Поделиться через


Windows Server 2008 and 2008 R2 LDF Schema Extensions

Windows Server 2003 R2 extended the Windows Server 2003 schema from schema version 30 to 31.  The update from 30 to 31 was schema file sch31.ldf which included support for DFS Replication (DFSr).  An upgrade from Windows Server 2003 to Windows Server 2008 schema transitions the schema to schema version 44.  This includes sch32.ldf through sch44.ldf. 

If an upgrade is performed from a domain that is currently schema version 30, the Windows Server 2008 ADPREP /forestprep command will include sch31.ldf in the schema update process.

Note: Windows Server 2008 R2 transitions the Active Directory Schema to schema version 47.

The updates to the Active Directory schema are:

Sch32.ldf

This adds new attributes of:

  • msDS-KrbTgtLink: Used with RODCs to define which krbtgt_XXXX account corresponds to each RODC
  • msDS-RevealedUsers: Used with RODCs to identify the user objects whose secrets have been disclosed to that RODC
  • msDS-RevealedList: Identifies security principals whose current computer account passwords have been replicated to the RODC
  • msDS-hasFullReplicaNCs: Identifies the partitions held as full replicas
  • msDS-NeverRevealGroup: Used with RODCs to define which users, computers, and groups are not allowed to have their passwords cached on a RODC
  • msDS-RevealOnDemandGroup: Used with RODCs to define which users, computers, and groups are allowed to have their passwords cached on a RODC
  • msDS-SecondaryKrbTgtNumber: Identifies the protocol identification number associated with the secondary domain
  • msDS-RevealedDSAs: Backlink For ms-DS-Revealed-Users and identifies which RODC holds that user's secret
  • msDS-KrbTgtLinkBl: Backlink for the KrbTgtLink attribute
  • msDS-IsDomainFor: Backlink for ms-DS-Has-Domain-NCs and identifies which DCs hold that partition as their primary domain
  • msDS-IsFullReplicaFor: Backlink for ms-Ds-Has-Full-Replica-NCs and identifies which DCs hold that partition as a full replica
  • msDS-IsPartialReplicaFor: Backlink for has-Partial-Replica-NCs and identifies which DCs hold that partition as a partial replica

After the addition of these attributes, Sch32.ldf then modifies the systemMayContain values of certain objects that may contain any or all of these new attributes.

The schema version is then increased to schema version 32.

 

Sch33.ldf

This adds new attributes of:

  • msDS-isGC: Identifies the state of the Global Catalog on the DC
  • msDS-isRODC: Shows whether a DC is a RODC
  • msDS-SiteName: Lists the site name that corresponds to the DC
  • msDS-AuthenticatedAtDC: Forwardlink for ms-DS-AuthenticatedTo-Accountlist and identifies which DC a user has authenticated to
  • msDS-PromotionSettings: For a Computer, contains a XML string to be used for delegated DSA promotion
  • msDS-SupportedEncryptionTypes: The encryption algorithms supported by user, computer or trust accounts
    • Note: The KDC uses this information while generating a service ticket for this account. Services/Computers may automatically update this attribute on their respective accounts in Active Directory, and therefore need write access to this attribute.
    • msDS-AuthenticatedToAccountlist: Backlink for ms-DS-AuthenticatedAt-DC and identifies which users have authenticated to this Computer

After the addition of these attributes, Sch33.ldf then modifies the msDS-Never-Reveal-Group and the msDS-Reveal-OnDemand-Group attributes and marks them as multi-valued.  It then modifies the systemMayContain values of certain objects that may contain any or all of these new attributes.

The schema version is then increased to schema version 33.

 

Sch34.ldf

Sch34.ldf adds the following attributes to the Schema:

