Book Image

Active Directory Administration Cookbook

By : Sander Berkouwer
Book Image

Active Directory Administration Cookbook

By: Sander Berkouwer

Overview of this book

Active Directory is an administration system for Windows administrators to automate network, security and access management tasks in the Windows infrastructure. This book starts off with a detailed focus on forests, domains, trusts, schemas and partitions. Next, you'll learn how to manage domain controllers, organizational units and the default containers. Going forward, you'll explore managing Active Directory sites as well as identifying and solving replication problems. The next set of chapters covers the different components of Active Directory and discusses the management of users, groups and computers. You'll also work through recipes that help you manage your Active Directory domains, manage user and group objects and computer accounts, expiring group memberships and group Managed Service Accounts (gMSAs) with PowerShell. You'll understand how to work with Group Policy and how to get the most out of it. The last set of chapters covers federation, security and monitoring. You will also learn about Azure Active Directory and how to integrate on-premises Active Directory with Azure AD. You'll discover how Azure AD Connect synchronization works, which will help you manage Azure AD. By the end of the book, you have learned about Active Directory and Azure AD in detail.
Table of Contents (16 chapters)

Extending the schema

Some applications require additional object types and/or attributes to store their information in Active Directory. Some good examples of these type of applications are Microsoft Exchange Server and Microsoft's free Local Administration Password Solution (LAPS).

These applications and their schema changes are thoroughly tested, but there's also the option to create your own custom Active Directory schema extension. For instance, you can introduce your own employee or customer ID type attribute to the user object class.

Getting ready

The domain controller holding the Schema Master FSMO role is authoritative for the Active Directory schema throughout an Active Directory forest. Microsoft recommends that you perform the following actions on the domain controller that is holding the Schema Master FSMO role.

To find this domain controller, run the following command on any domain-joined device, member server, or domain controller:

netdom.exe  query fsmo

Alternatively, use the following PowerShell commands on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADForest | Format-List SchemaMaster

To gain access to the Active Directory schema using Microsoft tools, look on the domain controller holding the Schema Master FSMO role, the Schema MMC Snap-in needs to be registered. By default, this MMC Snap-in is hidden from view, due to its sensitive nature.

Run the following command to register the Schema MMC Snap-in:

regsvr32.exe C:\windows\system32\schmmgmt.dll

Required permissions

To extend the schema, perform the following actions using an account that is a member of the schema admins group.

To request permission to use an official identifier (OID) for your schema attribute or object, you will need to create it as part of your organization's OID branch. The following two websites allow you to view whether your organization has an official OID branch: www.iana.org/assignments/enterprise-numbers and www.alvestrand.no/objectid/.

If your organization does not have an assigned OID, go to your country's national registry to request one. Make sure that the registration is correct, but also leave room for further expansions, relocations, mergers, acquisitions, and divestitures.

OIDs are hierarchical, so you should create it as part of your organization's branch.

How to do it...

Perform these steps to extend the Active Directory schema with a new attribute:

  1. Open a Microsoft Management Console window (mmc.exe).
  2. From the File menu, select Add/Remove Snap-in.
  3. From the left-hand list of Available snap-ins:, select the Active Directory Schema snap-in. Click the Add > button to add it to the right-hand list of Selected snap-ins:
  1. Click OK.
  2. In the left navigation pane, expand Active Directory Schema.
  1. Right-click the Attributes folder and select Create Attribute from the context menu:
  1. Click the Continue button to confirm that you want to extend the schema:
  1. Enter the information for the new attribute.
  2. Click OK when done.

Perform these steps to extend the Active Directory schema with a new object class:

  1. Open the Active Directory Schema snap-in.
  2. In the left navigation pane, expand Active Directory Schema.
  3. Right-click the Classes folder, and select Create Class from the context menu.
  4. Click the Continue button to confirm that you want to extend the schema.
    The Create New Schema Class window appears:
  1. Enter the information for the new class.
  2. Click Next> when done.
  3. Enter any mandatory and optional attributes and click Finish.

There's more...

Any attributes and classes added to Active Directory cannot be removed. However, they can be defunct when they are no longer needed.

It's a best practice to keep the Schema Administrators group in Active Directory as empty as possible for as long as possible. When you're done, remove any accounts that you may have added to the Schema Administrators group.

If you want your Active Directory schema extension attributes to extend into Azure Active Directory as well, make sure it's a single-valued attribute.