To extend the schema of a DSfW server, use the standard Microsoft Active Directory (AD) methods: import an LDIF file with the LDIFDE tool, or change the schema programmatically. Both procedures are described below. Before you extend the schema, observe the following precautions:
Backup: Schema changes are irreversible. Always back up your domain before making any modifications.
Test in a staging environment: Never apply schema changes directly to a production environment. Use a replica or staging domain for testing.
Document OIDs and GUIDs: Each attribute and class must have a unique Object Identifier (OID) and a unique Globally Unique Identifier (GUID, stored in schemaIDGUID). Record every value you assign and check for conflicts with existing schema objects before importing. The OIDs in the sample records on this page lie in Microsoft's 1.2.840.113556 arc; for a real extension, allocate OIDs from an arc your organization owns.
Be precise: Errors in LDIF files can result in schema corruption or unexpected behavior. Check the DN, cn, OIDs and syntax of every record before you import it, and verify the result afterwards.
The LDAP Data Interchange Format (LDIF) is a standard file format used in LDAP implementations. The LDIF Data Exchange (LDIFDE) tool imports and exports Active Directory objects using LDIF-formatted files. LDIFDE is useful for batch operations, enabling you to add, modify, or delete multiple Active Directory objects in one run.
Verify the tree root replica is present on all Domain Controllers (DCs). You can verify or configure using the Identity Console.
Join a Windows server or workstation to the DSfW domain.
Prepare an LDIF file that defines the attribute or class to be created (see the sample records below).
Run the command to extend the schema. The -i switch selects import, -v gives verbose output, -f names the LDIF file, and -c replaces every occurrence of the placeholder DN used in the file with the real schema container DN of your domain:
ldifde -i -v -f samplegw.ldf -c "<SchemaContainerDN>" "CN=Schema,CN=Configuration,DC=...,DC=..."
For more information, see Using the LDIFDE Tool.
Verify the newly added schema classes and attributes. On the DSfW server, read the schema subentry and search for the lDAPDisplayName you added (replace class-name with that name):
/usr/bin/ldapsearch -x -b "cn=schema" -s base -LLL -o ldif-wrap=200 | grep "class-name"
Verify the newly added schema objects in the AD-style schema container (replace domainName and com with the components of your domain):
ldapsearch -Y EXTERNAL -b "cn=schema,cn=configuration,dc=domainName,dc=com" -s sub dn
Sample LDIF record that adds an attribute (the cn value must match the CN in the dn line):
dn: CN=NewAttribute,CN=Schema,CN=Configuration,DC=<domainName>,DC=<com>
cn: NewAttribute
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.2993
attributeSyntax: 2.5.5.11
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: NewAttribute
adminDescription: NewAttribute
oMSyntax: 24
searchFlags: 1
lDAPDisplayName: newAttribute
schemaIDGUID:: 9U4AcMMlakSXyJlq6FZndg==
attributeSecurityGUID:: YrwFWMm9KESl4oVqD0wYXg==
systemOnly: FALSE
systemFlags: 16
Sample LDIF record that deletes the attribute again (a native Microsoft AD domain controller does not allow schema objects to be deleted, only deactivated, so this record applies to DSfW):
dn: CN=NewAttribute,CN=Schema,CN=Configuration,DC=<domainName>,DC=<com>
changetype: delete
Sample LDIF record that adds a structural class:
dn: CN=New-Schema-Class,CN=Schema,CN=Configuration,DC=<domainName>,DC=<com>
cn: New-Schema-Class
objectClass: classSchema
subClassOf: top
governsID: 1.2.840.113556.1.5.237
rDNAttID: cn
showInAdvancedViewOnly: TRUE
adminDisplayName: New-Schema-Class
adminDescription: New-Schema-Class
objectClassCategory: 1
lDAPDisplayName: newSchemaClass
schemaIDGUID:: iBJWfwFT0RGpxQAA+ANnwQ==
systemOnly: FALSE
systemMayContain: seeAlso
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
systemFlags: 16
defaultHidingValue: TRUE
Sample LDIF record that deletes the class again:
dn: CN=New-Schema-Class,CN=Schema,CN=Configuration,DC=<domainName>,DC=<com>
changetype: delete
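The LDIFDE procedure and the sample records above leave the error-prone parts to the administrator: choosing unique OIDs and GUIDs, base64-encoding the schemaIDGUID in the byte order the directory expects, and keeping cn consistent with the DN. The following Python script, added here as an example and not part of the DSfW documentation or product, generates such a batch (one attribute plus a structural class that may contain it) and applies the page's precautions as checks before anything is imported. The schema DN under DC=example,DC=com, the OID arc 1.3.6.1.4.1.99999 and all GUIDs are assumptions chosen for the example.

```python
"""Generate and sanity-check an LDIF batch that adds one attribute and one
class to a DSfW/AD schema container, applying the page's precautions.
Added example, not DSfW or Microsoft code: SCHEMA_DN, the OID arc
1.3.6.1.4.1.99999 and all GUIDs are constructed placeholders."""
import base64
import re
import uuid

SCHEMA_DN = "CN=Schema,CN=Configuration,DC=example,DC=com"   # placeholder
OWN_ARC = "1.3.6.1.4.1.99999."   # placeholder for an arc your organisation owns
MS_ARC = "1.2.840.113556."       # Microsoft's arc: never mint your own OIDs in it
OID_RE = re.compile(r"^\d+(\.\d+)+$")
LINE_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def schema_id_guid(guid):
    """schemaIDGUID is the GUID in Windows binary layout (first three fields
    little-endian): encode bytes_le and write it after '::' in LDIF."""
    return base64.b64encode(uuid.UUID(str(guid)).bytes_le).decode("ascii")


def attribute_record(cn, oid, ldap_name, guid, single=True):
    return [f"dn: CN={cn},{SCHEMA_DN}", "changetype: add",
            f"cn: {cn}",                              # must equal the RDN value
            "objectClass: attributeSchema", f"attributeID: {oid}",
            "attributeSyntax: 2.5.5.12", "oMSyntax: 64",   # Unicode string
            f"isSingleValued: {'TRUE' if single else 'FALSE'}",
            f"lDAPDisplayName: {ldap_name}", f"adminDisplayName: {cn}",
            f"schemaIDGUID:: {schema_id_guid(guid)}", "searchFlags: 1",
            "showInAdvancedViewOnly: TRUE", "systemOnly: FALSE"]


def class_record(cn, oid, ldap_name, guid, may_contain):
    return [f"dn: CN={cn},{SCHEMA_DN}", "changetype: add", f"cn: {cn}",
            "objectClass: classSchema", "subClassOf: top", f"governsID: {oid}",
            "rDNAttID: cn", "objectClassCategory: 1",      # 1 = structural
            f"lDAPDisplayName: {ldap_name}", f"adminDisplayName: {cn}",
            f"schemaIDGUID:: {schema_id_guid(guid)}",
            *[f"mayContain: {a}" for a in may_contain],
            "showInAdvancedViewOnly: TRUE", "defaultHidingValue: TRUE",
            "systemOnly: FALSE"]


def parse(record):
    """One record's lines -> {attr: [(is_base64, value), ...]}."""
    attrs = {}
    for m in filter(None, map(LINE_RE.match, record)):
        attrs.setdefault(m[1], []).append((m[2] == "::", m[3]))
    return attrs


def check_batch(records, existing_attrs=frozenset()):
    """Precaution checks: well-formed OIDs from your own arc, unique OIDs and
    GUIDs, cn equal to the RDN, a decodable 16-byte schemaIDGUID, and mayContain
    values defined in this batch or listed in existing_attrs."""
    problems, oids, guids = [], set(), set()
    parsed = [parse(r) for r in records]
    defined = {v for a in parsed for _, v in a.get("lDAPDisplayName", [])}
    for a in parsed:
        classes = {v for _, v in a.get("objectClass", [])}
        if not classes & {"attributeSchema", "classSchema"}:
            continue                                  # e.g. a rootDSE modify
        dn, cn = a["dn"][0][1], a.get("cn", [(False, None)])[0][1]
        if dn.split(",")[0] != f"CN={cn}":
            problems.append(f"{dn}: cn '{cn}' does not match the RDN")
        oid = (a.get("attributeID") or a.get("governsID") or [(False, "")])[0][1]
        if not OID_RE.match(oid):
            problems.append(f"{dn}: malformed OID '{oid}'")
        elif oid.startswith(MS_ARC):
            problems.append(f"{dn}: OID {oid} is inside Microsoft's arc")
        elif not oid.startswith(OWN_ARC):
            problems.append(f"{dn}: OID {oid} is outside your own arc")
        if oid in oids:
            problems.append(f"{dn}: duplicate OID {oid}")
        oids.add(oid)
        is_b64, raw = a.get("schemaIDGUID", [(False, "")])[0]
        try:
            guid = uuid.UUID(bytes_le=base64.b64decode(raw)) if is_b64 else None
        except ValueError:                            # bad base64 or not 16 bytes
            guid = None
        if guid is None:
            problems.append(f"{dn}: schemaIDGUID is not a base64 16-byte GUID")
        elif guid in guids:
            problems.append(f"{dn}: duplicate schemaIDGUID {guid}")
        guids.add(guid)
        for _, name in a.get("mayContain", []):
            if name not in defined and name not in existing_attrs:
                problems.append(f"{dn}: mayContain '{name}' is undefined")
    return problems


def render(records):
    """Blank-line-separated records, ready for 'ldifde -i -f schema.ldf'."""
    return "\n\n".join("\n".join(r) for r in records) + "\n"


def build_sample():
    attr = attribute_record("Example-Badge-Id", OWN_ARC + "1.1", "exampleBadgeId",
                            "00010203-0405-0607-0809-0a0b0c0d0e0f")
    cls = class_record("Example-Badge", OWN_ARC + "2.1", "exampleBadge",
                       "20212223-2425-2627-2829-2a2b2c2d2e2f",
                       ["exampleBadgeId", "seeAlso"])  # seeAlso already exists
    return [attr, cls]


if __name__ == "__main__":
    batch = build_sample()
    problems = check_batch(batch, existing_attrs={"seeAlso"})
    print("\n".join(problems) if problems else render(batch), end="")
```

Redirect the output to a .ldf file and import it with ldifde -i as in the step above. The script cannot see the live schema, so attributes that already exist in the directory (seeAlso in the sample) must be passed in existing_attrs for the mayContain check to pass. When the target is a native Microsoft AD schema rather than DSfW, keep in mind that a class record which lists an attribute added in the same import is only accepted after the schema cache has been reloaded, which is done with a rootDSE modify that sets schemaUpdateNow to 1 between the two records.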
Programmatic schema extension modifies the directory schema from code instead of from a hand-written LDIF file. It lets administrators automate schema changes, ship them with an application, and apply complex or repeated changes consistently, which matters most in large or frequently changing environments.
Verify the tree root replica is present on all Domain Controllers (DCs). You can verify or configure using the Identity Console.
Join a Windows server or workstation to the DSfW domain.
Install Visual Studio.
Create a new project in Visual Studio.
Run the script to extend the schema.
For a sample script, see Example Code for Extending the Schema Programmatically.
Verify the newly added schema classes and attributes. On the DSfW server, read the schema subentry and search for the lDAPDisplayName you added (replace class-name with that name):
/usr/bin/ldapsearch -x -b "cn=schema" -s base -LLL -o ldif-wrap=200 | grep "class-name"
Verify the newly added schema objects in the AD-style schema container (replace domainName and com with the components of your domain):
ldapsearch -Y EXTERNAL -b "cn=schema,cn=configuration,dc=domainName,dc=com" -s sub dn
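Both procedures, the LDIFDE import and the programmatic extension, end with the same two verification searches, and grepping for a name only proves that something with that name exists. The following Python script, added here as an example that is not part of the DSfW documentation, parses the LDIF returned by the second search (without the trailing dn argument, so that attributes are returned) and checks that each imported object is present with the expected objectClass and OID, decoding schemaIDGUID back to the GUID that was assigned. SAMPLE is constructed output, and the names, the OIDs under 1.3.6.1.4.1.99999 and the GUIDs in it are placeholders for the example.

```python
"""Verify the output of the page's schema search, e.g.
  ldapsearch -Y EXTERNAL -b "cn=schema,cn=configuration,dc=example,dc=com" -s sub
by parsing it as LDIF and checking each expected schema object's class and OID.
Added example, not DSfW code: SAMPLE is constructed output, and the names,
OIDs (arc 1.3.6.1.4.1.99999) and GUIDs in it are placeholders."""
import base64
import uuid

# Constructed search output; the last value is wrapped at 76 columns the way
# ldapsearch wraps unless you pass -o ldif-wrap=no (or a wide width).
SAMPLE = """\
dn: CN=Example-Badge-Id,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
cn: Example-Badge-Id
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
lDAPDisplayName: exampleBadgeId
schemaIDGUID:: AwIBAAUEBwYICQoLDA0ODw==

dn: CN=Example-Badge,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
cn: Example-Badge
governsID: 1.3.6.1.4.1.99999.2.1
subClassOf: top
lDAPDisplayName: exampleBadge
mayContain: exampleBadgeId
mayContain: seeAlso
schemaIDGUID:: IyIhICUkJyYoKSorLC0uLw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCC
 DCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
"""

EXPECTED = {                                  # lDAPDisplayName -> what we imported
    "exampleBadgeId": {"kind": "attributeSchema", "oid": "1.3.6.1.4.1.99999.1.1"},
    "exampleBadge": {"kind": "classSchema", "oid": "1.3.6.1.4.1.99999.2.1"},
}


def parse_ldif(text):
    """LDIF text -> list of {attr: [values]}.  Unfolds continuation lines
    (leading space), skips '#' comments, decodes '::' base64 values to bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # continuation of previous line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                     # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: base64"
            entry.setdefault(name, []).append(base64.b64decode(value[1:].strip()))
        else:
            entry.setdefault(name, []).append(value.strip())
    return entries


def verify_schema(text, expected):
    """Return (found, problems): found maps each expected lDAPDisplayName to its
    DN, OID and schemaIDGUID (as a GUID string); problems lists mismatches."""
    by_name = {n: e for e in parse_ldif(text) for n in e.get("lDAPDisplayName", [])}
    found, problems = {}, []
    for name, want in expected.items():
        e = by_name.get(name)
        if e is None:
            problems.append(f"{name}: not present in schema")
            continue
        if want["kind"] not in e.get("objectClass", []):
            problems.append(f"{name}: objectClass {e.get('objectClass')} is not {want['kind']}")
        oid_attr = "attributeID" if want["kind"] == "attributeSchema" else "governsID"
        oid = e.get(oid_attr, [None])[0]
        if oid != want["oid"]:
            problems.append(f"{name}: {oid_attr} {oid} != expected {want['oid']}")
        raw = e.get("schemaIDGUID", [b""])[0]
        guid = str(uuid.UUID(bytes_le=raw)) if isinstance(raw, bytes) and len(raw) == 16 else None
        if guid is None:
            problems.append(f"{name}: schemaIDGUID missing or not a 16-byte value")
        found[name] = {"dn": e["dn"][0], "oid": oid, "guid": guid}
    return found, problems


if __name__ == "__main__":
    found, problems = verify_schema(SAMPLE, EXPECTED)
    for name, info in found.items():
        print(f"{name}: oid={info['oid']} schemaIDGUID={info['guid']}")
    print("OK" if not problems else "\n".join(problems))
```

To check a real import, replace SAMPLE with the saved output of the search and EXPECTED with the names and OIDs from your LDIF file. The parser unfolds the 76-column wrapping that ldapsearch applies by default, which is also why the page's first verification command passes -o ldif-wrap=200 before grepping: a name split across two lines would otherwise not match.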