  • msDFSR-ReadOnly: Specifies whether the content is read-only or read-write
  • msDFSR-Priority: Priority level
  • msDS-AzObjectGuid: The unique and portable identifier of AzMan objects
  • msDS-AzGenericData: AzMan specific generic data
  • msDFSR-CachePolicy: On-demand cache policy options
  • msDFSR-DeletedPath: Full path of the Deleted directory
  • msFVE-RecoveryGuid: Contains the GUID associated with a Full Volume Encryption (FVE) recovery password
  • msDS-SeniorityIndex: Contains the seniority index as applied by the organization where the person works
  • msTPM-OwnerInformation: This attribute contains the owner information of a particular TPM
  • msPKIDPAPIMasterKeys: Storage of encrypted DPAPI Master Keys for user
  • msDS-PhoneticLastName: Contains the phonetic last name of the person
  • msPKIRoamingTimeStamp: Time stamp for last change to roaming tokens
  • msDFSR-DeletedSizeInMb: Size of the Deleted directory in MB
  • msDS-PhoneticFirstName: Contains the phonetic given name or first name of the person
  • msFVE-RecoveryPassword: Contains the password required to recover a Full Volume Encryption (FVE) volume
  • msDS-PhoneticDepartment: Contains the phonetic department name where the person works
  • msPKIAccountCredentials: Storage of encrypted user credential token blobs for roaming
  • msRADIUS-FramedIpv6Route: Provides routing information to be configured for the user on the NAS
  • msDS-PhoneticDisplayName: The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used
  • msDS-PhoneticCompanyName: Contains the phonetic company name where the person works
  • ms-net-ieee-8023-GP-PolicyData: Contains all of the settings and data which comprise a Group Policy configuration for 802.3 wired networks
  • ms-net-ieee-8023-GP-PolicyGUID: Contains a GUID which identifies a specific 802.3 Group Policy object on the domain
  • msDFSR-MaxAgeInCacheInMin: Maximum time in minutes to keep files in full form
  • ms-net-ieee-80211-GP-PolicyData: Contains all of the settings and data which comprise a Group Policy configuration for 802.11 wireless networks
  • msRADIUS-FramedIpv6Prefix: Indicates an IPv6 prefix (and corresponding route) to be configured for the user
  • ms-net-ieee-80211-GP-PolicyGUID: Contains a GUID which identifies a specific 802.11 Group Policy object on the domain
  • msRADIUS-FramedInterfaceId: Indicates the IPv6 interface identifier to be configured for the user
  • msDS-NC-RO-Replica-Locations: A linked attribute on a cross ref object for a partition and lists the DC which should host the partition in a readonly manner
  • msDS-NC-RO-Replica-Locations-BL: Backlink attribute for ms-DS-NC-RO-Replica-Locations
  • msDFSR-MinDurationCacheInMin: Minimum time in minutes before truncating files
  • ms-net-ieee-8023-GP-PolicyReserved: Reserved for future use
  • msRADIUS-SavedFramedIpv6Route: Provides routing information to be configured for the user on the NAS
  • ms-net-ieee-80211-GP-PolicyReserved: Reserved for future use
  • msRADIUS-SavedFramedIpv6Prefix: Indicates an IPv6 prefix (and corresponding route) to be configured for the user
  • msRADIUS-SavedFramedInterfaceId: Indicates the IPv6 interface identifier to be configured for the user
  • samDomainUpdates: Contains a bitmask of performed SAM operations on active directory

Sch34.ldf then adds the following classes to the Active Directory Schema:

  • ms-net-ieee-8023-GroupPolicy: This class represents an 802.3 wired network Group Policy object. This class contains identifiers and configuration data relevant to an 802.3 wired network
  • ms-net-ieee-80211-GroupPolicy: This class represents an 802.11 wireless network Group Policy object. This class contains identifiers and configuration data relevant to an 802.11 wireless network
  • msFVE-RecoveryInformation: This class contains a Full Volume Encryption recovery password with its associated GUID
  • nTDSDSARO: A subclass of Directory Service Agent which is distinguished by its reduced privilege level

After the addition of these attributes and classes, Sch34.ldf then modifies the systemMayContain values of certain objects that may contain any or all of these new attributes.

The schema version is then increased to schema version 34.

 

Sch35.ldf

Sch35.ldf adds the following attributes to the Schema:

  • msDS-LastSuccessfulInteractiveLogonTime: The time that the correct password was presented during a Ctrl+Alt+Delete logon
  • msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: The total number of failed interactive logons up until the last successful Ctrl+Alt+Delete logon
  • msDS-FailedInteractiveLogonCount: The total number of failed interactive logons since this feature was turned on
  • msDS-LastFailedInteractiveLogonTime: The time that an incorrect password was presented during a Ctrl+Alt+Delete logon

After the addition of these attributes, Sch35.ldf then modifies the systemMayContain values of the object CN=User,CN=Schema,CN=Configuration,DC=X (where DC=x is the Distinguished Name of the forest root domain) to include these new attributes.

The schema version is then increased to schema version 35.

