Active Directory Cookbook for Windows Server 2003 and Windows 2000-Active Directory Cookbook for Windows Server 2003 and Windows 2000

Recipe 10.2 Enabling Schema Updates

This is necessary only when the Schema FSMO role owner is running Windows 2000.

10.2.1 Problem

You want to enable schema modifications on the Schema FSMO. This is a necessary first step before you can extend the schema.

10.2.2 Solution

10.2.2.1 Using a graphical user interface

Open the Active Directory Schema snap-in.
Click on Active Directory Schema in the left pane.
Right-click on Active Directory Schema and select Operations Master.
Check the box beside Allow schema modifications.
Click OK.

10.2.2.2 Using a command-line interface

To enable modifications to the schema, use the following command:

> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters /t[RETURN] 
REG_DWORD /v "Schema Update Allowed" /d 1

To disable modifications to the schema, use the following command:

> reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters /v[RETURN] 
"Schema Update Allowed" /f

10.2.2.3 Using VBScript

' This code enables or disables schema mods on Schema FSMO.
' ------ SCRIPT CONFIGURATION ------
' TRUE to enable schema mods and FALSE to disable 
boolSetReg  = TRUE    

' Name of the Schema FSMO or "." to run locally
strDC = "<SchemaFSMOName>"  
' ------ END CONFIGURATION ---------

const HKEY_LOCAL_MACHINE = &H80000002
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
strKeyPath   = "System\CurrentControlSet\Services\NTDS\Parameters"
strValueName = "Schema Update Allowed"

if boolSetReg = TRUE then
   strValue = 1
   intRC = objReg.SetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath, _
                                strValueName,strValue)
   if intRC > 0 then
      WScript.Echo "Error occurred: " & intRC
   else
      WScript.Echo strValueName & " value set to " & strValue
   end if
else
   intRC = objReg.DeleteValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName)
   if intRC > 0 then
      WScript.Echo "Error occurred: " & intRC
   else
      WScript.Echo strValueName & " value deleted"
   end if
end if

10.2.3 Discussion

When the Schema FSMO role owner is running Windows 2000, you must explicitly enable schema modifications on the server before extending the schema. To enable this, you need to create a key value called Schema Update Allowed with a value of 1 under the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

To disable schema modifications, set the value to 0 or delete it from the registry.

This is no longer necessary when the Schema FSMO owner is running Windows Server 2003. Microsoft removed this registry hack as a requirement for extending the schema.

10.2.4 See Also

MS KB 285172 (Schema Updates Require Write Access to Schema in Active Directory)

[ Team LiB ]