Schema Master is another FSMO role which is responsible for making changes to the
Active Directory schema. The schema stores descriptions of all Active Directory classes and
attributes (LDAP://cn=schema,cn=configuration,dc=<domain>).
Changes to the AD schema are rarely made: for example, when you extend the schema
using adprep/forestprep, upgrade the domain functional level or install Exchange, Lync (or
other enterprise applications that store configuration objects in AD).
The AD schema is a set of objects and their attributes, that are used to store data. In this
case, the AD schema contains the class user, which defines all the attributes of the user
account object.
Each user account in the domain can have all these attributes. But attribute values may not
be specified. You can check which attributes have an account of any domain user and their
values (for example, built-in administrator account).
To do this, open the adsiedit.msc console and connect to the Default naming context. In
the hierarchy, find the user object and open its Properties.
You can see that the object has all the attributes that are defined in the user class (note the
Filter button, you may have turned on display only attributes that have values).
Microsoft recommends the following best practices in the placement and administration of
the Active Directory schema:
1. Always make a backup before changing the schema. Before the process of schema
changes, you can turn off all the domain controllers, of course except for a one, who is
the owner of a Schema Master role. After that, make a backup of the domain controller,
perform all the necessary changes and, in case everything is well, simply turn on all
DCs. If something went wrong, just restore the running controller from a backup, turn on
the rest and then explore the problem.
2. It is recommended to keep the Domain Naming Master and Schema Master roles on
the same DC (they are rarely used and should be tightly controlled), that should
simultaneously be a Global Catalog (GC) server.
3. If you have lost the server with Schema Master role for some reason, you can seize this
role to any other domain controller. But keep in mind that the original Schema Master
should not appear on the network after that.
4. Perform schema changes manually only in case of extra need. If this still needs to be
done in any case, see paragraph 1.
If the DC owner of a Schema Master role is unavailable, it is not possible to change the AD
schema. However, the upgrade of the schema is usually not done often (as a rule when
installing new DCs with a newer Windows Server version or installing some other server
products, such as Exchange). In practice, the absence of a schema master can be
overlooked for years.
To manage AD schema and transfer the Schema Master role between domain controllers,
use the Active Directory Schema mmc snap-in. However, to enable this console you must
register the dynamic library Schmmgmt.dll at first.
1. Open elevated Command prompt.
2. Execute the command:
regsvr32 schmmgmt.dll
Tip. To manage an AD schema you must be a member of the Schema Admin group.
То transfer Schema Master FSMO role you need to start AD Schema console.
1. Open mmc.exe
2. Click File -> Add/Remove snap-in.
3. Select Active Directory Schema item and press Add -> Ok.
4. Right click on the root of the console, select Change Active Directory Domain
controller and select the DC on which you want to transfer the role.
5. Next select Operation Masters and press Change button.
Tip. You can’t change Schema Master role owner from source server.
This wizard will allow you to also create non-transitive trusts and two-way and one-
way outgoing realm trusts. Alternatively, you can use the netdom command to
create a realm trust.
Read full chapter
MCSA/MCSE 70-294 Working with User, Group, and
Computer Accounts
Michael Cross, ... Thomas W. Shinder Dr., in MCSE (Exam 70-294) Study Guide,
2003
Creating Accounts Using Active Directory Users and Computers
Active Directory Users and Computers is a tool that is installed on DCs, and is used
by those with the appropriate access to create domain accounts. Only members of
the Administrators group, Account Operators group, Domain Admins
group, Enterprise Admins group, or someone who’s been delegated authority can
create a user account. When someone is delegated authority to perform a task, it
means that he or she been given administrative credentials to carry out the action.
Responsibility can be delegated through the Delegation of Control Wizard, Group
Policy, or security groups (which we’ll discuss later in this chapter).
Active Directory Users and Computers is started in a number of ways. As we saw
in Chapter 1, the Active Directory Users and Computers snap-in can be loaded
into Microsoft Management Console (MMC). Using the Windows Start menu can
also start this tool by clicking on Start | Administrative Tools | Active Directory Users
and Computers. The final method of starting it is through the Control Panel.
In Control Panel, open Performance and Maintenance | Administrative Tools |
Active Directory Users and Computers.
