I wanted to create an Active Directory test domain. It was supposed to have the exactly same content as an existing one.
That quickly confronts you with the following problem:
How can I ensure that the test directory has the same LSAP schema as the reference domain?
With board tools you can synchronize or export and import the AD schema. Especially one tool, a part of the server role AD LDS (formerly ADAM), has proven to be very helpful with that. When the role is installed, you can find a program named ADSchemaAnalyzer.exe in the folder C:\Windows\ADAM.
Install AD schema as a copy of productive domain
With the tool ADSchemaAnalyze you can determine the schema difference between two LDAP directories (AD DS / AD LDS) and export them into a LDIF file. This file then has to be imported into the target directory with the tool ldifde.exe. ldifde.exe is a command line tool which exists on every domain controller.
Because some of the used terms could be misleading, I want to explain them first.
The target schema describes the source , reference or original schema. In this case target means that the base schema has to look the same as the target.
The base schema is the schema to be edited, meaning the copy or the test AD domain. It should be expanded so it has the same contents as the target.
Tutorial: Synchronize and install LDAP schema
- Start ADSchemaAnalyzer
- Load schema of the target directoryFile >Load target schema…
Enter user name, password and domain
Confirm with OK
The result could look like this:
- Load schema of the test directoryFile >Load base schema…
After having entered the connection data to the test directory successfully, the schema difference will be determined.
The tool now shows all classes and attributes with their status.
With the option Schema >Hide present elements you can hide already existing entries.
After that, you can manually select the desired classes and attributes.
With Schema >Mark all non present elements as included you can add all missing ones.
- Then, you can create the LDIF import file via File >Create LDIF file.Example file (short):
# This file should be imported with the following command:
# ldifde i u f Fa Schema.ldf s Server Name j . c “cn=Configuration,dc=X” #configurationNamingContext
# LDIFDE.EXE from AD/AM V1.0 or above must be used.
# This LDIF file should be imported into AD or AD/AM. It may not work for other directories.
# Attribute: faAdresse2
# schemaIDGUID: 21d94f36 80d8 408e a8e9 b272a0e1e8c0
In the head, this file already contains the command line command for Ldifde:
ldifde i u f Fa Schema.ldf s Server Name j . c “cn=Configuration,dc=X” #configurationNamingContext
It is important that the target server owns the AD role „Schema Master“ and that the executing user is schema administrator (group schema admins).
Changes to the AD schema cannot be reversed! Check all actions thoroughly!
The author does not assume liability for data loss, undesired side effects or any other guarantees. The risk lies with the user.