 

Sch36.ldf

Then Sch36.ldf makes the following addition to the Schema:

  • msDS-RevealedListBL: Backlink attribute for ms-DS-Revealed-List

After the addition of this one attribute, Sch36.ldf modifies the Search Flags value of the following attributes:

  • CN=From-Server,CN=Schema,CN=Configuration,DC=X
  • CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=X
  • CN=msNPCallingStationID,CN=Schema,CN=Configuration,DC=X
  • CN=msNPSavedCallingStationID,CN=Schema,CN=Configuration,DC=X
  • CN=msRADIUSCallbackNumber,CN=Schema,CN=Configuration,DC=X
  • CN=msRADIUSFramedIPAddress,CN=Schema,CN=Configuration,DC=X
  • CN=msRADIUSFramedRoute,CN=Schema,CN=Configuration,DC=X
  • CN=msRADIUSServiceType,CN=Schema,CN=Configuration,DC=X
  • CN=msRASSavedCallbackNumber,CN=Schema,CN=Configuration,DC=X
  • CN=msRASSavedFramedIPAddress,CN=Schema,CN=Configuration,DC=X
  • CN=msRASSavedFramedRoute,CN=Schema,CN=Configuration,DC=X
  • CN=ms-RADIUS-FramedInterfaceId,CN=Schema,CN=Configuration,DC=X
  • CN=ms-RADIUS-SavedFramedInterfaceId,CN=Schema,CN=Configuration,DC=X
  • CN=ms-RADIUS-FramedIpv6Prefix,CN=Schema,CN=Configuration,DC=X
  • CN=ms-RADIUS-SavedFramedIpv6Prefix,CN=Schema,CN=Configuration,DC=X
  • CN=ms-RADIUS-FramedIpv6Route,CN=Schema,CN=Configuration,DC=X
  • CN=ms-RADIUS-SavedFramedIpv6Route,CN=Schema,CN=Configuration,DC=X
  • CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
  • CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
  • CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X

The schema version is then increased to schema version 36.

 

Sch37.ldf

The LDF file Sch37.ldf modifies adds the following attributes to the schema:

  • msDS-UserPasswordExpiryTimeComputed: Contains the expiry time for the user's current password
  • msDS-PrincipalName: Account name for the security principal (constructed)
  • msDFSR-OnDemandExclusionDirectoryFilter: Filter string applied to on demand replication directories
  • msDFSR-DefaultCompressionExclusionFilter: Filter string containing extensions of file types not to be compressed
  • msTSHomeDrive: Terminal Services Home Drive specifies a Home drive for the user
  • msTSProperty01: Placeholder Terminal Server Property 01
  • msTSProperty02: Placeholder Terminal Server Property 02
  • msTSAllowLogon: Specifies whether the user is allowed to log on to the Terminal Server. The value is 1 if logon is allowed, and 0 if logon is not allowed.
  • msTSExpireDate: TS Expiration Date
  • msTSManagingLS: TS Managing License Server
  • msDFSR-Options2: Object Options2
  • msTSProfilePath: Terminal Services Profile Path specifies a roaming or mandatory profile path to use when the user logs on to the Terminal Server. The profile path is in the following network path format: \\servername\profiles folder name\username
  • msTSMaxIdleTime: Terminal Services Session Maximum Idle Time is maximum amount of time, in minutes, that the Terminal Services session can remain idle
  • msTSHomeDirectory: Terminal Services Home Directory specifies the Home directory for the user
  • msTSRemoteControl: Terminal Services Remote Control specifies the whether to allow remote observation or remote control of the user's Terminal Services session
  • msTSWorkDirectory: Terminal Services Session Work Directory specifies the working directory path for the user
  • msTSInitialProgram: Terminal Services Session Initial Program specifies the Path and file name of the application that the user wants to start automatically when the user logs on to the Terminal Server
  • msTSLicenseVersion: TS License Version
  • msTSMaxConnectionTime: Terminal Services Session maximum Connection Time is Maximum duration, in minutes, of the Terminal Services session
  • msTSReconnectionAction: Terminal Services Session Reconnection Action specifies whether to allow reconnection to a disconnected Terminal Services session from any client computer
  • msTSConnectClientDrives: Terminal Services Session Connect Client Drives At Logon specifies whether to reconnect to mapped client drives at logon
  • msDFSR-CommonStagingPath: Full path of the common staging directory
  • msTSMaxDisconnectionTime: Terminal Services Session Maximum Disconnection Time is maximum amount of time, in minutes, that a disconnected Terminal Services session remains active on the Terminal Server
  • msTSDefaultToMainPrinter: Terminal Services Default To Main Printer specifies whether to print automatically to the client's default printer
  • msTSConnectPrinterDrives: Terminal Services Session Connect Printer Drives At Logon specifies whether to reconnect to mapped client printers at logon
  • msTSBrokenConnectionAction: Terminal Services Session Broken Connection Action specifies the action to take when a Terminal Services session limit is reached
  • msDFSR-DisablePacketPrivacy: Disable packet privacy on a connection
  • msDFSR-CommonStagingSizeInMb: Size of the common staging directory in MB
  • msDFSR-OnDemandExclusionFileFilter: Filter string applied to on demand replication files
  • msDFSR-StagingCleanupTriggerInPercent: Staging cleanup trigger in percent of free disk space

