Best Practices for Active Directory Schema changes

Any Post starting with this disclaimer means that this post was not written by me however I liked it and added to my blog to easily find it later. I will also include the link to the original or similar post to provide credit to the original author.

http://chrislehr.com/2009/08/best-practices-on-schema-upgrades.htm

First off, a quick review of AD schema, and what it is and the function it performs. The Schema is essentially the “database” that AD resides in, so when we say things like “extending the schema” we mean the same thing any SQL DBA would mean – we are adding additional objects attributes to AD. These new additions allow for features in products that were not previously there to store their settings in Active Directory. Some of the recent Schema extensions you will see:

  • Exchange 2007 SP2 requires schema extension.
  • Exchange 2010 requires schema extension.
  • OCS 2007 R1 or R2 require schema extension.

Additionally, while not an extension, these best practices also apply before raising your forest or domain functional levels.

Step One – Determine your Schema Master FSMO role holder

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
  2. Type roles, and then press ENTER.
  3. Type connections, and then press ENTER.
  4. Type connect to server <servername>, where servername is the name of the server you want to use, and then press ENTER.
  5. At the server connections prompt, type q, and then press ENTER again
  6. At the FSMO maintenance prompt, type Select operation target, and then press ENTER again.
  7. At the select operation target prompt, type List roles for connected server, and then press ENTER again.
  8. This will display all 5 FSMO roles. The one that has Schema is the one we need to back up.
  9. Type q 3 times to exit the Ntdsutil prompt.

Step Two – Ensure you have your DSRM password

  1. Most of the time, even if this is known, it has not been changed in a long time and is likely due.
  2. Follow instructions to reset DSRM password from KB322672
  3. This allows your backup to be authoritatively restored in the case you need to. Without this password being correct, your backup may not be usable. 

Step Three – Take a system state backup (or two)

  1. Take an ntbackup.exe (Windows 2003) or Windows Server Backup (Windows 2008) if you are more comfortable with Microsoft restore procedures.
  2. Take another backup using whatever third party vendor product you typically use, if you are more comfortable with their restore procedures.
  3. It is recommended taking BOTH of the above for the Schema Master FSMO role holder.

While I have YET to run into any issues or problems with Schema extensions, if I ever did, I know I want a really good backup or two!

One thought on “Best Practices for Active Directory Schema changes

  1. Hei.

    Tips til Step One:
    – netdom /query FSMO

    Dette vil returnere hvilke servere som holder hvilke FSMO roller.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s