FSMO Role: Schema Master

Schema Master is another FSMO role; its owner is responsible for making changes to the Active Directory schema. The schema stores the definitions of all Active Directory classes and attributes (LDAP://cn=schema,cn=configuration,dc=<domain>).

Changes to the AD schema are rarely made: for example, when you extend the schema with adprep /forestprep, raise the domain functional level, or install Exchange, Lync or other enterprise applications that store configuration objects in AD.

Schema Master role

In the entire AD forest, there can be only one domain controller which is the Schema Master role owner. Only this domain controller can make changes to the Active Directory schema. After the schema is updated, it is replicated from the schema master to other domain controllers in the forest.

The AD schema is the set of object classes and their attributes that are used to store data. For example, the AD schema contains the class user, which defines all the attributes of a user account object.

Each user account in the domain can have all of these attributes, but not every attribute has to have a value. You can check which attributes any domain user account has, and their values (for example, the built-in Administrator account).

To do this, open the adsiedit.msc console and connect to the Default naming context. In the hierarchy, find the user object and open its Properties.

You can see that the object has all the attributes that are defined in the user class (note the Filter button: you may have enabled the option to display only attributes that have values).
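The same comparison done from PowerShell, as an added example that is not part of the original article: it walks the user class and its parent classes in the schema naming context to collect every attribute the class can carry, then reports which of them are populated on one account. It assumes the ActiveDirectory RSAT module, a domain-joined session and an account named Administrator; attributes contributed by auxiliary classes are not walked.

```powershell
# Added example: list the attributes defined for the 'user' class (including those
# inherited via subClassOf) and show which ones have a value on a given account.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-ClassAttributes {
    param([string]$ClassName)
    $attrs   = @()
    $current = $ClassName
    # Walk the subClassOf chain up to 'top'; each class contributes its own
    # may/must attribute lists. Auxiliary classes are not followed here (assumption).
    while ($current) {
        $cls = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$current))" `
            -Properties mayContain, systemMayContain, mustContain, systemMustContain, subClassOf
        if (-not $cls) { break }
        $attrs += @($cls.mayContain) + @($cls.systemMayContain) +
                  @($cls.mustContain) + @($cls.systemMustContain)
        if ($cls.subClassOf -eq $current) { break }   # 'top' is its own parent class
        $current = $cls.subClassOf
    }
    return $attrs | Where-Object { $_ } | Sort-Object -Unique
}

$allAttrs = Get-ClassAttributes -ClassName 'user'
$account  = Get-ADUser -Identity 'Administrator' -Properties *   # assumed account name

# Attributes that actually hold a value on this account, i.e. what ADSI Edit shows
# with "Show only attributes that have values" enabled.
$populated = $allAttrs | Where-Object { $null -ne $account.$_ }
"{0} attributes defined for class 'user'; {1} populated on {2}" -f `
    $allAttrs.Count, $populated.Count, $account.SamAccountName
$populated | Select-Object -First 20
```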

Microsoft recommends the following best practices in the placement and administration of the Active Directory schema:

  1. Always make a backup before changing the schema. Before making schema changes, you can shut down all domain controllers except the one that owns the Schema Master role. Then back up that domain controller, perform all the necessary changes and, if everything went well, simply turn the other DCs back on. If something went wrong, restore the running controller from the backup, turn on the rest and then investigate the problem.
  2. It is recommended to keep the Domain Naming Master and Schema Master roles on the same DC (they are rarely used and should be tightly controlled), which should also be a Global Catalog (GC) server.
  3. If you have lost the server holding the Schema Master role for some reason, you can seize this role on any other domain controller. But keep in mind that the original Schema Master must never be brought back onto the network after that.
  4. Perform schema changes manually only when strictly necessary. If it still has to be done, see item 1.

If the DC that owns the Schema Master role is unavailable, it is not possible to change the AD schema. However, the schema is not updated often (as a rule, when installing new DCs with a newer Windows Server version or installing other server products, such as Exchange). In practice, the absence of a schema master can go unnoticed for years.

To manage the AD schema and transfer the Schema Master role between domain controllers, use the Active Directory Schema MMC snap-in. However, before this console is available you must first register the Schmmgmt.dll library.

  1. Open elevated Command prompt.
  2. Execute the command:
    regsvr32 schmmgmt.dll

Tip. To manage the AD schema you must be a member of the Schema Admins group.

To transfer the Schema Master FSMO role you need to start the AD Schema console.

  1. Open mmc.exe
  2. Click File -> Add/Remove snap-in.
  3. Select Active Directory Schema item and press Add -> Ok.
  4. Right-click the root of the console, select Change Active Directory Domain Controller and select the DC to which you want to transfer the role.
  5. Next, right-click the root again, select Operations Master and press the Change button.

Tip. You can't change the Schema Master role owner while the console is connected to the current (source) server.
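The same transfer done from PowerShell instead of the console steps above, as an added example that is not part of the original article: it reads the current holder from the forest, checks that the operator is in Schema Admins before attempting anything, performs an orderly transfer to the target DC and verifies the result. It assumes the ActiveDirectory RSAT module and a reachable target DC; DC02 is a placeholder name.

```powershell
# Added example: locate, transfer and verify the Schema Master role.
Import-Module ActiveDirectory

$targetDc = 'DC02'        # placeholder: DC that should become the new Schema Master
$forest   = Get-ADForest
"Current Schema Master: $($forest.SchemaMaster)"

# Schema changes, including this role transfer, require Schema Admins membership.
# Schema Admins lives in the forest root domain, so query it there explicitly.
$me = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
$schemaAdminSids = Get-ADGroupMember -Identity 'Schema Admins' -Recursive -Server $forest.RootDomain |
    ForEach-Object { $_.SID.Value }
if ($schemaAdminSids -notcontains $me) {
    throw "Current user is not a member of Schema Admins; aborting."
}

# Orderly transfer: without -Force the current holder hands the role over.
# -Force would seize it and is only for the lost-DC case described in item 3 above,
# after which the old holder must never return to the network.
if ($forest.SchemaMaster -like "$targetDc.*") {
    "$targetDc already holds the Schema Master role."
} else {
    Move-ADDirectoryServerOperationMasterRole -Identity $targetDc `
        -OperationMasterRole SchemaMaster -Confirm:$false
    "New Schema Master: $((Get-ADForest).SchemaMaster)"
}
```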
