The Schema Master is one of the five Flexible Single Master Operations (FSMO) roles found in an Active Directory (AD) forest.
There is only one DC in the entire forest that holds this role. By default, this is the first server that was promoted to a DC in
the root domain. The Schema Master is the only DC that has the permission to WRITE to the schema itself. In addition, while making
changes to the schema, the user must log into the domain as a member of the Schema Admins group. Because of the rights and
permissions given to this group, membership should be very limited or even none, until the schema modification is needed. This
group should be closely monitored, especially with a monitoring product such as System Center Operations Manager which can alert
you if changes to a group’s membership are detected.
When an administrator is a member of the Schema Admins group logs into the schema master, changes to the schema are allowed.
Changes to the schema can be easily made by using the Schema snap-in accessed within a Microsoft Management Console (MMC). Before
the snap-in will be available as a choice within the MMC, you must first register the DLL using the following command:
Using the RUN command, regsvr32 schmmgmt.dll
Once the DLL has been properly registered, the system will display the following message:
In addition to modifying the schema manually, which you shouldn’t do unless you fully understand the risks associated with that
action, a more common method is to run a software package that has been fully tested and will modify the schema automatically.
For instance, when you install Microsoft Exchange, you must modify the schema before you can actually install the product. Another
example may be when you are planning an upgrade of Active Directory to the next revision. Running ADPREP.exe modifies the schema.
After the schema has been updated, the Schema Master will replicate those changes to all DCs in the forest.
Do keep in mind that once the schema is modified, those changes cannot be rolled back. It is possible to disable the
additional objects added to the schema, but they cannot be removed. To completely revert back to a previous state, you would
have to rebuild the infrastructure using backups prior to the schema update.
If the server holding the Schema Role were to fail, you wouldn't see an impact until you attempted to run a transaction that
modified the schema. Therefore, this role can be offline for quite some time since the role is rarely needed. Of course, if you
plan on bringing down the Schema Master for extended maintenance, you should gracefully transfer the role. There are two methods
for transferring the Schema Master role. You can use the Schema snap-in (only if both DCs, source and target, are operational), or
ntdsutil.
Did you find the page informational and useful? Share it using one of your favorite social sites.
Recommended Books & Training Resources