 

After these attributes have been added, Sch37.ldf modifies security on Terminal Services objects and then updates the mayContain values of Terminal Services and DFSr objects.

The schema version is then increased to schema version 37.

 

Sch38.ldf

Sch38.ldf only makes one change.  This change is to the CN=ms-DS-AuthenticatedAt-DC,CN=Schema,CN=Configuration,DC=X attribute.  The modification that is made to this attribute is to mark this attribute as systemOnly.

After this change, the schema version is still increased to version 38.

 

Sch39.ldf

Sch39.ldf begins by modifying the following attributes:

  • msFVE-KeyPackage: Contains a volume's BitLocker encryption key secured by the corresponding recovery password
  • msFVE-VolumeGuid: Contains the GUID associated with a BitLocker-supported disk volume
  • msDS-HABSeniorityIndex: Contains the seniority index as applied by the organization where the person works

Sch39.ldf then modifies the adminDescription, searchFlags, and rangeUppper of the attributes:

  • CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
  • CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
  • CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
  • CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
  • CN=msSFU-30-Posix-Member,CN=Schema,CN=Configuration,DC=X

Lastly, Sch39.ldf also updates the systemMayContain and mayContain values of additional objects in the Schema which could contain any of these attributes.

The schema version is then increased to schema version 39.

 

Sch40.ldf

The LDF file Sch40.ldf adds many attributes to the schema.  Half of these attributes are used with Fine Grained Password policies and the other half are used with Terminal Server Licensing.  This list is all of the attributes that are added to the Active Directory schema:

  • msDS-PasswordReversibleEncryptionEnabled: Password reversible encryption status for user accounts
  • msDS-NcType: A bit field that maintains information about aspects of a NC replica that are relevant to replication
  • msDS-PSOAppliesTo:   Links to objects that this password settings object applies to
  • msDS-PSOApplied: Password settings object applied to this object
  • msDS-ResultantPSO: Resultant password settings object applied to this object
  • msDS-LockoutDuration: Lockout duration for locked out user accounts
  • msDS-LockoutThreshold: Lockout threshold for lockout of user accounts
  • msDS-MinimumPasswordAge: Minimum Password Age for user accounts
  • msDS-MaximumPasswordAge: Maximum Password Age for user accounts
  • msDS-MinimumPasswordLength: Minimum Password Length for user accounts
  • msDS-PasswordHistoryLength: Password History Length for user accounts
  • msDS-LockoutObservationWindow: Observation Window for lockout of user accounts
  • msDS-PasswordComplexityEnabled: Password complexity status for user accounts
  • msDS-PasswordSettingsPrecedence: Password Settings Precedence
  • msTSManagingLS2: Issuer name of the second TS per user CAL
  • msTSManagingLS3: Issuer name of the third TS per user CAL
  • msTSManagingLS4: Issuer name of the fourth TS per user CAL
  • msTSExpireDate2: Expiration date of the second TS per user CAL
  • msTSExpireDate3: Expiration date of the third TS per user CAL
  • msTSExpireDate4: Expiration date of the fourth TS per user CAL
  • msTSLSProperty01: Placeholder Terminal Server License Server Property 01
  • msTSLSProperty02: Placeholder Terminal Server License Server Property 02
  • msTSLicenseVersion2: Version of the second TS per user CAL
  • msTSLicenseVersion3: Version of the third TS per user CAL
  • msTSLicenseVersion4: Version of the fourth TS per user CAL
  • msDS-IsUserCachableAtRodc: For a Read-Only Domain Controller (RODC), Identifies whether the specified user's secrets are cacheable

It is important to note that these password policy related attributes (i.e. msDS-LockoutDuration, msDS-LockoutThreshold, msDS-MinimumPasswordAge, etc.) are not simply an update to the existing Lockout Duration, Lockout Threshold, Minimum Password Age, etc. settings that administrators are used to see in a Password Policy.  Password Policy settings on a Windows 2000 and Windows Server 2003 domain controller are contained in the registry of the domain controller, not as attributes held within Active Directory.

