Understanding FSMO Roles – 4: Schema Master

June 4, 2020

In the last post, we covered the Forest-level and Domain-level roles. In this post, we look at the first Forest-level role, the Schema Master. Before that, we have to understand what exactly the Schema is. The word is one of the scariest in the technical dictionary, but the concept is actually quite simple. Let’s understand…

The Schema is basically the skeleton, blueprint or template for each and every object stored in Active Directory: it decides how any object is created and what that object contains. In other words, the Schema is the combination of the Classes and Attributes of objects.

  • Class: The different “types” of objects. User, Group, OU etc. are different classes of object.
  • Attributes: The different values within a Class. For the User class, First Name, Last Name, Full Name, Username etc. are all attributes of a User. Similarly, Name, Scope, Group Type etc. are attributes of a Group.

Suppose we need to add a field called “Father’s Name” to users, which is not available in AD by default; we need to add that attribute to the User class. Always remember that the Schema is unique to the entire Forest: any change made to the Schema in one domain is automatically replicated to all domains in that forest. So if we have three domains in our forest – DevOpsAge.com, US.DevOpsAge.com and IN.DevOpsAge.com – and we make a schema change (add Father’s Name to the User class) in DevOpsAge.com, it automatically becomes available in IN.DevOpsAge.com and US.DevOpsAge.com.
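To make the Class/Attribute idea concrete, here is an added example (not code from the original post) that reads the forest schema with the ActiveDirectory PowerShell module. It assumes RSAT or the module is installed on a domain-joined machine; it only reads the schema and changes nothing. The attribute name `fathersName` is a hypothetical placeholder for the “Father’s Name” field discussed above.

```powershell
# Added example: inspect the AD schema read-only to see that a class is a set of attributes.
Import-Module ActiveDirectory

# The schema has its own naming context, shared by every domain in the forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# The definition of the 'user' object class (a classSchema object).
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mayContain, systemMayContain, mustContain, systemMustContain, subClassOf

# Attributes a user object must carry, and some of those it may carry, per the schema.
"Mandatory attributes of class 'user':"
@($userClass.mustContain) + @($userClass.systemMustContain) | Sort-Object
"First 20 optional attributes of class 'user':"
@($userClass.mayContain) + @($userClass.systemMayContain) | Sort-Object | Select-Object -First 20

# Familiar attributes such as givenName (First Name) or sn (Last Name) are inherited
# from parent classes, so also look at the inheritance chain: user -> organizationalPerson -> person -> top.
"user is a subclass of: $($userClass.subClassOf)"

# A single attribute definition (an attributeSchema object), e.g. givenName.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=givenName))' `
    -Properties attributeID, attributeSyntax, oMSyntax, isSingleValued |
    Format-List lDAPDisplayName, attributeID, attributeSyntax, oMSyntax, isSingleValued

# The hypothetical 'fathersName' attribute does not exist by default, so this returns nothing.
# Adding it would be a forest-wide schema change that has to go through the Schema Master.
$custom = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=fathersName))'
"fathersName defined in schema: $([bool]$custom)"
```

Because the schema naming context is forest-wide, this same query returns the same definitions no matter which domain in the forest you run it from.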

If you understood the concept of the Schema, the role of the Schema Master is easy to understand. The Schema Master controls all activities related to the Active Directory Schema, i.e. any creation, modification or deletion of a Class or Attribute. Generally a Domain Controller in the Root domain holds it, but you can move it to any other DC in the forest. However, it is highly recommended to keep it in the Root domain only.

I have never done any planned Schema changes in the 14 years of my career. Schema modification is really a rare task that we don’t do very often. That’s why the Schema Master is not a mission-critical FSMO role.

What if my Schema Master is down? As I said, the Schema Master is not a mission-critical FSMO role, so if the DC holding the role goes down it hardly matters to day-to-day activities. But if you want to make any kind of Schema modification, your Schema Master must be up and running. Also, Schema modifications are not necessarily done manually. If you are trying to install an application which needs to change the Schema, like Microsoft Exchange, SAP or any other such application, and your Schema Master is down at that time, you will not be able to install that app. So before installing such a special app, make sure your Schema Master is up.

To make any kind of Schema modification, you have to be a member of a special group in Active Directory called “Schema Admins”. Even if you are a member of “Domain Admins”, you will not have control over the Schema unless you are also in the Schema Admins group. So before making any manual Schema changes (which I don’t think you will ever do) or installing an application which needs schema changes, make sure your account is listed in the Schema Admins group.

One last thing to understand: when I say “the role is down”, I mean that the Domain Controller (Active Directory server) which holds the Schema Master role is down. Also, Schema changes are generally irreversible and have an impact on the entire forest, so be very careful when working with the Schema. A single mistake will replicate across the entire forest and leave you in a great mess.
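The three checks the post asks for before a schema-changing install (is the Schema Master up, is my account in Schema Admins, and who holds the role) fit into one pre-flight script. This is an added example, not code from the original post; it assumes the ActiveDirectory module on a domain-joined machine and an account allowed to read group membership in the forest root domain. It changes nothing, and it records a baseline so that what an installer added to the schema can be seen afterwards.

```powershell
# Added example: pre-flight check before installing an app that extends the AD schema.
Import-Module ActiveDirectory

$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster          # FQDN of the DC currently holding the role
"Schema Master : $schemaMaster"
"Root domain   : $($forest.RootDomain)"

# 1. "Role is down" means the DC holding it is down: check that this DC answers
#    both ICMP and LDAP (ICMP alone can be filtered, so LDAP is the real test).
if (-not (Test-Connection -ComputerName $schemaMaster -Count 2 -Quiet)) {
    Write-Warning "$schemaMaster does not answer ping."
}
try {
    $rootDse = Get-ADRootDSE -Server $schemaMaster
    "LDAP bind to Schema Master OK (schema NC: $($rootDse.schemaNamingContext))"
} catch {
    Write-Warning "Cannot bind to LDAP on $schemaMaster - schema changes will fail: $_"
}

# 2. Baseline of the schema so the extension can be reviewed afterwards:
#    objectVersion is the Windows schema version; the counts show what an app adds.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
$attrCount  = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)').Count
$classCount = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=classSchema)').Count
"Schema version $schemaVersion, $attrCount attributes, $classCount classes"

# 3. Schema Admins lives in the forest root domain; Domain Admins alone is not enough.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$members = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive)
$amMember = ($members | ForEach-Object { $_.SID.Value }) -contains $me.User.Value
"$($me.Name) is in Schema Admins: $amMember"

# 4. Because schema changes are forest-wide and irreversible, it is worth seeing
#    who else holds this power; membership is normally expected to be empty.
"Current Schema Admins members:"
$members | Select-Object Name, objectClass, distinguishedName
```

Run the same script again after the installation: the difference in attribute and class counts is the footprint the application left in the forest-wide schema.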

That is all for this post; I hope you are now clear about what the Schema is and about the Schema Master role. In the next post, we will discuss the second Forest-level role – the Domain Naming Master. Cheers!
