Tip

Allowing schema changes to take place

From Windows 2000 Active Directory by Alistair G. Lowe-Norris, O'Reilly and Associates, 2000.

In order for Active Directory to hold any object, such as a user, it needs to know what the attributes and characteristics of that object are. In other words, it needs a blueprint for that object. Active Directory Schema is the blueprint for all classes, attributes, and syntaxes that potentially can be stored in Active Directory.

There are two safeguards that you have to bypass in order for the system to allow you to modify the schema with either the Schema Manager console or via ADSI. First, the user who is to make the changes has to be a member of the Schema Admins group, which exists in the forest root domain. Second, you need to make a change to the registry on the DC that you wish to make the changes on.

The fastest and probably best solution is to use the checkbox from the Schema Master MMC.

Alternatively, on the DC itself, open up the registry using REGEDT32.EXE or REGEDIT.EXE and locate the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Now, create a new REG_DWORD value called Schema Update Allowed and set the value to 1. That's all you need to do. You can now edit the Schema on that DC.

Another alternative method for making the change is to copy the following three lines to a text file with a REG extension and open it (i.e., execute it) on the DC where you wish to enable schema updates. This will automatically modify the registry for you without the need to open the registry by hand:

	REGEDIT4
	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
	"Schema Update Allowed"=dword:00000001

Once you've modified the registry on a particular DC and placed the user account that is to make the changes into the Schema Admins group, any changes that you make to the Schema on that DC will be accepted. If you wish the changes to be accepted on any DC, you need to correspondingly modify the registry on every DC.
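Because both safeguards tend to be left switched off long after a schema change is finished, it is worth checking them periodically. The following script is an added example, not taken from the book: it reports the Schema Admins membership and the state of the Schema Update Allowed value on every DC in the forest. It assumes the ActiveDirectory PowerShell module and PowerShell remoting to each DC are available; the variable names are illustrative.

```powershell
# Added example: audit both schema-modification safeguards across a forest.
# Assumptions: ActiveDirectory module installed, PowerShell remoting enabled on the DCs.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Schema Update Allowed'

# Safeguard 1: membership of Schema Admins, which lives in the forest root domain.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Safeguard 2: the registry value, which is set per DC, so every DC is checked.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    try {
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($path, $name)
            # Returns $null when the value does not exist on this DC.
            (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        } -ArgumentList $regPath, $valueName

        $state = if ($null -eq $value) { 'not set' }
                 elseif ($value -eq 1) { 'ENABLED' }
                 else                  { "set to $value" }
    } catch {
        # A DC that cannot be queried is reported, not silently skipped.
        $state = "unreachable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        IsSchemaMaster   = ($dc.HostName -eq $forest.SchemaMaster)
        SchemaUpdate     = $state
    }
}

$members = if ($schemaAdmins) { $schemaAdmins -join ', ' } else { '(none)' }
"Schema Admins members: $members"
$report | Sort-Object DomainController | Format-Table -AutoSize
```

Any DC reported as ENABLED, or any unexpected account in Schema Admins, outside a planned schema change is worth investigating.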



This was first published in May 2000
