Extending the schema

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When the set of classes and attributes in the base Active Directory schema does not meet your needs, you can extend the schema by modifying or adding classes and attributes. You should only extend the schema when absolutely necessary. The easiest way to extend the schema is through the Schema Microsoft Management Console (MMC) snap-in. You should always develop and test your schema extensions in a test lab before moving them to your production network.

Before extending the schema

Before extending the schema, review these key points:

Check the base schema first

Verify that no existing class or attribute in the base schema meets your application or data needs. For the complete set of classes and attributes in the base schema, see the Microsoft Web site.

Review schema documentation

For detailed information about extending the schema, see the Active Directory Programmer's Guide at the Microsoft Web site and "Active Directory Schema" at the Microsoft Windows Resource Kits Web site.

Schema modifications are global

When you extend the schema, the changes apply to every domain controller in the entire forest.

Schema classes related to the system cannot be modified

You cannot modify default system classes (those classes required for Windows to run) within the schema. However, directory-enabled applications that modify the schema may add new classes that you can modify.

Schema extensions are not reversible

Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated. For more information, see Deactivating a class or attribute.

Obtain valid object identifiers

Every class and attribute in the schema must have a unique and valid object identifier (also known as OID). Do not create arbitrary object identifiers or recycle old object identifiers. For information about obtaining valid object identifiers, see Schema object names.

Document your changes

If you do decide to extend the schema, be sure to document your changes.
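
The "Obtain valid object identifiers" point above can be checked mechanically before a schema extension file is imported into the test lab. The following Python sketch is an added example, not Microsoft's code: the function names, the trimmed sample LDIF, the `example*` names and the OID base 1.3.6.1.4.1.32473 (the enterprise number reserved for documentation use) are assumptions.

```python
import re

# Constructed sample, trimmed to the fields this check reads. All names are made up;
# 1.3.6.1.4.1.32473 stands in for the OID base assigned to your organization.
SAMPLE_LDIF = """\
dn: CN=example-Badge-Number,CN=Schema,CN=Configuration,DC=test,DC=example
lDAPDisplayName: exampleBadgeNumber
attributeID: 1.3.6.1.4.1.32473.1.1

dn: CN=example-Cost-Center,CN=Schema,CN=Configuration,DC=test,DC=example
lDAPDisplayName: exampleCostCenter
attributeID: 1.3.6.1.4.1.32473.1.1

dn: CN=example-Badge,CN=Schema,CN=Configuration,DC=test,DC=example
lDAPDisplayName: exampleBadge
governsID: 1.2.3.4

dn: CN=example-Shift,CN=Schema,CN=Configuration,DC=test,DC=example
lDAPDisplayName: exampleShift
attributeID: 1.3.6.1.4.1.32473.1.02
"""

# Dotted decimal: first arc 0-2, later arcs without leading zeros (simplified check).
OID_RE = re.compile(r"[0-2](\.(0|[1-9]\d*))+")

def parse_entries(ldif):
    """Split simple LDIF (no folded or base64 lines) into dicts keyed by attribute."""
    return [{k.strip().lower(): v.strip()
             for k, sep, v in (ln.partition(":") for ln in block.splitlines()) if sep}
            for block in re.split(r"\n\s*\n", ldif.strip())]

def lint_schema_ldif(ldif, oid_base):
    """Return (name, oid, problem) for each OID that is malformed, foreign or reused."""
    findings, seen = [], {}
    for e in parse_entries(ldif):
        name = e.get("ldapdisplayname", e.get("dn", "?"))
        oid = e.get("attributeid") or e.get("governsid")  # attribute or class OID
        if oid is None:
            continue  # entry does not define a schema object
        if not OID_RE.fullmatch(oid):
            findings.append((name, oid, "malformed OID"))
        elif not oid.startswith(oid_base + "."):
            findings.append((name, oid, "outside assigned OID base"))
        if oid in seen:
            findings.append((name, oid, "duplicate of " + seen[oid]))
        seen.setdefault(oid, name)
    return findings
```

The check only covers the file itself; OIDs already present in the forest schema still have to be compared separately.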

How to extend the schema

You can modify the schema through graphical user interface (GUI) tools, command-line tools, and through scripting. The easiest way to modify the schema is by using the Active Directory Schema snap-in in Microsoft Management Console (MMC), which is a GUI tool for schema management. For information about installing the Active Directory Schema snap-in, see Install the Active Directory Schema snap-in. Modifying the schema through scripting requires programming knowledge and familiarity with the Active Directory Service Interfaces (ADSI). For more information, see the Active Directory Programmer's Guide and Extending the Schema at the Microsoft MSDN Web site.

For more information about schema administration tools, see Administration tools for the Active Directory schema.

For more information about extending the schema, see Modify an existing schema class or attribute definition and Add a new schema class or attribute definition. For information about deactivation and reactivation, see Deactivating a class or attribute, Deactivate a class or attribute and Reactivate a class or attribute.

Using a test forest

A very simple way to avoid damaging or costly schema mistakes in your production forest is to first test your schema extensions on a test forest. By using a test environment, you can identify any potential problems in your plan before they affect your users and your production environment.

After making schema changes in a test forest, you can reinstall the default schema by demoting each domain controller in the test forest to which the schema changes have replicated. Then, use the Active Directory Installation Wizard to reinstall Active Directory on the servers. This procedure is practical only in a test environment.