Windows Server 2008 in Domain Functional Level 2008 allows for multiple Fine Grained Password Policies per domain.  For this to exist, attributes that correspond to each setting needed to be introduced to the schema.

Sch40.ldf then modifies attributes that have been created during the schema update and also updates various objects in the schema.  These modifications are searchFlags, mayContain, systemMayContain, and possPosition values.

After these changes, sch40.ldf then creates two new classes that pertain to Fine Grained Password Policies.  These classes are:

  • msDS-PasswordSettingsContainer: Container for password settings objects
  • msDS-PasswordSettings: Password settings object for accounts
    • Note: This classSchema object is created with a list of systemMustContain OIDs. This is a list of attributes that a Password Settings Object (PSO) must contain or else the creation of the PSO will fail.

After the classes are created, the sch40.ldf file then modifies more systemMayContain values of other objects.

The schema version is then increased to schema version 40.

 

Sch41.ldf

Sch41.ldf makes only a few changes to objects that exist in the schema.  First, modifications are made to the systemMayContain values of the objects:

  • CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
  • CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
  • CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
  • CN=ms-DS-PSO-Applied,CN=Schema,CN=Configuration,DC=X
  • CN=ms-DS-Resultant-PSO,CN=Schema,CN=Configuration,DC=X

Second, modifications are made to the rightsGUID values of the objects:

  • CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X
  • CN=Terminal-Server-License-Server,CN=Extended-Rights,CN=Configuration,DC=X

The schema version is then increased to schema version 41.

 

Sch42.ldf

Schema update 42 makes modifications to over 360 objects in the schema.  The modifications that are made to these objects are adding the schemaFlagsEx attribute to each object and setting a value of 1.  The code for each modification looks like this:

changetype: ntdsSchemaModify

add: schemaFlagsEx

schemaFlagsEx: 1

Only the operating system can modify the SchemaFlagsEX value and this value specifies whether an attribute can be part of the filtered attribute set.

After the update to all 360+ attributes, the schema version is increased to schema version 42.

 

Sch43.ldf

Sch43.ldf adds the following attributes to the Active Directory Schema:

  • msDFS-SchemaMajorVersion: Major version of schema of DFS metadata
  • msDFS-SchemaMinorVersion: Minor version of schema of DFS metadata
  • msDFS-GenerationGUIDv2: To be updated each time the entry containing this attribute is modified
  • msDFS-NamespaceIdentityGUIDv2: To be set only when the namespace is created. Stable across rename/move as long as namespace is not replaced by another namespace having same name
  • msDFS-LastModifiedv2: To be updated on each write to the entry containing the attribute
  • msDFS-Ttlv2: TTL associated with DFS root/link. For use at DFS referral time
  • msDFS-Commentv2: Comment associated with DFS root/link
  • msDFS-Propertiesv2: Properties associated with DFS root/link
  • msDFS-TargetListv2: Targets corresponding to DFS root/link
  • msDFS-LinkPathv2: DFS link path relative to the DFS root target share (i.e. without the server/domain and DFS namespace name components). Use forward slashes (/) instead of backslashes so that LDAP searches can be done without having to use escapes
  • msDFS-LinkSecurityDescriptorv2: Security descriptor of the DFS links's reparse point on the filesystem
  • msDFS-LinkIdentityGUIDv2: To be set only when the link is created. Stable across rename/move as long as link is not replaced by another link having same name
  • msDFS-ShortNameLinkPathv2: Shortname DFS link path relative to the DFS root target share (i.e. without the server/domain and DFS namespace name components). Use forward slashes (/) instead of backslashes so that LDAP searches can be done without having to use escapes
  • msDFS-NamespaceAnchor: DFS namespace anchor
  • msDFS-Namespacev2: DFS namespace
  • msDFS-Linkv2: DFS Link in DFS namespace
  • msDFS-DeletedLinkv2: Deleted DFS Link in DFS namespace
  • addressBookRoots2: Used by Exchange. Exchange configures trees of address book containers to show up in the MAPI address book. This attribute on the Exchange Config object lists the roots of the address book container trees
  • globalAddressList2: This attribute is used on a Microsoft Exchange container to store the distinguished name of a newly created global address list (GAL)
  • templateRoots2: This attribute is used on the Exchange config container to indicate where the template containers are stored. This information is used by the Active Directory MAPI provider

Once these attributes have been created the schema version is incremented to schema version 43.

