Schema Master is another FSMO role, responsible for making changes to the Active Directory schema. The schema stores the definitions of all Active Directory classes and attributes (LDAP://cn=schema,cn=configuration,dc=<domain>).
Changes to the AD schema are made rarely: for example, when you extend the schema using adprep/forestprep, upgrade the domain functional level, or install Exchange, Lync or other enterprise applications that store their configuration objects in AD.
Schema Master role
In the entire AD forest, there can be only one domain controller which is the Schema Master role owner. Only this domain controller can make changes to the Active Directory schema. After the schema is updated, it is replicated from the schema master to other domain controllers in the forest.
The AD schema is the set of object classes and their attributes that are used to store data. For example, the schema contains the user class, which defines all the attributes a user account object can have.
Each user account in the domain can have all of these attributes, but not every attribute has to have a value. You can check which attributes any domain account has, and their values (for example, the built-in Administrator account).
To do this, open the adsiedit.msc console and connect to the Default naming context. In the hierarchy, find the user object and open its Properties.
You can see that the object has all the attributes defined in the user class (note the Filter button: you may have enabled the option to display only attributes that have values).
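The same comparison can be done from PowerShell instead of browsing in adsiedit.msc. The script below is an added example, not code from the original article: it walks the schema (the user class, its parent classes via subClassOf, and its auxiliary classes) to collect every attribute the class may or must contain, then reads one account through ADSI, which, like the adsiedit Filter, only returns attributes that actually hold a value. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module and a user who can read the schema; the account name Administrator is just the built-in example from the text.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory module
# on a domain-joined host; read access to the schema partition is enough.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Collect all attributes a class can carry: its own mayContain/mustContain lists,
# the system-owned variants, everything inherited through subClassOf, and the
# attributes contributed by auxiliary classes (for 'user' that is e.g. securityPrincipal).
function Get-SchemaClassAttributes {
    param([Parameter(Mandatory)][string]$ClassName)

    $result = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    $seen   = @{}
    $queue  = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($ClassName)

    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($seen.ContainsKey($name)) { continue }   # 'top' is its own parent, so guard against loops
        $seen[$name] = $true

        $cls = Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$name))" `
                 -Properties mayContain, systemMayContain, mustContain, systemMustContain,
                             subClassOf, auxiliaryClass, systemAuxiliaryClass
        if (-not $cls) { continue }

        foreach ($list in 'mayContain', 'systemMayContain', 'mustContain', 'systemMustContain') {
            foreach ($attr in $cls.$list) { [void]$result.Add($attr) }
        }
        foreach ($parent in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($parent -and $parent -ne $name) { $queue.Enqueue($parent) }
        }
    }
    return $result
}

# 1. Everything the schema allows on a user object.
$defined = Get-SchemaClassAttributes -ClassName 'user'

# 2. Everything that is actually populated on one account. DirectoryEntry.Properties
#    lists only attributes with values, which is what adsiedit shows with the Filter on.
$dn    = (Get-ADUser -Identity 'Administrator').DistinguishedName
$entry = [ADSI]"LDAP://$dn"
$populated = @($entry.Properties.PropertyNames)

# 3. Report: attributes the class defines but this object leaves empty, and any populated
#    attribute the walk did not account for (normally none; worth a look if it appears).
$empty   = $defined   | Where-Object { $populated -notcontains $_ }      | Sort-Object
$unknown = $populated | Where-Object { -not $defined.Contains($_) }      | Sort-Object

"Attributes defined for class 'user' : $($defined.Count)"
"Attributes populated on $dn : $($populated.Count)"
"Defined but empty on this object    : $($empty.Count)"
if ($unknown) { "Populated but not found in the class walk: $($unknown -join ', ')" }
```

Run it against a couple of accounts and the counts make the article's point concrete: the class defines several hundred attributes, while an ordinary account populates a few dozen of them.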
Microsoft recommends the following best practices in the placement and administration of the Active Directory schema:
- Always make a backup before changing the schema. Before making the changes, you can shut down all domain controllers except the one that holds the Schema Master role. Then back up that domain controller, make all the necessary changes, and if everything is fine, simply turn the other DCs back on. If something went wrong, restore the running controller from the backup, turn on the rest, and then investigate the problem.
- It is recommended to keep the Domain Naming Master and Schema Master roles on the same DC (they are rarely used and should be tightly controlled), and that DC should also be a Global Catalog (GC) server.
- If you have lost the server holding the Schema Master role for some reason, you can seize this role on any other domain controller. But keep in mind that the original Schema Master must never be brought back onto the network after that.
- Make schema changes manually only when strictly necessary. If it still has to be done, see point 1.
If the DC that owns the Schema Master role is unavailable, it is not possible to change the AD schema. However, schema upgrades are not done often (as a rule, when installing new DCs with a newer Windows Server version or installing other server products, such as Exchange). In practice, the absence of a schema master can go unnoticed for years.
To manage the AD schema and transfer the Schema Master role between domain controllers, use the Active Directory Schema MMC snap-in. However, to enable this console you must first register the dynamic library Schmmgmt.dll.
- Open an elevated command prompt.
- Execute the command:
Tip. To manage the AD schema you must be a member of the Schema Admins group.
To transfer the Schema Master FSMO role, start the AD Schema console:
- Open mmc.exe
- Click File -> Add/Remove Snap-in.
- Select the Active Directory Schema item and press Add -> OK.
- Right-click the root of the console, select Change Active Directory Domain Controller and select the DC to which you want to transfer the role.
- Next, select Operations Master and press the Change button.
Tip. You can’t change the Schema Master role owner while the console is connected to the current (source) role holder; connect it to the target DC first.
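The MMC procedure above can also be scripted, which is useful both for the transfer itself and for the checks a defender wants to run regularly: where the role sits, whether that DC still answers, and who is currently in Schema Admins. The following is an added example, not code from the original article. It assumes the RSAT ActiveDirectory module on a domain-joined host, that it is run elevated by a Schema Admins member for the transfer step, and that DC02 is a placeholder for the target domain controller; the regsvr32 line is the registration step the article refers to.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory module,
# an elevated session, and Schema Admins membership for the transfer. 'DC02' is a placeholder.
Import-Module ActiveDirectory

# 1. Where the role is now, and the current schema version (objectVersion on the schema
#    container rises with every Windows Server / Exchange schema extension).
$forest        = Get-ADForest
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
"Schema Master       : $($forest.SchemaMaster)"
"Domain Naming Master: $($forest.DomainNamingMaster)"
"Schema objectVersion: $schemaVersion"

# 2. Is the role holder reachable? A Schema Master that quietly disappeared is the
#    failure mode the article warns can go unnoticed for years.
$reachable = Test-Connection -ComputerName $forest.SchemaMaster -Count 1 -Quiet
"Schema Master reachable: $reachable"

# 3. Who is allowed to change the schema? Outside a planned change window the group
#    should be empty, so any member here deserves a look.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive
if ($schemaAdmins) {
    Write-Warning 'Schema Admins is not empty:'
    $schemaAdmins | Select-Object Name, objectClass, distinguishedName | Format-Table -AutoSize
} else {
    'Schema Admins is empty (expected outside a change window).'
}

# 4. Register the snap-in DLL so the Active Directory Schema console becomes available in MMC.
regsvr32.exe /s schmmgmt.dll

# 5. Transfer (or, only if the old holder is permanently gone, seize) the role and verify.
function Move-SchemaMaster {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [switch]$Seize   # -Force path: use only when the current holder will never return
    )
    $params = @{ Identity = $TargetDC; OperationMasterRole = 'SchemaMaster'; Confirm = $false }
    if ($Seize) { $params['Force'] = $true }
    Move-ADDirectoryServerOperationMasterRole @params

    # Read the result back from the forest, not from anything cached locally.
    return (Get-ADForest).SchemaMaster
}

# Move-SchemaMaster -TargetDC 'DC02'
# Move-SchemaMaster -TargetDC 'DC02' -Seize   # the seized-from DC must never rejoin the network
```

Steps 1 to 3 are safe to run from any domain member and are the part worth scheduling; step 5 changes the forest and is left commented out so the script does nothing destructive by default.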