Allowing schema changes to take place

Learn how to modify the AD schema.

From Windows 2000 Active Directory by Alistair G. Lowe-Norris, O'Reilly and Associates, 2000.

In order for Active Directory to hold any object, such as a user, it needs to know what the attributes and characteristics of that object are. In other words, it needs a blueprint for that object. Active Directory Schema is the blueprint for all classes, attributes, and syntaxes that potentially can be stored in Active Directory.

There are two safeguards that you have to bypass in order for the system to allow you to modify the schema with either the Schema Manager console or via ADSI. First, the user who is to make the changes has to be a member of the Schema Admins group, which exists in the forest root domain. Second, you need to make a change to the registry on the DC that you wish to make the changes on.

The fastest and probably best solution is to use the checkbox from the Schema Master MMC.

Alternatively, on the DC itself, open up the registry using REGEDT32.EXE or REGEDIT.EXE and locate the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Now, create a new REG_DWORD value called Schema Update Allowed and set the value to 1. That's all you need to do. You can now edit the schema on that DC.

Another alternative method for making the change is to copy the following three lines to a text file with a REG extension and open it (i.e., execute it) on the DC where you wish to enable schema updates. This will automatically modify the registry for you without the need to open the registry by hand:

	REGEDIT4
	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
	"Schema Update Allowed"=dword:00000001

Once you've modified the registry on a particular DC and placed the user account that is to make the changes into the Schema Admins group, any changes that you make to the Schema on that DC will be accepted. If you wish the changes to be accepted on any DC, you need to correspondingly modify the registry on every DC.
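To see where schema updates are currently enabled and who is able to make them, both safeguards can be read back across the forest. The following PowerShell is an added example, not code from the book; it assumes a domain-joined administrative workstation, Remote Registry reachable on each DC, and that Schema Admins sits in its default CN=Users container of the forest root domain.

```powershell
# Added example: report the state of both schema-modification safeguards.
# Assumptions: run as an account allowed to read the DCs' registry remotely;
# Schema Admins is in the default CN=Users container of the forest root domain.
$keyPath   = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Schema Update Allowed'

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Safeguard 1: direct members of Schema Admins in the forest root domain.
$rootDn = [string]$forest.RootDomain.GetDirectoryEntry().distinguishedName
$group  = [ADSI]"LDAP://CN=Schema Admins,CN=Users,$rootDn"
'Schema Admins members:'
$group.member | ForEach-Object { "  $_" }

# Safeguard 2: the registry value on every DC in every domain of the forest.
foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $hklm = $null; $key = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $dc.Name)
            $key  = $hklm.OpenSubKey($keyPath)
            $raw  = if ($key) { $key.GetValue($valueName) } else { $null }
            # A missing value or 0 means the registry safeguard is still in place.
            $state = if ($null -ne $raw -and [int]$raw -ne 0) { 'ENABLED' } else { 'not set' }
        }
        catch {
            # Report unreachable DCs instead of silently treating them as safe.
            $state = "unreachable: $($_.Exception.Message)"
        }
        finally {
            if ($key)  { $key.Close() }
            if ($hklm) { $hklm.Close() }
        }
        [pscustomobject]@{
            Domain              = $domain.Name
            DC                  = $dc.Name
            SchemaUpdateAllowed = $state
        }
    }
}
```

Only direct members of the group are listed; nested groups appear as a single entry and need to be expanded separately.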



This was first published in May 2000