 

Sch44.ldf

Schema Update 44 only does modifications to some objects that already exist.  These modifications are changing systemMayContain, showInAdvancedViewOnly, searchFlags, and adminDescription.  Once this is complete, the schema version is incremented to schema version 44.  At this point, the Windows Server 2008 ADPREP /forestprep is complete

Additional LDF files for Windows Server 2008 R2 ADPREP /forestprep

 

Sch45.ldf

Sch45.ldf adds the following attributes to the Active Directory schema:

  • msDS-USNLastSyncSuccess: The USN at which the last successful replication synchronization occurred
  • isRecycled: Is the object recycled (for use with AD Recycle Bin)
  • msDS-OptionalFeatureGUID: GUID of an optional feature
  • msDS-EnabledFeature: Enabled optional features
  • msImaging-PSPString: Schema Attribute that contains the XML sequence for this PostScan Process
  • msDS-OIDToGroupLink: For an OID, identifies the group object corresponding to the issuance policy represented by this OID
  • msDS-OIDToGroupLinkBl: Backlink for ms-DS-OIDToGroup-Link; identifies the issuance policy, represented by an OID object, which is mapped to this group
  • msImaging-PSPIdentifier: Schema Attribute that contains the unique identifier for this PostScan Process
  • msDS-HostServiceAccount: Service Accounts configured to run on this computer
  • msDS-HostServiceAccountBL: Service Accounts Back Link for linking machines associated with the service account
  • msDS-RequiredDomainBehaviorVersion: Required domain function level for this feature
  • msDS-RequiredForestBehaviorVersion: Required forest function level for this feature
  • msPKI-CredentialRoamingTokens: Storage of encrypted user credential token blobs for roaming
  • msDS-LocalEffectiveRecycleTime: Recycle time of the object in the local DIT
  • msDS-LocalEffectiveDeletionTime: Deletion time of the object in the local DIT
  • msDS-LastKnownRDN: Holds original RDN of a deleted object
  • msDS-EnabledFeatureBL: Scopes where this optional feature is enabled
  • msDS-DeletedObjectLifetime: Lifetime of a deleted object
  • msDS-OptionalFeatureFlags: An integer value that contains flags that define behavior of an optional feature in Active Directory
  • msPKI-Enrollment-Servers: Priority, authentication type, and URI of each certificate enrollment web service
  • msPKI-Site-Name: Active Directory site to which the CA machine belongs
  • msTSEndpointData: This attribute represents the VM Name for machine in TSV deployment.
  • msTSEndpointType: This attribute defines if the machine is a physical machine or a virtual machine.
  • msTSEndpointPlugin: This attribute represents the name of the plugin which handles the orchestration.
  • msTSPrimaryDesktop: This attribute represents the forward link to user's primary desktop.
  • msTSSecondaryDesktops: This attribute represents the array of forward links to user's secondary desktops.
  • msTSPrimaryDesktopBL: This attribute represents the backward link to user.
  • msTSSecondaryDesktopBL: This attribute represents the backward link to user.
  • msImaging-PSPs: Container for all Enterprise Scan Post Scan Process objects.
  • msDS-OptionalFeature: Configuration for an optional DS feature.
  • msImaging-PostScanProcess: Enterprise Scan Post Scan Process object.
  • msDS-ManagedServiceAccount: Service account class is used to create accounts that are used for running Windows services.

Then, modifications are made to various objects in the schema which contain values such as systemMayContain and appliesTo.  Lastly, the objects CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=X and CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=X are created as optional features that can be enabled with Windows Server 2008 R2.

When this is complete the schema version is incremented to 45.

 

Sch46.ldf

The LDF file Sch46.ldf makes one change to the object CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X.  The change that is made is to modify the defaultHidingValue and configure it with a value of FALSE.

When this is complete the schema version is incremented to 46.

 

Sch47.ldf

Sch47.ldf modifies only two objects in the schema.  These objects are CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X and CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X.  The modification to the first is a modification to the systemMayContain value.  The modification to the second object is a deletion of the systemPossSuperiors value.

When this is complete the schema version is incremented to schema version 47 and the ADPREP /forestprep for Windows Server 2008 R2 is complete.

Comments

  • Anonymous
    August 03, 2011
    Thank you for your work on AD Schema udpates Rich. The formal documentation MSDN for AD Schema is now up to date for Win 2K8 and 2K8 R2. For a time, the docs were not current, as some but not all of the 2K8 updates were in place and none of the R2 updates. Now they are current. For more information  see msdn.microsoft.com/.../ms675085(VS.85).aspx