The Schema Master role is an FSMO domain controller role that is in charge of updating the Active Directory schema. All Active Directory classes and attributes are described in the schema. The schema partition is designated “schema naming context” and may be found via LDAP:/cn=schema,cn=configuration,dc=domain> on all DCs.
Schema Master Role in Active Directory Domain Overview
The Schema Master role (an enterprise-level FSMO role) can only be assigned to one domain controller in the AD forest. The Active Directory schema can only be changed by a domain controller who possesses this role (contains a read-write copy of schema partition). The modifications are replicated from the schema master server to the other domain controllers in the AD forest after the forest schema is updated. This role is required to prevent two domain controller servers from making schema changes that conflict.
The AD schema is a collection of objects and their characteristics that are used to store various types of information. The user class in the AD schema defines all of the available characteristics of the user account object, as shown in the screenshot below (like employee ID, phone number, email address, SamAccountName and UserPrincipalName, etc.).
For each domain user account, you can fill in all of these properties. Using the ADUC console or the ADSIEdit.msc tool, you may see the properties and values for any domain user account. All of the tabs and information about any Active Directory object’s properties are part of the AD schema.
You might want to utilise the ADSIEdit to check the user attribute values for a built-in domain administrator account.
Connect to the Default naming context using the adsiedit.msc console. Open the Properties of the user object in the AD hierarchy.
The object has all of the characteristics defined in the user class, as you can see (you can display only attributes that have values by pressing the Filter button).
When it comes to the placement and administration of the Active Directory schema, Microsoft advises the following best practises:
- Before altering the schema, always make an AD backup. You can shut down all domain controllers except the FSMO Schema Master role owner before starting the schema update procedure. After that, create a system state backup for the domain controller, make all necessary modifications, and then power on all DCs if everything goes well. If something goes wrong, simply restore the running controller from a backup, turn on the rest of the DCs, and then investigate the issue.
2. The Domain Naming Master and Schema Master roles should be kept on the same DC (they are rarely used and should be tightly managed), which should also be a Global Catalog (GC) server.
3. You can grab the Schema Master role from any domain controller if the server having the role has been lost. However, the original Schema Master should no longer be visible on the network after that.
4. Only make manual schema modifications if absolutely necessary. See paragraph 1 if it needs to be done in any instance.
It is not feasible to alter the AD schema if the DC owner of a Schema Master role is unavailable. The upgrade of the schema, on the other hand, is not frequently done on a regular basis (as a rule, when installing new DCs with a newer Windows Server version or installing some other enterprise products, such as Exchange). For domain users, the temporary loss of the DC running FSMO Schema Master is unnoticeable. In practise, the Schema Master role owner can go years without causing any problems. You can easily give the Schema master role to any other online domain controller if the server that is currently running it is down.
Use the Active Directory Schema mmc snap-in to administer AD schema and transfer the Schema Master role between domain controllers. However, you must first register the dynamic library Schmmgmt.dll in order to use this console.
Run the following command from the elevated Command prompt:
To manage an AD schema you must be a member of the Schema Admins security group. By default, only the built-in domain administrator account is a member of this Active Directory group.
For security reasons, Microsoft does not recommend adding other administrator accounts to the Schema Admins group. If you need to make changes to the AD schema, add your account to this group, log in to DC under your account, perform the desired schema modification operation, and remove your account from the group. The Schema Admins group is only needed to modify the AD schema; it doesn’t grant any additional permissions in Active Directory.
You can add or remove the admin account to Schema Admins group using the ADUC console or using PowerShell
Add-ADGroupMember -Identity "Schema Admins" B.Jackson
Remove-ADGroupMember -Identity "Schema Admins" B.Jackson
How do I find out what version of Active Directory my schema is?
The Active Directory schema is updated every time a new domain controller with a new version of Windows Server is added to your domain. All versions of Active Directory schemas are included in the table below:
You can find out the current version of the schema in your domain using PowerShell:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
In this case, the AD schema version (objectVersion) is 87. It corresponds to the AD version of Windows Server 2016.
Transferring the Schema Master Role to a Different Domain Controller
On the first DC in the first domain in the AD forest, the Schema Master role is installed by default. This FSMO role can be assigned to any domain controller in the forest. However, if the Schema Master is unavailable, no changes to the AD schema will be permitted.
If the DC host running the Schema Master role is broken, you can assign (move) the role to any other online domain controller.
Information about who currently holds the Schema Master FSMO role in the domain is contained in the attribute of the root object CN = Schema – fSMORoleOwner:
You can find the current FSMO role holders in the domain using the following command:
netdom query fsmo
To identify the FSMO role owners that are not in the current domain, use the command:
netdom query fsmo /domain:<DomainName>
Schema master DC1. solutionviews.com
Domain naming master DC1.solutionviews.com
PDC DC07.corp. solutionviews.com
RID pool manager DC07.corp.solutionviews.com
Infrastructure master DC07.corp. solutionviews.com
The command completed successfully.
You can also quickly find the Schema master owner using the following PowerShell command:
Get-ADForest solutionviews.com| ft SchemaMaster
То transfer Schema Master FSMO role you need to run the AD Schema console.
- Open mmc.exe;
- Click File > Add/Remove snap-in;
- Select Active Directory Schema item and press Add > OK;
- Right-click the console’s root, select Change Active Directory Domain Controller, and then choose the DC to which you wish to transfer the role.
- Press the Change button after selecting Operation Masters.
You can’t change the owner of the Schema Master role from the source server.
You may also move any of the FSMO roles in the AD forest using the PowerShell cmdlet Move-ADDirectoryServerOperationMasterRole. The Active Directory for Windows PowerShell module must be installed and imported before you can use this function (check this article).
Run the following command to move the Schema Master role to a domain controller DC02:
Move-ADDirectoryServerOperationMasterRole -Identity "dc2" SchemaMaster
Move-ADDirectoryServerOperationMasterRole -Identity "dc2" –OperationMasterRole 3
Use the –Cause option in the aforementioned PowerShell commands to force the FSMO role owner to be taken over. If the role owner’s domain controller fails to boot, is broken, or cannot be recovered, the FSMO role is forcefully enlarged.
- You can also use the ntdsutil utility to transfer the Schema master role.
- Type the ntdsutil command in the elevated cmd on the DC.
- Roles are of the type.
- Type connections in the FSMO Maintenance prompt.
- Specify the DC name to which the FSMO role should be transferred: connect to DC2 server
- Type q at the server connection prompt.
- Transfer Schema Master; to relocate the Schema master on the present DC:
- In the prompt dialogue, select Yes.
Now you can check the current Schema Master role owner.