is absent by default; set it back to 0 or delete it once the change has been made, so the schema does not stay writable.

To modify the schema, you must be logged on as a member of the Schema Admins group. The group exists only in the forest root domain and should normally be kept empty: add your account for the duration of the change and remove it afterwards. The other bit of info of interest is that the schema is not multi-master. Active Directory in general uses a multi-master model: ordinary updates can occur simultaneously on multiple domain controllers and the changes replicate between them. Schema modifications cannot be performed on just any domain controller. They are accepted only by the one domain controller holding the Schema Master role, one of the flexible single-master operation (FSMO) roles; every other domain controller holds a read-only replica of the schema. If you need to make the change on a different domain controller, transfer the role to it first (Operations Master, Change in the snap-in, or ntdsutil roles). Because the schema partition is forest-wide, a committed change replicates to every domain controller in every domain of the forest.
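Before touching the schema, a practitioner wants to confirm the three gates above from the command line: which domain controller holds the Schema Master role, who is currently in Schema Admins, and whether the Windows 2000 Schema Update Allowed value is present on this machine. The script below is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module is installed and that it is run on a domain controller (PowerShell does not run on Windows 2000 itself, so on a current DC a set value is a leftover from an old upgrade rather than a working switch).

```powershell
# Added example (not part of the original article). Audits the gates on an AD schema change.
# Assumes: ActiveDirectory module available, run on a domain controller, rights to read HKLM.
Import-Module ActiveDirectory

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$RegName = 'Schema Update Allowed'

function Get-SchemaMasterInfo {
    # The schema naming context head carries fSMORoleOwner (the NTDS Settings object of the
    # schema master) and objectVersion (schema version, worth recording before and after a change).
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $head     = Get-ADObject -Identity $schemaNC -Properties objectVersion, fSMORoleOwner
    $forest   = Get-ADForest
    [pscustomobject]@{
        SchemaMaster  = $forest.SchemaMaster          # DNS name of the role holder
        RoleOwnerDN   = $head.fSMORoleOwner
        SchemaVersion = $head.objectVersion
        IsThisHost    = $forest.SchemaMaster -like "$env:COMPUTERNAME.*"
    }
}

function Get-SchemaAdminsMembers {
    # Schema Admins exists only in the forest root domain, so query that domain explicitly.
    $root = (Get-ADForest).RootDomain
    Get-ADGroupMember -Identity 'Schema Admins' -Server $root -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName
}

function Get-SchemaUpdateAllowed {
    # Returns $null when the value is absent (the default), otherwise the DWORD as an int.
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$RegName
}

function Remove-SchemaUpdateAllowed {
    # Cleanup for a leftover value; not called automatically below.
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

# --- report ---
$info = Get-SchemaMasterInfo
$info | Format-List
if (-not $info.IsThisHost) {
    Write-Warning 'This host is not the schema master; schema writes here will be refused. Transfer the role first.'
}

$members = @(Get-SchemaAdminsMembers)
if ($members.Count -gt 0) {
    Write-Warning "Schema Admins has $($members.Count) member(s); it should be empty outside a change window."
    $members | Format-Table -AutoSize
} else {
    Write-Host 'Schema Admins is empty (expected steady state).'
}

$allowed = Get-SchemaUpdateAllowed
if ($null -eq $allowed) {
    Write-Host "$RegName is not set (default)."
} elseif ($allowed -eq 1) {
    Write-Warning "$RegName=1 is set. This value only ever mattered on Windows 2000; on this DC it is a leftover. Run Remove-SchemaUpdateAllowed."
} else {
    Write-Host "$RegName=$allowed (writes disabled)."
}
```

On a Windows 2000 domain controller the value itself is set with regedit or the snap-in checkbox described above; the script is for the audit side, which is where most of the risk sits: a populated Schema Admins group or a forgotten writable-schema switch is a standing forest-wide privilege, since a schema change replicates everywhere and cannot be rolled back.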

The biggest difficulty with the Active Directory schema is that changes cannot be undone: a class or attribute, once added, can never be deleted. When this piece was first written, Microsoft's next server release (then referred to as Windows 2002 Server, which shipped as Windows Server 2003 in April 2003) was expected to introduce a Schema Delete feature for objects and attributes in the directory schema. What shipped is deactivation rather than deletion: a class or attribute can be marked defunct so it can no longer be used, and at the Windows Server 2003 forest functional level a defunct object's identifiers can be reused and the object redefined, but nothing is ever physically removed from the schema. Novell's eDirectory and iPlanet's Directory Server 5.0 already let you delete schema definitions.

