
Step-by-Step guide to create custom Active Directory Attributes

The Active Directory schema allows custom attributes to be added. In organizations there are situations where this option is useful, most of the time related to application integration requirements with the Active Directory infrastructure. In modern infrastructures, applications are decentralizing identity management: an organization’s identities can sit in Active Directory as well as in applications, some in in-house infrastructures and some even in public cloud. If these applications are integrated with Active Directory it still provides central identity management, but that is not always the case. Some applications have their own way of handling their user accounts and privileges. Similar to Active Directory attributes, these applications can also have their own attributes, defined by their database system, to store the data. These application attributes most of the time will not match the attributes in Active Directory. As an example, an HR system uses the employee ID to uniquely identify an employee record, but Active Directory uses the username to identify a unique record. Each system’s attributes hold some data about the objects even when they refer to the same user or device. If another application is required to retrieve data from both systems’ attributes, how can we facilitate that without data duplication?

Once a customer was talking to me about a similar requirement. They have an Active Directory infrastructure in place. They also maintain an HR system which is not integrated with Active Directory. They got a new requirement for an employee collaboration application which required data input in a specific way: it has defined its fields in the database and we need to match the data in that order. Some of the required data about users can be retrieved from Active Directory and some of it from the HR system. Instead of keeping two data feeds to the system, we decided to treat Active Directory as the trustworthy data source for this new system. If Active Directory needs to hold all the required data, it somehow needs to store the data coming from the HR system as well. The final solution was to add custom attributes to the Active Directory schema and associate them with the user class. Instead of both systems operating as data feeds, now the HR system passes the filtered values to Active Directory, and Active Directory exports all the required data in CSV format to the application.

In order to create custom attributes, go to the Active Directory Schema snap-in, right click on the Attributes container and select Create Attribute.

Tip – In order to open the Active Directory Schema snap-in you need to run the command regsvr32 schmmgmt.dll on the Domain Controller. After that you can open MMC and add Active Directory Schema as a snap-in.

The system will then give a warning about schema object creation; click OK to continue.

It will open a form, and this is where we define the details of the custom attribute.

1) Common Name – This is the name of the object. Only letters, numbers and hyphens are allowed in the CN.

2) LDAP Display Name – When the object is referred to in a script, program or command line utility it needs to be called using the LDAP Display Name instead of the Common Name. When you define the CN, the LDAP Display Name is created automatically.

3) X500 Object ID – Each and every attribute in the Active Directory schema has a unique OID value. There is a script developed by Microsoft to generate these unique OID values. It can be found at https://gallery.technet.microsoft.com/scriptcenter/Generate-an-Object-4c9be66a#content and it can also be run directly using the following PowerShell commands.

 

#---
# Prefix reserved by Microsoft for GUID-derived OIDs; the rest is built from a fresh GUID
$Prefix="1.2.840.113556.1.8000.2554"
$GUID=[System.Guid]::NewGuid().ToString()
# Split the GUID's hex groups and convert each to a decimal arc
$Parts=@()
$Parts+=[UInt64]::Parse($GUID.SubString(0,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(4,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(9,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(14,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(19,4),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(24,6),"AllowHexSpecifier")
$Parts+=[UInt64]::Parse($GUID.SubString(30,6),"AllowHexSpecifier")
# Join prefix and arcs into the dotted-decimal OID and print it
$OID=[String]::Format("{0}.{1}.{2}.{3}.{4}.{5}.{6}.{7}",$Prefix,$Parts[0],$Parts[1],$Parts[2],$Parts[3],$Parts[4],$Parts[5],$Parts[6])
$OID
#---

 

4) Syntax – It defines the storage representation for the object. Only the syntaxes defined by Microsoft are allowed, and one attribute can be associated with only one syntax. Below I have listed a few commonly used attribute syntaxes.

 

Syntax              Description
Boolean             True or False
Unicode String      A large string
Numeric String      String of digits
Integer             32-bit numeric value
Large Integer       64-bit numeric value
SID                 Security Identifier value
Distinguished Name  String value that uniquely identifies an object in AD

Along with the syntax we can also define the minimum and maximum values. If they are not defined, the default values are used.

In the following demo, I will add a new attribute called NI-Number and add it to the user class.


As the next step, we need to add it to the user class. To do that, go to the Classes container, double click on the user class and click on the Attributes tab. There, click the Add button to browse and select the newly added attribute from the list.


Now when we open a user account we can see the new attribute and we can add data to it.


Once data has been added we can filter out the information as required.

Get-ADUser "tuser4" -Properties nINumber | ft nINumber
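As an added example (not from the original post), the same steps scripted with the ActiveDirectory PowerShell module: it targets the schema master, checks the OID before creating the attribute, links it to the user class, reloads the schema cache, and then sets and reads back the value. The OID is a placeholder to be replaced with the value produced by the script above, and the sample NI number is constructed.

```powershell
Import-Module ActiveDirectory

# Schema writes must go to the schema master; the snap-in does the same under the hood.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$cn       = "NI-Number"   # Common Name from the post
$ldapName = "nINumber"    # LDAP Display Name the post queries with Get-ADUser
# Placeholder: paste the value produced by the OID generation script here
$oid      = "1.2.840.113556.1.8000.2554.<generated-suffix>"

# Refuse to continue if the OID is malformed or already in use: a schema attribute
# cannot be deleted once created, only made defunct, so mistakes are permanent.
if ($oid -notmatch '^\d+(\.\d+)+$') { throw "OID must be dotted decimal, got '$oid'" }
if (Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter "(attributeID=$oid)") {
    throw "OID $oid is already assigned in this schema"
}

# Unicode String syntax (attributeSyntax 2.5.5.12 / oMSyntax 64), single-valued,
# capped at 20 characters (rangeUpper) and indexed (searchFlags 1) for fast lookups.
New-ADObject -Server $schemaMaster -Name $cn -Type attributeSchema -Path $schemaNC -OtherAttributes @{
    lDAPDisplayName = $ldapName
    attributeID     = $oid
    attributeSyntax = "2.5.5.12"
    oMSyntax        = 64
    isSingleValued  = $true
    rangeUpper      = 20
    searchFlags     = 1
}

# Link the attribute to the user class as an optional (mayContain) attribute
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)"
Set-ADObject -Server $schemaMaster -Identity $userClass -Add @{ mayContain = $ldapName }

# Reload the schema cache so the attribute is usable without waiting for the periodic refresh
$rootDSE = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDSE.Put("schemaUpdateNow", 1)
$rootDSE.SetInfo()

# Populate and read back the value for the post's test user on the same DC
# (other DCs see the new attribute after replication). Sample value is constructed.
Set-ADUser -Server $schemaMaster -Identity "tuser4" -Replace @{ $ldapName = "AB123456C" }
Get-ADUser -Server $schemaMaster "tuser4" -Properties $ldapName | Format-Table Name, $ldapName
```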


Note – To add attributes to the schema you need schema administrator or enterprise administrator privileges.

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com; also follow me on Twitter @rebeladm to get updates about new blog posts.

Step-by-Step Guide to migrate FSMO roles from Windows Server 2003 to Windows Server 2012 R2

Even though it has been over a decade since the Windows Server 2003 release, it is no wonder that organizations are still using Windows Server 2003 / Windows Server 2003 R2 as their domain controllers. Microsoft has announced that Windows Server 2003 / Windows Server 2003 R2 support ends on July 14th, 2015 (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO). So the day has come to plan the upgrades if you are still running those versions in your infrastructure.

This guide will explain how we can transfer the DC FSMO roles from Windows Server 2003 to Windows Server 2012 R2, which is the latest version. In a Windows DC environment the FSMO roles hold all the information about the DCs, and it is necessary to have all 5 roles working correctly to maintain a proper DC environment. The 5 FSMO roles are as follows:

•    Schema master
•    Domain naming master
•    RID master
•    PDC emulator
•    Infrastructure master

You can find more information about these roles at http://support.microsoft.com/kb/197132

For the demonstration I am using the following setup:

Server Name                     Operating System              Server Roles
canitpro-dc2k3.canitpro.local   Windows Server 2003 SP2 x86   Active Directory FSMO roles, DNS
CANITPRO-DC2K12.canitpro.local  Windows Server 2012 R2 x64    Additional Domain Controller, DNS

So here I have already added the Windows 2012 R2 server to the domain and made it an additional domain controller. Currently it does not hold any FSMO roles. My plan is to migrate all the FSMO roles to the Windows 2012 R2 server.


Note: Previously, when adding a Windows 2008 server to a Windows 2003 environment, we first needed to prepare the forest and domain schema by running adprep /forestprep and adprep /domainprep from the Windows 2008 source files under \support\adprep. But with Windows 2012 you do not need to worry about it when adding 2012 as an additional domain controller. When you run dcpromo it will automatically update the Windows 2003 environment remotely.

Transfer RID master, PDC emulator, Infrastructure master Roles

As the first step, let’s look at how we can transfer these 3 roles over to the new server.

•    Log in to the Windows 2012 R2 server as domain administrator
•    Click on Server Manager > Tools > Active Directory Users and Computers


•    In the MMC, right click on the domain name > click on “Operations Masters”


•    The next window shows the 3 FSMO roles. The default tab is “PDC”, where it shows the current PDC holder and asks whether to change it to the new Windows 2012 R2 server. So let’s go ahead and click on “Change”.


•    Then it asks for confirmation. Click Yes to continue.


•    Once the operation is confirmed as completed, the window shows the current PDC role holder as the new Windows 2012 R2 server.


•    Please repeat the same steps to transfer the RID master and Infrastructure master roles.

Transfer domain naming master role

•    Log in to the Windows 2012 R2 server as domain administrator.
•    Click on Server Manager > Tools > Active Directory Domains and Trusts.


•    In the MMC, right click on Active Directory Domains and Trusts > click on Operations Master.


•    Here it shows the current domain naming master role holder (canitpro-dc2k3.canitpro.local) and asks whether we want to move it to the Windows Server 2012 R2 DC (CANITPRO-DC2K12.canitpro.local). Click on Change to move the role over.


•    Then it asks for confirmation; click Yes to continue.


•    Once the task completion is confirmed, we can see the current domain naming master is the Windows Server 2012 R2 DC (CANITPRO-DC2K12.canitpro.local).


Transfer schema master role

•    Log in to the Windows 2012 R2 server as domain administrator.
•    Open the “Run” window on the server (Windows key + R), type regsvr32 schmmgmt.dll and press Enter.


•    It will give a confirmation message; click OK to continue.


•    Then open the “Run” window again, type mmc and click OK.


•    Then in the MMC window click on File > Add/Remove Snap-in.


•    Then from the snap-in list select “Active Directory Schema” and click on the “Add” button.


•    Then click on the OK button to continue.


•    Then right click on “Active Directory Schema” and click on “Change Active Directory Domain Controller”.


•    In the next window select the Windows Server 2012 R2 DC (CANITPRO-DC2K12.canitpro.local) and click OK.


•    It will give an information message; click OK to continue.


•    Then right click on “Active Directory Schema” and click on “Operations Master”.


•    Here it shows the current schema master role holder (canitpro-dc2k3.canitpro.local) and asks whether we want to move it to the Windows Server 2012 R2 DC (CANITPRO-DC2K12.canitpro.local). Click on Change to move the role over.


•    Then it asks for confirmation; click Yes to continue.


•    Once the task completion is confirmed, we can see the current schema master is the Windows Server 2012 R2 DC (CANITPRO-DC2K12.canitpro.local).


Now we have successfully moved all 5 FSMO roles over to the new Windows Server 2012 R2 DC. To confirm it, open a command prompt on the new server, type the command netdom query fsmo and press Enter.
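As an added example (not from the original post), the same five transfers done with the ActiveDirectory module from the new 2012 R2 DC, followed by a check that every role now points at it. The server name is the post’s lab name; the script only transfers roles and deliberately does not seize them.

```powershell
Import-Module ActiveDirectory

$newDC = "CANITPRO-DC2K12"   # target role holder from the post's lab setup

# Record the current holders before touching anything, so the change is auditable
$forest = Get-ADForest
$domain = Get-ADDomain
"Before: Schema=$($forest.SchemaMaster) Naming=$($forest.DomainNamingMaster) " +
"PDC=$($domain.PDCEmulator) RID=$($domain.RIDMaster) Infra=$($domain.InfrastructureMaster)"

# Graceful transfer: the old holder (the 2003 DC) must be online and reachable.
# Seizing with -Force is only for a permanently lost holder and is not used here.
Move-ADDirectoryServerOperationMasterRole -Identity $newDC `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, DomainNamingMaster, SchemaMaster `
    -Confirm:$false

# Re-read the holders and fail loudly if any role did not move
$forest = Get-ADForest
$domain = Get-ADDomain
$holders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$expected = "$newDC.$($domain.DNSRoot)".ToLower()
$notMoved = $holders.GetEnumerator() | Where-Object { $_.Value.ToLower() -ne $expected }
if ($notMoved) {
    $notMoved | ForEach-Object { Write-Warning "$($_.Key) is still held by $($_.Value)" }
} else {
    "All 5 FSMO roles are now held by $expected"
}

# Cross-check with the legacy tool the post uses
netdom query fsmo
```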


Yipeeee!!! It shows that all FSMO roles moved successfully.

It will take some time for all the data to replicate over. After that it is safe to demote the DC role on the Windows 2003 server.
Once the 2003 DC is demoted, make sure you raise the forest functional level and domain functional level to Windows Server 2012 R2 to get the new features.
If you have any questions regarding the post feel free to contact me on rebeladm@live.com