Schema Master is another FSMO domain controller role that is responsible for making changes to the Active Directory schema. The schema stores descriptions of all Active Directory classes and attributes. The schema partition is exists on all DCs, its named “schema naming context”, and located in LDAP://cn=schema,cn=configuration,dc=<domain>.
Domain administrators make changes to the AD schema quite rarely: for example, when you need to extend the schema using adprep/forestprep, upgrade the domain functional level, or install Exchange Server, Skype for Business Server, or other enterprise application that store object configuration and properties in AD.
Overview of Schema Master Role in the Active Directory Domain
In the entire AD, there can be only one domain controller with the Schema Master role (it’s an enterprise-level FSMO role). Only this domain controller can make changes to the Active Directory schema (contains a writable schema partition). After updating the forest schema, the changes are replicated from the schema master server to other domain controllers in the AD forest. This role is necessary to prevent conflicting schema changes from two domain controller servers.
The AD schema is a set of objects and their attributes used to store different data. On the screenshot below you can see the user class in the AD schema, that defines all the available attributes of the user account object (like employee ID, phone number, email address, SamAccountName and UserPrincipalName, etc.).
You can fill in all of these attributes for any domain user account. You can check which attributes are filled in for any domain user account and their values using the ADUC console or using ADSIEdit.msc tool.
For example, you want to check the user attribute values for a built-in domain administrator account using the ADSIEdit.
Open the adsiedit.msc console and connect to the Default naming context. In the AD hierarchy, find the user object and open its Properties.
You can see the object has all the attributes that are defined in the user class (you can display only attributes that have values by pressing the Filter button).
Microsoft recommends the following best practices in the placement and administration of the Active Directory schema:
- Always make an AD backup before changing the schema. Before the process of schema changes, you can shut down all domain controllers except the FSMO Schema Master role owner. After that, make a system state backup of the domain controller, perform all the necessary changes, and in case everything is well, simply turn on all DCs. If something went wrong, just restore the running controller from a previous backup, turn on the rest DCs, and then explore the problem;
- It is recommended to keep the Domain Naming Master and Schema Master roles on the same DC (they are rarely used and should be strictly controlled), which should be a Global Catalog (GC) server simultaneously;
- If you have lost the server with the Schema Master role, you can seize this role to any other domain controller. But keep in mind that the original Schema Master should not appear on the network after that;
- Perform manual schema changes only in case of extra need. If it needs to be done in any case, see paragraph 1.
If the DC owner of a Schema Master role is unavailable, it is not possible to change the AD schema. However, the upgrade of the schema is usually not performed often (as a rule, when installing new DCs with a newer Windows Server version or installing some other server products, such as Exchange). In practice, the Schema Master role owner can remain offline for years without noticeable effect.
To manage AD schema and transfer the Schema Master role between domain controllers, use the Active Directory Schema mmc snap-in. However, to enable this console you must register the dynamic library Schmmgmt.dll at first.
- Open the elevated Command prompt;
- Run the command:
Tip. To manage an AD schema you must be a member of the Schema Admin security group.
Moving Schema Master Role to Another Domain Controller
You can find the current FSMO role holders in the domain using the following command:
netdom query fsmo
To identify the FSMO role owners that are not in the current domain, use the command:
netdom query fsmo /domain:<DomainName>
Schema master DC1.theitbros.com
Domain naming master DC1.theitbros.com
RID pool manager DC07.corp.theitbros.com
Infrastructure master DC07.corp.theitbros.com
The command completed successfully.
You can also quickly find the Schema master owner using the following PowerShell command:
Get-ADForest theitbros.com| ft SchemaMaster
То transfer Schema Master FSMO role you need to run the AD Schema console.
- Open mmc.exe;
- Click File > Add/Remove snap-in;
- Select Active Directory Schema item and press Add > Ok;
- Right click on the root of the console, select Change Active Directory Domain Controller, and select the DC on which you want to transfer the role;
- Next, select Operation Masters and press the Change button;
Tip. You can’t change the Schema Master role owner from the source server.
Also, you can use the PowerShell cmdlet Move-ADDirectoryServerOperationMasterRole to transfer any of the FSMO roles in the AD forest. To use this cmdlet you need to install and import the Active Directory for Windows PowerShell module (check this article).
For example, to transfer the Schema Master role to a domain controller DC02, run the command:
Move-ADDirectoryServerOperationMasterRole -Identity "dc2" SchemaMaster
Move-ADDirectoryServerOperationMasterRole -Identity "dc2" –OperationMasterRole 3
To forced seizing of the FSMO role owner with the PowerShell, use the option –Force.
Also, you can transfer the Schema master role with the ntdsutil tool.
- Run the elevated cmd on the DC and type the ntdsutil command;
- Type: roles;
- On the FSMO Maintenance prompt type: connections;
- Specify the DC name on which you want to transfer the FSMO role: connect to server DC2;
- On the server connection prompt type: q;
- To move the Schema master on the current DC: Transfer Schema Master;
- Press Yes in the prompt dialog.
Now you can check the current Schema Master role owner.
- Using Out-File Cmdlet to Redirect Output to File in PowerShell - December 4, 2020
- Fixing This Could be Due to CredSSP Encryption Oracle Remediation Error on Windows - December 4, 2020
- Installing Active Directory Users and Computers MMC Snap-in on Windows 10 - November 26, 2020