You want to enable schema modifications on the Schema FSMO. This is a necessary first step before you can extend the schema.
Open the Active Directory Schema snap-in.
Click on Active Directory Schema in the left pane.
Right-click on Active Directory Schema and select Operations Master.
Check the box beside Allow schema modifications.
Click OK.
To enable modifications to the schema, use the following command:
> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters /t REG_DWORD /v "Schema Update Allowed" /d 1
To disable modifications to the schema, use the following command:
> reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters /v "Schema Update Allowed" /f
' This code enables or disables schema mods on Schema FSMO.
' ------ SCRIPT CONFIGURATION ------
' TRUE to enable schema mods and FALSE to disable
boolSetReg = TRUE
' Name of the Schema FSMO or "." to run locally
strDC = "<SchemaFSMOName>"
' ------ END CONFIGURATION ---------

const HKEY_LOCAL_MACHINE = &H80000002
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\NTDS\Parameters"
strValueName = "Schema Update Allowed"

if boolSetReg = TRUE then
   strValue = 1
   intRC = objReg.SetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath, _
                                strValueName,strValue)
   if intRC > 0 then
      WScript.Echo "Error occurred: " & intRC
   else
      WScript.Echo strValueName & " value set to " & strValue
   end if
else
   intRC = objReg.DeleteValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName)
   if intRC > 0 then
      WScript.Echo "Error occurred: " & intRC
   else
      WScript.Echo strValueName & " value deleted"
   end if
end if
When the Schema FSMO role owner is running Windows 2000, you must explicitly enable schema modifications on the server before extending the schema. To do so, create a registry value named Schema Update Allowed with a value of 1 under the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
To disable schema modifications, set the value to 0 or delete it from the registry.
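To confirm that schema modifications were turned off again after an extension, the value described above can be read back and classified. The following PowerShell is an added example, not part of the original recipe; the function name Get-SchemaUpdateState is hypothetical, and remote reads assume the Remote Registry service is reachable on the target.

```powershell
# Added example (not from the original recipe): report whether schema
# modifications are enabled on a domain controller. Read-only.
# Get-SchemaUpdateState is a hypothetical helper name.
function Get-SchemaUpdateState {
    param(
        # Name of the Schema FSMO, or "." to check the local machine
        [string]$ComputerName = '.'
    )
    $keyPath   = 'System\CurrentControlSet\Services\NTDS\Parameters'
    $valueName = 'Schema Update Allowed'
    $base = $null
    $key  = $null
    $raw  = $null
    try {
        if ($ComputerName -eq '.') {
            $base = [Microsoft.Win32.Registry]::LocalMachine
        } else {
            # Assumes the Remote Registry service is reachable on the target
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        }
        $key = $base.OpenSubKey($keyPath)   # opened read-only
        if ($null -eq $key) {
            $state = 'KeyNotFound'          # target is probably not a DC
        } else {
            $raw = $key.GetValue($valueName, $null)
            # The recipe defines only 1 (enabled) and 0 or absent (disabled)
            if ($null -eq $raw) { $state = 'Disabled (value absent)' }
            elseif ($raw -eq 1) { $state = 'ENABLED' }
            elseif ($raw -eq 0) { $state = 'Disabled (value 0)' }
            else                { $state = 'Unexpected value' }
        }
        [pscustomobject]@{
            ComputerName = $ComputerName
            RawValue     = $raw
            State        = $state
        }
    }
    finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }   # no effect on the predefined local hive
    }
}

# Checks the local machine; pass -ComputerName with your Schema FSMO name instead.
Get-SchemaUpdateState
```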
MS KB 285172 (Schema Updates Require Write Access to Schema in Active Directory)