From Windows 2000 Active Directory by Alistair G. Lowe-Norris, O'Reilly and Associates, 2000.
In order for Active Directory to hold any object, such as a user, it needs to know what the attributes and characteristics of that object are. In other words, it needs a blueprint for that object. Active Directory Schema is the blueprint for all classes, attributes, and syntaxes that potentially can be stored in Active Directory.
There are two safeguards that you have to bypass in order for the system to allow you to modify the schema with either the Schema Manager console or via ADSI. First, the user who is to make the changes has to be a member of the Schema Admins group, which exists in the forest root domain. Second, you need to make a change to the registry on the DC that you wish to make the changes on.
The fastest and probably best solution is to use the checkbox from the Schema Master MMC.
Alternatively, on the DC itself, open up the registry using REGEDT32.EXE or REGEDIT.EXE and locate the following key:
Now, create a new REG_DWORD value called Schema Update Allowed and set the value to 1. That's all you need to do. You can now edit the Schema on that DC.

Another alternative method for making the change is to copy the following three lines to a text file with a REG extension and open it (i.e., execute it) on the DC where you wish to enable schema updates. This will automatically modify the registry for you without the need to open the registry by hand:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"Schema Update Allowed"=dword:00000001
Once you've modified the registry on a particular DC and placed the user account that is to make the changes into the Schema Admins group, any changes that you make to the Schema on that DC will be accepted. If you wish the changes to be accepted on any DC, you need to correspondingly modify the registry on every DC.
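Because the registry safeguard is set per DC, it is worth checking afterwards which DCs still have it switched on. The following is an added example, not code from the book: it parses REGEDIT4 text exports of each DC's registry and reports the state of the value described above. The DC names and sample exports are constructed, and flagging any value other than 0 or 1 for review is an assumption of this example.

```python
import re

# Key and value name as they appear in the .reg file on this page.
NTDS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
VALUE_NAME = "Schema Update Allowed"

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')


def read_schema_flag(reg_text):
    """Return the DWORD stored under the NTDS Parameters key, 0 if the key is
    present but the value is not, or None if the export lacks the key."""
    in_key, seen_key, value = False, False, 0
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            # Registry key and value names compare case-insensitively.
            in_key = section.group(1).lower() == NTDS_KEY.lower()
            seen_key = seen_key or in_key
            continue
        entry = DWORD_RE.match(line) if in_key else None
        if entry and entry.group(1).lower() == VALUE_NAME.lower():
            value = int(entry.group(2), 16)
    return value if seen_key else None


def audit(exports):
    """Classify each DC from a {dc_name: export_text} mapping."""
    labels = {None: "key missing from export", 0: "not enabled", 1: "ENABLED"}
    return {dc: labels.get(read_schema_flag(text), "unexpected value, review")
            for dc, text in exports.items()}


# Constructed sample exports; the DC names are hypothetical.
HEADER = "REGEDIT4\n\n[" + NTDS_KEY + "]\n"
SAMPLES = {
    "DC1": HEADER + '"Schema Update Allowed"=dword:00000001\n',
    "DC2": HEADER + '"schema update allowed"=dword:00000000\n',
    "DC3": HEADER + '"DSA Working Directory"="C:\\\\WINNT\\\\NTDS"\n',
    "DC4": "REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\SYSTEM\\Select]\n",
}

if __name__ == "__main__":
    for dc, finding in sorted(audit(SAMPLES).items()):
        print(dc, "->", finding)
```

A DC reported as "key missing from export" was exported without the NTDS Parameters key, so its state is unknown rather than safe.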