March 2004

Deactivating Schema Extensions

Windows 2003 simplifies the process

An Active Directory (AD) schema extension adds a class or attribute to the base schema (i.e., the version of the schema that comes with Windows Server 2003 or Windows 2000 Server). Extending the Win2K schema has always required careful planning because Microsoft doesn't support any method of deleting objects from the schema. (The article "Your Mission: Delete from the AD Schema," December 2002, http://www.winnetmag.com, InstantDoc ID 27096, describes a way to delete schema objects, but the method is unsupported and requires caution.) This limitation has often been a showstopper for enterprises that want to use AD to store company-specific information.

You can, however, disable certain classes and attributes in Win2K. Better yet, Windows 2003 lets you deactivate an extension's definition so that the extension seems to disappear from AD; you can then reuse elements (e.g., the lDAPDisplayName attribute, the Object Identifier—OID) from the deactivated extension. Still, deactivating an AD schema extension demands the same care and planning as creating one. You need to consider several factors: why you want to deactivate the extension, the original design and implementation of the extension, which version of AD you're running (i.e., Windows 2003 or Win2K), and in which mode (aka functional level) you're running AD. (In Windows 2003, the domain and forest functional levels determine which AD features are available. The functional level depends on which OSs your domain controllers—DCs—run. You can configure the Windows Server 2003 forest functional level only when all the DCs in a forest run Windows 2003; this level gives you access to the most new AD features. For more information about functional levels, see the Microsoft article "HOW TO: Raise Domain and Forest Functional Levels in Windows Server 2003," http://support.microsoft.com/?kbid=322692.) After you've determined the possible ramifications and complications of deactivating the extension, you can use ADSI Edit, the Microsoft Management Console (MMC) Active Directory Schema snap-in (schmmgmt.dll), a Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) file, or a script to carry out the task.

Before you continue with this article, be sure you understand how the schema works. For more information about schema terminology, mechanisms, and the process of creating extensions, see "Extending the AD Schema," November 2001, http://www.winnetmag.com, InstantDoc ID 22540, and "Diving into the AD Schema," September 2001, InstantDoc ID 21839.

Analyze the Existing Extension
The first factor to consider before deactivating a schema extension is your reason for doing so. Typically, you'll base your decision on one of three possible reasons, as the sidebar "Reasons for Deactivation" explains. The reason determines how difficult the deactivation will be and therefore how much planning you should expect to do.

Second, be sure you understand the design and implementation of the extension you want to deactivate. Pay special attention to the various classSchema and attributeSchema object links that the extension involves. Because a schema extension's classSchema and attributeSchema object definitions reference one another (i.e., a set of attributes is always associated with a specific class), you need to unlink these objects before you can deactivate the schema extension's schema object definition.

Third, carefully consider the information used to create the schema extension. If you plan to recreate an updated version of the extension, be aware that, depending on the OS and mode under which AD is operating, some information won't be reusable even after you deactivate the original extension. Web Table 1 lists several classSchema attributes that often are involved in the creation of a new classSchema object (i.e., a new class) and that might not be reusable. Web Table 2 lists attributes that are often involved in the creation of a new attributeSchema object (i.e., a new attribute) and that might not be reusable.

You can use several tools to examine existing schema extensions and gather these types of information. Aside from ADSI Edit, the Active Directory Schema snap-in, and LDP (under Windows 2003's Support Tools), you can use Microsoft's Schema Documentation program, which is available at http://msdn.microsoft.com/library/en-us/dnactdir/html/schemadoc.asp. This little-known program, which supports Windows 2003 or Win2K servers, basically extracts a schema extension to an .xml file; you then can review the extension in any XML editor.

Rules and Restrictions
Depending on the AD version and mode, different restrictions apply to which types of AD objects you can deactivate. Regardless of the OS version and mode, the following rules hold.

  • Microsoft doesn't support the deletion of any classSchema or attributeSchema objects that have been added to the Schema naming context (NC).
  • You can't deactivate a Category 1 classSchema or attributeSchema object. (See "Diving into the AD Schema" for more information about schema object categories.)
  • You can't deactivate an attributeSchema object that's part of an active classSchema object.
  • You can deactivate a classSchema or attributeSchema object by setting the object's IsDefunct attribute to True.
  • When you set a classSchema or attributeSchema object's IsDefunct attribute to True, you can't create a new instance of that object. However, existing instances of the object remain intact. A deactivated attributeSchema object is invisible to existing instances.
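The unlink-then-deactivate sequence described under "Analyze the Existing Extension" and the rules listed above can be checked before anyone touches the schema. The following is an added example, not code from the article or from Microsoft: it models the handful of classSchema and attributeSchema fields that matter (systemFlags, isDefunct, and the mayContain/mustContain link lists), reports why an object can't yet be set to isDefunct, and generates the LDIF for the two steps the article names (cutting the class-to-attribute link, then setting isDefunct and forcing a schema-cache reload via the RootDSE schemaUpdateNow operation). The schema naming context, the ms-Example-* objects, and the class/attribute names are constructed placeholders; the Category 1 test uses the FLAG_SCHEMA_BASE_OBJECT (0x10) bit of systemFlags. In practice you would fill the SchemaObject records from ADSI Edit, LDP, or the Schema Documentation program's XML export.

```python
"""Pre-flight checks and LDIF generation for deactivating an AD schema extension.

Added example. The schema snapshot below is constructed inline; in a real forest the
same fields are read from the Schema naming context on the schema master.
"""
from dataclasses import dataclass, replace

# systemFlags bit that marks a Category 1 (base schema) object; such objects can never be deactivated.
FLAG_SCHEMA_BASE_OBJECT = 0x10

# Constructed placeholder for the Schema naming context of the target forest.
SCHEMA_DN = "CN=Schema,CN=Configuration,DC=example,DC=com"


@dataclass(frozen=True)
class SchemaObject:
    """Subset of classSchema/attributeSchema fields that decide whether deactivation is allowed."""
    cn: str
    ldap_display_name: str
    system_flags: int = 0
    is_defunct: bool = False
    # classSchema only: lDAPDisplayNames of the attributes the class links to
    may_contain: tuple = ()
    must_contain: tuple = ()
    system_may_contain: tuple = ()
    system_must_contain: tuple = ()

    def links(self):
        """Every attribute this class references, from all four link lists."""
        return self.may_contain + self.must_contain + self.system_may_contain + self.system_must_contain


def is_category1(obj):
    """Category 1 objects carry FLAG_SCHEMA_BASE_OBJECT in systemFlags."""
    return bool(obj.system_flags & FLAG_SCHEMA_BASE_OBJECT)


def deactivation_blockers(obj, classes):
    """Reasons (empty list if none) why obj can't be set to isDefunct=TRUE yet.

    Implements the rules from the article: no Category 1 objects, and no attribute that
    is still part of an active (non-defunct) class.
    """
    problems = []
    if obj.is_defunct:
        problems.append("already defunct")
    if is_category1(obj):
        problems.append("Category 1 object (systemFlags has FLAG_SCHEMA_BASE_OBJECT)")
    for cls in classes:
        if not cls.is_defunct and obj.ldap_display_name in cls.links():
            problems.append(f"still linked from active class {cls.ldap_display_name}")
    return problems


def unlink_ldif(cls, attr):
    """LDIF that removes attr from the class's mayContain list.

    Only mayContain is handled here; a link reported from mustContain or a system* list is
    left for the administrator to resolve (e.g., by deactivating the class first).
    """
    return (
        f"dn: CN={cls.cn},{SCHEMA_DN}\n"
        "changetype: modify\n"
        "delete: mayContain\n"
        f"mayContain: {attr.ldap_display_name}\n"
        "-\n"
    )


def deactivate_ldif(obj):
    """LDIF that sets isDefunct on obj, then asks the DC to reload its schema cache (RootDSE schemaUpdateNow)."""
    return (
        f"dn: CN={obj.cn},{SCHEMA_DN}\n"
        "changetype: modify\n"
        "replace: isDefunct\n"
        "isDefunct: TRUE\n"
        "-\n"
        "\n"
        "dn:\n"
        "changetype: modify\n"
        "add: schemaUpdateNow\n"
        "schemaUpdateNow: 1\n"
        "-\n"
    )


def unlinked(cls, attr):
    """The class as it looks after unlink_ldif has been imported: attr gone from mayContain."""
    return replace(cls, may_contain=tuple(a for a in cls.may_contain if a != attr.ldap_display_name))


# Constructed sample extension: one Category 2 attribute linked from one Category 2 class,
# plus a Category 1 attribute (cn) to exercise the base-object rule.
BADGE_ID = SchemaObject("ms-Example-Badge-Id", "msExampleBadgeId")
EMPLOYEE = SchemaObject("ms-Example-Employee", "msExampleEmployee", may_contain=("msExampleBadgeId",))
CN_ATTR = SchemaObject("Common-Name", "cn", system_flags=FLAG_SCHEMA_BASE_OBJECT)
CLASSES = [EMPLOYEE]

if __name__ == "__main__":
    print("blockers before unlink:", deactivation_blockers(BADGE_ID, CLASSES))
    print(unlink_ldif(EMPLOYEE, BADGE_ID))
    print("blockers after unlink:", deactivation_blockers(BADGE_ID, [unlinked(EMPLOYEE, BADGE_ID)]))
    print(deactivate_ldif(BADGE_ID))
    print("blockers for cn:", deactivation_blockers(CN_ATTR, CLASSES))
```

Each generated fragment is meant to be imported with ldifde against the schema master (for example `ldifde -i -f unlink.ldf -s <schema master>`), and the unlink file must be imported before the deactivation file, which is exactly the ordering the blocker check enforces.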