Once Active Directory Users and Computers is open, expand the domain in which
you have access, and want to create the account. Within the domain, you select the
container in which you want to create the user object. You can create accounts at
the domain level, use an existing default container (such as Users), or use an OU
that you’ve created. Once you’ve selected the container, click Action |
New | User. InetOrgPerson accounts can also be created this way, by
selecting InetOrgPerson instead of User from Action | New.
Once the User menu command has been clicked in the Action | New menu, a
wizard will start that will take you through the steps of creating a new account. As
shown in Figure 2.6, the first screen provides a number of fields in which you can
enter information relating to the new user:
Uninstalling Exchange Server 2007 using the CLI can be done the following way:
1.
Log on to the respective server using an account that belongs to the
Enterprise Admins group.
2.
Click Start | Run, type CMD.exe and click OK.
3.
Now change to the Exchange Bin folder by typing CD C:\Program
Files\Microsoft\Exchange Server\Bin and press Enter.
4.
Type ExSetup.exe /mode:Uninstall.
Removing all server roles from an Exchange 2007 server will also remove
any installation files as well as the Exchange server object and all its child objects
from the Active Directory forest.
Read full chapter
Transitioning from Exchange 2000 or 2003 to Exchange
2007
Henrik Walther, in How to Cheat at Configuring Exchange Server 2007, 2007
Extending the Active Directory
With all prerequisites fulfilled, we can move on and prepare the Active
Directory using the respective Exchange 2007 Setup.exe switches. Exchange 2007
Setup includes several switches; in this section we'll go through each of those
related to preparing the Active Directory.
WARNING
Each of the switches we discuss here will run automatically during the deployment of
the first Exchange 2007 server in the Exchange legacy organization (if the account
you're logged on with has Schema and Enterprise Admin rights!), so it's not
mandatory that you run them before installing Exchange 2007. However, depending
on the size as well as the topology of your environment, it might be wise to prepare
the Active Directory first using these switches before you start the actual deployment
process.
Prepare Legacy Exchange Permissions
The first thing we need to do in deploying an Exchange 2007 into a legacy Exchange
organization is to run Setup.com/PrepareLegacyExchangePermissions, to grant
specific Exchange permissions in the Active Directory domain(s) in which one or
more Exchange 2000 or 2003 Servers exists or where Exchange 2000 or
2003 DomainPrep has been executed. The reason we must
run Setup.com/PrepareLegacyExchangePermissions is that the Exchange 2003 or
Exchange 2000 Recipient Update Service won't otherwise function correctly after
the Active Directory schema has been updated with Exchange 2007-specific
attributes.
TIP
For a detailed explanation of
why Setup.com/PrepareLegacyExchangePermissions must be run in an Active
Directory domain in which one or more Exchange 2000 or 2003 Servers exists or
where Exchange 2000 or 2003 DomainPrep has been executed, search for
“preparing legacy Exchange permissions” in the Exchange 2007 Documentation
found at www.microsoft.com/technet/prodtechnol/exchange/e2k7help.
To run Setup.com /PrepareLegacyExchangePermissions, you must open
a Command Prompt window and navigate to the directory, network share, or DVD
media containing your Exchange 2007 Setup files, then simply
type Setup.com/PrepareLegacyExchangePermissions followed by
pressing Enter, as shown in Figure 10.7. Bear in mind that the account you're logged
on with must be a member of the Enterprise Admins group.
Temporary loss of the Schema Master is not noticeable to domain users. Enterprise
and domain administrators will not notice the loss either, unless they are trying to
install an application that modifies the schema during installation or trying to modify
the schema themselves. You should seize the schema FSMO role to the standby
operations master only if your old Schema master will be permanently offline.
Configuring & Implementing…
Locating the Schema Operations Master
1
Log on as an Enterprise Administrator in the forest you are checking.
2
Click Start | Run
3
Type regsvr32 schmmgmt.dll in the Open box, and click OK. This registers
the Schmmgmt.dll.
4
Click OK in the dialog box showing that the operation succeeded.
5
Click Start | Run, type mmc, and then click OK
6
On the menu bar, click File | Add/Remove Snap-in, click Add, double-
click Active Directory Schema, click Close, and then click OK
7
Expand and then right-click Active Directory Schema in the top-left pane,
and then select Operations Masters to view the server holding the Schema
Master role, as shown in Figure 2.6