Just update the schema and quit worrying about it!!!

I am a little sick and tired of hearing that people are hesitant about modifying the Active Directory schema!  Maybe this is Microsoft's fault since we put so many warnings up about doing this.  I say modify it like crazy.  In fact, I think we should all add a schema attribute called "i-modified-the-AD-schema-try-and-stop-me" to our Active Directory.

Seriously, it is OK to extend the schema as long as you follow the best practices.  Here are some important things to remember:

  1. Even if you are only extending the schema for an internal application (something you are not selling), you should still follow proper practices as if you were selling it.  If you use attribute names or OIDs that end up appearing in future Microsoft products or third-party products, you could end up with a conflict.
  2. Do not store data in AD that is changing frequently.  Frequently changing data belongs in a database.
  3. Prefix your attributes with a lowercase company name and a hyphen (e.g. "fabrikam-shoeSizeEurope").
  4. Obtain a registered OID for your schema changes.  This can be done with various ISO Name Registration Authorities or from Microsoft. Info here.
  5. Select a proper syntax (data type) for your attributes.  If the item is true/false type data, use Boolean and not a text field.  If the data is numeric, use Integer.
  6. For simplicity, keep the cn and the ldapDisplayName of your attribute the same.

Update the schema using one of the following methods:

  1. LDIF scripts.  This is generally the best method.
  2. Programmatically.  MSDN has some good samples.
  3. Using the MMC schema management snap-in.  Let's face it, you might only be adding a couple of items and not need to distribute this beyond your company.  This might be the easiest method in some cases.  Keep in mind that you might need to register "schmmgmt.dll" on the machine if the snap-in is not available.
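
The naming, OID and cn/ldapDisplayName practices listed above can be checked mechanically before an LDIF file is imported. The Python below is an added example, not code from the original post or from Microsoft; the sample LDIF is constructed, its OID sits under the documentation-only enterprise number 32473 (RFC 5612), and the function names are hypothetical.

```python
import re

# Constructed sample: two attributeSchema entries in LDIF form. The OID uses the
# documentation-only enterprise number 32473 (RFC 5612), not a registered value.
SAMPLE_LDIF = """\
dn: CN=fabrikam-shoeSizeEurope,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
cn: fabrikam-shoeSizeEurope
lDAPDisplayName: fabrikam-shoeSizeEurope
attributeID: 1.3.6.1.4.1.32473.1.1
attributeSyntax: 2.5.5.9
oMSyntax: 2

dn: CN=ShoeWidth,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
cn: ShoeWidth
lDAPDisplayName: shoeWidth
attributeSyntax: 2.5.5.9
oMSyntax: 2
"""

PREFIX = re.compile(r"^[a-z][a-z0-9]*-[A-Za-z]")  # lowercase company name, then a hyphen
OID = re.compile(r"^[0-2](\.\d+)+$")               # dotted-decimal OID

def parse_entries(ldif):
    """Split LDIF text into one {attribute: value} dict per entry (keys lower-cased)."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        entries.append({k.strip().lower(): v.strip() for k, v in pairs})
    return entries

def lint(ldif):
    """Return {cn: [findings]} for every attributeSchema entry in the LDIF."""
    report = {}
    for e in parse_entries(ldif):
        if e.get("objectclass") != "attributeSchema":
            continue
        findings = []
        if not PREFIX.match(e.get("ldapdisplayname", "")):
            findings.append("no company prefix")
        if e.get("cn") != e.get("ldapdisplayname"):
            findings.append("cn differs from lDAPDisplayName")
        if not OID.match(e.get("attributeid", "")):
            findings.append("missing or malformed attributeID")
        report[e.get("cn", "")] = findings
    return report
```

Running `lint(SAMPLE_LDIF)` returns an empty finding list for the prefixed attribute and three findings for the unprefixed one.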

Want to see your new attributes in ADUC?  You might need to write some code, but it can be done.  More info here.

Go for it! 

...Of course, you should still test things properly and have a good backup.  If you have a complex forest and you are highly concerned, you could isolate a DC schema master (it would have no replication partners) and test your extensions there.  In case of failure, you could kill that DC and seize the schema master role back on the other DCs.  This is kind of a complex procedure and I would only attempt it if I was comfortable.  In the end, if you follow best practices, extending the schema should be a safe procedure.

Comments (5)
  1. Anonymous says:

    This has been a question that has come up with several of my customers recently. Therefore I thought

  2. Anonymous says:

    I ran across this advice advocating the decimation of fear in regards to extending the Active Directory…

  3. Anon says:

    I never did any of the extending UI for AD, but when I used to do loads of programming against the AD I extended the schema all the time. It just made so much sense in most of my applications. Never had any problems at all.

  4. I mostly agree, but still:

    Know what you do, and if you have attributes like LinkID or MapiID even more know what to do. Those are not changed easily if you assign them and they need to be unique in AD.

Comments are closed.
