Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
With Microsoft's access and information protection solutions, you can deploy and configure access to corporate
resources across your on-premises environment and cloud applications. And you can do it while protecting
corporate information.
Access and Information Protection
| Guide | How can this guide help you |
| --- | --- |
| Secure access to company resources from any location on any device | This guide shows how to allow employees to use personal and company devices to securely access corporate applications and data. |
| Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications | Employees can access applications and data everywhere, on any device. Employees can use Single Sign-On in browser applications or enterprise applications. Administrators can control who has access to company resources based on application, user, device, and location. |
| Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications | In this scenario, you enable MFA based on the user's group membership data for a specific application. In other words, you will set up an authentication policy on your federation server to require MFA when users that belong to a certain group request access to a specific application that is hosted on a web server. |
| Manage Risk with Conditional Access Control | Access control in AD FS is implemented with issuance authorization claim rules that are used to issue permit or deny claims that will determine whether a user or a group of users will be allowed to access AD FS-secured resources or not. Authorization rules can only be set on relying party trusts. |
| Configuring Certificate Enrollment Web Service for certificate key-based renewal on a custom port | This article provides step-by-step instructions to implement the Certificate Enrollment Web Service (or Certificate Enrollment Policy (CEP) / Certificate Enrollment Service (CES)) on a custom port other than 443 for certificate key-based renewal to take advantage of the automatic renewal feature of CEP and CES. |
Dynamic Access Control: Scenario Overview
3/5/2021 • 7 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
In Windows Server 2012, you can apply data governance across your file servers to control who can access
information and to audit who has accessed information. Dynamic Access Control lets you:
- Identify data by using automatic and manual classification of files. For example, you could tag data in file servers across the organization.
- Control access to files by applying safety-net policies that use central access policies. For example, you could define who can access health information within the organization.
- Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.
- Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.
The Dynamic Access Control feature set is based on infrastructure investments that can be used further by
partners and line-of-business applications, and the features can provide great value for organizations that use
Active Directory. This infrastructure includes:
- A new authorization and audit engine for Windows that can process conditional expressions and central policies.
- Kerberos authentication support for user claims and device claims.
- Improvements to the File Classification Infrastructure (FCI).
- RMS extensibility support so partners can provide solutions that encrypt non-Microsoft files.
In this scenario
The following scenarios and guidance are included as part of this content set:
For each scenario, the Evaluate, Plan, Deploy, and Operate content is listed.

Scenario: Central Access Policy
Creating central access policies for files allows organizations to centrally deploy and manage authorization policies that include conditional expressions using user claims, device claims, and resource properties. These policies are based on compliance and business regulatory requirements. These policies are created and hosted in Active Directory, therefore making it easier to manage and deploy.

Deploying Claims Across Forests
In Windows Server 2012, AD DS maintains a 'claims dictionary' in each forest, and all claim types in use within the forest are defined at the Active Directory forest level. There are many scenarios where a principal may need to traverse a trust boundary. This scenario describes how a claim traverses a trust boundary.

- Evaluate: Dynamic Access Control: Scenario Overview; Deploy Claims Across Forests
- Plan:
  - Plan: A Central Access Policy Deployment
    - Process to map a business request to a central access policy
    - Delegating of administration for Dynamic Access Control
    - Exception Mechanisms for Planning Central Access Policies
  - Best Practices for Using User Claims
    - Choosing the right configuration to enable claims in your user domain
    - Operations to enable user claims
    - Considerations for using user claims in the file server discretionary ACLs without using Central Access Policies
  - Using Device Claims and Device Security Groups
    - Considerations for using static device claims
    - Operations to enable device claims
  - Tools for Deployment
    - Data Classification Toolkit
- Deploy: Deploy a Central Access Policy (Demonstration Steps); Deploy Claims Across Forests (Demonstration Steps)
- Operate: Modeling a central access policy

Scenario: File Access Auditing
Security auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance. For example, industry standards such as Sarbanes-Oxley, HIPAA, and Payment Card Industry (PCI) require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence or absence of such policies; thereby, they prove compliance or noncompliance with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible behavior by creating a record of user activity that can be used for forensic analysis.

- Evaluate: Scenario: File Access Auditing
- Plan: Plan for File Access Auditing
- Deploy: Deploy Security Auditing with Central Audit Policies (Demonstration Steps)
- Operate:
  - Monitor the Central Access Policies that Apply on a File Server
  - Monitor the Central Access Policies Associated with Files and Folders
  - Monitor the Resource Attributes on Files and Folders
  - Monitor Claim Types
  - Monitor User and Device Claims During Sign-in
  - Monitor Central Access Policy and Rule Definitions
  - Monitor Resource Attribute Definitions
  - Monitor the Use of Removable Storage Devices
NOTE
Dynamic Access Control is not supported on ReFS (Resilient File System).
See also
| Content type | References |
| --- | --- |
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Central access policies for files enable organizations to centrally deploy and manage authorization policies that
include conditional expressions that use user groups, user claims, device claims, and resource properties.
(Claims are assertions about the attributes of the object with which they are associated). For example, to access
high-business-impact (HBI) data, a user must be a full-time employee, obtain access from a managed device,
and log on with a smart card. These policies are defined and hosted in Active Directory Domain Services (AD
DS).
Organizational access policies are driven by compliance and business regulatory requirements. For example, if
an organization has a business requirement to restrict access to personally identifiable information (PII) in files
to only the file owner and members of the human resources (HR) department who are allowed to view PII
information, this policy applies to PII files wherever they are located on file servers across the organization. In
this example, you need to be able to:
- Identify and mark the files that contain PII.
- Identify the group of HR members who are allowed to view PII information.
- Create a central access policy that applies to all files that contain PII wherever they are located on file servers across the organization.
The initiative to deploy and enforce an authorization policy can arise for many reasons and apply to multiple
levels of the organization. The following are some example policy types:
- Organization-wide authorization policy. Most commonly initiated from the information security office, this authorization policy is driven by compliance or high-level organizational requirements, and it is relevant across the organization. For example, HBI files are accessible only to full-time employees.
- Departmental authorization policy. Each department in an organization has some special data-handling requirements that it wants to enforce. For example, the finance department might want to limit access to finance servers to the finance employees.
- Specific data-management policy. This policy usually relates to compliance and business requirements, and it is targeted at protecting the correct access to the information that is being managed. For example, financial institutions might implement information walls so that analysts do not access brokerage information and brokers do not access analysis information.
- Need-to-know policy. This authorization policy type is typically used in conjunction with the previous policy types. For example, vendors should be able to access and edit only files that pertain to a project they are working on.
Real-life environments also teach us that every authorization policy needs to have exceptions so that
organizations can quickly react when important business needs arise. For example, executives who cannot find
their smart cards and need quick access to HBI information can call the Help Desk to get a temporary exception
to access that information.
Central access policies act as security umbrellas that an organization applies across its servers. These policies
enhance (but do not replace) the local access policies or discretionary access control lists (DACL) that are applied
to files and folders. For example, if a DACL on a file allows access to a specific user, but a central policy that is
applied to the file restricts access to the same user, the user cannot obtain access to the file. If the central access
policy allows access, but the DACL does not allow access, the user cannot obtain access to the file.
A central access policy rule has the following logical parts:
- Applicability. A condition that defines which data the policy applies to, such as Resource.BusinessImpact=High.
- Access conditions. A list of one or more access control entries (ACEs) that define who can access the data, such as Allow | Full Control | User.EmployeeType=FTE.
- Exceptions. An additional list of one or more ACEs that define an exception for the policy, such as MemberOf(HBIExceptionGroup).
The following two figures show the workflow in central access and audit policies.
In this scenario
The following guidance is available to you for central access policies:
Plan a Central Access Policy deployment
Deploy a Central Access Policy (Demonstration Steps)
Dynamic Access Control: Scenario Overview
| Role or feature | Description |
| --- | --- |
| Active Directory Domain Services role | AD DS in Windows Server 2012 introduces a claims-based authorization platform that enables the creation of user claims and device claims, compound identity (user plus device claims), new central access policy (CAP) models, and the use of file-classification information in authorization decisions. |
| File and Storage Services server role | File and Storage Services provides technologies that help you set up and manage one or more file servers that provide central locations on your network where you can store files and share them with users. If your network users need access to the same files and applications, or if centralized backup and file management are important to your organization, you should set up one or more computers as a file server by adding the File and Storage Services role and the appropriate role services to the computers. |
| Windows client computer | Users can access files and folders on the network through the client computer. |
Deploy a Central Access Policy (Demonstration
Steps)
6/17/2021 • 19 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
In this scenario, the finance department security operations is working with central information security to
specify the need for a central access policy so that they can protect archived finance information stored on file
servers. The archived finance information from each country can be accessed as read-only by finance
employees from the same country. A central finance admin group can access the finance information from all
countries.
Deploying a central access policy includes the following phases:
| Phase | Description |
| --- | --- |
| Plan: Identify the need for policy and the configuration required for deployment | Identify the need for a policy and the configuration required for deployment. |
| Implement: Configure the components and policy | Configure the components and policy. |
| Maintain: Change and stage the policy | Policy changes and staging. |
Plan: Identify the need for policy and the configuration required for
deployment
This section provides the high-level series of steps that aid in the planning phase of your deployment.
| Step # | Step | Example |
| --- | --- | --- |
| 1.6 | Determine the servers on which to apply this policy | Apply the policy on all finance file servers. |

| Step # | Step | Example |
| --- | --- | --- |
| 2.3 | Configure a central access rule | Create a Finance Documents rule that includes the policy determined in the previous section. |
| 2.4 | Configure a central access policy (CAP) | Create a CAP called Finance Policy and add the Finance Documents rule to that CAP. |
| 2.5 | Target central access policy to the file servers | Publish the Finance Policy CAP to the file servers. |
| 2.6 | Enable KDC Support for claims, compound authentication and Kerberos armoring. | Enable KDC Support for claims, compound authentication and Kerberos armoring for contoso.com. |
In the following procedure, you create two claim types: Country and Department.
To create claim types
1. Open Server DC1 in Hyper-V Manager and log on as contoso\administrator, with the password pass@word1.
2. Open Active Directory Administrative Center.
3. Click the Tree View icon, expand Dynamic Access Control, and then select Claim Types. Right-click Claim Types, click New, and then click Claim Type.
TIP
You can also open a Create Claim Type: window from the Tasks pane. On the Tasks pane, click New, and then click Claim Type.
4. In the Source Attribute list, scroll down the list of attributes, and click department. This should populate the Display name field with department. Click OK.
5. In the Tasks pane, click New, and then click Claim Type.
6. In the Source Attribute list, scroll down the list of attributes, and then click the c attribute (Country-Name). In the Display name field, type country.
7. In the Suggested Values section, select The following values are suggested:, and then click Add.
8. In the Value and Display name fields, type US, and then click OK.
9. Repeat the previous step. In the Add a suggested value dialog box, type JP in the Value and Display name fields, and then click OK.
TIP
You can use the Windows PowerShell History Viewer in Active Directory Administrative Center to look up the Windows PowerShell cmdlets for each procedure you perform in Active Directory Administrative Center. For more information, see Windows PowerShell History Viewer.
The next step is to create resource properties. In the following procedure you create a resource property that is
automatically added to the Global Resource Properties list on the domain controller, so that it is available to the
file server.
To create and enable pre-created resource properties
1. In the left pane of Active Directory Administrative Center, click Tree View. Expand Dynamic Access Control, and then select Resource Properties.
2. Right-click Resource Properties, click New, and then click Reference Resource Property.
TIP
You can also choose a resource property from the Tasks pane. Click New and then click Reference Resource Property.
3. In the Select a claim type to share its suggested values list, click country.
4. In the Display name field, type country, and then click OK.
5. Double-click the Resource Properties list, and scroll down to the Department resource property. Right-click it, and then click Enable. This enables the built-in Department resource property.
6. In the Resource Properties list on the navigation pane of the Active Directory Administrative Center, you will now have two enabled resource properties:
   - Country
   - Department
The next step is to create central access rules that define who can access resources. In this scenario the business
rules are:
Finance documents can be read only by members of the Finance department.
Members of the Finance department can access only documents in their own country.
Only Finance Administrators can have Write access.
We will allow an exception for members of the FinanceException group. This group will have Read access.
The administrator and document owner will still have full access.
Or, to express the rules with Windows Server 2012 constructs:

Targeting: Resource.Department Contains Finance
Access Rules:
  Allow Read          User.Country=Resource.Country AND User.department=Resource.Department
  Allow Full control  User.MemberOf(FinanceAdmin)
  Allow Read          User.MemberOf(FinanceException)
To create a central access rule
1. In the left pane of the Active Directory Administrative Center, click Tree View, select Dynamic Access Control, and then click Central Access Rules.
2. Right-click Central Access Rules, click New, and then click Central Access Rule.
3. In the Name field, type Finance Documents Rule.
4. In the Target Resources section, click Edit, and in the Central Access Rule dialog box, click Add a condition. Add the following condition: [Resource] [Department] [Equals] [Value] [Finance], and then click OK.
5. In the Permissions section, select Use following permissions as current permissions, click Edit, and in the Advanced Security Settings for Permissions dialog box click Add.
NOTE
The Use the following permissions as proposed permissions option lets you create the policy in staging. For more information on how to do this, refer to the Maintain: Change and stage the policy section in this topic.
6. In the Permission entry for Permissions dialog box, click Select a principal, type Authenticated Users, and then click OK.
7. In the Permission Entry for Permissions dialog box, click Add a condition, and add the following conditions: [User] [country] [Any of] [Resource] [country]. Click Add a condition. [And] Click [User] [Department] [Any of] [Resource] [Department]. Set the Permissions to Read.
8. Click OK, and then click Add. Click Select a principal, type FinanceAdmin, and then click OK.
9. Select the Modify, Read and Execute, Read, and Write permissions, and then click OK.
10. Click Add, click Select a principal, type FinanceException, and then click OK. Select the permissions to be Read and Read and Execute.
11. Click OK three times to finish and return to Active Directory Administrative Center.
IMPORTANT
In the above cmdlet example, the security identifiers (SIDs) for the FinanceAdmin group and the users are determined at creation time and will be different in your environment. For example, the provided SID value (S-1-5-21-1787166779-1215870801-2157059049-1113) for FinanceAdmin needs to be replaced with the actual SID of the FinanceAdmin group that you create in your deployment. You can use Windows PowerShell to look up the SID value of this group, assign that value to a variable, and then use the variable here. For more information, see Windows PowerShell Tip: Working with SIDs.
You should now have a central access rule that allows people to access documents from the same country and
the same department. The rule allows the FinanceAdmin group to edit the documents, and it allows the
FinanceException group to read the documents. This rule targets only documents classified as Finance.
To add a central access rule to a central access policy
1. In the left pane of the Active Directory Administrative Center, click Dynamic Access Control, and then click Central Access Policies.
2. In the Tasks pane, click New, and then click Central Access Policy.
3. In the Create Central Access Policy: window, type Finance Policy in the Name box.
4. In Member central access rules, click Add.
5. Double-click the Finance Documents Rule to add it to the Add the following central access rules list, and then click OK.
6. Click OK to finish. You should now have a central access policy named Finance Policy.
To apply the central access policy across file servers by using Group Policy
1. On the Start screen, in the Search box, type Group Policy Management. Double-click Group Policy Management.
TIP
If the Show Administrative tools setting is disabled, the Administrative Tools folder and its contents will not appear in the Settings results.
TIP
In your production environment, you should create a File Server Organizational Unit (OU), add all the file servers to which you want to apply this policy to this OU, and then create a group policy linked to that OU.
2. In this step, you edit the group policy object you created in the Build the domain controller section of the Test Environment to include the central access policy that you created. In the Group Policy Management Editor, navigate to and select the organizational unit in the domain (contoso.com in this example): Group Policy Management, Forest: contoso.com, Domains, contoso.com, Contoso, FileServerOU.
3. Right-click FlexibleAccessGPO, and then click Edit.
4. In the Group Policy Management Editor window, navigate to Computer Configuration, expand Policies, expand Windows Settings, and click Security Settings.
5. Expand File System, right-click Central Access Policy, and then click Manage Central access policies.
6. In the Central Access Policies Configuration dialog box, add Finance Policy, and then click OK.
7. Scroll down to Advanced Audit Policy Configuration, and expand it.
8. Expand Audit Policies, and select Object Access.
9. Double-click Audit Central Access Policy Staging. Select all three check boxes and then click OK. This step allows the system to receive audit events related to Central Access Staging Policies.
10. Double-click Audit File System Properties. Select all three check boxes, and then click OK.
11. Close the Group Policy Management Editor. You have now included the central access policy in the Group Policy.
For a domain's domain controllers to provide claims or device authorization data, the domain controllers need
to be configured to support dynamic access control.
To enable support for claims and compound authentication for contoso.com
1. Open Group Policy Management, click contoso.com, and then click Domain Controllers.
2. Right-click Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.
4. Double-click KDC Support for claims, compound authentication and Kerberos armoring. In the KDC Support for claims, compound authentication and Kerberos armoring dialog box, click Enabled and select Supported from the Options drop-down list. (You need to enable this setting to use user claims in central access policies.)
5. Close Group Policy Management.
6. Open a command prompt and type gpupdate /force.
Deploy the central access policy
| Step # | Step | Example |
| --- | --- | --- |
| 3.1 | Assign the CAP to the appropriate shared folders on the file server. | Assign the central access policy to the appropriate shared folder on the file server. |
| 3.2 | Verify that access is appropriately configured. | Check the access for users from different countries and departments. |
In this step you will assign the central access policy to a file server. You will log on to a file server that is receiving the central access policy that you created in the previous steps and assign the policy to a shared folder.
To assign a central access policy to a file server
1. In Hyper-V Manager, connect to server FILE1. Log on to the server by using contoso\administrator with the password pass@word1.
2. Open an elevated command prompt and type gpupdate /force. This ensures that your Group Policy changes take effect on your server.
3. You also need to refresh the Global Resource Properties from Active Directory. Open an elevated Windows PowerShell window, type Update-FsrmClassificationPropertyDefinition, press ENTER, and then close Windows PowerShell.
TIP
You can also refresh the Global Resource Properties from the file server itself. To do so:
1. Log on to file server FILE1 as contoso\administrator, using the password pass@word1.
2. Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.
3. In File Server Resource Manager, click File Classification Management, right-click Classification Properties, and then click Refresh.
4. Open Windows Explorer, and in the left pane, click drive D. Right-click the Finance Documents folder, and click Properties.
5. Click the Classification tab, click Country, and then select US in the Value field.
6. Click Department, select Finance in the Value field, and then click Apply.
NOTE
Remember that the central access policy was configured to target files of the Finance department. The previous steps mark all documents in the folder with the Country and Department attributes.
7. Click the Security tab, and then click Advanced. Click the Central Policy tab.
8. Click Change, select Finance Policy from the drop-down menu, and then click Apply. You can see the Finance Documents Rule listed in the policy. Expand the item to view all of the permissions that you set when you created the rule in Active Directory.
9. Click OK to return to Windows Explorer.
In the next step, you ensure that access is appropriately configured. User accounts need to have the appropriate
Department attribute set (set this using Active Directory Administrative Center). The simplest way to view the
effective results of the new policy is to use the Effective Access tab in Windows Explorer. The Effective
Access tab shows the access rights for a given user account.
To examine the access for various users
1. In Hyper-V Manager, connect to server FILE1. Log on to the server by using contoso\administrator. Navigate to D:\ in Windows Explorer. Right-click the Finance Documents folder, and then click Properties.
2. Click the Security tab, click Advanced, and then click the Effective Access tab.
3. To examine the permissions for a user, click Select a user, type the user's name, and then click View effective access to see the effective access rights. For example:
   - Myriam Delesalle (MDelesalle) is in the Finance department and should have Read access to the folder.
   - Miles Reid (MReid) is a member of the FinanceAdmin group and should have Modify access to the folder.
   - Esther Valle (EValle) is not in the Finance department; however, she is a member of the FinanceException group and should have Read access.
   - Maira Wenzel (MWenzel) is not in the Finance department and is not a member of either the FinanceAdmin or FinanceException group. She should not have any access to the folder.
Notice the last column, named Access limited by, in the Effective Access window. This column tells you which gates are affecting the user's permissions. In this case, the Share and NTFS permissions allow all users full control. However, the central access policy restricts access based on the rules you configured earlier.
| Step # | Step | Example |
| --- | --- | --- |
| 4.1 | Configure Device Claims for Clients | Set the group policy setting to enable device claims. |
| 4.2 | Enable a claim for devices. | Enable the country claim type for devices. |
| 4.3 | Add a staging policy to the existing central access rule that you would like to modify. | Modify the Finance Documents Rule to add a staging policy. |
| 4.4 | View the results of the staging policy. | Check Esther Valle's permissions. |
```powershell
# Stage a proposed ACL on the Finance Documents Rule. The SID in the last ACE is the one
# from the test lab and must be replaced with the SID of the FinanceAdmin group in your
# deployment (look it up with Windows PowerShell as described in the IMPORTANT note above).
Set-ADCentralAccessRule `
    -Identity "CN=FinanceDocumentsRule,CN=CentralAccessRules,CN=ClaimsConfiguration,CN=Configuration,DC=Contoso.com" `
    -ProposedAcl "O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1301bf;;;S-1-21=1426421603-1057776020-1604)" `
    -Server "WIN-2R92NN8VKFP.Contoso.com"
```
NOTE
In the above cmdlet example, the Server value reflects the server in the test lab environment. You can use the Windows PowerShell History Viewer to look up the Windows PowerShell cmdlets for each procedure you perform in Active Directory Administrative Center. For more information, see Windows PowerShell History Viewer.
In this proposed permissions set, members of the FinanceException group will have Full Access to files from their own country when they access them through a device from the same country as the document. Audit entries are written to the file server's Security log when someone from the Finance department attempts to access files. However, the proposed security settings are not enforced until the policy is promoted from staging.
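As an added example (not from the documentation or the ActiveDirectory module), the following Python decodes an SDDL string of the kind passed to -ProposedAcl above and checks each trustee before the rule is staged; the access masks and SID abbreviations are the standard Windows values, and the sample string is the one shown above, whose last trustee is left exactly as written.

```python
"""Decode and sanity-check an SDDL string before passing it to
Set-ADCentralAccessRule -ProposedAcl.

Added example, not from the documentation or the ActiveDirectory module.
It handles the plain (non-conditional) ACEs used in the sample; conditional
ACEs (types XA/XD with a nested condition) are out of scope.
"""
import re
from dataclasses import dataclass
from typing import List

# Sample from the page: the last trustee is not a well-formed SID.
SAMPLE_PROPOSED_ACL = (
    "O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)"
    "(A;;0x1301bf;;;S-1-21=1426421603-1057776020-1604)"
)

# Well-known SID abbreviations that appear in the sample.
SID_ABBREVIATIONS = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM"}
# SDDL rights abbreviations for files: all access, generic read/write/execute.
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# Access masks as shown by the Explorer permission levels.
PERMISSION_LEVELS = {0x1F01FF: "Full control", 0x1301BF: "Modify",
                     0x1200A9: "Read and Execute", 0x120089: "Read"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))*)")
ACE_RE = re.compile(r"\(([^()]*)\)")


@dataclass
class Ace:
    ace_type: str   # A = access allowed, D = access denied
    flags: str
    mask: int
    trustee: str    # resolved well-known name, or the SID string as written

    @property
    def permission_level(self) -> str:
        return PERMISSION_LEVELS.get(self.mask, hex(self.mask))


def parse_rights(rights: str) -> int:
    """Rights field: a hex mask ('0x1301bf') or concatenated two-letter aliases ('FRFX')."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS_ALIASES[rights[i:i + 2]]  # KeyError for aliases not in the table
    return mask


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the D: (DACL) section of an SDDL string."""
    match = DACL_RE.search(sddl)
    if not match:
        raise ValueError("no D: section in SDDL string")
    aces = []
    for body in ACE_RE.findall(match.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE '{body}' does not have 6 fields")
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields
        aces.append(Ace(ace_type, flags, parse_rights(rights),
                        SID_ABBREVIATIONS.get(trustee, trustee)))
    return aces


def check_proposed_acl(sddl: str) -> List[str]:
    """Problems to catch before staging: an unresolvable trustee or an odd ACE type."""
    problems = []
    for n, ace in enumerate(parse_dacl(sddl), start=1):
        if ace.trustee not in SID_ABBREVIATIONS.values() and not SID_RE.match(ace.trustee):
            problems.append(f"ACE {n}: trustee '{ace.trustee}' is not a valid SID; "
                            "substitute the SID of the intended group")
        if ace.ace_type not in ("A", "D"):
            problems.append(f"ACE {n}: unexpected ACE type '{ace.ace_type}'")
    return problems


if __name__ == "__main__":
    for n, ace in enumerate(parse_dacl(SAMPLE_PROPOSED_ACL), start=1):
        print(f"ACE {n}: {ace.ace_type} {ace.permission_level:<17} {ace.trustee}")
    for problem in check_proposed_acl(SAMPLE_PROPOSED_ACL):
        print("PROBLEM:", problem)
```

Run against the sample, the script reports the two Full control entries for Administrators and SYSTEM, the Modify (0x1301bf) entry, and one problem for the third trustee.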
In the next procedure, you verify the results of the staging policy. You access the shared folder with a user name
that has permissions based on the current rule. Esther Valle (EValle) is a member of FinanceException, and she
currently has Read rights. According to our staging policy, EValle should not have any rights.
To verify the results of the staging policy
1. Connect to the file server FILE1 in Hyper-V Manager and log on as contoso\administrator, with the password pass@word1.
2. Open a Command Prompt window and type gpupdate /force. This ensures that your Group Policy changes take effect on your server.
3. In Hyper-V Manager, connect to server CLIENT1. Log off the user who is currently logged on. Restart the virtual machine, CLIENT1. Then log on to the computer by using contoso\EValle with the password pass@word1.
4. Double-click the desktop shortcut to \\FILE1\Finance Documents. EValle should still have access to the files. Switch back to FILE1.
5. Open Event Viewer from the shortcut on the desktop. Expand Windows Logs, and then select Security. Open the entries with Event ID 4818 under the Central Access Policy Staging task category. You will see that EValle was allowed access; however, according to the staging policy, the user would have been denied access.
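As an added example (not code from the documentation), the following Python reproduces the decision logic that the Central access policies section describes (a CAP narrows the DACL but never widens it; a rule consists of targeting, access conditions and an exception entry), the Finance Documents Rule as built above, the effective-access results expected for the four test users, and the staging comparison that event ID 4818 records. Departments and countries the text does not give for a user are assumed.

```python
"""Model of the Finance Documents Rule: targeting, access conditions, the
exception entry, how a central access policy (CAP) narrows the share/NTFS
DACL, and what a staged (proposed) rule would change.

Added example, not code from the Windows Server documentation. Windows
evaluates real claims through Kerberos and the authorization engine; this
only reproduces the decision logic. Users and attribute values are
constructed test data.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple

# Permission sets as labelled in the Advanced Security Settings dialog.
READ: FrozenSet[str] = frozenset({"Read", "Read and Execute"})
MODIFY: FrozenSet[str] = READ | frozenset({"Write", "Modify"})
FULL_CONTROL: FrozenSet[str] = MODIFY | frozenset({"Full control"})
NO_ACCESS: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    department: str                       # User.department claim
    country: str                          # User.country claim
    groups: FrozenSet[str] = frozenset()  # group memberships, by name here

    def member_of(self, group: str) -> bool:
        return group in self.groups


@dataclass(frozen=True)
class Resource:
    department: str                       # Resource.Department property
    country: str                          # Resource.Country property


# A central access rule: (targeting condition, evaluator of its access entries).
Rule = Tuple[Callable[[Resource], bool], Callable[[User, Resource], FrozenSet[str]]]


def finance_targeting(res: Resource) -> bool:
    """Targeting: Resource.Department Contains Finance."""
    return res.department == "Finance"


def finance_current_access(user: User, res: Resource) -> FrozenSet[str]:
    """Access entries as created in the walkthrough (the FinanceAdmin entry is
    given Modify there; the rule summary lists it as Full control)."""
    granted = set()
    # Allow Read: User.Country=Resource.Country AND User.department=Resource.Department
    if user.country == res.country and user.department == res.department:
        granted |= READ
    # Allow Modify: User.MemberOf(FinanceAdmin)
    if user.member_of("FinanceAdmin"):
        granted |= MODIFY
    # Allow Read: User.MemberOf(FinanceException), the exception entry
    if user.member_of("FinanceException"):
        granted |= READ
    return frozenset(granted)


def finance_proposed_access(user: User, res: Resource) -> FrozenSet[str]:
    """Staged ACL from the Set-ADCentralAccessRule example: only the
    FinanceAdmin group keeps Modify (0x1301bf); the Administrators and
    SYSTEM entries are not modelled."""
    return MODIFY if user.member_of("FinanceAdmin") else NO_ACCESS


FINANCE_CURRENT: Rule = (finance_targeting, finance_current_access)
FINANCE_PROPOSED: Rule = (finance_targeting, finance_proposed_access)


def effective_access(user: User, res: Resource, dacl: FrozenSet[str],
                     rule: Rule) -> FrozenSet[str]:
    """A CAP narrows but never widens the DACL: the user gets only what both
    the DACL and an applicable rule allow. A rule whose targeting does not
    match the resource imposes no restriction."""
    applies, access = rule
    if not applies(res):
        return frozenset(dacl)
    return frozenset(dacl) & access(user, res)


def staging_would_change(user: User, res: Resource, dacl: FrozenSet[str],
                         current: Rule, proposed: Rule) -> bool:
    """True when the proposed rule would decide differently from the enforced
    one; Windows records this case as event ID 4818 (Central Access Policy
    Staging) while still applying the current rule."""
    return (effective_access(user, res, dacl, current)
            != effective_access(user, res, dacl, proposed))


# Constructed test data: the Finance Documents folder is classified
# Country=US, Department=Finance, and share/NTFS grant everyone Full control.
# Departments and countries of the non-Finance users are assumed.
FINANCE_DOCS = Resource(department="Finance", country="US")
EVERYONE_FULL = FULL_CONTROL
MDELESALLE = User("MDelesalle", "Finance", "US")
MREID = User("MReid", "Finance", "US", frozenset({"FinanceAdmin"}))
EVALLE = User("EValle", "Sales", "US", frozenset({"FinanceException"}))
MWENZEL = User("MWenzel", "Sales", "US")
```

With these inputs MDelesalle and EValle get Read, MReid gets Modify, MWenzel gets nothing, and only EValle and MDelesalle would be decided differently by the staged rule, which is what the 4818 events for EValle show.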
Next Steps
If you have a central server management system such as System Center Operations Manager, you can also configure monitoring for these events. This allows administrators to monitor the effects of central access policies before enforcing them.
Scenario: File Access Auditing
3/5/2021 • 3 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Security Auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key
goals of security audits is regulatory compliance. Industry standards such as Sarbanes Oxley, Health Insurance
Portability and Accountability Act (HIPAA), and Payment Card Industry (PCI) require enterprises to follow a strict
set of rules related to data security and privacy. Security audits help establish the presence of such policies and
prove compliance with these standards. Additionally, security audits help detect anomalous behavior, identify
and mitigate gaps in security policies, and deter irresponsible behavior by creating a trail of user activity that can
be used for forensic analysis.
Audit policy requirements are typically driven at the following levels:
Information security. File access audit trails are often used for forensic analysis and intrusion detection.
Being able to get targeted events about access to high-value information lets organizations considerably
improve their response time and investigation accuracy.
Organizational policy. For example, organizations regulated by PCI standards could have a central
policy to monitor access to all files that are marked as containing credit card information and personally
identifiable information (PII).
Departmental policy. For example, the finance department may require that the ability to modify
certain finance documents (such as a quarterly earnings report) be restricted to the finance department,
and thus the department would want to monitor all other attempts to change these documents.
Business policy. For example, business owners may want to monitor all unauthorized attempts to view
data that belongs to their projects.
Additionally, the compliance department may want to monitor all changes to central authorization policies and
policy constructs such as user, computer, and resource attributes.
One of the biggest considerations of security audits is the cost of collecting, storing, and analyzing audit events.
If the audit policies are too broad, the volume of audit events collected rises, and this increases costs. If the audit
policies are too narrow, you risk missing important events.
With Windows Server 2012, you can author audit policies by using claims and resource properties. This leads
to richer, more targeted, and easier-to-manage audit policies. It enables scenarios that, until now, were
impossible or too difficult to perform. The following are examples of audit policies that administrators can
author:
Audit everyone who does not have a high-security clearance and tries to access an HBI document. For
example, Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND
User.SecurityClearance!=High.
Audit all vendors when they try to access documents that are related to projects that they are not
working on. For example, Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND
User.Project Not_AnyOf Resource.Project.
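The two policies above are written in the page's shorthand (Audit | principal | access | expression). On a file server the same thing is a conditional audit ACE in the folder's SACL. The following is an added example, not code from the Microsoft page: it writes such an ACE for the first policy using SDDL. It assumes the page's resource property Impact_MS with value 3000 for high business impact (the classification rule later on the page uses those values); the user claim type SecurityClearance with value "High" is hypothetical and must match a claim type defined in AD DS. Writing a SACL requires SeSecurityPrivilege, so run it elevated on the file server.

```powershell
# Added example (not from the Microsoft page): apply an expression-based audit
# policy to one folder by placing a conditional audit ACE (SDDL type "XU") in
# the folder's SACL, equivalent to the page's
#   Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High
# ASSUMPTIONS: resource property Impact_MS == 3000 means high business impact;
# the claim type ID "SecurityClearance" is hypothetical.

param(
    [string]$Folder = 'D:\Finance Documents'   # constructed sample path
)

# 1. A SACL entry only produces events when the File System subcategory is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Conditional audit ACE in SDDL:
#    XU       = SYSTEM_AUDIT_CALLBACK (conditional audit) ACE type
#    OICI     = inherit to child folders and files
#    SAFA     = audit both successful and failed access
#    0x1f01ff = FILE_ALL_ACCESS ("All-Access" in the page's notation)
#    WD       = Everyone
#    (...)    = the expression evaluated against resource and user claims
$condition = '(@Resource.Impact_MS == 3000 && @User.SecurityClearance != "High")'
$auditSddl = "S:(XU;OICISAFA;0x1f01ff;;;WD;$condition)"

function Set-ConditionalAuditRule {
    param([string]$Path, [string]$Sddl)
    # -Audit makes Get-Acl return the SACL section as well as the DACL.
    $acl = Get-Acl -Path $Path -Audit
    # Replace only the Audit section; DACL and owner are left untouched.
    $acl.SetSecurityDescriptorSddlForm($Sddl,
        [System.Security.AccessControl.AccessControlSections]::Audit)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AuditSddl {
    # Read back just the SACL so the conditional ACE can be inspected.
    param([string]$Path)
    (Get-Acl -Path $Path -Audit).GetSecurityDescriptorSddlForm(
        [System.Security.AccessControl.AccessControlSections]::Audit)
}

Set-ConditionalAuditRule -Path $Folder -Sddl $auditSddl
Get-AuditSddl -Path $Folder
```

The returned SDDL should contain the XU entry with the expression; the folder then produces 4663 events only for principals whose SecurityClearance claim is not High touching files classified Impact_MS = 3000, which is how the page's claim-aware policies keep event volume down. Centrally managed equivalents are set through Global Object Access Auditing in Group Policy, as the page describes.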
These policies help regulate the volume of audit events and limit them to only the most relevant data or users.
After administrators have created and applied the audit policies, the next consideration for them is gleaning
meaningful information from the audit events that they collected. Expression-based audit events help reduce the
volume of audits. However, users need a way to query these events for meaningful information and ask
questions such as, "Who is accessing my HBI data?" or "Was there an unauthorized attempt to access sensitive
data?"
Windows Server 2012 enhances existing data access events with user, computer, and resource claims. These
events are generated on a per-server basis. To provide a full view of events across the organization, Microsoft is
working with partners to provide event collection and analysis tools, such as the Audit Collection Services in
System Center Operations Manager.
Figure 4 shows an overview of a central audit policy.
In this scenario
The following topics provide additional guidance for this scenario:
Plan for File Access Auditing
Deploy Security Auditing with Central Audit Policies (Demonstration Steps)
Active Directory Domain Services role: AD DS in Windows Server 2012 introduces a claims-based
authorization platform that enables creating user claims and device claims, compound identity (user plus
device claims), a new central access policies (CAP) model, and the use of file classification information in
authorization decisions.
File and Storage Services role: File servers in Windows Server 2012 provide a user interface where
administrators can view the effective permissions for users for a file or folder, troubleshoot access issues,
and grant access as required.
Plan for File Access Auditing
6/17/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The information in this topic explains the security auditing enhancements that are introduced in Windows
Server 2012 and new audit settings that you should consider as you deploy Dynamic Access Control in your
enterprise. The actual audit policy settings that you deploy will depend on your goals, which can include
regulatory compliance, monitoring, forensic analysis, and troubleshooting.
NOTE
Detailed information about how to plan and deploy an overall security auditing strategy for your enterprise is explained in
Planning and Deploying Advanced Security Audit Policies. For more information about configuring and deploying a
security audit policy, see the Advanced Security Audit Policy Step-by-Step Guide.
The following security auditing capabilities in Windows Server 2012 can be used with Dynamic Access Control
to extend your overall security auditing strategy.
Expression-based audit policies . Dynamic Access Control enables you to create targeted audit
policies by using expressions based on user, computer, and resource claims. For example, you could
create an audit policy to track all Read and Write operations on files classified as high-business impact by
employees who do not have a high-security clearance. Expression-based audit policies can be authored
directly for a file or folder or centrally through Group Policy. For more information, see Group Policy
using Global Object Access Auditing.
Additional information from object access auditing. File access auditing is not new to Windows
Server 2012. With the right audit policy in place, the Windows and Windows Server operating systems
generate an audit event each time a user accesses a file. Existing File Access events (4656, 4663) contain
information about the attributes of the file that was accessed. This information can be used by event log
filtering tools to help you identify the most relevant audit events. For more information, see Audit Handle
Manipulation and Audit Security Accounts Manager.
More information from user logon events . With the right audit policy in place, Windows operating
systems generate an audit event every time a user signs in to a computer locally or remotely. In Windows
Server 2012 or Windows 8, you can also monitor user and device claims associated with a user's security
token. Examples can include Department, Company, Project, and Security clearances. Event 4626 contains
information about these user claims and device claims, which can be leveraged by audit log management
tools to correlate user logon events with object access events to enable event filtering based on file
attributes and user attributes. For more information about user logon auditing, see Audit Logon.
Change tracking for new types of securable objects . Tracking changes to securable objects can be
important in the following scenarios:
Change tracking for central access policies and central access rules . Central access
policies and central access rules define the central policy that can be used to control access to
critical resources. Any change to these can directly impact the file access permissions that are
granted to users on multiple computers. Therefore, tracking changes to central access policies and
central access rules can be important for your organization. Because central access policies and
central access rules are stored in Active Directory Domain Services (AD DS), you can audit
attempts to modify them, like auditing changes to any other securable object in AD DS. For more
information, see Audit Directory Service Access.
Change tracking for definitions in the claim dictionary. Claim definitions include the claim
name, description, and possible values. Any change to the claim definition can impact the access
permissions on critical resources. Therefore, tracking changes to claim definitions can be
important to your organization. Like central access policies and central access rules, claim
definitions are stored in AD DS; therefore, they can be audited like any another securable object in
AD DS. For more information, see Audit Directory Service Access.
Change tracking for file attributes . File attributes determine which central access rule applies
to the file. A change to the file attributes can potentially impact the access restrictions on the file.
Therefore, it can be important to track changes to file attributes. You can track changes to file
attributes on any computer by configuring the authorization policy change auditing policy. For
more information, see Authorization Policy Change auditing and Object Access auditing for File
Systems. In Windows Server 2012, Event 4911 differentiates file attribute policy changes from
other authorization policy change events.
Change tracking for the central access policy associated with a file. Event 4913 displays
the security identifiers (SIDs) of the old and new central access policies. Each central access policy
also has a user friendly name that can be looked up using this security identifier. For more
information, see Authorization Policy Change auditing.
Change tracking for user and computer attributes . Like files, user and computer objects can
have attributes, and changes to these attributes can impact the user's ability to access files.
Therefore, it can be valuable to track changes to user or computer attributes. User and computer
objects are stored in AD DS; therefore, changes to their attributes can be audited. For more
information, see DS Access.
Policy change staging . Changes to central access policies can impact the access control decisions on all
computers where the policies are enforced. A loose policy could grant more access than desired, and an
overly restrictive policy could generate an excessive number of Help Desk calls. As a result, it can be
extremely valuable to verify changes to a central access policy before enforcing the change. For that
purpose, Windows Server 2012 introduces the concept of "staging." Staging enables users to verify their
proposed policy changes before enforcing them. To use policy staging, proposed policies are deployed
with the enforced policies, but staged policies do not actually grant or deny permissions. Instead,
Windows Server 2012 logs an audit event (4818) any time the result of the access check that uses the
staged policy is different from the result of an access check that uses the enforced policy.
Deploy Security Auditing with Central Audit Policies
(Demonstration Steps)
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
In this scenario, you will audit access to files in the Finance Documents folder by using the Finance Policy that
you created in Deploy a Central Access Policy (Demonstration Steps). If a user who is not authorized to access
the folder attempts to access it, the activity is captured in the event viewer. The following steps are required to
test this scenario.
Configure Global Object Access: In this step, you configure the global object access policy on the domain
controller.
Update Group Policy Settings: Sign in to the file server and apply the Group Policy update.
Verify that the global object access policy has been applied: View the relevant events in the event viewer.
The events should include metadata for the country and document type.
NOTE
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then
click Yes .
Verify that the global object access policy has been applied
After the Group Policy settings have been applied, you can verify that the audit policy settings were applied
correctly.
To verify that the global object access policy has been applied
1. Sign in to the client computer, CLIENT1, as Contoso\MReid. Browse to the folder
\\FILE1\Finance Documents, and modify Word Document 2.
2. Sign in to the file server, FILE1 as contoso\administrator. Open Event Viewer, browse to Windows Logs ,
select Security , and confirm that your activities resulted in audit events 4656 and 4663 (even though
you did not set explicit auditing SACLs on the files or folders that you created, modified, and deleted).
IMPORTANT
A new logon event is generated on the computer where the resource is located, on behalf of the user for whom effective
access is being checked. When analyzing security audit logs for user sign-in activity, to differentiate between logon events
that are generated because of effective access and those generated because of an interactive network user sign in, the
Impersonation Level information is included. When the logon event is generated because of effective access, the
Impersonation Level will be Identity. A network interactive user sign in typically generates a logon event with the
Impersonation Level = Impersonation or Delegation.
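Opening Event Viewer confirms that the events exist, but sorting them by who touched which classified file is easier from PowerShell. The following is an added example, not code from the Microsoft page: it reads the Security log on the file server and turns three event types the page relies on into objects: the 4656/4663 object access events from the verification step above, the 4818 staging events from the central access policy staging procedure earlier on the page, and the 4624 logon events whose Impersonation Level is Identity, as described in the note above. Run it elevated on FILE1. The EventData field names it reads (SubjectUserName, SubjectDomainName, ObjectName, AccessMask, ResourceAttributes, TargetUserName) are the ones Windows uses for these events; if a column comes back empty, compare against `(Get-WinEvent ...)[0].ToXml()` on one of your own events.

```powershell
# Added example (not from the Microsoft page): query and shape the audit events
# this scenario produces. Assumes an elevated session on the file server.

function ConvertFrom-EventData {
    # Flatten the <EventData> section of one event into a Name -> value table.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-FileAccessAudit {
    # 4656 = handle to an object requested, 4663 = an attempt was made to access
    # an object. ResourceAttributes carries the file's classification, so the
    # output can be narrowed to files tagged with a given property (e.g. Impact_MS).
    param([string]$PropertyName, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time               = $_.TimeCreated
                Id                 = $_.Id
                User               = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object             = $d['ObjectName']
                AccessMask         = $d['AccessMask']
                ResourceAttributes = $d['ResourceAttributes']
            }
        } |
        Where-Object { -not $PropertyName -or $_.ResourceAttributes -like "*$PropertyName*" }
}

function Get-StagingDivergence {
    # 4818 = the proposed (staged) central access policy gave a different result
    # than the enforced one. Grouping by user and object shows who would gain or
    # lose access if the staged policy were enforced.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object = $d['ObjectName']
            }
        } |
        Group-Object User, Object |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

function Get-EffectiveAccessLogons {
    # 4624 logons created by an effective-access check carry
    # "Impersonation Level: Identity"; real sign-ins show Impersonation or
    # Delegation. The rendered message is matched so that the numeric resource
    # IDs behind those words do not have to be known.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Impersonation Level:\s+Identity' } |
        Select-Object TimeCreated,
            @{ n = 'User'; e = { (ConvertFrom-EventData $_)['TargetUserName'] } }
}

Get-FileAccessAudit -PropertyName 'Impact_MS' | Format-Table -AutoSize
Get-StagingDivergence                         | Format-Table -AutoSize
Get-EffectiveAccessLogons                     | Format-Table -AutoSize
```

Filtering on ResourceAttributes is what makes claim-aware auditing pay off: the same 4663 event that existed before Windows Server 2012 now says which classification the file had at access time, so "who is accessing my HBI data?" becomes a one-line query rather than a path match. The effective-access filter is the practical form of the note above: exclude those Identity-level logons before counting sign-ins, or they inflate the numbers whenever an administrator uses the Effective Access tab.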
See also
Scenario: File Access Auditing
Plan for File Access Auditing
Dynamic Access Control: Scenario Overview
Scenario: Access-Denied Assistance
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Users will get an access-denied message when they try to access shared files and folders on a file server for
which they do not have permissions. Administrators often do not have the appropriate context to troubleshoot
the access issue, which makes it hard to resolve the issue.
Scenario description
Access-denied assistance is a new feature in Windows Server 2012, which provides the following ways to
troubleshoot issues that are related to access to files and folders:
Self-assistance. If a user can determine the issue and remediate the problem so that they can get the
requested access, the impact to the business is low, and no special exceptions are needed in the central
access policy. Access-denied assistance provides an access-denied message that file server administrators
can customize with information specific to their organizations. For example, an administrator could set
the message so that users can request access from a data owner without involving the file server
administrator.
Assistance by the data owner. You can define a distribution list for shared folders, and configure it so
that the folder owner receives an email notification when a user needs access. If the data owner does not
know how to help the user get access, the owner can forward this information to the file server
administrator.
Assistance by the file server administrator. This type of assistance is available when the user cannot
fix an issue and the data owner cannot help. Windows Server 2012 provides a user interface where file
server administrators can view the effective permissions for a user on a file or folder so that it is easier to
troubleshoot access issues.
Access-denied assistance in Windows Server 2012 provides file server administrators the relevant access details
so that they can determine the issue and appropriate tools so that they can make configuration changes to
satisfy the access request. For example, a user might follow this process to access a file that they currently do
not have access to:
The user attempts to read a file in the \\financeshares shared folder, but the server displays an access-
denied message.
Windows Server 2012 displays the access-denied assistance information to the user with an option to
request assistance.
If the user requests access to the resource, the server sends an email with the access request information
to the folder owner.
You can find planning information for configuring access-denied assistance in Plan for Access-Denied
Assistance.
You can find steps about configuring access-denied assistance in Deploy Access-Denied Assistance
(Demonstration Steps).
In this scenario
This scenario is part of the Dynamic Access Control scenario. For additional information about Dynamic Access
Control, see:
Dynamic Access Control: Scenario Overview
Practical applications
Access-denied assistance in Windows Server 2012 contributes to Dynamic Access Control by giving users the
ability to request access to shared files and folders directly from an access-denied message.
File Server Resource Manager Overview: Access-denied assistance can be configured by using the File
Server Resource Manager console on the file server.
File and Storage Services Overview: File Server Resource Manager is a File and Storage Services role
service, and it is composed of a set of features that can be used to administer the file servers on your
network.
Deploy Access-Denied Assistance (Demonstration
Steps)
6/17/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains how to configure access-denied assistance, and verify that it is working properly.
In this document
Step 1: Configure access-denied assistance
Step 2: Configure the email notification settings
Step 3: Verify that access-denied assistance is configured correctly
NOTE
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described.
For more information, see Using Cmdlets.
Alternatively, you can configure access-denied assistance individually on each file server by using the File Server
Resource Manager console.
Do this step using Windows PowerShell
To configure access-denied assistance by using File Server Resource Manager
1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server
Resource Manager.
2. Right-click File Server Resource Manager (Local), and then click Configure Options.
3. Click the Access-Denied Assistance tab.
4. Select the Enable access-denied assistance check box.
5. In the Display the following message to users who are denied access to a folder or file box,
type a message that users will see when they are denied access to a file or folder.
You can add macros to the message that will insert customized text. The macros include:
[Original File Path] The original file path that was accessed by the user.
[Original File Path Folder] The parent folder of the original file path that was accessed by the
user.
[Admin Email] The administrator email recipient list.
[Data Owner Email] The data owner email recipient list.
6. Click Configure email requests , select the Enable users to request assistance check box, and then
click OK .
7. Click Preview if you want to see how the error message will look to the user.
8. Click OK .
Set-FSRMAdrSetting -Event "AccessDenied" `
    -DisplayMessage "Type the text that the user will see in the error message dialog box." `
    -Enabled:$true -AllowRequests:$true
After you configure the access-denied assistance, you must enable it for all file types by using Group Policy.
Do this step using Windows PowerShell
To configure access-denied assistance for all file types by using Group Policy
1. Open Group Policy Management. In Server Manager, click Tools , and then click Group Policy
Management .
2. Right-click the appropriate Group Policy, and then click Edit .
3. Click Computer Configuration , click Policies , click Administrative Templates , click System , and
then click Access-Denied Assistance .
4. Right-click Enable access-denied assistance on client for all file types , and then click Edit .
5. Click Enabled , and then click OK .
You can also specify a separate access-denied message for each shared folder on a file server by using the File
Server Resource Manager console.
Do this step using Windows PowerShell
To specify a separate access-denied message for a shared folder by using File Server Resource Manager
1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server
Resource Manager.
2. Expand File Server Resource Manager (Local), and then click Classification Management.
3. Right-click Classification Properties, and then click Set Folder Management Properties.
4. In the Property box, click Access-Denied Assistance Message, and then click Add.
5. Click Browse , and then choose the folder that should have the custom access-denied message.
6. In the Value box, type the message that should be presented to the users when they cannot access a
resource within that folder.
You can add macros to the message that will insert customized text. The macros include:
[Original File Path] The original file path that was accessed by the user.
[Original File Path Folder] The parent folder of the original file path that was accessed by the
user.
[Admin Email] The administrator email recipient list.
[Data Owner Email] The data owner email recipient list.
7. Click OK , and then click Close .
Set-FSRMMgmtProperty -Namespace "folder path" -Name "AccessDeniedMessage_MS" `
    -Value "Type the text that the user will see in the error message dialog box."
IMPORTANT
If you want to verify access-denied assistance by having a user who is running Windows Server 2012, you must install
the Desktop Experience before connecting to the file share.
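The two cmdlets on this page each configure one setting; on a server with several shares it is worth setting the folder messages from a table and then reading everything back, so the result is checked rather than assumed. The following is an added example, not code from the Microsoft page. It uses the page's Set-FsrmAdrSetting and Set-FsrmMgmtProperty together with their Get- counterparts from the FileServerResourceManager module; the folder paths and message texts are constructed for the example, and the management property name AccessDeniedMessage_MS is the one the page uses.

```powershell
# Added example (not from the Microsoft page): configure access-denied
# assistance for several shares and verify the effective settings.
Import-Module FileServerResourceManager

# Constructed sample: folder -> message. FSRM expands the macros when the
# message is shown to the user.
$folderMessages = @{
    'D:\Finance Documents' = 'Access to Finance documents is approved by the Finance data owners. ' +
                             'Click Request assistance to send a request to [Data Owner Email].'
    'D:\Projects'          = 'Project folders are owned by the project lead. Requests go to [Data Owner Email]; ' +
                             'contact [Admin Email] only if the owner cannot help.'
}

function Set-FolderAccessDeniedMessages {
    # Per-folder message (same cmdlet and property name as the page).
    param([hashtable]$Messages)
    foreach ($folder in $Messages.Keys) {
        Set-FsrmMgmtProperty -Namespace $folder -Name 'AccessDeniedMessage_MS' -Value $Messages[$folder]
    }
}

function Test-AccessDeniedAssistanceConfig {
    # One object per folder: is the feature on, can users send requests, and
    # which message (folder-specific or server default) they will actually see.
    param([string[]]$Folders)
    $serverSetting = Get-FsrmAdrSetting -Event AccessDenied
    foreach ($folder in $Folders) {
        $prop = Get-FsrmMgmtProperty -Namespace $folder -Name 'AccessDeniedMessage_MS' `
                    -ErrorAction SilentlyContinue
        if ($prop) { $message = $prop.Value } else { $message = $serverSetting.DisplayMessage }
        [pscustomobject]@{
            Folder          = $folder
            AdrEnabled      = $serverSetting.Enabled
            RequestsAllowed = $serverSetting.AllowRequests
            CustomMessage   = [bool]$prop
            Message         = $message
        }
    }
}

# Server-wide switch first (as on the page), then the folder-level messages.
Set-FsrmAdrSetting -Event AccessDenied -Enabled:$true -AllowRequests:$true `
    -DisplayMessage 'You do not have access to this file. Use Request assistance to contact the data owner.'
Set-FolderAccessDeniedMessages -Messages $folderMessages
Test-AccessDeniedAssistanceConfig -Folders @($folderMessages.Keys) | Format-List
```

A folder that reports CustomMessage = False falls back to the server-wide text, which is usually fine for general shares but not for folders whose data owner differs from the server administrator; those are the ones the page's "Assistance by the data owner" path is meant for. Remember that the Group Policy step above (enabling assistance on the client for all file types) is still required for clients to show the message.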
See also
Scenario: Access-Denied Assistance
Plan for Access-Denied Assistance
Dynamic Access Control: Scenario Overview
Scenario: Classification-Based Encryption for Office
Documents
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Protection of sensitive information is mainly about mitigating risk for the organization. Various compliance
regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry
Data Security Standard (PCI-DSS), dictate encryption of information, and there are numerous business reasons
to encrypt sensitive business information. However, encrypting information is expensive, and it might impair
business productivity. Thus, organizations tend to have different approaches and priorities for encrypting their
information.
Scenario description
Windows Server 2012 provides the ability to automatically encrypt sensitive Microsoft Office files, based on
their classification. This is done through file management tasks that invoke Active Directory Rights Management
Services (AD RMS) protection for sensitive documents a few seconds after the file is identified as being a
sensitive file on the file server. This is facilitated by continuous file management tasks on the file server.
AD RMS encryption provides another layer of protection for files. Even if a person with access to a sensitive file
inadvertently sends that file through email, the file is protected by the AD RMS encryption. Users who want to
access the file must first authenticate themselves to an AD RMS server to receive the decryption key. The
following figure shows this process.
In this scenario
Following is the guidance that is available for this scenario:
Planning Considerations for Encryption of Office Documents
Deploy Encryption of Office Files (Demonstration Steps)
Dynamic Access Control: Scenario Overview
Active Directory Domain Services role (AD DS): AD DS provides a distributed database that stores and
manages information about network resources and application-specific data from directory-enabled
applications. In this scenario, AD DS in Windows Server 2012 introduces a claims-based authorization
platform that enables the creation of user claims and device claims, compound identity (user plus device
claims), a new central access policies model, and the use of file-classification information in authorization
decisions.
File and Storage Services role, File Server Resource Manager: File and Storage Services provides
technologies to help you set up and manage one or more file servers that provide central locations on your
network where you can store files and share them with users. If your network users need access to the
same files and applications, or if centralized backup and file management are important to your
organization, you should set up one or more computers as a file server by adding the File and Storage
Services role and the appropriate role services to the computers. In this scenario, file server administrators
can configure file management tasks that invoke AD RMS protection for sensitive documents a few seconds
after the file is identified as being a sensitive file on the file server (continuous file management tasks on
the file server).
Active Directory Rights Management Services (AD RMS) role: AD RMS enables individuals and
administrators (through Information Rights Management (IRM) policies) to specify access permissions to
documents, workbooks, and presentations. This helps prevent sensitive information from being printed,
forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM,
the access and usage restrictions are enforced no matter where the information is, because the permission
to a file is stored in the document file itself. In this scenario, AD RMS encryption provides another layer of
protection for files. Even if a person with access to a sensitive file inadvertently sends that file through
email, the file is protected by the AD RMS encryption. Users who want to access the file must first
authenticate themselves to an AD RMS server to receive the decryption key.
Deploy Encryption of Office Files (Demonstration
Steps)
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Contoso's Finance Department has a number of file servers that store their documents. These documents can be
general documentation or they can have a high-business impact (HBI). For example, any document that contains
confidential information is deemed, by Contoso, to have a high-business impact. Contoso wants to ensure that
all their documentation has a minimum amount of protection and that their HBI documentation is restricted to
the appropriate people. To accomplish this, Contoso is exploring using the File Classification Infrastructure (FCI)
and AD RMS that is available in Windows Server 2012. By using FCI, Contoso will classify all of the documents
on their file server, based on the content, and then use AD RMS to apply the appropriate rights policy.
In this scenario, you'll perform the following steps:
Create classification rules: Create the following classification rules: HBI Classification Rule and PII
Classification Rule.
Use file management tasks to automatically protect documents with AD RMS: Create a file management
task that automatically uses AD RMS to protect documents with high personally identifiable information
(PII). Only members of the FinanceAdmin group will have access to documents that contain high PII.
View the results: Examine the classification of documents and observe how they change as you change
the content in the document. Also verify how the document gets protected by AD RMS.
Verify AD RMS protection: Verify that the document is protected with AD RMS.
Update-FSRMClassificationPropertyDefinition
$date = Get-Date
$AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @(3, 2, 4, 5, 1, 6, 0) -RunDuration 0
Set-FsrmClassification -Continuous -Schedule $AutomaticClassificationScheduledTask
New-FSRMClassificationRule -Name "High Business Impact" -Property "Impact_MS" `
    -Description "Determines if the document has a high business impact based on the presence of the string 'Contoso Confidential'" `
    -PropertyValue "3000" -Namespace @("D:\Finance Documents") -ClassificationMechanism "Content Classifier" `
    -Parameters @("StringEx=Min=1;Expr=Contoso Confidential") -ReevaluateProperty Overwrite
NOTE
This expression will allow invalid Social Security numbers. This allows us to use fictitious Social Security numbers in
the demonstration.
12. Click the Evaluation Type tab. Select Re-evaluate existing property values, Overwrite the existing
value, and then click OK to finish.
New-FSRMClassificationRule -Name "High PII" `
    -Description "Determines if the document has a high PII based on the presence of a Social Security Number." `
    -Property "PII_MS" -PropertyValue "5000" -Namespace @("D:\Finance Documents") `
    -ClassificationMechanism "Content Classifier" `
    -Parameters @("RegularExpressionEx=Min=1;Expr=^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$") `
    -ReevaluateProperty Overwrite
NOTE
You may need to wait 30 seconds for the classification to occur.
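The task table at the start of this topic also calls for a file management task that applies AD RMS protection to files the "High PII" rule has tagged with PII_MS = 5000. The following is an added example of that step, not code from the Microsoft page, using the FSRM file management job cmdlets. It assumes the same D:\Finance Documents namespace as the rules above, that the file server is already registered with the AD RMS cluster, and an AD RMS rights policy template whose name is a placeholder here; per the table, that template should grant rights to the FinanceAdmin group only.

```powershell
# Added example (not from the Microsoft page): continuous file management task
# that RMS-protects every file classified as high PII.
Import-Module FileServerResourceManager

$namespace    = 'D:\Finance Documents'                            # same folder as the rules above
$templateName = '<AD RMS template granting FinanceAdmin only>'    # placeholder, must exist in AD RMS

function New-RmsProtectionTask {
    param([string]$Namespace, [string]$RmsTemplate)

    # Condition: only files the classifier marked as high PII (PII_MS = 5000).
    $condition = New-FsrmFmjCondition -Property 'PII_MS' -Condition Equal -Value '5000'
    # Action: apply the AD RMS rights policy template to the file.
    $action    = New-FsrmFmjAction -Type Rms -RmsTemplate $RmsTemplate
    # A schedule is still required; -Continuous additionally runs the action a
    # few seconds after a file's classification changes, which is the behaviour
    # the scenario description relies on.
    $schedule  = New-FsrmScheduledTask -Time (Get-Date) -Weekly @(0, 1, 2, 3, 4, 5, 6) -RunDuration 0

    New-FsrmFileManagementJob -Name 'Protect documents with PII' `
        -Namespace @($Namespace) -Condition @($condition) -Action $action `
        -Schedule $schedule -Continuous
}

function Test-RmsProtectionTask {
    # Read the job back and confirm it is continuous, applies RMS, and targets PII_MS = 5000.
    param([string]$Name = 'Protect documents with PII')
    $job = Get-FsrmFileManagementJob -Name $Name
    [pscustomobject]@{
        Name       = $job.Name
        Continuous = $job.Continuous
        ActionType = $job.Action.Type
        Conditions = ($job.Condition | ForEach-Object { "$($_.Property) $($_.Condition) $($_.Value)" }) -join '; '
    }
}

New-RmsProtectionTask -Namespace $namespace -RmsTemplate $templateName
Test-RmsProtectionTask
```

Because classification runs first (Set-FsrmClassification -Continuous above) and the job is conditioned on the property the classifier sets, there is a short window between a file gaining an SSN and it being protected; the note about waiting roughly 30 seconds applies to the protection step as well as to classification.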
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Reliance on data and storage resources has continued to grow in importance for most organizations. IT
administrators face the growing challenge of overseeing larger and more complex storage infrastructures, while
simultaneously being tasked with the responsibility to ensure that total cost-of-ownership is maintained at
reasonable levels. Managing storage resources is not only about the volume or availability of data; it is also
about enforcing company policies and knowing how storage is consumed to enable efficient utilization and
compliance to mitigate risk. File Classification Infrastructure provides insight into your data by automating
classification processes so that you can manage your data more effectively. The following classification methods
are available with File Classification Infrastructure: manual, programmatic, and automatic. This topic focuses on
the automatic file classification method.
Scenario description
File Classification Infrastructure uses classification rules to automatically scan files and classify them according
to the contents of the file. Classification properties are defined centrally in Active Directory so that these
definitions can be shared across file servers in the organization. You can create classification rules that scan files
for a standard string or for a string that matches a pattern (regular expression). When a configured classification
parameter is found in a file, that file is classified as configured in the classification rule. Some examples of
classification rules include:
Classify any file that contains the string "Contoso Confidential" as having high business impact
Classify any file that contains at least 10 social security numbers as having personally identifiable
information
When a file is classified, you can use a file management task to take action on any files that are classified a
specific way. The actions in a file management task include protecting the rights associated with the file, expiring
the file, and running a custom action (such as posting information to a web service).
You can find planning information for configuring automatic file classification in Plan for Automatic File
Classification.
You can find steps for how to automatically classify files in Deploy Automatic File Classification (Demonstration
Steps).
In this scenario
This scenario is part of the Dynamic Access Control scenario. For additional information about Dynamic Access
Control, see:
Dynamic Access Control: Scenario Overview
Practical applications
File Classification Infrastructure in Windows Server 2012 contributes to Dynamic Access Control by enabling
business data owners to easily classify and label data. The classification information that is stored in the central
access policy allows you to define access policies for data classes that are critical to business.
File Server Resource Manager Overview: File Classification Infrastructure is a feature that is included in
File Server Resource Manager.
File and Storage Services Overview: File Server Resource Manager is a feature that is included with the
File Services server role.
Deploy Automatic File Classification (Demonstration
Steps)
6/17/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains how to enable resource properties in Active Directory, create classification rules on the file
server, and then assign values to the resource properties for files on the file server. For this example, the
following classification rules are created:
A content classification rule that searches a set of files for the string 'Contoso Confidential.' If the string is
found in a file, the Impact resource property is set to High on the file.
A content classification rule that searches a set of files for a regular expression that matches a social
security number at least 10 times in one file. If the pattern is found, the file is classified as having
personally identifiable information and the Personally Identifiable Information resource property is set to
High.
In this document
Step 1: Create resource property definitions
Step 2: Create a string content classification rule
Step 3: Create a regular expression content classification rule
Step 4: Verify that the files are classified
NOTE
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described.
For more information, see Using Cmdlets.
NOTE
You can also choose a dynamic name space for the scope. For more information about dynamic name spaces for
classification rules, see What's New in File Server Resource Manager in Windows Server 2012 [redirected].
$date = Get-Date
# Run the classification task every day of the week at the current time of day, with no run-duration limit.
$AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @(3, 2, 4, 5, 1, 6, 0) -RunDuration 0
$AutomaticClassificationScheduledTask
# Enable continuous (near real-time) classification in addition to the scheduled run.
Set-FsrmClassification -Continuous -Schedule $AutomaticClassificationScheduledTask
# Content classifier: set Impact_MS to High (3000) when the string occurs at least once in the file.
New-FsrmClassificationRule -Name 'Contoso Confidential' -Property "Impact_MS" -PropertyValue "3000" -Namespace @('D:\Finance Documents') -ClassificationMechanism "Content Classifier" -Parameters @("StringEx=Min=1;Expr=Contoso Confidential") -ReevaluateProperty Overwrite
See also
Scenario: Get Insight into Your Data by Using Classification
Plan for Automatic File Classification
Dynamic Access Control: Scenario Overview
Scenario: Implement Retention of Information on
File Servers
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
A retention period is the amount of time that a document should be kept before it is expired. Depending on the
organization, the retention period can be different. You can classify files in a folder as having a short, medium, or
long-term retention period, and then assign a timeframe for each period. You may want to keep a file
indefinitely by putting it on legal hold.
Scenario description
File Classification Infrastructure and File Server Resource Manager uses file management tasks and file
classification to apply retention periods for a set of files. You can assign a retention period on a folder and then
use a file management task to configure how long an assigned retention period is to last. When the files in the
folder are about to expire, the owner of the file receives a notification email. You can also classify a file as being
on legal hold so that the file management task will not expire the file.
You can find planning information for configuring retention in Plan for Retention of Information on File Servers.
You can find steps for classifying files for legal hold and configuring a retention period in Deploy Implementing
Retention of Information on File Servers (Demonstration Steps).
NOTE
That scenario only discusses how to manually classify a document for legal hold. However, it is possible in Windows Server
2012 to automatically classify documents for legal hold. One way to do this is to create a Windows PowerShell classifier
that compares the file owner to a list of user accounts that are under legal hold. If the file owner is a part of the user
account list, the file is classified for legal hold.
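As an added example that is not part of the original topic, the owner comparison such a classifier performs, written as a standalone PowerShell function; the function name, the sample hold list, the property value "Yes" and the share path are assumptions, and the hook by which File Server Resource Manager invokes a PowerShell classifier is deliberately left out.

```powershell
# Added example: decide whether a file should be classified for legal hold by
# comparing its NTFS owner with a list of accounts that are under hold.
# Assumptions (not from the original topic): the function and parameter names,
# the sample hold list, and "Yes" as the value applied to the legal-hold property.

function Test-LegalHoldOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Accounts under legal hold, in DOMAIN\user form (constructed sample list).
        [string[]] $HoldAccounts = @('CONTOSO\mollyd', 'CONTOSO\jesperh')
    )

    # Get-Acl exposes the owner as "DOMAIN\user" (or a SID string if the
    # account cannot be resolved, which will never match the list).
    $owner = (Get-Acl -LiteralPath $Path).Owner

    # -contains is case-insensitive in PowerShell but requires the complete
    # account string, so "CONTOSO\mollyd2" does not match "CONTOSO\mollyd".
    if ($HoldAccounts -contains $owner) {
        return 'Yes'      # value to apply to the legal-hold resource property
    }
    return $null          # no value: the file is not placed on hold
}

# Caveat for the reviewer: ownership is not immutable. Anyone holding the
# Take Ownership privilege or WRITE_OWNER on the file can change the owner and
# thereby move a file out of (or into) hold, so pair an owner-based classifier
# with auditing of ownership changes on the share.

# Usage (constructed share path): preview which files an automatic classifier
# based on this check would place on hold before enabling the rule.
Get-ChildItem -LiteralPath 'D:\Finance Documents' -File -Recurse |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            LegalHold = Test-LegalHoldOwner -Path $_.FullName
        }
    } |
    Where-Object { $_.LegalHold } |
    Format-Table -AutoSize
```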
In this scenario
This scenario is part of the Dynamic Access Control scenario. For additional information about Dynamic Access
Control, see:
Dynamic Access Control: Scenario Overview
File Server Resource Manager Overview: File Classification Infrastructure is a feature that is included in File Server Resource Manager.
File and Storage Services Overview: File Server Resource Manager is a feature that is included with the File Services server role.
Deploy Implementing Retention of Information on
File Servers (Demonstration Steps)
6/17/2021 • 5 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You can set retention periods for folders and put files on legal hold by using File Classification Infrastructure and
File Server Resource Manager.
In this document
Prerequisites
Step 1: Create resource property definitions
Step 2: Configure notifications
Step 3: Create a file management task
Step 4: Classify a file manually
NOTE
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described.
For more information, see Using Cmdlets.
Prerequisites
The steps in this topic assume you have an SMTP server configured for file expiration notifications.
See also
Scenario: Implement Retention of Information on File Servers
Plan for Retention of Information on File Servers
Dynamic Access Control: Scenario Overview
Deploy Claims Across Forests
3/5/2021 • 3 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
In Windows Server 2012, a claim type is an assertion about the object with which it's associated. Claim types
are defined per forest in Active Directory. There are many scenarios where a security principal may need to
traverse a trust boundary to access resources in a trusted forest. Cross-forest claims transformation in Windows
Server 2012 enables you to transform egress and ingress claims that traverse forests so that the claims are
recognized and accepted in the trusting and trusted forests. Some of the real-world scenarios for transformation
of claims are:
Trusting forests can use claim transformation as a guard against elevation of privilege by filtering the
incoming claims with specific values.
Trusting forests can also issue claims for principals coming over a trust boundary if the trusted forest
does not support or issue any claims.
Trusted forests can use claim transformation to prevent certain claim types and claims with certain values
from going out to the trusting forest.
You can also use claim transformation to map different claim types between trusting and trusted forests.
This can be used to generalize the claim-type, the claim value, or both. Without this, you need to
standardize the data between the forests before you can use the claims. Generalizing claims between the
trusting and trusted forests reduces the IT costs.
In this scenario
The following guidance is available for this scenario:
Deploy Claims Across Forests (Demonstration Steps)
Claims Transformation Rules Language
Active Directory Domain Services: In this scenario, you are required to set up two Active Directory forests with a two-way trust. You have claims in both forests. You also set central access policies on the trusting forest where the resources reside.
File and Storage Services role: In this scenario, the data classification is applied to the resources on the file servers. The central access policy is applied to the folder where you want to grant user access. After transformation, the claim grants user access to resources based on the central access policy that is applied to the folder on the file server.
Deploy Claims Across Forests (Demonstration Steps)
3/5/2021 • 5 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
In this topic, we'll cover a basic scenario that explains how to configure claims transformations between trusting
and trusted forests. You will learn how claims transformation policy objects can be created and linked to the
trust on the trusting forest and the trusted forest. You will then validate the scenario.
Scenario overview
Adatum Corporation provides financial services to Contoso, Ltd. Each quarter, Adatum accountants copy their
account spreadsheets to a folder on a file server located at Contoso, Ltd. There is a two-way trust set up from
Contoso to Adatum. Contoso, Ltd. wants to protect the share so that only Adatum employees can access the
remote share.
In this scenario:
1. Set up the prerequisites and the test environment
2. Set up claims transformation on trusted forest (Adatum)
3. Set up claims transformation in the trusting forest (Contoso)
4. Validate the scenario
IMPORTANT
When setting up the Contoso and Adatum forests, you must ensure that both the root domains are at the Windows
Server 2012 Domain Functional Level for claims transformation to work.
You need to set up the following for the lab. These procedures are explained in detail in Appendix B: Setting Up
the Test Environment.
You need to implement the following procedures to set up the lab for this scenario:
1. Set Adatum as trusted forest to Contoso
2. Create the 'Company' claim type on Contoso
3. Enable the 'Company' resource property on Contoso
4. Create the central access rule
5. Create the central access policy
6. Publish the new policy through Group Policy
7. Create the Earnings folder on the file server
8. Set classification and apply the central access policy on the new folder
Use the following information to complete this scenario:
OBJECTS / DETAILS
1. Sign in to the domain controller, adatum.com as Administrator with the password pass@word1 .
2. Open an elevated command prompt in Windows PowerShell, and type the following:
New-ADClaimTransformPolicy `
-Description:"Claims transformation policy to deny all claims except Company" `
-Name:"DenyAllClaimsExceptCompanyPolicy" `
-DenyAllExcept:company `
-Server:"adatum.com"
1. Sign in to the domain controller, adatum.com as Administrator with the password pass@word1 .
2. Open an elevated command prompt in Windows PowerShell, and type the following:
Set-ADClaimTransformLink `
-Identity:"contoso.com" `
-Policy:"DenyAllClaimsExceptCompanyPolicy" `
-TrustRole:Trusted
1. Sign in to the domain controller, contoso.com as Administrator with the password pass@word1 .
2. Open an elevated command prompt in Windows PowerShell and type the following:
New-ADClaimTransformPolicy `
-Description:"Claims transformation policy to deny all claims except company" `
-Name:"DenyAllClaimsExceptCompanyPolicy" `
-DenyAllExcept:company `
-Server:"contoso.com"
1. Sign in to the domain controller, contoso.com as Administrator with the password pass@word1 .
2. Open an elevated command prompt in Windows PowerShell and type the following:
Set-ADClaimTransformLink `
-Identity:"adatum.com" `
-Policy:"DenyAllClaimsExceptCompanyPolicy" `
-TrustRole:Trusting
SCENARIO: Allow all claims that come from Adatum except "Company" and "Department" to go through to Contoso
POLICY: Adatum -
CODE:
New-ADClaimTransformPolicy `
-Description:"Claims transformation policy to allow all claims except company and department" `
-Name:"AllowAllClaimsExceptCompanyAndDepartmentPolicy" `
-AllowAllExcept:company,department `
-Server:"contoso.com"
Set-ADClaimTransformLink `
-Identity:"adatum.com" `
-Policy:"AllowAllClaimsExceptCompanyAndDepartmentPolicy" `
-TrustRole:Trusting `
-Server:"contoso.com"
See also
For a list of all Windows PowerShell cmdlets that are available for claims transformation, see Active
Directory PowerShell Cmdlet Reference.
For advanced tasks that involve export and import of DAC configuration information between two
forests, use the Dynamic Access Control PowerShell Reference
Deploy Claims Across Forests
Claims Transformation Rules Language
Dynamic Access Control: Scenario Overview
Claims Transformation Rules Language
6/17/2021 • 12 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The across-forest claims transformation feature enables you to bridge claims for Dynamic Access Control across
forest boundaries by setting claims transformation policies on across-forest trusts. The primary component of
all policies is rules that are written in claims transformation rules language. This topic provides details about this
language and provides guidance about authoring claims transformation rules.
The Windows PowerShell cmdlets for transformation policies on across-forest trusts have options to set simple
policies that are required in common scenarios. These cmdlets translate the user input into policies and rules in
the claims transformation rules language, and then store them in Active Directory in the prescribed format. For
more information about cmdlets for claims transformation, see the AD DS Cmdlets for Dynamic Access Control.
Depending on the claims configuration and the requirements placed on the across-forest trust in your Active
Directory forests, your claims transformation policies may have to be more complex than the policies supported
by the Windows PowerShell cmdlets for Active Directory. To effectively author such policies, it is essential to
understand the claims transformation rules language syntax and semantics. This claims transformation rules
language ("the language") in Active Directory is a subset of the language that is used by Active Directory
Federation Services for similar purposes, and it has a very similar syntax and semantics. However, there are
fewer operations allowed, and additional syntax restrictions are placed in the Active Directory version of the
language.
This topic briefly explains the syntax and semantics of the claims transformation rules language in Active
Directory and considerations to be made when authoring policies. It provides several sets of example rules to
get you started, and examples of incorrect syntax and the messages they generate, to help you decipher error
messages when you author the rules.
C1: [TYPE=="EmployeeType"]
=> ISSUE (TYPE= "EmpType", VALUE = C1.VALUE, VALUETYPE = C1.VALUETYPE);
[TYPE=="EmployeeType"] is a Select Condition List with one Matching Condition on the claim Type.
ISSUE (TYPE= "EmpType", VALUE = C1.VALUE, VALUETYPE = C1.VALUETYPE) is the Rule Action; it issues a claim
using a string literal for the type and the values of the matching claim, referred to by the Identifier C1.
Runtime operation
It is important to understand the runtime operation of claims transformations to author the rules effectively. The
runtime operation uses three sets of claims:
1. Input claims set: The input set of claims that are given to the claims transformation operation.
2. Working claims set: Intermediate claims that are read from and written to during the claims
transformation.
3. Output claims set: Output of the claims transformation operation.
Here is a brief overview of the runtime claims transformation operation:
1. Input claims for claims transformation are used to initialize the working claims set.
a. When processing each rule, the working claims set is used for the input claims.
b. The Selection Condition List in a rule is matched against all possible sets of claims from the
working claims set.
c. Each set of matching claims is used to run the action in that rule.
d. Running a rule action results in one claim, which is appended to the output claims set and the
working claims set. Thus, the output from a rule is used as input for subsequent rules in the rule
set.
2. The rules in the rule set are processed in sequential order starting with the first rule.
3. When the entire rule set is processed, the output claims set is processed to remove duplicate claims and
for other security issues. The resulting claims are the output of the claims transformation process.
It is possible to write complex claims transformations based on the previous runtime behavior.
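As an added example (not code from the original topic or from Active Directory), a small PowerShell model of the runtime behavior just described: working set initialised from the input, rules run in order, every issued claim appended to both the working and output sets, and duplicates removed at the end. The helper names, the two rules and the input claims are constructed for the illustration.

```powershell
# Added example: a simulator of the claims transformation runtime described
# above. It is a model for reasoning about rule sets, not the engine inside
# Active Directory. Function names, rules and claims are constructed.

function New-Claim([string] $Type, [string] $Value, [string] $ValueType = 'String') {
    [pscustomobject]@{ Type = $Type; Value = $Value; ValueType = $ValueType }
}

function Invoke-ClaimsTransformation {
    param(
        [object[]] $InputClaims,
        # Each rule: @{ Match = { param($c) <bool> }; Issue = { param($c) <claim> } }.
        # The model covers rules whose condition list selects a single claim.
        [hashtable[]] $Rules
    )
    # 1. The input claims initialise the working set; the output set starts empty.
    $working = [System.Collections.ArrayList]::new()
    $output  = [System.Collections.ArrayList]::new()
    [void]$working.AddRange($InputClaims)

    # 2. Rules run sequentially. Each rule sees the working set as it is at that
    #    moment, so a claim issued by an earlier rule can match a later rule.
    foreach ($rule in $Rules) {
        # Snapshot the matches first; the working set is modified below.
        $matched = @($working | Where-Object { & $rule.Match $_ })
        # 1c/1d. The action runs once per matching claim, and each issued claim
        #        is appended to both the output set and the working set.
        foreach ($m in $matched) {
            $issued = & $rule.Issue $m
            [void]$output.Add($issued)
            [void]$working.Add($issued)
        }
    }

    # 3. Duplicate claims are removed from the output set.
    $output | Sort-Object Type, Value, ValueType -Unique
}

# Constructed rule set, in the shape the language would express it:
#   Rule 1:  C1:[Type=="EmployeeType"] => Issue(Claim=C1);
#   Rule 2:  C1:[Type=="EmployeeType", Value=="FullTime", ValueType=="string"]
#            => Issue(Type="AccessType", Value="Privileged", ValueType=C1.ValueType);
# PowerShell's -eq is case-insensitive, matching the language's string comparisons.
$rules = @(
    @{ Match = { param($c) $c.Type -eq 'EmployeeType' }
       Issue = { param($c) $c } },
    @{ Match = { param($c) $c.Type -eq 'EmployeeType' -and $c.Value -eq 'FullTime' -and $c.ValueType -eq 'String' }
       Issue = { param($c) New-Claim 'AccessType' 'Privileged' $c.ValueType } }
)

# Constructed input claims. Department matches no rule and so never reaches
# the output: a rule set that names only the claims it wants is a
# deny-by-default filter, which is the posture to aim for on incoming claims.
$inputClaims = @(
    (New-Claim 'EmployeeType' 'FullTime'),
    (New-Claim 'Department'   'Finance')
)

# Walk-through: rule 1 copies EmployeeType, so the working set then holds it
# twice; rule 2 matches both copies and issues AccessType=Privileged twice;
# duplicate removal in step 3 collapses them to a single claim.
Invoke-ClaimsTransformation -InputClaims $inputClaims -Rules $rules | Format-Table -AutoSize
```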
Example: Runtime operation
This example shows the runtime operation of a claims transformation that uses two rules.
Final Output:
{(Type= "EmployeeType"),(Value="FullTime"),(ValueType="String")}
{(Type= "AccessType"),(Value="Privileged"),(ValueType="String")}
3. Empty Select Matching List == Every claim matches the Select Condition List
Example: Empty Matching Conditions
The following rule matches every claim in the working set. This is the basic "Allow-all" rule if it is used
alone.
Security considerations
Claims that enter a forest
The claims presented by principals that are incoming to a forest need to be inspected thoroughly to ensure that
we allow or issue only the correct claims. Improper claims can compromise the forest security, and this should
be a top consideration when authoring transformation policies for claims that enter a forest.
Active Directory has the following features to prevent misconfiguration of claims that enter a forest:
If a forest trust has no claims transformation policy set for the claims that enter a forest, for security
purposes, Active Directory drops all the principal claims that enter the forest.
If running the rule set on claims that enter a forest results in claims that are not defined in the forest, the
undefined claims are dropped from the output claims.
Claims that leave a forest
Claims that leave a forest present a lesser security concern for the forest than the claims that enter the forest.
Claims are allowed to leave the forest as-is even when there is no corresponding claims transformation policy in
place. It is also possible to issue claims that are not defined in the forest as part of transforming claims that
leave the forest. This is to easily set up across-forest trusts with claims. An administrator can determine if claims
that enter the forest need to be transformed, and set up the appropriate policy. For example, an administrator
could set a policy if there is a need to hide a claim to prevent information disclosure.
Syntax errors in claims transformation rules
If a given claims transformation policy has a rules set that is syntactically incorrect or if there are other syntax or
storage issues, the policy is considered invalid. This is treated differently than the default conditions mentioned
earlier.
Active Directory is unable to determine the intent in this case and goes into a fail-safe mode, where no output
claims are generated for that trust and direction of traversal. Administrator intervention is required to correct the
issue. This could happen if LDAP is used to edit the claims transformation policy. Windows PowerShell cmdlets
for Active Directory have validation in place to prevent writing a policy with syntax issues.
Using Regex
1. Example:
c1;[]=>Issue(claim=c1);
This example has an incorrectly used semicolon in place of a colon. Error message: POLICY0002: Could
not parse policy data. Line number: 1, Column number: 2, Error token: ;. Line: 'c1;[]=>Issue(claim=c1);'.
Parser error: 'POLICY0030: Syntax error, unexpected ';', expecting one of the following: ':' .'
2. Example:
c1:[]=>Issue(claim=c2);
In this example, the Identifier tag in the copy issuance statement is undefined. Error message :
POLICY0011: No conditions in the claim rule match the condition tag specified in the
CopyIssuanceStatement: 'c2'.
3. Example:
"bool" is not a Terminal in the language, and it is not a valid ValueType. Valid terminals are listed in the
following error message. Error message: POLICY0002: Could not parse policy data. Line number: 1,
Column number: 39, Error token: "bool". Line: 'c1:[type=="x1",
value=="1",valuetype=="bool"]=>Issue(claim=c1);'. Parser error: 'POLICY0030: Syntax error, unexpected
'STRING', expecting one of the following: 'INT64_TYPE' 'UINT64_TYPE' 'STRING_TYPE' 'BOOLEAN_TYPE'
'IDENTIFIER'
4. Example:
The numeral 1 in this example is not a valid token in the language, and such usage is not allowed in a
matching condition. It has to be enclosed in double quotes to make it a string. Error message:
POLICY0002: Could not parse policy data. Line number: 1, Column number: 23, Error token: 1. Line: 'c1:
[type=="x1", value==1, valuetype=="bool"]=>Issue(claim=c1);'. Parser error: 'POLICY0029: Unexpected
input.
5. Example:
This example used a double equal sign (==) instead of a single equal sign (=). Error message:
POLICY0002: Could not parse policy data. Line number: 1, Column number: 91, Error token: ==. Line: 'c1:
[type=="x1", value=="1", valuetype=="boolean"]=>Issue(type=c1.type, value="0",
valuetype=="boolean");'. Parser error: 'POLICY0030: Syntax error, unexpected '==', expecting one of the
following: '='
6. Example:
This example is syntactically and semantically correct. However, using "boolean" as a string value is bound
to cause confusion, and it should be avoided. As previously mentioned, using language terminals as
claims values should be avoided where possible.
Language terminals
The following table lists the complete set of terminal strings and the associated language terminals that are used
in the claims transformation rules language. These definitions use case-insensitive UTF-16 strings.
STRING TERMINAL
"=>" IMPLY
";" SEMICOLON
":" COLON
"," COMMA
"." DOT
"[" O_SQ_BRACKET
"]" C_SQ_BRACKET
"(" O_BRACKET
")" C_BRACKET
"==" EQ
"!=" NEQ
"=~" REGEXP_MATCH
"!~" REGEXP_NOT_MATCH
"=" ASSIGN
"&&" AND
"issue" ISSUE
"type" TYPE
"value" VALUE
"valuetype" VALUE_TYPE
"claim" CLAIM
"[_A-Za-z][_A-Za-z0-9]*" IDENTIFIER
"\"[^\"\n]*\"" STRING
"uint64" UINT64_TYPE
"int64" INT64_TYPE
"string" STRING_TYPE
"boolean" BOOLEAN_TYPE
Language syntax
The following claims transformation rules language is specified in ABNF form. This definition uses the terminals
that are specified in the previous table in addition to the ABNF productions defined here. The rules must be
encoded in UTF-16, and the string comparisons must be treated as case insensitive.
Rule_set = ;/*Empty*/
/ Rules
Rules = Rule
/ Rule Rules
Rule = Rule_body
Rule_body = (Conditions IMPLY Rule_action SEMICOLON)
Conditions = ;/*Empty*/
/ Sel_condition_list
Sel_condition_list = Sel_condition
/ (Sel_condition_list AND Sel_condition)
Sel_condition = Sel_condition_body
/ (IDENTIFIER COLON Sel_condition_body)
Sel_condition_body = O_SQ_BRACKET Opt_cond_list C_SQ_BRACKET
Opt_cond_list = /*Empty*/
/ Cond_list
Cond_list = Cond
/ (Cond_list COMMA Cond)
Cond = Value_cond
/ Type_cond
Type_cond = TYPE Cond_oper Literal_expr
Value_cond = (Val_cond COMMA Val_type_cond)
/(Val_type_cond COMMA Val_cond)
Val_cond = VALUE Cond_oper Literal_expr
Val_type_cond = VALUE_TYPE Cond_oper Value_type_literal
claim_prop = TYPE
/ VALUE
Cond_oper = EQ
/ NEQ
/ REGEXP_MATCH
/ REGEXP_NOT_MATCH
Literal_expr = Literal
/ Value_type_literal
Expr = Literal
/ Value_type_expr
/ (IDENTIFIER DOT claim_prop)
Value_type_expr = Value_type_literal
/(IDENTIFIER DOT VALUE_TYPE)
Value_type_literal = INT64_TYPE
/ UINT64_TYPE
/ STRING_TYPE
/ BOOLEAN_TYPE
Literal = STRING
Rule_action = ISSUE O_BRACKET Issue_params C_BRACKET
Issue_params = claim_copy
/ claim_new
claim_copy = CLAIM ASSIGN IDENTIFIER
claim_new = claim_prop_assign_list
claim_prop_assign_list = (claim_value_assign COMMA claim_type_assign)
/(claim_type_assign COMMA claim_value_assign)
claim_value_assign = (claim_val_assign COMMA claim_val_type_assign)
/(claim_val_type_assign COMMA claim_val_assign)
claim_val_assign = VALUE ASSIGN Expr
claim_val_type_assign = VALUE_TYPE ASSIGN Value_type_expr
Claim_type_assign = TYPE ASSIGN Expr
Appendix A: Dynamic Access Control Glossary
3/5/2021 • 3 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The following are the terms and definitions that are used in the Dynamic Access Control scenario.
TERM DEFINITION
Central access rule A rule that includes a condition and an access expression.
Central access policy Policies that are authored and hosted in Active Directory.
Claims-based access control A paradigm that utilizes claims to make access control
decisions to resources.
Device claim A claim that is associated with the system. With user claims,
it is included in the token of a user attempting to access a
resource.
Discretionary access control list (DACL) An access control list that identifies trustees who are allowed
or denied access to a securable resource. It can be modified
at the discretion of the resource owner.
Resource property Properties (such as labels) that describe a file and are
assigned to files by using automatic classification or manual
classification. Examples include: Sensitivity, Project, and
Retention period.
File Server Resource Manager A feature in the Windows Server operating system that
offers management of folder quotas, file screening, storage
reports, file classification, and file management jobs on a file
server.
Folder properties and labels Properties and labels that describe a folder and are assigned
manually by administrators and folder owners. These
properties assign default property values to the files within
these folders, for example, Secrecy or Department.
Group Policy A set of rules and policies that controls the working
environment of users and computers in an Active Directory
environment.
Near real time classification Automatic classification that is performed shortly after a file
is created or modified.
Near real-time file management tasks File management tasks that are performed shortly after a
file is created or modified. These tasks are triggered by the
near real-time classification.
Security descriptor definition language A specification that describes the information in a security
descriptor as a text string.
System access control list (SACL) An access control list that specifies the types of access
attempts by particular trustees for which audit records need
to be generated.
User claim Attributes of a user that are provided within the user
security token. Examples include: Department, Company,
Project, and Security clearance. Information in the user token
from systems prior to Windows Server 2012, such as the
security groups that the user is part of, can also be
considered user claims. Some user claims are provided
through Active Directory and others are calculated
dynamically, such as whether the user logged in with a smart
card.
User token A data object that identifies a user and the user claims and
device claims that are associated with that user. It is used to
authorize the user's access to resources.
See Also
Dynamic Access Control: Scenario Overview
Appendix B: Setting Up the Test Environment
6/17/2021 • 26 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic outlines the steps to build a hands-on lab to test Dynamic Access Control. The instructions are meant
to be followed sequentially because there are many components that have dependencies.
Prerequisites
Hardware and software requirements
Requirements for setting up the test lab:
A host server running Windows Server 2008 R2 with SP1 and Hyper-V
A copy of the Windows Server 2012 ISO
A copy of the Windows 8 ISO
Microsoft Office 2010
A server running Microsoft Exchange Server 2003 or later
You need to build the following virtual machines to test the Dynamic Access Control scenarios:
DC1 (domain controller)
DC2 (domain controller)
FILE1 (file server and Active Directory Rights Management Services)
SRV1 (POP3 and SMTP server)
CLIENT1 (client computer with Microsoft Outlook)
The passwords for the virtual machines should be as follows:
BUILTIN\Administrator: pass@word1
Contoso\Administrator: pass@word1
All other accounts: pass@word1
1. Connect the virtual machine to the ID_AD_Network. Sign in to DC1 as Administrator with the
password pass@word1.
2. In Server Manager, click Manage , and then click Add Roles and Features .
3. On the Before you begin page, click Next .
4. On the Select installation type page, click Role-based or Feature-based Install , and then click
Next .
5. On the Select destination server page, click Next.
6. On the Select server roles page, click Active Directory Domain Services. In the Add Roles and
Features Wizard dialog box, click Add Features, and then click Next.
7. On the Select features page, click Next .
8. On the Active Directory Domain Services page, review the information, and then click Next.
9. On the Confirm installation selections page, click Install . The Feature installation progress bar on the
Results page indicates that the role is being installed.
10. On the Results page, verify that the installation succeeded, and click Close. In Server Manager, click the
warning icon with an exclamation mark in the top right corner of the screen, next to Manage. In the Tasks
list, click the Promote this server to a domain controller link.
11. On the Deployment Configuration page, click Add a new forest , type the name of the root domain,
contoso.com , and then click Next .
12. On the Domain Controller Options page, select the domain and forest functional levels as Windows
Server 2012, specify the DSRM password pass@word1 , and then click Next .
13. On the DNS Options page, click Next .
14. On the Additional Options page, click Next .
15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or
accept default locations), and then click Next .
16. On the Review Options page, confirm your selections, and then click Next .
17. On the Prerequisites Check page, confirm that the prerequisites validation is completed, and then click
Install .
18. On the Results page, verify that the server was successfully configured as a domain controller, and then
click Close .
19. Restart the server to complete the AD DS installation. (By default, this happens automatically.)
Create the following users by using Active Directory Administrative Center.
Create users and groups on DC1
GROUP NAME EMAIL ADDRESS
FinanceAdmin financeadmin@contoso.com
FinanceException financeexception@contoso.com
OU NAME COMPUTERS
FileServerOU FILE1
USER USERNAME EMAIL ADDRESS DEPARTMENT GROUP COUNTRY/REGION
For more information about creating security groups, see Create a New Group on the Windows Server
website.
To create a Group Policy Object
1. Hover the cursor on the upper right corner of screen and click the search icon. In the Search box, type
group policy management , and click Group Policy Management .
2. Expand Forest: contoso.com, and then expand Domains, navigate to contoso.com, expand
(contoso.com), and then select FileServerOU. Right-click FileServerOU, and then click Create a GPO in this
domain, and Link it here.
3. Type a descriptive name for the GPO, such as FlexibleAccessGPO , and then click OK .
To enable Dynamic Access Control for contoso.com
1. Open the Group Policy Management Console, click contoso.com , and then double-click Domain
Controllers .
2. Right-click Default Domain Controllers Policy , and select Edit .
3. In the Group Policy Management Editor window, double-click Computer Configuration , double-click
Policies , double-click Administrative Templates , double-click System , and then double-click KDC .
4. Double-click KDC support for claims, compound authentication, and Kerberos armoring and
select the option next to Enabled. You need to enable this setting to use Central Access Policies.
5. Open an elevated command prompt, and run the following command:
gpupdate /force
1. Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server
resource manager, and then click File Server Resource Manager.
2. In the File Server Resource Manager interface, right-click File Server Resource Manager, and then
click Configure options. The File Server Resource Manager Options dialog box opens.
3. On the E-mail Notifications tab, under SMTP server name or IP address, type the host name or the IP
address of the SMTP server that will forward email notifications.
4. If you want to routinely notify certain administrators of quota or file screening events, under Default
administrator recipients , type each email address such as fileadmin@contoso.com. Use the format
account@domain, and use semicolons to separate multiple accounts.
Create groups on FILE1
To create security groups on FILE1
NOTE
Central access policies are not enabled by default on the system or boot volume C:.
IMPORTANT
In order to install the AD RMS server role, the installer account (in this case, CONTOSO\Administrator) must be a
member of both the local Administrators group on the server computer where AD RMS is to be installed and the
Enterprise Admins group in Active Directory.
2. In Server Manager, click Add Roles and Features. The Add Roles and Features Wizard appears.
3. On the Before you Begin screen, click Next.
4. On the Select Installation Type screen, click Role/Feature Based Install, and then click Next.
5. On the Select Server Targets screen, click Next.
6. On the Select Server Roles screen, select the box next to Active Directory Rights Management
Services, and then click Next.
7. In the Add features that are required for Active Directory Rights Management Services?
dialog box, click Add Features.
8. On the Select Server Roles screen, click Next.
9. On the Select Features to Install screen, click Next.
10. On the Active Directory Rights Management Services screen, click Next.
11. On the Select Role Services screen, click Next.
12. On the Web Server Role (IIS) screen, click Next.
13. On the Select Role Services screen, click Next.
14. On the Confirm Installation Selections screen, click Install.
15. After the installation has completed, on the Installation Progress screen, click Perform additional
configuration. The AD RMS Configuration Wizard appears.
16. On the AD RMS screen, click Next.
17. On the AD RMS Cluster screen, select Create a new AD RMS root cluster, and then click Next.
18. On the Configuration Database screen, click Use Windows Internal Database on this server, and
then click Next.
NOTE
Using the Windows Internal Database is recommended for test environments only because it does not support
more than one server in the AD RMS cluster. Production deployments should use a separate database server.
19. On the Service Account screen, in Domain User Account, click Specify, specify the user
name (contoso\rms) and Password (pass@word1), click OK, and then click Next.
20. On the Cryptographic Mode screen, click Cryptographic Mode 2.
21. On the Cluster Key Storage screen, click Next.
22. On the Cluster Key Password screen, in the Password and Confirm password boxes, type
pass@word1, and then click Next.
23. On the Cluster Web Site screen, make sure that Default Web Site is selected, and then click Next.
24. On the Cluster Address screen, select the Use an unencrypted connection option, in the Fully
Qualified Domain Name box, type FILE1.contoso.com, and then click Next.
25. On the Licensor Certificate Name screen, accept the default name (FILE1) in the text box and click
Next.
26. On the SCP Registration screen, select Register SCP now, and then click Next.
27. On the Confirmation screen, click Install.
28. On the Results screen, click Close, and then click Close on the Installation Progress screen. When
complete, log off and log on as contoso\rms using the password provided (pass@word1).
29. Launch the AD RMS console and navigate to Rights Policy Templates.
To open the AD RMS console, in Server Manager, click Local Server in the console tree, then click Tools,
and then click Active Directory Rights Management Services.
30. Click the Create Distributed Rights Policy template located on the right panel, click Add, and select
the following information:
Language: US English
Name: Contoso Finance Admin Only
Description: Contoso Finance Admin Only
Click Add, and then click Next.
31. Under the Users and Rights section, click Users and rights, click Add, type
financeadmin@contoso.com, and click OK.
32. Select Full Control, and leave Grant owner (author) full control right with no expiration selected.
33. Click through the remaining tabs with no changes, and then click Finish. Sign in as
CONTOSO\Administrator.
34. Browse to the folder C:\inetpub\wwwroot\_wmcs\certification, select the ServerCertification.asmx file,
and add Authenticated Users to have Read and Write permissions to the file.
35. Open Windows PowerShell and run Get-FsrmRmsTemplate. Verify that the RMS template you created in
the previous steps of this procedure appears in the output of this command.
IMPORTANT
If you want your file servers to immediately change so you can test them, you need to do the following:
1. On the file server, FILE1, open an elevated command prompt, and run the following commands:
gpupdate /force
NLTEST /SC_RESET:contoso.com
2. On the domain controller (DC1), replicate Active Directory.
For more information about steps to force the replication of Active Directory, see Active Directory Replication
Optionally, instead of using the Add Roles and Features Wizard in Server Manager, you can use Windows
PowerShell to install and configure the AD RMS server role as shown in the following procedure.
To install and configure an AD RMS cluster in Windows Server 2012 using Windows PowerShell
IMPORTANT
In order to install the AD RMS server role, the installer account (in this case, CONTOSO\Administrator) must be a
member of both the local Administrators group on the server computer where AD RMS is to be installed and the
Enterprise Admins group in Active Directory.
2. On the Server desktop, right-click the Windows PowerShell icon on the taskbar and select Run as
Administrator to open a Windows PowerShell prompt with administrative privileges.
3. To use Server Manager cmdlets to install the AD RMS server role, type:
4. Create the Windows PowerShell drive to represent the AD RMS server you are installing.
For example, to create a Windows PowerShell drive named RC to install and configure the first server in
an AD RMS root cluster, type:
Import-Module ADRMS
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster
5. Set properties on objects in the drive namespace that represent required configuration settings.
For example, to set the AD RMS service account, at the Windows PowerShell command prompt, type:
$svcacct = Get-Credential
When the Windows security dialog box appears, type the AD RMS service account domain user name
CONTOSO\RMS and the assigned password.
Next, to assign the AD RMS service account to the AD RMS cluster settings, type the following:
Next, to set the AD RMS server to use the Windows Internal Database, at the Windows PowerShell
command prompt, type:
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true
Next, to securely store the cluster key password in a variable, at the Windows PowerShell command
prompt, type:
Type the cluster key password, and then press the ENTER key.
Next, to assign the password to your AD RMS installation, at the Windows PowerShell command prompt,
type:
Next, to set the AD RMS cluster address, at the Windows PowerShell command prompt, type:
Next, to assign the SLC name for your AD RMS installation, at the Windows PowerShell command
prompt, type:
Next, to set the service connection point (SCP) for the AD RMS cluster, at the Windows PowerShell
command prompt, type:
6. Run the Install-ADRMS cmdlet. In addition to installing the AD RMS server role and configuring the
server, this cmdlet also installs other features required by AD RMS if necessary.
For example, to change to the Windows PowerShell drive named RC and install and configure AD RMS,
type:
Set-Location RC:\
Install-ADRMS -Path .
Type "Y" when the cmdlet prompts you to confirm you want to start the installation.
7. Log out as CONTOSO\Administrator and log on as CONTOSO\RMS using the provided password
("pass@word1").
IMPORTANT
In order to manage the AD RMS server, the account you are logged on with and using to manage the server (in this
case, CONTOSO\RMS) must be a member of both the local Administrators group on the AD RMS server computer and
the Enterprise Admins group in Active Directory.
8. On the Server desktop, right-click the Windows PowerShell icon on the taskbar and select Run as
Administrator to open a Windows PowerShell prompt with administrative privileges.
9. Create the Windows PowerShell drive to represent the AD RMS server you are configuring.
For example, to create a Windows PowerShell drive named RC to configure the AD RMS root cluster, type:
Import-Module ADRMSAdmin
New-PSDrive -PSProvider ADRMSAdmin -Name RC -Root http://localhost -Force -Scope Global
10. To create new rights template for the Contoso finance administrator and assign it user rights with full
control in your AD RMS installation, at the Windows PowerShell command prompt, type:
New-Item -Path RC:\RightsPolicyTemplate -LocaleName en-us -DisplayName "Contoso Finance Admin Only" `
-Description "Contoso Finance Admin Only" -UserGroup financeadmin@contoso.com -Right ('FullControl')
11. To verify that you can see the new rights template for the Contoso finance administrator, at the Windows
PowerShell command prompt:
Get-FsrmRmsTemplate
Review the output of this cmdlet to confirm the RMS template you created in the previous step is present.
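As an added example (not the guide's own listing), the following script gathers steps 3 through 6 and 9 through 11 of this procedure into two functions, one per account the procedure switches between. The role name ADRMS for Add-WindowsFeature, the ADRMSInstall property names (ClusterSettings\ServiceAccount, ClusterKey\CentrallyManagedPassword, ClusterSettings\ClusterURL, SLCName and RegisterSCP) and the -Force switch on Install-ADRMS are not shown on this page and are assumptions to verify against the ADRMS module on your server; both passwords are prompted for rather than written into the script.

```powershell
# Added example, not from the original guide. Two phases, run as two different accounts:
#   Install-ContosoAdrmsRootCluster  -> as CONTOSO\Administrator (local Administrators + Enterprise Admins)
#   New-ContosoFinanceTemplate       -> as CONTOSO\RMS after logging on again
# Assumed (not on this page): role name 'ADRMS', the RC:\ property names below, Install-ADRMS -Force.

function Install-ContosoAdrmsRootCluster {
    $ErrorActionPreference = 'Stop'

    # Step 3: role binaries (assumption: 'ADRMS' with all sub-features).
    Import-Module ServerManager
    Add-WindowsFeature ADRMS -IncludeAllSubFeature | Out-Null

    # Step 4: mount the install provider as drive RC:.
    Import-Module ADRMS
    New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster | Out-Null

    # Step 5: settings. Credentials are prompted for; nothing secret lives in the script.
    $svcacct = Get-Credential -Message 'AD RMS service account (CONTOSO\RMS)'
    Set-ItemProperty -Path RC:\ClusterSettings -Name ServiceAccount -Value $svcacct

    # Windows Internal Database: single-node test lab only, as the NOTE above says.
    Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

    $clusterKeyPwd = Read-Host -Prompt 'Cluster key password' -AsSecureString
    Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $clusterKeyPwd

    # The GUI procedure above picks an unencrypted connection; the URL mirrors that choice.
    Set-ItemProperty -Path RC:\ClusterSettings -Name ClusterURL  -Value 'http://FILE1.contoso.com:80'
    Set-ItemProperty -Path RC:\ClusterSettings -Name SLCName     -Value 'FILE1'
    Set-ItemProperty -Path RC:\ClusterSettings -Name RegisterSCP -Value $true

    # Review the staged settings before committing, then install (Step 6).
    Get-ChildItem RC:\ClusterSettings
    Set-Location RC:\
    Install-ADRMS -Path . -Force
}

function New-ContosoFinanceTemplate {
    $ErrorActionPreference = 'Stop'

    # Step 9: mount the admin provider against the local cluster.
    Import-Module ADRMSAdmin
    New-PSDrive -PSProvider ADRMSAdmin -Name RC -Root http://localhost -Force -Scope Global | Out-Null

    # Step 10: the distributed rights policy template from the GUI procedure.
    New-Item -Path RC:\RightsPolicyTemplate -LocaleName en-us `
        -DisplayName 'Contoso Finance Admin Only' -Description 'Contoso Finance Admin Only' `
        -UserGroup financeadmin@contoso.com -Right ('FullControl') | Out-Null

    # Step 11: the template must be visible to FSRM, otherwise classification rules cannot use it.
    Get-FsrmRmsTemplate | Where-Object { $_.Name -eq 'Contoso Finance Admin Only' }
}
```

Run Install-ContosoAdrmsRootCluster first, log off and back on as CONTOSO\RMS, then run New-ContosoFinanceTemplate; if the final Get-FsrmRmsTemplate returns nothing, the template was not created or FSRM cannot reach the cluster URL.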
Build the mail server (SRV1)
SRV1 is the SMTP/POP3 mail server. You need to set it up so that you can send email notifications as part of the
Access-Denied assistance scenario.
Configure Microsoft Exchange Server on this computer. For more information, see How to Install Exchange
Server.
Build the client virtual machine (CLIENT1)
To build the client virtual machine
IMPORTANT
Joining virtual machines to a domain and deploying claim types across forests require that the virtual machines be able to
resolve the FQDNs of the relevant domains. You may have to manually configure the DNS settings on the virtual
machines to accomplish this. For more information, see Configuring a virtual network.
All the virtual machine images (servers and clients) must be reconfigured to use a static IP version 4 (IPv4) address and
Domain Name System (DNS) client settings. For more information, see Configure a DNS Client for Static IP Address.
1. Connect the virtual machine to the ID_AD_Network. Sign in to DC2 as Administrator with the
password Pass@word1.
2. In Server Manager, click Manage , and then click Add Roles and Features .
3. On the Before you begin page, click Next .
4. On the Select Installation Type page, click Role-based or Feature-based Install, and then click
Next.
5. On the Select destination server page, click Select a server from the server pool, click the name
of the server where you want to install Active Directory Domain Services (AD DS), and then click Next.
6. On the Select Server Roles page, click Active Directory Domain Services. In the Add Roles and
Features Wizard dialog box, click Add Features, and then click Next.
7. On the Select Features page, click Next .
8. On the AD DS page, review the information, and then click Next .
9. On the Confirmation page, click Install . The Feature installation progress bar on the Results page
indicates that the role is being installed.
10. On the Results page, verify that the installation succeeded, and then click the warning icon with an
exclamation mark in the top right corner of the screen, next to Manage. In the Tasks list, click the Promote
this server to a domain controller link.
IMPORTANT
If you close the installation wizard at this point rather than click Promote this server to a domain controller,
you can continue the AD DS installation by clicking Tasks in Server Manager.
11. On the Deployment Configuration page, click Add a new forest , type the name of the root domain,
adatum.com , and then click Next .
12. On the Domain Controller Options page, select the domain and forest functional levels as Windows
Server 2012, specify the DSRM password pass@word1 , and then click Next .
13. On the DNS Options page, click Next .
14. On the Additional Options page, click Next .
15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or
accept default locations), and then click Next .
16. On the Review Options page, confirm your selections, and then click Next .
17. On the Prerequisites Check page, confirm that the prerequisites validation is completed, and then click
Install .
18. On the Results page, verify that the server was successfully configured as a domain controller, and then
click Close .
19. Restart the server to complete the AD DS installation. (By default, this happens automatically.)
IMPORTANT
To ensure that the network is configured properly, after you have set up both the forests, you must do the following:
Sign in to adatum.com as adatum\administrator. Open a Command Prompt window, type nslookup contoso.com,
and then press ENTER.
Sign in to contoso.com as contoso\administrator. Open a Command Prompt window, type nslookup adatum.com,
and then press ENTER.
If these commands execute without errors, the forests can communicate with each other. For more information on
nslookup errors, see the troubleshooting section in the topic Using NSlookup.exe
1. Open an elevated Windows PowerShell prompt, and paste the following code:
New-ADUser `
    -SamAccountName jlow `
    -Name "Jeff Low" `
    -UserPrincipalName jlow@adatum.com `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "pass@word1" -Force) `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -Path 'CN=Users,DC=adatum,DC=com' `
    -Company Adatum

New-ADClaimType `
    -AppliesToClasses:@('user') `
    -Description:"Company" `
    -DisplayName:"Company" `
    -ID:"ad://ext/Company:ContosoAdatum" `
    -IsSingleValued:$true `
    -Server:"adatum.com" `
    -SourceAttribute:Company `
    -SuggestedValues:@(
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contoso", "Contoso", "")),
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Adatum", "Adatum", ""))
    )

gpupdate /force

New-ADClaimType -SourceTransformPolicy `
    -DisplayName 'Company' `
    -ID 'ad://ext/Company:ContosoAdatum' `
    -IsSingleValued $true `
    -ValueType 'string'
1. In the left pane of Active Directory Administrative Center, click Tree View . In the left pane, click Dynamic
Access Control , and then click Central Access Rules .
2. Right-click Central Access Rules , click New , and then Central Access Rule .
3. In the Name field, type AdatumEmployeeAccessRule .
4. In the Permissions section, select the Use following permissions as current permissions option,
click Edit , and then click Add . Click the Select a principal link, type Authenticated Users , and then
click OK .
5. In the Permission Entry for Permissions dialog box, click Add a condition, and enter the following
conditions: [User] [Company] [Equals] [Value] [Adatum]. Permissions should be Modify, Read and
Execute, Read, Write.
6. Click OK .
7. Click OK three times to finish and return to Active Directory Administrative Center.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding
procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across
several lines here because of formatting constraints.
New-ADCentralAccessRule `
    -CurrentAcl:"O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1301bf;;;AU;(@USER.ad://ext/Company:ContosoAdatum == `"Adatum`"))" `
    -Name:"AdatumEmployeeAccessRule" `
    -ProposedAcl:$null `
    -ProtectedFromAccidentalDeletion:$true `
    -Server:"contoso.com"
Create the central access policy
To create a central access policy
1. On the Start screen, type Administrative Tools, and in the Search bar, click Settings. In the Settings
results, click Administrative Tools. Open the Group Policy Management Console from the
Administrative Tools folder.
TIP
If the Show Administrative tools setting is disabled, the Administrative Tools folder and its contents will not
appear in the Settings results.
2. Right-click the contoso.com domain, click Create a GPO in this domain and Link it here
3. Type a descriptive name for the GPO, such as AdatumAccessGPO , and then click OK .
To apply the central access policy to the file server through Group Policy
1. On the Start screen, type Group Policy Management in the Search box. Open Group Policy
Management from the Administrative Tools folder.
TIP
If the Show Administrative tools setting is disabled, the Administrative Tools folder and its contents will not
appear in the Settings results.
NOTE
Central access policies are not enabled by default on the system or boot volume C:.
Set classification and apply the central access policy on the Earnings folder
To assign the central access policy on the file server
1. In Hyper-V Manager, connect to server FILE1. Sign in to the server by using Contoso\Administrator, with
the password pass@word1 .
2. Open an elevated command prompt and type: gpupdate /force . This will ensure that your Group Policy
changes will take effect on your server.
3. You also need to refresh the Global Resource Properties from Active Directory. Open Windows
PowerShell, type Update-FSRMClassificationPropertyDefinition, and then press ENTER. Close Windows
PowerShell.
4. Open Windows Explorer, and navigate to D:\EARNINGS. Right-click the Earnings folder, and click
Properties.
5. Click the Classification tab. Select Company , and then select Adatum in the Value field.
6. Click Change , select Adatum Only Access Policy from the drop-down menu, and then click Apply .
7. Click the Security tab, click Advanced , and then click the Central Policy tab. You should see the
AdatumEmployeeAccessRule listed. You can expand the item to view all of the permissions that you
set when you created the rule in Active Directory.
8. Click OK to return to Windows Explorer.
Configuring Certificate Enrollment Web Service for
certificate key-based renewal on a custom port
3/5/2021 • 10 minutes to read
Authors: Jitesh Thakur and Meera Mohideen, Technical Advisors with the Windows Group; Ankit Tyagi, Support
Engineer with the Windows Group.
Summary
This article provides step-by-step instructions to implement the Certificate Enrollment Policy Web Service (CEP)
and Certificate Enrollment Web Service (CES) on a custom port other than 443 for certificate key-based renewal
to take advantage of the automatic renewal feature of CEP and CES.
This article also explains how CEP and CES work and provides setup guidelines.
NOTE
The workflow that's included in this article applies to a specific scenario. The same workflow may not work for a different
situation. However, the principles remain the same.
Disclaimer: This setup is created for a specific requirement in which you do not want to use port 443 for the default
HTTPS communication for CEP and CES servers. Although this setup is possible, it has limited supportability. Customer
Services and Support can best assist you if you follow this guide carefully using minimal deviation from the provided web
server configuration.
Scenario
For this example, the instructions are based on an environment that uses the following configuration:
A Contoso.com forest that has an Active Directory Certificate Services (AD CS) public key infrastructure
(PKI).
Two CEP/CES instances that are configured on one server that’s running under a service account. One
instance uses username and password for initial enrollment. The other uses certificate-based
authentication for key-based renewal in renewal only mode.
A user has a workgroup or non-domain-joined computer for which he will be enrolling the computer
certificate by using username and password credentials.
The connection from the user to CEP and CES over HTTPS occurs on a custom port such as 49999. (This
port is selected from a dynamic port range and is not used as a static port by any other service.)
When the certificate lifetime is nearing its end, the computer uses certificate-based CES key-based
renewal to renew the certificate over the same channel.
Configuration instructions
Overview
1. Configure the template for key-based renewal.
2. As a prerequisite, configure a CEP and CES server for username and password authentication. In this
environment, we refer to the instance as "CEPCES01".
3. Configure another CEP and CES instance by using PowerShell for certificate-based authentication on the
same server. The CES instance will use a service account.
In this environment, we refer to the instance as "CEPCES02". The service account that's used is
"cepcessvc".
4. Configure client-side settings.
Configuration
This section provides the steps to configure the initial enrollment.
NOTE
You can also configure any user service account, MSA, or GMSA for CES to work.
As a prerequisite, you must configure CEP and CES on a server by using username and password authentication.
Configure the template for key-based renewal
You can duplicate an existing computer template, and configure the following settings of the template:
1. On the Subject Name tab of the certificate template, make sure that the Supply in the Request and
Use subject information from existing certificates for autoenrollment renewal requests
options are selected.
2. Switch to the Issuance Requirements tab, and then select the CA cer tificate manager approval
check box.
3. Assign the Read and Enroll permission to the cepcessvc service account for this template.
4. Publish the new template on the CA.
NOTE
Make sure the compatibility settings on the template are set to Windows Server 2012 R2, as there is a known issue in
which the templates are not visible if the compatibility is set to Windows Server 2016 or a later version. For more
information, see Cannot select Windows Server 2016 CA-compatible certificate templates from Windows Server 2016 or
later-based CAs or CEP servers.
NOTE
Make sure that you do not select the “Enable Key-Based Renewal” option if you configure both CEP and CES instances of
username and password authentication.
Method 2
You can use the following PowerShell cmdlets to install the CEP and CES instances:
Import-Module ServerManager
Add-WindowsFeature Adcs-Enroll-Web-Pol
Add-WindowsFeature Adcs-Enroll-Web-Svc
This command installs the Certificate Enrollment Policy Web Service (CEP) by specifying that a username and
password is used for authentication.
NOTE
In this command, <SSLCertThumbPrint> is the thumbprint of the certificate that will be used to bind IIS.
This command installs the Certificate Enrollment Web Service (CES) to use the certification authority for a
computer name of CA1.contoso.com and a CA common name of contoso-CA1-CA . The identity of the CES is
specified as the default application pool identity. The authentication type is username . SSLCertThumbPrint is
the thumbprint of the certificate that will be used to bind IIS.
Step 2: Check the Internet Information Services (IIS) Manager console
After a successful installation, you expect to see the following display in the Internet Information Services (IIS)
Manager console.
Under Default Web Site , select ADPolicyProvider_CEP_UsernamePassword , and then open Application
Settings . Note the ID and the URI .
You can add a Friendly Name for management.
Configure the CEPCES02 instance
Step 1: Install the CEP and CES for key-based renewal on the same server.
This command installs the Certificate Enrollment Policy Web Service (CEP) and specifies that a certificate is used
for authentication.
NOTE
In this command, <SSLCertThumbPrint> is the thumbprint of the certificate that will be used to bind IIS.
Key-based renewal lets certificate clients renew their certificates by using the key of their existing certificate for
authentication. When in key-based renewal mode, the service will return only certificate templates that are set
for key-based renewal.
This command installs the Certificate Enrollment Web Service (CES) to use the certification authority for a
computer name of CA1.contoso.com and a CA common name of contoso-CA1-CA .
In this command, the identity of the Certificate Enrollment Web Service is specified as the cepcessvc service
account. The authentication type is certificate. SSLCertThumbPrint is the thumbprint of the certificate that
will be used to bind IIS.
The RenewalOnly parameter makes CES run in renewal-only mode. The AllowKeyBasedRenewal parameter also
specifies that CES accepts key-based renewal requests for the enrollment server: requests authenticated with a
valid client certificate that does not directly map to a security principal.
NOTE
The service account must be part of IIS_IUSRS group on the server.
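The two install sequences described above, for the CEPCES01 instance (username and password) and the CEPCES02 instance (certificate authentication, renewal-only, key-based renewal), as one added PowerShell script that is not the article's own listing. The parameter names are those of the AD CS deployment cmdlets Install-AdcsEnrollmentPolicyWebService and Install-AdcsEnrollmentWebService; the thumbprint is a placeholder to replace with the IIS SSL certificate on the server, the CA configuration string comes from the article's CA1.contoso.com / contoso-CA1-CA values, and the service account password is prompted for.

```powershell
# Added example, not from the original article. Run on the CEP/CES server with the AD CS
# deployment cmdlets available (Add-WindowsFeature below installs them).
$ErrorActionPreference = 'Stop'

$sslThumb = '<SSLCertThumbPrint>'               # placeholder: thumbprint of the IIS SSL certificate
$caConfig = 'CA1.contoso.com\contoso-CA1-CA'    # "<CA computer name>\<CA common name>" from the article

Import-Module ServerManager
Add-WindowsFeature Adcs-Enroll-Web-Pol, Adcs-Enroll-Web-Svc | Out-Null

# CEPCES01: initial enrollment with username/password. CES runs as the default application pool
# identity, as the article describes for this instance.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Username -SSLCertThumbprint $sslThumb -Force
Install-AdcsEnrollmentWebService -ApplicationPoolIdentity -CAConfig $caConfig `
    -AuthenticationType Username -SSLCertThumbprint $sslThumb -Force

# CEPCES02: certificate authentication for key-based renewal, renewal-only, running as cepcessvc.
# cepcessvc must already be a member of IIS_IUSRS on this server (NOTE above).
$svcPwd = Read-Host -Prompt 'Password for CONTOSO\cepcessvc' -AsSecureString
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -SSLCertThumbprint $sslThumb `
    -KeyBasedRenewal -Force
Install-AdcsEnrollmentWebService -CAConfig $caConfig -AuthenticationType Certificate `
    -ServiceAccountName 'CONTOSO\cepcessvc' -ServiceAccountPassword $svcPwd `
    -SSLCertThumbprint $sslThumb -RenewalOnly -AllowKeyBasedRenewal -Force

# Verification equivalent to the "check the IIS Manager console" steps: one CEP and one CES
# application per instance under the Default Web Site, with the expected application pools.
Import-Module WebAdministration
Get-WebApplication -Site 'Default Web Site' | Select-Object path, applicationPool
```

The username/password pair is installed first so that the CEPCES02 pair reuses the same IIS site and enrollment policy ID; compare the ID in both instances' Application Settings as the NOTE after the IIS check advises.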
Step 2: Check the IIS Manager console
After a successful installation, you expect to see the following display in the IIS Manager console.
NOTE
If the instance is installed on a new server, double-check the ID to make sure that it is the same one that was
generated in the CEPCES01 instance. You can copy and paste the value directly if it is different.
NOTE
You do not have to domain-join the client machine. This account comes into play during certificate-based
authentication in key-based renewal (KBR) for the DS Mapper service.
Step 2: Configure the service account for Constrained Delegation (S4U2Self)
Run the following PowerShell command to enable constrained delegation (S4U2Self or any authentication
protocol):
NOTE
In this command, <cepcessvc> is the service account, and <CA1.contoso.com> is the Certification Authority.
IMPORTANT
We are not enabling the RENEWALONBEHALOF flag on the CA in this configuration because we are using constrained
delegation to do the same job for us. This lets us avoid adding a permission for the service account to the CA's
security.
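The delegation settings described in this step, as an added example that is not the article's own command. It assumes a domain-joined administration host with the ActiveDirectory module, the cepcessvc account and CA1.contoso.com from the article, and (an assumption not stated on this page) that the CES-to-CA traffic is DCOM, so the delegation targets are rpcss service principal names.

```powershell
# Added example, not from the original article. Grants cepcessvc constrained delegation with
# protocol transition ("Use any authentication protocol", S4U2Self) to the CA only, then verifies.
Import-Module ActiveDirectory
$svc     = 'cepcessvc'           # CES service account from the article
$caHost  = 'CA1.contoso.com'     # Certification Authority from the article
$caShort = $caHost.Split('.')[0]

# TrustedToAuthForDelegation is the powerful half: the account can obtain service tickets to the
# targets below on behalf of any user without that user's credentials. Keep the target list to the CA.
Set-ADAccountControl -Identity $svc -TrustedToAuthForDelegation $true

# Assumption: CES reaches the CA over DCOM, hence rpcss/<FQDN> and rpcss/<host> as targets.
Set-ADUser -Identity $svc -Add @{ 'msDS-AllowedToDelegateTo' = @("rpcss/$caHost", "rpcss/$caShort") }

# Verify: only the two CA SPNs should be listed; anything else widens what this account can do.
Get-ADUser -Identity $svc -Properties TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

Changes to a user account's delegation settings are recorded on the domain controller as security event 4738 (A user account was changed), which is worth alerting on for service accounts that carry TrustedToAuthForDelegation.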
Step 3: Configure a custom port on the IIS web server
The two CES endpoint URIs on custom port 49999, as they appear in the edited enrollment server entries
(placeholder for the screenshot that followed; the digits before and after each URI are left as extracted):
140https://cepces.contoso.com:49999/ENTCA_CES_UsernamePassword/service.svc/CES0
181https://cepces.contoso.com:49999/ENTCA_CES_Certificate/service.svc/CES1
4. Enable Certificate Services Client - Certificate Enrollment Policy.
a. Click Add to add an enrollment policy, and enter the CEP URI with UsernamePassword that we edited in
ADSI.
b. For Authentication type, select Username/password.
c. Set a priority of 10, and then validate the policy server.
NOTE
Make sure that the port number is added to the URI and is allowed on the firewall.
6. Open gpedit.msc again. Edit the Certificate Services Client – Certificate Enrollment Policy, and
then add the key-based renewal enrollment policy:
a. Click Add, and enter the CEP URI with Certificate that we edited in ADSI.
b. Set a priority of 1, and then validate the policy server. You will be prompted to authenticate and to choose
the certificate we enrolled initially.
NOTE
Make sure that the priority value of the key-based renewal enrollment policy is lower than that of the Username
Password enrollment policy. The policy with the lowest priority value is tried first.
Method 2
Advance the time and date on the client machine into the renewal time of the certificate template.
For example, the certificate template has a 2-day validity setting and an 8-hour renewal setting configured. The
example certificate was issued at 4:00 A.M. on the 18th day of the month and expires at 4:00 A.M. on the 20th. The
Auto-Enrollment engine is triggered on restart and at every 8-hour interval (approximately).
Therefore, because the renewal window on the template is 8 hours, if you advance the time to 8:10 P.M. on the
19th and run Certutil -pulse (to trigger the AE engine), the certificate is renewed for you.
After the test finishes, revert the time setting to the original value, and then restart the client computer.
NOTE
The previous screenshot is an example to demonstrate that the Auto-Enrollment engine works as expected because the
CA date is still set to the 18th. Therefore, it continues to issue certificates. In a real-life situation, this large amount of
renewals will not occur.
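An added check (not from the article) that works out whether a certificate sits inside its autoenrollment renewal window without touching the system clock, using the article's figures (2-day validity, 8-hour renewal period, issued at 4:00 A.M. on the 18th), and then applies the same test to the local machine store. The calendar year and month in the sample dates and the 8-hour period used for the live scan are assumptions.

```powershell
# Added example, not from the original article.
function Test-InRenewalWindow {
    param(
        [Parameter(Mandatory)][datetime]$NotAfter,
        [Parameter(Mandatory)][timespan]$RenewalPeriod,
        [datetime]$Now = (Get-Date)
    )
    # Autoenrollment renews once less than RenewalPeriod remains before expiry
    # (and the certificate has not already expired).
    return ($Now -ge ($NotAfter - $RenewalPeriod)) -and ($Now -lt $NotAfter)
}

# The article's scenario. Year/month are arbitrary; only day and time matter here.
$issued   = [datetime]'2021-03-18 04:00'
$notAfter = $issued.AddDays(2)            # 4:00 A.M. on the 20th (2-day validity)
$renewal  = New-TimeSpan -Hours 8         # 8-hour renewal period

# 8:10 P.M. on the 19th: inside the window, so certutil -pulse would renew -> True
Test-InRenewalWindow -NotAfter $notAfter -RenewalPeriod $renewal -Now ([datetime]'2021-03-19 20:10')
# Noon on the 19th: 16 hours remain, outside the 8-hour window -> False
Test-InRenewalWindow -NotAfter $notAfter -RenewalPeriod $renewal -Now ([datetime]'2021-03-19 12:00')

# Live check: machine certificates that a renewal-only CES should be receiving requests for now.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { Test-InRenewalWindow -NotAfter $_.NotAfter -RenewalPeriod $renewal } |
    Select-Object Subject, NotAfter, Thumbprint
```

Comparing this list against the CES IIS logs on port 49999 shows whether clients that are due for renewal are actually reaching the certificate-authenticated instance.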
References
Test Lab Guide: Demonstrating Certificate Key-Based Renewal
Certificate Enrollment Web Services
Install-AdcsEnrollmentPolicyWebService
Install-AdcsEnrollmentWebService
See also
Windows Server Security Forum
Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Frequently Asked Questions (FAQ)
Windows PKI Documentation Reference and Library
Windows PKI Blog
How to configure Kerberos Constrained Delegation (S4U2Proxy or Kerberos Only) on a custom service account
for Web Enrollment proxy pages
Active Directory Domain Services
11/2/2020 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You will find links to Active Directory Domain services content on this page.
What's new in Active Directory Domain Services
AD DS Getting Started
AD DS Design and Planning
AD DS Deployment
AD DS Operations
Active Directory Domain Services Virtualization
AD DS Troubleshooting
What's new in Active Directory Domain Services for
Windows Server 2016
3/5/2021 • 5 minutes to read
The following new features in Active Directory Domain Services (AD DS) improve the ability for organizations to
secure Active Directory environments and help them migrate to cloud-only deployments and hybrid
deployments, where some applications and services are hosted in the cloud and others are hosted on premises.
The improvements include:
Privileged access management
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Connecting domain-joined devices to Azure AD for Windows 10 experiences
Enable Microsoft Passport for Work in your organization
Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels
NOTE
Expiring links are available on all linked attributes. But the member/memberOf linked attribute relationship
between a group and a user is the only example where a complete solution such as PAM is preconfigured to use
the expiring links feature.
KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime
to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound
memberships in administrative groups. For example, if you are added to a time-bound group A, then
when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have
remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL
than group A, then the TGT lifetime is equal to the time you have remaining in group B.
New monitoring capabilities to help you easily identify who requested access, what access was granted,
and what activities were performed.
Requirements for Privileged access management
Microsoft Identity Manager
Active Directory forest functional level of Windows Server 2012 R2 or higher.
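The time-bound membership behaviour described above, as an added PowerShell example that is not part of this article. It enables the expiring-links optional feature, adds a user to two time-bound groups with different TTLs and reads the remaining TTLs back, so the TGT-lifetime rule (the lowest remaining TTL wins) can be checked against what the directory reports. The domain name contoso.com, the group names and the user jlow are placeholders.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module and a
# forest at Windows Server 2012 R2 functional level or higher, as the requirements above state.
Import-Module ActiveDirectory

# One-time and irreversible: once enabled, the feature cannot be disabled again.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'

# Two time-bound memberships for the same user (placeholder names).
Add-ADGroupMember -Identity 'Tier0-Admins-A' -Members 'jlow' -MemberTimeToLive (New-TimeSpan -Hours 4)
Add-ADGroupMember -Identity 'Tier0-Admins-B' -Members 'jlow' -MemberTimeToLive (New-TimeSpan -Minutes 45)

# With -ShowMemberTimeToLive, expiring members come back as "<TTL=seconds>,<DN>" strings.
function Get-MembershipTtlSeconds {
    param([string]$Group, [string]$SamAccountName)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            if ((Get-ADUser -Identity $Matches[2]).SamAccountName -eq $SamAccountName) {
                return [int]$Matches[1]
            }
        }
    }
    return $null   # permanent membership, or not a member
}

$ttls = 'Tier0-Admins-A', 'Tier0-Admins-B' |
    ForEach-Object { Get-MembershipTtlSeconds -Group $_ -SamAccountName 'jlow' } |
    Where-Object { $_ -ne $null }

# Per the text, the KDC limits the TGT to the lowest remaining TTL: about 45 minutes here,
# not the 4 hours left in group A.
$capSeconds = ($ttls | Measure-Object -Minimum).Minimum
"Expected maximum TGT lifetime for jlow: $([timespan]::FromSeconds($capSeconds))"
```

After the user logs on, klist on the client shows a TGT whose end time matches the shorter membership; when it expires the user is also no longer in the group, so no manual removal is needed.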
Azure AD Join
Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers, with
improved capabilities for corporate and personal devices.
Benefits:
Availability of Modern Settings on corp-owned Windows devices. Oxygen Services no longer require
a personal Microsoft account: they now run off users' existing work accounts to ensure compliance.
Oxygen Services will work on PCs that are joined to an on-premises Windows domain, and PCs and
devices that are "joined" to your Azure AD tenant ("cloud domain"). These settings include:
Roaming or personalization, accessibility settings and credentials
Backup and Restore
Access to Microsoft Store with work account
Live tiles and notifications
Access organizational resources on mobile devices (phones, tablets) that can't be joined to a
Windows Domain, whether they are corp-owned or BYOD.
Single-Sign On to Office 365 and other organizational apps, websites and resources.
On BYOD devices, add a work account (from an on-premises domain or Azure AD) to a personally-owned
device and enjoy SSO to work resources, via apps and on the web, in a way that helps ensure
compliance with new capabilities such as Conditional Account Control and Device Health attestation.
MDM integration lets you auto-enroll devices to your MDM (Intune or third-party).
Set up "kiosk" mode and shared devices for multiple users in your organization.
Developer experience lets you build apps that cater to both enterprise and personal contexts with a
shared programming stack.
Imaging option lets you choose between imaging and allowing your users to configure corp-owned
devices directly during the first-run experience.
For more information, see Introduction to device management in Azure Active Directory.
Applies To: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Active Directory stores information about objects on the network and makes this information easy for
administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical,
hierarchical organization of directory information.
TOPIC: DESCRIPTION
Active Directory Domain Services Overview: Provides information on basic AD DS features. Includes
technical concepts, links to planning and deployment.
Active Directory Administrative Center: Provides information about the Active Directory Administrative
Center that includes enhanced management experience features. These features ease the administrative
burden for managing Active Directory Domain Services (AD DS).
Active Directory Domain Services Virtualization: Provides overview and technical information on AD DS
Virtualization.
Windows Time Service: Provides details on what the Windows Time Service is, the importance of Time
Protocols, and how the Windows Time Service works.
Active Directory Domain Services Overview
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
A directory is a hierarchical structure that stores information about objects on the network. A directory service,
such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making
this data available to network users and administrators. For example, AD DS stores information about user
accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the
same network to access this information.
Active Directory stores information about objects on the network and makes this information easy for
administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical,
hierarchical organization of directory information.
This data store, also known as the directory, contains information about Active Directory objects. These objects
typically include shared resources such as servers, volumes, printers, and the network user and computer
accounts. For more information about the Active Directory data store, see Directory data store.
Security is integrated with Active Directory through logon authentication and access control to objects in the
directory. With a single network logon, administrators can manage directory data and organization throughout
their network, and authorized network users can access resources anywhere on the network. Policy-based
administration eases the management of even the most complex network. For more information about Active
Directory security, see Security overview.
Active Directory also includes:
A set of rules, the schema, that defines the classes of objects and attributes contained in the directory,
the constraints and limits on instances of these objects, and the format of their names. For more
information about the schema, see Schema.
A global catalog that contains information about every object in the directory. This allows users and
administrators to find directory information regardless of which domain in the directory actually contains
the data. For more information about the global catalog, see The role of the global catalog.
A query and index mechanism, so that objects and their properties can be published and found by
network users or applications. For more information about querying the directory, see Finding directory
information.
A replication service that distributes directory data across a network. All domain controllers in a
domain participate in replication and contain a complete copy of all directory information for their
domain. Any change to directory data is replicated to all domain controllers in the domain. For more
information about Active Directory replication, see Replication overview.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The Active Directory Administrative Center (ADAC) in Windows Server includes enhanced management
experience features. These features ease the administrative burden for managing Active Directory Domain
Services (AD DS). The following topics provide an introduction and additional details:
Introduction to Active Directory Administrative Center Enhancements (Level 100)
Advanced AD DS Management Using Active Directory Administrative Center (Level 200)
Introduction to Active Directory Administrative
Center Enhancements (Level 100)
6/17/2021 • 18 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The Active Directory Administrative Center in Windows Server includes management features for the following:
Active Directory Recycle Bin
Fine-Grained Password Policy
Windows PowerShell History Viewer
NOTE
You can use Server Manager to install Remote Server Administration Tools (RSAT) to use the correct version of
Active Directory Administrative Center to manage Recycle Bin through a user interface.
For information about installing RSAT, see the article Remote Server Administration Tools.
NOTE
Membership in the Enterprise Admins group or equivalent permissions is required to perform the following steps.
For the -Identity argument, specify the fully qualified DNS domain name.
Step 2: Enable Recycle Bin
In this step, you will enable the Recycle Bin to restore deleted objects in AD DS.
To enable Active Directory Recycle Bin in ADAC on the target domain
1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Nodes dialog box, and then click OK.
3. In the Tasks pane, click Enable Recycle Bin..., click OK on the warning message box,
and then click OK on the refresh ADAC message.
4. Press F5 to refresh ADAC.
4. Enter the following information under Account and then click OK:
Full name: test1
User SamAccountName logon: test1
Password: p@ssword1
Confirm password: p@ssword1
5. Repeat the previous steps to create a second user, test2.
To create a test group and add users to the group
1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Nodes dialog box, and then click OK.
3. In the Tasks pane, click New, and then click Group.
4. Enter the following information under Group and then click OK:
Group name: group1
5. Click group1, and then under the Tasks pane, click Properties.
6. Click Members, click Add, type test1;test2, and then click OK.
4. Navigate to the Deleted Objects container, select test2 and test1 and then click Restore in the Tasks
pane.
5. To confirm the objects were restored to their original location, navigate to the target domain and verify
the user accounts are listed.
NOTE
If you navigate to the Properties of the user accounts test1 and test2 and then click Member Of, you will see
that their group membership was also restored.
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure.
Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here
because of formatting constraints.
Windows PowerShell equivalent commands
NOTE
You can use Server Manager to install Remote Server Administration Tools (RSAT) to use the correct version of
Active Directory Administrative Center to manage Recycle Bin through a user interface.
For information about installing RSAT, see the article Remote Server Administration Tools.
1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Nodes dialog box, and then click OK.
3. Click the target domain in the left navigation pane and, in the Tasks pane, click Raise the domain
functional level. Select a forest functional level that is at least Windows Server 2008 or higher and then
click OK.
1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Nodes dialog box, and then click OK.
3. In the ADAC navigation pane, open the System container and then click Password Settings Container.
4. In the Tasks pane, click New, and then click Password Settings.
Fill in or edit fields inside the property page to create a new Password Settings object. The Name and
Precedence fields are required.
5. Under Directly Applies To, click Add, type group1, and then click OK.
This associates the Password Settings object with the members of the global group you created for the test
environment.
6. Click OK to submit the creation.
1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Nodes dialog box, and then click OK.
3. Select the user test1, which belongs to the group group1 that you associated a fine-grained password
policy with in Step 3: Create a new fine-grained password policy.
4. Click View Resultant Password Settings in the Tasks pane.
5. Examine the password settings policy and then click Cancel.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure.
Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here
because of formatting constraints.
Get-ADUserResultantPasswordPolicy test1
1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Nodes dialog box, and then click OK.
3. In the ADAC Navigation Pane, expand System and then click Password Settings Container.
4. Select the fine-grained password policy you created in Step 3: Create a new fine-grained password policy
and click Properties in the Tasks pane.
5. Under Enforce password history, change the value of Number of passwords remembered to 30.
6. Click OK.
1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Nodes dialog box, and then click OK.
3. In the ADAC Navigation Pane, expand System and then click Password Settings Container.
4. Select the fine-grained password policy you created in Step 3: Create a new fine-grained password policy
and in the Tasks pane click Properties.
5. Clear the Protect from accidental deletion checkbox and click OK.
6. Select the fine-grained password policy, and in the Tasks pane click Delete.
7. Click OK in the confirmation dialog.
NOTE
You can use Server Manager to install Remote Server Administration Tools (RSAT) to use the correct version of
Active Directory Administrative Center to manage Recycle Bin through a user interface.
For information about installing RSAT, see the article Remote Server Administration Tools.
Have a basic understanding of Windows PowerShell. For example, you need to know how piping in
Windows PowerShell works. For more information about piping in Windows PowerShell, see Piping and
the Pipeline in Windows PowerShell.
Windows PowerShell History Viewer step-by-step
In the following procedure, you will use the Windows PowerShell History Viewer in ADAC to construct a
Windows PowerShell script. Before you begin this procedure, remove the user test1 from the group group1.
To construct a script using PowerShell History Viewer
1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Nodes dialog box, and then click OK.
3. Expand the Windows PowerShell History pane at the bottom of the ADAC screen.
4. Select the user test1.
5. Click Add to group... in the Tasks pane.
6. Navigate to group1 and click OK in the dialog box.
7. Navigate to the Windows PowerShell History pane and locate the command just generated.
8. Copy the command and paste it into your desired editor to construct your script.
For example, you can modify the command to add a different user to group1 , or add test1 to a different
group.
See Also
Advanced AD DS Management Using Active Directory Administrative Center (Level 200)
Advanced AD DS Management Using Active
Directory Administrative Center (Level 200)
3/5/2021 • 18 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic covers the updated Active Directory Administrative Center with its new Active Directory Recycle Bin,
Fine-grained Password policy, and Windows PowerShell History Viewer in more detail, including architecture,
examples for common tasks, and troubleshooting information. For an introduction, see Introduction to Active
Directory Administrative Center Enhancements (Level 100).
Active Directory Administrative Center Architecture
Enabling and Managing the Active Directory Recycle Bin Using Active Directory Administrative Center
Configuring and Managing Fine-Grained Password Policies Using Active Directory Administrative Center
Using the Active Directory Administrative Center Windows PowerShell History Viewer
Troubleshooting AD DS Management
Enabling and Managing the Active Directory Recycle Bin Using Active
Directory Administrative Center
Capabilities
The Windows Server 2012 or newer Active Directory Administrative Center enables you to configure and
manage the Active Directory Recycle Bin for any domain partition in a forest. There is no longer a
requirement to use Windows PowerShell or Ldp.exe to enable the Active Directory Recycle Bin or restore
objects in domain partitions.
The Active Directory Administrative Center has advanced filtering criteria, making targeted restoration easier
in large environments with many intentionally deleted objects.
Limitations
Because the Active Directory Administrative Center can only manage domain partitions, it cannot restore
deleted objects from the Configuration, Domain DNS, or Forest DNS partitions (you cannot delete objects
from the Schema partition). To restore objects from non-domain partitions, use Restore-ADObject.
The Active Directory Administrative Center cannot restore sub-trees of objects in a single action. For
example, if you delete an OU with nested OUs, users, groups, and computers, restoring the base OU does
not restore the child objects.
NOTE
The Active Directory Administrative Center batch restore operation does a "best effort" sort of the deleted objects
within the selection only so parents are ordered before the children for the restore list. In simple test cases, sub-
trees of objects may be restored in a single action. But corner cases, such as a selection that contains partial trees
- trees with some of the deleted parent nodes missing - or error cases, such as skipping the child objects when
parent restore fails, may not work as expected. For this reason, you should always restore sub-trees of objects as a
separate action after you restore the parent objects.
The Active Directory Recycle Bin requires a Windows Server 2008 R2 Forest Functional Level and you must be a
member of the Enterprise Admins group. Once enabled, you cannot disable Active Directory Recycle Bin. Active
Directory Recycle Bin increases the size of the Active Directory database (NTDS.DIT) on every domain controller
in the forest. Disk space used by the recycle bin continues to increase over time as it preserves objects and all
their attribute data.
Enabling Active Directory Recycle Bin using Active Directory Administrative Center
To enable the Active Directory Recycle Bin, open the Active Directory Administrative Center and click the
name of your forest in the navigation pane. From the Tasks pane, click Enable Recycle Bin.
The Active Directory Administrative Center shows the Enable Recycle Bin Confirmation dialog. This dialog
warns you that enabling the recycle bin is irreversible. Click OK to enable the Active Directory Recycle Bin. The
Active Directory Administrative Center shows another dialog to remind you that the Active Directory Recycle Bin
is not fully functional until all domain controllers replicate the configuration change.
IMPORTANT
The option to enable the Active Directory Recycle Bin is unavailable if:
The forest functional level is less than Windows Server 2008 R2
It is already enabled
Enable-ADOptionalFeature
For more information about using Windows PowerShell to enable the Active Directory Recycle Bin, see the
Active Directory Recycle Bin Step-by-Step Guide.
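The two conditions the IMPORTANT note lists (forest functional level below Windows Server 2008 R2, or the feature already enabled) are the same checks worth making before running Enable-ADOptionalFeature from a script, because the change cannot be undone. The following is an added example, not code from the page or from Microsoft; it assumes the ActiveDirectory module, a placeholder forest name of contoso.com, and Enterprise Admins membership.

```powershell
# Added example (not from the page): enable the Active Directory Recycle Bin with the
# same preconditions the ADAC dialog enforces, then confirm the enabled scope.
# 'contoso.com' is a placeholder forest name. Run as a member of Enterprise Admins.
Import-Module ActiveDirectory

function Enable-RecycleBinChecked {
    param([Parameter(Mandatory)][string]$ForestName)

    $forest  = Get-ADForest -Identity $ForestName
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' `
                   -Server $forest.DomainNamingMaster

    # Precondition 1: forest functional level of at least Windows Server 2008 R2.
    # ADForestMode enumerates in release order, so an integer comparison is safe.
    $minimum = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt $minimum) {
        throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest or higher is required."
    }

    # Precondition 2: not already enabled. EnabledScopes lists the partition DNs the
    # feature applies to; an empty list means it has never been switched on.
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Warning "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
        return $feature
    }

    # Irreversible: once enabled, the feature cannot be disabled again.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false

    # Re-read from the same DC. The feature is only fully functional after every
    # domain controller has replicated this configuration change.
    Get-ADOptionalFeature -Identity $feature -Server $forest.DomainNamingMaster
}

Enable-RecycleBinChecked -ForestName 'contoso.com' | Select-Object Name, EnabledScopes
```

Querying the Domain Naming Master for both the read and the write avoids a stale answer from a DC that has not yet received the change, which is the usual reason a second run of this script still reports an empty EnabledScopes.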
Managing Active Directory Recycle Bin using Active Directory Administrative Center
This section uses the example of an existing domain named corp.contoso.com . This domain organizes users
into a parent OU named UserAccounts . The UserAccounts OU contains three child OUs named by
department, which each contain further OUs, users, and groups.
Restoration
Filtering
Active Directory Administrative Center offers powerful criteria and filtering options that you should become
familiar with before you need to use them in a real-life restoration. Domains intentionally delete many objects
over their lifetime. With a likely deleted object lifetime of 180 days, you cannot simply restore all objects when
an accident occurs.
Rather than writing complex LDAP filters and converting UTC values into dates and times, use the basic and
advanced Filter menu to list only the relevant objects. If you know the day of deletion, the names of objects, or
any other key data, use that to your advantage when filtering. Toggle the advanced filter options by clicking the
chevron to the right of the search box.
The restore operation supports all the standard filter criteria options, the same as any other search. Of the built-
in filters, the important ones for restoring objects are typically:
ANR (ambiguous name resolution - not listed in the menu, but what is used when you type in the Filter box)
Last modified between given dates
Object is user/inetorgperson/computer/group/organization unit
Name
When deleted
Last known parent
Type
Description
City
Country/region
Department
Employee ID
First name
Job title
Last name
SAMaccountname
State/Province
Telephone number
UPN
ZIP/Postal code
You can add multiple criteria. For example, you can find all user objects deleted on September 24, 2012 from
Chicago, Illinois with a job title of Manager.
You can also add, modify, or reorder the column headers to provide more detail when evaluating which objects
to recover.
For more information about Ambiguous Name Resolution, see ANR Attributes.
Single Object
Restoring deleted objects has always been a single operation. The Active Directory Administrative Center makes
that operation easier. To restore a deleted object, such as a single user:
1. Click the domain name in the navigation pane of the Active Directory Administrative Center.
2. Double-click Deleted Objects in the management list.
3. Right-click the object and then click Restore, or click Restore from the Tasks pane.
The object restores to its original location.
Click Restore To... to change the restore location. This is useful if the deleted object's parent container was also
deleted but you do not want to restore the parent.
Multiple Peer Objects
You can restore multiple peer-level objects, such as all the users in an OU. Hold down the CTRL key and click one
or more deleted objects you want to restore. Click Restore from the Tasks pane. You can also select all displayed
objects by holding down the CTRL and A keys, or a range of objects using SHIFT and clicking.
Multiple Parent and Child Objects
It is critical to understand the restoration process for a multi-parent-child restoration because the Active
Directory Administrative Center cannot restore a nested tree of deleted objects with a single action.
1. Restore the top-most deleted object in a tree.
2. Restore the immediate children of that parent object.
3. Restore the immediate children of those parent objects.
4. Repeat as necessary until all objects restore.
You cannot restore a child object before restoring its parent. Attempting this restoration returns the following
error:
The operation could not be performed because the object's parent is either uninstantiated or
deleted.
The Last Known Parent attribute shows the parent relationship of each object. The Last Known Parent
attribute changes from the deleted location to the restored location when you refresh the Active Directory
Administrative Center after restoring a parent. Therefore, you can restore that child object when a parent
object's location no longer shows the distinguished name of the deleted objects container.
Consider the scenario where an administrator accidentally deletes the Sales OU, which contains child OUs and
users.
First, observe the value of the Last Known Parent attribute for all the deleted users and how it reads
OU=Sales\0ADEL:<guid+deleted objects container distinguished name>:
Filter on the ambiguous name Sales to return the deleted OU, which you then restore:
Refresh the Active Directory Administrative Center to see the deleted user object's Last Known Parent attribute
change to the restored Sales OU distinguished name:
Filter on all the Sales users. Hold down the CTRL and A keys to select all the deleted Sales users. Click Restore
to move the objects from the Deleted Objects container to the Sales OU with their group memberships and
attributes intact.
If the Sales OU contained child OUs of its own, then you would restore the child OUs first before restoring their
children, and so on.
To restore all nested deleted objects by specifying a deleted parent container, see Appendix B: Restore Multiple,
Deleted Active Directory Objects (Sample Script).
The Active Directory Windows PowerShell cmdlet for restoring deleted objects is:
Restore-ADObject
The Restore-ADObject cmdlet functionality did not change between Windows Server 2008 R2 and Windows
Server 2012.
Server-side Filtering
It is possible that over time, the Deleted Objects container will accumulate over 20,000 (or even 100,000) objects
in medium and large enterprises and have difficulty showing all objects. Since the filter mechanism in Active
Directory Administrative Center relies on client-side filtering, it cannot show these additional objects. To work
around this limitation, use the following steps to perform a server-side search:
1. Right click the Deleted Objects container and click Search under this node .
2. Click the chevron to expose the +Add criteria menu, select and add Last modified between given dates .
The Last Modified time (the whenChanged attribute) is a close approximation of the deletion time; in most
environments, they are identical. This query performs a server-side search.
3. Locate the deleted objects to restore by using further display filtering, sorting, and so on in the results, and
then restore them normally.
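Both the server-side date filter just described and the parent-before-child restore order from the Sales OU scenario above can be scripted with Get-ADObject and Restore-ADObject. The following is an added example, not code from the page, from Appendix B, or from Microsoft. It assumes the ActiveDirectory module, the placeholder domain controller dc1.corp.contoso.com and a deleted OU named Sales, and it rebuilds the tree from the lastKnownParent values it reads before any restore, so it does not depend on when those values are refreshed.

```powershell
# Added example (not from the page): a server-side search for deleted objects in a date
# window, and a breadth-first restore of a deleted subtree (parents before children).
# 'dc1.corp.contoso.com' and the 'Sales' OU are placeholders from the text's scenario.
Import-Module ActiveDirectory

# The domain controller evaluates this filter, so it works even when the Deleted Objects
# container holds more objects than ADAC can load for client-side filtering.
function Get-DeletedObjectsBetween {
    param(
        [Parameter(Mandatory)][datetime]$From,
        [Parameter(Mandatory)][datetime]$To,
        [Parameter(Mandatory)][string]$Server
    )
    Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and whenChanged -ge $From -and whenChanged -le $To } `
        -Properties lastKnownParent, whenChanged, msDS-LastKnownRDN
}

# Restore a deleted container and everything that was under it. A child restored before
# its parent fails with "the object's parent is either uninstantiated or deleted", so
# each level is restored explicitly into its parent's live distinguished name.
function Restore-DeletedSubtree {
    param(
        [Parameter(Mandatory)][string]$RootDN,   # DN of the root inside CN=Deleted Objects
        [Parameter(Mandatory)][string]$Server
    )
    # Snapshot all deleted objects once. Before any restore, a child's lastKnownParent
    # still holds the parent's deleted DN (OU=Sales\0ADEL:<guid>,CN=Deleted Objects,...),
    # which is exactly the key needed to rebuild the tree.
    $deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true } -Properties lastKnownParent
    $byParent = @{}
    foreach ($o in $deleted) {
        $p = [string]$o.lastKnownParent
        if (-not $p) { continue }
        if ($byParent.ContainsKey($p)) { $byParent[$p] += $o } else { $byParent[$p] = @($o) }
    }
    $root = $deleted | Where-Object DistinguishedName -eq $RootDN
    if (-not $root) { throw "No deleted object with DN '$RootDN'" }

    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Object = $root; TargetPath = $null })
    $restored = 0
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($item.TargetPath) {
            Restore-ADObject -Identity $item.Object.ObjectGUID -TargetPath $item.TargetPath -Server $Server
        } else {
            # Root goes back to its own lastKnownParent, which must still exist.
            Restore-ADObject -Identity $item.Object.ObjectGUID -Server $Server
        }
        $restored++
        # The object's live DN after the restore is the target path for its children.
        $liveDN = (Get-ADObject -Identity $item.Object.ObjectGUID -Server $Server).DistinguishedName
        if ($byParent.ContainsKey($item.Object.DistinguishedName)) {
            foreach ($child in $byParent[$item.Object.DistinguishedName]) {
                $queue.Enqueue(@{ Object = $child; TargetPath = $liveDN })
            }
        }
    }
    return $restored
}

# Usage: locate the Sales OU deleted within the last day, then bring back its whole subtree.
$server  = 'dc1.corp.contoso.com'
$salesOU = Get-DeletedObjectsBetween -From (Get-Date).AddDays(-1) -To (Get-Date) -Server $server |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.'msDS-LastKnownRDN' -eq 'Sales' }
$n = Restore-DeletedSubtree -RootDN $salesOU.DistinguishedName -Server $server
"Restored $n object(s) under Sales"
```

Passing -TargetPath for every non-root object is deliberate: it makes the restore independent of whether a child's lastKnownParent has been rewritten yet, and it keeps every object in the same tree position it had before the deletion. If the root's own parent was also deleted, restore that parent first or supply a -TargetPath for the root, which is the scripted equivalent of the Restore To... option.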
Fill out all required (red asterisk) fields and any optional fields, and then click Add to set the users or groups that
receive this policy. FGPP overrides default domain policy settings for those specified security principals. In the
figure above, an extremely restrictive policy applies only to the built-in Administrator account, to prevent
compromise. The policy is far too complex for standard users to comply with, but is perfect for a high-risk
account used only by IT professionals.
You also set precedence and to which users and groups the policy applies within a given domain.
The Active Directory Windows PowerShell cmdlets for Fine-Grained Password Policy are:
Add-ADFineGrainedPasswordPolicySubject
Get-ADFineGrainedPasswordPolicy
Get-ADFineGrainedPasswordPolicySubject
New-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicySubject
Set-ADFineGrainedPasswordPolicy
Fine-Grained Password Policy cmdlet functionality did not change between the Windows Server 2008 R2 and
Windows Server 2012. As a convenience, the following diagram illustrates the associated arguments for
cmdlets:
The Active Directory Administrative Center also enables you to locate the resultant set of applied FGPP for a
specific user. Right click any user and click View resultant password settings... to open the Password
Settings page that applies to that user through implicit or explicit assignment:
Examining the Properties of any user or group shows the Directly Associated Password Settings, which
are the explicitly assigned FGPPs:
Implicit FGPP assignment does not display here; for that, you must use the View resultant password
settings... option.
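The restrictive-policy-for-Administrator scenario above, the precedence rule, and the resultant-policy check (the scripted form of View resultant password settings... and of the Get-ADUserResultantPasswordPolicy test1 step earlier) fit in one script. This is an added example, not code from the page or from Microsoft; the PSO name PSO-TierZero, its precedence of 10 and the specific limits are placeholders, and it assumes the ActiveDirectory module and a domain functional level of Windows Server 2008 or higher.

```powershell
# Added example (not from the page): create a restrictive fine-grained password policy,
# apply it to the built-in Administrator account, and resolve the effective policy
# for any user. 'PSO-TierZero', precedence 10 and the limits are placeholder values.
Import-Module ActiveDirectory

function New-TierZeroPasswordPolicy {
    param([string]$Name = 'PSO-TierZero', [int]$Precedence = 10)

    # Precedence: when several PSOs apply to a user, the lowest number wins.
    $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -Description 'Restrictive policy for high-risk administrative accounts' `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 24 -PasswordHistoryCount 30 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 30) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true -PassThru

    # Direct assignment to the built-in Administrator, resolved by its well-known RID 500
    # so the assignment still lands on the right account if it has been renamed.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $admin = Get-ADUser -Identity "$domainSid-500"
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $admin
    return $pso
}

# Resultant policy: explicit and group-inherited PSOs resolved by precedence. No result
# means the default domain policy applies, which the Properties page does not show.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$User)
    $r = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($null -eq $r) { return 'Default Domain Policy' }
    return "$($r.Name) (precedence $($r.Precedence), min length $($r.MinPasswordLength))"
}

$pso   = New-TierZeroPasswordPolicy
$admin = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-500"
"Administrator: $(Get-EffectivePasswordPolicy -User $admin.SamAccountName)"
"test1:         $(Get-EffectivePasswordPolicy -User 'test1')"
```

Get-EffectivePasswordPolicy is the check to run after any change to group membership or precedence: because implicit (group-based) assignment is not shown on the Directly Associated Password Settings page, the resultant cmdlet is the only quick way to confirm that a sensitive account has not silently fallen back to a weaker PSO.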
Then, create a user or modify a group's membership. The history viewer continually updates with a collapsed
view of each cmdlet that the Active Directory Administrative Center ran with the arguments specified.
Expand any line item of interest to see all values provided to the cmdlet's arguments:
Click the Start Task menu to create a manual notation before you use Active Directory Administrative Center to
create, modify, or delete an object. Type in what you were doing. When done with your change, select End Task.
The task note groups all of those actions performed into a collapsible note you can use for better understanding.
For example, to see the Windows PowerShell commands used to change a user's password and remove him
from a group:
Selecting the Show All check box also shows the Get-* verb Windows PowerShell cmdlets that only retrieve data.
The history viewer shows the literal commands run by the Active Directory Administrative Center and you
might note that some cmdlets appear to run unnecessarily. For example, you can create a new user with:
new-aduser
set-adaccountpassword
enable-adaccount
set-aduser
The Active Directory Administrative Center's design required minimal code usage and modularity. Therefore,
instead of a set of functions that create new users and another set that modify existing users, it minimally does
each function and then chains them together with the cmdlets. Keep this in mind when you are learning Active
Directory Windows PowerShell. You can also use that as a learning technique, where you see how simply you
can use Windows PowerShell to complete a single task.
Troubleshooting AD DS Management
Introduction to Troubleshooting
Because of its relative newness and lack of usage in existing customer environments, the Active Directory
Administrative Center has limited troubleshooting options.
Troubleshooting Options
Logging Options
The Active Directory Administrative Center now contains built-in logging, as part of a tracing config file.
Create/modify the following file in the same folder as dsac.exe:
dsac.exe.config
Create the following contents (the appSettings and system.diagnostics elements must be children of the
configuration root element of a .NET application configuration file):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- Trace verbosity: None, Error, Warning, Info or Verbose -->
    <add key="DsacLogLevel" value="Verbose" />
  </appSettings>
  <system.diagnostics>
    <trace autoflush="false" indentsize="4">
      <listeners>
        <!-- Write the trace to dsac.trace.log next to dsac.exe -->
        <add name="myListener"
             type="System.Diagnostics.TextWriterTraceListener"
             initializeData="dsac.trace.log" />
        <remove name="Default" />
      </listeners>
    </trace>
  </system.diagnostics>
</configuration>
The verbosity levels for DsacLogLevel are None, Error, Warning, Info, and Verbose. The output file name is
configurable and writes to the same folder as dsac.exe. The output can tell you more about how ADAC is
operating, which domain controllers it contacted, what Windows PowerShell commands executed, what the
responses were, and further details.
For example, while using the INFO level, which returns all results except the trace-level verbosity:
DSAC.exe starts
Logging starts
Domain Controller requested to return initial domain information
[12:42:49][TID 3][Info] Command Id, Action, Command, Time, Elapsed Time ms (output), Number objects (output)
[12:42:49][TID 3][Info] 1, Invoke, Get-ADDomainController, 2012-04-16T12:42:49
[12:42:49][TID 3][Info] Get-ADDomainController-Discover:$null-DomainName:"CORP"-ForceDiscover:$null-Service:ADWS-Writable:$null
Get AD forest
Get Schema information for supported encryption types, FGPP, certain user information
Get all information about the domain object to display to administrator who clicked on the domain head.
[12:42:50][TID 3][Info] Get-ADObject
-IncludeDeletedObjects:$false
-LDAPFilter:"(objectClass=*)"
-Properties:allowedChildClassesEffective,allowedChildClasses,lastKnownParent,sAMAccountType,systemFlags,userAccountControl,displayName,description,whenChanged,location,managedBy,memberOf,primaryGroupID,objectSid,msDS-User-Account-Control-Computed,sAMAccountName,lastLogonTimestamp,lastLogoff,mail,accountExpires,msDS-PhoneticCompanyName,msDS-PhoneticDepartment,msDS-PhoneticDisplayName,msDS-PhoneticFirstName,msDS-PhoneticLastName,pwdLastSet,operatingSystem,operatingSystemServicePack,operatingSystemVersion,telephoneNumber,physicalDeliveryOfficeName,department,company,manager,dNSHostName,groupType,c,l,employeeID,givenName,sn,title,st,postalCode,managedBy,userPrincipalName,isDeleted,msDS-PasswordSettingsPrecedence
-ResultPageSize:"100"
-ResultSetSize:"20201"
-SearchBase:"DC=corp,DC=contoso,DC=com"
-SearchScope:"Base"
-Server:"dc1.corp.contoso.com"
Setting the Verbose level also shows the .NET stacks for each function, but these do not include enough data to
be particularly useful except when troubleshooting the Dsac.exe suffering an access violation or crash. The two
likely causes of this issue are:
The ADWS service is not running on any accessible domain controllers.
Network communications are blocked to the ADWS service from the computer running the Active Directory
Administrative Center.
IMPORTANT
There is also an out-of-band version of the service called the Active Directory Management Gateway, which runs on
Windows Server 2008 SP2 and Windows Server 2003 SP2.
The errors shown when no Active Directory Web Services instances are available are:
ERROR: OPERATION
"Cannot connect to any domain. Refresh or try again when connection is available": Shown at start of the
Active Directory Administrative Center application
"Cannot find an available server in the domain that is running the Active Directory Web Service (ADWS)":
Shown when trying to select a domain node in the Active Directory Administrative Center application
If those tests fail even though the ADWS service is running, the issue is with name resolution or LDAP
and not ADWS or Active Directory Administrative Center. This test fails with error "1355 0x54B
ERROR_NO_SUCH_DOMAIN" if ADWS is not running on any domain controllers though, so double-check
before reaching any conclusions.
3. On the domain controller returned by NLTest, dump the listening port list with command:
Examine the ports.txt file and validate that the ADWS service is listening on port 9389. Example:
If listening, validate the Windows Firewall rules and ensure that they allow 9389 TCP inbound. By default,
domain controllers enable firewall rule "Active Directory Web Services (TCP-in)". If not listening, validate
again that the service is running on this server and restart it. Validate that no other process is already
listening on port 9389.
4. Install NetMon or another network capture utility on the computer running Active Directory
Administrative Center and on the domain controller returned by NLTEST. Gather simultaneous network
captures from both computers, where you start Active Directory Administrative Center and see the error
before stopping the captures. Validate that the client is able to send to and receive from the domain
controller on port TCP 9389. If packets are sent but never arrive, or arrive and the domain controller
replies but they never reach the client, it is likely there is a firewall in between the computers on the
network dropping packets on that port. This firewall may be software or hardware, and may be part of
third party endpoint protection (antivirus) software.
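The checks in steps 3 and 4 can be scripted. The following PowerShell is an added example, not part of the original article. It assumes WinRM is enabled on the domain controller, that you run it from an elevated console on the computer that runs Active Directory Administrative Center, and that dc1.corp.contoso.com stands in for the domain controller NLTest returned:

```powershell
# Added example (not from the original article): scripted version of steps 3 and 4.
# Assumes WinRM access to the domain controller and an elevated console on the
# computer that runs Active Directory Administrative Center.
function Test-AdwsConnectivity {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # the DC that NLTest returned
        [int]$Port = 9389                                    # ADWS listens here by default
    )
    # Client side (step 4 without a packet capture): can this computer open TCP 9389 at all?
    $tcp = Test-NetConnection -ComputerName $DomainController -Port $Port -WarningAction SilentlyContinue
    [PSCustomObject]@{ Check = "Client reaches TCP $Port"; Detail = $DomainController; Ok = $tcp.TcpTestSucceeded }

    # Server side (step 3): service state, listener owner and the inbound firewall rule
    Invoke-Command -ComputerName $DomainController -ArgumentList $Port -ScriptBlock {
        param($Port)
        $svc = Get-Service -Name ADWS -ErrorAction SilentlyContinue
        [PSCustomObject]@{ Check = 'ADWS service running'; Detail = $svc.Status; Ok = ($svc -and $svc.Status -eq 'Running') }

        # The listener should belong to Microsoft.ActiveDirectory.WebServices, not to some other process
        $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1
        $owner = if ($listener) { (Get-Process -Id $listener.OwningProcess).ProcessName } else { 'nothing' }
        [PSCustomObject]@{ Check = "Listening on TCP $Port"; Detail = $owner; Ok = ($owner -like 'Microsoft.ActiveDirectory.WebServices*') }

        $rule = Get-NetFirewallRule -DisplayName 'Active Directory Web Services (TCP-in)' -ErrorAction SilentlyContinue
        [PSCustomObject]@{ Check = 'Firewall rule allows inbound'; Detail = "$($rule.Enabled)/$($rule.Action)"; Ok = ($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Allow') }
    } | Select-Object Check, Detail, Ok
}

Test-AdwsConnectivity -DomainController 'dc1.corp.contoso.com' | Format-Table -AutoSize
```

If the client-side check fails while all three server-side checks pass, something between the two hosts is dropping TCP 9389 and the packet capture in step 4 is the next step; if the listener belongs to another process, that process has taken the port before ADWS started.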
See Also
AD Recycle Bin, Fine-Grained Password Policy, and PowerShell History
Active Directory Domain Services Virtualization
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic lists resources that are available for using virtualized domain controllers.
Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)
Virtualized Domain Controller Technical Reference (Level 300)
Virtualized Domain Controller Cloning Test Guidance for Application Vendors
Support for using Hyper-V Replica for virtualized domain controllers
Safely virtualizing Active Directory Domain Services (AD DS)
11/2/2020
Beginning with Windows Server 2012, AD DS provides greater support for virtualizing domain controllers by
introducing virtualization-safe capabilities. This article explains the role of USNs and InvocationIDs in Domain
Controller replication and discusses some potential issues that can occur.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Registry entry: Dsa Not Writable
Value: 0x4
WARNING
Deleting or manually changing the Dsa Not Writable registry entry value puts the rollback domain controller in a
permanently unsupported state. Therefore, such changes are not supported. Specifically, modifying the value removes the
quarantine behavior added by the USN rollback detection code. The Active Directory partitions on the rollback domain
controller will be permanently inconsistent with direct and transitive replication partners in the same Active Directory
forest.
More information on this registry key and resolution steps can be found in the support article Active Directory
Replication Error 8456 or 8457: "The source | destination server is currently rejecting replication requests".
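A read-only way to find quarantined domain controllers across the domain, as an added example that is not from the original article. It assumes WinRM access to every domain controller and a working ADWS instance for Get-ADDomainController, and it only reads the value, since changing it is unsupported as described above:

```powershell
# Added example (not from the original article): read-only check for the quarantine marker on
# every domain controller. Assumes WinRM access to the DCs and a reachable ADWS instance.
Import-Module ActiveDirectory

function Get-UsnRollbackQuarantine {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Invoke-Command -ComputerName $ComputerName -ArgumentList $key -ScriptBlock {
        param($Key)
        # The value exists only after the USN rollback detection code has quarantined this DC.
        # It is read here, never written: deleting or changing it is unsupported, as the article says.
        $item  = Get-ItemProperty -Path $Key -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
        $value = if ($item) { [int]$item.'Dsa Not Writable' } else { 0 }
        [PSCustomObject]@{
            DomainController = $env:COMPUTERNAME
            DsaNotWritable   = ('0x{0:X}' -f $value)
            Quarantined      = (($value -band 0x4) -ne 0)   # 0x4 is the value documented above
        }
    } | Select-Object DomainController, DsaNotWritable, Quarantined
}

Get-UsnRollbackQuarantine | Format-Table -AutoSize
```

A domain controller reported as Quarantined needs the recovery steps in the support article referenced above, not a registry edit.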
If a domain controller in a production environment is accidentally reverted to a snapshot, consult the vendors
of the applications and services hosted on that virtual machine for guidance on verifying the state of those
programs after the snapshot restore.
For more information, see Virtualized domain controller safe restore architecture.
Next steps
For more troubleshooting information about virtualized domain controllers, see Virtualized Domain
Controller Troubleshooting.
Detailed information about Windows Time Service (W32Time)
Virtualized Domain Controller Technical Reference (Level 300)
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The virtualized domain controller (VDC) technical reference consists of the following topics:
Virtualized Domain Controller Architecture
Virtualized Domain Controller Deployment and Configuration
Virtualized Domain Controller Troubleshooting
Virtualized Domain Controller Technical Reference Appendix
Virtualized Domain Controller Additional Resources
Virtualized Domain Controller Architecture
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic covers the architecture of virtualized domain controller cloning and safe restore. It shows the
cloning and safe restore processes as flowcharts and then explains each step in the process in detail.
Virtualized domain controller cloning architecture
Virtualized domain controller safe restore architecture
NOTE
This part of the safe restore overlaps with the cloning process. Although this process is about safe restore of a virtual
domain controller after it boots up following a snapshot restore, the same steps happen during the cloning process.
The following diagram shows how virtualization safeguards prevent divergence induced by USN rollback when
a snapshot is restored on a running virtual domain controller.
NOTE
The preceding illustration is simplified to explain the concepts.
1. At time T1, the hypervisor administrator takes a snapshot of virtual DC1. DC1 at this time has a USN
value (highestCommittedUsn in practice) of 100 and an InvocationId (represented as ID in the preceding
diagram) value of A (in practice this would be a GUID). The savedVMGID value is the VM-GenerationID in
the DIT file of the DC (stored against the computer object of the DC in an attribute named msDS-
GenerationId). The VMGID is the current value of the VM-GenerationId available from the virtual
machine driver. This value is supplied by the hypervisor.
2. At a later time T2, 100 users are added to this DC (consider users as an example of updates that could
have been performed on this DC between time T1 and T2; these updates could actually be a mix of user
creations, group creations, password updates, attribute updates, and so on). In this example, each update
consumes one unique USN (though in practice a user creation may consume more than one USN). Before
committing these updates, DC1 checks if the value of VM-GenerationID in its database (savedVMGID) is
the same as the current value available from the driver (VMGID). They are same, as no rollback has
happened yet, so the updates are committed and USN moves up to 200, indicating that the next update
can use USN 201. There is no change in InvocationId, savedVMGID, or VMGID. These updates replicate
out to DC2 at the next replication cycle. DC2 updates its high watermark (and up-to-dateness vector),
represented here simply as DC1(A) @USN = 200. That is, DC2 is aware of all updates from DC1 in the
context of InvocationId A through USN 200.
3. At time T3, the snapshot taken at time T1 is applied to DC1. DC1 has been rolled back, so its USN rolls
back to 100, indicating it could use USNs from 101 to associate with subsequent updates. However, at
this point, the value of VMGID would be different on hypervisors that support VM-GenerationID.
4. Subsequently, when DC1 performs any update, it checks whether the value of VM-GenerationId that it
has in its database (savedVMGID) is the same as the value from the virtual machine driver (VMGID). In
this case, it is not the same, so DC1 infers this as indicative of a rollback, and it triggers virtualization
safeguards; in other words, it resets its InvocationId (ID = B) and discards the RID pool (not shown in the
preceding diagram). It then saves the new value of VMGID in its database and commits those updates
(USN 101 - 250) in the context of the new InvocationId B. At the next replication cycle, DC2 knows
nothing from DC1 in the context of InvocationId B, so it requests everything from DC1 associated with
InvocationID B. As a result, the updates performed on DC1 subsequent to the application of snapshot will
safely converge. In addition, the set of updates that were performed on DC1 at T2 (which were lost on
DC1 after the restore of the snapshot) would replicate back into DC1 at the next scheduled replication
because they had replicated out to DC2 (as indicated by the dotted line back to DC1).
After the guest employs virtualization safeguards, NTDS replicates Active Directory object differences inbound
non-authoritatively from a partner domain controller. The up-to-dateness vector of the destination directory
service is updated accordingly. Then the guest synchronizes SYSVOL:
If using FRS, the guest stops the NTFRS service and sets D2 BURFLAGS registry value. It then starts the
NTFRS service, which non-authoritatively replicates inbound, re-using existing unchanged SYSVOL data
when possible.
If using DFSR, the guest stops the DFSR service and deletes the DFSR database files (default location:
%systemroot%\system volume information\dfsr\). It then starts the DFSR service, which non-
authoritatively replicates inbound, re-using existing unchanged SYSVOL data when possible.
NOTE
If the hypervisor does not provide a VM-Generation ID for comparison, the hypervisor does not support virtualization
safeguards and the guest will operate like a virtualized domain controller that runs Windows Server 2008 R2 or earlier.
The guest implements USN rollback quarantine protection if there is an attempt to start replicating with USNs that
have not advanced past the last highest USN seen by the partner DC. For more information about USN rollback
quarantine protection, see USN and USN Rollback
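To make the mechanics of steps 1 through 4 and of the note about hypervisors without VM-Generation ID concrete, here is a small PowerShell simulation. It is an added example, not code from the article or from Windows: DC1, DC2, the single-letter InvocationIds and the G1/G2 generation IDs are invented stand-ins, and RID pool discarding and SYSVOL synchronization are not modelled.

```powershell
# Added example, not code from the original article: a toy model of the safeguard described in
# steps 1-4 above. DC1 is the restored DC, DC2 its partner. Nothing here touches a real directory;
# USNs, InvocationIds and VM-GenerationIds are simulated values.

function New-SimDC {
    param([string]$Name)
    [PSCustomObject]@{
        Name         = $Name
        Usn          = 100      # highestCommittedUsn
        InvocationId = 'A'      # a GUID in practice
        SavedVmgid   = 'G1'     # msDS-GenerationId stored in the DIT
        Changes      = @{}      # originating write "InvocationId:USN" -> what was written
        Utd          = @{}      # up-to-dateness vector: InvocationId -> highest originating USN known
    }
}

function Invoke-SimUpdate {
    param($DC, [int]$Count, [string]$Kind, [string]$DriverVmgid)
    # Safeguard: compare the VM-GenerationId in the DIT with the value the VM driver reports
    if ($DC.SavedVmgid -ne $DriverVmgid) {
        $DC.Utd[$DC.InvocationId] = $DC.Usn                                   # old identity is known only this far
        $DC.InvocationId = [string][char]([int][char]$DC.InvocationId + 1)   # A -> B (a new GUID in practice)
        $DC.SavedVmgid   = $DriverVmgid                                       # RID pool would be discarded here too (not modelled)
    }
    for ($i = 1; $i -le $Count; $i++) {
        $DC.Usn = $DC.Usn + 1
        $DC.Changes["$($DC.InvocationId):$($DC.Usn)"] = "$Kind $i"
    }
    $DC.Utd[$DC.InvocationId] = $DC.Usn
}

function Invoke-SimReplicate {
    param($Source, $Dest)
    # Dest pulls every originating write whose (InvocationId, USN) lies beyond its own UTD vector,
    # then merges the source's UTD vector into its own
    foreach ($key in @($Source.Changes.Keys)) {
        $inv, $usn = $key.Split(':')
        $known = if ($Dest.Utd.ContainsKey($inv)) { $Dest.Utd[$inv] } else { 0 }
        if ([int]$usn -gt $known) { $Dest.Changes[$key] = $Source.Changes[$key] }
    }
    foreach ($inv in @($Source.Utd.Keys)) {
        if (-not $Dest.Utd.ContainsKey($inv) -or $Source.Utd[$inv] -gt $Dest.Utd[$inv]) { $Dest.Utd[$inv] = $Source.Utd[$inv] }
    }
}

function Invoke-SimScenario {
    param([bool]$HypervisorSupportsVmgid)
    $dc1 = New-SimDC 'DC1'; $dc2 = New-SimDC 'DC2'
    $snapshot = @{ Usn = $dc1.Usn; InvocationId = $dc1.InvocationId; SavedVmgid = $dc1.SavedVmgid
                   Changes = $dc1.Changes.Clone(); Utd = $dc1.Utd.Clone() }   # T1: hypervisor snapshot
    Invoke-SimUpdate $dc1 100 'user' 'G1'                                      # T2: USN 101..200 under A
    Invoke-SimReplicate -Source $dc1 -Dest $dc2                                #     DC2 knows DC1(A) @ 200
    foreach ($p in $snapshot.Keys) { $dc1.$p = $snapshot[$p] }                 # T3: snapshot applied, USN back to 100
    $driver = if ($HypervisorSupportsVmgid) { 'G2' } else { 'G1' }             #     new VM-GenerationId, or not
    Invoke-SimUpdate $dc1 150 'group' $driver                                  # T4: 150 more writes
    Invoke-SimReplicate -Source $dc1 -Dest $dc2
    Invoke-SimReplicate -Source $dc2 -Dest $dc1                                # the T2 users flow back (dotted line)
    $divergent = @(@($dc1.Changes.Keys) + @($dc2.Changes.Keys) | Sort-Object -Unique |
                   Where-Object { $dc1.Changes[$_] -ne $dc2.Changes[$_] }).Count
    [PSCustomObject]@{
        VmgidSupported  = $HypervisorSupportsVmgid
        DC1Invocation   = $dc1.InvocationId
        DC1Usn          = $dc1.Usn
        DC1Objects      = $dc1.Changes.Count
        DC2Utd          = (($dc2.Utd.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key)@$($_.Value)" }) -join ' ')
        DivergentWrites = $divergent
    }
}

Invoke-SimScenario -HypervisorSupportsVmgid $true
Invoke-SimScenario -HypervisorSupportsVmgid $false
```

With VM-Generation ID support, DC1 ends with InvocationId B, USN 250 and 250 objects, DC2's vector reads A@200 B@250, and no writes diverge. Without it, DC1 reuses USNs 101 through 250 under InvocationId A; DC2 already believes it has A through 200, so it asks only for 201 through 250, and the 100 writes under USNs 101 through 200 silently differ between the two DCs with nothing on either side flagging it. That silent divergence is exactly what the safeguards exist to prevent.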
Virtualized Domain Controller Deployment and Configuration
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Installation Considerations
There is no special role or feature installation for virtualized domain controllers; all domain controllers
automatically contain cloning and safe restore capabilities. You cannot remove or disable these capabilities.
Use of Windows Server 2012 domain controllers requires a Windows Server 2012 AD DS Schema version 56 or
higher and forest functional level equal to Windows Server 2003 Native or higher.
Both writable and read-only domain controllers support all aspects of virtualized DC, as do Global Catalogs and
FSMO roles.
IMPORTANT
The PDC Emulator FSMO role holder must be online when cloning begins.
Platform Requirements
Virtualized Domain Controller cloning requires:
PDC emulator FSMO role hosted on a Windows Server 2012 DC
PDC emulator available during cloning operations
Both cloning and safe restore require:
Windows Server 2012 virtualized guests
Virtualization host platform supports VM-Generation ID (VMGID)
Review the table below for virtualization products and whether they support virtualized domain controllers and
VM-Generation ID.
Virtualization product: Microsoft Windows Server 2012 server with Hyper-V feature
Supports virtualized domain controllers and VMGID: Yes
Even though Microsoft supports Windows 7 Virtual PC, Virtual PC 2007, Virtual PC 2004, and Virtual Server
2005, they cannot run 64-bit guests, nor do they support VM-GenerationID.
For help with third party virtualization products and their support stance with virtualized domain controllers,
contact that vendor directly.
For more information, review Support policy for Microsoft software running in non-Microsoft hardware
virtualization software.
Critical Caveats
Virtualized domain controllers do not support safe restore of the following:
VHD and VHDX files manually copied over existing VHD files
VHD and VHDX files restored using file backup or full disk backup software
NOTE
VHDX files are new to Windows Server 2012 Hyper-V.
Neither of these operations is covered by VM-GenerationID semantics, so neither changes the VM-Generation
ID. Restoring domain controllers using these methods can result in a USN rollback that either quarantines the
domain controller or introduces lingering objects and the need for forest-wide cleanup operations.
WARNING
Virtualized domain controller safe restore is not a replacement for system state backups and the AD DS Recycle Bin.
After restoring a snapshot, the deltas of previously un-replicated changes originating from that domain controller after
the snapshot are permanently lost. Safe restore implements automated non-authoritative restoration to prevent
accidental domain controller quarantine only.
For more information about USN bubbles and lingering objects, see Troubleshooting Active Directory
operations that fail with error 8606: "Insufficient attributes were given to create an object".
NOTE
Windows Server 2012 extends the existing Directory Replication Service (DRS) Remote Protocol (UUID
E3514235-4B06-11D1-AB04-00C04FC2DCD2 ) to include a new RPC method IDL_DRSAddCloneDC
(Opnum 28 ). The IDL_DRSAddCloneDC method creates a new domain controller object by copying attributes
from an existing domain controller object.
The states of a domain controller are composed of computer, server, NTDS settings, FRS, DFSR, and connection
objects maintained for each domain controller. When duplicating an object, this RPC method replaces all references
to the original domain controller with corresponding objects of the new domain controller. The caller must have
the control access right DS-Clone-Domain-Controller on the domain naming context.
Use of this new method always requires direct access to the PDC emulator domain controller from the caller.
Because this RPC method is new, your network analysis software requires updated parsers to include fields for the
new Opnum 28 in the existing UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2. Otherwise, you cannot parse
this traffic.
For more information, see 4.1.29 IDL_DRSAddCloneDC (Opnum 28).
This also means that when using non-fully routed networks, virtualized domain controller cloning
requires network segments with access to the PDCE. It is acceptable to move a cloned domain controller
to a different network after cloning - just like a physical domain controller - as long as you are careful to update
the AD DS logical site information.
IMPORTANT
When cloning a domain that contains only a single domain controller, you must ensure the source DC is back online
before starting the clone copies. A production domain should always contain at least two domain controllers.
Get-ADDomainController
Get-ADComputer
If no domain is specified, these cmdlets assume the domain of the computer on which they run.
The following command returns PDCE and Operating System info:
This example below demonstrates specifying the domain name and filtering the returned properties before the
Windows PowerShell pipeline:
For instance, this adds server DC1 to the group, without the need to specify the distinguished name of the group
member:
1. Open Active Directory Administrative Center, right-click the domain head, click Properties, click the
Extensions tab, click Security, and then click Advanced. Click This Object Only.
2. Click Add, under Enter the object name to select, type the group name Cloneable Domain
Controllers.
3. Under Permissions, click Allow a DC to create a clone of itself, and then click OK.
NOTE
You can also remove the default permission and add individual domain controllers. Doing so is likely to cause ongoing
maintenance problems however, where new administrators are unaware of this customization. Changing the default
setting does not increase security and is discouraged.
Windows PowerShell Method
Use the following commands in an administrator-elevated Windows PowerShell console prompt. These
commands detect the domain name and add back in the default permissions:
import-module activedirectory
cd ad:
# The domain naming context whose ACL receives the extended right
$domainNC = get-addomain
$dcgroup = get-adgroup "Cloneable Domain Controllers"
$sid1 = (get-adgroup $dcgroup).sid
$acl = get-acl $domainNC
# DS-Clone-Domain-Controller control access right ("Allow a DC to create a clone of itself")
$objectguid = new-object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
# Allow the group the extended right identified by that GUID, then write the ACL back
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid1,"ExtendedRight","Allow",$objectguid
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl $domainNC
cd c:
Alternatively, run the sample FixVDCPermissions.ps1 in a Windows PowerShell console started as an elevated
administrator on a domain controller in the affected domain. It automatically sets the permissions.
The sample is located in the appendix of this module.
Step 4 - Remove Incompatible applications or services (if not using CustomDCCloneAllowList.xml)
Any programs or services previously returned by Get-ADDCCloningExcludedApplicationList - and not added to
the CustomDCCloneAllowList.xml - must be removed prior to cloning. Uninstalling the application or service is
the recommended method.
WARNING
Any incompatible program or service not uninstalled or added to the CustomDCCloneAllowList.xml prevents cloning.
Use the Get-AdComputerServiceAccount cmdlet to locate any standalone Managed Service Accounts (MSAs) in
the domain and if this computer is using any of them. If any MSA is installed, use the Uninstall-
ADServiceAccount cmdlet to remove the locally installed service account. Once you are done with taking the
source domain controller offline in step 6, you can re-add the MSA using Install-ADServiceAccount when the
server is back online. For more information, see Uninstall-ADServiceAccount.
IMPORTANT
Standalone MSAs - first released in Windows Server 2008 R2 - were replaced in Windows Server 2012 with group MSAs.
Group MSAs support cloning.
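The preparation steps above (PDC emulator requirements, membership in Cloneable Domain Controllers, the DS-Clone-Domain-Controller permission on the domain naming context, incompatible applications and standalone MSAs) can be verified in one pass. The following PowerShell function is an added example, not a Microsoft-supplied script. It assumes it runs in an elevated console on the source domain controller with the ActiveDirectory module available; the extended-right GUID is the one used in the set-acl example above, and the only thing it changes (on request) is the group membership:

```powershell
# Added example (not from the original article): pre-clone readiness check run on the source DC.
# Assumes an elevated console on the source DC with the ActiveDirectory module loaded.
Import-Module ActiveDirectory

function Test-DCCloneReadiness {
    param(
        [string]$SourceDC = $env:COMPUTERNAME,   # hypothetical default: run on the source DC itself
        [switch]$AddToCloneableGroup              # the one change this script is allowed to make
    )
    $domain = Get-ADDomain
    # PDC emulator must run Windows Server 2012 (NT 6.2) or later and must be online while cloning
    $pdc   = Get-ADDomainController -Identity $domain.PDCEmulator
    $pdcOk = ($pdc.OperatingSystemVersion -match '^(\d+)\.(\d+)') -and
             ([version]"$($Matches[1]).$($Matches[2])" -ge [version]'6.2')
    $pdcReachable = Test-Connection -ComputerName $pdc.HostName -Count 1 -Quiet

    # Source DC must be a member of Cloneable Domain Controllers
    $group   = Get-ADGroup -Identity 'Cloneable Domain Controllers'
    $inGroup = (Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name) -contains $SourceDC
    if (-not $inGroup -and $AddToCloneableGroup) {
        Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $SourceDC)
        $inGroup = $true
    }

    # The group needs the DS-Clone-Domain-Controller control access right on the domain NC
    $cloneRight = [guid]'3e0f7e18-2c7a-4c10-ba82-4d926db99a3e'
    $acl   = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $aceOk = [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $cloneRight -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.IdentityReference.Value -like '*\Cloneable Domain Controllers'
    })

    # Anything still listed here blocks cloning unless it is added to CustomDCCloneAllowList.xml
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    # Standalone MSAs (objectClass msDS-ManagedServiceAccount) must be uninstalled first; gMSAs are fine
    $msas = @(Get-ADComputerServiceAccount -Identity $SourceDC |
              Where-Object { $_.ObjectClass -eq 'msDS-ManagedServiceAccount' })

    [PSCustomObject]@{
        PdcEmulator             = $pdc.HostName
        PdcIs2012OrLater        = $pdcOk
        PdcReachable            = $pdcReachable
        InCloneableGroup        = $inGroup
        CloneAceOnDomainNC      = $aceOk
        ExcludedApplications    = ($excluded | ForEach-Object { $_.Name }) -join ', '
        StandaloneMSAsInstalled = ($msas | ForEach-Object { $_.Name }) -join ', '
        ReadyToClone            = ($pdcOk -and $pdcReachable -and $inGroup -and $aceOk -and
                                   $excluded.Count -eq 0 -and $msas.Count -eq 0)
    }
}

Test-DCCloneReadiness | Format-List
```

Run it before New-ADDCCloneConfigFile; anything reported under ExcludedApplications or StandaloneMSAsInstalled has to be removed (or, for applications, listed in CustomDCCloneAllowList.xml) before cloning will proceed.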
New-ADDCCloneConfigFile
You run the cmdlet on the proposed source domain controller that you intend to clone. The cmdlet supports
multiple arguments and when used, always tests the computer and environment where it is run unless you
specify the -offline argument.
ACTIVEDIRECTORY CMDLET ARGUMENTS | EXPLANATION
Stop-computer
Stop-vm
Stop-computer is a cmdlet that supports shutting down computers regardless of virtualization, and is analogous
to the legacy Shutdown.exe utility. Stop-vm is a new cmdlet in the Windows Server 2012 Hyper-V Windows
PowerShell module, and is equivalent to the power options in Hyper-V Manager. The latter is useful in lab
environments where the domain controller often operates on a private virtualized network.
WARNING
Snapshots are differencing disks that can return a domain controller to a previous state. If you were to clone a domain
controller and then restore its pre-cloning snapshot, you would end up with duplicate domain controllers in the forest.
There is no value in prior snapshots on a newly cloned domain controller.
Use the Hyper-V Manager snap-in to determine which disks are associated with the source domain controller.
Use the Inspect option to validate if the domain controller uses differencing disks (which requires that you copy
the parent disk also)
To delete snapshots, select a VM and delete the snapshot subtree.
You can then manually copy the VHD or VHDX files using Windows Explorer, Xcopy.exe, or Robocopy.exe. No
special steps are required. It is a best practice to change the file names even if moving to another folder.
NOTE
If copying between host computers on a LAN (1-Gbit or greater), the Xcopy.exe /J option copies VHD/VHDX files
considerably faster than any other tool, at the cost of much greater bandwidth usage.
Windows PowerShell Method
To determine the disks using Windows PowerShell, use the Hyper-V Modules:
Get-vmidecontroller
Get-vmscsicontroller
Get-vmfibrechannelhba
Get-vmharddiskdrive
For example, you can return all IDE hard drives from a VM named DC2 with the following sample:
If the disk path points to an AVHD or AVHDX file, it is a snapshot. To delete the snapshots associated with a disk
and merge in the real VHD or VHDX, use cmdlets:
Get-VMSnapshot
Remove-VMSnapshot
To copy the files using Windows PowerShell, use the following cmdlet:
Copy-Item
Combine with VM cmdlets in pipelines to aid automation. The pipeline is a channel used between multiple
cmdlets to pass data. For example, to copy the drive of an offline source domain controller named DC2-
SOURCECLONE to a new disk called c:\temp\copy.vhd without the need to know the exact path to its system
drive:
IMPORTANT
You cannot use pass-through disks with cloning, as they do not use a virtual disk file but instead an actual hard disk.
NOTE
For more information about more Windows PowerShell operations with pipelines, see Piping and the Pipeline in Windows
PowerShell.
Exporting the VM
As an alternative to copying the disks, you can export the entire Hyper-V VM as a copy. Exporting automatically
creates a folder named for the VM and containing all disks and configuration information.
Hyper-V Manager Method
Export-vm
NOTE
Windows Server 2012 Hyper-V supports new export and import capabilities that are outside the scope of this training.
Review TechNet for more information.
To create a merged disk from a complex set of parents using the Hyper-V Windows PowerShell module, use
cmdlet:
Convert-VHD
For example, to export the entire chain of a VM's disk snapshots (this time not including any differencing disks)
and parent disk into a new single disk named DC4-CLONED.VHDX:
To create a clone domain controller named Clone2 in offline mode with static IPv4 and static IPv6 settings, type:
To create a clone domain controller in offline mode with static IPv4 and dynamic IPv6 settings and specify
multiple DNS servers for the DNS resolver settings, type:
To create a clone domain controller named Clone1 in offline mode with dynamic IPv4 and static IPv6 settings,
type:
To create a clone domain controller in offline mode with dynamic IPv4 and dynamic IPv6 settings, type:
Windows Explorer Method
Windows Server 2012 now offers a graphical option for mounting VHD and VHDX files. This requires
installation of the Desktop Experience feature on Windows Server 2012.
1. Click the newly copied VHD/VHDX file that contains the source DC's system drive or DSA Working
Directory location folder, and then click Mount from the Disc Image Tools menu.
2. In the now-mounted drive, copy the XML files to a valid location. You may be prompted for permissions
to the folder.
3. Click the mounted drive and click Eject from the Disk Tools menu.
Windows PowerShell Method
Alternatively, you can mount the offline disk and copy the XML file using the Windows PowerShell cmdlets:
mount-vhd
get-disk
get-partition
get-volume
Add-PartitionAccessPath
Copy-Item
This allows you complete control over the process. For instance, the drive can be mounted with a specific drive
letter, the file copied, and the drive dismounted.
mount-vhd <disk path> -passthru -nodriveletter | get-disk | get-partition | where {$_.PartitionNumber -eq 2} | Add-PartitionAccessPath -accesspath <drive letter>
For example:
Alternatively, you can use the new Mount-DiskImage cmdlet to mount a VHD (or ISO) file.
Step 8 - Create the New Virtual Machine
The final configuration step before starting the cloning process is creating a new VM that uses the disks from
the copied source domain controller. Depending on the selection made in the copying disks phase, you have two
options:
1. Associate a new VM with the copied disk
2. Import the exported VM
Associating a New VM with Copied Disks
If you copied the system disk manually, you must create a new virtual machine using the copied disk. The
hypervisor automatically sets the VM-Generation ID when a new VM is created; no configuration changes are
required in the VM or Hyper-V host.
Windows PowerShell Method
You can use the Hyper-V Windows PowerShell module to automate VM creation in Windows Server 2012, using
the following cmdlet:
New-VM
For example, here the DC4-CLONEDFROMDC2 VM is created, using 1GB of RAM, booting from the c:\vm\dc4-
systemdrive-clonedfromdc2.vhd file, and using the 10.0 virtual network:
Import VM
If you previously exported your VM, you now need to import it back in as a copy. This uses the exported XML to
recreate the computer using all the previous settings, drives, networks, and memory settings.
If you intend to create additional copies from the same exported VM, make as many copies of the exported VM
as necessary. Then use Import for each copy.
IMPORTANT
It is important to use the Copy option, as export preserves all information from the source; importing the server with
Move or In Place causes information collision if done on the same Hyper-V host server.
Hyper-V Manager Method
Windows PowerShell Method
You can use the Hyper-V Windows PowerShell module to automate VM import in Windows Server 2012, using
the following cmdlets:
Import-VM
Rename-VM
For example, here the exported VM DC2-CLONED is imported using its automatically determined XML file, then
renamed immediately to its new VM name DC5-CLONEDFROMDC2:
Get-VMSnapshot
Remove-VMSnapshot
For example:
WARNING
Ensure that, when importing the computer, static MAC addresses were not assigned to the source domain controller. If a
source computer with a static MAC is cloned, those copied computers will not correctly send or receive any network
traffic. Set a new unique static or dynamic MAC address if this is the case. You can see if a VM uses static MAC addresses
with the command:
Get-VM -VMName test-vm | Get-VMNetworkAdapter | fl *
IMPORTANT
Keeping domain controllers turned off for an extended period of time is not recommended and if the clone is joining the
same site as its source DC, the initial intra and inter-site replication topology may take longer to build if the source
domain controller is offline.
If using Windows PowerShell to start a VM, the new Hyper-V Module cmdlet is:
Start-VM
For example:
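The disk copy, VM creation and start-up steps above, scripted end to end for Hyper-V as an added example (not code from the article). It assumes the source VM DC2-SOURCECLONE is already shut down with its DCCloneConfig.xml in place, that the clone should be called DC4-CLONEDFROMDC2 on a virtual switch named 10.0 with 1 GB of memory, and that C:\vm exists on the host; every name and path is illustrative:

```powershell
# Added example (not from the original article): copy the source DC's system disk, create the
# clone VM and start both. Run on the Hyper-V host; VM names, switch name and paths are illustrative.
Import-Module Hyper-V

function Copy-DCSourceDisk {
    param([string]$SourceVM, [string]$DestinationFolder, [string]$NewName)
    $vm = Get-VM -Name $SourceVM
    if ($vm.State -ne 'Off') { throw "$SourceVM must be shut down before its disk is copied" }

    # Snapshots are worthless on a clone and dangerous on the source: drop the whole subtree and
    # wait for Hyper-V to merge the AVHD/AVHDX files back into the real disk
    Get-VMSnapshot -VMName $SourceVM | Where-Object { -not $_.ParentSnapshotId } |
        Remove-VMSnapshot -IncludeAllChildSnapshots
    while (Get-VMHardDiskDrive -VMName $SourceVM | Where-Object { $_.Path -like '*.avhd*' }) { Start-Sleep -Seconds 5 }

    # First disk on the first controller is the system drive in the examples above
    $drive = Get-VMHardDiskDrive -VMName $SourceVM |
             Sort-Object ControllerNumber, ControllerLocation | Select-Object -First 1
    if (-not $drive.Path) { throw 'Pass-through disks have no virtual disk file and cannot be cloned' }
    $ext  = if ($drive.Path -match 'x$') { '.vhdx' } else { '.vhd' }   # keep the source format
    $dest = Join-Path $DestinationFolder ($NewName + $ext)            # new file name, as the text recommends

    if ((Get-VHD -Path $drive.Path).VhdType -eq 'Differencing') {
        # Collapse the parent chain and the child into one new file instead of copying both
        Convert-VHD -Path $drive.Path -DestinationPath $dest -VHDType Dynamic
    } else {
        Copy-Item -Path $drive.Path -Destination $dest
    }
    return $dest
}

function New-DCCloneVM {
    param([string]$Name, [string]$VhdPath, [string]$SwitchName, [long]$MemoryBytes = 1GB)
    # A brand-new VM receives a fresh VM-GenerationId from the hypervisor; nothing has to be
    # configured in the guest or on the host for that
    $vm = New-VM -Name $Name -MemoryStartupBytes $MemoryBytes -VHDPath $VhdPath -SwitchName $SwitchName
    # A static MAC inherited from the source would leave the clone unable to send or receive traffic
    $vm | Get-VMNetworkAdapter | Where-Object { -not $_.DynamicMacAddressEnabled } |
        Set-VMNetworkAdapter -DynamicMacAddress
    return $vm
}

$disk  = Copy-DCSourceDisk -SourceVM 'DC2-SOURCECLONE' -DestinationFolder 'C:\vm' -NewName 'dc4-systemdrive-clonedfromdc2'
$clone = New-DCCloneVM -Name 'DC4-CLONEDFROMDC2' -VhdPath $disk -SwitchName '10.0'
Start-VM -VM $clone
# Bring the source back online too; leaving it off delays the replication topology build
Start-VM -Name 'DC2-SOURCECLONE'
```

The clone boots, finds the DCCloneConfig.xml on the copied disk, and runs the cloning workflow; if it instead lands in Directory Services Restore Mode, the readiness checks earlier in this procedure are the first thing to revisit.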
Once the computer restarts after cloning completes, it is a domain controller and you can log on normally to
confirm normal operation. If there are any errors, the server is set to start in Directory Services Restore Mode
for investigation.
Virtualization safeguards
Unlike virtualized domain controller cloning, Windows Server 2012 virtualization safeguards have no
configuration steps. The feature works without intervention as long as you meet some simple conditions:
The hypervisor supports VM-Generation ID
There is a valid partner domain controller that a restored domain controller can replicate changes from
non-authoritatively.
Validate the Hypervisor
Ensure the source domain controller is running on a supported hypervisor by reviewing vendor documentation.
Virtualized domain controllers are hypervisor-independent and do not require Hyper-V.
Review the previous Platform Requirements section for known VM-Generation ID support.
If you are migrating VMs from a source hypervisor to a different target hypervisor, virtualization safeguards
may or may not be triggered depending on whether the hypervisors support VM-Generation ID, as explained in
the following table.
Source hypervisor supports VM-Generation ID, target hypervisor does not support VM-Generation ID: safeguards not triggered (if a DCCloneConfigFile.xml is present, the DC will boot into DSRM)
IMPORTANT
If all domain controllers are restored at once, use the following articles to set one domain controller - typically the PDC
emulator - as authoritative, so that the other domain controllers can return to normal operation:
Using the BurFlags registry key to reinitialize File Replication Service replica sets
How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)
WARNING
Do not run all domain controllers in a forest or domain on the same hypervisor host. That introduces a single point of
failure that cripples AD DS, Exchange, SQL, and other enterprise operations each time the hypervisor goes offline. This is
no different from using only one domain controller for an entire domain or forest. Multiple domain controllers on multiple
platforms help provide redundancy and fault tolerance.
Post-Snapshot Replication
Do not restore snapshots until all locally originating changes made since snapshot creation have replicated
outbound. Any originating changes are lost forever if other domain controllers did not already receive them
through replication.
Use Repadmin.exe to show any un-replicated outbound changes between a domain controller and its partners:
1. Return the DC's partner names and DSA Object GUIDs with:
2. Return the pending inbound replication of the partner domain controller to the domain controller to be
restored:
Repadmin.exe /showchanges <Name of partner DC> <DSA Object GUID of the domain controller being restored> <naming context to compare>
Repadmin.exe /showchanges <Name of partner DC> <DSA Object GUID of the domain controller being restored> <naming context to compare> /statistics
For example (with output modified for readability and important entries italicized ), here you look at the
replication partnerships of DC4:
Default-First-Site-Name\DC4
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5d083398-4bd3-48a4-a80d-fb2ebafb984f
DSA invocationID: 730fafec-b6d4-4911-88f2-5b64e48fc2f1
DC=corp,DC=contoso,DC=com
Default-First-Site-Name\DC3 via RPC
DSA object GUID: f62978a8-fcf7-40b5-ac00-40aa9c4f5ad3
Last attempt @ 2011-11-11 15:04:12 was successful.
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 3019137e-d223-4b62-baaa-e241a0c46a11
Last attempt @ 2011-11-11 15:04:15 was successful.
Now you know that it is replicating with DC2 and DC3. You then show the list of changes that DC2 states it still
does not have from DC4, and see that there is one new group:
C:\>repadmin /showchanges dc2.corp.contoso.com 5d083398-4bd3-48a4-a80d-fb2ebafb984f dc=corp,dc=contoso,dc=com
You would also test the other partner to ensure that it had not already replicated.
Alternatively, if you did not care which objects had not replicated and only cared that any objects were
outstanding, you can use the /statistics option:
***********************************************
********* Grand total *************************
Packets: 1
Objects: 1
Object Additions: 1
Object Modifications: 0
Object Deletions: 0
Object Moves: 0
Attributes: 12
Values: 13
IMPORTANT
Test all writable partners if you see any failures or outstanding replication. As long as at least one is converged, it is
generally safe to restore the snapshot, as transitive replication eventually reconciles the other servers.
Be sure to note any errors in replication shown by /showchanges and do not proceed until they are fixed.
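The same question (has everything this DC originated already reached a partner?) can be answered from the partners' up-to-dateness vectors instead of by parsing repadmin output. This PowerShell is an added example, not from the article. It uses the ActiveDirectory module, treats dc4.corp.contoso.com as the DC about to be rolled back, and by default checks only the domain partition:

```powershell
# Added example (not from the original article): ask each writable partner how far it has seen
# this DC's current invocationId and compare with the DC's own highestCommittedUSN.
Import-Module ActiveDirectory

function Get-UnreplicatedOutboundChanges {
    param(
        [Parameter(Mandatory)][string]$DomainController,      # the DC you intend to roll back
        [string[]]$Partition                                    # naming contexts; default is the domain NC
    )
    $rootDse = Get-ADRootDSE -Server $DomainController
    if (-not $Partition) { $Partition = @($rootDse.defaultNamingContext) }
    # invocationId lives on the NTDS Settings object the RootDSE points to
    $ntdsDsa  = Get-ADObject -Identity $rootDse.dsServiceName -Server $DomainController -Properties invocationId
    $invId    = [guid]$ntdsDsa.invocationId
    $localUsn = [long]$rootDse.highestCommittedUSN

    # RODCs never replicate outbound, so only writable DCs count as partners that could hold the changes
    $partners = Get-ADDomainController -Filter * |
                Where-Object { -not $_.IsReadOnly -and $_.HostName -ne $DomainController }
    foreach ($p in $partners) {
        foreach ($nc in $Partition) {
            $cursor = Get-ADReplicationUpToDatenessVectorTable -Target $p.HostName -Partition $nc |
                      Where-Object { $_.PartnerInvocationId -eq $invId }
            $seen = if ($cursor) { [long]$cursor.UsnFilter } else { 0 }
            [PSCustomObject]@{
                Partner              = $p.HostName
                Partition            = $nc
                LocalUsn             = $localUsn
                PartnerHasUsn        = $seen
                # highestCommittedUSN also counts writes that never replicate (local-only attributes),
                # so a small, stable gap can be benign; a large or growing one is unreplicated data
                PossiblyUnreplicated = $localUsn - $seen
            }
        }
    }
}

Get-UnreplicatedOutboundChanges -DomainController 'dc4.corp.contoso.com' | Format-Table -AutoSize
```

Treat a gap of zero on at least one writable partner the same way the IMPORTANT note above treats a converged partner; for the per-object view of what is still outstanding, repadmin /showchanges remains the authoritative tool.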
Checkpoint-VM
Export-VMSnapshot
Get-VMSnapshot
Remove-VMSnapshot
Rename-VMSnapshot
Restore-VMSnapshot
Install a new Active Directory forest using Azure CLI
3/5/2021
AD DS can run on an Azure virtual machine (VM) in the same way it runs in many on-premises instances. This
article walks you through deploying a new AD DS Forest, on two new domain controllers, in an Azure
availability set using the Azure portal and Azure CLI. Many customers find this guidance helpful when creating a
lab or preparing to deploy domain controllers in Azure.
Components
A resource group to put everything in.
An Azure Virtual Network, subnet, network security group, and rule to allow RDP access to VMs.
An Azure virtual machine availability set to put two Active Directory Domain Services (AD DS) domain
controllers in.
Two Azure virtual machines to run AD DS and DNS.
Items that are not covered
Creating a site-to-site VPN connection from an on-premises location
Securing network traffic in Azure
Designing the site topology
Planning operations master role placement
Deploying Azure AD Connect to synchronize identities to Azure AD
Variable name: Location. Purpose: Azure location name that you would like to deploy to. List supported regions for the current subscription using az account list-locations.
Variable name: AvailabilitySet. Purpose: Name of the availability set the domain controller VMs will join.
# Create a subnet
az network vnet subnet create --address-prefix $SubnetAddress \
--name $SubnetName \
--resource-group $ResourceGroupName \
--vnet-name $VNetName \
--network-security-group $NetworkSecurityGroup
az vm create \
--resource-group $ResourceGroupName \
--availability-set $AvailabilitySet \
--name $DomainController2 \
--size $VMSize \
--image Win2019Datacenter \
--admin-username $AdminUsername \
--admin-password $AdminPassword \
--data-disk-sizes-gb $DataDiskSize \
--data-disk-caching None \
--nsg $NetworkSecurityGroup \
--private-ip-address $DC2IP
DNS and Active Directory
If the Azure virtual machines created as part of this process will be an extension of an existing on-premises
Active Directory infrastructure, the DNS settings on the virtual network must be changed to include your on-
premises DNS servers before deployment. This step is important to allow the newly created Domain Controllers
in Azure to resolve on-premises resources and allow for replication to occur. More information about DNS,
Azure, and how to configure settings can be found in the section Name resolution that uses your own DNS
server.
After promoting the new domain controllers in Azure, they will need to be set to the primary and secondary
DNS Servers for the virtual network, and any on-premises DNS Servers would be demoted to tertiary and
beyond. More information on changing DNS Servers can be found in the article Create, change, or delete a
virtual network.
Information about extending an on-premises network to Azure can be found in the article Creating a site-to-site
VPN connection.
NOTE
The Prerequisites Check will warn you that the physical network adapter does not have static IP address(es) assigned. You
can safely ignore this, as static IPs are assigned in the Azure virtual network.
Choose Install
When the wizard completes the install process, the VM reboots.
When the VM has completed rebooting, log back in with the credentials used before, but this time as a member
of the domain you created.
NOTE
The first logon after promotion to a domain controller may take longer than normal and this is OK. Grab a cup of tea,
coffee, water, or other beverage of choice.
Azure virtual networks now support IPv6, but if you want to set your VMs to prefer IPv4 over IPv6,
information on how to complete this task can be found in the KB article Guidance for configuring IPv6 in
Windows for advanced users.
Configure DNS
After promoting the first server in Azure, the servers will need to be set to the primary and secondary DNS
Servers for the virtual network, and any on-premises DNS Servers would be demoted to tertiary and beyond.
More information on changing DNS Servers can be found in the article Create, change, or delete a virtual
network.
Configure the second Domain Controller
Connect to AZDC02 using the credentials you provided in the script.
Initialize and format the data disk as F:
Open the Start menu and browse to Computer Management
Browse to Storage > Disk Management
Initialize the disk as MBR
Create a New Simple Volume and Assign the drive letter F: (you can provide a Volume label if you
wish)
Install Active Directory Domain Services using Server Manager
Promote the domain controller
Add a domain controller to an existing domain - CONTOSO.com
Supply credentials to perform the operation
Change the paths from C: to point to the F: drive we created when prompted for their location
Ensure Domain Name System (DNS) server and Global Catalog (GC) are checked on the Domain
Controller Options page
Specify a Directory Services Restore Mode password based on your organizational requirements
Review the selections made in the wizard and choose Next
NOTE
The Prerequisites Check will warn you that the physical network adapter does not have static IP address(es) assigned. You
can safely ignore this, as static IPs are assigned in the Azure virtual network.
Choose Install
When the wizard completes the install process, the VM reboots.
When the VM has completed rebooting, log back in with the credentials used before, but this time as a member
of the CONTOSO.com domain
Azure virtual networks now support IPv6, but if you want to set your VMs to prefer IPv4 over IPv6,
information on how to complete this task can be found in the KB article Guidance for configuring IPv6 in
Windows for advanced users.
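The AZDC02 steps above (data disk as F:, AD DS role, promotion into CONTOSO.com with DNS and GC, paths on F:) scripted in PowerShell, as an added example that is not part of the original article. It assumes the Azure data disk is the only uninitialized disk on the VM, that the ADDSDeployment cmdlets are available once the role is installed, and uses an assumed volume label; credentials and the DSRM password are prompted for.

```powershell
# Added example, not from the original article; run in an elevated PowerShell session on AZDC02.
$ErrorActionPreference = 'Stop'

# 1. Initialize the data disk as MBR and format it as F: (matches the Disk Management steps).
$dataDisk = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } |
            Sort-Object Number | Select-Object -First 1
if (-not $dataDisk) { throw 'No uninitialized data disk found; check the VM data disk attachment.' }
Initialize-Disk -Number $dataDisk.Number -PartitionStyle MBR
New-Partition -DiskNumber $dataDisk.Number -UseMaximumSize -DriveLetter F | Out-Null
Format-Volume -DriveLetter F -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false | Out-Null  # label is assumed

# 2. Install the AD DS role plus management tools (this brings in the ADDSDeployment module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

# 3. Promote: add a domain controller to the existing CONTOSO.com domain.
#    DNS server is requested with -InstallDns; Global Catalog is enabled unless -NoGlobalCatalog is given.
#    Database, logs and SYSVOL go to the F: drive created above instead of C:.
$domainCred   = Get-Credential -Message 'Domain credentials authorized to add a domain controller'
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Optional dry run: same parameters, reports prerequisite results without changing anything.
Test-ADDSDomainControllerInstallation -DomainName 'CONTOSO.com' -Credential $domainCred -InstallDns `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword

# The static-IP warning from the prerequisites check is expected in Azure (see the NOTE above).
Install-ADDSDomainController `
    -DomainName 'CONTOSO.com' `
    -Credential $domainCred `
    -InstallDns `
    -DatabasePath 'F:\NTDS' `
    -LogPath 'F:\NTDS' `
    -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force   # suppresses the confirmation prompt; the VM reboots when promotion completes
```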
Wrap up
At this point, the environment has a pair of domain controllers, and we have configured the Azure virtual
network so that additional servers may be added to the environment. Post-install tasks for Active Directory
Domain Services, like configuring sites and services, auditing, backup, and securing the built-in administrator
account, should be completed at this point.
Next steps
Safely virtualizing Active Directory Domain Services (AD DS)
Azure AD Connect
Backup and recovery
Site to site VPN connectivity
Monitoring
Security and policy
Maintenance and updates
Virtualizing Domain Controllers using Hyper-V
6/17/2021 • 37 minutes to read
This topic will be updated in order to make the guidance applicable to Windows Server 2016. Windows Server
2012 introduces many improvements for virtualized domain controllers (DCs), including safeguards to prevent
USN rollback on virtual DCs and the ability to clone virtual DCs. For more information about these
improvements, see Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100).
Hyper-V consolidates different server roles onto a single physical computer. This guide describes running
domain controllers as 32-bit or 64-bit guest operating systems.
Hyper-V requirements
To install and use the Hyper-V role, you must have the following:
An x64 processor
Hyper-V is available in x64-based versions of Windows Server 2008 or later.
Hardware-assisted virtualization
This feature is available in processors that include a virtualization option, specifically, Intel
Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V).
Hardware Data Execution Protection (DEP)
Hardware DEP must be available and enabled. Specifically, you must enable Intel XD bit (execute
disable bit) or AMD NX bit (no execute bit).
Security considerations
The host computer on which virtual domain controllers are running must be managed as carefully as a
writeable domain controller, even if that computer is only a domain-joined or workgroup computer. This is an
important security consideration. A mismanaged host is vulnerable to an elevation-of-privilege attack, which
occurs when a malicious user gains access and system privileges that were not authorized or legitimately
assigned. A malicious user can use this type of attack to compromise all the virtual machines, domains, and
forests that this computer hosts.
Be sure to keep the following security considerations in mind when you are planning to virtualize domain
controllers:
The local administrator of a computer that hosts virtual, writeable domain controllers should be considered
equivalent in credentials to the default domain administrator of all the domains and forests that those
domain controllers belong to.
The recommended configuration to avoid security and performance issues is a host running a Server Core
installation of Windows Server 2008 or later, with no applications other than Hyper-V. This configuration
limits the number of applications and services that are installed on the server, which should result in
increased performance and fewer applications and services that could be maliciously exploited to attack the
computer or network. The effect of this type of configuration is known as a reduced attack surface. In a
branch office or other locations that cannot be satisfactorily secured, a read-only domain controller (RODC)
is recommended. If a separate management network exists, we recommend that the host be connected only
to the management network.
You can use BitLocker with your domain controllers; since Windows Server 2016, the virtual TPM feature can
also provide the guest with the key material needed to unlock the system volume.
Guarded fabric and shielded VMs can provide additional controls to protect your domain controllers.
For information about RODCs, see Read-Only Domain Controller Planning and Deployment Guide.
For more information about securing domain controllers, see Best Practice Guide for Securing Active Directory
Installations.
RODCs
One benefit of RODCs is the ability to place them at locations where physical security cannot be guaranteed,
such as at branch offices. You can use Windows BitLocker Drive Encryption to protect VHD files themselves (not
the file systems therein) from being compromised on the host through theft of the physical disk.
Performance
With the new microkernel 64-bit architecture, there are significant increases in Hyper-V performance from
previous virtualization platforms. For best host performance, the host should be a Server Core installation of
Windows Server 2008 or later, and it should not have server roles other than Hyper-V installed.
Performance of virtual machines depends specifically on the workload. To guarantee satisfactory
Active Directory performance, test specific topologies. Assess the current workload over a period of time with a
tool such as the Reliability and Performance Monitor (Perfmon.msc) or the Microsoft Assessment and Planning
(MAP) toolkit. The MAP tool can also be valuable if you want to take an inventory of all of the servers and server
roles that currently exist in your network.
To get a general idea of the performance of virtualized domain controllers, the following performance tests were
carried out with the Active Directory Performance Testing Tool (ADTest.exe).
Lightweight Directory Access Protocol (LDAP) tests were run on a physical domain controller with ADTest.exe
and then on a virtual machine that was hosted on a server that was identical to the physical domain controller.
Only one logical processor was used for the physical computer, and only one virtual processor was used for the
virtual machine to easily reach 100-percent CPU utilization. In the following table, the letter and number in
parenthesis after each test indicate the specific test in ADTest.exe. As this data shows, virtualized domain
controller performance was 88 to 98 percent of the physical domain controller performance.
To ensure satisfactory performance, integration components (IC) were installed to allow the guest operating
system to use “enlightenments,” or hypervisor-aware synthetic drivers. During the installation process, it may be
necessary to use emulated Integrated Drive Electronics (IDE) or network adapter drivers. In production
environments, you should replace these emulated drivers with synthetic drivers to increase performance.
When you monitor performance of virtual machines with Reliability and Performance Manager (Perfmon.msc),
within the virtual machine the CPU information will not be entirely accurate as a result of the way the virtual
CPU is scheduled on the physical processor. When you want to obtain CPU information for a virtual machine
that is running on a Hyper-V server, use the Hyper-V Hypervisor Logical Processor counters in the host partition.
For more information about performance tuning of both AD DS and Hyper-V, see Performance Tuning
Guidelines for Windows Server 2016.
Also, do not plan to use a differencing disk VHD on a virtual machine that is configured as a domain controller
because the differencing disk VHD can reduce performance. To learn more about Hyper-V disk types, including
differencing disks, see New Virtual Hard Disk Wizard.
For additional information regarding AD DS in virtual hosting environments, see Things to consider when you
host Active Directory domain controllers in virtual hosting environments in the Microsoft Knowledge Base.
WARNING
Running Sysprep on a domain controller is not supported.
To help prevent a potential update sequence number (USN) rollback situation, do not use copies of a VHD
file that represents an already deployed domain controller to deploy additional domain controllers. For
more information about USN rollback, see USN and USN Rollback.
Windows Server 2012 and newer allows administrators to clone domain controller images, if prepared
properly, when they want to deploy additional domain controllers.
Do not use the Hyper-V Export feature to export a virtual machine that is running a domain controller.
With Windows Server 2012 and newer, an export and import of a Domain Controller virtual guest is
handled like a non-authoritative restore as it detects a change of the Generation ID and it is not
configured for cloning.
Ensure you are not using the guest that you exported anymore.
You may use Hyper-V Replication to keep a second inactive copy of a Domain Controller. If you
start the replicated image, you also need to perform proper cleanup, for the same reason as not
using the source after exporting a DC guest image.
Physical-to-virtual migration
System Center Virtual Machine Manager (VMM) 2008 provides unified management of physical machines and
virtual machines. It also provides the ability to migrate a physical machine to a virtual machine. This process is
known as physical-to-virtual machine conversion (P2V conversion). During the P2V conversion process, the new
virtual machine and the physical domain controller that is being migrated must not be running at the same
time, to avoid a USN rollback situation as described in USN and USN Rollback.
You should perform P2V conversion using offline mode so that the directory data is consistent when the domain
controller is turned back on. The offline mode option is offered and recommended in the Convert Physical
Server Wizard. For a description of the difference between online mode and offline mode, see P2V: Converting
Physical Computers to Virtual Machines in VMM. During P2V conversion, the virtual machine should not be
connected to the network. The network adapter of the virtual machine should be enabled only after the P2V
conversion process is complete and verified. At this point, the physical source machine will be off. Do not bring
the physical source machine back onto the network again before you reformat the hard disk.
NOTE
There are safer options to create new virtual DCs that don't run the risks of creating a USN Rollback. You may setup a new
virtual DC by regular promotion, promotion from Install from Media (IfM), and also using Domain Controller cloning, if
you already have at least one virtual DC. This also helps avoid the hardware- or platform-related problems that
P2V-converted virtual guests may encounter.
WARNING
To prevent issues with Active Directory replication, ensure that only one instance (physical or virtual) of a given domain
controller exists on a given network at any point in time. You can lower the likelihood of the old clone being a problem:
When the new virtual DC is running, change the computer account password twice using: netdom resetpwd /Server: …
Export and import the new virtual guest to force it becoming a new Generation ID and hence a database invocation
ID.
Time service
For virtual machines that are configured as domain controllers, it is recommended that you disable time
synchronization between the host system and guest operating system acting as a domain controller. This
enables your guest domain controller to synchronize time from the domain hierarchy.
To disable the Hyper-V time synchronization provider, shut down the VM and clear the Time synchronization
check box under Integration Services.
NOTE
This guidance has been recently updated to reflect the current recommendation to synchronize time for the guest domain
controller from only the domain hierarchy, rather than the previous recommendation to partially disable time
synchronization between the host system and guest domain controller.
Storage
To optimize the performance of the domain controller virtual machine and ensure durability of Active Directory
writes, use the following recommendations for storing operating system, Active Directory, and VHD files:
Guest storage. Store the Active Directory database file (Ntds.dit), log files, and SYSVOL files on a
separate virtual disk from the operating system files. Create a second VHD attached to a virtual SCSI
controller and store the database, logs, and SYSVOL on the virtual machine's virtual SCSI disk. Virtual
SCSI disks provide increased performance compared to virtual IDE and they support Forced Unit Access
(FUA). FUA ensures that the operating system writes and reads data directly from the media bypassing
any and all caching mechanisms.
NOTE
If you are planning to use BitLocker for the virtual DC guest, you need to make sure the additional volumes are
configured for "auto unlock". More information about configuring auto unlock can be found in
Enable-BitLockerAutoUnlock.
Host storage of VHD files. These recommendations address where to store VHD
files. For maximum performance, do not store VHD files on a disk that is used frequently by other
services or applications, such as the system disk on which the host Windows operating system is
installed. Store each VHD file on a separate partition from the host operating system and any other VHD
files. The ideal configuration is to store each VHD file on a separate physical drive.
The host physical disk system must also satisfy at least one of the following criteria to meet the
requirements of virtualized workload data integrity:
The system uses server-class disks (SCSI, Fibre Channel).
The system makes sure that the disks are connected to a battery-backed caching host bus adapter
(HBA).
The system uses a storage controller (for example, a RAID system) as the storage device.
The system makes sure that power to the disk is protected by an uninterruptible power supply (UPS).
The system makes sure that the disk's write-caching feature is disabled.
Fixed VHD versus pass-through disks. There are many ways to configure storage for virtual
machines. When VHD files are used, fixed-size VHDs are more efficient than dynamic VHDs because the
memory for fixed-size VHDs is allocated when they are created. Pass-through disks, which virtual
machines can use to access physical storage media, are even more optimized for performance. Pass-
through disks are essentially physical disks or logical unit numbers (LUNs) that are attached to a virtual
machine. Pass-through disks do not support the snapshot feature. Therefore, pass-through disks are the
preferred hard disk configuration, because the use of snapshots with domain controllers is not
recommended.
To reduce the chance of corruption of Active Directory data, use virtual SCSI controllers:
Use SCSI physical drives (as opposed to IDE/ATA drives) on Hyper-V servers that host virtual domain
controllers. If you cannot use SCSI drives, ensure that write caching is disabled on the ATA/IDE drives that
host virtual domain controllers. For more information, see Event ID 1539 – Database Integrity.
To guarantee the durability of Active Directory writes, the Active Directory database, logs, and SYSVOL must
be placed on a virtual SCSI disk. Virtual SCSI disks support Forced Unit Access (FUA). FUA ensures that the
operating system writes and reads data directly from the media bypassing any and all caching mechanisms.
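A read-only audit of a DC guest's Hyper-V settings against the Time service and Storage guidance above, as an added example that is not part of the original article. It runs on the Hyper-V host with the Hyper-V PowerShell module, checks that the Time Synchronization integration service is disabled, that there is a separate disk for the database, logs and SYSVOL, that non-boot disks sit on a virtual SCSI controller, that no differencing VHDs are used and that no checkpoints exist; the VM name in the usage line is a placeholder and the "IDE 0:0 is the OS disk" rule is an assumption for generation 1 VMs.

```powershell
# Added example, not from the original article or from Microsoft's own tooling.
function Test-VirtualDCGuestSettings {
    param([Parameter(Mandatory)][string] $VMName)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string] $Check, [bool] $Ok, [string] $Detail) {
        $findings.Add([pscustomobject]@{ VM = $VMName; Check = $Check; Ok = $Ok; Detail = $Detail })
    }

    # Time service: the guest DC should take time from the domain hierarchy only, so the
    # host-to-guest Time Synchronization provider is expected to be disabled.
    $timeSync = Get-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
    Add-Finding 'Time Synchronization integration service disabled' (-not $timeSync.Enabled) `
        "Enabled=$($timeSync.Enabled)"

    # Storage: database, logs and SYSVOL on their own virtual disk, attached to a virtual
    # SCSI controller (Forced Unit Access), and no differencing VHDs anywhere.
    $drives = @(Get-VMHardDiskDrive -VMName $VMName)
    Add-Finding 'Separate virtual disk for database, logs and SYSVOL' ($drives.Count -ge 2) `
        "Disks attached: $($drives.Count)"
    foreach ($drive in $drives) {
        $label = if ($drive.Path) { $drive.Path } else { "pass-through disk $($drive.DiskNumber)" }
        # Assumption: on a generation 1 VM the OS disk is IDE 0:0; the article allows the OS
        # on virtual IDE but requires the AD data on virtual SCSI.
        $isGen1BootDisk = $drive.ControllerType -eq 'IDE' -and
                          $drive.ControllerNumber -eq 0 -and $drive.ControllerLocation -eq 0
        if (-not $isGen1BootDisk) {
            Add-Finding "Data disk on virtual SCSI controller: $label" ($drive.ControllerType -eq 'SCSI') `
                "Controller=$($drive.ControllerType) $($drive.ControllerNumber):$($drive.ControllerLocation)"
        }
        if ($drive.Path) {
            # Pass-through disks have no VHD file, so only file-backed drives are inspected.
            $vhd = Get-VHD -Path $drive.Path
            Add-Finding "Not a differencing disk: $label" ($vhd.VhdType -ne 'Differencing') `
                "VhdType=$($vhd.VhdType)"
        }
    }

    # Checkpoints: the article advises against snapshots of domain controllers.
    $checkpoints = @(Get-VMSnapshot -VMName $VMName)
    Add-Finding 'No checkpoints present' ($checkpoints.Count -eq 0) "Checkpoints: $($checkpoints.Count)"

    return $findings
}

# Usage (placeholder VM name); every row with Ok = False is a deviation from the guidance above.
# Test-VirtualDCGuestSettings -VMName 'VDC1' | Format-Table Check, Ok, Detail -AutoSize
```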
NOTE
The shielded VM project mentioned previously treats Hyper-V host-driven backup as a non-goal, in order to maximize
data protection of the guest VM.
IMPORTANT
To properly restore the domain controller, you must start it in DSRM. You must not allow the domain controller to start in
normal mode. If you miss the opportunity to enter DSRM during system startup, turn off the domain controller's virtual
machine before it can fully start in normal mode. It is important to start the domain controller in DSRM because starting
a domain controller in normal mode increments its USNs, even if the domain controller is disconnected from the network.
For more information about USN rollback, see USN and USN Rollback.
IMPORTANT
You should not consider using the following procedure as a replacement for regularly planned and scheduled backups.
Restores that are performed with the following procedure are not supported by Microsoft and should
be used only when there is no other alternative.
Do not use this procedure if the copy of the VHD that you are about to restore has been started in normal mode by
any virtual machine.
Active Directory has been restored from backup media, or has been configured to host an application
partition.
The invocationID attribute for this directory server has been changed.
The highest update sequence number at the time the backup was created is <time>
The InvocationID is changed when a directory server is restored from backup media or is configured to
host a writeable application directory partition.
USNs
Active Directory Domain Services (AD DS) uses update sequence numbers (USNs) to keep track of replication of
data between domain controllers. Each time that a change is made to data in the directory, the USN is
incremented to indicate that a change has been made.
For each directory partition that a destination domain controller stores, USNs are used to track the latest
originating update that a domain controller introduced to its database, as well as the status of every other
domain controller that stores a replica of the directory partition. When domain controllers replicate changes to
one another, they query their replication partners for changes with USNs that are greater than the USN of the
last change that the domain controller received from each partner.
The following two replication metadata tables contain USNs. Source and destination domain controllers use
them to filter updates that the destination domain controller requires.
1. Up-to-dateness vector: A table that the destination domain controller maintains for tracking the
originating updates that are received from all source domain controllers. When a destination domain
controller requests changes for a directory partition, it provides its up-to-dateness vector to the source
domain controller. The source domain controller then uses this value to filter the updates that it sends to the
destination domain controller. The source domain controller sends its up-to-dateness vector to the
destination at the completion of a successful replication cycle in order to ensure that the destination domain
controller knows that it has synchronized with every domain controller's originating updates and the
updates are at the same level as the source.
2. High water mark: A value that the destination domain controller maintains to keep track of the most recent
changes that it has received from a specific source domain controller for a specific partition. The high water
mark prevents the source domain controller from sending out changes that the destination domain
controller has already received from it.
When AD DS is properly restored on a domain controller, the invocationID is reset. As a result of this change,
you will experience an increase in replication traffic, the duration of which is relative to the size of the partition
being replicated.
For example, assume that VDC1 and DC2 are two domain controllers in the same domain. The following figure
shows the perception of DC2 about VDC1 when the invocationID value is reset in a proper restore situation.
USN rollback
USN rollback occurs when the normal updates of the USNs are circumvented and a domain controller tries to
use a USN that is lower than its latest update. USN rollback will be detected and replication will be stopped
before divergence in the forest is created, in most cases.
USN rollback can be caused in many ways, for example, when old virtual hard disk (VHD) files are used or
physical-to-virtual conversion (P2V conversion) is performed without ensuring that the physical machine stays
offline permanently after the conversion. Take the following precautions to ensure that USN rollback does not
occur:
When not running Windows Server 2012 or newer, do not take or use a snapshot of a domain controller
virtual machine.
Do not copy the domain controller VHD file.
When not running Windows Server 2012 or newer, do not export the virtual machine that is running a
domain controller.
Do not restore a domain controller or attempt to roll back the contents of an Active Directory database by
any other means than a supported backup solution, such as Windows Server Backup.
In some cases, USN rollback may go undetected. In other cases, it may cause other replication errors. In these
cases, it is necessary to identify the extent of the problem and take care of it in a timely manner. For information
about how to remove lingering objects that may occur as a result of USN rollback, see Outdated Active
Directory objects generate event ID 1988 in Windows Server 2003 in the Microsoft Knowledge Base.
If the Directory Service event log reports Event ID 2095, complete the following procedure immediately.
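Two defender-side checks for this section, as an added example that is not part of the original article: the first pulls the Directory Service events named here (2095 for a detected USN rollback, 1988 for lingering objects) from a DC; the second shows a partner's view of a restored DC's invocationID from its up-to-dateness vector, which is what the VDC1/DC2 figure above describes. It needs the ActiveDirectory RSAT module; DC names are placeholders, and it assumes the table's Partner field is the partner's NTDS Settings DN.

```powershell
# Added example, not from the original article or from Microsoft's own tooling.

function Get-UsnRollbackIndicators {
    # Returns the rollback-related events from the Directory Service log of one DC.
    # 2095: USN rollback detected (this DC has quarantined its replication).
    # 1988: a replication partner reported a lingering object, a possible after-effect.
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Days = 30
    )
    $filter = @{
        LogName   = 'Directory Service'
        Id        = @(2095, 1988)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; an empty result is the healthy case.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-PartnerViewOfDC {
    # Lists the up-to-dateness vector entries that $Partner holds for $DCName and marks
    # which entry carries the DC's current invocationID. After a proper restore the DC's
    # invocationID changes, so the partner shows the retired ID next to the new one.
    param(
        [Parameter(Mandatory)][string] $Partner,   # e.g. DC2
        [Parameter(Mandatory)][string] $DCName     # e.g. VDC1
    )
    $currentId = (Get-ADDomainController -Identity $DCName).InvocationId
    $partition = (Get-ADRootDSE -Server $Partner).defaultNamingContext

    Get-ADReplicationUpToDatenessVectorTable -Target $Partner -Partition $partition |
        Where-Object { $_.Partner -like "*CN=$DCName,*" } |   # assumption: Partner is the NTDS Settings DN
        Select-Object Partner, PartnerInvocationId, UsnFilter, LastReplicationSuccess,
            @{ Name = 'IsCurrentInvocationId'; Expression = { $_.PartnerInvocationId -eq $currentId } }
}

# Usage (placeholder names). Any 2095 event means: follow the procedure below immediately.
# Get-UsnRollbackIndicators -ComputerName 'VDC1' | Format-Table -AutoSize
# Get-PartnerViewOfDC -Partner 'DC2' -DCName 'VDC1' | Format-Table -AutoSize
```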
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic provides detailed methodology on troubleshooting the virtualized domain controller feature.
Troubleshooting virtualized domain controller cloning
Troubleshooting virtualized domain controller safe restore
Introduction
The most important way to improve your troubleshooting skills is to build a test lab and rigorously examine
normal, working scenarios. If you encounter errors, they are more obvious and easy to understand, since you
then have a solid foundation of how domain controller promotion works. This also allows you to build your
analysis and network analysis skills. This goes for all distributed systems technologies, not just virtualized
domain controller deployment.
The critical elements to advanced troubleshooting of domain controller configuration are:
1. Linear analysis combined with focus and attention to detail.
2. Understanding network capture analysis
3. Understanding the built-in logs
The first and second are beyond the scope of this topic, but the third can be explained in some detail. Virtualized
domain controller troubleshooting requires a logical and linear method. The key is to approach the issue using
the data provided and only resort to complex tools and analysis when you have exhausted the provided output
and logging.
OPERATION / LOG
Promotion:
- %systemroot%\debug\dcpromo.log
- Event viewer\Applications and services logs\Directory Service
- Event viewer\Windows logs\System
- Event viewer\Applications and services logs\File Replication Service
- Event viewer\Applications and services logs\DFS Replication
To turn DSRM boot off using a GUI, use the System Configuration tool:
1. Run msconfig.exe
2. On the Boot tab, under Boot Options, de-select Safe boot (it is already selected with the option Active
Directory repair enabled)
3. Click OK and restart when prompted
Removing DSRM with Bcdedit.exe
To turn DSRM boot off from the command-line, use the Boot Configuration Data Store Editor:
1. Open a CMD prompt and run:
Shutdown.exe /t 0 /r
NOTE
Bcdedit.exe also works in a Windows PowerShell console. The commands there are:
Bcdedit.exe /deletevalue safeboot
Restart-computer
WARNING
Do not attempt to add the graphical shell back to the computer while it is in DSRM. Windows servicing stack (CBS) cannot
operate correctly while in Safe Mode or DSRM. Attempts to add features or roles while in DSRM will not complete and
leave the computer in an unstable state until it is booted normally. Since a virtualized domain controller clone in DSRM
cannot boot normally, and should not be booted normally under most circumstances, it is impossible to safely add the
graphical shell. Doing so is unsupported and may leave you with an unusable server.
Event ID 2160
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message
Notes and resolution This is a success event and only an issue if unexpected.
Examine the DSA Working Directory, %systemroot%\ntds,
and root of any local or removable disks for the
DCCloneConfig.xml file.
Event ID 2161
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The local machine did not find the virtual domain controller cloning
configuration file. The local machine is not a cloned DC.
Notes and resolution This is a success event and only an issue if unexpected.
Examine the DSA Working Directory, %systemroot%\ntds,
and root of any local or removable disks for the
DCCloneConfig.xml file.
Event ID 2162
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
EVENTS DESCRIPTION
Event ID 2163
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Examine the DSA Working Directory, %systemroot%\ntds,
and root of any local or removable disks for the
DCCloneConfig.xml file.
Event ID 2164
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to start the DsRoleSvc service to clone the local virtual
domain controller.
Notes and resolution Examine the service settings for the DS Role Server service
(DsRoleSvc) and ensure its start type is set to manual.
Validate that no third party program is preventing the start
of this service.
Event ID 2165
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to start a thread during the cloning of the local virtual
domain controller.
Error code:%1
Error message:%2
Thread name:%3
Event ID 2166
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine the System event log and service settings for the
RPC Server service (Rpcss)
Event ID 2168
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The DC is running on a supported hypervisor. VM Generation ID is detected.
Current value of VM Generation ID: %1
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2169
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event if not intending to clone. Otherwise,
examine the System event log and review hypervisor
product support documentation.
Event ID 2170
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Warning
Event ID 2171
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event if not intending to clone, and should
be seen at every reboot of a virtualized DC. Otherwise,
examine the System event log.
Event ID 2172
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Event ID 2173
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event if intending to clone and it is the first
VM reboot after cloning has completed. It can also be
ignored on non-virtual Domain controllers. Otherwise,
examine the System event log.
Event ID 2174
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event if not intending to clone. Otherwise,
examine the System event log.
Event ID 2175
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Event ID 2176
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution Rename expected when booting a source VM back up,
because the VM Generation ID has not changed. This
prevents the source domain controller from trying to clone.
Event ID 2177
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Rename attempt expected when booting a source VM back
up, because the VM Generation ID has not changed. This
prevents the source domain controller from trying to clone.
Manually rename the file and investigate installed third party
products that may be preventing the file rename.
Event ID 2178
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution Expected when booting a source VM back up, because the
VM Generation ID has not changed. This prevents the
source domain controller from trying to clone.
Event ID 2179
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2180
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Warning
Notes and resolution Examine the System event log and Dcpromo.log. Lookup the
specific error in MS TechNet, MS Knowledgebase, and MS
blogs to determine its usual meaning, and then troubleshoot
based on those results.
Event ID 2182
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2183
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2184
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution A single source domain controller name can only
automatically generate 9999 times if domain controllers are
not demoted, based on the naming convention. Use the
element in the XML to generate a new unique name or clone
from a differently named DC.
Event ID 2191
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2192
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine Application and System event logs. Investigate third
party application that may be blocking registry updates.
Event ID 2193
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2194
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine Application and System event logs. Investigate third
party application that may be blocking registry updates.
Event ID 2195
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine Application and System event logs. Investigate third
party application that may be blocking registry updates.
Event ID 2196
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine Application and System event logs. Investigate third
party application that may be blocking privilege usage.
Event ID 2197
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine Application and System event logs. Investigate third
party application that may be blocking privilege usage.
Event ID 2198
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Event ID 2199
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Validate the dccloneconfig.xml did not specify an existing
domain controller or that copies of the dccloneconfig.xml
have been used on multiple clones without editing the
name. If the collision is still unexpected, determine which
administrator promoted it; contact them to discuss if the
existing domain controller should be demoted, the existing
domain controller metadata cleaned, or if the clone should
use a different name.
Event ID 2203
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Last virtual domain controller cloning failed. This is the first
reboot since then so this should be a re-try of the cloning.
However, neither virtual domain controller clone
configuration file exists nor virtual machine generation ID
change is detected. Boot into DSRM.
Last virtual domain controller cloning failed:%1
Virtual domain controller clone configuration file
exists:%2
Virtual machine generation ID change is detected:%3
Notes and resolution Expected if cloning failed previously, due to missing or invalid
dccloneconfig.xml
Event ID 2210
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Review the System and Directory Services event logs and the
dcpromo.log for further details on why cloning failed.
Event ID 2211
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2212
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2213
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2214
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create a computer object for the clone domain controller.
Additional data:
Clone Id: %1
Original domain controller: %2
Clone domain controller: %3
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2215
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will add the clone domain controller in the following site.
Additional data:
Clone Id: %1
Site: %2
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2216
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2217
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create a server object for the clone domain controller.
Additional data:
Clone Id: %1
Server Object: %2
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2218
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create a NTDS Settings object for the clone domain
controller.
Additional data:
Clone Id: %1
Object: %2
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2219
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2220
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create SYSVOL objects for the clone Read-Only domain
controller.
Additional data:
Clone Id: %1
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2221
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine the system event log for further details on why the
machine account password could not be created.
Event ID 2222
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine the system event log for further details on why the
machine account password could not be set.
Event ID 2223
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2224
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Expected when using standalone MSAs (not group MSA). Do
not follow the event advice to remove the account - it is
incorrectly written. Use Uninstall-AdServiceAccount -
https://technet.microsoft.com/library/hh852310.
Standalone MSAs - first released in Windows Server
2008 R2 - were replaced in Windows Server 2012 with
group MSAs (gMSA). GMSAs support cloning.
Event ID 2225
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 2226
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine the System and Directory Services event logs for
further information.
Event ID 2227
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine the System and Directory Services event logs for
further information.
Event ID 2228
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Event ID 29218
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Notes and resolution Review the System and Directory Services event logs and the
dcpromo.log for further details on why cloning failed.
Event ID 29219
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Informational
Notes and resolution This is a success event and only an issue if unexpected.
Event ID 29248
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Event ID 29249
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Notes and resolution Examine the dccloneconfig.xml file for syntax errors using an
XML editor and the DCCloneConfigSchema.xsd schema file.
Event ID 29250
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Event ID 29251
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Notes and resolution Verify the IP information set in the dccloneconfig.xml is valid
and does not duplicate the original source machine.
Event ID 29253
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Notes and resolution Validate that the cloned domain controller IP and DNS
information is set. Use Dcdiag.exe /test:locatorcheck to
validate that the PDCE is online, use Nltest.exe /server: /dclist:
to validate RPC, and obtain a network capture from the PDCE while
cloning fails and analyze the traffic.
Event ID 29254
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Notes and resolution Validate that the cloned domain controller IP and DNS
information is set. Use Dcdiag.exe /test:locatorcheck to
validate that the PDCE is online, use Nltest.exe /server: /dclist:
to validate RPC, and obtain a network capture from the PDCE while
cloning fails and analyze the traffic.
Event ID 29255
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Event ID 29256
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Notes and resolution Examine the Directory Services log and dcpromo.log for
details. Examine Application and System event logs.
Investigate third party application that may be blocking
privilege usage.
Event ID 29257
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Notes and resolution Examine Application and System event logs. Investigate third
party application that may be blocking privilege usage.
Event ID 29264
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Notes and resolution Examine the Directory Services log and dcpromo.log for
details. Examine Application and System event logs.
Investigate third party application that may be blocking
privilege usage.
Event ID 29265
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Informational
Event ID 29266
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Event ID 29267
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Error Messages
There are no direct interactive errors for failed virtualized domain controller cloning; all cloning information logs
in the System and Directory Services logs and the domain controller promotion logs in dcpromo.log. However, if
the server boots into DS Restore Mode, investigate immediately, as promotion or cloning failed.
The dcpromo.log is the first place to check for cloning failure. Depending on the failure listed, it may be
necessary to subsequently review Directory Services and System logs for further diagnosis.
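A triage script for the three places named here (Directory Services log, System log, dcpromo.log), written for this page as an added example and not part of the Microsoft article. It assumes the event ID ranges and provider names from the tables above, that the DSROLE-Server events land in the System log, that the promotion log is %systemroot%\debug\dcpromo.log, and that bcdedit reports a DSRM boot as a "safeboot DsRepair" setting; the function name Get-VdcCloneTriage is made up.

```powershell
# Added triage helper, not part of the Microsoft article. Assumptions are marked.
function Get-VdcCloneTriage {
    param(
        [int]$Hours = 24,
        # Assumed standard location of the promotion log
        [string]$DcpromoLog = (Join-Path $env:SystemRoot 'debug\dcpromo.log')
    )
    $since = (Get-Date).AddHours(-$Hours)

    # 1. Is this DC sitting in DS Restore Mode? (assumption: bcdedit shows 'safeboot DsRepair')
    $bcd = & bcdedit /enum '{current}' 2>$null
    $inDsrm = [bool]($bcd -match 'safeboot\s+DsRepair')

    # 2. NTDS cloning / VM Generation ID events (IDs 2160-2228 in the tables above)
    $ntds = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Directory Services'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        StartTime    = $since
    } | Where-Object { $_.Id -ge 2160 -and $_.Id -le 2228 }

    # 3. DSROLE cloning events (IDs 29218-29267); assumption: written to the System log
    $dsrole = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DirectoryServices-DSROLE-Server'
        StartTime    = $since
    } | Where-Object { $_.Id -ge 29218 -and $_.Id -le 29267 }

    # Ascending time order, the same order the article uses for expected event sequences
    $events = @($ntds) + @($dsrole) | Where-Object { $_ } | Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $_.LogName
                Id      = $_.Id
                Level   = $_.LevelDisplayName
                Message = ($_.Message -split "`r?`n")[0]   # first line of the message only
            }
        }

    # 4. dcpromo.log is the first place to check: keep the cloning progress lines and every ERROR.
    #    The pattern 'vDC Clon' also matches the 'vDC Cloneing' spelling seen in the sample log.
    $promo = @()
    if (Test-Path $DcpromoLog) {
        $promo = Select-String -Path $DcpromoLog -Pattern 'vDC Clon', '\[ERROR\]' |
            ForEach-Object { $_.Line }
    }

    [pscustomobject]@{
        BootedIntoDsrm = $inDsrm
        ErrorEvents    = @($events | Where-Object { $_.Level -eq 'Error' }).Count
        Events         = $events
        DcpromoLines   = $promo
    }
}

# Usage on the suspect clone (elevated prompt; in DSRM log on as .\administrator)
$triage = Get-VdcCloneTriage -Hours 48
if ($triage.BootedIntoDsrm) {
    Write-Warning 'DC is booted into DSRM: promotion or cloning failed, investigate now.'
}
$triage.Events | Format-Table -AutoSize
$triage.DcpromoLines | Select-Object -Last 40
```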
Known Issues and Support Scenarios
The following are common issues seen during the Windows Server 2012 development process. All of these
issues are "by design" and have either a valid workaround or more appropriate technique to avoid them in the
first place. Some may be resolved in later releases of Windows Server 2012.
ISSUE: CLONING FAILS, DSRM
Resolution and Notes Validate that all steps were followed from the Deploying
Virtualized Domain Controller section and the General
Methodology for Troubleshooting Domain Controller
Cloning section.
Described in KB 2742844.
Resolution and Notes Manually delete the unused address lease in DHCP or allow
it to expire normally. Described in KB 2742836.
Resolution and Notes The cloned computer cannot get a dynamic IP address from
DHCP or SLAAC, or is using a duplicate IP address, or
cannot find the PDC. Multiple retry attempts performed by
cloning lead to the delay. Resolve the networking issue to
allow cloning.
Described in KB 2742844.
Resolution and Notes This is a limitation of the domain controller rename process
in Windows, not just of cloning. Three-part SPNs are not
handled by the renaming logic in any scenario. Most
included Windows services are unaffected by this, as they
recreate any missing SPNs as needed. Other applications
may require manually entering the SPN to resolve the issue.
Described in KB 2742874.
Symptoms Clone boots into Directory Services Repair Mode. There are
general networking errors.
Resolution and Notes Ensure that the new clone does not have a duplicate static
MAC address assigned from the source domain controller;
you can see if a VM uses static MAC addresses by running
this command on the hypervisor host for both the source
and clone virtual machines:
Get-VM -VMName test-vm | Get-VMNetworkAdapter | fl *
Change the MAC address to a unique static address or
switch to using dynamic MAC addresses.
Described in KB 2742844
ISSUE: CLONING FAILS, BOOTS INTO DSRM AS A DUPLICATE OF THE SOURCE DC
Resolution and Notes Examine the service settings for the DS Role Server service
(DsRoleSvc) and ensure its start type is set to Manual.
Validate that no third party program is preventing the start
of this service.
For more information about how to reclaim this
secondary DC while ensuring that updates get replicated
outbound, see Microsoft KB article 2742970.
Resolution and Notes This happens if the PDC can be discovered but it has not
performed sufficient replication to allow itself to assume the
role. For example, cloning is started and another
administrator moves the PDCE FSMO role to a new DC.
Described in KB 2742916.
Symptoms Clone boots into Directory Services Restore Mode. There are
general networking errors.
Resolution and Notes Ensure that the new clone does not have a duplicate static
MAC address assigned from the source domain controller;
you can see if a VM uses static MAC addresses by running
this command on the Hyper-V host for both the source and
clone virtual machines:
Get-VM -VMName test-vm | Get-VMNetworkAdapter | fl *
Change the MAC address to a unique static address or
switch to using dynamic MAC addresses.
Described in KB 2742844.
ISSUE: CLONING FAILS, BOOTS INTO DSRM
Resolution and Notes Ensure that the dccloneconfig.xml contains the schema
definition (see sampledccloneconfig.xml, line 2):
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
Described in KB 2742844
Resolution and Notes Ensure you logon with the DSRM administrator account, and
not the domain account. Use the left arrow and type a user
name of:
.\administrator
Described in KB 2742908
Resolution and Notes The computer was copied and started but does not contain
a DcCloneConfig.xml file in any of the supported locations,
and did not have a duplicate IP address with the source
domain controller. The DC must be correctly removed in
order to avoid data loss.
Described in KB 2742970
Resolution and Notes Verify connectivity to a GC from the server where you run
New-ADDCCloneConfigFile and verify that the membership
of the source domain controller in the Cloneable Domain
Controllers group has replicated to that GC.
Run the following command as a means of flushing the
DC locator cache for cases where a GC or DC may have
been taken offline recently:
nltest /dsgetdc: /GC /FORCE
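Two pre-clone checks for rows in the table above (the missing schema declaration in dccloneconfig.xml, which also covers the event 29249 note earlier on this page, and the duplicate static MAC address), written as an added example that is not Microsoft's code. It assumes the schema file ships as %systemroot%\System32\DCCloneConfigSchema.xsd, that Test-DcCloneConfigFile runs on the source DC and Test-CloneMacAddress on the Hyper-V host with the Hyper-V module loaded; both function names and the VM name DC2-clone are made up.

```powershell
# Added pre-clone checks, not part of the Microsoft article. Assumptions are marked.

function Test-DcCloneConfigFile {
    # Checks a dccloneconfig.xml: well-formed, in the expected namespace, and schema-valid.
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Assumed location of the schema file named in the event 29249 note
        [string]$SchemaPath = (Join-Path $env:SystemRoot 'System32\DCCloneConfigSchema.xsd')
    )
    $expectedNs = 'uri:microsoft.com:schemas:DCCloneConfig'   # namespace from the sample above
    $problems = New-Object System.Collections.Generic.List[string]

    # A 0-byte file is legitimate: dcpromo.log treats it as "blank" and automatic defaults apply.
    if ((Get-Item $Path).Length -eq 0) {
        return [pscustomobject]@{ Path = $Path; Blank = $true; Valid = $true; Problems = @() }
    }

    try {
        [xml]$doc = Get-Content -Path $Path -Raw
        $ns = $doc.DocumentElement.NamespaceURI
        if ($ns -ne $expectedNs) {
            # The "cloning fails, boots into DSRM" row: schema declaration missing on the root element
            $problems.Add("root element is in namespace '$ns', expected '$expectedNs'")
        }
    } catch {
        $problems.Add("not well-formed XML: $($_.Exception.Message)")
    }

    if ($problems.Count -eq 0 -and (Test-Path $SchemaPath)) {
        $settings = New-Object System.Xml.XmlReaderSettings
        $settings.ValidationType = [System.Xml.ValidationType]::Schema
        [void]$settings.Schemas.Add($expectedNs, $SchemaPath)
        try {
            $reader = [System.Xml.XmlReader]::Create($Path, $settings)
            try { while ($reader.Read()) { } } finally { $reader.Close() }
        } catch {
            # Without a ValidationEventHandler the reader throws on the first schema error
            $problems.Add("schema violation: $($_.Exception.Message)")
        }
    } elseif (-not (Test-Path $SchemaPath)) {
        $problems.Add("schema file not found: $SchemaPath")
    }

    [pscustomobject]@{
        Path = $Path; Blank = $false; Valid = ($problems.Count -eq 0); Problems = $problems.ToArray()
    }
}

function Test-CloneMacAddress {
    # Runs on the Hyper-V host: reports adapters on the source and clone VMs that share a MAC.
    param(
        [Parameter(Mandatory)] [string]$SourceVM,
        [Parameter(Mandatory)] [string]$CloneVM
    )
    Get-VMNetworkAdapter -VMName $SourceVM, $CloneVM |
        Group-Object -Property MacAddress |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $group = $_
            # A duplicate only matters if at least one side is static; Hyper-V regenerates
            # dynamic MACs (including the 000000000000 placeholder of a never-started VM) at start.
            $static = @($group.Group | Where-Object { -not $_.DynamicMacAddressEnabled })
            [pscustomobject]@{
                MacAddress     = $group.Name
                VMs            = ($group.Group.VMName -join ', ')
                StaticInvolved = ($static.Count -gt 0)
                Action         = if ($static.Count -gt 0) {
                                     'Assign a unique static MAC or switch the clone to a dynamic MAC'
                                 } else {
                                     'None: dynamic MAC is regenerated when the VM starts'
                                 }
            }
        }
}

# Usage: first line on the source DC, second line on the Hyper-V host
Test-DcCloneConfigFile -Path 'C:\Windows\NTDS\DCCloneConfig.xml' | Format-List
Test-CloneMacAddress -SourceVM 'DC2' -CloneVM 'DC2-clone' | Format-Table -AutoSize
```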
Advanced Troubleshooting
This module seeks to teach advanced troubleshooting by using working logs as samples, with some explanation
of what occurred. If you understand what a successful virtualized domain controller operation looks like, failures
become obvious in your environment. These logs are presented by their source, with the ascending order of
expected events (even when they are warnings and errors) related to a cloned domain controller within each log.
Cloning a Domain Controller
In this example, the clone domain controller uses DHCP to get an IP address, replicates SYSVOL using FRS or
DFSR (see the appropriate log as necessary), is a global catalog, and uses a blank dccloneconfig.xml file.
Directory Services Event Log
The Directory Services log contains the majority of event-based cloning operational information. The hypervisor
changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the
invocation ID. The new VM-Generation ID is set and the server replicates Active Directory data inbound. The
DFSR service is stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync
inbound. The USN high watermark is adjusted.
System Event Log
The next indications of cloning operations are in the System Event log. As the hypervisor tells the guest
computer that it was cloned or restored from a snapshot, the domain controller immediately invalidates its RID
pool to avoid duplicating security principals later. As cloning proceeds, various expected operations and
messages appear, mostly around services starting and stopping and some expected errors caused by this. When
cloning completes, the System event log notes overall cloning success.
7036 Service Control Manager The Server service entered the running state.
7036 Service Control Manager The DNS Server service entered the running state.
7036 Service Control Manager The DS Role Server service entered the running state.
7036 Service Control Manager The DNS Server service entered the stopped state.
7040 Service Control Manager The start type of the Active Directory Domain Services service was changed from auto start to disabled.
DCPROMO.LOG
The Dcpromo.log contains the actual promotion portion of cloning that the Directory Services event log does
not describe. Since the log does not provide the level of explanation that the event log entries impart, this
section of the module contains additional annotation.
The promotion process means that the cloning starts, the DC is scrubbed of its current configuration and re-
promoted using the existing AD database (much like an IFM promotion), then the DC replicates inbound change
deltas of AD and SYSVOL, and cloning is complete.
NOTE
The log has been modified in this module for readability, by removing the date column.
For further explanation of the dcpromo.log see the Understand and Troubleshoot AD DS Simplified Administration in
Windows Server 2012.
https://go.microsoft.com/fwlink/p/?LinkId=237244
15:14:01 [INFO] vDC Cloneing: Setting Boot into DSRM flag succeeded.
15:14:01 [WARNING] Cannot get user Token for Format Message: 1725l
15:14:01 [INFO] vDC Cloning: Created vDCCloningUpdate event.
15:14:01 [INFO] vDC Cloning: Created vDCCloningComplete event.
Stop the NetLogon service so that the domain controller does not advertise
15:14:01 [INFO] Stopping service NETLOGON
15:14:01 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
15:14:01 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
15:14:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
15:14:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
15:14:02 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
15:14:02 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
15:14:02 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
15:14:02 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
15:14:02 [INFO] StopService on NETLOGON returned 0
15:14:02 [INFO] Configuring service NETLOGON to 1 returned 0
15:14:02 [INFO] Updating service status to 4
15:14:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:14:02 [INFO] vDC Cloning: Clone config file C:\Windows\NTDS\DCCloneConfig.xml is considered to be a blank file (containing 0 bytes)
15:14:02 [INFO] vDC Cloning: Parsing clone config file C:\Windows\NTDS\DCCloneConfig.xml returned HRESULT 0x0
Validate that there are no services or programs installed that are not part of the DefaultDCCloneAllowList.xml
or CustomDCCloneAllowList.xml
Enable DHCP on the network adapters, since IP information was not specified by the administrator
Provide the promotion settings, based on previous dccloneconfig.xml or automatic generation rules
Start promotion
Stop and configure all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS)
NOTE
The DNS service taking a long time to shutdown is expected in this scenario, as it is using AD-integrated zones that were
no longer available even before the NTDS service stopped - see the DNS events described later in this section of the
module.
Force NT5DS (NTP) time synchronization with another domain controller (typically the PDCE)
Contact a domain controller that holds the source domain controller account of the clone
Flush any existing Kerberos tickets
15:15:02 [INFO] Searching for a domain controller for the domain root.fabrikam.com that contains the account DC2$
15:15:02 [INFO] Located domain controller DC1.root.fabrikam.com for domain root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #10: Domain Controller cloning is at 26% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Directing kerberos authentication to DC1.root.fabrikam.com returns 0
15:15:02 [INFO] DsRolepFlushKerberosTicketCache() successfully flushed the Kerberos ticket cache
15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #11: Domain Controller cloning is at 27% completion...
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] Using site Default-First-Site-Name for server \\DC1.root.fabrikam.com
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
Start the promotion process using the existing NTDS database file
Contact the RID Master
NOTE
The AD DS service is not actually installed here, this is legacy instrumentation in the log
Change the existing invocation ID that existed in the source computers database
Create a new NTDS Settings object for this clone
Replicate in AD object delta from the partner domain controller
NOTE
Even though all objects are listed as replicated, this is just metadata needed to subsume the updates. All the unchanged
objects in the cloned NTDS database already exist and do not require replication again, just like using IFM-based
promotion.
15:15:16 [INFO] vDC Cloning: Winlogon UI Notification #15: Domain Controller cloning is at 60% completion...
15:15:16 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Completed system volume replication
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #16: Domain Controller cloning is at 70% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] SetProductType to 2 [LanmanNT] returned 0
15:15:18 [INFO] Set the product type
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #17: Domain Controller cloning is at 71% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #18: Domain Controller cloning is at 72% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Set the system volume path for NETLOGON
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #19: Domain Controller cloning is at 73% completion...
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] Replicating non critical information
15:15:18 [INFO] User specified to not replicate non-critical data
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #20: Domain Controller cloning is at 80% completion...
15:15:18 [INFO] Stopped the DS
15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #21: Domain Controller cloning is at 90% completion...
15:15:18 [INFO] Configuring service NTDS
15:15:18 [INFO] Configuring service NTDS to 16 returned 0
15:15:18 [INFO] vDC Cloning: Set DisableDynamicUpdate reg value to 0 to enable dynamic update records registration.
15:15:18 [INFO] vDC Cloning: Set UseDynamicDns reg value to 1 to enable dynamic update records registration.
15:15:18 [INFO] vDC Cloning: Set RegistrationEnabled reg value to 1 to enable dynamic update records registration.
Active Directory Web Services Event Log
While cloning is occurring, the NTDS.DIT database is often offline for extended periods. The ADWS service logs
at least one event for this. After cloning is complete, the ADWS service starts, notes that there is not yet a valid
computer certificate (there may or may not be, depending on whether your environment deploys a Microsoft PKI
with auto-enrollment) and then starts the instance for the new domain controller.
DNS Server Event Log
The DNS service will experience brief expected outages while cloning occurs, as the DNS service is still running
while the AD DS database is offline. This occurs if using Active Directory Integrated DNS, but not if using
Standard Primary or Secondary DNS. These errors log multiple times. After cloning completes, DNS comes back
online normally.
File Replication Service Event Log
The File Replication Service synchronizes non-authoritatively from a partner during cloning. Cloning
accomplishes this by deleting the NTFRS database files and leaving the contents of SYSVOL untouched, for use
as pre-seeded data. The two attempts to synchronize are expected.
DFS Replication Event Log
The DFSR service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this
by deleting the DFSR database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data.
The two attempts to synchronize are expected.
OPERATION LOG
Event ID 2170
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Warning
Notes and resolution This is a success event if the snapshot was expected. If not,
examine the Hyper-V-Worker event log or contact the
hypervisor administrator.
Event ID 2174
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution Expected event when starting physical domain controllers or
virtualized domain controllers not restored from snapshot.
Event ID 2181
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution Expected when restoring a snapshot. Transactions track the
VM Generation ID changing.
Event ID 2185
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution Expected when restoring a snapshot. All SYSVOL data on
this domain controller is replaced with a partner DC's copy.
Event ID 2186
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to stop the FRS or DFSR service used to replicate the
SYSVOL folder.
Service name:%1
Error code:%2
Error message:%3
Active Directory detected that the virtual machine that
hosts the domain controller was reverted to a previous
state. must initialize a non-authoritative restore on the
local SYSVOL replica. This is done by stopping the FRS or
DFSR replication service used to replicate the SYSVOL
folder and then starting it with the appropriate registry
keys and values to trigger the restore. failed to stop the
current running service and cannot complete the non-
authoritative restore. Please perform a non-authoritative
restore manually.
Notes and resolution Examine the System, FRS and DFSR event logs for further
information.
Event ID 2187
Severity Informational
Notes and resolution Expected when restoring a snapshot. All SYSVOL data on
this domain controller is replaced with a partner DC's copy.
Event ID 2188
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to start the FRS or DFSR service used to replicate the
SYSVOL folder.
Service name:%1
Error code:%2
Error message:%3
Active Directory detected that the virtual machine that
hosts the domain controller was reverted to a previous
state. needs to initialize a non-authoritative restore on
the local SYSVOL replica. This is done by stopping the
FRS or DFSR service used to replicate the SYSVOL and
starting it with appropriate registry keys and values to
trigger the restore. failed to start the FRS or DFSR
service used to replicate the SYSVOL folder and cannot
complete the non-authoritative restore. Please perform
a non-authoritative restore manually and restart the
service.
Notes and resolution Examine the System, FRS and DFSR event logs for further
information.
Event ID 2189
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution Expected when restoring a snapshot. All SYSVOL data on
this domain controller is replaced with a partner DC's copy.
Event ID 2190
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Notes and resolution Examine Application and System event logs. Investigate third
party applications that may be blocking registry updates.
Event ID 2200
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Active Directory detected that the virtual machine that hosts
the domain controller was reverted to a previous state.
initializes replication to bring the domain controller current.
Event 2201 will be logged when the replication is finished.
Notes and resolution Expected when restoring a snapshot. Marks the beginning of
inbound AD replication.
Event ID 2201
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Active Directory detected that the virtual machine that hosts
the domain controller was reverted to a previous state. has
finished replication to bring the domain controller current.
Notes and resolution Expected when restoring a snapshot. Marks the end of
inbound AD replication.
Event ID 2202
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Active Directory detected that the virtual machine that hosts
the domain controller was reverted to a previous state. failed
replication to bring the domain controller up-to-date. The
domain controller will be updated after next periodic
replication.
Notes and resolution Examine the Directory Services and System event logs. Use
repadmin.exe to attempt forcing replication and note any
failures.
Event ID 2204
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
EVEN T DESC RIP T IO N
Notes and resolution Expected when restoring a snapshot. This explains all the
various reset operations that will occur as part of the safe
restore process.
Event ID 2205
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution Expected when restoring a snapshot. The local RID pool
must be destroyed as the domain controller has time
travelled and they may have already been issued.
Event ID 2206
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity ERROR
Notes and resolution Examine the Directory Services and System event logs.
Validate that the RID Master is online can be reached from
this server using Dcdiag.exe /test:ridmanager
Event ID 2207
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity ERROR
Notes and resolution Examine the Directory Services and System event logs.
Event ID 2208
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Notes and resolution Expected when restoring a snapshot. This guarantees DFSR
non-authoritatively synchronizes SYSVOL from a partner
DC. Note that any other DFSR Replicated Folders on the
same volume as SYSVOL will also non-authoritatively sync
(domain controllers are not recommended to host custom
DFSR sets on the same volume as SYSVOL).
Event ID 2209
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
EVEN T DESC RIP T IO N
Error Messages
There are no direct interactive errors for a failed virtualized domain controller safe snapshot restore; all cloning
information is logged in the Directory Services event log. Naturally, any critical replication or server advertising
errors manifest themselves as symptoms elsewhere.
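Because the only record of a safe restore is the Directory Services event log, the following PowerShell is a practical way to confirm that a restored (or otherwise VM-Generation ID reset) domain controller went through the expected sequence and to surface the error events from the table above. This is an added example and is not code from the Microsoft documentation; the event IDs and their interpretations come from the table, while the function names, the seven-day lookback and the object layout are choices made here.

```powershell
# Added example, not from the Microsoft documentation: read the virtualized
# domain controller safe-restore events from the Directory Service log and
# interpret them with the troubleshooting table above. Run in an elevated
# PowerShell session on the domain controller (or pass -ComputerName).

# Event IDs with the meaning given in the table; entries marked ERROR need follow-up.
$script:VdcRestoreEvents = @{
    2200 = 'VM-Generation ID change detected; inbound AD replication started (expected after a snapshot restore)'
    2201 = 'Inbound AD replication finished (expected after a snapshot restore)'
    2202 = 'ERROR: inbound replication failed; examine Directory Services and System logs, force replication with repadmin.exe'
    2204 = 'Safe-restore reset operations listed (expected)'
    2205 = 'Local RID pool invalidated because the DC travelled back in time (expected)'
    2206 = 'ERROR: examine Directory Services and System logs; check the RID Master with Dcdiag.exe /test:ridmanager'
    2207 = 'ERROR: examine Directory Services and System logs'
    2208 = 'DFSR forced to non-authoritatively synchronize SYSVOL from a partner DC (expected)'
    2209 = 'ERROR: see the troubleshooting table'
}

function Get-VdcSafeRestoreEvent {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-7)   # lookback window (assumption)
    )
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = [int[]]$script:VdcRestoreEvents.Keys
        StartTime    = $Since
    }
    # Get-WinEvent writes a non-terminating error when nothing matches; for this
    # check "no events" simply means no restore happened, so the error is silenced.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Level   = $_.LevelDisplayName
                Meaning = $script:VdcRestoreEvents[$_.Id]
                Message = ($_.Message -split "`r?`n")[0]   # first line of the event text
            }
        }
}

function Test-VdcSafeRestore {
    param([string] $ComputerName = $env:COMPUTERNAME)
    $events   = @(Get-VdcSafeRestoreEvent -ComputerName $ComputerName)
    # Most recent restore start (2200), and whether a 2201 followed it.
    $started  = $events | Where-Object { $_.Id -eq 2200 } | Select-Object -Last 1
    $finished = $events | Where-Object { $_.Id -eq 2201 -and $started -and $_.Time -ge $started.Time } | Select-Object -Last 1
    # Error events logged since that restore began.
    $failures = @($events | Where-Object { ($_.Id -in @(2202, 2206, 2207, 2209)) -and $started -and $_.Time -ge $started.Time })
    [pscustomobject]@{
        ComputerName        = $ComputerName
        RestoreDetected     = [bool]$started
        RestoreTime         = $started.Time
        ReplicationFinished = [bool]$finished
        FailureCount        = $failures.Count
        Failures            = $failures | ForEach-Object { "$($_.Id): $($_.Meaning)" }
    }
}

# A healthy restore shows RestoreDetected and ReplicationFinished both True and
# FailureCount 0; otherwise follow up with repadmin.exe /showrepl and
# Dcdiag.exe /test:ridmanager as the table advises.
Test-VdcSafeRestore | Format-List
```

The check deliberately looks only at events logged after the most recent 2200, so an old failure from an earlier restore does not mask the state of the current one; widen `-Since` if the restore happened more than a week ago.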
Known Issues and Support Scenarios
The General Methodology for Troubleshooting Domain Controller Safe Restore is usually adequate to
troubleshoot most issues.

Resolution and Notes: This issue is caused by the restored computer's stale knowledge of the RID Master FSMO
role. If the role moved to this or another domain controller after a snapshot was taken and then later restored,
the restored domain controller will not have knowledge of the RID master until initial replication has completed.
To resolve the issue, allow AD replication to complete inbound to the restored domain controller. If it is still not
working, validate that all domain controllers have the same correct knowledge of which DC hosts the RID Master.

Resolution and Notes: The DC's upstream partners do not have a working SYSVOL replica that is correctly
replicating with DFSR or FRS. This issue is unrelated to safe restore but is likely to manifest as a safe restore
issue, because the customer was unaware of the other replication issue affecting un-restored DCs.
Advanced Troubleshooting
This module seeks to teach advanced troubleshooting by using working logs as samples, with some explanation
of what occurred. If you understand what a successful virtualized domain controller operation looks like, failures
become obvious in your environment. These logs are presented by their source, with the ascending order of
expected events related to a cloned domain controller within each log.
Restoring a Domain Controller that Replicates SYSVOL Using DFSR
Directory Services Event Log
The Directory Services log contains the majority of safe restore operational information. The hypervisor
changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the
invocation ID. The new VM-Generation ID is set and the server replicates AD data inbound. The DFSR service is
stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high
watermark is adjusted.
System Event Log
The System event log notes the machine time change that occurs when bringing an offline virtual machine back
online and synchronizing with host time. The RID pool invalidates and the DFSR or FRS services are restarted.
Application Event Log
The Application event log notes the DFSR database stopping and starting.
DFS Replication Event Log
The DFSR service is stopped and the database that contains SYSVOL is deleted, forcing a non-authoritative
synchronization inbound.
The FRS service is stopped and restarted with a D2 BURFLAGS value to non-authoritatively synchronize
SYSVOL.
Application Event Log
The FRS database stops and starts, and is purged due to the D2 BURFLAGS operation.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Terminology
Snapshot - The state of a virtual machine at a particular point in time. It is dependent on the chain of
previous snapshots taken, on the hardware, and on the virtualization platform.
Clone - A complete and separate copy of a virtual machine. It is dependent on the virtual hardware
(hypervisor).
Full Clone - A full clone is an independent copy of a virtual machine that shares no resources with the
parent virtual machine after the cloning operation. Ongoing operation of a full clone is entirely separate
from the parent virtual machine.
Differencing disk - A copy of a virtual machine that shares virtual disks with the parent virtual machine
in an ongoing manner. This usually conserves disk space and allows multiple virtual machines to use the
same software installation.
VM Copy - A file system copy of all the related files and folders of a virtual machine.
VHD File Copy - A copy of a virtual machine's VHD
VM Generation ID - a 128-bit integer given to the virtual machine by the hypervisor. This ID is stored in
memory and reset every time a snapshot is applied. The design uses a hypervisor-agnostic mechanism
for surfacing the VM-Generation ID in the virtual machine. The Hyper-V implementation exposes the ID in
the ACPI table of the virtual machine.
Import/Export - A Hyper-V feature that allows the user to save the entire virtual machine (VM files, VHD
and the machine configuration). It then allows users to use that set of files to bring the machine back on
the same machine as the same VM (Restore), on a different machine as the same VM (Move), or as a new
VM (Copy).
FixVDCPermissions.ps1
# Unsigned script, requires use of set-executionpolicy remotesigned -force
# You must run the Windows PowerShell console as an elevated administrator
# Lines marked "(added)" complete the script as extracted here and are not part of the original listing.
Import-Module ActiveDirectory   # (added) provides Get-ADDomain and the AD: drive used by Get-Acl/Set-Acl
## Get Domain NC
$domainNC = (Get-ADDomain).DistinguishedName   # (added) the DN is the path the AD: drive expects
## Get the Cloneable Domain Controllers (CDC) group by its well-known RID 522 in this domain (added)
$cdcGroupSID = New-Object System.Security.Principal.SecurityIdentifier ((Get-ADDomain).DomainSID.Value + "-522")
## Read the current ACL on the Domain NC through the AD: drive (added)
cd ad:
$acl = Get-Acl $domainNC
## The following object specific ACE grants extended right 'Allow a DC to create a clone of itself' for the CDC group to the Domain NC
## 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e is the schemaIDGuid for 'DS-Clone-Domain-Controller'
$objectGuid = New-Object Guid 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e   # (added)
$ace1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $cdcGroupSID, "ExtendedRight", "Allow", $objectGuid   # (added)
## Add the ACE in the ACL and set the ACL on the object
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl $domainNC
write-host "Done writing new VDC permissions."
cd c:
Virtualized Domain Controller Additional Resources
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains what application vendors should consider to help ensure their application continues to work
as expected after the virtualized domain controller (DC) cloning process completes. It covers those aspects of the
cloning process that interest application vendors and scenarios that may warrant additional testing. Application
vendors who have validated that their application works on virtualized domain controllers that have been
cloned are encouraged to list the name of the application in the Community Content at the bottom of this topic,
along with a link to your organization's web site where users can learn more about the validation.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains the supportability of using Hyper-V Replica to replicate a virtual machine (VM) that runs as a
domain controller (DC). Hyper-V Replica is a new capability of Hyper-V beginning with Windows Server 2012
that provides a built-in replication mechanism at a VM level.
Hyper-V Replica asynchronously replicates selected VMs from a primary Hyper-V host to a replica Hyper-V host
across either LAN or WAN links. After initial replication is complete, subsequent changes are replicated at an
interval defined by the administrator.
Failover can be either planned or unplanned. A planned failover is initiated by an administrator on the primary
VM, and any un-replicated changes are copied over to the replica VM to prevent any data loss. An unplanned
failover is initiated on the replica VM in response to an unexpected failure of the primary VM. Data loss is
possible because there is no opportunity to transmit changes on the primary VM that might not have been
replicated yet.
For more information about Hyper-V Replica, see Hyper-V Replica Overview and Deploy Hyper-V Replica.
NOTE
Hyper-V Replica can be run only on Windows Server Hyper-V, not the version of Hyper-V that runs on Windows 8.
NOTE
Only AD DS on Windows Server 2012 DCs or newer provides these safety measures resulting from VMGenID; DCs that
run all previous releases of Windows Server are subject to problems such as USN rollback that can occur when a
virtualized DC is restored using an unsupported mechanism, such as snapshot restore. For more information about these
safeguards and when they are triggered, see Virtualized Domain Controller Architecture.
When a Hyper-V replica failover occurs (planned or unplanned), the virtualized DC detects a VMGenID reset,
triggering the aforementioned safety features. Active Directory operations then proceed as normal. The replica
VM runs in place of the primary VM.
NOTE
Given that there are now two instances of the same DC identity, there is a potential for both the primary instance
and the replicated instance to run. While Hyper-V Replica has control mechanisms in place to ensure the primary and
replica VMs do not run simultaneously, it is possible for them to run at the same time in the event the link between them
fails after replication of the VM. In the event of this unlikely occurrence, virtualized DCs that run Windows Server 2012
have safeguards to help protect AD DS, whereas virtualized DCs that run earlier versions of Windows Server do not.
When using Hyper-V Replica, ensure that you follow best practices for running virtual domain controllers on
Hyper-V. Those practices include, for example, recommendations for storing Active Directory files on virtual SCSI
disks, which provide stronger guarantees of data durability.
NOTE
There are no functional level requirements for the domain or forest; there are only operating system requirements for the
DCs that run as VMs that are replicated using Hyper-V Replica. The VMs can be deployed in a forest that contains other
physical or virtual DCs that run earlier versions of Windows Server and may or may not also be replicated using Hyper-V
Replica.
This support statement is based on tests that were performed in a single domain-forest, though multi-domain
forest configurations are also supported. For these tests, virtualized domain controllers DC1 and DC2 are Active
Directory replication partners in the same site, hosted on a server that runs Hyper-V on Windows Server 2012.
The VM guest that runs DC2 has Hyper-V Replica enabled. The Replica server is hosted in another
geographically distant datacenter. To help explain the test case processes outlined below, the VM running on the
replica server is referred to as DC2-Rec (although in practice it retains the same name as the original VM).
Windows Server 2012
The following table explains support for virtualized DCs that run Windows Server 2012 and test cases.

PLANNED FAILOVER: Supported
Test case:
- DC1 and DC2 are running Windows Server 2012.
- DC2 is shut down and a failover is performed on DC2-Rec. The failover can be either planned or unplanned.
- After DC2-Rec starts, it checks whether the value of VMGenID that it has in its database is the same as the value from the virtual machine driver saved by the Hyper-V Replica server.
- As a result, DC2-Rec triggers virtualization safeguards; in other words, it resets its InvocationID, discards its RID pool, and sets an initial synchronization requirement before it will assume an operations master role. For more information about initial synchronization requirement, see .
- DC2-Rec then saves the new value of VMGenID in its database and commits any subsequent updates in the context of the new InvocationID.
- As a result of the InvocationID reset, DC1 will converge on all AD changes introduced by DC2-Rec even if it was rolled back in time, meaning any AD updates performed on DC2-Rec after the failover will safely converge.

UNPLANNED FAILOVER: Supported
The test case is the same as for a planned failover, with these exceptions:
- Any AD updates received on DC2 but not yet replicated by AD to a replication partner before the failover event will be lost.
- AD updates received on DC2 after the time of the recovery point that were replicated by AD to DC1 will be replicated from DC1 back to DC2-Rec.

Earlier versions of Windows Server
PLANNED FAILOVER: Supported but not recommended because DCs that run these versions of Windows Server do not support VMGenID or use associated virtualization safeguards. This places them at risk for USN rollback. For more information, see USN and USN Rollback.
UNPLANNED FAILOVER: Not supported. Note: Unplanned failover would be supported where USN rollback is not a risk, such as a single DC in the forest (a configuration that is not recommended).
Applies to: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10 or later
In this guide
Where to find Windows Time Service Configuration Information
What is the Windows Time Service?
Importance of Time Protocols
How the Windows Time Service Works
Windows Time Service Tools and Settings
NOTE
In Windows Server 2003 and Microsoft Windows 2000 Server, the directory service is named Active Directory directory
service. In Windows Server 2008 R2 and Windows Server 2008, the directory service is named Active Directory Domain
Services (AD DS). The rest of this topic refers to AD DS, but the information is also applicable to Active Directory Domain
Services in Windows Server 2016.
The Windows Time service, also known as W32Time, synchronizes the date and time for all computers running
in an AD DS domain. Time synchronization is critical for the proper operation of many Windows services and
line-of-business applications. The Windows Time service uses the Network Time Protocol (NTP) to synchronize
computer clocks on the network so that an accurate clock value, or time stamp, can be assigned to network
validation and resource access requests. The service integrates NTP and time providers, making it a reliable and
scalable time service for enterprise administrators.
IMPORTANT
Prior to Windows Server 2016, the W32Time service was not designed to meet time-sensitive application needs. However,
updates to Windows Server 2016 now allow you to implement a solution for 1ms accuracy in your domain. See Windows
2016 Accurate Time and Support boundary to configure the Windows Time service for high-accuracy environments for
more information.
WARNING
Some applications may require their computers to have high-accuracy time services. If that is the case, you may
choose to configure a manual time source, but be aware that the Windows Time service was not designed to
function as a highly accurate time source. Ensure that you are aware of the support limitations for high-accuracy
time environments as described in Microsoft Knowledge Base article 939322, Support boundary to configure the
Windows Time service for high-accuracy environments.
- To configure the Windows Time service on any Windows-based client or server computers that are configured as workgroup members instead of domain members, see Configure a manual time source for a selected client computer.
- To configure the Windows Time service on a host computer that runs a virtual environment, see Microsoft Knowledge Base article 816042, How to configure an authoritative time server in Windows Server. If you are working with a non-Microsoft virtualization product, be sure to consult the documentation of the vendor for that product.
- To configure the Windows Time service on a domain controller that is running in a virtual machine, it is recommended that you partially disable time synchronization between the host system and the guest operating system acting as a domain controller. This enables your guest domain controller to synchronize time for the domain hierarchy, but protects it from having a time skew if it is restored from a Saved state. For more information, see Microsoft Knowledge Base article 976924, You receive Windows Time Service event IDs 24, 29, and 38 on a virtualized domain controller that is running on a Windows Server 2008-based host server with Hyper-V, and Deployment Considerations for Virtualized Domain Controllers.
- To configure the Windows Time service on a domain controller acting as the forest root PDC emulator that is also running in a virtual computer, follow the same instructions for a physical computer as described in Configure the Windows Time service on the PDC emulator in the Forest Root Domain.
- To configure the Windows Time service on a member server running as a virtual computer, use the domain time hierarchy as described in Configure a client computer for automatic domain time synchronization.
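The virtualized domain controller recommendation above is easy to get wrong (the guest ends up taking time from the host, or the PDC emulator ends up following the domain hierarchy instead of a manual source), and a skewed DC clock breaks Kerberos and the replication timestamps the rest of this guide relies on. The PowerShell below reports how a given DC is sourcing time so the configuration can be checked before a restore is ever needed. It is an added example, not code from the Microsoft documentation: the Windows Time service registry locations (`W32Time\Parameters` and the Hyper-V `VMICTimeProvider` key) and the meaning of `Enabled = 0` on that provider are taken from the Windows Time service as documented in KB 976924 and should be verified against that article for your OS version; the function name, the virtual-machine heuristic and the output layout are choices made here.

```powershell
# Added example, not from the Microsoft documentation: report how a (virtualized)
# domain controller is sourcing time so the recommendation above can be verified:
# the guest should follow the domain hierarchy (NT5DS) with host-to-guest time
# synchronization only partially enabled. Registry locations are the Windows Time
# service's own; compare against KB 976924 for your OS version (assumption).

function Get-VdcTimeSourceStatus {
    $w32time  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $provider = "$w32time\TimeProviders\VMICTimeProvider"   # Hyper-V time provider (assumed path)

    # Type: NT5DS = domain hierarchy; NTP = manually configured source (forest root PDC emulator)
    $type = (Get-ItemProperty -Path "$w32time\Parameters" -Name Type).Type

    # Enabled = 0 on the Hyper-V provider stops W32Time from taking host time
    # continuously while the integration service still corrects the clock on
    # boot/resume ("partially disabled"). The key is absent on physical machines.
    $vmicEnabled = $null
    if (Test-Path $provider) {
        $vmicEnabled = (Get-ItemProperty -Path $provider -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }

    # Live source as W32Time reports it (a DC name, an NTP peer, or the
    # "VM IC Time Synchronization Provider" when the host is still the source).
    $source = (& w32tm.exe /query /source 2>$null) -join ''

    $cs   = Get-CimInstance Win32_ComputerSystem
    $isDc = $cs.DomainRole -ge 4          # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isVm = $cs.Model -match 'Virtual'    # heuristic only: Hyper-V reports the model as "Virtual Machine"

    [pscustomobject]@{
        Computer                  = $cs.Name
        IsDomainController        = $isDc
        LooksVirtual              = $isVm
        W32TimeType               = $type
        CurrentSource             = $source
        HyperVProviderEnabled     = $vmicEnabled
        FollowsDomainHierarchy    = ($type -eq 'NT5DS')
        HostSyncPartiallyDisabled = ($vmicEnabled -eq 0)
        TakingTimeFromHost        = ($source -like '*VM IC*')
    }
}

# For a virtualized DC other than the forest root PDC emulator, the expected
# result is FollowsDomainHierarchy True, HostSyncPartiallyDisabled True and
# TakingTimeFromHost False. The PDC emulator instead shows W32TimeType NTP with
# an external source, as the physical-computer instructions describe.
Get-VdcTimeSourceStatus | Format-List
```

Run it on each virtualized DC after provisioning and again after any restore from a saved state, since that is exactly when the host clock and the domain hierarchy can disagree.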
See Also
How the Windows Time Service Works
Windows Time Service Tools and Settings
Microsoft Knowledge Base article 902229
AD DS Design and Planning
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
By deploying Windows Server Active Directory Domain Services (AD DS) in your environment, you can take
advantage of the centralized, delegated administrative model and single sign-on (SSO) capability that AD DS
provides. After you identify the deployment tasks and current environment for your organization, you can create
the AD DS deployment strategy that meets your organization's needs.
In this guide
Understanding AD DS Design
Identifying Your AD DS Design and Deployment Requirements
Mapping Your Requirements to an AD DS Deployment Strategy
Designing the Logical Structure for Windows Server 2008 AD DS
Designing the Site Topology for Windows Server 2008 AD DS
Enabling Advanced Features for AD DS
Evaluating AD DS Deployment Strategy Examples
Appendix A: Reviewing Key AD DS Terms
Understanding AD DS Design
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Organizations can use Active Directory Domain Services (AD DS) in Windows Server to simplify user and
resource management while creating scalable, secure, and manageable infrastructures. You can use AD DS to
manage your network infrastructure, including branch office, Microsoft Exchange Server, and multiple forest
environments.
An AD DS deployment project involves three phases: a design phase, a deployment phase, and an operations
phase. During the design phase, the design team creates a design for the AD DS logical structure that best meets
the needs of each division in the organization that will use the directory service. After the design is approved,
the deployment team tests the design in a lab environment and then implements the design in the production
environment. Because testing is performed by the deployment team and it potentially affects the design phase, it
is an interim activity that overlaps both design and deployment. When the deployment is complete, the
operations team is responsible for maintaining the directory service.
Although the Windows Server AD DS design and deployment strategies that are presented in this guide are
based on extensive lab and pilot-program testing and successful implementation in customer environments, you
might have to customize your AD DS design and deployment to better suit specific, complex environments.
For more information about deploying AD DS in a branch office environment, see the Read-Only Domain
Controller (RODC) Branch Office Planning Guide.
For more information about deploying AD DS in an Exchange environment, see the article Active Directory in
Exchange Server organizations.
For more information about deploying AD DS in a multiple forest environment, see the article Multiple
Forest Considerations in Windows 2000 and Windows Server 2003.
Identifying Your AD DS Design and Deployment Requirements
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Performing a high-level assessment of your current environment and correctly identifying your Active Directory
Domain Services (AD DS) deployment tasks is essential for the success of your AD DS deployment strategy.
Your AD DS deployment strategy depends on your existing network configuration. For example, if your
organization currently runs Windows Server 2003, you can upgrade your operating system to Windows Server
2008. Your deployment process might involve restructuring existing domains, either within an Active Directory
forest or between Active Directory forests. You may have to restructure your existing domains after you deploy
Windows Server 2008 AD DS or after organizational changes or corporate acquisitions.
AD DS Design Requirements
AD DS Deployment Requirements
AD DS Design Requirements
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
For more information, see Designing the Logical Structure for Windows Server 2008 AD DS.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The structure of your existing environment determines your strategy for deploying Windows Server 2008 Active
Directory Domain Services (AD DS). If you are creating an AD DS environment and you do not have an existing
domain structure, complete your AD DS design before you begin creating your AD DS environment. Then, you
can deploy a new forest root domain and deploy the rest of your domain structure according to your design.
Also, as part of your AD DS deployment, you might decide to upgrade and restructure your environment. For
example, if your organization has an existing Windows 2000 domain structure, you might perform an in-place
upgrade of some domains and restructure others. In addition, you might decide to reduce the complexity of
your environment by either restructuring domains between forests or restructuring domains within a forest
after you deploy AD DS.
For more information, see Deploying a Windows Server 2008 Forest Root Domain.
Restructuring AD DS domains
When you restructure domains between Windows Server 2008 forests (interforest restructure), you can reduce
the number of domains in your environment and therefore reduce administrative complexity and overhead.
When you migrate objects between forests as part of this restructuring process, both the source domain and
target domain environments exist simultaneously. This makes it possible for you to roll back to the source
environment during the migration, if necessary.
When you restructure Windows Server 2008 domains within a Windows Server 2008 forest (intraforest
restructure), you can consolidate your domain structure and therefore reduce administrative complexity and
overhead. When you restructure domains within a forest, the migrated accounts no longer exist in the source
domain.
For more information about how to use the Active Directory Migration Tool (ADMT) version 3.1 (ADMT v3.1) to
restructure domains, see ADMT Guide: Migrating and Restructuring Active Directory Domains.
Mapping Your Requirements to an AD DS Deployment Strategy
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
After you finish reviewing and identifying the Active Directory Domain Services (AD DS) design and deployment
requirements and you determine which of them are related to your specific deployment, you can map those
requirements to a specific AD DS deployment strategy.
Use the following table to determine which AD DS deployment strategy maps to the appropriate combination of
AD DS design and deployment requirements for your organization. ("Yes" means that a specific requirement is
necessary for your deployment strategy; "No" means that a specific requirement is not necessary for your
deployment strategy.)
This table refers only to the three primary AD DS deployment strategies as described in this guide:
Deploying AD DS in a New Organization
Deploying AD DS in a Windows Server 2003 Organization
Deploying AD DS in a Windows 2000 Organization
However, you can create a hybrid or custom AD DS deployment strategy by using any combination of the AD DS
design and deployment requirements to meet the needs of your organization.
Enabling Advanced Features for AD DS
  Deploying AD DS in a New Organization: Yes
  Deploying AD DS in a Windows Server 2003 Organization: Yes, but all domain controllers in the environment must run Windows Server 2008 before you set the domain or forest functional level to Windows Server 2008.
  Deploying AD DS in a Windows 2000 Organization: Yes, but all domain controllers in the environment must run Windows Server 2008 before you set the domain or forest functional level to Windows Server 2008.

ADMT Guide: Migrating and Restructuring Active Directory Domains
  Deploying AD DS in a New Organization: Yes, if you want to migrate a pilot domain into your production environment, merge with another organization and consolidate the two information technology (IT) infrastructures, or consolidate resource and account domains that you upgraded in place from Windows 2000 or Windows Server 2003 environments.
  Deploying AD DS in a Windows Server 2003 Organization: Yes, if you want to merge with another organization and consolidate the two IT infrastructures or consolidate resource and account domains that you upgraded in place from Windows 2000 or Windows Server 2003 environments.
  Deploying AD DS in a Windows 2000 Organization: Yes, if you want to merge with another organization and consolidate the two IT infrastructures or consolidate resource and account domains that you upgraded in place from Windows 2000 or Windows Server 2003 environments.

ADMT Guide: Migrating and Restructuring Active Directory Domains
  Deploying AD DS in a New Organization: No
  Deploying AD DS in a Windows Server 2003 Organization: Yes, if you need to reduce the number of domains, reduce replication traffic and the amount of required user and group administration, or simplify the administration of Group Policy.
  Deploying AD DS in a Windows 2000 Organization: Yes, if you need to reduce the number of domains, reduce replication traffic and the amount of required user and group administration, or simplify the administration of Group Policy.
Deploying AD DS in a New Organization
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Thoroughly preparing your Active Directory Domain Services (AD DS) design is essential to a cost-effective
deployment. If your network environment is currently operating without a directory service, complete a
comprehensive design of your AD DS logical structure before you deploy AD DS. Then, you can deploy a new
forest root domain and deploy the rest of your domain structure according to your design.
The following illustration shows the steps for deploying Windows Server 2008 AD DS in a network environment
that is currently operating without a directory service.
For a list of detailed tasks that you can use to plan and deploy AD DS in a new organization, see Checklist:
Deploying AD DS in a New Organization.
Deploying AD DS in a Windows Server 2003 Organization
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
If your organization is currently running Windows Server 2003 Active Directory, you can deploy Windows
Server 2008 Active Directory Domain Services (AD DS) by either performing an in-place upgrade of some or all
of your domain controllers' operating systems to Windows Server 2008 or by introducing domain controllers
running Windows Server 2008 into your environment.
Before you can add a domain controller running Windows Server 2008 to an existing Windows Server 2003
Active Directory domain, you must run adprep, a command-line tool. Adprep extends the AD DS schema,
updates default security descriptors of selected objects, and adds new directory objects as required by some
applications. Adprep is available on the Windows Server 2008 installation disk (\sources\adprep\adprep.exe).
For more information, see Adprep.
The following illustration shows the steps for deploying Windows Server 2008 AD DS in a network environment
that is currently running Windows Server 2003 Active Directory.
NOTE
If you want to set the domain or forest functional level to Windows Server 2008, all domain controllers in your
environment must run the Windows Server 2008 operating system.
Consolidating resource domains and account domains that are upgraded in place from a Windows Server 2003
environment as part of your Windows Server 2008 AD DS deployment may require interforest or intraforest
domain restructuring. Restructuring AD DS domains between forests helps you reduce the complexity of the
representation of your organization in AD DS, and it helps reduce the associated administrative costs.
Restructuring AD DS domains within a forest helps you decrease the administrative overhead for your
organization by reducing replication traffic, reducing the amount of user and group administration that is
required, and simplifying the administration of Group Policy. For more information, see ADMT Guide: Migrating
and Restructuring Active Directory Domains.
For a list of detailed tasks that you can use to plan and deploy AD DS in an organization that is running
Windows Server 2003 Active Directory, see Checklist: Deploying AD DS in a Windows Server 2003
Organization.
Deploying AD DS in a Windows 2000 Organization
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
If your organization is currently running Windows 2000 Active Directory, you can deploy Windows Server 2008
Active Directory Domain Services (AD DS) by either performing an in-place upgrade of some or all of your
domain controllers' operating systems to Windows Server 2008 or by introducing domain controllers running
Windows Server 2008 into your environment.
Before you can add a domain controller running Windows Server 2008 to an existing Windows 2000 Active
Directory domain, you must run adprep, a command-line tool. Adprep extends the AD DS schema, updates
default security descriptors of selected objects, and adds new directory objects as required by some
applications. Adprep is available on the Windows Server 2008 installation disk (\sources\adprep\adprep.exe).
For more information, see Adprep.
NOTE
If you want to perform an in-place upgrade of an existing Windows 2000 AD DS domain controller to Windows Server
2008, you must first upgrade the server to Windows Server 2003, and then upgrade it to Windows Server 2008.
The following illustration shows the steps for deploying the Windows Server 2008 AD DS in a network
environment that is currently running Windows 2000 Active Directory.
NOTE
If you want to set the domain or forest functional level to Windows Server 2008, all domain controllers in your
environment must run the Windows Server 2008 operating system.
Consolidating resource and account domains that are upgraded in place from a Windows 2000 environment as
part of your Windows Server 2008 AD DS deployment may require interforest or intraforest domain
restructuring. Restructuring AD DS domains between forests helps you reduce the complexity of your
organization and the associated administrative costs. Restructuring AD DS domains within a forest helps you to
decrease the administrative overhead for your organization by reducing replication traffic, reducing the amount
of user and group administration that is required, and simplifying the administration of Group Policy. For more
information, see ADMT Guide: Migrating and Restructuring Active Directory Domains.
For a list of detailed tasks that you can use to plan and deploy AD DS in an organization that is currently running
Windows 2000 Active Directory, see Checklist: Deploying AD DS in a Windows 2000 Organization.
Designing the Logical Structure
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Active Directory Domain Services (AD DS) enables organizations to create a scalable, secure, and manageable
infrastructure for user and resource management. It also enables them to support directory-enabled
applications.
A well-designed Active Directory logical structure provides the following benefits:
Simplified management of Microsoft Windows-based networks that contain large numbers of objects
A consolidated domain structure and reduced administration costs
The ability to delegate administrative control over resources, as appropriate
Reduced impact on network bandwidth
Simplified resource sharing
Optimal search performance
Low total cost of ownership
A well-designed Active Directory logical structure facilitates the efficient integration of such features as Group
Policy; desktop lockdown; software distribution; and user, group, workstation, and server administration into
your system. In addition, a carefully designed logical structure facilitates the integration of Microsoft and non-
Microsoft applications and services, such as Microsoft Exchange Server, public key infrastructure (PKI), and a
domain-based distributed file system (DFS).
When you design an Active Directory logical structure before you deploy AD DS, you can optimize your
deployment process to best take advantage of Active Directory features. To design the Active Directory logical
structure, your design team first identifies the requirements for your organization and, based on this
information, decides where to place the forest and domain boundaries. Then, the design team decides how to
configure the Domain Name System (DNS) environment to meet the needs of the forest. Finally, the design
team identifies the organizational unit (OU) structure that is required to delegate the management of resources
in your organization.
In this guide
Understanding the Active Directory Logical Model
Identifying the Deployment Project Participants
Creating a Forest Design
Creating a Domain Design
Creating a DNS Infrastructure Design
Creating an Organizational Unit Design
Appendix A: DNS Inventory
Understanding the Active Directory Logical Model
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Designing your logical structure for Active Directory Domain Services (AD DS) involves defining the
relationships between the containers in your directory. These relationships might be based on administrative
requirements, such as delegation of authority, or they might be defined by operational requirements, such as the
need to control replication.
Before you design your Active Directory logical structure, it is important to understand the Active Directory
logical model. AD DS is a distributed database that stores and manages information about network resources as
well as application-specific data from directory-enabled applications. AD DS allows administrators to organize
elements of a network (such as users, computers, and devices) into a hierarchical containment structure. The
top-level container is the forest. Within forests are domains, and within domains are organizational units (OUs).
This is called the logical model because it is independent of the physical aspects of the deployment, such as the
number of domain controllers required within each domain and network topology.
Identifying the Deployment Project Participants
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The first step in establishing a deployment project for Active Directory Domain Service (AD DS) is to establish
the design and deployment project teams that will be responsible for managing the design phase and
deployment phase of the Active Directory project cycle. In addition, you must identify the individuals and groups
who will be responsible for owning and maintaining the directory after the deployment is completed.
Defining project-specific roles
Establishing owners and administrators
Building project teams
NOTE
If no existing personnel in your organization have directory design experience, you might want to hire an outside
consultant who is an expert in Active Directory design and deployment.
The responsibilities of the Active Directory project architect include the following:
Owning the Active Directory design
Understanding and recording the rationale for key design decisions
Ensuring that the design meets the business needs of the organization
Establishing consensus between design, deployment, and operations teams
Understanding the needs of AD DS-integrated applications
The final Active Directory design must reflect a combination of business goals and technical decisions.
Therefore, the project architect must review design decisions to ensure that they align with business goals.
Project manager
The project manager facilitates cooperation across business units and between technology management groups.
Ideally, the Active Directory deployment project manager is someone from within the organization who is
familiar with both the operational policies of the IT group and the design requirements for the groups that are
preparing to deploy AD DS. The project manager oversees the entire deployment project, beginning with design
and continuing through implementation, and makes sure that the project stays on schedule and within budget.
The responsibilities of the project manager include the following:
Providing basic project planning such as scheduling and budgeting
Driving progress on the Active Directory design and deployment project
Ensuring that the appropriate individuals are involved in each part of the design process
Serving as single point of contact for the Active Directory deployment project
Establishing communication between design, deployment, and operations teams
Establishing and maintaining communication with the executive sponsor throughout the deployment
project
Creating a Forest Design
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Creating a forest design involves first identifying the groups within your organization that have the resources
available to host an Active Directory forest and then defining your forest design requirements. Finally, you need
to determine the number of forests that you require to meet the needs of your organization.
After you map all your design requirements to forest models and select the forest model that meets the needs
of your organization, document the proposed forest design. Include in your documentation the name of the
group for which the forest is designed, the contact information for the forest owner, the type of forest for each
forest that you include, and the requirements that each forest is designed to meet. This documentation will help
the design team both to ensure that all the appropriate people are involved in the design process and to clarify
the scope of the deployment project.
For a worksheet to assist you in documenting the proposed forest design, download
Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip from Job Aids for Windows Server
2003 Deployment Kit and open "Forest Design" (DSSLOGI_3.doc).
In this section
Identifying Forest Design Requirements
Determining the Number of Forests Required
Identifying Forest Design Requirements
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
To create a forest design for your organization, you must identify the business requirements that your directory
structure needs to accommodate. This involves determining how much autonomy the groups in your
organization need to manage their network resources and whether or not each group needs to isolate their
resources on the network from other groups.
Active Directory Domain Services (AD DS) enables you to design a directory infrastructure that accommodates
multiple groups within an organization that have unique management requirements and to achieve structural
and operational independence between groups as needed.
Groups in your organization might have some of the following types of requirements:
Organizational structure requirements. Parts of an organization might participate in a shared
infrastructure to save costs but require the ability to operate independently from the rest of the
organization. For example, a research group within a large organization might need to maintain control
over all of their own research data.
Operational requirements. One part of an organization might place unique constraints on the
directory service configuration, availability, or security, or use applications that place unique constraints
on the directory. For example, individual business units within an organization might deploy directory-
enabled applications that modify the directory schema that are not deployed by other business units.
Because the directory schema is shared between all the domains in the forest, creating multiple forests is
one solution for such a scenario. Other examples are found in the following organizations and scenarios:
Military organizations
Hosting scenarios
Organizations maintaining a directory that is available both internally and externally (such as
those publicly accessible to users on the Internet)
Legal requirements. Some organizations have legal requirements to operate in a specific way, for
example, restricting access to certain information as specified in a business contract. Some organizations
have security requirements to operate on isolated internal networks. Failure to meet these requirements
can result in loss of the contract and possibly legal action.
Part of identifying your forest design requirements involves identifying the degree to which groups in your
organization can trust the potential forest owners and their service administrators and identifying the autonomy
and isolation requirements for each group in your organization.
The design team must document the isolation and autonomy requirements for service and data administration
for each group in the organization that intends to use AD DS. The team must also note any areas of limited
connectivity that might affect the deployment of AD DS. For a worksheet to assist you in documenting the
regions you identified, download Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip from
Job Aids for Windows Server 2003 Deployment Kit and open "Forest Design Requirements" (DSSLOGI_2.doc).
In this section
Service Administrator Scope of Authority
Autonomy vs. Isolation
Service Administrator Scope of Authority
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
If you choose to participate in an Active Directory forest, you must trust the forest owner and the service
administrators. The forest owners are responsible for selecting and managing the service administrators;
therefore, when you trust a forest owner, you also trust the service administrators that the forest owner
manages. These service administrators have access to all of the resources in the forest. Before making the
decision to participate in a forest, it is important to understand that the forest owner and the service
administrators will have full access to your data. You cannot prevent this access.
All service administrators in a forest have full control over all data and services on all computers in the forest.
Service administrators have the capability to do the following:
Correct errors on access control lists (ACLs) of objects. This enables the service administrator to read,
modify, or delete objects regardless of the ACLs that are set on those objects.
Modify the system software on a domain controller to bypass normal security checks. This enables the
service administrator to view or manipulate any object in the domain, regardless of the ACL on the
object.
Use the Restricted Groups security policy to grant to any user or group administrative access to any
computer joined to the domain. In this way, service administrators can obtain control of any computer
joined to the domain regardless of the intentions of the computer owner.
Reset passwords or change group memberships for users.
Gain access to other domains in the forest by modifying the system software on a domain controller.
Service administrators can affect the operation of any domain in the forest, view or manipulate forest
configuration data, view or manipulate data stored in any domain, and view or manipulate data stored on
any computer joined to the forest.
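A group deciding whether to join a forest is, in practice, deciding whether to trust the members of a handful of groups. The following PowerShell is an added example, not code from the Microsoft documentation, that lists those members across every domain of a forest so the decision can be made against names rather than assumptions. It assumes the ActiveDirectory module (RSAT) is installed and that the account can read group membership in each domain; the set of groups enumerated is this example's choice of the built-in groups that control domain controllers.

```powershell
# Added example, not part of the Microsoft documentation: list every principal that holds
# service-administrator authority in a forest, so a group deciding whether to join it can
# see exactly whom it would be trusting. Assumes the ActiveDirectory module is installed
# and the account can read group membership in every domain of the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
# Forest-wide groups exist only in the forest root domain.
$forestGroups = 'Enterprise Admins', 'Schema Admins'
# These built-in groups exist in every domain and can control domain controllers.
$domainGroups = 'Domain Admins', 'Administrators', 'Account Operators',
                'Server Operators', 'Backup Operators'

$report = foreach ($domain in $forest.Domains) {
    $groups = $domainGroups
    if ($domain -eq $forest.RootDomain) { $groups += $forestGroups }
    foreach ($groupName in $groups) {
        try {
            # -Recursive flattens nested groups, so indirect members are reported too.
            $members = Get-ADGroupMember -Identity $groupName -Server $domain -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not enumerate $groupName in ${domain}: $_"
            continue
        }
        foreach ($member in $members) {
            [pscustomobject]@{
                Domain      = $domain
                Group       = $groupName
                Member      = $member.SamAccountName
                ObjectClass = $member.objectClass
                MemberDN    = $member.DistinguishedName
            }
        }
    }
}

$report | Sort-Object Domain, Group, Member |
    Format-Table Domain, Group, Member, ObjectClass -AutoSize

# Two checks a prospective forest member would want to see pass: the number of distinct
# service administrators is small, and no computer or group object holds the rights directly.
$unique = $report | Select-Object -ExpandProperty MemberDN -Unique
Write-Host "Distinct service administrators in forest $($forest.Name): $($unique.Count)"
$report | Where-Object { $_.ObjectClass -ne 'user' } |
    ForEach-Object { Write-Warning "$($_.Group) in $($_.Domain) contains non-user principal $($_.Member)" }
```

The point of the recursive enumeration is that nested groups are the usual way service-administrator rights spread unnoticed; a forest owner who cannot explain every line of this report is asking prospective members for more trust than the owner can account for.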
For this reason, groups that store data in organizational units (OUs) in the forest and that join computers to a
forest must trust the service administrators. For a group to join a forest, it must choose to trust all service
administrators in the forest. This involves ensuring that:
The forest owner can be trusted to act in the interests of the group and does not have reason to act
maliciously against the group.
The forest owner appropriately restricts physical access to domain controllers. Domain controllers within
a forest cannot be isolated from one another. It is possible for an attacker who has physical access to a
single domain controller to make offline changes to the directory database and, by doing so, interfere
with the operation of any domain in the forest, view or manipulate data stored anywhere in the forest,
and view or manipulate data stored on any computer joined to the forest. For this reason, physical access
to domain controllers must be restricted to trusted personnel.
You understand and accept the potential risk that trusted service administrators can be coerced into
compromising the security of the system.
Some groups might determine that the collaborative and cost-saving benefits of participating in a shared
infrastructure outweigh the risks that service administrators will misuse or will be coerced into misusing their
authority. These groups can share a forest and use OUs to delegate authority. However, other groups might not
accept this risk because the consequences of a compromise in security are too severe. These groups require
separate forests.
Autonomy vs. Isolation
3/5/2021 • 5 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You can design your Active Directory logical structure to achieve either of the following:
Autonomy. Involves independent but not exclusive control of a resource. When you achieve autonomy,
administrators have the authority to manage resources independently; however, administrators with
greater authority exist who also have control over those resources and can take control away if necessary.
You can design your Active Directory logical structure to achieve the following types of autonomy:
Service autonomy. This type of autonomy involves control over all or part of service
management.
Data autonomy. This type of autonomy involves control over all or part of the data stored in the
directory or on member computers joined to the directory.
Isolation. Involves independent and exclusive control of a resource. When you achieve isolation,
administrators have the authority to manage a resource independently, and no other administrator can
take away control of the resource. You can design your Active Directory logical structure to achieve the
following types of isolation:
Service isolation. Prevents administrators (other than those administrators who are specifically
designated to control service management) from controlling or interfering with service
management.
Data isolation. Prevents administrators (other than those administrators who are specifically
designated to control or view data) from controlling or viewing a subset of data in the directory or
on member computers joined to the directory.
Administrators who require only autonomy accept that other administrators who have equal or greater
administrative authority have equal or greater control over service or data management. Administrators who
require isolation have exclusive control over service or data management. Creating a design to achieve
autonomy is generally less expensive than creating a design to achieve isolation.
In Active Directory Domain Services (AD DS), administrators can delegate both service administration and data
administration to achieve either autonomy or isolation between organizations. The combination of service
management, data management, autonomy, and isolation requirements of an organization impact the Active
Directory containers that are used to delegate administration.
NOTE
If you have a data isolation requirement, you must decide if you need to isolate your data from service
administrators or from data administrators and ordinary users. If your isolation requirement is based on isolation
from data administrators and ordinary users, you can use access control lists (ACLs) to isolate the data. For the
purposes of this design process, isolation from data administrators and ordinary users is not considered a data
isolation requirement.
Data autonomy
Data autonomy involves the ability of a group or organization to manage its own data, including making
administrative decisions about the data and performing any required administrative tasks without the need for
approval from another authority.
Data autonomy does not prevent service administrators in the forest from accessing the data. For example, a
research group within a large organization might want to be able to manage their project-specific data
themselves but not need to secure the data from other administrators in the forest.
Service isolation
Service isolation involves exclusive control of the Active Directory infrastructure. Groups that require service
isolation require that no administrator outside of the group can interfere with the operation of the directory
service.
Operational or legal requirements typically create a need for service isolation. For example:
A manufacturing company has a critical application that controls equipment on the factory floor.
Interruptions in the service on other parts of the network of the organization cannot be allowed to
interfere with the operation of the factory floor.
A hosting company provides service to multiple clients. Each client requires service isolation so that any
service interruption that affects one client does not affect the other clients.
Service autonomy
Service autonomy involves the ability to manage the infrastructure without a requirement for exclusive control;
for example, when a group wants to make changes to the infrastructure (such as adding or removing domains,
modifying the Domain Name System (DNS) namespace, or modifying the schema) without the approval of the
forest owner.
Service autonomy might be required within an organization for a group that wants to be able to control the
service level of AD DS (by adding and removing domain controllers, as needed) or for a group that needs to be
able to install directory-enabled applications that require schema extensions.
Limited connectivity
If a group within your organization owns networks that are separated by devices that restrict or limit
connectivity between networks (such as firewalls and Network Address Translation (NAT) devices), this can
impact your forest design. When you identify your forest design requirements, be sure to note the locations
where you have limited network connectivity. This information is required to enable you to make decisions
regarding the forest design.
Determining the Number of Forests Required
3/5/2021 • 3 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
To determine the number of forests that you must deploy, you need to carefully identify and evaluate the
isolation and autonomy requirements for each group in your organization and map those requirements to the
appropriate forest design models.
When determining the number of forests to deploy for your organization, consider the following:
Isolation requirements limit your design choices. Therefore, if you identify isolation requirements, make
sure that the groups actually require data isolation and that data autonomy is not sufficient for their
needs. Ensure that the various groups in your organization clearly understand the concepts of isolation
and autonomy.
Negotiating the design can be a lengthy process. It can be difficult for groups to come to an agreement
about ownership and uses for available resources. Make sure that you allow enough time for the groups
in your organization to conduct adequate research to identify their needs. Set firm deadlines for design
decisions and get consensus from all parties on the established deadlines.
Determining the number of forests to deploy involves balancing costs against benefits. A single-forest
model is the most cost-effective option and requires the least amount of administrative overhead.
Although a group in the organization might prefer autonomous service operations, it might be more
cost-effective for the organization to subscribe to service delivery from a centralized and trusted
information technology (IT) group. This allows the group to own data management without creating the
added costs of service management. Balancing costs against benefits might require input from the
executive sponsor.
A single forest is the easiest configuration to manage. It allows for maximum collaboration within the
environment because:
All objects in a single forest are listed in the global catalog. Therefore, no synchronization across
forests is required.
Management of a duplicate infrastructure is not required.
We do not recommend co-ownership of a single forest by two separate and autonomous IT
organizations. In the future, the goals of the two IT groups might change, so that they can no longer
accept shared control.
We do not recommend outsourcing service administration to more than one outside partner.
Multinational organizations that have groups in different countries or regions might choose to outsource
service administration to a different outside partner for each country or region. Because multiple outside
partners cannot be isolated from one another, the actions of one partner can affect the service of the
other, which makes it difficult to hold the partners accountable to their service level agreements.
Only one instance of an Active Directory domain should exist at any time. Microsoft does not support
cloning, splitting, or copying domain controllers from one domain in an attempt to establish a second
instance of the same domain. For more information about this limitation, see the following section.
Restructuring limitations
When a company acquires another company, business unit, or product line, the purchasing company might also
want to acquire corresponding IT assets from the seller. Specifically, the buyer might want to acquire some or all
of the domain controllers that host the user accounts, computer accounts, and security groups that correspond
to the business assets that are to be acquired. The only supported methods for the buyer to acquire the IT assets
that are stored in the seller's Active Directory forest are as follows:
1. Acquire the only instance of the forest, including all domain controllers and directory data in the seller's
entire forest.
2. Migrate the needed directory data from the seller's forest or domains to one or more of the buyer's
domains. The target for such a migration might be an entirely new forest or one or more existing
domains that are already deployed in the buyer's forest.
This support limitation exists because:
Each domain in an Active Directory forest is assigned a unique identity during the creation of the forest.
Copying domain controllers from an original domain to a cloned domain compromises the security of
both the domains and the forest. Threats to the original domain and the cloned domain include the
following:
Sharing of passwords that can be used to gain access to resources
Insight regarding privileged user accounts and groups
Mapping of IP addresses to computer names
Additions, deletions, and modifications of directory information if domain controllers in a cloned
domain ever establish network connectivity with domain controllers from the original domain
Cloned domains share a common security identity; therefore, trust relationships cannot be established
between them, even if one or both of the domains have been renamed.
In this section
Forest Design Models
Mapping Design Requirements to Forest Design Models
Using the Organizational Domain Forest Model
Forest Design Models
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You can apply one of the following three forest design models in your Active Directory environment:
Organizational forest model
Resource forest model
Restricted access forest model
It is likely that you will need to use a combination of these models to meet the needs of all the different groups
in your organization.
Resource forests provide service isolation that is used to protect areas of the network that need to maintain a
state of high availability. For example, if your company includes a manufacturing facility that needs to continue
to operate when there are problems on the rest of the network, you can create a separate resource forest for the
manufacturing group.
Users from other forests cannot be granted access to the restricted data because no trust exists. In this model,
users have an account in an organizational forest for access to general organizational resources and a separate
user account in the restricted access forest for access to the classified data. These users must have two separate
workstations, one connected to the organizational forest and the other connected to the restricted access forest.
This protects against the possibility that a service administrator from one forest can gain access to a workstation
in the restricted forest.
In extreme cases, the restricted access forest might be maintained on a separate physical network. Organizations
that work on classified government projects sometimes maintain restricted access forests on separate networks
to meet security requirements.
Mapping Design Requirements to Forest Design Models
3/5/2021 • 13 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Most groups in your organization can share a single organizational forest that is managed by a single
information technology (IT) group and that contains the user accounts and resources for all of the groups that
share the forest. This shared forest, called the initial organizational forest, is the foundation of the forest design
model for the organization.
Because the initial organizational forest can host multiple groups in the organization, the forest owner must
establish service level agreements with each group so that all the parties understand what is expected of them.
This protects both the individual groups and the forest owner by establishing agreed-on service expectations.
If not all of the groups in your organization can share a single organizational forest, you must expand your
forest design to accommodate the needs of the different groups. This involves identifying the design
requirements that apply to the groups based on their needs for autonomy and isolation and whether or not they
have a limited-connectivity network, and then identifying the forest model that you can use to accommodate
those requirements. The following table lists forest design model scenarios based on the autonomy, isolation,
and connectivity factors. After you identify the forest design scenario that best matches your requirements,
determine if you need to make any additional decisions to meet your design specifications.
NOTE
If a factor is listed as N/A, it is not a consideration because other requirements also accommodate that factor.
NOTE
To prevent servers in a trusting forest from impersonating users from the isolated forest, and then accessing
resources in the isolated forest, the forest owner can disable delegated authentication or use the constrained
delegation feature. For more information about delegated authentication and constrained delegation, see
Delegating authentication.
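The delegation controls the note refers to, worked through as an added PowerShell example that is not part of the Microsoft documentation. It first inventories which principals in a forest are trusted for unconstrained delegation and which use constrained delegation, then sets the "Account is sensitive and cannot be delegated" flag on the accounts of a placeholder group named Tier0-Admins and verifies the result. It assumes the ActiveDirectory module is installed and that the account running it may modify those users; the group name is a placeholder.

```powershell
# Added example, not part of the Microsoft documentation: audit delegated authentication
# in a forest and mark its most sensitive accounts as not delegable.
# Assumptions: ActiveDirectory module installed; 'Tier0-Admins' is a placeholder group
# holding the accounts to protect; the session has rights to modify those accounts.
Import-Module ActiveDirectory

# 1. Principals trusted for unconstrained delegation can impersonate any user who
#    authenticates to them. Every entry here should be a deliberate, documented choice.
$unconstrained = @(
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation
    Get-ADUser     -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation
)
Write-Host "Principals trusted for unconstrained delegation: $($unconstrained.Count)"
$unconstrained | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 2. Constrained delegation limits impersonation to the listed target services.
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo
$constrained |
    Select-Object Name, @{ n = 'Targets'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } } |
    Format-Table -AutoSize

# 3. Sensitive accounts should never be delegable at all. Setting AccountNotDelegated
#    raises the NOT_DELEGATED bit of userAccountControl on each member.
$sensitive = Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
foreach ($account in $sensitive) {
    Set-ADAccountControl -Identity $account.DistinguishedName -AccountNotDelegated $true
    $check = Get-ADUser -Identity $account.DistinguishedName -Properties AccountNotDelegated
    if (-not $check.AccountNotDelegated) { Write-Warning "Flag not set on $($check.SamAccountName)" }
}

# 4. Forest-wide view of who carries the flag. 1048576 (0x100000) is the NOT_DELEGATED bit;
#    the matching-rule OID performs a bitwise AND on userAccountControl.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=1048576)' |
    Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Steps 1 and 2 are read-only and can be run on a schedule as a detection control; a new entry in the unconstrained list is exactly the kind of change the note is warning about, because such a server in a trusting forest can then present itself as any user who authenticated to it.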
You might need to establish a firewall between the organizational forest and the other forests in the
organization to limit user access to information outside of their forest.
Although creating a separate forest enables data isolation, as long as the domain controllers in the
isolated forest and computers that host protected information are accessible on a network, they are
subject to attacks launched from computers on that network. Organizations that decide that the risk of
attack is too high or that the consequence of an attack or security violation is too great need to limit
access to the network or networks that are hosting the domain controllers and the computers that are
hosting protected data. Limiting access can be done by using technologies such as firewalls and Internet
Protocol security (IPsec). In extreme cases, organizations might choose to maintain the protected data on
an independent network that has no physical connection to any other network in the organization.
NOTE
If any network connectivity exists between a restricted access forest and another network, the possibility exists for
data in the restricted area to be transmitted to the other network.
Using the Organizational Domain Forest Model
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
In the organizational domain forest model, several autonomous groups each own a domain within a forest. Each
group controls domain-level service administration, which enables them to manage certain aspects of service
management autonomously while the forest owner controls forest-level service management.
The following illustration shows an organizational domain forest model.
Type of service management | Associated tasks
Configuration of domain-wide settings | - Creating domain and domain user account policies, such as password, Kerberos, and account lockout policies
                                      | - Creating and applying domain-wide Group Policy
Management of external trusts | - Establishing trust relationships with domains outside the forest
Other types of service management, such as schema or replication topology management, are the responsibility
of the forest owner.
Domain owner
In an organizational domain forest model, domain owners are responsible for domain-level service
management tasks. Domain owners have authority over the entire domain as well as access to all other domains
in the forest. For this reason, domain owners must be trusted individuals selected by the forest owner.
Delegate domain-level service management to a domain owner, if the following conditions are met:
All groups participating in the forest trust the new domain owner and the service management practices
of the new domain.
The new domain owner trusts the forest owner and all the other domain owners.
All domain owners in the forest agree that the new domain owner has service administrator
management and selection policies and practices that are equal to or more strict than their own.
All domain owners in the forest agree that domain controllers managed by the new domain owner in the
new domain are physically secure.
Note that if a forest owner delegates domain-level service management to a domain owner, other groups might
choose not to join that forest if they do not trust that domain owner.
All domain owners must be aware that if any of these conditions change in the future, it might become
necessary to move the organizational domains into a multiple forest deployment.
NOTE
Another way to minimize security risks to a Windows Server 2008 Active Directory domain is to employ administrator
role separation, which requires the deployment of a read-only domain controller (RODC) in your Active Directory
infrastructure. An RODC is a new type of domain controller in the Windows Server 2008 operating system that hosts
read-only partitions of the Active Directory database. Before the release of Windows Server 2008, any server
maintenance work on a domain controller had to be performed by a domain administrator. In Windows Server 2008, you
can delegate local administrative permissions for an RODC to any domain user without granting that user any
administrative rights for the domain or other domain controllers. This permits the delegated user to log on to an RODC
and perform maintenance work, such as upgrading a driver, on the server. However, this delegated user cannot log on to
any other domain controller or perform any other administrative task in the domain. In this way, any trusted user can be
delegated the ability to effectively manage the RODC without compromising the security of the rest of the domain. For
more information about RODCs, see AD DS: Read-Only Domain Controllers.
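The delegation the note describes, as an added PowerShell example that is not part of the original guide: it stages an RODC account with a delegated local administrator group and then audits, for every RODC in the domain, who holds that delegation and whose secrets the RODC is allowed to cache. The domain, site, account and group names are assumptions.

```powershell
# Added example, not from the original guide. All names below are assumptions.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$domain   = "corp.contoso.com"
$rodcName = "RODC-BRANCH1"
$delegate = "CORP\Branch1-RODC-Admins"   # group that maintains the RODC; no rights elsewhere

# Stage the RODC account as a Domain Admin. The delegated group is written to the RODC's
# managedBy attribute and becomes a local administrator on that RODC only, so its members
# can promote and patch the server without any domain-wide privilege.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodcName `
    -DomainName $domain `
    -SiteName "Branch1" `
    -DelegatedAdministratorAccountName $delegate `
    -Credential (Get-Credential -Message "Domain Admin credentials")

# Audit afterwards: who is delegated on each RODC, and whose passwords it may cache.
foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    $computer = Get-ADComputer -Identity $rodc.Name -Properties managedBy
    "{0}: delegated admin = {1}" -f $rodc.Name, $computer.managedBy

    # Password Replication Policy: the Allowed list should never contain privileged
    # principals (Domain Admins and friends are in the Denied list by default).
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed |
        Select-Object @{ n = 'RODC'; e = { $rodc.Name } }, Name, objectClass

    # Accounts whose secrets are actually cached on this RODC right now; if the branch
    # box is stolen, these are the credentials that leave with it.
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts |
        Select-Object @{ n = 'RODC'; e = { $rodc.Name } }, Name, objectClass
}
```

The point of the audit loop is that delegating local administration is only half of the risk picture: the RODC's Password Replication Policy decides which credentials are exposed if the server itself is compromised, so both should be reviewed together.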
Creating a Domain Design
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The forest owner is responsible for creating a domain design for the forest. Creating a domain design involves
examining the replication requirements and the existing capacity of your network infrastructure and then
building a domain structure that enables Active Directory Domain Services (AD DS) to function in the most
efficient way. Domains are used to partition the directory so that the information in the directory can be
distributed and managed efficiently throughout the enterprise. The goal for your domain design is to maximize
the efficiency of the Active Directory replication topology while ensuring that replication does not use too much
available network bandwidth and does not interfere with the daily operation of your network.
In this section
Reviewing the Domain Models
Determining the Number of Domains Required
Determining Whether to Upgrade Existing Domains or Deploy New Domains
Assigning Domain Names
Selecting the Forest Root Domain
Reviewing the Domain Models
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The following factors impact the domain design model that you select:
Amount of available capacity on your network that you are willing to allocate to Active Directory Domain
Services (AD DS). The goal is to select a model that provides efficient replication of information with
minimal impact on available network bandwidth.
Number of users in your organization. If your organization includes a large number of users, deploying
more than one domain enables you to partition your data and gives you more control over the amount
of replication traffic that will pass through a given network connection. This makes it possible for you to
control where data is replicated and reduce the load created by replication traffic on slow links in your
network.
The simplest domain design is a single domain. In a single domain design, all information is replicated to all of
the domain controllers. If necessary, however, you can deploy additional regional domains. This might occur if
portions of the network infrastructure are connected by slow links, and the forest owner wants to be sure that
replication traffic does not exceed the capacity that has been allocated to AD DS.
It is best to minimize the number of domains that you deploy in your forest. This reduces the overall complexity
of the deployment and, as a result, reduces total cost of ownership. The following table lists the administrative
costs associated with adding regional domains.
COST | IMPLICATIONS
Management of multiple service administrator groups | Each domain has its own service administrator groups that need to be managed independently. The membership of these service administrator groups must be carefully controlled.
Maintaining consistency among Group Policy settings that are common to multiple domains | Group Policy settings that need to be applied forest-wide must be applied separately to each individual domain in the forest.
Maintaining consistency among access control and auditing settings that are common to multiple domains | Access control and auditing settings that need to be applied across the forest must be applied separately to each individual domain in the forest.
Increased likelihood of objects moving between domains | The greater the number of domains, the greater the likelihood that users will need to move from one domain to another. This move can potentially impact end users.
NOTE
Windows Server fine-grained password and account lockout policies can also impact the domain design model that you
select. Before Windows Server 2008, you could apply only one password and account lockout policy, which
is specified in the domain Default Domain Policy, to all users in the domain. As a result, if you wanted different password
and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple
domains. You can now use fine-grained password policies to specify multiple password policies and to apply different
password restrictions and account lockout policies to different sets of users within a single domain. For more information
about fine-grained password and account lockout policies, see the article AD DS Fine-Grained Password and Account
Lockout Policy Step-by-Step Guide.
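The trade-off in the note above, as an added PowerShell example that is not from the original guide: instead of a second domain, one fine-grained password policy (a Password Settings Object) is created for privileged accounts inside a single domain, and the resultant policy for an account is checked afterwards. The policy, group and account names are assumptions.

```powershell
# Added example, not from the original guide. Policy, group and account names are assumptions.
Import-Module ActiveDirectory

# What everyone gets today: the single Default Domain Policy setting described in the note.
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold, MaxPasswordAge

# A stricter Password Settings Object for privileged accounts. A lower Precedence value wins
# when several PSOs apply to one user; PSOs need domain functional level Windows Server 2008+.
New-ADFineGrainedPasswordPolicy -Name "PSO-Tier0-Admins" `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Tier0-Admins" -Subjects "Domain Admins", "Enterprise Admins"

# Verify the resultant policy for one account ($null means the Default Domain Policy applies).
$resultant = Get-ADUserResultantPasswordPolicy -Identity "da.alice"
if ($resultant) { "$($resultant.Name) (precedence $($resultant.Precedence)) applies" }
else            { "Default Domain Policy applies" }

# Who is covered, for the audit trail.
Get-ADFineGrainedPasswordPolicySubject -Identity "PSO-Tier0-Admins" | Select-Object Name, objectClass
```

Because a PSO applies through group membership rather than OU placement, the group used as the subject should be controlled as tightly as the service administrator groups the table above describes; anyone who can remove a user from it silently drops that user back to the default domain policy.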
Determining the Number of Domains Required
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Every forest starts with a single domain. The maximum number of users that a single domain forest can contain
is based on the slowest link that must accommodate replication between domain controllers and the available
bandwidth that you want to allocate to Active Directory Domain Services (AD DS). The following table lists the
maximum recommended number of users that a domain can contain based on a single domain forest, the speed
of the slowest link, and the percentage of bandwidth that you want to reserve for replication. This information
applies to forests that contain a maximum of 100,000 users and that have a connectivity of 28.8 kilobits per
second (Kbps) or higher. For recommendations that apply to forests that contain more than 100,000 users or
connectivity of less than 28.8 Kbps, consult an experienced Active Directory designer. The values in the following
table are based on the replication traffic generated in an environment that has the following characteristics:
New users join the forest at a rate of 20 percent per year.
Users leave the forest at a rate of 15 percent per year.
Each user is a member of five global groups and five universal groups.
The ratio of users to computers is 1:1.
Active Directory-integrated Domain Name System (DNS) is used.
DNS scavenging is used.
NOTE
The figures listed in the following table are approximations. The quantity of replication traffic depends largely on the
number of changes made to the directory in a given amount of time. Confirm that your network can accommodate your
replication traffic by testing the estimated quantity and rate of changes on your design in a lab before deploying your
domains.
SLOWEST LINK CONNECTING A DOMAIN CONTROLLER (KBPS) | MAXIMUM NUMBER OF USERS IF 1-PERCENT BANDWIDTH IS AVAILABLE | MAXIMUM NUMBER OF USERS IF 5-PERCENT BANDWIDTH IS AVAILABLE | MAXIMUM NUMBER OF USERS IF 10-PERCENT BANDWIDTH IS AVAILABLE
Determining Whether to Upgrade Existing Domains or Deploy New Domains
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Each domain in your design will either be a new domain or an existing upgraded domain. Users from existing
domains that you do not upgrade must be moved into new domains.
Moving accounts between domains can impact end users. Before deciding whether to move users into a new
domain or to upgrade existing domains, evaluate the long-term administrative benefits of a new AD DS domain
against the cost of moving users into the domain.
For more information about upgrading Active Directory domains to Windows Server 2008, see Upgrading
Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains.
For more information about restructuring AD DS domains within and between forests, see ADMT Guide:
Migrating and Restructuring Active Directory Domains.
For a worksheet to assist you in documenting your plans for new and upgraded domains, download
Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip from Job Aids for Windows Server
2003 Deployment Kit and open "Domain Planning" (DSSLOGI_5.doc).
Assigning Domain Names
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You must assign a name to every domain in your plan. Active Directory Domain Services (AD DS) domains have
two types of names: Domain Name System (DNS) names and NetBIOS names. In general, both names are
visible to end users. The DNS names of Active Directory domains include two parts, a prefix and a suffix. When
creating domain names, first determine the DNS prefix. This is the first label in the DNS name of the domain.
The suffix is determined when you select the name of the forest root domain. The following table lists the prefix
naming rules for DNS names.
RULE | EXPLANATION
Select a prefix that is not likely to become outdated. | Avoid names such as a product line or operating system that might change in the future. We recommend using geographical names.
Select a prefix that includes Internet standard characters only. | A-Z, a-z, 0-9, and hyphen (-), but not entirely numerical.
Include 15 characters or less in the prefix. | If you choose a prefix length of 15 characters or less, the NetBIOS name is the same as the prefix.
For more information, see Naming conventions in Active Directory for computers, domains, sites, and OUs.
NOTE
Although Dcpromo.exe in Windows Server 2008 and Windows Server 2003 allows you to create a single-label DNS
domain name, you should not use a single-label DNS name for a domain for several reasons. In Windows Server 2008 R2,
Dcpromo.exe does not allow you to create a single-label DNS name for a domain. For more information, see Deployment
and operation of Active Directory domains that are configured by using single-label DNS names.
If the current NetBIOS name of the domain is inappropriate to represent the region or fails to satisfy the prefix
naming rules, select a new prefix. In this case, the NetBIOS name of the domain is different from the DNS prefix
of the domain.
For each new domain that you deploy, select a prefix that is appropriate for the region and that satisfies prefix
naming rules. We recommend that the NetBIOS name of the domain be the same as the DNS prefix.
Document the DNS prefix and NetBIOS names that you select for each domain in your forest. You can add the
DNS and NetBIOS name information to the "Domain Planning" worksheet that you created to document your
plan for new and upgraded domains. To open it, download
Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip from Job Aids for Windows Server
2003 Deployment Kit and open "Domain Planning" (DSSLOGI_5.doc).
Selecting the Forest Root Domain
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The first domain that you deploy in an Active Directory forest is called the forest root domain. This domain
remains the forest root domain for the life cycle of the AD DS deployment.
The forest root domain contains the Enterprise Admins and Schema Admins groups. These service administrator
groups are used to manage forest-level operations such as the addition and removal of domains and the
implementation of changes to the schema.
Selecting the forest root domain involves determining if one of the Active Directory domains in your domain
design can function as the forest root domain or if you need to deploy a dedicated forest root domain.
For information about deploying a forest root domain, see Deploying a Windows Server 2008 Forest Root
Domain.
Do not use single-label DNS names. For more information, see Deployment and operation of Active Directory
domains that are configured by using single-label DNS names. Also, we do not recommend using unregistered
suffixes, such as .local.
Selecting a prefix
If you chose a registered suffix that is already in use on the network, select a prefix for the forest root domain
name by using the prefix rules in the table below. Add a prefix that is not currently in use to create a new
subordinate name. For example, if your DNS root name is contoso.com, you can create the Active Directory
forest root domain name concorp.contoso.com if the namespace concorp.contoso.com is not already in use on
the network. This new branch of the namespace will be dedicated to AD DS and can be integrated easily with the
existing DNS implementation.
If you selected a regional domain to function as a forest root domain, you might need to select a new prefix for
the domain. Because the forest root domain name affects all of the other domain names in the forest, a
regionally based name might not be appropriate. If you are using a new suffix that is not currently in use on the
network, you can use it as the forest root domain name without choosing an additional prefix.
The following table lists the rules for selecting a prefix for a registered DNS name.
RULE | EXPLANATION
Select a prefix that is not likely to become outdated. | Avoid names such as a product line or operating system that might change in the future. We recommend using generic names such as corp or ds.
Select a prefix that includes Internet standard characters only. | A-Z, a-z, 0-9, and hyphen (-), but not entirely numerical.
Include 15 characters or less in the prefix. | If you choose a prefix length of 15 characters or less, the NetBIOS name is the same as the prefix.
It is important for the Active Directory DNS owner to work with the DNS owner for the organization to obtain
ownership of the name that will be used for the Active Directory namespace. For more information about
designing a DNS infrastructure to support AD DS, see Creating a DNS Infrastructure Design.
Creating a DNS Infrastructure Design
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
After you create your Active Directory forest and domain designs, you must design a Domain Name System
(DNS) infrastructure to support your Active Directory logical structure. DNS enables users to use friendly names
that are easy to remember to connect to computers and other resources on IP networks. Active Directory
Domain Services (AD DS) in Windows Server 2008 requires DNS.
The process for designing DNS to support AD DS varies according to whether your organization already has an
existing DNS Server service or you are deploying a new DNS Server service:
If you already have an existing DNS infrastructure, you must integrate the Active Directory namespace into
that environment. For more information, see Integrating AD DS into an Existing DNS Infrastructure.
If you do not have a DNS infrastructure in place, you must design and deploy a new DNS infrastructure to
support AD DS. For more information, see Deploying Domain Name System (DNS).
If your organization has an existing DNS infrastructure, you must make sure that you understand how your DNS
infrastructure will interact with the Active Directory namespace. For a worksheet to assist you in documenting
your existing DNS infrastructure design, download
Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip from Job Aids for Windows Server
2003 Deployment Kit and open "DNS Inventory" (DSSLOGI_8.doc).
NOTE
In addition to IP version 4 (IPv4) addresses, Windows Server also supports IP version 6 (IPv6) addresses. For a worksheet
to assist you in listing the IPv6 addresses while documenting the recursive name resolution method of your current DNS
structure, see Appendix A: DNS Inventory.
Before you design your DNS infrastructure to support AD DS, it can be helpful to read about the DNS hierarchy,
the DNS name resolution process, and how DNS supports AD DS. For more information about the DNS
hierarchy and name resolution process, see the DNS Technical Reference. For more information about how DNS
supports AD DS, see the DNS Support for Active Directory Technical Reference.
In this section
Reviewing DNS Concepts
DNS and AD DS
Assigning the DNS for AD DS Owner Role
Integrating AD DS into an Existing DNS Infrastructure
Reviewing DNS Concepts
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Domain Name System (DNS) is a distributed database that represents a namespace. The namespace contains all
of the information needed for any client to look up any name. Any DNS server can answer queries about any
name within its namespace. A DNS server answers queries in one of the following ways:
If the answer is in its cache, it answers the query from the cache.
If the answer is in a zone hosted by the DNS server, it answers the query from its zone. A zone is a portion of
the DNS tree stored on a DNS server. When a DNS server hosts a zone, it is authoritative for the names in
that zone (that is, the DNS server can answer queries for any name in the zone). For example, a server
hosting the zone contoso.com can answer queries for any name in contoso.com.
If the server cannot answer the query from its cache or zones, it queries other servers for the answer.
It is important to understand the core features of DNS, such as delegation, recursive name resolution, and Active
Directory-integrated DNS zones, because they have a direct impact on your Active Directory logical structure
design.
For more information about DNS and Active Directory Domain Services (AD DS), see DNS and AD DS.
Delegation
For a DNS server to answer queries about any name, it must have a direct or indirect path to every zone in the
namespace. These paths are created by means of delegation. A delegation is a record in a parent zone that lists a
name server that is authoritative for the zone in the next level of the hierarchy. Delegations make it possible for
servers in one zone to refer clients to servers in other zones. The following illustration shows one example of
delegation.
The DNS root server hosts the root zone represented as a dot ( . ). The root zone contains a delegation to a zone
in the next level of the hierarchy, the com zone. The delegation in the root zone tells the DNS root server that, to
find the com zone, it must contact the Com server. Likewise, the delegation in the com zone tells the Com server
that, to find the contoso.com zone, it must contact the Contoso server.
NOTE
A delegation uses two types of records. The name server (NS) resource record provides the name of an authoritative
server. Host (A) and host (AAAA) resource records provide IP version 4 (IPv4) and IP version 6 (IPv6) addresses of an
authoritative server.
This system of zones and delegations creates a hierarchical tree that represents the DNS namespace. Each zone
represents a layer in the hierarchy, and each delegation represents a branch of the tree.
By using the hierarchy of zones and delegations, a DNS root server can find any name in the DNS namespace.
The root zone includes delegations that lead directly or indirectly to all other zones in the hierarchy. Any server
that can query the DNS root server can use the information in the delegations to find any name in the
namespace.
DNS and AD DS
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Active Directory Domain Services (AD DS) uses Domain Name System (DNS) name resolution services to make
it possible for clients to locate domain controllers and for the domain controllers that host the directory service
to communicate with each other.
AD DS enables easy integration of the Active Directory namespace into an existing DNS namespace. Features
such as Active Directory-integrated DNS zones make it easier for you to deploy DNS by eliminating the need to
set up secondary zones, and then configure zone transfers.
For information about how DNS supports AD DS, see the section DNS Support for Active Directory Technical
Reference.
NOTE
If you implement a disjoint namespace in which the AD DS domain name differs from the primary DNS suffix that clients
use, AD DS integration with DNS is more complex. For more information, see Disjoint Namespace.
In this section
Domain Controller Location
Active Directory-Integrated DNS Zones
Computer Naming
Disjoint Namespace
Domain Controller Location
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Clients use Domain Name System (DNS) to locate domain controllers to complete operations such as
processing logon requests or searching the directory for published resources. Domain controllers register a
variety of records in DNS to help clients and other computers locate them. These records are collectively
referred to as the locator records.
Domain controllers also use DNS to locate other domain controllers and to perform tasks such as replication.
The process by which domain controllers locate other domain controllers is the same as the process by which
clients locate domain controllers.
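The locator records this section refers to, and the forest-wide _msdcs records that replication partners use to find each other, as an added PowerShell check that is not part of the original guide. The forest name and site name are assumptions.

```powershell
# Added example, not from the original guide. Forest and site names are assumptions.
Import-Module ActiveDirectory

$forest = "corp.contoso.com"
$site   = "Default-First-Site-Name"

# SRV records a client walks when it needs a DC: any DC, a DC in its own site, a KDC,
# a global catalog, and the PDC emulator. All live under the forest-wide _msdcs zone.
$names = @(
    "_ldap._tcp.dc._msdcs.$forest",
    "_ldap._tcp.$site._sites.dc._msdcs.$forest",
    "_kerberos._tcp.dc._msdcs.$forest",
    "_ldap._tcp.gc._msdcs.$forest",
    "_ldap._tcp.pdc._msdcs.$forest"
)
foreach ($n in $names) {
    $rr = Resolve-DnsName -Name $n -Type SRV -DnsOnly -ErrorAction SilentlyContinue
    if ($rr) { $rr | Select-Object Name, NameTarget, Port, Priority, Weight }
    else     { "MISSING: $n" }
}

# Replication partners do not look each other up by host name: each DC registers a CNAME
# of its NTDS Settings object GUID under _msdcs.<forest>. Check one per DC.
foreach ($dc in Get-ADDomainController -Filter *) {
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $alias = "$guid._msdcs.$forest"
    $rr = Resolve-DnsName -Name $alias -Type CNAME -DnsOnly -ErrorAction SilentlyContinue
    if ($rr) { "$($dc.HostName) -> $alias -> $($rr.NameHost)" }
    else     { "MISSING CNAME for $($dc.HostName): $alias" }
}

# What the DC Locator actually picked for this client, bypassing its cache.
nltest /dsgetdc:$forest /force
# On a DC whose records are missing, re-register them: nltest /dsregdns (or restart Netlogon).
```

A missing site-specific SRV record is the usual reason a client authenticates against a DC across a slow link even though a local one exists, so this is worth running from each site after the DNS design is deployed.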
Active Directory-Integrated DNS Zones
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Domain Name System (DNS) servers running on domain controllers can store their zones in Active Directory
Domain Services (AD DS). In this way, it is not necessary to configure a separate DNS replication topology that
uses ordinary DNS zone transfers because all zone data is replicated automatically by means of Active Directory
replication. This simplifies the process of deploying DNS and provides the following advantages:
Multiple masters are created for DNS replication. Therefore, any domain controller in the domain running
the DNS Server service can write updates to the Active Directory-integrated DNS zones for the domain
name for which they are authoritative. A separate DNS zone transfer topology is not needed.
Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control what
computers update what names and prevent unauthorized computers from overwriting existing names in
DNS.
Active Directory-integrated DNS in Windows Server 2008 stores zone data in application directory partitions.
(There are no behavioral changes from Windows Server 2003-based DNS integration with Active Directory.) The
following DNS-specific application directory partitions are created during AD DS installation:
A forest-wide application directory partition, called ForestDnsZones
Domain-wide application directory partitions for each domain in the forest, named DomainDnsZones
For more information about how AD DS stores DNS information in application partitions, see the DNS Technical
Reference.
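An added PowerShell example, not from the original guide, that audits the zone properties this section describes: it lists each primary zone's storage partition and dynamic update mode, tightens any Active Directory-integrated zone that still accepts nonsecure updates, converts file-backed primaries so they can use secure updates, and shows which domain controllers replicate the DNS application partitions. The DNS server name is an assumption.

```powershell
# Added example, not from the original guide. The DNS server name is an assumption.
Import-Module DnsServer
Import-Module ActiveDirectory

$server = "dc1.corp.contoso.com"

# Every administrator-created primary zone hosted here, where it is stored, and who may update it.
$zones = Get-DnsServerZone -ComputerName $server |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$zones | Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName, DynamicUpdate |
    Format-Table -AutoSize

# 'NonsecureAndSecure' lets any host on the network create or overwrite a record, including a
# DC's own A record. 'Secure' requires the updater to hold write access on the record's ACL,
# which is what AD integration provides; only AD-integrated zones can use it.
foreach ($z in $zones | Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -eq 'NonsecureAndSecure' }) {
    Set-DnsServerPrimaryZone -ComputerName $server -Name $z.ZoneName -DynamicUpdate Secure
    "Hardened $($z.ZoneName): dynamic updates now Secure"
}

# File-backed primaries cannot use secure updates at all: move them into the domain-wide
# application directory partition (DomainDnsZones) first, then tighten them.
foreach ($z in $zones | Where-Object { -not $_.IsDsIntegrated }) {
    ConvertTo-DnsServerPrimaryZone -ComputerName $server -Name $z.ZoneName -ReplicationScope Domain -Force
    Set-DnsServerPrimaryZone -ComputerName $server -Name $z.ZoneName -DynamicUpdate Secure
    "Converted $($z.ZoneName) to AD-integrated (Domain scope) with Secure updates"
}

# Which domain controllers replicate the ForestDnsZones / DomainDnsZones partitions.
$partitions = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $partitions -Filter { objectClass -eq 'crossRef' } `
    -Properties nCName, 'msDS-NC-Replica-Locations' |
    Where-Object { $_.nCName -like 'DC=*DnsZones,*' } |
    Select-Object nCName, @{ n = 'Replicas'; e = { $_.'msDS-NC-Replica-Locations' -join '; ' } }
```

The replica list matters for the security argument as well as for replication planning: the DNS data is only as available, and only as protected, as the set of domain controllers that hold the partition.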
NOTE
We recommend that you install DNS when you run the Active Directory Domain Services Installation Wizard
(Dcpromo.exe). If you do this, the wizard creates the DNS zone delegation automatically. For more information, see
Deploying a Windows Server 2008 Forest Root Domain.
Computer Naming
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
When a computer running the Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, or
Windows Vista operating system joins a domain, by default the computer assigns itself a name. The name it
assigns itself comprises the host name of the computer (that is, Computer Name in System Properties) and the
Domain Name System (DNS) name of the Active Directory domain that the computer joined (that is, Primary
DNS Suffix in System Properties). The concatenation of the host name and the DNS name of the domain is
known as the fully qualified domain name (FQDN). For example, if a computer with host name Server1 joins the
domain corp.contoso.com, the FQDN of the computer is server1.corp.contoso.com.
If a computer already has a different DNS domain name that was statically entered into a DNS zone or
registered by an integrated DNS/Dynamic Host Configuration Protocol (DHCP) Server service, the FQDN of the
computer is distinct from the name that was registered previously. The computer can be referenced by either
name.
For more information about naming conventions in Active Directory Domain Services (AD DS), see Naming
conventions in Active Directory for computers, domains, sites, and OUs.
Disjoint Namespace
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
A disjoint namespace occurs when one or more domain member computers have a primary Domain Name
Service (DNS) suffix that does not match the DNS name of the Active Directory domain of which the computers
are members. For example, a member computer that uses a primary DNS suffix of corp.fabrikam.com in an
Active Directory domain named na.corp.fabrikam.com is using a disjoint namespace.
A disjoint namespace is more complex to administer, maintain, and troubleshoot than a contiguous namespace.
In a contiguous namespace, the primary DNS suffix matches the Active Directory domain name. Network
applications that are written to assume that the Active Directory namespace is identical to the primary DNS
suffix for all domain member computers do not function properly in a disjoint namespace.
IMPORTANT
Although Windows operating systems may support a disjoint namespace, applications that are written to assume that the
primary DNS suffix is the same as the Active Directory domain suffix may not function in such an environment. For this
reason, you should test all applications and their respective operating systems carefully before you deploy a disjoint
namespace.
NOTE
The Windows Internet Name Service (WINS) could be used to offset this disadvantage by resolving single-label names. For
more information about WINS, see the WINS Technical Reference.
When your environment requires multiple primary DNS suffixes, you must configure the DNS suffix search order for all of the Active Directory domains in the forest appropriately.
To set the DNS suffix search order, you can use Group Policy objects or Dynamic Host Configuration Protocol (DHCP) Server service parameters. You can also modify the registry.
You must carefully test all applications for compatibility issues.
For more information about steps that you can take to address these disadvantages, see Create a Disjoint
Namespace.
Planning a namespace transition
Before you modify a namespace, review the following considerations, which apply to transitions from
contiguous namespaces to disjoint namespaces (or the reverse):
Manually configured Service Principal Names (SPNs) may no longer match DNS names after a
namespace change. This can cause authentication failures.
For more information, see Service Logons Fail Due to Incorrectly Set SPNs.
If you use Windows Server 2003-based computers with constrained delegation, those computers
may require additional configuration to change SPNs. For more information, see article 936628 in
the Microsoft Knowledge Base, The SPN does not appear in the list of services that can be
delegated to an account when you try to configure constrained delegation on a computer that is
running Windows Server 2003.
If you want to delegate permissions to modify SPNs to subordinate administrators, see Delegating
Authority to Modify SPNs.
If you use Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) (known as
LDAPS) with a CA in a deployment that has domain controllers that are configured in a disjoint
namespace, you must use the appropriate Active Directory domain name and primary DNS suffix when
you configure the LDAPS certificates.
For more information about domain controller certificate requirements, see article 321051 in the
Microsoft Knowledge Base, How to enable LDAP over SSL with a third-party certification authority.
NOTE
Domain controllers that use certificates for LDAPS may require you to redeploy their certificates. When you do so,
domain controllers may not select an appropriate certificate until they are restarted. For more information about
Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) (LDAPS) authentication for
Windows Server 2003, see article 938703 in the Microsoft Knowledge Base, How to troubleshoot LDAP over SSL
connection problems.
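The checks a practitioner would run before and after a namespace transition, as an added PowerShell example that is not part of the original article: it detects a disjoint namespace on the local computer, lists domain members whose registered DNS name falls outside the domain, flags SPNs whose host part no longer matches the computer's DNS name, and reads the subject and Subject Alternative Names on a domain controller's LDAPS certificate. The host and domain names are assumptions.

```powershell
# Added example, not from the original article. Host and domain names are assumptions.
Import-Module ActiveDirectory

# 1. Is this computer in a disjoint namespace? Compare the AD domain it joined with its
#    primary DNS suffix (the 'Domain' value under Tcpip\Parameters).
$adDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$suffix   = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
if ($suffix -ne $adDomain) {
    "Disjoint namespace: primary DNS suffix '$suffix' differs from AD domain '$adDomain'"
}

# 2. Domain-wide: computers whose registered dNSHostName lies outside the domain's DNS name.
$domainDns = (Get-ADDomain).DNSRoot
Get-ADComputer -Filter * -Properties dNSHostName |
    Where-Object { $_.dNSHostName -and $_.dNSHostName -notlike "*.$domainDns" } |
    Select-Object Name, dNSHostName

# 3. SPNs whose host part no longer matches the computer's dNSHostName. Kerberos clients build
#    the SPN from the DNS name they connect to, so a stale host part means a failed ticket
#    request (or a silent fallback to NTLM). DC GUID-based SPNs under _msdcs are skipped.
Get-ADComputer -Filter * -Properties servicePrincipalName, dNSHostName | ForEach-Object {
    $c = $_
    foreach ($spn in $c.servicePrincipalName) {
        $hostPart = (($spn -split '/')[1] -split ':')[0]
        if ($hostPart -like '*.*' -and $hostPart -notlike '*._msdcs.*' -and $hostPart -ne $c.dNSHostName) {
            [pscustomobject]@{ Computer = $c.Name; SPN = $spn; dNSHostName = $c.dNSHostName }
        }
    }
}

# 4. LDAPS: the certificate a DC presents must carry the name clients actually use, which in a
#    disjoint namespace means both the AD domain name and the primary DNS suffix forms.
#    Pull it from port 636 and print the subject and the SAN extension (OID 2.5.29.17).
$dc  = "dc1.na.corp.fabrikam.com"
$tcp = New-Object System.Net.Sockets.TcpClient($dc, 636)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }   # inspection only
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($dc)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Subject: $($cert.Subject)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN: " + $san.Format($false) } else { "No SAN extension: only the subject CN will match" }
$ssl.Dispose(); $tcp.Dispose()
```

The certificate validation callback in step 4 accepts any certificate because the goal is to read what the DC presents, not to trust it; do not reuse that pattern in a real LDAPS client.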
Assigning the DNS for AD DS Owner Role
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The forest owner assigns a Domain Name System (DNS) for Active Directory Domain Services (AD DS) owner
for the forest. The DNS for AD DS owner of the forest is a person (or group of people) who is responsible for
overseeing the deployment of the DNS for AD DS infrastructure and for making sure that (if necessary) domain
names are registered with the proper Internet authorities.
The DNS for AD DS owner is responsible for the DNS for AD DS design for the forest. If your organization is
currently operating a DNS Server service, the DNS designer for the existing DNS Server service works with the
DNS for AD DS owner to delegate the forest root DNS name to DNS servers running on domain controllers.
The DNS for AD DS owner for the forest also maintains contact with the Dynamic Host Configuration Protocol
(DHCP) group and the DNS group of the organization and coordinates the plans of the individual DNS owners
of each domain in the forest (if any) with these groups. The DNS owner for the forest ensures that the DHCP and
DNS groups are involved in the DNS for AD DS design process so that each group is aware of the DNS design
plan and can provide input early.
Integrating AD DS into an Existing DNS
Infrastructure
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
If your organization already has an existing Domain Name System (DNS) Server service, the DNS for Active
Directory Domain Services (AD DS) owner must work with the DNS owner for your organization to integrate AD
DS into the existing infrastructure. This involves creating a DNS server and DNS client configuration.
NOTE
When the DNS Server service is installed with the Active Directory Domain Services Installation Wizard (we
recommend this option), all the previous tasks are performed automatically. For more information, see Deploying
a Windows Server 2008 Forest Root Domain.
NOTE
AD DS uses forest-wide locator records to enable replication partners to find each other and to enable clients to
find global catalog servers. AD DS stores the forest-wide locator records in the _msdcs.forestname zone. Because
the information in the zone must be widely available, this zone is replicated to all DNS servers in the forest by
means of the forest-wide DNS application directory partition.
The existing DNS structure remains intact. You do not need to move any servers or zones. You simply need to
create a delegation to your Active Directory-integrated DNS zones from your existing DNS hierarchy.
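The delegation step above, with the checks that belong next to it, as an added PowerShell example (not code from the original guide). It assumes the existing zone contoso.com is hosted on a Windows DNS server ns1.contoso.com that is not a domain controller, and that the forest root is ad.contoso.com with domain controllers dc1 (10.0.0.10) and dc2 (10.0.0.11) running the DNS Server service; all of these names and addresses are placeholders.

```powershell
# Added example, not part of the original guide. Assumed names: parent zone
# contoso.com on ns1.contoso.com (not a DC); forest root ad.contoso.com with
# DCs dc1 (10.0.0.10) and dc2 (10.0.0.11) that run the DNS Server service.
Import-Module DnsServer

$ParentZone = 'contoso.com'
$ParentDns  = 'ns1.contoso.com'
$ChildLabel = 'ad'                       # child name relative to the parent zone
$ForestRoot = "$ChildLabel.$ParentZone"  # ad.contoso.com
$DcGlue = [ordered]@{
    "dc1.$ForestRoot" = '10.0.0.10'
    "dc2.$ForestRoot" = '10.0.0.11'
}

function New-ForestDelegation {
    # Writes NS records for the child name, plus glue A records for the DCs,
    # into the parent zone. Nothing in the parent zone is moved.
    $first = $true
    foreach ($ns in $DcGlue.Keys) {
        if ($first) {
            Add-DnsServerZoneDelegation -ComputerName $ParentDns -Name $ParentZone `
                -ChildZoneName $ChildLabel -NameServer $ns -IPAddress $DcGlue[$ns]
            $first = $false
        } else {
            # Additional name servers for the same delegation point, with glue.
            Add-DnsServerResourceRecord -ComputerName $ParentDns -ZoneName $ParentZone `
                -Name $ChildLabel -NS -NameServer $ns
            $relative = $ns.Substring(0, $ns.Length - $ParentZone.Length - 1)   # dc2.ad
            Add-DnsServerResourceRecordA -ComputerName $ParentDns -ZoneName $ParentZone `
                -Name $relative -IPv4Address $DcGlue[$ns]
        }
    }
}

function Test-AdDnsZones {
    # On a DC: both zones should be AD-integrated, _msdcs should replicate
    # forest-wide, and dynamic updates should be secure-only so that only
    # authenticated computers can register or overwrite records.
    foreach ($zone in $ForestRoot, "_msdcs.$ForestRoot") {
        $z = Get-DnsServerZone -ComputerName "dc1.$ForestRoot" -Name $zone
        [pscustomobject]@{
            Zone          = $z.ZoneName
            AdIntegrated  = $z.IsDsIntegrated
            Replication   = $z.ReplicationScope   # expect Forest for _msdcs
            DynamicUpdate = $z.DynamicUpdate      # expect Secure
        }
    }
}

function Test-Delegation {
    # Ask the parent server. With recursion enabled it follows the delegation
    # and returns the SRV records; with recursion disabled it returns only the
    # NS referral, which still proves the delegation is in place.
    Resolve-DnsName -Server $ParentDns -Name $ForestRoot -Type NS
    Resolve-DnsName -Server $ParentDns -Name "_ldap._tcp.dc._msdcs.$ForestRoot" -Type SRV
}

New-ForestDelegation
Test-AdDnsZones | Format-Table -AutoSize
Test-Delegation
```

Run the delegation function once with rights on the parent DNS server and the zone checks on a domain controller. The DynamicUpdate check matters because a zone that accepts nonsecure updates lets any host on the network overwrite the locator records that clients use to find domain controllers.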
DESIGN ELEMENT | CONFIGURATION
Computer naming | Use default naming. When a Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, or Windows Vista-based computer joins a domain, the computer assigns itself a fully qualified domain name (FQDN) that comprises the host name of the computer and the name of the Active Directory domain.
Client resolver configuration | Configure client computers to point to any DNS server on the network.
NOTE
Active Directory clients and domain controllers can dynamically register their DNS names even if they are not pointing to
the DNS server that is authoritative for their names.
A computer might have a different existing DNS name if the organization previously registered the computer in
DNS statically or if the organization previously deployed an integrated Dynamic Host Configuration Protocol
(DHCP) solution. If your client computers already have a registered DNS name, when the domain to which they
are joined is upgraded to Windows Server 2008 AD DS, they will have two different names:
The existing DNS name
The new fully qualified domain name (FQDN)
Clients can still be located by either name. Any existing DNS, DHCP, or integrated DNS/DHCP solution is left
intact. The new primary names are created automatically and updated by means of dynamic update. They are
cleaned up automatically by means of scavenging.
If you want to take advantage of Kerberos authentication when connecting to a server running Windows 2000,
Windows Server 2003, or Windows Server 2008, you must make sure that the client connects to the server by
using the primary name. The Kerberos client builds the service principal name (SPN) that it requests a ticket for
from the name the client supplies, and the SPNs registered at domain join cover only the primary name; a
connection made by the old name falls back to NTLM (or fails where NTLM is blocked) unless an SPN for that
name is also registered on the server's account.
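A check for the two-name situation above, as an added PowerShell example that is not part of the original guide: it resolves the name a client uses, follows a CNAME if there is one, and looks up whether any account holds an SPN for the name as typed. The domain corp.example, the server FILE01 with primary name file01.corp.example and the legacy alias files.corp.example are assumptions.

```powershell
# Added example, not part of the original guide. Assumed names: domain
# corp.example, server FILE01 (primary name file01.corp.example) and a legacy
# alias files.corp.example that is a CNAME to the primary name.
Import-Module ActiveDirectory

function Test-KerberosName {
    param(
        [Parameter(Mandatory)] [string] $Name,   # the name the client actually uses
        [string] $ServiceClass = 'HOST'          # HOST stands in for CIFS, RPC and others
    )
    # Where does the name point? A CNAME to the primary name is the usual
    # shape of an alias that pre-dates the domain join.
    $records = Resolve-DnsName -Name $Name -ErrorAction Stop
    $cname   = ($records | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
    $target  = if ($cname) { $cname } else { $Name }

    # The Windows Kerberos client asks for "<class>/<name as typed>", so the
    # alias itself needs an SPN; an SPN on the CNAME target is not enough.
    $spn    = "$ServiceClass/$Name"
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName

    [pscustomobject]@{
        Name          = $Name
        ResolvesTo    = $target
        Spn           = $spn
        SpnHolder     = if ($holder) { $holder.Name } else { $null }
        KerberosReady = [bool]$holder
    }
}

Test-KerberosName -Name 'file01.corp.example'   # primary name: SPN registered at join
Test-KerberosName -Name 'files.corp.example'    # alias: KerberosReady is False until an SPN exists

# If the alias must support Kerberos, register SPNs for it on the server's
# computer account (setspn -S refuses to create a duplicate SPN):
#   setspn -S HOST/files.corp.example FILE01
#   setspn -S HOST/files FILE01
```

A KerberosReady value of False for a name that users connect with means those sessions are authenticating with NTLM; run the check against every alias before disabling NTLM.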
Appendix A: DNS Inventory
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You can use the following tables to assist you in documenting the recursive name resolution method of your
current Domain Name System (DNS) structure as part of the logical structure design for Windows Server Active
Directory Domain Services (AD DS).
Root hints
NAME | IPV4 ADDRESS | IPV6 ADDRESS
Forwarding
NAME | IPV4 ADDRESS | IPV6 ADDRESS | PHYSICAL LOCATION
Creating an Organizational Unit Design
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Forest owners are responsible for creating organizational unit (OU) designs for their domains. Creating an OU
design involves designing the OU structure, assigning the OU owner role, and creating account and resource
OUs.
Initially, design your OU structure to enable delegation of administration. When the OU design is complete, you
can create additional OU structures for the application of Group Policy to the users and computers and to limit
the visibility of objects. For more information, see Designing a Group Policy Infrastructure.
OU owner role
The forest owner designates an OU owner for each OU that you design for the domain. OU owners are data
managers who control a subtree of objects in Active Directory Domain Services (AD DS). OU owners can control
how administration is delegated and how policy is applied to objects within their OU. They can also create new
subtrees and delegate administration of OUs within those subtrees.
Because OU owners do not own or control the operation of the directory service, you can separate ownership
and administration of the directory service from ownership and administration of objects, reducing the number
of service administrators who have high levels of access.
OUs provide administrative autonomy and the means to control visibility of objects in the directory. OUs
provide isolation from other data administrators, but they do not provide isolation from service administrators.
Although OU owners have control over a subtree of objects, the forest owner retains full control over all
subtrees. This enables the forest owner to correct mistakes, such as an error in an access control list (ACL), and
to reclaim delegated subtrees when data administrators are terminated.
In this section
Reviewing OU Design Concepts
Delegating Administration by Using OU Objects
Reviewing OU Design Concepts
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The organizational unit (OU) structure for a domain includes the following:
A diagram of the OU hierarchy
A list of OUs
For each OU:
The purpose for the OU
A list of users or groups that have control over the OU or the objects in the OU
The type of control that users and groups have over the objects in the OU
The OU hierarchy does not need to reflect the departmental hierarchy of the organization or group. OUs are
created for a specific purpose, such as the delegation of administration, the application of Group Policy, or to
limit the visibility of objects.
You can design your OU structure to delegate administration to individuals or groups within your organization
that require the autonomy to manage their own resources and data. OUs represent administrative boundaries
and enable you to control the scope of authority of data administrators.
For example, you can create an OU called ResourceOU and use it to store all the computer accounts that belong
to the file and print servers managed by a group. Then, you can configure security on the OU so that only data
administrators in the group have access to the OU. This prevents data administrators in other groups from
tampering with the file and print server accounts.
You can further refine your OU structure by creating subtrees of OUs for specific purposes, such as the
application of Group Policy or to limit the visibility of protected objects so that only certain users can see them.
For example, if you need to apply Group Policy to a select group of users or resources, you can add those users
or resources to an OU, and then apply Group Policy to that OU. You can also use the OU hierarchy to enable
further delegation of administrative control.
While there is no technical limit to the number of levels in your OU structure, for manageability we recommend
that you limit your OU structure to a depth of no more than 10 levels. There is no technical limit to the number
of OUs on each level. Note that Active Directory Domain Services (AD DS)-enabled applications might have
restrictions on the number of characters used in the distinguished name (that is, the full Lightweight Directory
Access Protocol (LDAP) path to the object in the directory) or on the OU depth within the hierarchy.
The OU structure in AD DS is not intended to be visible to end users. The OU structure is an administrative tool
for service administrators and for data administrators, and it is easy to change. Continue to review and update
your OU structure design to reflect changes in your administrative structure and to support policy-based
administration.
Delegating Administration by Using OU Objects
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You can use organizational units (OUs) to delegate the administration of objects, such as users or computers,
within the OU to a designated individual or group. To delegate administration by using an OU, place the
individual or group to which you are delegating administrative rights into a group, place the set of objects to be
controlled into an OU, and then delegate administrative tasks for the OU to that group.
Active Directory Domain Services (AD DS) enables you to control the administrative tasks that can be delegated
at a very detailed level. For example, you can assign one group to have full control of all objects in an OU; assign
another group the rights only to create, delete, and manage user accounts in the OU; and then assign a third
group the right only to reset user account passwords. You can make these permissions inheritable so that they
apply to any OUs that are placed in subtrees of the original OU.
Default OUs and containers are created during the installation of AD DS and are controlled by service
administrators. It is best if service administrators continue to control these containers. If you need to delegate
control over objects in the directory, create additional OUs and place the objects in these OUs. Delegate control
over these OUs to the appropriate data administrators. This makes it possible to delegate control over objects in
the directory without changing the default control given to the service administrators.
The forest owner determines the level of authority that is delegated to an OU owner. This can range from the
ability to create and manipulate objects within the OU to only being allowed to control a single attribute of a
single type of object in the OU. Granting a user the ability to create an object in the OU implicitly grants that
user the ability to manipulate any attribute of any object that the user creates. In addition, if the object that is
created is a container, the user implicitly has the ability to create and manipulate any objects that are placed in
the container.
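The three tiers of delegation described above (full control; create, delete and manage users; reset passwords only), written as ACEs on one OU through the ActiveDirectory module's AD: drive. This is an added example, not code from the original guide; the OU OU=Sales,DC=corp,DC=example and the groups Sales-OU-Admins, Sales-Account-Admins and Sales-HelpDesk are assumed names.

```powershell
# Added example, not part of the original guide. Assumed names: the OU
# OU=Sales,DC=corp,DC=example and the groups Sales-OU-Admins (full control),
# Sales-Account-Admins (create/delete/manage users), Sales-HelpDesk (reset passwords).
Import-Module ActiveDirectory

$OuPath = 'AD:\OU=Sales,DC=corp,DC=example'

# Well-known GUIDs used in Active Directory ACEs.
$UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right

function New-OuAce {
    param(
        [string] $Group,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Guid] $ObjectType = [Guid]::Empty,     # right, attribute or child class; Empty = all
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inherit = 'All',
        [Guid] $InheritedTo = [Guid]::Empty     # class of descendant object the ACE applies to
    )
    $sid = (Get-ADGroup -Identity $Group).SID
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inherit, $InheritedTo)
}

$acl = Get-Acl -Path $OuPath

# Tier 1: full control of the OU and everything under it.
$acl.AddAccessRule((New-OuAce -Group 'Sales-OU-Admins' -Rights GenericAll))

# Tier 2: create and delete user objects in the OU and its child OUs ...
$acl.AddAccessRule((New-OuAce -Group 'Sales-Account-Admins' -Rights 'CreateChild, DeleteChild' -ObjectType $UserClass))
# ... and full control of the user objects in the subtree, but not of the OU itself.
$acl.AddAccessRule((New-OuAce -Group 'Sales-Account-Admins' -Rights GenericAll -Inherit Descendents -InheritedTo $UserClass))

# Tier 3: only the Reset Password control access right, on descendant user objects.
$acl.AddAccessRule((New-OuAce -Group 'Sales-HelpDesk' -Rights ExtendedRight -ObjectType $ResetPassword -Inherit Descendents -InheritedTo $UserClass))

Set-Acl -Path $OuPath -AclObject $acl

# Review what was written. ObjectType and InheritedObjectType show as GUIDs here;
# "dsacls OU=Sales,DC=corp,DC=example" prints the same ACEs with friendly names.
(Get-Acl -Path $OuPath).Access |
    Where-Object { $_.IdentityReference -like '*\Sales-*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Two points worth keeping in mind when reading the result. The creator of an object becomes its owner and so can rewrite its ACL, which is why the create/delete tier effectively controls the users it creates even without the GenericAll ACE. And the Reset Password right alone does not let the help desk tick "User must change password at next logon"; that also needs write access to the pwdLastSet attribute.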
In this section
Delegating Administration of Default Containers and OUs
Delegating Administration of Account OUs and Resource OUs
Delegating Administration of Default Containers and OUs
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Every Active Directory domain contains a standard set of containers and organizational units (OUs) that are
created during the installation of Active Directory Domain Services (AD DS). These include the following:
Domain container, which serves as the root container of the hierarchy
Built-in (Builtin) container, which holds the default built-in security groups, such as Administrators and
Account Operators
Users container, which is the default location for new user accounts and groups created in the domain
Computers container, which is the default location for new computer accounts created in the domain
Domain Controllers OU, which is the default location for the computer accounts of domain controllers
The forest owner controls these default containers and OUs.
Domain container
The domain container is the root container of the hierarchy of a domain. Changes to the policies or the access
control list (ACL) on this container can potentially have domain-wide impact. Do not delegate control of this
container; it must be controlled by the service administrators.
IMPORTANT
If you need to delegate control over users or computers, do not modify the default settings on the users and computers
containers. Instead, create new OUs (as needed) and move the user and computer objects from their default containers
and into the new OUs. Delegate control over the new OUs, as needed. We recommend that you not modify who controls
the default containers.
Also, you cannot apply Group Policy settings to the default Users and Computers containers: Group Policy
objects can be linked only to sites, domains, and OUs, and these containers are not OUs, so the only policy they
receive is whatever is linked at the domain level. To apply Group Policy to users and computers, create new OUs
and move the user and computer objects into those OUs. Apply the Group Policy settings to the new OUs.
Optionally, you can redirect the creation of objects that are placed in the default containers to be placed in
containers of your choice.
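The procedure described above (create OUs, move the objects out of the default containers, redirect future creations) as an added PowerShell example that is not part of the original guide. The domain corp.example and the OU names "Corp Users" and "Corp Computers" are assumptions; the move commands carry -WhatIf so that the result can be reviewed before anything is changed.

```powershell
# Added example, not part of the original guide. Assumed names: domain
# corp.example, new OUs "Corp Users" and "Corp Computers".
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$usersOU     = "OU=Corp Users,$domainDN"
$computersOU = "OU=Corp Computers,$domainDN"

# Create the OUs once, directly under the domain root.
foreach ($ou in 'Corp Users', 'Corp Computers') {
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Move ordinary users out of CN=Users. The well-known accounts (Administrator
# RID 500, Guest 501, krbtgt 502) and the default groups stay where the service
# administrators control them. Remove -WhatIf after reviewing the list.
Get-ADUser -SearchBase $domain.UsersContainer -SearchScope OneLevel -Filter * |
    Where-Object { $_.SID.Value -notmatch '-(500|501|502)$' } |
    Move-ADObject -TargetPath $usersOU -WhatIf

Get-ADComputer -SearchBase $domain.ComputersContainer -SearchScope OneLevel -Filter * |
    Move-ADObject -TargetPath $computersOU -WhatIf

# Redirect the defaults so that newly joined computers and newly created users
# land in the delegated OUs. Both tools need Domain Admins rights and the
# Windows Server 2003 (or later) domain functional level; they rewrite the
# wellKnownObjects attribute on the domain naming context.
redirusr.exe $usersOU
redircmp.exe $computersOU

# Verify: each wellKnownObjects entry is B:32:<GUID>:<DN>. The GUIDs below are
# the well-known identifiers of the Users and Computers containers.
(Get-ADObject -Identity $domainDN -Properties wellKnownObjects).wellKnownObjects |
    Where-Object { $_ -match 'A9D1CA15768811D1ADED00C04FD8D5CD|AA312825768811D1ADED00C04FD8D5CD' }
```

After the redirect, the two wellKnownObjects entries should end in the new OU distinguished names rather than CN=Users and CN=Computers; tools that create accounts without specifying a path will then honour the delegated OUs.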
Domain Controllers OU
When domain controllers are added to the domain, their computer objects are automatically added to the
Domain Controllers OU. This OU has a default set of policies applied to it (the Default Domain Controllers
Policy). To ensure that these policies are applied uniformly to all domain controllers, we recommend that you
not move the computer objects of the domain controllers out of this OU. Failure to apply the default policies
can cause a domain controller to fail to function properly.
By default, the service administrators control this OU. Do not delegate control of this OU to individuals other
than the service administrators.
Delegating Administration of Account OUs and Resource OUs
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Account organizational units (OUs) contain user, group, and computer objects. Resource OUs contain resources
and the accounts that are responsible for managing those resources. The forest owner is responsible for
creating an OU structure to manage these objects and resources and for delegating control of that structure to
the OU owner.
The following table lists and describes the possible child OUs that you can create in an account OU structure.
OU | PURPOSE
Service Accounts | Some services that require access to network resources run as user accounts. This OU is created to separate service user accounts from the user accounts contained in the Users OU. Placing the different types of user accounts in separate OUs also enables you to manage them according to their specific administrative requirements.
The following illustration shows one example of an administrative group design for an account OU structure.
Groups that manage the child OUs are granted full control only over the specific class of objects that they are
responsible for managing.
The types of groups that you use to delegate control within an OU structure depend on where the
administrative accounts are located relative to the OU structure that is to be managed. If the admin user
accounts and the OU structure all exist within a single domain, the groups that you create for delegation must
be global groups. If your organization has a department that manages its own user accounts and exists in more
than one geographical region, you might have a group of data administrators who are responsible for managing
account OUs in more than one domain. If the accounts of the data administrators all exist in a single domain
and you have OU structures in multiple domains to which you need to delegate control, make those
administrative accounts members of global groups and delegate control of the OU structures in each domain to
those global groups. If the data administrators' accounts to which you delegate control of an OU structure come
from multiple domains, you must use a universal group. Universal groups can contain users from different
domains, and therefore they can be used to delegate control in multiple domains.
The resource OU can be located under the domain root or as a child OU of the corresponding account OU in the
OU administrative hierarchy. Resource OUs do not have any standard child OUs. Computers and groups are
placed directly in the resource OU.
The resource OU owner owns the objects within the OU but does not own the OU container itself. Resource OU
owners manage only computer and group objects; they cannot create other classes of objects within the OU,
and they cannot create child OUs.
NOTE
The creator or owner of an object has the ability to set the access control list (ACL) on the object regardless of the
permissions that are inherited from the parent container. If a resource OU owner can reset the ACL on an OU, that owner
can create any class of object in the OU, including users. For this reason, resource OU owners are not permitted to create
OUs.
For each resource OU in the domain, create a global group to represent the data administrators who are
responsible for managing the content of the OU. This group has full control over the group and computer
objects in the OU but not over the OU container itself.
The following illustration shows the administrative group design for a resource OU.
Placing the computer accounts into a resource OU gives the OU owner control over the account objects but
does not make the OU owner an administrator of the computers. In an Active Directory domain, the Domain
Admins group is, by default, placed in the local Administrators group on all computers. That is, service
administrators have control over those computers. If resource OU owners require administrative control over
the computers in their OUs, the forest owner can apply a Restricted Groups Group Policy to make the resource
OU owner a member of the Administrators group on the computers in that OU. Configure the owner group with
the "This group is a member of" setting, which adds it to Administrators; the "Members of this group" setting
on Administrators enforces an exact membership list and removes every member that is not listed, including
Domain Admins if it is omitted.
Finding Additional Resources for Logical Structure Design
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You can find Additional Resources for Logical Structure Design in the following documentation about Active
Directory Domain Services (AD DS):
For more information about designing the site topology, see Designing the Site Topology for Windows
Server 2008 AD DS.
For worksheets to assist you in documenting the proposed forest, domain, Domain Name System (DNS)
infrastructure, and organizational unit (OU) design, download
Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip from Job Aids for Windows
Server 2003 Deployment Kit.
For more information about delegated authentication and constrained delegation, see Delegating
authentication.
For more information about configuring firewalls for use with AD DS, see Active Directory in Networks
Segmented by Firewalls.
For more information about upgrading Active Directory domains to Windows Server 2008, see
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS
Domains.
For more information about restructuring AD DS domains within and between forests, see ADMT Guide:
Migrating and Restructuring Active Directory Domains.
For more information about deploying a forest root domain, see Deploying a Windows Server 2008
Forest Root Domain.
For more information about deploying DNS, see Deploying Domain Name System (DNS).
For more information about the DNS hierarchy and name resolution process, see the DNS Technical
Reference.
For more information about how DNS supports AD DS, see the DNS Support for Active Directory
Technical Reference.
For more information about WINS, see the WINS Technical Reference.
For more information about creating a disjoint namespace, see Create a Disjoint Namespace.
For more information about setting Service Principal Names (SPNs), see Service Logons Fail Due to
Incorrectly Set SPNs.
For more information about how to delegate permissions to modify SPNs to subordinate administrators,
see Delegating Authority to Modify SPNs.
For more information about domain controller certificate requirements, see article 321051 in the
Microsoft Knowledge Base, How to enable LDAP over SSL with a third-party certification authority.
For more information about Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer
(SSL) (LDAPS) authentication for Windows Server 2003, see article 938703 in the Microsoft Knowledge
Base, How to troubleshoot LDAP over SSL connection problems.
For more information about Group Policy infrastructure, see Designing a Group Policy Infrastructure.
For more information about read-only domain controllers (RODCs), see AD DS: Read-Only Domain
Controllers.
For more information about fine-grained password and account lockout policies, see the AD DS Fine-
Grained Password and Account Lockout Policy Step-by-Step Guide.
For more information about naming conventions in AD DS, see article 909264 in the Microsoft
Knowledge Base, Naming conventions in Active Directory for computers, domains, sites, and OUs.
Designing the Site Topology
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
A directory service site topology is a logical representation of your physical network. Designing a site topology
for Active Directory Domain Services (AD DS) involves planning for domain controller placement and designing
sites, subnets, site links, and site link bridges to ensure efficient routing of query and replication traffic.
Designing a site topology helps you efficiently route client queries and Active Directory replication traffic. A
well-designed site topology helps your organization achieve the following benefits:
Minimize the cost of replicating Active Directory data.
Minimize administrative efforts that are required to maintain the site topology.
Schedule replication that enables locations with slow or dial-up network links to replicate Active
Directory data during off-peak hours.
Optimize the ability of client computers to locate the nearest resources, such as domain controllers and
Distributed File System (DFS) servers. This helps to reduce network traffic over slow wide area network
(WAN) links, improve logon and logoff processes, and speed up file download operations.
Before you begin to design your site topology, you must understand your physical network structure. In
addition, you must first design your Active Directory logical structure, including the administrative hierarchy,
forest plan, and domain plan for each forest. You must also complete your Domain Name System (DNS)
infrastructure design for AD DS. For more information about designing your Active Directory logical structure
and DNS infrastructure, see Designing the Logical Structure for Windows Server 2008 AD DS.
After you complete your site topology design, you must verify that your domain controllers meet the hardware
requirements for Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008
Datacenter.
In this guide
Understanding Active Directory Site Topology
Collecting Network Information
Planning Domain Controller Placement
Creating a Site Design
Creating a Site Link Design
Creating a Site Link Bridge Design
Finding Additional Resources for Windows Server 2008 Active Directory Site Topology Design
Understanding Active Directory Site Topology
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Your site topology significantly affects the performance of your network and the ability of your users to access
network resources. Before you begin to design your site topology, become familiar with the functions for sites in
Windows Server 2008, the different network topologies that organizations commonly use, the role of the site
topology owner, and some Active Directory replication concepts.
In this section
Site Functions
Site Topology Owner Role
Active Directory Replication Concepts
Site Functions
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Windows Server 2008 uses site information for many purposes, including routing replication, client affinity,
system volume (SYSVOL) replication, Distributed File System Namespaces (DFSN), and service location.
Routing replication
Active Directory Domain Services (AD DS) uses a multimaster, store-and-forward method of replication. A
domain controller communicates directory changes to a second domain controller, which then communicates to
a third, and so on, until all domain controllers have received the change. To achieve the best balance between
reducing replication latency and reducing traffic, site topology controls Active Directory replication by
distinguishing between replication that occurs within a site and replication that occurs between sites.
Within sites, replication is optimized for speed: data updates trigger replication, and the data is sent without the
overhead required by data compression. Conversely, replication between sites is compressed to minimize the
cost of transmission over wide area network (WAN) links. When replication occurs between sites, a single
domain controller per domain at each site (the bridgehead server) collects and stores the directory changes and
communicates them at a scheduled time to a domain controller in another site.
Client affinity
Domain controllers use site information to inform Active Directory clients about domain controllers present
in the same site as the client. For example, consider a client in the Seattle site that does not know its site
affiliation and contacts a domain controller from the Atlanta site. Based on the IP address of the client, the
domain controller in Atlanta determines which site the client is actually from and sends the site information
back to the client. The domain controller also informs the client whether the chosen domain controller is the
closest one to it. The client caches the site information provided by the domain controller in Atlanta, queries for
the site-specific service (SRV) resource record (a Domain Name System (DNS) resource record used to locate
domain controllers for AD DS) and thereby finds a domain controller within the same site.
By finding a domain controller in the same site, the client avoids communications over WAN links. If no domain
controllers are located at the client site, a domain controller that has the lowest cost connections relative to
other connected sites advertises itself (registers a site-specific service (SRV) resource record in DNS) in the site
that does not have a domain controller. The domain controllers that are published in DNS are those from the
closest site as defined by the site topology. This process ensures that every site has a preferred domain
controller for authentication.
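A way to see the site coverage described above from the directory side, as an added PowerShell example that is not part of the original guide: for every site it reports whether the site has a domain controller of its own and which domain controllers advertise for it through the site-specific SRV record. The domain defaults to the current one; the site name Seattle in the trailing nltest lines is an assumption.

```powershell
# Added example, not part of the original guide. Reports, per site, whether a
# local DC exists and which DCs register the site-specific locator record
# _ldap._tcp.<site>._sites.dc._msdcs.<domain>. A site without a local DC should
# still list advertisers: the DCs from the lowest-cost neighbouring site.
Import-Module ActiveDirectory

function Get-SiteCoverageReport {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    # Sites that contain a DC of this domain. The _msdcs records are per domain,
    # so a multi-domain forest needs one pass per domain.
    $sitesWithDc = Get-ADDomainController -Filter * -Server $Domain |
        Select-Object -ExpandProperty Site -Unique

    foreach ($site in (Get-ADReplicationSite -Filter *).Name) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'SRV'
        $advertisers = $srv | Select-Object -ExpandProperty NameTarget | Sort-Object -Unique
        [pscustomobject]@{
            Site       = $site
            HasLocalDc = $site -in $sitesWithDc
            Advertised = ($advertisers -join ', ')
        }
    }
}

Get-SiteCoverageReport | Sort-Object HasLocalDc, Site | Format-Table -AutoSize

# Client-side view of the same mechanism (assumed site name Seattle):
#   nltest /dsgetsite                       - which site this client maps to
#   nltest /dsgetdc:corp.example /site:Seattle   - which DC the locator returns for it
```

A site whose Advertised column is empty has no domain controller that will answer for it, so clients there fall back to non-site-specific records and may authenticate across a WAN link; either the subnet-to-site mapping or the site link costs need attention.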
For more information about the process of locating a domain controller, see Active Directory Collection.
SYSVOL replication
SYSVOL is a collection of folders in the file system that exists on each domain controller in a domain. The
SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a
domain, including Group Policy objects (GPOs), startup and shutdown scripts, and logon and logoff scripts.
Windows Server 2008 can use the File Replication Service (FRS) or Distributed File System Replication (DFSR) to
replicate changes made to the SYSVOL folders from one domain controller to other domain controllers. FRS and
DFSR replicate these changes according to the schedule that you create during your site topology design.
DFSN
DFSN uses site information to direct a client to the server that is hosting the requested data within the site. If
DFSN does not find a copy of the data within the same site as the client, DFSN uses the site information in AD
DS to determine which file server that has DFSN shared data is closest to the client.
Service location
By publishing services such as file and print services in AD DS, you allow Active Directory clients to locate the
requested service within the same or nearest site. Print services use the location attribute stored in AD DS to let
users browse for printers by location without knowing their precise location. For more information about
designing and deploying print servers, see Designing and Deploying Print Servers.
Site Topology Owner Role
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The administrator who manages the site topology is known as the site topology owner. The site topology owner
understands the conditions of the network between sites and has the authority to change settings in Active
Directory Domain Services (AD DS) to implement changes to the site topology. Changes to the site topology
change the replication topology. The site topology owner's responsibilities include:
Controlling changes to the site topology if network connectivity changes.
Obtaining and maintaining information about network connections and routers from the network group.
The site topology owner must maintain a list of subnet addresses, subnet masks, and the location to
which each belongs. The site topology owner must also understand any issues about network speed and
capacity that affect site topology to effectively set costs for site links.
Moving Active Directory server objects representing domain controllers between sites if a domain
controller's IP address changes to a different subnet in a different site, or if the subnet itself is assigned to
a different site. In either case, the site topology owner must manually move the Active Directory server
object of the domain controller to the new site.
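The last responsibility above is easy to miss in practice, so here is an added PowerShell audit for it (not code from the original guide): it maps every domain controller's IPv4 address to the most specific AD subnet, compares the subnet's site with the site the server object is in, and prepares the Move-ADDirectoryServer call for any mismatch. Only IPv4 subnets are evaluated, and the move is run with -WhatIf so that it is applied only after the network group confirms the change is permanent.

```powershell
# Added example, not part of the original guide. Finds DCs whose IP address
# belongs to a subnet assigned to a different site than their server object.
Import-Module ActiveDirectory

$Full = [int64]4294967295   # 32 set bits, kept as Int64 to avoid sign issues

function ConvertTo-IPv4Int {
    param([string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()   # network byte order
    return ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
}

function Get-LongestMatchingSubnet {
    # Same rule the DC locator applies: the most specific matching prefix wins.
    param([string] $Address, [object[]] $Subnets)
    $ip   = ConvertTo-IPv4Int $Address
    $best = $null
    foreach ($s in $Subnets) {
        if ($s.Name -notmatch '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') { continue }   # skips IPv6 subnets
        $network = $Matches[1]
        $bits    = [int]$Matches[3]
        $mask    = ($Full -shl (32 - $bits)) -band $Full
        if (($ip -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)) {
            if ($null -eq $best -or $bits -gt $best.Bits) {
                $best = [pscustomobject]@{ Name = $s.Name; Bits = $bits; SiteDN = $s.Site }
            }
        }
    }
    return $best
}

function Find-MisplacedDomainControllers {
    $subnets = Get-ADReplicationSubnet -Filter *
    foreach ($dc in Get-ADDomainController -Filter *) {
        $match      = Get-LongestMatchingSubnet -Address $dc.IPv4Address -Subnets $subnets
        $expected   = $null
        $subnetName = '(no subnet object)'
        if ($match) {
            $subnetName = $match.Name
            if ($match.SiteDN) { $expected = (Get-ADReplicationSite -Identity $match.SiteDN).Name }
        }
        if ($expected -ne $dc.Site) {
            [pscustomobject]@{
                Name          = $dc.Name        # server object name, used as the move identity
                IPv4Address   = $dc.IPv4Address
                CurrentSite   = $dc.Site
                MatchedSubnet = $subnetName
                ExpectedSite  = $expected
            }
        }
    }
}

$misplaced = @(Find-MisplacedDomainControllers)
$misplaced | Format-Table -AutoSize

foreach ($m in ($misplaced | Where-Object ExpectedSite)) {
    # Moves the server object, not the subnet; remove -WhatIf to apply.
    Move-ADDirectoryServer -Identity $m.Name -Site $m.ExpectedSite -WhatIf
}
```

A row with "(no subnet object)" is a different problem from a wrong site: the address is not covered by any subnet object at all, so clients on it cannot be assigned a site either, and the fix is a new subnet object rather than a move.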
Active Directory Replication Concepts
6/17/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Before designing site topology, become familiar with some Active Directory replication concepts.
Connection object
KCC
Failover functionality
Subnet
Site
Site link
Site link bridge
Site link transitivity
Global catalog server
Universal group membership caching
Connection object
A connection object is an Active Directory object that represents a replication connection from a source domain
controller to a destination domain controller. A domain controller is a member of a single site and is represented
in the site by a server object in Active Directory Domain Services (AD DS). Each server object has a child NTDS
Settings object that represents the replicating domain controller in the site.
The connection object is a child of the NTDS Settings object on the destination server. For replication to occur
between two domain controllers, the server object of one must have a connection object that represents
inbound replication from the other. All replication connections for a domain controller are stored as connection
objects under the NTDS Settings object. The connection object identifies the replication source server, contains a
replication schedule, and specifies a replication transport.
The Knowledge Consistency Checker (KCC) creates connection objects automatically, but they can also be
created manually. Connection objects created by the KCC appear in the Active Directory Sites and Services snap-
in as <automatically generated> and are considered adequate under normal operating conditions. Connection
objects created by an administrator are manually created connection objects. A manually created connection
object is identified by the name assigned by the administrator when it was created. When you modify a
connection object, you convert it into an administratively modified connection object and the object appears in
the form of a GUID. The KCC does not make changes to manual or modified connection objects.
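The distinction above matters operationally because a connection the KCC does not manage is also one it will not repair or remove. The following added PowerShell example (not code from the original guide) lists every inbound connection object in the forest with its source, destination, whether it crosses sites, and whether the KCC still owns it; it relies only on the connection objects in the configuration partition and assumes no server names contain escaped commas.

```powershell
# Added example, not part of the original guide. Reports all connection objects
# and flags the ones the KCC no longer manages.
Import-Module ActiveDirectory

function Get-ConnectionObjectReport {
    Get-ADReplicationConnection -Filter * |
        ForEach-Object {
            # Both ends are NTDS Settings distinguished names of the form
            # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
            $from = $_.ReplicateFromDirectoryServer -split ','
            $to   = $_.ReplicateToDirectoryServer   -split ','
            [pscustomobject]@{
                Destination = $to[1]   -replace '^CN='
                Source      = $from[1] -replace '^CN='
                Intersite   = ($from[3] -ne $to[3])          # different CN=<site> RDN
                Transport   = $_.InterSiteTransportProtocol  # empty for intrasite connections
                KccManaged  = [bool]$_.AutoGenerated
                Name        = $_.Name                        # a GUID for KCC-owned objects
            }
        }
}

$report = Get-ConnectionObjectReport
$report | Sort-Object Destination, Source | Format-Table -AutoSize

# Connections the KCC will neither repair nor delete: manually created, or
# administratively modified. Each one needs an owner and a reason.
$report | Where-Object { -not $_.KccManaged }

# The same information from the command line: repadmin /showconn
```

Manually created connections are occasionally justified (forcing a specific bridgehead, for example), but an unexplained one is worth investigating: it survives topology changes and, if it points at a domain controller that should no longer be a replication partner, keeps that partner in the replication path.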
KCC
The KCC is a built-in process that runs on all domain controllers and generates replication topology for the
Active Directory forest. The KCC creates separate replication topologies depending on whether replication is
occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to
accommodate the addition of new domain controllers, the removal of existing domain controllers, the
movement of domain controllers to and from sites, changing costs and schedules, and domain controllers that
are temporarily unavailable or in an error state.
Within a site, the connections between writable domain controllers are always arranged in a bidirectional ring,
with additional shortcut connections to reduce latency in large sites. On the other hand, the intersite topology is
a layering of spanning trees, which means one intersite connection exists between any two sites for each
directory partition and generally does not contain shortcut connections. For more information about spanning
trees and Active Directory replication topology, see Active Directory Replication Topology Technical Reference
(https://go.microsoft.com/fwlink/?LinkID=93578).
On each domain controller, the KCC creates replication routes by creating one-way inbound connection objects
that define connections from other domain controllers. For domain controllers in the same site, the KCC creates
connection objects automatically without administrative intervention. When you have more than one site, you
configure site links between sites, and a single KCC in each site automatically creates connections between sites
as well.
KCC improvements for Windows Server 2008 RODCs
There are a number of KCC improvements to accommodate the newly available read-only domain controller
(RODC) in Windows Server 2008. A typical deployment scenario for RODC is the branch office. The Active
Directory replication topology most commonly deployed in this scenario is based on a hub-and-spoke design,
where branch domain controllers in multiple sites replicate with a small number of bridgehead servers in a hub
site.
One of the benefits of deploying RODC in this scenario is unidirectional replication. Bridgehead servers are not
required to replicate from the RODC, which reduces administration and network usage.
However, one administrative challenge highlighted by the hub-spoke topology on previous versions of the
Windows Server operating system is that after adding a new bridgehead domain controller in the hub, there is
no automatic mechanism to redistribute the replication connections between the branch domain controllers and
the hub domain controllers to take advantage of the new hub domain controller.
For Windows Server 2008 RODCs, the normal functioning of the KCC provides some rebalancing. The new
functionality is enabled by default. You can disable it by setting the following registry value on the RODC:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
"Random BH Loadbalancing Allowed": 1 = Enabled (default), 0 = Disabled
For more information about how these KCC improvements work, see Planning and Deploying Active Directory
Domain Services for Branch Offices (https://go.microsoft.com/fwlink/?LinkId=107114).
Failover functionality
Sites ensure that replication is routed around network failures and offline domain controllers. The KCC runs at
specified intervals to adjust the replication topology for changes that occur in AD DS, such as when new domain
controllers are added and new sites are created. The KCC reviews the replication status of existing connections to
determine if any connections are not working. If a connection is not working due to a failed domain controller,
the KCC automatically builds temporary connections to other replication partners (if available) to ensure that
replication occurs. If all the domain controllers in a site are unavailable, the KCC automatically creates replication
connections between domain controllers from another site.
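The following PowerShell, an added example that is not part of the original guide, shows the checks a practitioner would run against the two passages above: it lists the inbound connection objects the KCC built for a domain controller together with each partner's replication health (what the KCC reviews before routing around a failed partner), and reads the "Random BH Loadbalancing Allowed" value on an RODC. The domain controller name is an assumption; the ActiveDirectory module (RSAT) is required.

```powershell
# Added example (not from the guide): inspect KCC-generated inbound connections and
# partner health for one DC, then check the RODC bridgehead load-balancing setting.
Import-Module ActiveDirectory

function Get-KccInboundConnectionReport {
    param([Parameter(Mandatory)][string]$DomainController)   # assumed name, e.g. 'BRANCH-RODC1'

    $dc = Get-ADDomainController -Identity $DomainController

    # Connection objects are one-way and inbound: ReplicateToDirectoryServer is the
    # NTDS Settings object of the DC that owns them, ReplicateFromDirectoryServer the partner.
    $connections = Get-ADReplicationConnection -Filter * |
        Where-Object { $_.ReplicateToDirectoryServer -eq $dc.NTDSSettingsObjectDN }

    # Per-partner replication status as seen by this DC (one entry per partition).
    $metadata = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound

    foreach ($c in $connections) {
        # The partner's server RDN is the second component of its NTDS Settings DN.
        $fromServer = (($c.ReplicateFromDirectoryServer -split ',')[1]) -replace '^CN=', ''
        $m = $metadata |
            Where-Object { $_.Partner -eq $c.ReplicateFromDirectoryServer } |
            Select-Object -First 1

        [pscustomobject]@{
            Connection    = $c.Name
            FromServer    = $fromServer
            AutoGenerated = $c.AutoGenerated          # $true when the KCC created it
            LastSuccess   = $m.LastReplicationSuccess
            Failures      = $m.ConsecutiveReplicationFailures
            LastResult    = $m.LastReplicationResult  # 0 = success
        }
    }
}

# On an RODC, confirm whether random bridgehead load balancing is still enabled.
# An absent value means the default (enabled) applies.
function Get-RodcBridgeheadLoadBalancing {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $lb = (Get-ItemProperty -Path $ntds -Name 'Random BH Loadbalancing Allowed' `
              -ErrorAction SilentlyContinue).'Random BH Loadbalancing Allowed'
    if ($null -eq $lb -or $lb -eq 1) { 'Random bridgehead load balancing: enabled (default)' }
    else                             { 'Random bridgehead load balancing: disabled' }
}

Get-KccInboundConnectionReport -DomainController 'BRANCH-RODC1' | Format-Table -AutoSize
Get-RodcBridgeheadLoadBalancing
```

A non-zero Failures count on an automatically generated connection is the condition under which the KCC will start building temporary connections to other partners, so it is the column to alert on.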
Subnet
A subnet is a segment of a TCP/IP network to which a set of logical IP addresses are assigned. Subnets group
computers in a way that identifies their physical proximity on the network. Subnet objects in AD DS identify the
network addresses that are used to map computers to sites.
Site
Sites are Active Directory objects that represent one or more TCP/IP subnets with highly reliable and fast
network connections. Site information allows administrators to configure Active Directory access and replication
to optimize usage of the physical network. Site objects are associated with a set of subnets, and each domain
controller in a forest is associated with an Active Directory site according to its IP address. Sites can host domain
controllers from more than one domain, and a domain can be represented in more than one site.
Site link
Site links are Active Directory objects that represent logical paths that the KCC uses to establish a connection for
Active Directory replication. A site link object represents a set of sites that can communicate at uniform cost
through a specified intersite transport.
All sites contained within the site link are considered to be connected by means of the same network type. Sites
must be manually linked to other sites by using site links so that domain controllers in one site can replicate
directory changes from domain controllers in another site. Because site links do not correspond to the actual
path taken by network packets on the physical network during replication, you do not need to create redundant
site links to improve Active Directory replication efficiency.
When two sites are connected by a site link, the replication system automatically creates connections between
specific domain controllers in each site that are called bridgehead servers. In Windows Server 2008, all domain
controllers in a site that host the same directory partition are candidates for being selected as bridgehead
servers. The replication connections created by the KCC are randomly distributed among all candidate
bridgehead servers in a site to share the replication workload. By default, the randomized selection process
takes place only once, when connection objects are first added to the site.
NOTE
SMTP replication will not be supported in future versions of AD DS; therefore, creating site link objects in the SMTP
container is not recommended.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The first step in designing an effective site topology in Active Directory Domain Services (AD DS) is to consult
your organization's networking group to collect information and communicate with them regularly about your
physical network topology.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
After you have gathered all of the network information that will be used to design your site topology, plan
where you want to place domain controllers, including forest root domain controllers, regional domain
controllers, operations master role holders, and global catalog servers.
In Windows Server 2008, you can also take advantage of read-only domain controllers (RODCs). An RODC is a
new type of domain controller that hosts read-only partitions of the Active Directory database. Except for
account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain
controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must
be made on a writable domain controller and then replicated back to the RODC.
An RODC is designed primarily to be deployed in remote or branch office environments, which typically have
relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and personnel with
limited knowledge of information technology (IT). Deploying RODCs results in improved security and more
efficient access to network resources. For more information about RODC features, see AD DS: Read-Only
Domain Controllers. For information about how to deploy an RODC, see the Read-Only Domain Controllers
Step-by-Step Guide.
NOTE
This guide does not explain how you determine the proper number of domain controllers and the domain controller
hardware requirements for each domain that is represented in each site.
In this section
Planning Forest Root Domain Controller Placement
Planning Regional Domain Controller Placement
Planning Global Catalog Server Placement
Planning Operations Master Role Placement
Planning Forest Root Domain Controller Placement
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Forest root domain controllers are needed to create trust paths for clients that need to access resources in
domains other than their own. Place forest root domain controllers in hub locations and at locations that host
datacenters. If users in a given location need to access resources from other domains in the same location, and
the network availability between the datacenter and the user location is unreliable, you can either add a forest
root domain controller in the location or create a shortcut trust between the two domains. It is more cost
efficient to create a shortcut trust between the domains unless you have other reasons to place a forest root
domain controller in that location.
Shortcut trusts help to optimize authentication requests made from users located in either domain. For more
information about shortcut trusts between domains, see the article Understanding When to Create a Shortcut
Trust.
For a worksheet to assist you in documenting your forest root domain controller placement, see Job Aids for
Windows Server 2003 Deployment Kit, download
Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip, and open "Domain Controller
Placement" (DSSTOPO_4.doc).
You will need to refer to this information when you create the forest root domain. For more information about
deploying the forest root domain, see Deploying a Windows Server 2008 Forest Root Domain.
Planning Regional Domain Controller Placement
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
To ensure cost efficiency, plan to place as few regional domain controllers as possible. First, review the
"Geographic Locations and Communication Links" (DSSTOPO_1.doc) worksheet used in Collecting Network
Information to determine whether a location is a hub.
Plan to place regional domain controllers for each domain that is represented in each hub location. After you
place regional domain controllers in all hub locations, evaluate the need for placing regional domain controllers
at satellite locations. Eliminating unnecessary regional domain controllers from satellite locations reduces the
support costs required to maintain a remote server infrastructure.
In addition, ensure the physical security of domain controllers in hub and satellite locations so that unauthorized
personnel cannot access them. Do not place writable domain controllers in hub and satellite locations in which
you cannot guarantee the physical security of the domain controller. A person who has physical access to a
writable domain controller can attack the system by:
Accessing physical disks by starting an alternate operating system on a domain controller.
Removing (and possibly replacing) physical disks on a domain controller.
Obtaining and manipulating a copy of a domain controller system state backup.
Add writable regional domain controllers only to locations in which you can guarantee their physical security.
In locations with inadequate physical security, deploying a read-only domain controller (RODC) is the
recommended solution. Except for account passwords, an RODC holds all the Active Directory objects and
attributes that a writable domain controller holds. However, changes cannot be made to the database that is
stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the
RODC.
To authenticate client logons and access to local file servers, most organizations place regional domain
controllers for all regional domains that are represented in a given location. However, you must consider many
variables when evaluating whether a business location requires its clients to have local authentication or the
clients can rely on authentication and query over a wide area network (WAN) link. The following illustration
shows how to determine whether to place domain controllers at satellite locations.
Onsite technical expertise availability
Domain controllers need to be managed continuously for various reasons. Place a regional domain controller
only in locations that include personnel who can administer the domain controller, or be sure that the domain
controller can be managed remotely.
In branch office environments with typically poor physical security and personnel with little information
technology knowledge, deploying an RODC is often the recommended solution. Local administrative
permissions for an RODC can be delegated to any domain user without granting that user any user rights for
the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform
maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any
other domain controller or perform any other administrative task in the domain. In this way, the branch user can
be delegated the ability to effectively manage the RODC in the branch office without compromising the security
of the rest of the domain or the forest.
Authentication availability
Certain organizations, such as banks, require that users be authenticated at all times. Place a regional domain
controller in a location where the WAN link availability is not 100 percent but users require authentication at all
times.
Planning Global Catalog Server Placement
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Global catalog placement requires planning except if you have a single-domain forest. In a single-domain forest,
configure all domain controllers as global catalog servers. Because every domain controller stores the only
domain directory partition in the forest, configuring each domain controller as a global catalog server does not
require any additional disk space usage, CPU usage, or replication traffic. In a single-domain forest, all domain
controllers act as virtual global catalog servers; that is, they can all respond to any authentication or service
request. This special condition for single-domain forests is by design. Authentication requests do not require
contacting a global catalog server as they do when there are multiple domains, and a user can be a member of a
universal group that exists in a different domain. However, only domain controllers that are designated as global
catalog servers can respond to global catalog queries on the global catalog port 3268. To simplify
administration in this scenario and to ensure consistent responses, designating all domain controllers as global
catalog servers eliminates the concern about which domain controllers can respond to global catalog queries.
Specifically, any time a user uses Start\Search\For People or Find Printers or expands Universal Groups, these
requests go only to the global catalog.
In multiple-domain forests, global catalog servers facilitate user logon requests and forest-wide searches. The
following illustration shows how to determine which locations require global catalog servers.
In most cases, it is recommended that you include the global catalog when you install new domain controllers.
The following exceptions apply:
Limited bandwidth: In remote sites, if the wide area network (WAN) link between the remote site and the hub
site is limited, you can use universal group membership caching in the remote site to accommodate the
logon needs of users in the site.
Infrastructure operations master role incompatibility: Do not place the global catalog on a domain controller
that hosts the infrastructure operations master role in the domain unless all domain controllers in the
domain are global catalog servers or the forest has only one domain.
NOTE
Read-only domain controllers (RODCs) can be promoted successfully to global catalog server status. However, certain
directory-enabled applications cannot support an RODC as a global catalog server. For example, no version of Microsoft
Exchange Server uses RODCs. However, Microsoft Exchange Server works in environments that include RODCs, as long as
there are writable domain controllers available. Exchange Server 2007 effectively ignores RODCs. Exchange Server 2003
also ignores RODCs in default conditions where Exchange components automatically detect available domain controllers.
No changes were made to Exchange Server 2003 to make it aware of read-only directory servers. Therefore, trying to
force Exchange Server 2003 services and management tools to use RODCs may result in unpredictable behavior.
Planning Operations Master Role Placement
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Active Directory Domain Services (AD DS) supports multimaster replication of directory data, which means any
domain controller can accept directory changes and replicate the changes to all other domain controllers.
However, certain changes, such as schema modifications, are impractical to perform in a multimaster fashion.
For this reason certain domain controllers, known as operations masters, hold roles responsible for accepting
requests for certain specific changes.
NOTE
Operations master role holders must be able to write some information to the Active Directory database. Because of the
read-only nature of the Active Directory database on a read-only domain controller (RODC), RODCs cannot act as
operations master role holders.
Three operations master roles (also known as flexible single master operations or FSMO) exist in each domain:
The primary domain controller (PDC) emulator operations master processes all password updates.
The relative ID (RID) operations master maintains the global RID pool for the domain and allocates local
RIDs pools to all domain controllers to ensure that all security principals created in the domain have a
unique identifier.
The infrastructure operations master for a given domain maintains a list of the security principals from
other domains that are members of groups within its domain.
In addition to the three domain-level operations master roles, two operations master roles exist in each forest:
The schema operations master governs changes to the schema.
The domain naming operations master adds and removes domains and other directory partitions (for
example, Domain Name System (DNS) application partitions) to and from the forest.
Place the domain controllers hosting these operations master roles in areas where network reliability is high,
and ensure that the PDC emulator and the RID master are consistently available.
Operations master role holders are assigned automatically when the first domain controller in a given domain is
created. The two forest-level roles (schema master and domain naming master) are assigned to the first domain
controller created in a forest. In addition, the three domain-level roles (RID master, infrastructure master, and
PDC emulator) are assigned to the first domain controller created in a domain.
NOTE
Automatic operations master role holder assignments are made only when a new domain is created and when a current
role holder is demoted. All other changes to role owners have to be initiated by an administrator.
These automatic operations master role assignments can cause very high CPU usage on the first domain
controller created in the forest or the domain. To avoid this, assign (transfer) operations master roles to various
domain controllers in your forest or domain. Place the domain controllers that host operations master roles in
areas where the network is reliable and where the operations masters can be accessed by all other domain
controllers in the forest.
You should also designate standby (alternate) operations masters for all operations master roles. The standby
operations masters are domain controllers to which you could transfer the operations master roles in case the
original role holders fail. Ensure that the standby operations masters are direct replication partners of the actual
operations masters.
Next steps
Additional information about FSMO role placement can be found in the support topic FSMO placement and
optimization on Active Directory domain controllers
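As an added example that is not part of the original guide, the following PowerShell enumerates the five role holders and checks two placement rules stated above: that the infrastructure master is not a global catalog unless every domain controller is one (or the forest has a single domain), and that a designated standby is a direct replication partner of the current role holder. The standby name is an assumption; the ActiveDirectory module (RSAT) is required.

```powershell
# Added example (not from the guide): report operations master role holders and
# verify two of the placement rules described in this section.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-level
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-level
        PDCEmulator          = $domain.PDCEmulator           # domain-level
        RIDMaster            = $domain.RIDMaster             # domain-level
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-level
    }
}

# Rule: do not host the infrastructure master on a GC unless all DCs in the domain
# are GCs or the forest has only one domain.
function Test-InfrastructureMasterPlacement {
    $roles  = Get-OperationsMasterReport
    $imDc   = Get-ADDomainController -Identity $roles.InfrastructureMaster
    $allDcs = Get-ADDomainController -Filter *
    $allGc  = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
    $singleDomain = @((Get-ADForest).Domains).Count -eq 1

    if ($imDc.IsGlobalCatalog -and -not ($allGc -or $singleDomain)) {
        "WARNING: infrastructure master $($imDc.HostName) is a global catalog while other DCs are not."
    } else {
        "OK: infrastructure master $($imDc.HostName) placement follows the guidance."
    }
}

# Rule: a standby operations master should be a direct replication partner of the
# role holder, i.e. the standby has an inbound connection object from the holder.
function Test-StandbyIsReplicationPartner {
    param(
        [Parameter(Mandatory)][string]$RoleHolder,
        [Parameter(Mandatory)][string]$Standby
    )
    $holderDc  = Get-ADDomainController -Identity $RoleHolder
    $standbyDc = Get-ADDomainController -Identity $Standby
    $partners  = Get-ADReplicationConnection -Filter * |
        Where-Object { $_.ReplicateToDirectoryServer -eq $standbyDc.NTDSSettingsObjectDN } |
        Select-Object -ExpandProperty ReplicateFromDirectoryServer
    $partners -contains $holderDc.NTDSSettingsObjectDN
}

$roles = Get-OperationsMasterReport
$roles | Format-List
Test-InfrastructureMasterPlacement

# Assumed standby for the PDC emulator; the transfer is shown with -WhatIf only.
$standby = 'HUB-DC2'
if (Test-StandbyIsReplicationPartner -RoleHolder $roles.PDCEmulator -Standby $standby) {
    Move-ADDirectoryServerOperationMasterRole -Identity $standby -OperationMasterRole PDCEmulator -WhatIf
} else {
    "Standby $standby is not a direct replication partner of $($roles.PDCEmulator); fix the topology first."
}
```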
Creating a Site Design
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Creating a site design involves deciding which locations will become sites, creating site objects, creating subnet
objects, and associating the subnets with sites.
NOTE
If your organization has multiple networks in close proximity with fast, reliable connections, you can include all of the
subnets for those networks in a single Active Directory site. For example, if the round-trip network latency between
two servers in different subnets is 10 ms or less, you can include both subnets in the same Active Directory site. If the
network latency between the two locations is greater than 10 ms, you should not include the subnets in a single Active
Directory site. Even when latency is 10 ms or less, you may elect to deploy separate sites if you want to segment the
traffic between sites for Active Directory-based applications.
If a site is not required for a location, add the subnet of the location to a site for which the location has the
maximum wide area network (WAN) speed and available bandwidth.
Document locations that will become sites and the network addresses and subnet masks within each location.
For a worksheet to assist you in documenting sites, see Job Aids for Windows Server 2003 Deployment Kit,
download Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip, and open "Associating
Subnets with Sites" (DSSTOPO_6.doc).
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Create a site link design to connect your sites with site links. Site links reflect the intersite connectivity and
method used to transfer replication traffic. You must connect sites with site links so that domain controllers at
each site can replicate Active Directory changes.
NOTE
SMTP replication will not be supported in future versions of Active Directory Domain Services (AD DS); therefore, creating
site link objects in the SMTP container is not recommended.
When you create a site link object in the respective Inter-Site Transports container, AD DS uses RPC over IP to
transfer both intersite and intrasite replication between domain controllers. To keep data secure while in transit,
RPC over IP replication uses both the Kerberos authentication protocol and data encryption.
When a direct IP connection is not available, you can configure replication between sites to use SMTP. However,
SMTP replication functionality is limited and requires an enterprise certification authority (CA). SMTP can only
replicate the configuration, schema, and application directory partitions and does not support the replication of
domain directory partitions.
To name site links, use a consistent naming scheme, such as name_of_site1-name_of_site2. Record the list of
sites, linked sites, and the names of the site links connecting these sites in a worksheet. For a worksheet to assist
you in recording site names and associated site link names, see Job Aids for Windows Server 2003 Deployment
Kit, download Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip, and open "Sites and
Associated Site Links" (DSSTOPO_5.doc).
In this guide
Setting Site Link Properties
Setting Site Link Properties
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Intersite replication occurs according to the properties of the connection objects. When the Knowledge
Consistency Checker (KCC) creates connection objects, it derives the replication schedule from properties of the
site link objects. Each site link object represents the wide area network (WAN) connection between two or more
sites.
Setting site link object properties includes the following steps:
Determining the cost that is associated with that replication path. The KCC uses cost to determine the
least expensive route for replication between two sites that replicate the same directory partition.
Determining the schedule that defines the times during which intersite replication can occur.
Determining the replication interval that defines how frequently replication should occur during the
times when replication is allowed, as defined in the schedule.
In this guide
Determining the Cost
Determining the Schedule
Determining the Interval
Determining the Cost
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You assign cost values to site links to favor inexpensive connections over expensive connections. Certain
applications and services, such as Domain Controller Locator (DCLocator) and Distributed File System
Namespaces (DFSN), also use cost information to locate the nearest resources. Site link cost can be used to
determine which domain controller is contacted by clients in one site if the domain controller for the specified
domain does not exist at that site. The client contacts the domain controller by using the site link that has the
lowest cost assigned to it.
We recommend that the cost value be defined on a site-wide basis. Cost is usually based not only on the total
bandwidth of the link but also on the availability, latency, and monetary cost of the link.
To determine the costs to place on site links, document the connection speed for each site link. Refer to the
"Geographic Locations and Communication Links" (DSSTOPO_1.doc) worksheet in Collecting Network
Information for information about the connection speed that you identified.
The following table lists the speeds for different types of networks.
NETWORK TYPE                        SPEED
Slow                                64 Kbps
Frame relay                         Variable rate, commonly between 56 Kbps and 1.5 megabits per second (Mbps)
T1                                  1.5 Mbps
T3                                  45 Mbps
10BaseT                             10 Mbps
Asynchronous transfer mode (ATM)    Variable rate, commonly between 155 Mbps and 622 Mbps
Use the following table to calculate the cost of each site link based on wide area network (WAN) link speed.
For a WAN link speed that is not listed in the table, you can calculate a relative cost factor by dividing 1,024
by the base-10 logarithm of the available bandwidth, as measured in Kbps.
AVAILABLE BANDWIDTH (KBPS)    COST
9.6 1,042
19.2 798
38.4 644
56 586
64 567
128 486
256 425
512 378
1,024 340
2,048 309
4,096 283
These costs do not reflect differences in reliability between network links. Set higher costs on any failure-prone
network links so that you do not have to rely on those links for replication. By setting higher site link costs, you
can control replication failover when a site link fails.
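The cost formula above in PowerShell, as an added example that is not part of the original guide: it computes the relative cost for a given bandwidth, runs it over the table's bandwidths plus two unlisted speeds, and applies the result to a site link with the ActiveDirectory module. The site link name and the 1,544 Kbps circuit are assumptions.

```powershell
# Added example (not from the guide): relative site link cost from available bandwidth,
# using the formula given above: cost = 1024 / log10(bandwidth in Kbps).
function Get-SiteLinkCost {
    param([Parameter(Mandatory)][double]$BandwidthKbps)
    # log10 is zero or negative at or below 1 Kbps, which would give an infinite or
    # negative cost, so reject such input.
    if ($BandwidthKbps -le 1) { throw 'Bandwidth must be greater than 1 Kbps.' }
    [int][math]::Round(1024 / [math]::Log10($BandwidthKbps))
}

# The bandwidths from the table above, plus T1 (1,544 Kbps) and T3 (45,000 Kbps) from the
# network-type table, which are not listed; results closely reproduce the cost column.
foreach ($kbps in 9.6, 19.2, 38.4, 56, 64, 128, 256, 512, 1024, 2048, 4096, 1544, 45000) {
    '{0,8} Kbps -> cost {1,5}' -f $kbps, (Get-SiteLinkCost -BandwidthKbps $kbps)
}

# Apply a computed cost to an existing site link. Requires RSAT's ActiveDirectory module
# and rights on the Configuration partition; remove -WhatIf to make the change.
Import-Module ActiveDirectory
$linkName = 'Seattle-Boston'                      # assumed name, in the guide's site1-site2 scheme
$cost     = Get-SiteLinkCost -BandwidthKbps 1544  # assumed T1 circuit between the two sites
Set-ADReplicationSiteLink -Identity $linkName -Cost $cost -WhatIf

# Confirm what the KCC will see for this link.
Get-ADReplicationSiteLink -Identity $linkName |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

For a failure-prone link, set the cost above the value the formula returns so that the KCC prefers other routes, as the paragraph above recommends; the formula only reflects bandwidth.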
Enabling Clients to Locate the Next Closest Domain Controller
3/5/2021
Applies To: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
If you have a domain controller that runs Windows Server 2008 or newer, you can make it possible for client
computers that run Windows Vista or newer or Windows Server 2008 or newer to locate domain controllers
more efficiently by enabling the Try Next Closest Site Group Policy setting. This setting improves the Domain
Controller Locator (DC Locator) by helping to streamline network traffic, especially in large enterprises that have
many branch offices and sites.
This new setting can affect how you configure site link costs because it affects the order in which domain
controllers are located. For enterprises that have many hub sites and branch offices, you can significantly reduce
Active Directory traffic on the network by ensuring that clients fail over to the next closest hub site when they
cannot find a domain controller in the closest hub site.
As a general best practice, you should simplify your site topology and site link costs as much as possible if you
enable the Try Next Closest Site setting. In enterprises with many hub sites, this can simplify any plans that
you make for handling situations in which clients in one site need to fail over to a domain controller in another
site.
By default, the Try Next Closest Site setting is not enabled. When the setting is not enabled, DC Locator uses
the following algorithm to locate a domain controller:
Try to find a domain controller in the same site.
If no domain controller is available in the same site, try to find any domain controller in the domain.
NOTE
This is the same algorithm that DC Locator used in previous versions of Active Directory. For more information, see the
article How DNS Support for Active Directory Works.
If you enable the Try Next Closest Site setting, DC Locator uses the following algorithm to locate a domain
controller:
Try to find a domain controller in the same site.
If no domain controller is available in the same site, try to find a domain controller in the next closest site. A
site is closer if it has a lower site-link cost than another site with a higher site-link cost.
If no domain controller is available in the next closest site, try to find any domain controller in the domain.
The Try Next Closest Site setting works in coordination with automatic site coverage. For example, if the next
closest site has no domain controller, DC Locator tries to find the domain controller that performs automatic site
coverage for that site.
By default, DC Locator does not consider any site that contains a read-only domain controller (RODC) when it
determines the next closest site. In addition, when the client gets a response from a domain controller that runs
a version earlier than Windows Server 2008, the DC Locator behavior is the same as when the setting is not
enabled.
For example, assume that a site topology has four sites with the site link values in the following illustration. In
this example, all the domain controllers are writable domain controllers that run Windows Server 2008 or
newer.
When the Try Next Closest Site Group Policy setting is enabled in this example, if a client computer in Site_B
tries to locate a domain controller, it first tries to find a domain controller in its own Site_B. If none is available in
Site_B, it tries to find a domain controller in Site_A.
If the setting is not enabled, the client tries to find a domain controller in Site_A, Site_C, or Site_D if no domain
controller is available in Site_B.
NOTE
The Try Next Closest Site setting works in coordination with automatic site coverage. For example, if the next closest
site has no domain controller, DC Locator tries to find the domain controller that performs automatic site coverage for
that site.
To apply the Try Next Closest Site setting, you can create a Group Policy object (GPO) and link it to the
appropriate object for your organization, or you can modify the Default Domain Policy to have it affect all clients
that run Windows Vista or newer and Windows Server 2008 or newer in the domain. For more information
about how to set the Try Next Closest Site setting, see Enable Clients to Locate a Domain Controller in the
Next Closest Site.
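The two DC Locator orderings described above, modelled in PowerShell as an added example that is not part of the original guide. The four-site topology, its costs and the RODC-only site are constructed for illustration (the guide's illustration is not reproduced), and the model is a simplification: it ranks only sites directly linked to the client's site. The second function reads the registry value the Try Next Closest Site policy writes on a client.

```powershell
# Added example (not from the guide): the site search order DC Locator follows with and
# without the Try Next Closest Site setting, over a constructed hub-and-spoke topology.
$siteLinks = @(
    @{ Sites = 'Site_A', 'Site_B'; Cost = 100 },
    @{ Sites = 'Site_A', 'Site_C'; Cost = 200 },
    @{ Sites = 'Site_A', 'Site_D'; Cost = 300 }
)   # constructed: Site_A is the hub, Site_B..Site_D are spokes
$rodcOnlySites = @('Site_D')   # constructed: Site_D holds only an RODC

function Get-DcLocatorSearchOrder {
    param(
        [Parameter(Mandatory)][string]$ClientSite,
        [Parameter(Mandatory)][object[]]$SiteLinks,
        [string[]]$RodcOnlySites = @(),
        [switch]$TryNextClosestSite
    )
    $order = [System.Collections.Generic.List[string]]::new()
    $order.Add($ClientSite)                      # 1. a DC in the client's own site

    if ($TryNextClosestSite) {
        # 2. the next closest site: lowest site-link cost from the client site.
        #    Sites whose only DC is an RODC are not considered (default DC Locator behaviour).
        $candidates = foreach ($link in $SiteLinks) {
            if ($link.Sites -contains $ClientSite) {
                foreach ($s in $link.Sites) {
                    if ($s -ne $ClientSite -and $s -notin $RodcOnlySites) {
                        [pscustomobject]@{ Site = $s; Cost = $link.Cost }
                    }
                }
            }
        }
        $next = $candidates | Sort-Object Cost | Select-Object -First 1
        if ($next) { $order.Add($next.Site) }
    }

    $order.Add('<any DC in the domain>')         # 3. fall back to any DC in the domain
    return $order
}

# Read whether the policy is applied on this client. The Group Policy setting writes
# TryNextClosestSite (DWORD 1) under the Netlogon policy key.
function Test-TryNextClosestSitePolicy {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -Name TryNextClosestSite -ErrorAction SilentlyContinue).TryNextClosestSite
    [bool]($value -eq 1)
}

# Client in Site_B: without the setting it tries Site_B, then any DC; with it, Site_B,
# then Site_A (the lowest-cost linked site), then any DC.
'Default:'                (Get-DcLocatorSearchOrder -ClientSite 'Site_B' -SiteLinks $siteLinks -RodcOnlySites $rodcOnlySites) -join ' -> '
'Try Next Closest Site:'  (Get-DcLocatorSearchOrder -ClientSite 'Site_B' -SiteLinks $siteLinks -RodcOnlySites $rodcOnlySites -TryNextClosestSite) -join ' -> '
"Policy applied on this client: $(Test-TryNextClosestSitePolicy)"
```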
Determining the Schedule
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You can control site link availability by setting a schedule for site links. When replication between two sites
traverses multiple site links, the intersection of the replication schedules on all the relevant links determines the
connection schedule between the two sites.
To plan for setting the site link schedule, create two overlapping schedules between site links that contain
domain controllers that directly replicate with each other. Use the default (100-percent available) schedule on
those links unless you want to block replication traffic during peak hours. By blocking replication, you give
priority to other traffic, but you also increase replication latency.
Domain controllers store time in Coordinated Universal Time (UTC). Time settings in site link object schedules
conform to the local time of the site and computer on which the schedule is set. When a domain controller
contacts a computer that is in a different site and time zone, the schedule on the domain controller displays the
time setting according to the local time for the site of the computer.
Determining the Interval
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You must set the site link replication interval property to indicate how frequently you want replication to occur
during the times when the schedule allows replication. For example, if the schedule allows replication between
02:00 hours and 04:00 hours, and the replication interval is set for 30 minutes, replication can occur up to four
times during the scheduled time. The default replication interval is 180 minutes, or 3 hours. The minimum
interval is 15 minutes.
Consider the following criteria to determine how often replication occurs within the schedule window:
A small interval decreases latency but increases the amount of wide area network (WAN) traffic.
To keep domain directory partitions up to date, low latency is preferred.
With a store-and-forward replication strategy, it is difficult to determine just how long a directory update might
take to be replicated to every domain controller. To provide a conservative estimate of maximum latency,
perform these tasks:
Create a table of all the sites on your network, as shown in the following example:
Sites              Seattle   Boston   Los Angeles   New York   Washington, D.C.
Seattle            0.25
Boston             0.25
Washington, D.C.   0.25
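The conservative latency estimate described above, carried through as an added example (this is not code from the Microsoft documentation). It assumes every site link keeps the default 100-percent schedule, that the KCC routes a change over the least-cost chain of site links, and that in the worst case a change waits one full replication interval at each hop; the site link names, costs and intervals are constructed.

```powershell
# Added example, not from the Microsoft documentation: a conservative
# store-and-forward latency table for a constructed site topology.
# Assumptions: every site link uses the default 100-percent schedule, the
# KCC routes changes over the least-cost chain of site links, and in the
# worst case a change waits one full replication interval at every hop.

# Constructed site links (names, sites, costs and intervals are made up).
$siteLinks = @(
    @{ Name = 'SEA-LAX'; Sites = @('Seattle', 'Los Angeles');       Cost = 100; IntervalMinutes = 15  }
    @{ Name = 'LAX-NYC'; Sites = @('Los Angeles', 'New York');      Cost = 100; IntervalMinutes = 180 }
    @{ Name = 'NYC-BOS'; Sites = @('New York', 'Boston');           Cost = 50;  IntervalMinutes = 30  }
    @{ Name = 'NYC-DC';  Sites = @('New York', 'Washington, D.C.'); Cost = 50;  IntervalMinutes = 30  }
    @{ Name = 'SEA-DC';  Sites = @('Seattle', 'Washington, D.C.');  Cost = 400; IntervalMinutes = 15  }
)

function Get-WorstCaseLatency {
    # Least-cost path (Dijkstra on site-link cost) from one site to another,
    # returning the sum of the replication intervals along that path.
    param([array]$Links, [string]$From, [string]$To)

    $sites = @($Links | ForEach-Object { $_.Sites } | Sort-Object -Unique)
    $best  = @{}
    foreach ($s in $sites) { $best[$s] = @{ Cost = [int]::MaxValue; Minutes = 0; Path = @() } }
    $best[$From] = @{ Cost = 0; Minutes = 0; Path = @($From) }

    $unvisited = [System.Collections.Generic.List[string]]$sites
    while ($unvisited.Count -gt 0) {
        # Pick the unvisited site with the lowest accumulated cost.
        $current = $unvisited | Sort-Object { $best[$_].Cost } | Select-Object -First 1
        if ($best[$current].Cost -eq [int]::MaxValue) { break }   # remaining sites unreachable
        [void]$unvisited.Remove($current)

        foreach ($link in $Links | Where-Object { $_.Sites -contains $current }) {
            $next    = $link.Sites | Where-Object { $_ -ne $current }
            $newCost = $best[$current].Cost + $link.Cost
            if ($newCost -lt $best[$next].Cost) {
                $best[$next] = @{
                    Cost    = $newCost
                    Minutes = $best[$current].Minutes + $link.IntervalMinutes
                    Path    = $best[$current].Path + $next
                }
            }
        }
    }
    if ($best[$To].Cost -eq [int]::MaxValue) { throw "No site link path from '$From' to '$To'." }
    [pscustomobject]@{
        From             = $From
        To               = $To
        Path             = ($best[$To].Path -join ' -> ')
        Hops             = $best[$To].Path.Count - 1
        WorstCaseMinutes = $best[$To].Minutes
    }
}

# Build the site-by-site table from the example, in hours (0.25 = 15 minutes).
$allSites = @($siteLinks | ForEach-Object { $_.Sites } | Sort-Object -Unique)
$table = foreach ($from in $allSites) {
    $row = [ordered]@{ Sites = $from }
    foreach ($to in $allSites) {
        $row[$to] = if ($from -eq $to) { '' } else {
            '{0:N2}' -f ((Get-WorstCaseLatency -Links $siteLinks -From $from -To $to).WorstCaseMinutes / 60)
        }
    }
    [pscustomobject]$row
}
$table | Format-Table -AutoSize

# The single worst pair bounds how long a change needs to reach every site.
$pairs = foreach ($from in $allSites) {
    foreach ($to in $allSites) {
        if ($from -ne $to) { Get-WorstCaseLatency -Links $siteLinks -From $from -To $to }
    }
}
$pairs | Sort-Object WorstCaseMinutes -Descending | Select-Object -First 1
```

With the constructed links, Seattle to Boston is routed over SEA-LAX, LAX-NYC and NYC-BOS (cost 250), so the bound is 15 + 180 + 30 = 225 minutes, or 3.75 hours; shortening a single 180-minute interval on the route is what brings the whole bound down.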
Creating a Site Link Bridge Design
6/17/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
A site link bridge connects two or more site links and enables transitivity between site links. Each site link in a
bridge must have a site in common with another site link in the bridge. The Knowledge Consistency Checker
(KCC) uses the information on each site link to compute the cost of replication between sites in one site link and
sites in the other site links of the bridge. Without the presence of a common site between site links, the KCC also
cannot establish direct connections between domain controllers in the sites that are connected by the same site
link bridge.
By default, all site links are transitive. We recommend that you keep transitivity enabled by not changing the
default value of Bridge all site links (enabled by default). However, you will need to disable Bridge all site
links and complete a site link bridge design if:
Your IP network is not fully routed. When you disable Bridge all site links, all site links are considered
nontransitive, and you can create and configure site link bridge objects to model the actual routing behavior
of your network.
You need to control the replication flow of the changes made in Active Directory Domain Services (AD DS).
By disabling Bridge all site links for the site link IP transport and configuring a site link bridge, the site link
bridge becomes the equivalent of a disjointed network. All site links within the site link bridge can route
transitively, but they do not route outside of the site link bridge.
For more information about how to use the Active Directory Sites and Services snap-in to disable the Bridge
all site links setting, see the article Enable or disable site link bridges.
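One way to carry out the site link bridge design above with the ActiveDirectory module, as an added example (not Microsoft's own code). It validates the common-site rule before creating the bridge, then clears the Bridge all site links setting on the IP transport; the site link names SEA-LAX and LAX-NYC and the bridge name West-East are assumptions, and the script needs Enterprise Admins rights.

```powershell
# Added example, not from the Microsoft documentation. Requires the
# ActiveDirectory module and Enterprise Admins rights; the site link names
# 'SEA-LAX', 'LAX-NYC' and the bridge name 'West-East' are assumptions.
Import-Module ActiveDirectory

function Test-SiteLinkBridgeConnectivity {
    # Every site link in a bridge must share a site with another link in the
    # bridge; otherwise the KCC cannot compute routes through the bridge.
    param([string[]]$SiteLinkNames)
    $links = foreach ($name in $SiteLinkNames) {
        Get-ADReplicationSiteLink -Identity $name -Properties SitesIncluded
    }
    $problems = foreach ($link in $links) {
        $others = $links | Where-Object { $_.Name -ne $link.Name }
        $shared = $others | Where-Object {
            @(Compare-Object $_.SitesIncluded $link.SitesIncluded -IncludeEqual -ExcludeDifferent).Count -gt 0
        }
        if (-not $shared) { "Site link '$($link.Name)' shares no site with any other link in the bridge." }
    }
    if ($problems) { throw ($problems -join "`n") }
    $links
}

function Disable-BridgeAllSiteLinks {
    # 'Bridge all site links' is controlled by bit 0x2 (BRIDGES_REQUIRED) of the
    # options attribute on the inter-site transport object; setting the bit
    # turns automatic bridging off, which is what the snap-in checkbox does.
    param([string]$Transport = 'IP')
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $transport = "CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNC"
    $bridgesRequired = 0x2
    $options = [int](Get-ADObject -Identity $transport -Properties options).options
    if (($options -band $bridgesRequired) -eq 0) {
        Set-ADObject -Identity $transport -Replace @{ options = ($options -bor $bridgesRequired) }
    }
}

function New-ValidatedSiteLinkBridge {
    param([string]$Name, [string[]]$SiteLinkNames)
    $null = Test-SiteLinkBridgeConnectivity -SiteLinkNames $SiteLinkNames
    Disable-BridgeAllSiteLinks
    New-ADReplicationSiteLinkBridge -Name $Name -SiteLinksIncluded $SiteLinkNames
}

# Usage (assumed names): SEA-LAX and LAX-NYC both contain Los Angeles, so the
# bridge is valid; a bridge of SEA-LAX plus NYC-BOS would be rejected.
New-ValidatedSiteLinkBridge -Name 'West-East' -SiteLinkNames 'SEA-LAX', 'LAX-NYC'
```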
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You can find the following documentation about Active Directory Domain Services (AD DS) on the Windows
Server 2003 and Windows Server 2008 TechCenter websites:
For more information about the process of locating a domain controller, see Active Directory Collection.
For more information about designing and deploying print servers, see Designing and Deploying Print
Servers.
For more information about spanning trees and Active Directory replication topology, see Active
Directory Replication Topology Technical Reference.
For more information about using Adlb.exe and managing environments that have 100 or more branch
sites, see Review Bridgehead Server Load-Balancing Improvements with Windows Server 2008 RODCs.
For information about installing Network Monitor, see Monitoring network traffic.
For worksheets to assist you in documenting your Windows Server 2008 AD DS site topology design, see
Job Aids for Windows Server 2003 Deployment Kit.
For more information about shortcut trusts between domains, see Understanding When to Create a
Shortcut Trust.
For more information about deploying the forest root domain, see Deploying a Windows Server 2008
Forest Root Domain.
For more information about securing domain controllers, see AD DS Design and Planning.
For more information about deploying regional domains, see Deploying Windows Server 2008 Regional
Domains.
For more information about how universal group caching works, see How the Global Catalog Works.
For more information about how to create site objects, see Create a Site.
For more information about how to create subnet objects, see Create a Subnet.
For more information about how to use the Active Directory Sites and Services snap-in to disable the
Bridge all site links setting, see Enable or disable site link bridges.
For more information about read-only domain controller (RODC) features, see AD DS: Read-Only Domain
Controllers.
For information about how to deploy an RODC, see the Read-Only Domain Controllers Step-by-Step
Guide.
Appendix A: Locations and Subnet Prefixes
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Use the following table to assist in listing the IP version 6 (IPv6) subnet prefixes when you design the site
topology for Windows Server 2008 Active Directory Domain Services (AD DS).
Location   Network   Subnet prefix
Enabling Advanced Features for AD DS
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Active Directory Domain Services (AD DS) makes it possible for you to introduce advanced features into your
environment by raising the domain or forest functional levels. To use advanced AD DS features, you must
identify the operating systems that are running on the domain controllers in your environment.
You must also determine the best functional level for your organization based on your existing infrastructure
and then raise the domain or forest functional level as appropriate. You can raise the functional level when all
domain controllers in the domain or forest are running an appropriate version of Windows. Although raising the
functional level makes it possible for you to enable new features, it also limits the versions of Windows
operating systems that you can run on domain controllers in your environment.
Forest and Domain Functional Levels
6/17/2021
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest
capabilities. They also determine which Windows Server operating systems you can run on domain controllers
in the domain or forest. However, functional levels do not affect which operating systems you can run on
workstations and member servers that are joined to the domain or forest.
When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment
can support. This way, you can use as many AD DS features as possible. When you deploy a new forest, you are
prompted to set the forest functional level and then set the domain functional level. You can set the domain
functional level to a value that is higher than the forest functional level, but you cannot set the domain
functional level to a value that is lower than the forest functional level.
With the end of life of Windows Server 2003, 2008, and 2008 R2, these domain controllers (DCs) need to be
updated to Windows Server 2012, 2012 R2, 2016, or 2019. As a result, any domain controller that runs
Windows Server 2008 R2 and older should be removed from the domain.
At the Windows Server 2008 and higher domain functional levels, Distributed File Service (DFS) Replication is
used to replicate SYSVOL folder contents between domain controllers. If you create a new domain at the
Windows Server 2008 domain functional level or higher, DFS Replication is automatically used to replicate
SYSVOL. If you created the domain at a lower functional level, you will need to migrate from using FRS to DFS
replication for SYSVOL. For migration steps, you can either follow the procedures on TechNet or you can refer to
the streamlined set of steps on the Storage Team File Cabinet blog. Windows Server 2016 RS1 is the last
Windows Server release that includes FRS.
NOTE
Beginning with Windows Server 2012 R2, File Replication Service (FRS) is deprecated. A new
domain that is created on a domain controller that runs at least Windows Server 2012 R2 must be
set to the Windows Server 2008 domain functional level or higher.
Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support
for access-based enumeration and increased scalability. Domain-based namespaces in Windows
Server 2008 mode also require the forest to use the Windows Server 2003 forest functional level.
For more information, see Choose a Namespace Type.
Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order
for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or
higher and the domain password needs to be changed.
For more information, see Kerberos Enhancements.
NOTE
Authentication errors may occur on a domain controller after the domain functional level is raised
to Windows Server 2008 or higher if the domain controller has already replicated the DFL change
but has not yet refreshed the krbtgt password. In this case, a restart of the KDC service on the
domain controller will trigger an in-memory refresh of the new krbtgt password and resolve
related authentication errors.
Windows 2000
Supported Domain Controller Operating System:
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Windows 2000
Windows 2000 native forest functional level features
All of the default AD DS features are available.
Windows 2000 native domain functional level features
All of the default AD DS features are available, as well as the following directory features:
Universal groups for both distribution and security groups.
Group nesting
Group conversion, which allows conversion between security and distribution groups
Security identifier (SID) history
Next Steps
Raise the Domain Functional Level
Raise the Forest Functional Level
Identifying Your Functional Level Upgrade
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Before you can raise domain and forest functional levels, you have to evaluate your current environment and
identify the functional level requirement that best meets the needs of your organization. Assess your current
environment by identifying the domains in your forest, the domain controllers that are located in each domain,
the operating system and service packs that each domain controller is running, and the date that you plan to
upgrade the domain controllers. If you plan to retire a domain controller, make sure that you understand the full
impact that doing so will have on your environment.
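The assessment described above, carried out with the ActiveDirectory module as an added example (not Microsoft's own code). It inventories every domain controller in each domain of the forest and reports which ones would block raising a domain to a target functional level; the mapping from functional level to the lowest Windows Server version that can host a domain controller at that level is stated as an assumption in the script, and Windows2008R2Domain is used as the sample target.

```powershell
# Added example, not from the Microsoft documentation: inventory the forest
# and report which domain controllers would block raising a domain to a
# target functional level. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: lowest Windows Server kernel version (major.minor) that can
# host a domain controller in a domain at each functional level.
$minimumOsVersion = @{
    Windows2008Domain   = [version]'6.0'
    Windows2008R2Domain = [version]'6.1'
    Windows2012Domain   = [version]'6.2'
    Windows2012R2Domain = [version]'6.3'
    Windows2016Domain   = [version]'10.0'
}

function Get-DomainControllerInventory {
    # One row per domain controller: host, site, OS, service pack, RODC flag.
    param([string]$DomainName)
    Get-ADDomainController -Filter * -Server $DomainName | ForEach-Object {
        # OperatingSystemVersion looks like '6.3 (9600)' or '10.0 (14393)';
        # keep the major.minor part and fall back to 0.0 if it is missing.
        $raw = "$($_.OperatingSystemVersion)" -replace '\s*\(.*\)$', ''
        $osVersion = if ($raw -match '^\d+\.\d+') { [version]$Matches[0] } else { [version]'0.0' }
        [pscustomobject]@{
            Domain      = $DomainName
            HostName    = $_.HostName
            Site        = $_.Site
            OS          = $_.OperatingSystem
            ServicePack = $_.OperatingSystemServicePack
            OSVersion   = $osVersion
            IsReadOnly  = $_.IsReadOnly
        }
    }
}

function Test-DomainFunctionalLevelReadiness {
    # Ready only when every DC in the domain meets the minimum OS version;
    # BlockingDCs lists the ones that must be upgraded or retired first.
    param([string]$DomainName, [string]$TargetLevel)
    if (-not $minimumOsVersion.ContainsKey($TargetLevel)) { throw "Unknown target level '$TargetLevel'." }
    $domain   = Get-ADDomain -Identity $DomainName
    $dcs      = @(Get-DomainControllerInventory -DomainName $DomainName)
    $blocking = @($dcs | Where-Object { $_.OSVersion -lt $minimumOsVersion[$TargetLevel] })
    [pscustomobject]@{
        Domain       = $domain.DNSRoot
        CurrentLevel = $domain.DomainMode
        TargetLevel  = $TargetLevel
        Ready        = ($blocking.Count -eq 0)
        BlockingDCs  = $blocking.HostName
    }
}

# Walk every domain in the forest. The forest level can only be raised once
# each domain is at or above the forest level you are aiming for.
$forest = Get-ADForest
"Forest $($forest.Name) is at $($forest.ForestMode)"
foreach ($domainName in $forest.Domains) {
    Get-DomainControllerInventory -DomainName $domainName | Format-Table -AutoSize
    Test-DomainFunctionalLevelReadiness -DomainName $domainName -TargetLevel 'Windows2008R2Domain'
}

# Only once Ready is $true for a domain:
#   Set-ADDomainMode -Identity $domainName -DomainMode Windows2008R2Domain
# If a DC then logs Kerberos errors before it has refreshed the new krbtgt
# password (see the note in Forest and Domain Functional Levels), restart its
# KDC service on that DC:  Restart-Service kdc
```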
The following circumstances might prevent you from upgrading an earlier version of the Windows Server
operating system to the Windows Server 2008 or Windows Server 2008 R2 functional level:
Insufficient hardware
A domain controller running an antivirus program that is incompatible with Windows Server 2008 or
Windows Server 2008 R2
Use of a version-specific program that does not run on Windows Server 2008 or Windows Server 2008
R2
The need to upgrade a program with the latest service pack
Documenting this information can help you identify the steps to take to ensure that you have a fully functional
Windows Server 2008 or Windows Server 2008 R2 environment.
After you assess your current environment, you have to identify the functional level upgrade that applies to your
organization. These options are available:
Windows 2000 native-mode environment to Windows Server 2008 or Windows Server 2008 R2
Windows Server 2003 forest to Windows Server 2008 or Windows Server 2008 R2
New Windows Server 2008 forest
New Windows Server 2008 R2 forest
IMPORTANT
Windows Server 2008 R2 is an x64-based operating system. If your server is running an x64-based version of
Windows Server 2003, you can successfully perform an in-place upgrade of this computer's operating system to
Windows Server 2008 R2. If your server is running an x86-based version of Windows Server 2003, you cannot
upgrade this computer to Windows Server 2008 R2.
To use the Windows Server 2008 or Windows Server 2008 R2 domain-level features without upgrading your
entire Windows 2000 forest to Windows Server 2008 or Windows Server 2008 R2, raise only the domain
functional level to Windows Server 2008 or Windows Server 2008 R2.
NOTE
Before you raise the domain functional level, you must upgrade all Windows 2000-based domain controllers in that
domain to Windows Server 2008 or Windows Server 2008 R2.
After you replace all the Windows 2000-based domain controllers in the forest with domain controllers that run
Windows Server 2008 or Windows Server 2008 R2, you can raise the forest functional level to Windows Server
2008 or Windows Server 2008 R2. Doing so automatically raises the functional level of all domains in the forest
that are set to Windows 2000 native or higher to Windows Server 2008 or Windows Server 2008 R2.
For more information about raising forest and domain functional levels, and for procedures to perform those
tasks, see Deploying a Windows Server 2008 Forest Root Domain.
To use all the Windows Server 2008 or Windows Server 2008 R2 domain-level features without upgrading your
entire Windows Server 2003 forest to Windows Server 2008 or Windows Server 2008 R2, raise only the
domain functional level to Windows Server 2008 or Windows Server 2008 R2.
NOTE
Before you raise the domain functional level, you must upgrade all Windows Server 2003-based domain controllers in
that domain to Windows Server 2008 or Windows Server 2008 R2.
After you upgrade all the Windows Server 2003-based domain controllers in the forest to Windows Server
2008 or Windows Server 2008 R2, you can raise the forest functional level to Windows Server 2008 or
Windows Server 2008 R2. Doing so automatically raises the functional level of all domains in the forest that are
set to Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2.
For more information about raising forest and domain functional levels, and for procedures to perform those
tasks, see Deploying a Windows Server 2008 Forest Root Domain.
IMPORTANT
If the forest operates at the Windows Server 2008 functional level and you attempt to install Active Directory on a
Windows Server 2003-based member server or a Windows 2000-based member server, the installation fails.
For more information about raising forest and domain functional levels, and for procedures to perform those
tasks, see Deploying a Windows Server 2008 Forest Root Domain.
IMPORTANT
If the forest operates at the Windows Server 2008 R2 functional level and you attempt to install Active Directory on a
Windows Server 2008-based or Windows Server 2003-based member server, or on a Windows 2000-based member
server, the installation fails.
For more information about raising forest and domain functional levels, and for procedures to perform those
tasks, see Deploying a Windows Server 2008 Forest Root Domain.
NOTE
Although ADMT v3.1 must be installed on Windows Server 2008, you can use ADMT v3.1 to migrate objects to a domain
that is hosted by one or more Windows Server 2008 R2 domain controllers. For more information, see article 976659 in
the Microsoft Knowledge Base, Known issues that may occur when you use ADMT 3.1 to migrate to a domain that
contains Windows Server 2008 R2 domain controllers.
Finding Additional Resources for Enabling
Advanced Features
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
You can find the following documentation about Active Directory Domain Services (AD DS) in the Windows
Server 2008 Technical Library:
For more information about deploying a Windows Server 2008 forest root domain, see Deploying a
Windows Server 2008 Forest Root Domain.
For more information about upgrading an Active Directory domain to Windows Server 2008, see
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS
Domains.
For more information about deploying AD DS, see the Step-by-Step Guide for Windows Server 2008 AD
DS Installation and Removal Step-by-Step Guide.
Evaluating AD DS Deployment Strategy Examples
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Consider the following example of a fictitious company, Contoso Pharmaceuticals, which is deploying Active
Directory Domain Services (AD DS) in its environment. The Contoso environment consists of four domains. The
forest functional level is Windows Server 2003. The following illustration shows the current domain structure
for the Contoso organization.
After reviewing its existing environment and identifying its deployment goals, Contoso established the following
AD DS deployment strategy:
Upgrade Windows Server 2003 domains to Windows Server 2008 domains.
Enable advanced AD DS features by raising the domain and forest functional levels to Windows Server
2008.
Restructure the africa.concorp.contoso.com domain within the forest to consolidate that domain with the
emea.concorp.contoso.com domain.
Raising the forest functional level to Windows Server 2008 will enable Contoso to take full advantage of the
new AD DS features. Restructuring the domains within the forest, as shown in the following illustration, will
reduce the amount of administration that is necessary for managing the domains.
Appendix A: Reviewing Key AD DS Terms
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The following terms are relevant to the deployment process for Windows Server 2008 Active Directory Domain
Services (AD DS).
Migration
The process of moving an object from a source domain to a target domain, while preserving or modifying
characteristics of the object to make it accessible in the new domain.
Domain restructure
A migration process that involves changing the domain structure of a forest. A domain restructure can involve
either the consolidation or the addition of domains, and it can take place between forests or within a forest.
Domain consolidation
A restructuring process that involves eliminating AD DS domains by merging their contents with the contents of
other domains.
Domain upgrade
The process of upgrading the directory service of a domain to a later version of the directory service. This
includes upgrading the operating system on all domain controllers and raising the AD DS functional level where
applicable.
Regional domain
A child domain that is created in a geographic region to optimize replication traffic.
AD DS Deployment
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This guide covers how to install and remove Active Directory Domain Services (AD DS) in Windows Server 2012,
and important issues to be aware of when you add new domain controllers to an existing Active Directory
environment.
What's New in Active Directory Domain Services Installation and Removal
Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012
Install Active Directory Domain Services (Level 100)
Steps for removing Active Directory Domain Services
AD DS Installation and Removal Wizard Page Descriptions
Changes Made by Adprep
Windows Server Functional Levels
Troubleshooting Domain Controller Deployment
What's New in Active Directory Domain Services
Installation and Removal
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Active Directory Domain Services (AD DS) deployment in Windows Server 2012 is simpler and faster than
previous versions of Windows Server. The AD DS installation process is now built on Windows PowerShell and
is integrated with Server Manager. The number of steps required to introduce domain controllers into an
existing Active Directory environment is reduced. This makes the process for creating a new Active Directory
environment simpler and more efficient. The new AD DS deployment process minimizes the chances of errors
that would have otherwise blocked installation.
In addition, you can install the AD DS server role binaries (that is the AD DS server role) on multiple servers at
the same time. You can also run the AD DS installation wizard remotely on an individual server. These
improvements provide more flexibility for deploying domain controllers that run Windows Server 2012,
especially for large-scale, global deployments where many domain controllers need to be deployed to offices in
different regions.
AD DS installation includes the following features:
Adprep.exe integration into the AD DS installation process. The cumbersome steps required to
prepare an existing Active Directory, such as the need to use a variety of different credentials, copy the
Adprep.exe files, or log on to specific domain controllers, are all simplified or occur automatically. This
reduces the time required to install AD DS and reduces the chances for errors that might otherwise block
domain controller promotion.
For environments where it is preferable to run adprep.exe commands in advance of a new domain
controller installation, you can still execute adprep.exe commands separately from the AD DS installation.
The Windows Server 2012 version of adprep.exe runs remotely, so you can execute all necessary
commands from a server that runs a 64-bit version of Windows Server 2008 or later.
The new AD DS installation is built on Windows PowerShell and can be invoked remotely.
The new AD DS installation is integrated with Server Manager, so you can use the same interface to install
AD DS that you use when installing other server roles. For Windows PowerShell users, the AD DS
deployment cmdlets provide greater functionality and flexibility. There is functional parity between
command-line and GUI installation options.
The new AD DS installation includes prerequisite validation. Any potential errors are identified
before the installation begins. You can correct error conditions before they occur without the concerns
resulting from a partially complete upgrade. For example, if adprep /domainprep needs to be run, the
installation wizard verifies that the user has sufficient rights to execute the operation.
Configuration pages are grouped in a sequence that mirrors the requirements of the most
common promotion options with related options grouped in fewer wizard pages. This
provides better context for making installation choices.
You can export a Windows PowerShell script that contains all the options that were specified
during the graphical installation. At the end of an installation or removal, you can export the settings
to a Windows PowerShell script for use with automating the same operation.
Only critical replication occurs before reboot. New switch to allow replication of non-critical data
before reboot. For more information, see ADDSDeployment cmdlet arguments.
WARNING
The legacy Active Directory Domain Services Installation Wizard (dcpromo.exe) is deprecated beginning with Windows
Server 2012.
In Install Active Directory Domain Services (Level 100), the UI procedures show how to start the Add Roles
Wizard to install the AD DS server role binaries and then run the Active Directory Domain Services
Configuration Wizard to complete the domain controller installation. The Windows PowerShell examples show
how to complete both steps using an AD DS deployment cmdlet.
Adprep.exe integration
Beginning with Windows Server 2012, there is only one version of Adprep.exe (there is no 32-bit version,
adprep32.exe). Adprep commands are run automatically as needed when you install a domain controller that
runs Windows Server 2012 to an existing Active Directory domain or forest.
Although adprep operations are run automatically, you can run Adprep.exe separately. For example, if the user
who installs AD DS is not a member of the Enterprise Admins group, which is required in order to run Adprep
/forestprep, then you might need to run the command separately. But you only have to run adprep.exe manually if
you are planning to in-place upgrade your first Windows Server 2012 domain controller (in other words, if you plan
to upgrade the operating system of an existing domain controller in place so that it runs Windows Server 2012).
Adprep.exe is located in the \support\adprep folder of the Windows Server 2012 installation disc. The Windows
Server 2012 version of adprep is capable of executing remotely.
The Windows Server 2012 version of adprep.exe can run on any server that runs a 64-bit version of Windows
Server 2008 or later. The server needs network connectivity to the schema master for the forest and the
infrastructure master of the domain where you want to add a domain controller. If either of those roles is hosted
on a server that runs Windows Server 2003, then adprep must be run remotely. The server where you run
adprep does not need to be a domain controller. It can be domain joined or in a workgroup.
NOTE
If you try to run the Windows Server 2012 version of adprep.exe on a server that runs Windows Server 2003, the
following error appears:
Adprep.exe is not a valid Win32 application.
For information about resolving other errors returned by Adprep.exe, see Known issues.
Group membership check against Windows Server 2003 operations master roles
For each command (/forestprep, /domainprep, or /rodcprep), Adprep performs a group membership check to
determine whether the specified credential represents an account in certain groups. To perform this check,
Adprep contacts the operations master role owner. If the operations master is running Windows Server 2003,
you need to specify the /user and /userdomain command line parameters if you run Adprep.exe to ensure the
group membership check is performed in all cases.
The /user and /userdomain are new parameters for Adprep.exe in Windows Server 2012. These parameters
specify the user account name and user domain, respectively, of the user who runs the adprep command. The
Adprep.exe command-line utility blocks specifying one of /userdomain and /user but omitting the other.
However, Adprep operations can also be run as part of an AD DS installation using Windows PowerShell or
Server Manager. Those experiences share the same underlying implementation (adprep.dll) as adprep.exe. The
Windows PowerShell and Server Manager experiences have their separate credentials input, which does not
impose the same requirements as by adprep.exe. Using Windows PowerShell or Server Manager, it is possible to
pass a value for /user but not /userdomain to adprep.dll. If /user is specified but /userdomain is not specified,
the local machine's domain is used to perform the check. If the machine is not domain joined, group
membership cannot be checked.
When group membership cannot be checked, Adprep shows a warning message in the adprep log files and
continues:
Adprep was unable to check the specified user's group membership. This could happen if the FSMO role owner
<DNS host name of operations master> is running Windows Server 2003 or lower version of Windows.
If you run Adprep.exe without specifying the /user and /userdomain parameters and the operations master is
running Windows Server 2003, Adprep.exe contacts a domain controller in the domain of the current logon
user. If the current logon user is not a domain account, Adprep.exe cannot perform the group membership
check. Adprep.exe also cannot perform the group membership check if smartcard credentials are used, even if
you do specify both /user and /userdomain.
If Adprep finishes successfully, there is no action required. If Adprep fails during execution with access errors,
provide an account with the correct membership. For more information, see Credential requirements to run
Adprep.exe and install Active Directory Domain Services.
Syntax for Adprep in Windows Server 2012
Use the following syntax to run adprep separately from an AD DS installation:
Adprep.exe /forestprep /forest <forest name> /userdomain <user domain name> /user <user name> /password *
Use /logdsid in the command in order to generate more detailed logging. The adprep.log is located in
%windir%\System32\Debug\Adprep\Logs.
Running adprep using smartcard
The Windows Server 2012 version of adprep.exe works using smartcard as credentials, but there is no easy way
to specify the smart card credential through the command line. One way to do it is to obtain the smart card
credential through PowerShell cmdlet Get-Credential. Then use the user name of the returned PSCredential
object, which appears as @@.... The password is the PIN of the smart card.
Adprep.exe requires /userdomain if /user is specified. For smartcard credentials, the /userdomain should be the
domain of the underlying user account represented by the smartcard.
Adprep /domainprep /gpprep command is not run automatically
The adprep /domainprep /gpprep command is not run as part of AD DS installation. This command sets
permissions that are required for Resultant Set of Policy (RSOP) planning mode functionality. For more
information about this command, see Microsoft Knowledge Base article 324392. If the command needs to be
run in your Active Directory domain, you can run it separately from the AD DS installation. If the command has
already been run in preparation of deploying domain controllers that run Windows Server 2003 SP1 or later, the
command does not need to be run again.
You can safely add domain controllers that run Windows Server 2012 to an existing domain without running
adprep /domainprep /gpprep, but RSOP planning mode will not function properly.
System requirements
System requirements for Windows Server 2012 are unchanged from Windows Server 2008 R2. For more
information, see Windows Server 2008 R2 with SP1 System Requirements
(https://www.microsoft.com/windowsserver2008/en/us/system-requirements.aspx).
Some features can have additional requirements. For example, the virtual domain controller cloning feature
requires that the PDC emulator run Windows Server 2012 and a computer running Windows Server 2012 with
the Hyper-V role installed.
Known issues
This section lists some of the known issues that affect AD DS installation in Windows Server 2012. For
additional known issues, see Troubleshooting Domain Controller Deployment.
If WMI access to the schema master is blocked by Windows Firewall when you remotely run adprep
/forestprep, the following error is logged in the adprep log at %systemroot%\system32\debug\adprep:
In this case, you can work around the error by either running adprep /forestprep directly on the schema
master, or you can run one of the following commands to allow WMI traffic through Windows Firewall.
For Windows Server 2008 or later:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
After adprep finishes you can run either of the following commands to block WMI traffic again:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=no
You can type Ctrl + C to cancel the Install-ADDSForest cmdlet. The cancellation stops the installation and
any changes that were made to the state of the server are reverted. But after the cancellation command is
issued, control is not returned to Windows PowerShell, and the cmdlet can hang indefinitely.
Installation of an additional domain controller using smart card credentials fails if the target
server is not joined to the domain before installation.
The error message returned in this case is:
Unable to connect to the replication source domain controller source domain controller name. (Exception:
Logonfailure: unknown user name or bad password)
If you join the target server to the domain and then perform the installation using a smart card, the
installation succeeds.
The ADDSDeployment module does not run under 32-bit processes. If you are automating
deployment and configuration of Windows Server 2012 using a script that includes an ADDSDeployment
cmdlet and any other cmdlet that does not support native 64-bit processes, the script can fail with an
error that indicates the ADDSDeployment cmdlet cannot be found.
In this case, you need to run the ADDSDeployment cmdlet separately from the cmdlet that does not
support native 64-bit processes.
There is a new file system in Windows Server 2012 named Resilient File System. Do not store the Active
Directory database, log files, or SYSVOL on a data volume formatted with Resilient File System (ReFS).
For more information about ReFS, see Building the next generation file system for Windows: ReFS.
In Server Manager, for servers that run AD DS or other server roles on a Server Core installation and have
been upgraded to Windows Server 2012, the server role can appear with red status even though events
and status are collected as expected. Servers that run a Server Core installation of a preliminary release of
Windows Server 2012 can also be affected.
Active Directory Domain Services installation hangs if an error prevents critical replication
If the AD DS installation encounters an error during the critical replication phase, the installation can hang
indefinitely. For example, if networking errors prevent critical replication from completing, the installation will
not proceed.
If you are installing using Server Manager, you may see the installation progress page remain open, but there is
no error reported on screen, and the progress may not change for about 15 minutes. If you are using Windows
PowerShell, the progress shown in the Windows PowerShell window will not change for more than 15 minutes.
If you experience this problem, check the dcpromo.log file in the %systemroot%\debug folder on the target
server. The log file will typically indicate repeated failures to replicate. Some known causes for this problem are:
Networking problems prevent critical replication between the target server being promoted and the
replication source domain controller.
For example, the dcpromo.log shows:
05/02/2012 14:16:46 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963
Internal event: The following local directory service received an exception from a remote procedure
call (RPC) connection. Extensive RPC information was requested. This is intermediate information and
might not contain a possible cause.
Process ID:
500
Reported error information:
Error value:
Could not find the domain controller for this domain. (1908)
directory service:
<domain>.com
Extensive error information:
Error value:
A security package specific error occurred. 1825
directory service:
<DC Name>
Because the installation process retries critical replication indefinitely, the domain controller installation
proceeds if the underlying network problems are resolved. Investigate the networking problem using
tools such as ipconfig, nslookup, and netmon as needed. Ensure connectivity exists between the domain
controller you are promoting and the replication partner selected during the AD DS installation. Also
make sure name resolution is working.
AD DS installation requirements for network connectivity and name resolution are validated during the
prerequisite check before the installation begins. But some error conditions can arise in the time after
prerequisite validation occurs and before the installation completes, such as if the replication partner
becomes unavailable during installation.
During replica domain controller installation, the local Administrator account of the target server is
specified for the installation credentials, and the password of the local Administrator account matches the
password of a Domain Admin account. In this case, you can complete the installation wizard and begin
the installation before you encounter the "Access is denied" failure.
For example, the dcpromo.log shows:
03/30/2012 11:36:51 [INFO] Creating the NTDS Settings object for this Active Directory Domain
Controller on the remote AD DC DC2.contoso.com...
03/30/2012 11:36:51 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963Internal event:
The following local directory service received an exception from a remote procedure call (RPC)
connection. Extensive RPC information was requested. This is intermediate information and might not
contain a possible cause.
Process ID:
508
Reported error information:
Error value:
Access is denied. (5)
directory service:
DC2.contoso.com
If the error is caused by specifying a local Administrator account and password, in order to recover you
need to reinstall the operating system, perform metadata cleanup of the account for the domain
controller that failed to complete installation, and then retry the AD DS installation using Domain Admin
credentials. Restarting the server will not correct this error condition because the server will indicate that
AD DS is installed even though the installation did not finish successfully.
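The two dcpromo.log excerpts above share a shape: an NTDS Replication / DS RPC Client 1963 event followed by one or more "Error value:" lines whose trailing code tells the two causes apart (1908 and 1825 point at connectivity or name resolution, 5 at the local-Administrator credential problem). The following script is an added example, not part of the original article, that scans the log for those events and maps the codes to the causes listed above. It assumes the log lives at %systemroot%\debug\dcpromo.log on the target server and that the code follows an "Error value:" line as "(1908)" or a trailing "1825", as in the excerpts; the sample log below is constructed from those excerpts, not a real capture.

```powershell
# Added example (not from the original article): triage a stalled AD DS promotion by
# scanning dcpromo.log for repeated replication failures and mapping the Win32 error
# codes to the causes the article lists. Assumed log path: %systemroot%\debug\dcpromo.log.
function Get-DcpromoReplicationFailures {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    # Causes named in the article, keyed by the Win32 error code found in the log.
    $hint = @{
        1908 = 'Could not find the domain controller: check DNS and connectivity to the replication source'
        1825 = 'Security package specific error: check name resolution and RPC connectivity to the replication source'
        5    = 'Access is denied: credentials are probably the local Administrator account whose password matches a Domain Admin; reinstall, clean up metadata, retry with Domain Admin credentials'
    }

    $event1963  = 0      # NTDS Replication / DS RPC Client errors seen (retries show up as repeats)
    $codes      = @{}    # error code -> number of occurrences
    $expectCode = $false
    foreach ($line in $LogLines) {
        if ($line -match 'DS RPC Client : 1963') { $event1963++ }
        if ($expectCode) {
            # The line after "Error value:" carries the message text and its code.
            if ($line -match '\(?(\d+)\)?\s*$') {
                $code = [int]$Matches[1]
                $codes[$code] = 1 + [int]$codes[$code]
            }
            $expectCode = $false
        }
        elseif ($line -match '^\s*Error value:\s*$') {
            $expectCode = $true
        }
    }

    foreach ($code in ($codes.Keys | Sort-Object)) {
        [pscustomobject]@{
            ErrorCode      = $code
            Occurrences    = $codes[$code]
            Event1963Count = $event1963
            LikelyCause    = if ($hint.ContainsKey($code)) { $hint[$code] } else { 'Not covered here; read the surrounding dcpromo.log lines' }
        }
    }
}

# Constructed sample modelled on the excerpts above (not a real capture), for a dry run.
$sample = @'
05/02/2012 14:16:46 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963
Reported error information:
Error value:
Could not find the domain controller for this domain. (1908)
Extensive error information:
Error value:
A security package specific error occurred. 1825
05/02/2012 14:18:02 [INFO] EVENTLOG (Error): NTDS Replication / DS RPC Client : 1963
Error value:
Could not find the domain controller for this domain. (1908)
'@ -split "`r?`n"

Get-DcpromoReplicationFailures -LogLines $sample | Format-Table -AutoSize

# On the target server, run it against the real log instead of the sample:
# Get-DcpromoReplicationFailures -LogLines (Get-Content (Join-Path $env:SystemRoot 'debug\dcpromo.log'))
```

A rising Event1963Count with only 1908 and 1825 codes is the retry loop the article describes, which clears on its own once connectivity is restored; any code 5 means the promotion will not recover by itself and the reinstall and metadata cleanup path above applies.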
Active Directory Domain Services Configuration Wizard warns when a non-normalized DNS name is specified
If you create a new domain or forest and you specify a DNS domain name that includes internationalized
characters that are not normalized, then the Active Directory Domain Services Configuration Wizard displays a
warning that DNS queries for the name can fail. Although the DNS domain name is specified in the Deployment
Configuration page, the warning appears on the Prerequisites Check page later in the wizard.
If a DNS domain name is specified using an un-normalized name like füßball.com or 'ΣΤ '.com (the normalized
versions are füssball.com and βστα.com), client applications that try to access it with WinHTTP will normalize
the name before calling name resolution APIs. If the user types "'ΣΤ '.com" in a dialog, the DNS query will
be sent as "βστα.com" and no DNS server will match it with a resource record for "'ΣΤ '.com". The user will be
unable to resolve the name.
The following example explains one of the issues that can happen when using an IDN name that is not
normalized:
1. The domain using a non-normalized name is created and registered on the DNS server: füßball.com
2. Machine "nps" is joined to the domain and gets its name registered: nps.füßball.com
3. A client application tries to connect to the server nps.füßball.com
4. The client application tries to resolve the name nps.füßball.com by calling name resolution APIs.
5. Due to normalization, the name is converted to nps.füssball.com and is queried over the wire as
nps.füssball.com
6. The client application is unable to resolve the name because the registered name is nps.füßball.com
If the warning appears in the Prerequisites Check page in the Active Directory Domain Services Configuration
Wizard, return to the Deployment Configuration page and specify a normalized DNS domain name. If you are
installing a new domain using Windows PowerShell, specify a normalized DNS name for the -DomainName
option.
For more information about IDNs, see Handling Internationalized Domain Names (IDNs).
Upgrade Domain Controllers to Windows Server 2016
3/5/2021
Pre-requisites
The recommended way to upgrade a domain is to promote domain controllers that run newer versions of
Windows Server and demote the older domain controllers as needed. That method is preferable to upgrading
the operating system of an existing domain controller. This list covers general steps to follow before you
promote a domain controller that runs a newer version of Windows Server:
1. Verify the target server meets system requirements.
2. Verify Application compatibility.
3. Review Recommendations for moving to Windows Server 2016
4. Verify security settings. For more information, see Deprecated features and behavior changes related to AD
DS in Windows Server 2016.
5. Check connectivity to the target server from the computer where you plan to run the installation.
6. Check for availability of necessary operation master roles:
To install the first DC that runs Windows Server 2016 in an existing domain and forest, the machine
where you run the installation needs connectivity to the schema master in order to run adprep
/forestprep and the infrastructure master in order to run adprep /domainprep.
To install the first DC in a domain where the forest schema is already extended, you only need
connectivity to the infrastructure master.
To install or remove a domain in an existing forest, you need connectivity to the domain naming
master.
Any domain controller installation also requires connectivity to the RID master.
If you are installing the first read-only domain controller in an existing forest, you need connectivity to
the infrastructure master for each application directory partition, also known as a non-domain
naming context or NDNC.
Installation steps and required administrative levels
The following table summarizes the upgrade steps and the permissions required to accomplish
them:
Step | Required group membership
Run adprep /forestprep | Schema Admins, Enterprise Admins, and Domain Admins
For additional information on new features in Windows Server 2016, see What's new in Windows Server 2016.
If you are running this edition | You can upgrade to this edition
Windows Storage Server 2012 Standard | Windows Storage Server 2016 Standard
Windows Storage Server 2012 Workgroup | Windows Storage Server 2016 Workgroup
Windows Storage Server 2012 R2 Standard | Windows Storage Server 2016 Standard
Windows Storage Server 2012 R2 Workgroup | Windows Storage Server 2016 Workgroup
For more information about supported upgrade paths, see Supported Upgrade Paths.
1. Join the new Windows Server 2016 server to your forest. Restart when prompted.
2. Sign in to the new Windows Server 2016 server with a domain admin account.
3. In Server Manager, under Add Roles and Features, install Active Directory Domain Services on
the new Windows Server 2016 server. Promotion in the following steps runs adprep against the 2012 R2 forest and
domain automatically; no separate adprep step is needed.
4. In Server Manager, click the yellow triangle, and from the drop-down click Promote the server to a
domain controller.
5. On the Deployment Configuration screen, select Add a domain controller to an existing forest
and click Next.
6. On the Domain Controller options screen, enter the Directory Services Restore Mode (DSRM)
password and click Next.
7. For the remainder of the screens click Next.
8. On the Prerequisite Check screen, click Install. Once the restart has completed you can sign back in.
9. On the Windows Server 2012 R2 server, in Server Manager, under Tools, select Active Directory
Module for Windows PowerShell.
10. In the PowerShell window, use Move-ADDirectoryServerOperationMasterRole to move the FSMO
roles. You can type the name of each -OperationMasterRole or use the numbers 0 through 4, which stand for
PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, and DomainNamingMaster respectively. For more
information see Move-ADDirectoryServerOperationMasterRole.
Move-ADDirectoryServerOperationMasterRole -Identity "DC-W2K16" -OperationMasterRole 0,1,2,3,4
11. Verify the roles have been moved by going to the Windows Server 2016 server, in Server Manager,
under Tools, select Active Directory Module for Windows PowerShell. Use the Get-ADDomain and
Get-ADForest cmdlets to view the FSMO role holders.
12. Demote and remove the Windows Server 2012 R2 domain controller. For information on demoting a DC,
see Demoting Domain Controllers and Domains.
13. Once the server is demoted and removed you can raise the forest functional and domain functional levels
to Windows Server 2016.
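The same procedure can be driven end to end from the ADDSDeployment and ActiveDirectory cmdlets, which is the form you want when the upgrade is scripted or reviewed. The script below is an added example, not from the original article; it reuses the domain controller name DC-W2K16 from step 10 and assumes the domain contoso.com, an old 2012 R2 domain controller named DC-W2K12R2, that the new server is already domain-joined, and that you are signed in as a Domain Admin who is also an Enterprise Admin and Schema Admin (required for the first Windows Server 2016 DC, because promotion runs adprep /forestprep and /domainprep for you). It adds one check the wizard steps do not spell out: it refuses to proceed to demotion until every operations master role is confirmed on the new server.

```powershell
# Added example (not from the original article). Assumed names: contoso.com, DC-W2K16
# (new 2016 DC, from step 10 above), DC-W2K12R2 (the 2012 R2 DC being retired).

# --- Steps 1-8, run on the new Windows Server 2016 server (already domain-joined) ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password is the offline-recovery credential for this DC; never hard-code it.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Promotion runs the prerequisite check (the wizard's Prerequisite Check page) and, for the
# first 2016 DC, adprep /forestprep and /domainprep, then restarts the server.
Install-ADDSDomainController -DomainName 'contoso.com' `
    -Credential (Get-Credential -Message 'Domain Admin / Enterprise Admin account') `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns -Force

# --- Steps 10-11, run after the restart, from either DC with the AD module loaded ---
Import-Module ActiveDirectory

# Move all five FSMO roles. Names instead of the numeric codes 0..4 so intent is reviewable.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC-W2K16' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify every role now points at the new DC before touching the old one.
$domain  = Get-ADDomain -Identity 'contoso.com'
$forest  = Get-ADForest -Identity 'contoso.com'
$holders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$stale = $holders.GetEnumerator() | Where-Object { $_.Value -notlike 'DC-W2K16.*' }
if ($stale) {
    $stale | Format-Table Name, Value -AutoSize
    throw 'Not every operations master role moved; do not demote the old DC yet.'
}

# --- Step 12, run locally on DC-W2K12R2 ---
# -LocalAdministratorPassword becomes the local Administrator password of the member server
# the DC turns into; pick a new one, not the DSRM password.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword (Read-Host -AsSecureString -Prompt 'New local Administrator password') `
    -Force

# --- Step 13, run after DC-W2K12R2 is demoted and removed ---
# Confirm no 2012 R2 DC remains before raising the levels; the raise is not reversible.
Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
Set-ADDomainMode -Identity 'contoso.com' -DomainMode Windows2016Domain -Confirm:$false
Set-ADForestMode -Identity 'contoso.com' -ForestMode Windows2016Forest -Confirm:$false
```

The role-holder check reads the same Get-ADDomain and Get-ADForest properties step 11 tells you to inspect by eye; failing closed on a stale holder is what prevents demoting a DC that still owns the RID or PDC emulator role.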
Next Steps
What's New in Active Directory Domain Services Installation and Removal
Install Active Directory Domain Services (Level 100)
Windows Server 2016 Functional Levels
Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012
6/17/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic provides background information about Active Directory Domain Services in Windows Server 2012
R2 and Windows Server 2012 and explains the process for upgrading domain controllers from Windows Server
2008 or Windows Server 2008 R2.
Step | Required group membership
Run adprep /forestprep | Schema Admins, Enterprise Admins, and Domain Admins
You can delegate permissions to install AD DS. For more information, see Installation Management Tasks.
Steps-by-step instructions to promote new and replica Windows Server 2012 domain controllers using
Windows PowerShell cmdlets and Server Manager can be found in the following links:
Install Active Directory Domain Services (Level 100)
Install a New Windows Server 2012 Active Directory Forest (Level 200)
Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)
Install a Windows Server 2012 Active Directory Read-Only Domain Controller (RODC) (Level 200)
Windows Server 2012 forum about domain controllers
- Web Application Proxy: Provides access to web applications using a new Remote Access role service.
- SPN and UPN uniqueness: Domain controllers running Windows Server 2012 R2 block the creation of duplicate
service principal names (SPNs) and user principal names (UPNs).
- Winlogon Automatic Restart Sign-On (ARSO): Enables lock screen applications to be restarted and available on
Windows 8.1 devices.
- Credentials Protection and Management: New credential protection and domain authentication controls to
reduce credential theft.
- Deprecation of File Replication Service (FRS): The Windows Server 2003 domain functional level is also
deprecated because at that functional level FRS is used to replicate SYSVOL. That means when you create a new
domain on a server that runs Windows Server 2012 R2, the domain functional level must be Windows Server 2008
or newer. You can still add a domain controller that runs Windows Server 2012 R2 to an existing domain that has
a Windows Server 2003 domain functional level; you just can't create a new domain at that level.
- New domain and forest functional levels: There are new functional levels for Windows Server 2012 R2. New
features are available at the Windows Server 2012 R2 DFL.
- LDAP query optimizer changes: Performance improvement in LDAP search efficiency and LDAP search time for
complex queries.
- 1644 Event improvements: LDAP search result statistics were added to event ID 1644 to aid in troubleshooting.
- Active Directory replication throughput improvement: Raises the maximum AD replication throughput from
40 Mbps to around 600 Mbps.
- Active Directory-Based Activation (AD BA), see Volume Activation Overview: Simplifies the task of configuring
the distribution and management of volume software licenses.
- Active Directory Federation Services (AD FS): Adds role install via Server Manager, simplified trust setup,
automatic trust management, SAML-protocol support, and more.
- Active Directory lost page flush events: NTDS ISAM event 530 with jet error -1119 is logged to detect lost
page flush events to Active Directory databases.
- Active Directory Recycle Bin User Interface: Active Directory Administrative Center (ADAC) adds GUI
management of the Recycle Bin feature originally introduced in Windows Server 2008 R2.
- Active Directory Replication and Topology Windows PowerShell cmdlets: Supports the creation and management
of Active Directory sites, site links, connection objects, and more using Windows PowerShell.
- Dynamic Access Control: New claims-based authorization platform that enhances the legacy access control
model.
- Fine-Grained Password Policy User Interface: ADAC adds GUI support for creating, editing, and assigning PSOs,
originally added in Windows Server 2008.
- Group Managed Service Accounts (gMSA): A new security principal type known as a gMSA. Services running on
multiple hosts can run under the same gMSA account.
- Rapid deployment via virtual domain controller (DC) cloning: Virtualized DCs can be rapidly deployed by
cloning existing virtual domain controllers using Windows PowerShell cmdlets.
- RID pool changes: Adds new monitoring events and quotas to safeguard against excessive consumption of the
global RID pool. Optionally doubles the size of the global RID pool if the original pool becomes exhausted.
- Secure Time service: Enhances security for W32tm by removing secrets from the wire, removing the MD5 hash
functions, and requiring the server to authenticate with Windows 8 time clients.
- USN rollback protection for virtualized DCs: Accidentally restoring snapshot backups of virtualized DCs no
longer causes USN rollback.
- Windows PowerShell History Viewer: Allows administrators to view the Windows PowerShell commands executed
when using ADAC.
Automatic Maintenance and changes to restart behavior after updates are applied by Windows Update
Prior to the release of Windows 8, Windows Update managed its own internal schedule to check for updates,
and to download and install them. It required that the Windows Update Agent was always running in the
background, consuming memory and other system resources.
Windows 8 and Windows Server 2012 introduce a new feature called Automatic Maintenance. Automatic
Maintenance consolidates many different features that each used to manage its own scheduling and execution
logic. This consolidation allows for all these components to use far less system resources, work consistently,
respect the new Connected Standby state for new device types, and consume less battery on portable devices.
Because Windows Update is a part of Automatic Maintenance in Windows 8 and Windows Server 2012, its own
internal schedule for setting a day and time to install updates is no longer effective. To help ensure consistent
and predictable restart behavior for all devices and computers in your enterprise, including those that run
Windows 8 and Windows Server 2012, you can configure the following Group Policy settings:
Computer Configuration|Policies|Administrative Templates|Windows Components|Windows
Update|Configure Automatic Updates
Computer Configuration|Policies|Administrative Templates|Windows Components|Windows
Update|No auto-restar t with logged on users
Computer Configuration|Policies|Administrative Templates|Windows Components|Maintenance
Scheduler|Maintenance Random Delay
The following table lists some examples of how to configure these settings to provide the desired restart
behavior.
- WSUS managed; stagger installs across different hours/days: Set target groups for different groups of
machines that should be updated together. Use the above steps for the previous scenario. Set different
deadlines for different target groups.
- Not WSUS-managed (no support for deadlines); stagger installs at different times: Policy: Configure
Automatic Updates (Enabled), with Configure automatic updating set to 4 - Auto download and schedule the
install. Registry key: enable the registry key discussed in Microsoft KB article 2835627. Policy: Automatic
Maintenance Random Delay (Enabled), with Regular maintenance random delay set to PT6H for a 6-hour random
delay. This provides the following behavior: updates install at the configured maintenance time plus a
random delay, and the restart for each machine takes place exactly 3 days later. Alternatively, set a
different maintenance time for each group of machines.
For more information about why the Windows engineering team implemented these changes, see How to
reduce your chances of being prompted to restart your computer.
Encryption type or policy | Windows Server 2012 default | Windows Server 2008 and Windows Server 2008 R2 default | Comment
Requirement | Value
RAM | 512 MB
If you are running this edition | You can upgrade to this edition
Windows Server 2008 Standard with SP2 or Windows Server 2008 Enterprise with SP2 | Windows Server 2012 Standard or Windows Server 2012 Datacenter
Windows Server 2008 Datacenter with SP2 | Windows Server 2012 Datacenter
Windows Server 2008 R2 Standard with SP1 or Windows Server 2008 R2 Enterprise with SP1 | Windows Server 2012 Standard or Windows Server 2012 Datacenter
Windows Server 2008 R2 Datacenter with SP1 | Windows Server 2012 Datacenter
For more information about supported upgrade paths, see Evaluation Versions and Upgrade Options for
Windows Server 2012. Note that you cannot convert a domain controller that runs an evaluation version of
Windows Server 2012 directly to a retail version. Instead, install an additional domain controller on a server that
runs a retail version and remove AD DS from the domain controller that runs on the evaluation version.
Due to a known issue, you cannot upgrade a domain controller that runs a Server Core installation of Windows
Server 2008 R2 to a Server Core installation of Windows Server 2012. The upgrade will hang on a solid black
screen late in the upgrade process. Rebooting such DCs exposes an option in the boot.ini file to roll back to the
previous operating system version. An additional reboot triggers the automatic rollback to the previous
operating system version. Until a solution is available, it is recommended that you install a new domain
controller running a Server Core installation of Windows Server 2012 instead of in-place upgrading an existing
domain controller that runs a Server Core installation of Windows Server 2008 R2. For more information, see
KB article 2734222.
NOTE
Microsoft Exchange Server 2013 requires a forest functional level of Windows Server 2003 or higher.
NOTE
Though they are not operations master roles, another change in AD DS installation is that the DNS server role and the global
catalog are installed by default on all domain controllers that run Windows Server 2012.
Application compatibility
The following table covers common Active Directory-integrated Microsoft applications. It lists which
versions of Windows Server the applications can be installed on and whether the introduction of Windows
Server 2012 DCs affects application compatibility.
- Microsoft SharePoint 2010: SharePoint 2010 Service Pack 2 is required to install and operate SharePoint 2010
on Windows Server 2012 servers. SharePoint 2010 Foundation Service Pack 2 is required to install and operate
SharePoint 2010 Foundation on Windows Server 2012 servers. The SharePoint Server 2010 (without service packs)
installation process fails on Windows Server 2012: the prerequisite installer (PrerequisiteInstaller.exe) fails
with the error "This program has compatibility issues." Clicking "Run the program without getting help" displays
the error "Verifying if SharePoint can be installed | SharePoint Server 2010 (without service packs) cannot be
installed on Windows Server 2012."
- Microsoft Endpoint Configuration Manager (current branch): See Supported operating systems for Configuration
Manager site system servers.
- Microsoft Lync Server 2013: Lync Server 2013 requires Windows Server 2008 R2 or Windows Server 2012. It cannot
be run on a Server Core installation. It can be run on virtual servers.
- Lync Server 2010: Lync Server 2010 can be installed on a new (not upgraded) installation of Windows Server 2012
if the October 2012 cumulative updates for Lync Server are installed. Upgrading the operating system to Windows
Server 2012 for an existing installation of Lync Server 2010 is not supported. Microsoft Lync Server 2010 Group
Chat Server is also not supported on Windows Server 2012.
- System Center 2012 Endpoint Protection: System Center 2012 Endpoint Protection Service Pack 1 will update the
client support matrix to include the following operating systems:
- Windows 8 Pro
- Windows 8 Enterprise
- Windows Server 2012 Standard
- Windows Server 2012 Datacenter
- Forefront Endpoint Protection 2010: FEP 2010 with Update Rollup 1 will update the client support matrix to
include the following operating systems:
- Windows 8 Pro
- Windows 8 Enterprise
- Windows Server 2012 Standard
- Windows Server 2012 Datacenter
- Forefront Threat Management Gateway (TMG): TMG is supported to run only on Windows Server 2008 and Windows
Server 2008 R2. For more information, see System requirements for Forefront TMG.
- Windows Server Update Services: This release of WSUS already supports Windows 8-based computers and Windows
Server 2012-based computers as clients.
- Windows Server Update Services 3.0: Update KB article 2734608 lets servers that are running Windows Server
Update Services (WSUS) 3.0 SP2 provide updates to computers that are running Windows 8 or Windows Server 2012.
Note: customers with standalone WSUS 3.0 SP2 environments or Configuration Manager 2007 Service Pack 2
environments with WSUS 3.0 SP2 require 2734608 to properly manage Windows 8-based computers or Windows Server
2012-based computers as clients.
Known issues
The following table lists known issues related to AD DS installation. Each entry gives the KB article number
and title, the technology area impacted (in parentheses), and the issue description.
- 2830145: SID S-1-18-1 and SID S-1-18-2 can't be mapped on Windows 7 or Windows Server 2008 R2-based computers
in a domain environment (AD DS Management/App compat): Applications that map SID S-1-18-1 and SID S-1-18-2,
which are new in Windows Server 2012, may fail because the SIDs cannot be resolved on Windows 7-based or
Windows Server 2008 R2-based computers. To resolve this issue, install the hotfix on the Windows 7-based and
Windows Server 2008 R2-based computers in the domain.
- 2737424: "Format of the specified domain name is invalid" error when you try to remove Active Directory
Domain Services from a domain controller (AD DS Installation): This error appears if you are removing the last
DC in a domain where pre-created RODC accounts still exist. This affects Windows Server 2012, Windows Server
2008 R2, and Windows Server 2008.
- 2737463: Domain controller does not start, c00002e2 error occurs, or "Choose an option" is displayed (AD DS
Installation): A DC does not start because an administrator used Dism.exe, Pkgmgr.exe, or Ocsetup.exe to remove
the DirectoryServices-DomainController role.
- 2737516: IFM verification limitations in Windows Server 2012 Server Manager (AD DS Installation): IFM
verification can have limitations as explained in the KB article.
- 2737535: Install-AddsDomainController cmdlet returns parameter set error for RODC (AD DS Installation): You
can receive an error when you try to attach a server to an RODC account if you specify arguments that are
already populated on the pre-created RODC account.
- 2737807: The Next button is not available on the Domain Controller Options page (AD DS Installation): The
Next button is disabled on the Domain Controller Options page because the IP address of the target DC does not
map to an existing subnet or site, or because the DSRM password is not typed and confirmed correctly.
- 2737935: Active Directory installation stalls at the "Creating the NTDS settings object" stage (AD DS
Installation): The installation hangs because the local Administrator password matches the domain Administrator
password, or because networking problems prevent critical replication from completing.
- 2738060: "Access is denied" error message when you create a child domain remotely by using
Install-AddsDomain (AD DS Installation): You receive the error when you run Install-ADDSDomain with the
Invoke-Command cmdlet if the DNSDelegationCredential has a bad password.
- 2738697: "The server is not operational" domain controller configuration error when you configure a server
by using Server Manager (AD DS Installation): You receive this error when you try to install AD DS on a
workgroup computer because NTLM authentication is disabled.
- 2738746: You receive access denied errors after you log on to a local administrator domain account (AD DS
Installation): When you log on using a local Administrator account rather than the built-in Administrator
account and then create a new domain, the account is not added to the Domain Admins group.
- 2743345: "The system cannot find the file specified" Adprep /gpprep error, or tool crashes (AD DS
Installation): You receive this error when you run adprep /gpprep because the infrastructure master implements
a disjoint namespace.
- 2743367: Adprep "not a valid Win32 application" error on Windows Server 2003, 64-bit version (AD DS
Installation): You receive this error because Windows Server 2012 Adprep cannot be run on Windows Server 2003.
- 2753560: ADMT 3.2 and PES 3.1 installation errors on Windows Server 2012 (ADMT): ADMT 3.2 cannot be
installed on Windows Server 2012 by design.
- 2750857: DFS Replication diagnostic reports do not display correctly in Internet Explorer 10 (DFS
Replication): The DFS Replication diagnostic report does not display correctly because of changes in Internet
Explorer 10.
- 2741537: Remote Group Policy updates are visible to users (Group Policy): This is because scheduled tasks
run in the context of each user who is logged on. The Windows Task Scheduler design requires an interactive
prompt in this scenario.
- 2741591: ADM files are not present in SYSVOL in the GPMC Infrastructure Status option (Group Policy): GP
replication can report "replication in progress" because GPMC Infrastructure Status does not follow customized
filtering rules.
- 2737880: "The service cannot be started" error during AD DS configuration (Virtual DC cloning): You receive
this error while installing or removing AD DS, or cloning, because the DS Role Server service is disabled.
- 2742836: Two DHCP leases are created for each domain controller when you use the VDC cloning feature
(Virtual DC cloning): This happens because the cloned domain controller received a lease before cloning and
again when cloning was complete.
- 2742844: Domain controller cloning fails and the server restarts in DSRM in Windows Server 2012 (Virtual DC
cloning): The cloned DC starts in DSRM because cloning failed for any of a variety of reasons listed in the KB
article.
- 2742874: Domain controller cloning does not re-create all service principal names (Virtual DC cloning): Some
three-part SPNs are not recreated on the cloned DC because of a limitation of the domain rename process.
- 2742908: "No logon servers are available" error after cloning domain controller (Virtual DC cloning): You
receive this error when you try to log on after cloning a virtualized DC because cloning failed and the DC
started in DSRM. Log on as .\administrator to troubleshoot the cloning failure.
- 2742916: Domain controller cloning fails with error 8610 in dcpromo.log (Virtual DC cloning): Cloning fails
because the PDC emulator has not performed inbound replication of the domain partition, likely because the
role was transferred.
- 2742927: "Index was out of range" New-AdDcCloneConfig error (Virtual DC cloning): You receive the error
after you run the New-ADDCCloneConfigFile cmdlet while cloning virtual DCs, either because the cmdlet was not
run from an elevated command prompt or because your access token does not contain the Administrators group.
- 2742959: Domain controller cloning fails with error 8437: "invalid parameter was specified for this
replication operation" (Virtual DC cloning): Cloning failed because an invalid clone name or a duplicate
NetBIOS name was specified.
- 2742970: DC Cloning fails with no DSRM, duplicate source and clone computer (Virtual DC cloning): The cloned
virtual DC boots in Directory Services Restore Mode (DSRM) using the same name as the source DC, because the
DCCloneConfig.xml file was not created in the correct location or because the source DC was rebooted before
cloning.
- 2743278: Domain controller cloning error 0x80041005 (Virtual DC cloning): The cloned DC boots into DSRM
because only one WINS server was specified. If any WINS server is specified, both Preferred and Alternate WINS
servers must be specified.
- 2745013: "Server is not operational" error message if you run New-AdDcCloneConfigFile in Windows Server
2012 (Virtual DC cloning): You receive this error after you run the New-ADDCCloneConfigFile cmdlet because the
server cannot contact a global catalog server.
- 2747974: Domain controller cloning event 2224 provides incorrect guidance (Virtual DC cloning): Event ID
2224 incorrectly states that managed service accounts must be removed before cloning. Standalone MSAs must be
removed, but group MSAs do not block cloning.
- 2748266: You cannot unlock a BitLocker-encrypted drive after you upgrade to Windows 8 (BitLocker): You
receive an "Application not found" error when you try to unlock a drive on a computer that was upgraded from
Windows 7.
See Also
Windows Server 2012 Evaluation Resources
Windows Server 2012 Evaluation Guide
Install and Deploy Windows Server 2012
AD DS Simplified Administration
3/5/2021 • 12 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains the capabilities and benefits of Windows Server 2012 domain controller deployment and
administration, and the differences between previous operating system DC deployment and the new Windows
Server 2012 implementation.
Windows Server 2012 introduced the next generation of Active Directory Domain Services Simplified
Administration, and was the most radical domain re-envisioning since Windows 2000 Server. AD DS Simplified
Administration takes lessons learned from twelve years of Active Directory and makes a more supportable,
more flexible, more intuitive administrative experience for architects and administrators. This meant creating
new versions of existing technologies as well as extending the capabilities of components released in Windows
Server 2008 R2.
AD DS Simplified Administration is a reimagining of domain deployment.
AD DS role deployment is now part of the new Server Manager architecture and allows remote installation
The AD DS deployment and configuration engine is now Windows PowerShell, even when using the new AD
DS Configuration Wizard
Schema extension, forest preparation, and domain preparation are automatically part of domain controller
promotion and no longer require separate tasks on special servers such as the Schema Master
Promotion now includes prerequisite checking that validates forest and domain readiness for the new
domain controller, lowering the chance of failed promotions
Active Directory module for Windows PowerShell now includes cmdlets for replication topology
management, Dynamic Access Control, and other operations
The Windows Server 2012 forest functional level does not implement new features and domain functional
level is required only for a subset of new Kerberos features, relieving administrators of the frequent need for
a homogenous domain controller environment
Full support added for Virtualized Domain Controllers, to include automated deployment and rollback
protection
For more information about virtualized domain controllers, see Introduction to Active Directory
Domain Services (AD DS) Virtualization (Level 100).
In addition, there are many administrative and maintenance improvements:
The Active Directory Administrative Center includes a graphical Active Directory Recycle Bin, Fine-Grained
Password Policy management, and Windows PowerShell history viewer
The new Server Manager has AD DS-specific interfaces into performance monitoring, best practice analysis,
critical services, and the event logs
Group Managed Service Accounts support multiple computers using the same security principals
Improvements in Relative Identifier (RID) issuance and monitoring for better manageability in mature Active
Directory domains
AD DS profits from other new features included in Windows Server 2012, such as:
NIC teaming and Datacenter Bridging
DNS Security and faster AD-integrated zone availability after boot
Hyper-V reliability and scalability improvements
BitLocker Network Unlock
Additional Windows PowerShell component administration modules
ADPREP Integration
Active Directory forest schema extension and domain preparation now integrate into the domain controller
configuration process. If you promote a new domain controller into an existing forest, the process detects
upgrade status and the schema extension and domain preparation phases occur automatically. The user
installing the first Windows Server 2012 domain controller must still be an Enterprise Admin and Schema
Admin or provide valid alternate credentials.
Adprep.exe remains on the DVD for separate forest and domain preparation. The version of the tool included
with Windows Server 2012 is backwards compatible to Windows Server 2008 x64 and Windows Server 2008
R2. Adprep.exe also supports remote forestprep and domainprep, just like the ADDSDeployment-based domain
controller configuration tools.
For information about Adprep and previous operating system forest preparation, see Running Adprep
(Windows Server 2008 R2).
Server Manager acts as a hub for server management tasks. Its dashboard-style appearance periodically
refreshes views of installed roles and remote server groups. Server Manager provides centralized management
of local and remote servers, without the need for console access.
Active Directory Domain Services is one of those hub roles; by running Server Manager on a domain controller
or the Remote Server Administration Tools on a Windows 8 computer, you see important recent issues on domain
controllers in your forest.
These views include:
Server availability
Performance monitor alerts for high CPU and memory usage
The status of Windows services specific to AD DS
Recent Directory Services-related warning and error entries in the event log
Best Practice analysis of a domain controller against a set of Microsoft-recommended rules
Windows Server 2008 R2 introduced the Active Directory Recycle Bin, which recovers deleted Active Directory
objects without restoring from backup, restarting the AD DS service, or rebooting domain controllers.
Windows Server 2012 enhances the existing Windows PowerShell-based restore capabilities with a new
graphical interface in the Active Directory Administrative Center. This allows administrators to enable the
Recycle Bin and locate or restore deleted objects in the domain contexts of the forest, all without directly running
Windows PowerShell cmdlets. The Active Directory Administrative Center and Active Directory Recycle Bin still
use Windows PowerShell under the covers, so previous scripts and procedures are still valuable.
For information about the Active Directory Recycle Bin, see Active Directory Recycle Bin Step-by-Step Guide
(Windows Server 2008 R2).
Windows Server 2008 introduced the Fine-Grained Password policy, which allows administrators to configure
multiple password and account lockout policies per domain. This allows domains a flexible solution to enforce
more or less restrictive password rules, based on users and groups. It had no managerial interface and required
administrators to configure it using Ldp.exe or Adsiedit.msc. Windows Server 2008 R2 introduced the Active
Directory module for Windows PowerShell, which granted administrators a command-line interface to FGPP.
Windows Server 2012 brings a graphical interface to Fine-Grained Password Policy. The Active Directory
Administrative Center is the home of this new dialog, which brings simplified FGPP management to all
administrators.
For information about the Fine-Grained Password Policy, see AD DS Fine-Grained Password and Account
Lockout Policy Step-by-Step Guide (Windows Server 2008 R2).
Windows Server 2008 R2 introduced the Active Directory Administrative Center, which superseded the older
Active Directory Users and Computers snap-in created in Windows 2000. The Active Directory Administrative
Center creates a graphical administrative interface to the then-new Active Directory module for Windows
PowerShell.
While the Active Directory module contains over a hundred cmdlets, the learning curve for an administrator can
be steep. Since Windows PowerShell integrates heavily into the strategy of Windows administration, the Active
Directory Administrative Center now includes a viewer that enables you to see the cmdlet execution in the
graphical interface. You can search, copy, clear history, and add notes with a simple interface. The intent is for an
administrator to use the graphical interface to create and modify objects, and then review them in the history
viewer to learn more about Windows PowerShell scripting and modify the examples.
NOTE
Adprep uses LDAP to import Schxx.ldf files and does not automatically reconnect if the connection to the schema master
is lost during import. As part of the import process, the schema master is set in a specific mode and automatic
reconnection is disabled because if LDAP reconnects after the connection is lost, the re-established connection would not
be in the specific mode. In that case, the schema would not be updated correctly.
Prerequisite checking ensures that the conditions required for a successful AD DS installation are true. If some
required conditions are not true, they can be resolved before continuing the installation. It also detects that a
forest or domain is not yet prepared, so that the Adprep deployment code runs automatically.
ADPrep Executables, DLLs, LDFs, files
ADprep.dll
Ldifde.dll
Csvde.dll
Sch14.ldf - Sch56.ldf
Schupgrade.cat
*dcpromo.csv
The AD Preparation code formerly housed in ADprep.exe is refactored into adprep.dll. This allows both
ADPrep.exe and the ADDSDeployment Windows PowerShell module to use the library for the same tasks and
have the same capabilities. Adprep.exe is included with the installation media but automated processes do not
call it directly - only an Administrator runs it manually. It can only run on Windows Server 2008 x64 and later
operating systems. Ldifde.exe and csvde.exe also have refactored versions as DLLs that are loaded by the
preparation process. Schema extension still uses the signature-verified LDF files, like in previous operating
system versions.
IMPORTANT
There is no 32-bit Adprep32.exe tool for Windows Server 2012. You must have at least one Windows Server 2008 x64,
Windows Server 2008 R2, or Windows Server 2012 computer, running as a domain controller, member server, or in a
workgroup, to prepare the forest and domain. Adprep.exe does not run on Windows Server 2003 x64.
Prerequisite Checking
The prerequisite checking system built into ADDSDeployment Windows PowerShell managed code works in
different modes, based on the operation. The tables below describe each test, when it is used, and an explanation
of how and what it validates. These tables may be useful if there are issues where the validation fails and the
error is not sufficient to troubleshoot the problem.
These tests log in the DirectoryServices-Deployment operational event log channel under the Task Category
Core, always as Event ID 103.
Prerequisite Windows PowerShell
There are ADDSDeployment Windows PowerShell test cmdlets corresponding to each of the domain controller
deployment cmdlets. They have approximately the same arguments as their associated cmdlets.
Test-ADDSDomainControllerInstallation
Test-ADDSDomainControllerUninstallation
Test-ADDSDomainInstallation
Test-ADDSForestInstallation
Test-ADDSReadOnlyDomainControllerAccountCreation
There is no need to run these cmdlets, ordinarily; they already automatically execute with the deployment
cmdlets by default.
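The following is an added example, not code from the original topic, showing how the test cmdlets are used on their own: run the prerequisite checks for an additional domain controller without changing the server, then read back the Event ID 103 entries the checks wrote so a failure can be matched against the test table below. The domain name corp.contoso.com is a placeholder, and the full channel name Microsoft-Windows-DirectoryServices-Deployment/Operational is assumed to be the channel the topic refers to as DirectoryServices-Deployment.

```powershell
# Added example (not the topic's own code). Assumes the ADDSDeployment module is installed
# (Install-WindowsFeature AD-Domain-Services) and that corp.contoso.com is a placeholder domain.
Import-Module ADDSDeployment

# Prompt for the DSRM password as a secure string so it is never written in clear text.
$dsrmPassword = Read-Host -Prompt "DSRM password" -AsSecureString

# Test-* cmdlets take the same arguments as their Install-* counterparts and only run the
# prerequisite checks; nothing is installed or promoted.
$result = Test-ADDSDomainControllerInstallation `
    -DomainName "corp.contoso.com" `
    -SafeModeAdministratorPassword $dsrmPassword `
    -InstallDns:$true `
    -Credential (Get-Credential -Message "Domain Admins credentials")

# The returned object carries a Status and a Message describing any failing test
# (property names as observed from the ADDSDeployment cmdlets; treat them as an assumption).
$result | Format-List Status, Message, Context

# Every prerequisite test logs under Task Category Core as Event ID 103. Pull the most recent
# entries; the first line of each message names the test so it can be looked up in the table.
# The channel name below is an assumption for the "DirectoryServices-Deployment" log the topic mentions.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DirectoryServices-Deployment/Operational'
        Id      = 103
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Test'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Running the test cmdlet before the real installation is useful on a remote server, where a failed promotion is harder to inspect; the event log query works after the installation cmdlet as well, because the same tests run as part of it.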
Prerequisite Tests
Test name: VerifyExchangeSchemaFixed
  Protocols used: LDAP, WMI, DCOM, RPC
  Explanation and notes: Validates that the existing forest schema does not still contain the problem Exchange 2000 extensions ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-Identifier (https://support.microsoft.com/kb/314649)
Test name: VerifyOutboundReplicationEnabled
  Protocols used: LDAP, DRSR over SMB, RPC over SMB (LSARPC)
  Explanation and notes: Validates that the existing domain controller specified as the replication partner has outbound replication enabled, by checking the NTDS Settings object's options attribute for NTDSDSA_OPT_DISABLE_OUTBOUND_REPL (0x00000004)
Test name: VerifyMachineAdminPassword
  Protocols used: DRSR over RPC, LDAP, DNS, RPC over SMB (SAMR)
  Explanation and notes: Validates that the safe mode password set for DSRM meets domain complexity requirements.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
(&(ObjectCategory=computer)
(&(ObjectCategory=computer)(cn=dc*)(OperatingSystemVersion=6.2*))
(&(ObjectCategory=computer)(OperatingSystemVersion=6.1*))
(&(ObjectCategory=computer)(OperatingSystemVersion=6.0*))
(&(ObjectCategory=computer)(|(OperatingSystemVersion=5.2*)(OperatingSystemVersion=5.1*)))
( dnsHostName )( operatingSystem )( cn )
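The LDAP filters above select computer objects by OperatingSystemVersion prefix (6.2 is Windows Server 2012, 6.1 is Windows Server 2008 R2, 6.0 is Windows Server 2008, 5.2 and 5.1 are Windows Server 2003 and Windows XP). As an added example, not part of the original topic, the following script runs those filters against the Domain Controllers OU and reports the dnsHostName, operatingSystem and cn attributes listed above, which is a quick way to see which domain controllers still run an older release before raising functional levels. The version-to-name map is a constructed lookup; the Active Directory module and read access to the domain are assumed.

```powershell
# Added example (not the topic's own code). Assumes the ActiveDirectory module is available
# and the current account can read computer objects in the Domain Controllers OU.
Import-Module ActiveDirectory

# Scope the queries to DC computer objects rather than every computer in the domain.
$dcOu = "OU=Domain Controllers," + (Get-ADDomain).DistinguishedName

# Constructed map from the filters shown above to the Windows version each prefix denotes.
$filters = [ordered]@{
    'Windows Server 2012'     = '(&(ObjectCategory=computer)(OperatingSystemVersion=6.2*))'
    'Windows Server 2008 R2'  = '(&(ObjectCategory=computer)(OperatingSystemVersion=6.1*))'
    'Windows Server 2008'     = '(&(ObjectCategory=computer)(OperatingSystemVersion=6.0*))'
    'Windows Server 2003/XP'  = '(&(ObjectCategory=computer)(|(OperatingSystemVersion=5.2*)(OperatingSystemVersion=5.1*)))'
}

function Get-DcVersionSummary {
    foreach ($entry in $filters.GetEnumerator()) {
        # -LDAPFilter passes the raw filter through; -Properties fetches the attributes the topic lists.
        $dcs = @(Get-ADComputer -LDAPFilter $entry.Value -SearchBase $dcOu `
                    -Properties dnsHostName, operatingSystem)
        [pscustomobject]@{
            Version = $entry.Key
            Count   = $dcs.Count
            Hosts   = ($dcs | ForEach-Object { "$($_.cn) ($($_.dnsHostName); $($_.operatingSystem))" }) -join ', '
        }
    }
}

Get-DcVersionSummary | Format-Table -AutoSize -Wrap
```

Because OperatingSystemVersion is written by the computer itself at join and on upgrade, a stale value can remain on a decommissioned DC's account; compare the result with Get-ADDomainController -Filter * if the counts look wrong.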
Get-Module
To see all installed modules with their exported functions and cmdlets, use:
Get-Module -ListAvailable
The main case for using the import-module command is when you need access to the "AD:" Windows
PowerShell virtual drive and nothing else has already loaded the module. For example, using the following
commands:
import-module activedirectory
cd ad:
dir
Create Full NoDefrag %s
  Create IFM media without defragmenting for a full AD DC or an AD/LDS instance into folder %s
Create Sysvol Full NoDefrag %s
  Create IFM media with SYSVOL and without defragmenting for a full AD DC into folder %s
Install Active Directory Domain Services (Level 100)
3/5/2021 • 34 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains how to install AD DS in Windows Server 2012 by using any of the following methods:
Credential requirements to run Adprep.exe and install Active Directory Domain Services
Installing AD DS by Using Windows PowerShell
Installing AD DS by using Server Manager
Performing a Staged RODC Installation using the Graphical User Interface
NOTE
If you do not run adprep.exe command separately and you are installing the first domain controller that runs
Windows Server 2012 in an existing domain or forest, you will be prompted to supply credentials to run Adprep
commands. The credential requirements are as follows:
To introduce the first Windows Server 2012 domain controller in the forest, you need to supply credentials
for a member of Enterprise Admins group, the Schema Admins group, and the Domain Admins group in
the domain that hosts the schema master.
To introduce the first Windows Server 2012 domain controller in a domain, you need to supply credentials
for a member of the Domain Admins group.
To introduce the first read-only domain controller (RODC) in the forest, you need to supply credentials for
a member of the Enterprise Admins group.
NOTE
If you have already run adprep /rodcprep in Windows Server 2008 or Windows Server 2008 R2, you do not
need to run it again for Windows Server 2012.
To see the list of arguments that can be specified for a cmdlet, and its syntax, use Get-Help.
For example, to see the arguments for creating an unoccupied read-only domain controller (RODC) account,
type
Get-Help Add-ADDSReadOnlyDomainControllerAccount
-or-
In Server Manager, create a server group that includes the remote server. Right-click the name of the remote
server and click Windows PowerShell.
The next sections explain how to run ADDSDeployment module cmdlets to install AD DS.
ADDSDeployment cmdlet arguments
Specifying Windows PowerShell Credentials
Using test cmdlets
Installing a new forest root domain using Windows PowerShell
Installing a new child or tree domain using Windows PowerShell
Installing an additional (replica) domain controller using Windows PowerShell
ADDSDeployment cmdlet arguments
The following table lists arguments for the ADDSDeployment cmdlets in Windows PowerShell. Arguments in
bold are required. Equivalent arguments for dcpromo.exe are listed in parentheses if they are named differently
in Windows PowerShell.
Windows PowerShell switches accept $TRUE or $FALSE arguments. Arguments that are $TRUE by default do not
need to be specified.
To override default values, you can specify the argument with a $False value. For example, because -InstallDNS
is automatically run for a new forest installation if it is not specified, the only way to prevent DNS installation
when you install a new forest is to use:
-InstallDNS:$false
Similarly, because -InstallDNS has a default value of $False if you install a domain controller in an environment
that does not host Windows Server DNS server, you need to specify the following argument in order to install
DNS server:
-InstallDNS:$true
ADPrepCredential
  Note: Required if you are installing the first Windows Server 2012 domain controller in a domain or forest and the credentials of the current user are insufficient to perform the operation.
  Specifies the account with Enterprise Admins and Schema Admins group membership that can prepare the forest, according to the rules of Get-Credential and a PSCredential object.
  If no value is specified, the value of the -Credential argument is used.
AllowPasswordReplicationAccountName <string[]>
  Specifies the names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this RODC. Use an empty string "" if you want to keep the value empty. By default, only the Allowed RODC Password Replication Group is allowed, and it is originally created empty.
  Supply values as a string array. For example:
  -AllowPasswordReplicationAccountName "JSmith","JSmithPC","Branch Users"
ApplicationPartitionsToReplicate <string[]>
  Note: There is no equivalent option in the UI. If you install using the UI, or using IFM, then all application partitions will be replicated.
  Specifies the application directory partitions to replicate. This argument is applied only when you specify the -InstallationMediaPath argument to install from media (IFM). By default, all application partitions will replicate based on their own scopes.
  Supply values as a string array. For example:
  -ApplicationPartitionsToReplicate "partition1","partition2","partition3"
CreateDnsDelegation
  Note: You cannot specify this argument when you run the Add-ADDSReadOnlyDomainController cmdlet.
  Indicates whether to create a DNS delegation that references the new DNS server that you are installing along with the domain controller. Valid for Active Directory-integrated DNS only. Delegation records can be created only on Microsoft DNS servers that are online and accessible. Delegation records cannot be created for domains that are immediately subordinate to top-level domains such as .com, .gov, .biz, .edu or two-letter country code domains such as .nz and .au. The default is computed automatically based on the environment.
Credential
  Note: Required only if the credentials of the current user are insufficient to perform the operation.
  Specifies the domain account that can log on to the domain, according to the rules of Get-Credential and a PSCredential object.
  If no value is specified, the credentials of the current user are used.
DelegatedAdministratorAccountName
  Specifies the name of the user or group that can install and administer the RODC.
  By default, only members of the Domain Admins group can administer an RODC.
DenyPasswordReplicationAccountName <string[]>
  Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this RODC. Use an empty string "" if you do not want to deny the replication of credentials of any users or computers. By default, Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group are denied. By default, the Denied RODC Password Replication Group includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt account, and Schema Admins.
  Supply values as a string array. For example:
  -DenyPasswordReplicationAccountName "RegionalAdmins","AdminPCs"
DnsDelegationCredential
  Note: You cannot specify this argument when you run the Add-ADDSReadOnlyDomainController cmdlet.
  Specifies the user name and password for creating DNS delegation, according to the rules of Get-Credential and a PSCredential object.
DomainMode {Win2003 | Win2008 | Win2008R2 | Win2012 | Win2012R2} or DomainMode {2 | 3 | 4 | 5 | 6}
  Specifies the domain functional level during the creation of a new domain.
  The domain functional level cannot be lower than the forest functional level, but it can be higher.
  The default value is automatically computed and set to the existing forest functional level or the value that is set for -ForestMode.
DomainType {ChildDomain | TreeDomain} or {child | tree}
  Indicates the type of domain that you want to create: a new domain tree in an existing forest, a child of an existing domain, or a new forest.
  The default for DomainType is ChildDomain.
ForestMode {Win2003 | Win2008 | Win2008R2 | Win2012 | Win2012R2} or ForestMode {2 | 3 | 4 | 5 | 6}
  Specifies the forest functional level when you create a new forest.
  The default value is Win2012.
NewDomainName
  Note: Required only for Install-ADDSDomain.
  Specifies the single domain name for the new domain. For example, if you want to create a new child domain named emea.corp.fabrikam.com, you should specify emea as the value of this argument.
ParentDomainName
  Note: Required for the Install-ADDSDomain cmdlet.
  Specifies the FQDN of an existing parent domain. You use this argument when you install a child domain or new domain tree. For example, if you want to create a new child domain named emea.corp.fabrikam.com, you should specify corp.fabrikam.com as the value of this argument.
SystemKey
  Specifies the system key for the media from which you replicate the data.
  The default is none.
  Data must be in the format provided by read-host -assecurestring or ConvertTo-SecureString.
WhatIf
  Shows what would happen if the cmdlet runs. The cmdlet is not run.
WARNING
As the previous option does not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged:
WARNING
Providing or storing a clear text password is not recommended. Anyone running this command in a script or looking over
your shoulder knows the DSRM password of that domain controller. With that knowledge, they can impersonate the
domain controller itself and elevate their privilege to the highest level in an Active Directory forest.
NOTE
The -DomainNetBIOSName argument is required if you want to change the 15-character name that is automatically
generated based on the DNS domain name prefix or if the name exceeds 15 characters.
For example, to install a new forest named corp.contoso.com and be securely prompted to provide the DSRM
password, type:
NOTE
DNS server is installed by default when you run Install-ADDSForest.
To install a new forest named corp.contoso.com, create a DNS delegation in the contoso.com domain, set
domain functional level to Windows Server 2008 R2 and set forest functional level to Windows Server 2008,
install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, and be
prompted to provide the Directory Services Restore Mode password and type:
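The forest installation just described, written out as an Install-ADDSForest call. This is an added example rather than the topic's own command listing; corp.contoso.com, the delegation in contoso.com, the functional levels and the D:\ and E:\ drives come from the paragraph above, while the NetBIOS name CORP and the folder names under those drives are assumptions. Splatting is used so each argument can carry a comment.

```powershell
# Added example (not the topic's own code). Assumes the AD DS role is installed and the
# ADDSDeployment module is available; CORP and the NTDS/SYSVOL/Logs folder names are assumptions.
Import-Module ADDSDeployment

$forestParams = @{
    DomainName                    = "corp.contoso.com"
    DomainNetbiosName             = "CORP"          # assumed; required only to override the generated name
    ForestMode                    = "Win2008"       # forest functional level: Windows Server 2008
    DomainMode                    = "Win2008R2"     # domain functional level: Windows Server 2008 R2
    InstallDns                    = $true           # already the default for a new forest; shown explicitly
    CreateDnsDelegation           = $true           # delegation record in the parent zone contoso.com
    DatabasePath                  = "D:\NTDS"       # Active Directory database on D:\
    SysvolPath                    = "D:\SYSVOL"     # SYSVOL on D:\
    LogPath                       = "E:\Logs"       # log files on E:\
    # Prompt for the DSRM password as a secure string; never pass it as clear text in a script.
    SafeModeAdministratorPassword = (Read-Host -Prompt "DSRM password" -AsSecureString)
}

# Dry-run the prerequisite checks first; Test-ADDSForestInstallation accepts the same arguments.
Test-ADDSForestInstallation @forestParams | Format-List Status, Message

# Remove -WhatIf to perform the installation; the server restarts when it completes.
Install-ADDSForest @forestParams -WhatIf
```

The delegation is created only if a Microsoft DNS server hosting contoso.com is online and reachable; if the parent zone is hosted elsewhere, set CreateDnsDelegation to $false and add the delegation on that server by hand.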
NOTE
The -credential argument is only required when you are not currently logged on as a member of the Enterprise Admins
group.
The -NewDomainNetBIOSName argument is required if you want to change the automatically generated 15-character
name based on the DNS domain name prefix or if the name exceeds 15 characters.
For example, to use credentials of corp\EnterpriseAdmin1 to create a new child domain named
child.corp.contoso.com, install DNS server, create a DNS delegation in the corp.contoso.com domain, set domain
functional level to Windows Server 2003, make the domain controller a global catalog server in a site named
Houston, use DC1.corp.contoso.com as the replication source domain controller, install the Active Directory
database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, and be prompted to provide the
Directory Services Restore Mode password but not prompted to confirm the command, type:
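The child domain installation described above, as an added Install-ADDSDomain example (not the topic's own command listing). Every value shown is taken from the paragraph, except the folder names under D:\ and E:\, which are assumptions. Global catalog is the default for a new domain controller, so no argument is needed for it; -Force suppresses the confirmation prompt while the DSRM password is still prompted for.

```powershell
# Added example (not the topic's own code). Assumes the AD DS role is installed on the server
# and that corp\EnterpriseAdmin1 can create a domain under corp.contoso.com.
Import-Module ADDSDeployment

$childParams = @{
    Credential                    = (Get-Credential "corp\EnterpriseAdmin1")
    NewDomainName                 = "child"                   # single label; FQDN becomes child.corp.contoso.com
    ParentDomainName              = "corp.contoso.com"
    DomainType                    = "ChildDomain"             # the default; shown for clarity
    DomainMode                    = "Win2003"                 # domain functional level: Windows Server 2003
    InstallDns                    = $true                     # install DNS server on this DC
    CreateDnsDelegation           = $true                     # delegation for child in corp.contoso.com
    SiteName                      = "Houston"
    ReplicationSourceDC           = "DC1.corp.contoso.com"    # initial replication partner
    DatabasePath                  = "D:\NTDS"                 # assumed folder name
    SysvolPath                    = "D:\SYSVOL"               # assumed folder name
    LogPath                       = "E:\Logs"                 # assumed folder name
    SafeModeAdministratorPassword = (Read-Host -Prompt "DSRM password" -AsSecureString)
    Force                         = $true                     # do not prompt to confirm the command
}

# Global catalog is enabled by default; pass NoGlobalCatalog = $true to opt out.
Install-ADDSDomain @childParams
```

If the new domain should have a NetBIOS name other than the automatically generated one (or the generated name would exceed 15 characters), add NewDomainNetbiosName to the hashtable.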
To install a domain controller and DNS server in the corp.contoso.com domain and be prompted to supply the
domain Administrator credentials and the DSRM password, type:
If the computer is already domain joined and you are a member of the Domain Admins group, you can use:
The following command will use credentials of Contoso\EnterpriseAdmin1 to install a writable domain
controller and a global catalog server in a site named Boston, install DNS server, create a DNS delegation in the
contoso.com domain, install from media that is stored in the c:\ADDS IFM folder, install the Active Directory
database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, have the server automatically restart
after AD DS installation is complete, and be prompted to provide the Directory Services Restore Mode
password:
The command syntax to attach a server to an RODC account is as follows. Optional arguments appear within
square brackets.
Then run the following commands on the server that you want to attach to the RODC1 account. The server
cannot be joined to the domain. First, install the AD DS server role and management tools:
Press Y to confirm or include the -confirm argument to prevent the confirmation prompt.
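The staged RODC installation described above, as an added two-part example (not the topic's own command listing): first the RODC account is pre-created by an Enterprise Admin, then the delegated administrator attaches a workgroup server to it. RODC1 and corp.contoso.com are the names used in the text; the site name Boston, the delegated group CORP\BranchAdmins, the account CORP\BranchAdmin1 and the denied accounts are assumptions (the denied names are the ones the argument table above uses as its example).

```powershell
# Added example (not the topic's own code). Part 1 runs on an existing writable DC or a
# management workstation with RSAT, as a member of Enterprise Admins.
Import-Module ADDSDeployment

$rodcAccount = @{
    DomainControllerAccountName        = "RODC1"
    DomainName                         = "corp.contoso.com"
    SiteName                           = "Boston"                          # assumed site
    DelegatedAdministratorAccountName  = "CORP\BranchAdmins"               # assumed group that may attach and administer RODC1
    Credential                         = (Get-Credential "corp\EnterpriseAdmin1")
    # Keep privileged accounts' secrets off the branch server; the built-in denied groups still apply.
    DenyPasswordReplicationAccountName = "RegionalAdmins", "AdminPCs"
    InstallDns                         = $true
}
Add-ADDSReadOnlyDomainControllerAccount @rodcAccount

# Part 2 runs on the workgroup server that will become RODC1. It must not be domain-joined.
# First install the role and management tools, then attach the server to the pre-created account.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

Install-ADDSDomainController `
    -DomainName "corp.contoso.com" `
    -UseExistingAccount `
    -Credential (Get-Credential "CORP\BranchAdmin1") `
    -SafeModeAdministratorPassword (Read-Host -Prompt "DSRM password" -AsSecureString) `
    -Confirm:$false
```

With -UseExistingAccount the site, DNS and global catalog choices are taken from the pre-created account, so the delegated administrator cannot change them; that separation is the point of a staged installation, since the branch administrator never needs Domain Admins membership.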
Installing AD DS by using Server Manager
AD DS can be installed in Windows Server 2012 by using the Add Roles Wizard in Server Manager, followed by
the Active Directory Domain Services Configuration Wizard, which is new beginning in Windows Server 2012.
The Active Directory Domain Services Installation Wizard (dcpromo.exe) is deprecated beginning in Windows
Server 2012.
The following sections explain how to create server pools in order to install and manage AD DS on multiple
servers, and how to use the wizards to install AD DS.
Creating server pools
Server Manager can pool other servers on the network as long as they are accessible from the computer
running Server Manager. Once pooled, you choose those servers for remote installation of AD DS or any other
configuration options possible within Server Manager. The computer running Server Manager automatically
pools itself. For more information about server pools, see Add Servers to Server Manager.
NOTE
In order to manage a domain-joined computer using Server Manager on a workgroup server, or vice-versa, additional
configuration steps are needed. For more information, see "Add and manage servers in workgroups" in Add Servers to
Server Manager.
Installing AD DS
Administrative credentials
The credential requirements to install AD DS vary depending on which deployment configuration you choose.
For more information, see Credential requirements to run Adprep.exe and install Active Directory Domain
Services.
Use the following procedures to install AD DS using the GUI method. The steps can be performed locally or
remotely. For more detailed explanation of these steps, see the following topics:
Deploying a Forest with Server Manager
Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)
Install a Windows Server 2012 Active Directory Read-Only Domain Controller (RODC) (Level 200)
To install AD DS by using Server Manager
1. In Server Manager, click Manage and click Add Roles and Features to start the Add Roles Wizard.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation and then click
Next.
4. On the Select destination server page, click Select a server from the server pool, click the name
of the server where you want to install AD DS and then click Next.
To select remote servers, first create a server pool and add the remote servers to it. For more information
about creating server pools, see Add Servers to Server Manager.
5. On the Select server roles page, click Active Directory Domain Services, then on the Add Roles
and Features Wizard dialog box, click Add Features, and then click Next.
6. On the Select features page, select any additional features you want to install and click Next.
7. On the Active Directory Domain Services page, review the information and then click Next.
8. On the Confirm installation selections page, click Install.
9. On the Results page, verify that the installation succeeded, and click Promote this server to a
domain controller to start the Active Directory Domain Services Configuration Wizard.
IMPORTANT
If you close Add Roles Wizard at this point without starting the Active Directory Domain Services Configuration
Wizard, you can restart it by clicking Tasks in Server Manager.
10. On the Deployment Configuration page, choose one of the following options:
If you are installing an additional domain controller in an existing domain, click Add a domain
controller to an existing domain, and type the name of the domain (for example,
emea.corp.contoso.com) or click Select... to choose a domain, and credentials (for example,
specify an account that is a member of the Domain Admins group) and then click Next.
NOTE
The name of the domain and current user credentials are supplied by default only if the machine is
domain-joined and you are performing a local installation. If you are installing AD DS on a remote server,
you need to specify the credentials, by design. If current user credentials are not sufficient to perform the
installation, click Change... in order to specify different credentials.
For more information, see Install a Replica Windows Server 2012 Domain Controller in an Existing
Domain (Level 200).
If you are installing a new child domain, click Add a new domain to an existing forest, for
Select domain type, select Child Domain, type or browse to the DNS name of the parent domain
(for example, corp.contoso.com), type the relative name of the new child domain (for
example, emea), type credentials to use to create the new domain, and then click Next.
For more information, see Install a New Windows Server 2012 Active Directory Child or Tree
Domain (Level 200).
If you are installing a new domain tree, click Add new domain to an existing forest, for Select
domain type, choose Tree Domain, type the name of the root domain (for example,
corp.contoso.com), type the DNS name of the new domain (for example, fabrikam.com), type
credentials to use to create the new domain, and then click Next.
For more information, see Install a New Windows Server 2012 Active Directory Child or Tree
Domain (Level 200).
If you are installing a new forest, click Add a new forest and then type the name of the root
domain (for example, corp.contoso.com).
For more information, see Install a New Windows Server 2012 Active Directory Forest (Level 200).
11. On the Domain Controller Options page, choose one of the following options:
If you are creating a new forest or domain, select the domain and forest functional levels, click
Domain Name System (DNS) server, specify the DSRM password, and then click Next.
If you are adding a domain controller to an existing domain, click Domain Name System (DNS)
server, Global Catalog (GC), or Read Only Domain Controller (RODC) as needed, choose
the site name, type the DSRM password, and then click Next.
For more information about which options on this page are available or not available under different
conditions, see Domain Controller Options.
12. On the DNS Options page (which appears only if you install a DNS server), click Update DNS
delegation as needed. If you do, provide credentials that have permission to create DNS delegation
records in the parent DNS zone.
If a DNS server that hosts the parent zone cannot be contacted, the Update DNS Delegation option is
not available.
For more information about whether you need to update the DNS delegation, see Understanding Zone
Delegation. If you attempt to update the DNS delegation and encounter an error, see DNS Options.
13. On the RODC Options page (which appears only if you install an RODC), specify the name of a group or
user who will manage the RODC, add accounts to or remove accounts from the Allowed or Denied
password replication groups, and then click Next.
For more information, see Password Replication Policy.
14. On the Additional Options page, choose one of the following options:
If you are creating a new domain, type a new NetBIOS name or verify the default NetBIOS name of
the domain, and then click Next.
If you are adding a domain controller to an existing domain, select the domain controller that you
want to replicate the AD DS installation data from (or allow the wizard to select any domain
controller). If you are installing from media, click Install from media path, type and verify the
path to the installation source files, and then click Next.
You cannot use install from media (IFM) to install the first domain controller in a domain. IFM does
not work across different operating system versions. In other words, in order to install an
additional domain controller that runs Windows Server 2012 by using IFM, you must create the
backup media on a Windows Server 2012 domain controller. For more information about IFM, see
Installing an Additional Domain Controller by Using IFM.
15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or
accept default locations), and click Next.
IMPORTANT
Do not store the Active Directory database, log files, or SYSVOL folder on a data volume formatted with Resilient
File System (ReFS).
16. On the Preparation Options page, type credentials that are sufficient to run adprep. For more
information, see Credential requirements to run Adprep.exe and install Active Directory Domain Services.
17. On the Review Options page, confirm your selections, click View script if you want to export the
settings to a Windows PowerShell script, and then click Next.
18. On the Prerequisites Check page, confirm that prerequisite validation completed and then click Install.
19. On the Results page, verify that the server was successfully configured as a domain controller. The
server will be restarted automatically to complete the AD DS installation.
IMPORTANT
If you close Add Roles Wizard at this point without starting the Active Directory Domain Services Configuration
Wizard, you can restart it by clicking Tasks in Server Manager.
11. On the Deployment Configuration page, click Add a domain controller to an existing domain,
type the name of the domain (for example, emea.contoso.com) and credentials (for example, specify an
account that is delegated to manage and install the RODC), and then click Next.
12. On the Domain Controller Options page, click Use existing RODC account, type and confirm the
Directory Services Restore Mode password, and then click Next.
13. On the Additional Options page, if you are installing from media, click Install from media path, type
and verify the path to the installation source files, select the domain controller that you want to replicate
the AD DS installation data from (or allow the wizard to select any domain controller), and then click
Next.
14. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder, or
accept default locations, and then click Next.
15. On the Review Options page, confirm your selections, click View Script to export the settings to a
Windows PowerShell script, and then click Next.
16. On the Prerequisites Check page, confirm that prerequisite validation completed and then click Install.
To complete the AD DS installation, the server will restart automatically.
See Also
Troubleshooting Domain Controller Deployment
Install a New Windows Server 2012 Active Directory Forest (Level 200)
Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)
Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
Install a New Windows Server 2012 Active Directory
Forest (Level 200)
3/5/2021 • 24 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains the new Windows Server 2012 Active Directory Domain Services domain controller
promotion feature at an introductory level. In Windows Server 2012, AD DS replaces the Dcpromo tool with a
Server Manager and Windows PowerShell-based deployment system.
Active Directory Domain Services Simplified Administration
Technical Overview
Deploying a Forest with Server Manager
Deploying a Forest with Windows PowerShell
Technical Overview
What You Should Know Before You Begin
This topic assumes familiarity with previous releases of Active Directory Domain Services, and does not provide
foundational detail around their purpose and functionality. For more information about AD DS, see the TechNet
Portal pages linked below:
Active Directory Domain Services for Windows Server 2008 R2
Active Directory Domain Services for Windows Server 2008
Windows Server Technical Reference
Functional Descriptions
AD DS Role Installation
Active Directory Domain Services installation uses Server Manager and Windows PowerShell, like all other
server roles and features in Windows Server 2012. The Dcpromo.exe program no longer provides GUI
configuration options.
You use a graphical wizard in Server Manager or the ServerManager module for Windows PowerShell in both
local and remote installations. By running multiple instances of those wizards or cmdlets and targeting different
servers, you can deploy AD DS to multiple domain controllers simultaneously, all from one single console.
Although these new features are not backwards compatible with Windows Server 2008 R2 or earlier operating
systems, you can also still use the Dism.exe application introduced in Windows Server 2008 R2 for local role
installation from the classic command-line.
AD DS Role Configuration
Active Directory Domain Services configuration (previously known as DCPROMO) is now a discrete
operation from role installation. After installing the AD DS role, an administrator configures the server as a
domain controller using a separate wizard within Server Manager or using the ADDSDeployment Windows
PowerShell module.
AD DS role configuration builds on twelve years of field experience and now configures domain controllers
based on the most recent Microsoft best practices. For example, Domain Name System and Global Catalogs
install by default on every domain controller.
The Server Manager AD DS configuration wizard merges many individual dialogs into fewer prompts and no
longer hides settings in an "advanced" mode. The entire promotion process is in one expanding dialog box
during installation. The wizard and the ADDSDeployment Windows PowerShell module show you notable
changes and security concerns, with links to further information.
Dcpromo.exe remains in Windows Server 2012 for command-line unattended installations only, and no
longer runs the graphical installation wizard. It is highly recommended that you discontinue use of Dcpromo.exe
for unattended installs and replace it with the ADDSDeployment module, as the now-deprecated executable will
not be included in the next version of Windows.
These new features are not backwards compatible to Windows Server 2008 R2 or older operating systems.
IMPORTANT
Dcpromo.exe no longer contains a graphical wizard and no longer installs role or feature binaries. Attempting to run
Dcpromo.exe from the Explorer shell returns:
"The Active Directory Domain Services Installation Wizard is relocated in Server Manager. For more information, see
https://go.microsoft.com/fwlink/?LinkId=220921."
Attempting to run Dcpromo.exe /unattend still installs the binaries, as in previous operating systems, but warns:
"The dcpromo unattended operation is replaced by the ADDSDeployment module for Windows PowerShell. For more
information, see https://go.microsoft.com/fwlink/?LinkId=220924."
Windows Server 2012 deprecates dcpromo.exe and it will not be included with future versions of Windows, nor will it
receive further enhancements in this operating system. Administrators should discontinue its use and switch to the
supported Windows PowerShell modules if they wish to create domain controllers from the command-line.
Prerequisite Checking
Domain controller configuration also implements a prerequisite checking phase that evaluates the forest and
domain prior to continuing with domain controller promotion. This includes FSMO role availability, user
privileges, extended schema compatibility and other requirements. This new design alleviates issues where
domain controller promotion starts and then halts midway with a fatal configuration error. This lessens the
chance of orphaned domain controller metadata in the forest or a server that incorrectly believes it is a domain
controller.
This gives you three ways to add servers to the pool for use or grouping:
Active Directory search (uses LDAP, requires that the computers belong to a domain, allows operating
system filtering and supports wildcards)
DNS search (uses DNS alias or IP address via ARP or NetBIOS broadcast or WINS lookup, does not allow
operating system filtering or support wildcards)
Import (uses a text file list of servers separated by CR/LF)
Click Find Now to return a list of servers from the same Active Directory domain that the computer is joined
to, then click one or more server names in the list. Click the right arrow to add the servers to the
Selected list. Use the Add Servers dialog to add selected servers to dashboard role groups. Or click Manage,
and then click Create Server Group, or click Create Server Group on the dashboard Welcome to Server
Manager tile to create custom server groups.
NOTE
The Add Servers procedure does not validate that a server is online or accessible. However, any unreachable servers are flagged
in the Manageability view in Server Manager at the next refresh.
You can install roles remotely on any Windows Server 2012 computers added to the pool, as shown:
You cannot fully manage servers running operating systems older than Windows Server 2012. The Add Roles
and Features selection runs the ServerManager Windows PowerShell module cmdlet Install-WindowsFeature.
You can also use the Server Manager Dashboard on an existing domain controller to select remote server AD DS
installation with the role already preselected by right-clicking the AD DS dashboard tile and selecting Add AD
DS to Another Server. This invokes Install-WindowsFeature AD-Domain-Services.
The computer you are running Server Manager on pools itself automatically. To install the AD DS role here,
simply click the Manage menu and click Add Roles and Features.
Installation Type
The Installation Type dialog provides an option that does not support Active Directory Domain Services: the
Remote Desktop Services scenario-based installation. That option only allows Remote Desktop Services in
a multi-server distributed workload. If you select it, AD DS cannot install.
Always leave the default selection in place when installing AD DS: Role-based or Feature-based
Installation.
Server Selection
The Server Selection dialog enables you to choose from one of the servers previously added to the pool, as
long as it is accessible. The local server running Server Manager is automatically available.
In addition, you can select offline Hyper-V VHD files with the Windows Server 2012 operating system and
Server Manager adds the role to them directly through component servicing. This allows you to provision
virtual servers with the necessary components before further configuring them.
Server Roles and Features
Select the Active Directory Domain Services role if you intend to promote a domain controller. All Active
Directory administration features and required services install automatically, even if they are ostensibly part of
another role or do not appear selected in the Server Manager interface.
Server Manager also presents an informational dialog that shows which management features this role
implicitly installs; this is equivalent to the -IncludeManagementTools argument.
Additional Features can be added here as desired.
Active Directory Domain Services
The Active Directory Domain Services dialog provides limited information on requirements and best
practices. It mainly acts as a confirmation that you chose the AD DS role: if this screen does not appear, you did
not select AD DS.
Confirmation
The Confirmation dialog is the final checkpoint before role installation starts. It offers an option to restart the
computer as needed after role installation, but AD DS installation does not require a reboot.
By clicking Install, you confirm you are ready to begin role installation. You cannot cancel a role installation
once it begins.
Results
The Results dialog shows the current installation progress and current installation status. Role installation
continues regardless of whether Server Manager is closed.
Verifying the installation results is still a best practice. If you close the Results dialog before installation
completes, you can check the results using the Server Manager notification flag. Server Manager also shows a
warning message for any servers that have installed the AD DS role but not been further configured as domain
controllers.
Task Notifications
AD DS Details
Task Details
Promote to Domain Controller
At the end of the AD DS role installation, you can continue with configuration by using the Promote this
server to a domain controller link. This step is required to make the server a domain controller, but it is not
necessary to run the configuration wizard immediately. For example, you may only want to provision servers
with the AD DS binaries before sending them to another branch office for later configuration. By adding the AD
DS role before shipping, you save time when it reaches its destination. You also follow the best practice of not
keeping a domain controller offline for days or weeks. Finally, this enables you to update components before
domain controller promotion, saving you at least one subsequent reboot.
Selecting this link later invokes the ADDSDeployment cmdlets: Install-ADDSForest, Install-ADDSDomain, or
Install-ADDSDomainController.
Uninstalling/Disabling
You remove the AD DS role like any other role, regardless of whether you promoted the server to a domain
controller. However, removing the AD DS role requires a restart on completion.
Active Directory Domain Services role removal is different from installation, in that it requires domain controller
demotion before it can complete. This is necessary to prevent a domain controller from having its role binaries
uninstalled without proper metadata cleanup in the forest. For more information, see Demoting Domain
Controllers and Domains (Level 200).
WARNING
Removing the AD DS roles with Dism.exe or the Windows PowerShell DISM module after promotion to a Domain
Controller is not supported and will prevent the server from booting normally.
Unlike Server Manager or the AD DS Deployment module for Windows PowerShell, DISM is a native servicing system that
has no inherent knowledge of AD DS or its configuration. Do not use Dism.exe or the Windows PowerShell DISM module
to uninstall the AD DS role unless the server is no longer a domain controller.
Deployment Configuration
Server Manager begins every domain controller promotion with the Deployment Configuration page. The
remaining options and required fields change on this page and subsequent pages, depending on which
deployment operation you select.
To create a new Active Directory forest, click Add a new forest . You must provide a valid root domain name;
the name cannot be single-labeled (for example, the name must be contoso.com or similar and not just contoso)
and must use allowed DNS domain naming requirements.
For more information on valid domain names, see KB article Naming conventions in Active Directory for
computers, domains, sites, and OUs.
WARNING
Do not create new Active Directory forests with the same name as an external DNS name. For example, if your Internet
DNS URL is http://contoso.com, you must choose a different name for your internal forest to avoid future compatibility
issues. That name should be unique and unlikely for web traffic. For example: corp.contoso.com.
A new forest does not need new credentials for the domain's Administrator account. The domain controller
promotion process uses the credentials of the built-in Administrator account from the first domain controller
used to create the forest root. There is no way (by default) to disable or lock out the built-in Administrator
account and it may be the only entry point into a forest if the other administrative domain accounts are
unusable. It is critical to know the password before deploying a new forest.
DomainName requires a valid fully qualified domain DNS name and is required.
Domain Controller Options
The Domain Controller Options page enables you to configure the forest functional level and domain
functional level for the new forest root domain. By default, these settings are Windows Server 2012 in a new
forest root domain. The Windows Server 2012 forest functional level does not provide any new functionality
over the Windows Server 2008 R2 forest functional level. The Windows Server 2012 domain functional level is
required only in order to implement the new Kerberos settings "always provide claims" and "Fail unarmored
authentication requests." A primary use for functional levels in Windows Server 2012 is to restrict participation
in the domain to domain controllers that meet minimum-allowed operating system requirements. In other
words, if you specify the Windows Server 2012 domain functional level, only domain controllers that run
Windows Server 2012 can host the domain. Windows Server 2012 implements a new domain controller flag
called DS_WIN8_REQUIRED in the DSGetDcName function of NetLogon that exclusively locates Windows
Server 2012 domain controllers. This gives you the flexibility of a more homogeneous or heterogeneous forest
in terms of which operating systems are permitted to run on domain controllers.
For more information about domain controller Location, review Directory Service Functions.
The only configurable domain controller capability is the DNS server option. Microsoft recommends that all
domain controllers provide DNS services for high availability in distributed environments, which is why this
option is selected by default when installing a domain controller in any mode or domain. The Global Catalog
and read only domain controller options are unavailable when creating a new forest root domain; the first
domain controller must be a GC, and cannot be a read only domain controller (RODC).
The specified Directory Services Restore Mode Password must adhere to the password policy applied to
the server, which by default does not require a strong password; only a non-blank one. Always choose a strong,
complex password or preferably, a passphrase.
DNS Options and DNS Delegation Credentials
The DNS Options page enables you to configure DNS delegation and provide alternate DNS administrative
credentials.
You cannot configure DNS options or delegation in the Active Directory Domain Services Configuration Wizard
when installing a new Active Directory Forest Root Domain where you selected the DNS server on the
Domain Controller Options page. The Create DNS delegation option is available when creating a new
forest root DNS zone in an existing DNS server infrastructure. This option enables you to provide alternate DNS
administrative credentials that have the rights to update DNS zone.
For more information about whether you need to create a DNS delegation, see Understanding Zone Delegation.
Additional Options
The Additional Options page shows the NetBIOS name of the domain and enables you to override it. By
default, the NetBIOS domain name matches the left-most label of the fully qualified domain name provided on
the Deployment Configuration page. For example, if you provided the fully qualified domain name of
corp.contoso.com, the default NetBIOS domain name is CORP.
If the name is 15 characters or less and does not conflict with another NetBIOS name, it is unaltered. If it does
conflict with another NetBIOS name, a number is appended to the name. If the name is more than 15 characters,
the wizard provides a unique, truncated suggestion. In either case, the wizard first validates the name is not
already in use via a WINS lookup and NetBIOS broadcast.
For more information on valid domain names, see KB article Naming conventions in Active Directory for
computers, domains, sites, and OUs.
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the database
transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot% (i.e.
C:\Windows).
Review Options and View Script
The Review Options page enables you to validate your settings and ensure they meet your requirements
before you start the installation. This is not the last opportunity to stop the installation when using Server
Manager; it is simply an option to confirm your settings before continuing the configuration.
The Review Options page in Server Manager also offers an optional View Script button to create a Unicode
text file that contains the current ADDSDeployment configuration as a single Windows PowerShell script. This
enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio. Use
the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and
then cancel the wizard. This process creates a valid and syntactically correct sample for further modification or
direct use. For example:
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDNSDelegation `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "corp.contoso.com" `
-DomainNetBIOSName "CORP" `
-ForestMode "Win2012" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SYSVOLPath "C:\Windows\SYSVOL" `
-Force:$true
NOTE
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may
change between future versions of Windows or service packs). The one exception to this is the
-SafeModeAdministratorPassword argument (which is deliberately omitted from the script). To force a confirmation
prompt, omit the value when running the cmdlet interactively.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the
server configuration is capable of supporting a new AD DS forest.
When installing a new forest root domain, the Server Manager Active Directory Domain Services Configuration
Wizard invokes a series of modular tests. These tests alert you with suggested repair options. You can run the
tests as many times as required. The domain controller process cannot continue until all prerequisite tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older
operating systems.
For more information on the specific prerequisite checks, see Prerequisite Checking.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or
canceled. Detailed operations display on this page and are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
NOTE
You can run multiple role installation and AD DS configuration wizards from the same Server Manager console
simultaneously.
Results
The Results page shows the success or failure of the promotion and any important administrative information.
The domain controller will automatically reboot after 10 seconds.
Deploying a Forest with Windows PowerShell
This section explains how to install the first domain controller in a forest root domain using Windows
PowerShell on a Core Windows Server 2012 computer.
Windows PowerShell AD DS Role Installation Process
By implementing a few straightforward ServerManager deployment cmdlets into your deployment processes,
you further realize the vision of AD DS simplified administration.
The next figure illustrates the Active Directory Domain Services role installation process, beginning with you
running PowerShell.exe and ending right before the promotion of the domain controller.
Install-WindowsFeature/Add-WindowsFeature -Name
-Restart
-IncludeAllSubFeature
-IncludeManagementTools
-Source
-ComputerName
-Credential
-LogPath
-Vhd
-ConfigurationFilePath
NOTE
While not required, the argument -IncludeManagementTools is highly recommended when installing the AD DS role
binaries
The ServerManager module exposes the role installation, status, and removal portions of the new DISM module for
Windows PowerShell. This layering simplifies most tasks and reduces the need for direct usage of the powerful
(but dangerous when misused) DISM module.
Use Get-Command to export the aliases and cmdlets in ServerManager.
For example:
To add the Active Directory Domain Services role, simply run the Install-WindowsFeature with the AD DS role
name as an argument. Like Server Manager, all required services implicit to the AD DS role install automatically.
If you also want the AD DS management tools installed - and this is highly recommended - then provide the
-IncludeManagementTools argument:
For example:
To list all features and roles with their installation status, use Get-WindowsFeature without arguments. Specify
-ComputerName argument for the installation status from a remote server.
Get-WindowsFeature
Because Get-WindowsFeature does not have a filtering mechanism, you must use Where-Object with a
pipeline to find specific features. The pipeline is a channel used between multiple cmdlets to pass data and the
Where-Object cmdlet acts as a filter. The built-in $_ variable acts as the current object passing through the
pipeline with any properties it may contain.
For example, to find all features containing "Active Dir" in their Display Name property, use:
By using the Windows PowerShell pipeline, you can create readable results. For example:
Install-WindowsFeature | Format-List
Install-WindowsFeature | select-object | Format-List
Note how using the Select-Object cmdlet with the -ExpandProperty argument returns interesting data:
NOTE
The Select-Object -ExpandProperty argument slows down overall installation performance slightly.
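As an added example (not from the original page), the role installation and the Get-WindowsFeature pipeline filter described above, combined into one script that checks the installation result before reporting which Active Directory features are present; it assumes an elevated session on Windows Server 2012 or later.

```powershell
# Added example: install the AD DS role binaries with the management tools, then verify
# the outcome with a Where-Object filter on Get-WindowsFeature (which has no filter of its own).
# Assumes an elevated PowerShell session with the ServerManager module available.
Import-Module ServerManager

# Install the role plus its RSAT tools (the page recommends -IncludeManagementTools).
$result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

if (-not $result.Success) {
    throw "AD DS role installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before continuing with domain controller promotion.'
}

# Use the pipeline and $_ (the current object) to find every feature whose DisplayName
# contains "Active Dir" and show its name and install state in a readable table.
Get-WindowsFeature |
    Where-Object { $_.DisplayName -like '*Active Dir*' } |
    Select-Object Name, DisplayName, InstallState |
    Format-Table -AutoSize

# Confirm the role itself is installed before moving on to Install-ADDSForest.
$adds = Get-WindowsFeature -Name AD-Domain-Services
if ($adds.Installed) {
    Write-Host 'AD DS binaries are present; the server can now be promoted.'
}
```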
Install-addsforest
The Install-AddsForest cmdlet only has two phases (prerequisite checking and installation). The two figures
below show the installation phase with the minimum required argument of -domainname .
Install-Addsforest -Confirm
-CreateDNSDelegation
-DatabasePath
-DomainMode
-DomainName
-DomainNetBIOSName
-DNSDelegationCredential
-ForestMode
-Force
-InstallDNS
-LogPath
-NoDnsOnNetwork
-NoRebootOnCompletion
-SafeModeAdministratorPassword
-SkipAutoConfigureDNS
-SkipPreChecks
-SYSVOLPath
-Whatif
NOTE
The -DomainNetBIOSName argument is required if you want to change the automatically generated 15-character
name based on the DNS domain name prefix or if the name exceeds 15 characters.
The equivalent Server Manager Deployment Configuration ADDSDeployment cmdlet and arguments are:
Install-ADDSForest
-DomainName <string>
The equivalent Server Manager Domain Controller Options ADDSDeployment cmdlet arguments are:
The Install-ADDSForest arguments follow the same defaults as Server Manager if not specified.
The SafeModeAdministratorPassword argument's operation is special:
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is
the preferred usage when running the cmdlet interactively.
For example, to create a new forest named corp.contoso.com and be prompted to enter and confirm a
masked password:
If specified with a value, the value must be a secure string. This is not the preferred usage when running
the cmdlet interactively.
For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a
secure string:
WARNING
As the previous option does not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
Finally, you could store the obfuscated password in a file, and then reuse it later, without the clear text password
ever appearing. For example:
$file = "c:\pw.txt"
$pw = read-host -prompt "Password:" -assecurestring
$pw | ConvertFrom-SecureString | Set-Content $file
WARNING
Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script
or looking over your shoulder knows the DSRM password of that domain controller. Anyone with access to the file could
reverse that obfuscated password. With that knowledge, they can logon to a DC started in DSRM and eventually
impersonate the domain controller itself, elevating their privileges to the highest level in an Active Directory forest. An
additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope.
The best practice is to totally avoid password storage.
The ADDSDeployment cmdlet offers an additional option to skip automatic configuration of DNS client settings,
forwarders, and root hints. You cannot skip this configuration option when using Server Manager. This
argument matters only if you installed the DNS Server role prior to configuring the domain controller:
-SkipAutoConfigureDNS
-domainnetbiosname <string>
-databasepath <string>
-logpath <string>
-sysvolpath <string>
Use the optional Whatif argument with the Install-ADDSForest cmdlet to review configuration information.
This enables you to see the explicit and implicit values of a cmdlet's arguments.
For example:
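As an added example (not from the original page) covering both the SafeModeAdministratorPassword handling and the -WhatIf review described above: the DSRM password is read twice as a secure string and compared without storing it anywhere, then the forest deployment is previewed with -WhatIf. The domain name and paths are constructed samples; the session is assumed to be elevated with the AD DS role already installed.

```powershell
# Added example: confirm the DSRM password interactively (Read-Host alone does not confirm it),
# then preview Install-ADDSForest with -WhatIf before running the real promotion.
# Assumes an elevated session on a server where the AD DS role binaries are installed.
Import-Module ADDSDeployment

function Read-ConfirmedSecureString {
    param([string]$Prompt = 'DSRM password')
    while ($true) {
        $first  = Read-Host -Prompt $Prompt -AsSecureString
        $second = Read-Host -Prompt "Confirm $Prompt" -AsSecureString
        # Compare through BSTR pointers so the clear text is zeroed right after the check.
        $p1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($first)
        $p2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($second)
        try {
            $s1 = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($p1)
            $s2 = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($p2)
            $match = ($s1.Length -gt 0) -and ($s1 -ceq $s2)   # case-sensitive compare
        }
        finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p1)
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p2)
            $s1 = $null; $s2 = $null
        }
        if ($match) { return $first }
        Write-Warning 'Entries were empty or did not match; try again.'
    }
}

$dsrm = Read-ConfirmedSecureString

# The same arguments Server Manager exports via View Script, passed by splatting.
$params = @{
    DomainName                    = 'corp.contoso.com'   # constructed sample name
    DomainNetBIOSName             = 'CORP'
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    InstallDNS                    = $true
    CreateDNSDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SYSVOLPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
}

# -WhatIf shows the explicit and implicit argument values without changing the server.
Install-ADDSForest @params -WhatIf

# For the real promotion, drop -WhatIf and add -Force to accept the reboot prompt:
# Install-ADDSForest @params -Force
```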
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when
using the AD DS Deployment cmdlet using the following argument:
-skipprechecks
WARNING
Microsoft discourages skipping the prerequisite check as it can lead to a partial domain controller promotion or damaged
AD DS forest.
Note how, just like Server Manager, Install-ADDSForest reminds you that promotion will reboot the server
automatically.
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any
ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end
of promotion, use the -norebootoncompletion argument.
WARNING
Overriding the reboot is discouraged. The domain controller must reboot to function correctly.
See Also
Active Directory Domain Services (TechNet Portal)
Active Directory Domain Services for Windows Server 2008 R2
Active Directory Domain Services for Windows Server 2008
Windows Server Technical Reference (Windows Server 2003)
Active Directory Administrative Center: Getting Started (Windows Server 2008 R2)
Active Directory Administration with Windows PowerShell (Windows Server 2008 R2)
Ask the Directory Services Team (Official Microsoft Commercial Technical Support Blog)
Install a Replica Windows Server 2012 Domain
Controller in an Existing Domain (Level 200)
3/5/2021 • 12 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic covers the steps necessary to upgrade an existing forest or domain to Windows Server 2012, using
either Server Manager or Windows PowerShell. It covers how to add domain controllers that run Windows
Server 2012 to an existing domain.
Upgrade and Replica Workflow
Upgrade and Replica Windows PowerShell
Deployment
Install-AddsDomainController -SkipPreChecks
-DomainName
-SafeModeAdministratorPassword
-SiteName
-ADPrepCredential
-ApplicationPartitionsToReplicate
-AllowDomainControllerReinstall
-Confirm
-CreateDNSDelegation
-Credential
-CriticalReplicationOnly
-DatabasePath
-DNSDelegationCredential
-Force
-InstallationMediaPath
-InstallDNS
-LogPath
-MoveInfrastructureOperationMasterRoleIfNecessary
-NoDnsOnNetwork
-NoGlobalCatalog
-Norebootoncompletion
-ReplicationSourceDC
-SkipAutoConfigureDNS
-SiteName
-SystemKey
-SYSVOLPath
-UseExistingAccount
-Whatif
NOTE
The -credential argument is only required if you are not already logged on as a member of the Enterprise Admins and
Schema Admins groups (if you are upgrading the forest) or the Domain Admins group (if you are adding a new DC to an
existing domain).
Deployment
Deployment Configuration
Server Manager begins every domain controller promotion with the Deployment Configuration page. The
remaining options and required fields change on this page and subsequent pages, depending on which
deployment operation you select.
To upgrade an existing forest or add a writable domain controller to an existing domain, click Add a domain
controller to an existing domain and click Select to Specify the domain information for this domain .
Server Manager prompts you for valid credentials if needed.
Upgrading the forest requires credentials that include group memberships in both the Enterprise Admins and
Schema Admins groups in Windows Server 2012. The Active Directory Domain Services Configuration Wizard
prompts you later if your current credentials do not have adequate permissions or group memberships.
The automatic Adprep process is the only operational difference between adding a domain controller to an
existing Windows Server 2012 domain and a domain where domain controllers run an earlier version of
Windows Server.
The Deployment Configuration ADDSDeployment cmdlet and arguments are:
Install-AddsDomainController
-domainname <string>
-credential <pscredential>
Certain tests run on each page, some of which repeat later as discrete prerequisite checks. For instance, if
the selected domain does not meet the minimum functional level, you find out immediately rather than having to
go all the way through promotion to the prerequisite check.
The Domain Controller Options page specifies the domain controller capabilities for the new domain
controller. The configurable domain controller capabilities are DNS server, Global Catalog, and Read-only
domain controller. Microsoft recommends that all domain controllers provide DNS and GC services for high
availability in distributed environments. GC is always selected by default, and DNS server is selected by default if
the current domain already hosts DNS on its DCs, as determined by a Start of Authority query. The Domain
Controller Options page also enables you to choose the appropriate Active Directory logical site name from the
forest configuration. By default, it selects the site whose subnet definition matches the server's IP address. If there
is only one site, it is selected automatically.
NOTE
If the server does not belong to an Active Directory subnet and there is more than one Active Directory site, nothing is
selected and the Next button is unavailable until you choose a site from the list.
The specified Directory Services Restore Mode Password must adhere to the password policy applied to
the server. Always choose a strong, complex password or, preferably, a passphrase.
The Domain Controller Options ADDSDeployment arguments are:
IMPORTANT
The site name must already exist when provided as an argument to -sitename . The install-AddsDomainController
cmdlet does not create sites. You can use cmdlet new-adreplicationsite to create new sites.
If -SafeModeAdministratorPassword is specified with a value, the value must be a secure string. This is not
the preferred usage when running the cmdlet interactively.
For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a
secure string:
WARNING
As the previous option does not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
Finally, you could store the obfuscated password in a file and reuse it later, without the clear-text password
ever appearing. For example:
$file = "c:\pw.txt"
$pw = read-host -prompt "Password:" -assecurestring
$pw | ConvertFrom-SecureString | Set-Content $file
WARNING
Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script
or looking over your shoulder knows the DSRM password of that domain controller. Anyone with access to the file could
reverse that obfuscated password. With that knowledge, they can log on to a DC started in DSRM and eventually
impersonate the domain controller itself, elevating their privileges to the highest level in an Active Directory forest. An
additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope.
The best practice is to avoid password storage entirely.
The ADDSDeployment cmdlet offers an additional option to skip automatic configuration of DNS client settings,
forwarders, and root hints. You cannot skip this configuration option when using Server Manager. This
argument matters only if you installed the DNS Server role prior to configuring the domain controller:
-SkipAutoConfigureDNS
The Domain Controller Options page warns that you cannot create read only domain controllers if your
existing domain controllers run Windows Server 2003. This is expected, and you can dismiss the warning.
-creatednsdelegation
-dnsdelegationcredential <pscredential>
For more information about whether you need to create a DNS delegation, see Understanding Zone Delegation.
Additional Options
The Additional Options page provides the configuration option to name a domain controller as the replication
source, or you can use any domain controller as the replication source.
You can also choose to install the domain controller using backed up media using the Install from media (IFM)
option. The Install from media checkbox provides a browse option once selected and you must click Verify to
ensure the provided path is valid media. Media used by the IFM option is created with Windows Server Backup
or Ntdsutil.exe from another existing Windows Server 2012 computer only; you cannot use a Windows Server
2008 R2 or previous operating system to create media for a Windows Server 2012 domain controller. For more
information about changes in IFM, see Simplified Administration Appendix. If using media protected with a
SYSKEY, Server Manager prompts for the image's password during verification.
-replicationsourcedc <string>
-installationmediapath <string>
-syskey <secure string>
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the database
transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot%.
The Active Directory Paths ADDSDeployment cmdlet arguments are:
-databasepath <string>
-logpath <string>
-sysvolpath <string>
Preparation Options
The Preparation Options page alerts you that the AD DS configuration includes extending the Schema
(forestprep) and updating the domain (domainprep). You only see this page when the forest and domain have
not been prepared by previous Windows Server 2012 domain controller installation or from manually running
Adprep.exe. For example, the Active Directory Domain Services Configuration Wizard suppresses this page if
you add a new domain controller to an existing Windows Server 2012 forest root domain.
Extending the Schema and updating the domain do not occur when you click Next . These events occur only
during the installation phase. This page simply brings awareness about the events that will occur later in the
installation.
This page also validates that the current user credentials are members of the Schema Admin and Enterprise
Admins groups, as you need membership in these groups to extend the schema or prepare a domain. Click
Change to provide the adequate user credentials if the page informs you that the current credentials do not
provide sufficient permissions.
-adprepcredential <pscredential>
IMPORTANT
As with previous versions of Windows Server, automated domain preparation for domain controllers that run Windows
Server 2012 does not run GPPREP. Run adprep.exe /gpprep manually for all domains that were not previously prepared
for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. You should run GPPrep only once in the
history of a domain, not with every upgrade. Adprep.exe does not run /gpprep automatically because its operation can
cause all files and folders in the SYSVOL folder to re-replicate on all domain controllers.
Automatic RODCPrep runs when you promote the first un-staged RODC in a domain. It does not occur when you
promote the first writeable Windows Server 2012 domain controller. You can also still manually adprep.exe /rodcprep if
you plan to deploy read-only domain controllers.
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
-CreateDNSDelegation `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "root.fabrikam.com" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-SiteName "Default-First-Site-Name" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-Force:$true
NOTE
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may
change between future versions of Windows or service packs). The one exception to this is the
-safemodeadministratorpassword argument (which is deliberately omitted from the script). To force a confirmation
prompt, omit the value when running the cmdlet interactively.
Use the optional Whatif argument with the Install-ADDSDomainController cmdlet to review configuration
information. This enables you to see the explicit and implicit values of the arguments for a cmdlet.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the
domain and forest are capable of supporting a new Windows Server 2012 domain controller.
When installing a new domain controller, the Server Manager Active Directory Domain Services Configuration
Wizard invokes a series of serialized modular tests. These tests alert you with suggested repair options. You can
run the tests as many times as required. The domain controller process cannot continue until all prerequisite
tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older
operating systems.
For more information about the specific prerequisite checks, see Prerequisite Checking.
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when
using the AD DS Deployment cmdlet using the following argument:
-skipprechecks
WARNING
Microsoft discourages skipping the prerequisite check as it can lead to a partial domain controller promotion or damaged
AD DS forest.
Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the
installation. You cannot cancel the promotion process once it begins. The computer will reboot automatically at the
end of promotion, regardless of the promotion results. The Prerequisites Check page displays any issues it
encountered during the process and guidance for resolving them.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or
canceled. Detailed operations display on this page and are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
%systemroot%\debug\adprep\logs
%systemroot%\debug\netsetup.log (if server is in a workgroup)
To install a new Active Directory forest using the ADDSDeployment module, use the following cmdlet:
Install-addsdomaincontroller
See Upgrade and Replica Windows PowerShell for required and optional arguments.
The Install-AddsDomainController cmdlet only has two phases (prerequisite checking and installation). The
two figures below show the installation phase with the minimum required arguments of -domainname and -
credential . Note how the Adprep operation happens automatically as part of adding the first Windows Server
2012 domain controller to an existing Windows Server 2003 forest:
Note how, just like Server Manager, Install-ADDSDomainController reminds you that promotion will reboot
the server automatically. To accept the reboot prompt automatically, use the -force or -confirm:$false
arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically
rebooting at the end of promotion, use the -norebootoncompletion argument.
WARNING
Overriding the reboot is discouraged. The domain controller must reboot to function correctly.
To configure a domain controller remotely using Windows PowerShell, wrap the Install-ADDSDomainController
cmdlet in a script block (the curly braces are required) and pass it to the Invoke-Command cmdlet.
For example:
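The following is an added example of that pattern; it is not code from the original page. It assumes a target server named DC02 that already has WinRM enabled, a domain named corp.contoso.com and a site named Default-First-Site-Name; all three names are placeholders. The promotion credential and the DSRM password are collected locally, because Get-Credential and Read-Host cannot prompt inside a remote session, and are passed to the script block through -ArgumentList. Test-ADDSDomainControllerInstallation runs only the prerequisite phase, so the script stops before anything is changed if a check fails instead of reaching for -SkipPreChecks.

```powershell
# Added example (not from the original page): promote a remote server to a
# replica domain controller over PowerShell remoting.
# Assumptions: target server DC02, domain corp.contoso.com, site
# Default-First-Site-Name, WinRM already enabled on DC02. All are placeholders.

$target     = 'DC02'
$domainName = 'corp.contoso.com'
$siteName   = 'Default-First-Site-Name'

# Collect secrets locally: interactive prompts do not work inside the remote
# script block, and a missing DSRM password would make the remote cmdlet hang.
$promoteCred  = Get-Credential -Message "Domain Admins account used for promotion"
$dsrmPassword = Read-Host -Prompt "DSRM password for $target" -AsSecureString

Invoke-Command -ComputerName $target -Credential $promoteCred -ScriptBlock {
    param(
        [string]$DomainName,
        [string]$SiteName,
        [pscredential]$Cred,
        [securestring]$Dsrm
    )

    Import-Module ADDSDeployment

    # The same parameter set is used for the prerequisite-only run and the install.
    $common = @{
        DomainName                    = $DomainName
        SiteName                      = $SiteName
        Credential                    = $Cred
        SafeModeAdministratorPassword = $Dsrm
        InstallDns                    = $true
        NoGlobalCatalog               = $false
    }

    # Run only the prerequisite checks first. Stop on failure instead of using
    # -SkipPreChecks, which the page warns can leave a damaged forest.
    $pre = Test-ADDSDomainControllerInstallation @common
    if ($pre.Status -ne 'Success') {
        $pre.Message | ForEach-Object { Write-Warning $_ }
        throw "Prerequisite check failed on $env:COMPUTERNAME; promotion not started."
    }

    # -Force suppresses the reboot confirmation that would otherwise block a
    # non-interactive remote session. The server reboots when promotion finishes,
    # so the remoting session is expected to drop at that point.
    Install-ADDSDomainController @common -Force:$true
} -ArgumentList $domainName, $siteName, $promoteCred, $dsrmPassword
```

Because the remote session ends with the reboot, confirm the outcome afterwards from %systemroot%\debug\dcpromo.log on the new domain controller rather than from the output of Invoke-Command.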
NOTE
For more information on how the installation and Adprep process works, see the Troubleshooting Domain Controller
Deployment.
Results
The Results page shows the success or failure of the promotion and any important administrative information.
If successful, the domain controller will automatically reboot after 10 seconds.
As with previous versions of Windows Server, automated domain preparation for domain controllers that run
Windows server 2012 does not run GPPREP. Run adprep.exe /gpprep manually for all domains that were not
previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. You should
run GPPrep only once in the history of a domain, not with every upgrade. Adprep.exe does not run /gpprep
automatically because its operation can cause all files and folders in the SYSVOL folder to re-replicate on all
domain controllers.
Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)
3/23/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains how to add child and tree domains to an existing Windows Server 2012 forest, using Server
Manager or Windows PowerShell.
Child and Tree Domain Workflow
Child and Tree Domain Windows PowerShell
Deployment
Install-AddsDomain -SkipPreChecks
-NewDomainName
-ParentDomainName
-SafeModeAdministratorPassword
-ADPrepCredential
-AllowDomainReinstall
-Confirm
-CreateDNSDelegation
-Credential
-DatabasePath
-DNSDelegationCredential
-NoDNSOnNetwork
-DomainMode
-DomainType
-Force
-InstallDNS
-LogPath
-NewDomainNetBIOSName
-NoGlobalCatalog
-Norebootoncompletion
-ReplicationSourceDC
-SiteName
-SkipAutoConfigureDNS
-SYSVOLPath
-Whatif
NOTE
The -credential argument is only required when you are not currently logged on as a member of the Enterprise Admins
group. The -NewDomainNetBIOSName argument is required if you want to change the automatically generated 15-
character name based on the DNS domain name prefix or if the name exceeds 15 characters.
Deployment
Deployment Configuration
The following screenshot shows the options for adding a child domain:
The following screenshot shows the options for adding a tree domain:
Server Manager begins every domain controller promotion with the Deployment Configuration page. The
remaining options and required fields change on this page and subsequent pages, depending on which
deployment operation you select.
This topic combines two discrete operations: child domain promotion and tree domain promotion. The only
difference between the two operations is the domain type that you choose to create. All of the other steps are
identical between the two operations.
To create a new child domain, click Add a domain to an existing Forest and choose Child Domain .
For Parent domain name , type or select the name of the parent domain. Then type the name of the new
domain in the New domain name box. Provide a valid, single-label child domain name; the name must
use DNS domain name requirements.
To create a tree domain within an existing forest, click Add a domain to an existing Forest and choose
Tree Domain . Type the name of the forest root domain, and then type the name of the new domain.
Provide a valid, fully qualified root domain name; the name cannot be single-labeled and must use DNS
domain name requirements.
For more information about DNS names, see Naming conventions in Active Directory for computers, domains,
sites, and OUs.
The Server Manager Active Directory Domain Services Configuration Wizard prompts you for domain
credentials if your current credentials are not from the domain. Click Change to provide domain credentials for
the promotion operation.
The Deployment Configuration ADDSDeployment cmdlet and arguments are:
Install-AddsDomain
-domaintype <{childdomain | treedomain}>
-parentdomainname <string>
-newdomainname <string>
-credential <pscredential>
The Domain Controller Options page specifies the domain controller options for the new domain controller.
The configurable domain controller options include DNS server and Global Catalog; you cannot configure a
read-only domain controller as the first domain controller in a new domain.
Microsoft recommends that all domain controllers provide DNS and GC services for high availability in
distributed environments. GC is always selected by default and DNS is selected by default if the current domain
hosts DNS already on its DCs, based on a Start-of-Authority query. You must also specify a Domain functional
level . The default functional level is Windows Server 2012, and you can choose any other value that is equal to
or greater than the current forest functional level.
The Domain Controller Options page also enables you to choose the appropriate Active Directory logical
site name from the forest configuration. By default, the site with the most correct subnet is selected. If there is
only one site, it is selected automatically.
IMPORTANT
If the server does not belong to an Active Directory subnet and there is more than one Active Directory site, nothing is
selected and the Next button is unavailable until you choose a site from the list.
The specified Directory Services Restore Mode Password must adhere to the password policy applied to
the server. Always choose a strong, complex password or, preferably, a passphrase.
The Domain Controller Options ADDSDeployment cmdlet arguments are:
IMPORTANT
The site name must already exist when provided as a value to the -sitename argument. The Install-ADDSDomain
cmdlet does not create sites. You can use the New-ADReplicationSite cmdlet to create new sites.
The Install-ADDSDomain cmdlet arguments follow the same defaults as Server Manager if not specified.
The SafeModeAdministratorPassword argument's operation is special:
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is
the preferred usage when running the cmdlet interactively.
For example, to create a new child domain named NorthAmerica in the Contoso.com forest and be
prompted to enter and confirm a masked password:
If specified with a value, the value must be a secure string. This is not the preferred usage when running
the cmdlet interactively.
For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a
secure string:
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
Finally, you could store the obfuscated password in a file, and then reuse it later, without the clear text password
ever appearing. For example:
$file = "c:\pw.txt"
$pw = read-host -prompt "Password:" -assecurestring
$pw | ConvertFrom-SecureString | Set-Content $file
WARNING
Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script
or looking over your shoulder knows the DSRM password of that domain controller. Anyone with access to the file could
reverse that obfuscated password. With that knowledge, they can log on to a DC started in DSRM and eventually
impersonate the domain controller itself, elevating their privileges to the highest level in an AD forest. An additional set of
steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice
is to avoid password storage entirely.
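The three ways of supplying the DSRM password that this section and the replica domain controller section above describe (omit the argument and let the cmdlet prompt and confirm, prompt yourself with Read-Host, or reuse an obfuscated file) are spelled out in the added example below, selectable with a -PasswordSource switch. This is not code from the original page. The NorthAmerica child domain under Contoso.com comes from the text; the credential prompt text and the file path C:\pw.txt are assumptions. One caveat the warning above does not state: ConvertFrom-SecureString without -Key protects the string with DPAPI under the profile of the account that ran it on the machine where it ran, so the file cannot be read back by another account or on another host, while supplying -Key turns it into an obfuscation that anyone holding the key can reverse. Neither form makes storing the DSRM password acceptable.

```powershell
# Added example (not from the original page): the three ways to supply the DSRM
# password to Install-ADDSDomain, from preferred to discouraged, chosen with
# -PasswordSource. NorthAmerica under Contoso.com comes from the text; the
# credential prompt text and the default file path are assumptions.
param(
    [ValidateSet('Prompt', 'ReadHost', 'File')]
    [string]$PasswordSource = 'Prompt',
    [string]$PasswordFile = 'C:\pw.txt'
)

Import-Module ADDSDeployment

# Parameters shared by every variant.
$domainArgs = @{
    DomainType       = 'ChildDomain'
    ParentDomainName = 'Contoso.com'
    NewDomainName    = 'NorthAmerica'
    Credential       = (Get-Credential -Message 'Enterprise Admins account')
}

switch ($PasswordSource) {
    'Prompt' {
        # Preferred for interactive use: omit -SafeModeAdministratorPassword and
        # the cmdlet prompts for the password twice and compares the two entries.
        Install-ADDSDomain @domainArgs
    }
    'ReadHost' {
        # Prompt yourself. Read-Host has no confirmation step, so a typo silently
        # becomes the DSRM password of the new domain's first DC.
        $dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString
        Install-ADDSDomain @domainArgs -SafeModeAdministratorPassword $dsrm
    }
    'File' {
        # Discouraged: reuse a file written earlier with
        #   $pw | ConvertFrom-SecureString | Set-Content $PasswordFile
        # Without -Key that file is DPAPI-protected to the account and machine that
        # wrote it, so ConvertTo-SecureString throws for anyone else; with -Key it is
        # an obfuscation reversible by anyone holding the key. Either way the
        # password exists on disk, which is the problem.
        if (-not (Test-Path -LiteralPath $PasswordFile)) {
            throw "Password file '$PasswordFile' not found."
        }
        $dsrm = Get-Content -LiteralPath $PasswordFile | ConvertTo-SecureString
        try {
            Install-ADDSDomain @domainArgs -SafeModeAdministratorPassword $dsrm
        }
        finally {
            # Do not leave the stored password behind once promotion has consumed it.
            Remove-Item -LiteralPath $PasswordFile -Force
        }
    }
}
```

Run the script with no arguments for the interactive prompt-and-confirm path; the other two paths exist to show exactly where the confirmation and the on-disk copy are lost.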
The ADDSDeployment module offers an additional option to skip automatic configuration of DNS client settings,
forwarders, and root hints. This is not configurable when using Server Manager. This argument matters only if
you already installed the DNS Server service prior to configuring the domain controller:
-SkipAutoConfigureDNS
The DNS Options page enables you to provide alternate DNS Admin credentials for delegation.
When installing a new domain in an existing forest - where you selected DNS installation on the Domain
Controller Options page - you cannot configure any options; the delegation happens automatically and
irrevocably. You have the option to provide alternate DNS administrative credentials with rights to update that
structure.
The DNS Options ADDSDeployment Windows PowerShell arguments are:
-creatednsdelegation
-dnsdelegationcredential <pscredential>
For more information about DNS delegation, see Understanding Zone Delegation.
Additional Options
The Additional Options page shows the NetBIOS name of the domain and enables you to override it. By
default, the NetBIOS domain name matches the left-most label of the fully qualified domain name provided on
the Deployment Configuration page. For example, if you provided the fully qualified domain name of
corp.contoso.com, the default NetBIOS domain name is CORP.
If the name is 15 characters or less and does not conflict with another NetBIOS name, it is unaltered. If it does
conflict with another NetBIOS name, a number is appended to the name. If the name is more than 15 characters,
the wizard provides a unique, truncated suggestion. In either case, the wizard first validates the name is not
already in use via a WINS lookup and NetBIOS broadcast.
For more information about DNS names, see Naming conventions in Active Directory for computers, domains,
sites, and OUs.
The Install-AddsDomain arguments follow the same defaults as Server Manager if not specified. The
-NewDomainNetBIOSName argument is special:
1. If the NewDomainNetBIOSName argument is not specified and the single-label prefix of the
NewDomainName argument is 15 characters or fewer, then promotion continues with an automatically
generated name.
2. If the NewDomainNetBIOSName argument is not specified and the single-label prefix of the
NewDomainName argument is 16 characters or more, then promotion fails.
3. If the NewDomainNetBIOSName argument is specified with a NetBIOS domain name of 15 characters
or fewer, then promotion continues with that specified name.
4. If the NewDomainNetBIOSName argument is specified with a NetBIOS domain name of 16 characters
or more, then promotion fails.
The Additional Options ADDSDeployment cmdlet argument is:
-newdomainnetbiosname <string>
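The four rules above can be checked before promotion rather than discovered when Install-ADDSDomain fails. The added example below (not code from the original page) derives the default name the same way the page describes, rejects anything over 15 characters, and additionally refuses a name already used by a domain in the forest, which is the conflict the wizard detects but the cmdlet rules above do not mention. It assumes the ActiveDirectory module is installed and a domain controller of the forest is reachable; the wizard's WINS lookup and NetBIOS broadcast are not reproduced, so a clash with a non-domain NetBIOS name would still surface only at promotion time. The domain names in the usage line are placeholders.

```powershell
# Added example (not from the original page): pre-flight check that applies the
# four -NewDomainNetBIOSName rules before calling Install-ADDSDomain and also
# rejects a name already used by a domain in the forest.
# Assumptions: ActiveDirectory module installed, a forest DC reachable. The
# wizard's WINS lookup and NetBIOS broadcast are not reproduced.
function Resolve-NewDomainNetBIOSName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$NewDomainName,
        [string]$NewDomainNetBIOSName,
        [switch]$SkipForestCheck
    )

    # Default: the single-label prefix of the new DNS name, upper-cased, which is
    # what the page says the wizard generates (CORP for corp.contoso.com).
    $candidate = if ($NewDomainNetBIOSName) { $NewDomainNetBIOSName }
                 else { ($NewDomainName -split '\.')[0] }
    $candidate = $candidate.ToUpperInvariant()

    # Rules 2 and 4: 16 or more characters fails, whether derived or explicit.
    if ($candidate.Length -gt 15) {
        throw ("NetBIOS name '{0}' is {1} characters; Install-ADDSDomain fails above 15. " +
               "Pass -NewDomainNetBIOSName with a shorter name.") -f $candidate, $candidate.Length
    }

    # Collision check against every domain already in the forest.
    if (-not $SkipForestCheck) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $inUse = foreach ($d in (Get-ADForest).Domains) { (Get-ADDomain -Identity $d).NetBIOSName }
        if ($inUse -contains $candidate) {
            throw "NetBIOS name '$candidate' is already used by a domain in this forest."
        }
    }

    # Rules 1 and 3: promotion can proceed with this name.
    return $candidate
}

# Usage: validate first, then pass the result explicitly so the promotion does not
# depend on the cmdlet's own derivation. Names below are placeholders.
$netbios = Resolve-NewDomainNetBIOSName -NewDomainName 'research'
Install-ADDSDomain -DomainType ChildDomain -ParentDomainName 'corp.contoso.com' `
    -NewDomainName 'research' -NewDomainNetBIOSName $netbios -Credential (Get-Credential)
```

For a tree domain, pass the fully qualified name (for example fabrikam.com) as -NewDomainName; the function takes the left-most label, matching the default described above.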
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the data base
transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot%.
The Paths ADDSDeployment cmdlet arguments are:
-databasepath <string>
-logpath <string>
-sysvolpath <string>
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomain `
-NoGlobalCatalog:$false `
-CreateDNSDelegation `
-Credential (Get-Credential) `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainType "ChildDomain" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-NewDomainName "research" `
-NewDomainNetBIOSName "RESEARCH" `
-ParentDomainName "corp.contoso.com" `
-Norebootoncompletion:$false `
-SiteName "Default-First-Site-Name" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-Force:$true
NOTE
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may
change between future versions of Windows or service packs). The one exception to this is the
-safemodeadministratorpassword argument (which is deliberately omitted from the script). To force a confirmation
prompt, omit the value when running the cmdlet interactively.
Use the optional -Whatif argument with the Install-ADDSDomain cmdlet to review configuration information.
This enables you to see the explicit and implicit values of the arguments for a cmdlet.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the
server configuration and the forest are capable of supporting a new AD DS domain.
When installing a new domain, the Server Manager Active Directory Domain Services Configuration Wizard
invokes a series of serialized modular tests. These tests alert you with suggested repair options. You can run the
tests as many times as required. The domain controller process cannot continue until all prerequisite tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older
operating systems.
For more information on the specific prerequisite checks, see Prerequisite Checking.
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when
using the AD DS Deployment cmdlet using the following argument:
-skipprechecks
WARNING
Microsoft discourages skipping the prerequisite check as it can lead to a partial domain controller promotion or damaged
AD DS forest.
Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the
installation. You cannot cancel the promotion process once it begins. The computer will reboot automatically at the
end of promotion, regardless of the promotion results.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or
canceled. Detailed operations display on this page and are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
To install a new Active Directory domain using the ADDSDeployment module, use the following cmdlet:
Install-addsdomain
See Child and Tree Domain Windows PowerShell for required and optional arguments. The Install-ADDSDomain
cmdlet only has two phases (prerequisite checking and installation). The two figures below show the installation
phase with the minimum required arguments of -domaintype, -newdomainname, -parentdomainname, and
-credential. Note how, just like Server Manager, Install-ADDSDomain reminds you that promotion will reboot
the server automatically.
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any
ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end
of promotion, use the -norebootoncompletion argument.
WARNING
Overriding the reboot is not recommended. The domain controller must reboot to function correctly.
Results
The Results page shows the success or failure of the promotion and any important administrative information.
The domain controller will automatically reboot after 10 seconds.
Install a Windows Server 2012 Active Directory Read-Only Domain Controller (RODC) (Level 200)
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains how to create a staged RODC account and then attach a server to that account during RODC
installation. This topic also explains how to install an RODC without performing a staged installation.
Add-addsreadonlydomaincontrolleraccount -SkipPreChecks
-DomainControllerAccountName
-DomainName
-SiteName
-AllowPasswordReplicationAccountName
-Credential
-DelegatedAdministratorAccountName
-DenyPasswordReplicationAccountName
-NoGlobalCatalog
-InstallDNS
-ReplicationSourceDC
NOTE
The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.
Install-AddsDomaincontroller -SkipPreChecks
-DomainName
-SafeModeAdministratorPassword
-ApplicationPartitionsToReplicate
-CreateDNSDelegation
-Credential
-CriticalReplicationOnly
-DatabasePath
-DNSDelegationCredential
-InstallationMediaPath
-LogPath
-Norebootoncompletion
-ReplicationSourceDC
-SystemKey
-SYSVOLPath
-UseExistingAccount
NOTE
The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.
Staging
You perform the staging operation of a read-only domain controller computer account by opening the Active
Directory Administrative Center (Dsac.exe). Click the name of the domain in the navigation pane. Double-click
Domain Controllers in the management list. Click Pre-create a Read-only domain controller account in
the tasks pane.
For more information about the Active Directory Administrative Center, see Advanced AD DS Management
Using Active Directory Administrative Center (Level 200) and review Active Directory Administrative Center:
Getting Started.
If you have experience creating read-only domain controllers, you will discover that the installation wizard has
the same graphical interface as seen when using the older Active Directory Users and Computers snap-in from
Windows Server 2008 and uses the same code, which includes exporting the configuration in the unattend file
format used by the obsolete dcpromo.
Windows Server 2012 introduces a new ADDSDeployment cmdlet to stage RODC computer accounts, but the
wizard does not use the cmdlet for its operation. The following sections display the equivalent cmdlet and
arguments in order to make the information associated with each easier to understand.
The Pre-create a Read-only domain controller account link in the Active Directory Administrative Center's
task pane is equivalent to the ADDSDeployment Windows PowerShell cmdlet:
Add-addsreadonlydomaincontrolleraccount
Welcome
The Welcome to the Active Directory Domain Services Installation Wizard dialog has one option
named Use advanced mode installation. Select this option and click Next to show password replication
policy options. Clear this option to use the default values for password replication policy options (this is
discussed in further detail later in this section).
Network Credentials
The domain name option in the Network Credentials dialog displays the domain targeted by the Active
Directory Administrative Center by default. Your current credentials are used by default. If they do not include
membership in the Domain Admins group, click Alternate Credentials , and click Set to provide the wizard
with a user name and password that is a member of Domain Admins.
The equivalent ADDSDeployment Windows PowerShell argument is:
-credential <pscredential>
Keep in mind that the staging system is a direct port from Windows Server 2008 R2 and does not provide the
new Adprep functionality. If you plan to deploy staged RODC accounts, you must either first deploy an un-
staged RODC in that domain so that the automatic rodcprep operation runs, or manually run adprep.exe
/rodcprep first.
Otherwise, you will receive the error "You will not be able to install a read-only domain controller in this domain
because adprep /rodcprep was not yet run."
-domaincontrolleraccountname <string>
Select a Site
The Select a Site dialog shows a list of Active Directory sites for the current forest. The staged read-only
domain controller operation requires you to select a single site from the list. The RODC uses this information to
create its NTDS Settings object in the Configuration partition and join itself to the correct site when it starts for
the first time after being deployed.
The equivalent ADDSDeployment Windows PowerShell argument is:
-sitename <string>
-installdns <{$true | $false}>
-NoGlobalCatalog <{$true | $false}>
NOTE
By default, the -NoGlobalCatalog value is $false, which means the domain controller will be a global catalog server if
the argument is not specified.
IMPORTANT
The wizard shows this dialog only if you select the Use Advanced Mode Installation check box on the welcome
screen. If you clear this check box, then the wizard uses following default groups and values:
Administrators - Deny
Server Operators - Deny
Backup Operators - Deny
Account Operators - Deny
Denied RODC Password Replication Group - Deny
Allowed RODC Password Replication Group - Allow
The Delegation of RODC Installation and Administration dialog enables you to configure a user or group
containing users who are allowed to attach the server to the RODC computer account. Click Set to browse the
domain for a user or group. The user or group specified in this dialog gains local administrative permissions to
the RODC. The specified user or members of the specified group can perform operations on the RODC with
privileges equivalent to the computer's Administrators group. They are not members of the Domain Admins or
domain built-in Administrators groups.
Use this option to delegate branch office administration without granting the branch administrator membership
to the Domain Admins group. Delegating RODC administration is not required.
The equivalent ADDSDeployment Windows PowerShell argument is:
-delegatedadministratoraccountname <string>
Summary
The Summary dialog enables you to confirm your settings. This is the last opportunity to stop the installation
before the wizard creates the staged account. Click Next when you are ready to create the staged RODC
computer account. Click Export Settings to save an answer file in the obsolete dcpromo unattend file format.
Creation
The Active Directory Domain Services Installation Wizard creates the staged read-only domain controller
in Active Directory. You cannot cancel this operation after it starts.
Use the following cmdlet to stage a read-only domain controller computer account using the ADDSDeployment
Windows PowerShell module:
Add-addsreadonlydomaincontrolleraccount
See Stage RODC Windows PowerShell for required and optional arguments.
Because Add-ADDSReadOnlyDomainControllerAccount has only one action with two phases (prerequisite
checking and creation), the creation phase needs only the minimum required arguments:
-DomainControllerAccountName, -DomainName, and -SiteName.
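The staging procedure above, carried through in PowerShell as an added example (this is not code from the original page). The domain corp.contoso.com and the CORP\Chicago group names follow the page's later script; the RODC name RODC01 and the site name Chicago are assumptions. It runs on a Windows Server 2012 or later machine with the AD DS tools installed, under a Domain Admins account.

```powershell
# Added example: stage an RODC computer account with the options the dialogs
# above describe. Assumed names: RODC01, site Chicago, CORP\Chicago groups.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$params = @{
    DomainControllerAccountName         = 'RODC01'
    DomainName                          = 'corp.contoso.com'
    SiteName                            = 'Chicago'
    InstallDns                          = $true
    NoGlobalCatalog                     = $false          # default: the RODC is also a GC
    DelegatedAdministratorAccountName   = 'CORP\Chicago RODC Admins'
    AllowPasswordReplicationAccountName = @(
        'CORP\Allowed RODC Password Replication Group',
        'CORP\Chicago RODC Users and Computers'
    )
    # Privileged groups stay denied so a stolen branch server never holds their secrets.
    DenyPasswordReplicationAccountName  = @(
        'BUILTIN\Administrators',
        'BUILTIN\Server Operators',
        'BUILTIN\Backup Operators',
        'BUILTIN\Account Operators',
        'CORP\Denied RODC Password Replication Group'
    )
    Credential = (Get-Credential -Message 'Domain Admins account for staging')
}

# The site must already exist; the staging cmdlet does not create sites.
if (-not (Get-ADReplicationSite -Identity $params.SiteName -ErrorAction SilentlyContinue)) {
    throw "Site '$($params.SiteName)' does not exist. Create it with New-ADReplicationSite first."
}

# Dry run: prints the explicit and implicit argument values without touching AD.
Add-ADDSReadOnlyDomainControllerAccount @params -WhatIf

# Real run. -Force suppresses the confirmation prompt for unattended use.
Add-ADDSReadOnlyDomainControllerAccount @params -Force

# Verify the unoccupied account now exists in the Domain Controllers container.
Get-ADComputer -Identity $params.DomainControllerAccountName |
    Select-Object Name, DistinguishedName
```

Because the staged account carries the site, DNS, GC, delegation and password replication choices, none of them can be changed when the server is later attached; review the -WhatIf output before the real run.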
The stage RODC operation creates the RODC computer account in Active Directory. The Active Directory
Administrative Center shows the Domain Controller Type as an Unoccupied Domain Controller Account.
This domain controller type indicates that the staged RODC account is ready for a server to attach to it as a
read-only domain controller.
IMPORTANT
The Active Directory Administrative Center is no longer required to attach a server to a read-only domain controller
computer account. Use Server Manager and the Active Directory Domain Services Configuration Wizard or the
ADDSDeployment Windows PowerShell module cmdlet Install-AddsDomainController to attach a new RODC to its
staged account. The steps are similar to adding a new writable domain controller to an existing domain, with the
exception that the staged RODC computer account contains configuration options decided at the time you staged the
RODC computer account.
Attaching
Deployment Configuration
Server Manager begins every domain controller promotion with the Deployment Configuration page. The
remaining options and required fields change on this page and subsequent pages, depending on which
deployment operation you select.
To add a read-only domain controller to an existing domain, select Add a domain controller to an existing
domain and click the Select button to Specify the domain information for this domain . Server Manager
automatically prompts you for valid credentials, or you can click Change .
Attaching an RODC requires membership in the Domain Admins group in Windows Server 2012. The Active
Directory Domain Services Configuration Wizard prompts you later if your current credentials do not have
adequate permissions or group memberships.
The Deployment Configuration ADDSDeployment Windows PowerShell cmdlet and arguments are:
Install-AddsDomainController
-domainname <string>
-credential <pscredential>
The Domain Controller Options page shows the domain controller options for the new domain controller.
When this page loads, the Active Directory Domain Services Configuration Wizard sends an LDAP query to an
existing domain controller to check for unoccupied accounts. If the query finds an unoccupied domain controller
computer account that shares the same name as the current computer, then the wizard displays an
informational message at the top of the page that reads "A Pre-created RODC account that matches the
name of the target server exists in the directory. Choose whether to use this existing RODC
account or reinstall this domain controller." The wizard uses the Use existing RODC account as the
default configuration.
IMPORTANT
You can use the Reinstall this domain controller option when a domain controller has suffered a physical problem
and cannot return to functionality. This saves time when configuring the replacement domain controller, by leaving the
domain controller computer account and object metadata in Active Directory. Install the new computer with the same
name, and promote it as a domain controller in the domain. The Reinstall this domain controller option is unavailable
if you removed the domain controller object's metadata from Active Directory (metadata cleanup).
You cannot configure domain controller options when you are attaching a server to an RODC computer account.
You configure domain controller options when you create the staged RODC computer account.
The specified Directory Services Restore Mode Password must adhere to the password policy applied to
the server. Always choose a strong, complex password or preferably, a passphrase.
The Domain Controller Options ADDSDeployment Windows PowerShell arguments are:
IMPORTANT
The site name must already exist when provided as an argument to -sitename. The Install-ADDSDomainController
cmdlet does not create sites. You can use the New-ADReplicationSite cmdlet to create new sites.
The Install-ADDSDomainController arguments follow the same defaults as Server Manager if not specified.
The SafeModeAdministratorPassword argument's operation is special:
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is
the preferred usage when running the cmdlet interactively, for example when you create a new RODC in
corp.contoso.com and want to be prompted to enter and confirm a masked password.
If specified with a value, the value must be a secure string. This is not the preferred usage when running
the cmdlet interactively. For example, you can manually prompt for a password by using the Read-Host cmdlet
to prompt the user for a secure string.
WARNING
As the previous option does not confirm the password, use extreme caution: the password is not visible, so a
typo becomes the DSRM password unnoticed.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
Finally, you could store the protected password in a file, and then reuse it later, without the clear text password
ever appearing. ConvertFrom-SecureString without a -Key protects the string with DPAPI, so only the same user
account on the same computer can convert it back. For example:
$file = "c:\pw.txt"
$pw = Read-Host -Prompt "Password:" -AsSecureString
$pw | ConvertFrom-SecureString | Set-Content $file
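The three ways of supplying -SafeModeAdministratorPassword described above, including the DPAPI file round trip, as an added example for the attach operation (not code from the original page). The domain corp.contoso.com comes from the page; the file path C:\secure\dsrm.txt and the single Get-Credential prompt are assumptions.

```powershell
# Added example: supplying the DSRM password when attaching a server to its
# staged RODC account. Assumed: file path C:\secure\dsrm.txt, one credential prompt.
Import-Module ADDSDeployment

$cred = Get-Credential -Message 'Domain Admins account for the attach operation'

# 1. Preferred for interactive use: omit the argument and the cmdlet prompts for
#    the DSRM password twice, masked and confirmed. -WhatIf shows the explicit
#    and implicit argument values without promoting.
Install-ADDSDomainController -DomainName 'corp.contoso.com' -UseExistingAccount `
    -Credential $cred -WhatIf

# 2. Prompt yourself with Read-Host. The value is a SecureString, but nothing
#    confirms it, so a mistyped password is accepted silently.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# 3. Store it protected and reuse it later. Without -Key, ConvertFrom-SecureString
#    encrypts with DPAPI for the current user on this computer: only that user on
#    this host can convert it back, and so can any process running as that user.
$file = 'C:\secure\dsrm.txt'
New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
$dsrm | ConvertFrom-SecureString | Set-Content -Path $file
# Limit the file to the current user (drop inherited ACEs, grant Modify to this account only).
icacls $file /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(M)" | Out-Null

# Later, in the same user context on the same host: read it back, remove the file
# before the promotion reboots the server, then promote. -Force skips the reboot prompt.
$dsrmFromFile = Get-Content -Path $file | ConvertTo-SecureString
Remove-Item -Path $file -Force
Install-ADDSDomainController -DomainName 'corp.contoso.com' -UseExistingAccount `
    -Credential $cred -SafeModeAdministratorPassword $dsrmFromFile -Force
```

Option 1 is the only one that catches a typo; options 2 and 3 trade that check for scriptability, and option 3 additionally leaves a recoverable copy of the DSRM password on disk for as long as the file exists.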
Additional Options
The Additional Options page provides configuration options to name a domain controller as the replication
source, or you can use any domain controller as the replication source.
You can also choose to install the domain controller using backed up media using the Install from media (IFM)
option. The Install from media checkbox provides a browse option once selected and you must click Verify to
ensure the provided path is valid media.
Guidelines for the IFM source:
Media used by the IFM option is created with Windows Server Backup or Ntdsutil.exe from another existing
Windows Server Domain Controller with the same operating system version only. For example, you cannot
use a Windows Server 2008 R2 or previous operating system to create media for a Windows Server 2012
domain controller.
The IFM source data should be from a writable Domain Controller. While a source from RODC will technically
work to create a new RODC, there are false positive replication warnings that the IFM source RODC is not
replicating.
For more information about changes in IFM, see Ntdsutil.exe Install from Media Changes. If using media
protected with a SYSKEY, Server Manager prompts for the image's password during verification.
The Additional Options ADDSDeployment cmdlet arguments are:
-replicationsourcedc <string>
-installationmediapath <string>
-systemkey <secure string>
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the database
transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot%.
The Paths ADDSDeployment cmdlet arguments are:
-databasepath <string>
-logpath <string>
-sysvolpath <string>
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "corp.contoso.com" `
-LogPath "C:\Windows\NTDS" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-UseExistingAccount:$true `
-NoRebootOnCompletion:$false `
-Force:$true
NOTE
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may
change between future versions of Windows or service packs). The one exception to this is the
-safemodeadministratorpassword argument. To force a confirmation prompt, omit the value when running the cmdlet
interactively.
Use the optional Whatif argument with the Install-ADDSDomainController cmdlet to review configuration
information. This enables you to see the explicit and implicit values of the arguments for a cmdlet.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This phase validates that the
server configuration is capable of supporting the requested deployment, here a new domain controller.
Before promotion, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of
serialized modular tests. These tests alert you with suggested repair options. You can run the tests as many
times as required. The domain controller installation process cannot continue until all prerequisite tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older
operating systems. For more information about the prerequisite checks, see Prerequisite Checking.
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when
using the AD DS Deployment cmdlet using the following argument:
-skipprechecks
WARNING
Microsoft discourages skipping the prerequisite check as it can lead to a partial domain controller promotion or damaged
AD DS forest.
Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation.
You cannot cancel the promotion process once it begins. The computer will reboot automatically at the end of
promotion, regardless of the promotion results.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or
canceled. Detailed operations display on this page and are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
To attach the server to its staged RODC account using the ADDSDeployment module, use the following cmdlet:
Install-ADDSDomainController
See Attach RODC Windows PowerShell for required and optional arguments.
The Install-ADDSDomainController cmdlet only has two phases (prerequisite checking and installation). The
installation phase needs only the minimum required arguments of -domainname, -useexistingaccount, and
-credential. Just like Server Manager, Install-ADDSDomainController reminds you that promotion will reboot the
server automatically.
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any
ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end
of promotion, use the -norebootoncompletion argument.
WARNING
Overriding the reboot is discouraged. The domain controller must reboot to function correctly.
Results
The Results page shows the success or failure of the promotion and any important administrative information.
The domain controller will automatically reboot after 10 seconds.
Install-AddsDomainController
-SkipPreChecks
-DomainName
-SafeModeAdministratorPassword
-SiteName
-ApplicationPartitionsToReplicate
-CreateDNSDelegation
-Credential
-CriticalReplicationOnly
-DatabasePath
-DNSDelegationCredential
-DNSOnNetwork
-InstallationMediaPath
-InstallDNS
-LogPath
-MoveInfrastructureOperationMasterRoleIfNecessary
-NoGlobalCatalog
-Norebootoncompletion
-ReplicationSourceDC
-SkipAutoConfigureDNS
-SystemKey
-SYSVOLPath
-AllowPasswordReplicationAccountName
-DelegatedAdministratorAccountName
-DenyPasswordReplicationAccountName
-ReadOnlyReplica
NOTE
The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.
Install-AddsDomainController
-domainname <string>
-credential <pscredential>
IMPORTANT
If the server does not belong to an Active Directory subnet and there is more than one Active Directory site, nothing is
selected and the Next button is unavailable until you choose a site from the list.
The specified Directory Services Restore Mode Password must adhere to the password policy applied to
the server. Always choose a strong, complex password or preferably, a passphrase.
The Domain Controller Options ADDSDeployment Windows PowerShell arguments are:
IMPORTANT
The site name must already exist when provided as an argument to -sitename. The Install-ADDSDomainController
cmdlet does not create sites. You can use the New-ADReplicationSite cmdlet to create new sites.
The Install-ADDSDomainController arguments follow the same defaults as Server Manager if not specified.
The SafeModeAdministratorPassword argument's operation is special:
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is
the preferred usage when running the cmdlet interactively, for example when you create a new RODC in
corp.contoso.com and want to be prompted to enter and confirm a masked password.
If specified with a value, the value must be a secure string. This is not the preferred usage when running
the cmdlet interactively. For example, you can manually prompt for a password by using the Read-Host cmdlet
to prompt the user for a secure string.
WARNING
As the previous option does not confirm the password, use extreme caution: the password is not visible, so a
typo becomes the DSRM password unnoticed.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
Finally, you could store the protected password in a file, and then reuse it later, without the clear text password
ever appearing. ConvertFrom-SecureString without a -Key protects the string with DPAPI, so only the same user
account on the same computer can convert it back. For example:
$file = "c:\pw.txt"
$pw = Read-Host -Prompt "Password:" -AsSecureString
$pw | ConvertFrom-SecureString | Set-Content $file
WARNING
Providing or storing a clear or protected text password is not recommended. Anyone running this command in a script
or looking over your shoulder knows the DSRM password of that domain controller. Anyone able to run code as the same
user on the same computer can decrypt a DPAPI-protected file, and a file protected with an explicit -Key is only as safe
as that key. With that knowledge, they can log on to a DC started in DSRM and eventually impersonate the domain
controller itself, elevating their privileges to the highest level in an AD forest. An additional set of steps using
System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to avoid
password storage entirely.
RODC Options
The RODC Options page enables you to modify the settings:
Delegated Administrator Account
Accounts that are allowed to replicate passwords to the RODC
Accounts that are denied from replicating passwords to the RODC
Delegated administrator accounts gain local administrative permissions to the RODC. These users can operate
with privileges equivalent to the local computer's Administrators group. They are not members of the Domain
Admins or the domain built-in Administrators groups. This option is useful for delegating branch office
administration without giving out domain administrative permissions. Configuring delegation of administration
is not required.
The equivalent ADDSDeployment Windows PowerShell argument is:
-delegatedadministratoraccountname <string>
Accounts that are not allowed to cache passwords on the RODC can authenticate only if the RODC can forward the
request to a writable domain controller. If no writable domain controller is reachable, those users cannot access
resources or functionality provided by Active Directory.
IMPORTANT
If not modified, the default groups and settings are used:
Administrators - Deny
Server Operators - Deny
Backup Operators - Deny
Account Operators - Deny
Denied RODC Password Replication Group - Deny
Allowed RODC Password Replication Group - Allow
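An audit of the RODC Options settings after promotion, as an added example (not code from the original page). It reads the effective password replication policy, checks that the default denied groups listed above are still denied, lists which accounts actually have secrets cached on the RODC, and shows the delegated administrator, which AD DS records in the computer object's managedBy attribute. The RODC name RODC01 is an assumption; it runs under a Domain Admins account with the ActiveDirectory module (RSAT AD DS tools) installed.

```powershell
# Added example: audit an RODC's password replication policy and delegation.
# Assumed RODC name: RODC01.
Import-Module ActiveDirectory

$rodc = 'RODC01'

# Effective PRP: who may have secrets cached, who is explicitly denied.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
"Allowed on ${rodc}: " + ($allowed.Name -join ', ')
"Denied on ${rodc}:  " + ($denied.Name  -join ', ')

# Guardrail: the built-in privileged groups must remain denied. A branch server
# can be stolen, and anything cached on it is exposed to whoever holds the disk.
$mustDeny = 'Administrators', 'Server Operators', 'Backup Operators',
            'Account Operators', 'Denied RODC Password Replication Group'
$notDenied = $mustDeny | Where-Object { $_ -notin $denied.Name }
if ($notDenied) {
    Write-Warning "Not denied on ${rodc}: $($notDenied -join ', ')"
    # Fix it in place; Add- appends to the existing list.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $notDenied
}

# What is actually cached right now, and who has authenticated through this RODC.
# Anything in RevealedAccounts that should not be there is what you reset after a theft.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# The delegated administrator (local-admin equivalent on the RODC only).
Get-ADComputer -Identity $rodc -Properties ManagedBy | Select-Object Name, ManagedBy
```

The AuthenticatedAccounts list is the practical input for deciding what to add to the Allowed list: accounts that authenticate through the RODC but are not cached will fail to log on whenever the WAN link to a writable DC is down.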
Additional Options
The Additional Options page provides configuration options to name a domain controller as the replication
source, or you can use any domain controller as the replication source.
You can also choose to install the domain controller using backed up media using the Install from media (IFM)
option. The Install from media checkbox provides a browse option once selected and you must click Verify to
ensure the provided path is valid media.
Guidelines for the IFM source:
Media used by the IFM option is created with Windows Server Backup or Ntdsutil.exe from another existing
Windows Server Domain Controller with the same operating system version only. For example, you cannot
use a Windows Server 2008 R2 or previous operating system to create media for a Windows Server 2012
domain controller.
The IFM source data should be from a writable Domain Controller. While a source from RODC will technically
work to create a new RODC, there are false positive replication warnings that the IFM source RODC is not
replicating.
For more information about changes in IFM, see Ntdsutil.exe Install from Media Changes. If using media
protected with a SYSKEY, Server Manager prompts for the image's password during verification.
The Additional Options ADDSDeployment cmdlet arguments are:
-replicationsourcedc <string>
-installationmediapath <string>
-systemkey <secure string>
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the database
transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot%.
The Paths ADDSDeployment cmdlet arguments are:
-databasepath <string>
-logpath <string>
-sysvolpath <string>
Preparation Options
The Preparation Options page alerts you that the AD DS configuration includes extending the Schema
(forestprep) and updating the domain (domainprep). You only see this page when the forest or domain has not
been prepared by previous Windows Server 2012 domain controller installation or from manually running
Adprep.exe. For example, the Active Directory Domain Services Configuration Wizard suppresses this page if
you add a new replica domain controller to an existing Windows Server 2012 forest root domain.
Extending the Schema and updating the domain do not occur when you click Next . These events occur only
during the installation phase. This page simply brings awareness about the events that will occur later in the
installation.
This page also validates that the current user credentials are members of the Schema Admins and Enterprise
Admins groups, as you need membership in these groups to extend the schema or prepare a domain. Click
Change to provide the adequate user credentials if the page informs you that the current credentials do not
provide sufficient permissions.
The Preparation Options ADDSDeployment cmdlet argument is:
-adprepcredential <pscredential>
IMPORTANT
As with previous versions of Windows Server, Windows Server 2012's automated domain preparation does not run
GPPREP. Run adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server
2003, Windows Server 2008, or Windows Server 2008 R2. You should run GPPrep only once in the history of a domain,
not with every upgrade. Adprep.exe does not run /gpprep automatically because its operation can cause all files and
folders in the SYSVOL folder to re-replicate on all domain controllers.
Automatic RODCPrep runs when you promote the first un-staged RODC in a domain. It does not occur when you
promote the first writeable Windows Server 2012 domain controller. You can also still manually run adprep.exe
/rodcprep if you plan to deploy read-only domain controllers.
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
-AllowPasswordReplicationAccountName @("CORP\Allowed RODC Password Replication Group", "CORP\Chicago RODC Admins", "CORP\Chicago RODC Users and Computers") `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DelegatedAdministratorAccountName "CORP\Chicago RODC Admins" `
-DenyPasswordReplicationAccountName @("BUILTIN\Administrators", "BUILTIN\Server Operators", "BUILTIN\Backup Operators", "BUILTIN\Account Operators", "CORP\Denied RODC Password Replication Group") `
-DomainName "corp.contoso.com" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-ReadOnlyReplica:$true `
-SiteName "Default-First-Site-Name" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-Force:$true
NOTE
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may
change between future versions of Windows or service packs). The one exception to this is the -
safemodeadministratorpassword argument. To force a confirmation prompt, omit the value when running cmdlet
interactively.
Use the optional Whatif argument with the Install-ADDSDomainController cmdlet to review configuration
information. This enables you to see the explicit and implicit values of the arguments for a cmdlet.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This phase validates that the
server configuration is capable of supporting the requested deployment, here a new read-only domain controller.
Before promotion, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of
serialized modular tests. These tests alert you with suggested repair options. You can run the tests as many
times as required. The domain controller promotion process cannot continue until all prerequisite tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older
operating systems.
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when
using the AD DS Deployment cmdlet using the following argument:
-skipprechecks
Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation.
You cannot cancel the promotion process once it begins. The computer will reboot automatically at the end of
promotion, regardless of the promotion results.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or
canceled. Detailed operations display on this page and are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
To install a new read-only domain controller using the ADDSDeployment module, use the following cmdlet:
Install-ADDSDomainController
See the ADDSDeployment Cmdlet table at the beginning of this section for required and optional arguments.
The Install-ADDSDomainController cmdlet only has two phases (prerequisite checking and installation). The
installation phase needs only the minimum required arguments of -domainname, -readonlyreplica, -sitename, and
-credential. Just like Server Manager, Install-ADDSDomainController reminds you that promotion will reboot the
server automatically.
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any
ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end
of promotion, use the -norebootoncompletion argument.
WARNING
Overriding the reboot is not recommended. The domain controller must reboot to function correctly. If you log off the
domain controller, you cannot log back on interactively until you restart it.
Results
The Results page shows the success or failure of the promotion and any important administrative information.
The domain controller will automatically reboot after 10 seconds.
Demoting Domain Controllers and Domains
3/5/2021
This topic explains how to remove AD DS, using Server Manager or Windows PowerShell.
AD DS removal workflow
Caution
Removing the AD DS roles with Dism.exe or the Windows PowerShell DISM module after promotion to a
Domain Controller is not supported and will prevent the server from booting normally.
Unlike Server Manager or the ADDSDeployment module for Windows PowerShell, DISM is a native servicing
system that has no inherent knowledge of AD DS or its configuration. Do not use Dism.exe or the Windows
PowerShell DISM module to uninstall the AD DS role unless the server is no longer a domain controller.
Uninstall-ADDSDomainController
-SkipPreChecks
-LocalAdministratorPassword
-Confirm
-Credential
-DemoteOperationMasterRole
-DNSDelegationRemovalCredential
-Force
-ForceRemoval
-IgnoreLastDCInDomainMismatch
-IgnoreLastDNSServerForZone
-LastDomainControllerInDomain
-Norebootoncompletion
-RemoveApplicationPartitions
-RemoveDNSDelegation
-RetainDCMetadata
Uninstall-WindowsFeature / Remove-WindowsFeature
-Name
-IncludeManagementTools
-Restart
-Remove
-Force
-ComputerName
-Credential
-LogPath
-Vhd
NOTE
The -credential argument is only required if you are not already logged on as a member of the Enterprise Admins group
(demoting the last DC in a domain) or the Domain Admins group (demoting a replica DC). The -includemanagementtools
argument is only required if you want to remove all of the AD DS management utilities.
Demote
Remove Roles and Features
Server Manager offers two interfaces to removing the Active Directory Domain Services role:
The Manage menu on the main dashboard, using Remove Roles and Features
Click AD DS or All Servers on the navigation pane. Scroll down to the Roles and Features section.
Right-click Active Directory Domain Services in the Roles and Features list and click Remove Role
or Feature. This interface skips the Server Selection page.
The Server Selection dialog enables you to choose from one of the servers previously added to the pool, as
long as it is accessible. The local server running Server Manager is always automatically available.
Server Roles and Features
Clear the Active Directory Domain Services check box to demote a domain controller; if the server is
currently a domain controller, this does not remove the AD DS role and instead switches to a Validation
Results dialog with the offer to demote. Otherwise, it removes the binaries like any other role feature.
Do not remove any other AD DS-related roles or features - such as DNS, GPMC, or the RSAT tools - if you
intend to promote the domain controller again immediately. Removing additional roles and feature
increases the time to re-promote, as Server Manager reinstalls these features when you reinstall the role.
Remove unneeded AD DS roles and features at your own discretion if you intend to demote the domain
controller permanently. This requires clearing the check boxes for those roles and features.
The full list of AD DS-related roles and features includes:
Active Directory Module for Windows PowerShell feature
AD DS and AD LDS Tools feature
Active Directory Administrative Center feature
AD DS Snap-ins and Command-line Tools feature
DNS Server
Group Policy Management Console
The equivalent ADDSDeployment and ServerManager Windows PowerShell cmdlets are:
Uninstall-addsdomaincontroller
Uninstall-windowsfeature
Credentials
You configure demotion options on the Credentials page. Provide the credentials necessary to perform the
demotion from the following list:
Demoting an additional domain controller requires Domain Admin credentials. Selecting Force the
removal of this domain controller demotes the domain controller without removing the domain
controller object's metadata from Active Directory.
WARNING
Do not select this option unless the domain controller cannot contact other domain controllers and there is no
reasonable way to resolve that network issue. Forced demotion leaves orphaned metadata in Active Directory on
the remaining domain controllers in the forest. In addition, all un-replicated changes on that domain controller,
such as passwords or new user accounts, are lost forever. Orphaned metadata is the root cause in a significant
percentage of Microsoft Customer Support cases for AD DS, Exchange, SQL, and other software.
If you forcibly demote a domain controller, you must manually perform metadata cleanup immediately. For steps,
review Clean Up Server Metadata.
Demoting the last domain controller in a domain requires Enterprise Admins group membership, as this
removes the domain itself (if the last domain in the forest, this removes the forest). Server Manager
informs you if the current domain controller is the last domain controller in the domain. Select the Last
domain controller in the domain check box to confirm the domain controller is the last domain
controller in the domain.
The equivalent ADDSDeployment Windows PowerShell arguments are:
-credential <pscredential>
-forceremoval <{$true | $false}>
-lastdomaincontrollerindomain <{$true | $false}>
Warnings
The Warnings page alerts you to the possible consequences of removing this domain controller. To continue,
you must select Proceed with removal .
WARNING
If you previously selected Force the removal of this domain controller on the Credentials page, then the
Warnings page shows all Flexible Single Master Operations (FSMO) roles hosted by this domain controller. You must
seize the roles from another domain controller immediately after demoting this server. For more information on seizing
FSMO roles, see Seize the Operations Master Role.
This page does not have an equivalent ADDSDeployment Windows PowerShell argument.
Removal Options
The Removal Options page appears only if you previously selected Last domain controller in the
domain on the Credentials page. This page enables you to configure additional removal options. Select
Ignore last DNS server for zone, Remove application partitions, and Remove DNS Delegation to
enable the Next button.
The options only appear if applicable to this domain controller. For instance, if there is no DNS delegation for
this server then that checkbox will not display.
Click Change to specify alternate DNS administrative credentials. Click View Partitions to view additional
partitions the wizard removes during the demotion. By default, the only additional partitions are Domain DNS
and Forest DNS Zones. All other partitions are non-Windows partitions.
The equivalent ADDSDeployment cmdlet arguments are:
-ignorelastdnsserverforzone <{$true | $false}>
-removeapplicationpartitions <{$true | $false}>
-removednsdelegation <{$true | $false}>
-dnsdelegationremovalcredential <pscredential>
The New Administrator Password page requires you to provide a password for the built-in local computer's
Administrator account, once the demotion completes and the computer becomes a domain member server or
workgroup computer.
The Uninstall-ADDSDomainController cmdlet and arguments follow the same defaults as Server Manager if
not specified.
The LocalAdministratorPassword argument is special:
If not specified as an argument, then the cmdlet prompts you to enter and confirm a masked password. This
is the preferred usage when running the cmdlet interactively.
If specified with a value, then the value must be a secure string. This is not the preferred usage when running
the cmdlet interactively.
For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a
secure string.
WARNING
As the previous two options do not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged. For
example:
-localadministratorpassword (convertto-securestring "Password1" -asplaintext -force)
WARNING
Providing or storing a clear text password is not recommended. Anyone running this command in a script or looking over
your shoulder knows the local administrator password of that computer. With that knowledge, they have access to all of
its data and can impersonate the server itself.
Confirmation
The Confirmation page shows the planned demotion; the page does not list demotion configuration options.
This is the last page the wizard shows before the demotion begins. The View Script button creates a Windows
PowerShell demotion script.
Click Demote to run the following AD DS Deployment cmdlet:
Uninstall-ADDSDomainController
Use the optional Whatif argument with the Uninstall-ADDSDomainController cmdlet to review
configuration information. This enables you to see the explicit and implicit values of a cmdlet's arguments.
For example:
The prompt to restart is your last opportunity to cancel this operation when using ADDSDeployment Windows
PowerShell. To override that prompt, use the -force or -confirm:$false arguments.
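The following is an added example, not code from the original page, that ties together the two points above: reading the new local Administrator password as a secure string (with a confirmation step, since Read-Host alone does not confirm), then reviewing the demotion with -WhatIf before running it. The helper function name is my own; the cmdlet and parameter names are those of the ADDSDeployment module.

```powershell
# Added example (not from the original page): prompt for the new local
# Administrator password as a secure string, review the demotion with
# -WhatIf, then run it. No clear-text password is written to disk or shown.

Import-Module ADDSDeployment

# Read-Host -AsSecureString masks the input but does NOT ask for confirmation,
# so this helper prompts twice and compares the two values before returning.
function Read-ConfirmedSecurePassword {
    param([string]$Prompt = 'New local Administrator password')

    while ($true) {
        $first  = Read-Host -Prompt $Prompt -AsSecureString
        $second = Read-Host -Prompt "Confirm $Prompt" -AsSecureString

        # Compare by decoding only inside this function, then zero the BSTRs
        # so the clear-text copies do not linger in memory.
        $p1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($first)
        $p2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($second)
        try {
            $same = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($p1) -ceq
                    [Runtime.InteropServices.Marshal]::PtrToStringBSTR($p2)
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p1)
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p2)
        }
        if ($same -and $first.Length -gt 0) { return $first }
        Write-Warning 'Passwords did not match or were empty; try again.'
    }
}

$adminPassword = Read-ConfirmedSecurePassword

# Dry run: -WhatIf lists every explicit and defaulted argument without
# touching the domain controller.
Uninstall-ADDSDomainController -LocalAdministratorPassword $adminPassword -WhatIf

# Real run. Leaving out -Force and -Confirm:$false keeps the final restart
# prompt, which is the last point at which the demotion can be cancelled.
Uninstall-ADDSDomainController -LocalAdministratorPassword $adminPassword
```

The confirmation helper exists because, as the warning above notes, neither the cmdlet's own prompt nor Read-Host verifies a masked password; decoding the two values only for the comparison and zeroing the buffers afterwards keeps the clear text out of variables that could end up in a transcript.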
Demotion
When the Demotion page displays, the domain controller configuration begins and cannot be halted or
canceled. Detailed operations display on this page and write to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
Since Uninstall-ADDSDomainController and Uninstall-WindowsFeature only have one action apiece,
they are shown here in the Confirmation phase with the minimum required arguments. Pressing ENTER starts
the irrevocable demotion process and restarts the computer.
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any
ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end
of demotion, use the -norebootoncompletion:$false argument.
WARNING
Overriding the reboot is discouraged. The member server must reboot to function correctly.
Here is an example of forcibly demoting with its minimal required arguments of -forceremoval and
-demoteoperationmasterrole. The -credential argument is not required because the user logged on as a
member of the Enterprise Admins group:
Here is an example of removing the last domain controller in the domain with its minimal required arguments
of -lastdomaincontrollerindomain and -removeapplicationpartitions:
If you attempt to remove the AD DS role before demoting the server, Windows PowerShell blocks you with an
error:
IMPORTANT
You must restart the computer after demoting the server before you can remove the AD-Domain-Services role binaries.
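As an added example (not the page's own command listing), here are the two demotion forms described above, each shown first as a -WhatIf dry run, followed by the role-binary removal that only succeeds after the restart. All cmdlet and parameter names are those of the ADDSDeployment and ServerManager modules; the credential prompt text is mine.

```powershell
# Added example (not from the original page): forced demotion, last-DC
# demotion, and role removal after the reboot. Run interactively as a member
# of Enterprise Admins; the cmdlet prompts for the new local Administrator
# password when -LocalAdministratorPassword is not supplied.

Import-Module ADDSDeployment

# Case 1: forced demotion of a domain controller that can no longer reach its
# replication partners. -DemoteOperationMasterRole is required whenever the
# server might still hold an operations master (FSMO) role. Metadata cleanup
# on the remaining domain controllers is the mandatory follow-up step.
Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole -WhatIf
# Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole

# Case 2: removing the last domain controller, which also removes the domain.
# -IgnoreLastDnsServerForZone and -RemoveDnsDelegation correspond to the
# Removal Options check boxes; -RemoveApplicationPartitions removes the
# DomainDnsZones and ForestDnsZones partitions the server still holds.
$last = @{
    LastDomainControllerInDomain   = $true
    RemoveApplicationPartitions    = $true
    IgnoreLastDnsServerForZone     = $true
    RemoveDnsDelegation            = $true
    DnsDelegationRemovalCredential = (Get-Credential -Message 'DNS administrator for the parent zone')
}
Uninstall-ADDSDomainController @last -WhatIf
# Uninstall-ADDSDomainController @last

# After the restart (and only then) the role binaries can be uninstalled.
# Running this before the reboot fails because the server is still a DC.
Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart
```

Splatting the last-DC arguments from a hashtable makes the -WhatIf review and the real run use exactly the same values, which is the point of the dry run.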
Results
The Results page shows the success or failure of the demotion and any important administrative information.
The domain controller will automatically reboot after 10 seconds.
Clean up Active Directory Domain Controller server metadata
11/2/2020 • 5 minutes to read
NOTE
If you receive an "Access is denied" error when you use any of these methods to perform metadata cleanup, make sure
that the computer object and the NTDS Settings object for the domain controller are not protected against accidental
deletion. To verify this, right-click the computer object or the NTDS Settings object, click Properties, click Object, and
clear the Protect object from accidental deletion check box. In Active Directory Users and Computers, the Object
tab of an object appears if you click View and then click Advanced Features.
4. At the metadata cleanup: prompt, type the following command, and then press ENTER:
remove selected server <ServerName>
5. In Server Remove Configuration Dialog, review the information and warning, and then click Yes to
remove the server object and metadata.
At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an
error message that indicates that the object cannot be found, the domain controller might have been
removed earlier.
6. At the metadata cleanup: and ntdsutil: prompts, type quit, and then press ENTER.
7. To confirm removal of the domain controller:
Open Active Directory Users and Computers. In the domain of the removed domain controller, click
Domain Controllers . In the details pane, an object for the domain controller that you removed should
not appear.
Open Active Directory Sites and Services. Navigate to the Servers container and confirm that the server
object for the domain controller that you removed does not contain an NTDS Settings object. If no child
objects appear below the server object, you can delete the server object. If a child object appears, do not
delete the server object because another application is using the object.
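The confirmation steps above can be scripted. The following is an added example, not part of the original article, that looks up the three objects ntdsutil removes (the server object under CN=Sites, its NTDS Settings child, and the computer account in the Domain Controllers OU) and clears the accidental-deletion protection that causes the "Access is denied" error described in the note. DC02 is a hypothetical server name; the function names are mine.

```powershell
# Added example (not from the original page): check whether metadata for a
# demoted domain controller is still present and, where the objects are
# protected from accidental deletion, clear that flag so ntdsutil can remove
# them. DC02 is a hypothetical server name.

Import-Module ActiveDirectory

function Get-StaleDcMetadata {
    param([Parameter(Mandatory)][string]$ServerName)

    $root     = Get-ADRootDSE
    $configNC = $root.configurationNamingContext
    $domainNC = $root.defaultNamingContext

    # Server object under CN=Sites; its nTDSDSA child is "NTDS Settings".
    $server = Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope Subtree `
        -Filter "objectClass -eq 'server' -and name -eq '$ServerName'" `
        -Properties ProtectedFromAccidentalDeletion
    $ntds = $null
    if ($server) {
        $ntds = Get-ADObject -SearchBase $server.DistinguishedName -SearchScope OneLevel `
            -Filter "objectClass -eq 'nTDSDSA'" -Properties ProtectedFromAccidentalDeletion
    }

    # Computer account in the Domain Controllers OU.
    $computer = Get-ADComputer -SearchBase "OU=Domain Controllers,$domainNC" `
        -Filter "Name -eq '$ServerName'" -Properties ProtectedFromAccidentalDeletion

    [pscustomobject]@{
        ServerName     = $ServerName
        ServerObject   = $server.DistinguishedName
        NtdsSettings   = $ntds.DistinguishedName
        ComputerObject = $computer.DistinguishedName
        Protected      = @(@($server, $ntds, $computer) |
                           Where-Object { $_ -and $_.ProtectedFromAccidentalDeletion })
    }
}

function Unprotect-DcMetadata {
    # Clears "Protect object from accidental deletion" on whatever remains,
    # which is the cause of the "Access is denied" error the note describes.
    param([Parameter(Mandatory)][string]$ServerName)
    (Get-StaleDcMetadata -ServerName $ServerName).Protected | ForEach-Object {
        Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $false -Confirm:$false
        "Cleared protection on $($_.DistinguishedName)"
    }
}

$state = Get-StaleDcMetadata -ServerName 'DC02'
$state | Format-List

if (-not $state.NtdsSettings -and -not $state.ComputerObject) {
    'Metadata cleanup is complete; the server object can be deleted if it has no other children.'
} else {
    Unprotect-DcMetadata -ServerName 'DC02'
    'Re-run metadata cleanup in ntdsutil for the remaining objects.'
}
```

The server object is reported separately because, as step 7 says, it should only be deleted when it has no child objects other than NTDS Settings; the function leaves that decision to the operator.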
See Also
Demoting Domain Controllers
Ntdsutil command reference
AD DS Installation and Removal Wizard Page Descriptions
6/17/2021 • 20 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic provides descriptions for the controls on the following wizard pages that comprise the AD DS server
role installation and removal in Server Manager.
Deployment Configuration
Domain Controller Options
DNS Options
RODC Options
Additional Options
Paths
Preparation Options
Review Options
Prerequisites Check
Results
Role Removal credentials
AD DS Removal Options and Warnings
New Administrator Password
Confirm Role Removal Selections
Deployment Configuration
Server Manager begins every domain controller installation with the Deployment Configuration page. The
remaining options and required fields change on this page and subsequent pages, depending on which
deployment operation you select. For example, if you create a new forest, the Preparation Options page does
not appear, but it does if you install the first domain controller that runs Windows Server 2012 in an existing
forest or domain.
Some validation tests are performed on this page, and again later as part of prerequisite checks. For example, if
you try to install the first Windows Server 2012 domain controller in a forest that has Windows 2000 functional
level, an error appears on this page.
The following options appear when you create a new forest.
When you create a new forest, you must specify a name for the forest root domain. The forest root
domain name cannot be single-labeled (for example, it must be "contoso.com" instead of "contoso"). It
must use allowed DNS domain naming conventions. You can specify an Internationalized Domain Name
(IDN). For more information about DNS domain naming conventions, see KB 909264.
Do not create new Active Directory forests with the same name as your external DNS name. For example,
if your Internet DNS URL is http://contoso.com, you must choose a different name for your internal forest
to avoid future compatibility issues. That name should be unique and unlikely for web traffic, such as
corp.contoso.com.
You must be a member of Administrators group on the server where you want to create a new forest.
For more information about how to create a forest, see Install a New Windows Server 2012 Active Directory
Forest (Level 200).
The following options appear when you create a new domain.
NOTE
If you create a new tree domain, you need to specify the name of the forest root domain instead of the parent domain,
but the remaining wizard pages and options are the same.
Click Select to browse to the parent domain or Active Directory tree, or type a valid parent domain or
tree name. Then type the name of the new domain in New domain name .
Tree domain: provide a valid, fully qualified root domain name; the name cannot be single-labeled and
must use DNS domain name requirements.
Child domain: provide a valid, single-label child domain name; the name must use DNS domain name
requirements.
The Active Directory Domain Services Configuration Wizard prompts you for domain credentials if your
current credentials are not from the domain. Click Change to provide domain credentials.
For more information about how to create a domain, see Install a New Windows Server 2012 Active Directory
Child or Tree Domain (Level 200).
The following options appear when you add a new domain controller to an existing domain.
Click Select to browse to the domain, or type a valid domain name.
Server Manager prompts you for valid credentials if needed. Installing an additional domain controller
requires membership in the Domain Admins group.
In addition, installing the first domain controller that runs Windows Server 2012 in a forest requires
credentials that include group memberships in both the Enterprise Admins and Schema Admins groups.
The Active Directory Domain Services Configuration Wizard prompts you later if your current credentials
do not have adequate permissions or group memberships.
For more information about how to add a domain controller to an existing domain, see Install a Replica
Windows Server 2012 Domain Controller in an Existing Domain (Level 200).
The domain functional level is set to Windows Server 2012 by default. You can specify any other value
that is at least the value of the forest functional level or higher.
The configurable domain controller options include DNS server and Global Catalog; you cannot
configure read-only domain controller as the first domain controller in a new domain.
Microsoft recommends that all domain controllers provide DNS and global catalog services for high
availability in distributed environments, which is why the wizard enables these options by default when
creating a new domain.
The Domain Controller Options page also enables you to choose the appropriate Active Directory
logical site name from the forest configuration. By default, it selects the site with the most correct
subnet. If there is only one site, it selects that site automatically.
IMPORTANT
If the server does not belong to an Active Directory subnet and there is more than one site, nothing is selected
and the Next button is unavailable until you choose a site from the list.
For more information about how to create a domain, see Install a New Windows Server 2012 Active Directory
Child or Tree Domain (Level 200).
If you are adding a domain controller to a domain, the Domain Controller Options page has these options:
The configurable domain controller options include DNS server, Global Catalog, and Read-only
domain controller.
Microsoft recommends that all domain controllers provide DNS and global catalog services for high
availability in distributed environments, which is why the wizard enables these options by default. For
more information about deploying RODCs, see Read-Only Domain Controller Planning and Deployment
Guide.
For more information about how to add a domain controller to an existing domain, see Install a Replica
Windows Server 2012 Domain Controller in an Existing Domain (Level 200).
DNS Options
If you install DNS server, the following DNS Options page appears:
When you install DNS server, delegation records that point to the DNS server as authoritative for the zone
should be created in the parent Domain Name System (DNS) zone. Delegation records transfer name resolution
authority and provide correct referral to other DNS servers and clients of the new servers that are being made
authoritative for the new zone. These resource records include the following:
A name server (NS) resource record to effect the delegation. This resource record advertises that the
server named ns1.na.example.microsoft.com is an authoritative server for the delegated subdomain.
A host (A or AAAA) resource record also known as a glue record must be present to resolve the name of
the server that is specified in the name server (NS) resource record to its IP address. The process of
resolving the host name in this resource record to the delegated DNS server in the name server (NS)
resource record is sometimes referred to as "glue chasing."
You can have the Active Directory Domain Services Configuration Wizard create them automatically. The wizard
verifies that the appropriate records exist in the parent DNS zone after you click Next on the Domain
Controller Options page. If the wizard cannot verify that the records exist in the parent domain, the wizard
provides you with the option to create a new DNS delegation for a new domain (or update the existing
delegation) automatically and continue with the new domain controller installation.
Alternatively, you can create these DNS delegation records before you install DNS server. To create a zone
delegation, open DNS Manager , right-click the parent domain, and then click New Delegation . Follow the
steps in the New Delegation Wizard to create the delegation.
The installation process tries to create the delegation to ensure that computers in other domains can resolve
DNS queries for hosts, including domain controllers and member computers, in the DNS subdomain. Note that
the delegation records can be automatically created only on Microsoft DNS servers. If the parent DNS domain
zone resides on third party DNS servers such as BIND, a warning about the failure to create DNS delegation
records appears on the Prerequisites check page. For more information about the warning, see Known issues for
installing AD DS.
Delegations between the parent domain and the subdomain being promoted can be created and validated
before or after the installation. There is no reason to delay the installation of a new domain controller because
you cannot create or update the DNS delegation.
For more information about delegation, see Understanding Zone Delegation (https://go.microsoft.com/fwlink/?LinkId=164773).
If zone delegation is not possible in your situation, you might consider other methods for
providing name resolution from other domains to the hosts in your domain. For example, the DNS
administrator of another domain could configure conditional forwarding, stub-zones, or secondary zones in
order to resolve names in your domain. For more information, see the following topics:
Understanding zone types (https://go.microsoft.com/fwlink/?LinkID=157399)
Understanding stub zones (https://go.microsoft.com/fwlink/?LinkId=164776)
Understanding forwarders (https://go.microsoft.com/fwlink/?LinkId=164778)
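The delegation and glue records described above can be validated from any machine, and created on a Windows DNS server, with the following added example (not code from the original page). It queries the parent zone's server directly for the NS records, then performs the "glue chasing" step for each name server; the zone, host names and address are hypothetical, and the function name is mine.

```powershell
# Added example (not from the original page): verify that the parent DNS zone
# delegates the child zone and that every name server in the delegation has a
# resolvable glue (A/AAAA) record; then create the delegation on a Windows DNS
# server if it is missing. Zone and host names are hypothetical.

function Test-ZoneDelegation {
    param(
        [Parameter(Mandatory)][string]$ChildZone,       # e.g. corp.contoso.com
        [Parameter(Mandatory)][string]$ParentDnsServer  # authoritative for contoso.com
    )

    # Ask the parent server directly so a cached answer from a recursive
    # resolver cannot mask a missing delegation.
    $ns = Resolve-DnsName -Name $ChildZone -Type NS -Server $ParentDnsServer -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'NS' }
    if (-not $ns) {
        return [pscustomobject]@{ Zone = $ChildZone; Delegated = $false; NameServers = @(); MissingGlue = @() }
    }

    # "Glue chasing": each NS host must resolve to an address, otherwise
    # clients cannot follow the referral to the child zone.
    $missingGlue = foreach ($record in $ns) {
        $addr = Resolve-DnsName -Name $record.NameHost -Type A_AAAA -Server $ParentDnsServer -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -in 'A', 'AAAA' }
        if (-not $addr) { $record.NameHost }
    }

    [pscustomobject]@{
        Zone        = $ChildZone
        Delegated   = $true
        NameServers = @($ns.NameHost)
        MissingGlue = @($missingGlue)
    }
}

$result = Test-ZoneDelegation -ChildZone 'corp.contoso.com' -ParentDnsServer 'ns1.contoso.com'
$result | Format-List

# On a Windows DNS server hosting the parent zone, create the delegation
# (DnsServer module; needs DNS administrative rights on that server).
if (-not $result.Delegated) {
    Add-DnsServerZoneDelegation -ComputerName 'ns1.contoso.com' -Name 'contoso.com' `
        -ChildZoneName 'corp' -NameServer 'dc1.corp.contoso.com' -IPAddress '10.0.0.4'
}
```

A delegation that exists but lists a name server with no glue produces the same symptom as no delegation at all for clients outside the child domain, which is why the check reports the two conditions separately. Add-DnsServerZoneDelegation only applies to Microsoft DNS servers; for BIND or other third-party parents the delegation has to be created by that zone's administrator, as the text notes.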
RODC Options
The following options appear when you install a read-only domain controller (RODC).
Delegated administrator accounts gain local administrative permissions to the RODC. These users can
operate with privileges equivalent to the local computer's Administrators group. They are not members
of the Domain Admins or the domain built-in Administrators groups. This option is useful for delegating
branch office administration without giving out domain administrative permissions. Configuring
delegation of administration is not required. For more information, see Administrator Role Separation.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be
permitted to cache a password. After the RODC receives an authenticated user or computer logon
request, it refers to the Password Replication Policy to determine if the password for the account should
be cached. The same account can then perform subsequent logons more efficiently.
The Password Replication Policy (PRP) lists the accounts whose passwords are allowed to be cached, and
accounts whose passwords are explicitly denied from being cached. The list of user and computer
accounts that are permitted to be cached does not imply that the RODC has necessarily cached the
passwords for those accounts. An administrator can, for example, specify in advance any accounts that an
RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub
site is offline.
The passwords of users or computers that are not allowed (explicitly or implicitly) or that are denied are not cached. If
those users or computers do not have access to a writable domain controller, they cannot access AD DS-
provided resources or functionality. For more information about the PRP, see Password Replication Policy.
For more information about managing the PRP, see Administering the Password Replication Policy.
For more information about installing RODCs, see Install a Windows Server 2012 Active Directory Read-Only
Domain Controller (RODC) (Level 200).
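To see the distinction the text draws between accounts that are allowed to be cached and accounts that actually have been cached, here is an added example (not code from the original page) that reports both for an RODC, flags privileged principals that should never be cacheable in a branch office, and then allows and pre-populates a branch group. RODC01, DC01 and the group names are hypothetical; the function name is mine; the cmdlets are from the ActiveDirectory module.

```powershell
# Added example (not from the original page): review the Password Replication
# Policy of an RODC and compare what it allows with what it has actually
# cached. RODC01, DC01 and the group names are hypothetical.

Import-Module ActiveDirectory

function Get-RodcPrpReport {
    param([Parameter(Mandatory)][string]$Rodc)

    # Allowed and denied lists as configured on the RODC's computer object.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

    # Accounts whose secrets the RODC currently holds, and accounts it has
    # authenticated (useful for deciding what to pre-populate or prune).
    $revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

    # Privileged principals should never be cacheable on a branch RODC; flag
    # any that appear among the revealed accounts.
    $privileged  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $privMembers = foreach ($g in $privileged) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    }
    $privSids = @($privMembers | Select-Object -ExpandProperty SID -Unique)

    [pscustomobject]@{
        RODC               = $Rodc
        Allowed            = @($allowed.Name)
        Denied             = @($denied.Name)
        RevealedCount      = @($revealed).Count
        AuthenticatedCount = @($authenticated).Count
        PrivilegedRevealed = @($revealed | Where-Object { $_.SID -in $privSids } |
                               Select-Object -ExpandProperty SamAccountName)
    }
}

$report = Get-RodcPrpReport -Rodc 'RODC01'
$report | Format-List

# Policy change: allow the branch users group to be cached (the default denied
# set stays in place), then pre-populate their secrets so they can log on if
# the WAN link to the hub site is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' -AllowedList 'Branch-Users'
Get-ADGroupMember -Identity 'Branch-Users' -Recursive |
    ForEach-Object { Sync-ADObject -Object $_.DistinguishedName -Source 'DC01' -Destination 'RODC01' -PasswordOnly }
```

The RevealedCount versus AuthenticatedCount comparison is the practical reading of the paragraph above: a large allowed list with few revealed accounts means the RODC has not yet cached most of what it may cache, and pre-population with Sync-ADObject is how an administrator makes the branch resilient to a WAN outage in advance.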
Additional Options
The following option appears on the Additional Options page if you are creating a new domain:
The following options appear on the Additional Options page if you install an additional domain controller in
an existing domain:
You can either specify a domain controller as the replication source, or allow the wizard to choose any
domain controller as the replication source.
You can also choose to install the domain controller using backed up media using the Install from media
(IFM) option. If the installation media is stored locally, the Install from media Path option allows you to
browse to the file location. The browse option is not available for a remote installation. You can click
Verify to ensure the provided path is valid media. Media used by the IFM option must be created with
Windows Server Backup or Ntdsutil.exe from another existing Windows Server 2012 computer only; you
cannot use a Windows Server 2008 R2 or previous operating system to create media for a Windows
Server 2012 domain controller. If the media is protected with a SYSKEY, Server Manager prompts for the
image's password during verification.
For more information about how to create a domain, see Install a New Windows Server 2012 Active Directory
Child or Tree Domain (Level 200). For more information about how to add a domain controller to an existing
domain, see Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200).
Paths
The following options appear on the Paths page.
The Paths page enables you to override the default folder locations of the AD DS database, the database
transaction logs, and the SYSVOL share. The default locations are always in %systemroot%.
Specify the location for the AD DS database (NTDS.DIT), log files, and SYSVOL. For a local installation, you can
browse to the location where you want to store the files.
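The Deployment Configuration, Domain Controller Options, Additional Options and Paths pages map onto parameters of the ADDSDeployment cmdlet. The following added example (not code from the original page) assembles that call for an additional domain controller in an existing domain and reviews it with -WhatIf; it also checks the subnet-to-site mapping that the Domain Controller Options page depends on. Domain, site, server and path values are hypothetical.

```powershell
# Added example (not from the original page): the cmdlet call equivalent to
# the wizard pages, reviewed with -WhatIf before anything changes. Domain,
# site, server names and paths are hypothetical.

Import-Module ActiveDirectory
Import-Module ADDSDeployment

# Site check: the wizard cannot pick a site when the server's address is in no
# AD subnet, so list this server's addresses next to the defined subnets.
$myIPs   = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
"Server addresses: $($myIPs -join ', ')"
$subnets | Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } }

$params = @{
    DomainName                    = 'corp.contoso.com'         # Deployment Configuration
    Credential                    = (Get-Credential -Message 'Domain Admins account')
    SiteName                      = 'Branch-Seattle'           # Domain Controller Options: site
    InstallDns                    = $true                      # DNS server check box
    NoGlobalCatalog               = $false                     # Global Catalog stays enabled
    ReplicationSourceDC           = 'dc1.corp.contoso.com'     # Additional Options: source DC
    InstallationMediaPath         = 'D:\IFM'                   # Additional Options: IFM media
    DatabasePath                  = 'E:\NTDS'                  # Paths: NTDS.DIT
    LogPath                       = 'E:\NTDS'                  # Paths: transaction logs
    SysvolPath                    = 'E:\SYSVOL'                # Paths: SYSVOL share
    SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM password' -AsSecureString)
}

# Dry run prints every explicit and defaulted argument; nothing is changed.
Install-ADDSDomainController @params -WhatIf

# The same call without -WhatIf performs the promotion and restarts the server.
# Install-ADDSDomainController @params
```

Keeping the database, logs and SYSVOL off the system volume, as the Paths page allows, is the usual choice on production domain controllers; the -WhatIf output is where to confirm the paths and the selected site before committing.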
Preparation Options
If you are not currently logged on with sufficient credentials to run adprep.exe commands and adprep is
required to run in order to complete the AD DS installation, you are prompted to supply credentials to run
adprep.exe. Adprep is required to run in order to add the first domain controller that runs Windows Server 2012
to an existing domain or forest. More specifically:
Adprep /forestprep must be run to add the first domain controller that runs Windows Server 2012 to an
existing forest. This command must be run by a member of the Enterprise Admins group, the Schema
Admins group, and the Domain Admins group of the domain that hosts the schema master. For this
command to complete successfully, there must be connectivity between the computer where you run the
command and the schema master for the forest.
Adprep /domainprep must be run to add the first domain controller that runs Windows Server 2012 to
an existing domain. This command must be run by a member of the Domain Admins group of the
domain where you are installing the domain controller that runs Windows Server 2012 . For this
command to complete successfully, there must be connectivity between the computer where you run the
command and the infrastructure master for the domain.
Adprep /rodcprep must be run to add the first RODC to an existing forest. This command must be run by
a member of the Enterprise Admins group. For this command to complete successfully, there must be
connectivity between the computer where you run the command and the infrastructure master for each
application directory partition in the forest.
For more information about Adprep.exe, see Adprep.exe integration and see Running Adprep.exe.
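Which of the three adprep steps is still outstanding can be read from the directory itself. The following added example (not code from the original page) reads the schema objectVersion that the LDF files replace, the revision markers written by /forestprep, /domainprep and /rodcprep, and the role holders each step must reach. The function name is mine; the expected values passed in the example call are assumptions for Windows Server 2012 R2 that should be verified against the documentation for the version being introduced.

```powershell
# Added example (not from the original page): read the version markers that
# adprep /forestprep, /domainprep and /rodcprep update, to tell which
# preparation steps remain before adding a newer domain controller.

Import-Module ActiveDirectory

function Get-AdPrepState {
    param(
        [int]$ExpectedSchemaVersion,
        [int]$ExpectedForestRevision,
        [int]$ExpectedDomainRevision,
        [int]$ExpectedRodcRevision
    )

    $root     = Get-ADRootDSE
    $configNC = $root.configurationNamingContext
    $domainNC = $root.defaultNamingContext

    # Schema version: the objectVersion attribute the schema LDF files replace.
    $schema = Get-ADObject -Identity "CN=Schema,$configNC" -Properties objectVersion

    # Forest-wide and RODC prep record a revision on these container objects.
    $forest = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC" `
              -Properties revision -ErrorAction SilentlyContinue
    $rodc   = Get-ADObject -Identity "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC" `
              -Properties revision -ErrorAction SilentlyContinue

    # Domain-wide prep records its revision in each domain's System container.
    $domain = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC" `
              -Properties revision -ErrorAction SilentlyContinue

    # Role holders adprep must reach: schema master for /forestprep,
    # infrastructure master for /domainprep.
    $forestInfo = Get-ADForest
    $domainInfo = Get-ADDomain

    [pscustomobject]@{
        SchemaVersion        = $schema.objectVersion
        SchemaPrepNeeded     = $schema.objectVersion -lt $ExpectedSchemaVersion
        ForestRevision       = $forest.revision
        ForestPrepNeeded     = (-not $forest) -or ($forest.revision -lt $ExpectedForestRevision)
        DomainRevision       = $domain.revision
        DomainPrepNeeded     = (-not $domain) -or ($domain.revision -lt $ExpectedDomainRevision)
        RodcRevision         = $rodc.revision
        RodcPrepNeeded       = (-not $rodc) -or ($rodc.revision -lt $ExpectedRodcRevision)
        SchemaMaster         = $forestInfo.SchemaMaster
        InfrastructureMaster = $domainInfo.InfrastructureMaster
    }
}

# Example call. The expected values are assumptions for Windows Server 2012 R2
# (schema 69, forest revision 15, domain revision 10, RODC revision 2); verify
# them for the operating system version you are introducing.
Get-AdPrepState -ExpectedSchemaVersion 69 -ExpectedForestRevision 15 `
    -ExpectedDomainRevision 10 -ExpectedRodcRevision 2 | Format-List
```

Running this before the installation, from a machine that can reach the schema master and the infrastructure master, tells you whether the Preparation Options page will ask for credentials and which group memberships (Enterprise Admins, Schema Admins, Domain Admins) those credentials need.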
Review Options
The Review Options page enables you to validate your settings and ensure that they meet your
requirements before you start the installation. This is not the last opportunity to stop the installation
using Server Manager. This page simply enables you to review and confirm your settings before
continuing the configuration.
The Review Options page in Server Manager also offers an optional View Script button to create a
Unicode text file that contains the current ADDSDeployment configuration as a single Windows
PowerShell script. This enables you to use the Server Manager graphical interface as a Windows
PowerShell deployment studio. Use the Active Directory Domain Services Configuration Wizard to
configure options, export the configuration, and then cancel the wizard. This process creates a valid and
syntactically correct sample for further modification or direct use.
Prerequisites Check
Some of the warnings that appear on this page include:
Domain controllers that run Windows Server 2008 or later have a default setting for "Allow cryptography
algorithms compatible with Windows NT 4" that prevents weaker cryptography algorithms when
establishing secure channel sessions. For more information about the potential impact and a
workaround, see KB article 942564.
DNS delegation could not be created or updated. For more information, see DNS Options.
The prerequisite check requires WMI calls. They can fail if firewall rules block them, and return
an RPC server unavailable error.
For more information about the specific prerequisite checks that are performed for AD DS installation, see
Prerequisite Tests.
Results
On this page, you can review the results of the installation.
You can also select to restart the target server after the wizard completes, but if the installation succeeds, the
server will always restart regardless of whether you select that option. In some cases after the wizard completes
on a target server that was not joined to the domain before the installation, the system state of the target server
can make the server unreachable on the network, or the system state can prevent you from having permissions
to manage the remote server.
If the target server fails to restart in this case, you must manually restart it. Tools such as shutdown.exe or
Windows PowerShell cannot restart it. You can use Remote Desktop Services to log on and remotely shut down
the target server.
IMPORTANT
Do not select this option unless the domain controller cannot contact other domain controllers and there is no
reasonable way to resolve that network issue. Forced demotion leaves orphaned metadata in Active Directory on
the remaining domain controllers in the forest. In addition, all un-replicated changes on that domain controller,
such as passwords or new user accounts, are lost forever. Orphaned metadata is the root cause in a significant
percentage of Microsoft Customer Support cases for AD DS, Exchange, SQL, and other software. If you forcibly
demote a domain controller, you must manually perform metadata cleanup immediately. For steps, review Clean
Up Server Metadata.
Demoting the last domain controller in a domain requires Enterprise Admins group membership, as this
removes the domain itself (if this is the last domain in the forest, this removes the forest). Server
Manager informs you if the current domain controller is the last domain controller in the domain. Select
Last domain controller in the domain to confirm the domain controller is the last domain controller
in the domain.
For more information about removing AD DS, see Remove Active Directory Domain Services (Level 100) and
Demoting Domain Controllers and Domains (Level 200).
You must click Proceed with removal in order to acknowledge that the additional roles will no longer be
available before you can click Next to continue.
If you force the removal of a domain controller, any Active Directory object changes that have not replicated to
other domain controllers in the domain will be lost. Additionally, if the domain controller hosts operation master
roles, the global catalog, or DNS server role, critical operations in the domain and forest may be impacted as
follows. Before you remove a domain controller that hosts any operations master role, try to transfer the role to
another domain controller. If it is not possible to transfer the role, first remove Active Directory Domain Services
from this computer, and then use Ntdsutil.exe to seize the role. Use Ntdsutil on the domain controller that you
plan to seize the role to; if possible, use a recent replication partner in the same site as this domain controller.
For more information about transferring and seizing operations master roles, see article 255504 in the
Microsoft Knowledge Base. If the wizard cannot determine whether the domain controller hosts an operations master
role, run the netdom.exe command to determine whether this domain controller performs any operations master
roles.
Global catalog: Users might have trouble logging on to domains in the forest. Before you remove a global
catalog server, ensure that enough global catalog servers are in this forest and site to service user logons.
If necessary, designate another global catalog server and update clients and applications with the new
information.
DNS server: All of the DNS data that is stored in Active Directory-integrated zones will be lost. After you
remove AD DS, this DNS server will not be able to perform name resolution for the DNS zones that were
Active Directory-integrated. Therefore, we recommend that you update the DNS configuration of all
computers that currently refer to the IP address of this DNS server for name resolution with the IP
address of a new DNS server.
Infrastructure master: clients in the domain might have difficulty locating objects in other domains.
Before you continue, transfer the infrastructure master role to a domain controller that is not a global
catalog server.
RID master: you might have problems creating new user accounts, computer accounts, and security
groups. Before you continue, transfer the RID master role to a domain controller in the same domain as
this domain controller.
Primary domain controller (PDC) emulator: operations that are performed by the PDC emulator, such as
Group Policy updates and password resets for non-AD DS accounts, will not function properly. Before you
continue, transfer the PDC emulator master role to a domain controller that is in the same domain as this
domain controller.
Schema master: you will no longer be able to modify the schema for this forest. Before you continue,
transfer the schema master role to a domain controller in the root domain in the forest.
Domain naming master: you will no longer be able to add domains to or remove domains from this
forest. Before you continue, transfer the domain naming master role to a domain controller in the root
domain in the forest.
All application directory partitions on this Active Directory domain controller will be removed. If a
domain controller holds the last replica of one or more application directory partitions, when the removal
operation is complete, those partitions will no longer exist.
Be aware that the domain will no longer exist after you uninstall Active Directory Domain Services from the last
domain controller in the domain.
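Before removing a domain controller, the roles listed above can be enumerated and transferred (rather than seized later) with the following added example, which is not code from the original page. It reports which operations master roles, global catalog and DNS duties the server still provides, checks that another global catalog exists in the same site, and moves any roles to a healthy partner. DC01 and DC02 are hypothetical names; the function name is mine; it uses the ActiveDirectory module and, for the remote service query, Windows PowerShell 5.1.

```powershell
# Added example (not from the original page): enumerate what a domain
# controller still provides and transfer its operations master roles before
# demoting it, avoiding the forced-removal and ntdsutil seizure path.
# DC02 (to be demoted) and DC01 (the target) are hypothetical names.

Import-Module ActiveDirectory

function Get-DcDependencies {
    param([Parameter(Mandatory)][string]$ServerName)

    $dc     = Get-ADDomainController -Identity $ServerName
    $forest = Get-ADForest -Identity $dc.Forest
    $domain = Get-ADDomain -Identity $dc.Domain
    $fqdn   = $dc.HostName

    # Compare each role holder with this server's FQDN.
    $roles = @()
    if ($forest.SchemaMaster         -ieq $fqdn) { $roles += 'SchemaMaster' }
    if ($forest.DomainNamingMaster   -ieq $fqdn) { $roles += 'DomainNamingMaster' }
    if ($domain.PDCEmulator          -ieq $fqdn) { $roles += 'PDCEmulator' }
    if ($domain.RIDMaster            -ieq $fqdn) { $roles += 'RIDMaster' }
    if ($domain.InfrastructureMaster -ieq $fqdn) { $roles += 'InfrastructureMaster' }

    # Other global catalogs in the same site keep logons working after removal.
    $otherGCs = @(Get-ADDomainController -Filter "IsGlobalCatalog -eq `$true -and Site -eq '$($dc.Site)' -and HostName -ne '$fqdn'")

    [pscustomobject]@{
        Server                = $fqdn
        Site                  = $dc.Site
        OperationsMasterRoles = $roles
        IsGlobalCatalog       = $dc.IsGlobalCatalog
        OtherGCsInSite        = @($otherGCs.HostName)
        HostsDns              = $null -ne (Get-Service -Name DNS -ComputerName $fqdn -ErrorAction SilentlyContinue)
    }
}

$deps = Get-DcDependencies -ServerName 'DC02'
$deps | Format-List

# Transfer (not seize) every role the server holds to a healthy partner.
# The text recommends a non-GC for the infrastructure master unless every DC
# in the domain is a GC; pick the target accordingly.
if ($deps.OperationsMasterRoles.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC01' `
        -OperationMasterRole $deps.OperationsMasterRoles -Confirm:$false
}

# Re-check: proceed with the demotion only once no role is left on DC02.
# (netdom query fsmo gives the same answer from the command line.)
(Get-DcDependencies -ServerName 'DC02').OperationsMasterRoles
```

An empty OtherGCsInSite list with IsGlobalCatalog set is the global catalog warning from the list above made concrete: designate another GC in that site before removing this one, or site-local logons will have to cross the WAN.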
If the domain controller is a DNS server that is delegated to host the DNS zone, the following page will provide
the option to remove the DNS server from the DNS zone delegation.
For more information about removing AD DS, see Remove Active Directory Domain Services (Level 100) and
Demoting Domain Controllers and Domains (Level 200).
New Administrator Password
The New Administrator Password page requires you to provide a password for the built-in local computer's
Administrator account, once the demotion completes and the computer becomes a domain member server or
workgroup computer.
For more information about removing AD DS, see Remove Active Directory Domain Services (Level 100) and
Demoting Domain Controllers and Domains (Level 200).
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic describes the changes that Adprep.exe makes in Windows Server 2012 R2 and Windows Server 2012.
Forest-Wide Updates
Domain-Wide Updates
Read-Only Domain Controller Updates
Schema Updates
See Also
Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS
Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS
Windows Server Active Directory schema updates
11/2/2020 • 466 minutes to read
This topic lists the LDF files that include the changes that Adprep.exe makes.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2366
-
dn: CN=Contact,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2366
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2366
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 88
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2308
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 70
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch71.ldf
dn: CN=ms-DS-GeoCoordinates-Altitude,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 16
-
dn: CN=ms-DS-GeoCoordinates-Latitude,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 16
-
dn: CN=ms-DS-GeoCoordinates-Longitude,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 16
-
dn: CN=ms-DS-Device-OS-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn: CN=ms-DS-Device-OS-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch72.ldf
dn: CN=ms-DS-External-Directory-Object-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
adminDisplayName: ms-DS-External-Directory-Object-Id
adminDescription: ms-DS-External-Directory-Object-Id
ldapDisplayName: msDS-ExternalDirectoryObjectId
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
attributeId: 1.2.840.113556.1.4.2310
attributeSyntax: 2.5.5.12
omSyntax: 64
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
instanceType: 4
rangeUpper: 256
schemaIdGuid:: kL8pva1m4UCIexDfBwQZpg==
searchFlags: 9
showInAdvancedViewOnly: FALSE
systemOnly: FALSE
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.2310
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2273
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 72
-
Sch73.ldf
dn: CN=ms-DS-Is-Compliant,CN=Schema,CN=Configuration,DC=x
changetype: ntdsSchemaAdd
objectClass: attributeSchema
CN: ms-DS-Is-Compliant
adminDescription: This attribute is used to determine if the object is compliant with company policies.
adminDisplayName: msDS-IsCompliant
lDAPDisplayName: msDS-IsCompliant
attributeId: 1.2.840.113556.1.4.2314
oMSyntax: 1
attributeSyntax: 2.5.5.8
isSingleValued: TRUE
instanceType: 4
searchFlags: 0
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
schemaIDGUID:: D31SWcC34kyh3XHO9pYykg==
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2314
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 73
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch74.ldf
dn: CN=ms-DS-Key-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-KeyId
adminDisplayName: msDS-KeyId
adminDescription: This attribute contains a key identifier.
attributeId: 1.2.840.113556.1.4.2315
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: S/iUwq0vcUu+TJ/FcB9gug==
systemFlags: 16
RangeLower: 0
RangeUpper: 132096
instanceType: 4
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Key-Material,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-KeyMaterial
adminDisplayName: msDS-KeyMaterial
adminDescription: This attribute contains key material.
attributeId: 1.2.840.113556.1.4.2316
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: nw4uodveMU+PIRMRuVgYLw==
systemFlags: 16
RangeLower: 0
RangeUpper: 132096
instanceType: 4
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Key-Usage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-KeyUsage
adminDisplayName: msDS-KeyUsage
adminDescription: This attribute identifies the usage scenario for the key.
attributeId: 1.2.840.113556.1.4.2317
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: TLRx3ropl0WeysM0is4ZFw==
systemFlags: 16
RangeLower: 0
RangeUpper: 132096
instanceType: 4
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Key-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-KeyPrincipal
adminDisplayName: msDS-KeyPrincipal
adminDescription: This attribute specifies the principal that a key object applies to.
attributeId: 1.2.840.113556.1.4.2318
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: TRUE
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OyVhvQGUOUGmkzVvxADz6g==
systemFlags: 16
instanceType: 4
linkID: 2218
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Key-Principal-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-KeyPrincipalBL
adminDisplayName: msDS-KeyPrincipalBL
adminDescription: This attribute is the backlink for msDS-KeyPrincipal.
attributeId: 1.2.840.113556.1.4.2319
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: FALSE
isMemberOfPartialAttributeSet: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: vI8y0XSFUEGIHQsQiIJ4eA==
systemFlags: 16
instanceType: 4
linkID: 2219
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Device-DN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-DeviceDN
adminDisplayName: msDS-DeviceDN
adminDescription: This attribute identifies the registered device from which this key object was provisioned.
attributeId: 1.2.840.113556.1.4.2320
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: KREsZJk4IUeOIUg545iM5Q==
systemFlags: 16
instanceType: 4
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Computer-SID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ComputerSID
adminDisplayName: msDS-ComputerSID
adminDescription: This attribute identifies a domain-joined computer.
attributeId: 1.2.840.113556.1.4.2321
attributeSyntax: 2.5.5.17
omSyntax: 4
isSingleValued: TRUE
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: INf733IILkCZQPzXjbBJug==
systemFlags: 16
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Custom-Key-Information,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-CustomKeyInformation
adminDisplayName: msDS-CustomKeyInformation
adminDescription: This attribute contains additional information about the key.
attributeId: 1.2.840.113556.1.4.2322
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: iOnltuTlhkyirg2suXCg4Q==
systemFlags: 16
RangeLower: 0
RangeUpper: 132096
instanceType: 4
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Key-Approximate-Last-Logon-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
adminDisplayName: msDS-KeyApproximateLastLogonTimeStamp
adminDescription: The approximate time this key was last used in a logon operation.
ldapDisplayName: msDS-KeyApproximateLastLogonTimeStamp
attributeId: 1.2.840.113556.1.4.2323
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
instanceType: 4
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
schemaIdGuid:: jcmaZJqbQU2va/YW8qYuSg==
systemFlags: 16
showInAdvancedViewOnly: TRUE
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Key-Credential,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-KeyCredential
adminDisplayName: msDS-KeyCredential
adminDescription: An instance of this class contains key material.
governsId: 1.2.840.113556.1.5.297
objectClassCategory: 1
rdnAttId: cn
schemaIdGuid:: Q1Uf7i58akeLP+EfSvbEmA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
defaultHidingValue: FALSE
showInAdvancedViewOnly: TRUE
systemOnly: FALSE
systemFlags: 16
instanceType: 4
subClassOf: top
systemPossSuperiors: 1.2.840.113556.1.3.23
systemMustContain: 1.2.840.113556.1.4.2315
systemMayContain: 1.2.840.113556.1.4.2316
systemMayContain: 1.2.840.113556.1.4.2317
systemMayContain: 1.2.840.113556.1.4.2318
systemMayContain: 1.2.840.113556.1.4.2320
systemMayContain: 1.2.840.113556.1.4.2321
systemMayContain: 1.2.840.113556.1.4.2322
systemMayContain: 1.2.840.113556.1.4.2323
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2319
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 74
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch75.ldf
dn: CN=ms-DS-Device-Trust-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
CN: ms-DS-Device-Trust-Type
adminDescription: Represents join type for devices.
adminDisplayName: msDS-DeviceTrustType
lDAPDisplayName: msDS-DeviceTrustType
attributeId: 1.2.840.113556.1.4.2325
oMSyntax: 2
attributeSyntax: 2.5.5.9
instanceType: 4
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE
schemaIDGUID:: B2ikxNxqu0uX3mvtGBob/g==
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2325
-
#
# Optional Feature Object
#
dn: CN=Expiring Group Membership Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: msDS-OptionalFeature
msDS-OptionalFeatureFlags: 1
msDS-OptionalFeatureGUID:: c+hD7OjMQEa0qwf/5KtbzQ==
msDS-RequiredForestBehaviorVersion: 7
# 0x800000000
# 0x080000000
# 0x040000000
systemFlags: 2348810240
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 75
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch76.ldf
dn: CN=ms-DS-Shadow-Principal-Sid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: msDS-ShadowPrincipalSid
adminDisplayName: ms-DS-Shadow-Principal-Sid
adminDescription: Contains the SID of a principal from an external forest.
attributeID: 1.2.840.113556.1.4.2324
attributeSyntax: 2.5.5.17
oMSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIDGUID:: IgfMHbCq70+Vbydv4Z3hBw==
systemFlags: 16
instanceType: 4
showInAdvancedViewOnly: TRUE
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Shadow-Principal-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ShadowPrincipalContainer
adminDisplayName: ms-DS-Shadow-Principal-Container
adminDescription: Dedicated container for msDS-ShadowPrincipal objects.
governsId: 1.2.840.113556.1.5.298
objectClassCategory: 1
rdnAttId: cn
schemaIdGuid:: RVX5ERLXUEy4R9J4FTfGMw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
defaultHidingValue: FALSE
showInAdvancedViewOnly: TRUE
systemOnly: FALSE
systemFlags: 16
instanceType: 4
subClassOf: container
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Shadow-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ShadowPrincipal
adminDisplayName: ms-DS-Shadow-Principal
adminDescription: Represents a principal from an external forest.
governsId: 1.2.840.113556.1.5.299
objectClassCategory: 1
rdnAttId: cn
schemaIdGuid:: s0wPd0MWnEa3Zu3XeqdeFA==
defaultHidingValue: FALSE
showInAdvancedViewOnly: TRUE
systemOnly: FALSE
systemFlags: 16
instanceType: 4
subClassOf: top
systemPossSuperiors: msDS-ShadowPrincipalContainer
systemMayContain: member
systemMustContain: msDS-ShadowPrincipalSid
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 76
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch77.ldf
dn: CN=ms-DS-Key-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: FALSE
-
dn: CN=ms-DS-Key-Material,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: FALSE
-
dn: CN=ms-DS-Key-Usage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: FALSE
-
dn: CN=ms-DS-Key-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: FALSE
-
dn: CN=ms-DS-Device-DN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: FALSE
-
dn: CN=ms-DS-Computer-SID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: FALSE
-
dn: CN=ms-DS-Custom-Key-Information,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: FALSE
-
dn: CN=ms-DS-Key-Approximate-Last-Logon-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: FALSE
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Key-Credential,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2252
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 77
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch78.ldf
#
# Optional Feature Object
#
dn: CN=Expiring Group Membership Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
# FLAG_ALLOW_RENAME 0x400000
systemFlags: 1073741824
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 78
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch79.ldf
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2321
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 79
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch80.ldf
dn: CN=ms-DS-Key-Credential-Link,CN=schema,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.2328
attributeSyntax: 2.5.5.7
adminDisplayName: ms-DS-Key-Credential-Link
adminDescription: Contains key material and usage.
oMSyntax: 127
oMObjectClass:: KoZIhvcUAQEBCw==
lDAPDisplayName: msDS-KeyCredentialLink
isSingleValued: FALSE
systemOnly: FALSE
schemaIDGUID:: D9ZHW5BgskCfNypN6I8wYw==
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemFlags: 16
linkId: 2220
dn: CN=ms-DS-Key-Credential-Link-BL,CN=schema,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.2329
attributeSyntax: 2.5.5.1
oMSyntax: 127
lDAPDisplayName: msDS-KeyCredentialLink-BL
isSingleValued: FALSE
systemOnly: FALSE
schemaIDGUID:: iNeKk18i7k6Tua0koVnh2w==
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemFlags: 16
linkId: 2221
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2328
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2328
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 80
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch81.ldf
dn: CN=DS-Validated-Write-Computer,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Validated write to computer attributes.
rightsGuid: 9b026da6-0d3c-465c-8bee-5199d7165cba
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
ShowInAdvancedViewOnly: TRUE
validAccesses: 8
dn: CN=ms-DS-Key-Credential-Link,CN=schema,CN=configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGUID
attributeSecurityGUID:: pm0CmzwNXEaL7lGZ1xZcug==
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 81
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch82.ldf
dn: CN=Dns-Zone-Scope-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: Dns-Zone-Scope-Container
adminDisplayName: Dns-Zone-Scope-Container
adminDescription: Container for Dns Zone Scope objects.
ldapDisplayName: dnsZoneScopeContainer
rDNAttID: cn
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;AU)(A;;RPLCLORC;;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
governsId: 1.2.840.113556.1.5.300
instanceType: 4
objectClassCategory: 1
schemaIdGuid:: k5Bp8lryIEKd6wPfTMSpxQ==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
systemFlags: 16
subClassOf: top
systemPossSuperiors: 1.2.840.113556.1.5.85
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Dns-Zone-Scope,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: Dns-Zone-Scope
adminDisplayName: Dns-Zone-Scope
adminDescription: A zonescope of a zone is another copy of the zone contained in the zone with different set of resource records.
ldapDisplayName: dnsZoneScope
rDNAttID: cn
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;AU)(A;;RPLCLORC;;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
governsId: 1.2.840.113556.1.5.301
instanceType: 4
objectClassCategory: 1
schemaIdGuid:: YYpvaT8tzkCks+J138xJxQ==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
systemFlags: 16
subClassOf: top
systemPossSuperiors: 1.2.840.113556.1.5.300
systemMustContain: 0.9.2342.19200300.100.1.25
systemMayContain: 1.2.840.113556.1.4.1306
systemMayContain: 1.2.840.113556.1.4.653
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Dns-Node,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.301
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 82
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch83.ldf
dn: CN=ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
CN: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts
attributeID: 1.2.840.113556.1.4.2344
attributeSyntax: 2.5.5.8
adminDisplayName: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts
adminDescription: This attribute controls whether the passwords on smart-card-only accounts expire in accordance with the password policy.
oMSyntax: 1
lDAPDisplayName: msDS-ExpirePasswordsOnSmartCardOnlyAccounts
isSingleValued: TRUE
systemOnly: FALSE
schemaIDGUID:: SKsXNCTfsU+AsA/LNn4l4w==
systemFlags: 16
searchFlags: 0
instanceType: 4
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2344
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 83
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch84.ldf
dn: CN=ms-DS-Token-Group-Names,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msds-tokenGroupNames
adminDisplayName: ms-DS-Token-Group-Names
adminDescription: The distinguished names of security groups the principal is directly or indirectly a member of.
attributeId: 1.2.840.113556.1.4.2345
attributeSyntax: 2.5.5.1
omSyntax: 127
omObjectClass:: KwwCh3McAIVK
isSingleValued: FALSE
systemOnly: TRUE
# 0x00000800 (Attribute is returned only on base searches.)
# searchFlags hex value 0x00000800
searchFlags: 2048
schemaIdGuid:: dgVlZZlGyU+NGCbgzQE3pg==
attributeSecurityGuid:: +IhwA+EK0hG0IgCgyWj5OQ==
showInAdvancedViewOnly: TRUE
# 0x00000001 (Attribute is not replicated)
# 0x00000004 (Attribute is constructed)
# 0x00000008 (Attribute is operational)
# 0x00000010 (Attribute is in the base schema)
# systemFlags hex value 0x0000001D
systemFlags: 29
dn: CN=ms-DS-Token-Group-Names-Global-And-Universal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msds-tokenGroupNamesGlobalAndUniversal
adminDisplayName: ms-DS-Token-Group-Names-Global-And-Universal
adminDescription: The distinguished names of global and universal security groups the principal is directly or indirectly a member of.
attributeId: 1.2.840.113556.1.4.2346
attributeSyntax: 2.5.5.1
omSyntax: 127
omObjectClass:: KwwCh3McAIVK
isSingleValued: FALSE
systemOnly: TRUE
# 0x00000800 (Attribute is returned only on base searches.)
# searchFlags hex value 0x00000800
searchFlags: 2048
schemaIdGuid:: 9NEG+iJ5rUq3nLIgH1RBfA==
attributeSecurityGuid:: +IhwA+EK0hG0IgCgyWj5OQ==
showInAdvancedViewOnly: TRUE
# 0x00000001 (Attribute is not replicated)
# 0x00000004 (Attribute is constructed)
# 0x00000008 (Attribute is operational)
# 0x00000010 (Attribute is in the base schema)
# systemFlags hex value 0x0000001D
systemFlags: 29
dn: CN=ms-DS-Token-Group-Names-No-GC-Acceptable,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msds-tokenGroupNamesNoGCAcceptable
adminDisplayName: ms-DS-Token-Group-Names-No-GC-Acceptable
adminDescription: The distinguished names of security groups the principal is directly or indirectly a member of as reported by the local DC.
attributeId: 1.2.840.113556.1.4.2347
attributeSyntax: 2.5.5.1
omSyntax: 127
omObjectClass:: KwwCh3McAIVK
isSingleValued: FALSE
systemOnly: TRUE
# 0x00000800 (Attribute is returned only on base searches.)
# searchFlags hex value 0x00000800
searchFlags: 2048
schemaIdGuid:: yMY/UvSaAkqc1z3qEp7rJw==
attributeSecurityGuid:: +IhwA+EK0hG0IgCgyWj5OQ==
showInAdvancedViewOnly: TRUE
# 0x00000001 (Attribute is not replicated)
# 0x00000004 (Attribute is constructed)
# 0x00000008 (Attribute is operational)
# 0x00000010 (Attribute is in the base schema)
# systemFlags hex value 0x0000001D
systemFlags: 29
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2345
systemMayContain: 1.2.840.113556.1.4.2346
systemMayContain: 1.2.840.113556.1.4.2347
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 84
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch85.ldf
dn: CN=ms-DS-User-Allowed-NTLM-Network-Authentication,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-UserAllowedNTLMNetworkAuthentication
adminDisplayName: ms-DS-User-Allowed-NTLM-Network-Authentication
adminDescription: This attribute is used to determine if a user is allowed to authenticate using NTLM authentication.
attributeId: 1.2.840.113556.1.4.2348
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
# searchFlags hex value 0x00000000
searchFlags: 0
# schemaIdGuid {7ece040f-9327-4cdc-aad3-037adfe62639}
schemaIdGuid:: DwTOfieT3Eyq0wN63+YmOQ==
# attributeSecurityGuid {00000000-0000-0000-0000-000000000000}
showInAdvancedViewOnly: TRUE
# systemFlags hex value 0x00000010
# 0x00000010 (Attribute is in the base schema)
systemFlags: 16
dn: CN=ms-DS-Service-Allowed-NTLM-Network-Authentication,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ServiceAllowedNTLMNetworkAuthentication
adminDisplayName: ms-DS-Service-Allowed-NTLM-Network-Authentication
adminDescription: This attribute is used to determine if a service is allowed to authenticate using NTLM authentication.
attributeId: 1.2.840.113556.1.4.2349
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
# searchFlags hex value 0x00000000
searchFlags: 0
# schemaIdGuid {278947b9-5222-435e-96b7-1503858c2b48}
schemaIdGuid:: uUeJJyJSXkOWtxUDhYwrSA==
# attributeSecurityGuid {00000000-0000-0000-0000-000000000000}
showInAdvancedViewOnly: TRUE
# systemFlags hex value 0x00000010
# 0x00000010 (Attribute is in the base schema)
systemFlags: 16
dn: CN=ms-DS-Strong-NTLM-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-StrongNTLMPolicy
adminDisplayName: ms-DS-Strong-NTLM-Policy
adminDescription: This attribute specifies policy options for NTLM secrets with strong entropy.
attributeId: 1.2.840.113556.1.4.2350
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
# searchFlags hex value 0x00000000
searchFlags: 0
# schemaIdGuid {aacd2170-482a-44c6-b66e-42c2f66a285c}
schemaIdGuid:: cCHNqipIxkS2bkLC9mooXA==
# attributeSecurityGuid {00000000-0000-0000-0000-000000000000}
showInAdvancedViewOnly: TRUE
# systemFlags hex value 0x00000010
# 0x00000010 (Attribute is in the base schema)
systemFlags: 16
dn: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2348
systemMayContain: 1.2.840.113556.1.4.2349
systemMayContain: 1.2.840.113556.1.4.2350
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 85
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
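The Sch84 and Sch85 records above document their flag words only in `#` comments (systemFlags 29 = 0x1|0x4|0x8|0x10, searchFlags 2048 = 0x800) and give schemaIdGuid twice, once as a `{guid}` comment and once as the base64 of the GUID's little-endian bytes. The following is an added example, not part of the Microsoft .ldf files: a small parser that reads records in this format, unfolds continuation lines, base64-decodes `::` values, renders the GUID in the `{...}` form the comments use and names the flag bits, so the decimal values can be checked against the comments. The bit names are the standard attributeSchema flag names; the sample LDIF embedded in the code is copied from the Sch85 and Sch84 records on this page.

```python
import base64
import uuid
# Standard attributeSchema bit names; the Sch84/Sch86 comments above use these.
SYSTEM_FLAGS = {
    0x01: "FLAG_ATTR_NOT_REPLICATED",
    0x02: "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER",
    0x04: "FLAG_ATTR_IS_CONSTRUCTED",
    0x08: "FLAG_ATTR_IS_OPERATIONAL",
    0x10: "FLAG_SCHEMA_BASE_OBJECT",
    0x20: "FLAG_ATTR_IS_RDN",
}
SEARCH_FLAGS = {
    0x0001: "fATTINDEX",
    0x0002: "fPDNTATTINDEX",
    0x0004: "fANR",
    0x0008: "fPRESERVEONDELETE",
    0x0010: "fCOPY",
    0x0020: "fTUPLEINDEX",
    0x0040: "fSUBTREEATTINDEX",
    0x0080: "fCONFIDENTIAL",
    0x0100: "fNEVERVALUEAUDIT",
    0x0200: "fRODCFilteredAttribute",
    0x0400: "fEXTENDEDLINKTRACKING",
    0x0800: "fBASEONLY",
    0x1000: "fPARTITIONSECRET",
}

# Sample input copied from the Sch85 and Sch84 records on this page.  LDIF folds
# a long value by starting the next line with one space, which unfolding removes.
SAMPLE_LDIF = """\
dn: CN=ms-DS-User-Allowed-NTLM-Network-Authentication,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDS-UserAllowedNTLMNetworkAuthentication
adminDescription: This attribute is used to determine if a user is allowed to authenticate using NTLM
  authentication.
searchFlags: 0
# schemaIdGuid {7ece040f-9327-4cdc-aad3-037adfe62639}
schemaIdGuid:: DwTOfieT3Eyq0wN63+YmOQ==
systemFlags: 16
dn: CN=ms-DS-Token-Group-Names,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msds-tokenGroupNames
searchFlags: 2048
schemaIdGuid:: dgVlZZlGyU+NGCbgzQE3pg==
systemFlags: 29
dn:
schemaUpdateNow: 1
-
"""

def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return records as {lowercased attr: [values]}.  A 'dn:' line starts a
    new record (these files use no blank lines); 'attr:: b64' yields bytes."""
    records, current = [], {}
    for line in _unfold(text):
        if not line.strip() or line.startswith("#") or line == "-":
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "dn" and current:
            records.append(current)
            current = {}
        if value.startswith(":"):
            current.setdefault(key, []).append(base64.b64decode(value[1:].strip()))
        else:
            current.setdefault(key, []).append(value.strip())
    if current:
        records.append(current)
    return records

def guid_string(raw):
    """Render 16 GUID bytes in AD's little-endian layout as {xxxxxxxx-...}."""
    return "{%s}" % uuid.UUID(bytes_le=raw)

def decode_flags(value, table):
    """Name the set bits; any bit missing from the table is reported as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("unknown:0x%X" % unknown)
    return names

def describe(record):
    """Summarise one record: display name, {GUID}, and named flag bits."""
    out = {"ldapDisplayName": record.get("ldapdisplayname", [""])[0]}
    if "schemaidguid" in record:
        out["schemaIdGuid"] = guid_string(record["schemaidguid"][0])
    for key, table in (("searchflags", SEARCH_FLAGS), ("systemflags", SYSTEM_FLAGS)):
        if key in record:
            out[key] = decode_flags(int(record[key][0]), table)
    return out
```

Running `describe` over `parse_ldif(SAMPLE_LDIF)` reproduces the `{7ece040f-...}` comment from the base64 value and names the Sch84 bits exactly as its comments list them.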
Sch86.ldf
dn: CN=ms-DS-Source-Anchor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-SourceAnchor
adminDisplayName: ms-DS-Source-Anchor
adminDescription: Unique, immutable identifier for the object in the authoritative directory.
attributeId: 1.2.840.113556.1.4.2352
attributeSyntax: 2.5.5.12
# Syntax: String
oMSyntax: 64
isSingleValued: TRUE
# Note that we do not supply rangeUpper here. DS API enforces a maximum length of 256 Unicode characters,
# which may translate to more than 256 multi-byte characters in AD given that the AD syntax for this
# attribute is not String(Unicode).
rangeLower: 1
systemOnly: FALSE
# searchFlags: +fPDNTATTINDEX for SearchForAddressListObjects
# searchFlags: fPDNTATTINDEX | fPRESERVEONDELETE
searchFlags: 10
schemaIDGUID:: B/QCsEAT60G8oL19k44lqQ==
# attributeSecurityGuid {00000000-0000-0000-0000-000000000000}
showInAdvancedViewOnly: TRUE
# systemFlags hex value 0x00000010
# 0x00000010 (Attribute is in the base schema)
systemFlags: 16
dn: CN=ms-DS-Object-SOA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ObjectSoa
adminDisplayName: ms-DS-Object-SOA
adminDescription: This attribute is used to identify the source of authority of the object.
attributeId: 1.2.840.113556.1.4.2353
attributeSyntax: 2.5.5.12
# Syntax: String
oMSyntax: 64
isSingleValued: TRUE
# Note that we do not supply rangeUpper here. DS API enforces a maximum length of 256 Unicode characters,
# which may translate to more than 256 multi-byte characters in AD given that the AD syntax for this
# attribute is not String(Unicode).
rangeLower: 1
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: 9b32NHkuO0yOFD2Tt1qriQ==
showInAdvancedViewOnly: TRUE
# systemFlags hex value 0x00000010
# 0x00000010 (Attribute is in the base schema)
systemFlags: 16
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2352
systemMayContain: 1.2.840.113556.1.4.2353
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 86
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch87.ldf
dn: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 87
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Issuer-Certificates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Issuer-Certificates
adminDisplayName: ms-DS-Issuer-Certificates
adminDescription: The keys used to sign certificates issued by the Registration Service.
ldapDisplayName: msDS-IssuerCertificates
attributeId: 1.2.840.113556.1.4.2240
omSyntax: 4
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
instanceType: 4
rangeLower: 1
rangeUpper: 65536
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: 2m89a5MIxEOJ+x+1KmYWqQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Registration-Quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Registration-Quota
adminDisplayName: ms-DS-Registration-Quota
adminDescription: Policy used to limit the number of registrations allowed for a single user.
ldapDisplayName: msDS-RegistrationQuota
attributeId: 1.2.840.113556.1.4.2241
omSyntax: 2
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
instanceType: 4
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: woYyymQfeUCWvOYrYQ5zDw==
systemFlags: 16
dn: CN=ms-DS-Maximum-Registration-Inactivity-Period,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Maximum-Registration-Inactivity-Period
adminDisplayName: ms-DS-Maximum-Registration-Inactivity-Period
adminDescription: The maximum amount of days used to detect inactivty of registration objects.
ldapDisplayName: msDS-MaximumRegistrationInactivityPeriod
attributeId: 1.2.840.113556.1.4.2242
omSyntax: 2
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
instanceType: 4
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: OapcCuYFykm4CAJbk2YQ5w==
systemFlags: 16
dn: CN=ms-DS-Is-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Is-Enabled
adminDisplayName: ms-DS-Is-Enabled
adminDescription: This attribute is used to enable or disable the user-device relationship.
ldapDisplayName: msDS-IsEnabled
attributeId: 1.2.840.113556.1.4.2248
omSyntax: 1
attributeSyntax: 2.5.5.8
isSingleValued: TRUE
instanceType: 4
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: DlypIoMfgkyUzr6miM/IcQ==
systemFlags: 16
dn: CN=ms-DS-Device-OS-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Device-OS-Type
adminDisplayName: ms-DS-Device-OS-Type
adminDescription: This attribute is used to track the type of device based on the OS.
ldapDisplayName: msDS-DeviceOSType
attributeId: 1.2.840.113556.1.4.2249
omSyntax: 64
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
instanceType: 4
rangeLower: 0
rangeUpper: 1024
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: TUUOELvzy02EX41e3EccWQ==
systemFlags: 16
dn: CN=ms-DS-Device-OS-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Device-OS-Version
adminDisplayName: ms-DS-Device-OS-Version
adminDescription: This attribute is used to track the OS version of the device.
ldapDisplayName: msDS-DeviceOSVersion
attributeId: 1.2.840.113556.1.4.2250
omSyntax: 64
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
instanceType: 4
rangeLower: 0
rangeUpper: 512
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: Y4z7cKtfBEWrnRSzKain+A==
systemFlags: 16
dn: CN=ms-DS-Device-Physical-IDs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Device-Physical-IDs
adminDisplayName: ms-DS-Device-Physical-IDs
adminDescription: This attribute is used to store identifiers of the physical device.
ldapDisplayName: msDS-DevicePhysicalIDs
attributeId: 1.2.840.113556.1.4.2251
omSyntax: 4
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
instanceType: 4
rangeLower: 1
rangeUpper: 10485760
searchFlags: 1
systemOnly: FALSE
schemaIdGuid:: FFRhkKCiR0Spk1NAlZm3Tg==
systemFlags: 16
dn: CN=ms-DS-Device-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Device-ID
adminDisplayName: ms-DS-Device-ID
adminDescription: This attribute stores the ID of the device.
ldapDisplayName: msDS-DeviceID
attributeId: 1.2.840.113556.1.4.2252
omSyntax: 4
attributeSyntax: 2.5.5.10
isSingleValued: TRUE
instanceType: 4
rangeLower: 16
rangeUpper: 16
searchFlags: 1
systemOnly: FALSE
schemaIdGuid:: x4EBw0Jj+0GyeffFZsvgpw==
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Device-Registration-Service-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: ms-DS-Device-Registration-Service-Container
adminDisplayName: ms-DS-Device-Registration-Service-Container
adminDescription: A class for the container used to house all enrollment services used for device registrations.
ldapDisplayName: msDS-DeviceRegistrationServiceContainer
rDNAttID: cn
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
governsId: 1.2.840.113556.1.5.287
instanceType: 4
objectClassCategory: 1
schemaIdGuid:: zlULMc09kkOpbcnjU5fCTw==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
systemFlags: 16
subClassOf: top
systemPossSuperiors: 1.2.840.113556.1.3.23
dn: CN=ms-DS-Device-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: ms-DS-Device-Container
adminDisplayName: ms-DS-Device-Container
adminDescription: A class for the container used to hold device objects.
ldapDisplayName: msDS-DeviceContainer
rDNAttID: cn
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
governsId: 1.2.840.113556.1.5.289
instanceType: 4
objectClassCategory: 1
schemaIdGuid:: WIyefBuQqE627E656fwOEQ==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
systemFlags: 16
subClassOf: top
systemPossSuperiors: 1.2.840.113556.1.5.67
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: ms-DS-Device-Registration-Service
adminDisplayName: ms-DS-Device-Registration-Service
adminDescription: An object of this class holds the registration service configuration used for devices.
ldapDisplayName: msDS-DeviceRegistrationService
rDNAttID: cn
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
governsId: 1.2.840.113556.1.5.284
instanceType: 4
objectClassCategory: 1
schemaIdGuid:: Gjq8ltLj00mvEXsN951n9Q==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
systemFlags: 16
subClassOf: top
systemPossSuperiors: 1.2.840.113556.1.5.287
systemMayContain: 1.2.840.113556.1.4.2240
systemMayContain: 1.2.840.113556.1.4.2241
systemMayContain: 1.2.840.113556.1.4.2242
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: ms-DS-Device
adminDisplayName: ms-DS-Device
adminDescription: An object of this type represents a registered device.
ldapDisplayName: msDS-Device
rDNAttID: cn
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
governsId: 1.2.840.113556.1.5.286
instanceType: 4
objectClassCategory: 1
schemaIdGuid:: c7byXUFtdEez6NUujun/mQ==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
systemFlags: 16
subClassOf: top
systemPossSuperiors: 1.2.840.113556.1.5.289
systemMayContain: 1.2.840.113556.1.4.2248
systemMayContain: 1.2.840.113556.1.4.2249
systemMayContain: 1.2.840.113556.1.4.2250
systemMayContain: 1.2.840.113556.1.4.2251
systemMayContain: 1.2.840.113556.1.4.2252
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 57
-
Sch58.ldf
dn: CN=ms-DS-Resource-Property-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: FALSE
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 58
-
Sch59.ldf
dn: CN=ms-DS-User-Device-Registration,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: isDefunct
isDefunct: TRUE
-
dn: CN=ms-DS-User-Device-Registration-Container,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: isDefunct
isDefunct: TRUE
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2246
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2244
-
dn: CN=ms-DS-User-Device-Registration-Link,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: isDefunct
isDefunct: TRUE
-
dn: CN=ms-DS-User-Device-Registration-Link-BL,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: isDefunct
isDefunct: TRUE
-
dn: CN=ms-DS-Authentication-Level,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: isDefunct
isDefunct: TRUE
-
dn: CN=ms-DS-Approximate-Last-Use-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: isDefunct
isDefunct: TRUE
-
dn: CN=ms-DS-Device-Reference,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: isDefunct
isDefunct: TRUE
-
dn: CN=ms-DS-Device-Location,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Device-Location
adminDisplayName: ms-DS-Device-Location
adminDescription: The DN under which the device objects will be created.
ldapDisplayName: msDS-DeviceLocation
attributeId: 1.2.840.113556.1.4.2261
omSyntax: 127
omObjectClass:: KwwCh3McAIVK
attributeSyntax: 2.5.5.1
isSingleValued: TRUE
instanceType: 4
searchFlags: 0
systemOnly: TRUE
schemaIdGuid:: yFb74+hd9UWxsdK2zTHnYg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Registered-Owner,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Registered-Owner
adminDisplayName: ms-DS-Registered-Owner
adminDescription: Single valued binary attribute containing the primary SID referencing the first user to register the device. The value is not removed during de-registration, but could be managed by an administrator.
ldapDisplayName: msDS-RegisteredOwner
attributeId: 1.2.840.113556.1.4.2258
omSyntax: 4
attributeSyntax: 2.5.5.10
isSingleValued: TRUE
instanceType: 4
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
schemaIdGuid:: 6SZ2YesBz0KZH85heYIjfg==
systemFlags: 18
dn: CN=ms-DS-Registered-Users,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Registered-Users
adminDisplayName: ms-DS-Registered-Users
adminDescription: Contains the list of users that have registered the device.Users in this list have all of the features provided by the "Company Portal" app.And they have SSO to company resources.
ldapDisplayName: msDS-RegisteredUsers
attributeId: 1.2.840.113556.1.4.2263
omSyntax: 4
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
instanceType: 4
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
schemaIdGuid:: DBZJBI5ayE+wUgHA9uSPAg==
systemFlags: 18
dn: CN=ms-DS-Approximate-Last-Logon-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Approximate-Last-Logon-Time-Stamp
adminDisplayName: ms-DS-Approximate-Last-Logon-Time-Stamp
adminDescription: The approximate time a user last logged on with from the device.
ldapDisplayName: msDS-ApproximateLastLogonTimeStamp
attributeId: 1.2.840.113556.1.4.2262
omSyntax: 65
attributeSyntax: 2.5.5.16
isSingleValued: TRUE
instanceType: 4
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
schemaIdGuid:: O5hPo8aEDE+QUKOhSh01pA==
systemFlags: 16
dn: CN=ms-DS-Device-Object-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Device-Object-Version
adminDisplayName: ms-DS-Device-Object-Version
adminDescription: This attribute is used to identify the schema version of the device.
ldapDisplayName: msDS-DeviceObjectVersion
attributeId: 1.2.840.113556.1.4.2257
omSyntax: 2
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
instanceType: 4
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
schemaIdGuid:: Wmll73nxak6T3rAeBmgc+w==
systemFlags: 18
dn: CN=ms-DS-Device-OS-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: TRUE
-
dn: CN=ms-DS-Device-OS-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn: CN=ms-DS-Device-OS-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: TRUE
-
dn: CN=ms-DS-Device-Physical-IDs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: omSyntax
omSyntax: 64
-
dn: CN=ms-DS-Device-Physical-IDs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: attributeSyntax
attributeSyntax: 2.5.5.12
-
dn: CN=ms-DS-Device-Physical-IDs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 1024
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMustContain
systemMustContain: 1.2.840.113556.1.4.2261
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2257
systemMayContain: 1.2.840.113556.1.4.2258
systemMayContain: 1.2.840.113556.1.4.2262
systemMayContain: 1.2.840.113556.1.4.2263
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2248
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMustContain
systemMustContain: 1.2.840.113556.1.4.2248
systemMustContain: 1.2.840.113556.1.2.13
systemMustContain: 1.2.840.113556.1.4.867
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 59
-
Sch60.ldf
dn: CN=ms-DS-Is-Member-Of-DL-Transitive,CN=Schema,CN=Configuration,DC=X
# This constructed attribute transitively expands the
# linked attribute "isMemberOfDL"
changetype: ntdsschemaadd
objectClass: attributeSchema
lDAPDisplayName: msds-memberOfTransitive
adminDisplayName: msds-memberOfTransitive
adminDescription: msds-memberOfTransitive
attributeID: 1.2.840.113556.1.4.2236
attributeSyntax: 2.5.5.1
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
isSingleValued: FALSE
systemOnly: TRUE
# 0x800(only return on base search)
searchFlags: 2048
showInAdvancedViewOnly: TRUE
schemaIdGuid:: tmYhhkHJJ0eVZUi//ylB3g==
# 0x10 (base schema) +
# 0x08 (operational) +
# 0x04 (constructed) +
# 0x01 (not replicated)
systemFlags: 29
dn: CN=ms-DS-Member-Transitive,CN=Schema,CN=Configuration,DC=X
# This constructed attribute transitively expands the
# linked attribute "member"
changetype: ntdsschemaadd
objectClass: attributeSchema
lDAPDisplayName: msds-memberTransitive
adminDisplayName: msds-memberTransitive
adminDescription: msds-memberTransitive
attributeID: 1.2.840.113556.1.4.2238
attributeSyntax: 2.5.5.1
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
isSingleValued: FALSE
systemOnly: TRUE
# 0x800(only return on base search)
searchFlags: 2048
showInAdvancedViewOnly: TRUE
schemaIdGuid:: WzkV4gSR2US4lDmeyeId/A==
# 0x10 (base schema) +
# 0x08 (operational) +
# 0x04 (constructed) +
# 0x01 (not replicated)
systemFlags: 29
dn: CN=ms-DS-Parent-Dist-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: attributeSchema
lDAPDisplayName: msDS-parentdistname
adminDisplayName: ms-DS-Parent-Dist-Name
adminDescription: ms-DS-Parent-Dist-Name
attributeID: 1.2.840.113556.1.4.2203
attributeSyntax: 2.5.5.1
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIDGUID:: ff4YuRqXBPSeIZJhq+yXCw==
showInAdvancedViewOnly: TRUE
# 0x10 (base schema) +
# 0x08 (operational) +
# 0x04 (constructed) +
# 0x01 (not replicated)
systemFlags: 29
dn: CN=ms-DS-Repl-Value-Meta-Data-Ext,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ReplValueMetaDataExt
adminDisplayName: ms-DS-Repl-Value-Meta-Data-Ext
adminDescription: ms-DS-Repl-Value-Meta-Data-Ext
attributeId: 1.2.840.113556.1.4.2235
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 79ICHq1EskamfZ/RjXgLyg==
showInAdvancedViewOnly: TRUE
# 0x10 (base schema) +
# 0x04 (constructed)
systemFlags: 20
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: cn=Top,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemamodify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2238
systemMayContain: 1.2.840.113556.1.4.2236
systemMayContain: 1.2.840.113556.1.4.2203
systemMayContain: 1.2.840.113556.1.4.2235
-
dn: CN=DS-Set-Owner,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Set Owner of an object during creation.
rightsGuid: 4125c71f-7fac-4ff0-bcb7-f09a41325286
appliesTo: 26f11b08-a29d-4869-99bb-ef0b99fd883e
validAccesses: 256
dn: CN=DS-Bypass-Quota,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Bypass the quota restrictions during creation.
rightsGuid: 88a9933e-e5c8-4f2a-9dd7-2527416b8092
appliesTo: 26f11b08-a29d-4869-99bb-ef0b99fd883e
validAccesses: 256
dn: CN=DS-Read-Partition-Secrets,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Read secret attributes of objects in a Partition
rightsGuid: 084c93a2-620d-4879-a836-f0ae47de0e89
appliesTo: 26f11b08-a29d-4869-99bb-ef0b99fd883e
validAccesses: 256
dn: CN=DS-Write-Partition-Secrets,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Write secret attributes of objects in a Partition
rightsGuid: 94825A8D-B171-4116-8146-1E34D8F54401
appliesTo: 26f11b08-a29d-4869-99bb-ef0b99fd883e
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 60
-
Sch61.ldf
dn: CN=ms-DS-Drs-Farm-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Drs-Farm-ID
adminDisplayName: ms-DS-Drs-Farm-ID
adminDescription: This attribute stores the name of the federation service this DRS object is associated with.
ldapDisplayName: msDS-DrsFarmID
attributeId: 1.2.840.113556.1.4.2265
omSyntax: 64
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
instanceType: 4
searchFlags: 0
isMemberOfPartialAttributeSet: TRUE
systemOnly: TRUE
schemaIdGuid:: ZvdVYC4gzUmovuUrsVnt+w==
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMustContain
systemMustContain: 1.2.840.113556.1.4.2248
systemMustContain: 1.2.840.113556.1.4.2265
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 61
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch62.ldf
dn: CN=ms-DS-Issuer-Public-Certificates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Issuer-Public-Certificates
adminDisplayName: ms-DS-Issuer-Public-Certificates
adminDescription: The public keysof the keys used to sign certificates issued by the Registration Service.
ldapDisplayName: msDS-IssuerPublicCertificates
attributeId: 1.2.840.113556.1.4.2269
omSyntax: 4
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
instanceType: 4
rangeLower: 1
rangeUpper: 65536
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: /u3xtdK0dkCrD2FINCsL9g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2269
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 62
-
Sch63.ldf
dn: CN=ms-DS-Issuer-Certificates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 128
-
dn: CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
-
dn: CN=ms-DS-Device-Registration-Service-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 63
-
Sch64.ldf
dn: CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
-
dn: CN=ms-DS-Device-Registration-Service-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2252
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMustContain
systemMustContain: 1.2.840.113556.1.4.2252
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 64
-
Sch65.ldf
dn: CN=ms-DS-Registration-Quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Maximum-Registration-Inactivity-Period,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Registered-Owner,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Registered-Users,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Approximate-Last-Logon-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Is-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Device-OS-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Device-OS-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Device-Physical-IDs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Device-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Device-Object-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-Drs-Farm-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-DS-IsManaged,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-IsManaged
adminDisplayName: ms-DS-IsManaged
adminDescription: This attribute is used to indicate the device is managed by a on-premises MDM.
ldapDisplayName: msDS-IsManaged
attributeId: 1.2.840.113556.1.4.2270
omSyntax: 1
attributeSyntax: 2.5.5.8
isSingleValued: TRUE
instanceType: 4
searchFlags: 1
systemOnly: FALSE
schemaIdGuid:: zmpoYCds3kOk5fAML40zCQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Cloud-IsManaged,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Cloud-IsManaged
adminDisplayName: ms-DS-Cloud-IsManaged
adminDescription: This attribute is used to indicate the device is managed by a cloud MDM.
ldapDisplayName: msDS-CloudIsManaged
attributeId: 1.2.840.113556.1.4.2271
omSyntax: 1
attributeSyntax: 2.5.5.8
isSingleValued: TRUE
instanceType: 4
searchFlags: 1
systemOnly: FALSE
schemaIdGuid:: jroVU4+VUku9OBNJowTdYw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Cloud-Anchor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Cloud-Anchor
adminDisplayName: ms-DS-Cloud-Anchor
adminDescription: This attribute is used by the DirSync engine to indicate the object SOA and to maintain the relationship between the on-premises and cloud object.
ldapDisplayName: msDS-CloudAnchor
attributeId: 1.2.840.113556.1.4.2273
omSyntax: 4
attributeSyntax: 2.5.5.10
isSingleValued: TRUE
instanceType: 4
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: gF5WeNQD40+vrIw7yi82Uw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Cloud-Issuer-Public-Certificates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Cloud-Issuer-Public-Certificates
adminDisplayName: ms-DS-Cloud-Issuer-Public-Certificates
adminDescription: The public keys used by the cloud DRS to sign certificates issued by the Registration Service.
ldapDisplayName: msDS-CloudIssuerPublicCertificates
attributeId: 1.2.840.113556.1.4.2274
omSyntax: 4
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
instanceType: 4
rangeLower: 1
rangeUpper: 65536
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: T7XoodZL0k+Y4rzukqVUlw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Cloud-IsEnabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-Cloud-IsEnabled
adminDisplayName: ms-DS-Cloud-IsEnabled
adminDescription: This attribute is used to indicate whether cloud DRS is enabled.
ldapDisplayName: msDS-CloudIsEnabled
attributeId: 1.2.840.113556.1.4.2275
omSyntax: 1
attributeSyntax: 2.5.5.8
isSingleValued: TRUE
instanceType: 4
searchFlags: 0
systemOnly: FALSE
schemaIdGuid:: KIOEiU58b0+gEyjOOtKC3A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2270
systemMayContain: 1.2.840.113556.1.4.2271
systemMayContain: 1.2.840.113556.1.4.2273
-
dn: CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2274
systemMayContain: 1.2.840.113556.1.4.2275
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 65
-
Sch66.ldf
dn: CN=ms-DS-SyncServerUrl,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-SyncServerUrl
ldapDisplayName: msDS-SyncServerUrl
adminDisplayName: ms-DS-SyncServerUrl
adminDescription: Use this attribute to store the sync server (Url format) which hosts the user sync folder
AttributeID: 1.2.840.113556.1.4.2276
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
SystemOnly: FALSE
searchFlags: 1
rangeLower: 1
rangeUpper: 512
schemaIdGuid:: 0sOst3QqpE+sJeY/6LYSGA==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2276
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 66
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch67.ldf
dn: CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.2265
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Drs-Farm-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isDefunct
isDefunct: TRUE
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 67
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch68.ldf
dn: CN=ms-DS-User-Allowed-To-Authenticate-To,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-UserAllowedToAuthenticateTo
adminDisplayName: ms-DS-User-Allowed-To-Authenticate-To
adminDescription: This attribute is used to determine if a user has permission to authenticate to a service.
attributeId: 1.2.840.113556.1.4.2277
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: f6oM3k5yhkKxeRkmce/GZA==
systemFlags: 16
RangeLower: 0
RangeUpper: 132096
instanceType: 4
dn: CN=ms-DS-User-Allowed-To-Authenticate-From,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-UserAllowedToAuthenticateFrom
adminDisplayName: ms-DS-User-Allowed-To-Authenticate-From
adminDescription: This attribute is used to determine if a user has permission to authenticate from a computer.
attributeId: 1.2.840.113556.1.4.2278
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: AJZMLOGwfUSN2nSQIle9tQ==
systemFlags: 16
RangeLower: 0
RangeUpper: 132096
instanceType: 4
dn: CN=ms-DS-User-TGT-Lifetime,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-UserTGTLifetime
adminDisplayName: User TGT Lifetime
adminDescription: This attribute specifies the maximum age of a Kerberos TGT issued to a user in units of 10^(-7) seconds.
attributeId: 1.2.840.113556.1.4.2279
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: g8khhZn1D0K5q7EiK9+VwQ==
systemFlags: 16
instanceType: 4
dn: CN=ms-DS-Computer-Allowed-To-Authenticate-To,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ComputerAllowedToAuthenticateTo
adminDisplayName: ms-DS-Computer-Allowed-To-Authenticate-To
adminDescription: This attribute is used to determine if a computer has permission to authenticate to a service.
attributeId: 1.2.840.113556.1.4.2280
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 6atbEH4Hk0e5dO8EELYlcw==
systemFlags: 16
RangeLower: 0
RangeUpper: 132096
instanceType: 4
dn: CN=ms-DS-Computer-TGT-Lifetime,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ComputerTGTLifetime
adminDisplayName: Computer TGT Lifetime
adminDescription: This attribute specifies the maximum age of a Kerberos TGT issued to a computer in units of 10^(-7) seconds.
attributeId: 1.2.840.113556.1.4.2281
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JHWTLrnfrEykNqW32mT9Zg==
systemFlags: 16
instanceType: 4
dn: CN=ms-DS-Service-Allowed-To-Authenticate-To,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ServiceAllowedToAuthenticateTo
adminDisplayName: ms-DS-Service-Allowed-To-Authenticate-To
adminDescription: This attribute is used to determine if a service has permission to authenticate to a service.
attributeId: 1.2.840.113556.1.4.2282
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: MTGX8k2bIEi03gR07zuEnw==
systemFlags: 16
RangeLower: 0
RangeUpper: 132096
instanceType: 4
dn: CN=ms-DS-Service-Allowed-To-Authenticate-From,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ServiceAllowedToAuthenticateFrom
adminDisplayName: ms-DS-Service-Allowed-To-Authenticate-From
adminDescription: This attribute is used to determine if a service has permission to authenticate from a computer.
attributeId: 1.2.840.113556.1.4.2283
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: mnDalxY3Zkmx0YOLpTw9iQ==
systemFlags: 16
RangeLower: 0
RangeUpper: 132096
instanceType: 4
dn: CN=ms-DS-Service-TGT-Lifetime,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ServiceTGTLifetime
adminDisplayName: Service TGT Lifetime
adminDescription: This attribute specifies the maximum age of a Kerberos TGT issued to a service in units of 10^(-7) seconds.
attributeId: 1.2.840.113556.1.4.2284
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: IDz+XSnKfUCbq4Qh5V63XA==
systemFlags: 16
instanceType: 4
dn: CN=ms-DS-Assigned-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AssignedAuthNPolicySilo
adminDisplayName: Assigned Authentication Policy Silo
adminDescription: This attribute specifies which AuthNPolicySilo a principal is assigned to.
attributeId: 1.2.840.113556.1.4.2285
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QcE/svUN6kqzPWz0kwd7Pw==
systemFlags: 16
instanceType: 4
linkID: 2202
dn: CN=ms-DS-Assigned-AuthN-Policy-Silo-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AssignedAuthNPolicySiloBL
adminDisplayName: Assigned Authentication Policy Silo Backlink
adminDescription: This attribute is the backlink for msDS-AssignedAuthNPolicySilo.
attributeId: 1.2.840.113556.1.4.2286
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: FAUUM3r10keOxATEZmYAxw==
systemFlags: 16
instanceType: 4
linkID: 2203
dn: CN=ms-DS-AuthN-Policy-Silo-Members,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AuthNPolicySiloMembers
adminDisplayName: Authentication Policy Silo Members
adminDescription: This attribute specifies which principals are assigned to the AuthNPolicySilo.
attributeId: 1.2.840.113556.1.4.2287
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BR5NFqZIhkio6XeiAG48dw==
systemFlags: 16
instanceType: 4
linkID: 2204
dn: CN=ms-DS-AuthN-Policy-Silo-Members-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AuthNPolicySiloMembersBL
adminDisplayName: Authentication Policy Silo Members Backlink
adminDescription: This attribute is the backlink for msDS-AuthNPolicySiloMembers.
attributeId: 1.2.840.113556.1.4.2288
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: x8v8EeT7UUm0t63fb579RA==
systemFlags: 16
instanceType: 4
linkID: 2205
dn: CN=ms-DS-User-AuthN-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-UserAuthNPolicy
adminDisplayName: User Authentication Policy
adminDescription: This attribute specifies which AuthNPolicy should be applied to users assigned to this silo object.
attributeId: 1.2.840.113556.1.4.2289
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 87kmzRXUKkSPeHxhUj7pWw==
systemFlags: 16
instanceType: 4
linkID: 2206
dn: CN=ms-DS-User-AuthN-Policy-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-UserAuthNPolicyBL
adminDisplayName: User Authentication Policy Backlink
adminDescription: This attribute is the backlink for msDS-UserAuthNPolicy.
attributeId: 1.2.840.113556.1.4.2290
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: qfoXL0ddH0uXfqpS+r5lyA==
systemFlags: 16
instanceType: 4
linkID: 2207
dn: CN=ms-DS-Computer-AuthN-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ComputerAuthNPolicy
adminDisplayName: Computer Authentication Policy
adminDescription: This attribute specifies which AuthNPolicy should be applied to computers assigned to this silo object.
attributeId: 1.2.840.113556.1.4.2291
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: yWO4r6O+D0Sp82FTzGaJKQ==
systemFlags: 16
instanceType: 4
linkID: 2208
dn: CN=ms-DS-Computer-AuthN-Policy-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ComputerAuthNPolicyBL
adminDisplayName: Computer Authentication Policy Backlink
adminDescription: This attribute is the backlink for msDS-ComputerAuthNPolicy.
attributeId: 1.2.840.113556.1.4.2292
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: MmLvK6EwfkWGBHr22/ExuA==
systemFlags: 16
instanceType: 4
linkID: 2209
dn: CN=ms-DS-Service-AuthN-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ServiceAuthNPolicy
adminDisplayName: Service Authentication Policy
adminDescription: This attribute specifies which AuthNPolicy should be applied to services assigned to this silo object.
attributeId: 1.2.840.113556.1.4.2293
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: lW1qKs4o7km7JG0fwB4xEQ==
systemFlags: 16
instanceType: 4
linkID: 2210
dn: CN=ms-DS-Service-AuthN-Policy-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ServiceAuthNPolicyBL
adminDisplayName: Service Authentication Policy Backlink
adminDescription: This attribute is the backlink for msDS-ServiceAuthNPolicy.
attributeId: 1.2.840.113556.1.4.2294
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: 7CgRLKJao0KzLfCXnKn80g==
systemFlags: 16
instanceType: 4
linkID: 2211
dn: CN=ms-DS-Assigned-AuthN-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AssignedAuthNPolicy
adminDisplayName: Assigned Authentication Policy
adminDescription: This attribute specifies which AuthNPolicy should be applied to this principal.
attributeId: 1.2.840.113556.1.4.2295
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 2Ap6uPdUwUmEoOZNEoU1iA==
systemFlags: 16
instanceType: 4
linkID: 2212
dn: CN=ms-DS-Assigned-AuthN-Policy-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AssignedAuthNPolicyBL
adminDisplayName: Assigned Authentication Policy Backlink
adminDescription: This attribute is the backlink for msDS-AssignedAuthNPolicy.
attributeId: 1.2.840.113556.1.4.2296
attributeSyntax: 2.5.5.1
omObjectClass:: KwwCh3McAIVK
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: PBsTLZ/T7kqBXo20vBznrA==
systemFlags: 16
instanceType: 4
linkID: 2213
dn: CN=ms-DS-AuthN-Policy-Enforced,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AuthNPolicyEnforced
adminDisplayName: Authentication Policy Enforced
adminDescription: This attribute specifies whether the authentication policy is enforced.
attributeId: 1.2.840.113556.1.4.2297
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wgxWekXsukSy1yEjatWf1Q==
instanceType: 4
systemFlags: 16
dn: CN=ms-DS-AuthN-Policy-Silo-Enforced,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AuthNPolicySiloEnforced
adminDisplayName: Authentication Policy Silo Enforced
adminDescription: This attribute specifies whether the authentication policy silo is enforced.
attributeId: 1.2.840.113556.1.4.2298
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: AhH18uBrPUmHJhVGzbyHcQ==
instanceType: 4
systemFlags: 16
dn: CN=ms-DS-AuthN-Policy-Silos,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AuthNPolicySilos
adminDisplayName: Authentication Policy Silos
adminDescription: A container of this class can contain authentication policy silo objects.
governsId: 1.2.840.113556.1.5.291
objectClassCategory: 1
rdnAttId: cn
schemaIdGuid:: Ckex0oSPHkmnUrQB7gD+XA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-AuthN-Policy-Silos,CN=Schema,CN=Configuration,DC=X
instanceType: 4
systemFlags: 16
subClassOf: top
systemPossSuperiors: 1.2.840.113556.1.3.23
dn: CN=ms-DS-AuthN-Policies,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AuthNPolicies
adminDisplayName: Authentication Policies
adminDescription: A container of this class can contain authentication policy objects.
governsId: 1.2.840.113556.1.5.293
objectClassCategory: 1
rdnAttId: cn
schemaIdGuid:: Xd+aOpd7fk+rtOW1XBwGtA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-AuthN-Policies,CN=Schema,CN=Configuration,DC=X
instanceType: 4
systemFlags: 16
subClassOf: top
systemPossSuperiors: 1.2.840.113556.1.3.23
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AuthNPolicySilo
adminDisplayName: Authentication Policy Silo
adminDescription: An instance of this class defines authentication policies and related behaviors for assigned users, computers, and services.
governsId: 1.2.840.113556.1.5.292
objectClassCategory: 1
rdnAttId: cn
schemaIdGuid:: Hkbw+X1piUaSmTfmHWF7DQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
instanceType: 4
systemmaycontain: msDS-AuthNPolicySiloMembers
systemmaycontain: msDS-UserAuthNPolicy
systemmaycontain: msDS-ComputerAuthNPolicy
systemmaycontain: msDS-ServiceAuthNPolicy
systemmaycontain: msDS-AssignedAuthNPolicySiloBL
systemmaycontain: msDS-AuthNPolicySiloEnforced
subClassOf: top
systemPossSuperiors: msDS-AuthNPolicySilos
dn: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AuthNPolicy
adminDisplayName: Authentication Policy
adminDescription: An instance of this class defines authentication policy behaviors for assigned principals.
governsId: 1.2.840.113556.1.5.294
objectClassCategory: 1
rdnAttId: cn
schemaIdGuid:: VhFqq8dN9UCRgI5M5C/lzQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
instanceType: 4
systemmaycontain: msDS-UserAllowedToAuthenticateTo
systemmaycontain: msDS-UserAllowedToAuthenticateFrom
systemmaycontain: msDS-UserTGTLifetime
systemmaycontain: msDS-ComputerAllowedToAuthenticateTo
systemmaycontain: msDS-ComputerTGTLifetime
systemmaycontain: msDS-ServiceAllowedToAuthenticateTo
systemmaycontain: msDS-ServiceAllowedToAuthenticateFrom
systemmaycontain: msDS-ServiceTGTLifetime
systemmaycontain: msDS-UserAuthNPolicyBL
systemmaycontain: msDS-ComputerAuthNPolicyBL
systemmaycontain: msDS-ServiceAuthNPolicyBL
systemmaycontain: msDS-AssignedAuthNPolicyBL
systemmaycontain: msDS-AuthNPolicyEnforced
subClassOf: top
systemPossSuperiors: msDS-AuthNPolicies
dn: CN=user,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add:systemmaycontain
systemmaycontain: msDS-AssignedAuthNPolicy
systemmaycontain: msDS-AssignedAuthNPolicySilo
systemmaycontain: msDS-AuthNPolicySiloMembersBL
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 68
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch69.ldf
dn: CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: defaultHidingValue
defaultHidingValue: FALSE
-
dn: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: defaultHidingValue
defaultHidingValue: FALSE
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 69
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Members-Of-Resource-Property-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-MembersOfResourcePropertyList
adminDisplayName: ms-DS-Members-Of-Resource-Property-List
adminDescription: For a resource property list object, this multi-valued link attribute points to one or more resource property objects.
attributeId: 1.2.840.113556.1.4.2103
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: ERw3Ta1MQUyK0rGAqyvRPA==
linkID: 2180
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Members-Of-Resource-Property-List-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-MembersOfResourcePropertyListBL
adminDisplayName: ms-DS-Members-Of-Resource-Property-List-BL
adminDescription: Backlink for ms-DS-Members-Of-Resource-Property-List. For a resource property object, this attribute references the resource property list object that it is a member of.
attributeId: 1.2.840.113556.1.4.2104
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: BLdpdLDtaEWlpVn0hix1pw==
linkID: 2181
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Claim-Value-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimValueType
adminDisplayName: ms-DS-Claim-Value-Type
adminDescription: For a claim type object, specifies the value type of the claims issued.
attributeId: 1.2.840.113556.1.4.2098
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: uRdixo7k90e31WVSuK/WGQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Claim-Possible-Values,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimPossibleValues
adminDisplayName: ms-DS-Claim-Possible-Values
adminDescription: For a claim type or resource property object, this attribute describes the values suggested to a user when the he/she use the claim type or resource property in applications.
attributeId: 1.2.840.113556.1.4.2097
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1048576
schemaIdGuid:: 7u0oLnztP0Wv5JO9hvIXTw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Claim-Attribute-Source,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimAttributeSource
adminDisplayName: ms-DS-Claim-Attribute-Source
adminDescription: For a claim type object, this attribute points to the attribute that will be used as the source for the claim type.
attributeId: 1.2.840.113556.1.4.2099
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: PhK87ua6ZkGeWymISot2sA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Claim-Type-Applies-To-Class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimTypeAppliesToClass
adminDisplayName: ms-DS-Claim-Type-Applies-To-Class
adminDescription: For a claim type object, this linked attribute points to the AD security principal classes that for which claims should be issued. (For example, a link to the user class).
attributeId: 1.2.840.113556.1.4.2100
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: TA77anbYfEOutsPkFFTCcg==
linkID: 2176
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Claim-Shares-Possible-Values-With,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimSharesPossibleValuesWith
adminDisplayName: ms-DS-Claim-Shares-Possible-Values-With
adminDescription: For a resource property object, this attribute indicates that the suggested values of the claims issued are defined on the object that this linked attribute points to. Overrides ms-DS-Claim-Possible-Values on itself, if populated.
attributeId: 1.2.840.113556.1.4.2101
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: OtHIUgvOV0+JKxj1pDokAA==
linkID: 2178
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Claim-Shares-Possible-Values-With-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimSharesPossibleValuesWithBL
adminDisplayName: ms-DS-Claim-Shares-Possible-Values-With-BL
adminDescription: For a claim type object, this attribute indicates that the possible values described in ms-DS-Claim-Possible-Values are being referenced by other claim type objects.
attributeId: 1.2.840.113556.1.4.2102
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 2yLVVJXs9UibvRiA67shgA==
linkID: 2179
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Is-Used-As-Resource-Security-Attribute,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IsUsedAsResourceSecurityAttribute
adminDisplayName: ms-DS-Is-Used-As-Resource-Security-Attribute
adminDescription: For a resource property, this attribute indicates whether it is being used as a secure attribute.
attributeId: 1.2.840.113556.1.4.2095
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: nfjJUTBHjUaitR1JMhLRfg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-KMS-Ids,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-KMSIds
adminDisplayName: ms-SPP-KMS-Ids
adminDescription: KMS IDs enabled by the Activation Object
attributeId: 1.2.840.113556.1.4.2082
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
rangeLower: 16
rangeUpper: 16
schemaIdGuid:: 2j5mm0I11kad8DFAJa8rrA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-CSVLK-Pid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-CSVLKPid
adminDisplayName: ms-SPP-CSVLK-Pid
adminDescription: ID of CSVLK product-key used to create the Activation Object
attributeId: 1.2.840.113556.1.4.2105
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 512
schemaIdGuid:: DVF/tFBr4Ue1VncseeT/xA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-CSVLK-Sku-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-CSVLKSkuId
adminDisplayName: ms-SPP-CSVLK-Sku-Id
adminDescription: SKU ID of CSVLK product-key used to create the Activation Object
attributeId: 1.2.840.113556.1.4.2081
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 16
rangeUpper: 16
schemaIdGuid:: OfeElnh7bUeNdDGtdpLu9A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-Phone-License,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-PhoneLicense
adminDisplayName: ms-SPP-Phone-License
adminDescription: License used during phone activation of the Active Directory forest
attributeId: 1.2.840.113556.1.4.2086
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 5242880
schemaIdGuid:: EtnkZ2LzUkCMeUL0W6eyIQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-Config-License,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-ConfigLicense
adminDisplayName: ms-SPP-Config-License
adminDescription: Product-key configuration license used during online/phone activation of the Active Directory forest
attributeId: 1.2.840.113556.1.4.2087
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 5242880
schemaIdGuid:: tcRTA5nRsECzxd6zL9nsBg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-Online-License,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-OnlineLicense
adminDisplayName: ms-SPP-Online-License
adminDescription: License used during online activation of the Active Directory forest
attributeId: 1.2.840.113556.1.4.2085
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 5242880
schemaIdGuid:: jjaPCRJIzUivt6E2uWgH7Q==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-Confirmation-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-ConfirmationId
adminDisplayName: ms-SPP-Confirmation-Id
adminDescription: Confirmation ID (CID) used for phone activation of the Active Directory forest
attributeId: 1.2.840.113556.1.4.2084
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 512
schemaIdGuid:: xJeHbtqsSUqHQLC9Bam4MQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-Installation-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-InstallationId
adminDisplayName: ms-SPP-Installation-Id
adminDescription: Installation ID (IID) used for phone activation of the Active Directory forest
attributeId: 1.2.840.113556.1.4.2083
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 512
schemaIdGuid:: FLG/aXtAOUeiE8ZjgCs+Nw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-Issuance-License,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-IssuanceLicense
adminDisplayName: ms-SPP-Issuance-License
adminDescription: Issuance license used during online/phone activation of the Active Directory forest
attributeId: 1.2.840.113556.1.4.2088
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 5242880
schemaIdGuid:: obN1EK+70kmujcTyXIIzAw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-SPP-CSVLK-Partial-Product-Key,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSPP-CSVLKPartialProductKey
adminDisplayName: ms-SPP-CSVLK-Partial-Product-Key
adminDescription: Last 5 characters of CSVLK product-key used to create the Activation Object
attributeId: 1.2.840.113556.1.4.2106
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 5
rangeUpper: 5
schemaIdGuid:: kbABplKGOkWzhoetI5t8CA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TPM-Srk-Pub-Thumbprint,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTPM-SrkPubThumbprint
adminDisplayName: TPM-SrkPubThumbprint
adminDescription: This attribute contains the thumbprint of the SrkPub corresponding to a particular TPM. This helps to index the TPM devices in the directory.
attributeId: 1.2.840.113556.1.4.2107
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 11
rangeUpper: 20
schemaIdGuid:: 6wbXGXZNokSF1hw0K+O+Nw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TPM-Owner-Information-Temp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformationTemp
adminDisplayName: TPM-OwnerInformationTemp
adminDescription: This attribute contains temporary owner information for a particular TPM.
attributeId: 1.2.840.113556.1.4.2108
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
rangeUpper: 128
schemaIdGuid:: nYCUyBO1+E+IEfT0P1rHvA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TPM-Tpm-Information-For-Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTPM-TpmInformationForComputer
adminDisplayName: TPM-TpmInformationForComputer
adminDescription: This attribute links a Computer object to a TPM object.
attributeId: 1.2.840.113556.1.4.2109
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 16
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: k3sb6khe1Ua8bE30/aeKNQ==
linkID: 2182
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TPM-Tpm-Information-For-Computer-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTPM-TpmInformationForComputerBL
adminDisplayName: TPM-TpmInformationForComputerBL
adminDescription: This attribute links a TPM object to the Computer objects associated with it.
attributeId: 1.2.840.113556.1.4.2110
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: yYT6FM2OSEO8kW087Ucqtw==
linkID: 2183
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Claim-Types,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ClaimTypes
adminDisplayName: ms-DS-Claim-Types
adminDescription: A container of this class can contain claim type objects.
governsId: 1.2.840.113556.1.5.270
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: NTIJNhXHIUirarVvsoBaWA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Claim-Types,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Resource-Property-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ResourcePropertyList
adminDisplayName: ms-DS-Resource-Property-List
adminDescription: An object of this class contains a list of resource properties.
governsId: 1.2.840.113556.1.5.274
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.2103
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: etTjckKzRU2PVrr/gDyr+Q==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Resource-Property-List,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Resource-Properties,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ResourceProperties
adminDisplayName: ms-DS-Resource-Properties
adminDescription: A container of this class can contain resource properties.
governsId: 1.2.840.113556.1.5.271
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: hEVKelCzj0es1rS4UtgswA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Resource-Properties,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Claim-Type-Property-Base,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ClaimTypePropertyBase
adminDisplayName: ms-DS-Claim-Type-Property-Base
adminDescription: An abstract class that defines the base class for claim type or resource property classes.
governsId: 1.2.840.113556.1.5.269
objectClassCategory: 2
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.2101
systemMayContain: 1.2.840.113556.1.2.557
systemMayContain: 1.2.840.113556.1.4.2097
schemaIdGuid:: WC9EuJDEh0SKndgLiDJxrQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Claim-Type-Property-Base,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Resource-Property,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ResourceProperty
adminDisplayName: ms-DS-Resource-Property
adminDescription: An instance of this class holds the definition of a property on resources.
governsId: 1.2.840.113556.1.5.273
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.269
systemMayContain: 1.2.840.113556.1.4.2095
systemPossSuperiors: 1.2.840.113556.1.5.271
schemaIdGuid:: Xj0oWwSElUGTOYRQGIxQGg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Resource-Property,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Claim-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ClaimType
adminDisplayName: ms-DS-Claim-Type
adminDescription: An instance of this class holds the definition of a claim type that can be defined on security principals.
governsId: 1.2.840.113556.1.5.272
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.269
systemMayContain: 1.2.840.113556.1.4.2100
systemMayContain: 1.2.840.113556.1.4.2099
systemPossSuperiors: 1.2.840.113556.1.5.270
schemaIdGuid:: fIWjgWlUj02q5sJ2mXYmBA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Claim-Type,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-SPP-Activation-Objects-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msSPP-ActivationObjectsContainer
adminDisplayName: ms-SPP-Activation-Objects-Container
adminDescription: Container for Activation Objects used by Active Directory based activation
governsId: 1.2.840.113556.1.5.266
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: K4YvtyW7XU2qUWLFm9+Qrg==
defaultSecurityDescriptor: O:BAG:BAD: (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: FALSE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-SPP-Activation-Objects-Container,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-SPP-Activation-Object,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msSPP-ActivationObject
adminDisplayName: ms-SPP-Activation-Object
adminDescription: Activation Object used in Active Directory based activation
governsId: 1.2.840.113556.1.5.267
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.2082
systemMustContain: 1.2.840.113556.1.4.2081
systemMustContain: 1.2.840.113556.1.4.2106
systemMustContain: 1.2.840.113556.1.4.2105
systemMayContain: 1.2.840.113556.1.4.2088
systemMayContain: 1.2.840.113556.1.4.2087
systemMayContain: 1.2.840.113556.1.4.2086
systemMayContain: 1.2.840.113556.1.4.2085
systemMayContain: 1.2.840.113556.1.4.2084
systemMayContain: 1.2.840.113556.1.4.2083
systemPossSuperiors: 1.2.840.113556.1.5.266
schemaIdGuid:: jOagUcUNykOTXcHJEb8u5Q==
defaultSecurityDescriptor: O:BAG:BAD: (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: FALSE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-SPP-Activation-Object,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-TPM-Information-Objects-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msTPM-InformationObjectsContainer
adminDisplayName: TPM-InformationObjectsContainer
adminDescription: Container for TPM objects.
governsId: 1.2.840.113556.1.5.276
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 1.2.840.113556.1.5.66
schemaIdGuid:: vagn4FZk3kWQozhZOHfudA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;LOLCCCRP;;;DC)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-TPM-Information-Objects-Container,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msTPM-InformationObject
adminDisplayName: TPM-InformationObject
adminDescription: This class contains recovery information for a Trusted Platform Module (TPM) device.
governsId: 1.2.840.113556.1.5.275
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1966
systemMayContain: 1.2.840.113556.1.4.2108
systemMayContain: 1.2.840.113556.1.4.2107
systemPossSuperiors: 1.2.840.113556.1.5.276
schemaIdGuid:: alsEhaZHQ0KnzGiQcB9mLA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLO;;;DC)(A;;WP;;;CO)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2102
systemMayContain: 1.2.840.113556.1.4.2104
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2109
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 48
-
Sch49.ldf
dn: CN=ms-DNS-Is-Signed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-IsSigned
adminDisplayName: ms-DNS-Is-Signed
adminDescription: An attribute used to define whether or not the DNS zone is signed.
attributeId: 1.2.840.113556.1.4.2130
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: TIUSqvzYXk2RyjaLjYKb7g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-NSEC3-OptOut,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-NSEC3OptOut
adminDisplayName: ms-DNS-NSEC3-OptOut
adminDescription: An attribute used to define whether or not the DNS zone should be signed using NSEC opt-out.
attributeId: 1.2.840.113556.1.4.2132
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: iCDqe+KMPEKxkWbsUGsVlQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-Signing-Keys,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-SigningKeys
adminDisplayName: ms-DNS-Signing-Keys
adminDescription: An attribute that contains the set of encrypted DNSSEC signing keys used by the DNS server to sign the DNS zone.
attributeId: 1.2.840.113556.1.4.2144
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
rangeUpper: 10000
schemaIdGuid:: bT5nt9nKnk6zGmPoCY/dYw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-Sign-With-NSEC3,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-SignWithNSEC3
adminDisplayName: ms-DNS-Sign-With-NSEC3
adminDescription: An attribute used to define whether or not the DNS zone is signed with NSEC3.
attributeId: 1.2.840.113556.1.4.2131
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: mSGfx6Ft/0aSPB8/gAxyHg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-NSEC3-User-Salt,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-NSEC3UserSalt
adminDisplayName: ms-DNS-NSEC3-User-Salt
adminDescription: An attribute that defines a user-specified NSEC3 salt string to use when signing the DNS zone. If empty, random salt will be used.
attributeId: 1.2.840.113556.1.4.2148
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
rangeLower: 0
rangeUpper: 510
schemaIdGuid:: cGfxryKWvE+hKDCId3YFuQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-DNSKEY-Records,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-DNSKEYRecords
adminDisplayName: ms-DNS-DNSKEY-Records
adminDescription: An attribute that contains the DNSKEY record set for the root of the DNS zone and the root key signing key signature records.
attributeId: 1.2.840.113556.1.4.2145
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
rangeUpper: 10000
schemaIdGuid:: 9VjEKC1gyUqnfLPxvlA6fg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-DS-Record-Set-TTL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-DSRecordSetTTL
adminDisplayName: ms-DNS-DS-Record-Set-TTL
adminDescription: An attribute that defines the time-to-live (TTL) value assigned to DS records when signing the DNS zone.
attributeId: 1.2.840.113556.1.4.2140
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
rangeLower: 0
rangeUpper: 2592000
schemaIdGuid:: fJuGKcRk/kKX1fvC+hJBYA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-Keymaster-Zones,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-KeymasterZones
adminDisplayName: ms-DNS-Keymaster-Zones
adminDescription: A list of Active Directory-integrated zones for which the DNS server is the keymaster.
attributeId: 1.2.840.113556.1.4.2128
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: O93gCxoEjEGs6S8X0j6dQg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-NSEC3-Iterations,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-NSEC3Iterations
adminDisplayName: ms-DNS-NSEC3-Iterations
adminDescription: An attribute that defines how many NSEC3 hash iterations to perform when signing the DNS zone.
attributeId: 1.2.840.113556.1.4.2138
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
rangeLower: 0
rangeUpper: 10000
schemaIdGuid:: qwq3gFmJwE6OkxJudt86yg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-Propagation-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-PropagationTime
adminDisplayName: ms-DNS-Propagation-Time
adminDescription: An attribute used to define in seconds the expected time required to propagate zone changes through Active Directory.
attributeId: 1.2.840.113556.1.4.2147
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: Rw00uoEhoEyi9vrkR52rKg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-NSEC3-Current-Salt,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-NSEC3CurrentSalt
adminDisplayName: ms-DNS-NSEC3-Current-Salt
adminDescription: An attribute that defines the current NSEC3 salt string being used to sign the DNS zone.
attributeId: 1.2.840.113556.1.4.2149
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
rangeLower: 0
rangeUpper: 510
schemaIdGuid:: MpR9ONGmdESCzQqJquCErg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-RFC5011-Key-Rollovers,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-RFC5011KeyRollovers
adminDisplayName: ms-DNS-RFC5011-Key-Rollovers
adminDescription: An attribute that defines whether or not the DNS zone should be maintained using key rollover procedures defined in RFC 5011.
attributeId: 1.2.840.113556.1.4.2135
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: QDzZJ1oGwEO92M3yx9Egqg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-NSEC3-Hash-Algorithm,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-NSEC3HashAlgorithm
adminDisplayName: ms-DNS-NSEC3-Hash-Algorithm
adminDescription: An attribute that defines the NSEC3 hash algorithm to use when signing the DNS zone.
attributeId: 1.2.840.113556.1.4.2136
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: UlWe/7d9OEGIiAXOMgoDIw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-DS-Record-Algorithms,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-DSRecordAlgorithms
adminDisplayName: ms-DNS-DS-Record-Algorithms
adminDescription: An attribute used to define the algorithms used when writing the dsset file during zone signing.
attributeId: 1.2.840.113556.1.4.2134
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: 0npbXPogu0S+szS5wPZVeQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-DNSKEY-Record-Set-TTL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-DNSKEYRecordSetTTL
adminDisplayName: ms-DNS-DNSKEY-Record-Set-TTL
adminDescription: An attribute that defines the time-to-live (TTL) value assigned to DNSKEY records when signing the DNS zone.
attributeId: 1.2.840.113556.1.4.2139
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
rangeLower: 0
rangeUpper: 2592000
schemaIdGuid:: fzFOj9coLESm3x9JH5ezJg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-Maintain-Trust-Anchor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-MaintainTrustAnchor
adminDisplayName: ms-DNS-Maintain-Trust-Anchor
adminDescription: An attribute used to define the type of trust anchor to automatically publish in the forest-wide trust anchor store when the DNS zone is signed.
attributeId: 1.2.840.113556.1.4.2133
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: wWPADdlSVkSeFZwkNKr9lA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-NSEC3-Random-Salt-Length,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-NSEC3RandomSaltLength
adminDisplayName: ms-DNS-NSEC3-Random-Salt-Length
adminDescription: An attribute that defines the length in bytes of the random salt used when signing the DNS zone.
attributeId: 1.2.840.113556.1.4.2137
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
rangeLower: 0
rangeUpper: 255
schemaIdGuid:: ZRY2E2yR502lnbHrvQ3hKQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-Signing-Key-Descriptors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-SigningKeyDescriptors
adminDisplayName: ms-DNS-Signing-Key-Descriptors
adminDescription: An attribute that contains the set of DNSSEC Signing Key Descriptors (SKDs) used by the DNS server to generate keys and sign the DNS zone.
attributeId: 1.2.840.113556.1.4.2143
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
rangeUpper: 10000
schemaIdGuid:: zdhDNLblO0+wmGWaAhSgeQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-Signature-Inception-Offset,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-SignatureInceptionOffset
adminDisplayName: ms-DNS-Signature-Inception-Offset
adminDescription: An attribute that defines in seconds how far in the past DNSSEC signature validity periods should begin when signing the DNS zone.
attributeId: 1.2.840.113556.1.4.2141
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
rangeLower: 0
rangeUpper: 2592000
schemaIdGuid:: LsPUAxfiYUqWmXu8RymgJg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-Parent-Has-Secure-Delegation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-ParentHasSecureDelegation
adminDisplayName: ms-DNS-Parent-Has-Secure-Delegation
adminDescription: An attribute used to define whether the parental delegation to the DNS zone is secure.
attributeId: 1.2.840.113556.1.4.2146
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: ZGlcKBrBnkmW2L98daIjxg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DNS-Secure-Delegation-Polling-Period,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDNS-SecureDelegationPollingPeriod
adminDisplayName: ms-DNS-Secure-Delegation-Polling-Period
adminDescription: An attribute that defines in seconds the time between polling attempts for child zone key rollovers.
attributeId: 1.2.840.113556.1.4.2142
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 8
rangeLower: 0
rangeUpper: 2592000
schemaIdGuid:: vvCw9uSoaESP2cPEe4ci+Q==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Authz-Member-Rules-In-Central-Access-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msAuthz-MemberRulesInCentralAccessPolicy
adminDisplayName: ms-Authz-Member-Rules-In-Central-Access-Policy
adminDescription: For a central access policy, this attribute identifies the central access rules that comprise the policy.
attributeId: 1.2.840.113556.1.4.2155
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: ei/yV343w0KYcs7G8h0uPg==
linkID: 2184
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Authz-Member-Rules-In-Central-Access-Policy-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msAuthz-MemberRulesInCentralAccessPolicyBL
adminDisplayName: ms-Authz-Member-Rules-In-Central-Access-Policy-BL
adminDescription: Backlink for ms-Authz-Member-Rules-In-Central-Access-Policy. For a central access rule object, this attribute references one or more central access policies that point to it.
attributeId: 1.2.840.113556.1.4.2156
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: z2duUd3+lES7OrxQapSIkQ==
linkID: 2185
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Claim-Source,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimSource
adminDisplayName: ms-DS-Claim-Source
adminDescription: For a claim type, this attribute indicates the source of the claim type. For example, the source can be certificate.
attributeId: 1.2.840.113556.1.4.2157
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: pvIy+ovy0Ee/kWY+j5EKcg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Authz-Proposed-Security-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msAuthz-ProposedSecurityPolicy
adminDisplayName: ms-Authz-Proposed-Security-Policy
adminDescription: For a Central Access Policy Entry, defines the proposed security policy of the objects the CAPE is applied to.
attributeId: 1.2.840.113556.1.4.2151
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: zr5GubUJakuyWktjozDoDg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Claim-Source-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimSourceType
adminDisplayName: ms-DS-Claim-Source-Type
adminDescription: For a security principal claim type, lists the type of store the issued claim is sourced from
attributeId: 1.2.840.113556.1.4.2158
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BZzxkvqNIkK70SxPAUh3VA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Authz-Effective-Security-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msAuthz-EffectiveSecurityPolicy
adminDisplayName: ms-Authz-Security-Policy
adminDescription: For a central access rule, this attribute defines the permission that is applying to the target resources on the central access rule.
attributeId: 1.2.840.113556.1.4.2150
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: GRmDB5SPtk+KQpFUXcza0w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Claim-Is-Single-Valued,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimIsSingleValued
adminDisplayName: ms-DS-Claim-Is-Single-Valued
adminDescription: For a claim type object, this attribute identifies if the claim type or resource property can only contain single value.
attributeId: 1.2.840.113556.1.4.2160
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: uZ94zbSWSEaCGco3gWGvOA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Authz-Last-Effective-Security-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msAuthz-LastEffectiveSecurityPolicy
adminDisplayName: ms-Authz-Last-Effective-Security-Policy
adminDescription: For a Central Access Policy Entry, defines the security policy that was last applied to the objects the CAPE is applied to.
attributeId: 1.2.840.113556.1.4.2152
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: xoUWji8+okiljVrw6nifoA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Authz-Resource-Condition,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msAuthz-ResourceCondition
adminDisplayName: ms-Authz-Resource-Condition
adminDescription: For a central access rule, this attribute is an expression that identifies the scope of the target resource to which the policy applies.
attributeId: 1.2.840.113556.1.4.2153
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: d3iZgHT4aEyGTW5QioO9vQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Claim-Is-Value-Space-Restricted,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ClaimIsValueSpaceRestricted
adminDisplayName: ms-DS-Claim-Is-Value-Space-Restricted
adminDescription: For a claim type, this attribute identifies whether a user can input values other than those described in the msDS-ClaimPossibleValues in applications.
attributeId: 1.2.840.113556.1.4.2159
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: x+QsDMPxgkSFeMYNS7dEIg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Authz-Central-Access-Policy-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msAuthz-CentralAccessPolicyID
adminDisplayName: ms-Authz-Central-Access-Policy-ID
adminDescription: For a Central Access Policy, this attribute defines a GUID that can be used to identify the set of policies when applied to a resource.
attributeId: 1.2.840.113556.1.4.2154
attributeSyntax: 2.5.5.17
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: YJvyYnS+MEaUVi9mkZk6hg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Generation-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-GenerationId
adminDisplayName: ms-DS-Generation-Id
adminDescription: For virtual machine snapshot resuming detection. This attribute represents the VM Generation ID.
attributeId: 1.2.840.113556.1.4.2166
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
rangeLower: 16
rangeUpper: 16
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: PTldHreMT0uECpc7NswJww==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Claim-Shares-Possible-Values-With,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDescription
adminDescription: For a claim type object, indicates that the possible values of the claims issued are defined on the object this linked attribute points to; overrides msDS-ClaimPossibleValues, msDS-ClaimValueType, and msDS-ClaimIsValueSpaceRestricted, if populated.
-
replace: isSingleValued
isSingleValued: TRUE
-
dn: CN=ms-DNS-Server-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDNS-ServerSettings
adminDisplayName: ms-DNS-Server-Settings
adminDescription: A container for storing DNS server settings.
governsId: 1.2.840.113556.1.4.2129
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.2128
systemPossSuperiors: 1.2.840.113556.1.5.17
schemaIdGuid:: 7cMv7xhuW0GZ5DEUqMsSSw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DNS-Server-Settings,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-Authz-Central-Access-Policies,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msAuthz-CentralAccessPolicies
adminDisplayName: ms-Authz-Central-Access-Policies
adminDescription: A container of this class can contain Central Access Policy objects.
governsId: 1.2.840.113556.1.4.2161
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: wyFcVTahWkWTl3lrvTWOJQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-Authz-Central-Access-Policies,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-Authz-Central-Access-Rules,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msAuthz-CentralAccessRules
adminDisplayName: ms-Authz-Central-Access-Rules
adminDescription: A container of this class can contain Central Access Policy Entry objects.
governsId: 1.2.840.113556.1.4.2162
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: ehu7mW1gi0+ADuFb5VTKjQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-Authz-Central-Access-Rules,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-Authz-Central-Access-Rule,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msAuthz-CentralAccessRule
adminDisplayName: ms-Authz-Central-Access-Rule
adminDescription: A class that defines Central Access Rules used to construct a central access policy.
governsId: 1.2.840.113556.1.4.2163
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.2153
systemMayContain: 1.2.840.113556.1.4.2152
systemMayContain: 1.2.840.113556.1.4.2151
systemMayContain: 1.2.840.113556.1.4.2150
systemMayContain: 1.2.840.113556.1.2.557
systemPossSuperiors: 1.2.840.113556.1.4.2162
schemaIdGuid:: 3AZKWxwl206IEwvdcTJyJg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-Authz-Central-Access-Rule,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-Authz-Central-Access-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msAuthz-CentralAccessPolicy
adminDisplayName: ms-Authz-Central-Access-Policy
adminDescription: A class that defines Central Access Policy objects.
governsId: 1.2.840.113556.1.4.2164
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.2155
systemMayContain: 1.2.840.113556.1.4.2154
systemPossSuperiors: 1.2.840.113556.1.4.2161
schemaIdGuid:: sJxnpZ1vLEOLdR4+g08Cqg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-Authz-Central-Access-Policy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Claim-Types,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=ms-DS-Resource-Properties,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=ms-DS-List-Of-Claim-Types,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=ms-DS-Claim-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2157
systemMayContain: 1.2.840.113556.1.4.2158
systemMayContain: 1.2.840.113556.1.4.2098
systemMayContain: 1.2.840.113556.1.4.2159
systemMayContain: 1.2.840.113556.1.4.2160
-
dn: CN=Dns-Zone,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2130
systemMayContain: 1.2.840.113556.1.4.2131
systemMayContain: 1.2.840.113556.1.4.2132
systemMayContain: 1.2.840.113556.1.4.2133
systemMayContain: 1.2.840.113556.1.4.2134
systemMayContain: 1.2.840.113556.1.4.2135
systemMayContain: 1.2.840.113556.1.4.2136
systemMayContain: 1.2.840.113556.1.4.2137
systemMayContain: 1.2.840.113556.1.4.2138
systemMayContain: 1.2.840.113556.1.4.2139
systemMayContain: 1.2.840.113556.1.4.2140
systemMayContain: 1.2.840.113556.1.4.2141
systemMayContain: 1.2.840.113556.1.4.2142
systemMayContain: 1.2.840.113556.1.4.2143
systemMayContain: 1.2.840.113556.1.4.2144
systemMayContain: 1.2.840.113556.1.4.2145
systemMayContain: 1.2.840.113556.1.4.2146
systemMayContain: 1.2.840.113556.1.4.2147
systemMayContain: 1.2.840.113556.1.4.2148
systemMayContain: 1.2.840.113556.1.4.2149
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2166
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=DS-Clone-Domain-Controller,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Allow a DC to create a clone of itself
rightsGuid: 3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
validAccesses: 256
localizationDisplayId: 80
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 49
-
Sch50.ldf
dn: CN=ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
adminDisplayName: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
adminDescription: This attribute is used for access checks to determine if a requester has permission to act on the behalf of other identities to services running as this account.
attributeId: 1.2.840.113556.1.4.2182
attributeSyntax: 2.5.5.15
omSyntax: 66
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 132096
schemaIdGuid:: 5cN4P5r3vUaguJ0YEW3ceQ==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Kds-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-Version
adminDisplayName: ms-Kds-Version
adminDescription: Version number of this root key.
attributeId: 1.2.840.113556.1.4.2176
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
schemaIdGuid:: QHPw1bDmSh6Xvg0zGL2dsQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Kds-DomainID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-DomainID
adminDisplayName: ms-Kds-DomainID
adminDescription: Distinguished name of the Domain Controller which generated this root key.
attributeId: 1.2.840.113556.1.4.2177
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: ggRAlgfPTOmQ6PLvxPBJXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Kds-KDF-Param,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-KDFParam
adminDisplayName: ms-Kds-KDF-Param
adminDescription: Parameters for the key derivation algorithm.
attributeId: 1.2.840.113556.1.4.2170
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
rangeUpper: 2000
schemaIdGuid:: cgeAirj0TxW0HC5Cce/3pw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Kds-CreateTime,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-CreateTime
adminDisplayName: ms-Kds-CreateTime
adminDescription: The time when this root key was created.
attributeId: 1.2.840.113556.1.4.2179
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
schemaIdGuid:: nxEYrpBjRQCzLZfbxwGu9w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Kds-RootKeyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-RootKeyData
adminDisplayName: ms-Kds-RootKeyData
adminDescription: Root key.
attributeId: 1.2.840.113556.1.4.2175
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
rangeUpper: 128
schemaIdGuid:: J3xiJqIIQAqhsY3OhbQpkw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Primary-Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PrimaryComputer
adminDisplayName: ms-DS-Primary-Computer
adminDescription: For a user or group object, identifies the primary computers.
attributeId: 1.2.840.113556.1.4.2167
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 4vQ9obDb60yCi4suFD6egQ==
linkID: 2186
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
systemFlags: 16
dn: CN=ms-Kds-UseStartTime,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-UseStartTime
adminDisplayName: ms-Kds-UseStartTime
adminDescription: The time after which this root key may be used.
attributeId: 1.2.840.113556.1.4.2178
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
schemaIdGuid:: fwTcbCL1SreanNlayM39og==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Imaging-Hash-Algorithm,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msImaging-HashAlgorithm
adminDisplayName: ms-Imaging-Hash-Algorithm
adminDescription: Contains the name of the hash algorithm used to create the Thumbprint Hash for the Scan Repository/Secure Print Device.
attributeId: 1.2.840.113556.1.4.2181
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: tQ3nigZklkGS/vO7VXUgpw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Kds-KDF-AlgorithmID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-KDFAlgorithmID
adminDisplayName: ms-Kds-KDF-AlgorithmID
adminDescription: The algorithm name of the key derivation function used to compute keys.
attributeId: 1.2.840.113556.1.4.2169
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
rangeUpper: 200
schemaIdGuid:: skgs203RTuyfWK1XnYtEDg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Imaging-Thumbprint-Hash,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msImaging-ThumbprintHash
adminDisplayName: ms-Imaging-Thumbprint-Hash
adminDescription: Contains a hash of the security certificate for the Scan Repository/Secure Print Device.
attributeId: 1.2.840.113556.1.4.2180
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1024
schemaIdGuid:: xdvfnAQDaUWV9sT2Y/5a5g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Kds-PublicKey-Length,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-PublicKeyLength
adminDisplayName: ms-Kds-PublicKey-Length
adminDescription: The length of the secret agreement public key.
attributeId: 1.2.840.113556.1.4.2173
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
schemaIdGuid:: cPQ44805SUWrW/afnlg/4A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Kds-PrivateKey-Length,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-PrivateKeyLength
adminDisplayName: ms-Kds-PrivateKey-Length
adminDescription: The length of the secret agreement private key.
attributeId: 1.2.840.113556.1.4.2174
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
schemaIdGuid:: oUJfYec3SBGg3TAH4Jz8gQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Is-Primary-Computer-For,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IsPrimaryComputerFor
adminDisplayName: ms-DS-Is-Primary-Computer-For
adminDescription: Backlink attribute for msDS-PrimaryComputer.
attributeId: 1.2.840.113556.1.4.2168
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: rAaMmYc/TkSl3xGwPcilDA==
linkID: 2187
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-Kds-SecretAgreement-Param,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-SecretAgreementParam
adminDisplayName: ms-Kds-SecretAgreement-Param
adminDescription: The parameters for the secret agreement algorithm.
attributeId: 1.2.840.113556.1.4.2172
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
rangeUpper: 2000
schemaIdGuid:: MLCZ2e3+dUm4B+ukRNp56Q==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Kds-SecretAgreement-AlgorithmID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msKds-SecretAgreementAlgorithmID
adminDisplayName: ms-Kds-SecretAgreement-AlgorithmID
adminDescription: The name of the secret agreement algorithm to be used with public keys.
attributeId: 1.2.840.113556.1.4.2171
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 640
rangeUpper: 200
schemaIdGuid:: XZcCF14iSsuxXQ2uqLXpkA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Value-Type-Reference,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ValueTypeReference
adminDisplayName: ms-DS-Value-Type-Reference
adminDescription: This attribute is used to link a resource property object to its value type.
attributeId: 1.2.840.113556.1.4.2187
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: hF38eNzBSDGJhFj3ktQdPg==
linkID: 2188
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ValueTypeReferenceBL
adminDisplayName: ms-DS-Value-Type-Reference-BL
adminDescription: This is the back link for ms-DS-Value-Type-Reference. It links a value type object back to resource properties.
attributeId: 1.2.840.113556.1.4.2188
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: rUNVq6EjRTu5N5sxPVR0qA==
linkID: 2189
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Is-Possible-Values-Present,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IsPossibleValuesPresent
adminDisplayName: ms-DS-Is-Possible-Values-Present
adminDescription: This attribute identifies whether ms-DS-Claim-Possible-Values on the linked resource property must have a value or must not have a value.
attributeId: 1.2.840.113556.1.4.2186
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: 2tyrb1OMTyCxpJ3wxnwetA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-Kds-Prov-RootKey,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msKds-ProvRootKey
adminDisplayName: ms-Kds-Prov-RootKey
adminDescription: Root keys for the Group Key Distribution Service.
governsId: 1.2.840.113556.1.5.278
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.2179
systemMustContain: 1.2.840.113556.1.4.2175
systemMustContain: 1.2.840.113556.1.4.2174
systemMustContain: 1.2.840.113556.1.4.2173
systemMustContain: 1.2.840.113556.1.4.2171
systemMustContain: 1.2.840.113556.1.4.2169
systemMustContain: 1.2.840.113556.1.4.2178
systemMustContain: 1.2.840.113556.1.4.2177
systemMustContain: 1.2.840.113556.1.4.2176
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.4.2172
systemMayContain: 1.2.840.113556.1.4.2170
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: Qf0CquAXGE+Gh7Ijlklzaw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-Kds-Prov-RootKey,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-Kds-Prov-ServerConfiguration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msKds-ProvServerConfiguration
adminDisplayName: ms-Kds-Prov-ServerConfiguration
adminDescription: Configuration for the Group Key Distribution Service.
governsId: 1.2.840.113556.1.5.277
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.2176
systemMayContain: 1.2.840.113556.1.4.2174
systemMayContain: 1.2.840.113556.1.4.2173
systemMayContain: 1.2.840.113556.1.4.2172
systemMayContain: 1.2.840.113556.1.4.2171
systemMayContain: 1.2.840.113556.1.4.2170
systemMayContain: 1.2.840.113556.1.4.2169
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: qEPyXiUqpkWLcwinGuZ3zg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-Kds-Prov-ServerConfiguration,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2168
systemMayContain: 1.2.840.113556.1.4.2188
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2167
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2167
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2180
systemMayContain: 1.2.840.113556.1.4.2181
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2182
-
dn: CN=ms-DS-Resource-Property,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMustContain
systemMustContain: 1.2.840.113556.1.4.2187
-
dn: CN=ms-DS-Value-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ValueType
adminDisplayName: ms-DS-Value-Type
adminDescription: A value type object holds value type information for a resource property.
governsId: 1.2.840.113556.1.5.279
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.2186
systemMustContain: 1.2.840.113556.1.4.2160
systemMustContain: 1.2.840.113556.1.4.2159
systemMustContain: 1.2.840.113556.1.4.2098
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 33/C4x2wTk+H5wVu7w65Ig==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Value-Type,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Validated-MS-DS-Behavior-Version,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
rightsGuid: d31a8757-2447-4545-8081-3bb610cacbf2
appliesTo: f0f8ffab-1191-11d0-a060-00aa006c33ed
displayName: Validated write to MS DS behavior version
localizationDisplayId: 81
validAccesses: 8
showInAdvancedViewOnly: TRUE
dn: CN=Validated-MS-DS-Additional-DNS-Host-Name,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
rightsGuid: 80863791-dbe9-4eb8-837e-7f0ab55d9ac7
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
displayName: Validated write to MS DS Additional DNS Host Name
localizationDisplayId: 82
validAccesses: 8
showInAdvancedViewOnly: TRUE
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 50
-
Sch51.ldf
dn: CN=ms-DS-Transformation-Rules,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TransformationRules
adminDisplayName: ms-DS-Transformation-Rules
adminDescription: Specifies the Transformation Rules for Across-Forest Claims Transformation.
attributeId: 1.2.840.113556.1.4.2189
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: cSuHVbLESDuuUUCV+R7GAA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Applies-To-Resource-Types,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AppliesToResourceTypes
adminDisplayName: ms-DS-Applies-To-Resource-Types
adminDescription: For a resource property, this attribute indicates what resource types this resource property applies to.
attributeId: 1.2.840.113556.1.4.2195
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BiA/aWRXSj2EOVjwSqtLWQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Transformation-Rules-Compiled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TransformationRulesCompiled
adminDisplayName: ms-DS-Transformation-Rules-Compiled
adminDescription: Blob containing compiled transformation rules.
attributeId: 1.2.840.113556.1.4.2190
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 128
schemaIdGuid:: EJq0C2tTTbyicwurDdS9EA==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Egress-Claims-Transformation-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-EgressClaimsTransformationPolicy
adminDisplayName: ms-DS-Egress-Claims-Transformation-Policy
adminDescription: This is a link to a Claims Transformation Policy Object for the egress claims (claims leaving this forest) to the Trusted Domain. This is applicable only for an incoming or bidirectional Across-Forest Trust. When this link is not present, all claims are allowed to egress as-is.
attributeId: 1.2.840.113556.1.4.2192
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: fkI3wXOaQLCRkBsJW7QyiA==
linkID: 2192
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Ingress-Claims-Transformation-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IngressClaimsTransformationPolicy
adminDisplayName: ms-DS-Ingress-Claims-Transformation-Policy
adminDescription: This is a link to a Claims Transformation Policy Object for the ingress claims (claims entering this forest) from the Trusted Domain. This is applicable only for an outgoing or bidirectional Across-Forest Trust. If this link is absent, all the ingress claims are dropped.
attributeId: 1.2.840.113556.1.4.2191
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: CEwohm4MQBWLFXUUfSPSDQ==
linkID: 2190
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-TDO-Egress-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TDOEgressBL
adminDisplayName: ms-DS-TDO-Egress-BL
adminDescription: Backlink to TDO Egress rules link on object.
attributeId: 1.2.840.113556.1.4.2194
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: KWIA1ROZQiKLF4N2HR4OWw==
linkID: 2193
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-TDO-Ingress-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TDOIngressBL
adminDisplayName: ms-DS-TDO-Ingress-BL
adminDescription: Backlink to TDO Ingress rules link on object.
attributeId: 1.2.840.113556.1.4.2193
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: oWFWWsaXS1SAVuQw/nvFVA==
linkID: 2191
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-ManagedPassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ManagedPassword
adminDisplayName: msDS-ManagedPassword
adminDescription: This attribute is the managed password data for a group MSA.
attributeId: 1.2.840.113556.1.4.2196
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hu1i4yi3QgiyfS3qep3yGA==
showInAdvancedViewOnly: TRUE
systemFlags: 20
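The msDS-ManagedPassword attribute defined above is a constructed attribute whose value is not a plain string but the MSDS-MANAGEDPASSWORD_BLOB structure documented in MS-ADTS section 2.2.19: a 16-byte header (version, reserved, total length and four offsets), the current password as a null-terminated UTF-16 string, an optional previous password, alignment padding, and two 64-bit intervals in 100-nanosecond units (time until the password should be queried again, and time for which the current password stays unchanged). The Python below is an added example, not part of Sch51.ldf or of any Microsoft tool: it builds a blob from constructed values and parses it back. Only the field layout comes from the specification; real gMSA passwords are long random UTF-16 strings, not the printable sample used here.

```python
"""Build and parse MSDS-MANAGEDPASSWORD_BLOB (value of msDS-ManagedPassword).
Added example; layout per MS-ADTS 2.2.19, the sample blob is constructed."""
import struct
from datetime import timedelta
from typing import Optional

HEADER = "<HHIHHHH"                    # Version, Reserved, Length, 4 offsets
HEADER_LEN = struct.calcsize(HEADER)   # 16 bytes


def build_blob(current: bytes, previous: Optional[bytes],
               query_100ns: int, unchanged_100ns: int) -> bytes:
    """Assemble a blob from UTF-16LE password bytes and 100-ns intervals.
    Offsets are measured from the start of the blob; PreviousPasswordOffset
    is 0 when there is no previous password."""
    cur = current + b"\x00\x00"                      # null-terminated UTF-16
    prev = previous + b"\x00\x00" if previous is not None else b""
    cur_off = HEADER_LEN
    prev_off = cur_off + len(cur) if previous is not None else 0
    body = cur + prev
    pad = (-(HEADER_LEN + len(body))) % 8            # AlignmentPadding to 8
    qpi_off = HEADER_LEN + len(body) + pad           # QueryPasswordInterval
    upi_off = qpi_off + 8                            # UnchangedPasswordInterval
    total = upi_off + 8
    return (struct.pack(HEADER, 1, 0, total, cur_off, prev_off, qpi_off, upi_off)
            + body + b"\x00" * pad
            + struct.pack("<QQ", query_100ns, unchanged_100ns))


def parse_blob(blob: bytes) -> dict:
    """Validate the header and pull out both passwords and both intervals."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = \
        struct.unpack_from(HEADER, blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")

    def wstr(off: int) -> bytes:
        # Scan in 2-byte steps so a 00 00 straddling two UTF-16 code units
        # is not mistaken for the terminator.
        end = off
        while blob[end:end + 2] not in (b"\x00\x00", b""):
            end += 2
        if blob[end:end + 2] != b"\x00\x00":
            raise ValueError("unterminated UTF-16 string in blob")
        return blob[off:end]

    query = struct.unpack_from("<Q", blob, qpi_off)[0]
    unchanged = struct.unpack_from("<Q", blob, upi_off)[0]
    return {
        "current": wstr(cur_off),                    # raw UTF-16LE bytes
        "previous": wstr(prev_off) if prev_off else None,
        "query_interval": timedelta(microseconds=query // 10),
        "unchanged_interval": timedelta(microseconds=unchanged // 10),
    }


if __name__ == "__main__":
    # Constructed sample: 30-day query interval, 10 days unchanged.
    sample = build_blob("P@ss".encode("utf-16-le"), "Old".encode("utf-16-le"),
                        30 * 24 * 3600 * 10_000_000, 10 * 24 * 3600 * 10_000_000)
    print(parse_blob(sample))
```

The "current" bytes are the secret a retrieving host derives its NTLM and Kerberos keys from, so anything that can read this attribute holds the account; the LDAP client never sees anything but this opaque blob, which is why a parser is needed when auditing what a principal listed in msDS-GroupMSAMembership actually obtains.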
dn: CN=ms-DS-ManagedPasswordId,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ManagedPasswordId
adminDisplayName: msDS-ManagedPasswordId
adminDescription: This attribute is the identifier for the current managed password data for a group MSA.
attributeId: 1.2.840.113556.1.4.2197
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
rangeUpper: 1024
schemaIdGuid:: Wil4DtPGQAq0kdYiUf+gpg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-GroupMSAMembership,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-GroupMSAMembership
adminDisplayName: msDS-GroupMSAMembership
adminDescription: This attribute is used for access checks to determine if a requester has permission to retrieve the password for a group MSA.
attributeId: 1.2.840.113556.1.4.2200
attributeSyntax: 2.5.5.15
omSyntax: 66
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 132096
schemaIdGuid:: 1u2OiATOQN+0YrilDkG6OA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-GeoCoordinates-Altitude,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-GeoCoordinatesAltitude
adminDisplayName: ms-DS-GeoCoordinates-Altitude
adminDescription: ms-DS-GeoCoordinates-Altitude
attributeId: 1.2.840.113556.1.4.2183
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
searchFlags: 1
schemaIdGuid:: twMXoUFWnE2GPl+zMl504A==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-GeoCoordinates-Latitude,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-GeoCoordinatesLatitude
adminDisplayName: ms-DS-GeoCoordinates-Latitude
adminDescription: ms-DS-GeoCoordinates-Latitude
attributeId: 1.2.840.113556.1.4.2184
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
searchFlags: 1
schemaIdGuid:: TtRm3EM99UCFxTwS4WmSfg==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-GeoCoordinates-Longitude,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-GeoCoordinatesLongitude
adminDisplayName: ms-DS-GeoCoordinates-Longitude
adminDescription: ms-DS-GeoCoordinates-Longitude
attributeId: 1.2.840.113556.1.4.2185
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
searchFlags: 1
schemaIdGuid:: ECHElOS66kyFd6+BOvXaJQ==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-ManagedPasswordInterval,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ManagedPasswordInterval
adminDisplayName: msDS-ManagedPasswordInterval
adminDescription: This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
attributeId: 1.2.840.113556.1.4.2199
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: 9451+HasQ4ii7qJrTcr0CQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-ManagedPasswordPreviousId,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ManagedPasswordPreviousId
adminDisplayName: msDS-ManagedPasswordPreviousId
adminDescription: This attribute is the identifier for the previous managed password data for a group MSA.
attributeId: 1.2.840.113556.1.4.2198
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
rangeUpper: 1024
schemaIdGuid:: MSHW0EotT9CZ2RxjZGIppA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Claims-Transformation-Policies,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ClaimsTransformationPolicies
adminDisplayName: ms-DS-Claims-Transformation-Policies
adminDescription: An object of this class holds the one set of Claims Transformation Policy for Across-Forest Claims Transformation.
governsId: 1.2.840.113556.1.5.281
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: san8yIh9T7uCekSJJ3EHYg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Claims-Transformation-Policies,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Claims-Transformation-Policy-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ClaimsTransformationPolicyType
adminDisplayName: ms-DS-Claims-Transformation-Policy-Type
adminDescription: An object of this class holds the one set of Claims Transformation Policy for Across-Forest Claims Transformation.
governsId: 1.2.840.113556.1.5.280
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.2190
systemMayContain: 1.2.840.113556.1.4.2189
systemPossSuperiors: 1.2.840.113556.1.5.281
schemaIdGuid:: s2LrLnMTRf6BATh/Fnbtxw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Claims-Transformation-Policy-Type,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2193
systemMayContain: 1.2.840.113556.1.4.2194
-
dn: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2191
systemMayContain: 1.2.840.113556.1.4.2192
-
dn: CN=ms-DS-Resource-Property,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2195
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.2183
mayContain: 1.2.840.113556.1.4.2184
mayContain: 1.2.840.113556.1.4.2185
-
dn: CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-GroupManagedServiceAccount
adminDisplayName: msDS-Group-Managed-Service-Account
adminDescription: The group managed service account class is used to create an account which can be shared by different computers to run Windows services.
governsId: 1.2.840.113556.1.5.282
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.30
systemMustContain: 1.2.840.113556.1.4.2199
systemMayContain: 1.2.840.113556.1.4.2200
systemMayContain: 1.2.840.113556.1.4.2198
systemMayContain: 1.2.840.113556.1.4.2197
systemMayContain: 1.2.840.113556.1.4.2196
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: ilWLe6WT90qtysAX5n8QVw==
defaultSecurityDescriptor: D:(OD;;CR;00299570-246d-11d0-a768-00aa006e0529;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLORCSDDT;;;CO)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)(OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)(A;;RPLCLORC;;;AU)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RP;e362ed86-b728-0842-b27d-2dea7a9df218;;WD)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 51
-
Sch52.ldf
dn: CN=ms-DS-RID-Pool-Allocation-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-RIDPoolAllocationEnabled
adminDisplayName: ms-DS-RID-Pool-Allocation-Enabled
adminDescription: This attribute indicates whether RID pool allocation is enabled or not.
attributeId: 1.2.840.113556.1.4.2213
attributeSyntax: 2.5.5.8
omSyntax: 1
instanceType: 4
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaFlagsEx: 1
schemaIdGuid:: jHyXJLfBQDO09is3XrcR1w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=RID-Set-References,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=Netboot-DUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: Netboot-DUID
ldapDisplayName: netbootDUID
adminDisplayName: Netboot-DUID
adminDescription: This attribute is used to store DHCPv6 DUID device ID.
attributeId: 1.2.840.113556.1.4.2234
attributeSyntax: 2.5.5.10
omSyntax: 4
instanceType: 4
isSingleValued: TRUE
searchFlags: 1
systemFlags: 16
isMemberOfPartialAttributeSet: TRUE
systemOnly: FALSE
rangeLower: 2
rangeUpper: 128
schemaIdGuid:: vXAlU3c9T0KCLw1jbcbarQ==
showInAdvancedViewOnly: TRUE
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=RID-Manager,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2213
-
dn: CN=domainDNS-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminContextMenu
adminContextMenu: 3,{2fb1b669-59ea-4f64-b728-05309f2c11c8}
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 13,{2fb1b669-59ea-4f64-b728-05309f2c11c8}
-
dn: CN=Certificate-AutoEnrollment,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
showInAdvancedViewOnly: TRUE
appliesTo: e5209ca2-3bba-11d2-90cc-00c04fd91ab1
displayname: AutoEnrollment
localizationDisplayId: 83
rightsGuid: a05b8cc2-17bc-4802-a710-e7c15ab866a2
validAccesses: 256
dn: CN=ms-DS-cloudExtensionAttribute1,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute1
lDAPDisplayName: msDS-cloudExtensionAttribute1
adminDisplayName: ms-DS-cloudExtensionAttribute1
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2214
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: r+oJl9pJsk2QigRG5eq4RA==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute2,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute2
lDAPDisplayName: msDS-cloudExtensionAttribute2
adminDisplayName: ms-DS-cloudExtensionAttribute2
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2215
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: rOBO88HAqUuCyRqQdS8WpQ==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute3,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute3
lDAPDisplayName: msDS-cloudExtensionAttribute3
adminDisplayName: ms-DS-cloudExtensionAttribute3
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2216
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: Gsj2gtr6DUqw93BtRoOOtQ==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute4,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute4
lDAPDisplayName: msDS-cloudExtensionAttribute4
adminDisplayName: ms-DS-cloudExtensionAttribute4
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2217
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: NzS/nG5OW0iykSKwJVQnPw==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute5,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute5
lDAPDisplayName: msDS-cloudExtensionAttribute5
adminDisplayName: ms-DS-cloudExtensionAttribute5
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2218
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: W+gVKUfjUkiquyLlplHIZA==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute6,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute6
lDAPDisplayName: msDS-cloudExtensionAttribute6
adminDisplayName: ms-DS-cloudExtensionAttribute6
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2219
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: eSZFYOEo7Eus43EoMzYUVg==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute7,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute7
lDAPDisplayName: msDS-cloudExtensionAttribute7
adminDisplayName: ms-DS-cloudExtensionAttribute7
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2220
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: GRN8Sk7jwkCdAGD/eJDyBw==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute8,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute8
lDAPDisplayName: msDS-cloudExtensionAttribute8
adminDisplayName: ms-DS-cloudExtensionAttribute8
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2221
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: FMXRPEmEykSBwAIXgYANKg==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute9,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute9
lDAPDisplayName: msDS-cloudExtensionAttribute9
adminDisplayName: ms-DS-cloudExtensionAttribute9
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2222
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: LOFjCkAwQUSuJs2Vrw0kfg==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute10,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute10
lDAPDisplayName: msDS-cloudExtensionAttribute10
adminDisplayName: ms-DS-cloudExtensionAttribute10
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2223
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: s/wKZ70T/EeQswpSftgatw==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute11,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute11
lDAPDisplayName: msDS-cloudExtensionAttribute11
adminDisplayName: ms-DS-cloudExtensionAttribute11
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2224
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: yLuenqV9pkKJJSROEqVuJA==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute12,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute12
lDAPDisplayName: msDS-cloudExtensionAttribute12
adminDisplayName: ms-DS-cloudExtensionAttribute12
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2225
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: PcQBPAvhyk+Sskz2FdWwmg==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute13,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute13
lDAPDisplayName: msDS-cloudExtensionAttribute13
adminDisplayName: ms-DS-cloudExtensionAttribute13
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2226
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: S0a+KJCreUumsN9DdDHQNg==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute14,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute14
lDAPDisplayName: msDS-cloudExtensionAttribute14
adminDisplayName: ms-DS-cloudExtensionAttribute14
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2227
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: ura8zoBuJ0mFYJj+yghqnw==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute15,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute15
lDAPDisplayName: msDS-cloudExtensionAttribute15
adminDisplayName: ms-DS-cloudExtensionAttribute15
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2228
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: N9XkqvCKqk2cxmLq24T/Aw==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute16,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute16
lDAPDisplayName: msDS-cloudExtensionAttribute16
adminDisplayName: ms-DS-cloudExtensionAttribute16
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2229
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: WyGBlZZRU0ChHm/8r8YsTQ==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute17,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute17
lDAPDisplayName: msDS-cloudExtensionAttribute17
adminDisplayName: ms-DS-cloudExtensionAttribute17
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2230
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: 2m08PehrKUKWfi/1u5O0zg==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute18,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute18
lDAPDisplayName: msDS-cloudExtensionAttribute18
adminDisplayName: ms-DS-cloudExtensionAttribute18
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2231
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: NDvniKYKaUSYQm6wGzKltQ==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute19,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute19
lDAPDisplayName: msDS-cloudExtensionAttribute19
adminDisplayName: ms-DS-cloudExtensionAttribute19
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2232
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: mf51CQeWikaOGMgA0zhzlQ==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-cloudExtensionAttribute20,CN=Schema,CN=Configuration,dc=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DS-cloudExtensionAttribute20
lDAPDisplayName: msDS-cloudExtensionAttribute20
adminDisplayName: ms-DS-cloudExtensionAttribute20
adminDescription: An attribute used to house an arbitrary cloud-relevant string
attributeID: 1.2.840.113556.1.4.2233
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
schemaIDGUID:: KGNE9W6LjUmVqCEXSNWs3A==
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Cloud-Extensions,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-CloudExtensions
adminDisplayName: ms-DS-Cloud-Extensions
adminDescription: A collection of attributes used to house arbitrary cloud-relevant strings.
governsId: 1.2.840.113556.1.5.283
objectClassCategory: 3
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
MayContain: 1.2.840.113556.1.4.2214
MayContain: 1.2.840.113556.1.4.2215
MayContain: 1.2.840.113556.1.4.2216
MayContain: 1.2.840.113556.1.4.2217
MayContain: 1.2.840.113556.1.4.2218
MayContain: 1.2.840.113556.1.4.2219
MayContain: 1.2.840.113556.1.4.2220
MayContain: 1.2.840.113556.1.4.2221
MayContain: 1.2.840.113556.1.4.2222
MayContain: 1.2.840.113556.1.4.2223
MayContain: 1.2.840.113556.1.4.2224
MayContain: 1.2.840.113556.1.4.2225
MayContain: 1.2.840.113556.1.4.2226
MayContain: 1.2.840.113556.1.4.2227
MayContain: 1.2.840.113556.1.4.2228
MayContain: 1.2.840.113556.1.4.2229
MayContain: 1.2.840.113556.1.4.2230
MayContain: 1.2.840.113556.1.4.2231
MayContain: 1.2.840.113556.1.4.2232
MayContain: 1.2.840.113556.1.4.2233
schemaIdGuid:: pIceZCaDcUe6LccG3zXjWg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Cloud-Extensions,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemAuxiliaryClass
systemAuxiliaryClass: 1.2.840.113556.1.5.283
-
dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 641E87A4-8326-4771-BA2D-C706DF35E35A
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 52
-
Sch53.ldf
dn: CN=ms-Authz-Central-Access-Rule,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2156
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 53
-
Sch54.ldf
dn: CN=User-Account-Restrictions,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: attributeSecurityGuid
attributeSecurityGuid:: AEIWTMAg0BGnaACqAG4FKQ==
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 54
-
Sch55.ldf
dn: CN=DNS-Host-Name-Attributes,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=Validated-DNS-Host-Name,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 55
-
Sch56.ldf
# Update element: computer. Remove netboot-DUID from mayContain
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mayContain
mayContain: 1.2.840.113556.1.4.2234
-
dn: CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
replace: objectVersion
objectVersion: 56
-
dn: CN=User-Principal-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 2
-
dn: CN=container-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
shellPropertyPages: 1,{f2c3faae-c8ac-11d0-bcdb-00c04fd8d5b6}
contextMenu: 0,{62AE1F9A-126A-11D0-A14B-0800361B1103}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{6BA3F852-23C6-11D1-B91F-00A0C9A06D2D}
classDisplayName: Container
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
dn: CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
shellPropertyPages: 1,{f2c3faae-c8ac-11d0-bcdb-00c04fd8d5b6}
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
# Attribute Adds
dn: CN=Pek-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: pekList
adminDisplayName: Pek-List
adminDescription: Pek-List
attributeId: 1.2.840.113556.1.4.865
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gzA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
systemFlags: 1
dn: CN=FRS-Flags,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSFlags
adminDisplayName: FRS-Flags
adminDescription: FRS-Flags
attributeId: 1.2.840.113556.1.4.874
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fSUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Site-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: siteList
adminDisplayName: Site-List
adminDescription: Site-List
attributeId: 1.2.840.113556.1.4.821
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 3CwM1VGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Msi-Script,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msiScript
adminDisplayName: Msi-Script
adminDescription: Msi-Script
attributeId: 1.2.840.113556.1.4.814
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: E4Ph2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Version,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSVersion
adminDisplayName: FRS-Version
adminDescription: FRS-Version
attributeId: 1.2.840.113556.1.4.882
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32
schemaIdGuid:: hSUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Treat-As-Leaf,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: treatAsLeaf
adminDisplayName: Treat-As-Leaf
adminDescription: Treat-As-Leaf
attributeId: 1.2.840.113556.1.4.806
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 40TQjx930RGurgAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Product-Code,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: productCode
adminDisplayName: Product-Code
adminDescription: Product-Code
attributeId: 1.2.840.113556.1.4.818
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 16
schemaIdGuid:: F4Ph2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=DNS-Host-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: dNSHostName
adminDisplayName: DNS-Host-Name
adminDescription: DNS-Host-Name
attributeId: 1.2.840.113556.1.4.619
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2048
schemaIdGuid:: R5Xjchh70RGt7wDAT9jVzQ==
hideFromAB: TRUE
dn: CN=Create-Dialog,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: createDialog
adminDisplayName: Create-Dialog
adminDescription: Create-Dialog
attributeId: 1.2.840.113556.1.4.810
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ipUJKzGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-SCP-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootSCPBL
adminDisplayName: netboot-SCP-BL
adminDescription: netboot-SCP-BL
attributeId: 1.2.840.113556.1.4.864
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gjA4B9+R0RGuvAAA+ANnwQ==
linkID: 101
hideFromAB: TRUE
systemFlags: 1
dn: CN=Site-Link-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: siteLinkList
adminDisplayName: Site-Link-List
adminDescription: Site-Link-List
attributeId: 1.2.840.113556.1.4.822
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 3SwM1VGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Tools,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootTools
adminDisplayName: netboot-Tools
adminDescription: netboot-Tools
attributeId: 1.2.840.113556.1.4.858
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fzA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Msi-Script-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msiScriptName
adminDisplayName: Msi-Script-Name
adminDescription: Msi-Script-Name
attributeId: 1.2.840.113556.1.4.845
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Yt2nlhiR0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootServer
adminDisplayName: netboot-Server
adminDescription: netboot-Server
attributeId: 1.2.840.113556.1.4.860
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gTA4B9+R0RGuvAAA+ANnwQ==
linkID: 100
hideFromAB: TRUE
dn: CN=Msi-Script-Size,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msiScriptSize
adminDisplayName: Msi-Script-Size
adminDescription: Msi-Script-Size
attributeId: 1.2.840.113556.1.4.846
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Y92nlhiR0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=LDAP-IPDeny-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: lDAPIPDenyList
adminDisplayName: LDAP-IPDeny-List
adminDescription: LDAP-IPDeny-List
attributeId: 1.2.840.113556.1.4.844
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: U6NZc/eQ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Install-Ui-Level,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: installUiLevel
adminDisplayName: Install-Ui-Level
adminDescription: Install-Ui-Level
attributeId: 1.2.840.113556.1.4.847
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ZN2nlhiR0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Terminal-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: terminalServer
adminDisplayName: Terminal-Server
adminDescription: Terminal-Server
attributeId: 1.2.840.113556.1.4.885
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: HJq2bSKU0RGuvQAA+ANnwQ==
hideFromAB: TRUE
dn: CN=LDAP-Admin-Limits,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: lDAPAdminLimits
adminDisplayName: LDAP-Admin-Limits
adminDescription: LDAP-Admin-Limits
attributeId: 1.2.840.113556.1.4.843
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: UqNZc/eQ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Create-Wizard-Ext,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: createWizardExt
adminDisplayName: Create-Wizard-Ext
adminDescription: Create-Wizard-Ext
attributeId: 1.2.840.113556.1.4.812
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: i5UJKzGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Purported-Search,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: purportedSearch
adminDisplayName: Purported-Search
adminDescription: Purported-Search
attributeId: 1.2.840.113556.1.4.886
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2048
schemaIdGuid:: UE61tDqU0RGuvQAA+ANnwQ==
hideFromAB: TRUE
dn: CN=ms-RRAS-Attribute,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRRASAttribute
adminDisplayName: ms-RRAS-Attribute
adminDescription: ms-RRAS-Attribute
attributeId: 1.2.840.113556.1.4.884
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rZib842T0RGuvQAA+ANnwQ==
hideFromAB: TRUE
dn: CN=File-Ext-Priority,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fileExtPriority
adminDisplayName: File-Ext-Priority
adminDescription: File-Ext-Priority
attributeId: 1.2.840.113556.1.4.816
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: FYPh2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Can-Upgrade-Script,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: canUpgradeScript
adminDisplayName: Can-Upgrade-Script
adminDescription: Can-Upgrade-Script
attributeId: 1.2.840.113556.1.4.815
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: FIPh2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=App-Schema-Version,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: appSchemaVersion
adminDisplayName: App-Schema-Version
adminDescription: App-Schema-Version
attributeId: 1.2.840.113556.1.4.848
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Zd2nlhiR0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Primary-Member,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSPrimaryMember
adminDisplayName: FRS-Primary-Member
adminDescription: FRS-Primary-Member
attributeId: 1.2.840.113556.1.4.878
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
linkId: 106
schemaIdGuid:: gSUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Remote-Storage-GUID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: remoteStorageGUID
adminDisplayName: Remote-Storage-GUID
adminDescription: Remote-Storage-GUID
attributeId: 1.2.840.113556.1.4.809
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: sMU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Max-Clients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootMaxClients
adminDisplayName: netboot-Max-Clients
adminDescription: netboot-Max-Clients
attributeId: 1.2.840.113556.1.4.851
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Member-Reference,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSMemberReference
adminDisplayName: FRS-Member-Reference
adminDescription: FRS-Member-Reference
attributeId: 1.2.840.113556.1.4.875
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fiUTKnOT0RGuvAAA+ANnwQ==
linkID: 104
hideFromAB: TRUE
systemFlags: 2
dn: CN=Upgrade-Product-Code,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: upgradeProductCode
adminDisplayName: Upgrade-Product-Code
adminDescription: Upgrade-Product-Code
attributeId: 1.2.840.113556.1.4.813
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 16
schemaIdGuid:: EoPh2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Time-Last-Command,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSTimeLastCommand
adminDisplayName: FRS-Time-Last-Command
adminDescription: FRS-Time-Last-Command
attributeId: 1.2.840.113556.1.4.880
attributeSyntax: 2.5.5.11
omSyntax: 23
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gyUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-New-Machine-OU,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootNewMachineOU
adminDisplayName: netboot-New-Machine-OU
adminDescription: netboot-New-Machine-OU
attributeId: 1.2.840.113556.1.4.856
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fTA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Limit-Clients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootLimitClients
adminDisplayName: netboot-Limit-Clients
adminDescription: netboot-Limit-Clients
attributeId: 1.2.840.113556.1.4.850
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dzA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Signature-Algorithms,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: signatureAlgorithms
adminDisplayName: Signature-Algorithms
adminDescription: Signature-Algorithms
attributeId: 1.2.840.113556.1.4.824
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ssU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Partner-Auth-Level,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSPartnerAuthLevel
adminDisplayName: FRS-Partner-Auth-Level
adminDescription: FRS-Partner-Auth-Level
attributeId: 1.2.840.113556.1.4.877
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gCUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Enrollment-Providers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: enrollmentProviders
adminDisplayName: Enrollment-Providers
adminDescription: Enrollment-Providers
attributeId: 1.2.840.113556.1.4.825
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: s8U5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Member-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSMemberReferenceBL
adminDisplayName: FRS-Member-Reference-BL
adminDescription: FRS-Member-Reference-BL
attributeId: 1.2.840.113556.1.4.876
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fyUTKnOT0RGuvAAA+ANnwQ==
linkID: 105
hideFromAB: TRUE
systemFlags: 1
dn: CN=Certificate-Templates,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: certificateTemplates
adminDisplayName: Certificate-Templates
adminDescription: Certificate-Templates
attributeId: 1.2.840.113556.1.4.823
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: scU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Pek-Key-Change-Interval,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: pekKeyChangeInterval
adminDisplayName: Pek-Key-Change-Interval
adminDescription: Pek-Key-Change-Interval
attributeId: 1.2.840.113556.1.4.866
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Localized-Description,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: localizedDescription
adminDisplayName: Localized-Description
adminDescription: Localized-Description
attributeId: 1.2.840.113556.1.4.817
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: FoPh2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Frs-Computer-Reference,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: frsComputerReference
adminDisplayName: Frs-Computer-Reference
adminDescription: Frs-Computer-Reference
attributeId: 1.2.840.113556.1.4.869
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eCUTKnOT0RGuvAAA+ANnwQ==
linkID: 102
systemFlags: 2
hideFromAB: TRUE
dn: CN=Alt-Security-Identities,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: altSecurityIdentities
adminDisplayName: Alt-Security-Identities
adminDescription: Alt-Security-Identities
attributeId: 1.2.840.113556.1.4.867
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: DPP7AP6R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Answer-Requests,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootAnswerRequests
adminDisplayName: netboot-Answer-Requests
adminDescription: netboot-Answer-Requests
attributeId: 1.2.840.113556.1.4.853
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ejA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Bridgehead-Server-List-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: bridgeheadServerListBL
adminDisplayName: Bridgehead-Server-List-BL
adminDescription: Bridgehead-Server-List-BL
attributeId: 1.2.840.113556.1.4.820
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 2ywM1VGJ0RGuvAAA+ANnwQ==
linkID: 99
hideFromAB: TRUE
systemFlags: 1
dn: CN=Frs-Computer-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: frsComputerReferenceBL
adminDisplayName: Frs-Computer-Reference-BL
adminDescription: Frs-Computer-Reference-BL
attributeId: 1.2.840.113556.1.4.870
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eSUTKnOT0RGuvAAA+ANnwQ==
linkID: 103
hideFromAB: TRUE
systemFlags: 1
dn: CN=FRS-Control-Data-Creation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSControlDataCreation
adminDisplayName: FRS-Control-Data-Creation
adminDescription: FRS-Control-Data-Creation
attributeId: 1.2.840.113556.1.4.871
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32
schemaIdGuid:: eiUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Is-Critical-System-Object,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: isCriticalSystemObject
adminDisplayName: Is-Critical-System-Object
adminDescription: Is-Critical-System-Object
attributeId: 1.2.840.113556.1.4.868
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: DfP7AP6R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Allow-New-Clients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootAllowNewClients
adminDisplayName: netboot-Allow-New-Clients
adminDescription: netboot-Allow-New-Clients
attributeId: 1.2.840.113556.1.4.849
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: djA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Time-Last-Config-Change,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSTimeLastConfigChange
adminDisplayName: FRS-Time-Last-Config-Change
adminDescription: FRS-Time-Last-Config-Change
attributeId: 1.2.840.113556.1.4.881
attributeSyntax: 2.5.5.11
omSyntax: 23
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hCUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Bridgehead-Transport-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: bridgeheadTransportList
adminDisplayName: Bridgehead-Transport-List
adminDescription: Bridgehead-Transport-List
attributeId: 1.2.840.113556.1.4.819
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 2iwM1VGJ0RGuvAAA+ANnwQ==
linkID: 98
hideFromAB: TRUE
dn: CN=FRS-Service-Command-Status,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSServiceCommandStatus
adminDisplayName: FRS-Service-Command-Status
adminDescription: FRS-Service-Command-Status
attributeId: 1.2.840.113556.1.4.879
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 512
schemaIdGuid:: giUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Control-Inbound-Backlog,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSControlInboundBacklog
adminDisplayName: FRS-Control-Inbound-Backlog
adminDescription: FRS-Control-Inbound-Backlog
attributeId: 1.2.840.113556.1.4.872
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32
schemaIdGuid:: eyUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-IntelliMirror-OSes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootIntelliMirrorOSes
adminDisplayName: netboot-IntelliMirror-OSes
adminDescription: netboot-IntelliMirror-OSes
attributeId: 1.2.840.113556.1.4.857
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fjA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Control-Outbound-Backlog,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSControlOutboundBacklog
adminDisplayName: FRS-Control-Outbound-Backlog
adminDescription: FRS-Control-Outbound-Backlog
attributeId: 1.2.840.113556.1.4.873
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32
schemaIdGuid:: fCUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Current-Client-Count,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootCurrentClientCount
adminDisplayName: netboot-Current-Client-Count
adminDescription: netboot-Current-Client-Count
attributeId: 1.2.840.113556.1.4.852
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eTA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=IPSEC-Negotiation-Policy-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: iPSECNegotiationPolicyType
adminDisplayName: IPSEC-Negotiation-Policy-Type
adminDescription: IPSEC-Negotiation-Policy-Type
attributeId: 1.2.840.113556.1.4.887
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=ms-RRAS-Vendor-Attribute-Entry,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRRASVendorAttributeEntry
adminDisplayName: ms-RRAS-Vendor-Attribute-Entry
adminDescription: ms-RRAS-Vendor-Attribute-Entry
attributeId: 1.2.840.113556.1.4.883
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rJib842T0RGuvQAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Locally-Installed-OSes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootLocallyInstalledOSes
adminDisplayName: netboot-Locally-Installed-OSes
adminDescription: netboot-Locally-Installed-OSes
attributeId: 1.2.840.113556.1.4.859
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=IPSEC-Negotiation-Policy-Action,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: iPSECNegotiationPolicyAction
adminDisplayName: IPSEC-Negotiation-Policy-Action
adminDescription: IPSEC-Negotiation-Policy-Action
attributeId: 1.2.840.113556.1.4.888
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dTA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-New-Machine-Naming-Policy,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootNewMachineNamingPolicy
adminDisplayName: netboot-New-Machine-Naming-Policy
adminDescription: netboot-New-Machine-Naming-Policy
attributeId: 1.2.840.113556.1.4.855
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Answer-Only-Valid-Clients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootAnswerOnlyValidClients
adminDisplayName: netboot-Answer-Only-Valid-Clients
adminDescription: netboot-Answer-Only-Valid-Clients
attributeId: 1.2.840.113556.1.4.854
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ezA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=UPN-Suffixes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: uPNSuffixes
adminDescription: UPN-Suffixes
adminDisplayName: UPN-Suffixes
attributeID: 1.2.840.113556.1.4.890
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
schemaIDGUID:: v2AhAySY0RGuwAAA+ANnwQ==
searchFlags: 0
systemOnly: FALSE
hideFromAB: TRUE
dn: CN=Additional-Trusted-Service-Names,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: additionalTrustedServiceNames
adminDescription: Additional-Trusted-Service-Names
adminDisplayName: Additional-Trusted-Service-Names
attributeID: 1.2.840.113556.1.4.889
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
schemaIDGUID:: vmAhAySY0RGuwAAA+ANnwQ==
searchFlags: 0
systemOnly: FALSE
hideFromAB: TRUE
dn: CN=NTFRS-Replica-Set,CN=schema,CN=configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.30
-
dn: CN=Replica-Set-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=FRS-Replica-Set-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSReplicaSetType
adminDisplayName: FRS-Replica-Set-Type
adminDescription: FRS-Replica-Set-Type
attributeId: 1.2.840.113556.1.4.31
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: a3PZJnBg0RGpxgAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Replication-DS-Poll,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-DS-Poll
deleteoldrdn: 1
dn: CN=FRS-DS-Poll,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSDSPoll
-
replace: adminDisplayName
adminDisplayName: FRS-DS-Poll
-
replace: adminDescription
adminDescription: FRS-DS-Poll
-
dn: CN=Com-Unique-Cat-Id,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: Category-Id
deleteoldrdn: 1
dn: CN=Category-Id,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: categoryId
-
replace: adminDisplayName
adminDisplayName: Category-Id
-
replace: adminDescription
adminDescription: Category-Id
-
dn: CN=Replication-Root-Path,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Root-Path
deleteoldrdn: 1
dn: CN=FRS-Root-Path,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSRootPath
-
replace: adminDisplayName
adminDisplayName: FRS-Root-Path
-
replace: adminDescription
adminDescription: FRS-Root-Path
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Replication-File-Filter,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-File-Filter
deleteoldrdn: 1
dn: CN=FRS-File-Filter,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSFileFilter
-
replace: adminDisplayName
adminDisplayName: FRS-File-Filter
-
replace: adminDescription
adminDescription: FRS-File-Filter
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Replication-Level-Limit,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Level-Limit
deleteoldrdn: 1
dn: CN=FRS-Level-Limit,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSLevelLimit
-
replace: adminDisplayName
adminDisplayName: FRS-Level-Limit
-
replace: adminDescription
adminDescription: FRS-Level-Limit
-
dn: CN=Replication-Extensions,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Extensions
deleteoldrdn: 1
dn: CN=FRS-Extensions,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSExtensions
-
replace: adminDisplayName
adminDisplayName: FRS-Extensions
-
replace: adminDescription
adminDescription: FRS-Extensions
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 65536
-
dn: CN=Replication-Staging-Path,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Staging-Path
deleteoldrdn: 1
dn: CN=FRS-Staging-Path,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSStagingPath
-
replace: adminDisplayName
adminDisplayName: FRS-Staging-Path
-
replace: adminDescription
adminDescription: FRS-Staging-Path
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Code-Package,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: Msi-Script-Path
deleteoldrdn: 1
dn: CN=Msi-Script-Path,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: msiScriptPath
-
replace: adminDisplayName
adminDisplayName: Msi-Script-Path
-
replace: adminDescription
adminDescription: Msi-Script-Path
-
dn: CN=Replication-DB-Path,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Working-Path
deleteoldrdn: 1
dn: CN=FRS-Working-Path,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSWorkingPath
-
replace: adminDisplayName
adminDisplayName: FRS-Working-Path
-
replace: adminDescription
adminDescription: FRS-Working-Path
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Replica-Version-GUID,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Version-GUID
deleteoldrdn: 1
dn: CN=FRS-Version-GUID,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSVersionGuid
-
replace: adminDisplayName
adminDisplayName: FRS-Version-GUID
-
replace: adminDescription
adminDescription: FRS-Version-GUID
-
add: rangeLower
rangeLower: 16
-
add: rangeUpper
rangeUpper: 16
-
dn: CN=Replication-Root-Security,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Root-Security
deleteoldrdn: 1
dn: CN=FRS-Root-Security,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSRootSecurity
-
replace: adminDisplayName
adminDisplayName: FRS-Root-Security
-
replace: adminDescription
adminDescription: FRS-Root-Security
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 65535
-
dn: CN=Replication-Update-Timeout,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Update-Timeout
deleteoldrdn: 1
dn: CN=FRS-Update-Timeout,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSUpdateTimeout
-
replace: adminDisplayName
adminDisplayName: FRS-Update-Timeout
-
replace: adminDescription
adminDescription: FRS-Update-Timeout
-
dn: CN=Replication-Service-Command,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Service-Command
deleteoldrdn: 1
dn: CN=FRS-Service-Command,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSServiceCommand
-
replace: adminDisplayName
adminDisplayName: FRS-Service-Command
-
replace: adminDescription
adminDescription: FRS-Service-Command
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 512
-
dn: CN=Replica-Set-GUID,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Replica-Set-GUID
deleteoldrdn: 1
dn: CN=FRS-Replica-Set-GUID,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSReplicaSetGuid
-
replace: adminDisplayName
adminDisplayName: FRS-Replica-Set-GUID
-
replace: adminDescription
adminDescription: FRS-Replica-Set-GUID
-
dn: CN=Replication-Status,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Fault-Condition
deleteoldrdn: 1
dn: CN=FRS-Fault-Condition,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSFaultCondition
-
replace: adminDisplayName
adminDisplayName: FRS-Fault-Condition
-
replace: adminDescription
adminDescription: FRS-Fault-Condition
-
add: rangeLower
rangeLower: 1
-
add: rangeUpper
rangeUpper: 16
-
dn: CN=Replication-Directory-Filter,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Directory-Filter
deleteoldrdn: 1
dn: CN=FRS-Directory-Filter,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSDirectoryFilter
-
replace: adminDisplayName
adminDisplayName: FRS-Directory-Filter
-
replace: adminDescription
adminDescription: FRS-Directory-Filter
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Created-Entry,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: rpc-Ns-Entry-Flags
deleteoldrdn: 1
dn: CN=rpc-Ns-Entry-Flags,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: rpcNsEntryFlags
-
replace: adminDisplayName
adminDisplayName: rpc-Ns-Entry-Flags
-
replace: adminDescription
adminDescription: rpc-Ns-Entry-Flags
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Class Adds
dn: CN=NTFRS-Member,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: nTFRSMember
adminDisplayName: NTFRS-Member
adminDescription: NTFRS-Member
governsId: 1.2.840.113556.1.5.153
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.515
systemMayContain: 1.2.840.113556.1.4.485
systemMayContain: 1.2.840.113556.1.4.500
systemMayContain: 1.2.840.113556.1.4.535
systemMayContain: 1.2.840.113556.1.4.877
systemMayContain: 1.2.840.113556.1.4.874
systemMayContain: 1.2.840.113556.1.4.536
systemMayContain: 1.2.840.113556.1.4.873
systemMayContain: 1.2.840.113556.1.4.872
systemMayContain: 1.2.840.113556.1.4.871
systemMayContain: 1.2.840.113556.1.4.869
systemPossSuperiors: 1.2.840.113556.1.5.102
schemaIdGuid:: hiUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NTFRS-Member,CN=Schema,CN=Configuration,DC=X
dn: CN=Site-Link-Bridge,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: siteLinkBridge
adminDisplayName: Site-Link-Bridge
adminDescription: Site-Link-Bridge
governsId: 1.2.840.113556.1.5.148
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.822
systemPossSuperiors: 1.2.840.113556.1.5.141
schemaIdGuid:: 3ywM1VGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Site-Link-Bridge,CN=Schema,CN=Configuration,DC=X
dn: CN=RRAS-Administration-Connection-Point,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: rRASAdministrationConnectionPoint
adminDisplayName: RRAS-Administration-Connection-Point
adminDescription: RRAS-Administration-Connection-Point
governsId: 1.2.840.113556.1.5.150
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.94
systemMayContain: 1.2.840.113556.1.4.884
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: vsU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=RRAS-Administration-Connection-Point,CN=Schema,CN=Configuration,DC=X
dn: CN=NTFRS-Subscriptions,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: nTFRSSubscriptions
adminDescription: NTFRS-Subscriptions
adminDisplayName: NTFRS-Subscriptions
governsID: 1.2.840.113556.1.5.154
objectClassCategory: 1
rDNAttID: 2.5.4.3
subClassOf: 2.5.6.0
schemaIDGUID:: hyUTKnOT0RGuvAAA+ANnwQ==
systemMayContain: 1.2.840.113556.1.4.486
systemMayContain: 1.2.840.113556.1.4.882
systemMayContain: 1.2.840.113556.1.4.536
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.5.154
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NTFRS-Subscriptions,CN=Schema,CN=Configuration,DC=X
dn: CN=Remote-Storage-Service-Point,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: remoteStorageServicePoint
adminDisplayName: Remote-Storage-Service-Point
adminDescription: Remote-Storage-Service-Point
governsId: 1.2.840.113556.1.5.146
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.94
systemMayContain: 1.2.840.113556.1.4.809
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: vcU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Remote-Storage-Service-Point,CN=Schema,CN=Configuration,DC=X
dn: CN=Intellimirror-Group,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: intellimirrorGroup
adminDescription: Intellimirror-Group
adminDisplayName: Intellimirror-Group
governsID: 1.2.840.113556.1.5.152
objectClassCategory: 1
rDNAttID: 2.5.4.3
schemaIDGUID:: hjA4B9+R0RGuvAAA+ANnwQ==
subClassOf: 2.5.6.0
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Intellimirror-Group,CN=Schema,CN=Configuration,DC=X
dn: CN=Site-Link,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: siteLink
adminDisplayName: Site-Link
adminDescription: Site-Link
governsId: 1.2.840.113556.1.5.147
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.821
systemMayContain: 1.2.840.113556.1.4.211
systemMayContain: 1.2.840.113556.1.2.135
systemPossSuperiors: 1.2.840.113556.1.5.141
schemaIdGuid:: 3iwM1VGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Site-Link,CN=Schema,CN=Configuration,DC=X
dn: CN=Intellimirror-SCP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: intellimirrorSCP
adminDisplayName: Intellimirror-SCP
adminDescription: Intellimirror-SCP
governsId: 1.2.840.113556.1.5.151
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.94
systemMayContain: 1.2.840.113556.1.4.858
systemMayContain: 1.2.840.113556.1.4.860
systemMayContain: 1.2.840.113556.1.4.856
systemMayContain: 1.2.840.113556.1.4.855
systemMayContain: 1.2.840.113556.1.4.851
systemMayContain: 1.2.840.113556.1.4.361
systemMayContain: 1.2.840.113556.1.4.859
systemMayContain: 1.2.840.113556.1.4.850
systemMayContain: 1.2.840.113556.1.4.857
systemMayContain: 1.2.840.113556.1.4.358
systemMayContain: 1.2.840.113556.1.4.359
systemMayContain: 1.2.840.113556.1.4.852
systemMayContain: 1.2.840.113556.1.4.853
systemMayContain: 1.2.840.113556.1.4.854
systemMayContain: 1.2.840.113556.1.4.849
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.5.152
schemaIdGuid:: hTA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Intellimirror-SCP,CN=Schema,CN=Configuration,DC=X
dn: CN=NTFRS-Subscriber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: nTFRSSubscriber
adminDisplayName: NTFRS-Subscriber
adminDescription: NTFRS-Subscriber
governsId: 1.2.840.113556.1.5.155
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.488
systemMustContain: 1.2.840.113556.1.4.487
systemMayContain: 1.2.840.113556.1.4.211
systemMayContain: 1.2.840.113556.1.4.485
systemMayContain: 1.2.840.113556.1.4.881
systemMayContain: 1.2.840.113556.1.4.880
systemMayContain: 1.2.840.113556.1.4.879
systemMayContain: 1.2.840.113556.1.4.500
systemMayContain: 1.2.840.113556.1.4.875
systemMayContain: 1.2.840.113556.1.4.874
systemMayContain: 1.2.840.113556.1.4.491
systemMayContain: 1.2.840.113556.1.4.536
systemPossSuperiors: 1.2.840.113556.1.5.154
schemaIdGuid:: iCUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NTFRS-Subscriber,CN=Schema,CN=Configuration,DC=X
dn: CN=RRAS-Administration-Dictionary,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: rRASAdministrationDictionary
adminDisplayName: RRAS-Administration-Dictionary
adminDescription: RRAS-Administration-Dictionary
governsId: 1.2.840.113556.1.5.156
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.883
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: rpib842T0RGuvQAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=RRAS-Administration-Dictionary,CN=Schema,CN=Configuration,DC=X
dn: CN=Object-Class,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 0
-
dn: CN=Surname,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=State-Or-Province-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Title,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Postal-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Postal-Code,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Office-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Post-Office-Box,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Physical-Delivery-Office-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Home-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Telephone-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Telex-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Teletex-Terminal-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Facsimile-Telephone-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=X121-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=International-ISDN-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Registered-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Preferred-Delivery-Method,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Picture,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Mobile-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Pager-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Initials,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Password,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Recorded-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Greetings,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Flags,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Volume,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Speed,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Recording-Length,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Forwarding-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Personal-Title,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Address-Home,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Pager-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Fax-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Mobile-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Telex-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-ISDN-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Assistant,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Categories,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: rangeLower
rangeLower: 36
-
add: rangeUpper
rangeUpper: 36
-
dn: CN=Creator,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 0
-
dn: CN=Phone-Ip-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Ip-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=WWW-Page-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: s5VX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Group-Type,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-
add: systemFlags
systemFlags: 2
-
dn: CN=User-Shared-Folder,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=User-Shared-Folder-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Service-Principal-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 2
-
dn: CN=Phone-Home-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=AutoReply,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=AutoReply-Message,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Package-Flags,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-
dn: CN=AutoReply-Subject,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=WWW-Home-Page,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: s5VX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.890
-
dn: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.889
-
dn: CN=Inter-Site-Transport,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.789
-
add: systemMustContain
systemMustContain: 1.2.840.113556.1.4.789
-
dn: CN=Group-Of-Names,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: objectClassCategory
objectClassCategory: 2
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.820
systemMayContain: 1.2.840.113556.1.4.864
systemMayContain: 1.2.840.113556.1.4.868
systemMayContain: 1.2.840.113556.1.4.870
systemMayContain: 1.2.840.113556.1.4.876
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.290
systemMayContain: 1.2.840.113556.1.2.291
systemMayContain: 1.2.840.113556.1.2.292
systemMayContain: 1.2.840.113556.1.2.293
systemMayContain: 1.2.840.113556.1.2.339
systemMayContain: 1.2.840.113556.1.2.340
systemMayContain: 1.2.840.113556.1.2.341
systemMayContain: 1.2.840.113556.1.2.342
systemMayContain: 1.2.840.113556.1.2.469
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.865
systemMayContain: 1.2.840.113556.1.4.866
-
dn: CN=Domain,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultObjectCategory
defaultObjectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=X
-
dn: CN=Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.867
-
dn: CN=ACS-Policy,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.765
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.885
systemMayContain: 1.2.840.113556.1.4.771
-
dn: CN=ACS-Subnet,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Class-Registration,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.252
-
dn: CN=Inter-Site-Transport-Container,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.107
-
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.142
-
dn: CN=Inter-Site-Transport,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.790
-
dn: CN=Certification-Authority,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.619
systemMayContain: 1.2.840.113556.1.4.823
systemMayContain: 1.2.840.113556.1.4.824
systemMayContain: 1.2.840.113556.1.4.825
-
dn: CN=Server,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.619
systemMayContain: 1.2.840.113556.1.4.786
systemMayContain: 1.2.840.113556.1.4.819
-
dn: CN=Print-Queue,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.631
-
dn: CN=Remote-Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.619
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.360
systemMayContain: 1.2.840.113556.1.4.486
-
dn: CN=Storage,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Class-Store,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.848
-
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.18
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.47
systemMayContain: 1.2.840.113556.1.2.129
systemMayContain: 1.2.840.113556.1.2.144
systemMayContain: 1.2.840.113556.1.2.221
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.786
systemMayContain: 0.9.2342.19200300.100.1.3
-
dn: CN=Package-Registration,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.20
systemMayContain: 1.2.840.113556.1.4.813
systemMayContain: 1.2.840.113556.1.4.814
systemMayContain: 1.2.840.113556.1.4.815
systemMayContain: 1.2.840.113556.1.4.816
systemMayContain: 1.2.840.113556.1.4.818
systemMayContain: 1.2.840.113556.1.4.845
systemMayContain: 1.2.840.113556.1.4.846
systemMayContain: 1.2.840.113556.1.4.847
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.17
-
dn: CN=NTDS-Site-Settings,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.607
-
dn: CN=NTDS-Connection,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.791
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.785
-
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.153
-
dn: CN=Category-Registration,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.817
-
dn: CN=Display-Specifier,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.806
systemMayContain: 1.2.840.113556.1.4.810
systemMayContain: 1.2.840.113556.1.4.812
-
dn: CN=NTFRS-Settings,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.653
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.459
systemMayContain: 1.2.840.113556.1.4.211
systemMayContain: 1.2.840.113556.1.4.486
systemMayContain: 1.2.840.113556.1.4.487
systemMayContain: 1.2.840.113556.1.4.488
systemMayContain: 1.2.840.113556.1.4.489
systemMayContain: 1.2.840.113556.1.4.490
systemMayContain: 1.2.840.113556.1.4.491
systemMayContain: 1.2.840.113556.1.4.500
systemMayContain: 1.2.840.113556.1.4.535
systemMayContain: 1.2.840.113556.1.4.564
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.43
-
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
-
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.17
-
dn: CN=NTFRS-Replica-Set,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.43
systemMayContain: 1.2.840.113556.1.4.31
systemMayContain: 1.2.840.113556.1.4.653
systemMayContain: 1.2.840.113556.1.4.874
systemMayContain: 1.2.840.113556.1.4.877
systemMayContain: 1.2.840.113556.1.4.878
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.459
systemMayContain: 1.2.840.113556.1.4.485
systemMayContain: 1.2.840.113556.1.4.486
systemMayContain: 1.2.840.113556.1.4.487
systemMayContain: 1.2.840.113556.1.4.488
systemMayContain: 1.2.840.113556.1.4.489
systemMayContain: 1.2.840.113556.1.4.491
systemMayContain: 1.2.840.113556.1.4.564
-
dn: CN=Query-Policy,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.844
systemMayContain: 1.2.840.113556.1.4.843
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.604
systemMustContain: 1.2.840.113556.1.4.603
systemMustContain: 1.2.840.113556.1.4.602
systemMustContain: 1.2.840.113556.1.4.599
systemMustContain: 1.2.840.113556.1.4.601
systemMustContain: 1.2.840.113556.1.4.600
-
dn: CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.887
systemMayContain: 1.2.840.113556.1.4.888
-
dn: CN=Address-Book-Container,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.886
-
add: systemMustContain
systemMustContain: 1.2.840.113556.1.2.13
-
dn: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.658
-
dn: CN=RAS-X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Information-Store-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Link-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=LocalGroup,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Exchange-Admin-Service,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Eicon-X25-X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-POP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DX-Requestor,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-LDAP-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-LDAP-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-Interface,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Mailbox-Agent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Eicon-X25-Stack,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Directory-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=NNTP-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Stack,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Connector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encryption-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=View-Container,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Site-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Application-Registration,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-IMAP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Server-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Addressing,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Admin-Extension,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-HTTP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Public-Store,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Add-In,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transport-Stack,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-NNTP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-LDAP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Message-Store,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-Shared-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MTA-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Mail-Gateway,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Distribution-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-Shared-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Local-DXA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=NTFRS-Site-Settings,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MTA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Addr-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=View-Root,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-DXA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-Shared,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=ADMD,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=PRMD,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Run-As,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Req-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=To-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Runs-On,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Enabled,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-App-Id,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=App-Flags,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Form-Data,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=INSAdmin,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=N-Address,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Send-TNEF,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Line-Wrap,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Auth-Orig,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=From-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Types,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-DN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=View-Flags,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Imp-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Req-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=P-Selector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Rid-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=S-Selector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=T-Selector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Pub-PF,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=OWA-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Svr-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Domain-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-ReqName,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Conf-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Auth-Orig-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-PS-CLSID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Netboot-NIC,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Pub-GAL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Account,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Port-Number,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Require-SSL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Target-MTAs,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Trust-Level,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Create-PF,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Log-Filename,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Contact-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Host,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Password,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Password,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Content-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Routing-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Servers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-Package-Id,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MTA-Local-Cred,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-1,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-2,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-3,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-4,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Character-Set,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Delegate-User,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Member-Rule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Admin-Copy,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Do-OAB-Version,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-Unique-IID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Computer-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Newsfeed-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitor-Clock,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=N-Address-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Sites,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Referral-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Imp-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Employee-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Req-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Role-Occupant,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Affinity,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Unauth-Orig-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Import-Now,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=USN-Intersite,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outbound-Host,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Export-Now,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Svr-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=LDAP-Search-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Create-PF-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Create-PF-DL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Local-Admin,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MTA-Local-Desig,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Imp-Seq-Time,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Req-Seq-Time,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Conf-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Svr-Seq-Time,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Property-Pages,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outbound-Sites,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Use-Site-Values,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Newsgroup-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Report-To-Owner,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RTS-Window-Size,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Unauth-Orig,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Admin-Update,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Domain-Replicas,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Not-Create-PF,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Append-ReqCN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Recipient-CP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MDB-Unread-Limit,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Off-Line-AB-Style,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Conf-Req-Time,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Preserve-DNs,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Employee-Number,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Connection-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Phone-Number,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authorized-User,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Folder-GUID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Proxy-Space,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=SMIME-Alg-List-NA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Local-Bridge-Head,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitor-Servers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=View-Definition,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Trans-Retry-Mins,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Create-PF-DL-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Logging-Level,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Off-Line-AB-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Maximum-Object-ID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Remote-Client,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Pub-GAL-Limit,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Anonymous-Access,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Import-Container,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitor-Services,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Supporting-Stack,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Control-Msg-Rules,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-Bridge-Head,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Send-EMail-Message,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Accept-All,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Not-Create-PF-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Not-Create-PF-DL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Connected-Domains,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Gateway-Local-Cred,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Clock-Alert-Repair,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Clock-Alert-Offset,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-In-Template-Map,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Folders-Container,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Mem-Reject-Perms,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Character-Set-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Expand-DLs-Locally,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authorized-Domain,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Local-Initial-Turn,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Home-Public-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt-Alg-List-NA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Incoming-Password,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Mem-Submit-Perms,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outbound-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=P-Selector-Inbound,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Anonymous-Account,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Num-Of-Open-Retries,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Export-Containers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitored-Servers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Replica-Set-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Realm-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Aliased-Object-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Folder-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=S-Selector-Inbound,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outbound-Host-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Off-Line-AB-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Trans-Timeout-Mins,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=T-Selector-Inbound,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Callback-Number,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Leased-Line-Port,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Remote-MTA-Phone,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X400-Attachment-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Bridgehead-Servers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Gateway-Local-Desig,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=GWART-Last-Modified,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X400-Selector-Syntax,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Admin-Extension-DLL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=List-Public-Folders,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Lockout-Disconnect,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Display-Name-Suffix,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Certificate-Chain-V3,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Out-Template-Map,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=SMIME-Alg-List-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Space-Last-Computed,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Over-Site-Connector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Remote-SRVR-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RTS-Checkpoint-Size,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Proxy-Generator-DLL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-Out-BH-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Open-Retry-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=XMIT-Timeout-Normal,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=NNTP-Distributions,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=XMIT-Timeout-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MDB-Backoff-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Import-Sensitivity,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=SMIME-Alg-Selected-NA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Not-Create-PF-DL-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Enabled-Protocol-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Mem-Reject-Perms-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Clock-Warning-Repair,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Replication-Stagger,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Clock-Warning-Offset,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Leased-or-Switched,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Exchange-Options,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Control-Msg-Folder-ID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Action-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Action-First,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Mem-Submit-Perms-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Temp-Assoc-Threshold,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Template-Options,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Gateway-Routing-Tree,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authorized-Password,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-Value-DN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Return-Exact-Msg-Size,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Client-Access-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Report-To-Originator,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RTS-Recovery-Timeout,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Off-Line-AB-Containers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Enable-Compatibility,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Association-Lifetime,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Action-Second,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Cross-Certificate-CRL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Responsible-Local-DXA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encapsulation-Method,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Newsfeed-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MDB-Msg-Time-Out-Period,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Restart-Delay,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authentication-To-Use,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Pub-AB-Attributes,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt-Alg-List-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-Value-Str,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Hide-DL-Membership,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Filter-Local-Addresses,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt-Alg-Selected-NA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Default-Message-Format,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Conf-Container-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Translation-Table-Used,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Disabled-Gateway-Proxy,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Native-Address-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Template-TimeStamp,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Alert-Delay,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Replication-Boot-State,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Connection-List-Filter,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Assoc-Protocol-Cfg-NNTP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Recipients,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Remote-Entries,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Num-Of-Transfer-Retries,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=CA-Exchange-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outgoing-Msg-Size-Limit,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Alert-Units,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=OOF-Reply-To-Originator,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Disable-Deferred-Commit,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Turn-Request-Threshold,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=XMIT-Timeout-Non-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=SMIME-Alg-Selected-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Restart-Message,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-Auto-Convert-Class-Id,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Phonebook-Entry-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=NNTP-Distributions-Flag,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Local-Bridge-Head-Address,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transfer-Timeout-Normal,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transfer-Retry-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transfer-Timeout-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Message-Tracking-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=CA-Signature-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Bidirectional-Connector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Call-User-Data-Incoming,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Available-Distributions,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Replication-Mail-Msg-Size,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Call-User-Data-Outgoing,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transport-Expedited-Data,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-UnConf-Container-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Exchange-Options,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Warning-Delay,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Session-Disconnect-Timer,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Template-Options,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Quota-Notification-Style,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Root-Newsgroups-Folder-ID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Warning-Units,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-Bridge-Head-Address,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Export-Custom-Recipients,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Support-SMIME-Signatures,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt-Alg-Selected-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Container-Administrators,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Recipients-NDR,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Two-Way-Alternate-Facility,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Preserve-Internet-Content,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Export-Native-Only,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Facilities-Data-Incoming,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Facilities-Data-Outgoing,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Default-Intra-Site-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Default-Inter-Site-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Connection-List-Filter-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transfer-Timeout-Non-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Quota-Notification-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=CA-Exchange-Certificate-Chain,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authorized-Password-Confirm,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Normal-Poll-Units,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=CA-Signature-Certificate-Chain,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Certificate-Revocation-List-V1,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Certificate-Revocation-List-V3,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Hotsite-Poll-Units,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Enabled-Authorization-Packages,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-In-Exchange-Sensitivity,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Normal-Poll-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Escalation-Procedure,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Replication-Sensitivity,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Hotsite-Poll-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Available-Authorization-Packages,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Application-Entity,CN=schema,CN=configuration,DC=X
changetype: modify
delete: systemMustContain
systemMustContain: presentationAddress
-
dn: CN=DMD,CN=schema,CN=configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: foreignDSAs
-
dn: CN=NTDS-DSA,CN=schema,CN=configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: presentationAddress
-
dn: CN=Top,CN=schema,CN=configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: masterDSA
-
dn: CN=Foreign-DSAs,CN=schema,CN=configuration,dc=X
changetype: delete
dn: CN=Presentation-Address,CN=schema,CN=configuration,dc=X
changetype: delete
dn: CN=Ref-Full-Replicas,CN=schema,CN=configuration,dc=X
changetype: delete
dn: CN=Ref-Master-DSA,CN=schema,CN=configuration,dc=X
changetype: delete
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
# Extended rights
dn: CN=Open-Address-Book,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: 3e74f60f-3e73-11d1-a9c0-0000f80367c1
displayName: Open Address Book
rightsGuid: a1990816-4298-11d1-ade2-00c04fd8d5cd
dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
displayName: Modify Personal Information
rightsGuid: 77B5B886-944A-11d1-AEBD-0000F80367C1
dn: CN=Email-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
displayName: Modify Email Information
rightsGuid: E45795B2-9455-11d1-AEBD-0000F80367C1
dn: CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
displayName: Modify Web Information
rightsGuid: E45795B3-9455-11d1-AEBD-0000F80367C1
# Display-Specifiers
dn: CN=localGroup-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: delete
dn: CN=nTFRSSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{9da6fd68-c63b-11d0-b94d-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextmenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
classDisplayName: NTFRS Settings
dn: CN=nTFRSReplicaSet-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{9da6fd69-c63b-11d0-b94d-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
classDisplayName: NTFRS Replica Set
dn: CN=mSFTFRS-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{9da6fd6a-c63b-11d0-b94d-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
classDisplayName: Microsoft FRS
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: treatAsLeaf
treatAsLeaf: TRUE
-
delete: adminPropertyPages
adminPropertyPages: 5,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 6,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
add: adminPropertyPages
adminPropertyPages: 5,{FD57D295-4FD9-11D1-854E-00C04FC31FD3}
adminPropertyPages: 6,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 7,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
delete: attributeDisplayNames
attributeDisplayNames: comment,Comment
attributeDisplayNames: company,Company
attributeDisplayNames: distinguishedName,X500 DN
attributeDisplayNames: facsimileTelephoneNumber, Facsimile Telephone Numbers
attributeDisplayNames: generationQualifier, Generation Qualifier
attributeDisplayNames: internationalISDNNumber, International ISDN Number
attributeDisplayNames: mobile,Cellular Phone Number
attributeDisplayNames: personalTitle,Personal Title
attributeDisplayNames: physicalDeliveryOfficeName,Delivery Office
attributeDisplayNames: postalCode,ZIP Code
attributeDisplayNames: primaryGroupID,Primary Group SID
attributeDisplayNames: streetAddress,Address
attributeDisplayNames: telephoneNumber,Telephone Number
attributeDisplayNames: title,Title
attributeDisplayNames: url,Web Page Address
attributeDisplayNames: userAccountControl,User Account Control Flags
-
add: attributeDisplayNames
attributeDisplayNames: assistant,Assistant
attributeDisplayNames: comment,User Account Comment
attributeDisplayNames: co,Company
attributeDisplayNames: distinguishedName,X500 Distinguished Name
attributeDisplayNames: facsimileTelephoneNumber,Facsimile Telephone Number
attributeDisplayNames: generationQualifier,Name Suffix
attributeDisplayNames: internationalISDNNumber, International ISDN Number (Others)
attributeDisplayNames: ipPhone,IP Phone Number
attributeDisplayNames: mobile,Primary Mobile Phone Number
attributeDisplayNames: otherFacsimileTelephoneNumber,Facsimile Telephone Number (Others)
attributeDisplayNames: otherHomePhone,Home Phone (Others)
attributeDisplayNames: otherIpPhone,IP Phone Number (Others)
attributeDisplayNames: otherMailbox,E-Mail Address (Others)
attributeDisplayNames: otherMobile,Mobile Phone Number (Others)
attributeDisplayNames: otherPager,Pager Number (Others)
attributeDisplayNames: otherTelephone,Office Telephone Number (Others)
attributeDisplayNames: personalTitle,Title
attributeDisplayNames: physicalDeliveryOfficeName,Office Location
attributeDisplayNames: postalCode,ZIP/Postal Code
attributeDisplayNames: primaryInternationalISDNNumber,International ISDN Number
attributeDisplayNames: primaryTelexNumber,Telex Number
attributeDisplayNames: streetAddress,Other Address
attributeDisplayNames: telephoneNumber,Primary Phone
attributeDisplayNames: telexNumber,Telex Number (Others)
attributeDisplayNames: url,Web Page Address (Others)
attributeDisplayNames: userPrincipalName,Logon Name
attributeDisplayNames: wWWHomePage,Web Page Address
-
dn: CN=group-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: attributeDisplayNames
attributeDisplayNames: desctription,Description
attributeDisplayNames: contactName,Contact Name
attributeDisplayNames: distinguishedName,X500 DN
attributeDisplayNames: groupAttributes,Group Attribute Flags
-
add: attributeDisplayNames
attributeDisplayNames: description,Description
attributeDisplayNames: distinguishedName,X500 Distinguished Name
attributeDisplayNames: managedBy,Managed By
-
dn: CN=domainDNS-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: classDisplayName
classDisplayName: Domain (DNS)
-
add: classDisplayName
classDisplayName: Domain
-
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: assistant,Assistant
attributeDisplayNames: cn,Name
attributeDisplayNames: comment,Comment
attributeDisplayNames: co,Company
attributeDisplayNames: department,Department
attributeDisplayNames: description,Description
attributeDisplayNames: directReports,Direct Reports
attributeDisplayNames: distinguishedName,X500 Distinguished Name
attributeDisplayNames: division,Division
attributeDisplayNames: employeeID,Employee ID
attributeDisplayNames: facsimileTelephoneNumber,Facsimile Telephone Number
attributeDisplayNames: generationQualifier,Name Suffix
attributeDisplayNames: givenName,First Name
attributeDisplayNames: homePhone,Home Phone
attributeDisplayNames: homePostalAddress,Home Address
attributeDisplayNames: info,Notes
attributeDisplayNames: initials,Initials
attributeDisplayNames: internationalISDNNumber,International ISDN Number (Others)
attributeDisplayNames: ipPhone,IP Phone Number
attributeDisplayNames: l,City
attributeDisplayNames: mail,E-Mail Address
attributeDisplayNames: manager,Manager
attributeDisplayNames: memberOf,Group Membership
attributeDisplayNames: middleName,Middle Name
attributeDisplayNames: mobile,Primary Mobile Phone Number
attributeDisplayNames: otherHomePhone,Home Phone Number (Others)
attributeDisplayNames: otherIpPhone,IP Phone Number (Others)
attributeDisplayNames: otherMailbox,E-Mail Address (Others)
attributeDisplayNames: otherMobile,Mobile Phone Number (Others)
attributeDisplayNames: otherPager,Pager Number (Others)
attributeDisplayNames: otherTelephone,Telephone Number (Others)
attributeDisplayNames: personalTitle,Personal Title
attributeDisplayNames: physicalDeliveryOfficeName,Office Location
attributeDisplayNames: postalCode,ZIP/Postal Code
attributeDisplayNames: postOfficeBox,Post Office Box
attributeDisplayNames: primaryInternationalISDNNumber,International ISDN Number
attributeDisplayNames: primaryTelexNumber,Telex Number
attributeDisplayNames: sn,Last Name
attributeDisplayNames: st,State
attributeDisplayNames: streetAddress,Other Address
attributeDisplayNames: telephoneNumber,Primary Phone
attributeDisplayNames: telexNumber,Telex Number (Others)
attributeDisplayNames: url,Web Page Address (Others)
attributeDisplayNames: wWWHomePage,Web Page Address
-
dn: CN=domainPolicy-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: adminPropertyPages
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 4,{AAD30A04-E1D0-11d0-B859-00A024CDD4DE}
-
add: adminPropertyPages
adminPropertyPages: 2,{AAD30A04-E1D0-11d0-B859-00A024CDD4DE}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 4,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
dn: CN=serviceAdministrationPoint-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: classDisplayName
classDisplayName: Service Administration Point
-
add: classDisplayName
classDisplayName: Service
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
attributeDisplayNames: operatingSystem,Operating System
attributeDisplayNames: operatingSystemVersion,Operating System Version
attributeDisplayNames: type,Type
-
dn: CN=printQueue-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Directory Service Name
attributeDisplayNames: uNCName,Network Name
attributeDisplayNames: assetNumber,Asset Number
attributeDisplayNames: bytesPerMinute,Bytes per Minute
attributeDisplayNames: contactName,Contact
attributeDisplayNames: description,Comment
attributeDisplayNames: driverName,Model
attributeDisplayNames: driverVersion,Driver Version
attributeDisplayNames: location,Location
attributeDisplayNames: portName,Port
attributeDisplayNames: printBinNames,Input Trays
attributeDisplayNames: printCollate,Supports Collation
attributeDisplayNames: printColor,Supports Color Printing
attributeDisplayNames: printDuplexSupported,Supports Double-sided Printing
attributeDisplayNames: printerName,Name
attributeDisplayNames: printFormName,Form Name
attributeDisplayNames: printLanguage,Data Format
attributeDisplayNames: printMACAddress,Physical Network Address
attributeDisplayNames: printMaxCopies,Maximum Number of Copies
attributeDisplayNames: printMaxResolutionSupported,Maximum Resolution
attributeDisplayNames: printMaxXExtent,Maximum Printable Width
attributeDisplayNames: printMaxYExtent,Maximum Printable Height
attributeDisplayNames: printMediaReady,Paper Available
attributeDisplayNames: printMediaSupported,Paper Types Supported
attributeDisplayNames: printMemory,Installed Memory
attributeDisplayNames: printMinXExtent,Minimum Printable Width
attributeDisplayNames: printMinYExtent,Minimum Printable Height
attributeDisplayNames: printNetworkAddress,Network Address
attributeDisplayNames: printNumberUp,Supports N-Up Printing
attributeDisplayNames: operatingSystem,Operating System
attributeDisplayNames: operatingSystemVersion,Operating System Version
attributeDisplayNames: printOrientationsSupported,Orientations Supported
attributeDisplayNames: printOwner,Owner Name
attributeDisplayNames: printRate,Speed
attributeDisplayNames: printRateUnit,Speed Units
attributeDisplayNames: printPagesPerMinute,Pages per Minute
attributeDisplayNames: printShareName,Share Name
attributeDisplayNames: printStaplingSupported,Supports Stapling
attributeDisplayNames: printStatus,State
attributeDisplayNames: priority,Print Job Priority
attributeDisplayNames: serverName,Server Name
attributeDisplayNames: url,Web Page Address
attributeDisplayNames: versionNumber,Object Version
attributeDisplayNames: whenChanged,Date Modified
attributeDisplayNames: whenCreated,Date Created
-
dn: CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
-
dn: CN=trustedDomain-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
-
dn: CN=volume-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
attributeDisplayNames: uNCName,Network Path
-
delete: classDisplayName
classDisplayName: Volume
-
add: classDisplayName
classDisplayName: Shared Folder
-
dn: CN=Master-DSA,CN=schema,CN=configuration,dc=X
changetype: delete
dn: CN=schema,CN=configuration,DC=X
changetype: modify
add: objectVersion
objectVersion: 1
-
Sch00.ldf
dn: CN=container-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: delete
dn: CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: delete
Sch1.ldf
dn: CN=container-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
shellPropertyPages: 1,{f2c3faae-c8ac-11d0-bcdb-00c04fd8d5b6}
contextMenu: 0,{62AE1F9A-126A-11D0-A14B-0800361B1103}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{6BA3F852-23C6-11D1-B91F-00A0C9A06D2D}
classDisplayName: Container
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
dn: CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
shellPropertyPages: 1,{f2c3faae-c8ac-11d0-bcdb-00c04fd8d5b6}
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
# Attribute Adds
dn: CN=Pek-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: pekList
adminDisplayName: Pek-List
adminDescription: Pek-List
attributeId: 1.2.840.113556.1.4.865
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gzA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
systemFlags: 1
dn: CN=FRS-Flags,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSFlags
adminDisplayName: FRS-Flags
adminDescription: FRS-Flags
attributeId: 1.2.840.113556.1.4.874
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fSUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Site-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: siteList
adminDisplayName: Site-List
adminDescription: Site-List
attributeId: 1.2.840.113556.1.4.821
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 3CwM1VGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Msi-Script,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msiScript
adminDisplayName: Msi-Script
adminDescription: Msi-Script
attributeId: 1.2.840.113556.1.4.814
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: E4Ph2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Version,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSVersion
adminDisplayName: FRS-Version
adminDescription: FRS-Version
attributeId: 1.2.840.113556.1.4.882
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32
schemaIdGuid:: hSUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Treat-As-Leaf,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: treatAsLeaf
adminDisplayName: Treat-As-Leaf
adminDescription: Treat-As-Leaf
attributeId: 1.2.840.113556.1.4.806
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 40TQjx930RGurgAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Product-Code,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: productCode
adminDisplayName: Product-Code
adminDescription: Product-Code
attributeId: 1.2.840.113556.1.4.818
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 16
schemaIdGuid:: F4Ph2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=DNS-Host-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: dNSHostName
adminDisplayName: DNS-Host-Name
adminDescription: DNS-Host-Name
attributeId: 1.2.840.113556.1.4.619
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2048
schemaIdGuid:: R5Xjchh70RGt7wDAT9jVzQ==
hideFromAB: TRUE
dn: CN=Create-Dialog,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: createDialog
adminDisplayName: Create-Dialog
adminDescription: Create-Dialog
attributeId: 1.2.840.113556.1.4.810
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ipUJKzGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-SCP-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootSCPBL
adminDisplayName: netboot-SCP-BL
adminDescription: netboot-SCP-BL
attributeId: 1.2.840.113556.1.4.864
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gjA4B9+R0RGuvAAA+ANnwQ==
linkID: 101
hideFromAB: TRUE
systemFlags: 1
dn: CN=Site-Link-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: siteLinkList
adminDisplayName: Site-Link-List
adminDescription: Site-Link-List
attributeId: 1.2.840.113556.1.4.822
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 3SwM1VGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Tools,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootTools
adminDisplayName: netboot-Tools
adminDescription: netboot-Tools
attributeId: 1.2.840.113556.1.4.858
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fzA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Msi-Script-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msiScriptName
adminDisplayName: Msi-Script-Name
adminDescription: Msi-Script-Name
attributeId: 1.2.840.113556.1.4.845
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Yt2nlhiR0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootServer
adminDisplayName: netboot-Server
adminDescription: netboot-Server
attributeId: 1.2.840.113556.1.4.860
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gTA4B9+R0RGuvAAA+ANnwQ==
linkID: 100
hideFromAB: TRUE
dn: CN=Msi-Script-Size,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msiScriptSize
adminDisplayName: Msi-Script-Size
adminDescription: Msi-Script-Size
attributeId: 1.2.840.113556.1.4.846
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Y92nlhiR0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=LDAP-IPDeny-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: lDAPIPDenyList
adminDisplayName: LDAP-IPDeny-List
adminDescription: LDAP-IPDeny-List
attributeId: 1.2.840.113556.1.4.844
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: U6NZc/eQ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Install-Ui-Level,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: installUiLevel
adminDisplayName: Install-Ui-Level
adminDescription: Install-Ui-Level
attributeId: 1.2.840.113556.1.4.847
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ZN2nlhiR0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Terminal-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: terminalServer
adminDisplayName: Terminal-Server
adminDescription: Terminal-Server
attributeId: 1.2.840.113556.1.4.885
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: HJq2bSKU0RGuvQAA+ANnwQ==
hideFromAB: TRUE
dn: CN=LDAP-Admin-Limits,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: lDAPAdminLimits
adminDisplayName: LDAP-Admin-Limits
adminDescription: LDAP-Admin-Limits
attributeId: 1.2.840.113556.1.4.843
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: UqNZc/eQ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Create-Wizard-Ext,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: createWizardExt
adminDisplayName: Create-Wizard-Ext
adminDescription: Create-Wizard-Ext
attributeId: 1.2.840.113556.1.4.812
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: i5UJKzGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Purported-Search,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: purportedSearch
adminDisplayName: Purported-Search
adminDescription: Purported-Search
attributeId: 1.2.840.113556.1.4.886
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2048
schemaIdGuid:: UE61tDqU0RGuvQAA+ANnwQ==
hideFromAB: TRUE
dn: CN=ms-RRAS-Attribute,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRRASAttribute
adminDisplayName: ms-RRAS-Attribute
adminDescription: ms-RRAS-Attribute
attributeId: 1.2.840.113556.1.4.884
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rZib842T0RGuvQAA+ANnwQ==
hideFromAB: TRUE
dn: CN=File-Ext-Priority,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fileExtPriority
adminDisplayName: File-Ext-Priority
adminDescription: File-Ext-Priority
attributeId: 1.2.840.113556.1.4.816
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: FYPh2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Can-Upgrade-Script,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: canUpgradeScript
adminDisplayName: Can-Upgrade-Script
adminDescription: Can-Upgrade-Script
attributeId: 1.2.840.113556.1.4.815
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: FIPh2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=App-Schema-Version,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: appSchemaVersion
adminDisplayName: App-Schema-Version
adminDescription: App-Schema-Version
attributeId: 1.2.840.113556.1.4.848
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Zd2nlhiR0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Primary-Member,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSPrimaryMember
adminDisplayName: FRS-Primary-Member
adminDescription: FRS-Primary-Member
attributeId: 1.2.840.113556.1.4.878
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
linkId: 106
schemaIdGuid:: gSUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Remote-Storage-GUID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: remoteStorageGUID
adminDisplayName: Remote-Storage-GUID
adminDescription: Remote-Storage-GUID
attributeId: 1.2.840.113556.1.4.809
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: sMU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Max-Clients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootMaxClients
adminDisplayName: netboot-Max-Clients
adminDescription: netboot-Max-Clients
attributeId: 1.2.840.113556.1.4.851
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Member-Reference,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSMemberReference
adminDisplayName: FRS-Member-Reference
adminDescription: FRS-Member-Reference
attributeId: 1.2.840.113556.1.4.875
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fiUTKnOT0RGuvAAA+ANnwQ==
linkID: 104
hideFromAB: TRUE
systemFlags: 2
dn: CN=Upgrade-Product-Code,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: upgradeProductCode
adminDisplayName: Upgrade-Product-Code
adminDescription: Upgrade-Product-Code
attributeId: 1.2.840.113556.1.4.813
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 16
schemaIdGuid:: EoPh2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Time-Last-Command,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSTimeLastCommand
adminDisplayName: FRS-Time-Last-Command
adminDescription: FRS-Time-Last-Command
attributeId: 1.2.840.113556.1.4.880
attributeSyntax: 2.5.5.11
omSyntax: 23
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gyUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-New-Machine-OU,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootNewMachineOU
adminDisplayName: netboot-New-Machine-OU
adminDescription: netboot-New-Machine-OU
attributeId: 1.2.840.113556.1.4.856
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fTA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Limit-Clients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootLimitClients
adminDisplayName: netboot-Limit-Clients
adminDescription: netboot-Limit-Clients
attributeId: 1.2.840.113556.1.4.850
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dzA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Signature-Algorithms,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: signatureAlgorithms
adminDisplayName: Signature-Algorithms
adminDescription: Signature-Algorithms
attributeId: 1.2.840.113556.1.4.824
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ssU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Partner-Auth-Level,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSPartnerAuthLevel
adminDisplayName: FRS-Partner-Auth-Level
adminDescription: FRS-Partner-Auth-Level
attributeId: 1.2.840.113556.1.4.877
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gCUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Enrollment-Providers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: enrollmentProviders
adminDisplayName: Enrollment-Providers
adminDescription: Enrollment-Providers
attributeId: 1.2.840.113556.1.4.825
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: s8U5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Member-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSMemberReferenceBL
adminDisplayName: FRS-Member-Reference-BL
adminDescription: FRS-Member-Reference-BL
attributeId: 1.2.840.113556.1.4.876
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fyUTKnOT0RGuvAAA+ANnwQ==
linkID: 105
hideFromAB: TRUE
systemFlags: 1
dn: CN=Certificate-Templates,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: certificateTemplates
adminDisplayName: Certificate-Templates
adminDescription: Certificate-Templates
attributeId: 1.2.840.113556.1.4.823
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: scU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Pek-Key-Change-Interval,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: pekKeyChangeInterval
adminDisplayName: Pek-Key-Change-Interval
adminDescription: Pek-Key-Change-Interval
attributeId: 1.2.840.113556.1.4.866
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Localized-Description,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: localizedDescription
adminDisplayName: Localized-Description
adminDescription: Localized-Description
attributeId: 1.2.840.113556.1.4.817
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: FoPh2TmJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Frs-Computer-Reference,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: frsComputerReference
adminDisplayName: Frs-Computer-Reference
adminDescription: Frs-Computer-Reference
attributeId: 1.2.840.113556.1.4.869
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eCUTKnOT0RGuvAAA+ANnwQ==
linkID: 102
systemFlags: 2
hideFromAB: TRUE
dn: CN=Alt-Security-Identities,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: altSecurityIdentities
adminDisplayName: Alt-Security-Identities
adminDescription: Alt-Security-Identities
attributeId: 1.2.840.113556.1.4.867
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: DPP7AP6R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Answer-Requests,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootAnswerRequests
adminDisplayName: netboot-Answer-Requests
adminDescription: netboot-Answer-Requests
attributeId: 1.2.840.113556.1.4.853
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ejA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Bridgehead-Server-List-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: bridgeheadServerListBL
adminDisplayName: Bridgehead-Server-List-BL
adminDescription: Bridgehead-Server-List-BL
attributeId: 1.2.840.113556.1.4.820
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 2ywM1VGJ0RGuvAAA+ANnwQ==
linkID: 99
hideFromAB: TRUE
systemFlags: 1
dn: CN=Frs-Computer-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: frsComputerReferenceBL
adminDisplayName: Frs-Computer-Reference-BL
adminDescription: Frs-Computer-Reference-BL
attributeId: 1.2.840.113556.1.4.870
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eSUTKnOT0RGuvAAA+ANnwQ==
linkID: 103
hideFromAB: TRUE
systemFlags: 1
dn: CN=FRS-Control-Data-Creation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSControlDataCreation
adminDisplayName: FRS-Control-Data-Creation
adminDescription: FRS-Control-Data-Creation
attributeId: 1.2.840.113556.1.4.871
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32
schemaIdGuid:: eiUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Is-Critical-System-Object,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: isCriticalSystemObject
adminDisplayName: Is-Critical-System-Object
adminDescription: Is-Critical-System-Object
attributeId: 1.2.840.113556.1.4.868
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: DfP7AP6R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Allow-New-Clients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootAllowNewClients
adminDisplayName: netboot-Allow-New-Clients
adminDescription: netboot-Allow-New-Clients
attributeId: 1.2.840.113556.1.4.849
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: djA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Time-Last-Config-Change,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSTimeLastConfigChange
adminDisplayName: FRS-Time-Last-Config-Change
adminDescription: FRS-Time-Last-Config-Change
attributeId: 1.2.840.113556.1.4.881
attributeSyntax: 2.5.5.11
omSyntax: 23
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hCUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Bridgehead-Transport-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: bridgeheadTransportList
adminDisplayName: Bridgehead-Transport-List
adminDescription: Bridgehead-Transport-List
attributeId: 1.2.840.113556.1.4.819
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 2iwM1VGJ0RGuvAAA+ANnwQ==
linkID: 98
hideFromAB: TRUE
dn: CN=FRS-Service-Command-Status,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSServiceCommandStatus
adminDisplayName: FRS-Service-Command-Status
adminDescription: FRS-Service-Command-Status
attributeId: 1.2.840.113556.1.4.879
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 512
schemaIdGuid:: giUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Control-Inbound-Backlog,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSControlInboundBacklog
adminDisplayName: FRS-Control-Inbound-Backlog
adminDescription: FRS-Control-Inbound-Backlog
attributeId: 1.2.840.113556.1.4.872
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32
schemaIdGuid:: eyUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-IntelliMirror-OSes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootIntelliMirrorOSes
adminDisplayName: netboot-IntelliMirror-OSes
adminDescription: netboot-IntelliMirror-OSes
attributeId: 1.2.840.113556.1.4.857
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fjA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=FRS-Control-Outbound-Backlog,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSControlOutboundBacklog
adminDisplayName: FRS-Control-Outbound-Backlog
adminDescription: FRS-Control-Outbound-Backlog
attributeId: 1.2.840.113556.1.4.873
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32
schemaIdGuid:: fCUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Current-Client-Count,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootCurrentClientCount
adminDisplayName: netboot-Current-Client-Count
adminDescription: netboot-Current-Client-Count
attributeId: 1.2.840.113556.1.4.852
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eTA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=IPSEC-Negotiation-Policy-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: iPSECNegotiationPolicyType
adminDisplayName: IPSEC-Negotiation-Policy-Type
adminDescription: IPSEC-Negotiation-Policy-Type
attributeId: 1.2.840.113556.1.4.887
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=ms-RRAS-Vendor-Attribute-Entry,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRRASVendorAttributeEntry
adminDisplayName: ms-RRAS-Vendor-Attribute-Entry
adminDescription: ms-RRAS-Vendor-Attribute-Entry
attributeId: 1.2.840.113556.1.4.883
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rJib842T0RGuvQAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Locally-Installed-OSes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootLocallyInstalledOSes
adminDisplayName: netboot-Locally-Installed-OSes
adminDescription: netboot-Locally-Installed-OSes
attributeId: 1.2.840.113556.1.4.859
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=IPSEC-Negotiation-Policy-Action,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: iPSECNegotiationPolicyAction
adminDisplayName: IPSEC-Negotiation-Policy-Action
adminDescription: IPSEC-Negotiation-Policy-Action
attributeId: 1.2.840.113556.1.4.888
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dTA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-New-Machine-Naming-Policy,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootNewMachineNamingPolicy
adminDisplayName: netboot-New-Machine-Naming-Policy
adminDescription: netboot-New-Machine-Naming-Policy
attributeId: 1.2.840.113556.1.4.855
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fDA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=netboot-Answer-Only-Valid-Clients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: netbootAnswerOnlyValidClients
adminDisplayName: netboot-Answer-Only-Valid-Clients
adminDescription: netboot-Answer-Only-Valid-Clients
attributeId: 1.2.840.113556.1.4.854
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ezA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
dn: CN=UPN-Suffixes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: uPNSuffixes
adminDescription: UPN-Suffixes
adminDisplayName: UPN-Suffixes
attributeID: 1.2.840.113556.1.4.890
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
schemaIDGUID:: v2AhAySY0RGuwAAA+ANnwQ==
searchFlags: 0
systemOnly: FALSE
hideFromAB: TRUE
dn: CN=Additional-Trusted-Service-Names,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: additionalTrustedServiceNames
adminDescription: Additional-Trusted-Service-Names
adminDisplayName: Additional-Trusted-Service-Names
attributeID: 1.2.840.113556.1.4.889
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
schemaIDGUID:: vmAhAySY0RGuwAAA+ANnwQ==
searchFlags: 0
systemOnly: FALSE
hideFromAB: TRUE
dn: CN=NTFRS-Replica-Set,CN=schema,CN=configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.30
-
dn: CN=Replica-Set-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=FRS-Replica-Set-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fRSReplicaSetType
adminDisplayName: FRS-Replica-Set-Type
adminDescription: FRS-Replica-Set-Type
attributeId: 1.2.840.113556.1.4.31
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: a3PZJnBg0RGpxgAA+ANnwQ==
hideFromAB: TRUE
# End of change
dn: CN=Replication-DS-Poll,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-DS-Poll
deleteoldrdn: 1
dn: CN=FRS-DS-Poll,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSDSPoll
-
replace: adminDisplayName
adminDisplayName: FRS-DS-Poll
-
replace: adminDescription
adminDescription: FRS-DS-Poll
-
dn: CN=Com-Unique-Cat-Id,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: Category-Id
deleteoldrdn: 1
dn: CN=Category-Id,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: categoryId
-
replace: adminDisplayName
adminDisplayName: Category-Id
-
replace: adminDescription
adminDescription: Category-Id
-
dn: CN=Replication-Root-Path,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Root-Path
deleteoldrdn: 1
dn: CN=FRS-Root-Path,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSRootPath
-
replace: adminDisplayName
adminDisplayName: FRS-Root-Path
-
replace: adminDescription
adminDescription: FRS-Root-Path
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Replication-File-Filter,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-File-Filter
deleteoldrdn: 1
dn: CN=FRS-File-Filter,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSFileFilter
-
replace: adminDisplayName
adminDisplayName: FRS-File-Filter
-
replace: adminDescription
adminDescription: FRS-File-Filter
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Replication-Level-Limit,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Level-Limit
deleteoldrdn: 1
dn: CN=FRS-Level-Limit,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSLevelLimit
-
replace: adminDisplayName
adminDisplayName: FRS-Level-Limit
-
replace: adminDescription
adminDescription: FRS-Level-Limit
-
dn: CN=Replication-Extensions,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Extensions
deleteoldrdn: 1
dn: CN=FRS-Extensions,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSExtensions
-
replace: adminDisplayName
adminDisplayName: FRS-Extensions
-
replace: adminDescription
adminDescription: FRS-Extensions
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 65536
-
dn: CN=Replication-Staging-Path,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Staging-Path
deleteoldrdn: 1
dn: CN=FRS-Staging-Path,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSStagingPath
-
replace: adminDisplayName
adminDisplayName: FRS-Staging-Path
-
replace: adminDescription
adminDescription: FRS-Staging-Path
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Code-Package,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: Msi-Script-Path
deleteoldrdn: 1
dn: CN=Msi-Script-Path,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: msiScriptPath
-
replace: adminDisplayName
adminDisplayName: Msi-Script-Path
-
replace: adminDescription
adminDescription: Msi-Script-Path
-
dn: CN=Replication-DB-Path,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Working-Path
deleteoldrdn: 1
dn: CN=FRS-Working-Path,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSWorkingPath
-
replace: adminDisplayName
adminDisplayName: FRS-Working-Path
-
replace: adminDescription
adminDescription: FRS-Working-Path
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Replica-Version-GUID,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Version-GUID
deleteoldrdn: 1
dn: CN=FRS-Version-GUID,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSVersionGuid
-
replace: adminDisplayName
adminDisplayName: FRS-Version-GUID
-
replace: adminDescription
adminDescription: FRS-Version-GUID
-
add: rangeLower
rangeLower: 16
-
add: rangeUpper
rangeUpper: 16
-
dn: CN=Replication-Root-Security,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Root-Security
deleteoldrdn: 1
dn: CN=FRS-Root-Security,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSRootSecurity
-
replace: adminDisplayName
adminDisplayName: FRS-Root-Security
-
replace: adminDescription
adminDescription: FRS-Root-Security
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 65535
-
dn: CN=Replication-Update-Timeout,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Update-Timeout
deleteoldrdn: 1
dn: CN=FRS-Update-Timeout,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSUpdateTimeout
-
replace: adminDisplayName
adminDisplayName: FRS-Update-Timeout
-
replace: adminDescription
adminDescription: FRS-Update-Timeout
-
dn: CN=Replication-Service-Command,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Service-Command
deleteoldrdn: 1
dn: CN=FRS-Service-Command,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSServiceCommand
-
replace: adminDisplayName
adminDisplayName: FRS-Service-Command
-
replace: adminDescription
adminDescription: FRS-Service-Command
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 512
-
dn: CN=Replica-Set-GUID,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Replica-Set-GUID
deleteoldrdn: 1
dn: CN=FRS-Replica-Set-GUID,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSReplicaSetGuid
-
replace: adminDisplayName
adminDisplayName: FRS-Replica-Set-GUID
-
replace: adminDescription
adminDescription: FRS-Replica-Set-GUID
-
dn: CN=Replication-Status,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Fault-Condition
deleteoldrdn: 1
dn: CN=FRS-Fault-Condition,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSFaultCondition
-
replace: adminDisplayName
adminDisplayName: FRS-Fault-Condition
-
replace: adminDescription
adminDescription: FRS-Fault-Condition
-
add: rangeLower
rangeLower: 1
-
add: rangeUpper
rangeUpper: 16
-
dn: CN=Replication-Directory-Filter,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: FRS-Directory-Filter
deleteoldrdn: 1
dn: CN=FRS-Directory-Filter,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: fRSDirectoryFilter
-
replace: adminDisplayName
adminDisplayName: FRS-Directory-Filter
-
replace: adminDescription
adminDescription: FRS-Directory-Filter
-
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 2048
-
dn: CN=Created-Entry,CN=schema,CN=configuration,DC=X
changetype: modrdn
newrdn: rpc-Ns-Entry-Flags
deleteoldrdn: 1
dn: CN=rpc-Ns-Entry-Flags,CN=schema,CN=configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: rpcNsEntryFlags
-
replace: adminDisplayName
adminDisplayName: rpc-Ns-Entry-Flags
-
replace: adminDescription
adminDescription: rpc-Ns-Entry-Flags
-
# Class Adds
dn: CN=NTFRS-Member,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: nTFRSMember
adminDisplayName: NTFRS-Member
adminDescription: NTFRS-Member
governsId: 1.2.840.113556.1.5.153
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.515
systemMayContain: 1.2.840.113556.1.4.485
systemMayContain: 1.2.840.113556.1.4.500
systemMayContain: 1.2.840.113556.1.4.535
systemMayContain: 1.2.840.113556.1.4.877
systemMayContain: 1.2.840.113556.1.4.874
systemMayContain: 1.2.840.113556.1.4.536
systemMayContain: 1.2.840.113556.1.4.873
systemMayContain: 1.2.840.113556.1.4.872
systemMayContain: 1.2.840.113556.1.4.871
systemMayContain: 1.2.840.113556.1.4.869
systemPossSuperiors: 1.2.840.113556.1.5.102
schemaIdGuid:: hiUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NTFRS-Member,CN=Schema,CN=Configuration,DC=X
dn: CN=Site-Link-Bridge,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: siteLinkBridge
adminDisplayName: Site-Link-Bridge
adminDescription: Site-Link-Bridge
governsId: 1.2.840.113556.1.5.148
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.822
systemPossSuperiors: 1.2.840.113556.1.5.141
schemaIdGuid:: 3ywM1VGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Site-Link-Bridge,CN=Schema,CN=Configuration,DC=X
dn: CN=RRAS-Administration-Connection-Point,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: rRASAdministrationConnectionPoint
adminDisplayName: RRAS-Administration-Connection-Point
adminDescription: RRAS-Administration-Connection-Point
governsId: 1.2.840.113556.1.5.150
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.94
systemMayContain: 1.2.840.113556.1.4.884
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: vsU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=RRAS-Administration-Connection-Point,CN=Schema,CN=Configuration,DC=X
dn: CN=NTFRS-Subscriptions,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: nTFRSSubscriptions
adminDescription: NTFRS-Subscriptions
adminDisplayName: NTFRS-Subscriptions
governsID: 1.2.840.113556.1.5.154
objectClassCategory: 1
rDNAttID: 2.5.4.3
subClassOf: 2.5.6.0
schemaIDGUID:: hyUTKnOT0RGuvAAA+ANnwQ==
systemMayContain: 1.2.840.113556.1.4.486
systemMayContain: 1.2.840.113556.1.4.882
systemMayContain: 1.2.840.113556.1.4.536
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.5.154
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NTFRS-Subscriptions,CN=Schema,CN=Configuration,DC=X
dn: CN=Remote-Storage-Service-Point,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: remoteStorageServicePoint
adminDisplayName: Remote-Storage-Service-Point
adminDescription: Remote-Storage-Service-Point
governsId: 1.2.840.113556.1.5.146
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.94
systemMayContain: 1.2.840.113556.1.4.809
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: vcU5KmCJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Remote-Storage-Service-Point,CN=Schema,CN=Configuration,DC=X
dn: CN=Intellimirror-Group,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: intellimirrorGroup
adminDescription: Intellimirror-Group
adminDisplayName: Intellimirror-Group
governsID: 1.2.840.113556.1.5.152
objectClassCategory: 1
rDNAttID: 2.5.4.3
schemaIDGUID:: hjA4B9+R0RGuvAAA+ANnwQ==
subClassOf: 2.5.6.0
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Intellimirror-Group,CN=Schema,CN=Configuration,DC=X
dn: CN=Site-Link,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: siteLink
adminDisplayName: Site-Link
adminDescription: Site-Link
governsId: 1.2.840.113556.1.5.147
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.821
systemMayContain: 1.2.840.113556.1.4.211
systemMayContain: 1.2.840.113556.1.2.135
systemPossSuperiors: 1.2.840.113556.1.5.141
schemaIdGuid:: 3iwM1VGJ0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Site-Link,CN=Schema,CN=Configuration,DC=X
dn: CN=Intellimirror-SCP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: intellimirrorSCP
adminDisplayName: Intellimirror-SCP
adminDescription: Intellimirror-SCP
governsId: 1.2.840.113556.1.5.151
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.94
systemMayContain: 1.2.840.113556.1.4.858
systemMayContain: 1.2.840.113556.1.4.860
systemMayContain: 1.2.840.113556.1.4.856
systemMayContain: 1.2.840.113556.1.4.855
systemMayContain: 1.2.840.113556.1.4.851
systemMayContain: 1.2.840.113556.1.4.361
systemMayContain: 1.2.840.113556.1.4.859
systemMayContain: 1.2.840.113556.1.4.850
systemMayContain: 1.2.840.113556.1.4.857
systemMayContain: 1.2.840.113556.1.4.358
systemMayContain: 1.2.840.113556.1.4.359
systemMayContain: 1.2.840.113556.1.4.852
systemMayContain: 1.2.840.113556.1.4.853
systemMayContain: 1.2.840.113556.1.4.854
systemMayContain: 1.2.840.113556.1.4.849
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.5.152
schemaIdGuid:: hTA4B9+R0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Intellimirror-SCP,CN=Schema,CN=Configuration,DC=X
dn: CN=NTFRS-Subscriber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: nTFRSSubscriber
adminDisplayName: NTFRS-Subscriber
adminDescription: NTFRS-Subscriber
governsId: 1.2.840.113556.1.5.155
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.488
systemMustContain: 1.2.840.113556.1.4.487
systemMayContain: 1.2.840.113556.1.4.211
systemMayContain: 1.2.840.113556.1.4.485
systemMayContain: 1.2.840.113556.1.4.881
systemMayContain: 1.2.840.113556.1.4.880
systemMayContain: 1.2.840.113556.1.4.879
systemMayContain: 1.2.840.113556.1.4.500
systemMayContain: 1.2.840.113556.1.4.875
systemMayContain: 1.2.840.113556.1.4.874
systemMayContain: 1.2.840.113556.1.4.491
systemMayContain: 1.2.840.113556.1.4.536
systemPossSuperiors: 1.2.840.113556.1.5.154
schemaIdGuid:: iCUTKnOT0RGuvAAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NTFRS-Subscriber,CN=Schema,CN=Configuration,DC=X
dn: CN=RRAS-Administration-Dictionary,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: rRASAdministrationDictionary
adminDisplayName: RRAS-Administration-Dictionary
adminDescription: RRAS-Administration-Dictionary
governsId: 1.2.840.113556.1.5.156
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.883
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: rpib842T0RGuvQAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=RRAS-Administration-Dictionary,CN=Schema,CN=Configuration,DC=X
dn: CN=Object-Class,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 0
-
dn: CN=Surname,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=State-Or-Province-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Title,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Postal-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Postal-Code,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Office-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Post-Office-Box,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Physical-Delivery-Office-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Home-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Telephone-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Telex-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Teletex-Terminal-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Facsimile-Telephone-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=X121-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=International-ISDN-Number,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Registered-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Preferred-Delivery-Method,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Picture,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Mobile-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Pager-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Initials,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Password,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Recorded-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Greetings,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Flags,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Volume,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Speed,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Voice-Mail-Recording-Length,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Forwarding-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Personal-Title,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Address-Home,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Pager-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Fax-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Mobile-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Telex-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-ISDN-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Assistant,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=User-Principal-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 2
-
dn: CN=Categories,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: rangeLower
rangeLower: 36
-
add: rangeUpper
rangeUpper: 36
-
dn: CN=Creator,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 0
-
dn: CN=Phone-Ip-Primary,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Phone-Ip-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=WWW-Page-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: s5VX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Group-Type,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-
add: systemFlags
systemFlags: 2
-
dn: CN=User-Shared-Folder,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=User-Shared-Folder-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Service-Principal-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 2
-
dn: CN=Phone-Home-Other,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=AutoReply,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=AutoReply-Message,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Package-Flags,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-
dn: CN=AutoReply-Subject,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=WWW-Home-Page,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: s5VX5FWU0RGuvQAA+ANnwQ==
-
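The records above carry the three fields in a schema update that change who can read or write an attribute: attributeSecurityGuid (a base64, Windows-byte-order GUID naming the property set whose object ACEs now cover the attribute, so Voice-Mail-Password joins "Phone and Mail Options" while Phone-Mobile-Primary joins "Personal Information"), systemFlags (bit 0x2 puts userPrincipalName, servicePrincipalName and groupType in the global-catalog partial attribute set) and searchFlags (bit 0x1 indexes the attribute; bit 0x80, not used here, would make reads require CONTROL_ACCESS). The Python below is an added example, not part of the original .ldf or of any Microsoft tool: it parses records in the shape shown on this page, decodes the GUIDs with uuid.UUID(bytes_le=...), and maps them to the property-set and flag names Microsoft documents. SAMPLE_LDIF is a constructed excerpt of the records above; the PROPERTY_SETS table holds only the four sets needed here and reports anything else as unknown.

```python
import base64
import uuid

# Well-known property-set GUIDs (rightsGuid values under CN=Extended-Rights),
# as documented by Microsoft; only the sets relevant to this page are listed.
# attributeSecurityGuid puts an attribute in a set, so object ACEs carrying
# that GUID govern read/write of the attribute.
PROPERTY_SETS = {
    "77b5b886-944a-11d1-aebd-0000f80367c1": "Personal Information",
    "e45795b2-9455-11d1-aebd-0000f80367c1": "Phone and Mail Options",
    "e45795b3-9455-11d1-aebd-0000f80367c1": "Web Information",
    "e48d0154-bcf8-11d1-8702-00c04fb96050": "Public Information",
}
# systemFlags bits on attributeSchema objects; 0x2 = in the GC partial set.
ATTR_SYSTEM_FLAGS = {0x1: "FLAG_ATTR_NOT_REPLICATED", 0x2: "FLAG_ATTR_REQ_PARTIAL_SET",
                     0x4: "FLAG_ATTR_IS_CONSTRUCTED", 0x10: "FLAG_SCHEMA_BASE_OBJECT"}
# searchFlags bits; 0x80 makes reads need CONTROL_ACCESS instead of READ_PROPERTY.
SEARCH_FLAGS = {0x1: "fATTINDEX", 0x2: "fPDNTATTINDEX", 0x4: "fANR",
                0x8: "fPRESERVEONDELETE", 0x80: "fCONFIDENTIAL"}


def decode_guid(b64):
    """LDIF base64 value -> GUID string.  AD stores GUIDs in Windows
    mixed-endian byte order, which uuid.UUID(bytes_le=...) expects."""
    raw = base64.b64decode(b64)
    if len(raw) != 16:
        raise ValueError("expected 16 GUID bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def property_set_name(b64):
    guid = decode_guid(b64)
    return PROPERTY_SETS.get(guid, "unknown property set " + guid)


def decode_flags(value, table):
    """Names of the bits set in value (bits the table lacks are kept as hex)."""
    value = int(value)
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + (["0x%x" % rest] if rest else [])


def parse_ldif(text):
    """Minimal parser for the page's records: 'dn:' opens a record, add:/replace:/
    delete: opens a change, '-' closes it, 'attr:: v' is base64, blank lines optional."""
    records, rec, change = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        name, _, value = line.partition(":")
        if name == "dn":
            rec = {"dn": value.strip(), "changetype": None, "changes": []}
            records.append(rec)
            change = None
        elif line == "-":
            change = None
        elif name == "changetype":
            rec["changetype"] = value.strip()
        elif name in ("add", "replace", "delete"):
            change = {"op": name, "attr": value.strip(), "values": []}
            rec["changes"].append(change)
        elif change is not None:
            is_b64 = value.startswith(":")  # 'attr:: base64' vs 'attr: text'
            change["values"].append(("b64" if is_b64 else "str",
                                     (value[1:] if is_b64 else value).strip()))
    return records


def explain(text):
    """(cn, op, attr, meaning) per change, with GUIDs and flag bits decoded."""
    rows = []
    for rec in parse_ldif(text):
        cn = rec["dn"].split(",", 1)[0][3:]  # 'CN=Foo,...' -> 'Foo'
        if rec["changetype"] == "delete":
            rows.append((cn, "delete", None, "schema object removed"))
        for ch in rec["changes"]:
            for kind, v in ch["values"]:
                if ch["attr"] == "attributeSecurityGuid" and kind == "b64":
                    meaning = "property set: " + property_set_name(v)
                elif ch["attr"] in ("systemFlags", "searchFlags"):
                    table = ATTR_SYSTEM_FLAGS if ch["attr"] == "systemFlags" else SEARCH_FLAGS
                    meaning = ch["attr"] + ": " + (",".join(decode_flags(v, table)) or "none")
                else:
                    meaning = "%s = %s" % (ch["attr"], v)
                rows.append((cn, ch["op"], ch["attr"], meaning))
    return rows


# Constructed excerpt of the records on this page, used as sample input.
SAMPLE_LDIF = """\
dn: CN=Voice-Mail-Flags,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: spVX5FWU0RGuvQAA+ANnwQ==
-
dn: CN=Group-Type,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-
add: systemFlags
systemFlags: 2
-
dn: CN=RAS-Password,CN=Schema,CN=Configuration,DC=X
changetype: delete
"""
```

Running explain(SAMPLE_LDIF) yields one row per change, e.g. Voice-Mail-Flags -> "property set: Phone and Mail Options" and Group-Type -> "searchFlags: fATTINDEX" then "systemFlags: FLAG_ATTR_REQ_PARTIAL_SET". The parser deliberately accepts the page's layout (no blank line between records) and stops short of full LDIF (no line folding, no URL values), which is enough to audit a schema .ldf before it is applied with ldifde.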
dn: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.890
-
dn: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.889
-
dn: CN=Inter-Site-Transport,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.789
-
add: systemMustContain
systemMustContain: 1.2.840.113556.1.4.789
-
dn: CN=Group-Of-Names,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: objectClassCategory
objectClassCategory: 2
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.820
systemMayContain: 1.2.840.113556.1.4.864
systemMayContain: 1.2.840.113556.1.4.868
systemMayContain: 1.2.840.113556.1.4.870
systemMayContain: 1.2.840.113556.1.4.876
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.290
systemMayContain: 1.2.840.113556.1.2.291
systemMayContain: 1.2.840.113556.1.2.292
systemMayContain: 1.2.840.113556.1.2.293
systemMayContain: 1.2.840.113556.1.2.339
systemMayContain: 1.2.840.113556.1.2.340
systemMayContain: 1.2.840.113556.1.2.341
systemMayContain: 1.2.840.113556.1.2.342
systemMayContain: 1.2.840.113556.1.2.469
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.865
systemMayContain: 1.2.840.113556.1.4.866
-
dn: CN=Domain,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultObjectCategory
defaultObjectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=X
-
dn: CN=Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.867
-
dn: CN=ACS-Policy,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.765
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.885
systemMayContain: 1.2.840.113556.1.4.771
-
dn: CN=ACS-Subnet,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Class-Registration,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.252
-
dn: CN=Inter-Site-Transport-Container,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.107
-
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.142
-
dn: CN=Inter-Site-Transport,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.790
-
dn: CN=Certification-Authority,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.619
systemMayContain: 1.2.840.113556.1.4.823
systemMayContain: 1.2.840.113556.1.4.824
systemMayContain: 1.2.840.113556.1.4.825
-
dn: CN=Server,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.619
systemMayContain: 1.2.840.113556.1.4.786
systemMayContain: 1.2.840.113556.1.4.819
-
dn: CN=Print-Queue,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.631
-
dn: CN=Remote-Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.619
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.360
systemMayContain: 1.2.840.113556.1.4.486
-
dn: CN=Storage,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Class-Store,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.848
-
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.18
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.47
systemMayContain: 1.2.840.113556.1.2.129
systemMayContain: 1.2.840.113556.1.2.144
systemMayContain: 1.2.840.113556.1.2.221
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.786
systemMayContain: 0.9.2342.19200300.100.1.3
-
dn: CN=Package-Registration,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.20
systemMayContain: 1.2.840.113556.1.4.813
systemMayContain: 1.2.840.113556.1.4.814
systemMayContain: 1.2.840.113556.1.4.815
systemMayContain: 1.2.840.113556.1.4.816
systemMayContain: 1.2.840.113556.1.4.818
systemMayContain: 1.2.840.113556.1.4.845
systemMayContain: 1.2.840.113556.1.4.846
systemMayContain: 1.2.840.113556.1.4.847
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.17
-
dn: CN=NTDS-Site-Settings,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.607
-
dn: CN=NTDS-Connection,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.791
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.785
-
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.153
-
dn: CN=Category-Registration,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.817
-
dn: CN=Display-Specifier,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.806
systemMayContain: 1.2.840.113556.1.4.810
systemMayContain: 1.2.840.113556.1.4.812
-
dn: CN=NTFRS-Settings,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.653
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.459
systemMayContain: 1.2.840.113556.1.4.211
systemMayContain: 1.2.840.113556.1.4.486
systemMayContain: 1.2.840.113556.1.4.487
systemMayContain: 1.2.840.113556.1.4.488
systemMayContain: 1.2.840.113556.1.4.489
systemMayContain: 1.2.840.113556.1.4.490
systemMayContain: 1.2.840.113556.1.4.491
systemMayContain: 1.2.840.113556.1.4.500
systemMayContain: 1.2.840.113556.1.4.535
systemMayContain: 1.2.840.113556.1.4.564
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.43
-
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
-
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.17
-
dn: CN=NTFRS-Replica-Set,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.43
systemMayContain: 1.2.840.113556.1.4.31
systemMayContain: 1.2.840.113556.1.4.653
systemMayContain: 1.2.840.113556.1.4.874
systemMayContain: 1.2.840.113556.1.4.877
systemMayContain: 1.2.840.113556.1.4.878
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.459
systemMayContain: 1.2.840.113556.1.4.485
systemMayContain: 1.2.840.113556.1.4.486
systemMayContain: 1.2.840.113556.1.4.487
systemMayContain: 1.2.840.113556.1.4.488
systemMayContain: 1.2.840.113556.1.4.489
systemMayContain: 1.2.840.113556.1.4.491
systemMayContain: 1.2.840.113556.1.4.564
-
dn: CN=Query-Policy,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.844
systemMayContain: 1.2.840.113556.1.4.843
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.604
systemMustContain: 1.2.840.113556.1.4.603
systemMustContain: 1.2.840.113556.1.4.602
systemMustContain: 1.2.840.113556.1.4.599
systemMustContain: 1.2.840.113556.1.4.601
systemMustContain: 1.2.840.113556.1.4.600
-
dn: CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.887
systemMayContain: 1.2.840.113556.1.4.888
-
dn: CN=Address-Book-Container,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.886
-
add: systemMustContain
systemMustContain: 1.2.840.113556.1.2.13
-
dn: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.658
-
dn: CN=RAS-X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Information-Store-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Link-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=LocalGroup,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Exchange-Admin-Service,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Eicon-X25-X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-POP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DX-Requestor,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-LDAP-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-LDAP-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-Interface,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Mailbox-Agent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Eicon-X25-Stack,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Directory-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=NNTP-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Stack,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Connector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encryption-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=View-Container,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Site-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Application-Registration,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-IMAP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Server-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Addressing,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Admin-Extension,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-HTTP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Public-Store,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Add-In,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transport-Stack,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-NNTP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-LDAP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Message-Store,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-Shared-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MTA-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MHS-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Mail-Gateway,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Distribution-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-Shared-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Local-DXA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=NTFRS-Site-Settings,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MTA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Addr-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=View-Root,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-DXA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Protocol-Cfg-Shared,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=ADMD,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=PRMD,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Run-As,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Req-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=To-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Runs-On,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Enabled,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-App-Id,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=App-Flags,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Form-Data,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=INSAdmin,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=N-Address,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Send-TNEF,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Line-Wrap,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Auth-Orig,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=From-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Types,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-DN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=View-Flags,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Imp-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Req-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=P-Selector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Rid-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=S-Selector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=T-Selector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Pub-PF,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=OWA-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Svr-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Domain-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-ReqName,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Conf-Seq,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Auth-Orig-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-PS-CLSID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Netboot-NIC,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Pub-GAL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Account,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-Site,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Port-Number,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Require-SSL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Target-MTAs,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Trust-Level,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Create-PF,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Log-Filename,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Contact-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Host,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Password,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Password,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Content-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Routing-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Servers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-Package-Id,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MTA-Local-Cred,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-1,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-2,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-3,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-4,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Character-Set,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Delegate-User,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Member-Rule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Admin-Copy,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Do-OAB-Version,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-Unique-IID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Computer-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Newsfeed-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitor-Clock,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=N-Address-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Sites,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Referral-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Imp-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Employee-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Req-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Role-Occupant,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Affinity,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Unauth-Orig-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Import-Now,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=USN-Intersite,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outbound-Host,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Export-Now,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Svr-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=LDAP-Search-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Create-PF-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Create-PF-DL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Local-Admin,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MTA-Local-Desig,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Imp-Seq-Time,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Req-Seq-Time,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Conf-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Svr-Seq-Time,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Property-Pages,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outbound-Sites,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Use-Site-Values,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Newsgroup-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Report-To-Owner,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RTS-Window-Size,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Unauth-Orig,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Admin-Update,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Domain-Replicas,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Not-Create-PF,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Append-ReqCN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Recipient-CP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MDB-Unread-Limit,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Off-Line-AB-Style,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Conf-Req-Time,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Preserve-DNs,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Employee-Number,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Connection-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Phone-Number,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authorized-User,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Folder-GUID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Proxy-Space,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=SMIME-Alg-List-NA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Local-Bridge-Head,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitor-Servers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=View-Definition,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Trans-Retry-Mins,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Create-PF-DL-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Logging-Level,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Off-Line-AB-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Maximum-Object-ID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Remote-Client,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Pub-GAL-Limit,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Anonymous-Access,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Import-Container,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitor-Services,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Supporting-Stack,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Control-Msg-Rules,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-Bridge-Head,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Send-EMail-Message,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Accept-All,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Not-Create-PF-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Not-Create-PF-DL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Connected-Domains,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Gateway-Local-Cred,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Clock-Alert-Repair,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Clock-Alert-Offset,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-In-Template-Map,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Folders-Container,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Mem-Reject-Perms,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Character-Set-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Expand-DLs-Locally,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authorized-Domain,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Local-Initial-Turn,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Home-Public-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt-Alg-List-NA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Incoming-Password,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Mem-Submit-Perms,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outbound-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=P-Selector-Inbound,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Anonymous-Account,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Num-Of-Open-Retries,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Export-Containers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitored-Servers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Replica-Set-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Realm-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Aliased-Object-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Site-Folder-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=S-Selector-Inbound,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outbound-Host-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Off-Line-AB-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Trans-Timeout-Mins,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=T-Selector-Inbound,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Callback-Number,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Leased-Line-Port,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Remote-MTA-Phone,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X400-Attachment-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Bridgehead-Servers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Gateway-Local-Desig,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=GWART-Last-Modified,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X400-Selector-Syntax,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Admin-Extension-DLL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=List-Public-Folders,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Lockout-Disconnect,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Display-Name-Suffix,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Certificate-Chain-V3,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Out-Template-Map,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=SMIME-Alg-List-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Space-Last-Computed,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Over-Site-Connector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Remote-SRVR-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RTS-Checkpoint-Size,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Proxy-Generator-DLL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-Out-BH-Server,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Open-Retry-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=XMIT-Timeout-Normal,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=NNTP-Distributions,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=XMIT-Timeout-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MDB-Backoff-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Import-Sensitivity,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=SMIME-Alg-Selected-NA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Can-Not-Create-PF-DL-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Enabled-Protocol-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Mem-Reject-Perms-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Clock-Warning-Repair,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Replication-Stagger,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Clock-Warning-Offset,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Leased-or-Switched,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Exchange-Options,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Control-Msg-Folder-ID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Action-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Action-First,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DL-Mem-Submit-Perms-BL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Temp-Assoc-Threshold,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Template-Options,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Gateway-Routing-Tree,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authorized-Password,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-Value-DN,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Return-Exact-Msg-Size,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Client-Access-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Report-To-Originator,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RTS-Recovery-Timeout,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Off-Line-AB-Containers,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Enable-Compatibility,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Association-Lifetime,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Action-Second,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Cross-Certificate-CRL,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Responsible-Local-DXA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encapsulation-Method,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Inbound-Newsfeed-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=MDB-Msg-Time-Out-Period,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Restart-Delay,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authentication-To-Use,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=HTTP-Pub-AB-Attributes,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt-Alg-List-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Group-By-Attr-Value-Str,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Hide-DL-Membership,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Filter-Local-Addresses,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt-Alg-Selected-NA,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Default-Message-Format,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Conf-Container-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Translation-Table-Used,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Disabled-Gateway-Proxy,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Native-Address-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Template-TimeStamp,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Alert-Delay,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Replication-Boot-State,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Connection-List-Filter,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Assoc-Protocol-Cfg-NNTP,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Recipients,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Remote-Entries,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Num-Of-Transfer-Retries,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=CA-Exchange-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Outgoing-Msg-Size-Limit,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Alert-Units,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=OOF-Reply-To-Originator,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Disable-Deferred-Commit,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Turn-Request-Threshold,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=XMIT-Timeout-Non-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=SMIME-Alg-Selected-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Service-Restart-Message,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=COM-Auto-Convert-Class-Id,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=RAS-Phonebook-Entry-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=NNTP-Distributions-Flag,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Local-Bridge-Head-Address,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transfer-Timeout-Normal,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transfer-Retry-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transfer-Timeout-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Message-Tracking-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=CA-Signature-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Bidirectional-Connector,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Call-User-Data-Incoming,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Available-Distributions,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Replication-Mail-Msg-Size,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Call-User-Data-Outgoing,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transport-Expedited-Data,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-UnConf-Container-List,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Exchange-Options,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Warning-Delay,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Session-Disconnect-Timer,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Template-Options,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Quota-Notification-Style,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Root-Newsgroups-Folder-ID,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Warning-Units,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Remote-Bridge-Head-Address,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Export-Custom-Recipients,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Support-SMIME-Signatures,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Encrypt-Alg-Selected-Other,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Container-Administrators,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Recipients-NDR,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Two-Way-Alternate-Facility,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Preserve-Internet-Content,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Export-Native-Only,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Facilities-Data-Incoming,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=X25-Facilities-Data-Outgoing,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Default-Intra-Site-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Default-Inter-Site-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Connection-List-Filter-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Transfer-Timeout-Non-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Quota-Notification-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=CA-Exchange-Certificate-Chain,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Authorized-Password-Confirm,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Normal-Poll-Units,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=CA-Signature-Certificate-Chain,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Certificate-Revocation-List-V1,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Certificate-Revocation-List-V3,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Hotsite-Poll-Units,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Enabled-Authorization-Packages,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-In-Exchange-Sensitivity,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Normal-Poll-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Escalation-Procedure,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=DXA-Prev-Replication-Sensitivity,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Monitoring-Hotsite-Poll-Interval,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Available-Authorization-Packages,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
# Extended rights
dn: CN=Open-Address-Book,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: 3e74f60f-3e73-11d1-a9c0-0000f80367c1
displayName: Open Address Book
rightsGuid: a1990816-4298-11d1-ade2-00c04fd8d5cd
dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
displayName: Modify Personal Information
rightsGuid: 77B5B886-944A-11d1-AEBD-0000F80367C1
dn: CN=Email-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
displayName: Modify Email Information
rightsGuid: E45795B2-9455-11d1-AEBD-0000F80367C1
dn: CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
displayName: Modify Web Information
rightsGuid: E45795B3-9455-11d1-AEBD-0000F80367C1
# Display-Specifiers
dn: CN=localGroup-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: delete
dn: CN=nTFRSSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{9da6fd68-c63b-11d0-b94d-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextmenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
classDisplayName: NTFRS Settings
dn: CN=nTFRSReplicaSet-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{9da6fd69-c63b-11d0-b94d-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
classDisplayName: NTFRS Replica Set
dn: CN=mSFTFRS-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{9da6fd6a-c63b-11d0-b94d-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
classDisplayName: Microsoft FRS
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: treatAsLeaf
treatAsLeaf: TRUE
-
delete: adminPropertyPages
adminPropertyPages: 5,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 6,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
add: adminPropertyPages
adminPropertyPages: 5,{FD57D295-4FD9-11D1-854E-00C04FC31FD3}
adminPropertyPages: 6,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 7,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
delete: attributeDisplayNames
attributeDisplayNames: comment,Comment
attributeDisplayNames: company,Company
attributeDisplayNames: distinguishedName,X500 DN
attributeDisplayNames: facsimileTelephoneNumber, Facsimile Telephone Numbers
attributeDisplayNames: generationQualifier, Generation Qualifier
attributeDisplayNames: internationalISDNNumber, International ISDN Number
attributeDisplayNames: mobile,Cellular Phone Number
attributeDisplayNames: personalTitle,Personal Title
attributeDisplayNames: physicalDeliveryOfficeName,Delivery Office
attributeDisplayNames: postalCode,ZIP Code
attributeDisplayNames: primaryGroupID,Primary Group SID
attributeDisplayNames: streetAddress,Address
attributeDisplayNames: telephoneNumber,Telephone Number
attributeDisplayNames: title,Title
attributeDisplayNames: url,Web Page Address
attributeDisplayNames: userAccountControl,User Account Control Flags
-
add: attributeDisplayNames
attributeDisplayNames: assistant,Assistant
attributeDisplayNames: comment,User Account Comment
attributeDisplayNames: co,Company
attributeDisplayNames: distinguishedName,X500 Distinguished Name
attributeDisplayNames: facsimileTelephoneNumber,Facsimile Telephone Number
attributeDisplayNames: generationQualifier,Name Suffix
attributeDisplayNames: internationalISDNNumber, International ISDN Number (Others)
attributeDisplayNames: ipPhone,IP Phone Number
attributeDisplayNames: mobile,Primary Mobile Phone Number
attributeDisplayNames: otherFacsimileTelephoneNumber,Facsimile Telephone Number (Others)
attributeDisplayNames: otherHomePhone,Home Phone (Others)
attributeDisplayNames: otherIpPhone,IP Phone Number (Others)
attributeDisplayNames: otherMailbox,E-Mail Address (Others)
attributeDisplayNames: otherMobile,Mobile Phone Number (Others)
attributeDisplayNames: otherPager,Pager Number (Others)
attributeDisplayNames: otherTelephone,Office Telephone Number (Others)
attributeDisplayNames: personalTitle,Title
attributeDisplayNames: physicalDeliveryOfficeName,Office Location
attributeDisplayNames: postalCode,ZIP/Postal Code
attributeDisplayNames: primaryInternationalISDNNumber,International ISDN Number
attributeDisplayNames: primaryTelexNumber,Telex Number
attributeDisplayNames: streetAddress,Other Address
attributeDisplayNames: telephoneNumber,Primary Phone
attributeDisplayNames: telexNumber,Telex Number (Others)
attributeDisplayNames: url,Web Page Address (Others)
attributeDisplayNames: userPrincipalName,Logon Name
attributeDisplayNames: wWWHomePage,Web Page Address
-
dn: CN=group-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: attributeDisplayNames
attributeDisplayNames: desctription,Description
attributeDisplayNames: contactName,Contact Name
attributeDisplayNames: distinguishedName,X500 DN
attributeDisplayNames: groupAttributes,Group Attribute Flags
-
add: attributeDisplayNames
attributeDisplayNames: description,Description
attributeDisplayNames: distinguishedName,X500 Distinguished Name
attributeDisplayNames: managedBy,Managed By
-
dn: CN=domainDNS-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: classDisplayName
classDisplayName: Domain (DNS)
-
add: classDisplayName
classDisplayName: Domain
-
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: assistant,Assistant
attributeDisplayNames: cn,Name
attributeDisplayNames: comment,Comment
attributeDisplayNames: co,Company
attributeDisplayNames: department,Department
attributeDisplayNames: description,Description
attributeDisplayNames: directReports,Direct Reports
attributeDisplayNames: distinguishedName,X500 Distinguished Name
attributeDisplayNames: division,Division
attributeDisplayNames: employeeID,Employee ID
attributeDisplayNames: facsimileTelephoneNumber,Facsimile Telephone Number
attributeDisplayNames: generationQualifier,Name Suffix
attributeDisplayNames: givenName,First Name
attributeDisplayNames: homePhone,Home Phone
attributeDisplayNames: homePostalAddress,Home Address
attributeDisplayNames: info,Notes
attributeDisplayNames: initials,Initials
attributeDisplayNames: internationalISDNNumber,International ISDN Number (Others)
attributeDisplayNames: ipPhone,IP Phone Number
attributeDisplayNames: l,City
attributeDisplayNames: mail,E-Mail Address
attributeDisplayNames: manager,Manager
attributeDisplayNames: memberOf,Group Membership
attributeDisplayNames: middleName,Middle Name
attributeDisplayNames: mobile,Primary Mobile Phone Number
attributeDisplayNames: otherHomePhone,Home Phone Number (Others)
attributeDisplayNames: otherIpPhone,IP Phone Number (Others)
attributeDisplayNames: otherMailbox,E-Mail Address (Others)
attributeDisplayNames: otherMobile,Mobile Phone Number (Others)
attributeDisplayNames: otherPager,Pager Number (Others)
attributeDisplayNames: otherTelephone,Telephone Number (Others)
attributeDisplayNames: personalTitle,Personal Title
attributeDisplayNames: physicalDeliveryOfficeName,Office Location
attributeDisplayNames: postalCode,ZIP/Postal Code
attributeDisplayNames: postOfficeBox,Post Office Box
attributeDisplayNames: primaryInternationalISDNNumber,International ISDN Number
attributeDisplayNames: primaryTelexNumber,Telex Number
attributeDisplayNames: sn,Last Name
attributeDisplayNames: st,State
attributeDisplayNames: streetAddress,Other Address
attributeDisplayNames: telephoneNumber,Primary Phone
attributeDisplayNames: telexNumber,Telex Number (Others)
attributeDisplayNames: url,Web Page Address (Others)
attributeDisplayNames: wWWHomePage,Web Page Address
-
dn: CN=domainPolicy-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: adminPropertyPages
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 4,{AAD30A04-E1D0-11d0-B859-00A024CDD4DE}
-
add: adminPropertyPages
adminPropertyPages: 2,{AAD30A04-E1D0-11d0-B859-00A024CDD4DE}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 4,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
dn: CN=serviceAdministrationPoint-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: classDisplayName
classDisplayName: Service Administration Point
-
add: classDisplayName
classDisplayName: Service
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
attributeDisplayNames: operatingSystem,Operating System
attributeDisplayNames: operatingSystemVersion,Operating System Version
attributeDisplayNames: type,Type
-
dn: CN=printQueue-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Directory Service Name
attributeDisplayNames: uNCName,Network Name
attributeDisplayNames: assetNumber,Asset Number
attributeDisplayNames: bytesPerMinute,Bytes per Minute
attributeDisplayNames: contactName,Contact
attributeDisplayNames: description,Comment
attributeDisplayNames: driverName,Model
attributeDisplayNames: driverVersion,Driver Version
attributeDisplayNames: location,Location
attributeDisplayNames: portName,Port
attributeDisplayNames: printBinNames,Input Trays
attributeDisplayNames: printCollate,Supports Collation
attributeDisplayNames: printColor,Supports Color Printing
attributeDisplayNames: printDuplexSupported,Supports Double-sided Printing
attributeDisplayNames: printerName,Name
attributeDisplayNames: printFormName,Form Name
attributeDisplayNames: printLanguage,Data Format
attributeDisplayNames: printMACAddress,Physical Network Address
attributeDisplayNames: printMaxCopies,Maximum Number of Copies
attributeDisplayNames: printMaxResolutionSupported,Maximum Resolution
attributeDisplayNames: printMaxXExtent,Maximum Printable Width
attributeDisplayNames: printMaxYExtent,Maximum Printable Height
attributeDisplayNames: printMediaReady,Paper Available
attributeDisplayNames: printMediaSupported,Paper Types Supported
attributeDisplayNames: printMemory,Installed Memory
attributeDisplayNames: printMinXExtent,Minimum Printable Width
attributeDisplayNames: printMinYExtent,Minimum Printable Height
attributeDisplayNames: printNetworkAddress,Network Address
attributeDisplayNames: printNumberUp,Supports N-Up Printing
attributeDisplayNames: operatingSystem,Operating System
attributeDisplayNames: operatingSystemVersion,Operating System Version
attributeDisplayNames: printOrientationsSupported,Orientations Supported
attributeDisplayNames: printOwner,Owner Name
attributeDisplayNames: printRate,Speed
attributeDisplayNames: printRateUnit,Speed Units
attributeDisplayNames: printPagesPerMinute,Pages per Minute
attributeDisplayNames: printShareName,Share Name
attributeDisplayNames: printStaplingSupported,Supports Stapling
attributeDisplayNames: printStatus,State
attributeDisplayNames: priority,Print Job Priority
attributeDisplayNames: serverName,Server Name
attributeDisplayNames: url,Web Page Address
attributeDisplayNames: versionNumber,Object Version
attributeDisplayNames: whenChanged,Date Modified
attributeDisplayNames: whenCreated,Date Created
-
dn: CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
-
dn: CN=trustedDomain-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
-
dn: CN=volume-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
attributeDisplayNames: uNCName,Network Path
-
delete: classDisplayName
classDisplayName: Volume
-
add: classDisplayName
classDisplayName: Shared Folder
-
dn: CN=schema,CN=configuration,DC=X
changetype: modify
add: objectVersion
objectVersion: 1
-
Sch2.ldf
dn: CN=GP-Link,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: gPLink
adminDisplayName: GP-Link
adminDescription: GP-Link
attributeId: 1.2.840.113556.1.4.891
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: vjsO8/Cf0RG2AwAA+ANnwQ==
hideFromAB: TRUE
dn: CN=GP-Options,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: gPOptions
adminDisplayName: GP-Options
adminDescription: GP-Options
attributeId: 1.2.840.113556.1.4.892
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: vzsO8/Cf0RG2AwAA+ANnwQ==
hideFromAB: TRUE
dn: CN=GPC-File-Sys-Path,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: gPCFileSysPath
adminDisplayName: GPC-File-Sys-Path
adminDescription: GPC-File-Sys-Path
attributeId: 1.2.840.113556.1.4.894
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wTsO8/Cf0RG2AwAA+ANnwQ==
hideFromAB: TRUE
dn: CN=GPC-Functionality-Version,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: gPCFunctionalityVersion
adminDisplayName: GPC-Functionality-Version
adminDescription: GPC-Functionality-Version
attributeId: 1.2.840.113556.1.4.893
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wDsO8/Cf0RG2AwAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Transport-Address-Attribute,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: transportAddressAttribute
adminDisplayName: Transport-Address-Attribute
adminDescription: Transport-Address-Attribute
attributeId: 1.2.840.113556.1.4.895
attributeSyntax: 2.5.5.2
omSyntax: 6
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fIbcwWGi0RG2BgAA+ANnwQ==
hideFromAB: TRUE
dn: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: groupPolicyContainer
adminDisplayName: Group-Policy-Container
adminDescription: Group-Policy-Container
governsId: 1.2.840.113556.1.5.157
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.23
systemMayContain: 1.2.840.113556.1.4.141
systemMayContain: 1.2.840.113556.1.4.893
systemMayContain: 1.2.840.113556.1.4.894
systemMayContain: 1.2.840.113556.1.4.38
systemMayContain: 1.2.840.113556.1.2.13
schemaIdGuid:: wjsO8/Cf0RG2AwAA+ANnwQ==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.374
-
dn: CN=USN-Source,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=USN-Source,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: uSNSource
adminDescription: USN-Source
adminDisplayName: USN-Source
attributeID: 1.2.840.113556.1.4.896
attributeSyntax: 2.5.5.16
isSingleValued: TRUE
mAPIID: 33111
oMSyntax: 65
schemaIDGUID:: rVh3FvNH0RGpwwAA+ANnwQ==
searchFlags: 0
systemOnly: FALSE
hideFromAB: TRUE
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.896
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.891
systemMayContain: 1.2.840.113556.1.4.892
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.342
systemMayContain: 1.2.840.113556.1.4.678
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.891
systemMayContain: 1.2.840.113556.1.4.892
systemMayContain: 2.5.4.6
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.342
systemMayContain: 1.2.840.113556.1.4.678
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.342
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.891
systemMayContain: 1.2.840.113556.1.4.892
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.342
systemMayContain: 1.2.840.113556.1.4.343
-
dn: CN=Inter-Site-Transport,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMustContain
systemMustContain: 1.2.840.113556.1.4.895
-
dn: CN=Domain-Policy,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.418
-
dn: CN=Container,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.213
-
dn: CN=Intellimirror-SCP,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.358
systemMayContain: 1.2.840.113556.1.4.359
-
dn: CN=Intellimirror-Group,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.342
systemMayContain: 1.2.840.113556.1.4.343
systemMayContain: 1.2.840.113556.1.4.515
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.515
-
dn: CN=Site,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.891
systemMayContain: 1.2.840.113556.1.4.892
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.342
systemMayContain: 1.2.840.113556.1.4.678
-
dn: CN=Object-Category,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 2
-
dn: CN=NTFRS-Replica-Set,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: fRSReplicaSetType
-
dn: CN=FRS-Replica-Set-Type,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=FRS-Replica-Set-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: fRSReplicaSetType
adminDescription: FRS-Replica-Set-Type
adminDisplayName: FRS-Replica-Set-Type
attributeID: 1.2.840.113556.1.4.31
attributeSyntax: 2.5.5.9
hideFromAB: TRUE
isSingleValued: TRUE
oMSyntax: 2
schemaIDGUID:: a3PZJnBg0RGpxgAA+ANnwQ==
searchFlags: 0
systemOnly: FALSE
dn: CN=NTFRS-Replica-Set,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.31
-
dn: CN=Builtin-Sync,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Policy-Name,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Policy-Link,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Policy-Options,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn: CN=Change-Pwd-Logon-Required,CN=Schema,CN=Configuration,DC=X
changetype: delete
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=DS-Replication-Get-Changes,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName: Replicating Directory Changes
rightsGUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
dn: CN=DS-Replication-Synchronize,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName: Replication Synchronization
rightsGUID: 1131f6ab-9c07-11d1-f79f-00c04fc2dcd2
dn: CN=DS-Replication-Manage-Topology,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName: Manage Replication Topology
rightsGUID: 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
dn: CN=IntellimirrorGroup-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{C641CF88-892F-11d1-BBEB-0060081692B3}
classDisplayName: IntelliMirror-Group
shellPropertyPages: 1,{C641CF88-892F-11d1-BBEB-0060081692B3}
dn: CN=IntellimirrorSCP-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{AC409538-741C-11d1-BBE6-0060081692B3}
classDisplayName: IntelliMirror-Service
shellPropertyPages: 1,{AC409538-741C-11d1-BBE6-0060081692B3}
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminPropertyPages
adminPropertyPages: 10,{0F65B1BF-740F-11d1-BBE6-0060081692B3}
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: objectVersion
objectVersion: 2
-
Sch3.ldf
dn: CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
replace: displayName
displayName: Reset Password
-
add: appliesTo
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
-
dn: CN=server-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{6dfe6494-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: Server
dn: CN=siteLink-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{50d30561-9911-11d1-b9af-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: Site Link
dn: CN=siteLinkBridge-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{50d30562-9911-11d1-b9af-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: Site Link Bridge
dn: CN=interSiteTransport-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{6DFE6491-AC8D-11D0-B945-00C04FD8D5B0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: Inter-Site Transport
dn: CN=licensingSiteSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{717ef500-ac8d-11d0-b945-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: Licensing Site Settings
dn: CN=nTDSSiteSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{2f280288-bb6d-11d0-b948-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: NTDS Site Settings
dn: CN=nTFRSMember-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{9da6fd6a-c63b-11d0-b94d-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: NTFRS Member
dn: CN=nTFRSSubscriber-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{50d3055f-9911-11d1-b9af-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: NTFRS Subscriber
dn: CN=nTFRSSubscriptions-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{50d30560-9911-11d1-b9af-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: NTFRS Subscriptions
dn: CN=rpcContainer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: add
objectClass: displaySpecifier
hideFromAB: TRUE
adminPropertyPages: 1,{50d30572-9911-11d1-b9af-00c04fd8d5b0}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
contextMenu: 0,{62AE1F9A-126A-11D0-A14B-0800361B1103}
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: RPC Services
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
dn: CN=mSFTFRS-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: delete
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: adminPropertyPages
adminPropertyPages: 3,{6dfe648a-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 4,{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}
adminPropertyPages: 5,{FD57D295-4FD9-11D1-854E-00C04FC31FD3}
adminPropertyPages: 6,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 7,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
add: adminPropertyPages
adminPropertyPages: 3,{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}
adminPropertyPages: 4,{FD57D295-4FD9-11D1-854E-00C04FC31FD3}
adminPropertyPages: 5,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 6,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
add: attributeDisplayNames
attributeDisplayNames: userWorkstations,Logon Workstations
-
dn: CN=group-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
delete: adminPropertyPages
adminPropertyPages: 2,{6dfe648a-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{6dfe648b-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 4,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 5,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
add: adminPropertyPages
adminPropertyPages: 2,{6dfe648b-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 4,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=domainDNS-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 2,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=domainPolicy-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=localPolicy-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=serviceAdministrationPoint-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=printQueue-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=site-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
adminContextMenu: 2,{6BA3F852-23C6-11D1-B91F-00A0C9A06D2D}
-
dn: CN=nTDSSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=nTDSDSA-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=nTDSConnection-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=nTFRSSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=nTFRSReplicaSet-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=subnet-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 2,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=container-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 2,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=trustedDomain-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=volume-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: modify
add: adminContextMenu
adminContextMenu: 0,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
-
dn: CN=Change-Schema-Master,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName: Change Schema Master
rightsGUID: e12b56b6-0a95-11d1-adbb-00c04fd8d5cd
dn: CN=Change-Rid-Master,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: 6617188d-8f3c-11d0-afda-00c04fd930c9
displayName: Change Rid Master
rightsGUID: d58d5f36-0a98-11d1-adbb-00c04fd8d5cd
dn: CN=Abandon-Replication,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: f0f8ffab-1191-11d0-a060-00aa006c33ed
displayName: Abandon Replication
rightsGUID: ee914b82-0a98-11d1-adbb-00c04fd8d5cd
dn: CN=Do-Garbage-Collection,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: f0f8ffab-1191-11d0-a060-00aa006c33ed
displayName: Do Garbage Collection
rightsGUID: fec364e0-0a98-11d1-adbb-00c04fd8d5cd
dn: CN=Recalculate-Hierarchy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: f0f8ffab-1191-11d0-a060-00aa006c33ed
displayName: Recalculate Hierarchy
rightsGUID: 0bc1554e-0a99-11d1-adbb-00c04fd8d5cd
dn: CN=Allocate-Rids,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: f0f8ffab-1191-11d0-a060-00aa006c33ed
displayName: Allocate Rids
rightsGUID: 1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd
dn: CN=Change-PDC,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Change PDC
rightsGUID: bae50096-4752-11d1-9052-00c04fc2d4cf
dn: CN=Add-GUID,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Add GUID
rightsGUID: 440820ad-65b4-11d1-a3da-0000f875ae0d
dn: CN=Change-Domain-Master,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
hideFromAB: TRUE
appliesTo: ef9e60e0-56f7-11d1-a9c6-0000f80367c1
displayName: Change Domain Master
rightsGUID: 014bf69c-7b3b-11d1-85f6-08002be74fab
Sch4.ldf
# Renames.
dn: CN=DXA-Flags,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: Deleted-Item-Flags
deleteoldrdn: 1
dn: CN=Deleted-Item-Flags,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: deletedItemFlags
-
replace: adminDisplayName
adminDisplayName: Deleted-Item-Flags
-
replace: adminDescription
adminDescription: Deleted-Item-Flags
-
dn: CN=DXA-Task,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: Message-Size-Limit
deleteoldrdn: 1
dn: CN=Message-Size-Limit,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: messageSizeLimit
-
replace: adminDisplayName
adminDisplayName: Message-Size-Limit
-
replace: adminDescription
adminDescription: Message-Size-Limit
-
dn: CN=Assoc-NT-Account,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: Assoc-NT-Account-Unused
deleteoldrdn: 1
dn: CN=Assoc-NT-Account-Unused,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: assocNTAccountUnused
-
replace: adminDisplayName
adminDisplayName: Assoc-NT-Account-Unused
-
replace: adminDescription
adminDescription: Assoc-NT-Account-Unused
-
dn: CN=Assoc-NT-Account,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: assocNTAccount
adminDisplayName: Assoc-NT-Account
adminDescription: Assoc-NT-Account
attributeId: 1.2.840.113556.1.4.1213
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
hideFromAB: TRUE
dn: CN=ANR,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: aNR
adminDisplayName: ANR
adminDescription: ANR
attributeId: 1.2.840.113556.1.4.1208
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ABWwRRnE0RG7yQCAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=ADMD,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ADMD
adminDisplayName: ADMD
adminDescription: ADMD
attributeId: 1.2.840.113556.1.2.232
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 16
schemaIdGuid:: kHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32841
hideFromAB: TRUE
dn: CN=PRMD,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: PRMD
adminDisplayName: PRMD
adminDescription: PRMD
attributeId: 1.2.840.113556.1.2.224
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 16
schemaIdGuid:: TXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33038
hideFromAB: TRUE
dn: CN=Req-Seq,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ReqSeq
adminDisplayName: Req-Seq
adminDescription: Req-Seq
attributeId: 1.2.840.113556.1.2.173
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: YHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33058
hideFromAB: TRUE
dn: CN=Runs-On,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RunsOn
adminDisplayName: Runs-On
adminDescription: Runs-On
attributeId: 1.2.840.113556.1.2.185
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: a3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33066
hideFromAB: TRUE
dn: CN=Enabled,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: Enabled
adminDisplayName: Enabled
adminDescription: Enabled
attributeId: 1.2.840.113556.1.2.557
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 8nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 35873
hideFromAB: TRUE
dn: CN=Telephone-Home-Fax,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: homeFax
adminDisplayName: Telephone-Home-Fax
adminDescription: Telephone-Home-Fax
attributeId: 1.2.840.113556.1.2.609
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: hXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 14885
hideFromAB: TRUE
dn: CN=Encrypt,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: Encrypt
adminDisplayName: Encrypt
adminDescription: Encrypt
attributeId: 1.2.840.113556.1.2.236
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32931
hideFromAB: TRUE
dn: CN=Form-Data,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: FormData
adminDisplayName: Form-Data
adminDescription: Form-Data
attributeId: 1.2.840.113556.1.2.607
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: AHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35941
hideFromAB: TRUE
dn: CN=INSAdmin,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: INSAdmin
adminDisplayName: INSAdmin
adminDescription: INSAdmin
attributeId: 1.2.840.113556.1.2.543
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: FnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33221
hideFromAB: TRUE
dn: CN=N-Address,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: NAddress
adminDisplayName: N-Address
adminDescription: N-Address
attributeId: 1.2.840.113556.1.2.282
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 50
schemaIdGuid:: NHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33009
hideFromAB: TRUE
dn: CN=Send-TNEF,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SendTNEF
adminDisplayName: Send-TNEF
adminDescription: Send-TNEF
attributeId: 1.2.840.113556.1.2.492
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: b3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33169
hideFromAB: TRUE
dn: CN=Line-Wrap,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: LineWrap
adminDisplayName: Line-Wrap
adminDescription: Line-Wrap
attributeId: 1.2.840.113556.1.2.449
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: GHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32964
hideFromAB: TRUE
dn: CN=Auth-Orig,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AuthOrig
adminDisplayName: Auth-Orig
adminDescription: Auth-Orig
attributeId: 1.2.840.113556.1.2.129
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: VgYBAgULHQ==
schemaIdGuid:: l3PfqOrF0RG7ywCAx2ZwwA==
linkID: 110
hideFromAB: TRUE
dn: CN=MSMQ-QM-ID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQQMID
adminDisplayName: MSMQ-QM-ID
adminDescription: MSMQ-QM-ID
attributeId: 1.2.840.113556.1.4.951
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: PsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Types,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXATypes
adminDisplayName: DXA-Types
adminDescription: DXA-Types
attributeId: 1.2.840.113556.1.2.119
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 7XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32928
hideFromAB: TRUE
dn: CN=MSMQ-Cost,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQCost
adminDisplayName: MSMQ-Cost
adminDescription: MSMQ-Cost
attributeId: 1.2.840.113556.1.4.946
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Site-1,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQSite1
adminDisplayName: MSMQ-Site-1
adminDescription: MSMQ-Site-1
attributeId: 1.2.840.113556.1.4.943
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: N8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Site-2,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQSite2
adminDisplayName: MSMQ-Site-2
adminDescription: MSMQ-Site-2
attributeId: 1.2.840.113556.1.4.944
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Label,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQLabel
adminDisplayName: MSMQ-Label
adminDescription: MSMQ-Label
attributeId: 1.2.840.113556.1.4.922
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: JcMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=Inbound-DN,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: InboundDN
adminDisplayName: Inbound-DN
adminDescription: Inbound-DN
attributeId: 1.2.840.113556.1.2.553
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: EHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35870
hideFromAB: TRUE
dn: CN=View-Flags,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ViewFlags
adminDisplayName: View-Flags
adminDescription: View-Flags
attributeId: 1.2.840.113556.1.2.546
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: mnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35864
hideFromAB: TRUE
dn: CN=DXA-Imp-Seq,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAImpSeq
adminDisplayName: DXA-Imp-Seq
adminDescription: DXA-Imp-Seq
attributeId: 1.2.840.113556.1.2.116
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: 0nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32899
hideFromAB: TRUE
dn: CN=DXA-Req-Seq,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAReqSeq
adminDisplayName: DXA-Req-Seq
adminDescription: DXA-Req-Seq
attributeId: 1.2.840.113556.1.2.101
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: 5HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32918
hideFromAB: TRUE
dn: CN=Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: secretary
adminDisplayName: Assistant-Name
adminDescription: Assistant-Name
attributeId: 1.2.840.113556.1.2.444
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: lHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 14896
hideFromAB: TRUE
dn: CN=P-Selector,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: PSelector
adminDisplayName: P-Selector
adminDescription: P-Selector
attributeId: 1.2.840.113556.1.2.285
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 16
schemaIdGuid:: SHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33030
hideFromAB: TRUE
dn: CN=Rid-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RidServer
adminDisplayName: Rid-Server
adminDescription: Rid-Server
attributeId: 1.2.840.113556.1.2.346
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: ZHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33060
hideFromAB: TRUE
dn: CN=S-Selector,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SSelector
adminDisplayName: S-Selector
adminDescription: S-Selector
attributeId: 1.2.840.113556.1.2.284
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 16
schemaIdGuid:: bHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33067
hideFromAB: TRUE
dn: CN=T-Selector,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TSelector
adminDisplayName: T-Selector
adminDescription: T-Selector
attributeId: 1.2.840.113556.1.2.283
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: gXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33088
hideFromAB: TRUE
dn: CN=HTTP-Pub-PF,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: HTTPPubPF
adminDisplayName: HTTP-Pub-PF
adminDescription: HTTP-Pub-PF
attributeId: 1.2.840.113556.1.2.505
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 1024
schemaIdGuid:: C3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33182
hideFromAB: TRUE
dn: CN=OWA-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OWAServer
adminDisplayName: OWA-Server
adminDescription: OWA-Server
attributeId: 1.2.840.113556.1.2.608
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 128
schemaIdGuid:: R3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35942
hideFromAB: TRUE
dn: CN=DXA-Svr-Seq,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXASvrSeq
adminDisplayName: DXA-Svr-Seq
adminDescription: DXA-Svr-Seq
attributeId: 1.2.840.113556.1.2.360
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: 6HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32922
hideFromAB: TRUE
dn: CN=From-Entry,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: fromEntry
adminDisplayName: From-Entry
adminDescription: From-Entry
attributeId: 1.2.840.113556.1.4.910
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: Sdl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=MSMQ-Sites,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQSites
adminDisplayName: MSMQ-Sites
adminDescription: MSMQ-Sites
attributeId: 1.2.840.113556.1.4.927
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: KsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=MSMQ-Quota,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQQuota
adminDisplayName: MSMQ-Quota
adminDescription: MSMQ-Quota
attributeId: 1.2.840.113556.1.4.919
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: IsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=Domain-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DomainName
adminDisplayName: Domain-Name
adminDescription: Domain-Name
attributeId: 1.2.840.113556.1.2.147
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 362
schemaIdGuid:: yHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32886
hideFromAB: TRUE
dn: CN=DXA-ReqName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAReqName
adminDisplayName: DXA-ReqName
adminDescription: DXA-ReqName
attributeId: 1.2.840.113556.1.2.446
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: 53PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32921
hideFromAB: TRUE
dn: CN=DXA-Conf-Seq,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAConfSeq
adminDisplayName: DXA-Conf-Seq
adminDescription: DXA-Conf-Seq
attributeId: 1.2.840.113556.1.2.184
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: znPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32894
hideFromAB: TRUE
dn: CN=Auth-Orig-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AuthOrigBL
adminDisplayName: Auth-Orig-BL
adminDescription: Auth-Orig-BL
attributeId: 1.2.840.113556.1.2.290
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: mHPfqOrF0RG7ywCAx2ZwwA==
linkID: 111
mapiID: 32851
hideFromAB: TRUE
systemFlags: 1
dn: CN=HTTP-Pub-GAL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: HTTPPubGAL
adminDisplayName: HTTP-Pub-GAL
adminDescription: HTTP-Pub-GAL
attributeId: 1.2.840.113556.1.2.502
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: CXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33179
hideFromAB: TRUE
dn: CN=MSMQ-Site-ID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQSiteID
adminDisplayName: MSMQ-Site-ID
adminDescription: MSMQ-Site-ID
attributeId: 1.2.840.113556.1.4.953
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=RAS-Account,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RASAccount
adminDisplayName: RAS-Account
adminDescription: RAS-Account
attributeId: 1.2.840.113556.1.2.519
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: UXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33197
hideFromAB: TRUE
dn: CN=Remote-Site,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RemoteSite
adminDisplayName: Remote-Site
adminDescription: Remote-Site
attributeId: 1.2.840.113556.1.2.27
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: W3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33053
hideFromAB: TRUE
dn: CN=Port-Number,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: PortNumber
adminDisplayName: Port-Number
adminDescription: Port-Number
attributeId: 1.2.840.113556.1.2.527
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 65535
schemaIdGuid:: SnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33205
hideFromAB: TRUE
dn: CN=Require-SSL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RequireSSL
adminDisplayName: Require-SSL
adminDescription: Require-SSL
attributeId: 1.2.840.113556.1.2.560
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: YXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35877
hideFromAB: TRUE
dn: CN=Target-MTAs,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TargetMTAs
adminDisplayName: Target-MTAs
adminDescription: Target-MTAs
attributeId: 1.2.840.113556.1.2.259
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 36
schemaIdGuid:: g3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33090
hideFromAB: TRUE
dn: CN=Trust-Level,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TrustLevel
adminDisplayName: Trust-Level
adminDescription: Trust-Level
attributeId: 1.2.840.113556.1.2.70
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 100
schemaIdGuid:: knTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33103
hideFromAB: TRUE
dn: CN=Unauth-Orig,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: UnauthOrig
adminDisplayName: Unauth-Orig
adminDescription: Unauth-Orig
attributeId: 1.2.840.113556.1.2.221
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: VgYBAgULHQ==
schemaIdGuid:: lXTfqOrF0RG7ywCAx2ZwwA==
linkID: 114
hideFromAB: TRUE
dn: CN=MSMQ-OS-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQOSType
adminDisplayName: MSMQ-OS-Type
adminDescription: MSMQ-OS-Type
attributeId: 1.2.840.113556.1.4.935
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: MMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Can-Create-PF,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CanCreatePF
adminDisplayName: Can-Create-PF
adminDescription: Can-Create-PF
attributeId: 1.2.840.113556.1.2.11
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: oXPfqOrF0RG7ywCAx2ZwwA==
linkID: 124
mapiID: 32856
hideFromAB: TRUE
dn: CN=Log-Filename,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: LogFilename
adminDisplayName: Log-Filename
adminDescription: Log-Filename
attributeId: 1.2.840.113556.1.2.192
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: HXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32970
hideFromAB: TRUE
dn: CN=Is-Ephemeral,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: isEphemeral
adminDisplayName: Is-Ephemeral
adminDescription: Is-Ephemeral
attributeId: 1.2.840.113556.1.4.1212
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: 8FPE9PHF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Inbound-Host,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: InboundHost
adminDisplayName: Inbound-Host
adminDescription: Inbound-Host
attributeId: 1.2.840.113556.1.2.489
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 512
schemaIdGuid:: EXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33166
hideFromAB: TRUE
dn: CN=MSMQ-CSP-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQCSPName
adminDisplayName: MSMQ-CSP-Name
adminDescription: MSMQ-CSP-Name
attributeId: 1.2.840.113556.1.4.940
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: NMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Password,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAPassword
adminDisplayName: DXA-Password
adminDescription: DXA-Password
attributeId: 1.2.840.113556.1.2.305
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 12
schemaIdGuid:: 23PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32908
hideFromAB: TRUE
dn: CN=MSMQ-Digests,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQDigests
adminDisplayName: MSMQ-Digests
adminDescription: MSMQ-Digests
attributeId: 1.2.840.113556.1.4.948
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: PMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=MSMQ-Foreign,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQForeign
adminDisplayName: MSMQ-Foreign
adminDescription: MSMQ-Foreign
attributeId: 1.2.840.113556.1.4.934
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: L8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=MSMQ-Owner-ID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQOwnerID
adminDisplayName: MSMQ-Owner-ID
adminDescription: MSMQ-Owner-ID
attributeId: 1.2.840.113556.1.4.925
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: KMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=MSMQ-Sign-Key,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQSignKey
adminDisplayName: MSMQ-Sign-Key
adminDescription: MSMQ-Sign-Key
attributeId: 1.2.840.113556.1.4.937
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: MsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Journal,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQJournal
adminDisplayName: MSMQ-Journal
adminDescription: MSMQ-Journal
attributeId: 1.2.840.113556.1.4.918
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: IcMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=Content-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ContentType
adminDisplayName: Content-Type
adminDescription: Content-Type
attributeId: 1.2.840.113556.1.2.481
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 4
schemaIdGuid:: uXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33158
hideFromAB: TRUE
dn: CN=RAS-Password,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RASPassword
adminDisplayName: RAS-Password
adminDescription: RAS-Password
attributeId: 1.2.840.113556.1.2.520
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: U3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33198
hideFromAB: TRUE
dn: CN=MSMQ-Version,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQVersion
adminDisplayName: MSMQ-Version
adminDescription: MSMQ-Version
attributeId: 1.2.840.113556.1.4.942
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: NsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msNPVersion,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPVersion
adminDisplayName: msNPVersion
adminDescription: msNPVersion
attributeId: 1.2.840.113556.1.4.1135
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: k5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Routing-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RoutingList
adminDisplayName: Routing-List
adminDescription: Routing-List
attributeId: 1.2.840.113556.1.2.354
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 2243
schemaIdGuid:: Z3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33062
hideFromAB: TRUE
dn: CN=HTTP-Servers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: HTTPServers
adminDisplayName: HTTP-Servers
adminDescription: HTTP-Servers
attributeId: 1.2.840.113556.1.2.517
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: DHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33195
hideFromAB: TRUE
dn: CN=MTA-Local-Cred,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MTALocalCred
adminDisplayName: MTA-Local-Cred
adminDescription: MTA-Local-Cred
attributeId: 1.2.840.113556.1.2.270
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: MnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33007
hideFromAB: TRUE
dn: CN=Character-Set,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CharacterSet
adminDisplayName: Character-Set
adminDescription: Character-Set
attributeId: 1.2.840.113556.1.2.480
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: rXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33157
hideFromAB: TRUE
dn: CN=Delegate-User,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DelegateUser
adminDisplayName: Delegate-User
adminDescription: Delegate-User
attributeId: 1.2.840.113556.1.2.591
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: vnPfqOrF0RG7ywCAx2ZwwA==
mapiID: 35913
hideFromAB: TRUE
dn: CN=DL-Member-Rule,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DLMemberRule
adminDisplayName: DL-Member-Rule
adminDescription: DL-Member-Rule
attributeId: 1.2.840.113556.1.2.330
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 4096
schemaIdGuid:: xnPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32884
hideFromAB: TRUE
dn: CN=DXA-Admin-Copy,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAAdminCopy
adminDisplayName: DXA-Admin-Copy
adminDescription: DXA-Admin-Copy
attributeId: 1.2.840.113556.1.2.378
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: yXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32888
hideFromAB: TRUE
dn: CN=Do-OAB-Version,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DoOABVersion
adminDisplayName: Do-OAB-Version
adminDescription: Do-OAB-Version
attributeId: 1.2.840.113556.1.2.575
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: x3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 35898
hideFromAB: TRUE
dn: CN=MSMQ-Migrated,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQMigrated
adminDisplayName: MSMQ-Migrated
adminDescription: MSMQ-Migrated
attributeId: 1.2.840.113556.1.4.952
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: P8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Computer-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ComputerName
adminDisplayName: Computer-Name
adminDescription: Computer-Name
attributeId: 1.2.840.113556.1.2.20
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: tHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32869
hideFromAB: TRUE
dn: CN=Monitor-Clock,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitorClock
adminDisplayName: Monitor-Clock
adminDescription: Monitor-Clock
attributeId: 1.2.840.113556.1.2.163
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: I3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 32982
hideFromAB: TRUE
dn: CN=N-Address-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: NAddressType
adminDisplayName: N-Address-Type
adminDescription: N-Address-Type
attributeId: 1.2.840.113556.1.2.222
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: NXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33010
hideFromAB: TRUE
dn: CN=Inbound-Sites,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: InboundSites
adminDisplayName: Inbound-Sites
adminDescription: Inbound-Sites
attributeId: 1.2.840.113556.1.2.71
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: FHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32956
hideFromAB: TRUE
dn: CN=msNPSequence,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPSequence
adminDisplayName: msNPSequence
adminDescription: msNPSequence
attributeId: 1.2.840.113556.1.4.1131
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: j5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msNPVendorID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPVendorID
adminDisplayName: msNPVendorID
adminDescription: msNPVendorID
attributeId: 1.2.840.113556.1.4.1134
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: kpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Newsfeed-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: NewsfeedType
adminDisplayName: Newsfeed-Type
adminDescription: Newsfeed-Type
attributeId: 1.2.840.113556.1.2.495
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: NnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33172
hideFromAB: TRUE
dn: CN=DXA-Imp-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAImpSeqUSN
adminDisplayName: DXA-Imp-Seq-USN
adminDescription: DXA-Imp-Seq-USN
attributeId: 1.2.840.113556.1.2.86
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 1HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32901
hideFromAB: TRUE
dn: CN=Employee-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: employeeType
adminDisplayName: Employee-Type
adminDescription: Employee-Type
attributeId: 1.2.840.113556.1.2.613
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: 8HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 35945
hideFromAB: TRUE
dn: CN=DXA-Req-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAReqSeqUSN
adminDisplayName: DXA-Req-Seq-USN
adminDescription: DXA-Req-Seq-USN
attributeId: 1.2.840.113556.1.2.182
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 5nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32920
hideFromAB: TRUE
dn: CN=MSMQ-Services,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQServices
adminDisplayName: MSMQ-Services
adminDescription: MSMQ-Services
attributeId: 1.2.840.113556.1.4.950
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: PcMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=Referral-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ReferralList
adminDisplayName: Referral-List
adminDescription: Referral-List
attributeId: 1.2.840.113556.1.2.510
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 1024
schemaIdGuid:: V3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33187
hideFromAB: TRUE
dn: CN=Role-Occupant,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: roleOccupant
adminDisplayName: Role-Occupant
adminDescription: Role-Occupant
attributeId: 2.5.4.33
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: ZXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33061
hideFromAB: TRUE
dn: CN=DXA-Import-Now,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAImportNow
adminDisplayName: DXA-Import-Now
adminDescription: DXA-Import-Now
attributeId: 1.2.840.113556.1.2.376
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 1XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32902
hideFromAB: TRUE
dn: CN=Outbound-Host,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OutboundHost
adminDisplayName: Outbound-Host
adminDescription: Outbound-Host
attributeId: 1.2.840.113556.1.2.488
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 1024
schemaIdGuid:: QnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33165
hideFromAB: TRUE
dn: CN=Site-Affinity,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SiteAffinity
adminDisplayName: Site-Affinity
adminDescription: Site-Affinity
attributeId: 1.2.840.113556.1.2.434
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33079
hideFromAB: TRUE
dn: CN=msAscendFRN391,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRN391
adminDisplayName: msAscendFRN391
adminDescription: msAscendFRN391
attributeId: 1.2.840.113556.1.4.1035
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: MZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Export-Now,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAExportNow
adminDisplayName: DXA-Export-Now
adminDescription: DXA-Export-Now
attributeId: 1.2.840.113556.1.2.377
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 0XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32897
hideFromAB: TRUE
dn: CN=Unauth-Orig-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: UnauthOrigBL
adminDisplayName: Unauth-Orig-BL
adminDescription: Unauth-Orig-BL
attributeId: 1.2.840.113556.1.2.292
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: lnTfqOrF0RG7ywCAx2ZwwA==
linkID: 115
mapiID: 33106
hideFromAB: TRUE
systemFlags: 1
dn: CN=DXA-Svr-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXASvrSeqUSN
adminDisplayName: DXA-Svr-Seq-USN
adminDescription: DXA-Svr-Seq-USN
attributeId: 1.2.840.113556.1.2.124
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 6nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32924
hideFromAB: TRUE
dn: CN=msAscendFRT391,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRT391
adminDisplayName: msAscendFRT391
adminDescription: msAscendFRT391
attributeId: 1.2.840.113556.1.4.1038
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: NJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFRT392,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRT392
adminDisplayName: msAscendFRT392
adminDescription: msAscendFRT392
attributeId: 1.2.840.113556.1.4.1039
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: NZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=USN-Intersite,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: USNIntersite
adminDisplayName: USN-Intersite
adminDescription: USN-Intersite
attributeId: 1.2.840.113556.1.2.469
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: mHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33146
hideFromAB: TRUE
dn: CN=LDAP-Search-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: LDAPSearchCfg
adminDisplayName: LDAP-Search-Cfg
adminDescription: LDAP-Search-Cfg
attributeId: 1.2.840.113556.1.2.552
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: F3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35869
hideFromAB: TRUE
dn: CN=Canonical-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: canonicalName
adminDisplayName: Canonical-Name
adminDescription: Canonical-Name
attributeId: 1.2.840.113556.1.4.916
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: Rdl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=Can-Create-PF-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CanCreatePFBL
adminDisplayName: Can-Create-PF-BL
adminDescription: Can-Create-PF-BL
attributeId: 1.2.840.113556.1.2.339
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: onPfqOrF0RG7ywCAx2ZwwA==
linkID: 125
mapiID: 32857
hideFromAB: TRUE
systemFlags: 1
dn: CN=Can-Create-PF-DL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CanCreatePFDL
adminDisplayName: Can-Create-PF-DL
adminDescription: Can-Create-PF-DL
attributeId: 1.2.840.113556.1.2.62
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: o3PfqOrF0RG7ywCAx2ZwwA==
linkID: 126
mapiID: 32858
hideFromAB: TRUE
dn: CN=DXA-Local-Admin,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXALocalAdmin
adminDisplayName: DXA-Local-Admin
adminDescription: DXA-Local-Admin
attributeId: 1.2.840.113556.1.2.113
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 13PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32904
hideFromAB: TRUE
dn: CN=MTA-Local-Desig,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MTALocalDesig
adminDisplayName: MTA-Local-Desig
adminDescription: MTA-Local-Desig
attributeId: 1.2.840.113556.1.2.271
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: M3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33008
hideFromAB: TRUE
dn: CN=Object-Classes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: objectClasses
adminDisplayName: Object-Classes
adminDescription: Object-Classes
attributeId: 2.5.21.6
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: S9l6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=DXA-Imp-Seq-Time,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAImpSeqTime
adminDisplayName: DXA-Imp-Seq-Time
adminDescription: DXA-Imp-Seq-Time
attributeId: 1.2.840.113556.1.2.117
attributeSyntax: 2.5.5.11
omSyntax: 23
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 03PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32900
hideFromAB: TRUE
dn: CN=msAscendGroup,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendGroup
adminDisplayName: msAscendGroup
adminDescription: msAscendGroup
attributeId: 1.2.840.113556.1.4.1042
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Req-Seq-Time,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAReqSeqTime
adminDisplayName: DXA-Req-Seq-Time
adminDescription: DXA-Req-Seq-Time
attributeId: 1.2.840.113556.1.2.114
attributeSyntax: 2.5.5.11
omSyntax: 23
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 5XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32919
hideFromAB: TRUE
dn: CN=DXA-Conf-Seq-USN,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAConfSeqUSN
adminDisplayName: DXA-Conf-Seq-USN
adminDescription: DXA-Conf-Seq-USN
attributeId: 1.2.840.113556.1.2.45
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: z3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32895
hideFromAB: TRUE
dn: CN=MSMQ-Long-Lived,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQLongLived
adminDisplayName: MSMQ-Long-Lived
adminDescription: MSMQ-Long-Lived
attributeId: 1.2.840.113556.1.4.941
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: NcMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Site-Gates,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQSiteGates
adminDisplayName: MSMQ-Site-Gates
adminDescription: MSMQ-Site-Gates
attributeId: 1.2.840.113556.1.4.945
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OcMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msNPTimeOfDay,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPTimeOfDay
adminDisplayName: msNPTimeOfDay
adminDescription: msNPTimeOfDay
attributeId: 1.2.840.113556.1.4.1133
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: kZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSClass,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSClass
adminDisplayName: msRADIUSClass
adminDescription: msRADIUSClass
attributeId: 1.2.840.113556.1.4.1146
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: nZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Svr-Seq-Time,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXASvrSeqTime
adminDisplayName: DXA-Svr-Seq-Time
adminDescription: DXA-Svr-Seq-Time
attributeId: 1.2.840.113556.1.2.361
attributeSyntax: 2.5.5.11
omSyntax: 23
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 6XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32923
hideFromAB: TRUE
dn: CN=MSMQ-Name-Style,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQNameStyle
adminDisplayName: MSMQ-Name-Style
adminDescription: MSMQ-Name-Style
attributeId: 1.2.840.113556.1.4.939
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: M8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Outbound-Sites,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OutboundSites
adminDisplayName: Outbound-Sites
adminDescription: Outbound-Sites
attributeId: 1.2.840.113556.1.2.0
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: RXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33029
hideFromAB: TRUE
dn: CN=MSMQ-Queue-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQQueueType
adminDisplayName: MSMQ-Queue-Type
adminDescription: MSMQ-Queue-Type
attributeId: 1.2.840.113556.1.4.917
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: IMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=Newsgroup-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: NewsgroupList
adminDisplayName: Newsgroup-List
adminDescription: Newsgroup-List
attributeId: 1.2.840.113556.1.2.497
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: N3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33174
hideFromAB: TRUE
dn: CN=Report-To-Owner,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ReportToOwner
adminDisplayName: Report-To-Owner
adminDescription: Report-To-Owner
attributeId: 1.2.840.113556.1.2.207
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: X3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33057
hideFromAB: TRUE
dn: CN=Telephone-Personal-Pager,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: personalPager
adminDisplayName: Telephone-Personal-Pager
adminDescription: Telephone-Personal-Pager
attributeId: 1.2.840.113556.1.2.612
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: h3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35944
hideFromAB: TRUE
dn: CN=RTS-Window-Size,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RTSWindowSize
adminDisplayName: RTS-Window-Size
adminDescription: RTS-Window-Size
attributeId: 1.2.840.113556.1.2.153
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 10
schemaIdGuid:: anTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33065
hideFromAB: TRUE
dn: CN=Use-Site-Values,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: UseSiteValues
adminDisplayName: Use-Site-Values
adminDescription: Use-Site-Values
attributeId: 1.2.840.113556.1.2.478
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: l3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33155
hideFromAB: TRUE
dn: CN=msAscendBridge,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendBridge
adminDisplayName: msAscendBridge
adminDescription: msAscendBridge
attributeId: 1.2.840.113556.1.4.989
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: A5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFRDLCI,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRDLCI
adminDisplayName: msAscendFRDLCI
adminDescription: msAscendFRDLCI
attributeId: 1.2.840.113556.1.4.1030
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: LJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendBackup,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendBackup
adminDisplayName: msAscendBackup
adminDescription: msAscendBackup
attributeId: 1.2.840.113556.1.4.985
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: /48M2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendForce56,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendForce56
adminDisplayName: msAscendForce56
adminDescription: msAscendForce56
attributeId: 1.2.840.113556.1.4.1023
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Admin-Update,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAAdminUpdate
adminDisplayName: DXA-Admin-Update
adminDescription: DXA-Admin-Update
attributeId: 1.2.840.113556.1.2.381
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ynPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32890
hideFromAB: TRUE
dn: CN=Can-Not-Create-PF,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CanNotCreatePF
adminDisplayName: Can-Not-Create-PF
adminDescription: Can-Not-Create-PF
attributeId: 1.2.840.113556.1.2.63
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: pXPfqOrF0RG7ywCAx2ZwwA==
linkID: 128
mapiID: 32860
hideFromAB: TRUE
dn: CN=DXA-Append-ReqCN,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAAppendReqCN
adminDisplayName: DXA-Append-ReqCN
adminDescription: DXA-Append-ReqCN
attributeId: 1.2.840.113556.1.2.174
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: y3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32891
hideFromAB: TRUE
dn: CN=DXA-Recipient-CP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXARecipientCP
adminDisplayName: DXA-Recipient-CP
adminDescription: DXA-Recipient-CP
attributeId: 1.2.840.113556.1.2.384
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 24
schemaIdGuid:: 4nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32916
hideFromAB: TRUE
dn: CN=MDB-Unread-Limit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MDBUnreadLimit
adminDisplayName: MDB-Unread-Limit
adminDescription: MDB-Unread-Limit
attributeId: 1.2.840.113556.1.2.69
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: IXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32979
hideFromAB: TRUE
dn: CN=msAscendMetric,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMetric
adminDisplayName: msAscendMetric
adminDescription: msAscendMetric
attributeId: 1.2.840.113556.1.4.1065
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: T5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Off-Line-AB-Style,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OffLineABStyle
adminDisplayName: Off-Line-AB-Style
adminDescription: Off-Line-AB-Style
attributeId: 1.2.840.113556.1.2.390
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: P3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33019
hideFromAB: TRUE
dn: CN=DXA-Conf-Req-Time,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAConfReqTime
adminDisplayName: DXA-Conf-Req-Time
adminDescription: DXA-Conf-Req-Time
attributeId: 1.2.840.113556.1.2.122
attributeSyntax: 2.5.5.11
omSyntax: 23
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: zXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32893
hideFromAB: TRUE
dn: CN=Can-Preserve-DNs,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CanPreserveDNs
adminDisplayName: Can-Preserve-DNs
adminDescription: Can-Preserve-DNs
attributeId: 1.2.840.113556.1.2.455
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: qXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32864
hideFromAB: TRUE
dn: CN=Employee-Number,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: employeeNumber
adminDisplayName: Employee-Number
adminDescription: Employee-Number
attributeId: 1.2.840.113556.1.2.610
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 512
schemaIdGuid:: 73PfqOrF0RG7ywCAx2ZwwA==
mapiID: 35943
hideFromAB: TRUE
dn: CN=Connection-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ConnectionType
adminDisplayName: Connection-Type
adminDescription: Connection-Type
attributeId: 1.2.840.113556.1.2.525
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: uHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33203
hideFromAB: TRUE
dn: CN=msAscendFRType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRType
adminDisplayName: msAscendFRType
adminDescription: msAscendFRType
attributeId: 1.2.840.113556.1.4.1040
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: NpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msNPIPPoolName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPIPPoolName
adminDisplayName: msNPIPPoolName
adminDescription: msNPIPPoolName
attributeId: 1.2.840.113556.1.4.1128
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: jJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSAnyVSA,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSAnyVSA
adminDisplayName: msRADIUSAnyVSA
adminDescription: msRADIUSAnyVSA
attributeId: 1.2.840.113556.1.4.1137
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: lJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRASUseRADIUS,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRASUseRADIUS
adminDisplayName: msRASUseRADIUS
adminDescription: msRASUseRADIUS
attributeId: 1.2.840.113556.1.4.1192
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: yJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Authorized-User,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AuthorizedUser
adminDisplayName: Authorized-User
adminDescription: Authorized-User
attributeId: 1.2.840.113556.1.2.276
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 512
schemaIdGuid:: nXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32854
hideFromAB: TRUE
dn: CN=msNPConstraint,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPConstraint
adminDisplayName: msNPConstraint
adminDescription: msNPConstraint
attributeId: 1.2.840.113556.1.4.1126
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: i5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Attribute-Types,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: attributeTypes
adminDisplayName: Attribute-Types
adminDescription: Attribute-Types
attributeId: 2.5.21.5
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: RNl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=Local-Bridge-Head,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: LocalBridgeHead
adminDisplayName: Local-Bridge-Head
adminDescription: Local-Bridge-Head
attributeId: 1.2.840.113556.1.2.311
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: GnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32966
hideFromAB: TRUE
dn: CN=msRADIUSPrompt,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSPrompt
adminDisplayName: msRADIUSPrompt
adminDescription: msRADIUSPrompt
attributeId: 1.2.840.113556.1.4.1170
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: tZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Encrypt-Key,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQEncryptKey
adminDisplayName: MSMQ-Encrypt-Key
adminDescription: MSMQ-Encrypt-Key
attributeId: 1.2.840.113556.1.4.936
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: McMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=RAS-Phone-Number,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RASPhoneNumber
adminDisplayName: RAS-Phone-Number
adminDescription: RAS-Phone-Number
attributeId: 1.2.840.113556.1.2.314
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: VHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33046
hideFromAB: TRUE
dn: CN=Monitor-Servers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitorServers
adminDisplayName: Monitor-Servers
adminDescription: Monitor-Servers
attributeId: 1.2.840.113556.1.2.156
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32983
hideFromAB: TRUE
dn: CN=Site-Folder-GUID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SiteFolderGUID
adminDisplayName: Site-Folder-GUID
adminDescription: Site-Folder-GUID
attributeId: 1.2.840.113556.1.2.456
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: d3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33126
hideFromAB: TRUE
dn: CN=Site-Proxy-Space,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SiteProxySpace
adminDisplayName: Site-Proxy-Space
adminDescription: Site-Proxy-Space
attributeId: 1.2.840.113556.1.2.385
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 1123
schemaIdGuid:: eXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33080
hideFromAB: TRUE
dn: CN=SMIME-Alg-List-NA,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SMIMEAlgListNA
adminDisplayName: SMIME-Alg-List-NA
adminDescription: SMIME-Alg-List-NA
attributeId: 1.2.840.113556.1.2.568
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: enTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35891
hideFromAB: TRUE
dn: CN=Can-Create-PF-DL-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CanCreatePFDLBL
adminDisplayName: Can-Create-PF-DL-BL
adminDescription: Can-Create-PF-DL-BL
attributeId: 1.2.840.113556.1.2.340
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: pHPfqOrF0RG7ywCAx2ZwwA==
linkID: 127
mapiID: 32859
hideFromAB: TRUE
systemFlags: 1
dn: CN=Telephone-Personal-Mobile,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: personalMobile
adminDisplayName: Telephone-Personal-Mobile
adminDescription: Telephone-Personal-Mobile
attributeId: 1.2.840.113556.1.2.611
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: hnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 14877
hideFromAB: TRUE
dn: CN=Trans-Retry-Mins,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TransRetryMins
adminDisplayName: Trans-Retry-Mins
adminDescription: Trans-Retry-Mins
attributeId: 1.2.840.113556.1.2.219
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: inTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33095
hideFromAB: TRUE
dn: CN=View-Definition,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ViewDefinition
adminDisplayName: View-Definition
adminDescription: View-Definition
attributeId: 1.2.840.113556.1.2.549
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 2048
schemaIdGuid:: mXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35867
hideFromAB: TRUE
dn: CN=msAscendDataSvc,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDataSvc
adminDisplayName: msAscendDataSvc
adminDescription: msAscendDataSvc
attributeId: 1.2.840.113556.1.4.1009
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: F5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Logging-Level,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXALoggingLevel
adminDisplayName: DXA-Logging-Level
adminDescription: DXA-Logging-Level
attributeId: 1.2.840.113556.1.2.382
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 1
schemaIdGuid:: 2HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32905
hideFromAB: TRUE
dn: CN=Off-Line-AB-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OffLineABServer
adminDisplayName: Off-Line-AB-Server
adminDescription: Off-Line-AB-Server
attributeId: 1.2.840.113556.1.2.392
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: PnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33018
hideFromAB: TRUE
dn: CN=Inbound-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: InboundNewsfeed
adminDisplayName: Inbound-Newsfeed
adminDescription: Inbound-Newsfeed
attributeId: 1.2.840.113556.1.2.494
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: EnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33171
hideFromAB: TRUE
dn: CN=Maximum-Object-ID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MaximumObjectID
adminDisplayName: Maximum-Object-ID
adminDescription: Maximum-Object-ID
attributeId: 1.2.840.113556.1.2.458
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 22
schemaIdGuid:: HnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33129
hideFromAB: TRUE
dn: CN=House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: houseIdentifier
adminDisplayName: House-Identifier
adminDescription: House-Identifier
attributeId: 1.2.840.113556.1.2.596
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: B3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35924
hideFromAB: TRUE
dn: CN=DXA-Remote-Client,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXARemoteClient
adminDisplayName: DXA-Remote-Client
adminDescription: DXA-Remote-Client
attributeId: 1.2.840.113556.1.2.112
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 43PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32917
hideFromAB: TRUE
dn: CN=msAscendPPPVJ1172,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPPPVJ1172
adminDisplayName: msAscendPPPVJ1172
adminDescription: msAscendPPPVJ1172
attributeId: 1.2.840.113556.1.4.1080
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: XpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPAllowDialin
adminDisplayName: msNPAllowDialin
adminDescription: msNPAllowDialin
attributeId: 1.2.840.113556.1.4.1119
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendRouteIP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendRouteIP
adminDisplayName: msAscendRouteIP
adminDescription: msAscendRouteIP
attributeId: 1.2.840.113556.1.4.1096
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=HTTP-Pub-GAL-Limit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: HTTPPubGALLimit
adminDisplayName: HTTP-Pub-GAL-Limit
adminDescription: HTTP-Pub-GAL-Limit
attributeId: 1.2.840.113556.1.2.503
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: CnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33180
hideFromAB: TRUE
dn: CN=Anonymous-Access,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AnonymousAccess
adminDisplayName: Anonymous-Access
adminDescription: Anonymous-Access
attributeId: 1.2.840.113556.1.2.482
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: knPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33159
hideFromAB: TRUE
dn: CN=Import-Container,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ImportContainer
adminDisplayName: Import-Container
adminDescription: Import-Container
attributeId: 1.2.840.113556.1.2.110
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: DXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32954
hideFromAB: TRUE
dn: CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: modifyTimeStamp
adminDisplayName: Modify-Time-Stamp
adminDescription: Modify-Time-Stamp
attributeId: 2.5.18.2
attributeSyntax: 2.5.5.11
omSyntax: 24
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: Stl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=msAscendFRDCEN392,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRDCEN392
adminDisplayName: msAscendFRDCEN392
adminDescription: msAscendFRDCEN392
attributeId: 1.2.840.113556.1.4.1025
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: J5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFRDCEN393,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRDCEN393
adminDisplayName: msAscendFRDCEN393
adminDescription: msAscendFRDCEN393
attributeId: 1.2.840.113556.1.4.1026
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: KJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DIT-Content-Rules,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: dITContentRules
adminDisplayName: DIT-Content-Rules
adminDescription: DIT-Content-Rules
attributeId: 2.5.21.2
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: Rtl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=Monitor-Services,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitorServices
adminDisplayName: Monitor-Services
adminDescription: Monitor-Services
attributeId: 1.2.840.113556.1.2.160
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32984
hideFromAB: TRUE
dn: CN=msAscendFRDTEN392,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRDTEN392
adminDisplayName: msAscendFRDTEN392
adminDescription: msAscendFRDTEN392
attributeId: 1.2.840.113556.1.4.1031
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: LZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFRDTEN393,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRDTEN393
adminDisplayName: msAscendFRDTEN393
adminDescription: msAscendFRDTEN393
attributeId: 1.2.840.113556.1.4.1032
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: LpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Service-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQServiceType
adminDisplayName: MSMQ-Service-Type
adminDescription: MSMQ-Service-Type
attributeId: 1.2.840.113556.1.4.930
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: LcMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=Control-Msg-Rules,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ControlMsgRules
adminDisplayName: Control-Msg-Rules
adminDescription: Control-Msg-Rules
attributeId: 1.2.840.113556.1.2.485
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32767
schemaIdGuid:: u3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 33162
hideFromAB: TRUE
dn: CN=Short-Server-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: shortServerName
adminDisplayName: Short-Server-Name
adminDescription: Short-Server-Name
attributeId: 1.2.840.113556.1.4.1209
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ARWwRRnE0RG7yQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Supporting-Stack,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SupportingStack
adminDisplayName: Supporting-Stack
adminDescription: Supporting-Stack
attributeId: 1.2.840.113556.1.2.28
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: gHTfqOrF0RG7ywCAx2ZwwA==
linkID: 132
mapiID: 33086
hideFromAB: TRUE
dn: CN=msAscendCallback,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCallback
adminDisplayName: msAscendCallback
adminDescription: msAscendCallback
attributeId: 1.2.840.113556.1.4.992
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendCBCPMode,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCBCPMode
adminDisplayName: msAscendCBCPMode
adminDescription: msAscendCBCPMode
attributeId: 1.2.840.113556.1.4.1000
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Remote-Bridge-Head,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RemoteBridgeHead
adminDisplayName: Remote-Bridge-Head
adminDescription: Remote-Bridge-Head
attributeId: 1.2.840.113556.1.2.191
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: WHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33050
hideFromAB: TRUE
dn: CN=msAscendDataRate,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDataRate
adminDisplayName: msAscendDataRate
adminDescription: msAscendDataRate
attributeId: 1.2.840.113556.1.4.1008
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: FpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Hide-DL-Membership,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: HideDLMembership
adminDisplayName: Hide-DL-Membership
adminDescription: Hide-DL-Membership
attributeId: 1.2.840.113556.1.2.297
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32952
hideFromAB: TRUE
dn: CN=Send-EMail-Message,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SendEMailMessage
adminDisplayName: Send-EMail-Message
adminDescription: Send-EMail-Message
attributeId: 1.2.840.113556.1.2.566
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35889
hideFromAB: TRUE
dn: CN=Inbound-Accept-All,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: InboundAcceptAll
adminDisplayName: Inbound-Accept-All
adminDescription: Inbound-Accept-All
attributeId: 1.2.840.113556.1.2.555
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: D3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35872
hideFromAB: TRUE
dn: CN=Can-Not-Create-PF-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CanNotCreatePFBL
adminDisplayName: Can-Not-Create-PF-BL
adminDescription: Can-Not-Create-PF-BL
attributeId: 1.2.840.113556.1.2.341
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: pnPfqOrF0RG7ywCAx2ZwwA==
linkID: 129
mapiID: 32861
hideFromAB: TRUE
systemFlags: 1
dn: CN=Can-Not-Create-PF-DL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CanNotCreatePFDL
adminDisplayName: Can-Not-Create-PF-DL
adminDescription: Can-Not-Create-PF-DL
attributeId: 1.2.840.113556.1.2.300
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: p3PfqOrF0RG7ywCAx2ZwwA==
linkID: 130
mapiID: 32862
hideFromAB: TRUE
dn: CN=Connected-Domains,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ConnectedDomains
adminDisplayName: Connected-Domains
adminDescription: Connected-Domains
attributeId: 1.2.840.113556.1.2.211
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 1243
schemaIdGuid:: tXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32870
hideFromAB: TRUE
dn: CN=Gateway-Local-Cred,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: GatewayLocalCred
adminDisplayName: Gateway-Local-Cred
adminDescription: Gateway-Local-Cred
attributeId: 1.2.840.113556.1.2.37
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: AXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32944
hideFromAB: TRUE
dn: CN=msAscendFRDirect,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRDirect
adminDisplayName: msAscendFRDirect
adminDescription: msAscendFRDirect
attributeId: 1.2.840.113556.1.4.1027
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: KZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendIPDirect,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendIPDirect
adminDisplayName: msAscendIPDirect
adminDescription: msAscendIPDirect
attributeId: 1.2.840.113556.1.4.1053
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Q5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Clock-Alert-Repair,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ClockAlertRepair
adminDisplayName: Clock-Alert-Repair
adminDescription: Clock-Alert-Repair
attributeId: 1.2.840.113556.1.2.164
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: sXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32866
hideFromAB: TRUE
dn: CN=msAscendIPXAlias,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendIPXAlias
adminDisplayName: msAscendIPXAlias
adminDescription: msAscendIPXAlias
attributeId: 1.2.840.113556.1.4.1055
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Clock-Alert-Offset,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ClockAlertOffset
adminDisplayName: Clock-Alert-Offset
adminDescription: Clock-Alert-Offset
attributeId: 1.2.840.113556.1.2.165
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: sHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32865
hideFromAB: TRUE
dn: CN=DXA-In-Template-Map,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAInTemplateMap
adminDisplayName: DXA-In-Template-Map
adminDescription: DXA-In-Template-Map
attributeId: 1.2.840.113556.1.2.363
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: 1nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32903
hideFromAB: TRUE
dn: CN=DL-Mem-Reject-Perms,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DLMemRejectPerms
adminDisplayName: DL-Mem-Reject-Perms
adminDescription: DL-Mem-Reject-Perms
attributeId: 1.2.840.113556.1.2.47
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: VgYBAgULHQ==
schemaIdGuid:: wnPfqOrF0RG7ywCAx2ZwwA==
linkID: 116
hideFromAB: TRUE
dn: CN=Character-Set-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CharacterSetList
adminDisplayName: Character-Set-List
adminDescription: Character-Set-List
attributeId: 1.2.840.113556.1.2.477
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: rnPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33154
hideFromAB: TRUE
dn: CN=Expand-DLs-Locally,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ExpandDLsLocally
adminDisplayName: Expand-DLs-Locally
adminDescription: Expand-DLs-Locally
attributeId: 1.2.840.113556.1.2.201
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32932
hideFromAB: TRUE
dn: CN=Authorized-Domain,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AuthorizedDomain
adminDisplayName: Authorized-Domain
adminDescription: Authorized-Domain
attributeId: 1.2.840.113556.1.2.202
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 15
schemaIdGuid:: mnPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32852
hideFromAB: TRUE
dn: CN=Folders-Container,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: FoldersContainer
adminDisplayName: Folders-Container
adminDescription: Folders-Container
attributeId: 1.2.840.113556.1.2.235
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: /3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32942
hideFromAB: TRUE
dn: CN=msAscendCallType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCallType
adminDisplayName: msAscendCallType
adminDescription: msAscendCallType
attributeId: 1.2.840.113556.1.4.997
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: C5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFRLinkUp,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRLinkUp
adminDisplayName: msAscendFRLinkUp
adminDescription: msAscendFRLinkUp
attributeId: 1.2.840.113556.1.4.1034
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: MJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendHostInfo,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendHostInfo
adminDisplayName: msAscendHostInfo
adminDescription: msAscendHostInfo
attributeId: 1.2.840.113556.1.4.1049
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: P5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Local-Initial-Turn,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: LocalInitialTurn
adminDisplayName: Local-Initial-Turn
adminDescription: Local-Initial-Turn
attributeId: 1.2.840.113556.1.2.39
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: HHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32968
hideFromAB: TRUE
dn: CN=Home-Public-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: HomePublicServer
adminDisplayName: Home-Public-Server
adminDescription: Home-Public-Server
attributeId: 1.2.840.113556.1.2.441
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: BnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32831
hideFromAB: TRUE
dn: CN=msAscendMenuItem,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMenuItem
adminDisplayName: msAscendMenuItem
adminDescription: msAscendMenuItem
attributeId: 1.2.840.113556.1.4.1063
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: TZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendRemoteFW,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendRemoteFW
adminDisplayName: msAscendRemoteFW
adminDescription: msAscendRemoteFW
attributeId: 1.2.840.113556.1.4.1092
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: apAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Encrypt-Alg-List-NA,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: EncryptAlgListNA
adminDisplayName: Encrypt-Alg-List-NA
adminDescription: Encrypt-Alg-List-NA
attributeId: 1.2.840.113556.1.2.130
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: 93PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32832
hideFromAB: TRUE
dn: CN=Incoming-Password,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: IncomingPassword
adminDisplayName: Incoming-Password
adminDescription: Incoming-Password
attributeId: 1.2.840.113556.1.2.521
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: FXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33199
hideFromAB: TRUE
dn: CN=msAscendSendAuth,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendSendAuth
adminDisplayName: msAscendSendAuth
adminDescription: msAscendSendAuth
attributeId: 1.2.840.113556.1.4.1101
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: c5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DL-Mem-Submit-Perms,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DLMemSubmitPerms
adminDisplayName: DL-Mem-Submit-Perms
adminDescription: DL-Mem-Submit-Perms
attributeId: 1.2.840.113556.1.2.144
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: VgYBAgULHQ==
schemaIdGuid:: xHPfqOrF0RG7ywCAx2ZwwA==
linkID: 112
hideFromAB: TRUE
dn: CN=msAscendFT1Caller,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFT1Caller
adminDisplayName: msAscendFT1Caller
adminDescription: msAscendFT1Caller
attributeId: 1.2.840.113556.1.4.1041
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: N5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendIPXRoute,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendIPXRoute
adminDisplayName: msAscendIPXRoute
adminDescription: msAscendIPXRoute
attributeId: 1.2.840.113556.1.4.1058
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: SJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendRouteIPX,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendRouteIPX
adminDisplayName: msAscendRouteIPX
adminDescription: msAscendRouteIPX
attributeId: 1.2.840.113556.1.4.1097
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: b5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendXmitRate,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendXmitRate
adminDisplayName: msAscendXmitRate
adminDescription: msAscendXmitRate
attributeId: 1.2.840.113556.1.4.1118
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Authenticate,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQAuthenticate
adminDisplayName: MSMQ-Authenticate
adminDescription: MSMQ-Authenticate
attributeId: 1.2.840.113556.1.4.923
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=msRADIUSFilterId,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFilterId
adminDisplayName: msRADIUSFilterId
adminDescription: msRADIUSFilterId
attributeId: 1.2.840.113556.1.4.1148
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: n5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Anonymous-Account,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AnonymousAccount
adminDisplayName: Anonymous-Account
adminDescription: Anonymous-Account
attributeId: 1.2.840.113556.1.2.561
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: k3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 35878
hideFromAB: TRUE
dn: CN=Export-Containers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ExportContainers
adminDisplayName: Export-Containers
adminDescription: Export-Containers
attributeId: 1.2.840.113556.1.2.111
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: /HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32933
hideFromAB: TRUE
dn: CN=Monitored-Servers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoredServers
adminDisplayName: Monitored-Servers
adminDescription: Monitored-Servers
attributeId: 1.2.840.113556.1.2.179
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: JnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32986
hideFromAB: TRUE
dn: CN=MSMQ-Base-Priority,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQBasePriority
adminDisplayName: MSMQ-Base-Priority
adminDescription: MSMQ-Base-Priority
attributeId: 1.2.840.113556.1.4.920
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: I8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=Num-Of-Open-Retries,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: NumOfOpenRetries
adminDisplayName: Num-Of-Open-Retries
adminDescription: Num-Of-Open-Retries
attributeId: 1.2.840.113556.1.2.148
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: OnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33012
hideFromAB: TRUE
dn: CN=Outbound-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OutboundNewsfeed
adminDisplayName: Outbound-Newsfeed
adminDescription: Outbound-Newsfeed
attributeId: 1.2.840.113556.1.2.496
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33173
hideFromAB: TRUE
dn: CN=MSMQ-Journal-Quota,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQJournalQuota
adminDisplayName: MSMQ-Journal-Quota
adminDescription: MSMQ-Journal-Quota
attributeId: 1.2.840.113556.1.4.921
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=P-Selector-Inbound,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: PSelectorInbound
adminDisplayName: P-Selector-Inbound
adminDescription: P-Selector-Inbound
attributeId: 1.2.840.113556.1.2.52
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 16
schemaIdGuid:: SXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33031
hideFromAB: TRUE
dn: CN=MSMQ-Computer-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQComputerType
adminDisplayName: MSMQ-Computer-Type
adminDescription: MSMQ-Computer-Type
attributeId: 1.2.840.113556.1.4.933
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: LsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Outbound-Host-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OutboundHostType
adminDisplayName: Outbound-Host-Type
adminDescription: Outbound-Host-Type
attributeId: 1.2.840.113556.1.2.522
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Q3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33200
hideFromAB: TRUE
dn: CN=S-Selector-Inbound,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SSelectorInbound
adminDisplayName: S-Selector-Inbound
adminDescription: S-Selector-Inbound
attributeId: 1.2.840.113556.1.2.46
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 16
schemaIdGuid:: bXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33068
hideFromAB: TRUE
dn: CN=Off-Line-AB-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OffLineABSchedule
adminDisplayName: Off-Line-AB-Schedule
adminDescription: Off-Line-AB-Schedule
attributeId: 1.2.840.113556.1.2.389
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 84
rangeUpper: 84
schemaIdGuid:: PXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33017
hideFromAB: TRUE
dn: CN=msAscendCBCPDelay,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCBCPDelay
adminDisplayName: msAscendCBCPDelay
adminDescription: msAscendCBCPDelay
attributeId: 1.2.840.113556.1.4.998
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=RAS-Callback-Number,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RASCallbackNumber
adminDisplayName: RAS-Callback-Number
adminDescription: RAS-Callback-Number
attributeId: 1.2.840.113556.1.2.315
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 48
schemaIdGuid:: UnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33045
hideFromAB: TRUE
dn: CN=Site-Folder-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SiteFolderServer
adminDisplayName: Site-Folder-Server
adminDescription: Site-Folder-Server
attributeId: 1.2.840.113556.1.2.457
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: eHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33127
hideFromAB: TRUE
dn: CN=T-Selector-Inbound,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TSelectorInbound
adminDisplayName: T-Selector-Inbound
adminDescription: T-Selector-Inbound
attributeId: 1.2.840.113556.1.2.5
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: gnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33089
hideFromAB: TRUE
dn: CN=Trans-Timeout-Mins,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TransTimeoutMins
adminDisplayName: Trans-Timeout-Mins
adminDescription: Trans-Timeout-Mins
attributeId: 1.2.840.113556.1.2.220
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: i3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33096
hideFromAB: TRUE
dn: CN=Bridgehead-Servers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: BridgeheadServers
adminDisplayName: Bridgehead-Servers
adminDescription: Bridgehead-Servers
attributeId: 1.2.840.113556.1.2.463
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: oHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33140
hideFromAB: TRUE
dn: CN=Gateway-Local-Desig,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: GatewayLocalDesig
adminDisplayName: Gateway-Local-Desig
adminDescription: Gateway-Local-Desig
attributeId: 1.2.840.113556.1.2.29
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: AnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32945
hideFromAB: TRUE
dn: CN=msAscendHandleIPX,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendHandleIPX
adminDisplayName: msAscendHandleIPX
adminDescription: msAscendHandleIPX
attributeId: 1.2.840.113556.1.4.1043
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendIdleLimit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendIdleLimit
adminDisplayName: msAscendIdleLimit
adminDescription: msAscendIdleLimit
attributeId: 1.2.840.113556.1.4.1050
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendIFNetmask,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendIFNetmask
adminDisplayName: msAscendIFNetmask
adminDescription: msAscendIFNetmask
attributeId: 1.2.840.113556.1.4.1051
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Extended-Class-Info,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: extendedClassInfo
adminDisplayName: Extended-Class-Info
adminDescription: Extended-Class-Info
attributeId: 1.2.840.113556.1.4.908
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: SNl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=msAscendDHCPReply,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDHCPReply
adminDisplayName: msAscendDHCPReply
adminDescription: msAscendDHCPReply
attributeId: 1.2.840.113556.1.4.1014
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: HJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFRLinkMgt,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRLinkMgt
adminDisplayName: msAscendFRLinkMgt
adminDescription: msAscendFRLinkMgt
attributeId: 1.2.840.113556.1.4.1033
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: L5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Admin-Extension-DLL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AdminExtensionDLL
adminDisplayName: Admin-Extension-DLL
adminDescription: Admin-Extension-DLL
attributeId: 1.2.840.113556.1.2.95
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 255
schemaIdGuid:: kXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32844
hideFromAB: TRUE
dn: CN=msAscendFirstDest,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFirstDest
adminDisplayName: msAscendFirstDest
adminDescription: msAscendFirstDest
attributeId: 1.2.840.113556.1.4.1022
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=List-Public-Folders,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ListPublicFolders
adminDisplayName: List-Public-Folders
adminDescription: List-Public-Folders
attributeId: 1.2.840.113556.1.2.592
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: GXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35920
hideFromAB: TRUE
dn: CN=Display-Name-Suffix,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DisplayNameSuffix
adminDisplayName: Display-Name-Suffix
adminDescription: Display-Name-Suffix
attributeId: 1.2.840.113556.1.2.586
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: wXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 35908
hideFromAB: TRUE
dn: CN=msRADIUSEapTypeID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSEapTypeID
adminDisplayName: msRADIUSEapTypeID
adminDescription: msRADIUSEapTypeID
attributeId: 1.2.840.113556.1.4.1210
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 4I3dYZnF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Allowed-Attributes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: allowedAttributes
adminDisplayName: Allowed-Attributes
adminDescription: Allowed-Attributes
attributeId: 1.2.840.113556.1.4.913
attributeSyntax: 2.5.5.2
omSyntax: 6
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: QNl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=Certificate-Chain-V3,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CertificateChainV3
adminDisplayName: Certificate-Chain-V3
adminDescription: Certificate-Chain-V3
attributeId: 1.2.840.113556.1.2.562
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: qnPfqOrF0RG7ywCAx2ZwwA==
mapiID: 35879
hideFromAB: TRUE
dn: CN=DXA-Out-Template-Map,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAOutTemplateMap
adminDisplayName: DXA-Out-Template-Map
adminDescription: DXA-Out-Template-Map
attributeId: 1.2.840.113556.1.2.364
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: 2nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32907
hideFromAB: TRUE
dn: CN=msAscendEventType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendEventType
adminDisplayName: msAscendEventType
adminDescription: msAscendEventType
attributeId: 1.2.840.113556.1.4.1019
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: IZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Transactional,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQTransactional
adminDisplayName: MSMQ-Transactional
adminDescription: MSMQ-Transactional
attributeId: 1.2.840.113556.1.4.926
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: KcMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=msRADIUSFramedMTU,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedMTU
adminDisplayName: msRADIUSFramedMTU
adminDescription: msRADIUSFramedMTU
attributeId: 1.2.840.113556.1.4.1156
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: p5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Possible-Inferiors,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: possibleInferiors
adminDisplayName: Possible-Inferiors
adminDescription: Possible-Inferiors
attributeId: 1.2.840.113556.1.4.915
attributeSyntax: 2.5.5.2
omSyntax: 6
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: TNl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=MSMQ-Privacy-Levell,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQPrivacyLevell
adminDisplayName: MSMQ-Privacy-Levell
adminDescription: MSMQ-Privacy-Levell
attributeId: 1.2.840.113556.1.4.924
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: J8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=RAS-Remote-SRVR-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RASRemoteSRVRName
adminDisplayName: RAS-Remote-SRVR-Name
adminDescription: RAS-Remote-SRVR-Name
attributeId: 1.2.840.113556.1.2.78
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 15
schemaIdGuid:: VnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33048
hideFromAB: TRUE
dn: CN=Proxy-Generator-DLL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ProxyGeneratorDLL
adminDisplayName: Proxy-Generator-DLL
adminDescription: Proxy-Generator-DLL
attributeId: 1.2.840.113556.1.2.328
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 255
schemaIdGuid:: TnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33039
hideFromAB: TRUE
dn: CN=Remote-Out-BH-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RemoteOutBHServer
adminDisplayName: Remote-Out-BH-Server
adminDescription: Remote-Out-BH-Server
attributeId: 1.2.840.113556.1.2.310
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: WnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33052
hideFromAB: TRUE
dn: CN=RTS-Checkpoint-Size,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RTSCheckpointSize
adminDisplayName: RTS-Checkpoint-Size
adminDescription: RTS-Checkpoint-Size
attributeId: 1.2.840.113556.1.2.152
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 100
schemaIdGuid:: aHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33063
hideFromAB: TRUE
dn: CN=msAscendBACPEnable,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendBACPEnable
adminDisplayName: msAscendBACPEnable
adminDescription: msAscendBACPEnable
attributeId: 1.2.840.113556.1.4.986
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: AJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendCBCPEnable,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCBCPEnable
adminDisplayName: msAscendCBCPEnable
adminDescription: msAscendCBCPEnable
attributeId: 1.2.840.113556.1.4.999
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSPortLimit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSPortLimit
adminDisplayName: msRADIUSPortLimit
adminDescription: msRADIUSPortLimit
attributeId: 1.2.840.113556.1.4.1169
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: tJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Open-Retry-Interval,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OpenRetryInterval
adminDisplayName: Open-Retry-Interval
adminDescription: Open-Retry-Interval
attributeId: 1.2.840.113556.1.2.143
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33024
hideFromAB: TRUE
dn: CN=NNTP-Distributions,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: NNTPDistributions
adminDisplayName: NNTP-Distributions
adminDescription: NNTP-Distributions
attributeId: 1.2.840.113556.1.2.498
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 4096
schemaIdGuid:: OHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33175
hideFromAB: TRUE
dn: CN=SMIME-Alg-List-Other,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SMIMEAlgListOther
adminDisplayName: SMIME-Alg-List-Other
adminDescription: SMIME-Alg-List-Other
attributeId: 1.2.840.113556.1.2.569
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: e3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35892
hideFromAB: TRUE
dn: CN=SubSchemaSubEntry,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: subSchemaSubEntry
adminDisplayName: SubSchemaSubEntry
adminDescription: SubSchemaSubEntry
attributeId: 2.5.18.10
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIDGUID:: Tdl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=Well-Known-Objects,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: wellKnownObjects
adminDisplayName: Well-Known-Objects
adminDescription: Well-Known-Objects
attributeId: 1.2.840.113556.1.4.618
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
oMObjectClass:: KoZIhvcUAQEBCw==
schemaIdGuid:: g4kwBYh20RGt7QDAT9jVzQ==
hideFromAB: TRUE
dn: CN=X25-Leased-Line-Port,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: X25LeasedLinePort
adminDisplayName: X25-Leased-Line-Port
adminDescription: X25-Leased-Line-Port
attributeId: 1.2.840.113556.1.2.321
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 3
schemaIdGuid:: n3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33117
hideFromAB: TRUE
dn: CN=msAscendCallByCall,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCallByCall
adminDisplayName: msAscendCallByCall
adminDescription: msAscendCallByCall
attributeId: 1.2.840.113556.1.4.995
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: CZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSCallbackId,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSCallbackId
adminDisplayName: msRADIUSCallbackId
adminDescription: msRADIUSCallbackId
attributeId: 1.2.840.113556.1.4.1144
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: m5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=X25-Remote-MTA-Phone,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: X25RemoteMTAPhone
adminDisplayName: X25-Remote-MTA-Phone
adminDescription: X25-Remote-MTA-Phone
attributeId: 1.2.840.113556.1.2.373
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 55
schemaIdGuid:: oXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33119
hideFromAB: TRUE
dn: CN=MDB-Backoff-Interval,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MDBBackoffInterval
adminDisplayName: MDB-Backoff-Interval
adminDescription: MDB-Backoff-Interval
attributeId: 1.2.840.113556.1.2.72
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: H3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 32975
hideFromAB: TRUE
dn: CN=X400-Attachment-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: X400AttachmentType
adminDisplayName: X400-Attachment-Type
adminDescription: X400-Attachment-Type
attributeId: 1.2.840.113556.1.2.99
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: onTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33120
hideFromAB: TRUE
dn: CN=Import-Sensitivity,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ImportSensitivity
adminDisplayName: Import-Sensitivity
adminDescription: Import-Sensitivity
attributeId: 1.2.840.113556.1.2.383
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32955
hideFromAB: TRUE
dn: CN=msAscendAddSeconds,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendAddSeconds
adminDisplayName: msAscendAddSeconds
adminDescription: msAscendAddSeconds
attributeId: 1.2.840.113556.1.4.978
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +I8M2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=SMIME-Alg-Selected-NA,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SMIMEAlgSelectedNA
adminDisplayName: SMIME-Alg-Selected-NA
adminDescription: SMIME-Alg-Selected-NA
attributeId: 1.2.840.113556.1.2.570
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: fHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35893
hideFromAB: TRUE
dn: CN=X400-Selector-Syntax,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: X400SelectorSyntax
adminDisplayName: X400-Selector-Syntax
adminDescription: X400-Selector-Syntax
attributeId: 1.2.840.113556.1.2.443
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 1
schemaIdGuid:: o3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33121
hideFromAB: TRUE
dn: CN=Can-Not-Create-PF-DL-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CanNotCreatePFDLBL
adminDisplayName: Can-Not-Create-PF-DL-BL
adminDescription: Can-Not-Create-PF-DL-BL
attributeId: 1.2.840.113556.1.2.342
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: qHPfqOrF0RG7ywCAx2ZwwA==
linkID: 131
mapiID: 32863
hideFromAB: TRUE
systemFlags: 1
dn: CN=XMIT-Timeout-Normal,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: XMITTimeoutNormal
adminDisplayName: XMIT-Timeout-Normal
adminDescription: XMIT-Timeout-Normal
attributeId: 1.2.840.113556.1.2.67
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: pXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33124
hideFromAB: TRUE
dn: CN=Enabled-Protocol-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: EnabledProtocolCfg
adminDisplayName: Enabled-Protocol-Cfg
adminDescription: Enabled-Protocol-Cfg
attributeId: 1.2.840.113556.1.2.515
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33192
hideFromAB: TRUE
dn: CN=msAscendDataFilter,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDataFilter
adminDisplayName: msAscendDataFilter
adminDescription: msAscendDataFilter
attributeId: 1.2.840.113556.1.4.1007
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: FZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendCallFilter,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCallFilter
adminDisplayName: msAscendCallFilter
adminDescription: msAscendCallFilter
attributeId: 1.2.840.113556.1.4.996
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: CpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendDialNumber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDialNumber
adminDisplayName: msAscendDialNumber
adminDescription: msAscendDialNumber
attributeId: 1.2.840.113556.1.4.1015
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: HZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=XMIT-Timeout-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: XMITTimeoutUrgent
adminDisplayName: XMIT-Timeout-Urgent
adminDescription: XMIT-Timeout-Urgent
attributeId: 1.2.840.113556.1.2.53
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: pnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33125
hideFromAB: TRUE
dn: CN=msAscendRemoteAddr,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendRemoteAddr
adminDisplayName: msAscendRemoteAddr
adminDescription: msAscendRemoteAddr
attributeId: 1.2.840.113556.1.4.1091
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: aZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendTSIdleMode,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendTSIdleMode
adminDisplayName: msAscendTSIdleMode
adminDescription: msAscendTSIdleMode
attributeId: 1.2.840.113556.1.4.1110
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DL-Mem-Reject-Perms-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DLMemRejectPermsBL
adminDisplayName: DL-Mem-Reject-Perms-BL
adminDescription: DL-Mem-Reject-Perms-BL
attributeId: 1.2.840.113556.1.2.293
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: w3PfqOrF0RG7ywCAx2ZwwA==
linkID: 117
mapiID: 32882
hideFromAB: TRUE
systemFlags: 1
dn: CN=msAscendDBAMonitor,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDBAMonitor
adminDisplayName: msAscendDBAMonitor
adminDescription: msAscendDBAMonitor
attributeId: 1.2.840.113556.1.4.1010
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: GJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Clock-Warning-Repair,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ClockWarningRepair
adminDisplayName: Clock-Warning-Repair
adminDescription: Clock-Warning-Repair
attributeId: 1.2.840.113556.1.2.166
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: s3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32868
hideFromAB: TRUE
dn: CN=msAscendPPPAddress,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPPPAddress
adminDisplayName: msAscendPPPAddress
adminDescription: msAscendPPPAddress
attributeId: 1.2.840.113556.1.4.1078
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: XJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendSendSecret,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendSendSecret
adminDisplayName: msAscendSendSecret
adminDescription: msAscendSendSecret
attributeId: 1.2.840.113556.1.4.1103
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSEapKeyFlag,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSEapKeyFlag
adminDisplayName: msRADIUSEapKeyFlag
adminDescription: msRADIUSEapKeyFlag
attributeId: 1.2.840.113556.1.4.1211
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 4Y3dYZnF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Clock-Warning-Offset,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ClockWarningOffset
adminDisplayName: Clock-Warning-Offset
adminDescription: Clock-Warning-Offset
attributeId: 1.2.840.113556.1.2.177
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: snPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32867
hideFromAB: TRUE
dn: CN=msAscendSendPasswd,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendSendPasswd
adminDisplayName: msAscendSendPasswd
adminDescription: msAscendSendPasswd
attributeId: 1.2.840.113556.1.4.1102
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Exchange-Options,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAExchangeOptions
adminDisplayName: DXA-Exchange-Options
adminDescription: DXA-Exchange-Options
attributeId: 1.2.840.113556.1.2.359
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 3
schemaIdGuid:: 0HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32896
hideFromAB: TRUE
dn: CN=Control-Msg-Folder-ID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ControlMsgFolderID
adminDisplayName: Control-Msg-Folder-ID
adminDescription: Control-Msg-Folder-ID
attributeId: 1.2.840.113556.1.2.483
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 1024
schemaIdGuid:: unPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33160
hideFromAB: TRUE
dn: CN=msAscendTargetUtil,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendTargetUtil
adminDisplayName: msAscendTargetUtil
adminDescription: msAscendTargetUtil
attributeId: 1.2.840.113556.1.4.1106
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Replication-Stagger,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ReplicationStagger
adminDisplayName: Replication-Stagger
adminDescription: Replication-Stagger
attributeId: 1.2.840.113556.1.2.349
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: XXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33055
hideFromAB: TRUE
dn: CN=msRADIUSVendorName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSVendorName
adminDisplayName: msRADIUSVendorName
adminDescription: msRADIUSVendorName
attributeId: 1.2.840.113556.1.4.1182
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DL-Mem-Submit-Perms-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DLMemSubmitPermsBL
adminDisplayName: DL-Mem-Submit-Perms-BL
adminDescription: DL-Mem-Submit-Perms-BL
attributeId: 1.2.840.113556.1.2.291
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: xXPfqOrF0RG7ywCAx2ZwwA==
linkID: 113
mapiID: 32883
hideFromAB: TRUE
systemFlags: 1
dn: CN=Service-Action-First,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ServiceActionFirst
adminDisplayName: Service-Action-First
adminDescription: Service-Action-First
attributeId: 1.2.840.113556.1.2.161
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: cHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33073
hideFromAB: TRUE
dn: CN=msNPAllowedEapType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPAllowedEapType
adminDisplayName: msNPAllowedEapType
adminDescription: msNPAllowedEapType
attributeId: 1.2.840.113556.1.4.1120
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Service-Action-Other,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ServiceActionOther
adminDisplayName: Service-Action-Other
adminDescription: Service-Action-Other
attributeId: 1.2.840.113556.1.2.59
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: cXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33074
hideFromAB: TRUE
dn: CN=Telephone-Assistant,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TelephoneAssistant
adminDisplayName: Telephone-Assistant
adminDescription: Telephone-Assistant
attributeId: 1.2.840.113556.1.2.79
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: hHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 14894
hideFromAB: TRUE
dn: CN=Temp-Assoc-Threshold,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TempAssocThreshold
adminDisplayName: Temp-Assoc-Threshold
adminDescription: Temp-Assoc-Threshold
attributeId: 1.2.840.113556.1.2.329
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32767
schemaIdGuid:: iHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33092
hideFromAB: TRUE
dn: CN=DXA-Template-Options,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXATemplateOptions
adminDisplayName: DXA-Template-Options
adminDescription: DXA-Template-Options
attributeId: 1.2.840.113556.1.2.358
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 3
schemaIdGuid:: 63PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32926
hideFromAB: TRUE
dn: CN=Gateway-Routing-Tree,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: GatewayRoutingTree
adminDisplayName: Gateway-Routing-Tree
adminDescription: Gateway-Routing-Tree
attributeId: 1.2.840.113556.1.2.167
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: A3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 32947
hideFromAB: TRUE
dn: CN=X25-Leased-or-Switched,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: X25LeasedorSwitched
adminDisplayName: X25-Leased-or-Switched
adminDescription: X25-Leased-or-Switched
attributeId: 1.2.840.113556.1.2.372
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: oHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33118
hideFromAB: TRUE
dn: CN=Authorized-Password,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AuthorizedPassword
adminDisplayName: Authorized-Password
adminDescription: Authorized-Password
attributeId: 1.2.840.113556.1.2.193
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 512
schemaIdGuid:: m3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32853
hideFromAB: TRUE
dn: CN=Return-Exact-Msg-Size,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ReturnExactMsgSize
adminDisplayName: Return-Exact-Msg-Size
adminDescription: Return-Exact-Msg-Size
attributeId: 1.2.840.113556.1.2.594
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Y3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35922
hideFromAB: TRUE
dn: CN=Client-Access-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ClientAccessEnabled
adminDisplayName: Client-Access-Enabled
adminDescription: Client-Access-Enabled
attributeId: 1.2.840.113556.1.2.559
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: r3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 35876
hideFromAB: TRUE
dn: CN=Report-To-Originator,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ReportToOriginator
adminDisplayName: Report-To-Originator
adminDescription: Report-To-Originator
attributeId: 1.2.840.113556.1.2.206
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: XnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33056
hideFromAB: TRUE
dn: CN=msRADIUSTunnelType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSTunnelType
adminDisplayName: msRADIUSTunnelType
adminDescription: msRADIUSTunnelType
attributeId: 1.2.840.113556.1.4.1181
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=RTS-Recovery-Timeout,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RTSRecoveryTimeout
adminDisplayName: RTS-Recovery-Timeout
adminDescription: RTS-Recovery-Timeout
attributeId: 1.2.840.113556.1.2.151
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: aXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33064
hideFromAB: TRUE
dn: CN=Allowed-Child-Classes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: allowedChildClasses
adminDisplayName: Allowed-Child-Classes
adminDescription: Allowed-Child-Classes
attributeId: 1.2.840.113556.1.4.911
attributeSyntax: 2.5.5.2
omSyntax: 6
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: Qtl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=msAscendFRNailedGrp,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRNailedGrp
adminDisplayName: msAscendFRNailedGrp
adminDescription: msAscendFRNailedGrp
attributeId: 1.2.840.113556.1.4.1036
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: MpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendAuthenAlias,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendAuthenAlias
adminDisplayName: msAscendAuthenAlias
adminDescription: msAscendAuthenAlias
attributeId: 1.2.840.113556.1.4.984
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: /o8M2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendIPXNodeAddr,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendIPXNodeAddr
adminDisplayName: msAscendIPXNodeAddr
adminDescription: msAscendIPXNodeAddr
attributeId: 1.2.840.113556.1.4.1056
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Enable-Compatibility,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: EnableCompatibility
adminDisplayName: Enable-Compatibility
adminDescription: Enable-Compatibility
attributeId: 1.2.840.113556.1.2.567
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 8XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 35890
hideFromAB: TRUE
dn: CN=Association-Lifetime,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AssociationLifetime
adminDisplayName: Association-Lifetime
adminDescription: Association-Lifetime
attributeId: 1.2.840.113556.1.2.149
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: lnPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32850
hideFromAB: TRUE
dn: CN=Off-Line-AB-Containers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OffLineABContainers
adminDisplayName: Off-Line-AB-Containers
adminDescription: Off-Line-AB-Containers
attributeId: 1.2.840.113556.1.2.391
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: PHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33016
hideFromAB: TRUE
dn: CN=Cross-Certificate-CRL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CrossCertificateCRL
adminDisplayName: Cross-Certificate-CRL
adminDescription: Cross-Certificate-CRL
attributeId: 1.2.840.113556.1.2.565
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: vHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 35888
hideFromAB: TRUE
dn: CN=msAscendIPXPeerMode,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendIPXPeerMode
adminDisplayName: msAscendIPXPeerMode
adminDescription: msAscendIPXPeerMode
attributeId: 1.2.840.113556.1.4.1057
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: R5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendTSIdleLimit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendTSIdleLimit
adminDisplayName: msAscendTSIdleLimit
adminDescription: msAscendTSIdleLimit
attributeId: 1.2.840.113556.1.4.1109
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: e5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendMultilinkID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMultilinkID
adminDisplayName: msAscendMultilinkID
adminDescription: msAscendMultilinkID
attributeId: 1.2.840.113556.1.4.1074
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: WJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendUserAcctKey,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendUserAcctKey
adminDisplayName: msAscendUserAcctKey
adminDescription: msAscendUserAcctKey
attributeId: 1.2.840.113556.1.4.1114
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msNPCalledStationID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPCalledStationID
adminDisplayName: msNPCalledStationID
adminDescription: msNPCalledStationID
attributeId: 1.2.840.113556.1.4.1123
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: iZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Encapsulation-Method,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: EncapsulationMethod
adminDisplayName: Encapsulation-Method
adminDescription: Encapsulation-Method
attributeId: 1.2.840.113556.1.2.448
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32930
hideFromAB: TRUE
dn: CN=msAscendPPPAsyncMap,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPPPAsyncMap
adminDisplayName: msAscendPPPAsyncMap
adminDescription: msAscendPPPAsyncMap
attributeId: 1.2.840.113556.1.4.1079
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: XZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendMaximumTime,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMaximumTime
adminDisplayName: msAscendMaximumTime
adminDescription: msAscendMaximumTime
attributeId: 1.2.840.113556.1.4.1062
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: TJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendRequireAuth,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendRequireAuth
adminDisplayName: msAscendRequireAuth
adminDescription: msAscendRequireAuth
attributeId: 1.2.840.113556.1.4.1094
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendModemSlotNo,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendModemSlotNo
adminDisplayName: msAscendModemSlotNo
adminDescription: msAscendModemSlotNo
attributeId: 1.2.840.113556.1.4.1069
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: U5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Responsible-Local-DXA,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ResponsibleLocalDXA
adminDisplayName: Responsible-Local-DXA
adminDescription: Responsible-Local-DXA
attributeId: 1.2.840.113556.1.2.298
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: YnTfqOrF0RG7ywCAx2ZwwA==
linkID: 122
mapiID: 33059
hideFromAB: TRUE
dn: CN=Inbound-Newsfeed-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: InboundNewsfeedType
adminDisplayName: Inbound-Newsfeed-Type
adminDescription: Inbound-Newsfeed-Type
attributeId: 1.2.840.113556.1.2.554
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: E3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35871
hideFromAB: TRUE
dn: CN=msAscendModemPortNo,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendModemPortNo
adminDisplayName: msAscendModemPortNo
adminDescription: msAscendModemPortNo
attributeId: 1.2.840.113556.1.4.1067
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: UZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MDB-Msg-Time-Out-Period,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MDBMsgTimeOutPeriod
adminDisplayName: MDB-Msg-Time-Out-Period
adminDescription: MDB-Msg-Time-Out-Period
attributeId: 1.2.840.113556.1.2.64
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: IHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32976
hideFromAB: TRUE
dn: CN=msRADIUSFramedRoute,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedRoute
adminDisplayName: msRADIUSFramedRoute
adminDescription: msRADIUSFramedRoute
attributeId: 1.2.840.113556.1.4.1158
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: qZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Presentation-Address,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: presentationAddress
adminDisplayName: Presentation-Address
adminDescription: Presentation-Address
attributeId: 2.5.4.29
attributeSyntax: 2.5.5.13
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVc
schemaIdGuid:: S3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendThirdPrompt,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendThirdPrompt
adminDisplayName: msAscendThirdPrompt
adminDescription: msAscendThirdPrompt
attributeId: 1.2.840.113556.1.4.1107
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSIdleTimeout,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSIdleTimeout
adminDisplayName: msRADIUSIdleTimeout
adminDescription: msRADIUSIdleTimeout
attributeId: 1.2.840.113556.1.4.1160
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: q5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Authentication-To-Use,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AuthenticationToUse
adminDisplayName: Authentication-To-Use
adminDescription: Authentication-To-Use
attributeId: 1.2.840.113556.1.2.501
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: mXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33178
hideFromAB: TRUE
dn: CN=Encrypt-Alg-List-Other,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: EncryptAlgListOther
adminDisplayName: Encrypt-Alg-List-Other
adminDescription: Encrypt-Alg-List-Other
attributeId: 1.2.840.113556.1.2.399
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: +HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32833
hideFromAB: TRUE
dn: CN=HTTP-Pub-AB-Attributes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: HTTPPubABAttributes
adminDisplayName: HTTP-Pub-AB-Attributes
adminDescription: HTTP-Pub-AB-Attributes
attributeId: 1.2.840.113556.1.2.516
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: CHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33193
hideFromAB: TRUE
dn: CN=msRADIUSLoginIPHost,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSLoginIPHost
adminDisplayName: msRADIUSLoginIPHost
adminDescription: msRADIUSLoginIPHost
attributeId: 1.2.840.113556.1.4.1161
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSServiceType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSServiceType
adminDisplayName: msRADIUSServiceType
adminDescription: msRADIUSServiceType
attributeId: 1.2.840.113556.1.4.1171
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: tpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msNPSessionsAllowed,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPSessionsAllowed
adminDisplayName: msNPSessionsAllowed
adminDescription: msNPSessionsAllowed
attributeId: 1.2.840.113556.1.4.1132
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: kJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Service-Action-Second,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ServiceActionSecond
adminDisplayName: Service-Action-Second
adminDescription: Service-Action-Second
attributeId: 1.2.840.113556.1.2.60
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: cnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33075
hideFromAB: TRUE
dn: CN=Service-Restart-Delay,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ServiceRestartDelay
adminDisplayName: Service-Restart-Delay
adminDescription: Service-Restart-Delay
attributeId: 1.2.840.113556.1.2.162
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: c3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33076
hideFromAB: TRUE
dn: CN=msAscendFRDirectDLCI,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRDirectDLCI
adminDisplayName: msAscendFRDirectDLCI
adminDescription: msAscendFRDirectDLCI
attributeId: 1.2.840.113556.1.4.1028
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: KpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendUserAcctBase,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendUserAcctBase
adminDisplayName: msAscendUserAcctBase
adminDescription: msAscendUserAcctBase
attributeId: 1.2.840.113556.1.4.1112
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFCPParameter,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFCPParameter
adminDisplayName: msAscendFCPParameter
adminDescription: msAscendFCPParameter
attributeId: 1.2.840.113556.1.4.1021
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: I5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Filter-Local-Addresses,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: FilterLocalAddresses
adminDisplayName: Filter-Local-Addresses
adminDescription: Filter-Local-Addresses
attributeId: 1.2.840.113556.1.2.44
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: /nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32941
hideFromAB: TRUE
dn: CN=msAscendModemShelfNo,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendModemShelfNo
adminDisplayName: msAscendModemShelfNo
adminDescription: msAscendModemShelfNo
attributeId: 1.2.840.113556.1.4.1068
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: UpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Encrypt-Alg-Selected-NA,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: EncryptAlgSelectedNA
adminDisplayName: Encrypt-Alg-Selected-NA
adminDescription: Encrypt-Alg-Selected-NA
attributeId: 1.2.840.113556.1.2.401
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: +XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32835
hideFromAB: TRUE
dn: CN=Default-Message-Format,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DefaultMessageFormat
adminDisplayName: Default-Message-Format
adminDescription: Default-Message-Format
attributeId: 1.2.840.113556.1.2.572
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: vXPfqOrF0RG7ywCAx2ZwwA==
mapiID: 35895
hideFromAB: TRUE
dn: CN=msAscendEndpointDisc,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendEndpointDisc
adminDisplayName: msAscendEndpointDisc
adminDescription: msAscendEndpointDisc
attributeId: 1.2.840.113556.1.4.1018
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: IJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendUserAcctTime,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendUserAcctTime
adminDisplayName: msAscendUserAcctTime
adminDescription: msAscendUserAcctTime
attributeId: 1.2.840.113556.1.4.1116
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Conf-Container-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAConfContainerList
adminDisplayName: DXA-Conf-Container-List
adminDescription: DXA-Conf-Container-List
attributeId: 1.2.840.113556.1.2.180
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: zHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32892
hideFromAB: TRUE
dn: CN=msAscendMenuSelector,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMenuSelector
adminDisplayName: msAscendMenuSelector
adminDescription: msAscendMenuSelector
attributeId: 1.2.840.113556.1.4.1064
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: TpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Sign-Certificates,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQSignCertificates
adminDisplayName: MSMQ-Sign-Certificates
adminDescription: MSMQ-Sign-Certificates
attributeId: 1.2.840.113556.1.4.947
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: O8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=msAscendAssignIPPool,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendAssignIPPool
adminDisplayName: msAscendAssignIPPool
adminDescription: msAscendAssignIPPool
attributeId: 1.2.840.113556.1.4.982
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: /I8M2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendUserAcctHost,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendUserAcctHost
adminDisplayName: msAscendUserAcctHost
adminDescription: msAscendUserAcctHost
attributeId: 1.2.840.113556.1.4.1113
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: f5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendPreemptLimit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPreemptLimit
adminDisplayName: msAscendPreemptLimit
adminDescription: msAscendPreemptLimit
attributeId: 1.2.840.113556.1.4.1082
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: YJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendUserAcctType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendUserAcctType
adminDisplayName: msAscendUserAcctType
adminDescription: msAscendUserAcctType
attributeId: 1.2.840.113556.1.4.1117
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: g5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Disabled-Gateway-Proxy,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DisabledGatewayProxy
adminDisplayName: Disabled-Gateway-Proxy
adminDescription: Disabled-Gateway-Proxy
attributeId: 1.2.840.113556.1.2.541
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 1024
schemaIdGuid:: wHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33219
hideFromAB: TRUE
dn: CN=DXA-Native-Address-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXANativeAddressType
adminDisplayName: DXA-Native-Address-Type
adminDescription: DXA-Native-Address-Type
attributeId: 1.2.840.113556.1.2.331
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: 2XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32906
hideFromAB: TRUE
dn: CN=DXA-Template-TimeStamp,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXATemplateTimeStamp
adminDisplayName: DXA-Template-TimeStamp
adminDescription: DXA-Template-TimeStamp
attributeId: 1.2.840.113556.1.2.365
attributeSyntax: 2.5.5.11
omSyntax: 23
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 7HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32927
hideFromAB: TRUE
dn: CN=Monitoring-Alert-Delay,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringAlertDelay
adminDisplayName: Monitoring-Alert-Delay
adminDescription: Monitoring-Alert-Delay
attributeId: 1.2.840.113556.1.2.158
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: J3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 32988
hideFromAB: TRUE
dn: CN=msAscendUserAcctPort,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendUserAcctPort
adminDisplayName: msAscendUserAcctPort
adminDescription: msAscendUserAcctPort
attributeId: 1.2.840.113556.1.4.1115
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Connection-List-Filter,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ConnectionListFilter
adminDisplayName: Connection-List-Filter
adminDescription: Connection-List-Filter
attributeId: 1.2.840.113556.1.2.475
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 10240
schemaIdGuid:: tnPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33152
hideFromAB: TRUE
dn: CN=msNPCallingStationID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPCallingStationID
adminDisplayName: msNPCallingStationID
adminDescription: msNPCallingStationID
attributeId: 1.2.840.113556.1.4.1124
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ipAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSArapFeatures,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSArapFeatures
adminDisplayName: msRADIUSArapFeatures
adminDescription: msRADIUSArapFeatures
attributeId: 1.2.840.113556.1.4.1138
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: lZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSLoginLATNode,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSLoginLATNode
adminDisplayName: msRADIUSLoginLATNode
adminDescription: msRADIUSLoginLATNode
attributeId: 1.2.840.113556.1.4.1163
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSLoginService,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSLoginService
adminDisplayName: msRADIUSLoginService
adminDescription: msRADIUSLoginService
attributeId: 1.2.840.113556.1.4.1166
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: sZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Assoc-Protocol-Cfg-NNTP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AssocProtocolCfgNNTP
adminDisplayName: Assoc-Protocol-Cfg-NNTP
adminDescription: Assoc-Protocol-Cfg-NNTP
attributeId: 1.2.840.113556.1.2.512
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: lXPfqOrF0RG7ywCAx2ZwwA==
linkID: 140
mapiID: 33189
hideFromAB: TRUE
dn: CN=Monitoring-Recipients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringRecipients
adminDisplayName: Monitoring-Recipients
adminDescription: Monitoring-Recipients
attributeId: 1.2.840.113556.1.2.159
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: LnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33001
hideFromAB: TRUE
dn: CN=DXA-Prev-Remote-Entries,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAPrevRemoteEntries
adminDisplayName: DXA-Prev-Remote-Entries
adminDescription: DXA-Prev-Remote-Entries
attributeId: 1.2.840.113556.1.2.265
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 33PfqOrF0RG7ywCAx2ZwwA==
mapiID: 32912
hideFromAB: TRUE
dn: CN=msRADIUSArapSecurity,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSArapSecurity
adminDisplayName: msRADIUSArapSecurity
adminDescription: msRADIUSArapSecurity
attributeId: 1.2.840.113556.1.4.1139
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: lpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Text-Encoded-OR-Address,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: textEncodedORAddress
adminDisplayName: Text-Encoded-OR-Address
adminDescription: Text-Encoded-OR-Address
attributeId: 0.9.2342.19200300.100.1.2
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 1024
schemaIdGuid:: iXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35949
hideFromAB: TRUE
dn: CN=msRADIUSLoginLATPort,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSLoginLATPort
adminDisplayName: msRADIUSLoginLATPort
adminDescription: msRADIUSLoginLATPort
attributeId: 1.2.840.113556.1.4.1164
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: r5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Num-Of-Transfer-Retries,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: NumOfTransferRetries
adminDisplayName: Num-Of-Transfer-Retries
adminDescription: Num-Of-Transfer-Retries
attributeId: 1.2.840.113556.1.2.134
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: O3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33013
hideFromAB: TRUE
dn: CN=ACS-Non-Reserved-Tx-Size,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: aCSNonReservedTxSize
adminDisplayName: ACS-Non-Reserved-Tx-Size
adminDescription: ACS-Non-Reserved-Tx-Size
attributeId: 1.2.840.113556.1.4.898
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DSNy8PWu0RG9zwAA+ANnwQ==
hideFromAB: TRUE
dn: CN=msAscendCallbackDelay,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCallbackDelay
adminDisplayName: msAscendCallbackDelay
adminDescription: msAscendCallbackDelay
attributeId: 1.2.840.113556.1.4.993
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: B5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Translation-Table-Used,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TranslationTableUsed
adminDisplayName: Translation-Table-Used
adminDescription: Translation-Table-Used
attributeId: 1.2.840.113556.1.2.396
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: kHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33101
hideFromAB: TRUE
dn: CN=msRADIUSLoginTCPPort,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSLoginTCPPort
adminDisplayName: msRADIUSLoginTCPPort
adminDescription: msRADIUSLoginTCPPort
attributeId: 1.2.840.113556.1.4.1167
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: spAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Outgoing-Msg-Size-Limit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OutgoingMsgSizeLimit
adminDisplayName: Outgoing-Msg-Size-Limit
adminDescription: Outgoing-Msg-Size-Limit
attributeId: 1.2.840.113556.1.2.490
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33167
hideFromAB: TRUE
dn: CN=Monitoring-Alert-Units,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringAlertUnits
adminDisplayName: Monitoring-Alert-Units
adminDescription: Monitoring-Alert-Units
attributeId: 1.2.840.113556.1.2.57
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: KHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32989
hideFromAB: TRUE
dn: CN=OOF-Reply-To-Originator,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: OOFReplyToOriginator
adminDisplayName: OOF-Reply-To-Originator
adminDescription: OOF-Reply-To-Originator
attributeId: 1.2.840.113556.1.2.438
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33023
hideFromAB: TRUE
dn: CN=Disable-Deferred-Commit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DisableDeferredCommit
adminDisplayName: Disable-Deferred-Commit
adminDescription: Disable-Deferred-Commit
attributeId: 1.2.840.113556.1.2.558
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: v3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 35875
hideFromAB: TRUE
dn: CN=msNPAllowedPortTypes,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPAllowedPortTypes
adminDisplayName: msNPAllowedPortTypes
adminDescription: msNPAllowedPortTypes
attributeId: 1.2.840.113556.1.4.1121
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: h5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendBridgeAddress,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendBridgeAddress
adminDisplayName: msAscendBridgeAddress
adminDescription: msAscendBridgeAddress
attributeId: 1.2.840.113556.1.4.990
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Turn-Request-Threshold,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TurnRequestThreshold
adminDisplayName: Turn-Request-Threshold
adminDescription: Turn-Request-Threshold
attributeId: 1.2.840.113556.1.2.38
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: k3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33104
hideFromAB: TRUE
dn: CN=MSMQ-In-Routing-Servers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQInRoutingServers
adminDisplayName: MSMQ-In-Routing-Servers
adminDescription: MSMQ-In-Routing-Servers
attributeId: 1.2.840.113556.1.4.929
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: LMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=XMIT-Timeout-Non-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: XMITTimeoutNonUrgent
adminDisplayName: XMIT-Timeout-Non-Urgent
adminDescription: XMIT-Timeout-Non-Urgent
attributeId: 1.2.840.113556.1.2.84
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: pHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33123
hideFromAB: TRUE
dn: CN=msAscendBillingNumber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendBillingNumber
adminDisplayName: msAscendBillingNumber
adminDescription: msAscendBillingNumber
attributeId: 1.2.840.113556.1.4.988
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ApAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFRProfileName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRProfileName
adminDisplayName: msAscendFRProfileName
adminDescription: msAscendFRProfileName
attributeId: 1.2.840.113556.1.4.1037
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: M5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFRCircuitName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRCircuitName
adminDisplayName: msAscendFRCircuitName
adminDescription: msAscendFRCircuitName
attributeId: 1.2.840.113556.1.4.1024
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendReceiveSecret,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendReceiveSecret
adminDisplayName: msAscendReceiveSecret
adminDescription: msAscendReceiveSecret
attributeId: 1.2.840.113556.1.4.1090
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: aJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=SMIME-Alg-Selected-Other,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SMIMEAlgSelectedOther
adminDisplayName: SMIME-Alg-Selected-Other
adminDescription: SMIME-Alg-Selected-Other
attributeId: 1.2.840.113556.1.2.571
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: fXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35894
hideFromAB: TRUE
dn: CN=msAscendClientGateway,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendClientGateway
adminDisplayName: msAscendClientGateway
adminDescription: msAscendClientGateway
attributeId: 1.2.840.113556.1.4.1003
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: EZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendRemoveSeconds,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendRemoveSeconds
adminDisplayName: msAscendRemoveSeconds
adminDescription: msAscendRemoveSeconds
attributeId: 1.2.840.113556.1.4.1093
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: a5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Extended-Attribute-Info,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: extendedAttributeInfo
adminDisplayName: Extended-Attribute-Info
adminDescription: Extended-Attribute-Info
attributeId: 1.2.840.113556.1.4.909
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: R9l6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004
dn: CN=msRASSavedFramedRoute,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRASSavedFramedRoute
adminDisplayName: msRASSavedFramedRoute
adminDescription: msRASSavedFramedRoute
attributeId: 1.2.840.113556.1.4.1191
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: x5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msNPRADIUSProfileName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPRADIUSProfileName
adminDisplayName: msNPRADIUSProfileName
adminDescription: msNPRADIUSProfileName
attributeId: 1.2.840.113556.1.4.1129
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: jZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Service-Restart-Message,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ServiceRestartMessage
adminDisplayName: Service-Restart-Message
adminDescription: Service-Restart-Message
attributeId: 1.2.840.113556.1.2.58
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 120
schemaIdGuid:: dHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33077
hideFromAB: TRUE
dn: CN=msAscendTransitNumber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendTransitNumber
adminDisplayName: msAscendTransitNumber
adminDescription: msAscendTransitNumber
attributeId: 1.2.840.113556.1.4.1108
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: epAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSFramedRouting,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedRouting
adminDisplayName: msRADIUSFramedRouting
adminDescription: msRADIUSFramedRouting
attributeId: 1.2.840.113556.1.4.1159
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: qpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=RAS-Phonebook-Entry-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RASPhonebookEntryName
adminDisplayName: RAS-Phonebook-Entry-Name
adminDescription: RAS-Phonebook-Entry-Name
attributeId: 1.2.840.113556.1.2.313
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: VXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33047
hideFromAB: TRUE
dn: CN=msAscendPRINumberType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPRINumberType
adminDisplayName: msAscendPRINumberType
adminDescription: msAscendPRINumberType
attributeId: 1.2.840.113556.1.4.1089
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Z5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=NNTP-Distributions-Flag,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: NNTPDistributionsFlag
adminDisplayName: NNTP-Distributions-Flag
adminDescription: NNTP-Distributions-Flag
attributeId: 1.2.840.113556.1.2.511
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33188
hideFromAB: TRUE
dn: CN=msAscendPPPVJSlotComp,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPPPVJSlotComp
adminDisplayName: msAscendPPPVJSlotComp
adminDescription: msAscendPPPVJSlotComp
attributeId: 1.2.840.113556.1.4.1081
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: X5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Local-Bridge-Head-Address,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: LocalBridgeHeadAddress
adminDisplayName: Local-Bridge-Head-Address
adminDescription: Local-Bridge-Head-Address
attributeId: 1.2.840.113556.1.2.225
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 1118
schemaIdGuid:: G3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 32967
hideFromAB: TRUE
dn: CN=msRADIUSLoginLATGroup,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSLoginLATGroup
adminDisplayName: msRADIUSLoginLATGroup
adminDescription: msRADIUSLoginLATGroup
attributeId: 1.2.840.113556.1.4.1162
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendSessionSvrKey,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendSessionSvrKey
adminDisplayName: msAscendSessionSvrKey
adminDescription: msAscendSessionSvrKey
attributeId: 1.2.840.113556.1.4.1104
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Transfer-Timeout-Normal,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TransferTimeoutNormal
adminDisplayName: Transfer-Timeout-Normal
adminDescription: Transfer-Timeout-Normal
attributeId: 1.2.840.113556.1.2.137
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: jnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33099
hideFromAB: TRUE
dn: CN=msRADIUSAttributeType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSAttributeType
adminDisplayName: msRADIUSAttributeType
adminDescription: msRADIUSAttributeType
attributeId: 1.2.840.113556.1.4.1142
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: mZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Transfer-Retry-Interval,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TransferRetryInterval
adminDisplayName: Transfer-Retry-Interval
adminDescription: Transfer-Retry-Interval
attributeId: 1.2.840.113556.1.2.133
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: jHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33097
hideFromAB: TRUE
dn: CN=Transfer-Timeout-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TransferTimeoutUrgent
adminDisplayName: Transfer-Timeout-Urgent
adminDescription: Transfer-Timeout-Urgent
attributeId: 1.2.840.113556.1.2.142
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: j3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33100
hideFromAB: TRUE
dn: CN=Message-Tracking-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MessageTrackingEnabled
adminDisplayName: Message-Tracking-Enabled
adminDescription: Message-Tracking-Enabled
attributeId: 1.2.840.113556.1.2.453
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: InTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32981
hideFromAB: TRUE
dn: CN=msAscendExpectCallback,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendExpectCallback
adminDisplayName: msAscendExpectCallback
adminDescription: msAscendExpectCallback
attributeId: 1.2.840.113556.1.4.1020
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: IpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSPasswordRetry,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSPasswordRetry
adminDisplayName: msRADIUSPasswordRetry
adminDescription: msRADIUSPasswordRetry
attributeId: 1.2.840.113556.1.4.1168
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: s5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSCallbackNumber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSCallbackNumber
adminDisplayName: msRADIUSCallbackNumber
adminDescription: msRADIUSCallbackNumber
attributeId: 1.2.840.113556.1.4.1145
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: nJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendDialoutAllowed,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDialoutAllowed
adminDisplayName: msAscendDialoutAllowed
adminDescription: msAscendDialoutAllowed
attributeId: 1.2.840.113556.1.4.1016
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: HpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=MSMQ-Out-Routing-Servers,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMQOutRoutingServers
adminDisplayName: MSMQ-Out-Routing-Servers
adminDescription: MSMQ-Out-Routing-Servers
attributeId: 1.2.840.113556.1.4.928
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: K8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=msAscendMPPIdlePercent,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMPPIdlePercent
adminDisplayName: msAscendMPPIdlePercent
adminDescription: msAscendMPPIdlePercent
attributeId: 1.2.840.113556.1.4.1070
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: VJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendAssignIPClient,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendAssignIPClient
adminDisplayName: msAscendAssignIPClient
adminDescription: msAscendAssignIPClient
attributeId: 1.2.840.113556.1.4.981
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +48M2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=X25-Call-User-Data-Incoming,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: X25CallUserDataIncoming
adminDisplayName: X25-Call-User-Data-Incoming
adminDescription: X25-Call-User-Data-Incoming
attributeId: 1.2.840.113556.1.2.316
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: m3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33113
hideFromAB: TRUE
dn: CN=ACS-Max-No-Of-Account-Files,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: aCSMaxNoOfAccountFiles
adminDisplayName: ACS-Max-No-Of-Account-Files
adminDescription: ACS-Max-No-Of-Account-Files
attributeId: 1.2.840.113556.1.4.901
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ECNy8PWu0RG9zwAA+ANnwQ==
hideFromAB: TRUE
dn: CN=msAscendDHCPPoolNumber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDHCPPoolNumber
adminDisplayName: msAscendDHCPPoolNumber
adminDescription: msAscendDHCPPoolNumber
attributeId: 1.2.840.113556.1.4.1013
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: G5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Available-Distributions,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AvailableDistributions
adminDisplayName: Available-Distributions
adminDescription: Available-Distributions
attributeId: 1.2.840.113556.1.2.486
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 10240
schemaIdGuid:: n3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 33163
hideFromAB: TRUE
dn: CN=msAscendAppletalkRoute,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendAppletalkRoute
adminDisplayName: msAscendAppletalkRoute
adminDescription: msAscendAppletalkRoute
attributeId: 1.2.840.113556.1.4.980
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +o8M2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendRouteAppletalk,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendRouteAppletalk
adminDisplayName: msAscendRouteAppletalk
adminDescription: msAscendRouteAppletalk
attributeId: 1.2.840.113556.1.4.1095
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSArapZoneAccess,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSArapZoneAccess
adminDisplayName: msRADIUSArapZoneAccess
adminDescription: msRADIUSArapZoneAccess
attributeId: 1.2.840.113556.1.4.1140
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: l5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendAssignIPServer,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendAssignIPServer
adminDisplayName: msAscendAssignIPServer
adminDescription: msAscendAssignIPServer
attributeId: 1.2.840.113556.1.4.983
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: /Y8M2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-UnConf-Container-List,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAUnConfContainerList
adminDisplayName: DXA-UnConf-Container-List
adminDescription: DXA-UnConf-Container-List
attributeId: 1.2.840.113556.1.2.181
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 7nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32929
hideFromAB: TRUE
dn: CN=Replication-Mail-Msg-Size,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ReplicationMailMsgSize
adminDisplayName: Replication-Mail-Msg-Size
adminDescription: Replication-Mail-Msg-Size
attributeId: 1.2.840.113556.1.2.103
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: XHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33128
hideFromAB: TRUE
dn: CN=msAscendCBCPTrunkGroup,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCBCPTrunkGroup
adminDisplayName: msAscendCBCPTrunkGroup
adminDescription: msAscendCBCPTrunkGroup
attributeId: 1.2.840.113556.1.4.1001
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: D5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendPreSessionTime,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPreSessionTime
adminDisplayName: msAscendPreSessionTime
adminDescription: msAscendPreSessionTime
attributeId: 1.2.840.113556.1.4.1087
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ZZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Prev-Exchange-Options,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAPrevExchangeOptions
adminDisplayName: DXA-Prev-Exchange-Options
adminDescription: DXA-Prev-Exchange-Options
attributeId: 1.2.840.113556.1.2.216
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 3
schemaIdGuid:: 3HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32909
hideFromAB: TRUE
dn: CN=Monitoring-Warning-Delay,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringWarningDelay
adminDisplayName: Monitoring-Warning-Delay
adminDescription: Monitoring-Warning-Delay
attributeId: 1.2.840.113556.1.2.157
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: MHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33005
hideFromAB: TRUE
dn: CN=msAscendNetwaretimeout,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendNetwaretimeout
adminDisplayName: msAscendNetwaretimeout
adminDescription: msAscendNetwaretimeout
attributeId: 1.2.840.113556.1.4.1075
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: WZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSFramedProtocol,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedProtocol
adminDisplayName: msRADIUSFramedProtocol
adminDescription: msRADIUSFramedProtocol
attributeId: 1.2.840.113556.1.4.1157
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: qJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendNumberSessions,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendNumberSessions
adminDisplayName: msAscendNumberSessions
adminDescription: msAscendNumberSessions
attributeId: 1.2.840.113556.1.4.1076
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: WpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendNumInMultilink,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendNumInMultilink
adminDisplayName: msAscendNumInMultilink
adminDescription: msAscendNumInMultilink
attributeId: 1.2.840.113556.1.4.1077
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: W5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Session-Disconnect-Timer,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SessionDisconnectTimer
adminDisplayName: Session-Disconnect-Timer
adminDescription: Session-Disconnect-Timer
attributeId: 1.2.840.113556.1.2.154
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: dXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33078
hideFromAB: TRUE
dn: CN=Transport-Expedited-Data,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TransportExpeditedData
adminDisplayName: Transport-Expedited-Data
adminDescription: Transport-Expedited-Data
attributeId: 1.2.840.113556.1.2.150
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: kXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33102
hideFromAB: TRUE
dn: CN=X25-Call-User-Data-Outgoing,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: X25CallUserDataOutgoing
adminDisplayName: X25-Call-User-Data-Outgoing
adminDescription: X25-Call-User-Data-Outgoing
attributeId: 1.2.840.113556.1.2.317
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: nHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33114
hideFromAB: TRUE
dn: CN=msAscendPreInputOctets,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPreInputOctets
adminDisplayName: msAscendPreInputOctets
adminDescription: msAscendPreInputOctets
attributeId: 1.2.840.113556.1.4.1083
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: YZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msNPAuthenticationType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPAuthenticationType
adminDisplayName: msNPAuthenticationType
adminDescription: msNPAuthenticationType
attributeId: 1.2.840.113556.1.4.1122
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: iJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Prev-Template-Options,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAPrevTemplateOptions
adminDisplayName: DXA-Prev-Template-Options
adminDescription: DXA-Prev-Template-Options
attributeId: 1.2.840.113556.1.2.395
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 3
schemaIdGuid:: 4XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32914
hideFromAB: TRUE
dn: CN=Quota-Notification-Style,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: QuotaNotificationStyle
adminDisplayName: Quota-Notification-Style
adminDescription: Quota-Notification-Style
attributeId: 1.2.840.113556.1.2.388
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: UHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33042
hideFromAB: TRUE
dn: CN=Root-Newsgroups-Folder-ID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RootNewsgroupsFolderID
adminDisplayName: Root-Newsgroups-Folder-ID
adminDescription: Root-Newsgroups-Folder-ID
attributeId: 1.2.840.113556.1.2.524
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 1024
schemaIdGuid:: ZnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33202
hideFromAB: TRUE
dn: CN=MS-MPPE-Encryption-Policy,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: mSMPPEEncryptionPolicy
adminDisplayName: MS-MPPE-Encryption-Policy
adminDescription: MS-MPPE-Encryption-Policy
attributeId: 1.2.840.113556.1.4.977
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 948M2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Monitoring-Warning-Units,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringWarningUnits
adminDisplayName: Monitoring-Warning-Units
adminDescription: Monitoring-Warning-Units
attributeId: 1.2.840.113556.1.2.56
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: MXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33006
hideFromAB: TRUE
dn: CN=msRADIUSTunnelPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSTunnelPassword
adminDisplayName: msRADIUSTunnelPassword
adminDescription: msRADIUSTunnelPassword
attributeId: 1.2.840.113556.1.4.1177
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: vJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Remote-Bridge-Head-Address,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: RemoteBridgeHeadAddress
adminDisplayName: Remote-Bridge-Head-Address
adminDescription: Remote-Bridge-Head-Address
attributeId: 1.2.840.113556.1.2.94
attributeSyntax: 2.5.5.4
omSyntax: 20
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 1118
schemaIdGuid:: WXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33051
hideFromAB: TRUE
dn: CN=Export-Custom-Recipients,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ExportCustomRecipients
adminDisplayName: Export-Custom-Recipients
adminDescription: Export-Custom-Recipients
attributeId: 1.2.840.113556.1.2.307
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: /XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32934
hideFromAB: TRUE
dn: CN=msRADIUSSessionTimeout,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSSessionTimeout
adminDisplayName: msRADIUSSessionTimeout
adminDescription: msRADIUSSessionTimeout
attributeId: 1.2.840.113556.1.4.1172
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: t5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendHomeAgentIPAddr,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendHomeAgentIPAddr
adminDisplayName: msAscendHomeAgentIPAddr
adminDescription: msAscendHomeAgentIPAddr
attributeId: 1.2.840.113556.1.4.1045
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: O5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendDecChannelCount,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDecChannelCount
adminDisplayName: msAscendDecChannelCount
adminDescription: msAscendDecChannelCount
attributeId: 1.2.840.113556.1.4.1011
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: GZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Support-SMIME-Signatures,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: SupportSMIMESignatures
adminDisplayName: Support-SMIME-Signatures
adminDescription: Support-SMIME-Signatures
attributeId: 1.2.840.113556.1.2.590
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: f3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35912
hideFromAB: TRUE
dn: CN=msAscendDisconnectCause,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDisconnectCause
adminDisplayName: msAscendDisconnectCause
adminDescription: msAscendDisconnectCause
attributeId: 1.2.840.113556.1.4.1017
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: H5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendIncChannelCount,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendIncChannelCount
adminDisplayName: msAscendIncChannelCount
adminDescription: msAscendIncChannelCount
attributeId: 1.2.840.113556.1.4.1052
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendFRDirectProfile,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendFRDirectProfile
adminDisplayName: msAscendFRDirectProfile
adminDescription: msAscendFRDirectProfile
attributeId: 1.2.840.113556.1.4.1029
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: K5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=ACS-Enable-RSVP-Accounting,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: aCSEnableRSVPAccounting
adminDisplayName: ACS-Enable-RSVP-Accounting
adminDescription: ACS-Enable-RSVP-Accounting
attributeId: 1.2.840.113556.1.4.899
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DiNy8PWu0RG9zwAA+ANnwQ==
hideFromAB: TRUE
dn: CN=msAscendMinimumChannels,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMinimumChannels
adminDisplayName: msAscendMinimumChannels
adminDescription: msAscendMinimumChannels
attributeId: 1.2.840.113556.1.4.1066
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: UJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendClientAssignDNS,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendClientAssignDNS
adminDisplayName: msAscendClientAssignDNS
adminDescription: msAscendClientAssignDNS
attributeId: 1.2.840.113556.1.4.1002
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: EJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendMaximumChannels,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMaximumChannels
adminDisplayName: msAscendMaximumChannels
adminDescription: msAscendMaximumChannels
attributeId: 1.2.840.113556.1.4.1061
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: S5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSFramedIPAddress,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedIPAddress
adminDisplayName: msRADIUSFramedIPAddress
adminDescription: msRADIUSFramedIPAddress
attributeId: 1.2.840.113556.1.4.1153
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: pJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendRoutePreference,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendRoutePreference
adminDisplayName: msAscendRoutePreference
adminDescription: msAscendRoutePreference
attributeId: 1.2.840.113556.1.4.1098
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: cJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendHomeNetworkName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendHomeNetworkName
adminDisplayName: msAscendHomeNetworkName
adminDescription: msAscendHomeNetworkName
attributeId: 1.2.840.113556.1.4.1048
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: PpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendMulticastClient,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMulticastClient
adminDisplayName: msAscendMulticastClient
adminDescription: msAscendMulticastClient
attributeId: 1.2.840.113556.1.4.1071
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: VZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Encrypt-Alg-Selected-Other,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: EncryptAlgSelectedOther
adminDisplayName: Encrypt-Alg-Selected-Other
adminDescription: Encrypt-Alg-Selected-Other
attributeId: 1.2.840.113556.1.2.397
attributeSyntax: 2.5.5.5
omSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32
schemaIdGuid:: +nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32829
hideFromAB: TRUE
dn: CN=msRADIUSFramedIPNetmask,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedIPNetmask
adminDisplayName: msRADIUSFramedIPNetmask
adminDescription: msRADIUSFramedIPNetmask
attributeId: 1.2.840.113556.1.4.1154
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: pZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendConnectProgress,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendConnectProgress
adminDisplayName: msAscendConnectProgress
adminDescription: msAscendConnectProgress
attributeId: 1.2.840.113556.1.4.1006
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: FJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendLinkCompression,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendLinkCompression
adminDisplayName: msAscendLinkCompression
adminDescription: msAscendLinkCompression
attributeId: 1.2.840.113556.1.4.1059
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: SZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendPreInputPackets,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPreInputPackets
adminDisplayName: msAscendPreInputPackets
adminDescription: msAscendPreInputPackets
attributeId: 1.2.840.113556.1.4.1084
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: YpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSLoginLATService,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSLoginLATService
adminDisplayName: msRADIUSLoginLATService
adminDescription: msRADIUSLoginLATService
attributeId: 1.2.840.113556.1.4.1165
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: sJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Monitoring-Recipients-NDR,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringRecipientsNDR
adminDisplayName: Monitoring-Recipients-NDR
adminDescription: Monitoring-Recipients-NDR
attributeId: 1.2.840.113556.1.2.387
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: L3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33002
hideFromAB: TRUE
dn: CN=Two-Way-Alternate-Facility,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TwoWayAlternateFacility
adminDisplayName: Two-Way-Alternate-Facility
adminDescription: Two-Way-Alternate-Facility
attributeId: 1.2.840.113556.1.2.40
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: lHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33105
hideFromAB: TRUE
dn: CN=msRADIUSAttributeNumber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSAttributeNumber
adminDisplayName: msRADIUSAttributeNumber
adminDescription: msRADIUSAttributeNumber
attributeId: 1.2.840.113556.1.4.1141
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: mJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSAttributeVendor,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSAttributeVendor
adminDisplayName: msRADIUSAttributeVendor
adminDescription: msRADIUSAttributeVendor
attributeId: 1.2.840.113556.1.4.1143
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: mpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Preserve-Internet-Content,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: PreserveInternetContent
adminDisplayName: Preserve-Internet-Content
adminDescription: Preserve-Internet-Content
attributeId: 1.2.840.113556.1.2.556
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: THTfqOrF0RG7ywCAx2ZwwA==
mapiID: 35874
hideFromAB: TRUE
dn: CN=msAscendPreOutputOctets,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPreOutputOctets
adminDisplayName: msAscendPreOutputOctets
adminDescription: msAscendPreOutputOctets
attributeId: 1.2.840.113556.1.4.1085
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Y5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=DXA-Prev-Export-Native-Only,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAPrevExportNativeOnly
adminDisplayName: DXA-Prev-Export-Native-Only
adminDescription: DXA-Prev-Export-Native-Only
attributeId: 1.2.840.113556.1.2.203
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 3XPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32910
hideFromAB: TRUE
dn: CN=msRASMPPEEncryptionType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRASMPPEEncryptionType
adminDisplayName: msRASMPPEEncryptionType
adminDescription: msRASMPPEEncryptionType
attributeId: 1.2.840.113556.1.4.1188
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: xJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=X25-Facilities-Data-Incoming,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: X25FacilitiesDataIncoming
adminDisplayName: X25-Facilities-Data-Incoming
adminDescription: X25-Facilities-Data-Incoming
attributeId: 1.2.840.113556.1.2.318
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 109
schemaIdGuid:: nXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33115
hideFromAB: TRUE
dn: CN=msAscendBaseChannelCount,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendBaseChannelCount
adminDisplayName: msAscendBaseChannelCount
adminDescription: msAscendBaseChannelCount
attributeId: 1.2.840.113556.1.4.987
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: AZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRASSavedCallbackNumber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRASSavedCallbackNumber
adminDisplayName: msRASSavedCallbackNumber
adminDescription: msRASSavedCallbackNumber
attributeId: 1.2.840.113556.1.4.1189
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: xZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=X25-Facilities-Data-Outgoing,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: X25FacilitiesDataOutgoing
adminDisplayName: X25-Facilities-Data-Outgoing
adminDescription: X25-Facilities-Data-Outgoing
attributeId: 1.2.840.113556.1.2.319
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 109
schemaIdGuid:: nnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33116
hideFromAB: TRUE
dn: CN=msAscendCallAttemptLimit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCallAttemptLimit
adminDisplayName: msAscendCallAttemptLimit
adminDescription: msAscendCallAttemptLimit
attributeId: 1.2.840.113556.1.4.991
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendIPPoolDefinition,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendIPPoolDefinition
adminDisplayName: msAscendIPPoolDefinition
adminDescription: msAscendIPPoolDefinition
attributeId: 1.2.840.113556.1.4.1054
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendPrimaryHomeAgent,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPrimaryHomeAgent
adminDisplayName: msAscendPrimaryHomeAgent
adminDescription: msAscendPrimaryHomeAgent
attributeId: 1.2.840.113556.1.4.1088
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ZpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendHomeAgentUDPPort,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendHomeAgentUDPPort
adminDisplayName: msAscendHomeAgentUDPPort
adminDescription: msAscendHomeAgentUDPPort
attributeId: 1.2.840.113556.1.4.1047
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: PZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendClientPrimaryDNS,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendClientPrimaryDNS
adminDisplayName: msAscendClientPrimaryDNS
adminDescription: msAscendClientPrimaryDNS
attributeId: 1.2.840.113556.1.4.1004
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: EpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSTunnelPreference,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSTunnelPreference
adminDisplayName: msRADIUSTunnelPreference
adminDescription: msRADIUSTunnelPreference
attributeId: 1.2.840.113556.1.4.1178
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: vZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendSecondsOfHistory,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendSecondsOfHistory
adminDisplayName: msAscendSecondsOfHistory
adminDescription: msAscendSecondsOfHistory
attributeId: 1.2.840.113556.1.4.1100
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: cpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msAscendPreOutputPackets,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendPreOutputPackets
adminDisplayName: msAscendPreOutputPackets
adminDescription: msAscendPreOutputPackets
attributeId: 1.2.840.113556.1.4.1086
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ZJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=msRADIUSFramedIPXNetwork,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedIPXNetwork
adminDisplayName: msRADIUSFramedIPXNetwork
adminDescription: msRADIUSFramedIPXNetwork
attributeId: 1.2.840.113556.1.4.1155
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ppAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
dn: CN=Connection-List-Filter-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: ConnectionListFilterType
adminDisplayName: Connection-List-Filter-Type
adminDescription: Connection-List-Filter-Type
attributeId: 1.2.840.113556.1.2.526
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: t3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 33204
hideFromAB: TRUE
dn: CN=msAscendHistoryWeighType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendHistoryWeighType
adminDisplayName: msAscendHistoryWeighType
adminDescription: msAscendHistoryWeighType
attributeId: 1.2.840.113556.1.4.1044
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msRADIUSTunnelMediumType,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSTunnelMediumType
adminDisplayName: msRADIUSTunnelMediumType
adminDescription: msRADIUSTunnelMediumType
attributeId: 1.2.840.113556.1.4.1176
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: u5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=Transfer-Timeout-Non-Urgent,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: TransferTimeoutNonUrgent
adminDisplayName: Transfer-Timeout-Non-Urgent
adminDescription: Transfer-Timeout-Non-Urgent
attributeId: 1.2.840.113556.1.2.136
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: jXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33098
hideFromAB: TRUE

dn: CN=msAscendCallBlockDuration,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendCallBlockDuration
adminDisplayName: msAscendCallBlockDuration
adminDescription: msAscendCallBlockDuration
attributeId: 1.2.840.113556.1.4.994
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: CJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msAscendAppletalkPeerMode,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendAppletalkPeerMode
adminDisplayName: msAscendAppletalkPeerMode
adminDescription: msAscendAppletalkPeerMode
attributeId: 1.2.840.113556.1.4.979
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +Y8M2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msRASSavedFramedIPAddress,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRASSavedFramedIPAddress
adminDisplayName: msRASSavedFramedIPAddress
adminDescription: msRASSavedFramedIPAddress
attributeId: 1.2.840.113556.1.4.1190
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: xpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msAscendDHCPMaximumLeases,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendDHCPMaximumLeases
adminDisplayName: msAscendDHCPMaximumLeases
adminDescription: msAscendDHCPMaximumLeases
attributeId: 1.2.840.113556.1.4.1012
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: GpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msAscendHomeAgentPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendHomeAgentPassword
adminDisplayName: msAscendHomeAgentPassword
adminDescription: msAscendHomeAgentPassword
attributeId: 1.2.840.113556.1.4.1046
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: PJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msNPSavedCallingStationID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msNPSavedCallingStationID
adminDisplayName: msNPSavedCallingStationID
adminDescription: msNPSavedCallingStationID
attributeId: 1.2.840.113556.1.4.1130
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: jpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=Quota-Notification-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: QuotaNotificationSchedule
adminDisplayName: Quota-Notification-Schedule
adminDescription: Quota-Notification-Schedule
attributeId: 1.2.840.113556.1.2.98
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 84
rangeUpper: 84
schemaIdGuid:: T3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 33041
hideFromAB: TRUE

dn: CN=msRADIUSFramedCompression,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedCompression
adminDisplayName: msRADIUSFramedCompression
adminDescription: msRADIUSFramedCompression
attributeId: 1.2.840.113556.1.4.1152
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: o5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msRADIUSTerminationAction,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSTerminationAction
adminDisplayName: msRADIUSTerminationAction
adminDescription: msRADIUSTerminationAction
attributeId: 1.2.840.113556.1.4.1173
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: uJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msAscendTunnelingProtocol,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendTunnelingProtocol
adminDisplayName: msAscendTunnelingProtocol
adminDescription: msAscendTunnelingProtocol
attributeId: 1.2.840.113556.1.4.1111
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=Authorized-Password-Confirm,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AuthorizedPasswordConfirm
adminDisplayName: Authorized-Password-Confirm
adminDescription: Authorized-Password-Confirm
attributeId: 1.2.840.113556.1.2.493
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 512
schemaIdGuid:: nHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33170
hideFromAB: TRUE

dn: CN=msRASMPPEEncryptionPolicy,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRASMPPEEncryptionPolicy
adminDisplayName: msRASMPPEEncryptionPolicy
adminDescription: msRASMPPEEncryptionPolicy
attributeId: 1.2.840.113556.1.4.1187
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: w5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=Monitoring-Normal-Poll-Units,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringNormalPollUnits
adminDisplayName: Monitoring-Normal-Poll-Units
adminDescription: Monitoring-Normal-Poll-Units
attributeId: 1.2.840.113556.1.2.88
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: LXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 33000
hideFromAB: TRUE

dn: CN=msAscendSecondaryHomeAgent,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendSecondaryHomeAgent
adminDisplayName: msAscendSecondaryHomeAgent
adminDescription: msAscendSecondaryHomeAgent
attributeId: 1.2.840.113556.1.4.1099
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: cZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msAscendClientSecondaryDNS,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendClientSecondaryDNS
adminDisplayName: msAscendClientSecondaryDNS
adminDescription: msAscendClientSecondaryDNS
attributeId: 1.2.840.113556.1.4.1005
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: E5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=Allowed-Attributes-Effective,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: allowedAttributesEffective
adminDisplayName: Allowed-Attributes-Effective
adminDescription: Allowed-Attributes-Effective
attributeId: 1.2.840.113556.1.4.914
attributeSyntax: 2.5.5.2
omSyntax: 6
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: Qdl6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004

dn: CN=msAscendMulticastRateLimit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMulticastRateLimit
adminDisplayName: msAscendMulticastRateLimit
adminDescription: msAscendMulticastRateLimit
attributeId: 1.2.840.113556.1.4.1073
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: V5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msRADIUSTunnelAssignmentId,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSTunnelAssignmentId
adminDisplayName: msRADIUSTunnelAssignmentId
adminDescription: msRADIUSTunnelAssignmentId
attributeId: 1.2.840.113556.1.4.1174
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: uZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msRADIUSVSAAttributeNumber,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSVSAAttributeNumber
adminDisplayName: msRADIUSVSAAttributeNumber
adminDescription: msRADIUSVSAAttributeNumber
attributeId: 1.2.840.113556.1.4.1183
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msAscendSharedProfileEnable,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendSharedProfileEnable
adminDisplayName: msAscendSharedProfileEnable
adminDescription: msAscendSharedProfileEnable
attributeId: 1.2.840.113556.1.4.1105
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: d5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=Certificate-Revocation-List-V1,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CertificateRevocationListV1
adminDisplayName: Certificate-Revocation-List-V1
adminDescription: Certificate-Revocation-List-V1
attributeId: 1.2.840.113556.1.2.564
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: q3PfqOrF0RG7ywCAx2ZwwA==
mapiID: 35881
hideFromAB: TRUE

dn: CN=Certificate-Revocation-List-V3,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: CertificateRevocationListV3
adminDisplayName: Certificate-Revocation-List-V3
adminDescription: Certificate-Revocation-List-V3
attributeId: 1.2.840.113556.1.2.563
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rHPfqOrF0RG7ywCAx2ZwwA==
mapiID: 35880
hideFromAB: TRUE

dn: CN=Monitoring-Hotsite-Poll-Units,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringHotsitePollUnits
adminDisplayName: Monitoring-Hotsite-Poll-Units
adminDescription: Monitoring-Hotsite-Poll-Units
attributeId: 1.2.840.113556.1.2.87
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2
schemaIdGuid:: K3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 32996
hideFromAB: TRUE

dn: CN=msRADIUSFramedAppleTalkLink,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedAppleTalkLink
adminDisplayName: msRADIUSFramedAppleTalkLink
adminDescription: msRADIUSFramedAppleTalkLink
attributeId: 1.2.840.113556.1.4.1149
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: oJAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msAscendMaximumCallDuration,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMaximumCallDuration
adminDisplayName: msAscendMaximumCallDuration
adminDescription: msAscendMaximumCallDuration
attributeId: 1.2.840.113556.1.4.1060
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: SpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msRADIUSFramedAppleTalkZone,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedAppleTalkZone
adminDisplayName: msRADIUSFramedAppleTalkZone
adminDescription: msRADIUSFramedAppleTalkZone
attributeId: 1.2.840.113556.1.4.1151
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: opAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=ACS-RSVP-Account-Files-Location,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: aCSRSVPAccountFilesLocation
adminDisplayName: ACS-RSVP-Account-Files-Location
adminDescription: ACS-RSVP-Account-Files-Location
attributeId: 1.2.840.113556.1.4.900
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DyNy8PWu0RG9zwAA+ANnwQ==
hideFromAB: TRUE

dn: CN=ACS-Max-Size-Of-RSVP-Account-File,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: aCSMaxSizeOfRSVPAccountFile
adminDisplayName: ACS-Max-Size-Of-RSVP-Account-File
adminDescription: ACS-Max-Size-Of-RSVP-Account-File
attributeId: 1.2.840.113556.1.4.902
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ESNy8PWu0RG9zwAA+ANnwQ==
hideFromAB: TRUE

dn: CN=Allowed-Child-Classes-Effective,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: allowedChildClassesEffective
adminDisplayName: Allowed-Child-Classes-Effective
adminDescription: Allowed-Child-Classes-Effective
attributeId: 1.2.840.113556.1.4.912
attributeSyntax: 2.5.5.2
omSyntax: 6
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: Q9l6mlPK0RG70ACAx2ZwwA==
hideFromAB: TRUE
systemFlags: 8000004

dn: CN=Enabled-Authorization-Packages,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: EnabledAuthorizationPackages
adminDisplayName: Enabled-Authorization-Packages
adminDescription: Enabled-Authorization-Packages
attributeId: 1.2.840.113556.1.2.479
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: 83PfqOrF0RG7ywCAx2ZwwA==
mapiID: 33156
hideFromAB: TRUE

dn: CN=msAscendMulticastGLeaveDelay,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msAscendMulticastGLeaveDelay
adminDisplayName: msAscendMulticastGLeaveDelay
adminDescription: msAscendMulticastGLeaveDelay
attributeId: 1.2.840.113556.1.4.1072
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: VpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msRADIUSTunnelClientEndpoint,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSTunnelClientEndpoint
adminDisplayName: msRADIUSTunnelClientEndpoint
adminDescription: msRADIUSTunnelClientEndpoint
attributeId: 1.2.840.113556.1.4.1175
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: upAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=DXA-Prev-In-Exchange-Sensitivity,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAPrevInExchangeSensitivity
adminDisplayName: DXA-Prev-In-Exchange-Sensitivity
adminDescription: DXA-Prev-In-Exchange-Sensitivity
attributeId: 1.2.840.113556.1.2.90
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 3nPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32911
hideFromAB: TRUE

dn: CN=Monitoring-Normal-Poll-Interval,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringNormalPollInterval
adminDisplayName: Monitoring-Normal-Poll-Interval
adminDescription: Monitoring-Normal-Poll-Interval
attributeId: 1.2.840.113556.1.2.187
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: LHTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32999
hideFromAB: TRUE

dn: CN=msRADIUSTunnelPrivateGroupId,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSTunnelPrivateGroupId
adminDisplayName: msRADIUSTunnelPrivateGroupId
adminDescription: msRADIUSTunnelPrivateGroupId
attributeId: 1.2.840.113556.1.4.1179
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: vpAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=msRADIUSTunnelServerEndpoint,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSTunnelServerEndpoint
adminDisplayName: msRADIUSTunnelServerEndpoint
adminDescription: msRADIUSTunnelServerEndpoint
attributeId: 1.2.840.113556.1.4.1180
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: v5AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=Monitoring-Escalation-Procedure,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringEscalationProcedure
adminDisplayName: Monitoring-Escalation-Procedure
adminDescription: Monitoring-Escalation-Procedure
attributeId: 1.2.840.113556.1.2.188
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 1064
schemaIdGuid:: KXTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32994
hideFromAB: TRUE

dn: CN=DXA-Prev-Replication-Sensitivity,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: DXAPrevReplicationSensitivity
adminDisplayName: DXA-Prev-Replication-Sensitivity
adminDescription: DXA-Prev-Replication-Sensitivity
attributeId: 1.2.840.113556.1.2.215
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 4HPfqOrF0RG7ywCAx2ZwwA==
mapiID: 32913
hideFromAB: TRUE

dn: CN=Monitoring-Hotsite-Poll-Interval,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: MonitoringHotsitePollInterval
adminDisplayName: Monitoring-Hotsite-Poll-Interval
adminDescription: Monitoring-Hotsite-Poll-Interval
attributeId: 1.2.840.113556.1.2.186
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: KnTfqOrF0RG7ywCAx2ZwwA==
mapiID: 32995
hideFromAB: TRUE

dn: CN=Available-Authorization-Packages,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: AvailableAuthorizationPackages
adminDisplayName: Available-Authorization-Packages
adminDescription: Available-Authorization-Packages
attributeId: 1.2.840.113556.1.2.476
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 512
schemaIdGuid:: nnPfqOrF0RG7ywCAx2ZwwA==
mapiID: 33153
hideFromAB: TRUE

dn: CN=ACS-Max-Aggregate-Peak-Rate-Per-User,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: aCSMaxAggregatePeakRatePerUser
adminDisplayName: ACS-Max-Aggregate-Peak-Rate-Per-User
adminDescription: ACS-Max-Aggregate-Peak-Rate-Per-User
attributeId: 1.2.840.113556.1.4.897
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DCNy8PWu0RG9zwAA+ANnwQ==
hideFromAB: TRUE

dn: CN=msRADIUSFramedAppleTalkNetwork,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msRADIUSFramedAppleTalkNetwork
adminDisplayName: msRADIUSFramedAppleTalkNetwork
adminDescription: msRADIUSFramedAppleTalkNetwork
attributeId: 1.2.840.113556.1.4.1150
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: oZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE

dn: CN=Mail-Gateway,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mailGateway
adminDisplayName: Mail-Gateway
adminDescription: Mail-Gateway
governsId: 1.2.840.113556.1.3.51
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.2.171
systemMustContain: 1.2.840.113556.1.2.241
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.221
systemMayContain: 1.2.840.113556.1.2.396
systemMayContain: 1.2.840.113556.1.2.142
systemMayContain: 1.2.840.113556.1.2.137
systemMayContain: 1.2.840.113556.1.2.136
systemMayContain: 1.2.840.113556.1.2.133
systemMayContain: 2.5.4.30
systemMayContain: 1.2.840.113556.1.2.354
systemMayContain: 1.2.840.113556.1.2.223
systemMayContain: 1.2.840.113556.1.2.224
systemMayContain: 1.2.840.113556.1.2.69
systemMayContain: 1.2.840.113556.1.2.266
systemMayContain: 1.2.840.113556.1.2.64
systemMayContain: 1.2.840.113556.1.2.72
systemMayContain: 1.2.840.113556.1.2.449
systemMayContain: 1.2.840.113556.1.2.383
systemMayContain: 1.2.840.113556.1.2.110
systemMayContain: 1.2.840.113556.1.2.244
systemMayContain: 1.2.840.113556.1.2.307
systemMayContain: 1.2.840.113556.1.2.111
systemMayContain: 1.2.840.113556.1.2.448
systemMayContain: 1.2.840.113556.1.2.144
systemMayContain: 1.2.840.113556.1.2.47
systemMayContain: 1.2.840.113556.1.2.189
systemMayContain: 1.2.840.113556.1.2.140
systemMayContain: 1.2.840.113556.1.2.139
systemMayContain: 1.2.840.113556.1.2.138
systemMayContain: 2.5.4.6
systemMayContain: 1.2.840.113556.1.2.211
systemMayContain: 1.2.840.113556.1.2.20
systemMayContain: 1.2.840.113556.1.2.455
systemMayContain: 1.2.840.113556.1.2.129
systemMayContain: 1.2.840.113556.1.2.232
systemMayContain: 1.2.840.113556.1.2.73
systemMayContain: 1.2.840.113556.1.2.213
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: t3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Mail-Gateway,CN=Schema,CN=Configuration,DC=X

dn: CN=X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: x400Link
adminDisplayName: X400-Link
adminDescription: X400-Link
governsId: 1.2.840.113556.1.3.29
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.51
systemMayContain: 1.2.840.113556.1.2.443
systemMayContain: 1.2.840.113556.1.2.99
systemMayContain: 1.2.840.113556.1.2.40
systemMayContain: 1.2.840.113556.1.2.38
systemMayContain: 1.2.840.113556.1.2.150
systemMayContain: 1.2.840.113556.1.2.329
systemMayContain: 1.2.840.113556.1.2.5
systemMayContain: 1.2.840.113556.1.2.283
systemMayContain: 1.2.840.113556.1.2.28
systemMayContain: 1.2.840.113556.1.2.154
systemMayContain: 1.2.840.113556.1.2.46
systemMayContain: 1.2.840.113556.1.2.284
systemMayContain: 1.2.840.113556.1.2.153
systemMayContain: 1.2.840.113556.1.2.151
systemMayContain: 1.2.840.113556.1.2.152
systemMayContain: 1.2.840.113556.1.2.52
systemMayContain: 1.2.840.113556.1.2.285
systemMayContain: 1.2.840.113556.1.2.143
systemMayContain: 1.2.840.113556.1.2.134
systemMayContain: 1.2.840.113556.1.2.148
systemMayContain: 1.2.840.113556.1.2.222
systemMayContain: 1.2.840.113556.1.2.282
systemMayContain: 1.2.840.113556.1.2.271
systemMayContain: 1.2.840.113556.1.2.270
systemMayContain: 1.2.840.113556.1.2.39
systemMayContain: 1.2.840.113556.1.2.29
systemMayContain: 1.2.840.113556.1.2.37
systemMayContain: 1.2.840.113556.1.2.149
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 4HTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=X400-Link,CN=Schema,CN=Configuration,DC=X

dn: CN=Information-Store-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: informationStoreCfg
adminDisplayName: Information-Store-Cfg
adminDescription: Information-Store-Cfg
governsId: 1.2.840.113556.1.3.5
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.457
systemMayContain: 1.2.840.113556.1.2.456
systemMayContain: 1.2.840.113556.1.2.434
systemMayContain: 1.2.840.113556.1.2.388
systemMayContain: 1.2.840.113556.1.2.98
systemMayContain: 1.2.840.113556.1.2.453
systemMayContain: 1.2.840.113556.1.2.266
systemMayContain: 1.2.840.113556.1.2.272
systemMayContain: 1.2.840.113556.1.2.235
systemMayContain: 1.2.840.113556.1.2.586
systemMayContain: 1.2.840.113556.1.2.13
systemMayContain: 1.2.840.113556.1.2.300
systemMayContain: 1.2.840.113556.1.2.63
systemMayContain: 1.2.840.113556.1.2.62
systemMayContain: 1.2.840.113556.1.2.11
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: tHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Information-Store-Cfg,CN=Schema,CN=Configuration,DC=X

dn: CN=MHS-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mHSMonitoringConfig
adminDisplayName: MHS-Monitoring-Config
adminDescription: MHS-Monitoring-Config
governsId: 1.2.840.113556.1.3.6
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.185
systemMayContain: 1.2.840.113556.1.2.88
systemMayContain: 1.2.840.113556.1.2.187
systemMayContain: 1.2.840.113556.1.2.87
systemMayContain: 1.2.840.113556.1.2.186
systemMayContain: 1.2.840.113556.1.2.188
systemMayContain: 1.2.840.113556.1.2.200
systemMayContain: 1.2.840.113556.1.2.450
systemMayContain: 1.2.840.113556.1.2.179
systemMayContain: 1.2.840.113556.1.2.192
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: u3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MHS-Monitoring-Config,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-Shared,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgShared
adminDisplayName: Protocol-Cfg-Shared
adminDescription: Protocol-Cfg-Shared
governsId: 1.2.840.113556.1.3.65
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.478
systemMayContain: 1.2.840.113556.1.2.608
systemMayContain: 1.2.840.113556.1.4.216
systemMayContain: 1.2.840.113556.1.2.9
systemMayContain: 1.2.840.113556.1.2.607
systemMayContain: 1.2.840.113556.1.2.337
systemMayContain: 1.2.840.113556.1.2.526
systemMayContain: 1.2.840.113556.1.2.475
systemMayContain: 1.2.840.113556.1.2.477
systemMayContain: 1.2.840.113556.1.2.476
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 0HTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-Shared,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-Shared-Site,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgSharedSite
adminDisplayName: Protocol-Cfg-Shared-Site
adminDescription: Protocol-Cfg-Shared-Site
governsId: 1.2.840.113556.1.3.66
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.65
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 0nTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-Shared-Site,CN=Schema,CN=Configuration,DC=X

dn: CN=MTA,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mTA
adminDisplayName: MTA
adminDescription: MTA
governsId: 1.2.840.113556.1.3.49
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.2.220
systemMustContain: 1.2.840.113556.1.2.219
systemMustContain: 1.2.840.113556.1.2.271
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.270
systemMayContain: 1.2.840.113556.1.2.201
systemMayContain: 1.2.840.113556.1.2.189
systemMayContain: 1.2.840.113556.1.2.140
systemMayContain: 1.2.840.113556.1.2.139
systemMayContain: 1.2.840.113556.1.2.138
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: container
schemaIdGuid:: p3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MTA,CN=Schema,CN=Configuration,DC=X

dn: CN=Exchange-Admin-Service,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: exchangeAdminService
adminDisplayName: Exchange-Admin-Service
adminDescription: Exchange-Admin-Service
governsId: 1.2.840.113556.1.3.62
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemAuxiliaryClass: 1.2.840.113556.1.3.46
systemMustContain: 1.2.840.113556.1.2.241
systemMayContain: 1.2.840.113556.1.2.189
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: snTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Exchange-Admin-Service,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-Shared-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgSharedServer
adminDisplayName: Protocol-Cfg-Shared-Server
adminDescription: Protocol-Cfg-Shared-Server
governsId: 1.2.840.113556.1.3.67
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.65
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: 0XTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-Shared-Server,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfg
adminDisplayName: Protocol-Cfg
adminDescription: Protocol-Cfg
governsId: 1.2.840.113556.1.3.68
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.478
systemMayContain: 1.2.840.113556.1.2.492
systemMayContain: 1.2.840.113556.1.2.560
systemMayContain: 1.2.840.113556.1.2.556
systemMayContain: 1.2.840.113556.1.2.527
systemMayContain: 1.2.840.113556.1.2.491
systemMayContain: 1.2.840.113556.1.2.515
systemMayContain: 1.2.840.113556.1.2.479
systemMayContain: 1.2.840.113556.1.2.189
systemMayContain: 1.2.840.113556.1.2.481
systemMayContain: 1.2.840.113556.1.2.559
systemMayContain: 1.2.840.113556.1.2.480
systemMayContain: 1.2.840.113556.1.2.149
systemMayContain: 1.2.840.113556.1.2.482
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: wHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg,CN=Schema,CN=Configuration,DC=X

dn: CN=RFC1006-X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: rFC1006X400Link
adminDisplayName: RFC1006-X400-Link
adminDescription: RFC1006-X400-Link
governsId: 1.2.840.113556.1.3.32
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.29
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 2HTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=RFC1006-X400-Link,CN=Schema,CN=Configuration,DC=X

dn: CN=Remote-DXA,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: remoteDXA
adminDisplayName: Remote-DXA
adminDescription: Remote-DXA
governsId: 1.2.840.113556.1.3.2
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.2.307
systemMustContain: 1.2.840.113556.1.2.112
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.298
systemMayContain: 1.2.840.113556.1.2.173
systemMayContain: 1.2.840.113556.1.2.223
systemMayContain: 1.2.840.113556.1.2.100
systemMayContain: 1.2.840.113556.1.2.383
systemMayContain: 1.2.840.113556.1.2.110
systemMayContain: 1.2.840.113556.1.2.111
systemMayContain: 1.2.840.113556.1.2.181
systemMayContain: 1.2.840.113556.1.2.119
systemMayContain: 1.2.840.113556.1.2.358
systemMayContain: 1.2.840.113556.1.2.124
systemMayContain: 1.2.840.113556.1.2.361
systemMayContain: 1.2.840.113556.1.2.360
systemMayContain: 1.2.840.113556.1.2.446
systemMayContain: 1.2.840.113556.1.2.182
systemMayContain: 1.2.840.113556.1.2.114
systemMayContain: 1.2.840.113556.1.2.101
systemMayContain: 1.2.840.113556.1.2.384
systemMayContain: 1.2.840.113556.1.2.217
systemMayContain: 1.2.840.113556.1.2.395
systemMayContain: 1.2.840.113556.1.2.215
systemMayContain: 1.2.840.113556.1.2.265
systemMayContain: 1.2.840.113556.1.2.90
systemMayContain: 1.2.840.113556.1.2.203
systemMayContain: 1.2.840.113556.1.2.216
systemMayContain: 1.2.840.113556.1.2.305
systemMayContain: 1.2.840.113556.1.2.331
systemMayContain: 1.2.840.113556.1.2.113
systemMayContain: 1.2.840.113556.1.2.376
systemMayContain: 1.2.840.113556.1.2.86
systemMayContain: 1.2.840.113556.1.2.117
systemMayContain: 1.2.840.113556.1.2.116
systemMayContain: 1.2.840.113556.1.2.377
systemMayContain: 1.2.840.113556.1.2.359
systemMayContain: 1.2.840.113556.1.2.45
systemMayContain: 1.2.840.113556.1.2.184
systemMayContain: 1.2.840.113556.1.2.122
systemMayContain: 1.2.840.113556.1.2.180
systemMayContain: 1.2.840.113556.1.2.174
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 1XTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Remote-DXA,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-HTTP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgHTTP
adminDisplayName: Protocol-Cfg-HTTP
adminDescription: Protocol-Cfg-HTTP
governsId: 1.2.840.113556.1.3.79
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.68
systemMustContain: 1.2.840.113556.1.2.502
systemMayContain: 1.2.840.113556.1.2.517
systemMayContain: 1.2.840.113556.1.2.505
systemMayContain: 1.2.840.113556.1.2.503
systemMayContain: 1.2.840.113556.1.2.516
systemPossSuperiors: 1.2.840.113556.1.3.67
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: wXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-HTTP,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-LDAP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgLDAP
adminDisplayName: Protocol-Cfg-LDAP
adminDescription: Protocol-Cfg-LDAP
governsId: 1.2.840.113556.1.3.75
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.68
systemMayContain: 1.2.840.113556.1.2.490
systemMayContain: 1.2.840.113556.1.2.552
systemPossSuperiors: 1.2.840.113556.1.3.67
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: x3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-LDAP,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-IMAP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgIMAP
adminDisplayName: Protocol-Cfg-IMAP
adminDescription: Protocol-Cfg-IMAP
governsId: 1.2.840.113556.1.3.84
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.68
systemMayContain: 1.2.840.113556.1.2.594
systemMayContain: 1.2.840.113556.1.2.608
systemMayContain: 1.2.840.113556.1.2.592
systemMayContain: 1.2.840.113556.1.2.9
systemMayContain: 1.2.840.113556.1.2.607
systemMayContain: 1.2.840.113556.1.2.337
systemMayContain: 1.2.840.113556.1.2.591
systemMayContain: 1.2.840.113556.1.2.561
systemPossSuperiors: 1.2.840.113556.1.3.67
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: xHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-IMAP,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-HTTP-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgHTTPServer
adminDisplayName: Protocol-Cfg-HTTP-Server
adminDescription: Protocol-Cfg-HTTP-Server
governsId: 1.2.840.113556.1.3.80
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.79
systemPossSuperiors: 1.2.840.113556.1.3.67
schemaIdGuid:: wnTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-HTTP-Server,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-NNTP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgNNTP
adminDisplayName: Protocol-Cfg-NNTP
adminDescription: Protocol-Cfg-NNTP
governsId: 1.2.840.113556.1.3.72
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.68
systemMayContain: 1.2.840.113556.1.2.484
systemMayContain: 1.2.840.113556.1.2.590
systemMayContain: 1.2.840.113556.1.2.524
systemMayContain: 1.2.840.113556.1.2.543
systemMayContain: 1.2.840.113556.1.2.485
systemMayContain: 1.2.840.113556.1.2.483
systemMayContain: 1.2.840.113556.1.2.486
systemPossSuperiors: 1.2.840.113556.1.3.67
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: ynTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-NNTP,CN=Schema,CN=Configuration,DC=X

dn: CN=Mailbox-Agent,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mailboxAgent
adminDisplayName: Mailbox-Agent
adminDescription: Mailbox-Agent
governsId: 1.2.840.113556.1.3.17
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.22
systemMayContain: 2.5.4.32
systemMayContain: 1.2.840.113556.1.2.20
systemMayContain: 1.2.840.113556.1.2.73
systemMayContain: 1.2.840.113556.1.2.213
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: uHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Mailbox-Agent,CN=Schema,CN=Configuration,DC=X

dn: CN=Directory-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: directoryCfg
adminDisplayName: Directory-Cfg
adminDescription: Directory-Cfg
governsId: 1.2.840.113556.1.3.4
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.509
systemMayContain: 1.2.840.113556.1.2.54
systemMayContain: 1.2.840.113556.1.2.385
systemMayContain: 1.2.840.113556.1.2.520
systemMayContain: 1.2.840.113556.1.2.519
systemMayContain: 1.2.840.113556.1.2.390
systemMayContain: 1.2.840.113556.1.2.392
systemMayContain: 1.2.840.113556.1.2.389
systemMayContain: 1.2.840.113556.1.2.391
systemMayContain: 1.2.840.113556.1.2.301
systemMayContain: 1.2.840.113556.1.2.575
systemMayContain: 1.2.840.113556.1.2.212
systemMayContain: 1.2.840.113556.1.4.1213
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: rXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Directory-Cfg,CN=Schema,CN=Configuration,DC=X

dn: CN=NNTP-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: nNTPNewsfeed
adminDisplayName: NNTP-Newsfeed
adminDescription: NNTP-Newsfeed
governsId: 1.2.840.113556.1.3.78
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.2.495
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.484
systemMayContain: 1.2.840.113556.1.2.492
systemMayContain: 1.2.840.113556.1.2.560
systemMayContain: 1.2.840.113556.1.2.313
systemMayContain: 1.2.840.113556.1.2.520
systemMayContain: 1.2.840.113556.1.2.519
systemMayContain: 1.2.840.113556.1.2.527
systemMayContain: 1.2.840.113556.1.2.490
systemMayContain: 1.2.840.113556.1.2.496
systemMayContain: 1.2.840.113556.1.2.522
systemMayContain: 1.2.840.113556.1.2.488
systemMayContain: 1.2.840.113556.1.2.511
systemMayContain: 1.2.840.113556.1.2.498
systemMayContain: 1.2.840.113556.1.2.497
systemMayContain: 1.2.840.113556.1.2.543
systemMayContain: 1.2.840.113556.1.2.521
systemMayContain: 1.2.840.113556.1.2.491
systemMayContain: 1.2.840.113556.1.2.554
systemMayContain: 1.2.840.113556.1.2.494
systemMayContain: 1.2.840.113556.1.2.489
systemMayContain: 1.2.840.113556.1.2.553
systemMayContain: 1.2.840.113556.1.2.555
systemMayContain: 1.2.840.113556.1.2.557
systemMayContain: 1.2.840.113556.1.2.558
systemMayContain: 1.2.840.113556.1.2.525
systemMayContain: 1.2.840.113556.1.2.276
systemMayContain: 1.2.840.113556.1.2.493
systemMayContain: 1.2.840.113556.1.2.193
systemMayContain: 1.2.840.113556.1.2.501
systemMayContain: 1.2.840.113556.1.2.512
systemMayContain: 1.2.840.113556.1.2.212
systemMayContain: 1.2.840.113556.1.2.73
systemMayContain: 1.2.840.113556.1.2.213
systemMayContain: 1.2.840.113556.1.4.1213
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: qXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NNTP-Newsfeed,CN=Schema,CN=Configuration,DC=X

dn: CN=DXA-Site-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: dXASiteServer
adminDisplayName: DXA-Site-Server
adminDescription: DXA-Site-Server
governsId: 1.2.840.113556.1.3.60
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.298
systemMayContain: 1.2.840.113556.1.2.113
systemMayContain: 1.2.840.113556.1.2.379
systemMayContain: 1.2.840.113556.1.2.378
systemMayContain: 1.2.840.113556.1.2.73
systemMayContain: 1.2.840.113556.1.2.213
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: sHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=DXA-Site-Server,CN=Schema,CN=Configuration,DC=X

dn: CN=MSMQ-Site-Link,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mSMQSiteLink
adminDisplayName: MSMQ-Site-Link
adminDescription: MSMQ-Site-Link
governsId: 1.2.840.113556.1.5.164
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.945
systemMayContain: 1.2.840.113556.1.4.944
systemMayContain: 1.2.840.113556.1.4.943
systemMayContain: 1.2.840.113556.1.4.946
systemPossSuperiors: 1.2.840.113556.1.5.31
schemaIdGuid:: RsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=MSMQ-Site-Link,CN=Schema,CN=Configuration,DC=X

dn: CN=MSMQ-Settings,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mSMQSettings
adminDisplayName: MSMQ-Settings
adminDescription: MSMQ-Settings
governsId: 1.2.840.113556.1.5.165
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.950
systemMayContain: 1.2.840.113556.1.4.951
systemMayContain: 1.2.840.113556.1.4.925
systemMayContain: 1.2.840.113556.1.4.952
systemPossSuperiors: 1.2.840.113556.1.5.17
schemaIdGuid:: R8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=MSMQ-Settings,CN=Schema,CN=Configuration,DC=X

dn: CN=EAP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: eAP
adminDisplayName: EAP
adminDescription: EAP
governsId: 1.2.840.113556.1.5.167
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1210
systemMayContain: 1.2.840.113556.1.4.1211
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 2ZAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=EAP,CN=Schema,CN=Configuration,DC=X

dn: CN=Transport-Stack,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: transportStack
adminDisplayName: Transport-Stack
adminDescription: Transport-Stack
governsId: 1.2.840.113556.1.3.18
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.443
systemMayContain: 1.2.840.113556.1.2.283
systemMayContain: 1.2.840.113556.1.2.284
systemMayContain: 1.2.840.113556.1.2.285
systemMayContain: 1.2.840.113556.1.2.222
systemMayContain: 1.2.840.113556.1.2.282
systemPossSuperiors: 1.2.840.113556.1.3.49
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: container
schemaIdGuid:: 3XTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Transport-Stack,CN=Schema,CN=Configuration,DC=X

dn: CN=Mail-Connector,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mailConnector
adminDisplayName: Mail-Connector
adminDescription: Mail-Connector
governsId: 1.2.840.113556.1.3.61
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.51
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: tnTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Mail-Connector,CN=Schema,CN=Configuration,DC=X

dn: CN=MSMQ-Enterprise-Settings,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mSMQEnterpriseSettings
adminDisplayName: MSMQ-Enterprise-Settings
adminDescription: MSMQ-Enterprise-Settings
governsId: 1.2.840.113556.1.5.163
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.942
systemMayContain: 1.2.840.113556.1.4.939
systemMayContain: 1.2.840.113556.1.4.941
systemMayContain: 1.2.840.113556.1.4.940
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: RcMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=MSMQ-Enterprise-Settings,CN=Schema,CN=Configuration,DC=X

dn: CN=Encryption-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: encryptionCfg
adminDisplayName: Encryption-Cfg
adminDescription: Encryption-Cfg
governsId: 1.2.840.113556.1.3.16
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.571
systemMayContain: 1.2.840.113556.1.2.570
systemMayContain: 1.2.840.113556.1.2.569
systemMayContain: 1.2.840.113556.1.2.568
systemMayContain: 1.2.840.113556.1.2.440
systemMayContain: 1.2.840.113556.1.2.397
systemMayContain: 1.2.840.113556.1.2.401
systemMayContain: 1.2.840.113556.1.2.399
systemMayContain: 1.2.840.113556.1.2.130
systemMayContain: 1.2.840.113556.1.2.572
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: sXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Encryption-Cfg,CN=Schema,CN=Configuration,DC=X

dn: CN=Site-Connector,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: siteConnector
adminDisplayName: Site-Connector
adminDescription: Site-Connector
governsId: 1.2.840.113556.1.3.50
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.259
systemMayContain: 1.2.840.113556.1.2.354
systemMayContain: 1.2.840.113556.1.2.171
systemMayContain: 1.2.840.113556.1.2.147
systemMayContain: 1.2.840.113556.1.2.135
systemMayContain: 1.2.840.113556.1.2.463
systemMayContain: 1.2.840.113556.1.2.276
systemMayContain: 1.2.840.113556.1.2.193
systemMayContain: 1.2.840.113556.1.2.202
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 2nTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Site-Connector,CN=Schema,CN=Configuration,DC=X

dn: CN=DX-Server-Conn,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: dXServerConn
adminDisplayName: DX-Server-Conn
adminDescription: DX-Server-Conn
governsId: 1.2.840.113556.1.3.20
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.2
systemPossSuperiors: 1.2.840.113556.1.3.60
schemaIdGuid:: r3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=DX-Server-Conn,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-POP,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgPOP
adminDisplayName: Protocol-Cfg-POP
adminDescription: Protocol-Cfg-POP
governsId: 1.2.840.113556.1.3.69
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.68
systemMayContain: 1.2.840.113556.1.2.608
systemMayContain: 1.2.840.113556.1.2.9
systemMayContain: 1.2.840.113556.1.2.607
systemMayContain: 1.2.840.113556.1.2.337
systemPossSuperiors: 1.2.840.113556.1.3.67
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: zXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-POP,CN=Schema,CN=Configuration,DC=X

dn: CN=MHS-Link-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mHSLinkMonitoringConfig
adminDisplayName: MHS-Link-Monitoring-Config
adminDescription: MHS-Link-Monitoring-Config
governsId: 1.2.840.113556.1.3.12
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.6
systemMayContain: 1.2.840.113556.1.2.56
systemMayContain: 1.2.840.113556.1.2.157
systemMayContain: 1.2.840.113556.1.2.387
systemMayContain: 1.2.840.113556.1.2.159
systemMayContain: 1.2.840.113556.1.2.57
systemMayContain: 1.2.840.113556.1.2.158
systemMayContain: 1.2.840.113556.1.2.156
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: uXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MHS-Link-Monitoring-Config,CN=Schema,CN=Configuration,DC=X

dn: CN=Site-Addressing,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: siteAddressing
adminDisplayName: Site-Addressing
adminDescription: Site-Addressing
governsId: 1.2.840.113556.1.3.0
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.385
systemMayContain: 1.2.840.113556.1.2.354
systemMayContain: 1.2.840.113556.1.2.346
systemMayContain: 1.2.840.113556.1.2.167
systemMayContain: 1.2.840.113556.1.2.302
systemMayContain: 1.2.840.113556.1.2.44
systemMayContain: 1.2.840.113556.1.2.541
systemMayContain: 1.2.840.113556.1.2.73
systemMayContain: 1.2.840.113556.1.2.213
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 2XTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Site-Addressing,CN=Schema,CN=Configuration,DC=X

dn: CN=Admin-Extension,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: adminExtension
adminDisplayName: Admin-Extension
adminDescription: Admin-Extension
governsId: 1.2.840.113556.1.3.21
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.2.178
systemMustContain: 2.5.4.3
systemMustContain: 1.2.840.113556.1.2.95
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: rHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Admin-Extension,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-POP-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgPOPServer
adminDisplayName: Protocol-Cfg-POP-Server
adminDescription: Protocol-Cfg-POP-Server
governsId: 1.2.840.113556.1.3.71
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.69
systemPossSuperiors: 1.2.840.113556.1.3.67
schemaIdGuid:: znTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-POP-Server,CN=Schema,CN=Configuration,DC=X

dn: CN=MHS-Public-Store,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mHSPublicStore
adminDisplayName: MHS-Public-Store
adminDescription: MHS-Public-Store
governsId: 1.2.840.113556.1.3.28
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemAuxiliaryClass: 1.2.840.113556.1.3.46
systemMustContain: 1.2.840.113556.1.2.241
systemMayContain: 1.2.840.113556.1.2.266
systemMayContain: 1.2.840.113556.1.2.272
systemMayContain: 1.2.840.113556.1.2.458
systemMayContain: 1.2.840.113556.1.2.189
systemMayContain: 1.2.840.113556.1.2.106
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: container
schemaIdGuid:: vHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MHS-Public-Store,CN=Schema,CN=Configuration,DC=X

dn: CN=Add-In,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: addIn
adminDisplayName: Add-In
adminDescription: Add-In
governsId: 1.2.840.113556.1.3.36
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.2.20
systemMustContain: 2.5.4.3
systemMayContain: 2.5.4.32
systemMayContain: 1.2.840.113556.1.2.73
systemMayContain: 1.2.840.113556.1.2.213
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: qnTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Add-In,CN=Schema,CN=Configuration,DC=X

dn: CN=RFC1006-Stack,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: rFC1006Stack
adminDisplayName: RFC1006-Stack
adminDescription: RFC1006-Stack
governsId: 1.2.840.113556.1.3.24
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.18
systemPossSuperiors: 1.2.840.113556.1.3.49
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: container
schemaIdGuid:: 13TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=RFC1006-Stack,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-LDAP-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgLDAPServer
adminDisplayName: Protocol-Cfg-LDAP-Server
adminDescription: Protocol-Cfg-LDAP-Server
governsId: 1.2.840.113556.1.3.77
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.75
systemMayContain: 1.2.840.113556.1.2.510
systemPossSuperiors: 1.2.840.113556.1.3.67
schemaIdGuid:: yHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-LDAP-Server,CN=Schema,CN=Configuration,DC=X

dn: CN=Protocol-Cfg-IMAP-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgIMAPServer
adminDisplayName: Protocol-Cfg-IMAP-Server
adminDescription: Protocol-Cfg-IMAP-Server
governsId: 1.2.840.113556.1.3.85
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.84
systemPossSuperiors: 1.2.840.113556.1.3.67
schemaIdGuid:: xXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-IMAP-Server,CN=Schema,CN=Configuration,DC=X

dn: CN=MS-Mail-Connector,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mSMailConnector
adminDisplayName: MS-Mail-Connector
adminDescription: MS-Mail-Connector
governsId: 1.2.840.113556.1.3.31
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.51
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: vnTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MS-Mail-Connector,CN=Schema,CN=Configuration,DC=X

dn: CN=msRADIUSProfile,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msRADIUSProfile
adminDisplayName: msRADIUSProfile
adminDescription: msRADIUSProfile
governsId: 1.2.840.113556.1.5.166
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1188
systemMayContain: 1.2.840.113556.1.4.1187
systemMayContain: 1.2.840.113556.1.4.739
systemMayContain: 1.2.840.113556.1.4.738
systemMayContain: 1.2.840.113556.1.4.737
systemMayContain: 1.2.840.113556.1.4.1181
systemMayContain: 1.2.840.113556.1.4.1180
systemMayContain: 1.2.840.113556.1.4.1179
systemMayContain: 1.2.840.113556.1.4.1178
systemMayContain: 1.2.840.113556.1.4.1177
systemMayContain: 1.2.840.113556.1.4.1176
systemMayContain: 1.2.840.113556.1.4.1175
systemMayContain: 1.2.840.113556.1.4.1174
systemMayContain: 1.2.840.113556.1.4.1173
systemMayContain: 1.2.840.113556.1.4.1172
systemMayContain: 1.2.840.113556.1.4.1171
systemMayContain: 1.2.840.113556.1.4.1170
systemMayContain: 1.2.840.113556.1.4.1169
systemMayContain: 1.2.840.113556.1.4.1168
systemMayContain: 1.2.840.113556.1.4.1167
systemMayContain: 1.2.840.113556.1.4.1166
systemMayContain: 1.2.840.113556.1.4.1165
systemMayContain: 1.2.840.113556.1.4.1164
systemMayContain: 1.2.840.113556.1.4.1163
systemMayContain: 1.2.840.113556.1.4.1162
systemMayContain: 1.2.840.113556.1.4.1161
systemMayContain: 1.2.840.113556.1.4.1160
systemMayContain: 1.2.840.113556.1.4.1159
systemMayContain: 1.2.840.113556.1.4.1158
systemMayContain: 1.2.840.113556.1.4.1157
systemMayContain: 1.2.840.113556.1.4.1156
systemMayContain: 1.2.840.113556.1.4.1155
systemMayContain: 1.2.840.113556.1.4.1154
systemMayContain: 1.2.840.113556.1.4.1153
systemMayContain: 1.2.840.113556.1.4.1152
systemMayContain: 1.2.840.113556.1.4.1151
systemMayContain: 1.2.840.113556.1.4.1150
systemMayContain: 1.2.840.113556.1.4.1149
systemMayContain: 1.2.840.113556.1.4.1148
systemMayContain: 1.2.840.113556.1.4.1146
systemMayContain: 1.2.840.113556.1.4.1145
systemMayContain: 1.2.840.113556.1.4.1144
systemMayContain: 1.2.840.113556.1.4.1140
systemMayContain: 1.2.840.113556.1.4.1139
systemMayContain: 1.2.840.113556.1.4.1138
systemMayContain: 1.2.840.113556.1.4.1137
systemMayContain: 1.2.840.113556.1.4.1135
systemMayContain: 1.2.840.113556.1.4.1134
systemMayContain: 1.2.840.113556.1.4.1133
systemMayContain: 1.2.840.113556.1.4.1132
systemMayContain: 1.2.840.113556.1.4.1128
systemMayContain: 1.2.840.113556.1.4.1126
systemMayContain: 1.2.840.113556.1.4.1124
systemMayContain: 1.2.840.113556.1.4.1123
systemMayContain: 1.2.840.113556.1.4.1122
systemMayContain: 1.2.840.113556.1.4.1121
systemMayContain: 1.2.840.113556.1.4.1120
systemMayContain: 1.2.840.113556.1.4.1119
systemMayContain: 1.2.840.113556.1.4.1118
systemMayContain: 1.2.840.113556.1.4.1117
systemMayContain: 1.2.840.113556.1.4.1116
systemMayContain: 1.2.840.113556.1.4.1115
systemMayContain: 1.2.840.113556.1.4.1114
systemMayContain: 1.2.840.113556.1.4.1113
systemMayContain: 1.2.840.113556.1.4.1112
systemMayContain: 1.2.840.113556.1.4.1111
systemMayContain: 1.2.840.113556.1.4.1110
systemMayContain: 1.2.840.113556.1.4.1109
systemMayContain: 1.2.840.113556.1.4.1108
systemMayContain: 1.2.840.113556.1.4.1107
systemMayContain: 1.2.840.113556.1.4.1106
systemMayContain: 1.2.840.113556.1.4.1105
systemMayContain: 1.2.840.113556.1.4.1104
systemMayContain: 1.2.840.113556.1.4.1103
systemMayContain: 1.2.840.113556.1.4.1102
systemMayContain: 1.2.840.113556.1.4.1101
systemMayContain: 1.2.840.113556.1.4.1100
systemMayContain: 1.2.840.113556.1.4.1099
systemMayContain: 1.2.840.113556.1.4.1098
systemMayContain: 1.2.840.113556.1.4.1097
systemMayContain: 1.2.840.113556.1.4.1096
systemMayContain: 1.2.840.113556.1.4.1095
systemMayContain: 1.2.840.113556.1.4.1094
systemMayContain: 1.2.840.113556.1.4.1093
systemMayContain: 1.2.840.113556.1.4.1092
systemMayContain: 1.2.840.113556.1.4.1091
systemMayContain: 1.2.840.113556.1.4.1090
systemMayContain: 1.2.840.113556.1.4.1089
systemMayContain: 1.2.840.113556.1.4.1088
systemMayContain: 1.2.840.113556.1.4.1087
systemMayContain: 1.2.840.113556.1.4.1086
systemMayContain: 1.2.840.113556.1.4.1085
systemMayContain: 1.2.840.113556.1.4.1084
systemMayContain: 1.2.840.113556.1.4.1083
systemMayContain: 1.2.840.113556.1.4.1082
systemMayContain: 1.2.840.113556.1.4.1081
systemMayContain: 1.2.840.113556.1.4.1080
systemMayContain: 1.2.840.113556.1.4.1079
systemMayContain: 1.2.840.113556.1.4.1078
systemMayContain: 1.2.840.113556.1.4.1077
systemMayContain: 1.2.840.113556.1.4.1076
systemMayContain: 1.2.840.113556.1.4.1075
systemMayContain: 1.2.840.113556.1.4.1074
systemMayContain: 1.2.840.113556.1.4.1073
systemMayContain: 1.2.840.113556.1.4.1072
systemMayContain: 1.2.840.113556.1.4.1071
systemMayContain: 1.2.840.113556.1.4.1070
systemMayContain: 1.2.840.113556.1.4.1069
systemMayContain: 1.2.840.113556.1.4.1068
systemMayContain: 1.2.840.113556.1.4.1067
systemMayContain: 1.2.840.113556.1.4.1066
systemMayContain: 1.2.840.113556.1.4.1065
systemMayContain: 1.2.840.113556.1.4.1064
systemMayContain: 1.2.840.113556.1.4.1063
systemMayContain: 1.2.840.113556.1.4.1062
systemMayContain: 1.2.840.113556.1.4.1061
systemMayContain: 1.2.840.113556.1.4.1060
systemMayContain: 1.2.840.113556.1.4.1059
systemMayContain: 1.2.840.113556.1.4.1058
systemMayContain: 1.2.840.113556.1.4.1057
systemMayContain: 1.2.840.113556.1.4.1056
systemMayContain: 1.2.840.113556.1.4.1055
systemMayContain: 1.2.840.113556.1.4.1054
systemMayContain: 1.2.840.113556.1.4.1053
systemMayContain: 1.2.840.113556.1.4.1052
systemMayContain: 1.2.840.113556.1.4.1051
systemMayContain: 1.2.840.113556.1.4.1050
systemMayContain: 1.2.840.113556.1.4.1049
systemMayContain: 1.2.840.113556.1.4.1048
systemMayContain: 1.2.840.113556.1.4.1047
systemMayContain: 1.2.840.113556.1.4.1046
systemMayContain: 1.2.840.113556.1.4.1045
systemMayContain: 1.2.840.113556.1.4.1044
systemMayContain: 1.2.840.113556.1.4.1043
systemMayContain: 1.2.840.113556.1.4.1042
systemMayContain: 1.2.840.113556.1.4.1041
systemMayContain: 1.2.840.113556.1.4.1040
systemMayContain: 1.2.840.113556.1.4.1039
systemMayContain: 1.2.840.113556.1.4.1038
systemMayContain: 1.2.840.113556.1.4.1037
systemMayContain: 1.2.840.113556.1.4.1036
systemMayContain: 1.2.840.113556.1.4.1035
systemMayContain: 1.2.840.113556.1.4.1034
systemMayContain: 1.2.840.113556.1.4.1033
systemMayContain: 1.2.840.113556.1.4.1032
systemMayContain: 1.2.840.113556.1.4.1031
systemMayContain: 1.2.840.113556.1.4.1030
systemMayContain: 1.2.840.113556.1.4.1029
systemMayContain: 1.2.840.113556.1.4.1028
systemMayContain: 1.2.840.113556.1.4.1027
systemMayContain: 1.2.840.113556.1.4.1026
systemMayContain: 1.2.840.113556.1.4.1025
systemMayContain: 1.2.840.113556.1.4.1024
systemMayContain: 1.2.840.113556.1.4.1023
systemMayContain: 1.2.840.113556.1.4.1022
systemMayContain: 1.2.840.113556.1.4.1021
systemMayContain: 1.2.840.113556.1.4.1020
systemMayContain: 1.2.840.113556.1.4.1019
systemMayContain: 1.2.840.113556.1.4.1018
systemMayContain: 1.2.840.113556.1.4.1017
systemMayContain: 1.2.840.113556.1.4.1016
systemMayContain: 1.2.840.113556.1.4.1015
systemMayContain: 1.2.840.113556.1.4.1014
systemMayContain: 1.2.840.113556.1.4.1013
systemMayContain: 1.2.840.113556.1.4.1012
systemMayContain: 1.2.840.113556.1.4.1011
systemMayContain: 1.2.840.113556.1.4.1010
systemMayContain: 1.2.840.113556.1.4.1009
systemMayContain: 1.2.840.113556.1.4.1008
systemMayContain: 1.2.840.113556.1.4.1007
systemMayContain: 1.2.840.113556.1.4.1006
systemMayContain: 1.2.840.113556.1.4.1005
systemMayContain: 1.2.840.113556.1.4.1004
systemMayContain: 1.2.840.113556.1.4.1003
systemMayContain: 1.2.840.113556.1.4.1002
systemMayContain: 1.2.840.113556.1.4.1001
systemMayContain: 1.2.840.113556.1.4.1000
systemMayContain: 1.2.840.113556.1.4.999
systemMayContain: 1.2.840.113556.1.4.998
systemMayContain: 1.2.840.113556.1.4.997
systemMayContain: 1.2.840.113556.1.4.996
systemMayContain: 1.2.840.113556.1.4.995
systemMayContain: 1.2.840.113556.1.4.994
systemMayContain: 1.2.840.113556.1.4.993
systemMayContain: 1.2.840.113556.1.4.992
systemMayContain: 1.2.840.113556.1.4.991
systemMayContain: 1.2.840.113556.1.4.990
systemMayContain: 1.2.840.113556.1.4.989
systemMayContain: 1.2.840.113556.1.4.988
systemMayContain: 1.2.840.113556.1.4.987
systemMayContain: 1.2.840.113556.1.4.986
systemMayContain: 1.2.840.113556.1.4.985
systemMayContain: 1.2.840.113556.1.4.984
systemMayContain: 1.2.840.113556.1.4.983
systemMayContain: 1.2.840.113556.1.4.982
systemMayContain: 1.2.840.113556.1.4.981
systemMayContain: 1.2.840.113556.1.4.980
systemMayContain: 1.2.840.113556.1.4.979
systemMayContain: 1.2.840.113556.1.4.978
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 2JAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msRADIUSProfile,CN=Schema,CN=Configuration,DC=X
dn: CN=MHS-Message-Store,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mHSMessageStore
adminDisplayName: MHS-Message-Store
adminDescription: MHS-Message-Store
governsId: 1.2.840.113556.1.3.56
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemAuxiliaryClass: 1.2.840.113556.1.3.46
systemMustContain: 1.2.840.113556.1.2.241
systemMayContain: 1.2.840.113556.1.2.266
systemMayContain: 1.2.840.113556.1.2.272
systemMayContain: 1.2.840.113556.1.2.458
systemMayContain: 1.2.840.113556.1.2.441
systemMayContain: 1.2.840.113556.1.2.189
systemMayContain: 1.2.840.113556.1.2.106
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: container
schemaIdGuid:: unTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MHS-Message-Store,CN=Schema,CN=Configuration,DC=X
dn: CN=Protocol-Cfg-HTTP-Site,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgHTTPSite
adminDisplayName: Protocol-Cfg-HTTP-Site
adminDescription: Protocol-Cfg-HTTP-Site
governsId: 1.2.840.113556.1.3.81
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.79
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: w3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-HTTP-Site,CN=Schema,CN=Configuration,DC=X
dn: CN=Protocol-Cfg-NNTP-Site,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgNNTPSite
adminDisplayName: Protocol-Cfg-NNTP-Site
adminDescription: Protocol-Cfg-NNTP-Site
governsId: 1.2.840.113556.1.3.73
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.72
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: zHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-NNTP-Site,CN=Schema,CN=Configuration,DC=X
dn: CN=msRADIUSVendors,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msRADIUSVendors
adminDisplayName: msRADIUSVendors
adminDescription: msRADIUSVendors
governsId: 1.2.840.113556.1.5.170
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1182
systemMayContain: 1.2.840.113556.1.4.1192
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 3JAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msRADIUSVendors,CN=Schema,CN=Configuration,DC=X
dn: CN=MTA-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mTACfg
adminDisplayName: MTA-Cfg
adminDescription: MTA-Cfg
governsId: 1.2.840.113556.1.3.3
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.53
systemMayContain: 1.2.840.113556.1.2.67
systemMayContain: 1.2.840.113556.1.2.84
systemMayContain: 1.2.840.113556.1.2.150
systemMayContain: 1.2.840.113556.1.2.142
systemMayContain: 1.2.840.113556.1.2.137
systemMayContain: 1.2.840.113556.1.2.136
systemMayContain: 1.2.840.113556.1.2.133
systemMayContain: 1.2.840.113556.1.2.329
systemMayContain: 1.2.840.113556.1.2.154
systemMayContain: 1.2.840.113556.1.2.153
systemMayContain: 1.2.840.113556.1.2.151
systemMayContain: 1.2.840.113556.1.2.152
systemMayContain: 1.2.840.113556.1.2.143
systemMayContain: 1.2.840.113556.1.2.134
systemMayContain: 1.2.840.113556.1.2.148
systemMayContain: 1.2.840.113556.1.2.453
systemMayContain: 1.2.840.113556.1.2.145
systemMayContain: 1.2.840.113556.1.2.149
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: qHTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MTA-Cfg,CN=Schema,CN=Configuration,DC=X
dn: CN=Virtual-Computer,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: virtualComputer
adminDisplayName: Virtual-Computer
adminDescription: Virtual-Computer
governsId: 1.2.840.113556.1.5.160
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.30
schemaIdGuid:: QsMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=X
dn: CN=msNetworkPolicy,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msNetworkPolicy
adminDisplayName: msNetworkPolicy
adminDescription: msNetworkPolicy
governsId: 1.2.840.113556.1.5.168
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1131
systemMayContain: 1.2.840.113556.1.4.1135
systemMayContain: 1.2.840.113556.1.4.1134
systemMayContain: 1.2.840.113556.1.4.1129
systemMayContain: 1.2.840.113556.1.4.1126
systemMayContain: 1.2.840.113556.1.4.977
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 2pAM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msNetworkPolicy,CN=Schema,CN=Configuration,DC=X
dn: CN=MHS-Server-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mHSServerMonitoringConfig
adminDisplayName: MHS-Server-Monitoring-Config
adminDescription: MHS-Server-Monitoring-Config
governsId: 1.2.840.113556.1.3.7
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.6
systemMayContain: 1.2.840.113556.1.2.58
systemMayContain: 1.2.840.113556.1.2.162
systemMayContain: 1.2.840.113556.1.2.60
systemMayContain: 1.2.840.113556.1.2.59
systemMayContain: 1.2.840.113556.1.2.161
systemMayContain: 1.2.840.113556.1.2.160
systemMayContain: 1.2.840.113556.1.2.163
systemMayContain: 1.2.840.113556.1.2.166
systemMayContain: 1.2.840.113556.1.2.177
systemMayContain: 1.2.840.113556.1.2.164
systemMayContain: 1.2.840.113556.1.2.165
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: vXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MHS-Server-Monitoring-Config,CN=Schema,CN=Configuration,DC=X
dn: CN=Cluster-Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: clusterOrganizationalUnit
adminDisplayName: Cluster-Organizational-Unit
adminDescription: Cluster-Organizational-Unit
governsId: 1.2.840.113556.1.5.159
objectClassCategory: 1
rdnAttId: 2.5.4.11
subClassOf: 2.5.6.5
schemaIdGuid:: QcMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Cluster-Organizational-Unit,CN=Schema,CN=Configuration,DC=X
dn: CN=RAS-X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: rASX400Link
adminDisplayName: RAS-X400-Link
adminDescription: RAS-X400-Link
governsId: 1.2.840.113556.1.3.34
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.29
systemMayContain: 1.2.840.113556.1.2.78
systemMayContain: 1.2.840.113556.1.2.313
systemMayContain: 1.2.840.113556.1.2.314
systemMayContain: 1.2.840.113556.1.2.315
systemMayContain: 1.2.840.113556.1.2.276
systemMayContain: 1.2.840.113556.1.2.193
systemMayContain: 1.2.840.113556.1.2.202
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 1HTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=RAS-X400-Link,CN=Schema,CN=Configuration,DC=X
dn: CN=X25-Stack,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: x25Stack
adminDisplayName: X25-Stack
adminDescription: X25-Stack
governsId: 1.2.840.113556.1.3.27
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.18
systemMustContain: 1.2.840.113556.1.2.321
systemMayContain: 1.2.840.113556.1.2.372
systemMayContain: 1.2.840.113556.1.2.318
systemMayContain: 1.2.840.113556.1.2.316
systemPossSuperiors: 1.2.840.113556.1.3.49
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: container
schemaIdGuid:: 3nTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=X25-Stack,CN=Schema,CN=Configuration,DC=X
dn: CN=Protocol-Cfg-NNTP-Server,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgNNTPServer
adminDisplayName: Protocol-Cfg-NNTP-Server
adminDescription: Protocol-Cfg-NNTP-Server
governsId: 1.2.840.113556.1.3.74
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.72
systemPossSuperiors: 1.2.840.113556.1.3.67
schemaIdGuid:: y3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-NNTP-Server,CN=Schema,CN=Configuration,DC=X
dn: CN=Residential-Person,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: residentialPerson
adminDisplayName: Residential-Person
adminDescription: Residential-Person
governsId: 2.5.6.10
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.6
systemMayContain: 2.5.4.24
systemMayContain: 2.5.4.12
systemMayContain: 2.5.4.21
systemMayContain: 2.5.4.22
systemMayContain: 2.5.4.9
systemMayContain: 2.5.4.8
systemMayContain: 2.5.4.26
systemMayContain: 2.5.4.28
systemMayContain: 2.5.4.17
systemMayContain: 2.5.4.16
systemMayContain: 2.5.4.18
systemMayContain: 2.5.4.19
systemMayContain: 2.5.4.11
systemMayContain: 2.5.4.7
systemMayContain: 2.5.4.25
systemMayContain: 2.5.4.23
systemMayContain: 2.5.4.27
systemMayContain: 2.5.4.15
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 1nTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Residential-Person,CN=Schema,CN=Configuration,DC=X
dn: CN=TP4-Stack,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: tP4Stack
adminDisplayName: TP4-Stack
adminDescription: TP4-Stack
governsId: 1.2.840.113556.1.3.25
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.18
systemPossSuperiors: 1.2.840.113556.1.3.49
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: container
schemaIdGuid:: 23TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=TP4-Stack,CN=Schema,CN=Configuration,DC=X
dn: CN=MSMQ-Configuration,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mSMQConfiguration
adminDisplayName: MSMQ-Configuration
adminDescription: MSMQ-Configuration
governsId: 1.2.840.113556.1.5.162
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.927
systemMayContain: 1.2.840.113556.1.4.937
systemMayContain: 1.2.840.113556.1.4.930
systemMayContain: 1.2.840.113556.1.4.919
systemMayContain: 1.2.840.113556.1.4.925
systemMayContain: 1.2.840.113556.1.4.928
systemMayContain: 1.2.840.113556.1.4.935
systemMayContain: 1.2.840.113556.1.4.921
systemMayContain: 1.2.840.113556.1.4.929
systemMayContain: 1.2.840.113556.1.4.934
systemMayContain: 1.2.840.113556.1.4.936
systemMayContain: 1.2.840.113556.1.4.933
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: RMMNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=MSMQ-Configuration,CN=Schema,CN=Configuration,DC=X
dn: CN=Local-DXA,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: localDXA
adminDisplayName: Local-DXA
adminDescription: Local-DXA
governsId: 1.2.840.113556.1.3.1
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemAuxiliaryClass: 1.2.840.113556.1.3.46
systemMustContain: 1.2.840.113556.1.2.241
systemMayContain: 1.2.840.113556.1.2.365
systemMayContain: 1.2.840.113556.1.2.364
systemMayContain: 1.2.840.113556.1.2.363
systemMayContain: 1.2.840.113556.1.2.381
systemMayContain: 1.2.840.113556.1.2.189
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: container
schemaIdGuid:: tXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Local-DXA,CN=Schema,CN=Configuration,DC=X
dn: CN=RAS-Stack,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: rASStack
adminDisplayName: RAS-Stack
adminDescription: RAS-Stack
governsId: 1.2.840.113556.1.3.26
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.18
systemMayContain: 1.2.840.113556.1.2.315
systemMayContain: 1.2.840.113556.1.2.236
systemPossSuperiors: 1.2.840.113556.1.3.49
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: container
schemaIdGuid:: 03TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=RAS-Stack,CN=Schema,CN=Configuration,DC=X
dn: CN=Addr-Type,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: addrType
adminDisplayName: Addr-Type
adminDescription: Addr-Type
governsId: 1.2.840.113556.1.3.57
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.2.328
systemMustContain: 1.2.840.113556.1.2.178
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.2.523
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: q3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Addr-Type,CN=Schema,CN=Configuration,DC=X
dn: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: organizationalRole
adminDisplayName: Organizational-Role
adminDescription: Organizational-Role
governsId: 2.5.6.8
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 2.5.4.24
systemMayContain: 2.5.4.21
systemMayContain: 2.5.4.22
systemMayContain: 2.5.4.20
systemMayContain: 2.5.4.9
systemMayContain: 2.5.4.8
systemMayContain: 2.5.4.34
systemMayContain: 2.5.4.33
systemMayContain: 2.5.4.26
systemMayContain: 2.5.4.28
systemMayContain: 2.5.4.17
systemMayContain: 2.5.4.16
systemMayContain: 2.5.4.18
systemMayContain: 2.5.4.19
systemMayContain: 2.5.4.11
systemMayContain: 2.5.4.7
systemMayContain: 2.5.4.25
systemMayContain: 2.5.4.23
systemMayContain: 2.5.4.27
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: v3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=X
dn: CN=X25-X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: x25X400Link
adminDisplayName: X25-X400-Link
adminDescription: X25-X400-Link
governsId: 1.2.840.113556.1.3.35
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.29
systemMayContain: 1.2.840.113556.1.2.373
systemMayContain: 1.2.840.113556.1.2.319
systemMayContain: 1.2.840.113556.1.2.318
systemMayContain: 1.2.840.113556.1.2.317
systemMayContain: 1.2.840.113556.1.2.316
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 33TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=X25-X400-Link,CN=Schema,CN=Configuration,DC=X
dn: CN=msRADIUSDictionary,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msRADIUSDictionary
adminDisplayName: msRADIUSDictionary
adminDescription: msRADIUSDictionary
governsId: 1.2.840.113556.1.5.169
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1142
systemMustContain: 1.2.840.113556.1.4.1141
systemMayContain: 1.2.840.113556.1.4.1183
systemMayContain: 1.2.840.113556.1.4.1143
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 25AM2/LB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msRADIUSDictionary,CN=Schema,CN=Configuration,DC=X
dn: CN=Protocol-Cfg-POP-Site,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgPOPSite
adminDisplayName: Protocol-Cfg-POP-Site
adminDescription: Protocol-Cfg-POP-Site
governsId: 1.2.840.113556.1.3.70
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.69
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: z3TfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-POP-Site,CN=Schema,CN=Configuration,DC=X
dn: CN=Attribute-Types,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemFlags
systemFlags: 8000004
-
dn: CN=DIT-Content-Rules,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemFlags
systemFlags: 8000004
-
dn: CN=Extended-Attribute-Info,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemFlags
systemFlags: 8000004
-
dn: CN=Extended-Class-Info,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemFlags
systemFlags: 8000004
-
dn: CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemFlags
systemFlags: 8000004
-
dn: CN=Object-Classes,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemFlags
systemFlags: 8000004
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=SubSchema,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: subSchema
adminDisplayName: SubSchema
adminDescription: SubSchema
governsId: 2.5.20.1
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 2.5.21.6
systemMayContain: 2.5.18.2
systemMayContain: 1.2.840.113556.1.4.908
systemMayContain: 1.2.840.113556.1.4.909
systemMayContain: 2.5.21.2
systemMayContain: 2.5.21.5
systemPossSuperiors: 1.2.840.113556.1.3.9
schemaIdGuid:: YTKLWo3D0RG7yQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=SubSchema,CN=Schema,CN=Configuration,DC=X
dn: CN=Attribute-Types,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 8000004
-
dn: CN=DIT-Content-Rules,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 8000004
-
dn: CN=Extended-Attribute-Info,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 8000004
-
dn: CN=Extended-Class-Info,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 8000004
-
dn: CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 8000004
-
dn: CN=Object-Classes,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 8000004
-
dn: CN=DX-Requestor,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: dXRequestor
adminDisplayName: DX-Requestor
adminDescription: DX-Requestor
governsId: 1.2.840.113556.1.3.19
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.2
systemMayContain: 1.2.840.113556.1.2.73
systemMayContain: 1.2.840.113556.1.2.213
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: rnTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=DX-Requestor,CN=Schema,CN=Configuration,DC=X
dn: CN=TP4-X400-Link,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: tP4X400Link
adminDisplayName: TP4-X400-Link
adminDescription: TP4-X400-Link
governsId: 1.2.840.113556.1.3.33
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.29
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 3HTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=TP4-X400-Link,CN=Schema,CN=Configuration,DC=X
dn: CN=MSMQ-Queue,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: mSMQQueue
adminDisplayName: MSMQ-Queue
adminDescription: MSMQ-Queue
governsId: 1.2.840.113556.1.5.161
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.926
systemMayContain: 1.2.840.113556.1.4.919
systemMayContain: 1.2.840.113556.1.4.917
systemMayContain: 1.2.840.113556.1.4.924
systemMayContain: 1.2.840.113556.1.4.925
systemMayContain: 1.2.840.113556.1.4.922
systemMayContain: 1.2.840.113556.1.4.921
systemMayContain: 1.2.840.113556.1.4.918
systemMayContain: 1.2.840.113556.1.4.920
systemMayContain: 1.2.840.113556.1.4.923
systemPossSuperiors: 1.2.840.113556.1.5.162
schemaIdGuid:: Q8MNmgDB0RG7xQCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=MSMQ-Queue,CN=Schema,CN=Configuration,DC=X
dn: CN=Protocol-Cfg-LDAP-Site,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgLDAPSite
adminDisplayName: Protocol-Cfg-LDAP-Site
adminDescription: Protocol-Cfg-LDAP-Site
governsId: 1.2.840.113556.1.3.76
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.75
systemMayContain: 1.2.840.113556.1.2.510
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: yXTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-LDAP-Site,CN=Schema,CN=Configuration,DC=X
dn: CN=Protocol-Cfg-IMAP-Site,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: protocolCfgIMAPSite
adminDisplayName: Protocol-Cfg-IMAP-Site
adminDescription: Protocol-Cfg-IMAP-Site
governsId: 1.2.840.113556.1.3.86
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.84
systemPossSuperiors: 1.2.840.113556.1.3.66
schemaIdGuid:: xnTfqOrF0RG7ywCAx2ZwwA==
hideFromAB: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Protocol-Cfg-IMAP-Site,CN=Schema,CN=Configuration,DC=X
# Modifies
dn: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 134217728
-
dn: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 134217728
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1212
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: mail
-
dn: CN=Contact,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: c
-
dn: CN=RID-Available-Pool,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: systemOnly
systemOnly: FALSE
-
dn: CN=Activation-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: rangeUpper
rangeUpper: 84
-
add: rangeLower
rangeLower: 84
-
dn: CN=Extension-Attribute-1,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute1
-
dn: CN=Extension-Attribute-2,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute2
-
dn: CN=Extension-Attribute-3,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute3
-
dn: CN=Extension-Attribute-4,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute4
-
dn: CN=Extension-Attribute-5,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute5
-
dn: CN=Extension-Attribute-6,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute6
-
dn: CN=Extension-Attribute-7,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute7
-
dn: CN=Extension-Attribute-8,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute8
-
dn: CN=Extension-Attribute-9,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute9
-
dn: CN=Extension-Attribute-10,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: ldapDisplayName
ldapDisplayName: extensionAttribute10
-
dn: CN=Common-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=E-mail-Addresses,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Manager,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Description,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Attribute-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Comment,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Proxied-Object-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemFlags
systemFlags: 2
-
dn: CN=Trust-Partner,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-
dn: CN=User-Cert,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=User-SMIME-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Department,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=User-Principal-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Company,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Alternate-Security-Identities,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Division,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Display-Name-Printable,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Alt-Security-Identities,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Reports,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Flat-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.290
systemMayContain: 1.2.840.113556.1.2.291
systemMayContain: 1.2.840.113556.1.2.292
systemMayContain: 1.2.840.113556.1.2.293
systemMayContain: 1.2.840.113556.1.2.339
systemMayContain: 1.2.840.113556.1.2.340
systemMayContain: 1.2.840.113556.1.2.341
systemMayContain: 1.2.840.113556.1.2.342
systemMayContain: 1.2.840.113556.1.2.469
systemMayContain: 1.2.840.113556.1.4.618
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.25
-
dn: CN=ACS-Policy,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.897
-
dn: CN=Group-Of-Names,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.206
systemMayContain: 1.2.840.113556.1.2.207
systemMayContain: 1.2.840.113556.1.2.297
systemMayContain: 1.2.840.113556.1.2.330
systemMayContain: 1.2.840.113556.1.2.438
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.947
systemMayContain: 1.2.840.113556.1.4.948
systemMayContain: 1.2.840.113556.1.4.1119
systemMayContain: 1.2.840.113556.1.4.1124
systemMayContain: 1.2.840.113556.1.4.1130
systemMayContain: 1.2.840.113556.1.4.1145
systemMayContain: 1.2.840.113556.1.4.1153
systemMayContain: 1.2.840.113556.1.4.1158
systemMayContain: 1.2.840.113556.1.4.1189
systemMayContain: 1.2.840.113556.1.4.1190
systemMayContain: 1.2.840.113556.1.4.1191
-
dn: CN=ACS-Subnet,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.898
systemMayContain: 1.2.840.113556.1.4.899
systemMayContain: 1.2.840.113556.1.4.900
systemMayContain: 1.2.840.113556.1.4.901
systemMayContain: 1.2.840.113556.1.4.902
-
dn: CN=Application-Entity,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMustContain
systemMustContain: 2.5.4.29
-
dn: CN=Certification-Authority,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.562
systemMayContain: 1.2.840.113556.1.2.563
systemMayContain: 1.2.840.113556.1.2.564
systemMayContain: 1.2.840.113556.1.2.565
systemMayContain: 1.2.840.113556.1.2.566
systemMayContain: 1.2.840.113556.1.2.567
-
dn: CN=Server,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.452
systemMayContain: 1.2.840.113556.1.4.515
systemMayContain: 2.5.4.5
-
dn: CN=Mailbox,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.79
systemMayContain: 1.2.840.113556.1.2.444
systemMayContain: 1.2.840.113556.1.2.596
systemMayContain: 1.2.840.113556.1.2.607
systemMayContain: 1.2.840.113556.1.2.608
systemMayContain: 1.2.840.113556.1.2.609
systemMayContain: 1.2.840.113556.1.2.610
systemMayContain: 1.2.840.113556.1.2.611
systemMayContain: 1.2.840.113556.1.2.612
systemMayContain: 1.2.840.113556.1.2.613
systemMayContain: 1.2.840.113556.1.4.1213
-
dn: CN=Container,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.17
systemPossSuperiors: 1.2.840.113556.1.5.161
-
dn: CN=Print-Queue,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.141
systemMayContain: 1.2.840.113556.1.4.223
systemMayContain: 1.2.840.113556.1.4.300
-
add: systemMustContain
systemMustContain: 1.2.840.113556.1.4.141
systemMustContain: 1.2.840.113556.1.4.223
systemMustContain: 1.2.840.113556.1.4.300
systemMustContain: 1.2.840.113556.1.4.1209
-
dn: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Site,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.953
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.47
systemMayContain: 1.2.840.113556.1.2.144
systemMayContain: 1.2.840.113556.1.2.221
systemMayContain: 0.9.2342.19200300.100.1.2
systemMayContain: 1.2.840.113556.1.2.129
-
dn: CN=Remote-Address,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.79
systemMayContain: 1.2.840.113556.1.2.444
systemMayContain: 1.2.840.113556.1.2.596
systemMayContain: 1.2.840.113556.1.2.609
systemMayContain: 1.2.840.113556.1.2.610
systemMayContain: 1.2.840.113556.1.2.611
systemMayContain: 1.2.840.113556.1.2.612
systemMayContain: 1.2.840.113556.1.2.613
systemMayContain: 1.2.840.113556.1.4.1213
-
dn: CN=When-Created,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: omSyntax
omSyntax: 24
-
dn: CN=When-Changed,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: omSyntax
omSyntax: 24
-
dn: CN=Schema-Update,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: omSyntax
omSyntax: 24
-
dn: CN=Schema-Update-Now,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: omSyntax
omSyntax: 24
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: subschema
dn: CN=User-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
-
replace: displayName
displayName: Change Password
-
dn: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
-
dn: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
-
dn: CN=Email-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: bf967a9c-0de6-11d0-a285-00aa003049e2
-
dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 5cb41ed0-0e4c-11d0-a286-00aa003049e2
-
dn: CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 5cb41ed0-0e4c-11d0-a286-00aa003049e2
-
dn: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: add
objectClass: controlAccessRight
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
displayName: Public Information
rightsGUID: e48d0154-bcf8-11d1-8702-00c04fb96050
hideFromAB: TRUE
dn: CN=RRAS,CN=Services,CN=Configuration,DC=X
changetype: add
objectClass: container
hideFromAb: TRUE
dn: CN=Radius,CN=Services,CN=Configuration,DC=X
changetype: add
objectClass: container
hideFromAb: TRUE
dn: CN=EAPEntries,CN=Services,CN=Configuration,DC=X
changetype: add
objectClass: container
hideFromAb: TRUE
dn: CN=IdentityDictionary,CN=RRAS,CN=Services,CN=Configuration,DC=X
changetype: add
objectClass: rRASAdministrationDictionary
hideFromAb: TRUE
msRRASVendorAttributeEntry: 311:0:8:RIP (version 1 or 2)
msRRASVendorAttributeEntry: 311:0:13:OSPF
msRRASVendorAttributeEntry: 311:1:10:IGMP Only
msRRASVendorAttributeEntry: 311:5:1:IPX RIP
msRRASVendorAttributeEntry: 311:5:2:IPX SAP
msRRASVendorAttributeEntry: 311:6:501:IP Forwarding Enabled
msRRASVendorAttributeEntry: 311:6:502:IPX Forwarding Enabled
msRRASVendorAttributeEntry: 311:6:503:AppleTalk Forwarding Enabled
msRRASVendorAttributeEntry: 311:6:601:LAN-to-LAN Router
msRRASVendorAttributeEntry: 311:6:602:Remote Access Server
msRRASVendorAttributeEntry: 311:6:603:Demand Dial Router
msRRASVendorAttributeEntry: 311:6:604:Network Address and Port Translation
msRRASVendorAttributeEntry: 311:6:701:Point-to-Point Tunneling Protocol
msRRASVendorAttributeEntry: 311:6:702:Layer 2 Tunneling Protocol
msRRASVendorAttributeEntry: 311:6:703:Frame Relay
msRRASVendorAttributeEntry: 311:6:704:ATM
msRRASVendorAttributeEntry: 311:6:705:ISDN
msRRASVendorAttributeEntry: 311:6:706:Modem
msRRASVendorAttributeEntry: 311:6:707:SONET
msRRASVendorAttributeEntry: 311:6:708:Switched 56
msRRASVendorAttributeEntry: 311:6:709:IrDA
msRRASVendorAttributeEntry: 311:6:710:X.25
msRRASVendorAttributeEntry: 311:6:711:Generic WAN
msRRASVendorAttributeEntry: 311:6:712:Generic LAN
msRRASVendorAttributeEntry: 311:6:713:Point to point serial connection
msRRASVendorAttributeEntry: 311:6:714:Point to point parallel connection
msRRASVendorAttributeEntry: 311:6:801:NT Domain Authentication
msRRASVendorAttributeEntry: 311:6:802:RADIUS Authentication
msRRASVendorAttributeEntry: 311:6:803:RADIUS Accounting
dn: CN=RadiusProfiles,CN=Radius,CN=Services,CN=Configuration,DC=X
changetype: add
objectClass: container
hideFromAB: TRUE
dn: CN=NetworkPolicy,CN=Radius,CN=Services,CN=Configuration,DC=X
changetype: add
objectClass: container
hideFromAB: TRUE
dn: CN=Dictionary,CN=Radius,CN=Services,CN=Configuration,DC=X
changetype: add
objectClass: container
hideFromAB: TRUE
dn: CN=Vendors,CN=Radius,CN=Services,CN=Configuration,DC=X
changetype: add
objectClass: container
hideFromAB: TRUE
dn: CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: objectVersion
objectVersion: 4
-
Sch5.ldf
Sch6.ldf
dn: CN=Hide-From-Address-Book,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: Show-In-Advanced-View-Only
deleteoldrdn: 1
dn: CN=Show-In-Advanced-View-Only,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDisplayName
adminDisplayName: Show-In-Advanced-View-Only
-
replace: adminDescription
adminDescription: Show-In-Advanced-View-Only
-
replace: ldapDisplayName
ldapDisplayName: showInAdvancedViewOnly
-
dn: CN=Creation-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: ldapDisplayName
ldapDisplayName: creationTime
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Create-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: createTimeStamp
adminDescription: Create-Time-Stamp
adminDisplayName: Create-Time-Stamp
attributeID: 2.5.18.1
attributeSyntax: 2.5.5.11
oMSyntax: 24
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIDGUID:: cw35LZ8A0hGqTADAT9fYOg==
systemFlags: 134217732
showInAdvancedViewOnly: TRUE
dn: CN=msCiscoAV,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msCiscoAV
adminDisplayName: msCiscoAV
adminDescription: msCiscoAV
attributeId: 1.2.840.113556.1.4.1230
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eg35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=Parent-GUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: parentGUID
adminDisplayName: Parent-GUID
adminDescription: Parent-GUID
attributeId: 1.2.840.113556.1.4.1224
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: dA35LZ8A0hGqTADAT9fYOg==
systemFlags: 134217732
showInAdvancedViewOnly: TRUE
dn: CN=msNPAction,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msNPAction
adminDisplayName: msNPAction
adminDescription: msNPAction
attributeId: 1.2.840.113556.1.4.1234
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fg35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=msRASFilter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRASFilter
adminDisplayName: msRASFilter
adminDescription: msRASFilter
attributeId: 1.2.840.113556.1.4.1229
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eQ35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Ds-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQDsService
adminDisplayName: MSMQ-Ds-Service
adminDescription: MSMQ-Ds-Service
attributeId: 1.2.840.113556.1.4.1238
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gg35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=Netboot-SIF-File,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: netbootSIFFile
adminDisplayName: Netboot-SIF-File
adminDescription: Netboot-SIF-File
attributeId: 1.2.840.113556.1.4.1240
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hA35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Ds-Services,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQDsServices
adminDisplayName: MSMQ-Ds-Services
adminDescription: MSMQ-Ds-Services
attributeId: 1.2.840.113556.1.4.1228
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eA35LZ8A0hGqTADAT9fYOg==
isMemberOfPartialAttributeSet: TRUE
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Queue-Name-Ext,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQQueueNameExt
adminDisplayName: MSMQ-Queue-Name-Ext
adminDescription: MSMQ-Queue-Name-Ext
attributeId: 1.2.840.113556.1.4.1243
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 92
schemaIdGuid:: hw35LZ8A0hGqTADAT9fYOg==
isMemberOfPartialAttributeSet: TRUE
showInAdvancedViewOnly: TRUE
dn: CN=DN-Reference-Update,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: dNReferenceUpdate
adminDisplayName: DN-Reference-Update
adminDescription: DN-Reference-Update
attributeId: 1.2.840.113556.1.4.1242
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: hg35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Prev-Site-Gates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQPrevSiteGates
adminDisplayName: MSMQ-Prev-Site-Gates
adminDescription: MSMQ-Prev-Site-Gates
attributeId: 1.2.840.113556.1.4.1225
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: dQ35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Routing-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQRoutingService
adminDisplayName: MSMQ-Routing-Service
adminDescription: MSMQ-Routing-Service
attributeId: 1.2.840.113556.1.4.1237
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gQ35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Routing-Services,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQRoutingServices
adminDisplayName: MSMQ-Routing-Services
adminDescription: MSMQ-Routing-Services
attributeId: 1.2.840.113556.1.4.1227
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dw35LZ8A0hGqTADAT9fYOg==
isMemberOfPartialAttributeSet: TRUE
showInAdvancedViewOnly: TRUE
dn: CN=msRADIUSReplyMessage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRADIUSReplyMessage
adminDisplayName: msRADIUSReplyMessage
adminDescription: msRADIUSReplyMessage
attributeId: 1.2.840.113556.1.4.1235
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fw35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=Netboot-Mirror-Data-File,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: netbootMirrorDataFile
adminDisplayName: Netboot-Mirror-Data-File
adminDescription: Netboot-Mirror-Data-File
attributeId: 1.2.840.113556.1.4.1241
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hQ35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=msNPOverrideUserDialin,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msNPOverrideUserDialin
adminDisplayName: msNPOverrideUserDialin
adminDescription: msNPOverrideUserDialin
attributeId: 1.2.840.113556.1.4.1233
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fQ35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=msNPAuthenticationType2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msNPAuthenticationType2
adminDisplayName: msNPAuthenticationType2
adminDescription: msNPAuthenticationType2
attributeId: 1.2.840.113556.1.4.1236
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gA35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Dependent-Client-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQDependentClientService
adminDisplayName: MSMQ-Dependent-Client-Service
adminDescription: MSMQ-Dependent-Client-Service
attributeId: 1.2.840.113556.1.4.1239
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gw35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=msRADIUSRasServerGroupGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRADIUSRasServerGroupGUID
adminDisplayName: msRADIUSRasServerGroupGUID
adminDescription: msRADIUSRasServerGroupGUID
attributeId: 1.2.840.113556.1.4.1231
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ew35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Dependent-Client-Services,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQDependentClientServices
adminDisplayName: MSMQ-Dependent-Client-Services
adminDescription: MSMQ-Dependent-Client-Services
attributeId: 1.2.840.113556.1.4.1226
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dg35LZ8A0hGqTADAT9fYOg==
isMemberOfPartialAttributeSet: TRUE
showInAdvancedViewOnly: TRUE
dn: CN=msRADIUSRasServerSetupFlags,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRADIUSRasServerSetupFlags
adminDisplayName: msRADIUSRasServerSetupFlags
adminDescription: msRADIUSRasServerSetupFlags
attributeId: 1.2.840.113556.1.4.1232
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fA35LZ8A0hGqTADAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=Address-Book-Roots,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: addressBookRoots
adminDisplayName: Address-Book-Roots
adminDescription: Address-Book-Roots
attributeId: 1.2.840.113556.1.4.1244
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: SG4L9/QG0hGqUwDAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=Global-Address-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: globalAddressList
adminDisplayName: Global-Address-List
adminDescription: Global-Address-List
attributeId: 1.2.840.113556.1.4.1245
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: SMdU9/QG0hGqUwDAT9fYOg==
showInAdvancedViewOnly: TRUE
dn: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: infrastructureUpdate
adminDisplayName: Infrastructure-Update
adminDescription: Infrastructure-Update
governsId: 1.2.840.113556.1.5.175
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1242
systemPossSuperiors: 1.2.840.113556.1.5.175
systemPossSuperiors: 1.2.840.113556.1.5.66
schemaIdGuid:: iQ35LZ8A0hGqTADAT9fYOg==
defaultHidingValue: TRUE
systemOnly: TRUE
defaultObjectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=X
showInAdvancedViewOnly: TRUE
dn: CN=msRADIUSConfigSettings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msRADIUSConfigSettings
adminDisplayName: msRADIUSConfigSettings
adminDescription: msRADIUSConfigSettings
governsId: 1.2.840.113556.1.5.174
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1232
systemMayContain: 1.2.840.113556.1.4.1231
systemMayContain: 1.2.840.113556.1.4.1233
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: iA35LZ8A0hGqTADAT9fYOg==
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msRADIUSConfigSettings,CN=Schema,CN=Configuration,DC=X
showInAdvancedViewOnly: TRUE
dn: CN=msExch-Configuration-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msExchConfigurationContainer
adminDisplayName: msExch-Configuration-Container
adminDescription: msExch-Configuration-Container
governsId: 1.2.840.113556.1.5.176
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.23
systemMayContain: 1.2.840.113556.1.4.1244
systemMayContain: 1.2.840.113556.1.4.1245
schemaIdGuid:: WGg90PQG0hGqUwDAT9fYOg==
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msExch-Configuration-Container,CN=Schema,CN=Configuration,DC=X
dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeLower
rangeLower: 0
-
replace: attributeSecurityGUID
attributeSecurityGUID:: Qi+6WaJ50BGQIADAT8LTzw==
-
dn: CN=MSMQ-Site-Gates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: oMObjectClass
oMObjectClass:: KwwCh3McAIVK
-
dn: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCRCWOWDSDSW;;;DA)(A;;RPWPCRCCDCLCRCWOWDSDSW;;;SY)(A;;RPLCRC;;;AU)(OA;;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)S:(AU;SAFA;WDWOSDWPCRCCDCSW;;;WD)
-
dn: CN=Dns-Zone,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;AU)(A;;RPLCLORC;;;WD)S:(AU;SAFA;WDWOSDDTWPCRCCDCSW;;;WD)
-
dn: CN=Dns-Node,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPLCLORC;;;WD)S:(AU;SAFA;WDWOSDDTWPCRCCDCSW;;;WD)
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RP;;;WD)(OA;;RPWPCR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RPWPCR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RPWPCR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RPWPCR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;RPWPCR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;RPWPCR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCRC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CIOI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDSW;;;SY)S:(AU;SAFA;WDWOSDWPCRCCDCSW;;;WD)
-
dn: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RP;;;WD)(OA;;RPWPCR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RPWPCR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RPWPCR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RPWPCR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;RPWPCR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;RPWPCR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCRC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;CIOI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDSW;;;SY)S:(AU;SAFA;WDWOSDWPCRCCDCSW;;;WD)
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 2.5.18.1
systemMayContain: 2.5.18.2
-
dn: CN=RID-Set,CN=Schema,CN=configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: User
-
dn: CN=NTFRS-Subscriptions,CN=Schema,CN=configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: User
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1171
-
dn: CN=Contact,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemAuxiliaryClass
systemAuxiliaryClass: 1.2.840.113556.1.3.46
-
dn: CN=Intellimirror-Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: FALSE
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1240
systemMayContain: 1.2.840.113556.1.4.1241
-
dn: CN=MSMQ-Queue,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1243
-
dn: CN=MSMQ-Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1226
systemMayContain: 1.2.840.113556.1.4.1227
systemMayContain: 1.2.840.113556.1.4.1228
-
dn: CN=MSMQ-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1237
systemMayContain: 1.2.840.113556.1.4.1238
systemMayContain: 1.2.840.113556.1.4.1239
-
dn: CN=msRADIUSProfile,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1229
systemMayContain: 1.2.840.113556.1.4.1230
systemMayContain: 1.2.840.113556.1.4.1233
systemMayContain: 1.2.840.113556.1.4.1235
systemMayContain: 1.2.840.113556.1.4.1236
-
dn: CN=msNetworkPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1234
-
dn: CN=Postal-Address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: mAPIID
mAPIID: 33036
-
dn: CN=Company,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: mAPIID
mAPIID: 14870
-
dn: CN=Telephone-Number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: mAPIID
mAPIID: 14856
-
dn: CN=Phone-Pager-Other,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: mAPIID
mAPIID: 35950
-
dn: CN=Owner,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mAPIID
-
dn: CN=Owner-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mAPIID
-
dn: CN=Managed-By,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mAPIID
mAPIID: 32780
-
dn: CN=Managed-Objects,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mAPIID
mAPIID: 32804
-
dn: CN=Auth-Orig,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mAPIID
-
dn: CN=Unauth-Orig,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mAPIID
-
dn: CN=DL-Mem-Submit-Perms,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mAPIID
-
dn: CN=DL-Mem-Reject-Perms,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mAPIID
-
dn: CN=Presentation-Address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mAPIID
-
dn: CN=Additional-Information,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mAPIID
-
dn: CN=Tagged-X509-Cert,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mAPIID
-
dn: CN=Show-In-Address-Book,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Legacy-Exchange-DN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: +IhwA+EK0hG0IgCgyWj5OQ==
-
dn: CN=msNPCallingStationId,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: +IhwA+EK0hG0IgCgyWj5OQ==
-
dn: CN=msNPConstraint,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: +IhwA+EK0hG0IgCgyWj5OQ==
-
dn: CN=msRADIUSCallbackNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: +IhwA+EK0hG0IgCgyWj5OQ==
-
dn: CN=msRADIUSFramedIPAddress,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: +IhwA+EK0hG0IgCgyWj5OQ==
-
dn: CN=msRADIUSFramedRoute,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: +IhwA+EK0hG0IgCgyWj5OQ==
-
dn: CN=msRADIUSServiceType,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: +IhwA+EK0hG0IgCgyWj5OQ==
-
dn: CN=Obj-Dist-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Object-Guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=System-Flags,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Allowed-Attributes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Allowed-Attributes-Effective,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Allowed-Child-Classes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Allowed-Child-Classes-Effective,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=COM-ClassID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: rangeLower
-
delete: rangeUpper
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Apply-Group-Policy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
showInAdvancedViewOnly: TRUE
rightsGUID: edacfd8f-ffb3-11d1-b41d-00a0c968f939
displayName: Apply Group Policy
appliesTo: f30e3bc2-9ff0-11d1-b603-0000f80367c1
dn: CN=RAS-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
showInAdvancedViewOnly: TRUE
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
displayName: Remote Access Information
rightsGUID: 037088f8-0ae1-11d2-b422-00a0c968f939
dn: CN=msmq-Open-Conector,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemFlags
systemFlags: 1073741824
-
dn: CN=msmq-Open-Conector,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: msmq-Open-Connector
deleteoldrdn: 1
dn: CN=msmq-Open-Connector,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemFlags
-
dn: CN=user-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: userFullName,User Full Name
-
add: attributeDisplayNames
attributeDisplayNames: displayName,Display Name
-
dn: CN=user-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
delete: adminContextMenu
adminContextMenu: 2,{8c5b1b50-d46e-11d1-8091-00a024c48131}
-
delete: adminPropertyPages
adminPropertyPages: 7,{8c5b1b50-d46e-11d1-8091-00a024c48131}
-
dn: CN=group-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=domainDNS-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=contact-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=domainPolicy-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=localPolicy-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=serviceAdministrationPoint-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=computer-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=printQueue-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=site-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=server-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTDSSettings-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTDSDSA-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTDSConnection-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTFRSSettings-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTFRSReplicaSet-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=subnet-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=siteLink-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=siteLinkBridge-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=interSiteTransport-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=licensingSiteSettings-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTDSSiteSettings-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTFRSMember-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTFRSSubscriber-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTFRSSubscriptions-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=organizationalUnit-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=container-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=rpcContainer-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=trustedDomain-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=volume-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=sitesContainer-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=interSiteTransportContainer-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=subnetContainer-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=serversContainer-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=nTDSService-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=queryPolicy-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminContextMenu
adminContextMenu: 0,{6971d64e-f335-11d0-b0bc-00c04fd8dca6}
-
dn: CN=mSMQQueue-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: creationWizard
creationWizard: {E62F8206-B71C-11D1-808D-00A024C48131}
-
dn: CN=mSMQSiteLink-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: creationWizard
creationWizard: {87b31390-d46d-11d1-8091-00a024c48131}
-
dn: CN=remoteStorageServicePoint-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Remote Storage Service
-
delete: adminContextMenu
adminContextMenu: 0,&Manage ...,RsAdmin.msc
-
add: adminContextMenu
adminContextMenu: 0,&Manage...,RsAdmin.msc
-
dn: CN=foreignSecurityPrincipal-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: displaySpecifier
adminPropertyPages: 1,{6dfe6486-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminContextMenu: 1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
classDisplayName: Foreign Security Principal
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
showInAdvancedViewOnly: TRUE
dn: CN=Settings,CN=Radius,CN=Services,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: container
showInAdvancedViewOnly: TRUE
dn: CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: objectVersion
objectVersion: 6
-
Sch7.ldf
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.606
-
dn: CN=Proxied-Object-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: Proxied-Object-Name-Unused
deleteoldrdn: 1
dn: CN=Proxied-Object-Name-Unused,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDisplayName
adminDisplayName: Proxied-Object-Name-Unused
-
replace: adminDescription
adminDescription: Proxied-Object-Name-Unused
-
replace: ldapDisplayName
ldapDisplayName: proxiedObjectNameUnused
-
replace: schemaIdGuid
schemaIdGuid:: X55550su0hG6vZjY/cfjDw==
-
dn: CN=Proxied-Object-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: proxiedObjectName
adminDisplayName: Proxied-Object-Name
adminDescription: Proxied-Object-Name
attributeId: 1.2.840.113556.1.4.1249
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: AqSu4VvN0BGv/wAA+ANnwQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
systemFlags: 2
dn: CN=Proxied-Object-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: omObjectClass
omObjectClass:: KoZIhvcUAQEBCw==
-
dn: CN=Inter-Site-Topology-Renew,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: interSiteTopologyRenew
adminDisplayName: Inter-Site-Topology-Renew
adminDescription: Inter-Site-Topology-Renew
attributeId: 1.2.840.113556.1.4.1247
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: X57Gt8cs0hGFTgCgyYP2CA==
showInAdvancedViewOnly: TRUE
dn: CN=Inter-Site-Topology-Failover,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: interSiteTopologyFailover
adminDisplayName: Inter-Site-Topology-Failover
adminDescription: Inter-Site-Topology-Failover
attributeId: 1.2.840.113556.1.4.1248
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: YJ7Gt8cs0hGFTgCgyYP2CA==
showInAdvancedViewOnly: TRUE
dn: CN=Inter-Site-Topology-Generator,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: interSiteTopologyGenerator
adminDisplayName: Inter-Site-Topology-Generator
adminDescription: Inter-Site-Topology-Generator
attributeId: 1.2.840.113556.1.4.1246
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: Xp7Gt8cs0hGFTgCgyYP2CA==
showInAdvancedViewOnly: TRUE
dn: CN=Token-Groups,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: tokenGroups
adminDisplayName: Token-Groups
adminDescription: Token-Groups
attributeId: 1.2.840.113556.1.4.1301
attributeSyntax: 2.5.5.17
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bZ7Gt8cs0hGFTgCgyYP2CA==
attributeSecurityGuid:: ksMPBN8z0hGYsgAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 134217732
dn: CN=Token-Groups-No-GC-Acceptable,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: tokenGroupsNoGCAcceptable
adminDisplayName: Token-Groups-No-GC-Acceptable
adminDescription: Token-Groups-No-GC-Acceptable
attributeId: 1.2.840.113556.1.4.1303
attributeSyntax: 2.5.5.17
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ksMPBN8z0hGYsgAA+HpX1A==
attributeSecurityGuid:: ksMPBN8z0hGYsgAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 134217732
dn: CN=SD-Rights-Effective,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: sDRightsEffective
adminDisplayName: SD-Rights-Effective
adminDescription: SD-Rights-Effective
attributeId: 1.2.840.113556.1.4.1304
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: pq/bw98z0hGYsgAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 134217732
dn: CN=Parent-GUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 134217732
-
dn: CN=DN-Reference-Update,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=Sub-Class-Of,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=Object-Class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=Instance-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=RDN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=Object-Guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=Repl-Property-Meta-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=User-Account-Control,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=NC-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=USN-Created,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=Governs-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=Attribute-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=Attribute-Syntax,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=Obj-Dist-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=USN-Changed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=Legacy-Exchange-DN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 13
-
dn: CN=Object-Sid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 13
-
dn: CN=OM-Syntax,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=Group-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=NT-Security-Descriptor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=System-Flags,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 8
-
dn: CN=MSMQ-Owner-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=LDAP-Display-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1249
systemMayContain: 1.2.840.113556.1.4.1304
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.549
systemMayContain: 1.2.840.113556.1.4.550
systemMayContain: 1.2.840.113556.1.4.551
systemMayContain: 1.2.840.113556.1.4.552
systemMayContain: 1.2.840.113556.1.4.553
systemMayContain: 1.2.840.113556.1.4.554
systemMayContain: 1.2.840.113556.1.4.555
systemMayContain: 1.2.840.113556.1.4.556
-
dn: CN=DHCP-Class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 2.5.4.13
-
dn: CN=Sam-Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.145
systemMayContain: 1.2.840.113556.1.2.281
-
dn: CN=Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1301
systemMayContain: 1.2.840.113556.1.4.1303
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.194
systemMayContain: 1.2.840.113556.1.2.226
systemMayContain: 1.2.840.113556.1.4.112
systemMayContain: 1.2.840.113556.1.4.145
systemMayContain: 1.2.840.113556.1.4.201
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 2.5.4.4
systemMayContain: 2.5.4.20
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 2.5.4.13
-
dn: CN=DMD,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.482
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.25
-
dn: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.557
-
dn: CN=Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 2.5.4.13
-
dn: CN=Connection-Point,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 2.5.4.13
-
dn: CN=Certification-Authority,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.69
-
dn: CN=Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.452
systemMayContain: 1.2.840.113556.1.4.69
-
dn: CN=Domain-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 2.5.4.13
-
dn: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.13
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.69
systemMayContain: 1.2.840.113556.1.4.344
systemMayContain: 1.2.840.113556.1.4.345
systemMayContain: 1.2.840.113556.1.4.771
systemMayContain: 2.5.4.13
systemMayContain: 2.5.4.36
-
dn: CN=Site,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.211
-
dn: CN=MSMQ-Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=MSMQ-Enterprise-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=MSMQ-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.13
systemMayContain: 1.2.840.113556.1.2.169
systemMayContain: 1.2.840.113556.1.2.210
systemMayContain: 1.2.840.113556.1.2.353
systemMayContain: 1.2.840.113556.1.2.464
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.211
-
dn: CN=Application-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 2.5.4.13
-
dn: CN=Application-Site-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 2.5.4.13
-
dn: CN=NTDS-Site-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1246
systemMayContain: 1.2.840.113556.1.4.1247
systemMayContain: 1.2.840.113556.1.4.1248
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.211
-
dn: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.13
-
dn: CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.13
-
dn: CN=Assoc-Remote-DXA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: LinkID
LinkID: 123
-
dn: CN=NNTP-Newsfeeds,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: LinkID
LinkID: 141
-
dn: CN=Supporting-Stack-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: LinkID
LinkID: 133
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=msmq-Peak-Dead-Letter,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemFlags
systemFlags: 1073741824
-
dn: CN=msmq-Peak-Dead-Letter,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: msmq-Peek-Dead-Letter
deleteoldrdn: 1
dn: CN=msmq-Peek-Dead-Letter,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemFlags
-
dn: CN=msmq-Receive-machine-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemFlags
systemFlags: 1073741824
-
dn: CN=msmq-Receive-machine-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: msmq-Receive-computer-Journal
deleteoldrdn: 1
dn: CN=msmq-Receive-computer-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemFlags
-
dn: CN=msmq-Peak-machine-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemFlags
systemFlags: 1073741824
-
dn: CN=msmq-Peak-machine-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: msmq-Peek-computer-Journal
deleteoldrdn: 1
dn: CN=msmq-Peek-computer-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemFlags
-
dn: CN=msmq-Peak,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemFlags
systemFlags: 1073741824
-
dn: CN=msmq-Peak,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: msmq-Peek
deleteoldrdn: 1
dn: CN=msmq-Peek,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemFlags
-
dn: CN=msmq-Peek-Dead-Letter,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: displayName
displayName: Peek Dead Letter
-
dn: CN=msmq-Receive-computer-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: displayName
displayName: Receive Computer Journal
-
dn: CN=msmq-Peek-computer-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: displayName
displayName: Peek Computer Journal
-
dn: CN=msmq-Peek,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: displayName
displayName: Peek Message
-
dn: CN=mSMQQueue-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: MSMQ Queue
-
add: treatAsLeaf
treatAsLeaf: TRUE
-
dn: CN=mSMQConfiguration-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: MSMQ Configuration
-
dn: CN=mSMQEnterpriseSettings-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: MSMQ Enterprise
-
dn: CN=mSMQSiteLink-display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: MSMQ Site Link
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 7
-
Sch8.ldf
dn: CN=Print-Duplex-Supported,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: Print-Duplex-Supported-Unused
deleteoldrdn: 1
dn: CN=Print-Duplex-Supported-Unused,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDisplayName
adminDisplayName: Print-Duplex-Supported-Unused
-
replace: adminDescription
adminDescription: Print-Duplex-Supported-Unused
-
replace: ldapDisplayName
ldapDisplayName: printDuplexSupportedUnused
-
replace: schemaIdGuid
schemaIdGuid:: AsPDrFY80hGf8LYGeY0bDw==
-
dn: CN=Assoc-NT-Account-Unused,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: DS-Heuristics
deleteoldrdn: 1
dn: CN=DS-Heuristics,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDisplayName
adminDisplayName: DS-Heuristics
-
replace: adminDescription
adminDescription: DS-Heuristics
-
replace: ldapDisplayName
ldapDisplayName: dSHeuristics
-
delete: mapiID
-
dn: cn=print-duplex-supported,cn=schema,cn=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: printDuplexSupported
adminDescription: Print-Duplex-Supported
adminDisplayName: Print-Duplex-Supported
attributeID: 1.2.840.113556.1.4.1311
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: zBYUKGgZ0BGijwCqADBJ4g==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=Move-Tree-State,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: moveTreeState
adminDisplayName: Move-Tree-State
adminDescription: Move-Tree-State
attributeId: 1.2.840.113556.1.4.1305
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: yMIqH3E70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=PKI-Key-Usage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: pKIKeyUsage
adminDisplayName: PKI-Key-Usage
adminDescription: PKI-Key-Usage
attributeId: 1.2.840.113556.1.4.1328
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fqiw6Z070hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=DNS-Property,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: dNSProperty
adminDisplayName: DNS-Property
adminDescription: DNS-Property
attributeId: 1.2.840.113556.1.4.1306
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: /hVaZ3A70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=DS-Heuristics,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: dSHeuristics
adminDisplayName: DS-Heuristics
adminDescription: DS-Heuristics
attributeId: 1.2.840.113556.1.2.212
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hv/48JER0BGgYACqAGwz7Q==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Interval1,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQInterval1
adminDisplayName: MSMQ-Interval1
adminDescription: MSMQ-Interval1
attributeId: 1.2.840.113556.1.4.1308
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: qiWojns70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-Interval2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQInterval2
adminDisplayName: MSMQ-Interval2
adminDescription: MSMQ-Interval2
attributeId: 1.2.840.113556.1.4.1309
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Uo+4mXs70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=ACS-Server-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSServerList
adminDisplayName: ACS-Server-List
adminDescription: ACS-Server-List
attributeId: 1.2.840.113556.1.4.1312
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: pVm9fJA70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=PKI-Default-CSPs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: pKIDefaultCSPs
adminDisplayName: PKI-Default-CSPs
adminDescription: PKI-Default-CSPs
attributeId: 1.2.840.113556.1.4.1334
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bjP2Hp470hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=MSMQ-Site-Gates-Mig,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQSiteGatesMig
adminDisplayName: MSMQ-Site-Gates-Mig
adminDescription: MSMQ-Site-Gates-Mig
attributeId: 1.2.840.113556.1.4.1310
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: Ukhw4ns70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=PKI-Overlap-Period,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: pKIOverlapPeriod
adminDisplayName: PKI-Overlap-Period
adminDescription: PKI-Overlap-Period
attributeId: 1.2.840.113556.1.4.1332
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 7KMZEp470hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=PKI-Default-Key-Spec,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: pKIDefaultKeySpec
adminDisplayName: PKI-Default-Key-Spec
adminDescription: PKI-Default-Key-Spec
attributeId: 1.2.840.113556.1.4.1327
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bq5sQp070hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=ACS-Minimum-Latency,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSMinimumLatency
adminDisplayName: ACS-Minimum-Latency
adminDescription: ACS-Minimum-Latency
attributeId: 1.2.840.113556.1.4.1316
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +/4XlZA70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=ACS-Maximum-SDU-Size,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSMaximumSDUSize
adminDisplayName: ACS-Maximum-SDU-Size
adminDescription: ACS-Maximum-SDU-Size
attributeId: 1.2.840.113556.1.4.1314
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +diih5A70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=Account-Name-History,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: accountNameHistory
adminDisplayName: Account-Name-History
adminDescription: Account-Name-History
attributeId: 1.2.840.113556.1.4.1307
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 7FIZA3I70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=PKI-Max-Issuing-Depth,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: pKIMaxIssuingDepth
adminDisplayName: PKI-Max-Issuing-Depth
adminDescription: PKI-Max-Issuing-Depth
attributeId: 1.2.840.113556.1.4.1329
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +t6/8J070hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=PKI-Extended-Key-Usage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: pKIExtendedKeyUsage
adminDisplayName: PKI-Extended-Key-Usage
adminDescription: PKI-Extended-Key-Usage
attributeId: 1.2.840.113556.1.4.1333
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9mqXGJ470hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=PKI-Expiration-Period,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: pKIExpirationPeriod
adminDisplayName: PKI-Expiration-Period
adminDescription: PKI-Expiration-Period
attributeId: 1.2.840.113556.1.4.1331
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 0nAVBJ470hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=ACS-Minimum-Policed-Size,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSMinimumPolicedSize
adminDisplayName: ACS-Minimum-Policed-Size
adminDescription: ACS-Minimum-Policed-Size
attributeId: 1.2.840.113556.1.4.1315
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: lXEOjZA70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=PKI-Critical-Extensions,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: pKICriticalExtensions
adminDisplayName: PKI-Critical-Extensions
adminDescription: PKI-Critical-Extensions
attributeId: 1.2.840.113556.1.4.1330
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BpFa/J070hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=ACS-Non-Reserved-Peak-Rate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSNonReservedPeakRate
adminDisplayName: ACS-Non-Reserved-Peak-Rate
adminDescription: ACS-Non-Reserved-Peak-Rate
attributeId: 1.2.840.113556.1.4.1318
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: P6cxo5A70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=ACS-Non-Reserved-Token-Size,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSNonReservedTokenSize
adminDisplayName: ACS-Non-Reserved-Token-Size
adminDescription: ACS-Non-Reserved-Token-Size
attributeId: 1.2.840.113556.1.4.1319
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ydcWqZA70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=ACS-Minimum-Delay-Variation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSMinimumDelayVariation
adminDisplayName: ACS-Minimum-Delay-Variation
adminDescription: ACS-Minimum-Delay-Variation
attributeId: 1.2.840.113556.1.4.1317
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: mzJlnJA70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=ACS-Max-Token-Bucket-Per-Flow,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSMaxTokenBucketPerFlow
adminDisplayName: ACS-Max-Token-Bucket-Per-Flow
adminDescription: ACS-Max-Token-Bucket-Per-Flow
attributeId: 1.2.840.113556.1.4.1313
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 3+D2gZA70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=ACS-Non-Reserved-Max-SDU-Size,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSNonReservedMaxSDUSize
adminDisplayName: ACS-Non-Reserved-Max-SDU-Size
adminDescription: ACS-Non-Reserved-Max-SDU-Size
attributeId: 1.2.840.113556.1.4.1320
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 48/CrpA70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=ACS-Non-Reserved-Min-Policed-Size,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: aCSNonReservedMinPolicedSize
adminDisplayName: ACS-Non-Reserved-Min-Policed-Size
adminDescription: ACS-Non-Reserved-Min-Policed-Size
attributeId: 1.2.840.113556.1.4.1321
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: FzmHtpA70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=MSMQ-User-Sid,CN=Schema,CN=Configuration,DC=arobindg15,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQUserSid
adminDisplayName: MSMQ-User-Sid
adminDescription: MSMQ-User-Sid
attributeId: 1.2.840.113556.1.4.1337
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 128
schemaIdGuid:: Mq6KxflW0hGQ0ADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=Repl-Interval,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: replInterval
adminDisplayName: Repl-Interval
adminDescription: Repl-Interval
attributeId: 1.2.840.113556.1.4.1336
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Gp26RfpW0hGQ0ADAT9kasQ==
showInAdvancedViewOnly: TRUE
dn: CN=PKI-Enrollment-Access,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: pKIEnrollmentAccess
adminDisplayName: PKI-Enrollment-Access
adminDescription: PKI-Enrollment-Access
attributeId: 1.2.840.113556.1.4.1335
attributeSyntax: 2.5.5.15
omSyntax: 66
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: eOJrkvlW0hGQ0ADAT9kasQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
dn: CN=SPN-Mappings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: sPNMappings
adminDisplayName: SPN-Mappings
adminDescription: SPN-Mappings
attributeId: 1.2.840.113556.1.4.1347
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bOewKkFw0hGZBQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Template-Roots,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: templateRoots
adminDisplayName: Template-Roots
adminDescription: Template-Roots
attributeId: 1.2.840.113556.1.4.1346
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: oOmd7UFw0hGZBQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=DS-UI-Admin-Maximum,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: dSUIAdminMaximum
adminDisplayName: DS-UI-Admin-Maximum
adminDescription: DS-UI-Admin-Maximum
attributeId: 1.2.840.113556.1.4.1344
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 4AqN7pFv0hGZBQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=DS-UI-Shell-Maximum,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: dSUIShellMaximum
adminDisplayName: DS-UI-Shell-Maximum
adminDescription: DS-UI-Shell-Maximum
attributeId: 1.2.840.113556.1.4.1345
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: anbK/JFv0hGZBQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=DS-UI-Admin-Notification,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: dSUIAdminNotification
adminDisplayName: DS-UI-Admin-Notification
adminDescription: DS-UI-Admin-Notification
attributeId: 1.2.840.113556.1.4.1343
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: lArq9pFv0hGZBQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Localization-Display-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: localizationDisplayId
adminDisplayName: Localization-Display-Id
adminDescription: Localization-Display-Id
attributeId: 1.2.840.113556.1.4.1353
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 0fBGp9B40hGZFgAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=GPC-User-Extension-Names,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: gPCUserExtensionNames
adminDisplayName: GPC-User-Extension-Names
adminDescription: GPC-User-Extension-Names
attributeId: 1.2.840.113556.1.4.1349
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: xl+nQj940hGZFgAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=GPC-Machine-Extension-Names,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: gPCMachineExtensionNames
adminDisplayName: GPC-Machine-Extension-Names
adminDescription: GPC-Machine-Extension-Names
attributeId: 1.2.840.113556.1.4.1348
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: zI7/Mj940hGZFgAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Scope-Flags,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: scopeFlags
adminDisplayName: Scope-Flags
adminDescription: Scope-Flags
attributeId: 1.2.840.113556.1.4.1354
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wqTzFnl+0hGZIQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Query-Filter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: queryFilter
adminDisplayName: Query-Filter
adminDescription: Query-Filter
attributeId: 1.2.840.113556.1.4.1355
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Jgr3y3h+0hGZIQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Valid-Accesses,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: validAccesses
adminDisplayName: Valid-Accesses
adminDescription: Valid-Accesses
attributeId: 1.2.840.113556.1.4.1356
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gKMvTVR/0hGZKgAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=DS-Core-Propagation-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: dSCorePropagationData
adminDescription: DS-Core-Propagation-Data
adminDisplayName: DS-Core-Propagation-Data
attributeID: 1.2.840.113556.1.4.1357
attributeSyntax: 2.5.5.11
oMSyntax: 24
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIDGUID:: S6pn0QiL0hGZOQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=Schema-Info,CN=schema,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: schemaInfo
adminDescription: Schema-Info
adminDisplayName: Schema-Info
attributeID: 1.2.840.113556.1.4.1358
attributeSyntax: 2.5.5.10
oMSyntax: 4
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIDGUID:: rmT7+bST0hGZRQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=DS-UI-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: dSUISettings
adminDisplayName: DS-UI-Settings
adminDescription: DS-UI-Settings
governsId: 1.2.840.113556.1.5.183
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1345
systemMayContain: 1.2.840.113556.1.4.1343
systemMayContain: 1.2.840.113556.1.4.1344
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: FA+xCZNv0hGZBQAA+HpX1A==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=DS-UI-Settings,CN=Schema,CN=Configuration,DC=X
dn: CN=PKI-Enrollment-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: pKIEnrollmentService
adminDisplayName: PKI-Enrollment-Service
adminDescription: PKI-Enrollment-Service
governsId: 1.2.840.113556.1.5.178
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.824
systemMayContain: 1.2.840.113556.1.4.825
systemMayContain: 1.2.840.113556.1.4.619
systemMayContain: 1.2.840.113556.1.4.823
systemMayContain: 1.2.840.113556.1.4.697
systemMayContain: 2.5.4.37
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: kqZK7ro70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=PKI-Enrollment-Service,CN=Schema,CN=Configuration,DC=X
dn: CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: pKICertificateTemplate
adminDisplayName: PKI-Certificate-Template
adminDescription: PKI-Certificate-Template
governsId: 1.2.840.113556.1.5.177
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1332
systemMayContain: 1.2.840.113556.1.4.1329
systemMayContain: 1.2.840.113556.1.4.1328
systemMayContain: 1.2.840.113556.1.4.1333
systemMayContain: 1.2.840.113556.1.4.1331
systemMayContain: 1.2.840.113556.1.4.1334
systemMayContain: 1.2.840.113556.1.4.1327
systemMayContain: 1.2.840.113556.1.4.1330
systemMayContain: 1.2.840.113556.1.4.38
systemMayContain: 1.2.840.113556.1.2.13
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: opwg5bo70hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=X
dn: CN=MSMQ-Migrated-User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: mSMQMigratedUser
adminDisplayName: MSMQ-Migrated-User
adminDescription: MSMQ-Migrated-User
governsId: 1.2.840.113556.1.5.179
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.967
systemMayContain: 1.2.840.113556.1.4.947
systemMayContain: 1.2.840.113556.1.4.966
systemMayContain: 1.2.840.113556.1.4.948
systemMayContain: 1.2.840.113556.1.4.146
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 1.2.840.113556.1.5.4
schemaIdGuid:: l2l3UD080hGQzADAT9kasQ==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MSMQ-Migrated-User,CN=Schema,CN=Configuration,DC=X
dn: CN=DMD,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1358
-
dn: CN=Display-Specifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1354
systemMayContain: 1.2.840.113556.1.4.1355
-
dn: CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1356
-
dn: CN=msExch-Configuration-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1346
-
dn: CN=NTDS-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1347
-
dn: CN=NTDS-Site-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.211
-
dn: CN=NTFRS-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.89
-
dn: CN=Inter-Site-Transport,CN=Schema,CN=Configuration,DC=arobindg15,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1336
systemMayContain: 1.2.840.113556.1.4.307
-
dn: CN=Site-Link,CN=Schema,CN=Configuration,DC=arobindg15,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.307
systemMayContain: 1.2.840.113556.1.4.1336
-
dn: CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=arobindg15,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1335
-
dn: CN=MSMQ-Migrated-User,CN=Schema,CN=Configuration,DC=arobindg15,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1337
-
dn: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1348
systemMayContain: 1.2.840.113556.1.4.1349
-
dn: CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1353
-
dn: CN=E-Mail-Addresses,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mapiID
mapiID: 14846
-
dn: CN=Assoc-NT-Account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mapiID
mapiID: 32807
-
dn: CN=Assoc-NT-Account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mapiID
-
dn: CN=Object-Sid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mapiID
mapiID: 32807
-
dn: CN=Keywords,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Netboot-Machine-File-Path,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Netboot-GUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=MSMQ-Digests-Mig,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=MSMQ-Sign-Certificates-Mig,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Manager,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Service-Binding-Information,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Global-Address-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: FALSE
-
dn: CN=Site-Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: FALSE
-
dn: CN=Directory-Cfg,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.212
-
dn: CN=Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1307
-
dn: CN=ACS-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1313
systemMayContain: 1.2.840.113556.1.4.1314
systemMayContain: 1.2.840.113556.1.4.1315
systemMayContain: 1.2.840.113556.1.4.1316
systemMayContain: 1.2.840.113556.1.4.1317
-
dn: CN=ACS-Subnet,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1312
systemMayContain: 1.2.840.113556.1.4.1318
systemMayContain: 1.2.840.113556.1.4.1319
systemMayContain: 1.2.840.113556.1.4.1320
systemMayContain: 1.2.840.113556.1.4.1321
-
dn: CN=Lost-And-Found,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: FALSE
-
dn: CN=Lost-And-Found,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1305
-
dn: CN=Mailbox,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.212
-
dn: CN=Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.96
-
dn: CN=Print-Queue,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1311
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.236
-
dn: CN=Intellimirror-Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.222
-
dn: CN=Site,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.222
systemMayContain: 1.2.840.113556.1.4.1308
systemMayContain: 1.2.840.113556.1.4.1309
-
dn: CN=MSMQ-Enterprise-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1308
systemMayContain: 1.2.840.113556.1.4.1309
-
dn: CN=MSMQ-Site-Link,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1310
-
dn: CN=Remote-Address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.212
-
dn: CN=NTDS-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.212
-
dn: CN=NNTP-Newsfeed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.212
-
dn: CN=Dns-Zone,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1306
-
dn: CN=Dns-Node,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1306
-
dn: CN=Subnet,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.222
-
dn: CN=rpc-Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.114
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.114
-
dn: CN=rpc-Profile-Element,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.118
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.118
-
dn: CN=Company,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: ldapDisplayName
ldapDisplayName: company
-
dn: CN=Text-Country,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: ldapDisplayName
ldapDisplayName: co
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: container
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;RPWPCR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWPCR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWPCR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWPCR;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWPCR;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWPCR;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RPWPCR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPLCLORC;;;AU)(OA;;RPWPCR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CCDC;;;PS)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
-
dn: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:P(A;;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)(A;CIOI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(OA;;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
-
dn: CN=X509-Cert,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: attributeSecurityGuid
attributeSecurityGUID:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Country,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.131
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.131
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.131
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1357
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=nTDSSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Settings
-
dn: CN=nTDSDSA-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Domain Controller Settings
-
dn: CN=nTDSConnection-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Connection
-
dn: CN=nTFRSSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: FRS Settings
-
dn: CN=nTFRSReplicaSet-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: FRS Replica Set
-
dn: CN=nTDSSiteSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Site Settings
-
dn: CN=nTFRSMember-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: FRS Member
-
dn: CN=nTFRSSubscriber-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: FRS Subscriber
-
dn: CN=nTFRSSubscriptions-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: FRS Subscriptions
-
dn: CN=nTDSService-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Service
-
dn: CN=mSMQSiteLink-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: MSMQ Routing Link
-
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 7,{8c5b1b50-d46e-11d1-8091-00a024c48131}
-
dn: CN=printQueue-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: whenCreated,Date Published
-
dn: CN=MsmqServices,CN=Services,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: mSMQEnterpriseSettings
mSmQVersion: 200
showInAdvancedViewOnly: TRUE
dn: CN=DS-Install-Replica,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Add/Remove Replica In Domain
rightsGUID: 9923a32a-3607-11d2-b9be-0000f87a36b2
showInAdvancedViewOnly: TRUE
dn: CN=Change-Infrastructure-Master,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
appliesTo: 2df90d89-009f-11d2-aa4c-00c04fd7d83a
displayName: Change Infrastructure Master
rightsGUID: cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd
showInAdvancedViewOnly: TRUE
dn: CN=sitesContainer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
-
dn: CN=interSiteTransportContainer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
-
dn: CN=interSiteTransport-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{6dfe6491-a212-11d0-bcd5-00c04fd8d5b6}
-
delete: adminPropertyPages
adminPropertyPages: 1,{6DFE6491-AC8D-11D0-B945-00C04FD8D5B0}
-
dn: CN=subnetContainer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
-
dn: CN=serversContainer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
-
dn: CN=nTDSService-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
-
dn: CN=queryPolicy-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{6384e23e-736d-11d1-bd0d-00c04fd8d5b6}
-
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: countryCode,Country Code
attributeDisplayNames: comment,User Account Comment
-
add: attributeDisplayNames
attributeDisplayNames: comment,Comment
attributeDisplayNames: samAccountName,Downlevel Logon Name
-
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: co,Company
-
add: attributeDisplayNames
attributeDisplayNames: company,Company
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: co,Company
-
add: attributeDisplayNames
attributeDisplayNames: company,Company
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: type,Type
-
add: attributeDisplayNames
attributeDisplayNames: managedBy,Managed By
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{6dfe6492-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 2,{9da6fd64-c63b-11d0-b94d-00c04fd8d5b0}
adminPropertyPages: 3,{77597368-7b15-11d0-a0c2-080036af3f03}
adminPropertyPages: 4,{6dfe648b-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 5,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 6,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 10,{0F65B1BF-740F-11d1-BBE6-0060081692B3}
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: createWizardExt
createWizardExt: 1,{D6D8C25A-4E83-11d2-8424-00C04FA372D4}
-
dn: CN=site-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
-
dn: CN=site-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{717EF4FA-AC8D-11D0-B945-00C04FD8D5B0}
adminPropertyPages: 2,{77597368-7b15-11d0-a0c2-080036af3f03}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 4,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 5,{bc019ba0-d46d-11d1-8091-00a024c48131}
-
dn: CN=subnet-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
-
dn: CN=subnet-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 1,{9da6fd62-c63b-11d0-b94d-00c04fd8d5b0}
adminPropertyPages: 2,{77597368-7b15-11d0-a0c2-080036af3f03}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 4,{4E40F770-369C-11d0-8922-00A024AB2DBB}
-
dn: CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeDisplayNames
attributeDisplayNames: managedBy,Managed By
-
dn: CN=volume-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeDisplayNames
attributeDisplayNames: managedBy,Managed By
attributeDisplayNames: keywords,Keywords
-
dn: CN=pKICertificateTemplate-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: displaySpecifier
adminPropertyPages: 1,{9bff616c-3e02-11d2-a4ca-00c04fb93209}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4e40f770-369c-11d0-8922-00a024ab2dbb}
shellPropertyPages: 1,{9bff616c-3e02-11d2-a4ca-00c04fb93209}
contextMenu: 0,{9bff616c-3e02-11d2-a4ca-00c04fb93209}
adminContextMenu: 0,{9bff616c-3e02-11d2-a4ca-00c04fb93209}
classDisplayName: Certificate Template
attributeDisplayNames: cn,Name
attributeDisplayNames: description,Description
iconPath: 0,capesnpn.dll,-227
showInAdvancedViewOnly: TRUE
dn: CN=DS-UI-Default-Settings,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: dSUISettings
showInAdvancedViewOnly: TRUE
dn: CN=RAS-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: displayName
displayName: Modify Remote Access Information
-
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{9da6fd66-c63b-11d0-b94d-00c04fd8d5b0}
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{9da6fd66-c63b-11d0-b94d-00c04fd8d5b0}
-
dn: CN=serviceAdministrationPoint-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{9da6fd64-c63b-11d0-b94d-00c04fd8d5b0}
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{9da6fd64-c63b-11d0-b94d-00c04fd8d5b0}
-
dn: CN=volume-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{9da6fd64-c63b-11d0-b94d-00c04fd8d5b0}
-
dn: CN=domainDNS-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{9da6fd65-c63b-11d0-b94d-00c04fd8d5b0}
-
dn: CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{9da6fd65-c63b-11d0-b94d-00c04fd8d5b0}
-
dn: CN=mSMQQueue-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
-
dn: CN=mSMQConfiguration-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
-
dn: CN=mSMQEnterpriseSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
-
add: adminPropertyPages
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
-
dn: CN=mSMQSettings-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
-
add: adminPropertyPages
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
-
dn: CN=mSMQSiteLink-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: adminPropertyPages
adminPropertyPages: 2,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 3,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
-
add: adminPropertyPages
adminPropertyPages: 3,{4E40F770-369C-11d0-8922-00A024AB2DBB}
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
-
dn: CN=Domain-Administer-Server,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 1
-
add: validAccesses
validAccesses: 256
-
dn: CN=User-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 2
-
add: validAccesses
validAccesses: 256
-
dn: CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 3
-
add: validAccesses
validAccesses: 256
-
dn: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 4
-
add: validAccesses
validAccesses: 256
-
dn: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 5
-
add: validAccesses
validAccesses: 256
-
dn: CN=Send-To,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 6
-
add: validAccesses
validAccesses: 256
-
dn: CN=Domain-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 7
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Domain Password & Lockout Policie
-
dn: CN=General-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 8
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: General Information
-
dn: CN=User-Account-Restrictions,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 9
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Account Restrictions
-
dn: CN=User-Logon,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 10
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Logon Information
-
dn: CN=Membership,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 11
-
add: validAccesses
validAccesses: 256
-
dn: CN=Lockout-Policy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 12
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Lockout Policy
-
dn: CN=Password-Policy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 13
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Password Policy
-
dn: CN=Domain-Configuration,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 14
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Domain Policy Configuration
-
dn: CN=Domain-Policy-Ref,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 15
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Domain Policy Reference
-
dn: CN=Privileges,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 16
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Privileges
-
dn: CN=Administrative-Access,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 17
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Logon Rights
-
dn: CN=Local-Policy-Ref,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 18
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Local Policy Reference
-
dn: CN=Audit-Policy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 19
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Audit Policy
-
dn: CN=Builtin-Local-Groups,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 20
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Administrative Roles
-
dn: CN=Open-Address-Book,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 21
-
add: validAccesses
validAccesses: 256
-
dn: CN=Email-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 22
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Phone and Mail Options
-
dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 23
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Personal Information
-
dn: CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 24
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Web Information
-
dn: CN=DS-Replication-Get-Changes,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 25
-
add: validAccesses
validAccesses: 256
-
dn: CN=DS-Replication-Synchronize,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 26
-
add: validAccesses
validAccesses: 256
-
dn: CN=DS-Replication-Manage-Topology,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 27
-
add: validAccesses
validAccesses: 256
-
dn: CN=Change-Schema-Master,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 28
-
add: validAccesses
validAccesses: 256
-
dn: CN=Change-Rid-Master,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 29
-
add: validAccesses
validAccesses: 256
-
dn: CN=Abandon-Replication,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 30
-
add: validAccesses
validAccesses: 256
-
dn: CN=Do-Garbage-Collection,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 31
-
add: validAccesses
validAccesses: 256
-
dn: CN=Recalculate-Hierarchy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 32
-
add: validAccesses
validAccesses: 256
-
dn: CN=Allocate-Rids,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 33
-
add: validAccesses
validAccesses: 256
-
dn: CN=Change-PDC,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 34
-
add: validAccesses
validAccesses: 256
-
dn: CN=Add-GUID,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 35
-
add: validAccesses
validAccesses: 256
-
dn: CN=Change-Domain-Master,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 36
-
add: validAccesses
validAccesses: 256
-
dn: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 37
-
add: validAccesses
validAccesses: 48
-
replace: displayName
displayName: Public Information
-
dn: CN=msmq-Receive-Dead-Letter,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 38
-
add: validAccesses
validAccesses: 256
-
dn: CN=msmq-Peek-Dead-Letter,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 39
-
add: validAccesses
validAccesses: 256
-
dn: CN=msmq-Receive-computer-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 40
-
add: validAccesses
validAccesses: 256
-
dn: CN=msmq-Peek-computer-Journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 41
-
add: validAccesses
validAccesses: 256
-
dn: CN=msmq-Receive,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 42
-
add: validAccesses
validAccesses: 256
-
dn: CN=msmq-Peek,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 43
-
add: validAccesses
validAccesses: 256
-
dn: CN=msmq-Send,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 44
-
add: validAccesses
validAccesses: 256
-
dn: CN=msmq-Receive-journal,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 45
-
add: validAccesses
validAccesses: 256
-
dn: CN=msmq-Open-Connector,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 46
-
add: validAccesses
validAccesses: 256
-
dn: CN=Apply-Group-Policy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 47
-
add: validAccesses
validAccesses: 256
-
dn: CN=RAS-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 48
-
add: validAccesses
validAccesses: 256
-
dn: CN=DS-Install-Replica,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 49
-
add: validAccesses
validAccesses: 256
-
dn: CN=Change-Infrastructure-Master,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: localizationDisplayId
localizationDisplayId: 50
-
add: validAccesses
validAccesses: 256
-
dn: CN=Update-Schema-Cache,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
showInAdvancedViewOnly: TRUE
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName: Update Schema Cache
localizationDisplayId: 51
rightsGUID: be2bb760-7f46-11d2-b9ad-00c04f79f805
validAccesses: 256
dn: CN=Recalculate-Security-Inheritance,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
showInAdvancedViewOnly: TRUE
appliesTo: f0f8ffab-1191-11d0-a060-00aa006c33ed
displayName: Recalculate Security Inheritance
localizationDisplayId: 52
rightsGUID: 62dd28a8-7f46-11d2-b9ad-00c04f79f805
validAccesses: 256
dn: CN=DS-Check-Stale-Phantoms,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
showInAdvancedViewOnly: TRUE
appliesTo: f0f8ffab-1191-11d0-a060-00aa006c33ed
displayName: Check Stale Phantoms
localizationDisplayId: 53
rightsGUID: 69ae6200-7f46-11d2-b9ad-00c04f79f805
validAccesses: 256
dn: CN=Certificate-Enrollment,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
showInAdvancedViewOnly: TRUE
appliesTo: e5209ca2-3bba-11d2-90cc-00c04fd91ab1
displayname: Enroll
localizationDisplayId: 54
rightsGuid: 0e10c968-78fb-11d2-90d4-00c04f79dc55
validAccesses: 256
dn: CN=IntellimirrorGroup-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Intellimirror Group
-
dn: CN=IntellimirrorSCP-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Intellimirror Service
-
dn: CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: cn,Name
-
add: attributeDisplayNames
attributeDisplayNames: cn,Common Name
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 8
-
Sch9.ldf
dn: CN=msExch-Configuration-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: ms-Exch-Configuration-Container
deleteoldrdn: 1
dn: CN=ms-Exch-Configuration-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDisplayName
adminDisplayName: ms-Exch-Configuration-Container
-
replace: adminDescription
adminDescription: ms-Exch-Configuration-Container
-
dn: CN=Mime-Types,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: Mime-Types-Unused
deleteoldrdn: 1
dn: CN=Mime-Types-Unused,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDisplayName
adminDisplayName: Mime-Types-Unused
-
replace: adminDescription
adminDescription: Mime-Types-Unused
-
replace: ldapDisplayName
ldapDisplayName: mimeTypesUnused
-
dn: CN=DS-Core-Propagation-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: dSCorePropagationData
adminDescription: DS-Core-Propagation-Data
adminDisplayName: DS-Core-Propagation-Data
attributeID: 1.2.840.113556.1.4.1357
attributeSyntax: 2.5.5.11
oMSyntax: 24
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIDGUID:: S6pn0QiL0hGZOQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=Schema-Info,CN=schema,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: schemaInfo
adminDescription: Schema-Info
adminDisplayName: Schema-Info
attributeID: 1.2.840.113556.1.4.1358
attributeSyntax: 2.5.5.10
oMSyntax: 4
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIDGUID:: rmT7+bST0hGZRQAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Other-Well-Known-Objects,CN=schema,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: otherWellKnownObjects
adminDescription: Other-Well-Known-Objects
adminDisplayName: Other-Well-Known-Objects
attributeID: 1.2.840.113556.1.4.1359
attributeSyntax: 2.5.5.7
oMSyntax: 127
oMObjectClass:: KoZIhvcUAQEBCw==
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: XU6mHg+s0hGQ3wDAT9kasQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-DS-Consistency-Child-Count,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: mS-DS-ConsistencyChildCount
adminDescription: MS-DS-Consistency-Child-Count
adminDisplayName: MS-DS-Consistency-Child-Count
attributeID: 1.2.840.113556.1.4.1361
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: wnuLFzq20hGQ4QDAT9kasQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-DS-Consistency-Guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: mS-DS-ConsistencyGuid
adminDescription: MS-DS-Consistency-Guid
adminDisplayName: MS-DS-Consistency-Guid
attributeID: 1.2.840.113556.1.4.1360
attributeSyntax: 2.5.5.10
oMSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIDGUID:: wj13Izq20hGQ4QDAT9kasQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-SPX,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-SPX
adminDisplayName: MS-SQL-SPX
adminDescription: MS-SQL-SPX
attributeId: 1.2.840.113556.1.4.1376
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BICwhu7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Name,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Name
adminDisplayName: MS-SQL-Name
adminDescription: MS-SQL-Name
attributeId: 1.2.840.113556.1.4.1363
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: 2N8yNe7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
systemFlags: 16
dn: CN=MS-SQL-Size,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Size
adminDisplayName: MS-SQL-Size
adminDescription: MS-SQL-Size
attributeId: 1.2.840.113556.1.4.1396
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hIAJ6e7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Type,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Type
adminDisplayName: MS-SQL-Type
adminDescription: MS-SQL-Type
attributeId: 1.2.840.113556.1.4.1391
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: qOtIyu7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Alias,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Alias
adminDisplayName: MS-SQL-Alias
adminDescription: MS-SQL-Alias
attributeId: 1.2.840.113556.1.4.1395
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: rrrG4O7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
systemFlags: 16
dn: CN=MS-SQL-Build,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Build
adminDisplayName: MS-SQL-Build
adminDescription: MS-SQL-Build
attributeId: 1.2.840.113556.1.4.1368
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: xJQ+YO7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-TCPIP,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-TCPIP
adminDisplayName: MS-SQL-TCPIP
adminDescription: MS-SQL-TCPIP
attributeId: 1.2.840.113556.1.4.1377
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: pmPCiu7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Vines,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Vines
adminDisplayName: MS-SQL-Vines
adminDescription: MS-SQL-Vines
attributeId: 1.2.840.113556.1.4.1379
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: lGPFlO7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Memory,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Memory
adminDisplayName: MS-SQL-Memory
adminDescription: MS-SQL-Memory
attributeId: 1.2.840.113556.1.4.1367
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: jERdW+7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Status,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Status
adminDisplayName: MS-SQL-Status
adminDescription: MS-SQL-Status
attributeId: 1.2.840.113556.1.4.1380
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: cEd9mu7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Contact,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Contact
adminDisplayName: MS-SQL-Contact
adminDescription: MS-SQL-Contact
attributeId: 1.2.840.113556.1.4.1365
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 2L1sT+7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Version,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Version
adminDisplayName: MS-SQL-Version
adminDescription: MS-SQL-Version
attributeId: 1.2.840.113556.1.4.1388
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: 0MF8wO7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
systemFlags: 16
dn: CN=MS-SQL-Database,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Database
adminDisplayName: MS-SQL-Database
adminDescription: MS-SQL-Database
attributeId: 1.2.840.113556.1.4.1393
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: 3Nug1e7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
systemFlags: 16
dn: CN=MS-SQL-Language,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Language
adminDisplayName: MS-SQL-Language
adminDescription: MS-SQL-Language
attributeId: 1.2.840.113556.1.4.1389
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9HJ/xe7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Location,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Location
adminDisplayName: MS-SQL-Location
adminDescription: MS-SQL-Location
attributeId: 1.2.840.113556.1.4.1366
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RJYcVu7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Keywords,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Keywords
adminDisplayName: MS-SQL-Keywords
adminDescription: MS-SQL-Keywords
attributeId: 1.2.840.113556.1.4.1401
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: iqnpAe/M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-NamedPipe,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-NamedPipe
adminDisplayName: MS-SQL-NamedPipe
adminDescription: MS-SQL-NamedPipe
attributeId: 1.2.840.113556.1.4.1374
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QMiRe+7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-AppleTalk,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-AppleTalk
adminDisplayName: MS-SQL-AppleTalk
adminDescription: MS-SQL-AppleTalk
attributeId: 1.2.840.113556.1.4.1378
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9Inaj+7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-GPSHeight,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-GPSHeight
adminDisplayName: MS-SQL-GPSHeight
adminDescription: MS-SQL-GPSHeight
attributeId: 1.2.840.113556.1.4.1387
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Dk/dvO7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Clustered,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Clustered
adminDisplayName: MS-SQL-Clustered
adminDescription: MS-SQL-Clustered
attributeId: 1.2.840.113556.1.4.1373
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: kL14d+7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-SortOrder,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-SortOrder
adminDisplayName: MS-SQL-SortOrder
adminDescription: MS-SQL-SortOrder
attributeId: 1.2.840.113556.1.4.1371
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wELcbe7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Description,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Description
adminDisplayName: MS-SQL-Description
adminDescription: MS-SQL-Description
attributeId: 1.2.840.113556.1.4.1390
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: PGCGg+/M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-GPSLatitude,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-GPSLatitude
adminDisplayName: MS-SQL-GPSLatitude
adminDescription: MS-SQL-GPSLatitude
attributeId: 1.2.840.113556.1.4.1385
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Droisu7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-CreationDate,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-CreationDate
adminDisplayName: MS-SQL-CreationDate
adminDescription: MS-SQL-CreationDate
attributeId: 1.2.840.113556.1.4.1397
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: VEfh7e7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-CharacterSet,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-CharacterSet
adminDisplayName: MS-SQL-CharacterSet
adminDescription: MS-SQL-CharacterSet
attributeId: 1.2.840.113556.1.4.1370
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: pndhae7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-Applications,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-Applications
adminDisplayName: MS-SQL-Applications
adminDescription: MS-SQL-Applications
attributeId: 1.2.840.113556.1.4.1400
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 6qLN++7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-GPSLongitude,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-GPSLongitude
adminDisplayName: MS-SQL-GPSLongitude
adminDescription: MS-SQL-GPSLongitude
attributeId: 1.2.840.113556.1.4.1386
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: lHxXt+7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-ConnectionURL,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-ConnectionURL
adminDisplayName: MS-SQL-ConnectionURL
adminDescription: MS-SQL-ConnectionURL
attributeId: 1.2.840.113556.1.4.1383
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 2iMtqe7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-MultiProtocol,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-MultiProtocol
adminDisplayName: MS-SQL-MultiProtocol
adminDescription: MS-SQL-MultiProtocol
attributeId: 1.2.840.113556.1.4.1375
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OPpXge7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-LastBackupDate,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-LastBackupDate
adminDisplayName: MS-SQL-LastBackupDate
adminDescription: MS-SQL-LastBackupDate
attributeId: 1.2.840.113556.1.4.1398
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: yqu28u7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-ServiceAccount,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-ServiceAccount
adminDisplayName: MS-SQL-ServiceAccount
adminDescription: MS-SQL-ServiceAccount
attributeId: 1.2.840.113556.1.4.1369
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: PjqTZO7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-PublicationURL,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-PublicationURL
adminDisplayName: MS-SQL-PublicationURL
adminDescription: MS-SQL-PublicationURL
attributeId: 1.2.840.113556.1.4.1384
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: uBEMru7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-InformationURL,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-InformationURL
adminDisplayName: MS-SQL-InformationURL
adminDescription: MS-SQL-InformationURL
attributeId: 1.2.840.113556.1.4.1382
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ENUspO7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-LastUpdatedDate,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-LastUpdatedDate
adminDisplayName: MS-SQL-LastUpdatedDate
adminDescription: MS-SQL-LastUpdatedDate
attributeId: 1.2.840.113556.1.4.1381
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 1EPMn+7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-RegisteredOwner,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-RegisteredOwner
adminDisplayName: MS-SQL-RegisteredOwner
adminDescription: MS-SQL-RegisteredOwner
attributeId: 1.2.840.113556.1.4.1364
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 6kT9SO7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-UnicodeSortOrder,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-UnicodeSortOrder
adminDisplayName: MS-SQL-UnicodeSortOrder
adminDescription: MS-SQL-UnicodeSortOrder
attributeId: 1.2.840.113556.1.4.1372
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ipHccu7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-LastDiagnosticDate,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-LastDiagnosticDate
adminDisplayName: MS-SQL-LastDiagnosticDate
adminDescription: MS-SQL-LastDiagnosticDate
attributeId: 1.2.840.113556.1.4.1399
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: iN3W9u7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-InformationDirectory,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-InformationDirectory
adminDisplayName: MS-SQL-InformationDirectory
adminDescription: MS-SQL-InformationDirectory
attributeId: 1.2.840.113556.1.4.1392
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Ltuu0O7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-AllowAnonymousSubscription,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mS-SQL-AllowAnonymousSubscription
adminDisplayName: MS-SQL-AllowAnonymousSubscription
adminDescription: MS-SQL-AllowAnonymousSubscription
attributeId: 1.2.840.113556.1.4.1394
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Sr532+7M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-SQL-SQLServer,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: mS-SQL-SQLServer
adminDisplayName: MS-SQL-SQLServer
adminDescription: MS-SQL-SQLServer
governsId: 1.2.840.113556.1.5.184
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.126
systemMayContain: 1.2.840.113556.1.4.1401
systemMayContain: 1.2.840.113556.1.4.1387
systemMayContain: 1.2.840.113556.1.4.1386
systemMayContain: 1.2.840.113556.1.4.1385
systemMayContain: 1.2.840.113556.1.4.1382
systemMayContain: 1.2.840.113556.1.4.1381
systemMayContain: 1.2.840.113556.1.4.1380
systemMayContain: 1.2.840.113556.1.4.1379
systemMayContain: 1.2.840.113556.1.4.1378
systemMayContain: 1.2.840.113556.1.4.1377
systemMayContain: 1.2.840.113556.1.4.1376
systemMayContain: 1.2.840.113556.1.4.1375
systemMayContain: 1.2.840.113556.1.4.1374
systemMayContain: 1.2.840.113556.1.4.1373
systemMayContain: 1.2.840.113556.1.4.1372
systemMayContain: 1.2.840.113556.1.4.1371
systemMayContain: 1.2.840.113556.1.4.1370
systemMayContain: 1.2.840.113556.1.4.1369
systemMayContain: 1.2.840.113556.1.4.1368
systemMayContain: 1.2.840.113556.1.4.1367
systemMayContain: 1.2.840.113556.1.4.1366
systemMayContain: 1.2.840.113556.1.4.1365
systemMayContain: 1.2.840.113556.1.4.1364
systemMayContain: 1.2.840.113556.1.4.1363
systemPossSuperiors: 1.2.840.113556.1.5.126
schemaIdGuid:: eMj2Be/M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MS-SQL-SQLServer,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
dn: CN=MS-SQL-OLAPServer,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: mS-SQL-OLAPServer
adminDisplayName: MS-SQL-OLAPServer
adminDescription: MS-SQL-OLAPServer
governsId: 1.2.840.113556.1.5.185
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.126
systemMayContain: 1.2.840.113556.1.4.1401
systemMayContain: 1.2.840.113556.1.4.1384
systemMayContain: 1.2.840.113556.1.4.1382
systemMayContain: 1.2.840.113556.1.4.1380
systemMayContain: 1.2.840.113556.1.4.1389
systemMayContain: 1.2.840.113556.1.4.1369
systemMayContain: 1.2.840.113556.1.4.1365
systemMayContain: 1.2.840.113556.1.4.1364
systemMayContain: 1.2.840.113556.1.4.1368
systemMayContain: 1.2.840.113556.1.4.1388
systemMayContain: 1.2.840.113556.1.4.1363
systemPossSuperiors: 1.2.840.113556.1.5.126
schemaIdGuid:: 6hh+DO/M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MS-SQL-OLAPServer,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
dn: CN=MS-SQL-SQLPublication,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: mS-SQL-SQLPublication
adminDisplayName: MS-SQL-SQLPublication
adminDescription: MS-SQL-SQLPublication
governsId: 1.2.840.113556.1.5.187
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1394
systemMayContain: 1.2.840.113556.1.4.1393
systemMayContain: 1.2.840.113556.1.4.1391
systemMayContain: 1.2.840.113556.1.4.1380
systemMayContain: 1.2.840.113556.1.4.1390
systemMayContain: 1.2.840.113556.1.4.1363
systemPossSuperiors: 1.2.840.113556.1.5.184
schemaIdGuid:: TvbCF+/M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MS-SQL-SQLPublication,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
dn: CN=MS-SQL-OLAPDatabase,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: mS-SQL-OLAPDatabase
adminDisplayName: MS-SQL-OLAPDatabase
adminDescription: MS-SQL-OLAPDatabase
governsId: 1.2.840.113556.1.5.189
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1401
systemMayContain: 1.2.840.113556.1.4.1384
systemMayContain: 1.2.840.113556.1.4.1383
systemMayContain: 1.2.840.113556.1.4.1382
systemMayContain: 1.2.840.113556.1.4.1380
systemMayContain: 1.2.840.113556.1.4.1400
systemMayContain: 1.2.840.113556.1.4.1398
systemMayContain: 1.2.840.113556.1.4.1381
systemMayContain: 1.2.840.113556.1.4.1396
systemMayContain: 1.2.840.113556.1.4.1391
systemMayContain: 1.2.840.113556.1.4.1390
systemMayContain: 1.2.840.113556.1.4.1365
systemMayContain: 1.2.840.113556.1.4.1363
systemPossSuperiors: 1.2.840.113556.1.5.185
schemaIdGuid:: GgOvIO/M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MS-SQL-OLAPDatabase,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
dn: CN=MS-SQL-SQLRepository,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: mS-SQL-SQLRepository
adminDisplayName: MS-SQL-SQLRepository
adminDescription: MS-SQL-SQLRepository
governsId: 1.2.840.113556.1.5.186
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1392
systemMayContain: 1.2.840.113556.1.4.1388
systemMayContain: 1.2.840.113556.1.4.1390
systemMayContain: 1.2.840.113556.1.4.1380
systemMayContain: 1.2.840.113556.1.4.1368
systemMayContain: 1.2.840.113556.1.4.1365
systemMayContain: 1.2.840.113556.1.4.1363
systemPossSuperiors: 1.2.840.113556.1.5.184
schemaIdGuid:: XDzUEe/M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MS-SQL-SQLRepository,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
dn: CN=MS-SQL-SQLDatabase,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: mS-SQL-SQLDatabase
adminDisplayName: MS-SQL-SQLDatabase
adminDescription: MS-SQL-SQLDatabase
governsId: 1.2.840.113556.1.5.188
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1401
systemMayContain: 1.2.840.113556.1.4.1382
systemMayContain: 1.2.840.113556.1.4.1380
systemMayContain: 1.2.840.113556.1.4.1400
systemMayContain: 1.2.840.113556.1.4.1399
systemMayContain: 1.2.840.113556.1.4.1398
systemMayContain: 1.2.840.113556.1.4.1397
systemMayContain: 1.2.840.113556.1.4.1396
systemMayContain: 1.2.840.113556.1.4.1365
systemMayContain: 1.2.840.113556.1.4.1395
systemMayContain: 1.2.840.113556.1.4.1390
systemMayContain: 1.2.840.113556.1.4.1363
systemPossSuperiors: 1.2.840.113556.1.5.184
schemaIdGuid:: SmkIHe/M0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MS-SQL-SQLDatabase,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
dn: CN=MS-SQL-OLAPCube,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: mS-SQL-OLAPCube
adminDisplayName: MS-SQL-OLAPCube
adminDescription: MS-SQL-OLAPCube
governsId: 1.2.840.113556.1.5.190
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1401
systemMayContain: 1.2.840.113556.1.4.1384
systemMayContain: 1.2.840.113556.1.4.1382
systemMayContain: 1.2.840.113556.1.4.1380
systemMayContain: 1.2.840.113556.1.4.1381
systemMayContain: 1.2.840.113556.1.4.1396
systemMayContain: 1.2.840.113556.1.4.1390
systemMayContain: 1.2.840.113556.1.4.1365
systemMayContain: 1.2.840.113556.1.4.1363
systemPossSuperiors: 1.2.840.113556.1.5.189
schemaIdGuid:: alDwCSjN0hGZkwAA+HpX1A==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MS-SQL-OLAPCube,CN=Schema,CN=Configuration,DC=arobindg1,DC=nttest,DC=microsoft,DC=com
dn: CN=DMD,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1358
-
dn: CN=NTDS-Site-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.211
-
dn: CN=E-Mail-Addresses,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mapiID
mapiID: 14846
-
dn: CN=Address-Home,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemFlags
systemFlags: 16
-
dn: CN=Extension-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemFlags
systemFlags: 16
-
dn: CN=Text-Country,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemFlags
systemFlags: 16
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CCDC;;;PS)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
-
dn: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:P(A;;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)(A;CIOI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(OA;;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
-
dn: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;AU)
-
dn: CN=Servers-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;BA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CIOI;RPWPCRLCLOCCRCWDWOSDDTSW;;;EA)S:(AU;CIOISAFA;WDWOSDDTWPCRCCDCSW;;;WD)
-
dn: CN=Country,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.131
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CCDC;;;PS)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.131
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.3.23
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.131
-
dn: CN=Service-Principal-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Well-Known-Objects,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=RDN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 13
-
dn: CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=PKI-Enrollment-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1357
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1359
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1360
systemMayContain: 1.2.840.113556.1.4.1361
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.25
-
dn: CN=GP-Link,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Sid-History,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn: CN=Sid-History,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: Qi+6WaJ50BGQIADAT8LTzw==
-
dn: CN=MSMQ-Digests,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=MSMQ-Sign-Certificates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=E-Mail-Addresses,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Given-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Surname,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Show-In-Advanced-View-Only,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: mapiID
-
dn: CN=Additional-Information,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: ldapDisplayName
ldapDisplayName: ms-info
-
dn: CN=Comment,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: ldapDisplayName
ldapDisplayName: info
-
dn: CN=Additional-Information,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: ldapDisplayName
ldapDisplayName: notes
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: gPLink
systemMayContain: gPOptions
-
dn: CN=Object-Guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Obj-Dist-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Common-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=Country-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=Domain-Component,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=Organization-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=Organizational-Unit-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=State-Or-Province-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=DS-Core-Propagation-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Partial-Attribute-Deletion-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Partial-Attribute-Set,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Sub-Refs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=USN-Last-Obj-Rem,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Repl-Property-Meta-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Repl-UpToDate-Vector,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Reps-From,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Reps-To,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=USN-Changed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=USN-Created,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=When-Changed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 19
-
dn: CN=Telephone-Number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Legacy-Exchange-DN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=IntellimirrorGroup-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Intellimirror Group
-
dn: CN=IntellimirrorSCP-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: classDisplayName
classDisplayName: Intellimirror Service
-
dn: CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: cn,Name
-
dn: CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: cn,Common Name
-
dn: CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeDisplayNames
attributeDisplayNames: ou,Name
-
dn: CN=DS-UI-Default-Settings,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: dSUIAdminNotification
dSUIAdminNotification: 1,{E62F8206-B71C-11D1-808D-00A024C48131}
-
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: notes,Notes
-
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeDisplayNames
attributeDisplayNames: info,Notes
-
dn: CN=group-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: notes,Notes
-
dn: CN=group-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeDisplayNames
attributeDisplayNames: info,Notes
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: info,Notes
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeDisplayNames
attributeDisplayNames: notes,Notes
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 9
-
Sch10.ldf
Sch11.ldf
dn: CN=MS-DS-Replicates-NC-Reason,CN=schema,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
adminDescription: MS-DS-Replicates-NC-Reason
adminDisplayName: MS-DS-Replicates-NC-Reason
attributeID: 1.2.840.113556.1.4.1408
attributeSyntax: 2.5.5.7
oMSyntax: 127
oMObjectClass:: KoZIhvcUAQEBCw==
lDAPDisplayName: mS-DS-ReplicatesNCReason
isSingleValued: FALSE
systemOnly: FALSE
schemaIDGUID:: hCuhDrMI0xGRvAAA+HpX1A==
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Mastered-By,CN=schema,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
adminDescription: Mastered-By
adminDisplayName: Mastered-By
attributeID: 1.2.840.113556.1.4.1409
attributeSyntax: 2.5.5.1
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
lDAPDisplayName: masteredBy
isSingleValued: FALSE
systemOnly: TRUE
schemaIDGUID:: 4GSO5MkS0xGRAgDAT9kasQ==
searchFlags: 0
linkID: 77
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=MS-DS-Machine-Account-Quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
adminDescription: MS-DS-Machine-Account-Quota
adminDisplayName: MS-DS-Machine-Account-Quota
attributeID: 1.2.840.113556.1.4.1411
attributeSyntax: 2.5.5.9
oMSyntax: 2
lDAPDisplayName: mS-DS-MachineAccountQuota
isSingleValued: TRUE
schemaIDGUID:: aPtk0IAU0xGRwQAA+HpX1A==
systemOnly: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-DS-Creator-Sid,CN=Schema,CN=Configuration,DC=arobindg6,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
adminDescription: MS-DS-Creator-SID
adminDisplayName: MS-DS-Creator-SID
attributeID: 1.2.840.113556.1.4.1410
attributeSyntax: 2.5.5.17
oMSyntax: 4
lDAPDisplayName: mS-DS-CreatorSID
isSingleValued: TRUE
schemaIDGUID:: MgHmxYAU0xGRwQAA+HpX1A==
systemOnly: TRUE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 5
-
dn: CN=Surname,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 5
-
dn: CN=Facsimile-Telephone-Number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 64
-
dn: CN=Telephone-Number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 64
-
dn: CN=Poss-Superiors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=System-Poss-Superiors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Range-Upper,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Range-Lower,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Ldap-Display-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=ms-RRAS-Attribute,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=When-Created,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=User-Cert,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=X509-Cert,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=User-SMIME-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Proxy-Addresses,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Text-Country,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Member,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGUID:: QMIKvKl50BGQIADAT8LUzw==
-
dn: CN=Bridgehead-Server-List-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=Frs-Computer-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=FRS-Member-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=Is-Privilege-Holder,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=Managed-Objects,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=netboot-SCP-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=Non-Security-Member-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=Query-Policy-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=Server-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=Site-Object-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=NTDS-Connection,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1408
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1409
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: uPNSuffixes
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1410
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1411
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLORCSDDT;;;CO)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CCDC;;;PS)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)
-
dn: CN=FT-Dfs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPLCLORC;;;AU)
-
dn: CN=Manager,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Assistant,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Show-In-Address-Book,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Division,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Account-Expires,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Profile-Path,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Primary-Group-ID,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 17
-
dn: CN=Preferred-OU,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Other-Login-Workstations,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=User-Workstations,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Max-Storage,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Logon-Workstation,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Logon-Hours,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Script-Path,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Locale-Id,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Home-Drive,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Home-Directory,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Country-Code,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Code-Page,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=User-Account-Control,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 25
-
dn: CN=Employee-Type,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Show-In-Advanced-View-Only,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 17
-
dn: CN=Company,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Department,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Text-Country,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Is-Member-Of-DL,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Post-Office-Box,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Postal-Code,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Postal-Address,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Street-Address,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=State-Or-Province-Name,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Locality-Name,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 17
-
dn: CN=Country-Name,CN=schema,CN=configuration,DC=x
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)S:(AU;CISAFA;WDWOSDDTWPCRCCDCSW;;;WD)
-
dn: CN=Servers-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;BA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
-
dn: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:P(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
-
dn: CN=Alt-Security-Identities,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=NT-Security-Descriptor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 132096
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=Lockout-Policy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=Password-Policy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=Domain-Configuration,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=Domain-Policy-Ref,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=Privileges,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=Administrative-Access,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=Local-Policy-Ref,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=Audit-Policy,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=Builtin-Local-Groups,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=RAS-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: validAccesses
validAccesses: 48
-
dn: CN=Membership,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: validAccesses
validAccesses: 48
-
dn: CN=RAS-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: displayName
displayName: Remote Access Information
-
dn: CN=Membership,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: displayName
displayName: Group Membership
-
dn: CN=Open-Address-Book,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: displayName
displayName: Open Address List
-
dn: CN=Self-Membership,CN=extended-rights,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
rightsGuid: bf9679c0-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a9c-0de6-11d0-a285-00aa003049e2
displayName: Add/Remove self as member
localizationDisplayId: 12
validAccesses: 8
showInAdvancedViewOnly: TRUE
dn: CN=Validated-DNS-Host-Name,CN=extended-rights,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
rightsGuid: 72e39547-7b18-11d1-adef-00c04fd8d5cd
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
displayName: Validated write to DNS host name
localizationDisplayId: 13
validAccesses: 8
showInAdvancedViewOnly: TRUE
dn: CN=Validated-SPN,CN=extended-rights,CN=configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
rightsGuid: f3a64788-5306-11d1-a9c5-0000f80367c1
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
displayName: Validated write to service principal name
localizationDisplayId: 14
validAccesses: 8
showInAdvancedViewOnly: TRUE
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: facsimileTelephoneNumber,Facsimile Telephone Number
attributeDisplayNames: otherFacsimileTelephoneNumber,Facsimile Telephone Number (Others)
attributeDisplayNames: otherTelephone,Office Telephone Number (Others)
attributeDisplayNames: mobile,Primary Mobile Phone Number
attributeDisplayNames: otherMobile,Mobile Phone Number (Others)
-
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeDisplayNames
attributeDisplayNames: facsimileTelephoneNumber,Fax Number
attributeDisplayNames: otherFacsimileTelephoneNumber,Fax Number (Others)
attributeDisplayNames: otherTelephone,Phone Number (Others)
attributeDisplayNames: mobile,Mobile Number
attributeDisplayNames: otherMobile,Mobile Number (Others)
-
# The following add is preceded by a delete separately since some DCs may have it.
# If not, this is just skipped
dn: CN=Contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: otherFacsimileTelephoneNumber,Facsimile Telephone Number (Others)
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: facsimileTelephoneNumber,Facsimile Telephone Number
attributeDisplayNames: otherTelephone,Telephone Number (Others)
attributeDisplayNames: mobile,Primary Mobile Phone Number
attributeDisplayNames: otherMobile,Mobile Phone Number (Others)
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeDisplayNames
attributeDisplayNames: facsimileTelephoneNumber,Fax Number
attributeDisplayNames: otherFacsimileTelephoneNumber,Fax Number (Others)
attributeDisplayNames: otherTelephone,Phone Number (Others)
attributeDisplayNames: mobile,Mobile Number
attributeDisplayNames: otherMobile,Mobile Number (Others)
-
dn: CN=mSMQMigratedUser-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: displaySpecifier
classDisplayName: MSMQ Upgraded User
adminPropertyPages: 1,{fc5bf656-0b7f-11d3-883f-006094eb6406}
adminContextMenu: 1,{fc5bf656-0b7f-11d3-883f-006094eb6406}
showInAdvancedViewOnly: TRUE
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 11
-
Sch12.ldf
dn: CN=DNS-Tombstoned,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: dNSTombstoned
adminDescription: DNS-Tombstoned
adminDisplayName: DNS-Tombstoned
attributeID: 1.2.840.113556.1.4.1414
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: TRUE
searchFlags: 1
systemOnly: FALSE
schemaIDGUID:: ty7r1U6+O0aiFGNKRNc5Lg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Primary-Group-Token,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: primaryGroupToken
adminDescription: Primary-Group-Token
adminDisplayName: Primary-Group-Token
attributeID: 1.2.840.113556.1.4.1412
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE
searchFlags: 0
systemOnly: TRUE
schemaIDGUID:: OIftwP1+gUSE2WbS24vjaQ==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ACS-Resource-Limits,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
lDAPDisplayName: aCSResourceLimits
adminDescription: ACS-Resource-Limits
adminDisplayName: ACS-Resource-Limits
governsID: 1.2.840.113556.1.5.191
objectClassCategory: 1
rDNAttID: cn
subClassOf: top
systemMayContain: aCSMaxTokenRatePerFlow
systemMayContain: aCSServiceType
systemMayContain: aCSMaxPeakBandwidthPerFlow
systemMayContain: aCSMaxPeakBandwidth
systemMayContain: aCSAllocableRSVPBandwidth
systemPossSuperiors: container
schemaIDGUID:: BJuJLjQo0xGR1AAA+HpX1A==
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
systemFlags: 16
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 1024
-
dn: CN=Phone-Home-Primary,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLORCSDDT;;;CO)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CCDC;;;PS)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1412
-
dn: CN=Sam-Account-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 256
-
dn: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMustContain
systemMustContain: objectSid
-
dn: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: objectSid
-
dn: CN=Dns-Node,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1414
-
dn: CN=Link-Track-Vol-Entry,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
-
dn: CN=User-Account-Restrictions,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
-
dn: CN=Validated-SPN,CN=extended-rights,CN=configuration,DC=X
changetype: ntdsSchemaModify
delete: appliesTo
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
-
dn: CN=IntellimirrorSCP-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 2,{6dfe6488-a212-11d0-bcd5-00c04fd8d5b6}
adminPropertyPages: 3,{4e40f770-369c-11d0-8922-00a024ab2dbb}
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 12
-
Sch13.ldf
# Schema NC changes
dn: CN=Initials,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=Comment,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: attributeSecurityGuid
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)S:(AU;CISAFA;WDWOSDDTWPCRCCDCSW;;;WD)
-
dn: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)S:(AU;CISAFA;WDWOSDDTWPCRCCDCSW;;;WD)
-
dn: CN=SD-Rights-Effective,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: Qi+6WaJ50BGQIADAT8LTzw==
-
dn: CN=MSMQ-Label-Ex,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQLabelEx
adminDisplayName: MSMQ-Label-Ex
adminDescription: MSMQ-Label-Ex
attributeId: 1.2.840.113556.1.4.1415
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 124
schemaIdGuid:: Ja2ARQfU0kitJEPm5WeT1w==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
systemFlags: 16
dn: CN=MSMQ-Site-Name-Ex,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQSiteNameEx
adminDisplayName: MSMQ-Site-Name-Ex
adminDescription: MSMQ-Site-Name-Ex
attributeId: 1.2.840.113556.1.4.1416
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +kQhQn/BSUaU1pcx7SeE7Q==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MSMQ-Computer-Type-Ex,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: mSMQComputerTypeEx
adminDisplayName: MSMQ-Computer-Type-Ex
adminDescription: MSMQ-Computer-Type-Ex
attributeId: 1.2.840.113556.1.4.1417
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 6A0SGMT0QUO9lTLrW898gA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Token-Groups-Global-And-Universal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: tokenGroupsGlobalAndUniversal
adminDisplayName: Token-Groups-Global-And-Universal
adminDescription: Token-Groups-Global-And-Universal
attributeId: 1.2.840.113556.1.4.1418
attributeSyntax: 2.5.5.17
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: HbGpRq5gWkC36P+KWNRW0g==
attributeSecurityGuid:: +IhwA+EK0hG0IgCgyWj5OQ==
showInAdvancedViewOnly: TRUE
systemFlags: 134217748
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=MSMQ-Queue,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1415
-
dn: CN=MSMQ-Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1417
-
dn: CN=MSMQ-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1416
-
dn: CN=Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1418
-
dn: CN=Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
-
dn: CN=Site,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
-
dn: CN=Servers-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;CC;;;BA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminPropertyPages
adminPropertyPages: 8,{0910dd01-df8c-11d1-ae27-00c04fa35813}
-
dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: generationQualifier,Name Suffix
attributeDisplayNames: homeDirectory,Home Directory
attributeDisplayNames: samAccountName,Downlevel Logon Name
attributeDisplayNames: st,State
attributeDisplayNames: streetAddress,Other Address
attributeDisplayNames: telephoneNumber,Primary Phone
-
add: attributeDisplayNames
attributeDisplayNames: co,Country
attributeDisplayNames: generationQualifier,Generational Suffix
attributeDisplayNames: homeDirectory,Home Folder
attributeDisplayNames: samAccountName,Logon Name (pre-Windows 2000)
attributeDisplayNames: st,State/Province
attributeDisplayNames: streetAddress,Street Address
attributeDisplayNames: telephoneNumber,Telephone Number
attributeDisplayNames: title,Job Title
-
dn: CN=group-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: physicalDeliveryOfficeName,Delivery Office
attributeDisplayNames: url,Web Page Address
-
add: attributeDisplayNames
attributeDisplayNames: physicalDeliveryOfficeName,Office Location
attributeDisplayNames: samAccountName,Group name (pre-Windows 2000)
attributeDisplayNames: url,Web Page Address (Others)
attributeDisplayNames: wWWHomePage,Web Page Address
-
dn: CN=contact-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: attributeDisplayNames
attributeDisplayNames: generationQualifier,Name Suffix
attributeDisplayNames: notes,Notes
attributeDisplayNames: personalTitle,Personal Title
attributeDisplayNames: st,State
attributeDisplayNames: streetAddress,Other Address
attributeDisplayNames: telephoneNumber,Primary Phone
-
add: attributeDisplayNames
attributeDisplayNames: c,Country Abbreviation
attributeDisplayNames: co,Country
attributeDisplayNames: displayName,Display Name
attributeDisplayNames: generationQualifier,Generational Suffix
attributeDisplayNames: info,Notes
attributeDisplayNames: pager,Pager Number
attributeDisplayNames: personalTitle,Title
attributeDisplayNames: st,State/Province
attributeDisplayNames: streetAddress,Street Address
attributeDisplayNames: telephoneNumber,Telephone Number
attributeDisplayNames: title,Job Title
-
dn: CN=computer-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeDisplayNames
attributeDisplayNames: samAccountName,Computer name (pre-Windows 2000)
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 13
-
Sch14.ldf
# Schema NC changes
dn: CN=When-Created,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=Server-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: FALSE
-
dn: CN=SID-History,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: FALSE
-
dn: CN=Object-Sid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=System-Poss-Superiors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=MSMQ-User-Sid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 18
-
dn: CN=netboot-SCP-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: FALSE
-
dn: CN=ms-PKI-RA-Policies,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-RA-Policies
adminDisplayName: ms-PKI-RA-Policies
adminDescription: ms-PKI-RA-Policies
attributeId: 1.2.840.113556.1.4.1438
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Iq5G1VEJR02BfhyflvqtRg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-RA-Signature,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-RA-Signature
adminDisplayName: ms-PKI-RA-Signature
adminDescription: MS PKI Number Of RA Signature Required In Request
attributeId: 1.2.840.113556.1.4.1429
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: S+AX/n2Tfk+ODpKSyNVoPg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Enrollment-Flag,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Enrollment-Flag
adminDisplayName: ms-PKI-Enrollment-Flag
adminDescription: ms-PKI-Enrollment-Flag
attributeId: 1.2.840.113556.1.4.1430
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 2Pde0Sby20auebNOVgvRLA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Private-Key-Flag,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Private-Key-Flag
adminDisplayName: ms-PKI-Private-Key-Flag
adminDescription: ms-PKI-Private-Key-Flag
attributeId: 1.2.840.113556.1.4.1431
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wkqwujUECUeTByg4DnxwAQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Minimal-Key-Size,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Minimal-Key-Size
adminDisplayName: ms-PKI-Minimal-Key-Size
adminDescription: ms-PKI-Minimal-Key-Size
attributeId: 1.2.840.113556.1.4.1433
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9WNq6X9B00a+Utt3A8UD3w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Cert-Template-OID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Cert-Template-OID
adminDisplayName: ms-PKI-Cert-Template-OID
adminDescription: ms-PKI-Cert-Template-OID
attributeId: 1.2.840.113556.1.4.1436
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: asNkMSa6jEaL2sHlzCVnKA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Certificate-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Certificate-Policy
adminDisplayName: ms-PKI-Certificate-Policy
adminDescription: ms-PKI-Certificate-Policy
attributeId: 1.2.840.113556.1.4.1439
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RiOUOFvMS0Kn2G/9EgKcXw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Supersede-Templates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Supersede-Templates
adminDisplayName: ms-PKI-Supersede-Templates
adminDescription: ms-PKI-Supersede-Templates
attributeId: 1.2.840.113556.1.4.1437
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fa7onVt6HUK15AYfed/V1w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Certificate-Name-Flag,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Certificate-Name-Flag
adminDisplayName: ms-PKI-Certificate-Name-Flag
adminDescription: ms-PKI-Certificate-Name-Flag
attributeId: 1.2.840.113556.1.4.1432
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: xN0d6v9gbkGMwBfO5TS85w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Template-Schema-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Template-Schema-Version
adminDisplayName: ms-PKI-Template-Schema-Version
adminDescription: ms-PKI-Template-Schema-Version
attributeId: 1.2.840.113556.1.4.1434
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9ekVDB1JlEWRjzKBOgkdqQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Template-Minor-Revision,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Template-Minor-Revision
adminDisplayName: ms-PKI-Template-Minor-Revision
adminDescription: ms-PKI-Template-Minor-Revision
attributeId: 1.2.840.113556.1.4.1435
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bCP1E4QYsUa10EhOOJkNWA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Key-Recovery-Agent,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msPKI-Key-Recovery-Agent
adminDisplayName: ms-PKI-Key-Recovery-Agent
adminDescription: ms-PKI-Key-Recovery-Agent
governsId: 1.2.840.113556.1.5.195
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.9
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: OPLMJo6ghkuagqjJrH7lyw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-PKI-Key-Recovery-Agent,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-ds-Schema-Extensions,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDs-Schema-Extensions
adminDisplayName: ms-ds-Schema-Extensions
adminDescription: ms-ds-Schema-Extensions
attributeId: 1.2.840.113556.1.4.1440
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: vmGaswftq0yaSklj7QFB4Q==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Entry-TTL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: entryTTL
adminDisplayName: Entry-TTL
adminDescription: Entry-TTL
attributeId: 1.3.6.1.4.1.1466.101.119.3
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 31557600
schemaIdGuid:: zN4T0hrYhEOqwtz8/WMc+A==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Other-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Other-Settings
adminDisplayName: ms-DS-Other-Settings
adminDescription: ms-DS-Other-Settings
attributeId: 1.2.840.113556.1.4.1621
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: TPPSeX2du0KDj4ZrPkQA4g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Entry-Time-To-Die,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Entry-Time-To-Die
adminDisplayName: ms-DS-Entry-Time-To-Die
adminDescription: ms-DS-Entry-Time-To-Die
attributeId: 1.2.840.113556.1.4.1622
attributeSyntax: 2.5.5.11
omSyntax: 24
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 9
schemaIdGuid:: 17rp4d3GAUGoQ3lM7IWwOA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Site-Affinity,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Site-Affinity
adminDisplayName: ms-DS-Site-Affinity
adminDescription: ms-DS-Site-Affinity
attributeId: 1.2.840.113556.1.4.1443
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: AlZ8wbe88EaWVmNwyohLcg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Preferred-GC-Site,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Preferred-GC-Site
adminDisplayName: ms-DS-Preferred-GC-Site
adminDescription: ms-DS-Prefered-GC-Site
attributeId: 1.2.840.113556.1.4.1444
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: CrUh2bIKzUKH9gnPg6kYVA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Cached-Membership,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Cached-Membership
adminDisplayName: ms-DS-Cached-Membership
adminDescription: ms-DS-Cached-Membership
attributeId: 1.2.840.113556.1.4.1441
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: CLDKadTNyUu6uA/zfv4bIA==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Cached-Membership-Time-Stamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Cached-Membership-Time-Stamp
adminDisplayName: ms-DS-Cached-Membership-Time-Stamp
adminDescription: ms-DS-Cached-Membership-Time-Stamp
attributeId: 1.2.840.113556.1.4.1442
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: H79mNe6+y02Kvu+J/P7GwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Auxiliary-Classes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Auxiliary-Classes
adminDisplayName: ms-DS-Auxiliary-Classes
adminDescription: ms-DS-Auxiliary-Classes
attributeId: 1.2.840.113556.1.4.1458
attributeSyntax: 2.5.5.2
omSyntax: 6
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 8
schemaIdGuid:: cxCvxFDu4Eu4wImkH+mavg==
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=Structural-Object-Class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: structuralObjectClass
adminDisplayName: Structural-Object-Class
adminDescription: The class hierarchy without auxiliary classes
attributeId: 2.5.21.9
attributeSyntax: 2.5.5.2
omSyntax: 6
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: n5RgOKj2OEuZUIHstrwpgg==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Replication-Notify-Subsequent-DSA-Delay,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Replication-Notify-Subsequent-DSA-Delay
adminDisplayName: ms-DS-Replication-Notify-Subsequent-DSA-Delay
adminDescription: This attribute controls the delay between notification of each subsequent replica partner for an NC.
attributeId: 1.2.840.113556.1.4.1664
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hbM91pLdUkux2A0+zA6Gtg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-ID
adminDisplayName: ms-WMI-ID
adminDescription: ms-WMI-ID
attributeId: 1.2.840.113556.1.4.1627
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: A6g5k7iU90eRI6hTuf9+RQ==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-Mof,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Mof
adminDisplayName: ms-WMI-Mof
adminDescription: ms-WMI-Mof
attributeId: 1.2.840.113556.1.4.1638
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: n4A2Z2QgPkShRYEmKx8TZg==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Name
adminDisplayName: ms-WMI-Name
adminDescription: ms-WMI-Name
attributeId: 1.2.840.113556.1.4.1639
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 5azIxoF+r0KtcndBLFlBxA==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-Query,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Query
adminDisplayName: ms-WMI-Query
adminDescription: ms-WMI-Query
attributeId: 1.2.840.113556.1.4.1642
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Pvn/ZeM1o0WFrodsZxgpfw==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-intMin,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-IntMin
adminDisplayName: ms-WMI-intMin
adminDescription: ms-WMI-intMin
attributeId: 1.2.840.113556.1.4.1630
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: uuPCaDeYcEyY4PDDNpXQIw==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-intMax,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-IntMax
adminDisplayName: ms-WMI-intMax
adminDescription: ms-WMI-intMax
attributeId: 1.2.840.113556.1.4.1629
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: LAyS+5TyJkSKwdJLQqorzg==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-Author,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Author
adminDisplayName: ms-WMI-Author
adminDescription: ms-WMI-Author
attributeId: 1.2.840.113556.1.4.1623
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wcBmY3JpZk6zpR1SrQwFRw==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-int8Min,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Int8Min
adminDisplayName: ms-WMI-int8Min
adminDescription: ms-WMI-int8Min
attributeId: 1.2.840.113556.1.4.1634
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 0YkU7cxUZkCzaKANqiZk8Q==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-int8Max,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Int8Max
adminDisplayName: ms-WMI-int8Max
adminDescription: ms-WMI-int8Max
attributeId: 1.2.840.113556.1.4.1633
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: R7XY4z0ARkmjK9x87clrdA==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-COM-ObjectId,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msCOM-ObjectId
adminDisplayName: ms-COM-ObjectId
adminDescription: Object ID that COM+ uses. Default = adminDisplayName
attributeId: 1.2.840.113556.1.4.1428
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: i2cPQ5+I8kGYQyA7WmVXLw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-COM-UserPartitionSetLink,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msCOM-UserPartitionSetLink
adminDisplayName: ms-COM-UserPartitionSetLink
adminDescription: Link from a User to a PartitionSet. Default = adminDisplayName
attributeId: 1.2.840.113556.1.4.1426
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: igyUjnfkZ0Owjf8v+ULc1w==
linkID: 1048
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-COM-UserLink,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msCOM-UserLink
adminDisplayName: ms-COM-UserLink
adminDescription: Link from a PartitionSet to a User. Default = adminDisplayName
attributeId: 1.2.840.113556.1.4.1425
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: TTpvniwkN0+waDa1f5/IUg==
linkID: 1049
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-WMI-ChangeDate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-ChangeDate
adminDisplayName: ms-WMI-ChangeDate
adminDescription: ms-WMI-ChangeDate
attributeId: 1.2.840.113556.1.4.1624
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: oPfN+UTsN0mnm82RUis6qA==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-intDefault,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-IntDefault
adminDisplayName: ms-WMI-intDefault
adminDescription: ms-WMI-intDefault
attributeId: 1.2.840.113556.1.4.1628
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: +AcMG912YECh4XAIRhnckA==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-TargetPath,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-TargetPath
adminDisplayName: ms-WMI-TargetPath
adminDescription: ms-WMI-TargetPath
attributeId: 1.2.840.113556.1.4.1648
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: mqcGUP5rYUWfUhPPTdPlYA==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-TargetType,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-TargetType
adminDisplayName: ms-WMI-TargetType
adminDescription: ms-WMI-TargetType
attributeId: 1.2.840.113556.1.4.1649
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Higqyism90+0GbwSM1Kk6Q==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-int8Default,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Int8Default
adminDisplayName: ms-WMI-int8Default
adminDescription: ms-WMI-int8Default
attributeId: 1.2.840.113556.1.4.1632
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: WgjY9FuMhUeVm9xYVWbkRQ==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-TargetClass,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-TargetClass
adminDisplayName: ms-WMI-TargetClass
adminDescription: ms-WMI-TargetClass
attributeId: 1.2.840.113556.1.4.1645
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 1ti2lejJYUaivGpcq8BMYg==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-CreationDate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-CreationDate
adminDisplayName: ms-WMI-CreationDate
adminDescription: ms-WMI-CreationDate
attributeId: 1.2.840.113556.1.4.1626
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: LgqLdFEzP0uxcS8XQU6neQ==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-TargetObject,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-TargetObject
adminDisplayName: ms-WMI-TargetObject
adminDescription: ms-WMI-TargetObject
attributeId: 1.2.840.113556.1.4.1647
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: pWdPxOV9H0qS2WYrVzZLdw==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-PropertyName,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-PropertyName
adminDisplayName: ms-WMI-PropertyName
adminDescription: ms-WMI-PropertyName
attributeId: 1.2.840.113556.1.4.1641
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: gwiSq/jnck20oMBEmJdQnQ==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-COM-PartitionLink,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msCOM-PartitionLink
adminDisplayName: ms-COM-PartitionLink
adminDescription: Link from a PartitionSet to a Partition. Default = adminDisplayName
attributeId: 1.2.840.113556.1.4.1423
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: YqyrCT8EAkesK2yhXu5XVA==
linkID: 1040
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-QueryLanguage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-QueryLanguage
adminDisplayName: ms-WMI-QueryLanguage
adminDescription: ms-WMI-QueryLanguage
attributeId: 1.2.840.113556.1.4.1643
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: mPo8fXvBVEKL103puTKjRQ==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-stringDefault,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-StringDefault
adminDisplayName: ms-WMI-stringDefault
adminDescription: ms-WMI-stringDefault
attributeId: 1.2.840.113556.1.4.1636
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: tkIuFcU3VU+rSBYGOEqa6g==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-intValidValues,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-IntValidValues
adminDisplayName: ms-WMI-intValidValues
adminDescription: ms-WMI-intValidValues
attributeId: 1.2.840.113556.1.4.1631
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9mX1akmnckuWNDxdR+a04A==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-DS-Behavior-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Behavior-Version
adminDisplayName: ms-DS-Behavior-Version
adminDescription: ms-DS-Behavior-Version
attributeId: 1.2.840.113556.1.4.1459
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
rangeLower: 0
schemaIdGuid:: V4ca00ckRUWAgTu2EMrL8g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-int8ValidValues,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Int8ValidValues
adminDisplayName: ms-WMI-int8ValidValues
adminDescription: ms-WMI-int8ValidValues
attributeId: 1.2.840.113556.1.4.1635
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: qRk1EALAG0SYGrCz4BLIAw==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-TargetNameSpace,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-TargetNameSpace
adminDisplayName: ms-WMI-TargetNameSpace
adminDescription: ms-WMI-TargetNameSpace
attributeId: 1.2.840.113556.1.4.1646
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: H7ZKHCA05USEnYtdv2D+tw==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-ClassDefinition,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-ClassDefinition
adminDisplayName: ms-WMI-ClassDefinition
adminDescription: ms-WMI-ClassDefinition
attributeId: 1.2.840.113556.1.4.1625
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: vA6cK3LCy0WZ0k0OaRYy4A==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-WMI-NormalizedClass,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-NormalizedClass
adminDisplayName: ms-WMI-NormalizedClass
adminDescription: ms-WMI-NormalizedClass
attributeId: 1.2.840.113556.1.4.1640
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: j2K66o7r6U+D/Gk75pVVmw==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-COM-PartitionSetLink,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msCOM-PartitionSetLink
adminDisplayName: ms-COM-PartitionSetLink
adminDescription: Link from a Partition to a PartitionSet. Default = adminDisplayName
attributeId: 1.2.840.113556.1.4.1424
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 3CHxZwJ9fUyC9ZrUyVCsNA==
linkID: 1041
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-WMI-stringValidValues,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-StringValidValues
adminDisplayName: ms-WMI-stringValidValues
adminDescription: ms-WMI-stringValidValues
attributeId: 1.2.840.113556.1.4.1637
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: MZ1gN7+iWEuPUytk5XoHbQ==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-DS-NC-Replica-Locations,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-NC-Replica-Locations
adminDisplayName: ms-DS-NC-Replica-Locations
adminDescription: This is a list of servers that are the replica set for the corresponding Non-Domain Naming Context.
attributeId: 1.2.840.113556.1.4.1661
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: FZbelze1vEasDxByDzkJ8w==
linkID: 1044
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-SourceOrganization,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-SourceOrganization
adminDisplayName: ms-WMI-SourceOrganization
adminDescription: ms-WMI-SourceOrganization
attributeId: 1.2.840.113556.1.4.1644
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bO33NF1hjUGqAFSafXvgPg==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=ms-COM-DefaultPartitionLink,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msCOM-DefaultPartitionLink
adminDisplayName: ms-COM-DefaultPartitionLink
adminDescription: Link to a the default Partition for the PartitionSet. Default = adminDisplayName
attributeId: 1.2.840.113556.1.4.1427
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 9xCLmRqqZEO4Z3U9GX/mcA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-User-Account-Control-Computed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-User-Account-Control-Computed
adminDisplayName: ms-DS-User-Account-Control-Computed
adminDescription: ms-DS-User-Account-Control-Computed
attributeId: 1.2.840.113556.1.4.1460
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: NrjELD+2QEmNI+p6zwavVg==
attributeSecurityGuid:: AEIWTMAg0BGnaACqAG4FKQ==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Replication-Notify-First-DSA-Delay,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Replication-Notify-First-DSA-Delay
adminDisplayName: ms-DS-Replication-Notify-First-DSA-Delay
adminDescription: This attribute controls the delay between changes to the DS, and notification of the first replica partner for an NC.
attributeId: 1.2.840.113556.1.4.1663
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9NSrhYkKSU697G81uyViug==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Approx-Immed-Subordinates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Approx-Immed-Subordinates
adminDisplayName: ms-DS-Approx-Immed-Subordinates
adminDescription: ms-DS-Approx-Immed-Subordinates
attributeId: 1.2.840.113556.1.4.1669
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: Q9KF4c7220q0lrDABdeCPA==
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
showInAdvancedViewOnly: TRUE
systemFlags: 20
# Load new attributes into the schema cache for inclusion below
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1429
systemMayContain: 1.2.840.113556.1.4.1430
systemMayContain: 1.2.840.113556.1.4.1431
systemMayContain: 1.2.840.113556.1.4.1432
systemMayContain: 1.2.840.113556.1.4.1433
systemMayContain: 1.2.840.113556.1.4.1434
systemMayContain: 1.2.840.113556.1.4.1435
systemMayContain: 1.2.840.113556.1.4.1436
systemMayContain: 1.2.840.113556.1.4.1437
systemMayContain: 1.2.840.113556.1.4.1438
systemMayContain: 1.2.840.113556.1.4.1439
-
dn: CN=ms-PKI-Enterprise-Oid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msPKI-Enterprise-Oid
adminDisplayName: ms-PKI-Enterprise-Oid
adminDescription: ms-PKI-Enterprise-Oid
governsId: 1.2.840.113556.1.5.196
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1436
systemPossSuperiors: 1.2.840.113556.1.5.196
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: XNjPNxln2EqPnoZ4umJ1Yw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-PKI-Enterprise-Oid,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1440
-
dn: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1440
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1441
systemMayContain: 1.2.840.113556.1.4.1442
systemMayContain: 1.2.840.113556.1.4.1443
-
dn: CN=NTDS-Site-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1444
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 2.5.21.9
-
dn: CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-Som
adminDisplayName: ms-WMI-Som
adminDescription: ms-WMI-Som
governsId: 1.2.840.113556.1.5.213
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1639
systemMustContain: 1.2.840.113556.1.4.1644
systemMustContain: 1.2.840.113556.1.4.1623
systemMustContain: 1.2.840.113556.1.4.1624
systemMustContain: 1.2.840.113556.1.4.1626
systemMustContain: 1.2.840.113556.1.4.1627
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: eHCFq0IBBkSUWzTJtrEzcg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-PolicyTemplate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-PolicyTemplate
adminDisplayName: ms-WMI-PolicyTemplate
adminDescription: ms-WMI-PolicyTemplate
governsId: 1.2.840.113556.1.5.200
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1626
systemMustContain: 1.2.840.113556.1.4.1624
systemMustContain: 1.2.840.113556.1.4.1623
systemMustContain: 1.2.840.113556.1.4.1644
systemMustContain: 1.2.840.113556.1.4.1640
systemMustContain: 1.2.840.113556.1.4.1648
systemMustContain: 1.2.840.113556.1.4.1645
systemMustContain: 1.2.840.113556.1.4.1646
systemMustContain: 1.2.840.113556.1.4.1639
systemMustContain: 1.2.840.113556.1.4.1627
systemMayContain: 1.2.840.113556.1.4.1649
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 8YC84kokWU2sxspcT4Lm4Q==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-PolicyTemplate,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-WMIGPO,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-WMIGPO
adminDisplayName: ms-WMI-WMIGPO
adminDescription: ms-WMI-WMIGPO
governsId: 1.2.840.113556.1.5.215
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1645
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: AABjBSc53k6/J8qR8nXCbw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-WMIGPO,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-COM-Partition,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msCOM-Partition
adminDisplayName: ms-COM-Partition
adminDescription: Partition class. Default = adminDisplayName
governsId: 1.2.840.113556.1.5.193
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1428
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: dA4ByVhO90mKiV4+I0D8+A==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-COM-Partition,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-PolicyType,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-PolicyType
adminDisplayName: ms-WMI-PolicyType
adminDescription: ms-WMI-PolicyType
governsId: 1.2.840.113556.1.5.211
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1626
systemMustContain: 1.2.840.113556.1.4.1624
systemMustContain: 1.2.840.113556.1.4.1623
systemMustContain: 1.2.840.113556.1.4.1644
systemMustContain: 1.2.840.113556.1.4.1647
systemMustContain: 1.2.840.113556.1.4.1627
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: EyZbWQlBd06QE6O7TvJ3xw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-PolicyType,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-ShadowObject,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-ShadowObject
adminDisplayName: ms-WMI-ShadowObject
adminDescription: ms-WMI-ShadowObject
governsId: 1.2.840.113556.1.5.212
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1647
systemPossSuperiors: 1.2.840.113556.1.5.211
schemaIdGuid:: 30vk8dONNUKchvkfMfW1aQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-ShadowObject,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-COM-PartitionSet,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msCOM-PartitionSet
adminDisplayName: ms-COM-PartitionSet
adminDescription: PartitionSet class. Default = adminDisplayName
governsId: 1.2.840.113556.1.5.194
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1423
systemMayContain: 1.2.840.113556.1.4.1427
systemMayContain: 1.2.840.113556.1.4.1428
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: q2QEJRfEekmXWp4NRZp8oQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-COM-PartitionSet,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-Rule,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-Rule
adminDisplayName: ms-WMI-Rule
adminDescription: ms-WMI-Rule
governsId: 1.2.840.113556.1.5.214
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1643
systemMustContain: 1.2.840.113556.1.4.1646
systemMustContain: 1.2.840.113556.1.4.1642
systemPossSuperiors: 1.2.840.113556.1.5.213
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: g29+PA7dG0igwnTNlu8qZg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-Rule,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1426
systemMayContain: 1.2.840.113556.1.4.1460
-
dn: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1661
systemMayContain: 1.2.840.113556.1.4.1663
systemMayContain: 1.2.840.113556.1.4.1664
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1459
-
dn: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1459
-
dn: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1459
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1669
-
dn: CN=Dynamic-Object,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: dynamicObject
adminDisplayName: Dynamic-Object
adminDescription: Dynamic-Object
governsId: 1.3.6.1.4.1.1466.101.119.2
objectClassCategory: 3
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1622
systemMayContain: 1.3.6.1.4.1.1466.101.119.3
schemaIdGuid:: SRLVZlUzH0yyToHyUqyiOw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=Dynamic-Object,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=NTDS-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1621
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-WMI-MergeablePolicyTemplate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-MergeablePolicyTemplate
adminDisplayName: ms-WMI-MergeablePolicyTemplate
adminDescription: ms-WMI-MergeablePolicyTemplate
governsId: 1.2.840.113556.1.5.202
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.200
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: FCRQB8r9UUiwShNkWxHSJg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-MergeablePolicyTemplate,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-WMI-RangeParam,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-RangeParam
adminDisplayName: ms-WMI-RangeParam
adminDescription: ms-WMI-RangeParam
governsId: 1.2.840.113556.1.5.203
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1649
systemMustContain: 1.2.840.113556.1.4.1645
systemMustContain: 1.2.840.113556.1.4.1641
systemPossSuperiors: 1.2.840.113556.1.5.202
schemaIdGuid:: V1r7RRhQD02QVpl8jJEi2Q==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-RangeParam,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-WMI-StringSetParam,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-StringSetParam
adminDisplayName: ms-WMI-StringSetParam
adminDescription: ms-WMI-StringSetParam
governsId: 1.2.840.113556.1.5.210
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.203
systemMustContain: 1.2.840.113556.1.4.1636
systemMayContain: 1.2.840.113556.1.4.1637
systemPossSuperiors: 1.2.840.113556.1.5.202
schemaIdGuid:: onnFC6cd6ky2mYB/O51jpA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-StringSetParam,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-UnknownRangeParam,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-UnknownRangeParam
adminDisplayName: ms-WMI-UnknownRangeParam
adminDescription: ms-WMI-UnknownRangeParam
governsId: 1.2.840.113556.1.5.204
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.203
systemMustContain: 1.2.840.113556.1.4.1647
systemMustContain: 1.2.840.113556.1.4.1640
systemPossSuperiors: 1.2.840.113556.1.5.202
schemaIdGuid:: a8IquNvGmECSxknBijM24Q==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-UnknownRangeParam,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-RealRangeParam,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-RealRangeParam
adminDisplayName: ms-WMI-RealRangeParam
adminDescription: ms-WMI-RealRangeParam
governsId: 1.2.840.113556.1.5.209
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.203
systemMustContain: 1.2.840.113556.1.4.1632
systemMayContain: 1.2.840.113556.1.4.1633
systemMayContain: 1.2.840.113556.1.4.1634
systemPossSuperiors: 1.2.840.113556.1.5.202
schemaIdGuid:: 4o/+arxwzkyxZqlvc1nFFA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-RealRangeParam,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-SimplePolicyTemplate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-SimplePolicyTemplate
adminDisplayName: ms-WMI-SimplePolicyTemplate
adminDescription: ms-WMI-SimplePolicyTemplate
governsId: 1.2.840.113556.1.5.201
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.200
systemMustContain: 1.2.840.113556.1.4.1647
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: tbLIbN8S9kSDB+dPXN7jaQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-SimplePolicyTemplate,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-IntSetParam,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-IntSetParam
adminDisplayName: ms-WMI-IntSetParam
adminDescription: ms-WMI-IntSetParam
governsId: 1.2.840.113556.1.5.206
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.203
systemMustContain: 1.2.840.113556.1.4.1628
systemMayContain: 1.2.840.113556.1.4.1631
systemPossSuperiors: 1.2.840.113556.1.5.202
schemaIdGuid:: mg0vKXbPsEKEH7ZQ8zHfYg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-IntSetParam,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-UintSetParam,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-UintSetParam
adminDisplayName: ms-WMI-UintSetParam
adminDescription: ms-WMI-UintSetParam
governsId: 1.2.840.113556.1.5.208
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.203
systemMustContain: 1.2.840.113556.1.4.1628
systemMayContain: 1.2.840.113556.1.4.1631
systemPossSuperiors: 1.2.840.113556.1.5.202
schemaIdGuid:: MetLjxlO9UaTLl+gPDObHQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCCDCLCLODTRC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-UintSetParam,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-IntRangeParam,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-IntRangeParam
adminDisplayName: ms-WMI-IntRangeParam
adminDescription: ms-WMI-IntRangeParam
governsId: 1.2.840.113556.1.5.205
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.203
systemMustContain: 1.2.840.113556.1.4.1628
systemMayContain: 1.2.840.113556.1.4.1629
systemMayContain: 1.2.840.113556.1.4.1630
systemPossSuperiors: 1.2.840.113556.1.5.202
schemaIdGuid:: fV3KUItc806531tm1JHlJg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-IntRangeParam,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-WMI-UintRangeParam,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-UintRangeParam
adminDisplayName: ms-WMI-UintRangeParam
adminDescription: ms-WMI-UintRangeParam
governsId: 1.2.840.113556.1.5.207
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.203
systemMustContain: 1.2.840.113556.1.4.1628
systemMayContain: 1.2.840.113556.1.4.1629
systemMayContain: 1.2.840.113556.1.4.1630
systemPossSuperiors: 1.2.840.113556.1.5.202
schemaIdGuid:: spmn2fPOs0i1rfuF+N0yFA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-UintRangeParam,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=Generate-RSoP,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: bf967aa5-0de6-11d0-a285-00aa003049e2
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Generate Resultant Set of Policy
localizationDisplayId: 55
rightsGUID: b7b1b3dd-ab09-4242-9e30-9980e5d322f7
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 14
-
Sch15.ldf
# Schema NC changes
dn: CN=ms-WMI-Parm1,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Parm1
adminDisplayName: ms-WMI-Parm1
adminDescription: ms-WMI-Parm1
attributeId: 1.2.840.113556.1.4.1682
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: hRToJ7Cxi0q+3c4ZqDfibg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-Parm2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Parm2
adminDisplayName: ms-WMI-Parm2
adminDescription: ms-WMI-Parm2
attributeId: 1.2.840.113556.1.4.1683
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: jlADAEKcdkqo9Di/ZLqw3g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-Parm3,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Parm3
adminDisplayName: ms-WMI-Parm3
adminDescription: ms-WMI-Parm3
attributeId: 1.2.840.113556.1.4.1684
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: to+VRb1Szkifn8JxLZ8r/A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-Parm4,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Parm4
adminDisplayName: ms-WMI-Parm4
adminDescription: ms-WMI-Parm4
attributeId: 1.2.840.113556.1.4.1685
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: o9UAOM7xgkulmhUo6nlfWQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-Class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Class
adminDisplayName: ms-WMI-Class
adminDescription: ms-WMI-Class
attributeId: 1.2.840.113556.1.4.1676
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: X5LBkCRKB0uyAr4y6zyLdA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-Genus,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-Genus
adminDisplayName: ms-WMI-Genus
adminDescription: ms-WMI-Genus
attributeId: 1.2.840.113556.1.4.1677
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: OmfIUFaPFEaTCJ4TQPua8w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-OID-CPS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-OID-CPS
adminDisplayName: ms-PKI-OID-CPS
adminDescription: ms-PKI-OID-CPS
attributeId: 1.2.840.113556.1.4.1672
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DpRJX5+nUUq7bz1EalTcaw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=GPC-WQL-Filter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: gPCWQLFilter
adminDisplayName: GPC-WQL-Filter
adminDescription: GPC-WQL-Filter
attributeId: 1.2.840.113556.1.4.1694
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: psfUe90aNkSMBDmZqIAVTA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Extra-Columns,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: extraColumns
adminDisplayName: Extra-Columns
adminDescription: Extra-Columns
attributeId: 1.2.840.113556.1.4.1687
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RihO0tkdz0uZ16YifMhtpw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-intFlags1,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-intFlags1
adminDisplayName: ms-WMI-intFlags1
adminDescription: ms-WMI-intFlags1
attributeId: 1.2.840.113556.1.4.1678
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: uQbgGEVk40idz7Xs+8Tfjg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-intFlags2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-intFlags2
adminDisplayName: ms-WMI-intFlags2
adminDescription: ms-WMI-intFlags2
attributeId: 1.2.840.113556.1.4.1679
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: yUJaB1rFsUWsk+sIazH2EA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-intFlags3,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-intFlags3
adminDisplayName: ms-WMI-intFlags3
adminDescription: ms-WMI-intFlags3
attributeId: 1.2.840.113556.1.4.1680
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Nqef8gne5EuyOuc0wSS6zA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-intFlags4,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-intFlags4
adminDisplayName: ms-WMI-intFlags4
adminDescription: ms-WMI-intFlags4
attributeId: 1.2.840.113556.1.4.1681
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rKd0vZPEnEy9+lx7EZymsg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-WMI-ScopeGuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msWMI-ScopeGuid
adminDisplayName: ms-WMI-ScopeGuid
adminDescription: ms-WMI-ScopeGuid
attributeId: 1.2.840.113556.1.4.1686
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: UY23h19Af0uA7SvSh4b0jQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-FRS-Hub-Member,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msFRS-Hub-Member
adminDisplayName: ms-FRS-Hub-Member
adminDescription: ms-FRS-Hub-Member
attributeId: 1.2.840.113556.1.4.1693
attributeSyntax: 2.5.5.1
omSyntax: 127
omObjectClass:: KwwCh3McAIVK
linkID: 1046
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: gf9DVrY1qUyVErrwvQoncg==
showInAdvancedViewOnly: TRUE
dn: CN=ms-PKI-OID-Attribute,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-OID-Attribute
adminDisplayName: ms-PKI-OID-Attribute
adminDescription: ms-PKI-OID-Attribute
attributeId: 1.2.840.113556.1.4.1671
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: iBKejChQT0+nBHbQJvJG7w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-FRS-Topology-Pref,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msFRS-Topology-Pref
adminDisplayName: ms-FRS-Topology-Pref
adminDescription: ms-FRS-Topology-Pref
attributeId: 1.2.840.113556.1.4.1692
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: 4CeqklBcLUCewe6Efe+XiA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-PKI-OID-User-Notice,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-OID-User-Notice
adminDisplayName: ms-PKI-OID-User-Notice
adminDescription: ms-PKI-OID-User-Notice
attributeId: 1.2.840.113556.1.4.1673
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: etrEBBThaU6I3uKT8tOzlQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-RA-Application-Policies,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-RA-Application-Policies
adminDisplayName: ms-PKI-RA-Application-Policies
adminDescription: ms-PKI-RA-Application-Policies
attributeId: 1.2.840.113556.1.4.1675
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: v/uRPHNHzUyoe4XVPnvPag==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Admin-Multiselect-Property-Pages,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: adminMultiselectPropertyPages
adminDisplayName: Admin-Multiselect-Property-Pages
adminDescription: Admin-Multiselect-Property-Pages
attributeId: 1.2.840.113556.1.4.1690
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: fbb5GMZaO0uX29CkBq+3ug==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Security-Group-Extra-Classes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Security-Group-Extra-Classes
adminDisplayName: ms-DS-Security-Group-Extra-Classes
adminDescription: ms-DS-Security-Group-Extra-Classes
attributeId: 1.2.840.113556.1.4.1688
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 6GoUT/6kAUinMfUYSKT05A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Certificate-Application-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-Certificate-Application-Policy
adminDisplayName: ms-PKI-Certificate-Application-Policy
adminDescription: ms-PKI-Certificate-Application-Policy
attributeId: 1.2.840.113556.1.4.1674
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: SAXZ2zeqAkKZZoxTe6XOMg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Non-Security-Group-Extra-Classes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Non-Security-Group-Extra-Classes
adminDisplayName: Non-Security-Group-Extra-Classes
adminDescription: ms-DS-Non-Security-Group-Extra-Classes
attributeId: 1.2.840.113556.1.4.1689
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: /EThLVIfb0i99Bb8wwhOVA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MSMQ-Recipient-FormatName,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msMQ-Recipient-FormatName
adminDisplayName: MSMQ-Recipient-FormatName
adminDescription: MSMQ-Recipient-FormatName
attributeId: 1.2.840.113556.1.4.1695
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 255
schemaIdGuid:: SGf+O0S1WkiwZxsxDEM0vw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Last-Logon-Timestamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: lastLogonTimestamp
adminDisplayName: Last-Logon-Timestamp
adminDescription: Last-Logon-Timestamp
attributeId: 1.2.840.113556.1.4.1696
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: BAriwFoO80+Ugl7+rs1wYA==
attributeSecurityGuid:: ECAgX6V50BGQIADAT8LUzw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Settings
adminDisplayName: ms-DS-Settings
adminDescription: ms-DS-Settings
attributeId: 1.2.840.113556.1.4.1697
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 10cbDqNASEuNG0ysDBzfIQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TAPI-Unique-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTAPI-uid
adminDisplayName: msTAPI-uid
adminDescription: msTAPI-uid
attributeId: 1.2.840.113556.1.4.1698
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 120
schemaIdGuid:: 6uekcLmzQ0aJGObdJHG/1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TAPI-Ip-Address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTAPI-IpAddress
adminDisplayName: msTAPI-IpAddress
adminDescription: msTAPI-IpAddress
attributeId: 1.2.840.113556.1.4.1701
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 99fX744XZ0eH+viha4QFRA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TAPI-Protocol-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTAPI-ProtocolId
adminDisplayName: msTAPI-ProtocolId
adminDescription: msTAPI-ProtocolId
attributeId: 1.2.840.113556.1.4.1699
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: z+vBiV96/UGZyskAsyKZqw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TAPI-Conference-Blob,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTAPI-ConferenceBlob
adminDisplayName: msTAPI-ConferenceBlob
adminDescription: msTAPI-ConferenceBlob
attributeId: 1.2.840.113556.1.4.1700
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: HmDETAFyQUGryD5SmuiIYw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Is-Member-Of-DL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: QMIKvKl50BGQIADAT8LUzw==
-
dn: CN=ms-DS-Entry-Time-To-Die,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 9
-
dn: CN=ms-DS-Trust-Forest-Trust-Info,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TrustForestTrustInfo
adminDisplayName: ms-DS-Trust-Forest-Trust-Info
adminDescription: ms-DS-Trust-Forest-Trust-Info
attributeId: 1.2.840.113556.1.4.1702
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bobMKdNJaUmULh28CSXRgw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Exch-Owner-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: ownerBL
adminDescription: ms-Exch-Owner-BL
adminDisplayName: ms-Exch-Owner-BL
attributeID: 1.2.840.113556.1.2.104
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
oMObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 9HmWv+YN0BGihQCqADBJ4g==
linkID: 45
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-WMI-ObjectEncoding,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msWMI-ObjectEncoding
adminDisplayName: ms-WMI-ObjectEncoding
adminDescription: ms-WMI-ObjectEncoding
governsId: 1.2.840.113556.1.5.217
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1676
systemMustContain: 1.2.840.113556.1.4.1686
systemMustContain: 1.2.840.113556.1.4.1682
systemMustContain: 1.2.840.113556.1.4.1683
systemMustContain: 1.2.840.113556.1.4.1684
systemMustContain: 1.2.840.113556.1.4.1685
systemMustContain: 1.2.840.113556.1.4.1677
systemMustContain: 1.2.840.113556.1.4.1678
systemMustContain: 1.2.840.113556.1.4.1679
systemMustContain: 1.2.840.113556.1.4.1680
systemMustContain: 1.2.840.113556.1.4.1681
systemMustContain: 1.2.840.113556.1.4.1627
systemMustContain: 1.2.840.113556.1.4.1647
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: yYHdVRLD+UGoTcatvfHo4Q==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-WMI-ObjectEncoding,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=Application-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: applicationVersion
adminDisplayName: Application-Version
adminDescription: Stores versioning information for an application and its schema.
governsId: 1.2.840.113556.1.5.216
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.7000.49
systemMayContain: 1.2.840.113556.1.4.329
systemMayContain: 1.2.840.113556.1.4.328
systemMayContain: 1.2.840.113556.1.4.141
systemMayContain: 1.2.840.113556.1.4.255
systemMayContain: 1.2.840.113556.1.4.848
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: rJDH3U2vKkSPD6HUyqfdkg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Application-Version,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1424
systemMayContain: 1.2.840.113556.1.4.1425
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.104
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1426
-
dn: CN=Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.892
systemMayContain: 1.2.840.113556.1.4.891
-
dn: CN=Connection-Point,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.3.30
-
dn: CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1694
-
dn: CN=FT-Dfs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.137
-
dn: CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1674
systemMayContain: 1.2.840.113556.1.4.1675
-
dn: CN=ms-PKI-Enterprise-Oid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1671
systemMayContain: 1.2.840.113556.1.4.1672
systemMayContain: 1.2.840.113556.1.4.1673
-
dn: CN=ms-WMI-PolicyTemplate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;;CC;;;PA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1678
systemMayContain: 1.2.840.113556.1.4.1679
systemMayContain: 1.2.840.113556.1.4.1680
systemMayContain: 1.2.840.113556.1.4.1681
systemMayContain: 1.2.840.113556.1.4.1682
systemMayContain: 1.2.840.113556.1.4.1683
systemMayContain: 1.2.840.113556.1.4.1684
systemMayContain: 1.2.840.113556.1.4.1685
-
dn: CN=ms-WMI-PolicyType,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;;CC;;;PA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1685
systemMayContain: 1.2.840.113556.1.4.1684
systemMayContain: 1.2.840.113556.1.4.1683
systemMayContain: 1.2.840.113556.1.4.1682
systemMayContain: 1.2.840.113556.1.4.1681
systemMayContain: 1.2.840.113556.1.4.1680
systemMayContain: 1.2.840.113556.1.4.1679
systemMayContain: 1.2.840.113556.1.4.1678
-
dn: CN=Display-Specifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1687
systemMayContain: 1.2.840.113556.1.4.1690
-
dn: CN=DS-UI-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1688
systemMayContain: 1.2.840.113556.1.4.1689
-
dn: CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;;CC;;;PA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1685
systemMayContain: 1.2.840.113556.1.4.1684
systemMayContain: 1.2.840.113556.1.4.1683
systemMayContain: 1.2.840.113556.1.4.1682
systemMayContain: 1.2.840.113556.1.4.1681
systemMayContain: 1.2.840.113556.1.4.1680
systemMayContain: 1.2.840.113556.1.4.1679
systemMayContain: 1.2.840.113556.1.4.1678
-
dn: CN=ms-WMI-WMIGPO,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;;CC;;;PA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1685
systemMayContain: 1.2.840.113556.1.4.1684
systemMayContain: 1.2.840.113556.1.4.1683
systemMayContain: 1.2.840.113556.1.4.1682
systemMayContain: 1.2.840.113556.1.4.1681
systemMayContain: 1.2.840.113556.1.4.1680
systemMayContain: 1.2.840.113556.1.4.1679
systemMayContain: 1.2.840.113556.1.4.1678
-
dn: CN=NTFRS-Replica-Set,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1692
systemMayContain: 1.2.840.113556.1.4.1693
-
dn: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.141
systemMayContain: 1.2.840.113556.1.4.255
systemMayContain: 1.2.840.113556.1.4.328
systemMayContain: 1.2.840.113556.1.4.329
systemMayContain: 1.2.840.113556.1.4.848
-
dn: CN=MSMQ-Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msMQ-Group
adminDisplayName: MSMQ-Group
adminDescription: MSMQ-Group
governsId: 1.2.840.113556.1.5.219
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.31
systemPossSuperiors: 2.5.6.5
schemaIdGuid:: rHqyRvqq+0+3c+W/Yh7oew==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MSMQ-Group,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=MSMQ-Custom-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msMQ-Custom-Recipient
adminDisplayName: MSMQ-Custom-Recipient
adminDescription: MSMQ-Custom-Recipient
governsId: 1.2.840.113556.1.5.218
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1695
systemPossSuperiors: 2.5.6.5
schemaIdGuid:: F2hth8w1bEOs6l73F03Zvg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=MSMQ-Custom-Recipient,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1696
-
dn: CN=FT-Dfs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.48
systemMayContain: 1.2.840.113556.1.4.653
-
dn: CN=ms-DS-App-Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-App-Configuration
adminDisplayName: ms-DS-App-Configuration
adminDescription: Stores configuration parameters for an application.
governsId: 1.2.840.113556.1.5.220
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.7000.49
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: PjzfkFQYVUSl18rUDVZleg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-App-Configuration,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=Connection-Point,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1697
-
dn: CN=Application-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1697
-
dn: CN=ms-TAPI-Rt-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msTAPI-RtPerson
adminDisplayName: msTAPI-RtPerson
adminDescription: msTAPI-RtPerson
governsId: 1.2.840.113556.1.5.222
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1701
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 2.5.6.5
schemaIdGuid:: tRzqUwS3+U2Bj1y07IbKwQ==
defaultSecurityDescriptor: D:(A;;GA;;;WD)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-TAPI-Rt-Person,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-TAPI-Rt-Conference,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msTAPI-RtConference
adminDisplayName: msTAPI-RtConference
adminDescription: msTAPI-RtConference
governsId: 1.2.840.113556.1.5.221
objectClassCategory: 1
rdnAttId: 1.2.840.113556.1.4.1698
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1698
systemMayContain: 1.2.840.113556.1.4.1700
systemMayContain: 1.2.840.113556.1.4.1699
systemPossSuperiors: 2.5.6.5
schemaIdGuid:: NZd7yipLSU6Jw5kCUzTclA==
defaultSecurityDescriptor: D:(A;;GA;;;WD)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-TAPI-Rt-Conference,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1702
-
# Reload the schema cache to pick up altered classes and attributes
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=msmq-Send,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 46b27aac-aafa-4ffb-b773-e5bf621ee87b
-
dn: CN=Refresh-Group-Cache,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: f0f8ffab-1191-11d0-a060-00aa006c33ed
displayName: Refresh Group Cache for Logons
localizationDisplayId: 56
rightsGUID: 9432c620-033c-4db7-8b58-14ef6d0bf477
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 15
-
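The defaultSecurityDescriptor values in this file are SDDL DACL strings. Most of the new classes default to full control for Domain Admins and SYSTEM plus read/list for Authenticated Users, and the ms-WMI-* classes add a create-child ACE for Group Policy Creator Owners. Two classes, ms-TAPI-Rt-Person and ms-TAPI-Rt-Conference, instead default to D:(A;;GA;;;WD), which is Allow GENERIC_ALL to Everyone on any instance created without an explicit security descriptor. The Python below is an added example, not part of the Microsoft Sch*.ldf files: it decodes the plain ACE-string form used on this page and flags ACEs that hand a control-equivalent right (GENERIC_ALL, WRITE_DAC, WRITE_OWNER) to a broad trustee. The descriptor constants are copied from the entries above; the BROAD_TRUSTEES and CONTROL_RIGHTS sets are this example's own policy choices, and object ACEs and DACL control flags are rejected rather than guessed at.

```python
"""Decode the defaultSecurityDescriptor SDDL strings used in the schema LDIF.

Added example; not part of the Microsoft Sch*.ldf files. Handles only the
DACL-only, non-object ACE form that appears on this page:
    D:(ace_type;ace_flags;rights;object_guid;inherit_guid;trustee)...
DACL control flags (D:P, D:AI, ...) and object ACEs (OA/OD) are rejected
rather than silently misread.
"""
import re

# SDDL right tokens that appear in the descriptors above (standard SDDL meanings).
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "RP": "DS_READ_PROP", "WP": "DS_WRITE_PROP",
    "CC": "DS_CREATE_CHILD", "DC": "DS_DELETE_CHILD", "DT": "DS_DELETE_TREE",
    "LC": "DS_LIST", "LO": "DS_LIST_OBJECT", "SW": "DS_SELF", "CR": "DS_CONTROL_ACCESS",
}
# Well-known trustee aliases used on this page (standard SDDL meanings).
TRUSTEES = {
    "DA": "Domain Admins", "SY": "LOCAL SYSTEM", "AU": "Authenticated Users",
    "WD": "Everyone", "PA": "Group Policy Creator Owners",
}
# Policy choices of this example, not of the schema files: which trustees count as
# "everybody", and which rights let the holder take full control of the object.
BROAD_TRUSTEES = {"WD", "AU", "BU", "DU", "AN"}  # Everyone, Auth Users, Builtin/Domain Users, Anonymous
CONTROL_RIGHTS = {"GA", "WD", "WO"}             # GENERIC_ALL, WRITE_DAC, WRITE_OWNER

# Descriptor strings copied from the schema entries on this page.
DEFAULT_ADMIN_SD = ("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)")
WMI_POLICY_SD = ("D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;;CC;;;PA)"
                 "(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)")
TAPI_RT_SD = "D:(A;;GA;;;WD)"   # ms-TAPI-Rt-Person and ms-TAPI-Rt-Conference

_ACE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return [(ace_type, rights_tuple, trustee), ...] for a DACL-only SDDL string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL-only descriptor beginning with 'D:'")
    first = sddl.find("(")
    if first == -1 or sddl[2:first]:
        raise ValueError("DACL control flags or no ACEs present; not handled here")
    bodies = _ACE.findall(sddl)
    if sddl[first:] != "".join(f"({b})" for b in bodies):
        raise ValueError("stray text between ACEs")
    aces = []
    for body in bodies:
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE ({body})")
        ace_type, _flags, rights, obj_guid, inh_guid, trustee = fields
        if ace_type not in ("A", "D") or obj_guid or inh_guid:
            raise ValueError(f"only plain A/D ACEs are handled, got ({body})")
        if len(rights) % 2:
            raise ValueError(f"odd-length rights string in ({body})")
        tokens = tuple(rights[i:i + 2] for i in range(0, len(rights), 2))
        unknown = [t for t in tokens if t not in RIGHTS]
        if unknown:
            raise ValueError(f"unknown right token(s) {unknown} in ({body})")
        aces.append((ace_type, tokens, trustee))
    return aces


def describe(sddl):
    """One readable line per ACE, e.g. 'A  Everyone: GENERIC_ALL'."""
    return [f"{t}  {TRUSTEES.get(who, who)}: {', '.join(RIGHTS[r] for r in rights)}"
            for t, rights, who in parse_dacl(sddl)]


def risky_aces(sddl):
    """Allow ACEs that hand a control-equivalent right to a broad trustee."""
    return [ace for ace in parse_dacl(sddl)
            if ace[0] == "A" and ace[2] in BROAD_TRUSTEES and CONTROL_RIGHTS & set(ace[1])]


if __name__ == "__main__":
    for name, sd in (("default classes", DEFAULT_ADMIN_SD), ("ms-WMI-*", WMI_POLICY_SD),
                     ("ms-TAPI-Rt-*", TAPI_RT_SD)):
        print(f"{name}: {sd}")
        for line in describe(sd):
            print("   ", line)
        print("    risky:", risky_aces(sd) or "none")
```

Run it as a script to see each descriptor decoded; only the ms-TAPI-Rt-* default is reported. Because a defaultSecurityDescriptor applies only when an object is created without an explicit security descriptor, and inheritable ACEs from the parent container are merged in, check the effective DACL on real instances rather than relying on the schema default alone.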
Sch16.ldf
# Schema NC changes
dn: CN=Well-Known-Objects,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeLower
rangeLower: 16
-
add: rangeUpper
rangeUpper: 16
-
dn: CN=Other-Well-Known-Objects,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeLower
rangeLower: 16
-
add: rangeUpper
rangeUpper: 16
-
dn: CN=ms-WMI-PolicyTemplate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1623
systemMayContain: 1.2.840.113556.1.4.1624
systemMayContain: 1.2.840.113556.1.4.1626
systemMayContain: 1.2.840.113556.1.4.1644
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.1623
systemMustContain: 1.2.840.113556.1.4.1624
systemMustContain: 1.2.840.113556.1.4.1626
systemMustContain: 1.2.840.113556.1.4.1644
-
dn: CN=ms-WMI-PolicyType,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1623
systemMayContain: 1.2.840.113556.1.4.1624
systemMayContain: 1.2.840.113556.1.4.1626
systemMayContain: 1.2.840.113556.1.4.1644
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.1623
systemMustContain: 1.2.840.113556.1.4.1624
systemMustContain: 1.2.840.113556.1.4.1626
systemMustContain: 1.2.840.113556.1.4.1644
-
dn: CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1623
systemMayContain: 1.2.840.113556.1.4.1624
systemMayContain: 1.2.840.113556.1.4.1626
systemMayContain: 1.2.840.113556.1.4.1644
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.1623
systemMustContain: 1.2.840.113556.1.4.1624
systemMustContain: 1.2.840.113556.1.4.1626
systemMustContain: 1.2.840.113556.1.4.1644
-
dn: CN=Application-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=ms-DS-App-Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=ms-TAPI-Unique-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 256
-
dn: CN=ms-TAPI-Rt-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1698
-
dn: CN=ms-DS-NC-Repl-Cursors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-NCReplCursors
adminDisplayName: ms-DS-NC-Repl-Cursors
adminDescription: ms-DS-NC-Repl-Cursors
attributeId: 1.2.840.113556.1.4.1704
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 5HwWiuj560eNePf+gKuyzA==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Filter-Containers,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-FilterContainers
adminDisplayName: ms-DS-Filter-Containers
adminDescription: ms-DS-Filter-Containers
attributeId: 1.2.840.113556.1.4.1703
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: 39wA+zesOkicEqxTpmAwMw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Repl-Value-Meta-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ReplValueMetaData
adminDisplayName: ms-DS-Repl-Value-Meta-Data
adminDescription: ms-DS-Repl-Value-Meta-Data
attributeId: 1.2.840.113556.1.4.1708
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RYFcL73hC0GJV4v6gdWs/Q==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Repl-Attribute-Meta-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ReplAttributeMetaData
adminDisplayName: ms-DS-Repl-Attribute-Meta-Data
adminDescription: ms-DS-Repl-Attribute-Meta-Data
attributeId: 1.2.840.113556.1.4.1707
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QjLF105yOUydTC34ydZseg==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-NC-Repl-Inbound-Neighbors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-NCReplInboundNeighbors
adminDisplayName: ms-DS-NC-Repl-Inbound-Neighbors
adminDescription: ms-DS-NC-Repl-Inbound-Neighbors
attributeId: 1.2.840.113556.1.4.1705
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Wqjbnp4+G0ObGqW26e2nlg==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-NC-Repl-Outbound-Neighbors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-NCReplOutboundNeighbors
adminDisplayName: ms-DS-NC-Repl-Outbound-Neighbors
adminDescription: ms-DS-NC-Repl-Outbound-Neighbors
attributeId: 1.2.840.113556.1.4.1706
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9S5fhcWhxEy6bTJSKEi2Hw==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Has-Instantiated-NCs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-HasInstantiatedNCs
adminDisplayName: ms-DS-Has-Instantiated-NCs
adminDescription: DS replication information detailing the state of the NCs present on a particular server.
attributeId: 1.2.840.113556.1.4.1709
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
rangeLower: 4
rangeUpper: 4
omObjectClass:: KoZIhvcUAQEBCw==
schemaIdGuid:: vKXpERdFSUCvnFFVT7D8CQ==
linkID: 2002
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Allowed-DNS-Suffixes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AllowedDNSSuffixes
adminDisplayName: ms-DS-Allowed-DNS-Suffixes
adminDescription: Allowed suffixes for dNSHostName on computer
attributeId: 1.2.840.113556.1.4.1710
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 2048
schemaIdGuid:: G0RphMSaRU6CBb0hnb9nLQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Country-Code,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeLower
rangeLower: 0
-
add: rangeUpper
rangeUpper: 65535
-
dn: CN=ms-DS-SD-Reference-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-SDReferenceDomain
adminDisplayName: ms-DS-SD-Reference-Domain
adminDescription: The domain to be used for default security descriptor translation for a Non-Domain Naming Context.
attributeId: 1.2.840.113556.1.4.1711
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: FuNRTCj2pUOwa/+2lfy08w==
linkID: 2000
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1704
systemMayContain: 1.2.840.113556.1.4.1705
systemMayContain: 1.2.840.113556.1.4.1706
systemMayContain: 1.2.840.113556.1.4.1707
systemMayContain: 1.2.840.113556.1.4.1708
-
dn: CN=DS-UI-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1703
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1709
-
dn: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1710
-
dn: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1711
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=SAM-Enumerate-Entire-Domain,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: bf967aad-0de6-11d0-a285-00aa003049e2
displayName: Enumerate Entire SAM Domain
localizationDisplayId: 57
rightsGUID: 91d67418-0135-4acc-8d79-c08e857cfbec
validAccesses: 256
dn: CN=Generate-RSoP-Logging,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: bf967aa5-0de6-11d0-a285-00aa003049e2
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Generate Resultant Set of Policy (Logging)
localizationDisplayId: 58
rightsGUID: b7b1b3de-ab09-4242-9e30-9980e5d322f7
validAccesses: 256
dn: CN=Generate-RSoP,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemFlags
systemFlags: 1073741824
-
dn: CN=Generate-RSoP,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModRdn
newrdn: Generate-RSoP-Planning
deleteoldrdn: 1
dn: CN=Generate-RSoP-Planning,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemFlags
-
dn: CN=Generate-RSoP-Planning,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: displayName
displayName: Generate Resultant Set of Policy (Planning)
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 16
-
Sch17.ldf
# Schema NC changes
dn: CN=Repl-Property-Meta-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 27
-
dn: CN=ms-DS-Entry-Time-To-Die,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 24
-
dn: CN=NT-Security-Descriptor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 26
-
dn: CN=ms-PKI-OID-LocalizedName,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-OIDLocalizedName
adminDisplayName: ms-PKI-OID-LocalizedName
adminDescription: ms-PKI-OID-LocalizedName
attributeId: 1.2.840.113556.1.4.1712
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 512
schemaIdGuid:: FqhZfQW7ckqXH1wTMfZ1WQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MSMQ-Secured-Source,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: MSMQ-SecuredSource
adminDisplayName: MSMQ-Secured-Source
adminDescription: MSMQ-Secured-Source
attributeId: 1.2.840.113556.1.4.1713
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: GyLwiwZ6Y02R8BSZlBgT0w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MSMQ-Multicast-Address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: MSMQ-MulticastAddress
adminDisplayName: MSMQ-Multicast-Address
adminDescription: MSMQ-Multicast-Address
attributeId: 1.2.840.113556.1.4.1714
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 9
schemaIdGuid:: EkQvHQ3xN0ObSG5bElzSZQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-SPN-Suffixes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-SPNSuffixes
adminDisplayName: ms-DS-SPN-Suffixes
adminDescription: ms-DS-SPN-Suffixes
attributeId: 1.2.840.113556.1.4.1715
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 255
schemaIdGuid:: 6+GeeI6MTE6M7HmzG3YXtQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Has-Instantiated-NCs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: linkID
linkID: 2002
-
dn: CN=ms-DS-IntId,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IntId
adminDisplayName: ms-DS-IntId
adminDescription: ms-DS-IntId
attributeId: 1.2.840.113556.1.4.1716
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 8
schemaIdGuid:: aglgvEcbMEuId2Ask/VlMg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Invocation-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-PKI-Private-Key-Recovery-Agent,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msPKI-PrivateKeyRecoveryAgent
adminDisplayName: ms-PKI-Private-Key-Recovery-Agent
adminDescription: ms-PKI-Private-Key-Recovery-Agent
governsId: 1.2.840.113556.1.5.223
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.36
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: MqZiFblEfkqi0+QmyWo6zA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-PKI-Private-Key-Recovery-Agent,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-PKI-Enterprise-Oid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1712
-
dn: CN=MSMQ-Queue,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1713
systemMayContain: 1.2.840.113556.1.4.1714
-
dn: CN=MSMQ-Custom-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: FALSE
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1695
-
delete: systemMustContain
systemMustContain: 1.2.840.113556.1.4.1695
-
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 1.2.840.113556.1.3.23
-
dn: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1715
-
dn: CN=DMD,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1440
systemMayContain: 1.2.840.113556.1.4.1716
-
dn: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1716
-
dn: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1716
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 17
-
Sch18.ldf
dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: NtdsSchemaAdd
adminDescription: ms-Exch-Assistant-Name
adminDisplayName: ms-Exch-Assistant-Name
attributeID: 1.2.840.113556.1.2.444
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: msExchAssistantName
mapiId: 14896
oMSyntax: 64
objectClass: attributeSchema
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: lHPfqOrF0RG7ywCAx2ZwwA==
searchFlags: 0
dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
changetype: NtdsSchemaAdd
adminDescription: ms-Exch-LabeledURI
adminDisplayName: ms-Exch-LabeledURI
attributeID: 1.2.840.113556.1.2.593
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: msExchLabeledURI
mapiId: 35921
name: ms-Exch-LabeledURI
oMSyntax: 64
objectClass: attributeSchema
rangeLower: 1
rangeUpper: 1024
schemaIdGuid:: IFh3FvNH0RGpwwAA+ANnwQ==
searchFlags: 0
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: lDAPDisplayName
lDAPDisplayName: msExchAssistantName
-
dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: lDAPDisplayName
lDAPDisplayName: msExchLabeledURI
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Schema NC changes
dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
adminDisplayName: uid
adminDescription: A user ID.
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
attributeSecurityGuid:: Qi+6WaJ50BGQIADAT8LTzw==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=audio,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: audio
adminDisplayName: audio
adminDescription: The Audio attribute type allows the storing of sounds in the Directory.
attributeId: 0.9.2342.19200300.100.1.55
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 250000
schemaIdGuid:: JNLh0KDhzkKi2nk7pSRPNQ==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=photo,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: photo
adminDisplayName: photo
adminDescription: An object encoded in G3 fax as explained in recommendation T.4, with an ASN.1 wrapper to make it compatible with an X.400 BodyPart as defined in X.420.
attributeId: 0.9.2342.19200300.100.1.7
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: aJeXnBq6CEyWMsalwe1kmg==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=jpegPhoto,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: jpegPhoto
adminDisplayName: jpegPhoto
adminDescription: Used to store one or more images of a person using the JPEG File Interchange Format [JFIF].
attributeId: 0.9.2342.19200300.100.1.60
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: cgXIusQJqU+a5nYo162+Dg==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=secretary,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: secretary
adminDisplayName: secretary
adminDescription: Specifies the secretary of a person.
attributeId: 0.9.2342.19200300.100.1.21
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: mi0HAa2YU0qXROg+KHJ4+w==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=userPKCS12,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: userPKCS12
adminDisplayName: userPKCS12
adminDescription: PKCS #12 PFX PDU for exchange of personal identity information.
attributeId: 2.16.840.1.113730.3.1.216
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: tYqZI/hwB0CkwahKODEfmg==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=carLicense,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: carLicense
adminDisplayName: carLicense
adminDescription: Vehicle license or registration plate.
attributeId: 2.16.840.1.113730.3.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: kpwV1H2Vh0qKZ40pNOAWSQ==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=labeledURI,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: labeledURI
adminDisplayName: labeledURI
adminDescription: A Uniform Resource Identifier followed by a label. The label is used to describe the resource to which the URI points, and is intended as a friendly name fit for human consumption.
attributeId: 1.3.6.1.4.1.250.1.57
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RrtpxYDGvESic+bCJ9cbRQ==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=roomNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: roomNumber
adminDisplayName: roomNumber
adminDescription: The room number of an object.
attributeId: 0.9.2342.19200300.100.1.6
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: wvjXgSfjDUqRxrQtQAkRXw==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=uniqueMember,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uniqueMember
adminDisplayName: uniqueMember
adminDescription: The distinguished name for the member of a group. Used by groupOfUniqueNames.
attributeId: 2.5.4.50
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: JoeIjwr410Sx7sud8hOSyA==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=departmentNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: departmentNumber
adminDisplayName: departmentNumber
adminDescription: Identifies a department within an organization.
attributeId: 2.16.840.1.113730.3.1.2
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 7vaevsfLIk+ye5aWfn7lhQ==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=unstructuredName,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: unstructuredName
adminDisplayName: unstructuredName
adminDescription: The DNS name of the router. For example, router1.microsoft.com. PKCS #9
attributeId: 1.2.840.113549.1.9.2
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 256
schemaIdGuid:: d/GOnM9ByUWWc3cWwMiQGw==
showInAdvancedViewOnly: TRUE
systemFlags: 0
dn: CN=preferredLanguage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: preferredLanguage
adminDisplayName: preferredLanguage
adminDescription: The preferred written or spoken language for a person.
attributeId: 2.16.840.1.113730.3.1.39
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 0OBrhecY4UaPX37k2QIODQ==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: x500uniqueIdentifier
adminDisplayName: x500uniqueIdentifier
adminDescription: Used to distinguish between objects when a distinguished name has been reused. This is a different attribute type from both the "uid" and "uniqueIdentifier" types.
attributeId: 2.5.4.45
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: H6F90D2KtkKwqnbJYr5xmg==
showInAdvancedViewOnly: FALSE
systemFlags: 0
dn: CN=unstructuredAddress,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: unstructuredAddress
adminDisplayName: unstructuredAddress
adminDescription: The IP address of the router. For example, 100.11.22.33. PKCS #9
attributeId: 1.2.840.113549.1.9.8
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 256
schemaIdGuid:: OQiVUEzMkUSGOvz5QtaEtw==
showInAdvancedViewOnly: TRUE
systemFlags: 0
dn: CN=attributeCertificateAttribute,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: attributeCertificateAttribute
adminDisplayName: attributeCertificateAttribute
adminDescription: A digitally signed or certified identity and set of attributes. Used to bind authorization information to an identity. X.509
attributeId: 2.5.4.58
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: u5NG+sJ7uUyBqMmcQ7eQXg==
showInAdvancedViewOnly: TRUE
systemFlags: 0
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: inetOrgPerson
adminDisplayName: inetOrgPerson
adminDescription: Represents people who are associated with an organization in some way.
governsId: 2.16.840.1.113730.3.2.2
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.9
systemMayContain: 2.5.4.45
systemMayContain: 2.16.840.1.113730.3.140
systemMayContain: 2.16.840.1.113730.3.1.216
systemMayContain: 2.5.4.36
systemMayContain: 0.9.2342.19200300.100.1.1
systemMayContain: 0.9.2342.19200300.100.1.21
systemMayContain: 0.9.2342.19200300.100.1.6
systemMayContain: 2.16.840.1.113730.3.1.39
systemMayContain: 0.9.2342.19200300.100.1.7
systemMayContain: 0.9.2342.19200300.100.1.42
systemMayContain: 2.5.4.10
systemMayContain: 0.9.2342.19200300.100.1.41
systemMayContain: 0.9.2342.19200300.100.1.10
systemMayContain: 0.9.2342.19200300.100.1.3
systemMayContain: 1.3.6.1.4.1.250.1.57
systemMayContain: 0.9.2342.19200300.100.1.60
systemMayContain: 2.5.4.43
systemMayContain: 1.2.840.113556.1.2.617
systemMayContain: 0.9.2342.19200300.100.1.20
systemMayContain: 2.5.4.42
systemMayContain: 1.2.840.113556.1.2.613
systemMayContain: 1.2.840.113556.1.2.610
systemMayContain: 1.2.840.113556.1.2.13
systemMayContain: 2.16.840.1.113730.3.1.2
systemMayContain: 2.16.840.1.113730.3.1.1
systemMayContain: 2.5.4.15
systemMayContain: 0.9.2342.19200300.100.1.55
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: FMwoSDcUvEWbB61vAV5fKA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
showInAdvancedViewOnly: FALSE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=X
systemFlags: 0
dn: CN=groupOfUniqueNames,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: groupOfUniqueNames
adminDisplayName: groupOfUniqueNames
adminDescription: Defines the entries for a group of unique names.
governsId: 2.5.6.17
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.50
systemMustContain: 2.5.4.3
systemMayContain: 2.5.4.34
systemMayContain: 2.5.4.32
systemMayContain: 2.5.4.11
systemMayContain: 2.5.4.10
systemMayContain: 2.5.4.13
systemMayContain: 2.5.4.15
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: EakQA6OTIU6no1XYWrLEiw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)
showInAdvancedViewOnly: FALSE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=groupOfUniqueNames,CN=Schema,CN=Configuration,DC=X
systemFlags: 0
dn: CN=Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 2.5.4.5
systemMayContain: 2.5.4.58
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.2.13
systemMayContain: 1.2.840.113556.1.2.610
systemMayContain: 1.2.840.113556.1.2.613
systemMayContain: 1.2.840.113556.1.2.617
systemMayContain: 2.5.4.10
systemMayContain: 2.5.4.15
systemMayContain: 2.5.4.42
systemMayContain: 2.5.4.43
systemMayContain: 2.5.4.45
systemMayContain: 0.9.2342.19200300.100.1.1
systemMayContain: 0.9.2342.19200300.100.1.3
systemMayContain: 0.9.2342.19200300.100.1.6
systemMayContain: 0.9.2342.19200300.100.1.7
systemMayContain: 0.9.2342.19200300.100.1.10
systemMayContain: 0.9.2342.19200300.100.1.20
systemMayContain: 0.9.2342.19200300.100.1.21
systemMayContain: 0.9.2342.19200300.100.1.41
systemMayContain: 0.9.2342.19200300.100.1.42
systemMayContain: 0.9.2342.19200300.100.1.55
systemMayContain: 0.9.2342.19200300.100.1.60
systemMayContain: 2.16.840.1.113730.3.1.1
systemMayContain: 2.16.840.1.113730.3.1.2
systemMayContain: 2.16.840.1.113730.3.1.39
systemMayContain: 2.16.840.1.113730.3.1.216
systemMayContain: 1.3.6.1.4.1.250.1.57
systemMayContain: 2.16.840.1.113730.3.140
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.2.444
mayContain: 1.2.840.113556.1.2.593
mayContain: 1.3.6.1.4.1.250.1.57
mayContain: 0.9.2342.19200300.100.1.21
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.3.6.1.4.1.250.1.57
mayContain: 0.9.2342.19200300.100.1.21
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 18
-
Sch19.ldf
# attributes
dn: CN=ms-DS-Auxiliary-Classes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 20
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# class changes
dn: CN=groupOfUniqueNames,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)
-
dn: CN=Force-Logoff,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: 0J8RuPYEYkerekmGx2s/mg==
-
dn: CN=OEM-Information,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: 0J8RuPYEYkerekmGx2s/mg==
-
dn: CN=Server-State,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: 0J8RuPYEYkerekmGx2s/mg==
-
dn: CN=UAS-Compat,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: 0J8RuPYEYkerekmGx2s/mg==
-
dn: CN=Server-Role,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: 0J8RuPYEYkerekmGx2s/mg==
-
dn: CN=Domain-Replica,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: 0J8RuPYEYkerekmGx2s/mg==
-
dn: CN=Modified-Count,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: 0J8RuPYEYkerekmGx2s/mg==
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=Domain-Other-Parameters,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Other Domain Parameters (for use by SAM)
localizationDisplayId: 59
rightsGUID: b8119fd0-04f6-4762-ab7a-4986c76b3f9a
validAccesses: 48
dn: CN=Email-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=General-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=Membership,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=RAS-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=User-Account-Restrictions,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=User-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=User-Logon,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28
-
dn: CN=Domain-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
-
# Increase object version
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 19
-
Sch20.ldf
# attributes
dn: CN=ms-DS-DnsRootAlias,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-DnsRootAlias
adminDisplayName: ms-DS-DnsRootAlias
adminDescription: ms-DS-DnsRootAlias
attributeId: 1.2.840.113556.1.4.1719
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 255
schemaIdGuid:: yqxDIa3uKU21kYX6Sc6Rcw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-UpdateScript,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-UpdateScript
adminDisplayName: ms-DS-UpdateScript
adminDescription: ms-DS-UpdateScript
attributeId: 1.2.840.113556.1.4.1721
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ObZuFJ+7wU+oJeKeAMd5IA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-ReplicationEpoch,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ReplicationEpoch
adminDisplayName: ms-DS-ReplicationEpoch
adminDescription: ms-DS-ReplicationEpoch
attributeId: 1.2.840.113556.1.4.1720
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: earjCBzrtUWve4+UJGyOQQ==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Additional-Dns-Host-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AdditionalDnsHostName
adminDisplayName: ms-DS-Additional-Dns-Host-Name
adminDescription: ms-DS-Additional-Dns-Host-Name
attributeId: 1.2.840.113556.1.4.1717
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 2048
schemaIdGuid:: kTeGgOnbuE6Dfn8KtV2axw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Additional-Sam-Account-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AdditionalSamAccountName
adminDisplayName: ms-DS-Additional-Sam-Account-Name
adminDescription: ms-DS-Additional-Sam-Account-Name
attributeId: 1.2.840.113556.1.4.1718
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 13
rangeLower: 0
rangeUpper: 256
schemaIdGuid:: 33FVl9WkmkKfWc3GWB2R5g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Hide-From-AB,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: hideFromAB
adminDisplayName: Hide-From-AB
adminDescription: Hide-From-AB
attributeId: 1.2.840.113556.1.4.1780
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ULcF7Hep/k6OjbpsGm4zqA==
showInAdvancedViewOnly: TRUE
systemFlags: 0
dn: CN=ms-DS-ExecuteScriptPassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ExecuteScriptPassword
adminDisplayName: ms-DS-ExecuteScriptPassword
adminDescription: ms-DS-ExecuteScriptPassword
attributeId: 1.2.840.113556.1.4.1783
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 64
schemaIdGuid:: WkoFnYfRwUadhULfxEpW3Q==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=preferredLanguage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: ldapDisplayName
ldapDisplayName: preferredLanguage
-
replace: adminDisplayName
adminDisplayName: preferredLanguage
-
dn: CN=Code-Page,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeLower
rangeLower: 0
-
replace: rangeUpper
rangeUpper: 65535
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# class changes
dn: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1719
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1717
systemMayContain: 1.2.840.113556.1.4.1718
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1720
-
dn: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1721
systemMayContain: 1.2.840.113556.1.4.1783
-
dn: CN=ms-TAPI-Rt-Conference,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
-
dn: CN=ms-TAPI-Rt-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
-
# Reload the schema cache to pick up altered classes and attributes
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Abandon-Replication,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaDelete
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 20
-
Sch21.ldf
# attributes
dn: CN=ms-DS-Logon-Time-Sync-Interval,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-LogonTimeSyncInterval
adminDisplayName: ms-DS-Logon-Time-Sync-Interval
adminDescription: ms-DS-Logon-Time-Sync-Interval
attributeId: 1.2.840.113556.1.4.1784
attributeSyntax: 2.5.5.9
oMSyntax: 2
rangeLower: 0
isSingleValued: TRUE
searchFlags: 0
systemOnly: FALSE
showInAdvancedViewOnly: TRUE
schemaIdGuid:: +EB5rTrkQkqDvNaI5Z6mBQ==
systemFlags: 16
dn: CN=ms-DS-Allowed-To-Delegate-To,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: msDS-AllowedToDelegateTo
adminDisplayName: ms-DS-Allowed-To-Delegate-To
adminDescription: Allowed-To-Delegate-To contains a list of SPNs that are used for Constrained Delegation
attributeId: 1.2.840.113556.1.4.1787
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 0
systemOnly: FALSE
showInAdvancedViewOnly: TRUE
schemaIdGuid:: 15QNgKG3oUKxTXyuFCPQfw==
systemFlags: 16
dn: CN=ms-IIS-FTP-Root,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
adminDescription: Virtual FTP Root where user home directory resides.
adminDisplayName: ms-IIS-FTP-Root
attributeID: 1.2.840.113556.1.4.1785
attributeSyntax: 2.5.5.12
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: msIIS-FTPRoot
objectClass: attributeSchema
oMSyntax: 64
rangeLower: 1
rangeUpper: 256
searchFlags: 0
showInAdvancedViewOnly: TRUE
schemaIdGuid:: pCd4KoMUpUmdhFLjgSFWtA==
systemOnly: FALSE
systemFlags: 16
dn: CN=ms-IIS-FTP-Dir,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
adminDescription: Relative user directory on an FTP Root share.
adminDisplayName: ms-IIS-FTP-Dir
attributeID: 1.2.840.113556.1.4.1786
attributeSyntax: 2.5.5.12
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: msIIS-FTPDir
objectClass: attributeSchema
oMSyntax: 64
rangeLower: 1
rangeUpper: 256
searchFlags: 0
showInAdvancedViewOnly: TRUE
schemaIdGuid:: 6ZlcijAi60a46OWdcS657g==
systemOnly: FALSE
systemFlags: 16
dn: CN=dhcp-Servers,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: extendedCharsAllowed
extendedCharsAllowed: TRUE
-
dn: CN=Extended-Chars-Allowed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: FALSE
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# classes
dn: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.357
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1784
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1787
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1785
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1786
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 21
-
Sch22.ldf
# attributes
dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=audio,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=photo,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=jpegPhoto,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=userPKCS12,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=carLicense,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=roomNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=uniqueMember,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=departmentNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=unstructuredName,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=preferredLanguage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=unstructuredAddress,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=attributeCertificateAttribute,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=DNS-Host-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: R5Xjchh70RGt7wDAT9jVzQ==
-
dn: CN=ms-DS-Additional-Dns-host-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: R5Xjchh70RGt7wDAT9jVzQ==
-
dn: CN=MS-DS-Per-User-Trust-Quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PerUserTrustQuota
adminDisplayName: MS-DS-Per-User-Trust-Quota
adminDescription: Used to enforce a per-user quota for creating Trusted-Domain objects authorized by the control access right, "Create inbound Forest trust". This attribute limits the number of Trusted-Domain objects that can be created by a single non-admin user in the domain.
attributeId: 1.2.840.113556.1.4.1788
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 8K1h0STKk0mjqossmBMC6A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-DS-All-Users-Trust-Quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AllUsersTrustQuota
adminDisplayName: MS-DS-All-Users-Trust-Quota
adminDescription: Used to enforce a combined users quota on the total number of Trusted-Domain objects created by using the control access right, "Create inbound Forest trust".
attributeId: 1.2.840.113556.1.4.1789
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: XEqq0wNOEEiXqisznnpDSw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-DS-Per-User-Trust-Tombstones-Quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PerUserTrustTombstonesQuota
adminDisplayName: MS-DS-Per-User-Trust-Tombstones-Quota
adminDescription: Used to enforce a per-user quota for deleting Trusted-Domain objects when authorization is based on matching the user's SID to the value of MS-DS-Creator-SID on the Trusted-Domain object.
attributeId: 1.2.840.113556.1.4.1790
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: xqZwi/lQo0+nHhzgMEBEmw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Logon-Time-Sync-Interval,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeLower
rangeLower: 0
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# classes
dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=groupOfUniqueNames,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1459
-
dn: CN=Sam-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1788
systemMayContain: 1.2.840.113556.1.4.1789
systemMayContain: 1.2.840.113556.1.4.1790
-
dn: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1410
-
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.2
-
dn: CN=Country,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 1.2.840.113556.1.5.67
-
replace: objectClassCategory
objectClassCategory: 0
-
dn: CN=Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectClassCategory
objectClassCategory: 0
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectClassCategory
objectClassCategory: 0
-
dn: CN=Group-Of-Names,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectClassCategory
objectClassCategory: 0
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectClassCategory
objectClassCategory: 0
-
dn: CN=Certification-Authority,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectClassCategory
objectClassCategory: 0
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=DNS-Host-Name-Attributes,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
displayName: DNS Host Name Attributes
localizationDisplayId: 60
rightsGUID: 72e39547-7b18-11d1-adef-00c04fd8d5cd
validAccesses: 48
dn: CN=Create-Inbound-Forest-Trust,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Create Inbound Forest Trust
localizationDisplayId: 61
rightsGUID: e2a36dc9-ae17-47c3-b58b-be34c55ba633
validAccesses: 256
dn: CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: wellKnownObjects
wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,CN=Configuration,DC=X
-
dn: CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: wellKnownObjects
wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFoundConfig,CN=Configuration,DC=X
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 22
-
Sch23.ldf
# attributes
dn: CN=Script-Path,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: attributeSecurityGuid
attributeSecurityGuid:: ECAgX6V50BGQIADAT8LUzw==
-
dn: CN=User-Workstations,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: attributeSecurityGuid
attributeSecurityGuid:: ECAgX6V50BGQIADAT8LUzw==
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# classes
dn: CN=Country,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace:defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace:defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace:defaultHidingValue
defaultHidingValue: TRUE
-
dn: CN=Group-Of-Names,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace:defaultHidingValue
defaultHidingValue: TRUE
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=DS-Replication-Get-Changes-All,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName: Replicating Directory Changes All
localizationDisplayId: 62
rightsGUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 23
-
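The GUIDs in these LDF files appear in two encodings: `schemaIdGuid::` and `attributeSecurityGuid::` are base64 of the 16-byte little-endian GUID layout, while `rightsGUID:`, `appliesTo:` and the object GUIDs inside a `defaultSecurityDescriptor` SDDL string are plain text. That is why it is not obvious from reading the dump that, for example, the `attributeSecurityGuid` added to `DNS-Host-Name` in Sch22.ldf is the same GUID as the `rightsGUID` of the `DNS-Host-Name-Attributes` control access right defined a few records later, or that `msDS-AllowedToDelegateTo` is placed in the `e48d0154-bcf8-11d1-8702-00c04fb96050` property set (Public-Information), which the inetOrgPerson default security descriptor in Sch18.ldf grants read-property (`RP`) to Authenticated Users (`AU`). The Python below is an added example, not part of Microsoft's Sch*.ldf files: it parses records of this dump format, decodes the base64 GUIDs, maps attributes to the control access right they belong to, and lists which trustees an SDDL string grants a given object GUID. The sample records are trimmed copies of entries in the listing, and the function names are the example's own.

```python
"""Decode the base64 GUIDs in an AD schema LDF and cross-reference them.
Added example, not part of Microsoft's Sch*.ldf files; the sample records
are trimmed copies of entries in the listing, the function names are mine."""
import base64
import re
import uuid
from collections import defaultdict

# Constructed sample: trimmed copies of records from the listing above.
SAMPLE_LDF = """\
dn: CN=ms-DS-Allowed-To-Delegate-To,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: msDS-AllowedToDelegateTo
attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
schemaIdGuid:: 15QNgKG3oUKxTXyuFCPQfw==
dn: CN=DNS-Host-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: R5Xjchh70RGt7wDAT9jVzQ==
-
dn: CN=DNS-Host-Name-Attributes,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: DNS Host Name Attributes
rightsGUID: 72e39547-7b18-11d1-adef-00c04fd8d5cd
dn: CN=DS-Replication-Get-Changes-All,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Replicating Directory Changes All
rightsGUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
"""
# inetOrgPerson defaultSecurityDescriptor from Sch18.ldf, unwrapped.
INETORGPERSON_SD = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)"
    "(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)"
    "(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)"
    "(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)"
    "(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)"
    "(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)"
    "(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)"
)
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*)(::?)\s*(.*)$")
# SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([A-Z]*);([0-9A-Fa-f-]*);([0-9A-Fa-f-]*);([^)]+)\)")

def parse_ldf(text):
    """Return one dict per record (lower-cased attribute -> list of values).
    A record starts at every 'dn:' line, so this copes with dumps whose blank
    separator lines were lost; '::' values are base64 and come back as bytes."""
    records, rec = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.lower().startswith("dn:"):
            rec = defaultdict(list)
            records.append(rec)
        m = ATTR_RE.match(line)
        if rec is None or not m:  # blank, '-' or '#' lines carry no attribute
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        rec[name].append(base64.b64decode(value) if sep == "::" else value)
    return records

def guid_from_b64(text):
    """schemaIdGuid/attributeSecurityGuid are base64 of the 16-byte
    little-endian GUID layout; bytes_le yields the canonical text form."""
    return str(uuid.UUID(bytes_le=base64.b64decode(text)))

def property_set_index(records):
    """rightsGUID -> displayName for every controlAccessRight record."""
    return {g.lower(): rec.get("displayname", ["?"])[0]
            for rec in records
            if "controlaccessright" in [v.lower() for v in rec.get("objectclass", [])]
            for g in rec.get("rightsguid", [])}

def attribute_property_sets(records):
    """dn -> (GUID, property-set name) for attributes carrying attributeSecurityGuid."""
    index, out = property_set_index(records), {}
    for rec in records:
        for raw in rec.get("attributesecurityguid", []):
            g = str(uuid.UUID(bytes_le=raw))
            out[rec["dn"][0]] = (g, index.get(g, "<not defined in this LDF>"))
    return out

def trustees_for_guid(sddl, guid):
    """(rights, trustee) for every object ACE whose object GUID matches: this
    is how a class's defaultSecurityDescriptor hands out a property set."""
    return [(m.group(3), m.group(6)) for m in ACE_RE.finditer(sddl)
            if m.group(4).lower() == guid.lower()]

if __name__ == "__main__":
    recs = parse_ldf(SAMPLE_LDF)
    for dn, (guid, name) in attribute_property_sets(recs).items():
        print(f"{dn}\n  property set {guid} = {name}")
        print(f"  granted on inetOrgPerson to: {trustees_for_guid(INETORGPERSON_SD, guid)}")
```

Run it against a complete Sch*.ldf set (or an `ldifde` export of `CN=Schema` and `CN=Extended-Rights`) rather than the trimmed sample to resolve every property set; in the sample the Public-Information right is not defined, so `msDS-AllowedToDelegateTo` resolves only to its GUID. The same `trustees_for_guid` check is worth running over exported ACLs for the `rightsGUID` of `DS-Replication-Get-Changes-All` (`1131f6ad-9c07-11d1-f79f-00c04fc2dcd2`, defined above in Sch23.ldf): a `CR` ACE carrying that GUID on a domain naming context is the permission that lets a principal replicate secret attributes such as password hashes from a domain controller.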
Sch24.ldf
# attributes
dn: CN=Employee-Number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=Employee-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=Address-Home,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=User-SMIME-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemFlags
systemFlags: 0
-
dn: CN=Lockout-Threshold,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 65535
-
dn: CN=ms-ds-dnsrootalias,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 255
-
dn: CN=ms-DS-Az-LDAP-Query,CN=Schema,CN=Configuration,DC=X
changetype: NtdsSchemaAdd
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.1792
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 0
rangeUpper: 4096
showInAdvancedViewOnly: TRUE
adminDisplayName: MS-DS-Az-LDAP-Query
adminDescription: ms-DS-Az-LDAP-Query
oMSyntax: 64
searchFlags: 0
lDAPDisplayName: msDS-AzLDAPQuery
schemaIDGUID:: izZTXpT8yEWdfdrzHucRLQ==
systemOnly: FALSE
systemFlags: 16
dn: CN=ms-DS-Non-Members,CN=Schema,CN=Configuration,DC=X
changetype: NtdsSchemaAdd
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.1793
attributeSyntax: 2.5.5.1
isSingleValued: FALSE
linkID: 2014
showInAdvancedViewOnly: TRUE
adminDisplayName: MS-DS-Non-Members
oMObjectClass:: KwwCh3McAIVK
adminDescription: ms-DS-Non-Members
oMSyntax: 127
searchFlags: 0
lDAPDisplayName: msDS-NonMembers
schemaIDGUID:: 3rH8yjzytUat9x5klXvV2w==
systemOnly: FALSE
systemFlags: 16
dn: CN=ms-DS-Non-Members-BL,CN=Schema,CN=Configuration,DC=X
changetype: NtdsSchemaAdd
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.1794
attributeSyntax: 2.5.5.1
isSingleValued: FALSE
linkID: 2015
showInAdvancedViewOnly: TRUE
adminDisplayName: MS-DS-Non-Members-BL
oMObjectClass:: KwwCh3McAIVK
adminDescription: ms-DS-Non-Members-BL
oMSyntax: 127
searchFlags: 0
lDAPDisplayName: msDS-NonMembersBL
schemaIDGUID:: /GiMKno6h06HIP53xRy+dA==
systemOnly: TRUE
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# classes
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1794
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1792
systemMayContain: 1.2.840.113556.1.4.1793
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 24
-
Sch25.ldf
dn: CN=ms-DS-Az-Class-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzClassId
adminDisplayName: MS-DS-Az-Class-ID
adminDescription: A class ID required by the AzRoles UI on the AzApplication object
attributeId: 1.2.840.113556.1.4.1816
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 40
schemaIdGuid:: d3I6AS1c70mn3rdls2o/bw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Biz-Rule,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzBizRule
adminDisplayName: MS-DS-Az-Biz-Rule
adminDescription: Text of the script implementing the business rule
attributeId: 1.2.840.113556.1.4.1801
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 65536
schemaIdGuid:: qB7UM8nAkkyUlPEEh4QT/Q==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Scope-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzScopeName
adminDisplayName: MS-DS-Az-Scope-Name
adminDescription: A string that uniquely identifies a scope object
attributeId: 1.2.840.113556.1.4.1799
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 65536
schemaIdGuid:: BmtaURcmc0GAmdVgXfBDxg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Operation-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzOperationID
adminDisplayName: MS-DS-Az-Operation-ID
adminDescription: Application specific ID that makes the operation unique to the application
attributeId: 1.2.840.113556.1.4.1800
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
schemaIdGuid:: U7XzpXZdvky6P0MSFSyrGA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Tasks-For-Az-Role,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TasksForAzRole
adminDisplayName: MS-DS-Tasks-For-Az-Role
adminDescription: List of tasks for Az-Role
attributeId: 1.2.840.113556.1.4.1814
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: gpAxNUqMRkaThsKUnUmJTQ==
linkID: 2024
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Tasks-For-Az-Task,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TasksForAzTask
adminDisplayName: MS-DS-Tasks-For-Az-Task
adminDescription: List of tasks linked to Az-Task
attributeId: 1.2.840.113556.1.4.1810
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 4o4csc1fp0aV8PODM/CWzw==
linkID: 2020
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Domain-Timeout,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzDomainTimeout
adminDisplayName: MS-DS-Az-Domain-Timeout
adminDescription: Time (in ms) after a domain is detected to be un-reachable, and before the DC is tried again
attributeId: 1.2.840.113556.1.4.1795
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
schemaIdGuid:: avVIZHDKLk6wr9IOTOZT0A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Script-Timeout,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzScriptTimeout
adminDisplayName: MS-DS-Az-Script-Timeout
adminDescription: Maximum time (in ms) to wait for a script to finish auditing a specific policy
attributeId: 1.2.840.113556.1.4.1797
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
schemaIdGuid:: QfvQh4ss9kG5chH9/VDWsA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Generate-Audits,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzGenerateAudits
adminDisplayName: MS-DS-Az-Generate-Audits
adminDescription: A boolean field indicating if runtime audits need to be turned on (include audits for access checks, etc.)
attributeId: 1.2.840.113556.1.4.1805
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: sLoK+WwYGES7hYhEfIciKg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Members-For-Az-Role,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-MembersForAzRole
adminDisplayName: MS-DS-Members-For-Az-Role
adminDescription: List of member application groups or users linked to Az-Role
attributeId: 1.2.840.113556.1.4.1806
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: zeb3y6SFFEOJOYv+gFl4NQ==
linkID: 2016
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-KeyVersionNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-KeyVersionNumber
adminDisplayName: ms-DS-KeyVersionNumber
adminDescription: The Kerberos version number of the current key for this account. This is a constructed attribute.
attributeId: 1.2.840.113556.1.4.1782
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: wOkjxbUzyEqJI7V7kn9C9g==
showInAdvancedViewOnly: FALSE
systemFlags: 20
dn: CN=ms-DS-Az-Application-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzApplicationData
adminDisplayName: MS-DS-Az-Application-Data
adminDescription: A string that is used by individual applications to store whatever information they may need to
attributeId: 1.2.840.113556.1.4.1819
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
schemaIdGuid:: 6MM/UMYcGkaZo57uBPQCpw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Application-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzApplicationName
adminDisplayName: MS-DS-Az-Application-Name
adminDescription: A string that uniquely identifies an application object
attributeId: 1.2.840.113556.1.4.1798
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 512
schemaIdGuid:: KAdb2whidkiDt5XT5WlSdQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Biz-Rule-Language,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzBizRuleLanguage
adminDisplayName: MS-DS-Az-Biz-Rule-Language
adminDescription: Language that the business rule script is in (Jscript, VBScript)
attributeId: 1.2.840.113556.1.4.1802
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 64
schemaIdGuid:: VkuZUmwOB06qXO+df1oOJQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Operations-For-Az-Role,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-OperationsForAzRole
adminDisplayName: MS-DS-Operations-For-Az-Role
adminDescription: List of operations linked to Az-Role
attributeId: 1.2.840.113556.1.4.1812
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: vgH3k0z6tkO8L02+pxj/qw==
linkID: 2022
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Operations-For-Az-Task,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-OperationsForAzTask
adminDisplayName: MS-DS-Operations-For-Az-Task
adminDescription: List of operations linked to Az-Task
attributeId: 1.2.840.113556.1.4.1808
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: NrSsGp0uqUSSmM5N6+tuvw==
linkID: 2018
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Application-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzApplicationVersion
adminDisplayName: MS-DS-Az-Application-Version
adminDescription: A version number to indicate that the AzApplication is updated
attributeId: 1.2.840.113556.1.4.1817
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
schemaIdGuid:: IKGEccQ6rkeEj/4KsgeE1A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Script-Engine-Cache-Max,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzScriptEngineCacheMax
adminDisplayName: MS-DS-Az-Script-Engine-Cache-Max
adminDescription: Maximum number of scripts that are cached by the application
attributeId: 1.2.840.113556.1.4.1796
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
schemaIdGuid:: avYpJpUf80uilo6de54wyA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Task-Is-Role-Definition,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzTaskIsRoleDefinition
adminDisplayName: MS-DS-Az-Task-Is-Role-Definition
adminDescription: A Boolean field which indicates whether AzTask is a classic task or a role definition
attributeId: 1.2.840.113556.1.4.1818
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: RIUHe4Js6U+HL/9IrSsuJg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Last-Imported-Biz-Rule-Path,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzLastImportedBizRulePath
adminDisplayName: MS-DS-Az-Last-Imported-Biz-Rule-Path
adminDescription: Last imported business rule path
attributeId: 1.2.840.113556.1.4.1803
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 65536
schemaIdGuid:: XMtaZpK7vE2MWbNjjqsJsw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Tasks-For-Az-Role-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TasksForAzRoleBL
adminDisplayName: MS-DS-Tasks-For-Az-Role-BL
adminDescription: Back-link from Az-Task to Az-Role object(s) linking to it
attributeId: 1.2.840.113556.1.4.1815
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: NtXcoFhR/kKMQMAKetN5WQ==
linkID: 2025
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Tasks-For-Az-Task-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TasksForAzTaskBL
adminDisplayName: MS-DS-Tasks-For-Az-Task-BL
adminDescription: Back-link from Az-Task to the Az-Task object(s) linking to it
attributeId: 1.2.840.113556.1.4.1811
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: Um5E3/q1okykLxP5ilJsjw==
linkID: 2021
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Members-For-Az-Role-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-MembersForAzRoleBL
adminDisplayName: MS-DS-Members-For-Az-Role-BL
adminDescription: Back-link from member application group or user to Az-Role object(s) linking to it
attributeId: 1.2.840.113556.1.4.1807
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: IM3s7OCniEaczwLs5eKH9Q==
linkID: 2017
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Operations-For-Az-Role-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-OperationsForAzRoleBL
adminDisplayName: MS-DS-Operations-For-Az-Role-BL
adminDescription: Back-link from Az-Operation to Az-Role object(s) linking to it
attributeId: 1.2.840.113556.1.4.1813
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: KGJb+DQ3JUW2tz87siCQLA==
linkID: 2023
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Operations-For-Az-Task-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-OperationsForAzTaskBL
adminDisplayName: MS-DS-Operations-For-Az-Task-BL
adminDescription: Back-link from Az-Operation to Az-Task object(s) linking to it
attributeId: 1.2.840.113556.1.4.1809
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: EdI3pjlX0U6JsoiXRUi8WQ==
linkID: 2019
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Az-Admin-Manager,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AzAdminManager
adminDisplayName: MS-DS-Az-Admin-Manager
adminDescription: Root of Authorization Policy store instance
governsId: 1.2.840.113556.1.5.234
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1819
systemMayContain: 1.2.840.113556.1.4.1805
systemMayContain: 1.2.840.113556.1.4.1797
systemMayContain: 1.2.840.113556.1.4.1796
systemMayContain: 1.2.840.113556.1.4.1795
systemMayContain: 2.5.4.13
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: URDuzyhfrkuoY10MwYqO0Q==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Az-Admin-Manager,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Az-Application,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AzApplication
adminDisplayName: MS-DS-Az-Application
adminDescription: Defines an installed instance of an application bound to a particular policy store.
governsId: 1.2.840.113556.1.5.235
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1819
systemMayContain: 1.2.840.113556.1.4.1805
systemMayContain: 1.2.840.113556.1.4.1817
systemMayContain: 1.2.840.113556.1.4.1816
systemMayContain: 1.2.840.113556.1.4.1798
systemMayContain: 2.5.4.13
systemPossSuperiors: 1.2.840.113556.1.5.234
schemaIdGuid:: m9743aXLEk6ELijYtm917A==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Az-Application,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Az-Scope,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AzScope
adminDisplayName: MS-DS-Az-Scope
adminDescription: Describes a set of objects managed by an application
governsId: 1.2.840.113556.1.5.237
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1799
systemMayContain: 1.2.840.113556.1.4.1819
systemMayContain: 2.5.4.13
systemPossSuperiors: 1.2.840.113556.1.5.235
schemaIdGuid:: VODqT1XOu0eGDlsSBjpR3g==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Az-Scope,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Az-Operation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AzOperation
adminDisplayName: MS-DS-Az-Operation
adminDescription: Describes a particular operation supported by an application
governsId: 1.2.840.113556.1.5.236
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1800
systemMayContain: 1.2.840.113556.1.4.1819
systemMayContain: 2.5.4.13
systemPossSuperiors: 1.2.840.113556.1.5.235
schemaIdGuid:: N74KhpuapE+z0ris5d+exQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Az-Operation,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Az-Task,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AzTask
adminDisplayName: MS-DS-Az-Task
adminDescription: Describes a set of operations
governsId: 1.2.840.113556.1.5.238
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1810
systemMayContain: 1.2.840.113556.1.4.1808
systemMayContain: 1.2.840.113556.1.4.1819
systemMayContain: 1.2.840.113556.1.4.1818
systemMayContain: 1.2.840.113556.1.4.1803
systemMayContain: 1.2.840.113556.1.4.1802
systemMayContain: 1.2.840.113556.1.4.1801
systemMayContain: 2.5.4.13
systemPossSuperiors: 1.2.840.113556.1.5.237
systemPossSuperiors: 1.2.840.113556.1.5.235
schemaIdGuid:: c6TTHhubikG/oDo3uVpTBg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Az-Task,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Az-Role,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AzRole
adminDisplayName: MS-DS-Az-Role
adminDescription: Defines a set of operations that can be performed by a particular set of users within a particular scope
governsId: 1.2.840.113556.1.5.239
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1819
systemMayContain: 1.2.840.113556.1.4.1814
systemMayContain: 1.2.840.113556.1.4.1812
systemMayContain: 1.2.840.113556.1.4.1806
systemMayContain: 2.5.4.13
systemPossSuperiors: 1.2.840.113556.1.5.237
systemPossSuperiors: 1.2.840.113556.1.5.235
schemaIdGuid:: yeoTglWd3ESSXOmlK5J2RA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Az-Role,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1807
systemMayContain: 1.2.840.113556.1.4.1809
systemMayContain: 1.2.840.113556.1.4.1811
systemMayContain: 1.2.840.113556.1.4.1813
systemMayContain: 1.2.840.113556.1.4.1815
-
dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 2.5.4.45
mayContain: 2.16.840.1.113730.3.140
mayContain: 2.16.840.1.113730.3.1.216
mayContain: 2.5.4.36
mayContain: 0.9.2342.19200300.100.1.1
mayContain: 0.9.2342.19200300.100.1.21
mayContain: 0.9.2342.19200300.100.1.6
mayContain: 2.16.840.1.113730.3.1.39
mayContain: 0.9.2342.19200300.100.1.7
mayContain: 0.9.2342.19200300.100.1.42
mayContain: 2.5.4.10
mayContain: 0.9.2342.19200300.100.1.41
mayContain: 0.9.2342.19200300.100.1.10
mayContain: 0.9.2342.19200300.100.1.3
mayContain: 1.3.6.1.4.1.250.1.57
mayContain: 0.9.2342.19200300.100.1.60
mayContain: 2.5.4.43
mayContain: 1.2.840.113556.1.2.617
mayContain: 0.9.2342.19200300.100.1.20
mayContain: 2.5.4.42
mayContain: 1.2.840.113556.1.2.613
mayContain: 1.2.840.113556.1.2.610
mayContain: 1.2.840.113556.1.2.13
mayContain: 2.16.840.1.113730.3.1.2
mayContain: 2.16.840.1.113730.3.1.1
mayContain: 2.5.4.15
mayContain: 0.9.2342.19200300.100.1.55
-
delete: systemMayContain
systemMayContain: 2.5.4.45
systemMayContain: 2.16.840.1.113730.3.140
systemMayContain: 2.16.840.1.113730.3.1.216
systemMayContain: 2.5.4.36
systemMayContain: 0.9.2342.19200300.100.1.1
systemMayContain: 0.9.2342.19200300.100.1.21
systemMayContain: 0.9.2342.19200300.100.1.6
systemMayContain: 2.16.840.1.113730.3.1.39
systemMayContain: 0.9.2342.19200300.100.1.7
systemMayContain: 0.9.2342.19200300.100.1.42
systemMayContain: 2.5.4.10
systemMayContain: 0.9.2342.19200300.100.1.41
systemMayContain: 0.9.2342.19200300.100.1.10
systemMayContain: 0.9.2342.19200300.100.1.3
systemMayContain: 1.3.6.1.4.1.250.1.57
systemMayContain: 0.9.2342.19200300.100.1.60
systemMayContain: 2.5.4.43
systemMayContain: 1.2.840.113556.1.2.617
systemMayContain: 0.9.2342.19200300.100.1.20
systemMayContain: 2.5.4.42
systemMayContain: 1.2.840.113556.1.2.613
systemMayContain: 1.2.840.113556.1.2.610
systemMayContain: 1.2.840.113556.1.2.13
systemMayContain: 2.16.840.1.113730.3.1.2
systemMayContain: 2.16.840.1.113730.3.1.1
systemMayContain: 2.5.4.15
systemMayContain: 0.9.2342.19200300.100.1.55
-
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
-
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
-
dn: CN=Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 2.5.4.58
-
delete: systemMayContain
systemMayContain: 2.5.4.58
-
dn: CN=Security-Principal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1782
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.2.617
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.617
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.234
systemPossSuperiors: 1.2.840.113556.1.5.235
systemPossSuperiors: 1.2.840.113556.1.5.237
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 2.5.4.45
mayContain: 2.16.840.1.113730.3.140
mayContain: 2.16.840.1.113730.3.1.216
mayContain: 0.9.2342.19200300.100.1.1
mayContain: 0.9.2342.19200300.100.1.21
mayContain: 0.9.2342.19200300.100.1.6
mayContain: 2.16.840.1.113730.3.1.39
mayContain: 0.9.2342.19200300.100.1.7
mayContain: 1.3.6.1.4.1.250.1.57
mayContain: 0.9.2342.19200300.100.1.60
mayContain: 1.2.840.113556.1.2.617
mayContain: 2.5.4.42
mayContain: 1.2.840.113556.1.2.613
mayContain: 1.2.840.113556.1.2.610
mayContain: 1.2.840.113556.1.2.13
mayContain: 2.16.840.1.113730.3.1.2
mayContain: 2.16.840.1.113730.3.1.1
mayContain: 0.9.2342.19200300.100.1.55
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.2.13
systemMayContain: 1.2.840.113556.1.2.610
systemMayContain: 1.2.840.113556.1.2.613
systemMayContain: 1.2.840.113556.1.2.617
systemMayContain: 2.5.4.42
systemMayContain: 2.5.4.45
systemMayContain: 0.9.2342.19200300.100.1.1
systemMayContain: 0.9.2342.19200300.100.1.6
systemMayContain: 0.9.2342.19200300.100.1.7
systemMayContain: 0.9.2342.19200300.100.1.21
systemMayContain: 0.9.2342.19200300.100.1.55
systemMayContain: 0.9.2342.19200300.100.1.60
systemMayContain: 2.16.840.1.113730.3.1.1
systemMayContain: 2.16.840.1.113730.3.1.2
systemMayContain: 2.16.840.1.113730.3.1.39
systemMayContain: 2.16.840.1.113730.3.1.216
systemMayContain: 1.3.6.1.4.1.250.1.57
systemMayContain: 2.16.840.1.113730.3.140
-
dn: CN=groupOfUniqueNames,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 2.5.4.34
mayContain: 2.5.4.32
mayContain: 2.5.4.11
mayContain: 2.5.4.10
mayContain: 2.5.4.13
mayContain: 2.5.4.15
-
delete: systemMayContain
systemMayContain: 2.5.4.34
systemMayContain: 2.5.4.32
systemMayContain: 2.5.4.11
systemMayContain: 2.5.4.10
systemMayContain: 2.5.4.13
systemMayContain: 2.5.4.15
-
add: mustContain
mustContain: 2.5.4.50
mustContain: 2.5.4.3
-
delete: systemMustContain
systemMustContain: 2.5.4.50
systemMustContain: 2.5.4.3
-
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
-
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 2.16.840.1.113730.3.140
-
delete: systemMayContain
systemMayContain: 2.16.840.1.113730.3.140
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Config NC changes
dn: CN=Reanimate-Tombstones,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName:Reanimate Tombstones
localizationDisplayId: 64
rightsGUID: 45EC5156-DB7E-47bb-B53F-DBEB2D03C40F
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 25
-
Sch26.ldf
dn: CN=ms-ieee-80211-ID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msieee80211-ID
adminDisplayName: ms-ieee-80211-ID
adminDescription: an indentifier used for wireless policy object on AD
attributeId: 1.2.840.113556.1.4.1823
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: de9zf8kUI0yB3t0HoG+eiw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-ieee-80211-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msieee80211-Data
adminDisplayName: ms-ieee-80211-Data
adminDescription: Stores list of preferred network configurations for Group Policy for Wireless
attributeId: 1.2.840.113556.1.4.1821
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: OAkNDlgmgEWp9noKx7Vmyw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Has-Domain-NCs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-HasDomainNCs
adminDisplayName: ms-DS-Has-Domain-NCs
adminDescription: DS replication information detailing the domain NCs present on a particular server.
attributeId: 1.2.840.113556.1.4.1820
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
rangeLower: 4
rangeUpper: 4
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: R+MXb0KomES4sxXgB9pP7Q==
linkID: 2026
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-ieee-80211-Data-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msieee80211-DataType
adminDisplayName: ms-ieee-80211-Data-Type
adminDescription: internally used data type for msieee80211-Data blob
attributeId: 1.2.840.113556.1.4.1822
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: gLFYZdo1/k6+7VIfj0jK+w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Major-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzMajorVersion
adminDisplayName: MS-DS-Az-Major-Version
adminDescription: Major version number for AzRoles
attributeId: 1.2.840.113556.1.4.1824
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
schemaIdGuid:: t625z7fEWUCVaB7Z22tySA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Minor-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzMinorVersion
adminDisplayName: MS-DS-Az-Minor-Version
adminDescription: Minor version number for AzRoles
attributeId: 1.2.840.113556.1.4.1825
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
schemaIdGuid:: k+2F7gmyiEeBZecC9Rv78w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Locality,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=Organization,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.3
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 2.5.6.5
-
dn: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 2.5.6.5
-
dn: CN=Group-Of-Names,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.3
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 2.5.6.5
-
dn: CN=Residential-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.3
-
dn: CN=Application-Process,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 2.5.6.5
-
dn: CN=Application-Entity,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.11
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 2.5.6.5
-
dn: CN=Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 2.5.6.5
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-ieee-80211-Policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msieee80211-Policy
adminDisplayName: ms-ieee-80211-Policy
adminDescription: class to store Wireless Network Policy Object
governsId: 1.2.840.113556.1.5.240
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1823
systemMayContain: 1.2.840.113556.1.4.1822
systemMayContain: 1.2.840.113556.1.4.1821
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: ki2ae+u3gkOXcsPg+bqvlA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-ieee-80211-Policy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1820
-
dn: CN=Container,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.234
systemPossSuperiors: 1.2.840.113556.1.5.235
-
dn: CN=ms-DS-Az-Operation,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.3.23
-
dn: CN=ms-DS-Az-Task,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.3.23
-
dn: CN=ms-DS-Az-Role,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.3.23
-
dn: CN=ms-DS-Az-Admin-Manager,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1824
systemMayContain: 1.2.840.113556.1.4.1825
-
dn: CN=Container,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.237
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
appliesTo: 4828cc14-1437-45bc-9b07-ad6f015e5f28
displayName: Allowed to Authenticate
localizationDisplayId: 65
rightsGUID: 68B1D179-0D15-4d4f-AB71-46152E79A7BC
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 26
-
Sch27.ldf
dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msExchHouseIdentifier
adminDisplayName: ms-Exch-House-Identifier
adminDescription: ms-Exch-House-Identifier
attributeId: 1.2.840.113556.1.2.596
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: B3TfqOrF0RG7ywCAx2ZwwA==
mapiID: 35924
dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: ldapDisplayName
ldapDisplayName: msExchHouseIdentifier
-
dn: CN=host,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: host
adminDisplayName: host
adminDescription: The host attribute type specifies a host computer.
attributeId: 0.9.2342.19200300.100.1.9
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: cd9DYEj6z0arfMvVRkSyLQ==
showInAdvancedViewOnly: TRUE
dn: CN=drink,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: drink
adminDisplayName: drink
adminDescription: The drink (Favourite Drink) attribute type specifies the favorite drink of an object (or person).
attributeId: 0.9.2342.19200300.100.1.5
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: taUaGi4m9k2vBCz2sNgASA==
showInAdvancedViewOnly: TRUE
dn: CN=userClass,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: userClass
adminDisplayName: userClass
adminDescription: The userClass attribute type specifies a category of computer user.
attributeId: 0.9.2342.19200300.100.1.8
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: iipzEU3hxUy5L9k/UcbY5A==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Integer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-Integer
adminDisplayName: ms-DS-Integer
adminDescription: An attribute for storing an integer.
attributeId: 1.2.840.113556.1.4.1835
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 6kzGe07AGEOxAj4HKTcaZQ==
showInAdvancedViewOnly: FALSE
dn: CN=buildingName,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: buildingName
adminDisplayName: buildingName
adminDescription: The buildingName attribute type specifies the name of the building where an organization or organizational unit is based.
attributeId: 0.9.2342.19200300.100.1.48
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: S6V/+MWy10+IwNrMsh2TxQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Date-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-DateTime
adminDisplayName: ms-DS-Date-Time
adminDescription: An attribute for storing a data and time value.
attributeId: 1.2.840.113556.1.4.1832
attributeSyntax: 2.5.5.11
omSyntax: 24
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 2MtPI1L7CEmjKP2fbljkAw==
showInAdvancedViewOnly: FALSE
dn: CN=documentTitle,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: documentTitle
adminDisplayName: documentTitle
adminDescription: The documentTitle attribute type specifies the title of a document.
attributeId: 0.9.2342.19200300.100.1.12
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: nFom3iz/uUeR3G5v4sQwYg==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Byte-Array,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ByteArray
adminDisplayName: ms-DS-Byte-Array
adminDescription: An attribute for storing binary data.
attributeId: 1.2.840.113556.1.4.1831
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1000000
schemaIdGuid:: LpfY8Fvd5UClHQRMfBfs5w==
showInAdvancedViewOnly: FALSE
dn: CN=associatedName,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: associatedName
adminDisplayName: associatedName
adminDescription: The associatedName attribute type specifies an entry in the organizational DIT associated with a DNS domain.
attributeId: 0.9.2342.19200300.100.1.38
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: Rfz796uFpEKkNXgOYveFiw==
showInAdvancedViewOnly: TRUE
dn: CN=documentAuthor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: documentAuthor
adminDisplayName: documentAuthor
adminDescription: The documentAuthor attribute type specifies the distinguished name of the author of a document.
attributeId: 0.9.2342.19200300.100.1.14
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: GY6K8V+veESwlm81wn64Pw==
showInAdvancedViewOnly: TRUE
dn: CN=houseIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: houseIdentifier
adminDisplayName: houseIdentifier
adminDescription: The houseIdentifier attribute type specifies a linguistic construct used to identify a particular building, for example a house number or house name relative to a street, avenue, town or city, etc.
attributeId: 2.5.4.51
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 32768
schemaIdGuid:: t5hTpErEtk6C0xPBCUbb/g==
showInAdvancedViewOnly: TRUE
dn: CN=documentVersion,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: documentVersion
adminDisplayName: documentVersion
adminDescription: The documentVersion attribute type specifies the version number of a document.
attributeId: 0.9.2342.19200300.100.1.13
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: qaizlBPW7EyarV+8wQRrQw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-External-Key,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ExternalKey
adminDisplayName: ms-DS-External-Key
adminDescription: A string to identifiy an object in an external store such as a record in a database.
attributeId: 1.2.840.113556.1.4.1833
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 10000
schemaIdGuid:: KNUvuaw41ECBjQQzOAg3wQ==
showInAdvancedViewOnly: FALSE
dn: CN=associatedDomain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: associatedDomain
adminDisplayName: associatedDomain
adminDescription: The associatedDomain attribute type specifies a DNS domain which is associated with an object.
attributeId: 0.9.2342.19200300.100.1.37
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 256
schemaIdGuid:: OPwgM3nDF0ylEBvfYTPF2g==
showInAdvancedViewOnly: TRUE
dn: CN=documentLocation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: documentLocation
adminDisplayName: documentLocation
adminDescription: The documentLocation attribute type specifies the location of the document original.
attributeId: 0.9.2342.19200300.100.1.15
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: TrFYuW2sxE6Ikr5wtp9ygQ==
showInAdvancedViewOnly: TRUE
dn: CN=uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uniqueIdentifier
adminDisplayName: uniqueIdentifier
adminDescription: The uniqueIdentifier attribute type specifies a "unique identifier" for an object represented in the Directory.
attributeId: 0.9.2342.19200300.100.1.44
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: x4QBusU47UulJnVCFHBYDA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Has-Master-NCs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-hasMasterNCs
adminDisplayName: ms-DS-Has-Master-NCs
adminDescription: A list of the naming contexts contained by a DC. Deprecates hasMasterNCs.
attributeId: 1.2.840.113556.1.4.1836
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 4uAtrtdZR02NR+1N/kNXrQ==
linkID: 2036
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=documentPublisher,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: documentPublisher
adminDisplayName: documentPublisher
adminDescription: The documentPublisher attribute is the person and/or organization that published a document.
attributeId: 0.9.2342.19200300.100.1.56
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: 1wkPF2nrikSaMPGv7P0y1w==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-External-Store,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ExternalStore
adminDisplayName: ms-DS-External-Store
adminDescription: A string to identifiy the location of an external store such as a database.
attributeId: 1.2.840.113556.1.4.1834
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 10000
schemaIdGuid:: zXdIYNucx0ewPT2q2wRJEA==
showInAdvancedViewOnly: FALSE
dn: CN=documentIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: documentIdentifier
adminDisplayName: documentIdentifier
adminDescription: The documentIdentifier attribute type specifies a unique identifier for a document.
attributeId: 0.9.2342.19200300.100.1.11
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: gs4hC2P/2UaQ+8i58k6XuQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Object-Reference,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ObjectReference
adminDisplayName: ms-DS-Object-Reference
adminDescription: A link to the object that uses the data stored in the object that contains this attribute.
attributeId: 1.2.840.113556.1.4.1840
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 6MKOY+cinECF0hGyG+5y3g==
linkID: 2038
showInAdvancedViewOnly: FALSE
dn: CN=organizationalStatus,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: organizationalStatus
adminDisplayName: organizationalStatus
adminDescription: The organizationalStatus attribute type specifies a category by which a person is often referred to in an organization.
attributeId: 0.9.2342.19200300.100.1.45
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 256
schemaIdGuid:: GWBZKElzL02t/1pimWH5Qg==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Retired-Repl-NC-Signatures,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-RetiredReplNCSignatures
adminDisplayName: ms-DS-Retired-Repl-NC-Signatures
adminDescription: Information about naming contexts that are no longer held on this computer
attributeId: 1.2.840.113556.1.4.1826
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: BlWz1dYZJk2a+xE1esmbXg==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=simpleSecurityObject,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: simpleSecurityObject
adminDisplayName: simpleSecurityObject
adminDescription: The simpleSecurityObject object class is used to allow an entry to have a userPassword attribute when an entry's principal object classes do not allow userPassword as an attribute type.
governsId: 0.9.2342.19200300.100.4.19
objectClassCategory: 3
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 2.5.4.35
schemaIdGuid:: C5vmX0bhFU+wq8Hl1IjglA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=simpleSecurityObject,CN=Schema,CN=Configuration,DC=X
dn: CN=X509-Cert,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 32768
-
dn: CN=Certificate-Revocation-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 10485760
-
dn: CN=Authority-Revocation-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 10485760
-
dn: CN=Crl-Partitioned-Revocation-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 10485760
-
dn: CN=Delta-Revocation-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 10485760
-
dn: CN=Cross-Certificate-Pair,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 32768
-
dn: CN=ms-PKI-OID-CPS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 32768
-
dn: CN=ms-PKI-OID-User-Notice,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 32768
-
dn: CN=User-SMIME-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 32768
-
dn: CN=User-Principal-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 1024
-
dn: CN=ms-DS-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 1000000
-
replace: systemFlags
systemFlags: 0
-
dn: CN=PKT,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 10485760
-
dn: CN=Phone-Ip-Primary,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 64
-
dn: CN=Additional-Information,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 32768
-
dn: CN=MSMQ-Sign-Certificates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 1048576
-
dn: CN=MSMQ-Sign-Certificates-Mig,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 1048576
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Mastered-By,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDs-masteredBy
adminDisplayName: ms-DS-Mastered-By
adminDescription: Back link for msDS-hasMasterNCs.
attributeId: 1.2.840.113556.1.4.1837
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: aUcjYBlIFUahsknS8RmstQ==
linkID: 2037
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Object-Reference-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ObjectReferenceBL
adminDisplayName: ms-DS-Object-Reference-BL
adminDescription: Back link for ms-DS-Object-Reference.
attributeId: 1.2.840.113556.1.4.1841
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: FSVwK/fBO0uxSMDkxs7stA==
linkID: 2039
showInAdvancedViewOnly: FALSE
systemFlags: 1
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-App-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-AppData
adminDisplayName: ms-DS-App-Data
adminDescription: Stores data that is to be used by an object. For example, profile information for a user object.
governsId: 1.2.840.113556.1.5.241
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.7000.49
mayContain: 2.5.4.32
mayContain: 1.2.840.113556.1.4.1840
mayContain: 1.2.840.113556.1.4.1835
mayContain: 1.2.840.113556.1.4.1832
mayContain: 1.2.840.113556.1.4.1831
mayContain: 1.2.840.113556.1.4.653
mayContain: 1.2.840.113556.1.4.48
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.30
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: YddnnifjVU28lWgvh14vjg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-App-Data,CN=Schema,CN=Configuration,DC=X
dn: CN=rFC822LocalPart,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: rFC822LocalPart
adminDisplayName: rFC822LocalPart
adminDescription: The rFC822LocalPart object class is used to define entries which represent the local part of mail addresses.
governsId: 0.9.2342.19200300.100.4.14
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.66
mayContain: 2.5.4.24
mayContain: 2.5.4.21
mayContain: 2.5.4.22
mayContain: 2.5.4.20
mayContain: 2.5.4.9
mayContain: 2.5.4.4
mayContain: 2.5.4.34
mayContain: 2.5.4.26
mayContain: 2.5.4.28
mayContain: 2.5.4.18
mayContain: 2.5.4.17
mayContain: 2.5.4.16
mayContain: 2.5.4.19
mayContain: 2.5.4.25
mayContain: 2.5.4.23
mayContain: 2.5.4.27
mayContain: 2.5.4.13
mayContain: 2.5.4.3
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: eDo+ua7LXkige170rlBWhg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=rFC822LocalPart,CN=Schema,CN=Configuration,DC=X
dn: CN=room,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: room
adminDisplayName: room
adminDescription: The room object class is used to define entries representing rooms.
governsId: 0.9.2342.19200300.100.4.7
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 2.5.4.3
mayContain: 1.2.840.113556.1.4.222
mayContain: 2.5.4.20
mayContain: 2.5.4.34
mayContain: 2.5.4.13
mayContain: 0.9.2342.19200300.100.1.6
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 0uVgeLDIu0y9RdlFW+uSBg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=room,CN=Schema,CN=Configuration,DC=X
dn: CN=documentSeries,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: documentSeries
adminDisplayName: documentSeries
adminDescription: The documentSeries object class is used to define an entry which represents a series of documents.
governsId: 0.9.2342.19200300.100.4.9
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 2.5.4.3
mayContain: 2.5.4.20
mayContain: 2.5.4.11
mayContain: 2.5.4.10
mayContain: 2.5.4.7
mayContain: 2.5.4.34
mayContain: 2.5.4.13
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: fOArei8wlku8kAeV1miF+A==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=documentSeries,CN=Schema,CN=Configuration,DC=X
dn: CN=friendlyCountry,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: friendlyCountry
adminDisplayName: friendlyCountry
adminDescription: The friendlyCountry object class is used to define country entries in the DIT.
governsId: 0.9.2342.19200300.100.4.18
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.2
mustContain: 1.2.840.113556.1.2.131
schemaIdGuid:: UvGYxGvcSkefUnzbo9fTUQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=friendlyCountry,CN=Schema,CN=Configuration,DC=X
dn: CN=account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: account
adminDisplayName: account
adminDescription: The account object class is used to define entries representing computer accounts.
governsId: 0.9.2342.19200300.100.4.5
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 0.9.2342.19200300.100.1.1
mayContain: 0.9.2342.19200300.100.1.9
mayContain: 2.5.4.11
mayContain: 2.5.4.10
mayContain: 2.5.4.7
mayContain: 2.5.4.34
mayContain: 2.5.4.13
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: aqQoJq2m4Eq4VCsS2f5vng==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=account,CN=Schema,CN=Configuration,DC=X
dn: CN=document,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: document
adminDisplayName: document
adminDescription: The document object class is used to define entries which represent documents.
governsId: 0.9.2342.19200300.100.4.6
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 0.9.2342.19200300.100.1.11
mayContain: 0.9.2342.19200300.100.1.56
mayContain: 0.9.2342.19200300.100.1.15
mayContain: 0.9.2342.19200300.100.1.14
mayContain: 0.9.2342.19200300.100.1.13
mayContain: 0.9.2342.19200300.100.1.12
mayContain: 2.5.4.11
mayContain: 2.5.4.10
mayContain: 2.5.4.7
mayContain: 2.5.4.34
mayContain: 2.5.4.13
mayContain: 2.5.4.3
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: bdm6OdbCr0uIq35CB2ABFw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=document,CN=Schema,CN=Configuration,DC=X
dn: CN=domainRelatedObject,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: domainRelatedObject
adminDisplayName: domainRelatedObject
adminDescription: The domainRelatedObject object class is used to define an entry which represents a series of documents.
governsId: 0.9.2342.19200300.100.4.17
objectClassCategory: 3
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 0.9.2342.19200300.100.1.37
schemaIdGuid:: PS39i9rvSUWFLPheE3rtxg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=domainRelatedObject,CN=Schema,CN=Configuration,DC=X
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.1841
-
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1837
-
dn: CN=DMD,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemPossSuperiors
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 2.5.6.11
systemPossSuperiors: 1.2.840.113556.1.3.23
-
replace:systemOnly
systemOnly: TRUE
-
dn: CN=Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace:systemOnly
systemOnly: TRUE
-
dn: CN=Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.1840
-
dn: CN=Container,CN=Schema,CN=Configuration,DC=X
changeType: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.237
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1826
systemMayContain: 1.2.840.113556.1.4.1836
-
dn: CN=Application-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 2.5.4.32
mayContain: 1.2.840.113556.1.4.653
mayContain: 1.2.840.113556.1.4.48
mayContain: 1.2.840.113556.1.4.329
mayContain: 1.2.840.113556.1.4.328
mayContain: 1.2.840.113556.1.4.141
mayContain: 1.2.840.113556.1.4.255
mayContain: 1.2.840.113556.1.4.848
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.329
systemMayContain: 1.2.840.113556.1.4.328
systemMayContain: 1.2.840.113556.1.4.141
systemMayContain: 1.2.840.113556.1.4.255
systemMayContain: 1.2.840.113556.1.4.848
-
add: possSuperiors
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.30
possSuperiors: 1.2.840.113556.1.3.23
-
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
-
dn: CN=ms-DS-App-Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 2.5.4.32
mayContain: 1.2.840.113556.1.4.1840
mayContain: 1.2.840.113556.1.4.1835
mayContain: 1.2.840.113556.1.4.1832
mayContain: 1.2.840.113556.1.4.1831
mayContain: 1.2.840.113556.1.4.653
mayContain: 1.2.840.113556.1.4.48
-
add: possSuperiors
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.30
possSuperiors: 1.2.840.113556.1.3.23
-
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.2.596
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 2.5.4.51
-
dn: CN=Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.161
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=DS-Execute-Intentions-Script,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: ef9e60e0-56f7-11d1-a9c6-0000f80367c1
displayName: Execute Forest Update Script
localizationDisplayId: 66
rightsGUID: 2f16c4a5-b98e-432c-952a-cb388ba33f2e
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 27
-
Sch28.ldf
dn: CN=DS-Replication-Monitor-Topology,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName: Monitor Active Directory Replication
localizationDisplayId: 67
rightsGUID: f98340fb-7c5b-4cdb-a00b-2ebdfa115a96
validAccesses: 256
dn: CN=Update-Password-Not-Required-Bit,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Update Password Not Required Bit
localizationDisplayId: 68
rightsGUID: 280f369c-67c7-438e-ae98-1d46f3c6f541
validAccesses: 256
dn: CN=Unexpire-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Unexpire Password
localizationDisplayId: 69
rightsGUID: ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501
validAccesses: 256
dn: CN=Enable-Per-User-Reversibly-Encrypted-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
displayName: Enable Per User Reversibly Encrypted Password
localizationDisplayId: 70
rightsGUID: 05c74c5e-4deb-43b4-bd9f-86664c2a7fd5
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 28
-
Sch29.ldf
dn: CN=ms-DS-Max-Values,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDs-MaxValues
adminDisplayName: ms-DS-Max-Values
adminDescription: Max values allowed.
attributeId: 1.2.840.113556.1.4.1842
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
schemaIdGuid:: pGnh0enrv0mPy4rvOHRZLQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-DRM-Identity-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDRM-IdentityCertificate
adminDisplayName: ms-DRM-Identity-Certificate
adminDescription: The XrML digital rights management certificates for this user.
attributeId: 1.2.840.113556.1.4.1843
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 10240
schemaIdGuid:: BBJe6DQ0rUGbVuKQEij/8A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1843
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 29
-
Sch30.ldf
dn: CN=ms-DS-Quota-Used,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-QuotaUsed
adminDisplayName: ms-DS-Quota-Used
adminDescription: The current quota consumed by a security principal in the directory database.
attributeId: 1.2.840.113556.1.4.1849
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: CEOotV1ht0uwXy8XRqpDnw==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Quota-Amount,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-QuotaAmount
adminDisplayName: ms-DS-Quota-Amount
adminDescription: The assigned quota in terms of number of objects owned in the database.
attributeId: 1.2.840.113556.1.4.1845
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: DaC5+4w6M0Kc+XGJJkkDoQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Default-Quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-DefaultQuota
adminDisplayName: ms-DS-Default-Quota
adminDescription: The default quota that will apply to a security principal creating an object in the NC if no quota specification exists that covers the security principal.
attributeId: 1.2.840.113556.1.4.1846
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JvcYaEtnG0SKOvQFljdM6g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Quota-Trustee,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-QuotaTrustee
adminDisplayName: ms-DS-Quota-Trustee
adminDescription: The SID of the security principal for which quota is being assigned.
attributeId: 1.2.840.113556.1.4.1844
attributeSyntax: 2.5.5.17
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 28
schemaIdGuid:: Bok3FqVOvkmo0b/UHf9PZQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Top-Quota-Usage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TopQuotaUsage
adminDisplayName: ms-DS-Top-Quota-Usage
adminDescription: The list of top quota users ordered by decreasing quota usage currently in the directory database.
attributeId: 1.2.840.113556.1.4.1850
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: T858e/Xxtku36yNQSvGedQ==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Quota-Effective,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-QuotaEffective
adminDisplayName: ms-DS-Quota-Effective
adminDescription: The effective quota for a security principal computed from the assigned quotas for a directory partition.
attributeId: 1.2.840.113556.1.4.1848
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: UrFVZhwQtEizR+H868YBVw==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=MS-DRM-Identity-Certificate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDRM-IdentityCertificate
adminDisplayName: ms-DRM-Identity-Certificate
adminDescription: The XrML digital rights management certificates for this user.
attributeId: 1.2.840.113556.1.4.1843
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
searchFlags: 0
rangeLower: 1
rangeUpper: 10240
schemaIdGuid:: BBJe6DQ0rUGbVuKQEij/8A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Tombstone-Quota-Factor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-TombstoneQuotaFactor
adminDisplayName: ms-DS-Tombstone-Quota-Factor
adminDescription: The factor by which tombstone object count should be reduced for the purpose of quota accounting.
attributeId: 1.2.840.113556.1.4.1847
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 100
schemaIdGuid:: 10QXRrbzukWHU/uVUqXfMg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=Terminal-Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 20480
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Quota-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-QuotaContainer
adminDisplayName: ms-DS-Quota-Container
adminDescription: A special container that holds all quota specifications for the directory database.
governsId: 1.2.840.113556.1.5.242
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 2.5.4.3
systemMayContain: 1.2.840.113556.1.4.1850
systemMayContain: 1.2.840.113556.1.4.1849
systemMayContain: 1.2.840.113556.1.4.1848
systemMayContain: 1.2.840.113556.1.4.1847
systemMayContain: 1.2.840.113556.1.4.1846
systemPossSuperiors: 1.2.840.113556.1.5.12
systemPossSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: T/yD2m8H6kq03I9Nq5tZkw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;BA)(OA;;CR;4ecc03fe-ffc0-4947-b630-eb672a8a9dbc;;WD)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Quota-Container,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Quota-Control,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-QuotaControl
adminDisplayName: ms-DS-Quota-Control
adminDescription: A class used to represent quota specifications for the directory database.
governsId: 1.2.840.113556.1.5.243
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1845
systemMustContain: 1.2.840.113556.1.4.1844
systemMustContain: 2.5.4.3
systemPossSuperiors: 1.2.840.113556.1.5.242
schemaIdGuid:: JvyR3gK9UkuuJnlZmelvxw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;BA)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Quota-Control,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=DS-Query-Self-Quota,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: da83fc4f-076f-4aea-b4dc-8f4dab9b5993
displayName: Query Self Quota
localizationDisplayId: 71
rightsGUID: 4ecc03fe-ffc0-4947-b630-eb672a8a9dbc
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 30
-
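The Sch30 entries above define the DS-Query-Self-Quota control access right and then grant it to Everyone through the object-specific ACE (OA;;CR;4ecc03fe-...;;WD) in the msDS-QuotaContainer defaultSecurityDescriptor. Cross-checking that by eye is awkward because appliesTo and rightsGUID are GUID strings while schemaIdGuid is base64 of the raw 16 GUID bytes in Windows byte order. The Python script below is an added example, not part of the Microsoft schema files on this page: it parses a small constructed LDIF excerpt (records copied from the Sch30 entries above plus the Sch31 unixUserPassword attribute, which carries searchFlags 128), decodes schemaIdGuid to canonical GUID form, splits the SDDL DACL into ACEs, resolves each CR object GUID against the controlAccessRight records' rightsGUID and displayName, and expands searchFlags into flag names. The sample input, the function names, the trustee abbreviation subset and the searchFlags bit names are this example's own assumptions; nothing here is read from a live directory.

```python
"""Added example: parse a schema LDIF excerpt, decode schemaIdGuid, resolve CR ACEs."""
import base64
import re
import uuid

# Constructed sample input (records copied from the Sch30 and Sch31 entries on
# this page, one value folded per RFC 2849); it is not a complete schema file.
SAMPLE_LDIF = """\
dn: CN=DS-Query-Self-Quota,CN=Extended-Rights,CN=Configuration,DC=X
objectClass: controlAccessRight
appliesTo: da83fc4f-076f-4aea-b4dc-8f4dab9b5993
displayName: Query Self Quota
rightsGUID: 4ecc03fe-ffc0-4947-b630-eb672a8a9dbc
validAccesses: 256

dn: CN=ms-DS-Quota-Container,CN=Schema,CN=Configuration,DC=X
objectClass: classSchema
ldapDisplayName: msDS-QuotaContainer
schemaIdGuid:: T/yD2m8H6kq03I9Nq5tZkw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;BA)(OA;;CR;4ecc03fe-
 ffc0-4947-b630-eb672a8a9dbc;;WD)

dn: CN=UnixUserPassword,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
ldapDisplayName: unixUserPassword
searchFlags: 128
schemaIdGuid:: R7csYejAkk+SIf3V8VtVDQ==
"""
# attributeSchema searchFlags bits, lowest bit first (names as in the AD schema docs).
SEARCH_FLAGS = ["fATTINDEX", "fPDNTATTINDEX", "fANR", "fPRESERVEONDELETE", "fCOPY",
                "fTUPLEINDEX", "fSUBTREEATTINDEX", "fCONFIDENTIAL", "fNEVERVALUEAUDIT",
                "fRODCFilteredAttribute"]
# Subset of SDDL well-known trustee abbreviations (assumption: enough for schema SDDL).
TRUSTEES = {"DA": "Domain Admins", "BA": "Builtin Administrators", "WD": "Everyone"}
_ACE = re.compile(r"\(([^)]*)\)")


def parse_ldif(text):
    """One dict (attribute -> list of values) per dn: record; folded lines joined,
    'attr:: b64' values decoded to bytes, blank lines and '-' separators skipped."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:   # RFC 2849 continuation line
            lines[-1] += line[1:]
        else:
            lines.append(line)
    records, current = [], None
    for line in lines:
        if line.startswith("dn:"):
            current = {}
            records.append(current)
        attr, sep, value = line.partition(":")
        if current is None or not sep or line.startswith("#"):
            continue
        if value.startswith(":"):            # base64-encoded value
            current.setdefault(attr, []).append(base64.b64decode(value[1:].strip()))
        else:
            current.setdefault(attr, []).append(value.strip())
    return records


def decode_schema_guid(value):
    """schemaIdGuid holds the 16 GUID bytes with the first three fields
    little-endian, which is exactly uuid's bytes_le layout."""
    if isinstance(value, str):
        value = base64.b64decode(value)
    return str(uuid.UUID(bytes_le=value))


def parse_sddl_dacl(sddl):
    """Split the D: part of an SDDL string into ACE dicts; rights are two-letter tokens."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    aces = []
    for body in _ACE.findall(dacl):
        ace_type, flags, rights, obj_guid, inh_guid, trustee = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags,
                     "rights": [rights[i:i + 2] for i in range(0, len(rights), 2)],
                     "object_guid": obj_guid.lower(), "inherit_guid": inh_guid.lower(),
                     "trustee": TRUSTEES.get(trustee, trustee)})
    return aces


def resolve_control_access(records):
    """(class, trustee, right name) for each object-specific CR ACE in a classSchema
    defaultSecurityDescriptor, resolved through the controlAccessRight records."""
    rights = {r["rightsGUID"][0].lower(): r["displayName"][0]
              for r in records if "controlAccessRight" in r.get("objectClass", [])}
    grants = []
    for r in records:
        if "classSchema" not in r.get("objectClass", []):
            continue
        for ace in parse_sddl_dacl(r.get("defaultSecurityDescriptor", [""])[0]):
            if ace["type"] == "OA" and "CR" in ace["rights"] and ace["object_guid"]:
                grants.append((r["ldapDisplayName"][0], ace["trustee"],
                               rights.get(ace["object_guid"], "<unknown right>")))
    return grants


def decode_search_flags(value):
    """Expand a searchFlags integer into flag names, lowest bit first."""
    value = int(value)
    return [name for i, name in enumerate(SEARCH_FLAGS) if value & (1 << i)]
```

Running resolve_control_access(parse_ldif(SAMPLE_LDIF)) returns [("msDS-QuotaContainer", "Everyone", "Query Self Quota")], and decoding the container's schemaIdGuid yields da83fc4f-076f-4aea-b4dc-8f4dab9b5993, the same GUID the right's appliesTo names. For unixUserPassword, decode_search_flags("128") returns ["fCONFIDENTIAL"]: a confidential attribute can only be read by principals that hold both the read-property right and the control-access right on the object, so the default ACLs of objects carrying it matter more than the usual attribute read rights. The parser keeps every value as a list and follows RFC 2849 line folding, so it can be pointed at a full .ldf file rather than the excerpt.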
Sch31.ldf
dn: CN=Gecos,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: gecos
adminDisplayName: gecos
adminDescription: The GECOS field; the common name (RFC 2307)
attributeId: 1.3.6.1.1.1.1.2
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 10240
schemaIdGuid:: Hz/go1UdU0KgrzDCp4Tkbg==
showInAdvancedViewOnly: TRUE
dn: CN=BootFile,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: bootFile
adminDisplayName: bootFile
adminDescription: Boot image name
attributeId: 1.3.6.1.1.1.1.24
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 10240
schemaIdGuid:: Tsvz4yAP60KXA9L/JuUmZw==
showInAdvancedViewOnly: TRUE
dn: CN=MemberUid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: memberUid
adminDisplayName: memberUid
adminDescription: This multivalued attribute holds the login names of the members of a group.
attributeId: 1.3.6.1.1.1.1.12
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 256000
schemaIdGuid:: NrLaAy5nYU+rZPd9LcL/qw==
showInAdvancedViewOnly: TRUE
dn: CN=GidNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: gidNumber
adminDisplayName: gidNumber
adminDescription: An integer uniquely identifying a group in an administrative domain (RFC 2307)
attributeId: 1.3.6.1.1.1.1.1
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: DF+5xZ7sxEGEnLRll+1mlg==
showInAdvancedViewOnly: TRUE
dn: CN=ShadowMin,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: shadowMin
adminDisplayName: shadowMin
adminDescription: Minimum number of days between shadow changes.
attributeId: 1.3.6.1.1.1.1.6
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: N4drp6HlaEWwV9wS4Evksg==
showInAdvancedViewOnly: TRUE
dn: CN=UidNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uidNumber
adminDisplayName: uidNumber
adminDescription: An integer uniquely identifying a user in an administrative domain (RFC 2307)
attributeId: 1.3.6.1.1.1.1.0
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: j8wPhWuc4Ue2cXxlS+TVsw==
showInAdvancedViewOnly: TRUE
dn: CN=ShadowMax,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: shadowMax
adminDisplayName: shadowMax
adminDescription: Maximum number of days password is valid.
attributeId: 1.3.6.1.1.1.1.7
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: UsmF8t1QnkSRYDuIDZmYjQ==
showInAdvancedViewOnly: TRUE
dn: CN=MacAddress,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: macAddress
adminDisplayName: macAddress
adminDescription: MAC address in maximal, colon separated hex notation
attributeId: 1.3.6.1.1.1.1.22
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 128
schemaIdGuid:: 3SKl5nCX4UOJ3h3lBEMo9w==
showInAdvancedViewOnly: TRUE
dn: CN=ShadowFlag,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: shadowFlag
adminDisplayName: shadowFlag
adminDescription: This is a part of the shadow map used to store the flag value.
attributeId: 1.3.6.1.1.1.1.11
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Dbf+jdvFtkaxXqQ4nmzumw==
showInAdvancedViewOnly: TRUE
dn: CN=NisMapName,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: nisMapName
adminDisplayName: nisMapName
adminDescription: The attribute contains the name of the map to which the object belongs.
attributeId: 1.3.6.1.1.1.1.26
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1024
schemaIdGuid:: eTydlpoOlU2wrL3ef/jzoQ==
showInAdvancedViewOnly: TRUE
dn: CN=LoginShell,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: loginShell
adminDisplayName: loginShell
adminDescription: The path to the login shell (RFC 2307)
attributeId: 1.3.6.1.1.1.1.4
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1024
schemaIdGuid:: LNFTpTEyXkyK340YlpdyHg==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30Name
adminDisplayName: msSFU-30-Name
adminDescription: stores the name of a map
attributeId: 1.2.840.113556.1.6.18.1.309
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
rangeUpper: 1024
schemaIdGuid:: 09HFFsI1YUCocKXO/agE8A==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-Flags,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-Flags
adminDisplayName: ms-DFSR-Flags
adminDescription: DFSR Object Flags
attributeId: 1.2.840.113556.1.6.13.3.16
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: lVZR/mE/yEWb+hnBSMV7CQ==
showInAdvancedViewOnly: TRUE
dn: CN=NisMapEntry,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: nisMapEntry
adminDisplayName: nisMapEntry
adminDescription: This holds one map entry of a non standard map.
attributeId: 1.3.6.1.1.1.1.27
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1024
schemaIdGuid:: biGVSsD8LkC1f1lxYmFIqQ==
showInAdvancedViewOnly: TRUE
dn: CN=OncRpcNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: oncRpcNumber
adminDisplayName: oncRpcNumber
adminDescription: This is a part of the rpc map and stores the RPC number for UNIX RPCs.
attributeId: 1.3.6.1.1.1.1.18
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 9SVoltkBXEqgEdFa6E76VQ==
showInAdvancedViewOnly: TRUE
dn: CN=IpHostNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ipHostNumber
adminDisplayName: ipHostNumber
adminDescription: IP address as a dotted decimal omitting leading zeros
attributeId: 1.3.6.1.1.1.1.19
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 128
schemaIdGuid:: IbeL3tyF3k+2h5ZXaI5mfg==
showInAdvancedViewOnly: TRUE
dn: CN=ShadowExpire,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: shadowExpire
adminDisplayName: shadowExpire
adminDescription: Absolute date to expire account
attributeId: 1.3.6.1.1.1.1.10
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: AJoVdf8f9EyL/07yaVz2Qw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-Enabled
adminDisplayName: ms-DFSR-Enabled
adminDescription: Specify if the object enabled
attributeId: 1.2.840.113556.1.6.13.3.9
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: 52pyA32ORkSKrqkWV8AJkw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-DfsPath,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-DfsPath
adminDisplayName: ms-DFSR-DfsPath
adminDescription: Full path of associated DFS link
attributeId: 1.2.840.113556.1.6.13.3.21
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 1
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: 4gPJLIw5O0Sshv9rAerHug==
showInAdvancedViewOnly: TRUE
dn: CN=BootParameter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: bootParameter
adminDisplayName: bootParameter
adminDescription: rpc.bootparamd parameter
attributeId: 1.3.6.1.1.1.1.23
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 10240
schemaIdGuid:: UAcq13yMbkGHFOZfEekIvg==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Aliases,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30Aliases
adminDisplayName: msSFU-30-Aliases
adminDescription: part of the NIS mail map
attributeId: 1.2.840.113556.1.6.18.1.323
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 153600
schemaIdGuid:: cfHrIJrGMUyyndy4N9iRLQ==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Domains,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30Domains
adminDisplayName: msSFU-30-Domains
adminDescription: stores the list of UNIX NIS domains migrated to the same AD NIS domain
attributeId: 1.2.840.113556.1.6.18.1.340
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
rangeUpper: 256000
schemaIdGuid:: 014JkzBv3Uu3NGXVafX3yQ==
showInAdvancedViewOnly: TRUE
dn: CN=IpServicePort,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ipServicePort
adminDisplayName: ipServicePort
adminDescription: This is a part of the services map and contains the port at which the UNIX service is available.
attributeId: 1.3.6.1.1.1.1.15
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: v64t/2P0WkmEBT5INkHqog==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-Version
adminDisplayName: ms-DFSR-Version
adminDescription: DFSR version number
attributeId: 1.2.840.113556.1.6.13.3.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
rangeUpper: 256
searchFlags: 0
schemaIdGuid:: CBSGGsM46km6dYVIGnfGVQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-Options,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-Options
adminDisplayName: ms-DFSR-Options
adminDescription: DFSR object options
attributeId: 1.2.840.113556.1.6.13.3.17
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: hHDW1iDHfUGGR7aWI3oRTA==
showInAdvancedViewOnly: TRUE
dn: CN=ShadowWarning,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: shadowWarning
adminDisplayName: shadowWarning
adminDescription: Number of days before password expiry to warn user
attributeId: 1.3.6.1.1.1.1.8
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: nJzoenYpRkq7ijQPiFYBFw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-Schedule,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-Schedule
adminDisplayName: ms-DFSR-Schedule
adminDescription: DFSR Replication schedule
attributeId: 1.2.840.113556.1.6.13.3.14
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 0
rangeLower: 336
rangeUpper: 336
schemaIdGuid:: X/GZRh+n4kif9ViXwHWSBQ==
showInAdvancedViewOnly: TRUE
dn: CN=ShadowInactive,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: shadowInactive
adminDisplayName: shadowInactive
adminDescription: Number of days before password expiry to warn user
attributeId: 1.3.6.1.1.1.1.9
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Hx2HhhAzEkOO/a9J3PsmcQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-RootPath,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-RootPath
adminDisplayName: ms-DFSR-RootPath
adminDescription: Full path of the root directory
attributeId: 1.2.840.113556.1.6.13.3.3
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: wejV1x/mT0afzyC74KLsVA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-Keywords,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-Keywords
adminDisplayName: ms-DFSR-Keywords
adminDescription: User defined keywords
attributeId: 1.2.840.113556.1.6.13.3.15
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: kkaLBCdiZ0ugdMRDcIPhSw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-RootFence,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-RootFence
adminDisplayName: ms-DFSR-RootFence
adminDescription: Root directory fence value
attributeId: 1.2.840.113556.1.6.13.3.22
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: lI6SUdgsvkq1UuUEEkRDcA==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Nis-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30NisDomain
adminDisplayName: msSFU-30-Nis-Domain
adminDescription: This attribute is used to store the NIS domain
attributeId: 1.2.840.113556.1.6.18.1.339
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
rangeUpper: 1024
systemOnly: FALSE
searchFlags: 9
schemaIdGuid:: 47LjnvPH+EWMnxOCvkmE0g==
showInAdvancedViewOnly: TRUE
dn: CN=IpNetmaskNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ipNetmaskNumber
adminDisplayName: ipNetmaskNumber
adminDescription: IP netmask as a dotted decimal, omitting leading zeros
attributeId: 1.3.6.1.1.1.1.21
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 128
schemaIdGuid:: zU/2by5GYk+0SppTR2WeuQ==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Map-Filter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30MapFilter
adminDisplayName: msSFU-30-Map-Filter
adminDescription: stores a string containing map keys, domain name and so on. The string is used to filter data in a map
attributeId: 1.2.840.113556.1.6.18.1.306
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1024
schemaIdGuid:: AW6xt08CI06tDXHxpAa2hA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-Extension,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-Extension
adminDisplayName: ms-DFSR-Extension
adminDescription: DFSR Extension attribute
attributeId: 1.2.840.113556.1.6.13.3.2
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 65536
schemaIdGuid:: 7BHweGanGUutz3uB7XgaTQ==
showInAdvancedViewOnly: TRUE
dn: CN=IpNetworkNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ipNetworkNumber
adminDisplayName: ipNetworkNumber
adminDescription: IP network as a dotted decimal, omitting leading zeros
attributeId: 1.3.6.1.1.1.1.20
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 128
schemaIdGuid:: 9FQ4TocwpEKoE7sMUolY0w==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Key-Values,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30KeyValues
adminDisplayName: msSFU-30-Key-Values
adminDescription: This attribute is internal to Server for NIS and is used as a scratch pad
attributeId: 1.2.840.113556.1.6.18.1.324
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
rangeUpper: 10240
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: NQKDN+nl8kaSK9jUTwPnrg==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Yp-Servers,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30YpServers
adminDisplayName: msSFU-30-Yp-Servers
adminDescription: Stores ypserves list, list of "Servers for NIS" in a NIS domain
attributeId: 1.2.840.113556.1.6.18.1.341
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
rangeUpper: 20480
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: S5RKCFDh/kuTRUDhrtrrug==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-RdcEnabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-RdcEnabled
adminDisplayName: ms-DFSR-RdcEnabled
adminDescription: Enable and disable RDC
attributeId: 1.2.840.113556.1.6.13.3.19
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: BU6046f0eECnMPSGcKdD+A==
showInAdvancedViewOnly: TRUE
dn: CN=ShadowLastChange,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: shadowLastChange
adminDisplayName: shadowLastChange
adminDescription: Last change of shadow information.
attributeId: 1.3.6.1.1.1.1.5
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: nGjy+OgpQ0iBd+i5jhXurA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-FileFilter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-FileFilter
adminDisplayName: ms-DFSR-FileFilter
adminDescription: Filter string applied to files
attributeId: 1.2.840.113556.1.6.13.3.12
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: rHCC1tylQUimrM1ovjjBgQ==
showInAdvancedViewOnly: TRUE
dn: CN=IpProtocolNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ipProtocolNumber
adminDisplayName: ipProtocolNumber
adminDescription: This is part of the protocols map and stores the unique number that identifies the protocol.
attributeId: 1.3.6.1.1.1.1.17
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 68b16y0OFUSWcBCBmTtCEQ==
showInAdvancedViewOnly: TRUE
dn: CN=UnixUserPassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: unixUserPassword
adminDisplayName: unixUserPassword
adminDescription: userPassword compatible with Unix system.
attributeId: 1.2.840.113556.1.4.1910
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 128
rangeLower: 1
rangeUpper: 128
schemaIdGuid:: R7csYejAkk+SIf3V8VtVDQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-StagingPath,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-StagingPath
adminDisplayName: ms-DFSR-StagingPath
adminDescription: Full path of the staging directory
attributeId: 1.2.840.113556.1.6.13.3.5
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: nqa5hqbwXUCZu3fZd5ksKg==
showInAdvancedViewOnly: TRUE
dn: CN=MemberNisNetgroup,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: memberNisNetgroup
adminDisplayName: memberNisNetgroup
adminDescription: A multivalued attribute that holds the list of netgroups that are members of this netgroup.
attributeId: 1.3.6.1.1.1.1.13
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
rangeUpper: 153600
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 3BdqD+VT6EuUQo884vkBKg==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Order-Number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30OrderNumber
adminDisplayName: msSFU-30-Order-Number
adminDescription: Every time the data stored in the msSFU-30-Domain-Info object is changed, the value of this attribute is incremented. Server for NIS uses this object to check if the map has changed. This number is used to track data changes between ypxfer calls
attributeId: 1.2.840.113556.1.6.18.1.308
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
rangeUpper: 1024
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: BV9iAu7Rn0+zZlUma+y5XA==
showInAdvancedViewOnly: TRUE
dn: CN=IpServiceProtocol,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ipServiceProtocol
adminDisplayName: ipServiceProtocol
adminDescription: This is a part of the services map and stores the protocol number for a UNIX service.
attributeId: 1.3.6.1.1.1.1.16
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
rangeUpper: 1024
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: C+yWzdYetEOya/FwtkWIPw==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Posix-Member,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30PosixMember
adminDisplayName: msSFU-30-Posix-Member
adminDescription: This attribute is used to store the DN display names of the users that are part of a group
attributeId: 1.2.840.113556.1.6.18.1.346
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: Ldh1yEgo7Ey7UDxUhtCdVw==
linkID: 2030
showInAdvancedViewOnly: TRUE
dn: CN=UnixHomeDirectory,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: unixHomeDirectory
adminDisplayName: unixHomeDirectory
adminDescription: The absolute path to the home directory (RFC 2307)
attributeId: 1.3.6.1.1.1.1.3
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
rangeUpper: 2048
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ErotvA8ATUa/HQgIRl2IQw==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Crypt-Method,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30CryptMethod
adminDisplayName: msSFU-30-Crypt-Method
adminDescription: used to store the method used for encrypting the UNIX passwords, either MD5 or crypt.
attributeId: 1.2.840.113556.1.6.18.1.352
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
rangeUpper: 1024
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: o9IDRXA9uEGwd9/xI8FYZQ==
showInAdvancedViewOnly: TRUE
dn: CN=NisNetgroupTriple,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: nisNetgroupTriple
adminDisplayName: nisNetgroupTriple
adminDescription: This attribute represents one entry from a netgroup map.
attributeId: 1.3.6.1.1.1.1.14
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
rangeUpper: 153600
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: dC4DqO8w9U+v/A/CF3g/7A==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-ConflictPath,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-ConflictPath
adminDisplayName: ms-DFSR-ConflictPath
adminDescription: Full path of the conflict directory
attributeId: 1.2.840.113556.1.6.13.3.7
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: yLzwXPdg/0u9pq6gNE6xUQ==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Max-Gid-Number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30MaxGidNumber
adminDisplayName: msSFU-30-Max-Gid-Number
adminDescription: stores the maximum number of groups migrated to a NIS domain
attributeId: 1.2.840.113556.1.6.18.1.342
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: pmruBDv4mka/WjwA02NGaQ==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Max-Uid-Number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30MaxUidNumber
adminDisplayName: msSFU-30-Max-Uid-Number
adminDescription: stores the maximum number of users migrated to a NIS domain
attributeId: 1.2.840.113556.1.6.18.1.343
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: N4SZ7ETZKEqFACF1iK38dQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-RootSizeInMb,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-RootSizeInMb
adminDisplayName: ms-DFSR-RootSizeInMb
adminDescription: Size of the root directory in MB
attributeId: 1.2.840.113556.1.6.13.3.4
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: -1
schemaIdGuid:: rGm3kBNEz0OteoZxQudAow==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-DfsLinkTarget,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-DfsLinkTarget
adminDisplayName: ms-DFSR-DfsLinkTarget
adminDescription: Link target used for the subscription
attributeId: 1.2.840.113556.1.6.13.3.24
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: qVu49/k7j0KqtC7ubVbwYw==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Posix-Member-Of,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30PosixMemberOf
adminDisplayName: msSFU-30-Posix-Member-Of
adminDescription: stores the display names of the groups to which this user belongs
attributeId: 1.2.840.113556.1.6.18.1.347
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: kmvXe0QyikOtpiT16jQ4Hg==
linkID: 2031
showInAdvancedViewOnly: TRUE
systemFlags: 1
dn: CN=msSFU-30-Key-Attributes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30KeyAttributes
adminDisplayName: msSFU-30-Key-Attributes
adminDescription: stores the names of the attributes which the Server for NIS will use as keys to search a map
attributeId: 1.2.840.113556.1.6.18.1.301
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
rangeUpper: 1024
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: mNbsMp7OlEihNHrXawgugw==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Field-Separator,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30FieldSeparator
adminDisplayName: msSFU-30-Field-Separator
adminDescription: stores Field Separator for each NIS map
attributeId: 1.2.840.113556.1.6.18.1.302
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
rangeUpper: 50
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: QhrhooHnoUyn+uwwf2K2oQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-ContentSetGuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-ContentSetGuid
adminDisplayName: ms-DFSR-ContentSetGuid
adminDescription: DFSR Content set guid
attributeId: 1.2.840.113556.1.6.13.3.18
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 0
rangeLower: 16
rangeUpper: 16
schemaIdGuid:: 4ag1EKhnIUy3uwMc35nXoA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-MemberReference,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-MemberReference
adminDisplayName: ms-DFSR-MemberReference
adminDescription: Forward link to DFSR-Member object
attributeId: 1.2.840.113556.1.6.13.3.100
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: qjcTJsPxskS76siNSebwxw==
linkID: 2052
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Search-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30SearchContainer
adminDisplayName: msSFU-30-Search-Container
adminDescription: stores the identifier of an object from where each search will begin
attributeId: 1.2.840.113556.1.6.18.1.300
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
rangeUpper: 2048
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: or/uJ+v7jk+q1sUCR5lCkQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-StagingSizeInMb,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-StagingSizeInMb
adminDisplayName: ms-DFSR-StagingSizeInMb
adminDescription: Size of the staging directory in MB
attributeId: 1.2.840.113556.1.6.13.3.6
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: -1
schemaIdGuid:: II8KJfz2WUWuZeSyTGeuvg==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-DirectoryFilter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-DirectoryFilter
adminDisplayName: ms-DFSR-DirectoryFilter
adminDescription: Filter string applied to directories
attributeId: 1.2.840.113556.1.6.13.3.13
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: d7THky4fQEu3vwB+jQOMzw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-ConflictSizeInMb,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-ConflictSizeInMb
adminDisplayName: ms-DFSR-ConflictSizeInMb
adminDescription: Size of the Conflict directory in MB
attributeId: 1.2.840.113556.1.6.13.3.8
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: -1
schemaIdGuid:: yT/Tms+qmUK7PtH8bqiOSQ==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Is-Valid-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30IsValidContainer
adminDisplayName: msSFU-30-Is-Valid-Container
adminDescription: internal to Server for NIS and stores whether the current search root is valid
attributeId: 1.2.840.113556.1.6.18.1.350
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: 9ULqDY0nV0G0p0m1lmSRWw==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Search-Attributes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30SearchAttributes
adminDisplayName: msSFU-30-Search-Attributes
adminDescription: stores the names of the attributes Server for NIS needs while searching a map
attributeId: 1.2.840.113556.1.6.18.1.304
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
rangeUpper: 1024
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 8C2a71cuyEiJUAzGdABHMw==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Master-Server-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30MasterServerName
adminDisplayName: msSFU-30-Master-Server-Name
adminDescription: The value in this container is returned when Server for NIS processes a yp_master API call
attributeId: 1.2.840.113556.1.6.18.1.307
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
rangeUpper: 1024
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: ogjJTBieDkGEWfF8xCICCg==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Result-Attributes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30ResultAttributes
adminDisplayName: msSFU-30-Result-Attributes
adminDescription: Server for NIS uses this object as a scratch pad
attributeId: 1.2.840.113556.1.6.18.1.305
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
rangeUpper: 1024
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: trBn4UVAM0SsNVP5ctRcug==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-MemberReferenceBL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-MemberReferenceBL
adminDisplayName: ms-DFSR-MemberReferenceBL
adminDescription: Backlink attribute for ms-DFSR-MemberReference
attributeId: 1.2.840.113556.1.6.13.3.102
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: xmLerYAY7UG9PDC30l4U8A==
linkID: 2053
showInAdvancedViewOnly: TRUE
systemFlags: 1
dn: CN=ms-DFSR-ComputerReference,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-ComputerReference
adminDisplayName: ms-DFSR-ComputerReference
adminDescription: Forward link to Computer object
attributeId: 1.2.840.113556.1.6.13.3.101
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: hVd7bCE9v0GKimJ5QVRNWg==
linkID: 2050
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-RdcMinFileSizeInKb,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-RdcMinFileSizeInKb
adminDisplayName: ms-DFSR-RdcMinFileSizeInKb
adminDescription: Minimum file size to apply RDC
attributeId: 1.2.840.113556.1.6.13.3.20
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: -1
schemaIdGuid:: MKMC9OWswU2MyXTZAL+K4A==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-NSMAP-Field-Position,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30NSMAPFieldPosition
adminDisplayName: msSFU-30-NSMAP-Field-Position
adminDescription: This attribute stores the "field position" used to extract the key from a non-standard map
attributeId: 1.2.840.113556.1.6.18.1.345
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
rangeUpper: 1024
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Xp1cWJn1B0+c+UNzr0uJ0w==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-ComputerReferenceBL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-ComputerReferenceBL
adminDisplayName: ms-DFSR-ComputerReferenceBL
adminDescription: Backlink attribute for ms-DFSR-ComputerReference
attributeId: 1.2.840.113556.1.6.13.3.103
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 1ya1XhvXrkSMxpVGAFLmrA==
linkID: 2051
showInAdvancedViewOnly: TRUE
systemFlags: 1
dn: CN=msSFU-30-Intra-Field-Separator,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30IntraFieldSeparator
adminDisplayName: msSFU-30-Intra-Field-Separator
adminDescription: This attribute stores intra field separators for each NIS map
attributeId: 1.2.840.113556.1.6.18.1.303
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
rangeUpper: 50
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 8K6yleQnuUyICqLZqeojuA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-ReplicationGroupGuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-ReplicationGroupGuid
adminDisplayName: ms-DFSR-ReplicationGroupGuid
adminDescription: Replication group guid
attributeId: 1.2.840.113556.1.6.13.3.23
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 1
rangeLower: 16
rangeUpper: 16
schemaIdGuid:: loetLRl2+E+Wbgpcxnsofw==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Netgroup-Host-At-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30NetgroupHostAtDomain
adminDisplayName: msSFU-30-Netgroup-Host-At-Domain
adminDescription: Part of the netgroup map. This attribute represents computed strings such as host@domain
attributeId: 1.2.840.113556.1.6.18.1.348
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
rangeUpper: 2048
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: Zb/Sl2YEUkiiWuwg9X7jbA==
showInAdvancedViewOnly: TRUE
dn: CN=msSFU-30-Netgroup-User-At-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msSFU30NetgroupUserAtDomain
adminDisplayName: msSFU-30-Netgroup-User-At-Domain
adminDescription: Part of the netgroup map. This attribute represents computed strings such as user@domain
attributeId: 1.2.840.113556.1.6.18.1.349
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
rangeUpper: 2048
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: 7U7oqTDmZ0u0s8rSqC00Xg==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-ReplicationGroupType,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-ReplicationGroupType
adminDisplayName: ms-DFSR-ReplicationGroupType
adminDescription: Type of Replication Group
attributeId: 1.2.840.113556.1.6.13.3.10
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: yA/t7gEQ7UWAzLv3RJMHIA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-TombstoneExpiryInMin,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-TombstoneExpiryInMin
adminDisplayName: ms-DFSR-TombstoneExpiryInMin
adminDescription: Tombstone record lifetime in minutes
attributeId: 1.2.840.113556.1.6.13.3.11
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 2147483647
schemaIdGuid:: TF3jIyTjYUiiL+GZFA2uAA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Source-Object-DN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-SourceObjectDN
adminDisplayName: ms-DS-Source-Object-DN
adminDescription: The string representation of the DN of the object in another forest that corresponds to this object.
attributeId: 1.2.840.113556.1.4.1879
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 10240
schemaIdGuid:: r5M+d7TT1Eiz+QZFdgLT0A==
showInAdvancedViewOnly: TRUE
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
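Before a file like this is imported into the forest schema (`ldifde -i` on the schema master, with `-c DC=X <forest root DN>` to rewrite the `DC=X` placeholder), a reviewer wants to see what it actually grants rather than trust the descriptions. The script below is an added example and is not part of this schema file or of Microsoft's tooling. It decodes the base64 `schemaIdGuid::` values into the GUID form ADSI Edit shows, parses each class's `defaultSecurityDescriptor` and flags any allow-ACE that gives Authenticated Users or Everyone more than the read-only `RPLCLORC` set the records on this page grant them, and checks that `linkID` values pair up (even forward link, backlink = forward + 1, as with 2052/2053 and 2050/2051 here). The sample LDIF embedded in it is constructed from the record shapes on this page; the class `msDemo-Weak` and the GUID bytes are invented so the checks have something to report.

```python
"""Pre-flight audit of an AD schema-extension LDIF before `ldifde -i` on the Schema Master.
Added example, not from the schema file on this page; stdlib only. It decodes schemaIdGuid, flags
defaultSecurityDescriptor ACEs that grant write rights to broad principals, and pairs linked
attributes. SAMPLE_LDIF is constructed from record shapes on this page; the class msDemo-Weak and
the GUID bytes 00..0f are invented for the demonstration."""
import base64
import re
import uuid
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=ms-DFSR-MemberReference,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDFSR-MemberReference
schemaIdGuid:: AAECAwQFBgcICQoLDA0ODw==
linkID: 2052

dn: CN=ms-DFSR-MemberReferenceBL,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDFSR-MemberReferenceBL
linkID: 2053

dn: CN=msSFU-30-Posix-Member-Of,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msSFU30PosixMemberOf
linkID: 2031

dn: CN=ms-DFSR-Member,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDFSR-Member
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)
 (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)

dn: CN=msDemo-Weak,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDemo-Weak
defaultSecurityDescriptor: D:(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
"""

LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
WRITE_RIGHTS = {"WP", "CC", "DC", "SD", "DT", "SW", "WD", "WO", "CR", "GA", "GW"}  # alter object or ACL
BROAD_TRUSTEES = {"AU", "WD", "AN", "DU"}  # Authenticated Users, Everyone, Anonymous, Domain Users

def parse_ldif(text):
    """One dict per record (attribute -> list of values); 'attr::' values are base64-decoded."""
    logical = []                                  # unfold: a leading space continues the previous line
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, current = [], None
    for line in logical + [""]:                   # sentinel blank line flushes the final record
        if not line.strip():
            if current:
                records.append(dict(current))
            current = None
            continue
        if line == "-":                           # change separator inside a changetype: modify record
            continue
        if not (m := LINE_RE.match(line)):
            raise ValueError(f"malformed LDIF line: {line!r}")
        key, sep, value = m.groups()
        current = current if current is not None else defaultdict(list)
        current[key].append(base64.b64decode(value) if sep == "::" else value)
    return records

def schema_guid(record):
    """schemaIdGuid is a little-endian Windows GUID; bytes_le gives the form ADSI Edit displays."""
    return str(uuid.UUID(bytes_le=record["schemaIdGuid"][0]))

def parse_aces(sddl):
    """(trustee, ace_type, rights) per DACL ACE; rights are two-letter codes run together (RPLCLORC)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    return [(trustee, ace_type, {rights[i:i + 2] for i in range(0, len(rights), 2)})
            for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(dacl)]

def weak_default_sd(record):
    """Allow-ACEs in a class's default SD giving write-class rights to a broad principal; every
    object created from the class inherits this ACL unless the creator overrides it."""
    return [(trustee, sorted(rights & WRITE_RIGHTS))
            for sddl in record.get("defaultSecurityDescriptor", [])
            for trustee, ace_type, rights in parse_aces(sddl)
            if ace_type == "A" and trustee in BROAD_TRUSTEES and rights & WRITE_RIGHTS]

def unpaired_links(records):
    """Forward links have an even linkID and their backlink is linkID + 1; report linkIDs whose
    partner is not in this file (it must then already exist in the forest schema)."""
    by_id = {int(r["linkID"][0]): r["ldapDisplayName"][0] for r in records if "linkID" in r}
    return [(name, lid) for lid, name in sorted(by_id.items())
            if (lid + 1 if lid % 2 == 0 else lid - 1) not in by_id]

def audit(text):
    records = parse_ldif(text)
    report = {"guids": {}, "weak_default_sd": {}, "unpaired_links": unpaired_links(records)}
    for r in records:
        name = r.get("ldapDisplayName", r.get("dn", ["<no dn>"]))[0]
        if "schemaIdGuid" in r:
            report["guids"][name] = schema_guid(r)
        if findings := weak_default_sd(r):
            report["weak_default_sd"][name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Run it against the real file with `audit(open("schema.ldf").read())`. In the sample, `msDFSR-Member` passes because Authenticated Users get only `RPLCLORC`, `msDemo-Weak` is flagged for handing `WP`, `CC`, `DC`, `WD`, `WO` and the rest to every authenticated user, and the `msSFU30PosixMemberOf` backlink (2031) is reported unpaired because its forward link 2030 is not defined in the excerpt, which is exactly the situation where the importer must already find that attribute in the schema. Note the parser expects standard LDIF folding (continuation lines start with a space); the descriptors on this page were wrapped by extraction and need to be on one line before the script will accept them.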
dn: CN=ms-DFSR-LocalSettings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-LocalSettings
adminDisplayName: ms-DFSR-LocalSettings
adminDescription: DFSR settings applicable to local computer
governsId: 1.2.840.113556.1.6.13.4.1
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
mayContain: 1.2.840.113556.1.6.13.3.1
possSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: kcWF+n8ZfkeDvepaQ98iOQ==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-LocalSettings,CN=Schema,CN=Configuration,DC=X
dn: CN=NisMap,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: nisMap
adminDisplayName: nisMap
adminDescription: A generic abstraction of a nis map
governsId: 1.3.6.1.1.1.2.9
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.3.6.1.1.1.1.26
mustContain: 2.5.4.3
mayContain: 2.5.4.13
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: bGZydsECM0+ez/ZJwd2bfA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=X
dn: CN=IpProtocol,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ipProtocol
adminDisplayName: ipProtocol
adminDescription: Abstraction of an IP protocol
governsId: 1.3.6.1.1.1.2.4
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.3.6.1.1.1.1.17
mustContain: 2.5.4.3
mayContain: 1.2.840.113556.1.6.18.1.323
mayContain: 1.3.6.1.1.1.1.26
mayContain: 1.2.840.113556.1.6.18.1.339
mayContain: 1.2.840.113556.1.6.18.1.309
mayContain: 2.5.4.13
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.3.6.1.1.1.2.9
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: 0sstnPD7x02s4INW3NDwEw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=IpProtocol,CN=Schema,CN=Configuration,DC=X
dn: CN=PosixGroup,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: posixGroup
adminDisplayName: posixGroup
adminDescription: Abstraction of a group of accounts
governsId: 1.3.6.1.1.1.2.2
objectClassCategory: 3
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.3.6.1.1.1.1.12
mayContain: 1.3.6.1.1.1.1.1
mayContain: 2.5.4.13
mayContain: 1.2.840.113556.1.4.1910
mayContain: 2.5.4.35
mayContain: 2.5.4.3
schemaIdGuid:: uFCTKiwG0E6ZA93hDQbeug==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=PosixGroup,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFSR-GlobalSettings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-GlobalSettings
adminDisplayName: ms-DFSR-GlobalSettings
adminDescription: Global settings applicable to all replication group members
governsId: 1.2.840.113556.1.6.13.4.4
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: rds1e+yzakiq1C/snW6m9g==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-GlobalSettings,CN=Schema,CN=Configuration,DC=X
dn: CN=IEEE802Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ieee802Device
adminDisplayName: ieee802Device
adminDescription: A device with a MAC address
governsId: 1.3.6.1.1.1.2.11
objectClassCategory: 3
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.3.6.1.1.1.1.22
mayContain: 2.5.4.3
schemaIdGuid:: KeWZpjemfUug+13EZqC4pw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=IEEE802Device,CN=Schema,CN=Configuration,DC=X
dn: CN=msSFU-30-Net-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msSFU30NetId
adminDisplayName: msSFU-30-Net-Id
adminDescription: stores the network ID
governsId: 1.2.840.113556.1.6.18.2.212
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.3.6.1.1.1.1.26
mayContain: 1.2.840.113556.1.6.18.1.339
mayContain: 1.2.840.113556.1.6.18.1.309
mayContain: 1.2.840.113556.1.6.18.1.324
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.3.6.1.1.1.2.9
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: LBlj4gIq30iXkpTyMoeBoA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msSFU-30-Net-Id,CN=Schema,CN=Configuration,DC=X
dn: CN=NisNetgroup,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: nisNetgroup
adminDisplayName: nisNetgroup
adminDescription: Abstraction of a netgroup. May refer to other netgroups
governsId: 1.3.6.1.1.1.2.8
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 2.5.4.3
mayContain: 1.2.840.113556.1.6.18.1.349
mayContain: 1.2.840.113556.1.6.18.1.348
mayContain: 1.3.6.1.1.1.1.26
mayContain: 1.2.840.113556.1.6.18.1.339
mayContain: 1.2.840.113556.1.6.18.1.309
mayContain: 1.3.6.1.1.1.1.14
mayContain: 1.3.6.1.1.1.1.13
mayContain: 2.5.4.13
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.3.6.1.1.1.2.9
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: hL/vcntuXEqo24p1p8rSVA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NisNetgroup,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFSR-ReplicationGroup,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-ReplicationGroup
adminDisplayName: ms-DFSR-ReplicationGroup
adminDescription: Replication Group container
governsId: 1.2.840.113556.1.6.13.4.5
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.2.840.113556.1.6.13.3.10
mayContain: 1.2.840.113556.1.6.13.3.1
mayContain: 1.2.840.113556.1.6.13.3.14
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
mayContain: 1.2.840.113556.1.6.13.3.11
mayContain: 2.5.4.13
possSuperiors: 1.2.840.113556.1.6.13.4.4
schemaIdGuid:: 4C8zHCoMMk+vyiPF5Fqedw==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-ReplicationGroup,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFSR-Topology,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-Topology
adminDisplayName: ms-DFSR-Topology
adminDescription: Container for objects that form the replication topology
governsId: 1.2.840.113556.1.6.13.4.8
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
possSuperiors: 1.2.840.113556.1.6.13.4.5
schemaIdGuid:: qYqCBEJugE65YuL+AHVNFw==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-Topology,CN=Schema,CN=Configuration,DC=X
dn: CN=PosixAccount,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: posixAccount
adminDisplayName: posixAccount
adminDescription: Abstraction of an account with posix attributes
governsId: 1.3.6.1.1.1.2.0
objectClassCategory: 3
rdnAttId: 0.9.2342.19200300.100.1.1
subClassOf: 2.5.6.0
mayContain: 2.5.4.13
mayContain: 1.3.6.1.1.1.1.2
mayContain: 1.3.6.1.1.1.1.4
mayContain: 1.2.840.113556.1.4.1910
mayContain: 2.5.4.35
mayContain: 1.2.840.113556.1.4.44
mayContain: 1.3.6.1.1.1.1.3
mayContain: 1.3.6.1.1.1.1.1
mayContain: 1.3.6.1.1.1.1.0
mayContain: 2.5.4.3
mayContain: 0.9.2342.19200300.100.1.1
schemaIdGuid:: QbtErdVniE21dXsgZ0522A==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=PosixAccount,CN=Schema,CN=Configuration,DC=X
dn: CN=ShadowAccount,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: shadowAccount
adminDisplayName: shadowAccount
adminDescription: Additional attributes for shadow passwords
governsId: 1.3.6.1.1.1.2.1
objectClassCategory: 3
rdnAttId: 0.9.2342.19200300.100.1.1
subClassOf: 2.5.6.0
mayContain: 1.3.6.1.1.1.1.11
mayContain: 1.3.6.1.1.1.1.10
mayContain: 1.3.6.1.1.1.1.9
mayContain: 1.3.6.1.1.1.1.8
mayContain: 1.3.6.1.1.1.1.7
mayContain: 1.3.6.1.1.1.1.6
mayContain: 1.3.6.1.1.1.1.5
mayContain: 2.5.4.13
mayContain: 2.5.4.35
mayContain: 0.9.2342.19200300.100.1.1
schemaIdGuid:: Z4RtWxgadEGzUJzG57SsjQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ShadowAccount,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFSR-Content,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-Content
adminDisplayName: ms-DFSR-Content
adminDescription: Container for DFSR-ContentSet objects
governsId: 1.2.840.113556.1.6.13.4.6
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
possSuperiors: 1.2.840.113556.1.6.13.4.5
schemaIdGuid:: NZt1ZKHT5EK18aPeFiEJsw==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-Content,CN=Schema,CN=Configuration,DC=X
dn: CN=BootableDevice,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: bootableDevice
adminDisplayName: bootableDevice
adminDescription: A device with boot parameters
governsId: 1.3.6.1.1.1.2.12
objectClassCategory: 3
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.3.6.1.1.1.1.24
mayContain: 1.3.6.1.1.1.1.23
mayContain: 2.5.4.3
schemaIdGuid:: dyTLS7NLRUWp/Ptm4Ta0NQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=BootableDevice,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-Print-ConnectionPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msPrint-ConnectionPolicy
adminDisplayName: ms-Print-ConnectionPolicy
adminDescription: Pushed Printer Connection Policy
governsId: 1.2.840.113556.1.6.23.2
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 2.5.4.3
mayContain: 1.2.840.113556.1.4.137
mayContain: 1.2.840.113556.1.4.223
mayContain: 1.2.840.113556.1.4.247
mayContain: 1.2.840.113556.1.4.300
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: xzNvodZ/KEiTZENROP2gjQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-Print-ConnectionPolicy,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFSR-Member,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-Member
adminDisplayName: ms-DFSR-Member
adminDescription: Replication group member
governsId: 1.2.840.113556.1.6.13.4.9
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.2.840.113556.1.6.13.3.101
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
mayContain: 1.2.840.113556.1.6.13.3.15
mayContain: 1.2.840.113556.1.4.515
possSuperiors: 1.2.840.113556.1.6.13.4.8
schemaIdGuid:: l8gpQhHCfEOlrtv3BbaW5Q==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-Member,CN=Schema,CN=Configuration,DC=X
dn: CN=OncRpc,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: oncRpc
adminDisplayName: oncRpc
adminDescription: Abstraction of an Open Network Computing (ONC) [RFC1057] Remote Procedure Call (RPC) binding
governsId: 1.3.6.1.1.1.2.5
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.3.6.1.1.1.1.18
mustContain: 2.5.4.3
mayContain: 1.2.840.113556.1.6.18.1.323
mayContain: 1.3.6.1.1.1.1.26
mayContain: 1.2.840.113556.1.6.18.1.339
mayContain: 1.2.840.113556.1.6.18.1.309
mayContain: 2.5.4.13
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.3.6.1.1.1.2.9
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: Xh7dyvz+P0+1qXDplCBDAw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=OncRpc,CN=Schema,CN=Configuration,DC=X
dn: CN=IpHost,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ipHost
adminDisplayName: ipHost
adminDescription: Abstraction of a host, an IP device.
governsId: 1.3.6.1.1.1.2.6
objectClassCategory: 3
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 2.5.4.7
mayContain: 0.9.2342.19200300.100.1.1
mayContain: 1.3.6.1.1.1.1.19
mayContain: 2.5.4.13
mayContain: 2.5.4.3
mayContain: 0.9.2342.19200300.100.1.10
schemaIdGuid:: RhaRqyeIlU+HgFqPAI62jw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=IpHost,CN=Schema,CN=Configuration,DC=X
dn: CN=msSFU-30-Domain-Info,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msSFU30DomainInfo
adminDisplayName: msSFU-30-Domain-Info
adminDescription: Represents an internal data structure used by Server for NIS.
governsId: 1.2.840.113556.1.6.18.2.215
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.2.840.113556.1.6.18.1.352
mayContain: 1.2.840.113556.1.6.18.1.343
mayContain: 1.2.840.113556.1.6.18.1.342
mayContain: 1.2.840.113556.1.6.18.1.308
mayContain: 1.2.840.113556.1.6.18.1.307
mayContain: 1.2.840.113556.1.6.18.1.350
mayContain: 1.2.840.113556.1.6.18.1.300
mayContain: 1.2.840.113556.1.6.18.1.341
mayContain: 1.2.840.113556.1.6.18.1.340
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: zn0pNmtlI0SrZdq7J3CBng==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msSFU-30-Domain-Info,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFSR-Connection,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-Connection
adminDisplayName: ms-DFSR-Connection
adminDescription: Directional connection between two members
governsId: 1.2.840.113556.1.6.13.4.10
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.2.840.113556.1.4.40
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
mayContain: 1.2.840.113556.1.6.13.3.14
mayContain: 1.2.840.113556.1.6.13.3.15
mayContain: 1.2.840.113556.1.6.13.3.20
mayContain: 1.2.840.113556.1.6.13.3.19
mayContain: 1.2.840.113556.1.6.13.3.9
possSuperiors: 1.2.840.113556.1.6.13.4.9
schemaIdGuid:: LpeP5bVk70aNi7vD4Yl+qw==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-Connection,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFSR-Subscriber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-Subscriber
adminDisplayName: ms-DFSR-Subscriber
adminDescription: Represents local computer membership of a replication group
governsId: 1.2.840.113556.1.6.13.4.2
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.2.840.113556.1.6.13.3.23
mustContain: 1.2.840.113556.1.6.13.3.100
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
possSuperiors: 1.2.840.113556.1.6.13.4.1
schemaIdGuid:: 1wUV4cSS50O/XClYMv/Ilg==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)
(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-Subscriber,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-ContentSet
adminDisplayName: ms-DFSR-ContentSet
adminDescription: DFSR Content Set
governsId: 1.2.840.113556.1.6.13.4.7
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
mayContain: 1.2.840.113556.1.6.13.3.13
mayContain: 1.2.840.113556.1.6.13.3.12
mayContain: 1.2.840.113556.1.6.13.3.21
mayContain: 2.5.4.13
possSuperiors: 1.2.840.113556.1.6.13.4.6
schemaIdGuid:: DfQ3SdymSE2Xygbl+/0/Fg==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)
(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=X
dn: CN=msSFU-30-Mail-Aliases,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msSFU30MailAliases
adminDisplayName: msSFU-30-Mail-Aliases
adminDescription: represents UNIX mail file data
governsId: 1.2.840.113556.1.6.18.2.211
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.3.6.1.1.1.1.26
mayContain: 1.2.840.113556.1.6.18.1.323
mayContain: 1.2.840.113556.1.6.18.1.339
mayContain: 1.2.840.113556.1.6.18.1.309
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.3.6.1.1.1.2.9
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: hQdx1v+Gt0SFtfH4aJUizg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msSFU-30-Mail-Aliases,CN=Schema,CN=Configuration,DC=X
dn: CN=msSFU-30-Network-User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msSFU30NetworkUser
adminDisplayName: msSFU-30-Network-User
adminDescription: represents network file data
governsId: 1.2.840.113556.1.6.18.2.216
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.3.6.1.1.1.1.26
mayContain: 1.2.840.113556.1.6.18.1.339
mayContain: 1.2.840.113556.1.6.18.1.309
mayContain: 1.2.840.113556.1.6.18.1.324
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.3.6.1.1.1.2.9
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: ozRT4fALJ0S2chH12ErMkg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msSFU-30-Network-User,CN=Schema,CN=Configuration,DC=X
dn: CN=msSFU-30-NIS-Map-Config,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msSFU30NISMapConfig
adminDisplayName: msSFU-30-NIS-Map-Config
adminDescription: represents an internal Data Structure used by Server for NIS
governsId: 1.2.840.113556.1.6.18.2.217
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mayContain: 1.2.840.113556.1.6.18.1.306
mayContain: 1.2.840.113556.1.6.18.1.305
mayContain: 1.2.840.113556.1.6.18.1.304
mayContain: 1.2.840.113556.1.6.18.1.303
mayContain: 1.2.840.113556.1.6.18.1.345
mayContain: 1.2.840.113556.1.6.18.1.302
mayContain: 1.2.840.113556.1.6.18.1.301
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: 0DP3+uv4z02NdfF1OvalCw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=msSFU-30-NIS-Map-Config,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFSR-Subscription,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDFSR-Subscription
adminDisplayName: ms-DFSR-Subscription
adminDescription: Represents local computer participation of a content set
governsId: 1.2.840.113556.1.6.13.4.3
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.2.840.113556.1.6.13.3.23
mustContain: 1.2.840.113556.1.6.13.3.18
mayContain: 1.2.840.113556.1.6.13.3.2
mayContain: 1.2.840.113556.1.6.13.3.17
mayContain: 1.2.840.113556.1.6.13.3.16
mayContain: 1.2.840.113556.1.6.13.3.24
mayContain: 1.2.840.113556.1.6.13.3.22
mayContain: 1.2.840.113556.1.6.13.3.9
mayContain: 1.2.840.113556.1.6.13.3.8
mayContain: 1.2.840.113556.1.6.13.3.7
mayContain: 1.2.840.113556.1.6.13.3.6
mayContain: 1.2.840.113556.1.6.13.3.5
mayContain: 1.2.840.113556.1.6.13.3.4
mayContain: 1.2.840.113556.1.6.13.3.3
possSuperiors: 1.2.840.113556.1.6.13.4.2
schemaIdGuid:: FCQhZ8x7CUaH4AiNrYq97g==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)
(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DFSR-Subscription,CN=Schema,CN=Configuration,DC=X
dn: CN=NisObject,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: nisObject
adminDisplayName: nisObject
adminDescription: An entry in a NIS map
governsId: 1.3.6.1.1.1.2.10
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.3.6.1.1.1.1.27
mustContain: 1.3.6.1.1.1.1.26
mustContain: 2.5.4.3
mayContain: 1.2.840.113556.1.6.18.1.339
mayContain: 1.2.840.113556.1.6.18.1.309
mayContain: 2.5.4.13
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.3.6.1.1.1.2.9
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: k4pPkFRJX0yx4VPAl6MeEw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=X
dn: CN=IpService,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ipService
adminDisplayName: ipService
adminDescription: Abstraction of an Internet Protocol service.
governsId: 1.3.6.1.1.1.2.3
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 2.5.4.3
mustContain: 1.3.6.1.1.1.1.15
mustContain: 1.3.6.1.1.1.1.16
mayContain: 1.3.6.1.1.1.1.26
mayContain: 1.2.840.113556.1.6.18.1.323
mayContain: 1.2.840.113556.1.6.18.1.339
mayContain: 1.2.840.113556.1.6.18.1.309
mayContain: 2.5.4.13
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.3.6.1.1.1.2.9
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: 3/oXJZf6rUid5nmsVyH4ZA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=IpService,CN=Schema,CN=Configuration,DC=X
dn: CN=IpNetwork,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ipNetwork
adminDisplayName: ipNetwork
adminDescription: Abstraction of a network. The distinguished value of the cn attribute denotes the
network's canonical name
governsId: 1.3.6.1.1.1.2.7
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
mustContain: 1.3.6.1.1.1.1.20
mustContain: 2.5.4.3
mayContain: 1.2.840.113556.1.6.18.1.323
mayContain: 1.3.6.1.1.1.1.26
mayContain: 1.2.840.113556.1.6.18.1.339
mayContain: 1.2.840.113556.1.6.18.1.309
mayContain: 2.5.4.7
mayContain: 0.9.2342.19200300.100.1.1
mayContain: 1.3.6.1.1.1.1.21
mayContain: 2.5.4.13
mayContain: 0.9.2342.19200300.100.1.10
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: 1.3.6.1.1.1.2.9
possSuperiors: 1.2.840.113556.1.5.67
schemaIdGuid:: wzZY2T4U+0OZKrBX8eyt+Q==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=IpNetwork,CN=Schema,CN=Configuration,DC=X
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.102
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.103
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.347
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.346
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.339
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.309
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: auxiliaryClass
auxiliaryClass: 1.3.6.1.1.1.2.2
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.1879
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.309
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.339
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: auxiliaryClass
auxiliaryClass: 1.3.6.1.1.1.2.0
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: auxiliaryClass
auxiliaryClass: 1.3.6.1.1.1.2.1
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.323
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.3.6.1.1.1.1.26
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.339
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.309
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: auxiliaryClass
auxiliaryClass: 1.3.6.1.1.1.2.12
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: auxiliaryClass
auxiliaryClass: 1.3.6.1.1.1.2.11
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: auxiliaryClass
auxiliaryClass: 1.3.6.1.1.1.2.6
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.309
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.3.6.1.1.1.1.26
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.339
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.18.1.323
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: auxiliaryClass
auxiliaryClass: 1.3.6.1.1.1.2.6
-
dn: CN=Contact,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.1879
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 31
-
Sch32.ldf
dn: CN=ms-DS-KrbTgt-Link,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-KrbTgtLink
adminDisplayName: ms-DS-KrbTgt-Link
adminDescription: For a computer, Identifies the user object (krbtgt), acting as the domain or secondary
domain master secret. Depends on which domain or secondary domain the computer resides in.
attributeId: 1.2.840.113556.1.4.1923
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: yfWPd05vdEuFataDgzE5EA==
linkID: 2100
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Revealed-Users,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-RevealedUsers
adminDisplayName: ms-DS-Revealed-Users
adminDescription: For a Directory instance (DSA), Identifies the user objects whose secrets have been
disclosed to that instance
attributeId: 1.2.840.113556.1.4.1924
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KoZIhvcUAQEBCw==
schemaIdGuid:: IXhcGEk3OkS9aiiImQca2w==
linkID: 2102
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Revealed-List,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-RevealedList
adminDisplayName: ms-DS-Revealed-List
adminDescription: For a Directory instance (DSA), Identifies the user objects whose secrets have been
disclosed to that instance
attributeId: 1.2.840.113556.1.4.1940
attributeSyntax: 2.5.5.14
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KoZIhvcUAQEBDA==
schemaIdGuid:: HNHay+x/ezhiGToGJ9mvgQ==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Has-Full-Replica-NCs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-hasFullReplicaNCs
adminDisplayName: ms-DS-Has-Full-Replica-NCs
adminDescription: For a Directory instance (DSA), identifies the partitions held as full replicas
attributeId: 1.2.840.113556.1.4.1925
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: GC08HdBCaEiZ/g7KHm+p8w==
linkID: 2104
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Never-Reveal-Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-NeverRevealGroup
adminDisplayName: ms-DS-Never-Reveal-Group
adminDescription: For a Directory instance (DSA), identifies the security group whose users will never have
their secrets disclosed to that instance
attributeId: 1.2.840.113556.1.4.1926
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: mVlYFUn9Zk2yXe65arqBdA==
linkID: 2106
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Reveal-OnDemand-Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-RevealOnDemandGroup
adminDisplayName: ms-DS-Reveal-OnDemand-Group
adminDescription: For a Directory instance (DSA), identifies the security group whose users may have their
secrets disclosed to that instance
attributeId: 1.2.840.113556.1.4.1928
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: Sp89MNYdOEuPxTOv6MmIrQ==
linkID: 2110
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Secondary-KrbTgt-Number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-SecondaryKrbTgtNumber
adminDisplayName: ms-DS-Secondary-KrbTgt-Number
adminDescription: For a user object (krbtgt), acting as a secondary domain master secret, identifies the
protocol identification number associated with the secondary domain.
attributeId: 1.2.840.113556.1.4.1929
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 1
rangeLower: 65536
rangeUpper: 65536
schemaIdGuid:: EmYVqpYjfkataijSP9sYZQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Revealed-DSAs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-RevealedDSAs
adminDisplayName: ms-DS-Revealed-DSAs
adminDescription: Backlink for ms-DS-Revealed-Users; for a user, identifies which Directory instances (DSA)
hold that user's secret
attributeId: 1.2.840.113556.1.4.1930
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: rPL2lG3HXku3H/Myw+k8Ig==
linkID: 2103
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-KrbTgt-Link-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-KrbTgtLinkBl
adminDisplayName: ms-DS-KrbTgt-Link-BL
adminDescription: Backlink for ms-DS-KrbTgt-Link; for a user object (krbtgt) acting as a domain or secondary
domain master secret, identifies which computers are in that domain or secondary domain
attributeId: 1.2.840.113556.1.4.1931
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: QYzWXd+/i0ObXTnZYYvyYA==
linkID: 2101
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Is-Domain-For,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IsDomainFor
adminDisplayName: ms-DS-Is-Domain-For
adminDescription: Backlink for ms-DS-Has-Domain-NCs; for a partition root object, identifies which Directory
instances (DSA) hold that partition as their primary domain
attributeId: 1.2.840.113556.1.4.1933
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: KloV/+VE4E2DGBOliYjeTw==
linkID: 2027
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Is-Full-Replica-For,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IsFullReplicaFor
adminDisplayName: ms-DS-Is-Full-Replica-For
adminDescription: Backlink for ms-Ds-Has-Full-Replica-NCs; for a partition root object, identifies which
Directory instances (DSA) hold that partition as a full replica
attributeId: 1.2.840.113556.1.4.1932
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 4HK8yLSm8EiUpf12qIyZhw==
linkID: 2105
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Is-Partial-Replica-For,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IsPartialReplicaFor
adminDisplayName: ms-DS-Is-Partial-Replica-For
adminDescription: Backlink for has-Partial-Replica-NCs; for a partition root object, identifies which
Directory instances (DSA) hold that partition as a partial replica
attributeId: 1.2.840.113556.1.4.1934
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 9k/JN9TGj0my+cb3+GR4CQ==
linkID: 75
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1931
systemMayContain: 1.2.840.113556.1.4.1930
systemMayContain: 1.2.840.113556.1.4.1932
systemMayContain: 1.2.840.113556.1.4.1933
systemMayContain: 1.2.840.113556.1.4.1934
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1929
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1923
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1925
systemMayContain: 1.2.840.113556.1.4.1928
systemMayContain: 1.2.840.113556.1.4.1926
systemMayContain: 1.2.840.113556.1.4.1924
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 32
-
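The Sch32.ldf attributes above define the RODC bookkeeping that a security review reads: which accounts have had their secrets revealed to a read-only DSA (ms-DS-Revealed-Users, with ms-DS-Revealed-DSAs as its backlink), which groups may or may never be revealed, and the krbtgt link that ties each computer to its domain or secondary-domain master secret. Reading those definitions means decoding three encoded fields: the base64 schemaIdGuid, the systemFlags and searchFlags bitmasks, and the linkID pairing in which an even number is a forward link and the next odd number is its backlink. The Python below is an added example, not part of this schema file or of any Microsoft tool. It parses the record layout used on this page (a dn: line opens each record, attr:: carries a base64 value, a line without a colon is a hard wrap of the previous value), and its sample input is a trimmed copy of four Sch32 records. The flag names are taken from MS-ADTS sections 2.2.9 and 2.2.10; the function names and the sample are this example's own.

```python
import base64
import uuid

# Constructed sample: four attributeSchema records trimmed from the Sch32.ldf
# entries above, keeping only the attributes the decoders below read.
SAMPLE_LDIF = """\
dn: CN=ms-DS-KrbTgt-Link,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDS-KrbTgtLink
schemaIdGuid:: yfWPd05vdEuFataDgzE5EA==
linkID: 2100
systemFlags: 16
dn: CN=ms-DS-KrbTgt-Link-BL,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDS-KrbTgtLinkBl
schemaIdGuid:: QYzWXd+/i0ObXTnZYYvyYA==
linkID: 2101
systemFlags: 17
dn: CN=ms-DS-Revealed-Users,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDS-RevealedUsers
schemaIdGuid:: IXhcGEk3OkS9aiiImQca2w==
linkID: 2102
systemFlags: 16
dn: CN=ms-DS-Revealed-DSAs,CN=Schema,CN=Configuration,DC=X
ldapDisplayName: msDS-RevealedDSAs
schemaIdGuid:: rPL2lG3HXku3H/Myw+k8Ig==
linkID: 2103
systemFlags: 17
"""

# attributeSchema systemFlags bits (MS-ADTS 2.2.10) and searchFlags bits
# (MS-ADTS 2.2.9); only the bits that matter for attribute definitions.
SYSTEM_FLAGS = {0x1: "FLAG_ATTR_NOT_REPLICATED", 0x2: "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER",
                0x4: "FLAG_ATTR_IS_CONSTRUCTED", 0x8: "FLAG_ATTR_IS_OPERATIONAL",
                0x10: "FLAG_SCHEMA_BASE_OBJECT", 0x20: "FLAG_ATTR_IS_RDN"}
SEARCH_FLAGS = {0x1: "fATTINDEX", 0x2: "fPDNTATTINDEX", 0x4: "fANR",
                0x8: "fPRESERVEONDELETE", 0x10: "fCOPY", 0x20: "fTUPLEINDEX",
                0x40: "fSUBTREEATTINDEX", 0x80: "fCONFIDENTIAL",
                0x100: "fNEVERVALUEAUDIT", 0x200: "fRODCFilteredAttribute",
                0x400: "fEXTENDEDLINKTRACKING", 0x800: "fBASEONLY",
                0x1000: "fPARTITIONSECRET"}


def unfold(text):
    """Join continuation lines: RFC 2849 folding (leading space) and the
    hard-wrapped lines without a colon that a rendered .ldf page produces.
    Lone '-' change separators are dropped."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "-":
            continue
        if lines and raw.startswith(" "):
            lines[-1] += raw[1:]
        elif lines and ":" not in raw:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of records (dict: attribute -> list of values). A 'dn:'
    line opens a record, so blank-line separators are optional, and an
    'attr:: value' line is base64-decoded to bytes."""
    records, current = [], None
    for line in unfold(text):
        name, _, value = line.partition(":")
        if name == "dn":
            current = {}
            records.append(current)
        if current is None:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return records


def decode_bits(value, table):
    """Expand an integer flag value into the names of the bits that are set."""
    value = int(value)
    return [name for bit, name in sorted(table.items()) if value & bit]


def schema_guid(record):
    """schemaIdGuid holds the 16-byte GUID in Windows little-endian field order."""
    return str(uuid.UUID(bytes_le=record["schemaIdGuid"][0]))


def link_pairs(records):
    """Pair each forward link (even linkID) with its backlink (linkID + 1)."""
    by_id = {int(r["linkID"][0]): r["ldapDisplayName"][0]
             for r in records if "linkID" in r}
    return {fwd: by_id[lid + 1] for lid, fwd in by_id.items()
            if lid % 2 == 0 and lid + 1 in by_id}


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for r in recs:
        print(r["ldapDisplayName"][0], schema_guid(r),
              decode_bits(r["systemFlags"][0], SYSTEM_FLAGS))
    print("forward link -> backlink:", link_pairs(recs))
```

The systemFlags value 17 on the two backlinks decodes to FLAG_SCHEMA_BASE_OBJECT plus FLAG_ATTR_NOT_REPLICATED, which is why ms-DS-Revealed-DSAs on a user is computed locally from the forward link on the RODC's NTDS-DSA object rather than replicated. The same decode_bits call with SEARCH_FLAGS reads the Sch34 attributes later on this page: ms-PKI-DPAPIMasterKeys carries searchFlags 128, which is fCONFIDENTIAL, so plain read permission on the user object is not enough to retrieve it.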
Sch33.ldf
dn: CN=ms-DS-isGC,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-isGC
adminDisplayName: ms-DS-isGC
adminDescription: For a Directory instance (DSA), Identifies the state of the Global Catalog on the DSA
attributeId: 1.2.840.113556.1.4.1959
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: M8/1HeUPnkmQ4elLQnGKRg==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-isRODC,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-isRODC
adminDisplayName: ms-DS-isRODC
adminDescription: For a Directory instance (DSA), Identifies whether the DSA is a Read-Only DSA
attributeId: 1.2.840.113556.1.4.1960
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: I6roqGc+8Uqdei8aHWM6yQ==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-SiteName,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-SiteName
adminDisplayName: ms-DS-SiteName
adminDescription: For a Directory instance (DSA), Identifies the site name that contains the DSA
attributeId: 1.2.840.113556.1.4.1961
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: bfOnmJU1ikSeb2uJZbrtnA==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-AuthenticatedAt-DC,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AuthenticatedAtDC
adminDisplayName: ms-DS-AuthenticatedAt-DC
adminDescription: Forwardlink for ms-DS-AuthenticatedTo-Accountlist; for a User, identifies which DC a user
has authenticated to
attributeId: 1.2.840.113556.1.4.1958
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: nOkePgRmiUSJ2YR5iolRWg==
linkID: 2112
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Promotion-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PromotionSettings
adminDisplayName: ms-DS-Promotion-Settings
adminDescription: For a Computer, contains a XML string to be used for delegated DSA promotion
attributeId: 1.2.840.113556.1.4.1962
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
rangeUpper: 65536
schemaIdGuid:: 4rSByMBDvk65u1JQqptDTA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Supported-Encryption-Types,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-SupportedEncryptionTypes
adminDisplayName: msDS-SupportedEncryptionTypes
adminDescription: The encryption algorithms supported by user, computer or trust accounts. The KDC uses this
information while generating a service ticket for this account. Services/Computers may automatically update
this attribute on their respective accounts in Active Directory, and therefore need write access to this
attribute.
attributeId: 1.2.840.113556.1.4.1963
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: Z5gRIAQdt0qTcc/D1d8K/Q==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-AuthenticatedTo-Accountlist,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AuthenticatedToAccountlist
adminDisplayName: ms-DS-AuthenticatedTo-Accountlist
adminDescription: Backlink for ms-DS-AuthenticatedAt-DC; for a Computer, identifies which users have
authenticated to this Computer
attributeId: 1.2.840.113556.1.4.1957
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: ccmy6N+mvEeNb2J3DVJ6pQ==
linkID: 2113
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DS-Never-Reveal-Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: FALSE
-
dn: CN=ms-DS-Reveal-OnDemand-Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: FALSE
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1957
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1963
-
dn: CN=Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1959
systemMayContain: 1.2.840.113556.1.4.1960
systemMayContain: 1.2.840.113556.1.4.1961
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1783
systemMayContain: 1.2.840.113556.1.4.1924
systemMayContain: 1.2.840.113556.1.4.1940
systemMayContain: 1.2.840.113556.1.4.1958
systemMayContain: 1.2.840.113556.1.4.1959
systemMayContain: 1.2.840.113556.1.4.1960
systemMayContain: 1.2.840.113556.1.4.1961
systemMayContain: 1.2.840.113556.1.4.1962
systemMayContain: 1.2.840.113556.1.4.1926
systemMayContain: 1.2.840.113556.1.4.1928
-
dn: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1963
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1959
systemMayContain: 1.2.840.113556.1.4.1960
systemMayContain: 1.2.840.113556.1.4.1961
-
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1927
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 33
-
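ms-DS-Supported-Encryption-Types, added in Sch33.ldf above, is the integer bitmask the KDC consults when it issues a service ticket for an account, and its description states that services and computers may write it on their own accounts. Two consequences follow for an audit: the value must be decoded bit by bit, and a value an administrator set cannot be assumed to persist, since the account itself has write access. The following Python is an added example, not code from this schema file or from Microsoft; the bit assignments are those published in MS-KILE 2.2.7 and MS-ADTS, while the sample account values, the verdict labels and the function names are this example's own.

```python
# msDS-SupportedEncryptionTypes bit values (MS-KILE 2.2.7, MS-ADTS).
ETYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
    0x10000: "FAST-supported",
    0x20000: "Compound-identity-supported",
    0x40000: "Claims-supported",
    0x80000: "Resource-SID-compression-disabled",
}
WEAK = 0x01 | 0x02 | 0x04          # DES and RC4
STRONG = 0x08 | 0x10 | 0x20        # AES family
CIPHER_MASK = WEAK | STRONG        # the remaining bits are KDC feature flags


def decode(value):
    """Names of the bits set in a msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in sorted(ETYPES.items()) if value & bit]


def classify(value):
    """Verdict for one account; None means the attribute is absent."""
    if value is None:
        return "absent"           # no preference stored, KDC default applies
    if value & CIPHER_MASK == 0:
        return "no-cipher-bits"   # only feature flags set, KDC default applies
    if value & WEAK and value & STRONG:
        return "mixed"            # AES present but DES/RC4 still offered
    if value & WEAK:
        return "weak-only"
    return "aes-only"


def harden(value):
    """The same value with DES/RC4 cleared and AES128+AES256 set, keeping
    any feature bits (FAST, claims, ...) that were already present."""
    value = value or 0
    return (value & ~WEAK) | 0x08 | 0x10


def audit(accounts):
    """accounts: {sAMAccountName: raw attribute value or None}.
    Returns {sAMAccountName: (verdict, decoded names, hardened value)}."""
    return {name: (classify(v), decode(v or 0), harden(v))
            for name, v in accounts.items()}


# Constructed sample values; not taken from any real directory.
SAMPLE_ACCOUNTS = {
    "svc-sql": 0x4,        # RC4 only: a service account that never moved to AES
    "web01$": 0x1C,        # RC4 + AES128 + AES256, commonly seen on computer accounts
    "appsvc": 0x18,        # AES128 + AES256 only
    "legacy": None,        # attribute not set on the account
}

if __name__ == "__main__":
    for name, (verdict, names, fixed) in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:10} {verdict:15} {names}  -> hardened 0x{fixed:x}")
```

harden() is deliberately conservative: it never touches the feature bits above 0xFFFF, so an account that advertised FAST or claims support keeps doing so after the cipher bits are corrected. Because the attribute is writable by the account itself, the audit is worth scheduling rather than running once.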
Sch34.ldf
dn: CN=ms-DFSR-ReadOnly,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-ReadOnly
adminDisplayName: DFSR-ReadOnly
adminDescription: Specify whether the content is read-only or read-write
attributeId: 1.2.840.113556.1.6.13.3.28
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: IYDEWkfk50adI5LAxqkN+w==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-Priority,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-Priority
adminDisplayName: DFSR-Priority
adminDescription: Priority level
attributeId: 1.2.840.113556.1.6.13.3.25
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: 1ucg660y3kKxQRatJjGwGw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Az-Object-Guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzObjectGuid
adminDisplayName: MS-DS-Az-Object-Guid
adminDescription: The unique and portable identifier of AzMan objects
attributeId: 1.2.840.113556.1.4.1949
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 1
rangeLower: 16
rangeUpper: 16
schemaIdGuid:: SOWRhDhsZUOnMq8EFWmwLA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Az-Generic-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-AzGenericData
adminDisplayName: MS-DS-Az-Generic-Data
adminDescription: AzMan specific generic data
attributeId: 1.2.840.113556.1.4.1950
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 65536
schemaIdGuid:: SeP3tVt6fECjNKMcP1OLmA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DFSR-CachePolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-CachePolicy
adminDisplayName: DFSR-CachePolicy
adminDescription: On-demand cache policy options
attributeId: 1.2.840.113556.1.6.13.3.29
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: 5wh623b8aUWkX/XstmqItQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-DeletedPath,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-DeletedPath
adminDisplayName: DFSR-DeletedPath
adminDescription: Full path of the Deleted directory
attributeId: 1.2.840.113556.1.6.13.3.26
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeUpper: 32767
schemaIdGuid:: uPB8gZXbFEm4M1oHnvZXZA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryGuid
adminDisplayName: FVE-RecoveryGuid
adminDescription: This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery
password.
attributeId: 1.2.840.113556.1.4.1965
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 9
schemaIdGuid:: vAlp93jmoEews/hqAETAbQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformation
adminDisplayName: TPM-OwnerInformation
adminDescription: This attribute contains the owner information of a particular TPM.
attributeId: 1.2.840.113556.1.4.1966
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 8
schemaIdGuid:: bRpOqg1VBU6MNUr8uRep/g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKIDPAPIMasterKeys
adminDisplayName: MS-PKI-DPAPIMasterKeys
adminDescription: Storage of encrypted DPAPI Master Keys for user
attributeId: 1.2.840.113556.1.4.1893
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 128
omObjectClass:: KoZIhvcUAQEBCw==
schemaIdGuid:: IzD5szmSfE+5nGdF2Hrbwg==
attributeSecurityGuid:: 3kfmkW/ZcEuVV9Y/9PPM2A==
linkID: 2046
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Phonetic-Last-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PhoneticLastName
adminDisplayName: ms-DS-Phonetic-Last-Name
adminDescription: Contains the phonetic last name of the person.
attributeId: 1.2.840.113556.1.4.1943
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 5
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: 7OQX8jYIkEuIry9dS72ivA==
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
mapiID: 35983
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKIRoamingTimeStamp
adminDisplayName: MS-PKI-RoamingTimeStamp
adminDescription: Time stamp for last change to roaming tokens
attributeId: 1.2.840.113556.1.4.1892
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 128
schemaIdGuid:: rOQXZvGiq0O2DBH70frPBQ==
attributeSecurityGuid:: 3kfmkW/ZcEuVV9Y/9PPM2A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DFSR-DeletedSizeInMb,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-DeletedSizeInMb
adminDisplayName: DFSR-DeletedSizeInMb
adminDescription: Size of the Deleted directory in MB
attributeId: 1.2.840.113556.1.6.13.3.27
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
searchFlags: 0
rangeUpper: -1
schemaIdGuid:: 0ZrtU3WZ9EGD9QwGGhJVOg==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Phonetic-First-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PhoneticFirstName
adminDisplayName: ms-DS-Phonetic-First-Name
adminDescription: Contains the phonetic given name or first name of the person.
attributeId: 1.2.840.113556.1.4.1942
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 5
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: TrocSy8wNEGsfPAfbHl4Qw==
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
mapiID: 35982
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryPassword
adminDisplayName: FVE-RecoveryPassword
adminDescription: This attribute contains the password required to recover a Full Volume Encryption (FVE) volume.
attributeId: 1.2.840.113556.1.4.1964
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 8
schemaIdGuid:: wRoGQ63IzEy3hSv6wg/GCg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Phonetic-Department,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PhoneticDepartment
adminDisplayName: ms-DS-Phonetic-Department
adminDescription: Contains the phonetic department name where the person works.
attributeId: 1.2.840.113556.1.4.1944
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 5
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: rz3VbD4A50mnAm+oluem7w==
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
mapiID: 35984
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKIAccountCredentials
adminDisplayName: MS-PKI-AccountCredentials
adminDescription: Storage of encrypted user credential token blobs for roaming
attributeId: 1.2.840.113556.1.4.1894
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 128
omObjectClass:: KoZIhvcUAQEBCw==
schemaIdGuid:: RKffuNwx8U6sfIS69++dpw==
attributeSecurityGuid:: 3kfmkW/ZcEuVV9Y/9PPM2A==
linkID: 2048
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-RADIUS-FramedIpv6Route,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRADIUS-FramedIpv6Route
adminDisplayName: ms-RADIUS-FramedIpv6Route
adminDescription: This Attribute provides routing information to be configured for the user on the NAS.
attributeId: 1.2.840.113556.1.4.1917
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4096
schemaIdGuid:: BKhaWoMwY0iU5QGKeaIuwA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DS-Phonetic-Display-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PhoneticDisplayName
adminDisplayName: ms-DS-Phonetic-Display-Name
adminDescription: The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used.
attributeId: 1.2.840.113556.1.4.1946
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 5
rangeLower: 0
rangeUpper: 256
schemaIdGuid:: 5JQa4mYt5UyzDQ74endv8A==
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
mapiID: 35986
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Phonetic-Company-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PhoneticCompanyName
adminDisplayName: ms-DS-Phonetic-Company-Name
adminDescription: Contains the phonetic company name where the person works.
attributeId: 1.2.840.113556.1.4.1945
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 5
rangeLower: 1
rangeUpper: 64
schemaIdGuid:: jSDVW/TlrkalFFQ7ycR2WQ==
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
mapiID: 35985
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-net-ieee-8023-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-8023-GP-PolicyData
adminDisplayName: ms-net-ieee-8023-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.3 wired networks.
attributeId: 1.2.840.113556.1.4.1955
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1048576
schemaIdGuid:: i5SYg1d0kU29TY1+1mnJ9w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-net-ieee-8023-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-8023-GP-PolicyGUID
adminDisplayName: ms-net-ieee-8023-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.3 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1954
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: WrCnlLK4WU+cJTnmm6oWhA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DFSR-MaxAgeInCacheInMin,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-MaxAgeInCacheInMin
adminDisplayName: DFSR-MaxAgeInCacheInMin
adminDescription: Maximum time in minutes to keep files in full form
attributeId: 1.2.840.113556.1.6.13.3.31
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
rangeUpper: 2147483647
schemaIdGuid:: jeSwKk6s/EqD5aNCQNthmA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-net-ieee-80211-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.
attributeId: 1.2.840.113556.1.4.1952
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: pZUUnHZNjkaZHhQzsKZ4VQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-RADIUS-FramedIpv6Prefix,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRADIUS-FramedIpv6Prefix
adminDisplayName: ms-RADIUS-FramedIpv6Prefix
adminDescription: This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.
attributeId: 1.2.840.113556.1.4.1915
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 16
schemaIdGuid:: ENY+9nzWTUmHvs0eJDWaOA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1951
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-RADIUS-FramedInterfaceId,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRADIUS-FramedInterfaceId
adminDisplayName: ms-RADIUS-FramedInterfaceId
adminDescription: This Attribute indicates the IPv6 interface identifier to be configured for the user.
attributeId: 1.2.840.113556.1.4.1913
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 8
schemaIdGuid:: I0ryplzWZU2mTzX7aHPCuQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-NC-RO-Replica-Locations,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-NC-RO-Replica-Locations
adminDisplayName: ms-DS-NC-RO-Replica-Locations
adminDescription: a linked attribute on a cross ref object for a partition. This attribute lists the DSA instances which should host the partition in a readonly manner.
attributeId: 1.2.840.113556.1.4.1967
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 35P3PViYF0SnAXNaHs6/dA==
linkID: 2114
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-NC-RO-Replica-Locations-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-NC-RO-Replica-Locations-BL
adminDisplayName: ms-DS-NC-RO-Replica-Locations-BL
adminDescription: backlink attribute for ms-DS-NC-RO-Replica-Locations.
attributeId: 1.2.840.113556.1.4.1968
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: HFFH9SpbzESDWJkqiCWBZA==
linkID: 2115
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DFSR-MinDurationCacheInMin,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-MinDurationCacheInMin
adminDisplayName: DFSR-MinDurationCacheInMin
adminDescription: Minimum time in minutes before truncating files
attributeId: 1.2.840.113556.1.6.13.3.30
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
rangeUpper: 2147483647
schemaIdGuid:: emBdTEnOSkSYYoKpX10fzA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-net-ieee-8023-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-8023-GP-PolicyReserved
adminDisplayName: ms-net-ieee-8023-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1956
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1048576
schemaIdGuid:: xyfF0wYm602M/RhCb+7Izg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-RADIUS-SavedFramedIpv6Route,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRADIUS-SavedFramedIpv6Route
adminDisplayName: ms-RADIUS-SavedFramedIpv6Route
adminDescription: This Attribute provides routing information to be configured for the user on the NAS.
attributeId: 1.2.840.113556.1.4.1918
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4096
schemaIdGuid:: XLtmlp3fQU20Ny7sfifJsw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-net-ieee-80211-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1953
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: LsZpD44I9U+lOukjzsB8Cg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-RADIUS-SavedFramedIpv6Prefix,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRADIUS-SavedFramedIpv6Prefix
adminDisplayName: ms-RADIUS-SavedFramedIpv6Prefix
adminDescription: This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.
attributeId: 1.2.840.113556.1.4.1916
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 16
schemaIdGuid:: YqBlCeGxO0C0jVwOsOlSzA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-RADIUS-SavedFramedInterfaceId,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msRADIUS-SavedFramedInterfaceId
adminDisplayName: ms-RADIUS-SavedFramedInterfaceId
adminDescription: This Attribute indicates the IPv6 interface identifier to be configured for the user.
attributeId: 1.2.840.113556.1.4.1914
attributeSyntax: 2.5.5.5
omSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 8
schemaIdGuid:: iXLapKOS5UK2ttrRbSgKyQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=SAM-Domain-Updates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: samDomainUpdates
adminDisplayName: SAM-Domain-Updates
adminDescription: Contains a bitmask of performed SAM operations on active directory
attributeId: 1.2.840.113556.1.4.1969
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 1024
schemaIdGuid:: FNHSBJn3m0683JDo9bp+vg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DFSR-RootSizeInMb,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: rangeUpper
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-net-ieee-8023-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-8023-GroupPolicy
adminDisplayName: ms-net-ieee-8023-GroupPolicy
adminDescription: This class represents an 802.3 wired network group policy object. This class contains identifiers and configuration data relevant to an 802.3 wired network.
governsId: 1.2.840.113556.1.5.252
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1956
systemMayContain: 1.2.840.113556.1.4.1955
systemMayContain: 1.2.840.113556.1.4.1954
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: ajqgmRmrRkSTUAy4eO0tmw==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-8023-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-80211-GroupPolicy
adminDisplayName: ms-net-ieee-80211-GroupPolicy
adminDescription: This class represents an 802.11 wireless network group policy object. This class contains identifiers and configuration data relevant to an 802.11 wireless network.
governsId: 1.2.840.113556.1.5.251
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1953
systemMayContain: 1.2.840.113556.1.4.1952
systemMayContain: 1.2.840.113556.1.4.1951
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: Yxi4HCK4eUOeol/3vcY4bQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msFVE-RecoveryInformation
adminDisplayName: FVE-RecoveryInformation
adminDescription: This class contains a Full Volume Encryption recovery password with its associated GUID.
governsId: 1.2.840.113556.1.5.253
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.1965
systemMustContain: 1.2.840.113556.1.4.1964
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: MF1x6lOP0EC9HmEJGG14LA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=NTDS-DSA-RO,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: nTDSDSARO
adminDisplayName: NTDS-DSA-RO
adminDescription: A subclass of Directory Service Agent which is distinguished by its reduced privilege level.
governsId: 1.2.840.113556.1.5.254
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.5.7000.47
systemPossSuperiors: 2.5.6.4
systemPossSuperiors: 1.2.840.113556.1.5.17
schemaIdGuid:: wW7RhZEHyEuKs3CYBgL/jA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=NTDS-DSA-RO,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFSR-Subscription,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.26
mayContain: 1.2.840.113556.1.6.13.3.27
mayContain: 1.2.840.113556.1.6.13.3.28
mayContain: 1.2.840.113556.1.6.13.3.29
mayContain: 1.2.840.113556.1.6.13.3.30
mayContain: 1.2.840.113556.1.6.13.3.31
-
dn: CN=ms-DFSR-ReplicationGroup,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.4
mayContain: 1.2.840.113556.1.6.13.3.6
mayContain: 1.2.840.113556.1.6.13.3.8
mayContain: 1.2.840.113556.1.6.13.3.12
mayContain: 1.2.840.113556.1.6.13.3.13
mayContain: 1.2.840.113556.1.6.13.3.27
-
dn: CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.4
mayContain: 1.2.840.113556.1.6.13.3.6
mayContain: 1.2.840.113556.1.6.13.3.8
mayContain: 1.2.840.113556.1.6.13.3.25
mayContain: 1.2.840.113556.1.6.13.3.27
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.1942
mayContain: 1.2.840.113556.1.4.1943
mayContain: 1.2.840.113556.1.4.1944
mayContain: 1.2.840.113556.1.4.1945
mayContain: 1.2.840.113556.1.4.1946
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1949
systemMayContain: 1.2.840.113556.1.4.1950
systemMayContain: 1.2.840.113556.1.4.1801
systemMayContain: 1.2.840.113556.1.4.1802
systemMayContain: 1.2.840.113556.1.4.1803
systemMayContain: 1.2.840.113556.1.4.1819
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1892
systemMayContain: 1.2.840.113556.1.4.1893
systemMayContain: 1.2.840.113556.1.4.1894
systemMayContain: 1.2.840.113556.1.4.1913
systemMayContain: 1.2.840.113556.1.4.1914
systemMayContain: 1.2.840.113556.1.4.1915
systemMayContain: 1.2.840.113556.1.4.1916
systemMayContain: 1.2.840.113556.1.4.1917
systemMayContain: 1.2.840.113556.1.4.1918
-
dn: CN=ms-DFSR-Connection,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.25
-
dn: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1967
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1966
-
dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.1946
-
dn: CN=ms-DS-Az-Admin-Manager,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1949
systemMayContain: 1.2.840.113556.1.4.1950
-
dn: CN=ms-DS-Az-Application,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1949
systemMayContain: 1.2.840.113556.1.4.1950
-
dn: CN=ms-DS-Az-Operation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1949
systemMayContain: 1.2.840.113556.1.4.1950
-
dn: CN=ms-DS-Az-Scope,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1949
systemMayContain: 1.2.840.113556.1.4.1950
-
dn: CN=ms-DS-Az-Task,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1949
systemMayContain: 1.2.840.113556.1.4.1950
-
dn: CN=ms-DS-Az-Role,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1949
systemMayContain: 1.2.840.113556.1.4.1950
-
dn: CN=Sam-Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1969
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: cn=Private-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
cn: Private-Information
objectClass: controlAccessRight
displayName: Private Information
appliesTo: 4828cc14-1437-45bc-9b07-ad6f015e5f28
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
rightsGUID: 91e647de-d96f-4b70-9557-d63ff4f3ccd8
validAccesses: 48
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 34
-
Sch35.ldf
dn: CN=ms-DS-Last-Successful-Interactive-Logon-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-LastSuccessfulInteractiveLogonTime
adminDisplayName: msDS-LastSuccessfulInteractiveLogonTime
adminDescription: The time that the correct password was presented during a C-A-D logon.
attributeId: 1.2.840.113556.1.4.1970
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: 5ikZAV2LWEK2SgCwtJSXRw==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon
adminDisplayName: ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon
adminDescription: The total number of failed interactive logons up until the last successful C-A-D logon.
attributeId: 1.2.840.113556.1.4.1973
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: 5TTSxUpkA0SmZeJuCu9emA==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Failed-Interactive-Logon-Count,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-FailedInteractiveLogonCount
adminDisplayName: msDS-FailedInteractiveLogonCount
adminDescription: The total number of failed interactive logons since this feature was turned on.
attributeId: 1.2.840.113556.1.4.1972
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: b6g83K1wYEmEJaTWMT2T3Q==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Last-Failed-Interactive-Logon-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-LastFailedInteractiveLogonTime
adminDisplayName: msDS-LastFailedInteractiveLogonTime
adminDescription: The time that an incorrect password was presented during a C-A-D logon.
attributeId: 1.2.840.113556.1.4.1971
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: +trnx8MQi0uazVTxEGN0Lg==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1970
systemMayContain: 1.2.840.113556.1.4.1971
systemMayContain: 1.2.840.113556.1.4.1972
systemMayContain: 1.2.840.113556.1.4.1973
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 35
-
Sch36.ldf
dn: CN=ms-DS-Revealed-List-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-RevealedListBL
adminDisplayName: ms-DS-Revealed-List-BL
adminDescription: backlink attribute for ms-DS-Revealed-List.
attributeId: 1.2.840.113556.1.4.1975
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: /Ygcqvawn0Kyyp2QImboCA==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=From-Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn: CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=msNPCallingStationID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=msNPSavedCallingStationID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=msRADIUSCallbackNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=msRADIUSFramedIPAddress,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=msRADIUSFramedRoute,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=msRADIUSServiceType,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=msRASSavedCallbackNumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=msRASSavedFramedIPAddress,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=msRASSavedFramedRoute,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=ms-RADIUS-FramedInterfaceId,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=ms-RADIUS-SavedFramedInterfaceId,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=ms-RADIUS-FramedIpv6Prefix,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=ms-RADIUS-SavedFramedIpv6Prefix,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=ms-RADIUS-FramedIpv6Route,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=ms-RADIUS-SavedFramedIpv6Route,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 16
-
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 136
-
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 137
-
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 136
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1975
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: cn=Read-Only-Replication-Secret-Synchronization,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: localizationDisplayId
localizationDisplayId: 72
-
dn: cn=Read-Only-Replication-Secret-Synchronization,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Read Only Replication Secret Synchronization
localizationDisplayId: 73
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
rightsGUID: 1131f6ae-9c07-11d1-f79f-00c04fc2dcd2
validAccesses: 256
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 36
-
Sch37.ldf
dn: CN=ms-DS-User-Password-Expiry-Time-Computed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-UserPasswordExpiryTimeComputed
adminDisplayName: ms-DS-User-Password-Expiry-Time-Computed
adminDescription: Contains the expiry time for the user's current password
attributeId: 1.2.840.113556.1.4.1996
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: EM/VrQl7SUSa5iU0FI+Kcg==
attributeSecurityGuid:: AEIWTMAg0BGnaACqAG4FKQ==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Principal-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PrincipalName
adminDisplayName: ms-DS-Principal-Name
adminDescription: Account name for the security principal (constructed)
attributeId: 1.2.840.113556.1.4.1865
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JZNOVlfQQ8GeO0+eXvRvkw==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DFSR-OnDemandExclusionDirectoryFilter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-OnDemandExclusionDirectoryFilter
adminDisplayName: DFSR-OnDemandExclusionDirectoryFilter
adminDescription: Filter string applied to on demand replication directories
attributeId: 1.2.840.113556.1.6.13.3.36
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: /zpSfRKQskmZJfkioAGGVg==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-DefaultCompressionExclusionFilter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-DefaultCompressionExclusionFilter
adminDisplayName: DFSR-DefaultCompressionExclusionFilter
adminDescription: Filter string containing extensions of file types not to be compressed
attributeId: 1.2.840.113556.1.6.13.3.34
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: 1RuBh4vNy0WfXZgPOp4Mlw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-TS-Home-Drive,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSHomeDrive
adminDisplayName: ms-TS-Home-Drive
adminDescription: Terminal Services Home Drive specifies a Home drive for the user. In a network environment, this property is a string containing a drive specification (a drive letter followed by a colon) to which the UNC path specified in the TerminalServicesHomeDirectory property is mapped. To set a home directory in a network environment, you must first set this property and then set the TerminalServicesHomeDirectory property.
attributeId: 1.2.840.113556.1.4.1978
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: 2SQKX/rf2Uysv6BoDANzHg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-Property01,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSProperty01
adminDisplayName: MS-TS-Property01
adminDescription: Placeholder Terminal Server Property 01
attributeId: 1.2.840.113556.1.4.1991
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: d6mu+lWW10mFPfJ7t6rKDw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-Property02,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSProperty02
adminDisplayName: MS-TS-Property02
adminDescription: Placeholder Terminal Server Property 02
attributeId: 1.2.840.113556.1.4.1992
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: rPaGNbdReEmrQvk2RjGY5w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Allow-Logon,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSAllowLogon
adminDisplayName: ms-TS-Allow-Logon
adminDescription: Terminal Services Allow Logon specifies whether the user is allowed to log on to the Terminal Server. The value is 1 if logon is allowed, and 0 if logon is not allowed.
attributeId: 1.2.840.113556.1.4.1979
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ZNQMOlS850CTrqZGpuzEtA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-ExpireDate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSExpireDate
adminDisplayName: MS-TS-ExpireDate
adminDescription: TS Expiration Date
attributeId: 1.2.840.113556.1.4.1993
attributeSyntax: 2.5.5.11
omSyntax: 24
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: 9U4AcMMlakSXyJlq6FZndg==
showInAdvancedViewOnly: FALSE
systemFlags: 16
dn: CN=MS-TS-ManagingLS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSManagingLS
adminDisplayName: MS-TS-ManagingLS
adminDescription: TS Managing License Server
attributeId: 1.2.840.113556.1.4.1995
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: R8W887CFLEOawDBFBr8sgw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DFSR-Options2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-Options2
adminDisplayName: DFSR-Options2
adminDescription: Object Options2
attributeId: 1.2.840.113556.1.6.13.3.37
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: GEPiEaZMSU+a/uXrGvo0cw==
showInAdvancedViewOnly: TRUE
dn: CN=ms-TS-Profile-Path,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSProfilePath
adminDisplayName: ms-TS-Profile-Path
adminDescription: Terminal Services Profile Path specifies a roaming or mandatory profile path to use when the user logs on to the Terminal Server. The profile path is in the following network path format: \\servername\profiles folder name\username
attributeId: 1.2.840.113556.1.4.1976
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: 2zBc5mwxYECjoDh7CD8JzQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Max-Idle-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSMaxIdleTime
adminDisplayName: ms-TS-Max-Idle-Time
adminDescription: Terminal Services Session Maximum Idle Time is maximum amount of time, in minutes, that the Terminal Services session can remain idle. After the specified number of minutes have elapsed, the session can be disconnected or terminated.
attributeId: 1.2.840.113556.1.4.1983
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: nJ5z/7drDkayIeJQ894PlQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Home-Directory,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSHomeDirectory
adminDisplayName: ms-TS-Home-Directory
adminDescription: Terminal Services Home Directory specifies the Home directory for the user. Each user on a Terminal Server has a unique home directory. This ensures that application information is stored separately for each user in a multi-user environment. To set a home directory on the local computer, specify a local path; for example, C:\Path. To set a home directory in a network environment, you must first set the TerminalServicesHomeDrive property, and then set this property to a UNC path.
attributeId: 1.2.840.113556.1.4.1977
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: 8BA1XefEIkG5H6IK3ZDiRg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Remote-Control,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSRemoteControl
adminDisplayName: ms-TS-Remote-Control
adminDescription: Terminal Services Remote Control specifies the whether to allow remote observation or remote control of the user's Terminal Services session. For a description of these values, see the RemoteControl method of the Win32_TSRemoteControlSetting WMI class. 0 - Disable, 1 - EnableInputNotify, 2 - EnableInputNoNotify, 3 - EnableNoInputNotify and 4 - EnableNoInputNoNotify
attributeId: 1.2.840.113556.1.4.1980
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: JnIXFUKGi0aMSAPd/QBJgg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Work-Directory,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSWorkDirectory
adminDisplayName: ms-TS-Work-Directory
adminDescription: Terminal Services Session Work Directory specifies the working directory path for the user. To set an initial application to start when the user logs on to the Terminal Server, you must first set the TerminalServicesInitialProgram property, and then set this property.
attributeId: 1.2.840.113556.1.4.1989
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: ZvZEpzw9yEyDS51Pb2h7iw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Initial-Program,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSInitialProgram
adminDisplayName: ms-TS-Initial-Program
adminDescription: Terminal Services Session Initial Program specifies the Path and file name of the application that the user wants to start automatically when the user logs on to the Terminal Server. To set an initial application to start when the user logs on, you must first set this property and then set the TerminalServicesWorkDirectory property. If you set only the TerminalServicesInitialProgram property, the application starts in the user's session in the default user directory.
attributeId: 1.2.840.113556.1.4.1990
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: b6wBkmkd+02ALtlVEBCVmQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-LicenseVersion,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSLicenseVersion
adminDisplayName: MS-TS-LicenseVersion
adminDescription: TS License Version
attributeId: 1.2.840.113556.1.4.1994
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: iUrpCi838k2uisZKK8RyeA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Max-Connection-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSMaxConnectionTime
adminDisplayName: ms-TS-Max-Connection-Time
adminDescription: Terminal Services Session maximum Connection Time is Maximum duration, in minutes, of the Terminal Services session. After the specified number of minutes have elapsed, the session can be disconnected or terminated.
attributeId: 1.2.840.113556.1.4.1982
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: 4g6WHWRklU6ngeO1zV+ViA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Reconnection-Action,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSReconnectionAction
adminDisplayName: ms-TS-Reconnection-Action
adminDescription: Terminal Services Session Reconnection Action specifies whether to allow reconnection to a disconnected Terminal Services session from any client computer. The value is 1 if reconnection is allowed from the original client computer only, and 0 if reconnection from any client computer is allowed.
attributeId: 1.2.840.113556.1.4.1984
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: ytduNhg+f0yrrjUaAeS09w==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Connect-Client-Drives,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSConnectClientDrives
adminDisplayName: ms-TS-Connect-Client-Drives
adminDescription: Terminal Services Session Connect Client Drives At Logon specifies whether to reconnect to mapped client drives at logon. The value is 1 if reconnection is enabled, and 0 if reconnection is disabled.
attributeId: 1.2.840.113556.1.4.1986
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: rypXI90p6kSw+n6EOLmkow==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DFSR-CommonStagingPath,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-CommonStagingPath
adminDisplayName: DFSR-CommonStagingPath
adminDescription: Full path of the common staging directory
attributeId: 1.2.840.113556.1.6.13.3.38
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: Qaxuk1fSuUu9VfMQo88JrQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-TS-Max-Disconnection-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSMaxDisconnectionTime
adminDisplayName: ms-TS-Max-Disconnection-Time
adminDescription: Terminal Services Session Maximum Disconnection Time is maximum amount of time, in minutes, that a disconnected Terminal Services session remains active on the Terminal Server. After the specified number of minutes have elapsed, the session is terminated.
attributeId: 1.2.840.113556.1.4.1981
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: iXBvMthThEe4FEbYU1EQ0g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Default-To-Main-Printer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSDefaultToMainPrinter
adminDisplayName: ms-TS-Default-To-Main-Printer
adminDescription: Terminal Services Default To Main Printer specifies whether to print automatically to the client's default printer. The value is 1 if printing to the client's default printer is enabled, and 0 if it is disabled.
attributeId: 1.2.840.113556.1.4.1988
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: veL/wM/Kx02I1WHp6Vdm9g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Connect-Printer-Drives,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSConnectPrinterDrives
adminDisplayName: ms-TS-Connect-Printer-Drives
adminDescription: Terminal Services Session Connect Printer Drives At Logon specifies whether to reconnect to mapped client printers at logon. The value is 1 if reconnection is enabled, and 0 if reconnection is disabled.
attributeId: 1.2.840.113556.1.4.1987
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: N6nmjBuHkkyyhdmdQDZoHA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Broken-Connection-Action,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSBrokenConnectionAction
adminDisplayName: ms-TS-Broken-Connection-Action
adminDescription: Terminal Services Session Broken Connection Action specifies the action to take when a Terminal Services session limit is reached. The value is 1 if the client session should be terminated, and 0 if the client session should be disconnected.
attributeId: 1.2.840.113556.1.4.1985
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: uhv0HARWPkaU1hoSh7csow==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DFSR-DisablePacketPrivacy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-DisablePacketPrivacy
adminDisplayName: DFSR-DisablePacketPrivacy
adminDescription: Disable packet privacy on a connection
attributeId: 1.2.840.113556.1.6.13.3.32
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: 5e2Eah50/UOd1qoPYVeGIQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-CommonStagingSizeInMb,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-CommonStagingSizeInMb
adminDisplayName: DFSR-CommonStagingSizeInMb
adminDescription: Size of the common staging directory in MB
attributeId: 1.2.840.113556.1.6.13.3.39
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: -1
schemaIdGuid:: DrBeE0ZIi0WOoqN1Wa/UBQ==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-OnDemandExclusionFileFilter,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-OnDemandExclusionFileFilter
adminDisplayName: DFSR-OnDemandExclusionFileFilter
adminDescription: Filter string applied to on demand replication files
attributeId: 1.2.840.113556.1.6.13.3.35
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: 3FmDpoGl5k6QFVOCxg8PtA==
showInAdvancedViewOnly: TRUE
dn: CN=ms-DFSR-StagingCleanupTriggerInPercent,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDFSR-StagingCleanupTriggerInPercent
adminDisplayName: DFSR-StagingCleanupTriggerInPercent
adminDescription: Staging cleanup trigger in percent of free disk space
attributeId: 1.2.840.113556.1.6.13.3.40
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: I5xL1vrhe0azF2lk10TWMw==
showInAdvancedViewOnly: TRUE
dn: CN=Terminal-Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn: CN=MS-TS-ExpireDate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
-
dn: CN=MS-TS-LicenseVersion,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
-
dn: CN=MS-TS-ManagingLS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
-
dn: CN=Terminal-Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DFSR-LocalSettings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.37
mayContain: 1.2.840.113556.1.6.13.3.38
mayContain: 1.2.840.113556.1.6.13.3.39
mayContain: 1.2.840.113556.1.6.13.3.40
-
dn: CN=ms-DFSR-Subscriber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.37
-
dn: CN=ms-DFSR-Subscription,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.35
mayContain: 1.2.840.113556.1.6.13.3.36
mayContain: 1.2.840.113556.1.6.13.3.37
mayContain: 1.2.840.113556.1.6.13.3.40
-
dn: CN=ms-DFSR-GlobalSettings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.37
-
dn: CN=ms-DFSR-ReplicationGroup,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.34
mayContain: 1.2.840.113556.1.6.13.3.35
mayContain: 1.2.840.113556.1.6.13.3.36
mayContain: 1.2.840.113556.1.6.13.3.37
-
dn: CN=ms-DFSR-Content,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.37
-
dn: CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.34
mayContain: 1.2.840.113556.1.6.13.3.35
mayContain: 1.2.840.113556.1.6.13.3.36
mayContain: 1.2.840.113556.1.6.13.3.37
-
dn: CN=ms-DFSR-Topology,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.37
-
dn: CN=ms-DFSR-Member,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.37
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1976
systemMayContain: 1.2.840.113556.1.4.1977
systemMayContain: 1.2.840.113556.1.4.1978
systemMayContain: 1.2.840.113556.1.4.1979
systemMayContain: 1.2.840.113556.1.4.1980
systemMayContain: 1.2.840.113556.1.4.1981
systemMayContain: 1.2.840.113556.1.4.1982
systemMayContain: 1.2.840.113556.1.4.1983
systemMayContain: 1.2.840.113556.1.4.1984
systemMayContain: 1.2.840.113556.1.4.1985
systemMayContain: 1.2.840.113556.1.4.1986
systemMayContain: 1.2.840.113556.1.4.1987
systemMayContain: 1.2.840.113556.1.4.1988
systemMayContain: 1.2.840.113556.1.4.1989
systemMayContain: 1.2.840.113556.1.4.1990
systemMayContain: 1.2.840.113556.1.4.1991
systemMayContain: 1.2.840.113556.1.4.1992
systemMayContain: 1.2.840.113556.1.4.1993
systemMayContain: 1.2.840.113556.1.4.1994
systemMayContain: 1.2.840.113556.1.4.1995
-
dn: CN=ms-DFSR-Connection,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.6.13.3.32
mayContain: 1.2.840.113556.1.6.13.3.37
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1991
systemMayContain: 1.2.840.113556.1.4.1992
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1996
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1865
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1957
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1958
-
dn: CN=ms-DS-AuthenticatedTo-Accountlist,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: adminDescription
adminDescription: Backlink for ms-DS-AuthenticatedAt-DC; for a Computer, identifies which users have authenticated to this Computer
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: MS-TS-GatewayAccess
rightsGuid: ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
validAccesses: 48
localizationDisplayId: 74
dn: CN=Terminal-Server-License-Server,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Terminal Server License Server
rightsGuid: 5805bc62-bdc9-4428-a5e2-856a0f4c185e
appliesTo: 4828cc14-1437-45bc-9b07-ad6f015e5f28
appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2
validAccesses: 48
localizationDisplayId: 75
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 37
-
Sch38.ldf
dn: CN=ms-DS-AuthenticatedAt-DC,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: FALSE
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 38
-
Sch39.ldf
dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msFVE-KeyPackage
adminDisplayName: FVE-KeyPackage
adminDescription: This attribute contains a volume's BitLocker encryption key secured by the corresponding recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeId: 1.2.840.113556.1.4.1999
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 152
rangeUpper: 102400
schemaIdGuid:: qF7VH6eI3EeBKQ2qlxhqVA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msFVE-VolumeGuid
adminDisplayName: FVE-VolumeGuid
adminDescription: This attribute contains the GUID associated with a BitLocker-supported disk volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeId: 1.2.840.113556.1.4.1998
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 27
rangeUpper: 128
schemaIdGuid:: z6Xlhe7cdUCc/aydtqLyRQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-HAB-Seniority-Index,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-HABSeniorityIndex
adminDisplayName: ms-DS-HAB-Seniority-Index
adminDescription: Contains the seniority index as applied by the organization where the person works.
attributeId: 1.2.840.113556.1.4.1997
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
mapiID: 36000
searchFlags: 1
schemaIdGuid:: 8Un03jv9RUCYz9lljaeItQ==
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDescription
adminDescription: This attribute contains a password that can recover a BitLocker-encrypted volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-
add: rangeUpper
rangeUpper: 256
-
replace: searchFlags
searchFlags: 152
-
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDescription
adminDescription: This attribute contains the GUID associated with a BitLocker recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-
add: rangeUpper
rangeUpper: 128
-
replace: searchFlags
searchFlags: 27
-
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: rangeUpper
rangeUpper: 128
-
replace: searchFlags
searchFlags: 152
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1958
-
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDescription
adminDescription: This class contains BitLocker recovery information including GUIDs, recovery passwords, and keys. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-
dn: CN=msSFU-30-Posix-Member,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDescription
adminDescription: This attribute is used to store the DN display name of users which are a part of the group
-
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1998
systemMayContain: 1.2.840.113556.1.4.1999
-
dn: CN=NTDS-DSA-RO,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.1997
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 39
-
Sch40.ldf
dn: CN=ms-DS-Password-Reversible-Encryption-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PasswordReversibleEncryptionEnabled
adminDisplayName: Password Reversible Encryption Status
adminDescription: Password reversible encryption status for user accounts
attributeId: 1.2.840.113556.1.4.2016
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: j93MdWyvh0S7S2nk04qVnA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-NC-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-NcType
adminDisplayName: ms-DS-NC-Type
adminDescription: A bit field that maintains information about aspects of a NC replica that are relevant to replication.
attributeId: 1.2.840.113556.1.4.2024
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: 16wuWivMz0idmrbxoAJN6Q==
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-PSO-Applies-To,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PSOAppliesTo
adminDisplayName: Password settings object applies to
adminDescription: Links to objects that this password settings object applies to
attributeId: 1.2.840.113556.1.4.2020
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: SA/IZNLNgUiobU6XtvVh/A==
linkID: 2118
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-PSO-Applied,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PSOApplied
adminDisplayName: Password settings object applied
adminDescription: Password settings object applied to this object
attributeId: 1.2.840.113556.1.4.2021
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 16
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: MfBsXqi9yEOspI/uQScAWw==
linkID: 2119
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Resultant-PSO,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-ResultantPSO
adminDisplayName: Resultant password settings object applied
adminDescription: Resultant password settings object applied to this object
attributeId: 1.2.840.113556.1.4.2022
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 16
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: k6B+t9CIgEeamJEfjosdyg==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Lockout-Duration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-LockoutDuration
adminDisplayName: Lockout Duration
adminDescription: Lockout duration for locked out user accounts
attributeId: 1.2.840.113556.1.4.2018
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 0
schemaIdGuid:: mogfQi5H5E+OueHQvGBxsg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Lockout-Threshold,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-LockoutThreshold
adminDisplayName: Lockout Threshold
adminDescription: Lockout threshold for lockout of user accounts
attributeId: 1.2.840.113556.1.4.2019
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 65535
schemaIdGuid:: XsPIuBlKlUqZ0Gn+REYobw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Minimum-Password-Age,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-MinimumPasswordAge
adminDisplayName: Minimum Password Age
adminDescription: Minimum Password Age for user accounts
attributeId: 1.2.840.113556.1.4.2012
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 0
schemaIdGuid:: ePh0KpxN+UmXs2dn0cvZow==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Maximum-Password-Age,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-MaximumPasswordAge
adminDisplayName: Maximum Password Age
adminDescription: Maximum Password Age for user accounts
attributeId: 1.2.840.113556.1.4.2011
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 0
schemaIdGuid:: 9TfT/ZlJzk+yUo/5ybQ4dQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Minimum-Password-Length,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-MinimumPasswordLength
adminDisplayName: Minimum Password Length
adminDescription: Minimum Password Length for user accounts
attributeId: 1.2.840.113556.1.4.2013
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 255
schemaIdGuid:: OTQbsjpMHES7XwjyDpsxXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Password-History-Length,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PasswordHistoryLength
adminDisplayName: Password History Length
adminDescription: Password History Length for user accounts
attributeId: 1.2.840.113556.1.4.2014
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 65535
schemaIdGuid:: txvY/ox2L0yWQSJF3jR5TQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Lockout-Observation-Window,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-LockoutObservationWindow
adminDisplayName: Lockout Observation Window
adminDescription: Observation Window for lockout of user accounts
attributeId: 1.2.840.113556.1.4.2017
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 0
schemaIdGuid:: idpbsK92ika4khvlVVjsyA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Password-Complexity-Enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PasswordComplexityEnabled
adminDisplayName: Password Complexity Status
adminDescription: Password complexity status for user accounts
attributeId: 1.2.840.113556.1.4.2015
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: SwVo28PJ8EuxWw+1JVKmEA==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Password-Settings-Precedence,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-PasswordSettingsPrecedence
adminDisplayName: Password Settings Precedence
adminDescription: Password Settings Precedence
attributeId: 1.2.840.113556.1.4.2023
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 1
schemaIdGuid:: rHRjRQofF0aTz7xVp8nTQQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-ManagingLS2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSManagingLS2
adminDisplayName: MS-TS-ManagingLS2
adminDescription: Issuer name of the second TS per user CAL.
attributeId: 1.2.840.113556.1.4.2002
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 255
schemaIdGuid:: VwefNL1RyE+dZj7O6oolvg==
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-ManagingLS3,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSManagingLS3
adminDisplayName: MS-TS-ManagingLS3
adminDescription: Issuer name of the third TS per user CAL.
attributeId: 1.2.840.113556.1.4.2005
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 255
schemaIdGuid:: wdzV+jAhh0yhGHUyLNZwUA==
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-ManagingLS4,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSManagingLS4
adminDisplayName: MS-TS-ManagingLS4
adminDescription: Issuer name of the fourth TS per user CAL.
attributeId: 1.2.840.113556.1.4.2008
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 255
schemaIdGuid:: oLaj9wchQEGzBnXLUhcx5Q==
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-ExpireDate2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSExpireDate2
adminDisplayName: MS-TS-ExpireDate2
adminDescription: Expiration date of the second TS per user CAL.
attributeId: 1.2.840.113556.1.4.2000
attributeSyntax: 2.5.5.11
omSyntax: 24
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: cc/fVD+8C0+dWkskdruJJQ==
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-ExpireDate3,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSExpireDate3
adminDisplayName: MS-TS-ExpireDate3
adminDescription: Expiration date of the third TS per user CAL.
attributeId: 1.2.840.113556.1.4.2003
attributeSyntax: 2.5.5.11
omSyntax: 24
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: BH+8QXK+MEm9EB80OUEjhw==
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-ExpireDate4,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSExpireDate4
adminDisplayName: MS-TS-ExpireDate4
adminDescription: Expiration date of the fourth TS per user CAL.
attributeId: 1.2.840.113556.1.4.2006
attributeSyntax: 2.5.5.11
omSyntax: 24
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
schemaIdGuid:: Q9wRXkogr0+gCGhjYhxvXw==
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TSLS-Property01,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSLSProperty01
adminDisplayName: MS-TSLS-Property01
adminDescription: Placeholder Terminal Server License Server Property 01
attributeId: 1.2.840.113556.1.4.2009
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: kDXlhx2XUkqVW0eU0VqErg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TSLS-Property02,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSLSProperty02
adminDisplayName: MS-TSLS-Property02
adminDescription: Placeholder Terminal Server License Server Property 02
attributeId: 1.2.840.113556.1.4.2010
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 32767
schemaIdGuid:: sHvHR24xL06X8Q1MSPyp3Q==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-LicenseVersion2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSLicenseVersion2
adminDisplayName: MS-TS-LicenseVersion2
adminDescription: Version of the second TS per user CAL.
attributeId: 1.2.840.113556.1.4.2001
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 255
schemaIdGuid:: A/ENS5eN2UWtaYXDCAuk5w==
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-LicenseVersion3,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSLicenseVersion3
adminDisplayName: MS-TS-LicenseVersion3
adminDescription: Version of the third TS per user CAL.
attributeId: 1.2.840.113556.1.4.2004
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 255
schemaIdGuid:: gY+6+KtMc0mjyDptpipeMQ==
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=MS-TS-LicenseVersion4,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSLicenseVersion4
adminDisplayName: MS-TS-LicenseVersion4
adminDescription: Version of the fourth TS per user CAL.
attributeId: 1.2.840.113556.1.4.2007
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 1
rangeLower: 0
rangeUpper: 255
schemaIdGuid:: l13KcAQjCkmKJ1JnjI0glQ==
attributeSecurityGuid:: YrwFWMm9KESl4oVqD0wYXg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Is-User-Cachable-At-Rodc,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-IsUserCachableAtRodc
adminDisplayName: ms-DS-Is-User-Cachable-At-Rodc
adminDescription: For a Read-Only Directory instance (DSA), Identifies whether the specified user's secrets are cachable.
attributeId: 1.2.840.113556.1.4.2025
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: WiQB/h80VkWVH0jAM6iQUA==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=Title,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rangeUpper
rangeUpper: 128
-
dn: CN=Last-Logon-Timestamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 664
-
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 664
-
dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 664
-
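The three ntdsSchemaModify records above set searchFlags to 664 on the BitLocker recovery password, the TPM owner information and the BitLocker key package. 664 is a bitmask: 8 (preserve on delete) + 16 (copy on duplicate) + 128 (CONFIDENTIAL, readable only with the control-access right rather than generic read) + 512 (RODC filtered, never replicated to a read-only DC). The following is an added example, not part of the Microsoft schema files; it parses LDIF records of the same shape, decodes searchFlags into named bits, and reports any secret-bearing attribute that is missing either protection bit. The sample LDIF is constructed to mirror the records above; the bit names follow the MS-ADTS searchFlags definitions.

```python
"""Decode AD schema searchFlags from LDIF and audit secret-bearing attributes.

Added example for illustration; not code from the schema update files.
"""
from typing import Dict, List, Set

# searchFlags bits as defined in MS-ADTS (value -> name).
SEARCH_FLAGS = {
    1: "INDEX",
    2: "CONTAINER_INDEX",
    4: "ANR",
    8: "PRESERVE_ON_DELETE",
    16: "COPY_ON_DUPLICATE",
    32: "TUPLE_INDEX",
    64: "SUBTREE_INDEX",
    128: "CONFIDENTIAL",
    256: "NEVER_AUDIT_VALUE",
    512: "RODC_FILTERED",
    1024: "EXTENDED_LINK_TRACKING",
    2048: "BASE_ONLY",
    4096: "PARTITION_SECRET",
}
CONFIDENTIAL = 128
RODC_FILTERED = 512

# Attributes that hold recovery secrets and should carry both protection bits.
SECRET_ATTRIBUTES = {"ms-FVE-RecoveryPassword", "ms-TPM-OwnerInformation", "ms-FVE-KeyPackage"}

# Constructed sample mirroring the ntdsSchemaModify records in the schema file.
SAMPLE_LDIF = """\
dn: CN=Last-Logon-Timestamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 664
-
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 664
-
dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 664
-
"""


def parse_ldif_records(text: str) -> List[Dict[str, List[str]]]:
    """Split simple LDIF into records (attribute -> values).

    A new record starts at each 'dn:' line; '-' change separators and blank
    lines are skipped. '::' (base64) values are kept as their raw text.
    """
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("dn:"):
            if current:
                records.append(current)
            current = {}
        if not line or line == "-" or not current and not line.startswith("dn:"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        current.setdefault(key.strip(), []).append(value.lstrip(":").strip())
    if current:
        records.append(current)
    return records


def decode_search_flags(value: int) -> List[str]:
    """Return the names of the searchFlags bits set in value, lowest bit first."""
    names = [name for bit, name in SEARCH_FLAGS.items() if value & bit]
    unknown = value & ~sum(SEARCH_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def audit_secret_attributes(text: str, secrets: Set[str]) -> Dict[str, List[str]]:
    """Map each secret attribute seen in the LDIF to the protection bits it lacks."""
    findings: Dict[str, List[str]] = {}
    for rec in parse_ldif_records(text):
        cn = rec.get("dn", [""])[0].split(",")[0].removeprefix("CN=")
        if cn not in secrets or "searchFlags" not in rec:
            continue
        flags = int(rec["searchFlags"][0])
        missing = [name for bit, name in ((CONFIDENTIAL, "CONFIDENTIAL"), (RODC_FILTERED, "RODC_FILTERED")) if not flags & bit]
        findings[cn] = missing
    return findings


if __name__ == "__main__":
    print(decode_search_flags(664))
    print(audit_secret_attributes(SAMPLE_LDIF, SECRET_ATTRIBUTES))
```

To audit a live forest instead of a file, feed the value returned by Get-ADObject (for example `Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -Filter 'ldapDisplayName -eq "msFVE-RecoveryPassword"' -Properties searchFlags`) to decode_search_flags; any secret attribute that reports a missing CONFIDENTIAL bit is readable by anyone with generic read on the computer object.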
dn: CN=Picture,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: mapiId
mapiId: 35998
-
dn: CN=ms-DS-Source-Object-DN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: attributeSecurityGuid
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
-
dn: CN=ipServiceProtocol,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: FALSE
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Device,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=ipService,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=ipService,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.3.6.1.1.1.2.9
-
dn: CN=ipProtocol,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=ipProtocol,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.3.6.1.1.1.2.9
-
dn: CN=ipHost,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 0.9.2342.19200300.100.1.10
-
dn: CN=ipNetwork,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=ipNetwork,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.3.6.1.1.1.2.9
-
dn: CN=ipNetwork,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 0.9.2342.19200300.100.1.10
-
dn: CN=nisNetgroup,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=nisNetGroup,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.3.6.1.1.1.2.9
-
dn: CN=nisMap,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=nisObject,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=nisObject,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.3.6.1.1.1.2.9
-
dn: CN=msSFU-30-Mail-Aliases,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=msSFU-30-Mail-Aliases,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.3.6.1.1.1.2.9
-
dn: CN=msSFU-30-Net-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=msSFU-30-Net-Id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.3.6.1.1.1.2.9
-
dn: CN=msSFU-30-Network-User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.2.840.113556.1.5.67
-
dn: CN=msSFU-30-Network-User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: possSuperiors
possSuperiors: 1.3.6.1.1.1.2.9
-
dn: CN=ms-DS-Password-Settings-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-PasswordSettingsContainer
adminDisplayName: ms-DS-Password-Settings-Container
adminDescription: Container for password settings objects
governsId: 1.2.840.113556.1.5.256
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: arAGW/NMwES9FkO8EKmH2g==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Password-Settings-Container,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-PasswordSettings
adminDisplayName: ms-DS-Password-Settings
adminDescription: Password settings object for accounts
governsId: 1.2.840.113556.1.5.255
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.4.2023
systemMustContain: 1.2.840.113556.1.4.2016
systemMustContain: 1.2.840.113556.1.4.2019
systemMustContain: 1.2.840.113556.1.4.2018
systemMustContain: 1.2.840.113556.1.4.2017
systemMustContain: 1.2.840.113556.1.4.2015
systemMustContain: 1.2.840.113556.1.4.2013
systemMustContain: 1.2.840.113556.1.4.2012
systemMustContain: 1.2.840.113556.1.4.2011
systemMustContain: 1.2.840.113556.1.4.2014
systemMayContain: 1.2.840.113556.1.4.2020
systemPossSuperiors: 1.2.840.113556.1.5.256
schemaIdGuid:: uJ3NO0v4HEWVL2xSuB+exg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2000
systemMayContain: 1.2.840.113556.1.4.2001
systemMayContain: 1.2.840.113556.1.4.2002
systemMayContain: 1.2.840.113556.1.4.2003
systemMayContain: 1.2.840.113556.1.4.2004
systemMayContain: 1.2.840.113556.1.4.2005
systemMayContain: 1.2.840.113556.1.4.2006
systemMayContain: 1.2.840.113556.1.4.2007
systemMayContain: 1.2.840.113556.1.4.2008
systemMayContain: 1.2.840.113556.1.4.2009
systemMayContain: 1.2.840.113556.1.4.2010
systemMayContain: 1.2.840.113556.1.4.2022
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2021
systemMayContain: 1.2.840.113556.1.4.2024
-
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: mayContain
mayContain: 1.2.840.113556.1.4.1998
mayContain: 1.2.840.113556.1.4.1999
-
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1998
systemMayContain: 1.2.840.113556.1.4.1999
-
dn: CN=Server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2025
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2025
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2025
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Reload-SSL-Certificate,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Reload SSL/TLS Certificate
rightsGuid: 1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8
appliesTo: f0f8ffab-1191-11d0-a060-00aa006c33ed
validAccesses: 256
localizationDisplayId: 76
dn: CN=DS-Replication-Get-Changes-In-Filtered-Set,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Replicating Directory Changes In Filtered Set
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
rightsGuid: 89e95b76-444d-4c62-991a-0facbeda640c
validAccesses: 256
localizationDisplayId: 77
dn: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rightsGuid
rightsGuid: ffa6f046-ca4b-4feb-b40d-04dfee722543
-
dn: CN=Terminal-Server-License-Server,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rightsGuid
rightsGuid: 5805bc62-bdc9-4428-a5e2-856a0f4c185e
-
delete: appliesTo
appliesTo: 5805bc62-bdc9-4428-a5e2-856a0f4c185e
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 40
-
Sch41.ldf
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1959
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1960
-
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1961
-
dn: CN=ms-DS-PSO-Applied,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 0
-
dn: CN=ms-DS-Resultant-PSO,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 0
-
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rightsGuid
rightsGuid: ffa6f046-ca4b-4feb-b40d-04dfee722543
-
dn: CN=Terminal-Server-License-Server,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: rightsGuid
rightsGuid: 5805bc62-bdc9-4428-a5e2-856a0f4c185e
-
delete: appliesTo
appliesTo: 5805bc62-bdc9-4428-a5e2-856a0f4c185e
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 41
-
Sch42.ldf
dn: CN=account-expires,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=address-book-roots,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=address-entry-display-table,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=address-entry-display-table-msdos,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=address-syntax,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=address-type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=admin-count,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=admin-display-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=allowed-attributes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=allowed-attributes-effective,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=allowed-child-classes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=allowed-child-classes-effective,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=alt-security-identities,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=anr,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=attribute-id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=attribute-security-guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=attribute-syntax,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=attribute-types,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=auditing-policy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=authentication-options,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=auxiliary-class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=bad-password-time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=bad-pwd-count,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=bridgehead-server-list-bl,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=canonical-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=code-page,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=common-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=cost,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=country-code,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=country-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=create-time-stamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=creation-time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=current-value,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=dbcs-pwd,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=default-hiding-value,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=default-object-category,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=default-security-descriptor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=description,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=display-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=display-name-printable,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=dit-content-rules,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=dmd-location,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=dn-reference-update,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=dns-host-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=dns-root,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=domain-component,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=domain-cross-ref,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=domain-replica,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ds-core-propagation-data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ds-heuristics,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=dsa-signature,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=efspolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=enabled-connection,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=extended-attribute-info,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=extended-chars-allowed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=extended-class-info,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=flat-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=force-logoff,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=from-entry,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=from-server,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=fsmo-role-owner,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=garbage-coll-period,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=given-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=global-address-list,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=governs-id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=group-type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=has-master-ncs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=has-partial-replica-ncs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=help-data16,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=help-data32,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=help-file-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=home-directory,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=home-drive,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=initial-auth-incoming,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=initial-auth-outgoing,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=instance-type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=inter-site-topology-failover,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=inter-site-topology-generator,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=inter-site-topology-renew,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=invocation-id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=is-critical-system-object,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=is-defunct,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=is-deleted,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=is-member-of-dl,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=is-member-of-partial-attribute-set,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=is-single-valued,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=keywords,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=last-known-parent,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=last-logoff,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=last-logon,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=last-logon-timestamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=last-set-time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ldap-admin-limits,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ldap-display-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ldap-ipdeny-list,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=legacy-exchange-dn,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=link-id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=lm-pwd-history,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=local-policy-flags,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=locality-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=lock-out-observation-window,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=lockout-duration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=lockout-threshold,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=lockout-time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=logo,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=logon-count,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=logon-hours,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=machine-role,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=managed-by,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=mapi-id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=mastered-by,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=max-pwd-age,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=max-renew-age,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=max-ticket-age,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=may-contain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=member,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=min-pwd-age,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=min-pwd-length,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=min-ticket-age,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=modified-count,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=modified-count-at-last-prom,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=modify-time-stamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-additional-dns-host-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-additional-sam-account-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-all-users-trust-quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-allowed-dns-suffixes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-allowed-to-delegate-to,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-auxiliary-classes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-approx-immed-subordinates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-authenticatedat-dc,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-authenticatedto-accountlist,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-az-ldap-query,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-behavior-version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-cached-membership,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-cached-membership-time-stamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-creator-sid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-default-quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-dnsrootalias,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-entry-time-to-die,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-executescriptpassword,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-has-instantiated-ncs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-has-domain-ncs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-has-master-ncs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-intid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-isgc,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-isrodc,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-keyversionnumber,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-logon-time-sync-interval,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-mastered-by,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-maximum-password-age,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-minimum-password-age,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-minimum-password-length,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-password-history-length,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-password-complexity-enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-password-reversible-encryption-enabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-lockout-observation-window,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-lockout-duration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-lockout-threshold,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-pso-applied,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-resultant-pso,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-password-settings-precedence,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-members-for-az-role,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-nc-type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-non-members,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-phonetic-display-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-sitename,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-supported-encryption-types,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-trust-forest-trust-info,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-tombstone-quota-factor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-top-quota-usage,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-machine-account-quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-other-settings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-principal-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-quota-amount,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-quota-effective,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-quota-trustee,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-quota-used,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-nc-repl-cursors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-nc-repl-inbound-neighbors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-nc-repl-outbound-neighbors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-nc-replica-locations,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-nc-ro-replica-locations,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-per-user-trust-quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-per-user-trust-tombstones-quota,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-preferred-gc-site,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-repl-attribute-meta-data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-repl-value-meta-data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-replicates-nc-reason,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-replication-notify-first-dsa-delay,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-replication-notify-subsequent-dsa-delay,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-replicationepoch,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-retired-repl-nc-signatures,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-sd-reference-domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-site-affinity,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-spn-suffixes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-port-ssl,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-service-account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-user-account-disabled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-user-dont-expire-password,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-user-account-auto-locked,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-user-password-expiry-time-computed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-user-account-control-computed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-user-password-expiry-time-computed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-updatescript,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-krbtgt-link,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-revealed-users,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-has-full-replica-ncs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-never-reveal-group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-reveal-ondemand-group,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-secondary-krbtgt-number,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-revealed-dsas,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-krbtgt-link-bl,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-is-user-cachable-at-rodc,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-revealed-list,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-revealed-list-bl,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-last-successful-interactive-logon-time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-last-failed-interactive-logon-time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-failed-interactive-logon-count,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=ms-ds-failed-interactive-logon-count-at-last-successful-logon,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=msmq-owner-id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=must-contain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=nc-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=netbios-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=next-rid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=nt-mixed-domain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=nt-pwd-history,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=nt-security-descriptor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=obj-dist-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=object-category,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=object-class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=object-class-category,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=object-classes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=object-guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=object-sid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=object-version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=oem-information,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=om-object-class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=om-syntax,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=operating-system,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=operating-system-service-pack,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=operating-system-version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=operator-count,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=options,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=organization-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=organizational-unit-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=other-well-known-objects,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=parent-guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=partial-attribute-deletion-list,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=partial-attribute-set,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=pek-list,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=poss-superiors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=possible-inferiors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=prefix-map,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=primary-group-id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=primary-group-token,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=prior-set-time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=prior-value,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=private-key,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=profile-path,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=proxied-object-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=proxy-addresses,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=proxy-lifetime,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=pwd-history-length,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=pwd-last-set,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=pwd-properties,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=query-policy-object,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=range-lower,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=range-upper,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rdn,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rdn-att-id,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=repl-property-meta-data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=repl-topology-stay-of-execution,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=repl-uptodate-vector,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=repl-interval,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=reps-from,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=reps-to,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=retired-repl-dsa-signatures,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=token-groups,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=token-groups-global-and-universal,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=token-groups-no-gc-acceptable,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=revision,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rid-allocation-pool,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rid-available-pool,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rid-manager-reference,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rid-next-rid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rid-previous-allocation-pool,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rid-set-references,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rid-used-pool,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=rights-guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=root-trust,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=sam-account-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=sam-account-type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=sam-domain-updates,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=schedule,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=schema-id-guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=schema-info,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=script-path,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=sd-rights-effective,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=search-flags,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=security-identifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=server-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=server-reference,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=server-reference-bl,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=server-state,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=service-principal-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=show-in-address-book,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=show-in-advanced-view-only,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=sid-history,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=site-link-list,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=site-list,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=site-object,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=smtp-mail-address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=spn-mappings,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=state-or-province-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=street-address,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=structural-object-class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=sub-class-of,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=sub-refs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=subschemasubentry,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=superior-dns-root,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=supplemental-credentials,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=surname,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=system-auxiliary-class,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=system-flags,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=system-may-contain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=system-must-contain,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=system-only,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=system-poss-superiors,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=template-roots,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=tombstone-lifetime,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=transport-address-attribute,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=transport-dll-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=transport-type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=trust-attributes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=trust-auth-incoming,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=trust-auth-outgoing,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=trust-direction,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=trust-parent,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=trust-partner,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=trust-posix-offset,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=trust-type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=uas-compat,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=unicode-pwd,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=upn-suffixes,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=user-account-control,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=user-comment,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=user-parameters,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=user-password,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=user-principal-name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=user-workstations,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=usn-changed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=usn-created,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=usn-dsa-last-obj-removed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=usn-last-obj-rem,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=valid-accesses,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=well-known-objects,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=when-changed,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=when-created,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: cn=schema-flags-ex,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: systemOnly
systemOnly: TRUE
-
dn: CN=Schema-Flags-Ex,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
-
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 42
-
Sch43.ldf
dn: CN=ms-DFS-Schema-Major-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Schema-Major-Version
attributeID: 1.2.840.113556.1.4.2030
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
rangeLower: 2
rangeUpper: 2
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Schema-Major-Version
adminDescription: Major version of schema of DFS metadata.
oMSyntax: 2
searchFlags: 0
lDAPDisplayName: msDFS-SchemaMajorVersion
schemaIDGUID:: VXht7EpwYU+apsSafB1Uxw==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Schema-Minor-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Schema-Minor-Version
attributeID: 1.2.840.113556.1.4.2031
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
rangeLower: 0
rangeUpper: 0
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Schema-Minor-Version
adminDescription: Minor version of schema of DFS metadata.
oMSyntax: 2
searchFlags: 0
lDAPDisplayName: msDFS-SchemaMinorVersion
schemaIDGUID:: Jaf5/vHoq0O9hmoBFc6eOA==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Generation-GUID-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Generation-GUID-v2
attributeID: 1.2.840.113556.1.4.2032
attributeSyntax: 2.5.5.10
isSingleValued: TRUE
rangeLower: 16
rangeUpper: 16
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Generation-GUID-v2
adminDescription: To be updated each time the entry containing this attribute is modified.
oMSyntax: 4
searchFlags: 0
lDAPDisplayName: msDFS-GenerationGUIDv2
schemaIDGUID:: 2bO4NY/F1kOTDlBA8vGngQ==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Namespace-Identity-GUID-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Namespace-Identity-GUID-v2
attributeID: 1.2.840.113556.1.4.2033
attributeSyntax: 2.5.5.10
isSingleValued: TRUE
rangeLower: 16
rangeUpper: 16
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Namespace-Identity-GUID-v2
adminDescription: To be set only when the namespace is created. Stable across rename/move as long as namespace is not replaced by another namespace having same name.
oMSyntax: 4
searchFlags: 0
lDAPDisplayName: msDFS-NamespaceIdentityGUIDv2
schemaIDGUID:: zjIEIF/sMUmlJdf0r+NOaA==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Last-Modified-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Last-Modified-v2
attributeID: 1.2.840.113556.1.4.2034
attributeSyntax: 2.5.5.11
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Last-Modified-v2
adminDescription: To be updated on each write to the entry containing the attribute.
oMSyntax: 24
searchFlags: 0
lDAPDisplayName: msDFS-LastModifiedv2
schemaIDGUID:: il4JPE4xW0aD9auCd7zymw==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Ttl-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Ttl-v2
attributeID: 1.2.840.113556.1.4.2035
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Ttl-v2
adminDescription: TTL associated with DFS root/link. For use at DFS referral time.
oMSyntax: 2
searchFlags: 0
lDAPDisplayName: msDFS-Ttlv2
schemaIDGUID:: MU2U6kqGSUOtpQYuLGFPXg==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Comment-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Comment-v2
attributeID: 1.2.840.113556.1.4.2036
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 0
rangeUpper: 32766
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Comment-v2
adminDescription: Comment associated with DFS root/link.
oMSyntax: 64
searchFlags: 0
lDAPDisplayName: msDFS-Commentv2
schemaIDGUID:: yc6Gt/1hI0WywVzrOGC7Mg==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Properties-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Properties-v2
attributeID: 1.2.840.113556.1.4.2037
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
rangeLower: 0
rangeUpper: 1024
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Properties-v2
adminDescription: Properties associated with DFS root/link.
oMSyntax: 64
searchFlags: 0
lDAPDisplayName: msDFS-Propertiesv2
schemaIDGUID:: xVs+DA7r9UCbUzNOlY3/2w==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Target-List-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Target-List-v2
attributeID: 1.2.840.113556.1.4.2038
attributeSyntax: 2.5.5.10
isSingleValued: TRUE
rangeLower: 0
rangeUpper: 2097152
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Target-List-v2
adminDescription: Targets corresponding to DFS root/link.
oMSyntax: 4
searchFlags: 0
lDAPDisplayName: msDFS-TargetListv2
schemaIDGUID:: xiaxakH6NkuAnnypFhDUjw==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Link-Path-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Link-Path-v2
attributeID: 1.2.840.113556.1.4.2039
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 0
rangeUpper: 32766
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Link-Path-v2
adminDescription: DFS link path relative to the DFS root target share (i.e. without the server/domain and DFS namespace name components). Use forward slashes (/) instead of backslashes so that LDAP searches can be done without having to use escapes.
oMSyntax: 64
searchFlags: 0
lDAPDisplayName: msDFS-LinkPathv2
schemaIDGUID:: 9iGwhqsQokCiUh3AzDvmqQ==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Link-Security-Descriptor-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Link-Security-Descriptor-v2
attributeID: 1.2.840.113556.1.4.2040
attributeSyntax: 2.5.5.15
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Link-Security-Descriptor-v2
adminDescription: Security descriptor of the DFS links's reparse point on the filesystem.
oMSyntax: 66
searchFlags: 0
lDAPDisplayName: msDFS-LinkSecurityDescriptorv2
schemaIDGUID:: 94fPVyY0QUizIgKztunrqA==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Link-Identity-GUID-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Link-Identity-GUID-v2
attributeID: 1.2.840.113556.1.4.2041
attributeSyntax: 2.5.5.10
isSingleValued: TRUE
rangeLower: 16
rangeUpper: 16
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Link-Identity-GUID-v2
adminDescription: To be set only when the link is created. Stable across rename/move as long as link is not replaced by another link having same name.
oMSyntax: 4
searchFlags: 0
lDAPDisplayName: msDFS-LinkIdentityGUIDv2
schemaIDGUID:: 8yew7SZX7k2NTtvwfhrR8Q==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DFS-Short-Name-Link-Path-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
cn: ms-DFS-Short-Name-Link-Path-v2
attributeID: 1.2.840.113556.1.4.2042
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 0
rangeUpper: 32766
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Short-Name-Link-Path-v2
adminDescription: Shortname DFS link path relative to the DFS root target share (i.e. without the server/domain and DFS namespace name components). Use forward slashes (/) instead of backslashes so that LDAP searches can be done without having to use escapes.
oMSyntax: 64
searchFlags: 0
lDAPDisplayName: msDFS-ShortNameLinkPathv2
schemaIDGUID:: 8CZ4LfdM6UKgOREQ4NnKmQ==
isMemberOfPartialAttributeSet: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-DFS-Namespace-Anchor,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: ms-DFS-Namespace-Anchor
subClassOf: top
governsID: 1.2.840.113556.1.5.257
rDNAttID: cn
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Namespace-Anchor
adminDescription: DFS namespace anchor
objectClassCategory: 1
lDAPDisplayName: msDFS-NamespaceAnchor
schemaIDGUID:: haBz2mRuYU2wZAFdBBZHlQ==
systemOnly: FALSE
systemPossSuperiors: 1.2.840.113556.1.5.42
systemMustContain: 1.2.840.113556.1.4.2030
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)
systemFlags: 16
defaultHidingValue: TRUE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
defaultObjectCategory: CN=ms-DFS-Namespace-Anchor,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFS-Namespace-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: ms-DFS-Namespace-v2
subClassOf: top
governsID: 1.2.840.113556.1.5.258
rDNAttID: cn
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Namespace-v2
adminDescription: DFS namespace
objectClassCategory: 1
lDAPDisplayName: msDFS-Namespacev2
schemaIDGUID:: KIbLIcPzv0u/9gYLLY8pmg==
systemOnly: FALSE
systemPossSuperiors: 1.2.840.113556.1.5.257
systemMayContain: 1.2.840.113556.1.4.2036
systemMustContain: 1.2.840.113556.1.4.2037
systemMustContain: 1.2.840.113556.1.4.2038
systemMustContain: 1.2.840.113556.1.4.2035
systemMustContain: 1.2.840.113556.1.4.2034
systemMustContain: 1.2.840.113556.1.4.2033
systemMustContain: 1.2.840.113556.1.4.2032
systemMustContain: 1.2.840.113556.1.4.2031
systemMustContain: 1.2.840.113556.1.4.2030
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
systemFlags: 16
defaultHidingValue: TRUE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
defaultObjectCategory: CN=ms-DFS-Namespace-v2,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFS-Link-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: ms-DFS-Link-v2
subClassOf: top
governsID: 1.2.840.113556.1.5.259
rDNAttID: cn
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Link-v2
adminDescription: DFS Link in DFS namespace
objectClassCategory: 1
lDAPDisplayName: msDFS-Linkv2
schemaIDGUID:: evtpd1kRlk6czWi8SHBz6w==
systemOnly: FALSE
systemPossSuperiors: 1.2.840.113556.1.5.258
systemMayContain: 1.2.840.113556.1.4.2042
systemMayContain: 1.2.840.113556.1.4.2040
systemMayContain: 1.2.840.113556.1.4.2036
systemMustContain: 1.2.840.113556.1.4.2039
systemMustContain: 1.2.840.113556.1.4.2037
systemMustContain: 1.2.840.113556.1.4.2038
systemMustContain: 1.2.840.113556.1.4.2035
systemMustContain: 1.2.840.113556.1.4.2034
systemMustContain: 1.2.840.113556.1.4.2041
systemMustContain: 1.2.840.113556.1.4.2033
systemMustContain: 1.2.840.113556.1.4.2032
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
systemFlags: 16
defaultHidingValue: TRUE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
defaultObjectCategory: CN=ms-DFS-Link-v2,CN=Schema,CN=Configuration,DC=X
dn: CN=ms-DFS-Deleted-Link-v2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
cn: ms-DFS-Deleted-Link-v2
subClassOf: top
governsID: 1.2.840.113556.1.5.260
rDNAttID: cn
showInAdvancedViewOnly: TRUE
adminDisplayName: ms-DFS-Deleted-Link-v2
adminDescription: Deleted DFS Link in DFS namespace
objectClassCategory: 1
lDAPDisplayName: msDFS-DeletedLinkv2
schemaIDGUID:: CDQXJcoE6ECGXj+c6b8b0w==
systemOnly: FALSE
systemPossSuperiors: 1.2.840.113556.1.5.258
systemMayContain: 1.2.840.113556.1.4.2042
systemMayContain: 1.2.840.113556.1.4.2036
systemMustContain: 1.2.840.113556.1.4.2039
systemMustContain: 1.2.840.113556.1.4.2034
systemMustContain: 1.2.840.113556.1.4.2041
systemMustContain: 1.2.840.113556.1.4.2033
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
systemFlags: 16
defaultHidingValue: TRUE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
defaultObjectCategory: CN=ms-DFS-Deleted-Link-v2,CN=Schema,CN=Configuration,DC=X
dn: CN=Address-Book-Roots2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: addressBookRoots2
adminDisplayName: Address-Book-Roots2
adminDescription: Used by Exchange. Exchange configures trees of address book containers to show up in the MAPI address book. This attribute on the Exchange Config object lists the roots of the address book container trees.
attributeId: 1.2.840.113556.1.4.2046
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
linkID: 2122
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: dKOMUBGlTk6fT4VvYaa35A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
schemaFlagsEx: 1
dn: CN=Global-Address-List2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: globalAddressList2
adminDisplayName: Global-Address-List2
adminDescription: This attribute is used on a Microsoft Exchange container to store the distinguished name of a newly created global address list (GAL). This attribute must have an entry before you can enable Messaging Application Programming Interface (MAPI) clients to use a GAL.
attributeId: 1.2.840.113556.1.4.2047
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
linkID: 2124
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: PfaYSBJBfEeIJjygC9gnfQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
schemaFlagsEx: 1
dn: CN=Template-Roots2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: templateRoots2
adminDisplayName: Template-Roots2
adminDescription: This attribute is used on the Exchange config container to indicate where the template containers are stored. This information is used by the Active Directory MAPI provider.
attributeId: 1.2.840.113556.1.4.2048
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
linkID: 2126
systemOnly: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: GqnLsYIGYkOmWRU+IB7waQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
schemaFlagsEx: 1
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-Exch-Configuration-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2046
systemMayContain: 1.2.840.113556.1.4.2047
systemMayContain: 1.2.840.113556.1.4.2048
-
Sch44.ldf
dn: CN=TOP,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1968
-
dn: CN=MS-TS-ExpireDate,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
dn: CN=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 640
-
dn: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 640
-
dn: CN=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 640
-
dn: CN=Global-Address-List2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: adminDescription
adminDescription: This attribute is used on a Microsoft Exchange container to store the distinguished name of a newly created global address list (GAL). This attribute must have an entry before you can enable Messaging Application Programming Interface (MAPI) clients to use a GAL.
-
dn: CN=Global-Address-List2,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: isSingleValued
isSingleValued: FALSE
-
dn: CN=ms-DS-BridgeHead-Servers-Used,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
adminDescription: List of bridge head servers used by KCC in the previous run.
adminDisplayName: ms-DS-BridgeHead-Servers-Used
attributeID: 1.2.840.113556.1.4.2049
attributeSyntax: 2.5.5.7
cn: ms-DS-BridgeHead-Servers-Used
instanceType: 4
isSingleValued: FALSE
lDAPDisplayName: msDS-BridgeHeadServersUsed
linkID: 2160
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
oMObjectClass:: KoZIhvcUAQEBCw==
oMSyntax: 127
schemaFlagsEx: 1
schemaIDGUID:: ZRTtPHF7QSWHgB4epiQ6gg==
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemFlags: 25
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=Site,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2049
-
Sch45.ldf
DN: CN=ms-DS-USN-Last-Sync-Success,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
adminDisplayName: ms-DS-USN-Last-Sync-Success
adminDescription: The USN at which the last successful replication synchronization occurred.
attributeID: 1.2.840.113556.1.4.2055
attributeSyntax: 2.5.5.16
isSingleValued: TRUE
lDAPDisplayName: msDS-USNLastSyncSuccess
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
oMSyntax: 65
schemaFlagsEx: 1
searchFlags: 0
schemaIDGUID:: trj3MfjJLU+je1ioIwMDMQ==
showInAdvancedViewOnly: TRUE
systemFlags: 25
systemOnly: FALSE
dn: CN=Is-Recycled,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: isRecycled
adminDisplayName: Is-Recycled
adminDescription: Is the object recycled.
attributeId: 1.2.840.113556.1.4.2058
attributeSyntax: 2.5.5.8
omSyntax: 1
isSingleValued: TRUE
systemOnly: TRUE
schemaFlagsEx: 1
searchFlags: 8
schemaIdGuid:: VpK1j/FVS0Sqy/W0gv40WQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
systemFlags: 18
dn: CN=ms-DS-Optional-Feature-GUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-OptionalFeatureGUID
adminDisplayName: ms-DS-Optional-Feature-GUID
adminDescription: GUID of an optional feature.
attributeId: 1.2.840.113556.1.4.2062
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
schemaFlagsEx: 1
systemOnly: TRUE
searchFlags: 0
rangeLower: 16
rangeUpper: 16
schemaIdGuid:: qL2Im4LdmEmpHV8tK68ZJw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Enabled-Feature,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-EnabledFeature
adminDisplayName: ms-DS-Enabled-Feature
adminDescription: Enabled optional features.
attributeId: 1.2.840.113556.1.4.2061
attributeSyntax: 2.5.5.1
omSyntax: 127
schemaFlagsEx: 1
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: r64GV0C5sk+8/FJoaDrZ/g==
linkID: 2168
isMemberOfPartialAttributeSet: TRUE
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-Imaging-PSP-String,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msImaging-PSPString
adminDisplayName: ms-Imaging-PSP-String
adminDescription: Schema Attribute that contains the XML sequence for this PostScan Process.
attributeId: 1.2.840.113556.1.4.2054
attributeSyntax: 2.5.5.12
omSyntax: 64
schemaFlagsEx: 1
isSingleValued: TRUE
searchFlags: 0
rangeUpper: 524288
schemaIdGuid:: rmBne+3WpkS2vp3mLAnsZw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-OIDToGroup-Link,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-OIDToGroupLink
adminDisplayName: ms-DS-OIDToGroup-Link
adminDescription: For an OID, identifies the group object corresponding to the issuance policy represented by this OID.
attributeId: 1.2.840.113556.1.4.2051
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
schemaFlagsEx: 1
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: fKXJ+UE5jUO+vw7a8qyhhw==
linkID: 2164
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-OIDToGroup-Link-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-OIDToGroupLinkBl
adminDisplayName: ms-DS-OIDToGroup-Link-BL
adminDescription: Backlink for ms-DS-OIDToGroup-Link; identifies the issuance policy, represented by an OID object, which is mapped to this group.
attributeId: 1.2.840.113556.1.4.2052
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
schemaFlagsEx: 1
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: IA09GkRYmUGtJQ9QOadq2g==
linkID: 2165
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-Imaging-PSP-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msImaging-PSPIdentifier
adminDisplayName: ms-Imaging-PSP-Identifier
adminDescription: Schema Attribute that contains the unique identifier for this PostScan Process.
attributeId: 1.2.840.113556.1.4.2053
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 0
schemaIdGuid:: 6TxYUfqUEku5kDBMNbGFlQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Host-Service-Account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-HostServiceAccount
adminDisplayName: ms-DS-Host-Service-Account
adminDescription: Service Accounts configured to run on this computer.
attributeId: 1.2.840.113556.1.4.2056
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
searchFlags: 0
schemaFlagsEx: 1
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: QxBkgKIV4UCSooyoZvcHdg==
attributeSecurityGuid:: hri1d0qU0RGuvQAA+ANnwQ==
linkID: 2166
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Host-Service-Account-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-HostServiceAccountBL
adminDisplayName: ms-DS-Host-Service-Account-BL
adminDescription: Service Accounts Back Link for linking machines associated with the service account.
attributeId: 1.2.840.113556.1.4.2057
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
searchFlags: 0
schemaFlagsEx: 1
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: 6+SrefOI50iJ1vS8fpjDMQ==
linkID: 2167
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Required-Domain-Behavior-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-RequiredDomainBehaviorVersion
adminDisplayName: ms-DS-Required-Domain-Behavior-Version
adminDescription: Required domain function level for this feature.
attributeId: 1.2.840.113556.1.4.2066
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaFlagsEx: 1
schemaIdGuid:: /j3d6g6uwky5uV/ltu0t0g==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Required-Forest-Behavior-Version,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-RequiredForestBehaviorVersion
adminDisplayName: ms-DS-Required-Forest-Behavior-Version
adminDescription: Required forest function level for this feature.
attributeId: 1.2.840.113556.1.4.2079
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaFlagsEx: 1
schemaIdGuid:: 6KLsS1OmskGP7nIVdUdL7A==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Credential-Roaming-Tokens,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msPKI-CredentialRoamingTokens
adminDisplayName: ms-PKI-Credential-Roaming-Tokens
adminDescription: Storage of encrypted user credential token blobs for roaming.
attributeId: 1.2.840.113556.1.4.2050
attributeSyntax: 2.5.5.7
omSyntax: 127
isSingleValued: FALSE
searchFlags: 128
omObjectClass:: KoZIhvcUAQEBCw==
schemaIdGuid:: OFr/txgIsEKBENPRVMl/JA==
attributeSecurityGuid:: 3kfmkW/ZcEuVV9Y/9PPM2A==
linkID: 2162
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Local-Effective-Recycle-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-LocalEffectiveRecycleTime
adminDisplayName: ms-DS-Local-Effective-Recycle-Time
adminDescription: Recycle time of the object in the local DIT.
attributeId: 1.2.840.113556.1.4.2060
attributeSyntax: 2.5.5.11
omSyntax: 24
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaFlagsEx: 1
schemaIdGuid:: awHWStKwm0yTtllksXuWjA==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Local-Effective-Deletion-Time,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-LocalEffectiveDeletionTime
adminDisplayName: ms-DS-Local-Effective-Deletion-Time
adminDescription: Deletion time of the object in the local DIT.
attributeId: 1.2.840.113556.1.4.2059
attributeSyntax: 2.5.5.11
omSyntax: 24
isSingleValued: TRUE
systemOnly: TRUE
searchFlags: 0
schemaFlagsEx: 1
schemaIdGuid:: DIDylB9T60qXXUisOf2MpA==
showInAdvancedViewOnly: TRUE
systemFlags: 20
dn: CN=ms-DS-Last-Known-RDN,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-LastKnownRDN
adminDisplayName: ms-DS-Last-Known-RDN
adminDescription: Holds original RDN of a deleted object.
attributeId: 1.2.840.113556.1.4.2067
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
schemaFlagsEx: 1
systemOnly: TRUE
searchFlags: 0
rangeLower: 1
rangeUpper: 255
schemaIdGuid:: WFixij5obUaHf9ZA4fmmEQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Enabled-Feature-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-EnabledFeatureBL
adminDisplayName: ms-DS-Enabled-Feature-BL
adminDescription: Scopes where this optional feature is enabled.
attributeId: 1.2.840.113556.1.4.2069
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
schemaFlagsEx: 1
systemOnly: TRUE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: vAFbzsYXuESdwalmiwCQGw==
linkID: 2169
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-DS-Deleted-Object-Lifetime,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-DeletedObjectLifetime
adminDisplayName: ms-DS-Deleted-Object-Lifetime
adminDescription: Lifetime of a deleted object.
attributeId: 1.2.840.113556.1.4.2068
attributeSyntax: 2.5.5.9
omSyntax: 10
isSingleValued: TRUE
schemaFlagsEx: 1
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: toyzqZoY702KcA/PoVgUjg==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-DS-Optional-Feature-Flags,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msDS-OptionalFeatureFlags
adminDisplayName: ms-DS-Optional-Feature-Flags
adminDescription: An integer value that contains flags that define behavior of an optional feature in Active Directory.
attributeId: 1.2.840.113556.1.4.2063
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
schemaFlagsEx: 1
systemOnly: TRUE
searchFlags: 0
schemaIdGuid:: wWAFirmXEUidt9wGFZiWWw==
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-PKI-Enrollment-Servers,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
objectClass: attributeSchema
cn: ms-PKI-Enrollment-Servers
attributeID: 1.2.840.113556.1.4.2076
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
adminDisplayName: ms-PKI-Enrollment-Servers
adminDescription: Priority, authentication type, and URI of each certificate enrollment web service.
oMSyntax: 64
lDAPDisplayName: msPKI-Enrollment-Servers
name: ms-PKI-Enrollment-Servers
schemaIDGUID:: j9Mr8tChMkiLKAMxQ4iGpg==
instanceType: 4
rangeUpper: 65536
isMemberOfPartialAttributeSet: TRUE
searchFlags: 0
# System-Flags=FLAG_SCHEMA_BASE_OBJECT
systemFlags: 16
systemOnly: FALSE
showInAdvancedViewOnly: TRUE
dn: CN=ms-PKI-Site-Name,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaadd
objectClass: attributeSchema
cn: ms-PKI-Site-Name
attributeID: 1.2.840.113556.1.4.2077
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
adminDisplayName: ms-PKI-Site-Name
adminDescription: Active Directory site to which the CA machine belongs.
oMSyntax: 64
lDAPDisplayName: msPKI-Site-Name
name: ms-PKI-Site-Name
schemaIDGUID:: H3HYDPwKJkmksQmwjT1DbA==
instanceType: 4
rangeUpper: 1024
isMemberOfPartialAttributeSet: TRUE
searchFlags: 0
systemOnly: FALSE
# System-Flags=FLAG_SCHEMA_BASE_OBJECT
systemFlags: 16
showInAdvancedViewOnly: TRUE
dn: CN=ms-TS-Endpoint-Data,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSEndpointData
adminDisplayName: ms-TS-Endpoint-Data
adminDescription: This attribute represents the VM Name for machine in TSV deployment.
attributeId: 1.2.840.113556.1.4.2070
attributeSyntax: 2.5.5.12
schemaIDGUID:: B8ThQERD80CrQzYlo0pjog==
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Endpoint-Type,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSEndpointType
adminDisplayName: ms-TS-Endpoint-Type
adminDescription: This attribute defines if the machine is a physical machine or a virtual machine.
attributeId: 1.2.840.113556.1.4.2071
attributeSyntax: 2.5.5.9
schemaIDGUID:: gN56N9jixUabzW2d7JOzXg==
omSyntax: 2
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Endpoint-Plugin,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSEndpointPlugin
adminDisplayName: ms-TS-Endpoint-Plugin
adminDescription: This attribute represents the name of the plugin which handles the orchestration.
attributeId: 1.2.840.113556.1.4.2072
attributeSyntax: 2.5.5.12
schemaIDGUID:: abUIPB+AWEGxe+Nj1q5pag==
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeLower: 0
rangeUpper: 32767
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Primary-Desktop,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSPrimaryDesktop
adminDisplayName: ms-TS-Primary-Desktop
adminDescription: This attribute represents the forward link to user's primary desktop.
attributeId: 1.2.840.113556.1.4.2073
attributeSyntax: 2.5.5.1
schemaIDGUID:: lJYlKeQJN0KfcpMG6+Y6sg==
omSyntax: 127
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
linkID: 2170
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Secondary-Desktops,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSSecondaryDesktops
adminDisplayName: ms-TS-Secondary-Desktops
adminDescription: This attribute represents the array of forward links to user's secondary desktops.
attributeId: 1.2.840.113556.1.4.2075
attributeSyntax: 2.5.5.1
schemaIDGUID:: mqI69jG74Ui/qwpsWh05wg==
omSyntax: 127
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 0
linkID: 2172
showInAdvancedViewOnly: TRUE
systemFlags: 16
dn: CN=ms-TS-Primary-Desktop-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSPrimaryDesktopBL
adminDisplayName: ms-TS-Primary-Desktop-BL
adminDescription: This attribute represents the backward link to user.
attributeId: 1.2.840.113556.1.4.2074
attributeSyntax: 2.5.5.1
schemaIDGUID:: GNyqndFA0U6iv2ub9H09qg==
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
linkID: 2171
showInAdvancedViewOnly: TRUE
systemFlags: 17
dn: CN=ms-TS-Secondary-Desktop-BL,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: msTSSecondaryDesktopBL
adminDisplayName: ms-TS-Secondary-Desktop-BL
adminDescription: This attribute represents the backward link to user.
attributeId: 1.2.840.113556.1.4.2078
attributeSyntax: 2.5.5.1
schemaIDGUID:: rwexNAqgWkWxOd0aGxLYrw==
omSyntax: 127
isSingleValued: FALSE
systemOnly: TRUE
searchFlags: 0
linkID: 2173
showInAdvancedViewOnly: TRUE
systemFlags: 17
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-Imaging-PSPs,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msImaging-PSPs
adminDisplayName: ms-Imaging-PSPs
adminDescription: Container for all Enterprise Scan Post Scan Process objects.
governsId: 1.2.840.113556.1.5.262
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.23
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: wSrtoAyXd0eEjuxjoOxE/A==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-Imaging-PSPs,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Optional-Feature,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-OptionalFeature
adminDisplayName: ms-DS-Optional-Feature
adminDescription: Configuration for an optional DS feature.
governsId: 1.2.840.113556.1.5.265
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.2079
systemMayContain: 1.2.840.113556.1.4.2066
systemMustContain: 1.2.840.113556.1.4.2062
systemMustContain: 1.2.840.113556.1.4.2063
systemPossSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: QQDwRK81i0ayCmzoc3xYCw==
defaultSecurityDescriptor: D:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: TRUE
defaultObjectCategory: CN=ms-DS-Optional-Feature,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-Imaging-PostScanProcess,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msImaging-PostScanProcess
adminDisplayName: ms-Imaging-PostScanProcess
adminDescription: Enterprise Scan Post Scan Process object.
governsId: 1.2.840.113556.1.5.263
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMustContain: 1.2.840.113556.1.2.13
systemMustContain: 1.2.840.113556.1.4.2053
systemMayContain: 1.2.840.113556.1.4.2054
systemMayContain: 1.2.840.113556.1.4.223
systemPossSuperiors: 1.2.840.113556.1.5.262
schemaIdGuid:: fCV8H6O4JUWC+BHMx77jbg==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=ms-Imaging-PostScanProcess,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ManagedServiceAccount
adminDisplayName: ms-DS-Managed-Service-Account
adminDescription: Service account class is used to create accounts that are used for running Windows services.
governsId: 1.2.840.113556.1.5.264
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.5.67
systemPossSuperiors: 2.5.6.5
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 1.2.840.113556.1.3.30
schemaIdGuid:: RGIgzidYhkq6HBwMOGwbZA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLORCSDDT;;;CO)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)(OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X
systemFlags: 16
dn: CN=DMD,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2055
-
dn: CN=Configuration,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2055
-
dn: CN=domain-DNS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2055
-
dn: CN=ms-PKI-Cert-Template-OID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: searchFlags
searchFlags: 1
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2052
systemMayContain: 1.2.840.113556.1.4.2057
systemMayContain: 1.2.840.113556.1.4.2058
systemMayContain: 1.2.840.113556.1.4.2059
systemMayContain: 1.2.840.113556.1.4.2060
-
dn: CN=Top,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2067
systemMayContain: 1.2.840.113556.1.4.2069
-
dn: CN=NTDS-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2068
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2050
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2056
-
dn: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2061
-
dn: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2061
-
dn: CN=ms-PKI-Enterprise-Oid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2051
-
dn: CN=PKI-Enrollment-Service,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2076
systemMayContain: 1.2.840.113556.1.4.2077
-
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2073
systemMayContain: 1.2.840.113556.1.4.2075
-
dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2070
systemMayContain: 1.2.840.113556.1.4.2071
systemMayContain: 1.2.840.113556.1.4.2072
systemMayContain: 1.2.840.113556.1.4.2074
systemMayContain: 1.2.840.113556.1.4.2078
-
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=User-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=User-Account-Restrictions,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=Validated-DNS-Host-Name,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=DNS-Host-Name-Attributes,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=Run-Protect-Admin-Groups-Task,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Run Protect Admin Groups Task
rightsGuid: 7726b9d5-a4b4-4288-a6b2-dce952e80a7f
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
validAccesses: 256
localizationDisplayId: 78
dn: CN=Manage-Optional-Features,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Manage Optional Features for Active Directory
rightsGuid: 7c0e2a7c-a419-48e4-a995-10180aad54dd
appliesTo: ef9e60e0-56f7-11d1-a9c6-0000f80367c1
validAccesses: 256
localizationDisplayId: 79
dn: CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: objectVersion
objectVersion: 45
-
Sch46.ldf
dn: CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
replace: defaultHidingValue
defaultHidingValue: FALSE
-
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
Sch47.ldf
dn: CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.2061
-
dn: CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
delete: systemPossSuperiors
systemPossSuperiors: 1.2.840.113556.1.3.30
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
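The schema files above are imported record by record, so before applying one an administrator wants to know what it adds: which classes, with which default security descriptor, and which extended rights gain a new appliesTo target. The following script is an added example and is not Microsoft's code or part of these files. It parses LDIF change records of the form shown above (the `dn:` start of record, `-` separators, folded continuation lines and `::` base64 values), decodes each schemaIDGUID into the dashed GUID form used elsewhere in the file, splits each new class's defaultSecurityDescriptor into its ACEs, and reports every appliesTo GUID that no classSchema record in the same file defines. The sample input is constructed from a few records of Sch45.ldf, trimmed to the attributes the checks need.

```python
"""Audit an AD schema-update LDIF (Sch*.ldf style) before applying it.

Added example, not Microsoft's code: parses the change records, decodes
schemaIDGUID values, lists default-security-descriptor ACEs of new
classes, and checks which appliesTo GUIDs added to extended rights are
defined as classes in the same file.
"""
import base64
import re
import uuid

# Constructed sample: a few records copied from the page's Sch45.ldf and
# trimmed to the attributes the checks below need.
SAMPLE_LDF = """\
dn: CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: msDS-ManagedServiceAccount
governsId: 1.2.840.113556.1.5.264
schemaIdGuid:: RGIgzidYhkq6HBwMOGwbZA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
systemFlags: 16
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=User-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: appliesTo
appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
-
dn: CN=Run-Protect-Admin-Groups-Task,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
rightsGuid: 7726b9d5-a4b4-4288-a6b2-dce952e80a7f
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
validAccesses: 256
"""

ACE_RE = re.compile(r"\(([^)]*)\)")


def unfold(text):
    """Join LDIF continuation lines (a leading space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of records, each a dict of lower-cased attribute name
    to list of values.  A record starts at every dn: line (the schema files
    use no blank lines between records); '-' separators are skipped and
    '::' values are base64-decoded to bytes."""
    records, current = [], None
    for line in unfold(text):
        if not line.strip() or line.strip() == "-":
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "dn":
            current = {}
            records.append(current)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return records


def guid_from_schema_id(blob):
    """schemaIDGUID is stored in Windows (little-endian) GUID byte order."""
    return str(uuid.UUID(bytes_le=blob))


def new_classes(records):
    """Map ldapDisplayName -> schemaIDGUID for every classSchema add."""
    return {
        r["ldapdisplayname"][0]: guid_from_schema_id(r["schemaidguid"][0])
        for r in records
        if r.get("changetype") == ["ntdsSchemaAdd"]
        and r.get("objectclass") == ["classSchema"]
    }


def default_sd_aces(records):
    """For each new class, split its defaultSecurityDescriptor into
    (ace_type, rights, object_guid, trustee) tuples: who gets what on
    objects created from this class."""
    out = {}
    for r in records:
        if r.get("objectclass") != ["classSchema"] or "defaultsecuritydescriptor" not in r:
            continue
        aces = []
        for body in ACE_RE.findall(r["defaultsecuritydescriptor"][0]):
            # SDDL ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
            f = body.split(";")
            aces.append((f[0], f[2], f[3], f[5]))
        out[r["ldapdisplayname"][0]] = aces
    return out


def unresolved_applies_to(records):
    """appliesTo GUIDs on extended-right records that no classSchema add in
    this file defines.  Not necessarily an error (the class may already
    exist in the forest), but each one is worth looking up before import."""
    known = set(new_classes(records).values())
    return [
        (r["dn"][0], g.lower())
        for r in records
        if "cn=extended-rights" in r["dn"][0].lower()
        for g in r.get("appliesto", [])
        if g.lower() not in known
    ]


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDF)
    print("new classes:", new_classes(recs))
    for cls, aces in default_sd_aces(recs).items():
        for ace in aces:
            print(cls, ace)
    print("appliesTo GUIDs to look up:", unresolved_applies_to(recs))
```

Run against the sample, the script shows that the appliesTo value ce206244-5827-4a86-ba1c-1c0c386c1b64 added to User-Change-Password is exactly the decoded schemaIDGUID of the new msDS-ManagedServiceAccount class, while the appliesTo of Run-Protect-Admin-Groups-Task names a GUID the file itself does not define (a class that already exists in the forest), so it is listed for lookup rather than silently accepted.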
Next steps
Domain-wide schema update operations
Forest-wide schema update operations
Read-Only Domain Controller Updates
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
There are no changes to adprep /rodcprep in Windows Server 2012 R2 or in Windows Server 2012.
Domain-wide schema updates
11/2/2020 • 2 minutes to read
You can review the following set of changes to help understand and prepare for the schema updates that are
performed by adprep /domainprep in Windows Server.
Beginning in Windows Server 2012, Adprep commands run automatically as needed during AD DS installation.
They can also be run separately in advance of AD DS installation. For more information, see Running
Adprep.exe.
For more information about how to interpret the access control entry (ACE) strings, see ACE strings. For more
information about how to interpret the security ID (SID) strings, see SID strings.
Table columns: Operations number and GUID, Description, Attributes, Permissions.
The Enterprise Key Admins and Key Admins groups are only created after a Windows Server 2016 Domain
Controller is promoted and takes over the PDC Emulator FSMO role.
Table columns: Operations number and GUID, Description, Attributes, Permissions.
You can review the following set of changes to help understand and prepare for the schema updates that are
performed by adprep /forestprep in Windows Server 2019.
Beginning in Windows Server 2012, Adprep commands run automatically as needed during AD DS installation.
They can also be run separately in advance of AD DS installation. For more information, see Running
Adprep.exe.
For more information about how to interpret the access control entry (ACE) strings, see ACE strings. For more
information about how to interpret the security ID (SID) strings, see SID strings.
Table columns: Operation number and GUID, Description, Attributes, Permissions.
Operation number and GUID: Operation 128: {49c140db-2de3-44c2-a99a-bab2e6d2ba81}
Description: Updated strings for Folder Usage resource property object CN=FolderUsage_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services in the Configuration partition.
Attributes: description: The Folder Usage property specifies the purpose of the folder and the kind of files stored in it.
Permissions: N/A
This topic covers detailed methodology on troubleshooting domain controller configuration and deployment.
Introduction to Troubleshooting
Table columns: Phase, Log.
Errors in prerequisite validation and verification do not continue on to a reboot, so they are visible in all
cases. For example:
3. In any scenario, examine the dcpromo.log and dcpromoui.log.
NOTE
Some of the errors listed below are no longer possible due to operating system and domain controller configuration changes in later operating systems. The new ADDSDeployment Windows PowerShell cmdlets also prevent certain errors, but dcpromo.exe /unattend does not; this is another compelling reason to switch all of your current automation from the deprecated DCPromo to ADDSDeployment Windows PowerShell.
Error code | Explanation | Suggested resolution
3 | Exit, success, with a non-critical failure | Typically seen when returning the DNS Delegation warning. If not configuring DNS delegation, use: -creatednsdelegation:$false
4 | Exit, success, with a non-critical failure, need to reboot | Typically seen when returning the DNS Delegation warning. If not configuring DNS delegation, use: -creatednsdelegation:$false
15 | Role change is in progress or needs reboot | You must restart the server (due to prior configuration changes) before promotion
23 | DNS client needs to be configured first | Set a primary DNS server when adding a new domain controller to a domain
24 | Supplied credentials are invalid or missing required elements | Verify that your user name and password are correct
25 | Domain controller for the specified domain could not be located | Validate DNS client settings, firewall rules
26 | List of domains could not be read from the forest | Validate DNS client settings, LDAP functionality, firewall rules
29 | Parent domain does not exist | Verify the parent domain specified when creating a new child domain or tree domain
33 | Path to the IFM files is invalid | Validate your path to the Install From Media folder
34 | The IFM database is bad | Use the correct Install From Media for this operating system and role (same operating system version, same type of domain controller - RODC versus RWDC)
37 | Path for NTDS Database or its logs is invalid | Change path of Database and Logs to a fixed NTFS volume, not a mapped drive or UNC path
38 | Volume does not have enough space for NTDS database or logs | Free up space using cleanmgr.exe, add more disk space, manually clear space by moving unnecessary data elsewhere
41 | Need to specify a password for safe-mode | Provide a password for the DSRM account; it cannot be blank no matter how the password policy is configured
42 | Safe-mode password does not meet criteria (promotion only) | Provide a password for the DSRM account that meets the password policy's configured rules
43 | Admin password does not meet criteria (demotion only) | Provide a password for the local administrator account that meets the password policy's configured rules
44 | The specified name for the forest is invalid | Specify a valid forest root DNS domain name
45 | A forest with the specified name already exists | Choose a different forest root DNS domain name
46 | The specified name for the tree is invalid | Specify a valid tree DNS domain name
47 | A tree with the specified name already exists | Choose a different tree DNS domain name
48 | The tree name does not fit into the forest structure | Choose a different tree DNS domain name
49 | The specified domain does not exist | Verify your typed domain name
55 | The promotion/demotion was canceled by the user | Examine the extended error and logs
56 | The promotion/demotion was canceled by the user, machine must be rebooted to clean up | Examine the extended error and logs
58 | A site name must be specified during RODC promotion | You must specify a site for an RODC; it will not automatically detect one like an RWDC
59 | During demote, this domain controller is the last DNS server for one of its zones | Specify that this is the Last DNS Server in the Domain or use -ignorelastdnsserverfordomain
61 | You cannot install Active Directory Domain Services with DNS in an existing domain that does not already host DNS | Not possible to get this error
62 | Answer file does not have a [DCInstall] section | Only seen with dcpromo /unattend, which is deprecated. See older documentation.
66 | Promo failed because operating system detection failed | Examine the extended error and logs; the server is failing to return its operating system version. It is likely that the computer will need to be reinstalled, as its overall health is highly suspect
70 | The forest root domain controller must be a GC | Only seen with dcpromo /unattend, which is deprecated. See older documentation
73 | The specified forest functional level is invalid. | Specify a valid forest functional level
74 | The specified domain functional level is invalid. | Specify a valid domain functional level
77 | The specified argument is invalid | Examine the extended error and logs
78 | Failed to examine Active Directory Forest | Examine the extended error and logs
80 | Domainprep has not been performed | Use Windows Server 2012 to prepare the domain or use adprep.exe /domainprep
81 | Forestprep has not been performed | Use Windows Server 2012 to prepare the forest or use adprep.exe /forestprep
88 | The specified server admin is not valid | You specified an invalid account for RODC admin delegation. Verify that the account specified is a valid user or group
89 | RID master for the specified domain is offline. | Use netdom.exe query fsmo to detect the RID master. Bring it online and make it accessible to the domain controller you are promoting
91 | Failed to detect if the process is wow64 | Not possible to get this error anymore; the operating system is 64-bit
92 | Wow64 process is not supported | Not possible to get this error anymore; the operating system is 64-bit
94 | Local admin password does not meet requirement: either blank or not required | Provide a non-blank password and ensure that the local password policy requires a password
95 | Cannot demote last Windows Server 2008 or later domain controller in the domain where live RODCs exist | You must first demote all RODCs before you can demote all Windows Server 2008 or later writable domain controllers
97 | Forest functional level version higher than that of the child domain | Provide a child domain functional level the same as or higher than the forest operating system functional level
99 | Forest functional level is too low (error is Windows Server 2012 only) | Raise the forest functional level to at least Windows Server 2003 native. Windows 2000 and Windows NT 4.0 are no longer supported operating systems
100 | Domain functional level is too low (error is Windows Server 2012 only) | Raise the domain functional level to at least Windows Server 2003 native. Windows 2000 and Windows NT 4.0 are no longer supported operating systems
Resolution and Notes: When removing the AD DS role, also remove the DNS Server role or set the DNS Server service to disabled. Remember to point the DNS client to another server than itself. If using Windows PowerShell, run the following after you demote the server:
Code: uninstall-windowsfeature dns
or
Code: set-service dns -starttype disabled
stop-service dns
Resolution and Notes: Set these values using the Netlogon and DNS group policies. Microsoft began blocking single-label domain creation in Windows Server 2008; you can use ADMT or the Domain Rename Tool to change to an approved DNS domain structure.
Issue: Demotion of last domain controller in a domain fails if there are pre-created, unoccupied RODC accounts
Resolution and Notes: Remove any remaining pre-created RODC accounts before demoting a domain, using Dsa.msc or Ntdsutil.exe metadata cleanup.
Resolution and Notes: Run adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Administrators should run GPPrep only once in the history of a domain, not with every upgrade. It is not run by automatic adprep because if you have already set adequate custom permissions, it would cause all SYSVOL contents to re-replicate on all domain controllers.
Resolution and Notes: You must store IFM files on a local disk, not a remote UNC path. This intentional block prevents partial server promotion due to a network interruption.
Issue: Specifying UPN or non-domain credentials during configuration returns misleading errors
Resolution and Notes: Ensure you are providing valid domain credentials in the form of domain\user.
Resolution and Notes: Boot into Directory Services Repair Mode using Shift+F8. Add the AD DS role back, and then forcibly demote the domain controller. Alternatively, restore the System State from backup. Do not use Dism.exe for AD DS role removal; the utility has no knowledge of domain controllers.
Issue: Installing a new forest fails when setting forest mode to Win2012
Resolution and Notes: Do not specify a forest functional mode of Win2012 without also specifying a domain functional mode of Win2012. Here is an example that will work without errors:
Code: -forestmode Win2012 -domainmode Win2012
Symptoms: When you specify a path to an IFM folder, clicking the Verify button never returns a message or appears to do anything.
Resolution and Notes: The Verify button only returns errors if there are issues. Otherwise, it makes the Next button selectable if you have provided an IFM path. You must click Verify to proceed if you have selected IFM.
Resolution and Notes: This is a limitation of Server Manager. For feedback, use the ADDSDeployment Windows PowerShell cmdlet:
Code: Uninstall-addsdomaincontroller
Resolution and Notes: Verify only validates the overall integrity of IFM. Do not provide the wrong IFM type to a server. Restart the server before you attempt promotion again with the correct media.
Issue: Promoting an RODC into a pre-created computer account fails
Resolution and Notes: Do not provide parameters that are already defined on a pre-created RODC account. These include:
Code: -readonlyreplica
-installdns
-donotconfigureglobalcatalog
-sitename
Resolution and Notes: This is intentional. The demotion process restarts the server regardless of this setting.
Resolution and Notes: The new domain controller cannot access WMI through DCOM/RPC protocols against the existing domain controllers. To date, there have been three causes for this:
- A firewall rule blocks access to the existing domain controllers
- The NETWORK SERVICE account is missing from the "Logon as a service" (SeServiceLogonRight) privilege on the existing domain controllers
- NTLM is disabled on domain controllers, using security policies described in Introducing the Restriction of NTLM Authentication
Resolution and Notes: Ignore. This warning is intentional on the first domain controller in the root domain of a new forest, in case you intended to point to an existing DNS server and zone.
Symptoms: After you promote a new domain controller and then log off and attempt to log on interactively, you receive the error:
Code: Not enough storage is available to process this command
Resolution and Notes: The domain controller was not rebooted after promotion, either due to an error or because you specified the ADDSDeployment Windows PowerShell argument -norebootoncompletion. Restart the domain controller.
Issue: The Next button is not available on the Domain Controller Options page
Symptoms: Even though you have set a password, the Next button on the Domain Controller Options page in Server Manager is not available. There is no site listed in the Site name menu.
Resolution and Notes: You have multiple AD DS sites and at least one is missing subnets; this future domain controller belongs to one of those subnets. You must manually select the subnet from the Site name dropdown menu. You should also review all AD sites using DSSITE.MSC or use the following Windows PowerShell command to find all sites missing subnets:
Code: get-adreplicationsite -filter * -property subnets | where-object {!$_.subnets -eq "*"} | format-table name
Resolution and Notes: The DS Role Server service (DsRoleSvc) is disabled. By default, this service is installed during AD DS role installation and set to a Manual start type. Do not disable this service. Set it back to Manual and allow the DS role operations to start and stop it on demand. This behavior is by design.
Resolution and Notes: Click the post-deployment warning link and the message will disappear for good. This behavior is cosmetic and expected.
Resolution and Notes: Manually add that cmdlet and arguments to any scripts. This behavior is expected and by design.
Resolution and Notes: Manually rename the file. This behavior is expected and by design.
Issue: Dcpromo /unattend allows unsupported functional levels
Resolution and Notes: Do not use the deprecated dcpromo /unattend and understand that it allows you to specify invalid settings that later fail. This behavior is expected and by design.
Resolution and Notes: This is a known issue caused by providing credentials of the built-in local Administrator account with a matching password to the built-in domain Administrator account. This causes a failure down in the core setup engine that does not error, but instead waits indefinitely (quasi-loop). This is expected - albeit undesirable - behavior.
To fix the server:
1. Reboot it.
2. In AD, delete that server's member computer account (it will not yet be a DC account).
3. On that server, forcibly disjoin it from the domain.
4. On that server, remove the AD DS role.
5. Reboot.
6. Re-add the AD DS role and reattempt promotion, ensuring that you always provide the domain\admin formatted credentials to DC promotion and not just the built-in local administrator account.
AD DS Operations
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This section provides links to How To's and functions related to day-to-day administration, management and
automation tasks for Active Directory Domain Services.
Best Practices for Securing Active Directory
Active Directory Replication and Topology Management Using Windows PowerShell
Managing RID Issuance
Active Directory Domain Services Component Updates
Active Directory Forest Recovery Guide
11/2/2020 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2,
Windows Server 2003
This guide contains best-practice recommendations for recovering an Active Directory® forest if forest-wide
failure renders all domain controllers (DCs) in the forest incapable of functioning normally. The steps it contains
serve as a template for your forest recovery plan, which you can customize for your particular environment.
These steps apply to DCs that run Microsoft® Windows Server 2016, 2012 R2, 2012, 2008 R2, 2008, and 2003
operating systems.
NOTE
Procedures that are unique for DCs that run Windows Server 2003 are consolidated in AD Forest Recovery Windows
Server 2003.
Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2
The following document discusses prerequisites that you should be familiar with before devising a forest recovery plan or attempting a recovery.
NOTE
Although the objectives of this guide are to recover the forest and maintain or restore full DNS functionality, recovery can
result in a DNS configuration that is changed from the configuration before the failure. After the forest is recovered, you
can revert to the original DNS configuration. The recommendations in this guide do not describe how to configure DNS
servers to perform name resolution of other portions of the corporate namespace where there are DNS zones that are
not stored in AD DS.
Next Steps
AD Forest Recovery - Prerequisites
AD Forest Recovery - Devising a custom forest recovery plan
AD Forest Recovery - Identify the problem
AD Forest Recovery - Determine how to recover
AD Forest Recovery - Perform initial recovery
AD Forest Recovery - Procedures
AD Forest Recovery - Frequently Asked Questions
AD Forest Recovery - Recovering a Single Domain within a Multidomain Forest
AD Forest Recovery - Forest Recovery with Windows Server 2003 Domain Controllers
AD Forest Recovery - Steps for Restoring the forest
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2
This section provides an overview of the recommended path for recovering a forest. The forest recovery steps
are described in detail later.
The following list summarizes the recovery steps at a high level:
1. Identify the problem
Work with IT and Microsoft Support to determine the scope of the problem and potential causes, and
evaluate possible remedies with all business stakeholders. In many cases total forest recovery should be
the last option.
2. Decide how to recover the forest
After you determine that forest recovery is necessary, complete preliminary steps to prepare for it:
determine the current forest structure, identify the functions that each DC performs, decide which DC to
restore for each domain, and ensure that all writeable DCs are taken offline.
3. Perform initial recovery
In isolation, recover one DC for each domain, clean them, and reconnect the domains. Reset privileged
accounts, and rectify problems caused by security breaches in this phase.
4. Redeploy remaining DCs
Redeploy the forest to return it to its state before the failure. This step will need to be adapted to your
specific design and requirements. Virtualized domain controller cloning can help expedite this process.
5. Cleanup
After functionality has been restored, reconfigure name resolution as needed, and get LOB applications
working.
The steps in this guide are designed to minimize the possibility of reintroducing dangerous data into the
recovered forest. You might have to modify these steps to account for such factors as:
Scalability
Remote manageability
Speed of recovery
Identify the problem
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2
When symptoms of a forest-wide failure appear, such as in event logs or other monitoring solutions, work with
Microsoft Support to determine the cause of the failure, and evaluate any possible remedies.
IMPORTANT
This paper does not cover security recommendations about how to recover a forest that has been hacked or
compromised. In general, it is recommended to follow Pass-the-Hash mitigation techniques to harden the
environment. For more information, see Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft
Techniques.
Perform initial recovery
3/5/2021 • 14 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2
Perform an authoritative (or primary) restore operation of SYSVOL only for the first DC to be restored in
the forest root domain. Incorrectly performing primary restore operations of the SYSVOL on other DCs
leads to replication conflicts of SYSVOL data.
There are two options to perform a nonauthoritative restore of AD DS together with an authoritative restore
of SYSVOL:
Perform a full server recovery and then force an authoritative synchronization of SYSVOL. For detailed
procedures, see Performing a full server recovery and Perform an authoritative synchronization of
DFSR-replicated SYSVOL.
Perform a full server recovery followed by a system state restore. This option requires that you create
both types of backups in advance: a full server backup and a system state backup. For detailed
procedures, see Performing a full server recovery and Performing a nonauthoritative restore of Active
Directory Domain Services.
3. After you restore and restart the writeable DC, verify that the failure did not affect the data on the DC. If
the DC data is damaged, then repeat step 2 with a different backup.
If the restored domain controller hosts an operations master role, you may need to add the
following registry entry to avoid AD DS being unavailable until it has completed replication of a
writeable directory partition:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial Synchronizations
Create the entry with the data type REG_DWORD and a value of 0. After the forest is recovered
completely, you can reset the value of this entry to 1, which requires a domain controller that
restarts and holds operations master roles to have successful AD DS inbound and outbound
replication with its known replica partners before it advertises itself as domain controller and
starts providing services to clients. For more information about initial synchronization
requirements, see KB article 305476.
Continue to the next steps only after you restore and verify the data and before you join this
computer to the production network.
4. If you suspect that the forest-wide failure was related to network intrusion or malicious attack, reset the
account passwords for all administrative accounts, including members of the Enterprise Admins, Domain
Admins, Schema Admins, Server Operators, Account Operators groups, and so on. The reset of
administrative account passwords should be completed before additional domain controllers are
installed during the next phase of the forest recovery.
5. On the first restored DC in the forest root domain, seize all domain-wide and forest-wide operations
master roles. Enterprise Admins and Schema Admins credentials are needed to seize forest-wide
operations master roles.
In each child domain, seize domain-wide operations master roles. Although you might retain the
operations master roles on the restored DC only temporarily, seizing these roles assures you regarding
which DC hosts them at this point in the forest recovery process. As part of your post-recovery process,
you can redistribute the operations master roles as needed. For more information about seizing
operations master roles, see Seizing an operations master role. For recommendations about where to
place operations master roles, see What Are Operations Masters?.
6. Clean up metadata of all other writeable DCs in the forest root domain that you are not restoring from
backup (all writeable DCs in the domain except for this first DC). If you use the version of Active Directory
Users and Computers or Active Directory Sites and Services that is included with Windows Server 2008
or later or RSAT for Windows Vista or later, metadata cleanup is performed automatically when you
delete a DC object. In addition, the server object and computer object for the deleted DC are also deleted
automatically. For more information, see Cleaning metadata of removed writable DCs.
Cleaning up metadata prevents possible duplication of NTDS-settings objects if AD DS is installed on a
DC in a different site. Potentially, this could also save the Knowledge Consistency Checker (KCC) the
process of creating replication links when the DCs themselves might not be present. Moreover, as part of
metadata cleanup, DC Locator DNS resource records for all other DCs in the domain will be deleted from
DNS.
Until the metadata of all other DCs in the domain is removed, this DC, if it were a RID master before
recovery, will not assume the RID master role and therefore will not be able to issue new RIDs. You might
see event ID 16650 in the System log in Event Viewer indicating this failure, but you should see event ID
16648 indicating success a little while after you have cleaned the metadata.
7. If you have DNS zones that are stored in AD DS, ensure that the local DNS Server service is installed and
running on the DC that you have restored. If this DC was not a DNS server before the forest failure, you
must install and configure the DNS server.
NOTE
If the restored DC runs Windows Server 2008, you need to install the hotfix in KB article 975654 or connect the
server to an isolated network temporarily in order to install DNS server. The hotfix is not required for any other
versions of Windows Server.
In the forest root domain, configure the restored DC with its own IP address (or a loopback address, such
as 127.0.0.1) as its preferred DNS server. You can configure this setting in the TCP/IP properties of the
local area network (LAN) adapter. This is the first DNS server in the forest. For more information, see
Configure TCP/IP to use DNS.
In each child domain, configure the restored DC with the IP address of the first DNS server in the forest
root domain as its preferred DNS server. You can configure this setting in the TCP/IP properties of the
LAN adapter. For more information, see Configure TCP/IP to use DNS.
In the _msdcs and domain DNS zones, delete NS records of DCs that no longer exist after metadata
cleanup. Check if the SRV records of the cleaned up DCs have been removed. To help speed up DNS SRV
record removal, run:
nltest.exe /dsderegdns:server.domain.tld
8. Raise the value of the available RID pool by 100,000. For more information, see Raising the value of
available RID pools. If you have reason to believe that raising the RID Pool by 100,000 is insufficient for
your particular situation, you should determine the lowest increase that is still safe to use. RIDs are a
finite resource that should not be used up needlessly.
If new security principals were created in the domain after the time of the backup that you use for the
restore, these security principals might have access rights on certain objects. These security principals no
longer exist after recovery because the recovery has reverted to the backup; however, their access rights
might still exist. If the available RID pool is not raised after a restore, new user objects that are created
after the forest recovery might obtain identical security IDs (SIDs) and could have access to those objects,
which was not originally intended.
To illustrate, consider the example of the new employee named Amy that was mentioned in the
introduction. The user object for Amy no longer exists after the restore operation because it was created
after the backup that was used to restore the domain. However, any access rights that were assigned to
that user object might persist after the restore operation. If the SID for that user object is reassigned to a
new object after the restore operation, the new object would obtain those access rights.
9. Invalidate the current RID pool. The current RID pool is invalidated after a system state restore. But if a
system state restore was not performed, the current RID pool needs to be invalidated to prevent the
restored DC from re-issuing RIDs from the RID pool that was assigned at the time the backup was
created. For more information, see Invalidating the current RID pool.
NOTE
The first time that you attempt to create an object with a SID after you invalidate the RID pool you will receive an
error. The attempt to create an object triggers a request for a new RID pool. Retry of the operation succeeds
because the new RID pool will be allocated.
10. Reset the computer account password of this DC twice. For more information, see Resetting the computer
account password of the domain controller.
11. Reset the krbtgt password twice. For more information, see Resetting the krbtgt password.
Because the krbtgt password history is two passwords, reset passwords twice to remove the original
(prefailure) password from password history.
NOTE
If the forest recovery is in response to a security breach, you may also reset the trust passwords. For more
information, see Resetting a trust password on one side of the trust.
12. If the forest has multiple domains and the restored DC was a global catalog server before the failure,
clear the Global catalog check box in the NTDS Settings properties to remove the global catalog from
the DC. The exception to this rule is the common case of a forest with just one domain. In this case, it is
not required to remove the global catalog. For more information, see Removing the global catalog.
By restoring a global catalog from a backup that is more recent than other backups that are used to
restore DCs in other domains, you might introduce lingering objects. Consider the following example. In
domain A, DC1 is restored from a backup that was taken at time T1. In domain B, DC2 is restored from a
global catalog backup that was taken at time T2. Suppose T2 is more recent than T1, and some objects
were created between T1 and T2. After these DCs are restored, DC2, which is a global catalog, holds
newer data for domain A's partial replica than domain A holds itself. DC2, in this case, holds lingering
objects because these objects are not present on DC1.
The presence of lingering objects can lead to problems. For instance, e-mail messages might not be
delivered to a user whose user object was moved between domains. After you bring the outdated DC or
global catalog server back online, both instances of the user object appear in the global catalog. Both
objects have the same e-mail address; therefore, e-mail messages cannot be delivered.
A second problem is that a user account that no longer exists might still appear in the global address list.
A third problem is that a universal group that no longer exists might still appear in a user's access token.
If you did restore a DC that was a global catalog—either inadvertently or because that was the solitary
backup that you trusted—we recommend that you prevent the occurrence of lingering objects by
disabling the global catalog soon after the restore operation is complete. Disabling the global catalog flag
will result in the computer losing all its partial replicas (partitions) and relegating itself to regular DC
status.
13. Configure Windows Time Service. In the forest root domain, configure the PDC emulator to synchronize
time from an external time source. For more information, see Configure the Windows Time service on the
PDC emulator in the Forest Root Domain.
NOTE
When you join the physical DCs to an isolated network, you may need to change their IP addresses. As a result, the IP
addresses of DNS records will be wrong. Because a global catalog server is not available, secure dynamic updates for DNS
will fail. Virtual DCs are more advantageous in this case because they can be joined to a new virtual network without
changing their IP addresses. This is one reason why virtual DCs are recommended as the first domain controllers to be
restored during forest recovery.
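The following PowerShell script is an added example (not Microsoft's code and not part of this guide) that collects the forest-root DC steps above into one runbook fragment: the Repl Perform Initial Synchronizations registry entry (step 3), an inventory of the privileged group members whose passwords are reset (step 4), seizing all operations master roles (step 5), raising the available RID pool by 100,000 (step 8), invalidating the current RID pool (step 9), and the double reset of the DC computer account and krbtgt passwords (steps 10 and 11). It assumes the RSAT ActiveDirectory module, that it runs elevated on the isolated restored DC, and that the DC name ($ForestRootDc) and domain DN ($DomainDn) are placeholders supplied by the operator. The rIDAvailablePool layout it relies on (upper 32 bits = maximum RID, lower 32 bits = next RID) and the invalidateRidPool rootDSE write are the documented mechanisms; the random-password helper and the use of Reset-ComputerMachinePassword in place of netdom resetpwd are choices of this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Microsoft's code. Runs elevated on the isolated, restored
# forest-root DC. $ForestRootDc and $DomainDn are operator-supplied placeholders.
param(
    [Parameter(Mandatory)] [string] $ForestRootDc,   # e.g. 'DC01' (placeholder)
    [Parameter(Mandatory)] [string] $DomainDn        # e.g. 'DC=corp,DC=example' (placeholder)
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Step 3: 0 lets a role holder start AD DS without a completed initial sync;
# set it back to 1 once the forest is fully recovered.
function Set-InitialSyncRequirement([ValidateSet(0, 1)] [int] $Value) {
    New-ItemProperty -Path $ntdsParams -Name 'Repl Perform Initial Synchronizations' `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

# Step 4: inventory of accounts whose passwords must be reset before more DCs are built.
# Forest-only groups (Enterprise/Schema Admins) exist only in the root domain, hence
# the SilentlyContinue when this runs against a child domain DC.
function Get-PrivilegedMembers {
    $groups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins',
              'Administrators', 'Server Operators', 'Account Operators'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -Server $ForestRootDc -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
    }
}

# Step 5: seize every role onto this DC so there is no doubt which DC holds them.
function Invoke-SeizeAllRoles {
    Move-ADDirectoryServerOperationMasterRole -Identity $ForestRootDc -Server $ForestRootDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Force -Confirm:$false
}

# Step 8: rIDAvailablePool is one 64-bit integer: upper 32 bits = highest RID the
# domain may ever issue, lower 32 bits = next RID the RID master will hand out.
# Advancing the lower half by 100,000 keeps SIDs issued after the backup from
# being reissued to new principals.
function Add-AvailableRidPool([int64] $Increase = 100000) {
    $ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $DomainDn) `
        -Properties rIDAvailablePool -Server $ForestRootDc
    $pool   = [int64] $ridMgr.rIDAvailablePool
    $high   = $pool -shr 32
    $low    = $pool - ($high -shl 32)
    $newLow = $low + $Increase
    if ($newLow -ge $high) { throw "Raising the pool by $Increase would exhaust the RID space" }
    Set-ADObject -Identity $ridMgr -Server $ForestRootDc `
        -Replace @{ rIDAvailablePool = ($high -shl 32) + $newLow }
    return $newLow   # the first RID that will be issued after the raise
}

# Step 9: invalidate this DC's local RID pool by writing the domain SID to the
# rootDSE attribute invalidateRidPool (the documented mechanism).
function Invoke-InvalidateRidPool {
    $domain  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ForestRootDc/$DomainDn")
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ForestRootDc/RootDSE")
    $rootDse.UsePropertyCache = $false
    $rootDse.Put('invalidateRidPool', $domain.objectSid.Value)   # byte[] domain SID
    $rootDse.SetInfo()
}

# Steps 10 and 11: two resets push the pre-failure secret out of the two-entry history.
function New-RandomPassword([int] $Length = 32) {
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # printable ASCII 33..126; the small modulo bias is irrelevant at this length
    ConvertTo-SecureString -String (($bytes | ForEach-Object { [char](33 + ($_ % 94)) }) -join '') `
        -AsPlainText -Force
}
function Reset-DcAndKrbtgtSecrets {
    1..2 | ForEach-Object {
        Reset-ComputerMachinePassword -Server $ForestRootDc      # this DC's own computer account
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword) -Server $ForestRootDc
    }
}

# Order of operations as the steps above prescribe; metadata cleanup and DNS (steps 6-7)
# are done with the tools named in the text between seizing roles and raising the pool.
Set-InitialSyncRequirement -Value 0
Get-PrivilegedMembers | Sort-Object -Unique | ForEach-Object { "reset and vault offline: $_" }
Invoke-SeizeAllRoles
Add-AvailableRidPool
Invoke-InvalidateRidPool
Reset-DcAndKrbtgtSecrets
```

Run Set-InitialSyncRequirement -Value 1 again after the forest is completely recovered, as step 3 requires. Add-AvailableRidPool refuses to write when the raise would run past the upper bound of the pool, which matches the guidance in step 8 to use the smallest increase that is still safe.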
After validation, join the DCs to the production network and complete the steps to verify forest replication
health.
To fix name resolution, create DNS delegation records and configure DNS forwarding and root hints as
needed. Run repadmin /replsum to check replication between DCs.
If the restored DCs are not direct replication partners, replication recovery will be much faster if you create
temporary connection objects between them.
To validate metadata cleanup, run repadmin /viewlist * for a list of all DCs in the forest. Run
nltest /dclist:<domain> for a list of all DCs in the domain.
To check DC and DNS health, run dcdiag /v to report errors on all DCs in the forest.
NOTE
A DC will not be advertised as a global catalog server until it has completed a full synchronization of all directory
partitions in the forest. Therefore, the DC should be forced to replicate with each of the restored DCs in the forest.
Monitor the Directory Service event log in Event Viewer for event ID 1119, which indicates that this DC is a global catalog
server, or verify the following registry key has a value of 1:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion Complete
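The following PowerShell script is an added example (not Microsoft's code and not part of this guide) that wraps the verification commands listed above, repadmin /replsum, nltest /dclist, dcdiag /v, the Global Catalog Promotion Complete registry value, event 1119 in the Directory Service log and the RID master events 16648/16650 in the System log, into a single health check that returns one summary object. It assumes the RSAT ActiveDirectory module, that it runs on a restored DC, and that $Domain (the DNS name of the domain) and $ExpectedDcs (the DCs that should remain after metadata cleanup) are placeholders supplied by the operator; the text patterns it parses from the tools' output are assumptions of this example and should be adjusted if your tool versions print a different layout.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Microsoft's code. Returns one summary object of the checks
# the guide lists. $Domain and $ExpectedDcs are operator-supplied placeholders.
param(
    [Parameter(Mandatory)] [string]   $Domain,       # e.g. 'corp.example' (placeholder)
    [Parameter(Mandatory)] [string[]] $ExpectedDcs   # e.g. 'DC01','DC02' (placeholder, short names)
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-ForestRecoveryHealth {
    $r = [ordered]@{}

    # repadmin /replsum prints one row per DC as "<dsa> <largest delta> <fails> / <total> <%>"
    # (assumed layout); any row with a non-zero fails count is a partner to chase.
    $r.ReplicationFailures = @(repadmin /replsum |
        Select-String -Pattern '^\s*(\S+)\s+\S+\s+(\d+)\s*/\s*\d+' |
        Where-Object { [int] $_.Matches[0].Groups[2].Value -gt 0 } |
        ForEach-Object { $_.Matches[0].Groups[1].Value })

    # Metadata cleanup: nltest /dclist indents each DC as "<fqdn> [flags] Site: <site>"
    # (assumed layout); anything not in the expected list is a DC whose metadata survived.
    $found = @(nltest /dclist:$Domain |
        Select-String -Pattern '^\s+([^\s.]+)\.' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
    $r.MissingDcs    = @($ExpectedDcs | Where-Object { $_ -notin $found })
    $r.StaleDcs      = @($found       | Where-Object { $_ -notin $ExpectedDcs })
    $r.ForestDsaList = @(repadmin /viewlist *)   # raw forest-wide list, kept for the record

    # dcdiag /v prints "<dc> failed test <name>" for every failing check.
    $r.FailedDcdiagTests = @(dcdiag /v |
        Select-String -Pattern '(\S+) failed test (\S+)' |
        ForEach-Object { "$($_.Matches[0].Groups[1].Value): $($_.Matches[0].Groups[2].Value)" })

    # Global catalog readiness: registry value 1 or event 1119. In a multi-domain forest
    # this is expected to be false until the global catalog is added back (step 12).
    $gcDone  = (Get-ItemProperty -Path $ntdsParams -Name 'Global Catalog Promotion Complete' `
                   -ErrorAction SilentlyContinue).'Global Catalog Promotion Complete'
    $gcEvent = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1119 } `
                   -MaxEvents 1 -ErrorAction SilentlyContinue
    $r.GlobalCatalogReady = ($gcDone -eq 1) -or ($null -ne $gcEvent)

    # RID master readiness: the newest of 16648 (success) / 16650 (cleanup still pending) decides.
    $ridEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16648, 16650 } `
                   -MaxEvents 1 -ErrorAction SilentlyContinue
    $r.RidMasterReady = ($ridEvent.Id -eq 16648)

    $r.Healthy = ($r.ReplicationFailures.Count -eq 0) -and ($r.MissingDcs.Count -eq 0) -and
                 ($r.StaleDcs.Count -eq 0) -and ($r.FailedDcdiagTests.Count -eq 0)
    [pscustomobject] $r
}

Test-ForestRecoveryHealth | Format-List
```

Healthy is deliberately computed without GlobalCatalogReady and RidMasterReady, because both are expected to lag: the global catalog is re-added later in a multi-domain forest, and event 16648 only appears after the metadata of the other DCs has been removed.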
AD Forest Recovery - Procedures
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2
This section contains procedures related to the forest recovery process. The procedures are applicable for
Windows Server 2016, 2012 R2, 2012 and are also applicable to Windows Server 2008 R2 and 2008 with some
minor exceptions.
Procedures that include steps that vary for Windows Server 2003 are found in Forest Recovery with Windows
Server 2003 Domain Controllers.
The following is a list of procedures that are used in backing up and restoring domain controllers and Active
Directory.
Backing up a full server
Backing up the System State data
Performing a full server recovery
Performing an authoritative synch of DFSR-replicated SYSVOL
Performing a nonauthoritative restore of Active Directory Domain Services
These steps explain how to perform an authoritative restore of SYSVOL at the same time.
Configuring the DNS Server service
Removing the global catalog
Raising the value of available RID pools
Invalidating the current RID pool
Seizing an operations master role
Cleaning up after a restore
Cleaning metadata of removed writable domain controllers
Resetting the computer account password of the domain controller
Resetting the krbtgt password
Resetting a trust password on one side of the trust
Adding the global catalog
Resources to verify replication is working
AD Forest Recovery - FAQ
6/17/2021 • 4 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2,
Windows Server 2003
This document contains frequently asked questions (FAQs) regarding forest recovery:
General Recovery
Q: What can I do to speed up recovery?
Although speed of recovery is not the primary goal of this guide, you can achieve shorter recovery times by:
Creating a detailed forest recovery plan, updating it on a regular basis, and practicing it in a simulated test
environment of reasonable size at least once a year
Using virtualized domain controller (DC) cloning
Virtualized DC cloning expedites the process to get additional DCs running after one DC is restored
from backup in each domain. The additional virtualized DCs can be cloned rather than waiting for
potentially lengthy AD DS installations to be completed and for the completion of non-critical
replication after installation.
Forests where virtual DCs are hosted in a relatively small number of well-connected data centers
potentially benefit most from cloning during recovery. However, any environment where multiple
virtualized DCs for the same domain are co-located on the same hypervisor host should benefit.
Deploying read-only domain controllers (RODCs)
RODCs can provide business continuity during the recovery process because they do not have to be
disconnected from the network as writable DCs do. RODCs do not perform outbound replication.
Therefore, they do not present the same risk that writable DCs pose for replicating damaging data
back into the recovered environment.
Other factors that affect the duration of the forest recovery process include the following:
When you restore DCs from backups, it takes time to:
Locate the physical backup media, such as tapes.
Reinstall the operating system.
Restore data from backup media.
You can reduce the time required to reinstall the operating system and restore data from
backup by performing full server recovery instead of system state restore. Because full server
recovery is binary-based, it completes much faster than system state restore.
However, if the server contains data that is excluded from system state data that you do not
want to restore, full server recovery might not be a viable alternative to system state restore.
Consider the advantages of performing a full server recovery instead of a system state restore
for your servers specifically, and prepare accordingly by performing the appropriate type of
backup that you plan to restore later.
When you rebuild DCs, it takes time to replicate data for network-based promotions.
You can decrease the time required for restoring DCs by performing the following steps:
Reduce the time for retrieving backup media by:
Using the Active Directory Database Mounting Tool (Dsamain.exe) to identify the best backup to use
for restore operations. For more information about using the Active Directory Database Mounting
Tool, see the Active Directory Database Mounting Tool Step-by-Step Guide
(https://go.microsoft.com/fwlink/?LinkId=132577).
Labeling the backup media clearly and storing the media in an organized fashion at a convenient, yet
secure, location that allows fast retrieval.
Using the Volume Shadow Copy Service with a storage area network (SAN) to maintain backups from
different points in time. For more information, see Windows Server 2003 Active Directory Fast
Recovery with Volume Shadow Copy Service and Virtual Disk Service
(https://go.microsoft.com/fwlink/?LinkId=70781).
Force the removal of AD DS from the DCs instead of reinstalling the operating system. If the cause of the
forest-wide failure has been identified to be purely within the scope of AD DS, you do not have to reinstall
the operating system on the DCs.
For more information about forcing the removal of AD DS from a DC that runs Windows Server 2008
or later, see Forcing the Removal of a Windows Server 2008 Domain Controller
(https://go.microsoft.com/fwlink/?LinkId=132627). For more information about forcing the removal
of AD DS from a DC that runs Windows Server 2003, see article 332199 in the Microsoft Knowledge
Base (https://go.microsoft.com/fwlink/?LinkId=70780).
Use faster tape devices or disk backups to reduce the time that is required for restore operations.
You can also help accelerate AD DS installations by using the Install from Media (IFM) feature to rebuild DCs in
each domain. IFM reduces the replication latency that is incurred when you rebuild DCs in each domain.
Businesses that have a more aggressive service-level agreement (SLA) might consider altering the forest
recovery procedures to speed recovery.
Q: Can I automate the forest recovery process?
Because of the complex and critical nature of the forest recovery process, there is currently no end-to-end
automation of it. The forest recovery process is more a logistical and organizational challenge of restoring
business continuity than a technical problem of process automation. Therefore, the individual who administers
the environment should create a forest recovery plan that is specific to that environment and then automate
sections of it that can be automated successfully.
You can perform most of the forest recovery steps by using command-line tools. Therefore, most of the steps
are scriptable. For example, Ntdsutil.exe is one of the most frequently used tools in the forest recovery process.
Although scripts can speed recovery, you must thoroughly test these scripts before you apply them in a real
environment. Also, you must update them according to changes in the Active Directory environment, such as
the addition of a new domain or DC, or a new version of Active Directory.
AD Forest Recovery - Recovering a single domain in a multidomain forest
3/5/2021 • 3 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2
There can be times when it is necessary to recover only a single domain within a forest that has multiple
domains, rather than a full forest recovery. This topic covers considerations for recovering a single domain and
possible strategies for recovery.
A single domain recovery presents a unique challenge for rebuilding global catalog (GC) servers. For example, if
the first domain controller (DC) for the domain is restored from a backup that was created one week earlier, then
all other GCs in the forest will have more up-to-date data for that domain than the restored DC. To re-establish
GC data consistency, there are a couple options:
Unhost and then rehost the recovered domain's partition from all GCs in the forest, except those in the
recovered domain, at the same time.
Follow the forest recovery process to recover the domain, and then remove lingering objects from GCs in
other domains.
The following sections provide general considerations for each option. The complete set of steps that need to be
done for the recovery will vary for different Active Directory environments.
Rehosting all GCs can be done using the repadmin /unhost and repadmin /rehost commands (documented under
repadmin /experthelp). You run the repadmin commands on every GC in each domain that is not being recovered.
Make sure that no GC still holds a copy of the recovered domain before any rehost begins: first unhost the
domain partition from all GCs across all non-recovered domains of the forest. Only after no GC contains the
partition anymore should you rehost it. When rehosting, consider the site and replication structure of your
forest; for example, finish the rehost of one DC per site before rehosting the other DCs of that site.
This option can be advantageous for a small organization that has only a few domain controllers for each
domain. All of the GCs could be rebuilt on a Friday night and, if necessary, complete replication for all read-only
domain partitions before Monday morning. But if you need to recover a large domain that covers sites across
the globe, rehosting the read-only domain partition on all GCs for other domains can significantly impact
operations and potentially require down time.
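The following PowerShell script is an added example (not Microsoft's code and not part of this guide) of the unhost-everywhere-first, then rehost order described above, with one GC per site rehosted before the rest. It assumes the RSAT ActiveDirectory module, and that $RecoveredDomainDn (the DN of the recovered domain's partition) and $GoodSourceDc (a restored and verified DC of that domain to rehost from) are placeholders supplied by the operator; the check that a GC no longer lists the partition in repadmin /showrepl output is an assumption of this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Microsoft's code. Implements the unhost-everywhere-then-rehost
# order for the recovered domain's read-only partition on GCs of the other domains.
param(
    [Parameter(Mandatory)] [string] $RecoveredDomainDn,  # e.g. 'DC=child,DC=corp,DC=example' (placeholder)
    [Parameter(Mandatory)] [string] $GoodSourceDc        # e.g. 'CHILDDC01.child.corp.example' (placeholder)
)

# Every GC in the forest that belongs to a domain other than the recovered one.
function Get-GcsOutsideRecoveredDomain {
    $recovered = (Get-ADDomain -Identity $RecoveredDomainDn).DNSRoot
    foreach ($d in ((Get-ADForest).Domains | Where-Object { $_ -ne $recovered })) {
        Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $d |
            Select-Object HostName, Site
    }
}

# repadmin /showrepl lists every naming context the DSA replicates; the recovered
# domain's DN must be absent from all of them before any rehost begins (assumed check).
function Test-PartitionHosted([string] $Gc) {
    $null -ne (repadmin /showrepl $Gc 2>$null | Select-String -SimpleMatch $RecoveredDomainDn)
}

function Invoke-ReadOnlyPartitionRehost {
    $gcs = @(Get-GcsOutsideRecoveredDomain)

    # Phase 1: unhost on all of them first, so no GC keeps a stale copy that another
    # GC could pick up when it rehosts.
    foreach ($gc in $gcs) { repadmin /unhost $gc.HostName $RecoveredDomainDn | Out-Null }
    $still = @($gcs | Where-Object { Test-PartitionHosted $_.HostName })
    if ($still.Count -gt 0) {
        throw "Partition still hosted on: $($still.HostName -join ', '). Wait for the unhost to finish and rerun."
    }

    # Phase 2: rehost one GC per site first so each site has a local source, then the rest.
    $firstPerSite = @($gcs | Group-Object Site | ForEach-Object { $_.Group[0] })
    $rest         = @($gcs | Where-Object { $_.HostName -notin $firstPerSite.HostName })
    foreach ($gc in ($firstPerSite + $rest)) {
        repadmin /rehost $gc.HostName $RecoveredDomainDn $GoodSourceDc | Out-Null
    }
    [pscustomobject]@{
        Unhosted      = $gcs.Count
        RehostedFirst = @($firstPerSite.HostName)
        RehostedNext  = @($rest.HostName)
    }
}

Invoke-ReadOnlyPartitionRehost
```

The script stops between the two phases if any GC still lists the partition, which is the condition the text calls out: rehosting while a stale copy remains anywhere in the forest defeats the purpose of the unhost.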
Active Directory Forest Recovery Virtualization
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2
This topic describes the virtualized domain controller cloning feature in Windows Server 2016, 2012 R2, and
2012.
AD Forest Recovery - Windows Server 2003 Recovery
6/17/2021 • 6 minutes to read
This topic includes forest recovery procedures for domain controllers (DCs) that run Windows Server 2003. The
general process for forest recovery is no different with Windows Server 2003 DCs, but specific procedures can
differ because of different tools. For example, Ntdsutil.exe can be used to back up and restore DCs that run
Windows Server 2003, whereas Windows Server Backup or Wbadmin.exe is used for DCs that run
Windows Server 2008 or later.
Backing up the System State data
Performing a nonauthoritative restore
Install and configure the DNS Server service
NOTE
If you are also reinstalling the Windows Server 2003 operating system, you might or might not join the computer to the
domain and you can give any name to the computer during setup of the operating system. Do not install Active
Directory. After reinstalling the operating system, go directly to step 4.
On Windows Server 2003 domain controllers where you have restored only system state data, you need to also
reinstall any software applications that were running on DCs before recovery. Restoring AD DS on the first DC in
the domain also restores the registry because they both are part of System State data. Keep this in mind if you
had any applications running on these DCs and if they had any information stored in the registry.
To save time required to re-install software, determine if applications that need to be installed on the DCs are
compatible with virtual DC cloning. Such applications can be installed on the source DC prior to cloning in order
to save the time and effort required to install them on the cloned virtual DCs.
To perform a nonauthoritative restore
1. After you start the DC, press F8 to restart the computer in Directory Services Restore Mode (DSRM).
2. Select Directory Services Restore Mode (Windows domain controllers only).
3. Select the operating system that you want to start in restore mode.
4. Log on as an administrator (you can only use a local computer account, no domain logon option is available).
5. At a command prompt, type ntbackup, and then press ENTER.
6. On the Welcome page, click Advanced Mode, and then select the Restore and Manage Media tab. (Do
not select Restore Wizard.)
7. Select the appropriate backup file to restore from and ensure that the System disk and System State
check boxes are selected.
8. Click Start Restore.
9. When the restore operation is complete, restart the computer.
Use the following procedure to perform an authoritative (also known as primary) restore of SYSVOL on a DC
that runs Windows Server 2003. Perform this procedure only on the first Windows Server 2003 DC that is
restored in the domain.
To perform an authoritative restore of SYSVOL
1. Perform steps 1 through 8 in the previous procedure.
2. In the Confirm Restore dialog box, click Advanced.
3. To perform an authoritative restore of SYSVOL, select the check box When restoring replicated data
sets, mark the restored data as the primary data for all replicas.
NOTE
Marking the restored data as the primary data in the Backup is equivalent to setting the BurFlags entry to D4
under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\<GUID>
NOTE
Net Logon will register the DC Locator resource records in DNS for this DC. If you are installing the DNS Server
service on a server in the child domain, this DC will not be able to register its records immediately. This is because
it is currently isolated as part of the recovery process, and its primary DNS server is the forest root DNS server.
Configure this computer with the same IP address as it had before the disaster to avoid DC service lookup
failures.
Best Practices for Securing Active Directory
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This document provides a practitioner's perspective and contains a set of practical techniques to help IT
executives protect an enterprise Active Directory environment. Active Directory plays a critical role in the IT
infrastructure, and ensures the harmony and security of different network resources in a global, interconnected
environment. The methods discussed are based largely on the Microsoft Information Security and Risk
Management (ISRM) organization's experience, which is accountable for protecting the assets of Microsoft IT
and other Microsoft Business Divisions, in addition to advising a selected number of Microsoft Global 500
customers.
Executive Summary
Introduction
Avenues to Compromise
Attractive Accounts for Credential Theft
Reducing the Active Directory Attack Surface
Implementing Least-Privilege Administrative Models
Implementing Secure Administrative Hosts
Securing Domain Controllers Against Attack
Monitoring Active Directory for Signs of Compromise
Audit Policy Recommendations
Planning for Compromise
Maintaining a More Secure Environment
Appendices
Appendix B: Privileged Accounts and Groups in Active Directory
Appendix C: Protected Accounts and Groups in Active Directory
Appendix D: Securing Built-In Administrator Accounts in Active Directory
Appendix E: Securing Enterprise Admins Groups in Active Directory
Appendix F: Securing Domain Admins Groups in Active Directory
Appendix G: Securing Administrators Groups in Active Directory
Appendix H: Securing Local Administrator Accounts and Groups
Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory
Appendix L: Events to Monitor
Appendix M: Document Links and Recommended Reading
Executive Summary
3/5/2021 • 9 minutes to read
IMPORTANT
The following documentation was written in 2013 and is provided for historical purposes only. Currently we are reviewing
this documentation and it is subject to change. It may not reflect current best practices.
No organization with an information technology (IT) infrastructure is immune from attack, but if appropriate
policies, processes, and controls are implemented to protect key segments of an organization's computing
infrastructure, it might be possible to prevent a breach event from growing to a wholesale compromise of the
computing environment.
This executive summary is intended to be useful as a standalone document summarizing the content of the
document, which contains recommendations that will assist organizations in enhancing the security of their
Active Directory installations. By implementing these recommendations, organizations will be able to identify
and prioritize security activities, protect key segments of their organization's computing infrastructure, and
create controls that significantly decrease the likelihood of successful attacks against critical components of the
IT environment.
Although this document discusses the most common attacks against Active Directory and countermeasures to
reduce the attack surface, it also contains recommendations for recovery in the event of complete compromise.
The only sure way to recover in the event of a complete compromise of Active Directory is to be prepared for
the compromise before it happens.
The major sections of this document are:
Avenues to Compromise
Reducing the Active Directory Attack Surface
Monitoring Active Directory for Signs of Compromise
Planning for Compromise
Avenues to Compromise
This section provides information about some of the most commonly leveraged vulnerabilities used by attackers
to compromise customers' infrastructures. It contains general categories of vulnerabilities and how they're used
to initially penetrate customers' infrastructures, propagate compromise across additional systems, and
eventually target Active Directory and domain controllers to obtain complete control of the organizations'
forests. It does not provide detailed recommendations about addressing each type of vulnerability, particularly
in the areas in which the vulnerabilities are not used to directly target Active Directory. However, for each type of
vulnerability, we have provided links to additional information to use to develop countermeasures and reduce
the organization's attack surface.
Included are the following subjects:
Initial breach targets - Most information security breaches start with the compromise of small pieces
of an organization's infrastructure, often one or two systems at a time. These initial events, or entry points
into the network, often exploit vulnerabilities that could have been fixed, but weren't. Commonly seen
vulnerabilities are:
Gaps in antivirus and antimalware deployments
Incomplete patching
Outdated applications and operating systems
Misconfiguration
Lack of secure application development practices
Attractive Accounts for Credential Theft - Credential theft attacks are those in which an attacker
initially gains privileged access to a computer on a network and then uses freely available tooling to
extract credentials from the sessions of other logged-on accounts. Included in this section are the
following:
Activities that Increase the Likelihood of Compromise - Because the target of credential
theft is usually highly privileged domain accounts and "very important person" (VIP) accounts, it is
important for administrators to be conscious of activities that increase the likelihood of a successful
credential-theft attack. These activities are:
Logging on to unsecured computers with privileged accounts
Browsing the Internet with a highly privileged account
Configuring local privileged accounts with the same credentials across systems
Overpopulation and overuse of privileged domain groups
Insufficient management of the security of domain controllers.
Privilege Elevation and Propagation - Specific accounts, servers, and infrastructure
components are usually the primary targets of attacks against Active Directory. These accounts
are:
Permanently privileged accounts
VIP accounts
"Privilege-Attached" Active Directory accounts
Domain controllers
Other infrastructure services that affect identity, access, and configuration management,
such as public key infrastructure (PKI) servers and systems management servers
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Attacks against computing infrastructures, whether simple or complex, have existed as long as computers have.
However, within the past decade, increasing numbers of organizations of all sizes, in all parts of the world have
been attacked and compromised in ways that have significantly changed the threat landscape. Cyber-warfare
and cybercrime have increased at record rates. "Hacktivism," in which attacks are motivated by activist positions,
has been claimed as the motivation for a number of breaches intended to expose organizations' secret
information, to create denials-of-service, or even to destroy infrastructure. Attacks against public and private
institutions with the goal of exfiltrating the organizations' intellectual property (IP) have become ubiquitous.
No organization with an information technology (IT) infrastructure is immune from attack, but if appropriate
policies, processes, and controls are implemented to protect key segments of an organization's computing
infrastructure, escalation of attacks from penetration to complete compromise might be preventable. Because
the number and scale of attacks originating from outside an organization has eclipsed insider threat in recent
years, this document often discusses external attackers rather than misuse of the environment by authorized
users. Nonetheless, the principles and recommendations provided in this document are intended to help secure
your environment against external attackers and misguided or malicious insiders.
The information and recommendations provided in this document are drawn from a number of sources and
derived from practices designed to protect Active Directory installations against compromise. Although it is not
possible to prevent attacks, it is possible to reduce the Active Directory attack surface and to implement controls
that make compromise of the directory much more difficult for attackers. This document presents the most
common types of vulnerabilities we have observed in compromised environments and the most common
recommendations we have made to customers to improve the security of their Active Directory installations.
Account/group location                 Name of account/group   How it is referenced in this document
Active Directory - each domain         Domain Admins           Domain Admins (DA) group
Active Directory - forest root domain  Enterprise Admins       Enterprise Admins (EA) group
Executive Summary
The Executive Summary, which can be read as a standalone document or in combination with the full document,
provides a high-level summary of this document. Included in the Executive Summary are the most common
attack vectors we have observed used to compromise customer environments, summary recommendations for
securing Active Directory installations, and basic objectives for customers who plan to deploy new AD DS
forests now or in the future.
Introduction
This is the section you are reading now.
Avenues to Compromise
This section provides information about some of the most commonly leveraged vulnerabilities we have found to
be used by attackers to compromise customers' infrastructures. This section begins with general categories of
vulnerabilities and how they are leveraged to initially penetrate customers' infrastructures, propagate
compromise across additional systems, and eventually target AD DS and domain controllers to obtain complete
control of organizations' forests.
This section does not provide detailed recommendations about addressing each type of vulnerability,
particularly in the areas in which the vulnerabilities are not used to directly target Active Directory. However, for
each type of vulnerability, we have provided links to additional information that you can use to develop
countermeasures and reduce your organization's attack surface.
Reducing the Active Directory Attack Surface
This section begins by providing background information about privileged accounts and groups in Active
Directory to provide the information that helps clarify the reasons for the subsequent recommendations for
securing and managing privileged groups and accounts. We then discuss approaches to reduce the need to use
highly privileged accounts for day-to-day administration, which does not require the level of privilege that is
granted to groups such as the Enterprise Admins (EA), Domain Admins (DA), and Built-in Administrators (BA)
groups in Active Directory. Next, we provide guidance for securing the privileged groups and accounts and for
implementing secure administrative practices and systems.
Although this section provides detailed information about these configuration settings, we have also included
appendices for each recommendation that provide step-by-step configuration instructions that can be used "as
is" or can be modified for the organization's needs. This section finishes by providing information to securely
deploy and manage domain controllers, which should be among the most stringently secured systems in the
infrastructure.
Monitoring Active Directory for Signs of Compromise
Whether you have implemented robust security information and event monitoring (SIEM) in your environment
or are using other mechanisms to monitor the security of the infrastructure, this section provides information
that can be used to identify events on Windows systems that may indicate that an organization is being
attacked. We discuss traditional and advanced audit policies, including effective configuration of audit
subcategories in the Windows 7 and Windows Vista operating systems. This section includes comprehensive
lists of objects and systems to audit, and an associated appendix lists events for which you should monitor if the
goal is to detect compromise attempts.
Planning for Compromise
This section begins by "stepping back" from technical detail to focus on principles and processes that can be
implemented to identify the users, applications, and systems that are most critical not only to the IT
infrastructure, but to the business. After identifying what is most critical to the stability and operations of your
organization, you can focus on segregating and securing these assets, whether they are intellectual property,
people, or systems. In some cases, segregating and securing assets may be performed in your existing AD DS
environment, while in other cases, you should consider implementing small, separate "cells" that allow you to
establish a secure boundary around critical assets and monitor those assets more stringently than less-critical
components. A concept called "creative destruction," which is a mechanism by which legacy applications and
systems can be eliminated by creating new solutions is discussed, and the section ends with recommendations
that can help to maintain a more secure environment by combining business and IT information to construct a
detailed picture of what is a normal operational state. By knowing what is normal for an organization,
abnormalities that may indicate attacks and compromises can be more easily identified.
Summary of Best Practice Recommendations
This section provides a table that summarizes the recommendations made in this document and orders them by
relative priority, in addition to providing links to where more information about each recommendation can be
found in the document and its appendices.
Appendices
Appendices are included in this document to augment the information contained in the body of the document.
The list of appendices and a brief description of each is included in the following table.
Appendix B: Privileged Accounts and Groups in Active Directory
    Provides background information that helps you to identify the users and groups you should focus on
    securing because they can be leveraged by attackers to compromise and even destroy your Active Directory
    installation.
Appendix C: Protected Accounts and Groups in Active Directory
    Contains information about protected groups in Active Directory. It also contains information for limited
    customization (removal) of groups that are considered protected groups and are affected by AdminSDHolder
    and SDProp.
Appendix D: Securing Built-In Administrator Accounts in Active Directory
    Contains guidelines to help secure the Administrator account in each domain in the forest.
Appendix E: Securing Enterprise Admins Groups in Active Directory
    Contains guidelines to help secure the Enterprise Admins group in the forest.
Appendix F: Securing Domain Admins Groups in Active Directory
    Contains guidelines to help secure the Domain Admins group in each domain in the forest.
Appendix G: Securing Administrators Groups in Active Directory
    Contains guidelines to help secure the Built-in Administrators group in each domain in the forest.
Appendix H: Securing Local Administrator Accounts and Groups
    Contains guidelines to help secure local Administrator accounts and Administrators groups on domain-joined
    servers and workstations.
Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory
    Provides information to create accounts that have limited privileges and can be stringently controlled, but
    can be used to populate privileged groups in Active Directory when temporary elevation is required.
Appendix L: Events to Monitor
    Lists events for which you should monitor in your environment.
Appendix M: Document Links and Recommended Reading
    Contains a list of recommended reading. Also contains a list of links to external documents and their URLs
    so that readers of hard copies of this document can access this information.
Avenues to Compromise
3/5/2021 • 25 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Law Number Seven: The most secure network is a well-administered one. - 10 Immutable Laws of Security
Administration
In organizations that have experienced catastrophic compromise events, assessments usually reveal that the
organizations have limited visibility into the actual state of their IT infrastructures, which may differ significantly
from their "as documented" states. These variances introduce vulnerabilities that expose the environment to
compromise, often with little risk of discovery until the compromise has progressed to the point at which the
attackers effectively "own" the environment.
Detailed assessments of these organizations' AD DS configuration, public key infrastructures (PKIs), servers,
workstations, applications, access control lists (ACLs), and other technologies reveal misconfigurations and
vulnerabilities that, if remediated, could have prevented the initial compromise.
Analysis of IT documentation, processes, and procedures identifies vulnerabilities introduced by gaps in
administrative practices that were leveraged by attackers to eventually obtain privileges that were used to fully
compromise the Active Directory forest. A fully compromised forest is one in which attackers compromise not
only individual systems, applications, or user accounts, but escalate their access to obtain a level of privilege in
which they can modify or destroy all aspects of the forest. When an Active Directory installation has been
compromised to that degree, attackers can make changes that allow them to maintain a presence throughout
the environment, or worse, to destroy the directory and the systems and accounts it manages.
Although a number of the commonly exploited vulnerabilities in the descriptions that follow are not attacks
against Active Directory, they allow attackers to establish a foothold in an environment that can be used to run
privilege escalation (also called privilege elevation) attacks and to eventually target and compromise AD DS.
This section of this document focuses on describing the mechanisms that attackers typically use to gain access
to the infrastructure and eventually to launch privilege elevation attacks. Also see the following sections:
Reducing the Active Directory Attack Surface: Detailed recommendations for the secure configuration of
Active Directory.
Monitoring Active Directory for Signs of Compromise: Recommendations to help detect compromise.
Planning for Compromise: High-level approaches to help prepare for attacks against the infrastructure
from IT and business perspectives.
NOTE
Although this document focuses on Active Directory and Windows systems that are part of an AD DS domain, attackers
rarely focus solely on Active Directory and Windows. In environments with a mixture of operating systems, directories,
applications, and data repositories, it is common to find that non-Windows systems have also been compromised. This is
particularly true if the systems provide a "bridge" between Windows and non-Windows environments, such as file servers
accessed by Windows and UNIX or Linux clients, directories that provide authentication services to multiple operating
systems, or metadirectories that synchronize data across disparate directories.
AD DS is targeted because of the centralized access and configuration management capabilities it provides not only to
Windows systems, but to other clients. Any other directory or application that provides authentication and configuration
management services can, and will be targeted by determined attackers. Although this document is focused on
protections that can reduce the likelihood of a compromise of Active Directory installations, every organization that
includes non-Windows computers, directories, applications, or data repositories should also prepare for attacks against
those systems.
Domain controllers should be treated as critical infrastructure components, secured more stringently and
configured more rigidly than file, print, and application servers. Domain controllers should not run any software
that is not required for the domain controller to function or doesn't protect the domain controller against
attacks. Domain controllers should not be permitted to access the Internet, and security settings should be
configured and enforced by Group Policy Objects (GPOs). Detailed recommendations for the secure installation,
configuration, and management of domain controllers are provided in Securing Domain Controllers Against
Attack.
Within the Operating System
Law Number Two: If a bad guy can alter the operating system on your computer, it's not your computer
anymore. - Ten Immutable Laws of Security (Version 2.0)
Although some organizations create baseline configurations for servers of different types and allow limited
customization of the operating system after it's installed, analysis of compromised environments often uncovers
large numbers of servers deployed in an ad hoc fashion, and configured manually and independently.
Configurations between two servers performing the same function may be completely different, where neither
server is configured securely. Conversely, server configuration baselines may be consistently enforced, but also
consistently misconfigured; that is, servers are configured in a manner that creates the same vulnerability on all
servers of a given type. Misconfiguration includes practices such as disabling of security features, granting
excessive rights and permissions to accounts (particularly service accounts), use of identical local credentials
across systems, and permitting installation of unauthorized applications and utilities that create vulnerabilities of
their own.
Disabling Security Features
Organizations sometimes disable Windows Firewall with Advanced Security (WFAS) out of a belief that WFAS is
difficult to configure or requires work-intensive configuration. However, beginning with Windows Server 2008,
when any role or feature is installed on a server, it is configured by default with the least privileges required for
the role or feature to function, and the Windows Firewall is automatically configured to support the role or
feature. By disabling WFAS (and not using another host-based firewall in its place), organizations increase the
attack surface of the entire Windows environment. Perimeter firewalls provide some protection against attacks
that directly target an environment from the Internet, but they provide no protection against attacks that exploit
other attack vectors such as drive-by download attacks, or attacks that originate from other compromised
systems on the intranet.
User Account Control (UAC) settings are sometimes disabled on servers because administrative staff find the
prompts intrusive. Although Microsoft Support article 2526083 describes scenarios in which UAC may be
disabled on Windows Server, unless you are running a server core installation (where UAC is disabled by
design), you should not disable UAC on servers without careful consideration and research.
In other cases, server settings are configured to less-secure values because organizations apply outdated server
configuration settings to new operating systems, such as applying Windows Server 2003 baselines to
computers running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008, without
changing the baselines to reflect the changes in the operating system. Rather than carrying old server baselines
to new operating systems, when deploying a new operating system, review security changes and configuration
settings to ensure that the settings implemented are applicable and appropriate for the new operating system.
Granting Excessive Privilege
In nearly every environment we have assessed, excessive privilege is granted to local and domain-based
accounts on Windows systems. Users are granted local Administrator rights on their workstations, member
servers run services that are configured with rights beyond what they need to function, and local Administrators
groups across the server population contain dozens or even hundreds of local and domain accounts.
Compromise of only one privileged account on a computer allows attackers to compromise the accounts of
every user and service that logs on to the computer, and to harvest and leverage credentials to propagate the
compromise to other systems.
Pass-the-hash (PTH) and other credential theft attacks are ubiquitous today because freely available tooling
makes it simple to extract the credentials of other privileged accounts once an attacker has gained
Administrator- or SYSTEM-level access to a computer. Even without tooling that allows
harvesting of credentials from logon sessions, an attacker with privileged access to a computer can just as easily
install keystroke loggers that capture keystrokes, screenshots, and clipboard contents. An attacker with
privileged access to a computer can disable antimalware software, install rootkits, modify protected files, or
install malware on the computer that automates attacks or turns a server into a drive-by download host.
The tactics used to extend a breach beyond a single computer vary, but the key to propagating compromise is
the acquisition of highly privileged access to additional systems. By reducing the number of accounts with
privileged access to any system, you reduce the attack surface not only of that computer, but the likelihood of an
attacker harvesting valuable credentials from the computer.
Standardizing Local Administrator Credentials
There has long been debate among security specialists as to whether there is value in renaming local
Administrator accounts on Windows computers. What is actually important about local Administrator accounts
is whether they are configured with the same user name and password across multiple computers.
If the local Administrator account is named to the same value across servers and the password assigned to the
account is also configured to the same value, attackers can extract the account's credentials on one computer on
which Administrator or SYSTEM-level access has been obtained. The attacker does not have to initially
compromise the Administrator account; they need only compromise the account of a user who is a member of
the local Administrators group, or of a service account that is configured to run as LocalSystem or with
Administrator privileges. The attacker can then extract the credentials for the Administrator account and replay
those credentials in network logons to other computers on the network.
As long as another computer has a local account with the same user name and password (or password hash) as
the account credentials that are being presented, the logon attempt succeeds and the attacker obtains privileged
access to the targeted computer. In current versions of Windows, the built-in Administrator account is disabled
by default, but in legacy operating systems, the account is enabled by default.
NOTE
Some organizations have intentionally configured local Administrator accounts to be enabled in the belief that this
provides a "failsafe" in case all other privileged accounts are locked out of a system. However, even if the local
Administrator account is disabled and there are no other accounts available that can enable the account or log on to the
system with Administrator privileges, the system can be booted into safe mode and the built-in local Administrator
account can be re-enabled, as described in Microsoft Support article 814777. Additionally, if the system still successfully
applies GPOs, a GPO can be modified to (temporarily) re-enable the Administrator account, or Restricted Groups can be
configured to add a domain-based account to the local Administrators group. Repairs can be performed and the
Administrator account can again be disabled. To effectively prevent a lateral compromise that uses built-in local
Administrator account credentials, unique user names and passwords must be configured for local Administrator
accounts. To deploy unique passwords for local Administrator accounts via a GPO, see Solution for management of built-in
Administrator account's password via GPO on technet.
Permitting Installation of Unauthorized Applications
Law Number One: If a bad guy can persuade you to run his program on your computer, it's not solely your
computer anymore. - Ten Immutable Laws of Security (Version 2.0)
Whether or not an organization deploys consistent baseline settings across servers, the installation of applications that
are not part of a server's defined role should not be permitted. By allowing software to be installed that is not
part of a server's designated functionality, servers are exposed to inadvertent or malicious installation of
software that increases the server's attack surface, introduces application vulnerabilities, or causes system
instability.
Applications
As described earlier, applications are often installed and configured to use accounts that are granted more
privilege than the application actually requires. In some cases, the application's documentation specifies that
service accounts must be members of a server's local Administrators group or must be configured to run in the
context of the LocalSystem. This is often not because the application requires those rights, but because
determining what rights and permissions an application's service accounts need requires investment in
additional time and effort. If an application does not install with the minimum privileges required for the
application and its configured features to function, the system is exposed to attacks that leverage application
privileges without any attack against the operating system itself.
Lack of Secure Application Development Practices
Infrastructure exists to support business workloads. Where these workloads are implemented in custom
applications, it is critical to ensure that the applications are developed using secure best practices. Root-cause
analysis of enterprise-wide incidents often reveals that an initial compromise is effected through custom
applications, particularly those that are Internet facing. Most of these compromises are accomplished via
well-known attacks such as SQL injection (SQLi) and cross-site scripting (XSS).
SQL Injection is an application vulnerability that allows user-defined input to modify a SQL statement that is
passed to the database for execution. This input can be provided via a field in the application, a parameter (such
as the query string or a cookie), or other methods. The result of this injection is that the SQL statement provided
to the database is fundamentally different than what the developer intended. Take, for example, a common
query used in the evaluation of a user name/password combination:
SELECT userID FROM users WHERE username = 'sUserName' AND password = 'sPassword'
When this is received by the database server, it instructs the server to look through the users table and return
any userID record where the user name and password match those provided by the user (presumably via a
login form of some kind). Naturally the intent of the developer in this case is to only return a valid record if a
correct user name and password can be provided by the user. If either is incorrect, the database server will be
unable to find a matching record and return an empty result.
The issue occurs when an attacker does something unexpected such as providing their own SQL in place of valid
data. Because SQL is interpreted on-the-fly by the database server, the injected code would be processed as if
the developer had put it in himself. For example, if the attacker entered administrator for the user ID and xyz
OR 1=1 as the password, the resulting statement processed by the database would be:
SELECT userID FROM users WHERE username = 'administrator' AND password = 'xyz' OR 1=1
When this query is processed by the database server, all rows in the table will be returned because 1=1
always evaluates to True, so it does not matter whether the correct user name and password are known or
provided. The net result in most cases is that the user will be logged on as the first user in the users
database; in most cases, this will be the administrative user.
In addition to simply logging on, malformed SQL statements such as this can be used to add, delete, or change
data, or even drop (delete) entire tables from a database. In the most extreme cases where SQLi is combined
with excessive privilege, operating system commands can be run to enable the creation of new users, to
download attack tools, or to take any other actions of the attacker's choosing.
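The login query above, built by string concatenation beside a parameterized form, as an added example that is not from the original document. It assumes Windows PowerShell 5.1, where System.Data.SqlClient ships with the .NET Framework; no connection is opened, so nothing here talks to a database.

```powershell
# Added example (not from the original document). Assumes Windows PowerShell 5.1;
# System.Data.SqlClient is used only to build a command object, never to connect.
Add-Type -AssemblyName System.Data

# Vulnerable: the caller's input becomes part of the SQL text itself.
function Get-LoginQueryUnsafe {
    param([string]$UserName, [string]$Password)
    return "SELECT userID FROM users WHERE username = '$UserName' AND password = '$Password'"
}

# Hardened: the SQL text is a constant and the values travel as typed parameters.
# The server binds them at execution time and never parses them as SQL, so a quote
# or an "OR 1=1" inside a value is compared against the column, not interpreted.
function New-LoginCommand {
    param([string]$UserName, [string]$Password)
    $cmd = New-Object System.Data.SqlClient.SqlCommand
    $cmd.CommandText = 'SELECT userID FROM users WHERE username = @username AND password = @password'
    $null = $cmd.Parameters.Add('@username', [System.Data.SqlDbType]::NVarChar, 64)
    $null = $cmd.Parameters.Add('@password', [System.Data.SqlDbType]::NVarChar, 128)
    $cmd.Parameters['@username'].Value = $UserName
    $cmd.Parameters['@password'].Value = $Password
    return $cmd
}

# The developer's template contains exactly four string delimiters. Any other
# count means the input has altered the structure of the statement, which is the
# defect concatenation cannot detect and parameters cannot suffer from.
function Test-StatementStructure {
    param([string]$Sql)
    return ([regex]::Matches($Sql, "'")).Count -eq 4
}

# Constructed inputs: an ordinary logon and the one discussed in the text above.
# The apostrophe in the second password is what closes the developer's literal early.
$normal   = Get-LoginQueryUnsafe -UserName 'jsmith' -Password 'S3cret!'
$injected = Get-LoginQueryUnsafe -UserName 'administrator' -Password "xyz' OR 1=1"

"Normal input keeps the statement structure  : $(Test-StatementStructure $normal)"
"Injected input keeps the statement structure: $(Test-StatementStructure $injected)"
$injected   # the literal was closed early, so the OR is parsed as SQL rather than as data

$cmd = New-LoginCommand -UserName 'administrator' -Password "xyz' OR 1=1"
$cmd.CommandText                     # identical whatever the input
$cmd.Parameters['@password'].Value   # the raw text, delivered as a value to compare
```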
In cross-site scripting, the vulnerability is introduced in the application's output. An attack begins with an
attacker providing malformed data to the application, but in this case the malformed data is in the form of
scripting code (such as JavaScript) that will be run by the victim's browser. Exploiting an XSS vulnerability can
allow an attacker to run any functions of the target application in the context of the user who launched the
browser. XSS attacks are typically initiated by a phishing email encouraging the user to click a link that connects
to the application and runs the attack code.
XSS is often exploited in online banking and e-commerce scenarios where an attacker can make purchases or
transfer money in the context of the exploited user. In the case of a targeted attack on a custom web-based
identity management application, it can allow an attacker to create their own identities, modify permissions and
rights, and lead to a systemic compromise.
Although a full discussion of cross-site scripting and SQL injection is outside the scope of this document, the
Open Web Application Security Project (OWASP) publishes a top 10 list with in-depth discussion of the
vulnerabilities and countermeasures.
Regardless of the investment in infrastructure security, if poorly designed and written applications are deployed
within that infrastructure, the environment is made vulnerable to attacks. Even well-secured infrastructures
often cannot provide effective countermeasures to these application attacks. Compounding the problem, poorly
designed applications may require that service accounts be granted excessive permissions for the application to
function.
The Microsoft Security Development Lifecycle (SDL) is a set of structural process controls that work to improve
security beginning early in requirements gathering and extending through the lifecycle of the application until it
is decommissioned. This integration of effective security controls is not only critical from a security perspective,
it is critical to ensure that application security is cost and schedule effective. Assessing an application for security
issues only when it is effectively code complete forces organizations to make decisions about application security
just before, or even after, the application has been deployed. An organization can choose to address the
application flaws before deploying the application in production, incurring costs and delays, or the application
can be deployed in production with known security flaws, exposing the organization to compromise.
Some organizations place the full cost of fixing a security issue in production code above $10,000 per issue, and
applications developed without an effective SDL can average more than ten high-severity issues per 100,000
lines of code. In large applications, the costs escalate quickly. By contrast, many companies set a benchmark of
less than one issue per 100,000 lines of code at the final code review stage of the SDL, and aim for zero issues in
high-risk applications in production.
Implementing the SDL improves security by including security requirements early in the requirements gathering
and design of an application; it provides threat modeling for high-risk applications, requires effective training and
monitoring of developers, and requires clear, consistent code standards and practices. The net effect of an SDL is
significant improvements in application security while reducing the cost to develop, deploy, maintain, and
decommission an application. Although a detailed discussion of the design and implementation of SDL is
beyond the scope of this document, refer to the Microsoft Security Development Lifecycle for detailed guidance
and information.
Attractive Accounts for Credential Theft
3/5/2021 • 10 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Credential theft attacks are those in which an attacker initially gains highest-privilege (root, Administrator, or
SYSTEM, depending on the operating system in use) access to a computer on a network and then uses freely
available tooling to extract credentials from the sessions of other logged-on accounts. Depending on the system
configuration, these credentials can be extracted in the form of hashes, tickets, or even plaintext passwords. If
any of the harvested credentials are for local accounts that are likely to exist on other computers on the network
(for example, Administrator accounts in Windows, or root accounts in OSX, UNIX, or Linux), the attacker
presents the credentials to other computers on the network to propagate compromise to additional computers
and to try to obtain the credentials of two specific types of accounts:
1. Privileged domain accounts with both broad and deep privileges (that is, accounts that have
administrator-level privileges on many computers and in Active Directory). These accounts may not be
members of any of the highest-privilege groups in Active Directory, but they may have been granted
Administrator-level privilege across many servers and workstations in the domain or forest, which makes
them effectively as powerful as members of privileged groups in Active Directory. In most cases, accounts
that have been granted high levels of privilege across broad swaths of the Windows infrastructure are
service accounts, so service accounts should always be assessed for breadth and depth of privilege.
2. "Very Important Person" (VIP) domain accounts. In the context of this document, a VIP account is any
account that has access to information an attacker wants (intellectual property and other sensitive
information), or any account that can be used to grant the attacker access to that information. Examples
of these user accounts include:
a. Executives whose accounts have access to sensitive corporate information
b. Accounts for Help Desk staff who are responsible for maintaining the computers and applications
used by executives
c. Accounts for legal staff who have access to an organization's bid and contract documents, whether
the documents are for their own organization or client organizations
d. Product planners who have access to plans and specifications for products in a company's
development pipeline, regardless of the types of products the company makes
e. Researchers whose accounts are used to access study data, product formulations, or any other
research of interest to an attacker
Because highly privileged accounts in Active Directory can be used to propagate compromise and to manipulate
VIP accounts or the data that they can access, the most useful accounts for credential theft attacks are accounts
that are members of Enterprise Admins, Domain Admins, and Administrators groups in Active Directory.
Because domain controllers are the repositories for the AD DS database and domain controllers have full access
to all of the data in Active Directory, domain controllers are also targeted for compromise, whether in parallel
with credential theft attacks, or after one or more highly privileged Active Directory accounts have been
compromised. Although numerous publications (and many attackers) focus on the Domain Admins group
memberships when describing pass-the-hash and other credential theft attacks (as is described in Reducing the
Active Directory Attack Surface), an account that is a member of any of the groups listed here can be used to
compromise the entire AD DS installation.
NOTE
For comprehensive information about pass-the-hash and other credential theft attacks, please see the Mitigating Pass-
the-Hash (PTH) Attacks and Other Credential Theft Techniques whitepaper listed in Appendix M: Document Links and
Recommended Reading. For more information about attacks by determined adversaries, which are sometimes referred to
as "advanced persistent threats" (APTs), please see Determined Adversaries and Targeted Attacks.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This section focuses on technical controls to implement to reduce the attack surface of the Active Directory
installation. The section contains the following information:
Implementing Least-Privilege Administrative Models focuses on identifying the risk that the use of highly
privileged accounts for day-to-day administration presents, in addition to providing recommendations to
implement to reduce the risk that privileged accounts present.
Implementing Secure Administrative Hosts describes principles for deployment of dedicated, secure
administrative systems, in addition to some sample approaches to a secure administrative host
deployment.
Securing Domain Controllers Against Attack discusses policies and settings that, although similar to the
recommendations for the implementation of secure administrative hosts, contain some domain
controller-specific recommendations to help ensure that the domain controllers and the systems used to
manage them are well-secured.
Enterprise Admins (EA) is a group that exists only in the forest root domain, and by default, it is a member of the
Administrators group in all domains in the forest. The built-in Administrator account in the forest root domain is
the only default member of the EA group. EAs are granted rights and permissions that allow them to implement
forest-wide changes (that is, changes that affect all domains in the forest), such as adding or removing domains,
establishing forest trusts, or raising forest functional levels. In a properly designed and implemented delegation
model, EA membership is required only when first constructing the forest or when making certain forest-wide
changes such as establishing an outbound forest trust. Most of the rights and permissions granted to the EA
group can be delegated to lesser-privileged users and groups.
Domain Admins
Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain's
Administrators group and a member of the local Administrators group on every computer that is joined to the
domain. The only default member of the DA group for a domain is the built-in Administrator account for that
domain. DAs are "all-powerful" within their domains, while EAs have forest-wide privilege. In a properly
designed and implemented delegation model, Domain Admins membership should be required only in "break
glass" scenarios (such as situations in which an account with high levels of privilege on every computer in the
domain is needed). Although native Active Directory delegation mechanisms allow delegation to the extent that
it is possible to use DA accounts only in emergency scenarios, constructing an effective delegation model can be
time consuming, and many organizations leverage third-party tools to expedite the process.
Administrators
The third group is the built-in domain local Administrators (BA) group into which DAs and EAs are nested. This
group is granted many of the direct rights and permissions in the directory and on domain controllers. However,
the Administrators group for a domain has no privileges on member servers or on workstations. It is via
membership in the computers' local Administrators group that local privilege is granted.
NOTE
Although these are the default configurations of these privileged groups, a member of any of the three groups can
manipulate the directory to gain membership in any of the other groups. In some cases, it is trivial to obtain membership
in the other groups, while in others it is more difficult, but from the perspective of potential privilege, all three groups
should be considered effectively equivalent.
Schema Admins
A fourth privileged group, Schema Admins (SA), exists only in the forest root domain and has only that domain's
built-in Administrator account as a default member, similar to the Enterprise Admins group. The Schema Admins
group is intended to be populated only temporarily and occasionally (when modification of the AD DS schema is
required).
Although the SA group is the only group that can modify the Active Directory schema (that is, the directory's
underlying data structures such as objects and attributes), the scope of the SA group's rights and permissions is
more limited than the previously described groups. It is also common to find that organizations have developed
appropriate practices for the management of the membership of the SA group because membership in the
group is typically infrequently needed, and only for short periods of time. This is technically true of the EA, DA,
and BA groups in Active Directory, as well, but it is far less common to find that organizations have implemented
similar practices for these groups as for the SA group.
Protected Accounts and Groups in Active Directory
Within Active Directory, a default set of privileged accounts and groups called "protected" accounts and groups
are secured differently than other objects in the directory. Any account that has direct or transitive membership
in any protected group (regardless of whether the membership is derived from security or distribution groups)
inherits this restricted security.
For example, if a user is a member of a distribution group that is, in turn, a member of a protected group in
Active Directory, that user object is flagged as a protected account. When an account is flagged as a protected
account, the value of the adminCount attribute on the object is set to 1.
NOTE
Although transitive membership in a protected group includes nested distribution and nested security groups, accounts
that are members of nested distribution groups will not receive the protected group's SID in their access tokens. However,
distribution groups can be converted to security groups in Active Directory, which is why distribution groups are included
in protected group member enumeration. Should a protected nested distribution group ever be converted to a security
group, the accounts that are members of the former distribution group will subsequently receive the parent protected
group's SID in their access tokens at the next logon.
The following table lists the default protected accounts and groups in Active Directory by operating system
version and service pack level.
Default Protected Accounts and Groups in Active Directory by Operating System and Service Pack (SP) Version
Cert Publishers
Read-only Domain Controllers
AdminSDHolder and SDProp
In the System container of every Active Directory domain, an object called AdminSDHolder is automatically
created. The purpose of the AdminSDHolder object is to ensure that the permissions on protected accounts and
groups are consistently enforced, regardless of where the protected groups and accounts are located in the
domain.
Every 60 minutes (by default), a process known as Security Descriptor Propagator (SDProp) runs on the domain
controller that holds the domain's PDC Emulator role. SDProp compares the permissions on the domain's
AdminSDHolder object with the permissions on the protected accounts and groups in the domain. If the
permissions on any of the protected accounts and groups do not match the permissions on the AdminSDHolder
object, the permissions on the protected accounts and groups are reset to match those of the domain's
AdminSDHolder object.
Permissions inheritance is disabled on protected groups and accounts, which means that even if the accounts or
groups are moved to different locations in the directory, they do not inherit permissions from their new parent
objects. Inheritance is also disabled on the AdminSDHolder object so that permissions changes to the parent
objects do not change the permissions of AdminSDHolder.
NOTE
When an account is removed from a protected group, it is no longer considered a protected account, but its adminCount
attribute remains set to 1 if it is not manually changed. The result of this configuration is that the object's ACLs are no
longer updated by SDProp, but the object still does not inherit permissions from its parent object. Therefore, the object
may reside in an organizational unit (OU) to which permissions have been delegated, but the formerly protected object
will not inherit these delegated permissions. A script to locate and reset formerly protected objects in the domain can be
found in the Microsoft Support article 817433.
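An added example, not from the original document and not the script the support article refers to: it reports the transitive membership of the default protected groups (so it also covers the Enterprise Admins, Domain Admins, Administrators and Schema Admins groups described above, counting members reached through nested security and distribution groups alike) and lists objects whose adminCount is still 1 although no protected group reaches them, which are the formerly protected objects this NOTE describes. It assumes the ActiveDirectory PowerShell module and read access to the domain; nothing is changed unless -Reset is given, and membership nested through groups in other domains is outside a single-domain search (and outside that domain's SDProp).

```powershell
# Added example (not from the original document). Assumes the ActiveDirectory module.
#Requires -Modules ActiveDirectory
param(
    [string]$Server = (Get-ADDomain).PDCEmulator,   # SDProp runs on the PDC Emulator, so read there
    [switch]$Reset                                  # clear adminCount and re-enable inheritance
)

$domain  = Get-ADDomain -Server $Server
$dsid    = $domain.DomainSID.Value
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Default protected groups, addressed by SID so renamed groups are still found.
# Domain RIDs: 512 Domain Admins, 516 Domain Controllers, 517 Cert Publishers,
# 521 Read-only Domain Controllers; forest root only: 518 Schema Admins, 519 Enterprise Admins.
# Built-in (S-1-5-32-*): 544 Administrators, 548 Account Operators, 549 Server Operators,
# 550 Print Operators, 551 Backup Operators, 552 Replicator.
$groupSids = @("$dsid-512", "$dsid-516", "$dsid-517", "$dsid-521") +
             @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552')
if ($dsid -eq $rootSid) { $groupSids += "$rootSid-518", "$rootSid-519" }

# Escape a DN for use inside an LDAP filter (RFC 4515); backslash must go first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# Transitive members of each protected group via the LDAP_MATCHING_RULE_IN_CHAIN rule,
# which follows nesting through both security and distribution groups, as SDProp does.
$protected = @{}
foreach ($gsid in $groupSids) {
    try { $group = Get-ADGroup -Identity $gsid -Server $Server -ErrorAction Stop } catch { continue }
    $filter  = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $group.DistinguishedName))"
    $members = @(Get-ADObject -LDAPFilter $filter -Server $Server -SearchBase $domain.DistinguishedName)
    foreach ($m in $members) { $protected[$m.DistinguishedName] = $true }
    '{0,-32} {1,5} transitive member(s)' -f $group.Name, $members.Count
}

# Users and groups still carrying adminCount=1 that no protected group reaches. The
# built-in Administrator (RID 500) and krbtgt (RID 502) are protected directly rather
# than through a group, so they are excluded instead of being reported as stale.
$orphans = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectCategory=person)(objectCategory=group)))' `
               -Server $Server -SearchBase $domain.DistinguishedName -Properties objectSid |
           Where-Object { -not $protected.ContainsKey($_.DistinguishedName) -and
                          $_.objectSid.Value -notin @("$dsid-500", "$dsid-502") }

foreach ($o in $orphans) {
    'Stale adminCount=1 on {0}' -f $o.DistinguishedName
    if ($Reset) {
        # Clear the attribute, then re-enable ACL inheritance (keeping the explicit ACEs)
        # so the object picks up the permissions delegated on its OU again.
        Set-ADObject -Identity $o -Server $Server -Clear adminCount
        $entry = [ADSI]"LDAP://$Server/$($o.DistinguishedName)"
        $entry.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)
        $entry.psbase.CommitChanges()
    }
}
```

Run it once without -Reset and review the list, since an object that is legitimately protected by a group nested through another domain will appear here as stale.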
AdminSDHolder Ownership
Most objects in Active Directory are owned by the domain's BA group. However, the AdminSDHolder object is,
by default, owned by the domain's DA group. (This is a circumstance in which DAs do not derive their rights and
permissions via membership in the Administrators group for the domain.)
In versions of Windows earlier than Windows Server 2008, owners of an object can change permissions of the
object, including granting themselves permissions that they did not originally have. Therefore, the default
permissions on a domain's AdminSDHolder object prevent users who are members of BA or EA groups from
changing the permissions for a domain's AdminSDHolder object. However, members of the Administrators
group for the domain can take ownership of the object and grant themselves additional permissions, which
means that this protection is rudimentary and only protects the object against accidental modification by users
who are not members of the DA group in the domain. Additionally, the BA and EA (where applicable) groups
have permission to change the attributes of the AdminSDHolder object in the local domain (root domain for EA).
NOTE
An attribute on the AdminSDHolder object, dSHeuristics, allows limited customization (removal) of groups that are
considered protected groups and are affected by AdminSDHolder and SDProp. This customization should be carefully
considered if it is implemented, although there are valid circumstances in which modification of dSHeuristics on
AdminSDHolder is useful. More information about modification of the dSHeuristics attribute on an AdminSDHolder object
can be found in the Microsoft Support articles 817433 and 973840, and in Appendix C: Protected Accounts and Groups
in Active Directory.
Although the most privileged groups in Active Directory are described here, there are a number of other groups
that have been granted elevated levels of privilege. For more information about all of the default and built-in
groups in Active Directory and the user rights assigned to each, see Appendix B: Privileged Accounts and Groups
in Active Directory.
Implementing Least-Privilege Administrative Models
3/5/2021 • 40 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The following excerpt is from The Administrator Accounts Security Planning Guide, first published on April 1,
1999:
"Most security-related training courses and documentation discuss the implementation of a principle of least privilege, yet organizations rarely follow it. The principle is simple, and the impact of applying it correctly greatly increases your security and reduces your risk. The principle states that all users should log on with a user account that has the absolute minimum permissions necessary to complete the current task and nothing more. Doing so provides protection against malicious code, among other attacks. This principle applies to computers and the users of those computers.
"One reason this principle works so well is that it forces you to do some internal research. For example, you must determine the access privileges that a computer or user really needs, and then implement them. For many organizations, this task might initially seem like a great deal of work; however, it is an essential step to successfully secure your network environment.
"You should grant all domain administrator users their domain privileges under the concept of least privilege. For example, if an administrator logs on with a privileged account and inadvertently runs a virus program, the virus has administrative access to the local computer and to the entire domain. If the administrator had instead logged on with a nonprivileged (nonadministrative) account, the virus's scope of damage would only be the local computer because it runs as a local computer user.
"In another example, accounts to which you grant domain-level administrator rights must not have elevated rights in another forest, even if there is a trust relationship between the forests. This tactic helps prevent widespread damage if an attacker manages to compromise one managed forest. Organizations should regularly audit their network to protect against unauthorized escalation of privilege."
The following excerpt is from the Microsoft Windows Security Resource Kit, first published in 2005:
"Always think of security in terms of granting the least amount of privileges required to carry out the task. If
an application that has too many privileges should be compromised, the attacker might be able to expand
the attack beyond what it would if the application had been under the least amount of privileges possible.
For example, examine the consequences of a network administrator unwittingly opening an email
attachment that launches a virus. If the administrator is logged on using the domain Administrator account,
the virus will have Administrator privileges on all computers in the domain and thus unrestricted access to
nearly all data on the network. If the administrator is logged on using a local Administrator account, the
virus will have Administrator privileges on the local computer and thus would be able to access any data on
the computer and install malicious software such as key-stroke logging software on the computer. If the
administrator is logged on using a normal user account, the virus will have access only to the
administrator's data and will not be able to install malicious software. By using the least privileges necessary
to read email, in this example, the potential scope of the compromise is greatly reduced."
In Active Directory
In Active Directory, it is common to find that the EA, DA and BA groups contain excessive numbers of accounts.
Most commonly, an organization's EA group contains the fewest members, DA groups usually contain a
multiplier of the number of users in the EA group, and Administrators groups usually contain more members
than the populations of the other groups combined. This is often due to a belief that Administrators are
somehow "less privileged" than DAs or EAs. While the rights and permissions granted to each of these groups
differ, they should be effectively considered equally powerful groups because a member of one can make
himself or herself a member of the other two.
On Member Servers
When we retrieve the membership of local Administrators groups on member servers in many environments,
we find membership ranging from a handful of local and domain accounts, to dozens of nested groups that,
when expanded, reveal hundreds, even thousands, of accounts with local Administrator privilege on the servers.
In many cases, domain groups with large memberships are nested in member servers' local Administrators
groups, without consideration to the fact that any user who can modify the memberships of those groups in the
domain can gain administrative control of all systems on which the group has been nested in a local
Administrators group.
On Workstations
Although workstations typically have significantly fewer members in their local Administrators groups than
member servers do, in many environments, users are granted membership in the local Administrators group on
their personal computers. When this occurs, even if UAC is enabled, those users present an elevated risk to the
integrity of their workstations.
IMPORTANT
You should consider carefully whether users require administrative rights on their workstations, and if they do, a better
approach may be to create a separate local account on the computer that is a member of the Administrators group.
When users require elevation, they can present the credentials of that local account for elevation, but because the account
is local, it cannot be used to compromise other computers or access domain resources. As with any local accounts,
however, the credentials for the local privileged account should be unique; if you create a local account with the same
credentials on multiple workstations, you expose the computers to pass-the-hash attacks.
In Applications
In attacks in which the target is an organization's intellectual property, accounts that have been granted powerful
privileges within applications can be targeted to allow exfiltration of data. Although the accounts that have
access to sensitive data may have been granted no elevated privileges in the domain or the operating system,
accounts that can manipulate the configuration of an application or access to the information the application
provides present risk.
In Data Repositories
As is the case with other targets, attackers seeking access to intellectual property in the form of documents and
other files can target the accounts that control access to the file stores, accounts that have direct access to the
files, or even groups or roles that have access to the files. For example, if a file server is used to store contract
documents and access is granted to the documents by the use of an Active Directory group, an attacker who can
modify the membership of the group can add compromised accounts to the group and access the contract
documents. In cases in which access to documents is provided by applications such as SharePoint, attackers can
target the applications as described earlier.
Reducing Privilege
The larger and more complex an environment, the more difficult it is to manage and secure. In small
organizations, reviewing and reducing privilege may be a relatively simple proposition, but each additional
server, workstation, user account, and application in use in an organization adds another object that must be
secured. Because it can be difficult or even impossible to properly secure every aspect of an organization's IT
infrastructure, you should focus efforts first on the accounts whose privileges create the greatest risk, which are
typically the built-in privileged accounts and groups in Active Directory, and privileged local accounts on
workstations and member servers.
Securing Local Administrator Accounts on Workstations and Member Servers
Although this document focuses on securing Active Directory, as has been previously discussed, most attacks
against the directory begin as attacks against individual hosts. Full guidelines for securing local groups on
member systems cannot be provided, but the following recommendations can be used to help you secure the
local Administrator accounts on workstations and member servers.
Securing Local Administrator Accounts
On all versions of Windows currently in mainstream support, the local Administrator account is disabled by
default, which makes the account unusable for pass-the-hash and other credential theft attacks. However, in
domains containing legacy operating systems or in which local Administrator accounts have been enabled,
these accounts can be used as previously described to propagate compromise across member servers and
workstations. For this reason, the following controls are recommended for all local Administrator accounts on
domain-joined systems.
Detailed instructions for implementing these controls are provided in Appendix H: Securing Local Administrator
Accounts and Groups. Before implementing these settings, however, ensure that local Administrator accounts
are not currently used in the environment to run services on computers or perform other activities for which
these accounts should not be used. Test these settings thoroughly before implementing them in a production
environment.
Controls for Local Administrator Accounts
Built-in Administrator accounts should never be used as service accounts on member servers, nor should they
be used to log on to local computers (except in Safe Mode, which is permitted even if the account is disabled).
The goal of implementing the settings described here is to prevent each computer's local Administrator account
from being usable unless protective controls are first reversed. By implementing these controls and monitoring
Administrator accounts for changes, you can significantly reduce the likelihood of success of an attack that
targets local Administrator accounts.
Configuring GPOs to Restrict Administrator Accounts on Domain-Joined Systems
In one or more GPOs that you create and link to workstation and member server OUs in each domain, add the
Administrator account to the following user rights in Computer Configuration\Policies\Windows
Settings\Security Settings\Local Policies\User Rights Assignment:
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on through Remote Desktop Services
When you add Administrator accounts to these user rights, specify whether you are adding the local
Administrator account or the domain's Administrator account by the way that you label the account. For
example, to add the NWTRADERS domain's Administrator account to these deny rights, you would type the
account as NWTRADERS\Administrator, or browse to the Administrator account for the NWTRADERS
domain. To ensure that you restrict the local Administrator account, type Administrator in these user rights
settings in the Group Policy Object Editor.
NOTE
Even if local Administrator accounts are renamed, the policies will still apply.
These settings will ensure that a computer's Administrator account cannot be used to connect to the other
computers, even if it is inadvertently or maliciously enabled. Local logons using the local Administrator account
cannot be completely disabled, nor should you attempt to do so, because a computer's local Administrator
account is designed to be used in disaster recovery scenarios.
Should a member server or workstation become disjoined from the domain with no other local accounts
granted administrative privileges, the computer can be booted into safe mode, the Administrator account can be
enabled, and the account can then be used to effect repairs on the computer. When repairs are completed, the
Administrator account should again be disabled.
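An added example, not from the original document, that checks on a domain-joined computer whether the four deny rights above are in force for the local Administrator account. The account is matched by SID (RID 500 under the machine SID) rather than by name, so the check still holds for a renamed account, as the NOTE states; it assumes an elevated Windows PowerShell 5.1 session on the computer being checked (secedit.exe and Get-LocalUser are built in).

```powershell
# Added example (not from the original document). Run elevated on the computer to check.
$rights = [ordered]@{
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# The local Administrator is RID 500 under the machine SID, whatever it is currently named.
$localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Export the effective local security policy (including settings applied by GPO).
# Principals are normally written as *SID; a resolvable name is handled as well.
$inf = Join-Path $env:TEMP 'user-rights-check.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content -Path $inf
Remove-Item -Path $inf -Force

function ConvertTo-Sid([string]$Principal) {
    if ($Principal.StartsWith('*')) { return $Principal.Substring(1) }
    try {
        $account = New-Object System.Security.Principal.NTAccount($Principal)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    catch { return $Principal }
}

# One row per right: whether it is configured at all, and whether the local
# Administrator's SID is among the principals it denies.
foreach ($right in $rights.Keys) {
    $line = $policy | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    $sids = @()
    if ($line) {
        $sids = ($line -split '=', 2)[1].Split(',') | ForEach-Object { ConvertTo-Sid $_.Trim() }
    }
    [pscustomobject]@{
        Right            = $rights[$right]
        Configured       = [bool]$line
        DeniesLocalAdmin = ($sids -contains $localAdmin.SID.Value)
    }
}

# The account itself should normally be disabled; report its state alongside the rights.
"Local Administrator '$($localAdmin.Name)' enabled: $($localAdmin.Enabled)"
```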
Securing Local Privileged Accounts and Groups in Active Directory
Law Number Six: A computer is only as secure as the administrator is trustworthy. - Ten Immutable Laws of
Security (Version 2.0)
The information provided here is intended to give general guidelines for securing the highest privilege built-in
accounts and groups in Active Directory. Detailed step-by-step instructions are also provided in Appendix D:
Securing Built-In Administrator Accounts in Active Directory, Appendix E: Securing Enterprise Admins Groups in
Active Directory, Appendix F: Securing Domain Admins Groups in Active Directory, and in Appendix G: Securing
Administrators Groups in Active Directory.
Before you implement any of these settings, you should also test all settings thoroughly to determine if they are
appropriate for your environment. Not all organizations will be able to implement these settings.
Securing Built-in Administrator Accounts in Active Directory
In each domain in Active Directory, an Administrator account is created as part of the creation of the domain.
This account is by default a member of the Domain Admins and Administrators groups in the domain, and if the
domain is the forest root domain, the account is also a member of the Enterprise Admins group. Use of a
domain's local Administrator account should be reserved only for initial build activities and, possibly, disaster-
recovery scenarios. To ensure that a built-in Administrator account can be used to effect repairs in the event that
no other accounts can be used, you should not change the default membership of the Administrator account in
any domain in the forest. Instead, you should follow these guidelines to help secure the Administrator account in
each domain in the forest. Detailed instructions for implementing these controls are provided in Appendix D:
Securing Built-In Administrator Accounts in Active Directory.
Controls for Built-in Administrator Accounts
The goal of implementing the settings described here is to prevent each domain's Administrator account (not a
group) from being usable unless a number of controls are reversed. By implementing these controls and
monitoring the Administrator accounts for changes, you can significantly reduce the likelihood of a successful
attack by leveraging a domain's Administrator account. For the Administrator account in each domain in your
forest, you should configure the following settings.
Enable the "Account is sensitive and cannot be delegated" flag on the account
By default, all accounts in Active Directory can be delegated. Delegation allows a computer or service to present
the credentials for an account that has authenticated to the computer or service to other computers to obtain
services on behalf of the account. When you enable the Account is sensitive and cannot be delegated
attribute on a domain-based account, the account's credentials cannot be presented to other computers or
services on the network, which limits attacks that leverage delegation to use the account's credentials on other
systems.
Enable the "Smart card is required for interactive logon" flag on the account
When you enable the Smart card is required for interactive logon attribute on an account, Windows resets
the account's password to a 120-character random value. By setting this flag on built-in Administrator accounts,
you ensure that the password for the account is not only long and complex, but is not known to any user. It is
not technically necessary to create smart cards for the accounts before enabling this attribute, but if possible,
smart cards should be created for each Administrator account prior to configuring the account restrictions and
the smart cards should be stored in secure locations.
Although setting the Smart card is required for interactive logon flag resets the account's password, it
does not prevent a user with rights to reset the account's password from setting the account to a known value
and using the account's name and new password to access resources on the network. Because of this, you
should implement the following additional controls on the account.
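The two account-level controls above can be applied and, more importantly, verified from PowerShell. The following script is an added example and is not part of the original article; it assumes the ActiveDirectory RSAT module and an account permitted to modify the built-in Administrator in each domain. It locates the account by its well-known RID (500) rather than by name, so it still works where the account has been renamed, and it reads back userAccountControl afterwards instead of trusting that the write succeeded. Disabling the account is opt-in via the -Disable switch because it is the highest-impact step.

```powershell
# Added example (not from the original article): set "Account is sensitive and cannot be
# delegated" and "Smart card is required for interactive logon" on the built-in
# Administrator (RID 500) of every domain in the forest, then confirm the resulting bits.
Import-Module ActiveDirectory

# userAccountControl bit values (ADS_USER_FLAG enumeration)
$UF_ACCOUNTDISABLE     = 0x0000002
$UF_SMARTCARD_REQUIRED = 0x0040000
$UF_NOT_DELEGATED      = 0x0100000

function Protect-BuiltInAdministrator {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Also disable the account, as the article recommends once it has been secured.
        [switch]$Disable
    )
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # The built-in Administrator is always <domain SID>-500, whatever it has been renamed to.
        $adminSid = "$($domain.DomainSID.Value)-500"
        $admin = Get-ADUser -Identity $adminSid -Server $domainName -Properties userAccountControl

        if ($PSCmdlet.ShouldProcess("$domainName\$($admin.SamAccountName)", "Set NOT_DELEGATED and SMARTCARD_REQUIRED")) {
            # Setting SmartcardLogonRequired makes Windows replace the password with a random value.
            Set-ADUser -Identity $admin -Server $domainName -AccountNotDelegated $true -SmartcardLogonRequired $true
            if ($Disable) { Disable-ADAccount -Identity $admin -Server $domainName }
        }

        # Read the flags back and report what is actually in effect.
        $uac = (Get-ADUser -Identity $adminSid -Server $domainName -Properties userAccountControl).userAccountControl
        [pscustomobject]@{
            Domain            = $domainName
            Account           = $admin.SamAccountName
            NotDelegated      = [bool]($uac -band $UF_NOT_DELEGATED)
            SmartcardRequired = [bool]($uac -band $UF_SMARTCARD_REQUIRED)
            Disabled          = [bool]($uac -band $UF_ACCOUNTDISABLE)
        }
    }
}

# Dry run first, then apply with per-domain confirmation.
Protect-BuiltInAdministrator -WhatIf
Protect-BuiltInAdministrator -Disable -Confirm
```

Run the report form (the function without -WhatIf or -Confirm changes nothing if ShouldProcess is declined) on a schedule as well: a row where NotDelegated, SmartcardRequired or Disabled has flipped back to False is exactly the change the auditing guidance later in this section asks you to alert on.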
Configuring GPOs to Restrict Domains' Administrator Accounts on Domain-Joined Systems
Although disabling the Administrator account in a domain makes the account effectively unusable, you should
implement additional restrictions on the account in case the account is inadvertently or maliciously enabled.
Although these controls can ultimately be reversed by the Administrator account, the goal is to create controls
that slow an attacker's progress and limit the damage the account can inflict.
In one or more GPOs that you create and link to workstation and member server OUs in each domain, add each
domain's Administrator account to the following user rights in Computer Configuration\Policies\Windows
Settings\Security Settings\Local Policies\User Rights Assignments :
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on through Remote Desktop Services
NOTE
When you add local Administrator accounts to this setting, you must specify whether you are configuring local
Administrator accounts or domain Administrator accounts. For example, to add the NWTRADERS domain's local
Administrator account to these deny rights, you must either type the account as NWTRADERS\Administrator , or
browse to the local Administrator account for the NWTRADERS domain. If you type Administrator in these user rights
settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the
GPO is applied.
We recommend restricting local Administrator accounts on member servers and workstations in the same manner as
domain-based Administrator accounts. Therefore, you should generally add the Administrator account for each domain in
the forest and the Administrator account for the local computers to these user rights settings.
Configuring GPOs to Restrict Administrator Accounts on Domain Controllers
In each domain in the forest, the Default Domain Controllers policy or a policy linked to the Domain Controllers
OU should be modified to add each domain's Administrator account to the following user rights in Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignments :
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on through Remote Desktop Services
NOTE
These settings will ensure that the local Administrator account cannot be used to connect to a domain controller,
although the account, if enabled, can log on locally to domain controllers. Because this account should only be enabled
and used in disaster-recovery scenarios, it is anticipated that physical access to at least one domain controller will be
available, or that other accounts with permissions to access domain controllers remotely can be used.
Configure Auditing of Built-in Administrator Accounts
When you have secured each domain's Administrator account and disabled it, you should configure auditing to
monitor for changes to the account. If the account is enabled, its password is reset, or any other modifications
are made to the account, alerts should be sent to the users or teams responsible for administration of AD DS, in
addition to incident response teams in your organization.
Securing Administrators, Domain Admins and Enterprise Admins Groups
Securing Enterprise Admin Groups
The Enterprise Admins group, which is housed in the forest root domain, should contain no users on a day-to-
day basis, with the possible exception of the domain's local Administrator account, provided it is secured as
described earlier and in Appendix D: Securing Built-In Administrator Accounts in Active Directory.
When EA access is required, the users whose accounts require EA rights and permissions should be temporarily
placed into the Enterprise Admins group. Although users are using the highly privileged accounts, their activities
should be audited and preferably performed with one user performing the changes and another user observing
the changes to minimize the likelihood of inadvertent misuse or misconfiguration. When the activities have
been completed, the accounts should be removed from the EA group. This can be achieved via manual
procedures and documented processes, third-party privileged identity/access management (PIM/PAM) software,
or a combination of both. Guidelines for creating accounts that can be used to control the membership of
privileged groups in Active Directory are provided in Attractive Accounts for Credential Theft and detailed
instructions are provided in Appendix I: Creating Management Accounts for Protected Accounts and Groups in
Active Directory.
Enterprise Admins are, by default, members of the built-in Administrators group in each domain in the forest.
Removing the Enterprise Admins group from the Administrators groups in each domain is an inappropriate
modification because in the event of a forest disaster-recovery scenario, EA rights will likely be required. If the
Enterprise Admins group has been removed from Administrators groups in a forest, it should be added to the
Administrators group in each domain and the following additional controls should be implemented:
As described earlier, the Enterprise Admins group should contain no users on a day-to-day basis, with the
possible exception of the forest root domain's Administrator account, which should be secured as described
in Appendix D: Securing Built-In Administrator Accounts in Active Directory.
In GPOs linked to OUs containing member servers and workstations in each domain, the EA group should be
added to the following user rights:
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services.
This will prevent members of the EA group from logging on to member servers and workstations. If jump
servers are used to administer domain controllers and Active Directory, ensure that jump servers are located in
an OU to which the restrictive GPOs are not linked.
Auditing should be configured to send alerts if any modifications are made to the properties or membership
of the EA group. These alerts should be sent, at a minimum, to users or teams responsible for Active
Directory administration and incident response. You should also define processes and procedures for
temporarily populating the EA group, including notification procedures when legitimate population of the
group is performed.
Securing Domain Admins Groups
As is the case with the Enterprise Admins group, membership in Domain Admins groups should be required
only in build or disaster-recovery scenarios. There should be no day-to-day user accounts in the DA group with
the exception of the local Administrator account for the domain, if it has been secured as described in Appendix
D: Securing Built-In Administrator Accounts in Active Directory.
When DA access is required, the accounts needing this level of access should be temporarily placed in the DA
group for the domain in question. Although the users are using the highly privileged accounts, activities should
be audited and preferably performed with one user performing the changes and another user observing the
changes to minimize the likelihood of inadvertent misuse or misconfiguration. When the activities have been
completed, the accounts should be removed from the Domain Admins group. This can be achieved via manual
procedures and documented processes, via third-party privileged identity/access management (PIM/PAM)
software, or a combination of both. Guidelines for creating accounts that can be used to control the membership
of privileged groups in Active Directory are provided in Appendix I: Creating Management Accounts for
Protected Accounts and Groups in Active Directory.
Domain Admins are, by default, members of the local Administrators groups on all member servers and
workstations in their respective domains. This default nesting should not be modified because it affects
supportability and disaster recovery options. If Domain Admins groups have been removed from the local
Administrators groups on the member servers, they should be added to the Administrators group on each
member server and workstation in the domain via restricted group settings in linked GPOs. The following
general controls, which are described in depth in Appendix F: Securing Domain Admins Groups in Active
Directory should also be implemented.
For the Domain Admins group in each domain in the forest:
1. Remove all members from the DA group, with the possible exception of the built-in Administrator
account for the domain, provided it has been secured as described in Appendix D: Securing Built-In
Administrator Accounts in Active Directory.
2. In GPOs linked to OUs containing member servers and workstations in each domain, the DA group
should be added to the following user rights:
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
This will prevent members of the DA group from logging on to member servers and workstations. If
jump servers are used to administer domain controllers and Active Directory, ensure that jump servers
are located in an OU to which the restrictive GPOs are not linked.
3. Auditing should be configured to send alerts if any modifications are made to the properties or
membership of the DA group. These alerts should be sent, at a minimum, to users or teams responsible
for AD DS administration and incident response. You should also define processes and procedures for
temporarily populating the DA group, including notification procedures when legitimate population of
the group is performed.
Securing Administrators Groups in Active Directory
As is the case with the EA and DA groups, membership in the Administrators (BA) group should be required only
in build or disaster-recovery scenarios. There should be no day-to-day user accounts in the Administrators
group with the exception of the local Administrator account for the domain, if it has been secured as described
in Appendix D: Securing Built-In Administrator Accounts in Active Directory.
When Administrators access is required, the accounts needing this level of access should be temporarily placed
in the Administrators group for the domain in question. Although the users are using the highly privileged
accounts, activities should be audited and, preferably, performed with a user performing the changes and
another user observing the changes to minimize the likelihood of inadvertent misuse or misconfiguration.
When the activities have been completed, the accounts should immediately be removed from the
Administrators group. This can be achieved via manual procedures and documented processes, via third-party
privileged identity/access management (PIM/PAM) software, or a combination of both.
Administrators are, by default, the owners of most of the AD DS objects in their respective domains.
Membership in this group may be required in build and disaster recovery scenarios in which ownership or the
ability to take ownership of objects is required. Additionally, DAs and EAs inherit a number of their rights and
permissions by virtue of their default membership in the Administrators group. Default group nesting for
privileged groups in Active Directory should not be modified, and each domain's Administrators group should
be secured as described in Appendix G: Securing Administrators Groups in Active Directory, and in the general
instructions below.
1. Remove all members from the Administrators group, with the possible exception of the local
Administrator account for the domain, provided it has been secured as described in Appendix D: Securing
Built-In Administrator Accounts in Active Directory.
2. Members of the domain's Administrators group should never need to log on to member servers or
workstations. In one or more GPOs linked to workstation and member server OUs in each domain, the
Administrators group should be added to the following user rights:
Deny access to this computer from the network
Deny log on as a batch job,
Deny log on as a service
This will prevent members of the Administrators group from being used to log on or connect to
member servers or workstations (unless multiple controls are first breached), where their credentials
could be cached and thereby compromised. A privileged account should never be used to log on to a
less-privileged system, and enforcing these controls affords protection against a number of attacks.
3. At the domain controllers OU in each domain in the forest, the Administrators group should be granted
the following user rights (if they do not already have these rights), which will allow the members of the
Administrators group to perform functions necessary for a forest-wide disaster recovery scenario:
Access this computer from the network
Allow log on locally
Allow log on through Remote Desktop Services
4. Auditing should be configured to send alerts if any modifications are made to the properties or
membership of the Administrators group. These alerts should be sent, at a minimum, to members of the
team responsible for AD DS administration. Alerts should also be sent to members of the security team,
and procedures should be defined for modifying the membership of the Administrators group.
Specifically, these processes should include a procedure by which the security team is notified when the
Administrators group is going to be modified so that when alerts are sent, they are expected and an
alarm is not raised. Additionally, processes to notify the security team when the use of the Administrators
group has been completed and the accounts used have been removed from the group should be
implemented.
NOTE
When you implement restrictions on the Administrators group in GPOs, Windows applies the settings to members of a
computer's local Administrators group in addition to the domain's Administrators group. Therefore, you should use
caution when implementing restrictions on the Administrators group. Although prohibiting network, batch and service
logons for members of the Administrators group is advised wherever it is feasible to implement, do not restrict local
logons or logons through Remote Desktop Services. Blocking these logon types can block legitimate administration of a
computer by members of the local Administrators group. The following screenshot shows configuration settings that
block misuse of built-in local and domain Administrator accounts, in addition to misuse of built-in local or domain
Administrators groups. Note that the Deny log on through Remote Desktop Services user right does not include
the Administrators group, because including it in this setting would also block these logons for accounts that are
members of the local computer's Administrators group. If services on computers are configured to run in the context of
any of the privileged groups described in this section, implementing these settings can cause services and applications to
fail. Therefore, as with all of the recommendations in this section, you should thoroughly test settings for applicability in
your environment.
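The deny-logon settings prescribed for the domain Administrator account, the Enterprise Admins and Domain Admins groups, and the Administrators group in the sections above are easy to get subtly wrong (the Administrators group must not be in the local and Remote Desktop denies, and EA/DA must be in all five). The following script is an added example, not part of the original article; it checks the user rights that are actually in effect on a member server or workstation, as exported by secedit, against that matrix. The domain SID and the sample export are constructed for the offline demonstration at the end; on a real host use Get-EffectivePrivilegeRights and (Get-ADDomain).DomainSID.Value.

```powershell
# Added example (not from the original article): verify the effective deny-logon user
# rights on a member server or workstation against the matrix this section prescribes.
$DomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed; use (Get-ADDomain).DomainSID.Value
$Principals = @{
    "$($DomainSid)-500" = 'Built-in Administrator account'
    "$($DomainSid)-512" = 'Domain Admins'
    "$($DomainSid)-519" = 'Enterprise Admins'   # defined in the forest root domain
    'S-1-5-32-544'      = 'Administrators (BUILTIN)'
}
$fullDeny = 'SeDenyNetworkLogonRight','SeDenyBatchLogonRight','SeDenyServiceLogonRight',
            'SeDenyInteractiveLogonRight','SeDenyRemoteInteractiveLogonRight'
# Expected deny rights per principal on member servers and workstations.
# Administrators is deliberately not denied local or RDP logon (see the NOTE above).
$Expected = @{
    "$($DomainSid)-500" = 'SeDenyNetworkLogonRight','SeDenyBatchLogonRight','SeDenyServiceLogonRight','SeDenyRemoteInteractiveLogonRight'
    "$($DomainSid)-512" = $fullDeny
    "$($DomainSid)-519" = $fullDeny
    'S-1-5-32-544'      = 'SeDenyNetworkLogonRight','SeDenyBatchLogonRight','SeDenyServiceLogonRight'
}

function ConvertFrom-PrivilegeRights {
    # Parses the [Privilege Rights] section of a secedit INF into @{ RightName = @(sid, ...) }.
    param([string[]]$InfLines)
    $rights = @{}; $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$') {
            # Entries are comma-separated; resolved accounts appear as *SID, unresolved ones as names.
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-DenyLogonRights {
    param([hashtable]$Rights, [hashtable]$ExpectedMatrix)
    foreach ($sid in $ExpectedMatrix.Keys) {
        foreach ($right in $ExpectedMatrix[$sid]) {
            $present = $Rights.ContainsKey($right) -and ($Rights[$right] -contains $sid)
            [pscustomobject]@{ Principal = $Principals[$sid]; Right = $right; Configured = $present }
        }
    }
    # The NOTE above warns against these two for the Administrators group: flag them if present.
    foreach ($right in 'SeDenyInteractiveLogonRight','SeDenyRemoteInteractiveLogonRight') {
        if ($Rights.ContainsKey($right) -and $Rights[$right] -contains 'S-1-5-32-544') {
            [pscustomobject]@{ Principal = 'Administrators (BUILTIN)'; Right = $right; Configured = 'PRESENT: blocks local admins' }
        }
    }
}

function Get-EffectivePrivilegeRights {
    # Live use: export the merged local + GPO user rights of this computer.
    $inf = Join-Path $env:TEMP 'rights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try { ConvertFrom-PrivilegeRights (Get-Content $inf) } finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

# Offline demonstration on a constructed export in which Domain Admins lacks the batch-logon deny.
$sampleInf = @"
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *$($DomainSid)-500,*$($DomainSid)-512,*$($DomainSid)-519,*S-1-5-32-544
SeDenyBatchLogonRight = *$($DomainSid)-500,*$($DomainSid)-519,*S-1-5-32-544
SeDenyServiceLogonRight = *$($DomainSid)-500,*$($DomainSid)-512,*$($DomainSid)-519,*S-1-5-32-544
SeDenyInteractiveLogonRight = *$($DomainSid)-512,*$($DomainSid)-519
SeDenyRemoteInteractiveLogonRight = *$($DomainSid)-500,*$($DomainSid)-512,*$($DomainSid)-519
"@
Test-DenyLogonRights -Rights (ConvertFrom-PrivilegeRights ($sampleInf -split "`r?`n")) -ExpectedMatrix $Expected |
    Where-Object { $_.Configured -ne $true } | Format-Table -AutoSize
# Live: Test-DenyLogonRights -Rights (Get-EffectivePrivilegeRights) -ExpectedMatrix $Expected
```

On a domain controller the expected matrix is different (the Administrators group must keep network, local and Remote Desktop logon there), so run the check with a DC-specific matrix rather than this one. Run it on a jump server too: it should report the restrictions as absent, which confirms the jump-server OU is outside the scope of the restrictive GPOs.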
Although a thorough discussion of attacks against public key infrastructures (PKIs) is outside the scope of this
document, attacks against public and private PKIs have increased exponentially since 2008. Breaches of public
PKIs have been broadly publicized, but attacks against an organization's internal PKI are perhaps even more
prolific. One such attack leverages Active Directory and certificates to allow an attacker to spoof the credentials
of other accounts in a manner that can be difficult to detect.
When a certificate is presented for authentication to a domain-joined system, the contents of the Subject or the
Subject Alternative Name (SAN) attribute in the certificate are used to map the certificate to a user object in
Active Directory. Depending on the type of certificate and how it is constructed, the Subject attribute in a
certificate typically contains a user's common name (CN), as shown in the following screenshot.
By default, Active Directory constructs a user's CN by concatenating the account's first name + " "+ last name.
However, CN components of user objects in Active Directory are not required or guaranteed to be unique, and
moving a user account to a different location in the directory changes the account's distinguished name (DN),
which is the full path to the object in the directory, as shown in the bottom pane of the previous screenshot.
Because certificate subject names are not guaranteed to be static or unique, the contents of the Subject
Alternative Name are often used to locate the user object in Active Directory. The SAN attribute for certificates
issued to users from enterprise certification authorities (Active Directory integrated CAs) typically contains the
user's UPN or email address. Because UPNs are guaranteed to be unique in an AD DS forest, locating a user
object by UPN is commonly performed as part of authentication, with or without certificates involved in the
authentication process.
The use of UPNs in SAN attributes in authentication certificates can be leveraged by attackers to obtain
fraudulent certificates. If an attacker has compromised an account that has the ability to read and write UPNs on
user objects, the attack is implemented as follows:
The UPN attribute on a user object (such as a VIP user) is temporarily changed to a different value. The SAM
account name attribute and CN can also be changed at this time, although this is usually not necessary for the
reasons described earlier.
When the UPN attribute on the target account has been changed, a stale, enabled user account or a freshly
created user account's UPN attribute is changed to the value that was originally assigned to the target account.
Stale, enabled user accounts are accounts that have not logged on for long periods of time, but have not been
disabled. They are targeted by attackers who intend to "hide in plain sight" for the following reasons:
1. Because the account is enabled, but hasn't been used recently, using the account is unlikely to trigger alerts
the way that enabling a disabled user account might.
2. Use of an existing account doesn't require the creation of a new user account that might be noticed by
administrative staff.
3. Stale user accounts that are still enabled are usually members of various security groups and are granted
access to resources on the network, simplifying access and "blending in" to an existing user population.
The user account on which the target UPN has now been configured is used to request one or more certificates
from Active Directory Certificate Services.
When certificates have been obtained for the attacker's account, the UPNs on the "new" account and the target
account are returned to their original values.
The attacker now has one or more certificates that can be presented for authentication to resources and
applications as if the user is the VIP user whose account was temporarily modified. Although a full discussion of
all of the ways in which certificates and PKI can be targeted by attackers is outside the scope of this document,
this attack mechanism is provided to illustrate why you should monitor privileged and VIP accounts in AD DS
for changes, particularly for changes to any of the attributes on the Account tab for the account (for example,
cn, name, sAMAccountName, userPrincipalName, and userAccountControl). In addition to monitoring the
accounts, you should restrict who can modify the accounts to as small a set of administrative users as possible.
Likewise, the accounts of administrative users should be protected and monitored for unauthorized changes.
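The alerting this section asks for, on the built-in Administrator account, on membership of the EA, DA and Administrators groups, and on attribute changes to VIP accounts, comes down to a small set of Security log events on the domain controllers. The following detection logic is an added example and is not part of the original article. It covers 4722 (account enabled), 4724 (password reset), 4738 (account changed), 4728/4732/4756 (member added to a global, domain-local or universal group) and 5136 (directory object modified), and it correlates 5136 records to catch the UPN swap described above: the same userPrincipalName value removed from one object and added to a different one within a short window. Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the objects carry a SACL. The domain SID, the VIP distinguished name and the sample records are constructed so the rules can be exercised offline.

```powershell
# Added example (not from the original article): detection rules for changes to
# protected accounts and groups, including the UPN-swap certificate attack.
$DomainSid   = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed; use (Get-ADDomain).DomainSID.Value
$WatchedSids = @{
    "$($DomainSid)-500" = 'Administrator (built-in)'
    "$($DomainSid)-512" = 'Domain Admins'
    "$($DomainSid)-519" = 'Enterprise Admins'
    'S-1-5-32-544'      = 'Administrators'
}
$WatchedDns = @('CN=Jane Doe,OU=Executives,DC=corp,DC=example')   # constructed VIP account

function ConvertTo-EventRecord {
    # Flattens a Get-WinEvent record into Id / Time / Data so the rules below stay readable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{ Id = $Event.Id; Time = $Event.TimeCreated; Data = $data }
}

function Find-PrivilegedAccountTampering {
    param([object[]]$Records, [int]$UpnSwapWindowMinutes = 60)
    $upnChanges = @()
    foreach ($r in $Records) {
        $d = $r.Data
        switch ($r.Id) {
            { $_ -in 4722, 4724, 4738 } {
                if ($d.TargetSid -and $WatchedSids.ContainsKey($d.TargetSid)) {
                    "$($r.Time) ALERT event $_ on $($WatchedSids[$d.TargetSid]) by $($d.SubjectUserName)"
                }
            }
            { $_ -in 4728, 4732, 4756 } {
                if ($d.TargetSid -and $WatchedSids.ContainsKey($d.TargetSid)) {
                    "$($r.Time) ALERT $($d.MemberName) added to $($WatchedSids[$d.TargetSid]) by $($d.SubjectUserName)"
                }
            }
            5136 {
                if ($d.AttributeLDAPDisplayName -eq 'userPrincipalName') {
                    # In the event XML, OperationType is %%14674 (Value Added) or %%14675 (Value Deleted).
                    $upnChanges += [pscustomobject]@{
                        Time = $r.Time; Dn = $d.ObjectDN; Upn = $d.AttributeValue; By = $d.SubjectUserName
                        Added = ($d.OperationType -in '%%14674', 'Value Added')
                    }
                }
            }
        }
    }
    # Any UPN change on a watched account is an alert on its own.
    foreach ($c in $upnChanges | Where-Object { $WatchedDns -contains $_.Dn }) {
        "$($c.Time) ALERT userPrincipalName $(if ($c.Added) { 'set to' } else { 'removed,' }) $($c.Upn) on $($c.Dn) by $($c.By)"
    }
    # The swap: the same UPN removed from one object and added to a different one within the window.
    foreach ($del in $upnChanges | Where-Object { -not $_.Added }) {
        foreach ($add in $upnChanges | Where-Object { $_.Added -and $_.Upn -eq $del.Upn -and $_.Dn -ne $del.Dn }) {
            if ([math]::Abs(($add.Time - $del.Time).TotalMinutes) -le $UpnSwapWindowMinutes) {
                "$($add.Time) ALERT UPN $($del.Upn) moved from '$($del.Dn)' to '$($add.Dn)' (certificate-request impersonation pattern)"
            }
        }
    }
}

# Live use against a domain controller (last 24 hours):
# $records = Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security';
#     Id = 4722,4724,4738,4728,4732,4756,5136; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertTo-EventRecord $_ }
# Find-PrivilegedAccountTampering -Records $records

# Offline demonstration on constructed records that reproduce the attack sequence above.
$t = [datetime]'2021-03-05T10:00:00'
$vip = $WatchedDns[0]; $stale = 'CN=Old Contractor,OU=Staff,DC=corp,DC=example'
$sample = @(
    [pscustomobject]@{ Id = 5136; Time = $t;               Data = @{ AttributeLDAPDisplayName = 'userPrincipalName'; ObjectDN = $vip;   AttributeValue = 'jane.doe@corp.example'; OperationType = '%%14675'; SubjectUserName = 'svc-helpdesk' } }
    [pscustomobject]@{ Id = 5136; Time = $t.AddSeconds(1); Data = @{ AttributeLDAPDisplayName = 'userPrincipalName'; ObjectDN = $vip;   AttributeValue = 'jdoe.tmp@corp.example'; OperationType = '%%14674'; SubjectUserName = 'svc-helpdesk' } }
    [pscustomobject]@{ Id = 5136; Time = $t.AddMinutes(2); Data = @{ AttributeLDAPDisplayName = 'userPrincipalName'; ObjectDN = $stale; AttributeValue = 'jane.doe@corp.example'; OperationType = '%%14674'; SubjectUserName = 'svc-helpdesk' } }
    [pscustomobject]@{ Id = 4728; Time = $t.AddMinutes(30); Data = @{ TargetSid = "$($DomainSid)-512"; MemberName = $stale; SubjectUserName = 'svc-helpdesk' } }
)
Find-PrivilegedAccountTampering -Records $sample
```

Two of the alerts the sample produces are the ones that matter for the attack above: the VIP's UPN being replaced, and the original UPN reappearing on a different, stale account minutes later. Feed the output into whatever notifies the AD DS and incident response teams, and suppress the group-membership alerts only for changes that were announced in advance through the population procedure this section describes.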
Implementing Secure Administrative Hosts
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Secure administrative hosts are workstations or servers that have been configured specifically for the purposes
of creating secure platforms from which privileged accounts can perform administrative tasks in Active
Directory or on domain controllers, domain-joined systems, and applications running on domain-joined
systems. In this case, "privileged accounts" refers not only to accounts that are members of the most privileged
groups in Active Directory, but to any accounts that have been delegated rights and permissions that allow
administrative tasks to be performed.
These accounts may be Help Desk accounts that have the ability to reset passwords for most of the users in a
domain, accounts that are used to administer DNS records and zones, or accounts that are used for
configuration management. Secure administrative hosts are dedicated to administrative functionality, and they
do not run software such as email applications, web browsers, or productivity software such as Microsoft Office.
Although the "most privileged" accounts and groups should accordingly be the most stringently protected, this
does not eliminate the need to protect any accounts and groups to which privileges above those of standard
user accounts have been granted.
A secure administrative host can be a dedicated workstation that is used only for administrative tasks, a member
server that runs the Remote Desktop Gateway server role and to which IT users connect to perform
administration of destination hosts, or a server that runs the Hyper-V role and provides a unique virtual
machine for each IT user to use for their administrative tasks. In many environments, combinations of all three
approaches may be implemented.
Implementing secure administrative hosts requires planning and configuration that is consistent with your
organization's size, administrative practices, risk appetite, and budget. Considerations and options for
implementing secure administrative hosts are provided here for you to use in developing an administrative
strategy suitable for your organization.
NOTE
As of this writing, the Microsoft Security Compliance Manager does not include settings specific to jump servers or other
secure administrative hosts, but Security Compliance Manager (SCM) can still be used to create initial baselines for your
administrative hosts. To properly secure the hosts, however, you should apply additional security settings appropriate to
highly secured workstations and servers.
AppLocker
Administrative hosts and virtual machines should be configured with script, tool, and application allowlists via
AppLocker or third-party application restriction software. Any administrative applications or utilities that do
not adhere to secure settings should be upgraded or replaced with tooling that adheres to secure development
and administrative practices. When new or additional tooling is needed on an administrative host, applications
and utilities should be thoroughly tested, and if the tooling is suitable for deployment on administrative hosts, it
can be added to the systems' allowlists.
RDP Restrictions
Although the specific configuration will vary depending on the architecture of your administrative systems, you
should include restrictions on which accounts and computers can be used to establish Remote Desktop Protocol
(RDP) connections to managed systems, such as using Remote Desktop Gateway (RD Gateway) jump servers to
control access to domain controllers and other managed systems from authorized users and systems.
You should allow interactive logons by authorized users and should remove or even block other logon types
that are not needed for server access.
Patch and Configuration Management
Smaller organizations may rely on offerings such as Windows Update or Windows Server Update Services
(WSUS) to manage deployment of updates to Windows systems, while larger organizations may implement
enterprise patch and configuration management software such as Microsoft Endpoint Configuration Manager.
Regardless of the mechanisms you use to deploy updates to your general server and workstation population,
you should consider separate deployments for highly secure systems such as domain controllers, certification
authorities, and administrative hosts. By segregating these systems from the general management
infrastructure, if your management software or service accounts are compromised, the compromise cannot be
easily extended to the most secure systems in your infrastructure.
Although you should not implement manual update processes for secure systems, you should configure a
separate infrastructure for updating secure systems. Even in very large organizations, this infrastructure can
usually be implemented via dedicated WSUS servers and GPOs for secured systems.
Blocking Internet Access
Administrative hosts should not be permitted to access the Internet, nor should they be able to browse an
organization's intranet. Web browsers and similar applications should not be permitted on administrative hosts.
You can block Internet access for secure hosts via a combination of perimeter firewall settings, WFAS
configuration, and "black hole" proxy configuration on secure hosts. You can also use application allowlists to
prevent web browsers from being used on administrative hosts.
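The host-side layers named above, a default-deny outbound firewall policy, a "black hole" proxy and an allowlist check for browsers, look like the following on a Windows administrative host. This is an added example, not configuration from the original article; the domain controller and WSUS addresses, the DNS suffix and the proxy port are constructed placeholders, the perimeter firewall rule is out of scope, and the commands run elevated. Test in a lab first, because a missing allow rule cuts the host off from its domain controllers.

```powershell
# Added example (not from the original article): block Internet and intranet browsing
# from a secure administrative host using WFAS, a black-hole proxy and AppLocker.
$DomainControllers = '10.10.1.10', '10.10.1.11'   # constructed
$WsusServer        = '10.10.5.20'                 # constructed: dedicated WSUS for secured systems
$InternalSuffix    = '*.corp.example'             # constructed

# 1. WFAS: make Block the *default* outbound action and allow only what administration needs.
#    Explicit block rules take precedence over allow rules in WFAS, so a "block Any" rule
#    would override the allows below; the default action is the right place for the deny.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'AdminHost - domain controllers' -Direction Outbound -Action Allow -RemoteAddress $DomainControllers
New-NetFirewallRule -DisplayName 'AdminHost - WSUS' -Direction Outbound -Action Allow -RemoteAddress $WsusServer -Protocol TCP -RemotePort 8530, 8531
# Add further allow rules for the jump servers or managed systems this host legitimately administers.

# 2. Black-hole proxy: anything that still tries HTTP(S) is sent to a closed local port.
#    WinHTTP (services) and WinINET (browsers, most user-mode code) keep separate settings.
netsh winhttp set proxy proxy-server="127.0.0.1:9" bypass-list="<local>;$InternalSuffix"
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name ProxySettingsPerUser -Type DWord -Value 0   # machine-wide, users cannot change it
$inet = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyEnable   -Type DWord  -Value 1
Set-ItemProperty -Path $inet -Name ProxyServer   -Type String -Value '127.0.0.1:9'
Set-ItemProperty -Path $inet -Name ProxyOverride -Type String -Value "<local>;$InternalSuffix"

# 3. Verify. The firewall test must fail, and the effective AppLocker policy must not allow a browser.
$probe = Test-NetConnection -ComputerName 'www.example.com' -Port 443 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) { Write-Warning 'Outbound HTTPS to the Internet is still possible' }
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe" -User Everyone |
    Select-Object FilePath, PolicyDecision   # expect Denied or DeniedByDefault on an allowlisted host
```

Deploy the same settings through a GPO linked to the administrative-host OU rather than by hand, so that the configuration is enforced on every such host and drift is visible in policy reporting.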
Virtualization
Where possible, consider implementing virtual machines as administrative hosts. Using virtualization, you can
create per-user administrative systems that are centrally stored and managed, and which can be easily shut
down when not in use, ensuring that credentials are not left active on the administrative systems. You can also
require that virtual administrative hosts are reset to an initial snapshot after each use, ensuring that the virtual
machines remain pristine. More information about options for virtualization of administrative hosts is provided
in the following section.
Applies To: Windows Server 2022 Preview, Windows Server 2019, Windows Server 2016, Windows Server
2012 R2, Windows Server 2012
Law Number Three: If a bad guy has unrestricted physical access to your computer, it's not your computer
anymore. - Ten Immutable Laws of Security (Version 2.0)
Domain controllers provide the physical storage for the AD DS database, in addition to providing the services
and data that allow enterprises to effectively manage their servers, workstations, users, and applications. If
privileged access to a domain controller is obtained by a malicious user, that user can modify, corrupt, or destroy
the AD DS database and, by extension, all of the systems and accounts that are managed by Active Directory.
Because domain controllers can read from and write to anything in the AD DS database, compromise of a
domain controller means that your Active Directory forest can never be considered trustworthy again unless
you are able to recover using a known good backup and to close the gaps that allowed the compromise in the
process.
Depending on an attacker's preparation, tooling, and skill, modification or even irreparable damage to the AD
DS database can be completed in minutes to hours, not days or weeks. What matters isn't how long an attacker
has privileged access to Active Directory, but how much the attacker has planned for the moment when
privileged access is obtained. Compromising a domain controller can provide the most expedient path to wide
scale propagation of access, or the most direct path to destruction of member servers, workstations, and Active
Directory. Because of this, domain controllers should be secured separately and more stringently than the
general Windows infrastructure.
NOTE
If you intend to co-locate virtualized domain controllers with other, less sensitive virtual machines on the same physical
virtualization servers (hosts), consider implementing a solution which enforces role-based separation of duties, such as
Shielded VMs in Hyper-V. This technology provides comprehensive protection against malicious or clueless fabric
administrators (including virtualization, network, storage and backup administrators). It leverages a physical root of trust
with remote attestation and secure VM provisioning, and effectively ensures a level of security that is on par with a
dedicated physical server.
Branch Locations
Physical Domain Controllers in branches
In locations in which multiple servers reside but are not physically secured to the degree that datacenter servers
are secured, physical domain controllers should be configured with TPM chips and BitLocker Drive Encryption
for all server volumes. If a domain controller cannot be stored in a locked room in branch locations, you should
consider deploying RODCs in those locations.
Virtual Domain Controllers in branches
Whenever possible, you should run virtual domain controllers in branch offices on separate physical hosts than
the other virtual machines in the site. In branch offices in which virtual domain controllers cannot run on
separate physical hosts from the rest of the virtual server population, you should implement TPM chips and
BitLocker Drive Encryption on hosts on which virtual domain controllers run at minimum, and all hosts if
possible. Depending on the size of the branch office and the security of the physical hosts, you should consider
deploying RODCs in branch locations.
Remote Locations with Limited Space and Security
If your infrastructure includes locations in which only a single physical server can be installed, a server capable
of running virtualization workloads should be installed in the remote location, and BitLocker Drive Encryption
should be configured to protect all volumes in the server. One virtual machine on the server should run an
RODC, with other servers running as separate virtual machines on the host. Information about planning for
deployment of RODC is provided in the Read-Only Domain Controller Planning and Deployment Guide. For
more information about deploying and securing virtualized domain controllers, see Running Domain
Controllers in Hyper-V. For more detailed guidance for hardening Hyper-V, delegating virtual machine
management, and protecting virtual machines, see the Hyper-V Security Guide Solution Accelerator on the
Microsoft website.
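The branch-office guidance above comes down to a checkable condition: a TPM that is present and provisioned, and every fixed volume fully encrypted with protection on, with the OS volume bound to the TPM. The following PowerShell is an added example, not part of the original guide, that performs that check on a branch domain controller or Hyper-V host using the in-box TrustedPlatformModule and BitLocker modules; the function name and its output shape are choices made for this example.

```powershell
# Added example (not from the original guide): verify that a branch domain
# controller or Hyper-V host meets the TPM + BitLocker baseline described above.
# Uses the in-box Get-Tpm and Get-BitLockerVolume cmdlets; run elevated.
function Test-BranchDiskProtection {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The TPM must be present and ready. BitLocker without a TPM protector
    #    (password or USB key only) gives no measured-boot integrity.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM detected on this host.')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready (not owned or not provisioned).')
    }

    # 2. The guide says "all server volumes": every OS and data volume must be
    #    fully encrypted with protection on, and the OS volume must use a TPM protector.
    $volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
    foreach ($v in $volumes) {
        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("$($v.MountPoint): VolumeStatus is $($v.VolumeStatus), expected FullyEncrypted.")
        }
        if ($v.ProtectionStatus -ne 'On') {
            $findings.Add("$($v.MountPoint): ProtectionStatus is $($v.ProtectionStatus) (suspended or off).")
        }
        if ($v.VolumeType -eq 'OperatingSystem') {
            # KeyProtectorType values Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey all bind to the TPM.
            $tpmBound = $v.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
            if (-not $tpmBound) {
                $findings.Add("$($v.MountPoint): OS volume has no TPM-based key protector.")
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Compliant is $true only when the TPM is ready and every fixed volume passes all checks.
Test-BranchDiskProtection | Format-List
```

A suspended protector (ProtectionStatus Off while VolumeStatus is still FullyEncrypted) is the case most often missed after firmware or boot-configuration changes, which is why the two properties are checked separately rather than treating "encrypted" as "protected".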
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Law Number Five: Eternal vigilance is the price of security. - 10 Immutable Laws of Security Administration
A solid event log monitoring system is a crucial part of any secure Active Directory design. Many computer
security compromises could be discovered early in the event if the victims enacted appropriate event log
monitoring and alerting. Independent reports have long supported this conclusion. For example, the 2009
Verizon Data Breach Report states:
"The apparent ineffectiveness of event monitoring and log analysis continues to be somewhat of an enigma. The
opportunity for detection is there; investigators noted that 66 percent of victims had sufficient evidence
available within their logs to discover the breach had they been more diligent in analyzing such resources."
This lack of monitoring active event logs remains a consistent weakness in many companies' security defense
plans. The 2012 Verizon Data Breach report found that even though 85 percent of breaches took several weeks
to be noticed, 84 percent of victims had evidence of the breach in their event logs.
Audit Account Logon Events
This audit setting reports each instance of a security principal (for example, a user, computer, or service account) logging on to or logging off from one computer when another computer is used to validate the account. Account logon events are generated when a domain security principal account is authenticated on a domain controller. Authentication of a local user on a local computer generates a logon event that is logged in the local security log. No account logoff events are logged.
This category generates a lot of "noise" because Windows is constantly having accounts logging on to and off of
the local and remote computers during the normal course of business. Still, any security plan should include the
success and failure of this audit category.
Audit Account Management
This audit setting determines whether to track management of users and groups. For example, users and groups
should be tracked when a user or computer account, a security group, or a distribution group is created,
changed, or deleted; when a user or computer account is renamed, disabled, or enabled; or when a user or
computer password is changed. An event can be generated for users or groups that are added to or removed
from other groups.
Audit Directory Service Access
This policy setting determines whether to audit security principal access to an Active Directory object that has its
own specified system access control list (SACL). In general, this category should only be enabled on domain
controllers. When enabled, this setting generates a lot of "noise."
Audit Logon Events
Logon events are generated on the computer that is being accessed, whether the security principal is a local account or a domain account: an interactive logon is recorded on the computer that is logged on to, and a network logon (for example, to a file share) is recorded on the computer that hosts the resource. This is the key difference from account logon events, which are recorded on the computer that validates the credentials (the domain controller for domain accounts). Logoff events are recorded in this category as well. When enabled, Logon Events generates a lot of "noise," but it should be enabled by default in any security auditing plan.
Audit Object Access
Object Access can generate events when subsequently defined objects with auditing enabled are accessed (for
example, Opened, Read, Renamed, Deleted, or Closed). After the main auditing category is enabled, the
administrator must individually define which objects will have auditing enabled. Many Windows system objects
come with auditing enabled, so enabling this category will usually begin to generate events before the
administrator has defined any.
This category is very "noisy" and will generate five to ten events for each object access. It can be difficult for
administrators new to object auditing to gain useful information. It should only be enabled when needed.
Audit Policy Change
This policy setting determines whether to audit every incidence of a change to user rights assignment policies,
Windows Firewall policies, Trust policies, or changes to the audit policy. This category should be enabled on all
computers. It generates very little noise.
Audit Privilege Use
There are dozens of user rights and permissions in Windows (for example, Logon as a Batch Job and Act as Part
of the Operating System). This policy setting determines whether to audit each instance of a security principal by
exercising a user right or privilege. Enabling this category results in a lot of "noise," but it can be helpful in
tracking security principal accounts using elevated privileges.
Audit Process Tracking
This policy setting determines whether to audit detailed process tracking information for events such as
program activation, process exit, handle duplication, and indirect object access. It is useful for tracking malicious
users and the programs they use.
Enabling Audit Process Tracking generates a large number of events, so typically it is set to No Auditing.
However, this setting can provide a great benefit during an incident response from the detailed log of the
processes started and the time they were launched. For domain controllers and other single-role infrastructure
servers, this category can be safely turned on all the time. Single role servers do not generate much process
tracking traffic during the normal course of their duties. As such, they can be enabled to capture unauthorized
events if they occur.
Audit System Events
System Events is almost a generic catch-all category, registering various events that impact the computer, its
system security, or the security log. It includes events for computer shutdowns and restarts, power failures,
system time changes, authentication package initializations, audit log clearings, impersonation issues, and a host
of other general events. In general, enabling this audit category generates a lot of "noise," but it generates
enough very useful events that it is difficult to ever recommend not enabling it.
Advanced Audit Policies
Starting with Windows Vista and Windows Server 2008, Microsoft improved the way event log category
selections can be made by creating subcategories under each main audit category. Subcategories allow auditing
to be far more granular than it could otherwise by using the main categories. By using subcategories, you can
enable only portions of a particular main category, and skip generating events for which you have no use. Each
audit policy subcategory can be enabled for Success, Failure, or Success and Failure events.
To list all the available auditing subcategories, review the Advanced Audit Policy container in a Group Policy
Object, or type the following at a command prompt on any computer running Windows Server 2012, Windows
Server 2008 R2, or Windows Server 2008, Windows 8, Windows 7, or Windows Vista:
auditpol /list /subcategory:*
To get a list of currently configured auditing subcategories on a computer running Windows Server 2012,
Windows Server 2008 R2, or Windows 2008, type the following:
auditpol /get /category:*
The following screenshot shows an example of auditpol.exe listing the current audit policy.
NOTE
Group Policy does not always accurately report the status of all enabled auditing policies, whereas auditpol.exe does. See
Getting the Effective Audit Policy in Windows 7 and 2008 R2 for more details.
Each main category has multiple subcategories. Below is a list of categories, their subcategories, and a
description of their functions.
Auditing Subcategories Descriptions
Audit policy subcategories enable the following event log message types:
Account Logon
Credential Validation
This subcategory reports the results of validation tests on credentials submitted for a user account logon
request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the
domain controller is authoritative, whereas for local accounts, the local computer is authoritative.
In domain environments, most of the account logon events are logged in the security log of the domain
controllers that are authoritative for the domain accounts. However, these events can occur on other computers
in the organization when local accounts are used to log on.
Kerberos Service Ticket Operations
This subcategory reports events generated by Kerberos ticket request processes on the domain controller that is
authoritative for the domain account.
Kerberos Authentication Service
This subcategory reports events generated by the Kerberos authentication service. These events occur on the
computer that is authoritative for the credentials.
Other Account Logon Events
This subcategory reports the events that occur in response to credentials submitted for a user account logon
request that do not relate to credential validation or Kerberos tickets. These events occur on the computer that is
authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local
accounts, the local computer is authoritative.
In domain environments, most account logon events are logged in the security log of the domain controllers
that are authoritative for the domain accounts. However, these events can occur on other computers in the
organization when local accounts are used to log on. Examples can include the following:
Remote Desktop Services session disconnections
New Remote Desktop Services sessions
Locking and unlocking a workstation
Invoking a screen saver
Dismissing a screen saver
Detection of a Kerberos replay attack, in which a Kerberos request with identical information is received twice
Access to a wireless network granted to a user or computer account
Access to a wired 802.1x network granted to a user or computer account
Account Management
User Account Management
This subcategory reports each event of user account management, such as when a user account is created,
changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If this
audit policy setting is enabled, administrators can track events to detect malicious, accidental, and authorized
creation of user accounts.
Computer Account Management
This subcategory reports each event of computer account management, such as when a computer account is
created, changed, deleted, renamed, disabled, or enabled.
Security Group Management
This subcategory reports each event of security group management, such as when a security group is created,
changed, or deleted or when a member is added to or removed from a security group. If this audit policy setting
is enabled, administrators can track events to detect malicious, accidental, and authorized creation of security
group accounts.
Distribution Group Management
This subcategory reports each event of distribution group management, such as when a distribution group is
created, changed, or deleted or when a member is added to or removed from a distribution group. If this audit
policy setting is enabled, administrators can track events to detect malicious, accidental, and authorized creation
of group accounts.
Application Group Management
This subcategory reports each event of application group management on a computer, such as when an
application group is created, changed, or deleted or when a member is added to or removed from an application
group. If this audit policy setting is enabled, administrators can track events to detect malicious, accidental, and
authorized creation of application group accounts.
Other Account Management Events
This subcategory reports other account management events, for example a call to the Password Policy Checking API or a request to read a user account's password hash.
Detailed Tracking
Process Creation
This subcategory reports the creation of a process and the name of the user or program that created it.
Process Termination
This subcategory reports when a process terminates.
DPAPI Activity
This subcategory reports encrypt or decrypt calls into the data protection application programming interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information.
RPC Events
This subcategory reports remote procedure call (RPC) connection events.
DS Access
Directory Service Access
This subcategory reports when an AD DS object is accessed. Only objects with configured SACLs cause audit events to be generated, and only when they are accessed in a manner that matches the SACL entries. These events are similar to the directory service access events in earlier versions of Windows Server. This subcategory applies only to domain controllers.
Directory Service Changes
This subcategory reports changes to objects in AD DS. The types of changes that are reported are create, modify,
move, and undelete operations that are performed on an object. Directory service change auditing, where
appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only
objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that
matches their SACL entries. Some objects and properties do not cause audit events to be generated due to
settings on the object class in the schema. This subcategory applies only to domain controllers.
Directory Service Replication
This subcategory reports when replication between two domain controllers begins and ends.
Detailed Directory Service Replication
This subcategory reports detailed information about the information replicated between domain controllers.
These events can be very high in volume.
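Because Directory Service Access and Directory Service Changes only fire for objects that carry a matching SACL, enabling the subcategory alone produces nothing. The following PowerShell is an added example, not part of the original guide, that adds a Success audit rule for write operations to the Domain Admins group and enables Directory Service Changes so that membership or permission changes produce event 5136 (the standard "directory service object was modified" event, which carries old and new attribute values). It assumes the ActiveDirectory module, a domain controller where the caller can modify the object's security descriptor, and Domain Admins as the target; the function name is a choice made for this example.

```powershell
# Added example (not part of the original guide): give a high-value AD object
# the SACL that Directory Service Changes auditing needs, then enable the subcategory.
# Requires the ActiveDirectory module and rights to write the object's SACL.
Import-Module ActiveDirectory

function Add-DirectoryChangeAudit {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Everyone (S-1-1-0): audit writes no matter which principal performs them.
        [System.Security.Principal.IdentityReference] $Principal = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    )
    $path = "AD:\$DistinguishedName"
    # -Audit is required: without it Get-Acl returns the DACL only and Set-Acl would not carry a SACL.
    $acl = Get-Acl -Path $path -Audit

    # Audit the operations that change membership, permissions, ownership, or remove the object.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
              [System.DirectoryServices.ActiveDirectoryRights]::Delete

    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $Principal,
        $rights,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Read the SACL back so the change can be verified (explicit and inherited rules, as SIDs).
    (Get-Acl -Path $path -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
}

# 1. Turn the subcategory on for this DC. Success is enough to track changes;
#    failed writes show up under Directory Service Access if that is enabled too.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:disable

# 2. Apply the SACL to the group whose membership must never change unnoticed.
$dn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
Add-DirectoryChangeAudit -DistinguishedName $dn

# 3. After a test change, pull the 5136 events for exactly this object.
$xpath = "*[System[EventID=5136] and EventData[Data[@Name='ObjectDN']='$dn']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 10 |
    Select-Object TimeCreated, Message
```

The subcategory setting applied with auditpol is local to the domain controller; to make it hold across all DCs, set Directory Service Changes in the Default Domain Controllers Policy as well. The SACL itself is stored on the object and replicates, so it only needs to be applied once.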
Logon/Logoff
Logon
This subcategory reports when a user attempts to log on to the system. These events occur on the accessed
computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a
network logon takes place to access a share, these events generate on the computer that hosts the accessed
resource. If this setting is configured to No auditing, it is difficult or impossible to determine which user has
accessed or attempted to access organization computers.
Network Policy Server
This subcategory reports events generated by RADIUS (IAS) and Network Access Protection (NAP) user access
requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Auditing this setting
will result in a medium or high volume of records on NPS and IAS servers.
IPsec Main Mode
This subcategory reports the results of Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol
(AuthIP) during Main Mode negotiations.
IPsec Extended Mode
This subcategory reports the results of AuthIP during Extended Mode negotiations.
Other Logon/Logoff Events
This subcategory reports other logon and logoff-related events, such as Remote Desktop Services session
disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking
a workstation.
Logoff
This subcategory reports when a user logs off the system. These events occur on the accessed computer. For
interactive logons, the generation of these events occurs on the computer that is logged on to. If a network
logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If
this setting is configured to No auditing, it is difficult or impossible to determine which user has accessed or
attempted to access organization computers.
Account Lockout
This subcategory reports when a user's account is locked out as a result of too many failed logon attempts.
IPsec Quick Mode
This subcategory reports the results of IKE protocol and AuthIP during Quick Mode negotiations.
Special Logon
This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level; the event lists the sensitive privileges assigned to the new logon session.
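The Account Management and Logon/Logoff subcategories above are only worth their noise if something reads the events they produce. The following PowerShell is an added example, not part of the original guide, that flattens Security-log records and applies a few triage rules to them: new accounts, additions to privileged groups, lockouts, and Special Logon sessions that hold SeDebugPrivilege. Event IDs 4720, 4728/4732/4756, 4740 and 4672 are the standard Windows Security event IDs for these subcategories; the privileged-group list, account names and sample records are constructed for the example.

```powershell
# Added example (not part of the original guide): triage Security-log events from
# the Account Management and Logon/Logoff subcategories described above.
# Standard Windows Security event IDs used:
#   4720 user account created         4728/4732/4756 member added to a group
#   4740 account locked out           4672 special privileges assigned to new logon
# The privileged-group list is an assumption for this example; extend it to your own tier-0 groups.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function ConvertFrom-SecurityEvent {
    # Flatten an EventLogRecord from Get-WinEvent into the fields the rules below use.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        [pscustomobject]@{
            Id         = $Event.Id
            Time       = $Event.TimeCreated
            Subject    = $data['SubjectUserName']   # who performed the action / who logged on
            Target     = $data['TargetUserName']    # account created/locked, or group changed
            Member     = $data['MemberName']        # DN of the member added (group events)
            Privileges = $data['PrivilegeList']     # Special Logon privilege list
        }
    }
}

function Get-AccountAlerts {
    # Emit one line per event that merits an analyst's attention; everything else is dropped.
    param([Parameter(ValueFromPipeline)] $E)
    process {
        switch ($E.Id) {
            4720 { "$($E.Time) ACCOUNT CREATED '$($E.Target)' by '$($E.Subject)'" }
            { $_ -in 4728, 4732, 4756 } {
                if ($E.Target -in $PrivilegedGroups) {
                    "$($E.Time) PRIVILEGED GROUP CHANGE: '$($E.Member)' added to '$($E.Target)' by '$($E.Subject)'"
                }
            }
            4740 { "$($E.Time) LOCKOUT of '$($E.Target)'" }
            4672 {
                # Machine accounts (names ending in $) log on with special privileges constantly.
                # A human or service account holding SeDebugPrivilege is far rarer and is what
                # credential-theft tooling needs to read LSASS memory.
                if ($E.Subject -notlike '*$' -and $E.Privileges -match 'SeDebugPrivilege') {
                    "$($E.Time) SPECIAL LOGON with SeDebugPrivilege for '$($E.Subject)'"
                }
            }
        }
    }
}

# Constructed sample input (already flattened), standing in for real Security-log records.
$sample = @(
    [pscustomobject]@{ Id = 4720; Time = '2021-03-05 09:12'; Subject = 'helpdesk1'; Target = 'svc-backup2';   Member = $null; Privileges = $null }
    [pscustomobject]@{ Id = 4728; Time = '2021-03-05 09:13'; Subject = 'helpdesk1'; Target = 'Domain Admins'; Member = 'CN=svc-backup2,CN=Users,DC=corp,DC=example'; Privileges = $null }
    [pscustomobject]@{ Id = 4728; Time = '2021-03-05 09:14'; Subject = 'helpdesk1'; Target = 'Sales';         Member = 'CN=jdoe,CN=Users,DC=corp,DC=example';        Privileges = $null }
    [pscustomobject]@{ Id = 4672; Time = '2021-03-05 09:20'; Subject = 'DC01$';     Target = $null; Member = $null; Privileges = 'SeTcbPrivilege SeDebugPrivilege' }
    [pscustomobject]@{ Id = 4672; Time = '2021-03-05 09:21'; Subject = 'svc-backup2'; Target = $null; Member = $null; Privileges = 'SeDebugPrivilege SeBackupPrivilege' }
)
$sample | Get-AccountAlerts

# Against a live or archived Security log (run elevated):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756, 4740, 4672 } -MaxEvents 5000 |
#       ConvertFrom-SecurityEvent | Get-AccountAlerts
```

The sample sequence (a helpdesk account creating a new account and adding it to Domain Admins, followed by that account logging on with SeDebugPrivilege) is the shape of activity the guide's Account Management and Special Logon subcategories exist to surface; the rules deliberately ignore the routine group change and the machine-account logon so that what remains is actionable.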
Policy Change
Audit Policy Change
This subcategory reports changes in audit policy, including SACL changes.
Authentication Policy Change
This subcategory reports changes in authentication policy.
Authorization Policy Change
This subcategory reports changes in authorization policy, including permissions (DACL) changes.
MPSSVC Rule-Level Policy Change
This subcategory reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe). This
service is used by Windows Firewall.
Filtering Platform Policy Change
This subcategory reports the addition and removal of objects from the Windows Filtering Platform (WFP), including startup filters. These events can be very high in volume.
Other Policy Change Events
This subcategory reports other types of security policy changes such as configuration of the Trusted Platform
Module (TPM) or cryptographic providers.
Privilege Use
Sensitive Privilege Use
This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes
the following user rights: act as part of the operating system, back up files and directories, create a token object,
debug programs, enable computer and user accounts to be trusted for delegation, generate security audits,
impersonate a client after authentication, load and unload device drivers, manage auditing and security log,
modify firmware environment values, replace a process-level token, restore files and directories, and take
ownership of files or other objects. Auditing this subcategory will create a high volume of events.
Non Sensitive Privilege Use
This subcategory reports when a user account or service uses a nonsensitive privilege. A nonsensitive privilege
includes the following user rights: access Credential Manager as a trusted caller, access this computer from the
network, add workstations to domain, adjust memory quotas for a process, allow log on locally, allow log on
through Remote Desktop Services, bypass traverse checking, change the system time, create a pagefile, create
global objects, create permanent shared objects, create symbolic links, deny access this computer from the
network, deny log on as a batch job, deny log on as a service, deny log on locally, deny log on through Remote
Desktop Services, force shutdown from a remote system, increase a process working set, increase scheduling
priority, lock pages in memory, log on as a batch job, log on as a service, modify an object label, perform volume
maintenance tasks, profile single process, profile system performance, remove computer from docking station,
shut down the system, and synchronize directory service data. Auditing this subcategory will create a very high
volume of events.
Other Privilege Use Events
This subcategory is not currently used by Windows.
Object Access
File System
This subcategory reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL entries. By itself, this policy setting will not cause auditing of any events: it determines whether access to a file system object that has a specified system access control list (SACL) is audited, and the SACL on the object determines which principals and which access types generate an event.
If this subcategory is configured to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If it is configured to Failure, an audit entry is generated each time that a user fails in an attempt to access an object with a specified SACL.
Registry
This subcategory reports when registry objects are accessed. Only registry objects with SACLs cause audit
events to be generated, and only when they are accessed in a manner matching their SACL entries. By itself, this
policy setting will not cause auditing of any events.
Kernel Object
This subcategory reports when kernel objects such as processes and mutexes are accessed. Only kernel objects
with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their
SACL entries. Typically kernel objects are only given SACLs if the AuditBaseObjects or AuditBaseDirectories
auditing options are enabled.
SAM
This subcategory reports when local Security Accounts Manager (SAM) authentication database objects are
accessed.
Certification Services
This subcategory reports when Active Directory Certificate Services operations are performed, such as certificate requests, issuance, and revocation.
Application Generated
This subcategory reports when applications attempt to generate audit events by using the Windows auditing application programming interfaces (APIs).
Handle Manipulation
This subcategory reports when a handle to an object is opened or closed. Only objects with SACLs cause these
events to be generated, and only if the attempted handle operation matches the SACL entries. Handle
Manipulation events are only generated for object types where the corresponding object access subcategory is
enabled (for example, file system or registry).
File Share
This subcategory reports when a file share is accessed. By itself, this policy setting will not cause auditing of any
events. It determines whether to audit the event of a user who accesses a file share object that has a specified
system access control list (SACL), effectively enabling auditing to take place.
Filtering Platform Packet Drop
This subcategory reports when packets are dropped by Windows Filtering Platform (WFP). These events can be
very high in volume.
Filtering Platform Connection
This subcategory reports when connections are allowed or blocked by WFP. These events can be high in volume.
Other Object Access Events
This subcategory reports other object access-related events such as Task Scheduler jobs and COM+ objects.
System
Security State Change
This subcategory reports changes in security state of the system, such as when the security subsystem starts
and stops.
Security System Extension
This subcategory reports the loading of extension code such as authentication packages by the security
subsystem.
System Integrity
This subcategory reports violations of the integrity of the security subsystem, such as audit messages lost because the audit queue was exhausted (event 4612) or a code-integrity failure when loading a driver or system file (event 5038).
NOTE
The Manage auditing and security log privilege must be given to security principals (Administrators have it by
default) to allow the modification of object access auditing options of individual resources, such as files, Active Directory
objects, and registry keys.
Advanced Audit Policy can be set by using Active Directory or local group policies. To set Advanced Audit Policy, configure the appropriate subcategories located under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration (see the following screenshot for an example from the Local Group Policy Editor (gpedit.msc)). Each audit policy subcategory can be enabled for Success, Failure, or Success and Failure events.
NOTE
Auditpol.exe sets Advanced Audit Policy locally. If local policy conflicts with Active Directory or local Group Policy, Group
Policy settings usually prevail over auditpol.exe settings. When multiple group or local policy conflicts exist, only one policy
will prevail (that is, replace). Audit policies will not merge.
Scripting Auditpol
Microsoft provides a sample script for administrators who want to set Advanced Audit Policy by using a script
instead of manually typing in each auditpol.exe command.
Other Auditpol Commands
Auditpol.exe can be used to save and restore a local audit policy, and to view other auditing related commands.
Here are the other auditpol commands.
auditpol /clear - Clears and resets the local audit policy.
auditpol /backup /file:<filename> - Backs up the current local audit policy to a comma-separated (CSV) text file.
auditpol /restore /file:<filename> - Imports a previously saved audit policy file into the local audit policy.
auditpol /get /option:CrashOnAuditFail and auditpol /set /option:CrashOnAuditFail /value:<enable|disable> - If this audit policy setting is enabled, it causes the system to immediately stop (with a STOP: C0000244 {Audit Failed} message) if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method specified for the security log is Do Not Overwrite Events or Overwrite Events by Days. Typically it is only enabled in environments that need higher assurance that the security log is logging. If enabled, administrators must closely watch security log size and rotate logs as required, because a full log becomes a self-inflicted denial of service for the whole system. It can also be set with Group Policy by modifying the security option Audit: Shut down system immediately if unable to log security audits (default=disabled).
auditpol /get /option:AuditBaseObjects and auditpol /set /option:AuditBaseObjects /value:<enable|disable> - This audit policy setting determines
whether to audit the access of global system objects. If this policy is enabled, it causes system objects, such as
mutexes, events, semaphores, and DOS devices to be created with a default system access control list (SACL).
Most administrators consider auditing global system objects to be too "noisy," and they will only enable it if
malicious hacking is suspected. Only named objects are given a SACL. If the audit object access audit policy (or
Kernel Object audit subcategory) is also enabled, access to these system objects is audited. When configuring
this security setting, changes will not take effect until you restart Windows. This policy can also be set with
Group Policy by modifying the security option Audit the access of global system objects (default=disabled).
auditpol /get /option:AuditBaseDirectories and auditpol /set /option:AuditBaseDirectories /value:<enable|disable> - This audit policy setting specifies that
named kernel objects (such as mutexes and semaphores) are to be given SACLs when they are created.
AuditBaseDirectories affects container objects while AuditBaseObjects affects objects that cannot contain other
objects.
auditpol /get /option:FullPrivilegeAuditing and auditpol /set /option:FullPrivilegeAuditing /value:<enable|disable> - This audit policy setting specifies
whether the client generates an event when one or more of these privileges are assigned to a user security
token: AssignPrimaryTokenPrivilege, AuditPrivilege, BackupPrivilege, CreateTokenPrivilege, DebugPrivilege,
EnableDelegationPrivilege, ImpersonatePrivilege, LoadDriverPrivilege, RestorePrivilege, SecurityPrivilege,
SystemEnvironmentPrivilege, TakeOwnershipPrivilege, and TcbPrivilege. If this option is not enabled
(default=Disabled), the BackupPrivilege and RestorePrivilege privileges are not recorded. Enabling this option
can make the security log extremely noisy (sometimes hundreds of events a second) during a backup operation.
This policy can also be set with Group Policy by modifying the security option Audit: Audit the use of Backup
and Restore privilege .
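The Scripting Auditpol section above refers to Microsoft's sample script, and the list just above gives the individual commands. The following PowerShell is an added example, not Microsoft's script and not part of the original page, that ties those commands together the way a practitioner would use them on a domain controller: it backs up the current policy with auditpol /backup, applies a small set of subcategories with auditpol /set, and then compares the effective policy from auditpol's CSV report (auditpol /get ... /r) against the intended one, which is the check that catches Group Policy silently overriding a local setting. The subcategory list and the backup path are assumptions for the example.

```powershell
# Added example (not the original page's or Microsoft's sample script): back up,
# apply, and verify an Advanced Audit Policy baseline with auditpol.exe. Run elevated.
$Backup = Join-Path $env:ProgramData 'auditpol-backup.csv'   # assumed location; auditpol writes CSV text

# Subcategory name -> desired "Inclusion Setting". Names must match `auditpol /list /subcategory:*`.
# This selection reflects the DC guidance above; it is a starting point, not a complete baseline.
$Baseline = [ordered]@{
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Directory Service Changes'       = 'Success'
    'Logon'                           = 'Success and Failure'
    'Special Logon'                   = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'Security State Change'           = 'Success'
    'Security System Extension'       = 'Success'
    'System Integrity'                = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # auditpol's /r switch emits CSV; the "Inclusion Setting" column holds the effective value
    # per subcategory (Success, Failure, Success and Failure, or No Auditing).
    auditpol /get /category:* /r | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{ Subcategory = $_.Subcategory; Setting = $_.'Inclusion Setting' }
    }
}

function Set-AuditBaseline {
    param([System.Collections.IDictionary] $Desired)
    # Keep a copy of the pre-change policy; undo with: auditpol /restore /file:$Backup
    auditpol /backup /file:$Backup | Out-Null
    foreach ($name in $Desired.Keys) {
        $succ = if ($Desired[$name] -match 'Success') { 'enable' } else { 'disable' }
        $fail = if ($Desired[$name] -match 'Failure') { 'enable' } else { 'disable' }
        auditpol /set /subcategory:"$name" /success:$succ /failure:$fail | Out-Null
    }
}

function Test-AuditBaseline {
    # Returns one object per subcategory whose effective setting differs from the desired one.
    param([System.Collections.IDictionary] $Desired)
    $effective = @{}
    Get-EffectiveAuditPolicy | ForEach-Object { $effective[$_.Subcategory] = $_.Setting }
    foreach ($name in $Desired.Keys) {
        if ($effective[$name] -ne $Desired[$name]) {
            [pscustomobject]@{ Subcategory = $name; Desired = $Desired[$name]; Effective = $effective[$name] }
        }
    }
}

Set-AuditBaseline -Desired $Baseline
$drift = Test-AuditBaseline -Desired $Baseline
if ($drift) {
    # A mismatch immediately after /set usually means Group Policy owns the setting;
    # as the NOTE above says, Group Policy prevails over auditpol and policies do not merge.
    $drift | Format-Table -AutoSize
} else {
    'Effective audit policy matches the baseline.'
}
```

Reading the effective policy back through auditpol rather than through Group Policy reporting is deliberate: the earlier NOTE points out that Group Policy does not always report the enabled audit policy accurately, whereas auditpol.exe reflects what the Local Security Authority is actually enforcing.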
NOTE
Some information provided here was taken from the Microsoft Audit Option Type and the Microsoft SCM tool.
Next steps
Auditing and Compliance in Windows Server 2008
How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and
Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003
domain, or in a Windows 2000 domain
Advanced Security Audit Policy Step-by-Step Guide
Audit Policy Recommendations
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows
8.1, Windows 7
This section addresses the Windows default audit policy settings, baseline recommended audit policy settings,
and the more aggressive recommendations from Microsoft, for workstation and server products.
The SCM baseline recommendations shown here, along with the settings we recommend to help detect
compromise, are intended only to be a starting baseline guide to administrators. Each organization must make
its own decisions regarding the threats they face, their acceptable risk tolerances, and what audit policy
categories or subcategories they should enable. For further information about threats, refer to the Threats and
Countermeasures Guide. Administrators without a thoughtful audit policy in place are encouraged to start with
the settings recommended here, and then to modify and test, prior to implementing in their production
environment.
The recommendations are for enterprise-class computers, which Microsoft defines as computers that have
average security requirements and require a high level of operational functionality. Entities needing higher
security requirements should consider more aggressive audit policies.
NOTE
Microsoft Windows defaults and baseline recommendations were taken from the Microsoft Security Compliance Manager
tool.
The following baseline audit policy settings are recommended for normal security computers that are not
known to be under active, successful attack by determined adversaries or malware.
[Blank] No recommendation

Audit Policy Category or Subcategory | Windows Default (Success \ Failure) | Baseline Recommendation (Success \ Failure) | Stronger Recommendation (Success \ Failure)
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
    Audit Application Generated
    Audit Registry
    Audit SAM
Policy Change
Privilege Use
System
(The per-row Success \ Failure values of this table are not present in this copy of the page; only the column headers and the row labels above are recoverable.)

1 Beginning with Windows 10 version 1809, Audit Logon is enabled by default for both Success and Failure. In previous versions of Windows, only Success is enabled by default.
Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations
[Audit settings recommendations table. Columns: Audit Policy Category or Subcategory; Windows Default (Success | Failure); Baseline Recommendation (Success | Failure); Stronger Recommendation (Success | Failure). Rows: Account Logon; Account Management; Detailed Tracking; DS Access; Object Access (subcategories Audit Application Generated, Audit Registry, Audit SAM); Policy Change; Privilege Use; System.]
Events to Monitor
A perfect event ID to generate a security alert should contain the following attributes:
High likelihood that occurrence indicates unauthorized activity
Low number of false positives
Occurrence should result in an investigative/forensics response
Two types of events should be monitored and alerted:
1. Those events in which even a single occurrence indicates unauthorized activity
2. An accumulation of events above an expected and accepted baseline
An example of the first event is:
If Domain Admins (DAs) are forbidden from logging on to computers that are not domain controllers, a single
occurrence of a DA member logging on to an end-user workstation should generate an alert and be
investigated. This type of alert is easy to generate by using the Audit Special Logon event 4964 (Special groups
have been assigned to a new logon). Other examples of single instance alerts include:
If Server A should never connect to Server B, alert when they connect to each other.
Alert if a normal end-user account is unexpectedly added to a sensitive security group.
If employees in factory location A never work at night, alert when a user logs on at midnight.
Alert if an unauthorized service is installed on a domain controller.
Investigate if a regular end user attempts to log on directly to a SQL Server when they have no clear reason to do so.
If you have no members in your DA group, and someone adds themselves there, check it immediately.
An example of the second event is:
An aberrant number of failed logons could indicate a password guessing attack. For an enterprise to provide an
alert for an unusually high number of failed logons, they must first understand the normal levels of failed
logons within their environment prior to a malicious security event.
For a comprehensive list of events that you should include when you monitor for signs of compromise, please
see Appendix L: Events to Monitor.
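The two alert classes described above, as an added example that is not part of the original document. It is written in Python rather than as a PowerShell query so it runs offline over constructed records; the event records, host names, the domain controller inventory and the per-host baseline are all constructed. Event 4964 is the Audit Special Logon event named in the text, and the example assumes the special-groups list has been configured to contain Domain Admins; 4625 is the Windows "An account failed to log on" event used for the failed-logon baseline.

```python
"""Alert logic for single-occurrence events and for counts above a baseline."""
from collections import Counter
from dataclasses import dataclass

# Constructed inventory of domain controllers; every other host is treated
# as a workstation or member server.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Security log event IDs: 4964 "Special groups have been assigned to a new
# logon" (named in the text); 4625 "An account failed to log on".
SPECIAL_LOGON = 4964
FAILED_LOGON = 4625


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    computer: str
    account: str


def single_occurrence_alerts(events):
    """Rule type 1: a single 4964 event on a non-DC is enough to alert.

    Assumes the 'special groups' list for Audit Special Logon contains
    Domain Admins, so a 4964 event means a DA member has logged on.
    """
    return [
        f"DA logon on non-DC: {e.account} on {e.computer}"
        for e in events
        if e.event_id == SPECIAL_LOGON and e.computer not in DOMAIN_CONTROLLERS
    ]


def failed_logon_alerts(events, baseline, multiplier=3):
    """Rule type 2: failed logons per computer above an established baseline.

    `baseline` maps computer -> normal count of 4625 events in the window and
    must be measured from the environment first, as the text requires.
    Hosts missing from the baseline are compared against 0, so any failure
    on an unknown host alerts rather than being silently ignored.
    """
    counts = Counter(e.computer for e in events if e.event_id == FAILED_LOGON)
    alerts = []
    for computer, n in sorted(counts.items()):
        limit = baseline.get(computer, 0) * multiplier
        if n > limit:
            alerts.append(f"failed-logon spike: {n} on {computer} (limit {limit})")
    return alerts


# Constructed sample data.
SAMPLE_EVENTS = [
    SecurityEvent(4964, "DC01", "CONTOSO\\da-alice"),    # DA on a DC: expected
    SecurityEvent(4964, "WS-042", "CONTOSO\\da-alice"),  # DA on a workstation
    *[SecurityEvent(4625, "WS-007", "CONTOSO\\bob") for _ in range(40)],
    *[SecurityEvent(4625, "WS-010", "CONTOSO\\carol") for _ in range(4)],
]
SAMPLE_BASELINE = {"WS-007": 5, "WS-010": 5}


if __name__ == "__main__":
    for line in single_occurrence_alerts(SAMPLE_EVENTS):
        print(line)
    for line in failed_logon_alerts(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(line)
```

The baseline multiplier of 3 is an arbitrary starting point; the usable value is whatever keeps the second rule quiet during normal operation in a given environment, which is why the baseline has to be measured before the rule is switched on.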
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Law Number One: Nobody believes anything bad can happen to them, until it does. - 10 Immutable Laws of
Security Administration
Disaster recovery plans in many organizations focus on recovering from regional disasters or failures that result
in loss of computing services. However, when working with compromised customers, we often find that
recovering from intentional compromise is absent in their disaster recovery plans. This is particularly true when
the compromise results in theft of intellectual property or intentional destruction that leverages logical
boundaries (such as destruction of all Active Directory domains or all servers) rather than physical boundaries
(such as destruction of a datacenter). Although an organization may have incident response plans that define
initial activities to take when a compromise is discovered, these plans often omit steps to recover from a
compromise that affects the entire computing infrastructure.
Because Active Directory provides rich identity and access management capabilities for users, servers,
workstations, and applications, it is invariably targeted by attackers. If an attacker gains highly privileged access
to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even
destroy the entire Active Directory forest.
This document has discussed some of the most common attacks against Windows and Active Directory and
countermeasures you can implement to reduce your attack surface, but the only sure way to recover in the
event of a complete compromise of Active Directory is to be prepared for the compromise before it happens.
This section focuses less on technical implementation details than previous sections of this document, and more
on high-level recommendations that you can use to create a holistic, comprehensive approach to secure and
manage your organization's critical business and IT assets.
Whether your infrastructure has never been attacked, has resisted attempted breaches, or has succumbed to
attacks and been fully compromised, you should plan for the inevitable reality that you will be attacked again
and again. It is not possible to prevent attacks, but it may indeed be possible to prevent significant breaches or
wholesale compromise. Every organization should closely evaluate their existing risk management programs,
and make necessary adjustments to help reduce their overall level of vulnerability by making balanced
investments in prevention, detection, containment, and recovery.
To create effective defenses while still providing services to the users and businesses that depend on your
infrastructure and applications, you may need to consider novel ways to prevent, detect, and contain
compromise in your environment, and then recover from the compromise. The approaches and
recommendations in this document may not help you repair a compromised Active Directory installation, but
can help you secure your next one.
Recommendations for recovering an Active Directory forest are presented in Windows Server 2012: Planning
for Active Directory Forest Recovery. You may be able to prevent your new environment from being completely
compromised, but even if you can't, you will have tools to recover and regain control of your environment.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Law Number Ten: Technology is not a panacea. - 10 Immutable Laws of Security Administration
When you have created a manageable, secure environment for your critical business assets, your focus should
shift to ensuring that it is maintained securely. Although you've been given specific technical controls to increase
the security of your AD DS installations, technology alone will not protect an environment in which IT does not
work in partnership with the business to maintain a secure, usable infrastructure. The high level
recommendations in this section are meant to be used as guidelines that you can use to develop not only
effective security, but effective lifecycle management.
In some cases, your IT organization might already have a close working relationship with business units, which
will ease implementing these recommendations. In organizations in which IT and business units are not closely
tied, you might need to first obtain executive sponsorship for efforts to forge a closer relationship between IT
and business units. The Executive Summary is intended to be useful as a standalone document for executive
review, and it can be disseminated to decision makers in your organization.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Appendices are included in this document to augment the information contained in the body of the document.
The list of appendices and a brief description of each is included in the following table.
Appendix B: Privileged Accounts and Groups in Active Directory
    Provides background information that helps you to identify the users and groups you should focus on securing because they can be leveraged by attackers to compromise and even destroy your Active Directory installation.
Appendix C: Protected Accounts and Groups in Active Directory
    Contains information about protected groups in Active Directory. It also contains information for limited customization (removal) of groups that are considered protected groups and are affected by AdminSDHolder and SDProp.
Appendix D: Securing Built-In Administrator Accounts in Active Directory
    Contains guidelines to help secure the Administrator account in each domain in the forest.
Appendix E: Securing Enterprise Admins Groups in Active Directory
    Contains guidelines to help secure the Enterprise Admins group in the forest.
Appendix F: Securing Domain Admins Groups in Active Directory
    Contains guidelines to help secure the Domain Admins group in each domain in the forest.
Appendix G: Securing Administrators Groups in Active Directory
    Contains guidelines to help secure the Built-in Administrators group in each domain in the forest.
Appendix H: Securing Local Administrator Accounts and Groups
    Contains guidelines to help secure local Administrator accounts and Administrators groups on domain-joined servers and workstations.
Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory
    Provides information to create accounts that have limited privileges and can be stringently controlled, but can be used to populate privileged groups in Active Directory when temporary elevation is required.
Appendix L: Events to Monitor
    Lists events for which you should monitor in your environment.
Appendix M: Document Links and Recommended Reading
    Contains a list of recommended reading. Also contains a list of links to external documents and their URLs so that readers of hard copies of this document can access this information.
Appendix B: Privileged Accounts and Groups in Active Directory
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
In interfaces such as the Group Policy Object Editor, all of these assignable capabilities are referred to broadly as
user rights. In reality however, some user rights are programmatically referred to as rights, while others are
programmatically referred to as privileges. Table B-1: User Rights and Privileges provides some of the most
common assignable user rights and their programmatic constants. Although Group Policy and other interfaces
refer to all of these as user rights, some are programmatically identified as rights, while others are defined as
privileges.
For more information about each of the user rights listed in the following table, use the links in the table or see
Threats and Countermeasures Guide: User Rights in the Threats and Vulnerabilities Mitigation guide for
Windows Server 2008 R2 on the Microsoft TechNet site. For information applicable to Windows Server 2008,
please see User Rights in the Threats and Vulnerabilities Mitigation documentation on the Microsoft TechNet
site. As of the writing of this document, corresponding documentation for Windows Server 2012 is not yet
published.
NOTE
For the purposes of this document, the terms "rights" and "user rights" are used to identify rights and privileges unless
otherwise specified.
Table B-1: User Rights and Privileges
Permissions
Permissions are access controls that are applied to securable objects such as the file system, registry, service,
and Active Directory objects. Each securable object has an associated access control list (ACL), which contains
access control entries (ACEs) that grant or deny security principals (users, services, computers, or groups) the
ability to perform various operations on the object. For example, the ACLs for many objects in Active Directory
contain ACEs that allow Authenticated Users to read general information about the objects, but do not grant
them the ability to read sensitive information or to change the objects. With the exception of each domain's
built-in Guest account, every security principal that logs on and is authenticated by a domain controller in an
Active Directory forest or a trusted forest has the Authenticated Users Security Identifier (SID) added to its
access token by default. Therefore, whether a user, service, or computer account attempts to read general
properties on user objects in a domain, the read operation is successful.
If a security principal attempts to access an object and no ACE in the object's ACL names a SID that is present in the principal's access token, the principal cannot access the object. Moreover, if an ACE in an object's ACL contains a deny entry for a SID that matches the user's access token, the "deny" ACE will generally override a conflicting "allow" ACE. For more information about access control in Windows, see Access Control on the MSDN website.
Within this document, permissions refers to capabilities that are granted or denied to security principals on
securable objects. Whenever there is a conflict between a user right and a permission, the user right generally
takes precedence. For example, if an object in Active Directory has been configured with an ACL that denies
Administrators all read and write access to an object, a user who is a member of the domain's Administrators
group will be unable to view much information about the object. However, because the Administrators group is
granted the user right "Take ownership of files or other objects," the user can simply take ownership of the
object in question, then rewrite the object's ACL to grant Administrators full control of the object.
It is for this reason that this document encourages you to avoid using powerful accounts and groups for day-to-day administration, rather than trying to restrict the capabilities of the accounts and groups. It is effectively impossible to stop a determined user who has access to powerful credentials from using those credentials to gain access to any securable resource.
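The access-check behaviour described in this section (no matching ACE means no access, an explicit deny beats a conflicting allow, and the "Take ownership of files or other objects" right lets a principal defeat a denying ACL), as an added example that is not part of the original document. The access-mask bit values, the object ACL and the two tokens are constructed; S-1-5-11 (Authenticated Users) and S-1-5-32-544 (BUILTIN\Administrators) are the real well-known SIDs, and the privilege name SeTakeOwnershipPrivilege is the real constant for that user right. The ACL walk follows Windows semantics of evaluating ACEs in order with denies placed first (canonical order); the ownership step is simulated by rewriting the ACL rather than modelling an owner SID.

```python
"""ACE-order access check, deny precedence, and the 'Take ownership' right."""
from dataclasses import dataclass

# Access-mask bits. Constructed subset; only their distinctness matters here.
READ = 0x1
WRITE = 0x2
WRITE_DAC = 0x4                      # right to rewrite the object's ACL
FULL = READ | WRITE | WRITE_DAC

AUTHENTICATED_USERS = "S-1-5-11"         # well-known SID
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known SID
SE_TAKE_OWNERSHIP = "SeTakeOwnershipPrivilege"


@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    user_sid: str
    sids: frozenset        # the user's SID plus every group SID in the token
    privileges: frozenset  # user rights held by the token


def access_check(acl, token, requested):
    """Evaluate the `requested` bits against an ACL, one ACE at a time.

    ACEs whose SID is not in the token are skipped. A deny ACE that covers a
    still-unsatisfied bit ends the check with denial; allow ACEs satisfy bits.
    Bits left over at the end were never granted, so access is denied, which
    also covers an ACL in which no ACE names any SID from the token.
    """
    remaining = requested
    for ace in acl:
        if ace.sid not in token.sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def can_gain_full_control(acl, token, requested):
    """User rights generally take precedence over permissions.

    When the plain access check fails but the token holds 'Take ownership of
    files or other objects', the principal can take ownership and, as owner,
    rewrite the ACL in its own favour; the check is then repeated against the
    rewritten ACL (simulated here as a single allow ACE for the user).
    """
    if access_check(acl, token, requested):
        return True
    if SE_TAKE_OWNERSHIP in token.privileges:
        rewritten = [Ace("allow", token.user_sid, FULL)]
        return access_check(rewritten, token, requested)
    return False


# Constructed sample: an object whose ACL explicitly denies Administrators
# read and write, while Authenticated Users may read.
OBJECT_ACL = [
    Ace("deny", BUILTIN_ADMINISTRATORS, READ | WRITE),
    Ace("allow", AUTHENTICATED_USERS, READ),
    Ace("allow", BUILTIN_ADMINISTRATORS, READ | WRITE),
]
ADMIN = Token(
    "S-1-5-21-1-1-1-500",
    frozenset({"S-1-5-21-1-1-1-500", BUILTIN_ADMINISTRATORS, AUTHENTICATED_USERS}),
    frozenset({SE_TAKE_OWNERSHIP}),
)
USER = Token(
    "S-1-5-21-1-1-1-1105",
    frozenset({"S-1-5-21-1-1-1-1105", AUTHENTICATED_USERS}),
    frozenset(),
)

if __name__ == "__main__":
    print("admin read:", access_check(OBJECT_ACL, ADMIN, READ))
    print("user read:", access_check(OBJECT_ACL, USER, READ))
    print("admin after take-ownership:", can_gain_full_control(OBJECT_ACL, ADMIN, FULL))
```

The deny ACE stops the administrator's read even though a later allow ACE would grant it, and the same administrator still ends up with full control because of the user right, which is exactly why the text argues for keeping powerful accounts out of day-to-day use instead of trying to fence them in with permissions.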
Built-in Privileged Accounts and Groups
Active Directory is intended to facilitate delegation of administration and the principle of least privilege in
assigning rights and permissions. "Regular" users who have accounts in an Active Directory domain are, by
default, able to read much of what is stored in the directory, but are able to change only a very limited set of
data in the directory. Users who require additional privilege can be granted membership in various privileged
groups that are built into the directory so that they may perform specific tasks related to their roles, but cannot
perform tasks that are not relevant to their duties.
Within Active Directory, there are three built-in groups that comprise the highest privilege groups in the
directory: the Enterprise Admins (EA) group, the Domain Admins (DA) group, and the built-in Administrators
(BA) group.
A fourth group, the Schema Admins (SA) group, has privileges that, if abused, can damage or destroy an entire
Active Directory forest, but this group is more restricted in its capabilities than the EA, DA, and BA groups.
In addition to these four groups, there are a number of additional built-in and default accounts and groups in
Active Directory, each of which is granted rights and permissions that allow specific administrative tasks to be
performed. Although this appendix does not provide a thorough discussion of every built-in or default group in
Active Directory, it does provide a table of the groups and accounts that you're most likely to see in your
installations.
For example, if you install Microsoft Exchange Server into an Active Directory forest, additional accounts and
groups may be created in the Built-in and Users containers in your domains. This appendix describes only the
groups and accounts that are created in the Built-in and Users containers in Active Directory, based on native
roles and features. Accounts and groups that are created by the installation of enterprise software are not
included.
Enterprise Admins
The Enterprise Admins (EA) group is located in the forest root domain, and by default, it is a member of the
built-in Administrators group in every domain in the forest. The Built-in Administrator account in the forest root
domain is the only default member of the EA group. EAs are granted rights and permissions that allow them to
affect forest-wide changes. These are changes that affect all domains in the forest, such as adding or removing
domains, establishing forest trusts, or raising forest functional levels. In a properly designed and implemented
delegation model, EA membership is required only when first constructing the forest or when making certain
forest-wide changes such as establishing an outbound forest trust.
The EA group is located by default in the Users container in the forest root domain, and it is a universal security
group, unless the forest root domain is running in Windows 2000 Server mixed mode, in which case the group
is a global security group. Although some rights are granted directly to the EA group, many of this group's rights
are actually inherited by the EA group because it is a member of the Administrators group in each domain in the
forest. Enterprise Admins have no default rights on workstations or member servers.
Domain Admins
Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain's built-in
Administrators (BA) group in addition to a member of the local Administrators group on every computer that is
joined to the domain. The only default member of the DA group for a domain is the Built-in Administrator
account for that domain.
DAs are all-powerful within their domains, while EAs have forest-wide privilege. In a properly designed and
implemented delegation model, DA membership should be required only in "break glass" scenarios, which are
situations in which an account with high levels of privilege on every computer in the domain is needed, or when
certain domain wide changes must be made. Although native Active Directory delegation mechanisms do allow
delegation to the extent that it is possible to use DA accounts only in emergency scenarios, constructing an
effective delegation model can be time consuming, and many organizations use third-party applications to
expedite the process.
The DA group is a global security group located in the Users container for the domain. There is one DA group
for each domain in the forest, and the only default member of a DA group is the domain's Built-in Administrator
account. Because a domain's DA group is nested in the domain's BA group and every domain-joined system's
local Administrators group, DAs not only have permissions that are specifically granted to Domain Admins, but
they also inherit all rights and permissions granted to the domain's Administrators group and the local
Administrators group on all systems joined to the domain.
Administrators
The built-in Administrators (BA) group is a domain local group in a domain's Built-in container into which DAs
and EAs are nested, and it is this group that is granted many of the direct rights and permissions in the directory
and on domain controllers. However, the Administrators group for a domain does not have any privileges on
member servers or on workstations. Membership in domain-joined computers' local Administrators group is
where local privilege is granted; and of the groups discussed, only DAs are members of all domain-joined
computers' local Administrators groups by default.
The Administrators group is a domain-local group in the domain's Built-in container. By default, every domain's
BA group contains the local domain's Built-in Administrator account, the local domain's DA group, and the forest
root domain's EA group. Many user rights in Active Directory and on domain controllers are granted specifically
to the Administrators group, not to EAs or DAs. A domain's BA group is granted full control permissions on most
directory objects, and can take ownership of directory objects. Although EA and DA groups are granted certain
object-specific permissions in the forest and domains, much of the power of groups is actually "inherited" from
their membership in BA groups.
NOTE
Although these are the default configurations of these privileged groups, a member of any one of the three groups can
manipulate the directory to gain membership in any of the other groups. In some cases, it is trivial to achieve, while in
others it is more difficult, but from the perspective of potential privilege, all three groups should be considered effectively
equivalent.
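The default nesting of Enterprise Admins, Domain Admins and the built-in Administrators group described in this section, and its consequence for where each group actually holds administrative rights, as an added example that is not part of the original document. The forest (root domain "contoso", child domain "corp") and the accounts ea-alice and da-bob are constructed; the nesting rules encoded in it are the defaults stated in the text: each domain's DA and the forest root's EA are members of every applicable domain's built-in Administrators group, only DA is in the local Administrators group of domain-joined computers, and EA and the domain Administrators group have no default rights on member servers or workstations.

```python
"""Default nesting of EA, DA and BA, and where each holds admin rights."""


def default_membership(domains, root):
    """Group -> direct members (groups or accounts) for the default nesting:
    each domain's DA is in that domain's BA; the forest root's EA is in every
    domain's BA; each domain's built-in Administrator is the sole default
    member of its DA and BA (and of EA and SA in the forest root)."""
    members = {}
    for d in domains:
        members[f"{d}\\Domain Admins"] = {f"{d}\\Administrator"}
        members[f"{d}\\Administrators"] = {
            f"{d}\\Administrator",
            f"{d}\\Domain Admins",
            f"{root}\\Enterprise Admins",
        }
    members[f"{root}\\Enterprise Admins"] = {f"{root}\\Administrator"}
    members[f"{root}\\Schema Admins"] = {f"{root}\\Administrator"}
    return members


def local_administrators(domain):
    """Local Administrators group of a domain-joined member server or
    workstation: by default it holds the domain's DA group only, not the
    domain's built-in Administrators group and not Enterprise Admins."""
    return {f"{domain}\\Domain Admins"}


def expand(members, group):
    """Transitive closure: every account that ends up in `group`."""
    accounts, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in members.get(g, ()):
            if m in members:        # a nested group
                stack.append(m)
            else:                   # a leaf account
                accounts.add(m)
    return accounts


def is_admin(members, account, host_domain, is_dc):
    """On a domain controller the domain's built-in Administrators group
    governs; on a member server or workstation the local Administrators
    group does."""
    if is_dc:
        governing = {f"{host_domain}\\Administrators"}
    else:
        governing = local_administrators(host_domain)
    return any(account in expand(members, g) for g in governing)


def admin_matrix(members, account):
    """Where does `account` hold administrative rights by default?"""
    return {
        "contoso DC": is_admin(members, account, "contoso", True),
        "contoso member server": is_admin(members, account, "contoso", False),
        "corp DC": is_admin(members, account, "corp", True),
        "corp member server": is_admin(members, account, "corp", False),
    }


# Constructed forest: root domain "contoso" with child domain "corp", plus one
# non-default member added to EA and one to the child domain's DA.
FOREST = default_membership(["contoso", "corp"], root="contoso")
FOREST["contoso\\Enterprise Admins"].add("contoso\\ea-alice")
FOREST["corp\\Domain Admins"].add("corp\\da-bob")

if __name__ == "__main__":
    for who in ("contoso\\ea-alice", "corp\\da-bob"):
        print(who, admin_matrix(FOREST, who))
```

The matrix shows the asymmetry the text spells out: an EA member is an administrator on every domain controller in the forest but on no member server, while a child-domain DA member is an administrator on every computer in its own domain and nowhere in the root domain. The model covers default membership only; a member of any of the three groups can change the directory to join the others, which is the point of the note above.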
Schema Admins
The Schema Admins (SA) group is a universal group in the forest root domain and has only that domain's Built-
in Administrator account as a default member, similar to the EA group. Although membership in the SA group
can allow an attacker to compromise the Active Directory schema, which is the framework for the entire Active
Directory forest, SAs have few default rights and permissions beyond the schema.
You should carefully manage and monitor membership in the SA group, but in some respects, this group is "less
privileged" than the three highest privileged groups described earlier because the scope of its privilege is very
narrow; that is, SAs have no administrative rights anywhere other than the schema.
Additional Built-in and Default Groups in Active Directory
To facilitate delegating administration in the directory, Active Directory ships with various built-in and default
groups that have been granted specific rights and permissions. These groups are described briefly in the
following table.
The following table lists the built-in and default groups in Active Directory. Both sets of groups exist by default;
however, built-in groups are located (by default) in the Built-in container in Active Directory, while default groups
are located (by default) in the Users container in Active Directory. Groups in the Built-in container are all Domain
Local groups, while groups in the Users container are a mixture of Domain Local, Global, and Universal groups,
in addition to three individual user accounts (Administrator, Guest, and Krbtgt).
In addition to the highest privileged groups described earlier in this appendix, some built-in and default
accounts and groups are granted elevated privileges and should also be protected and used only on secure
administrative hosts. These groups and accounts can be found in the shaded rows in Table B-1: Built-in and
Default Groups and Accounts in Active Directory. Because some of these groups and accounts are granted rights
and permissions that can be misused to compromise Active Directory or domain controllers, they are afforded
additional protections as described in Appendix C: Protected Accounts and Groups in Active Directory.
Table B-1: Built-in and Default Accounts and Groups in Active Directory
Access Control Assistance Operators (Active Directory in Windows Server 2012)
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Members of this group can remotely query authorization attributes and permissions for resources on this computer.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Allowed RODC Password Replication Group
    Default container, group scope and type: Users container; Domain-local security group
    Description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Cloneable Domain Controllers (AD DS in Windows Server 2012)
    Default container, group scope and type: Users container; Global security group
    Description: Members of this group that are domain controllers may be cloned.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Debugger Users
    Default container, group scope and type: This is neither a default nor a built-in group, but when present in AD DS, it is cause for further investigation.
    Description: The presence of a Debugger Users group indicates that debugging tools have been installed on the system at some point, whether via Visual Studio, SQL, Office, or other applications that require and support a debugging environment. This group allows remote debugging access to computers. When this group exists at the domain level, it indicates that a debugger or an application that contains a debugger has been installed on a domain controller.
Denied RODC Password Replication Group
    Default container, group scope and type: Users container; Domain-local security group
    Description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Distributed COM Users
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Members of this group are allowed to launch, activate, and use distributed COM objects on this computer.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Domain Computers
    Default container, group scope and type: Users container; Global security group
    Description: All workstations and servers that are joined to the domain are by default members of this group.
    Default direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Enterprise Admins (exists only in forest root domain)
    Default container, group scope and type: Users container; Universal security group
    Description: Enterprise Admins have permissions to change forest-wide configuration settings; Enterprise Admins is a member of every domain's Administrators group and receives rights and permissions granted to that group.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Adjust memory quotas for a process; Allow log on locally; Allow log on through Remote Desktop Services; Back up files and directories; Bypass traverse checking; Change the system time; Change the time zone; Create a pagefile; Create global objects; Create symbolic links; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Impersonate a client after authentication; Increase a process working set; Increase scheduling priority; Load and unload device drivers; Log on as a batch job; Manage auditing and security log; Modify firmware environment values; Perform volume maintenance tasks; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects
Enterprise Read-only Domain Controllers
    Default container, group scope and type: Users container; Universal security group
    Description: This group contains the accounts for all read-only domain controllers in the forest.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Event Log Readers
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Members of this group can read the event logs on domain controllers.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Group Policy Creator Owners
    Default container, group scope and type: Users container; Global security group
    Description: Members of this group can create and modify Group Policy Objects in the domain.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Hyper-V Administrators (Windows Server 2012)
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Members of this group have complete and unrestricted access to all features of Hyper-V.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Incoming Forest Trust Builders (exists only in forest root domain)
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Members of this group can create incoming, one-way trusts to this forest. (Creation of outbound forest trusts is reserved for Enterprise Admins.)
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Network Configuration Operators
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Members of this group are granted privileges that allow them to manage configuration of networking features.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Performance Log Users
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Members of this group can schedule logging of performance counters, enable trace providers, and collect event traces locally and via remote access to the computer.
    Direct user rights: Log on as a batch job
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Performance Monitor Users
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Members of this group can access performance counter data locally and remotely.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Pre-Windows 2000 Compatible Access
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: This group exists for backward compatibility with operating systems prior to Windows 2000 Server, and it provides the ability for members to read user and group information in the domain.
    Direct user rights: Access this computer from the network; Bypass traverse checking
    Inherited user rights: Add workstations to domain; Increase a process working set
RAS and IAS Servers
    Default container, group scope and type: Users container; Domain-local security group
    Description: Servers in this group can read remote access properties on user accounts in the domain.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
RDS Endpoint Servers (Windows Server 2012)
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
RDS Management Servers (Windows Server 2012)
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
RDS Remote Access Servers (Windows Server 2012)
    Default container, group scope and type: Built-in container; Domain-local security group
    Description: Servers in this group enable users of RemoteApp programs and personal
virtual desktops access to these
resources. In Internet-facing
deployments, these servers are
typically deployed in an edge network.
This group needs to be populated on
servers running RD Connection Broker.
RD Gateway servers and RD Web
Access servers used in the deployment
need to be in this group.
Direct user rights: None
Inherited user rights:
Access this computer from the
network
Add workstations to domain
Bypass traverse checking
Increase a process working set
Read-only Domain Controllers Users container This group contains all read-only
Global security group domain controllers in the domain.
Direct user rights: None
Inherited user rights:
Access this computer from the
network
Add workstations to domain
Bypass traverse checking
Increase a process working set
Remote Desktop Users Built-in container Members of this group are granted
Domain-local security group the right to log on remotely using RDP.
Direct user rights: None
Inherited user rights:
Access this computer from the
network
Add workstations to domain
Bypass traverse checking
Increase a process working set
DEFA ULT C O N TA IN ER, GRO UP SC O P E DESC RIP T IO N A N D DEFA ULT USER
A C C O UN T O R GRO UP AND T YPE RIGH T S
Remote Management Users (Windows Built-in container Members of this group can access
Server 2012) Domain-local security group WMI resources over management
protocols (such as WS-Management
via the Windows Remote Management
service). This applies only to WMI
namespaces that grant access to the
user.
Direct user rights: None
Inherited user rights:
Access this computer from the
network
Add workstations to domain
Bypass traverse checking
Increase a process working set
Schema Admins (exists only in forest Users container Schema admins are the only users who
root domain) Universal security group can make modifications to the Active
Directory schema, and only if the
schema is write-enabled.
Direct user rights: None
Inherited user rights:
Access this computer from the
network
Add workstations to domain
Bypass traverse checking
Increase a process working set
DEFA ULT C O N TA IN ER, GRO UP SC O P E DESC RIP T IO N A N D DEFA ULT USER
A C C O UN T O R GRO UP AND T YPE RIGH T S
Terminal Server License Servers Built-in container Members of this group can update
Domain-local security group user accounts in Active Directory with
information about license issuance, for
the purpose of tracking and reporting
TS Per User CAL usage
Default direct user rights:
None
Inherited user rights:
Access this computer from the
network
Add workstations to domain
Bypass traverse checking
Increase a process working set
DEFA ULT C O N TA IN ER, GRO UP SC O P E DESC RIP T IO N A N D DEFA ULT USER
A C C O UN T O R GRO UP AND T YPE RIGH T S
Windows Authorization Access Group Built-in container Members of this group have access to
Domain-local security group the computed
tokenGroupsGlobalAndUniversal
attribute on User objects
Direct user rights: None
Inherited user rights:
Access this computer from the
network
Add workstations to domain
Bypass traverse checking
Increase a process working set
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Table by operating system (columns: Windows Server 2003 RTM | Windows Server 2003 SP1+ | Windows Server 2008 | Windows Server 2012, Windows Server 2008 R2, Windows Server 2016). Only the following row of the table survives here:
Cert Publishers
AdminSDHolder
The purpose of the AdminSDHolder object is to provide "template" permissions for the protected accounts and
groups in the domain. AdminSDHolder is automatically created as an object in the System container of every
Active Directory domain. Its path is: CN=AdminSDHolder,CN=System,DC=<domain_component>,DC=<domain_component>.
Unlike most objects in the Active Directory domain, which are owned by the Administrators group,
AdminSDHolder is owned by the Domain Admins group. By default, EAs can make changes to any domain's
AdminSDHolder object, as can the domain's Domain Admins and Administrators groups. Additionally, although
the default owner of AdminSDHolder is the domain's Domain Admins group, members of Administrators or
Enterprise Admins can take ownership of the object.
SDProp
SDProp is a process that runs every 60 minutes (by default) on the domain controller that holds the domain's
PDC Emulator (PDCE). SDProp compares the permissions on the domain's AdminSDHolder object with the
permissions on the protected accounts and groups in the domain. If the permissions on any of the protected
accounts and groups do not match the permissions on the AdminSDHolder object, the permissions on the
protected accounts and groups are reset to match those of the domain's AdminSDHolder object.
Additionally, permissions inheritance is disabled on protected groups and accounts, which means that even if
the accounts and groups are moved to different locations in the directory, they do not inherit permissions from
their new parent objects. Inheritance is disabled on the AdminSDHolder object so that permission changes to
the parent objects do not change the permissions of AdminSDHolder.
Changing SDProp Interval
Normally, you should not need to change the interval at which SDProp runs, except for testing purposes. If you
need to change the SDProp interval, on the PDCE for the domain, use regedit to add or modify the
AdminSDProtectFrequency DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
The value is in seconds and the accepted range is 60 to 7200 (one minute to two hours). To reverse the change, delete
the AdminSDProtectFrequency value, which causes SDProp to revert to the default 60-minute interval. You generally
should not reduce this interval in production domains, as it increases LSASS processing overhead on the
domain controller; the size of that increase depends on the number of protected objects in the domain.
Running SDProp Manually
A better approach to testing AdminSDHolder changes is to run SDProp manually, which causes the task to run
immediately but does not affect scheduled execution. Running SDProp manually is performed slightly
differently on domain controllers running Windows Server 2008 and earlier than it is on domain controllers
running Windows Server 2012 or Windows Server 2008 R2.
Procedures for running SDProp manually on older operating systems are provided in Microsoft Support article
251343, and following are step-by-step instructions for older and newer operating systems. In either case, you
must connect to the rootDSE object in Active Directory and perform a modify operation with a null DN for the
rootDSE object, specifying the name of the operation as the attribute to modify. For more information about
modifiable operations on the rootDSE object, see rootDSE Modify Operations on the MSDN website.
Running SDProp Manually in Windows Server 2008 or Earlier
You can force SDProp to run by using Ldp.exe or by running an LDAP modification script. To run SDProp using
Ldp.exe, perform the following steps after you have made changes to the AdminSDHolder object in a domain:
1. Launch Ldp.exe .
2. Click Connection on the Ldp dialog box, and click Connect .
3. In the Connect dialog box, type the name of the domain controller for the domain that holds the PDC
Emulator (PDCE) role and click OK .
4. Verify that you have connected successfully, as indicated by Dn: (RootDSE) in the following screenshot,
click Connection and click Bind .
5. In the Bind dialog box, type the credentials of a user account that has permission to modify the rootDSE
object. (If you are logged on as that user, you can select Bind as currently logged on user.) Click OK .
6. After you have completed the bind operation, click Browse , and click Modify .
7. In the Modify dialog box, leave the DN field blank. In the Edit Entry Attribute field, type
FixUpInheritance , and in the Values field, type Yes . Click Enter to populate the Entry List as shown in
the following screen shot.
8. In the populated Modify dialog box, click Run, and verify that the changes you made to the
AdminSDHolder object have appeared on that object.
NOTE
For information about modifying AdminSDHolder to allow designated unprivileged accounts to modify the membership of
protected groups, see Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active
Directory.
If you prefer to run SDProp manually via LDIFDE or a script, you can create a modify entry as shown here:
Running SDProp Manually in Windows Server 2012 or Windows Server 2008 R2
You can also force SDProp to run by using Ldp.exe or by running an LDAP modification script. To run SDProp
using Ldp.exe, perform the following steps after you have made changes to the AdminSDHolder object in a
domain:
1. Launch Ldp.exe .
2. In the Ldp dialog box, click Connection , and click Connect .
3. In the Connect dialog box, type the name of the domain controller for the domain that holds the PDC
Emulator (PDCE) role and click OK .
4. Verify that you have connected successfully, as indicated by Dn: (RootDSE) in the following screenshot,
click Connection and click Bind .
5. In the Bind dialog box, type the credentials of a user account that has permission to modify the rootDSE
object. (If you are logged on as that user, you can select Bind as currently logged on user .) Click OK .
6. After you have completed the bind operation, click Browse , and click Modify .
7. In the Modify dialog box, leave the DN field blank. In the Edit Entry Attribute field, type
RunProtectAdminGroupsTask , and in the Values field, type 1 . Click Enter to populate the entry list as
shown here.
8. In the populated Modify dialog box, click Run , and verify that the changes you made to the
AdminSDHolder object have appeared on that object.
If you prefer to run SDProp manually via LDIFDE or a script, you can create a modify entry as shown here:
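The following PowerShell is an added example for this section, not script from the guide itself. It performs the same rootDSE modify that the Ldp.exe steps above describe (either operation name, and optionally through an LDIF change record imported with ldifde.exe), and then checks what a practitioner actually wants to know after editing AdminSDHolder: whether every protected object (stamped adminCount=1 by SDProp) now carries the template DACL with inheritance disabled. It assumes the ActiveDirectory RSAT module, an account permitted to modify rootDSE on the PDCE, and function names chosen here for illustration.

```powershell
# Added example (not from the original guide): run SDProp on demand and verify that the
# AdminSDHolder permissions reached the protected objects. Assumes the ActiveDirectory
# RSAT module and rights to modify rootDSE on the PDC Emulator. Function names are assumed.
Import-Module ActiveDirectory

function Invoke-SDProp {
    param(
        [Parameter(Mandatory)] [string] $Server,   # must be the PDCE; SDProp runs nowhere else
        # RunProtectAdminGroupsTask / 1 is the operation for Windows Server 2008 R2 and later;
        # FixUpInheritance / Yes is the operation the guide gives for Windows Server 2008 and earlier.
        [ValidateSet('RunProtectAdminGroupsTask', 'FixUpInheritance')]
        [string] $Operation = 'RunProtectAdminGroupsTask',
        [switch] $UseLdifde                         # express the same modify as an LDIF record instead
    )
    $value = if ($Operation -eq 'FixUpInheritance') { 'Yes' } else { '1' }

    if ($UseLdifde) {
        # LDIF change record: empty DN (rootDSE), one attribute named after the operation.
        $ldif = "dn:`nchangetype: modify`nadd: $Operation`n${Operation}: $value`n-`n"
        $file = Join-Path $env:TEMP 'run-sdprop.ldf'
        Set-Content -Path $file -Value $ldif -Encoding ASCII
        & ldifde.exe -i -f $file -s $Server
        Remove-Item $file -ErrorAction SilentlyContinue
        return
    }
    # ADSI equivalent of the Ldp.exe steps: bind to rootDSE, set the operation, commit.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put($Operation, $value)
    $rootDse.SetInfo()
}

function Get-AceSignatures {
    # Reduce a DACL to sortable strings so that ACE order does not affect the comparison.
    param([System.DirectoryServices.ActiveDirectorySecurity] $Sd)
    $Sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
                $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType, $_.InheritanceType
        } | Sort-Object -Unique
}

function Test-AdminSDHolderPropagation {
    param([Parameter(Mandatory)] [string] $Server, [Parameter(Mandatory)] [string] $DomainDN)
    $holderDn = "CN=AdminSDHolder,CN=System,$DomainDN"
    $template = Get-ADObject -Server $Server -Identity $holderDn -Properties nTSecurityDescriptor
    $expected = Get-AceSignatures $template.nTSecurityDescriptor

    # SDProp stamps adminCount=1 on every object it protects, so that is the candidate set.
    Get-ADObject -Server $Server -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor |
        ForEach-Object {
            $actual = Get-AceSignatures $_.nTSecurityDescriptor
            $diff   = Compare-Object -ReferenceObject @($expected) -DifferenceObject @($actual)
            [pscustomobject]@{
                Name                = $_.Name
                InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
                DaclMatchesTemplate = ($null -eq $diff)
                ExtraOrMissingAces  = @($diff).Count
            }
        }
}

# Usage: trigger SDProp on the PDCE, then list anything still out of sync with AdminSDHolder.
$domain = Get-ADDomain
Invoke-SDProp -Server $domain.PDCEmulator
Start-Sleep -Seconds 10
Test-AdminSDHolderPropagation -Server $domain.PDCEmulator -DomainDN $domain.DistinguishedName |
    Where-Object { -not $_.DaclMatchesTemplate -or -not $_.InheritanceDisabled }
```

After a successful run the filtered output is empty. Any object listed with DaclMatchesTemplate = False either has not been processed yet (wait one more pass) or is being modified by something other than SDProp, which is worth investigating. Note that adminCount=1 is never cleared by SDProp, so accounts removed from protected groups keep the template DACL and still appear in the candidate set until an administrator resets the attribute and re-enables inheritance.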
Appendix D: Securing Built-In Administrator
Accounts in Active Directory
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
NOTE
This guide used to recommend disabling the account. That recommendation was removed because the forest recovery white paper
makes use of the default Administrator account: it is the only account that can log on without a Global Catalog
server being available.
NOTE
These settings will ensure that the domain's built-in Administrator account cannot be used to connect to a domain
controller, although the account, if enabled, can log on locally to domain controllers. Because this account should only be
enabled and used in disaster-recovery scenarios, it is anticipated that physical access to at least one domain controller will
be available, or that other accounts with permissions to access domain controllers remotely can be used.
3. To enable the Smart card is required for interactive logon flag on the account, perform the
following steps:
a. Right-click the Administrator account and select Properties .
b. Click the Account tab.
c. Under Account options, select the Smart card is required for interactive logon flag as
indicated in the following screenshot, and click OK .
Configuring GPOs to Restrict Administrator Accounts at the Domain-Level
WARNING
This GPO should never be linked at the domain-level because it can make the built-in Administrator account unusable,
even in disaster recovery scenarios.
1. In Server Manager , click Tools , and click Group Policy Management .
2. In the console tree, expand <Forest>\Domains\<Domain>, and then Group Policy Objects (where <Forest> is the name of the forest
and <Domain> is the name of the domain where you want to create the Group Policy).
3. In the console tree, right-click Group Policy Objects , and click New .
4. In the New GPO dialog box, type <GPO Name>, and click OK (where <GPO Name> is the name of this GPO) as indicated in the
following screenshot.
7. Configure the user rights to prevent the Administrator account from accessing member servers and
workstations over the network by doing the following:
a. Double-click Deny access to this computer from the network and select Define these
policy settings .
b. Click Add User or Group and click Browse .
c. Type Administrator , click Check Names , and click OK . Verify that the account is displayed in
<Domain>\Username format as indicated in the following screenshot.
IMPORTANT
When you add the Administrator account to these settings, you specify whether you are configuring a local Administrator
account or a domain Administrator account by how you label the accounts. For example, to add the TAILSPINTOYS
domain's Administrator account to these deny rights, you would browse to the Administrator account for the
TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator. If you type "Administrator" in these user
rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to
which the GPO is applied, as described earlier.
Verification Steps
The verification steps outlined here are specific to Windows 8 and Windows Server 2012.
Verify "Smart card is required for interactive logon" Account Option
1. From any member server or workstation affected by the GPO changes, attempt to log on interactively to the
domain by using the domain's built-in Administrator account. After attempting to log on, a dialog box similar
to the following should appear.
Verify "Account is disabled" Account Option
1. From any member server or workstation affected by the GPO changes, attempt to log on interactively to the
domain by using the domain's built-in Administrator account. After attempting to log on, a dialog box similar
to the following should appear.
Verify "Deny access to this computer from the network" GPO Settings
From any member server or workstation that is not affected by the GPO changes (such as a jump server),
attempt to access a member server or workstation over the network that is affected by the GPO changes. To
verify the GPO settings, attempt to map the system drive by using the NET USE command by performing the
following steps:
1. Log on to the domain using the domain's built-in Administrator account.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type command prompt , right-click Command Prompt , and then click Run as
administrator to open an elevated command prompt.
4. When prompted to approve the elevation, click Yes .
5. In the Command Prompt window, type net use \\<Server Name>\c$ , where <Server Name> is the
name of the member server or workstation you are attempting to access over the network.
6. The following screenshot shows the error message that should appear.
Verify "Deny logon as a batch job" GPO Settings
From any member server or workstation affected by the GPO changes, log on locally.
Create a Batch File
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type notepad , and click Notepad .
3. In Notepad , type dir c:.
4. Click File and click Save As .
5. In the Filename field, type <Filename>.bat (where <Filename> is the name of the new batch file).
Schedule a Task
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type task scheduler , and click Task Scheduler .
NOTE
On computers running Windows 8, in the Search box, type schedule tasks , and click Schedule tasks .
Verify "Deny logon as a service" GPO Settings
1. From any member server or workstation affected by the GPO changes, log on locally.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type services , and click Services .
4. Locate and double-click Print Spooler .
5. Click the Log On tab.
6. Under Log on as:, select This account .
7. Click Browse , type the name of the BA account at the domain-level, click Check Names , and click OK .
8. Under Password: and Confirm password:, type the Administrator account's password, and click OK .
9. Click OK three more times.
10. Right-click the Print Spooler service and select Restart .
11. When the service is restarted, a dialog box similar to the following should appear.
Revert Changes to the Print Spooler Service
1. From any member server or workstation affected by the GPO changes, log on locally.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type services , and click Services .
4. Locate and double-click Print Spooler .
5. Click the Log On tab.
6. Under Log on as:, select the Local System account, and click OK .
Verify "Deny logon through Remote Desktop Services" GPO Settings
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type remote desktop connection , and click Remote Desktop Connection .
3. In the Computer field, type the name of the computer that you want to connect to, and click Connect .
(You can also type the IP address instead of the computer name.)
4. When prompted, provide credentials for the name of the BA account at the domain-level.
5. A dialog box similar to the following should appear.
Appendix E: Securing Enterprise Admins Groups in
Active Directory
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
b. Select a member of the group, click Remove , click Yes , and click OK .
5. Repeat step 2 until all members of the EA group have been removed.
Step-by-Step Instructions to Secure Enterprise Admins in Active Directory
1. In Server Manager , click Tools , and click Group Policy Management .
2. In the console tree, expand <Forest>\Domains\<Domain>, and then Group Policy Objects (where <Forest> is the name of the forest
and <Domain> is the name of the domain where you want to set the Group Policy).
NOTE
In a forest that contains multiple domains, a similar GPO should be created in each domain that requires that the
Enterprise Admins group be secured.
3. In the console tree, right-click Group Policy Objects , and click New .
4. In the New GPO dialog box, type <GPO Name>, and click OK (where <GPO Name> is the name of this GPO).
7. Configure the user rights to prevent members of the Enterprise Admins group from accessing member
servers and workstations over the network by doing the following:
a. Double-click Deny access to this computer from the network and select Define these
policy settings .
b. Click Add User or Group and click Browse .
c. Type Enterprise Admins , click Check Names , and click OK .
d. Click OK , and OK again.
8. Configure the user rights to prevent members of the Enterprise Admins group from logging on as a
batch job by doing the following:
a. Double-click Deny log on as a batch job and select Define these policy settings .
b. Click Add User or Group and click Browse .
NOTE
In a forest that contains multiple domains, click Locations and select the root domain of the forest.
IMPORTANT
If jump servers are used to administer domain controllers and Active Directory, ensure that the jump servers are located in an
OU to which this GPO is not linked.
Verification Steps
Verify "Deny access to this computer from the network" GPO Settings
From any member server or workstation that is not affected by the GPO changes (such as a "jump server"),
attempt to access a member server or workstation over the network that is affected by the GPO changes. To
verify the GPO settings, attempt to map the system drive by using the NET USE command by performing the
following steps:
1. Log on locally using an account that is a member of the EA group.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type command prompt , right-click Command Prompt , and then click Run as
administrator to open an elevated command prompt.
4. When prompted to approve the elevation, click Yes .
5. In the Command Prompt window, type net use \\<Server Name>\c$ , where <Server Name> is the
name of the member server or workstation you're attempting to access over the network.
6. The following screenshot shows the error message that should appear.
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type notepad , and click Notepad .
3. In Notepad , type dir c:.
4. Click File , and click Save As .
5. In the File name box, type <Filename>.bat (where <Filename> is the name of the new batch file).
Schedule a Task
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type task scheduler , and click Task Scheduler .
NOTE
On computers running Windows 8, in the Search box, type schedule tasks , and click Schedule tasks .
Appendix F: Securing Domain Admins Groups in Active Directory
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
4. In the New GPO dialog box, type <GPO Name>, and click OK (where <GPO Name> is the name of this
GPO).
7. Configure the user rights to prevent members of the Domain Admins group from accessing member
servers and workstations over the network by doing the following:
a. Double-click Deny access to this computer from the network and select Define these
policy settings .
b. Click Add User or Group and click Browse .
c. Type Domain Admins , click Check Names , and click OK .
IMPORTANT
If jump servers are used to administer domain controllers and Active Directory, ensure that the jump servers
are located in an OU to which this GPO is not linked.
Verification Steps
Verify "Deny access to this computer from the network" GPO Settings
From any member server or workstation that is not affected by the GPO changes (such as a "jump server"),
attempt to access a member server or workstation over the network that is affected by the GPO changes. To
verify the GPO settings, attempt to map the system drive by using the NET USE command.
1. Log on locally using an account that is a member of the Domain Admins group.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type command prompt , right-click Command Prompt , and then click Run as
administrator to open an elevated command prompt.
4. When prompted to approve the elevation, click Yes .
5. In the Command Prompt window, type net use \\<Server Name>\c$ , where <Server Name> is the
name of the member server or workstation you're attempting to access over the network.
6. The following screenshot shows the error message that should appear.
Verify "Deny logon as a batch job" GPO Settings
From any member server or workstation affected by the GPO changes, log on locally.
Create a Batch File
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type notepad , and click Notepad .
3. In Notepad , type dir c:.
4. Click File , and click Save As .
5. In the File name field, type <Filename>.bat (where <Filename> is the name of the new batch file).
Schedule a Task
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type task scheduler , and click Task Scheduler .
NOTE
On computers running Windows 8, in the Search box, type schedule tasks , and click Schedule tasks .
3. In the Task Scheduler menu bar, click Action , and click Create Task .
4. In the Create Task dialog box, type <Task Name> (where <Task Name> is the name of the new task).
5. Click the Actions tab, and click New .
6. In the Action field, select Start a program .
7. Under Program/script , click Browse , locate and select the batch file created in the Create a Batch File
section, and click Open .
8. Click OK .
9. Click the General tab.
10. Under Security options, click Change User or Group .
11. Type the name of an account that is a member of the Domain Admins group, click Check Names , and
click OK .
12. Select Run whether the user is logged on or not and select Do not store password . The task will
only have access to local computer resources.
13. Click OK .
14. A dialog box should appear, requesting user account credentials to run the task.
15. After entering the credentials, click OK .
16. A dialog box similar to the following should appear.
Verify "Deny logon as a service" GPO Settings
1. From any member server or workstation affected by the GPO changes, log on locally.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type services , and click Services .
4. Locate and double-click Print Spooler .
5. Click the Log On tab.
6. Under Log on as , select the This account option.
7. Click Browse , type the name of an account that is a member of the Domain Admins group, click Check
Names , and click OK .
8. Under Password and Confirm password , type the selected account's password, and click OK .
9. Click OK three more times.
10. Right-click Print Spooler and click Restart .
11. When the service is restarted, a dialog box similar to the following should appear.
Revert Changes to the Print Spooler Service
1. From any member server or workstation affected by the GPO changes, log on locally.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type services , and click Services .
4. Locate and double-click Print Spooler .
5. Click the Log On tab.
6. Under Log on as , select the Local System account, and click OK .
Verify "Deny logon locally" GPO Settings
1. From any member server or workstation affected by the GPO changes, attempt to log on locally using an
account that is a member of the Domain Admins group. A dialog box similar to the following should
appear.
Verify "Deny logon through Remote Desktop Services" GPO Settings
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type remote desktop connection , and click Remote Desktop Connection .
3. In the Computer field, type the name of the computer that you want to connect to, and click Connect .
(You can also type the IP address instead of the computer name.)
4. When prompted, provide credentials for an account that is a member of the Domain Admins group.
5. A dialog box similar to the following should appear.
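The manual verification steps in Appendices D, E and F (mapping c$, scheduling a task, reconfiguring the Print Spooler, trying an RDP session) each exercise one Deny right for one principal. The PowerShell below is an added example, not part of the guide, that checks all of them at once from an affected member server by exporting the effective user rights assignment with secedit.exe and matching the SIDs it contains. Because it resolves names to SIDs, it also makes the distinction in the IMPORTANT note above concrete: TAILSPINTOYS\Administrator resolves to the domain's RID-500 account, while a bare Administrator resolves to the local account. The domain name TAILSPINTOYS is taken from the guide's own example; the function names are assumed.

```powershell
# Added example (not from the original guide): confirm that the "Deny ..." user rights from the
# appendix GPOs are in effect on this member server for the intended SIDs. Run from an elevated
# prompt on a computer the GPO applies to. Function names and the TAILSPINTOYS domain are assumed.

function Get-LocalUserRightsAssignment {
    # secedit exports the effective local policy; the [Privilege Rights] section lists each
    # right as "SeDenyNetworkLogonRight = *S-1-5-21-...-500,*S-1-5-32-544".
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inPrivileges = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]$') { $inPrivileges = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inPrivileges -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function ConvertTo-Sid([string] $Account) {
    # "DOMAIN\Administrator" resolves to that domain's RID-500 account; a bare "Administrator"
    # resolves to the local account. This is the difference the guide's IMPORTANT note describes.
    ([System.Security.Principal.NTAccount] $Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-DenyRights {
    param(
        [Parameter(Mandatory)] [string[]] $Principals,
        [string[]] $Rights = @('SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight',
                               'SeDenyServiceLogonRight', 'SeDenyRemoteInteractiveLogonRight')
    )
    $assigned = Get-LocalUserRightsAssignment
    foreach ($p in $Principals) {
        $sid = ConvertTo-Sid $p
        foreach ($r in $Rights) {
            [pscustomobject]@{
                Principal = $p
                Sid       = $sid
                Right     = $r
                Denied    = [bool]($assigned[$r] -contains $sid)   # $null list -> False
            }
        }
    }
}

function Test-LocalAdministratorsNotLockedOut {
    # S-1-5-32-544 is the computer's own Administrators group. Denying it local or RDP
    # logon would block legitimate administration, so these two must come back False.
    $assigned = Get-LocalUserRightsAssignment
    foreach ($r in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        [pscustomobject]@{
            Right                     = $r
            LocalAdministratorsDenied = [bool]($assigned[$r] -contains 'S-1-5-32-544')
        }
    }
}

# Usage: every row should show Denied = True for the three domain principals,
# and both rows of the second check should show LocalAdministratorsDenied = False.
Test-DenyRights -Principals 'TAILSPINTOYS\Administrator',
                            'TAILSPINTOYS\Enterprise Admins',
                            'TAILSPINTOYS\Domain Admins' | Format-Table -AutoSize
Test-LocalAdministratorsNotLockedOut | Format-Table -AutoSize
```

Run the same script on the jump server used for administration: there, every Denied value should be False, which confirms that the GPO is not linked to the jump server's OU as the IMPORTANT notes require. A False result on an affected server usually means the GPO has not been applied yet (run gpupdate /force and re-check) or that the principal was typed as a bare name and therefore resolved to the local account instead of the domain one.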
Appendix G: Securing Administrators Groups in
Active Directory
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
b. Select a member of the group, click Remove , click Yes , and click OK .
3. Repeat step 2 until all members of the Administrators group have been removed.
Step-by-Step Instructions to Secure Administrators Groups in Active Directory
1. In Server Manager , click Tools , and click Group Policy Management .
2. In the console tree, expand <Forest>\Domains\<Domain>, and then Group Policy Objects (where
<Forest> is the name of the forest and <Domain> is the name of the domain where you want to set the
Group Policy).
3. In the console tree, right-click Group Policy Objects , and click New .
4. In the New GPO dialog box, type <GPO Name>, and click OK (where <GPO Name> is the name of this GPO).
7. Configure the user rights to prevent members of the Administrators group from accessing member
servers and workstations over the network by doing the following:
a. Double-click Deny access to this computer from the network and select Define these
policy settings .
b. Click Add User or Group and click Browse .
c. Type Administrators , click Check Names , and click OK .
IMPORTANT
If jump servers are used to administer domain controllers and Active Directory, ensure that the jump servers
are located in an OU to which this GPO is not linked.
NOTE
When you implement restrictions on the Administrators group in GPOs, Windows applies the settings to
members of a computer's local Administrators group in addition to the domain's Administrators group.
Therefore, you should use caution when implementing restrictions in the Administrators group. Although
prohibiting network, batch, and service logons for members of the Administrators group is advised
wherever it is feasible to implement, do not restrict local logons or logons through Remote Desktop
Services. Blocking these logon types can block legitimate administration of a computer by members of the
local Administrators group.
The following screenshot shows configuration settings that block misuse of built-in local and domain
Administrator accounts, in addition to misuse of built-in local or domain Administrators groups. Note that
the Deny log on through Remote Desktop Services user right does not include the Administrators
group, because including it in this setting would also block these logons for accounts that are members of
the local computer's Administrators group. If services on computers are configured to run in the context of
any of the privileged groups described in this section, implementing these settings can cause services and
applications to fail. Therefore, as with all of the recommendations in this section, you should thoroughly
test settings for applicability in your environment.
Step-by-Step Instructions to Grant User Rights to the Administrators Group
1. In Server Manager, click Tools, and click Group Policy Management.
2. In the console tree, expand <Forest>\Domains\<Domain>, and then Group Policy Objects (where
<Forest> is the name of the forest and <Domain> is the name of the domain where you want to set the
Group Policy).
3. In the console tree, right-click Group Policy Objects , and click New .
4. In the New GPO dialog box, type <GPO Name>, and click OK (where <GPO Name> is the name of this GPO).
Verification Steps
Verify "Deny access to this computer from the network" GPO Settings
From any member server or workstation that is not affected by the GPO changes (such as a "jump server"),
attempt to access a member server or workstation over the network that is affected by the GPO changes. To
verify the GPO settings, attempt to map the system drive by using the NET USE command.
1. Log on locally using an account that is a member of the Administrators group.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type command prompt , right-click Command Prompt , and then click Run as
administrator to open an elevated command prompt.
4. When prompted to approve the elevation, click Yes .
5. In the Command Prompt window, type net use \\<Server Name>\c$, where <Server Name> is the
name of the member server or workstation you're attempting to access over the network.
6. The following screenshot shows the error message that should appear.
Verify "Deny log on as a batch job" GPO Settings
From any member server or workstation affected by the GPO changes, log on locally.
Create a Batch File
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type notepad , and click Notepad .
3. In Notepad , type dir c:.
4. Click File , and click Save As .
5. In the File name field, type <Filename>.bat (where <Filename> is the name of the new batch file).
Schedule a Task
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type task scheduler , and click Task Scheduler .
NOTE
On computers running Windows 8, in the Search box, type schedule tasks, and click Schedule tasks.
Verify "Deny log on as a service" GPO Settings
1. From any member server or workstation affected by the GPO changes, log on locally.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type services, and click Services.
4. Locate and double-click Print Spooler .
5. Click the Log On tab.
6. In the Log on as field, select This account .
7. Click Browse , type the name of an account that is a member of the Administrators group, click Check
Names , and click OK .
8. In the Password and Confirm password fields, type the selected account's password, and click OK .
9. Click OK three more times.
10. Right-click Print Spooler and click Restart.
11. When the service is restarted, a dialog box similar to the following should appear.
Revert Changes to the Printer Spooler Service
1. From any member server or workstation affected by the GPO changes, log on locally.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type services, and click Services.
4. Locate and double-click Print Spooler .
5. Click the Log On tab.
6. In the Log on as field, click Local System account, and click OK .
Appendix H: Securing Local Administrator Accounts
and Groups
3/5/2021 • 9 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
1. In Server Manager, click Tools, and click Group Policy Management.
2. In the console tree, expand <Forest>\Domains\<Domain>, and then Group Policy Objects (where
<Forest> is the name of the forest and <Domain> is the name of the domain where you want to set the
Group Policy).
3. In the console tree, right-click Group Policy Objects , and click New .
4. In the New GPO dialog box, type <GPO Name> , and click OK (where <GPO Name> is the name of this
GPO).
7. Configure the user rights to prevent the local Administrator account from accessing member servers
and workstations over the network by doing the following:
a. Double-click Deny access to this computer from the network and select Define these
policy settings .
b. Click Add User or Group , type the user name of the local Administrator account, and click OK .
This user name will be Administrator , the default when Windows is installed.
c. Click OK.
IMPORTANT
When you add the Administrator account to these settings, you specify whether you are configuring a
local Administrator account or a domain Administrator account by how you label the accounts. For
example, to add the TAILSPINTOYS domain's Administrator account to these deny rights, you would
browse to the Administrator account for the TAILSPINTOYS domain, which would appear as
TAILSPINTOYS\Administrator. If you type Administrator in these user rights settings in the Group Policy
Object Editor, you will restrict the local Administrator account on each computer to which the GPO is
applied, as described earlier.
8. Configure the user rights to prevent the local Administrator account from logging on as a batch job by
doing the following:
a. Double-click Deny log on as a batch job and select Define these policy settings .
b. Click Add User or Group , type the user name of the local Administrator account, and click OK .
This user name will be Administrator , the default when Windows is installed.
c. Click OK .
IMPORTANT
When you add the Administrator account to these settings, you specify whether you are configuring a local
Administrator account or a domain Administrator account by how you label the accounts. For example, to
add the TAILSPINTOYS domain's Administrator account to these deny rights, you would browse to the
Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator.
If you type Administrator in these user rights settings in the Group Policy Object Editor, you will restrict
the local Administrator account on each computer to which the GPO is applied, as described earlier.
9. Configure the user rights to prevent the local Administrator account from logging on as a service by
doing the following:
a. Double-click Deny log on as a service and select Define these policy settings.
b. Click Add User or Group , type the user name of the local Administrator account, and click OK .
This user name will be Administrator , the default when Windows is installed.
c. Click OK .
IMPORTANT
When you add the Administrator account to these settings, you specify whether you are configuring a local
Administrator account or a domain Administrator account by how you label the accounts. For example, to
add the TAILSPINTOYS domain's Administrator account to these deny rights, you would browse to the
Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator.
If you type Administrator in these user rights settings in the Group Policy Object Editor, you will restrict
the local Administrator account on each computer to which the GPO is applied, as described earlier.
10. Configure the user rights to prevent the local Administrator account from accessing member servers and
workstations via Remote Desktop Services by doing the following:
a. Double-click Deny log on through Remote Desktop Services and select Define these
policy settings.
b. Click Add User or Group , type the user name of the local Administrator account, and click OK .
This user name will be Administrator , the default when Windows is installed.
c. Click OK .
IMPORTANT
When you add the Administrator account to these settings, you specify whether you are configuring a local
Administrator account or a domain Administrator account by how you label the accounts. For example, to
add the TAILSPINTOYS domain's Administrator account to these deny rights, you would browse to the
Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator.
If you type Administrator in these user rights settings in the Group Policy Object Editor, you will restrict
the local Administrator account on each computer to which the GPO is applied, as described earlier.
11. To exit Group Policy Management Editor , click File , and click Exit .
12. In Group Policy Management , link the GPO to the member server and workstation OUs by doing the
following:
a. Navigate to the <Forest>\Domains\<Domain> (where <Forest> is the name of the forest and
<Domain> is the name of the domain where you want to set the Group Policy).
b. Right-click the OU that the GPO will be applied to and click Link an existing GPO .
From any member server or workstation that is not affected by the GPO changes (such as a jump server),
attempt to access a member server or workstation over the network that is affected by the GPO changes. To
verify the GPO settings, attempt to map the system drive by using the NET USE command.
1. Log on locally to any member server or workstation that is not affected by the GPO changes.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type command prompt , right-click Command Prompt , and then click Run as
administrator to open an elevated command prompt.
4. When prompted to approve the elevation, click Yes .
5. In the Command Prompt window, type net use \\<Server Name>\c$ /user:<Server Name>\Administrator ,
where <Server Name> is the name of the member server or workstation you're attempting to access
over the network.
NOTE
The local Administrator credentials must be from the same system you're attempting to access over the network.
6. The following screenshot shows the error message that should appear.
Verify "Deny log on as a batch job" GPO Settings
From any member server or workstation affected by the GPO changes, log on locally.
Create a Batch File
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type notepad , and click Notepad .
3. In Notepad , type dir c:.
4. Click File , and click Save As .
5. In the File name box, type <Filename>.bat (where <Filename> is the name of the new batch file).
Schedule a Task
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type task scheduler, and click Task Scheduler .
NOTE
On computers running Windows 8, in the Search box, type schedule tasks , and click Schedule tasks .
Verify "Deny log on as a service" GPO Settings
1. From any member server or workstation affected by the GPO changes, log on locally.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type services, and click Services.
4. Locate and double-click Print Spooler .
5. Click the Log On tab.
6. In the Log on as field, click This account.
7. Click Browse , type the system's local Administrator account, click Check Names , and click OK .
8. In the Password and Confirm password fields, type the selected account's password, and click OK .
9. Click OK three more times.
10. Right-click Print Spooler and click Restart.
11. When the service is restarted, a dialog box similar to the following should appear.
Revert Changes to the Printer Spooler Service
1. From any member server or workstation affected by the GPO changes, log on locally.
2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
3. In the Search box, type services, and click Services.
4. Locate and double-click Print Spooler .
5. Click the Log On tab.
6. In the Log on as field, select Local System account, and click OK.
Verify "Deny log on through Remote Desktop Services" GPO Settings
1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the
Charms bar appears, click Search .
2. In the Search box, type remote desktop connection , and click Remote Desktop Connection .
3. In the Computer field, type the name of the computer that you want to connect to, and click Connect .
(You can also type the IP address instead of the computer name.)
4. When prompted, provide credentials for the system's local Administrator account.
5. A dialog box similar to the following should appear.
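Both verification sections above (the Administrators group GPO in the previous appendix and the local Administrator account GPO here) can be checked in one pass by reading the effective user rights on the affected computer instead of attempting each logon type by hand. This is an added example, not code from the guide; it assumes secedit.exe is available (it ships with Windows), that the local Administrator account still has RID 500 whatever its current name, and that it runs in an elevated PowerShell session on the member server or workstation after the GPO has applied.

```powershell
# Added example (not part of the guide): compare the effective "Deny ..." user rights
# on this computer with what the two Appendix procedures configure.
# Run elevated on the affected member server or workstation, after "gpupdate /force".

function Get-EffectiveUserRights {
    # Export the local policy's [Privilege Rights] section with secedit and return a
    # hashtable: right name -> array of SID strings (or unresolved names).
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name  = $Matches[1]
        $value = $Matches[2]
        # Entries look like "*S-1-5-32-544,*S-1-5-21-...-500"; an entry without a
        # leading "*" is a principal secedit could not resolve and is kept verbatim.
        $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-DenyLogonRights {
    $rights = Get-EffectiveUserRights
    # RID 500 identifies the built-in local Administrator even if it was renamed.
    $localAdminSid = (Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE AND SID LIKE '%-500'").SID
    $adminsGroup   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    # Expected state per the guide: the Administrators group is denied network, batch and
    # service logon but NOT local (interactive) or Remote Desktop logon, because those
    # settings would also lock out members of each computer's local Administrators group;
    # the local Administrator account is denied all four.
    $expected = @(
        @{ Right = 'SeDenyNetworkLogonRight';           Sid = $adminsGroup;   Deny = $true  }
        @{ Right = 'SeDenyBatchLogonRight';             Sid = $adminsGroup;   Deny = $true  }
        @{ Right = 'SeDenyServiceLogonRight';           Sid = $adminsGroup;   Deny = $true  }
        @{ Right = 'SeDenyInteractiveLogonRight';       Sid = $adminsGroup;   Deny = $false }
        @{ Right = 'SeDenyRemoteInteractiveLogonRight'; Sid = $adminsGroup;   Deny = $false }
        @{ Right = 'SeDenyNetworkLogonRight';           Sid = $localAdminSid; Deny = $true  }
        @{ Right = 'SeDenyBatchLogonRight';             Sid = $localAdminSid; Deny = $true  }
        @{ Right = 'SeDenyServiceLogonRight';           Sid = $localAdminSid; Deny = $true  }
        @{ Right = 'SeDenyRemoteInteractiveLogonRight'; Sid = $localAdminSid; Deny = $true  }
    )
    foreach ($e in $expected) {
        $present = @($rights[$e.Right]) -contains $e.Sid
        [pscustomobject]@{
            Right     = $e.Right
            Principal = (New-Object System.Security.Principal.SecurityIdentifier($e.Sid)).Translate([System.Security.Principal.NTAccount]).Value
            Denied    = $present
            Expected  = $e.Deny
            Status    = if ($present -eq $e.Deny) { 'OK' } else { 'MISMATCH' }
        }
    }
}

Test-DenyLogonRights | Format-Table -AutoSize
```

A MISMATCH on a row whose Expected value is False means the GPO is blocking a logon type the guide says to leave open, which is the failure mode the NOTE above warns about.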
Appendix I: Creating Management Accounts for
Protected Accounts and Groups in Active Directory
3/5/2021 • 21 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
One of the challenges in implementing an Active Directory model that does not rely on permanent membership
in highly privileged groups is that there must be a mechanism to populate these groups when temporary
membership in the groups is required. Some privileged identity management solutions require that the
software's service accounts are granted permanent membership in groups such as DA or Administrators in each
domain in the forest. However, it is technically not necessary for Privileged Identity Management (PIM) solutions
to run their services in such highly privileged contexts.
This appendix provides information that you can use for natively implemented or third-party PIM solutions to
create accounts that have limited privileges and can be stringently controlled, but can be used to populate
privileged groups in Active Directory when temporary elevation is required. If you are implementing PIM as a
native solution, these accounts may be used by administrative staff to perform the temporary group population,
and if you're implementing PIM via third-party software, you might be able to adapt these accounts to function
as service accounts.
NOTE
The procedures described in this appendix provide one approach to the management of highly privileged groups in Active
Directory. You can adapt these procedures to suit your needs, add additional restrictions, or omit some of the restrictions
that are described here.
NOTE
By implementing the steps described in this appendix, you will create accounts that will be able to manage the
membership of all protected groups in each domain, not only the highest-privilege Active Directory groups like EAs, DAs
and BAs. For more information about protected groups in Active Directory, see Appendix C: Protected Accounts and
Groups in Active Directory.
2. In the New Object - Group dialog box, enter a name for the group. If you plan to use this group to
"activate" all management accounts in your forest, make it a universal security group. If you have a
single-domain forest or if you plan to create a group in each domain, you can create a global security
group. Click OK to create the group.
3. Right-click the group you just created, click Properties, and click the Object tab. In the group's Object
property dialog box, select Protect object from accidental deletion, which will not only prevent
otherwise-authorized users from deleting the group, but also from moving it to another OU unless the
attribute is first deselected.
NOTE
If you have already configured permissions on the group's parent OUs to restrict administration to a limited set of
users, you may not need to perform the following steps. They are provided here so that even if you have not yet
implemented limited administrative control over the OU structure in which you've created this group, you can
secure the group against modification by unauthorized users.
4. Click the Members tab, and add the accounts for members of your team who will be responsible for
enabling management accounts or populating protected groups when necessary.
5. If you have not already done so, in the Active Directory Users and Computers console, click View
and select Advanced Features. Right-click the group you just created, click Properties, and click the
Security tab. On the Security tab, click Advanced.
6. In the Advanced Security Settings for [Group] dialog box, click Disable Inheritance. When
prompted, click Convert inherited permissions into explicit permissions on this object, and click
OK to return to the group's Security dialog box.
7. On the Security tab, remove groups that should not be permitted to access this group. For example, if
you do not want Authenticated Users to be able to read the group's name and general properties, you
can remove that ACE. You can also remove ACEs, such as those for account operators and pre-Windows
2000 Server compatible access. You should, however, leave a minimum set of object permissions in place.
Leave the following ACEs intact:
SELF
SYSTEM
Domain Admins
Enterprise Admins
Administrators
Windows Authorization Access Group (if applicable)
ENTERPRISE DOMAIN CONTROLLERS
Although it may seem counterintuitive to allow the highest privileged groups in Active Directory to
manage this group, your goal in implementing these settings is not to prevent members of those groups
from making authorized changes. Rather, the goal is to ensure that when you have occasion to require
very high levels of privilege, authorized changes will succeed. It is for this reason that changing default
privileged group nesting, rights, and permissions is discouraged throughout this document. By leaving
default structures intact and emptying the membership of the highest privilege groups in the directory,
you can create a more secure environment that still functions as expected.
NOTE
If you have not already configured audit policies for the objects in the OU structure where you created this group,
you should configure auditing to log changes to this group.
8. You have completed configuration of the group that will be used to "check out" management accounts
when they are needed and "check in" the accounts when their activities have been completed.
Creating the Management Accounts
You should create at least one account that will be used to manage the membership of privileged groups in your
Active Directory installation, and preferably a second account to serve as a backup. Whether you choose to
create the management accounts in a single domain in the forest and grant them management capabilities for
all domains' protected groups, or whether you choose to implement management accounts in each domain in
the forest, the procedures are effectively the same.
NOTE
The steps in this document assume that you have not yet implemented role-based access controls and privileged identity
management for Active Directory. Therefore, some procedures must be performed by a user whose account is a member
of the Domain Admins group for the domain in question.
When you are using an account with DA privileges, you can log on to a domain controller to perform the configuration
activities. Steps that do not require DA privileges can be performed by less-privileged accounts that are logged on to
administrative workstations. Screen shots that show dialog boxes bordered in the lighter blue color represent activities
that can be performed on a domain controller. Screen shots that show dialog boxes in the darker blue color represent
activities that can be performed on administrative workstations with accounts that have limited privileges.
5. Provide an initial password for the user account, clear User must change password at next logon ,
select User cannot change password and Account is disabled , and click Next .
6. Verify that the account details are correct and click Finish .
7. Right-click the user object you just created and click Proper ties .
8. Click the Account tab.
9. In the Account Options field, select the Account is sensitive and cannot be delegated flag, select
the This account supports Kerberos AES 128 bit encryption and/or the This account supports
Kerberos AES 256 encryption flag, and click OK.
NOTE
Because this account, like other accounts, will have a limited, but powerful function, the account should only be
used on secure administrative hosts. For all secure administrative hosts in your environment, you should consider
implementing the Group Policy setting Network Security: Configure Encryption types allowed for
Kerberos to allow only the most secure encryption types you can implement for secure hosts.
Although implementing more secure encryption types for the hosts does not mitigate credential theft attacks, the
appropriate use and configuration of the secure hosts does. Setting stronger encryption types for hosts that are
only used by privileged accounts simply reduces the overall attack surface of the computers.
For more information about configuring encryption types on systems and accounts, see Windows Configurations
for Kerberos Supported Encryption Type.
These settings are supported only on computers running Windows Server 2012, Windows Server 2008 R2,
Windows 8, or Windows 7.
10. On the Object tab, select Protect object from accidental deletion . This will not only prevent the
object from being deleted (even by authorized users), but will prevent it from being moved to a different
OU in your AD DS hierarchy, unless the check box is first cleared by a user with permission to change the
attribute.
11. Click the Remote control tab.
12. Clear the Enable remote control flag. It should never be necessary for support staff to connect to this
account's sessions to implement fixes.
NOTE
Every object in Active Directory should have a designated IT owner and a designated business owner, as described
in Planning for Compromise. If you are tracking ownership of AD DS objects in Active Directory (as opposed to an
external database), you should enter appropriate ownership information in this object's properties.
In this case, the business owner is most likely an IT division, and there is no prohibition on business owners also
being IT owners. The point of establishing ownership of objects is to allow you to identify contacts when changes
need to be made to the objects, perhaps years from their initial creation.
NOTE
It is unlikely that this account will be used to log on to read-only domain controllers (RODCs) in your
environment. However, should circumstance ever require the account to log on to an RODC, you should add this
account to the Denied RODC Password Replication Group so that its password is not cached on the RODC.
Although the account's password should be reset after each use and the account should be disabled,
implementing this setting does not have a deleterious effect on the account, and it might help in situations in
which an administrator forgets to reset the account's password and disable it.
23. In the Permission Entry for [Account] dialog box, click Select a principal and add the group you
created in the previous procedure. Scroll to the bottom of the dialog box and click Clear all to remove all
default permissions.
24. Scroll to the top of the Permission Entry dialog box. Ensure that the Type drop-down list is set to
Allow, and in the Applies to drop-down list, select This object only.
25. In the Permissions field, select Read all properties, Read permissions, and Reset password.
26. In the Properties field, select Read userAccountControl and Write userAccountControl.
27. Click OK, and then click OK again in the Advanced Security Settings dialog box.
NOTE
The userAccountControl attribute controls multiple account configuration options. You cannot grant permission
to change only some of the configuration options when you grant write permission to the attribute.
28. In the Group or user names field of the Security tab, remove any groups that should not be permitted
to access or manage the account. Do not remove any groups that have been configured with Deny ACEs,
such as the Everyone group and the SELF computed account (that ACE was set when the User cannot
change password flag was enabled during creation of the account). Also do not remove the group you
just added, the SYSTEM account, or groups such as EA, DA, BA, or the Windows Authorization Access
Group.
29. Click Advanced and verify that the Advanced Security Settings dialog box looks similar to the following
screenshot.
30. Click OK , and OK again to close the account's property dialog box.
31. Setup of the first management account is now complete. You will test the account in a later procedure.
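The group procedure (steps 1-8 above) and the account procedure (steps 5-31) can be scripted with the ActiveDirectory module; the ACL trimming in step 7 of the group procedure and step 28 of the account procedure is the same operation, so one function serves both. This is an added example, not the guide's own code. It assumes a Domain Admin session with the ActiveDirectory module loaded (the AD: drive comes with it), and the names OU=PIM,DC=tailspintoys,DC=msft, PIM-Checkout-Operators, PIM001 and the two member accounts are constructed; the domain name is the guide's own sample. The "Reset Password" control right and the userAccountControl attribute are looked up in the forest schema rather than hard-coded.

```powershell
# Added example (not from the guide): create the "check-out" group and one management
# account with the settings the two procedures above configure by hand.
Import-Module ActiveDirectory

$ManagementOU  = 'OU=PIM,DC=tailspintoys,DC=msft'   # placeholder OU in the guide's sample domain
$CheckoutGroup = 'PIM-Checkout-Operators'            # constructed name for the group of the previous procedure
$AccountName   = 'PIM001'                            # sample management account name
$GroupMembers  = @('alice.admin', 'bob.admin')       # constructed: staff allowed to enable the accounts

$domain    = Get-ADDomain
$rootDse   = Get-ADRootDSE
$forestSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
# Principals whose Allow ACEs must stay: SELF, SYSTEM, Administrators, Windows Authorization
# Access Group, ENTERPRISE DOMAIN CONTROLLERS, Domain Admins, Enterprise Admins.
$keepSids = @('S-1-5-10', 'S-1-5-18', 'S-1-5-32-544', 'S-1-5-32-560', 'S-1-5-9',
              "$($domain.DomainSID.Value)-512", "$forestSid-519")

function Set-RestrictedAcl {
    # Disable inheritance (converting inherited ACEs to explicit ones), then remove every
    # Allow ACE whose principal is not on the keep list and add the rules in $Add.
    # Deny ACEs and unresolvable principals are left alone for manual review.
    param([string]$DistinguishedName, [string[]]$KeepSids,
          [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Add = @())
    $path = "AD:\$DistinguishedName"
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl          # write first, so the re-read DACL is all explicit
    $acl = Get-Acl -Path $path
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($KeepSids -notcontains $sid) { $acl.RemoveAccessRuleSpecific($ace) }
    }
    foreach ($rule in $Add) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

# Group (steps 1-8): universal security group, protected from deletion, members are the
# people who may "check out" a management account, ACL trimmed to the keep list.
New-ADGroup -Name $CheckoutGroup -SamAccountName $CheckoutGroup -Path $ManagementOU `
    -GroupScope Universal -GroupCategory Security
$group = Get-ADGroup -Identity $CheckoutGroup
Set-ADObject -Identity $group -ProtectedFromAccidentalDeletion $true
Add-ADGroupMember -Identity $group -Members $GroupMembers
Set-RestrictedAcl -DistinguishedName $group.DistinguishedName -KeepSids $keepSids

# Account (steps 5-12 and the RODC note): disabled, cannot change its own password, not
# delegatable, AES-only Kerberos, protected from deletion, password never cached on an RODC.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $AccountName"
New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $ManagementOU `
    -AccountPassword $initialPassword -Enabled $false -ChangePasswordAtLogon $false `
    -CannotChangePassword $true -AccountNotDelegated $true `
    -KerberosEncryptionType AES128, AES256
$user = Get-ADUser -Identity $AccountName
Set-ADObject -Identity $user -ProtectedFromAccidentalDeletion $true
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members $user

# Account ACL (steps 23-28): keep list plus three ACEs for the check-out group, applied
# to this object only. Both GUIDs are resolved from this forest's schema.
$resetPasswordGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$uacGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID).schemaIDGUID
$allow          = [System.Security.AccessControl.AccessControlType]::Allow
$thisObjectOnly = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$groupRules = @(
    # Read all properties + Read permissions
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ReadControl', $allow, $thisObjectOnly)),
    # Reset password (control access right)
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPasswordGuid, $thisObjectOnly)),
    # Read and Write userAccountControl (the whole attribute; see the NOTE after step 27)
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow, $uacGuid, $thisObjectOnly))
)
Set-RestrictedAcl -DistinguishedName $user.DistinguishedName -KeepSids ($keepSids + $group.SID.Value) -Add $groupRules
```

Re-read the account's ACL with Get-Acl afterwards and compare it with the screenshot referenced in step 29 before running the test procedure at the end of this appendix.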
Creating Additional Management Accounts
You can create additional management accounts by repeating the previous steps, by copying the account you
just created, or by creating a script to create accounts with your desired configuration settings. Note, however,
that if you copy the account you just created, many of the customized settings and ACLs will not be copied to the
new account and you will have to repeat most of the configuration steps.
You can instead create a group to which you delegate rights to populate and unpopulate protected groups, but
you will need to secure the group and the accounts you place in it. Because there should be very few accounts in
your directory that are granted the ability to manage the membership of protected groups, creating individual
accounts might be the simplest approach.
Regardless of how you choose to create a group into which you place the management accounts, you should
ensure that each account is secured as described earlier. You should also consider implementing GPO
restrictions similar to those described in Appendix D: Securing Built-In Administrator Accounts in Active
Directory.
Auditing Management Accounts
You should configure auditing on the account to log, at minimum, all writes to the account. This will allow you to
not only identify successful enabling of the account and resetting of its password during authorized uses, but to
also identify attempts by unauthorized users to manipulate the account. Failed writes on the account should be
captured in your Security Information and Event Monitoring (SIEM) system (if applicable), and should trigger
alerts that provide notification to the staff responsible for investigating potential compromises.
SIEM solutions take event information from involved security sources (for example, event logs, application data,
network streams, antimalware products, and intrusion detection sources), collate the data, and try to make
intelligent views and proactive actions. There are many commercial SIEM solutions, and many enterprises create
private implementations. A well designed and appropriately implemented SIEM can significantly enhance
security monitoring and incident response capabilities. However, capabilities and accuracy vary tremendously
between solutions. SIEMs are beyond the scope of this paper, but the specific event recommendations contained
should be considered by any SIEM implementer.
For more information about recommended audit configuration settings for domain controllers, see Monitoring
Active Directory for Signs of Compromise. Domain controller-specific configuration settings are provided in
Monitoring Active Directory for Signs of Compromise.
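One way to implement the auditing described above for a management account, as an added example that is not the guide's own code: set a SACL that audits every write-class operation on the account (success and failure), then collect the resulting Security events from a domain controller for the SIEM or a manual check. It assumes the domain controllers already audit Directory Service Access and Directory Service Changes as the monitoring guidance referenced above recommends, and the account name PIM001 and DC name DC01 are constructed placeholders.

```powershell
# Added example (not from the guide): audit all writes to a management account and
# list the events a SIEM rule for that account should key on.
Import-Module ActiveDirectory

function Enable-ManagementAccountAudit {
    # Adds a SACL entry so that every write-class operation on the account by anyone
    # (Everyone, S-1-1-0) is logged, whether it succeeds or fails.
    param([string]$SamAccountName)
    $path = "AD:\$((Get-ADUser -Identity $SamAccountName).DistinguishedName)"
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, WriteDacl, WriteOwner, Delete, ExtendedRight',
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl = Get-Acl -Path $path -Audit          # -Audit is required to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-ManagementAccountEvents {
    # Security events of interest on a domain controller:
    #   4722 account enabled, 4725 account disabled, 4724 password reset,
    #   4738 account changed, 5136 directory object modified (Directory Service Changes),
    #   4662 operation on an object (Directory Service Access); the Audit Failure
    #   entries among the 4662 events are the unauthorized write attempts to alert on.
    param([string]$SamAccountName, [string]$DomainController, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4722, 4725, 4724, 4738, 5136, 4662
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $pattern = "\b$([regex]::Escape($SamAccountName))\b"
    # 4662 sometimes names the object by GUID only; correlate those by objectGUID if needed.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                Summary = ($_.Message -split '\r?\n')[0]
            }
        }
}

# Constructed usage: audit the sample account and list the last day's activity from one DC.
Enable-ManagementAccountAudit -SamAccountName 'PIM001'
Get-ManagementAccountEvents -SamAccountName 'PIM001' -DomainController 'DC01' -Hours 24 | Format-Table -AutoSize
```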
Enabling Management Accounts to Modify the Membership of Protected Groups
In this procedure, you will configure permissions on the domain's AdminSDHolder object to allow the newly
created management accounts to modify the membership of protected groups in the domain. This procedure
cannot be performed via a graphical user interface (GUI).
As discussed in Appendix C: Protected Accounts and Groups in Active Directory, the ACL on a domain's
AdminSDHolder object is effectively "copied" to protected objects when the SDProp task runs. Protected groups
and accounts do not inherit their permissions from the AdminSDHolder object; their permissions are explicitly
set to match those on the AdminSDHolder object. Therefore, when you modify permissions on the
AdminSDHolder object, you must modify them for attributes that are appropriate to the type of the protected
object you are targeting.
In this case, you will be granting the newly created management accounts permission to read and write the
member attribute on group objects. However, the AdminSDHolder object is not a group object, and group
attributes are not exposed in the graphical ACL editor. It is for this reason that you will implement the
permissions changes via the Dsacls command-line utility. To grant the (disabled) management accounts
permissions to modify the membership of protected groups, perform the following steps:
1. Log on to a domain controller, preferably the domain controller holding the PDC Emulator (PDCE) role,
with the credentials of a user account that has been made a member of the DA group in the domain.
2. Open an elevated command prompt by right-clicking Command Prompt and click Run as
administrator .
NOTE
For more information about elevation and user account control (UAC) in Windows, see UAC Processes and
Interactions on the TechNet website.
4. At the Command Prompt, type (substituting your domain-specific information) Dsacls [distinguished
name of the AdminSDHolder object in your domain] /G [management account
UPN]:RPWP;member .
The previous command (which is not case-sensitive) works as follows:
Dsacls sets or displays ACEs on directory objects
CN=AdminSDHolder,CN=System,DC=TailSpinToys,DC=msft identifies the object to be modified
/G indicates that a grant ACE is being configured
PIM001@tailspintoys.msft is the User Principal Name (UPN) of the security principal to which the
ACEs will be granted
RPWP grants read property and write property permissions
Member is the name of the property (attribute) on which the permissions will be set
For more information about use of Dsacls , type Dsacls without any parameters at a command prompt.
If you have created multiple management accounts for the domain, you should run the Dsacls command
for each account. When you have completed the ACL configuration on the AdminSDHolder object, you
should force SDProp to run, or wait until its scheduled run completes. For information about forcing
SDProp to run, see "Running SDProp Manually" in Appendix C: Protected Accounts and Groups in Active
Directory.
When SDProp has run, you can verify that the changes you made to the AdminSDHolder object have
been applied to protected groups in the domain. You cannot verify this by viewing the ACL on the
AdminSDHolder object for the reasons previously described, but you can verify that the permissions have
been applied by viewing the ACLs on protected groups.
5. In Active Directory Users and Computers, verify that you have enabled Advanced Features (click View
and select Advanced Features). Locate the Domain Admins group, right-click the group, and click Properties.
6. Click the Security tab and click Advanced to open the Advanced Security Settings for Domain
Admins dialog box.
7. Select Allow ACE for the management account and click Edit . Verify that the account has been
granted only Read Members and Write Members permissions on the DA group, and click OK .
8. Click OK in the Advanced Security Settings dialog box, and click OK again to close the property dialog
box for the DA group.
9. You can repeat the previous steps for other protected groups in the domain; the permissions should be
the same for all protected groups. You have now completed creation and configuration of the
management accounts for the protected groups in this domain.
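The GUI check in steps 5 through 8 can be scripted for every protected group at once. The following is an added example, not a command from the guide; it assumes the management account is PIM001 (the guide's sample UPN) and that the Active Directory module is installed on the administrative host.

```powershell
# Added example: confirm that the member-attribute ACE granted on AdminSDHolder
# has been stamped by SDProp onto each protected group in the domain.
Import-Module ActiveDirectory

function Get-MemberAttributeGuid {
    # Resolve the schemaIDGUID of the 'member' attribute from the schema
    # instead of hard-coding it; property ACEs carry this GUID in ObjectType.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
    return [guid]$attr.schemaIDGUID
}

function Test-ProtectedGroupMemberAce {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$ManagementAccount   # sAMAccountName, e.g. PIM001 (assumed)
    )
    $memberGuid = Get-MemberAttributeGuid
    $group = Get-ADGroup -Identity $GroupName -Properties adminCount
    $acl = Get-Acl -Path ('AD:\' + $group.DistinguishedName)

    # Keep only Allow ACEs for the management account that target the 'member' attribute.
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$ManagementAccount" -and
        $_.ObjectType -eq $memberGuid
    }
    $rights = @($aces | ForEach-Object { $_.ActiveDirectoryRights.ToString() -split ',\s*' } | Sort-Object -Unique)
    $expected = @('ReadProperty', 'WriteProperty')   # what RPWP;member should produce
    $extra = @($rights | Where-Object { $_ -notin $expected })

    [pscustomobject]@{
        Group        = $GroupName
        AdminCount   = $group.adminCount
        Account      = $ManagementAccount
        HasReadWrite = ($rights -contains 'ReadProperty' -and $rights -contains 'WriteProperty')
        ExtraRights  = ($extra -join ',')   # anything here means more than the guide intends
    }
}

# adminCount=1 marks objects that SDProp protects (or once protected); review the list.
Get-ADGroup -LDAPFilter '(adminCount=1)' | ForEach-Object {
    Test-ProtectedGroupMemberAce -GroupName $_.Name -ManagementAccount 'PIM001'
} | Format-Table -AutoSize
```

Rows with HasReadWrite false mean SDProp has not yet stamped the group (or the Dsacls grant failed); a non-empty ExtraRights column means the account holds more than Read/Write Members and should be corrected.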
NOTE
Any account that has permission to write membership of a group in Active Directory can also add itself to the
group. This behavior is by design and cannot be disabled. For this reason, you should always keep management
accounts disabled when not in use, and should closely monitor the accounts when they're disabled and when
they're in use.
1. To test enabling a management account and resetting its password, log on to a secure administrative
workstation with an account that is a member of the group you created in Appendix I: Creating
Management Accounts for Protected Accounts and Groups in Active Directory.
2. Open Active Directory Users and Computers, right-click the management account, and click Enable Account.
3. A dialog box should display, confirming that the account has been enabled.
4. Next, reset the password on the management account. To do so, right-click the account again and click Reset Password.
5. Type a new password for the account in the New password and Confirm password fields, and click OK.
6. A dialog box should appear, confirming that the password for the account has been reset.
7. Now attempt to modify additional properties of the management account. Right-click the account and click Properties, and click the Remote control tab.
8. Select Enable remote control and click Apply. The operation should fail and an Access Denied error message should display.
9. Click the Account tab for the account and attempt to change the account's name, logon hours, or logon workstations. All should fail, and account options that are not controlled by the userAccountControl attribute should be grayed out and unavailable for modification.
10. Attempt to add the management group to a protected group such as the DA group. When you click OK, a message should appear, informing you that you do not have permissions to modify the group.
11. Perform additional tests as required to verify that you cannot configure anything on the management
account except userAccountControl settings and password resets.
NOTE
The userAccountControl attribute controls multiple account configuration options. You cannot grant permission
to change only some of the configuration options when you grant write permission to the attribute.
Test the Management Accounts
Now that you have enabled one or more accounts that can change the membership of protected groups, you
can test the accounts to ensure that they can modify protected group membership, but cannot perform other
modifications on protected accounts and groups.
1. Log on to a secure administrative host as the first management account.
2. Launch Active Directory Users and Computers and locate the Domain Admins group.
3. Right-click the Domain Admins group and click Properties.
4. In the Domain Admins Properties, click the Members tab and click Add. Enter the name of an account that will be given temporary Domain Admins privileges and click Check Names. When the name of the account is underlined, click OK to return to the Members tab.
5. On the Members tab for the Domain Admins Properties dialog box, click Apply. After clicking Apply, the account should stay a member of the DA group and you should receive no error messages.
6. Click the Managed By tab in the Domain Admins Properties dialog box and verify that you cannot enter text in any fields and all buttons are grayed out.
7. Click the General tab in the Domain Admins Properties dialog box and verify that you cannot modify any of the information about that tab.
any of the information about that tab.
8. Repeat these steps for additional protected groups as needed. When you have finished, log on to a secure
administrative host with an account that is a member of the group you created to enable and disable the
management accounts. Then reset the password on the management account you just tested and disable
the account. You have completed setup of the management accounts and the group that will be
responsible for enabling and disabling the accounts.
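The same test can be run from PowerShell so it can be repeated whenever the ACLs change. This is an added example, not part of the guide; it assumes the management account is already enabled, that an ordinary test account named TempDA exists, and that the credential prompt is answered with the management account.

```powershell
# Added example: as the management account, confirm that Domain Admins membership
# can be changed but that nothing else on the group can be modified.
Import-Module ActiveDirectory

$cred     = Get-Credential -Message 'Management account, e.g. TAILSPINTOYS\PIM001'   # assumed name
$dc       = (Get-ADDomain).PDCEmulator     # send every write to the same DC
$testUser = 'TempDA'                       # constructed: existing, non-privileged test account

function Invoke-Expecting {
    # Runs $Action and records whether the outcome matched $ShouldSucceed.
    param([string]$Label, [scriptblock]$Action, [bool]$ShouldSucceed)
    $ErrorActionPreference = 'Stop'        # make AD cmdlet errors terminating for try/catch
    $err = $null
    try { & $Action; $ok = $true } catch { $ok = $false; $err = $_.Exception.Message }
    [pscustomobject]@{
        Test      = $Label
        Succeeded = $ok
        Expected  = $ShouldSucceed
        Result    = $(if ($ok -eq $ShouldSucceed) { 'PASS' } else { 'FAIL' })
        Error     = $err
    }
}

$results = @(
    Invoke-Expecting 'Add member to Domain Admins (must succeed)' {
        Add-ADGroupMember -Identity 'Domain Admins' -Members $testUser -Server $dc -Credential $cred } $true
    Invoke-Expecting 'Remove member from Domain Admins (must succeed)' {
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $testUser -Server $dc -Credential $cred -Confirm:$false } $true
    Invoke-Expecting 'Change ManagedBy on Domain Admins (must be denied)' {
        Set-ADGroup -Identity 'Domain Admins' -ManagedBy $testUser -Server $dc -Credential $cred } $false
    Invoke-Expecting 'Change description on Domain Admins (must be denied)' {
        Set-ADGroup -Identity 'Domain Admins' -Description 'test' -Server $dc -Credential $cred } $false
)
$results | Format-Table Test, Result, Error -AutoSize
```

Any FAIL row means the account has either too little or too much permission; in both cases re-check the AdminSDHolder ACE before the account is used for real changes.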
Appendix L: Events to Monitor
3/5/2021
The following table lists events that you should monitor in your environment, according to the
recommendations provided in Monitoring Active Directory for Signs of Compromise. In the following table, the
"Current Windows Event ID" column lists the event ID as it is implemented in versions of Windows and
Windows Server that are currently in mainstream support.
The "Legacy Windows Event ID" column lists the corresponding event ID in legacy versions of Windows such as
client computers running Windows XP or earlier and servers running Windows Server 2003 or earlier. The
"Potential Criticality" column identifies whether the event should be considered of low, medium, or high
criticality in detecting attacks, and the "Event Summary" column provides a brief description of the event.
A potential criticality of High means that one occurrence of the event should be investigated. Potential criticality
of Medium or Low means that these events should only be investigated if they occur unexpectedly or in
numbers that significantly exceed the expected baseline in a measured period of time. All organizations should
test these recommendations in their environments before creating alerts that require mandatory investigative
responses. Every environment is different, and some of the events ranked with a potential criticality of High may
occur due to other harmless events.
NOTE
Refer to Windows security audit events for a list of many security event IDs and their meanings.
Run wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true to get a very detailed listing of all security event IDs.
For more information about Windows security event IDs and their meanings, see the Microsoft Support article
Description of security events in Windows 7 and in Windows Server 2008 R2. You can also download Security
Audit Events for Windows 7 and Windows Server 2008 R2 and Windows 8 and Windows Server 2012 Security
Event Details, which provide detailed event information for the referenced operating systems in spreadsheet
format.
Appendix M: Document Links and Recommended
Reading
6/17/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
LINKS URLS
SolarWinds http://www.solarwinds.com/eminentware-products.aspx
Secunia http://secunia.com/
Lumension http://www.lumension.com/?rpLeadSourceId=5009&gclid=CKuai_e13rMCFal7QgodMFkAyA
EmpowerID http://www.empowerid.com/products/authorizationservices
CA IdentityMinder http://awards.scmagazine.com/ca-technologies-ca-identity-manager
Recommended Reading
The following table contains a list of recommended reading that will assist you in enhancing the security of your
Active Directory systems.
Best Practice Guide for Securing Active Directory Installations for Windows Server 2003
Best Practices for Delegating Active Directory Administration for Windows Server 2003
Error message when nonadministrator users who have been delegated control try to join computers to a Windows Server
2003-based or a Windows Server 2008-based domain controller: "Access is denied"
Copyright Information
The information contained in this document represents the current view of Microsoft Corporation on the issues
discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it
should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this
document.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
Microsoft, Active Directory, BitLocker, Hyper-V, Internet Explorer, Windows Vista, Windows, and Windows Server
are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. All other trademarks are property of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious. No association with any real company, organization, product, domain name,
e-mail address, logo, person, place, or event is intended or should be inferred.
2013 Microsoft Corporation. All rights reserved.
Active Directory Replication and Topology
Management Using Windows PowerShell
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Windows PowerShell for Active Directory now includes support for replication and topology management. The
following topics provide an introduction and additional details:
Introduction to Active Directory Replication and Topology Management Using Windows PowerShell
(Level 100)
Advanced Active Directory Replication and Topology Management Using Windows PowerShell (Level
200)
Introduction to Active Directory Replication and
Topology Management Using Windows PowerShell
(Level 100)
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Windows PowerShell for Active Directory includes the ability to manage replication, sites, domains and forests,
domain controllers, and partitions. Users of prior management tools such as the Active Directory Sites and
Services snap-in and repadmin.exe will notice that similar functionality is now available from within the
Windows PowerShell for Active Directory context. In addition, the cmdlets are compatible with the existing
Windows PowerShell for Active Directory cmdlets, thus creating a streamlined experience and allowing
customers to easily create automation scripts.
NOTE
The Windows PowerShell for Active Directory replication and topology cmdlets are available in the following
environments:
Windows Server 2012 domain controller
Windows Server 2012 with the Remote Server Administration Tools for AD DS and AD LDS installed.
Windows® 8 with the Remote Server Administration Tools for AD DS and AD LDS installed.
Lab Requirements
Two Windows Server 2012 domain controllers: DC1 and DC2 that are part of the contoso.com domain and
reside in the CORPORATE site within that domain.
View domain controllers and their sites
In this step, you will use the Active Directory Module for Windows PowerShell to view the existing domain
controllers and the replication topology for the domain.
To complete the steps in the following procedures, you must be a member of the Domain Admins group or have
equivalent permissions.
To view all Active Directory sites
1. On DC1 , click Windows PowerShell on the taskbar.
2. Type the following command:
Get-ADReplicationSite -Filter *
This returns detailed information about each site. The Filter parameter is used throughout Active
Directory PowerShell cmdlets to limit the list of objects returned. In this case, the asterisk (*) indicates all
site objects.
TIP
You can use the Tab key to auto-complete commands in Windows PowerShell.
Example: Type Get-ADRep and press Tab multiple times to skip through the matching commands until you reach
Get-ADReplicationSite . Auto-complete also works for parameter names such as Filter .
To format the output from the Get-ADReplicationSite command as a table and limit the display to
specific fields, you can pipe the output to the Format-Table command (or " ft " for short):
Get-ADReplicationSite -Filter * | ft Name
This returns a shorter version of the site list, including only the Name field.
To produce a table of all domain controllers
Type the following command at the Active Directory module for Windows PowerShell prompt:
Get-ADDomainController -Filter * | ft Hostname,Site
This command returns the domain controllers' host names as well as their site associations.
This command created the site link to BRANCH1 and turned on the change notification process.
TIP
Use Tab to auto-complete parameter names such as -SitesIncluded and -OtherAttributes rather than
typing them out manually.
This command sets the site link cost to BRANCH1 at 100 and sets the replication frequency with the site to 15 minutes.
To move a domain controller to a different site
Type the following command at the Active Directory module for Windows PowerShell prompt:
Get-ADDomainController DC2 | Move-ADDirectoryServer -Site BRANCH1
This command moves the domain controller, DC2 to the BRANCH1 site.
Verification
To verify site creation, new site link, and cost and replication frequency
Click Server Manager, click Tools and then click Active Directory Sites and Services and verify the following:
Verify that the BRANCH1 site contains all of the correct values from the Windows PowerShell commands.
Verify the CORPORATE-BRANCH1 site link is created and connects the BRANCH1 and CORPORATE sites.
Verify DC2 is now in the BRANCH1 site. Alternatively, you can open the Active Directory Module for Windows PowerShell and type the following command to verify DC2 is now in the BRANCH1 site:
Get-ADDomainController -Filter * | ft Hostname,Site
This shows a list of the highest USNs seen by DC1 for every domain controller in the forest. The Server value refers to the server maintaining the table, in this case DC1. The Partner value refers to the replication partner (direct or indirect) on which changes were made. The UsnFilter value is the highest USN seen by DC1 from Partner. If a new domain controller is added to the forest, it will not appear in DC1's table until DC1 receives a change that originated from the new domain controller.
To view the up-to-dateness vector table for all domain controllers in a domain
1. Type the following command at the Active Directory module for Windows PowerShell prompt:
Get-ADReplicationUpToDatenessVectorTable * | sort Partner,Server | ft Partner,Server,UsnFilter
This command replaces DC1 with *, thus collecting the up-to-dateness vector table data from all domain controllers. The data is sorted by Partner and Server and then displayed in a table.
The sorting allows you to easily compare the last USN seen by each domain controller for a given
replication partner. This is a quick way to check that replication is occurring across your environment. If
replication is working correctly, the UsnFilter values reported for a given replication partner should be
fairly similar across all domain controllers.
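The whole lab, from creating the BRANCH1 site to checking the up-to-dateness vectors, can be run as one script. This is an added example rather than the walkthrough's own commands; it assumes the lab names (contoso.com, sites CORPORATE and BRANCH1, domain controllers DC1 and DC2) and that it runs on DC1 as a Domain Admin.

```powershell
# Added example: perform the walkthrough's topology changes, then verify them
# with the same cmdlets instead of Active Directory Sites and Services.
Import-Module ActiveDirectory

# 1. Create the new site and a site link that joins both sites.
#    options=1 on a site link enables inter-site change notification.
New-ADReplicationSite -Name 'BRANCH1'
New-ADReplicationSiteLink -Name 'CORPORATE-BRANCH1' -SitesIncluded 'CORPORATE','BRANCH1' -OtherAttributes @{ options = 1 }

# 2. Set the link cost and the replication interval.
Set-ADReplicationSiteLink -Identity 'CORPORATE-BRANCH1' -Cost 100 -ReplicationFrequencyInMinutes 15

# 3. Move DC2 into the new site.
Get-ADDomainController -Identity 'DC2' | Move-ADDirectoryServer -Site 'BRANCH1'

# 4. Verify the result: site exists, link joins the right sites with the right
#    cost/interval, change notification is on, and DC2 reports the new site.
function Test-BranchTopology {
    $link = Get-ADReplicationSiteLink -Identity 'CORPORATE-BRANCH1' -Properties options
    $dc2  = Get-ADDomainController -Identity 'DC2'
    [pscustomobject]@{
        SiteExists         = [bool](Get-ADReplicationSite -Filter "Name -eq 'BRANCH1'")
        # SitesIncluded holds site DNs; keep only the CN value of each.
        LinkSites          = ($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ','
        Cost               = $link.Cost
        FrequencyMinutes   = $link.ReplicationFrequencyInMinutes
        ChangeNotification = (([int]$link.options -band 1) -eq 1)
        DC2Site            = $dc2.Site
    }
}
Test-BranchTopology | Format-List

# 5. Check that replication is converging: for a given Partner, UsnFilter should
#    be close across all Servers once the change has replicated everywhere.
Get-ADReplicationUpToDatenessVectorTable -Target '*' |
    Sort-Object Partner, Server |
    Format-Table Partner, Server, UsnFilter -AutoSize
```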
See Also
Advanced Active Directory Replication and Topology Management Using Windows PowerShell (Level 200)
Advanced Active Directory Replication and
Topology Management Using Windows PowerShell
(Level 200)
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains the new AD DS replication and topology management cmdlets in more detail, and provides
additional examples. For an introduction, see Introduction to Active Directory Replication and Topology
Management Using Windows PowerShell (Level 100).
1. Introduction
2. Replication and Metadata
3. Get-ADReplicationAttributeMetadata
4. Get-ADReplicationPartnerMetadata
5. Get-ADReplicationFailure
6. Get-ADReplicationQueueOperation and Get-ADReplicationUpToDatenessVectorTable
7. Sync-ADObject
8. Topology
Introduction
Windows Server 2012 extends the Active Directory module for Windows PowerShell with twenty-five new
cmdlets to manage replication and forest topology. Prior to this, you were forced to use the generic *-AdObject
nouns or call .NET functions.
Like all Active Directory Windows PowerShell cmdlets, this new functionality requires installing the Active
Directory Management Gateway Service on at least one domain controller (and preferably, all domain
controllers).
The following table lists new replication and topology cmdlets added to the Active Directory Windows
PowerShell module.
CMDLET EXPLANATION
Most of these cmdlets have their basis in Repadmin.exe. Other cmdlets (not listed) handle features like Dynamic
Access Control and Group Managed Service Accounts.
For a complete list of all Active Directory Windows PowerShell cmdlets, run:
For a complete list of all Active Directory Windows PowerShell cmdlet arguments, reference the help. For
example:
Get-help New-ADReplicationSite
Alternatively, you can get metadata for an entire class of objects, by pipelining the Get-Adobject cmdlet with a
filter, such as all groups - then combine that with a specific date. The pipeline is a channel used between multiple
cmdlets to pass data. To see all groups modified in some fashion on January 13th, 2012:
Alternatively, to find all objects authoritatively restored using a system state backup in the domain, based on
their artificially high version:
Alternatively, send all user metadata to a CSV file for later examination in Microsoft Excel:
get-adobject -filter 'objectclass -eq "user"' | Get-ADReplicationAttributeMetadata -server dc1.corp.contoso.com -showalllinkedvalues | export-csv allgroupmetadata.csv
Get-ADReplicationPartnerMetadata
This cmdlet returns information about the configuration and state of replication for a domain controller,
allowing you to monitor, inventory, or troubleshoot. Unlike Repadmin.exe, using Windows PowerShell means
you see only the data that is important to you, in the format you want.
For example, the readable replication state of a single domain controller:
Alternatively, the last time a domain controller replicated inbound and its partners, in a table format:
Alternatively, contact all domain controllers in the forest and display any whose last attempted replication failed
for any reason:
Get-ADReplicationPartnerMetadata -target * -scope server | where {$_.lastreplicationresult -ne "0"} | ft server,lastreplicationattempt,lastreplicationresult,partner -auto
Get-ADReplicationFailure
This cmdlet returns information about recent errors in replication. It is analogous to Repadmin.exe /showreplsum, but again, with much more control thanks to Windows PowerShell.
For example, you can return a domain controller's most recent failures and the partners it failed to contact:
Get-ADReplicationFailure dc1.corp.contoso.com
Alternatively, return a table view for all servers in a specific AD logical site, ordered for easier viewing and
containing only the most critical data:
Topology
While Repadmin.exe is good at returning information about replication topology like sites, site links, site link bridges, and connections, it does not have a comprehensive set of arguments to make changes. In fact, there has never been a scriptable, in-box Windows utility designed specifically for administrators to create and modify AD DS topology. As Active Directory has matured in millions of customer environments, the need to bulk modify Active Directory logical information has become apparent.
For example, after a rapid expansion of new branch offices, combined with the consolidation of others, you
might have a hundred site changes to make based on physical locations, network changes, and new capacity
requirements. Rather than using Dssites.msc and Adsiedit.msc to make changes, you can automate. This is
especially compelling when you start with a spreadsheet of data provided by your network and facilities teams.
The Get-ADReplication* cmdlets return information about replication topology and are useful for pipelining into the Set-ADReplication* cmdlets in bulk. Get cmdlets do not change data; they only show data or create Windows PowerShell session objects that can be pipelined to Set-ADReplication* cmdlets. The New and Remove cmdlets are useful for creating or removing Active Directory topology objects.
For example, you can create new sites using a CSV file:
Alternatively, create a new site link between two existing sites with a custom replication interval and site cost:
new-adreplicationsitelink -name "chicago<-->waukegan" -sitesincluded chicago,waukegan -cost 50 -replicationfrequencyinminutes 15
Alternatively, find every site in the forest and replace their Options attributes with the flag to enable inter-site
change notification, in order to replicate at maximum speed with compression:
IMPORTANT
Set -bor 5 to disable compression on those site links as well.
Alternatively, find all sites missing subnet assignments, in order to reconcile the list with the actual subnets of
those locations:
get-adreplicationsite -filter * -property subnets | where-object { -not $_.subnets } | format-table name
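The bulk scenario described in this section (sites from a spreadsheet, a new site link, change notification on every link, then a check for sites without subnets) is shown end to end below as an added example, not the article's own code. It assumes a CSV with Site, Subnet and Location columns; the three rows are constructed inline in place of Import-Csv.

```powershell
# Added example: bulk topology changes driven by a CSV from the network team.
Import-Module ActiveDirectory

# Constructed sample input; in practice: $rows = Import-Csv .\sites.csv
$rows = @'
Site,Subnet,Location
Chicago,10.10.0.0/16,Chicago IL
Waukegan,10.20.0.0/16,Waukegan IL
Peoria,,Peoria IL
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    # Create the site only if it does not already exist (script is safe to re-run).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($row.Site)'")) {
        New-ADReplicationSite -Name $row.Site -Description $row.Location
    }
    # Subnet column may be empty (Peoria above); those sites show up in the final report.
    if ($row.Subnet -and -not (Get-ADReplicationSubnet -Filter "Name -eq '$($row.Subnet)'")) {
        New-ADReplicationSubnet -Name $row.Subnet -Site $row.Site -Location $row.Location
    }
}

# Site link between two of the new sites with custom cost and interval.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'chicago<-->waukegan'")) {
    New-ADReplicationSiteLink -Name 'chicago<-->waukegan' -SitesIncluded 'Chicago','Waukegan' `
        -Cost 50 -ReplicationFrequencyInMinutes 15
}

# Enable inter-site change notification (options bit 1) on every site link while
# preserving any other bits already set. Use -bor 5 to also disable compression.
Get-ADReplicationSiteLink -Filter * -Properties options | ForEach-Object {
    $newOptions = [int]$_.options -bor 1
    if ($newOptions -ne [int]$_.options) {
        Set-ADReplicationSiteLink -Identity $_ -Replace @{ options = $newOptions }
    }
}

function Get-SitesWithoutSubnets {
    # Sites with no subnet cannot have clients located into them; reconcile these first.
    Get-ADReplicationSite -Filter * -Properties Subnets |
        Where-Object { -not $_.Subnets } |
        Select-Object Name
}
Get-SitesWithoutSubnets | Format-Table -AutoSize
```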
See Also
Introduction to Active Directory Replication and Topology Management Using Windows PowerShell (Level 100)
Managing RID Issuance
3/5/2021
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains the change to the RID master FSMO role, including the new issuance and monitoring
functionality in the RID master and how to analyze and troubleshoot RID issuance.
Managing RID Issuance
Troubleshooting RID Issuance
More information is available at the AskDS Blog.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values
RID Block Size
Prior to Windows Server 2012, there was no maximum value enforced in that registry key, except the implicit
DWORD maximum (which has a value of 0xffffffff or 4294967295). This value is considerably larger than the
total global RID space. Administrators sometimes inappropriately or accidentally configured RID Block Size with
values that exhausted the global RID at a massive rate.
In Windows Server 2012, you cannot set this registry value higher than 15,000 decimal (0x3A98 hexadecimal).
This prevents massive unintended RID allocation.
If you set the value higher than 15,000, the value is treated as 15,000 and the domain controller logs event
16653 in the Directory Services event log at every reboot until the value is corrected.
Global RID Space Size Unlock
Prior to Windows Server 2012, the global RID space was limited to 2^30 (or 1,073,741,823) total RIDs. Once reached, only a domain migration or forest recovery to an older timeframe allowed new SID creation - disaster recovery, by any measure. Starting in Windows Server 2012, the 2^31 bit can be unlocked in order to increase the global pool to 2,147,483,648 RIDs.
AD DS stores this setting in a special hidden attribute named SidCompatibilityVersion on the RootDSE
context of all domain controllers. This attribute is not readable using ADSIEdit, LDP, or other tools. To see an
increase in the global RID space, examine the System event log for warning event 16655 from Directory-
Services-SAM or use the following Dcdiag command:
Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"
If you increase the global RID pool, the available pool will change to 2,147,483,647 instead of the default
1,073,741,823. For example:
WARNING
This unlock is intended only to prevent running out of RIDS and is to be used only in conjunction with RID Ceiling
Enforcement (see next section). Do not "preemptively" set this in environments that have millions of remaining RIDs and
low growth, as application compatibility issues potentially exist with SIDs generated from the unlocked RID pool.
This unlock operation cannot be reverted or removed, except by a complete forest recovery to earlier backups.
Important Caveats
Windows Server 2003 and Windows Server 2008 Domain Controllers cannot issue RIDs when the global RID
pool 31st bit is unlocked. Windows Server 2008 R2 domain controllers can use 31st bit RIDs but only if they
have hotfix KB 2642658 installed. Unsupported and unpatched domain controllers treat the global RID pool as
exhausted when unlocked.
This feature is not enforced by any domain functional level; take great care that only Windows Server 2012 or
updated Windows Server 2008 R2 domain controllers exist in the domain.
Implementing Unlocked Global RID space
To unlock the RID pool to the 31st bit after receiving the RID ceiling alert (see below) perform the following
steps:
1. Ensure that the RID Master role is running on a Windows Server 2012 domain controller. If not, transfer it
to a Windows Server 2012 domain controller.
2. Run LDP.exe
3. Click the Connection menu and click Connect for the Windows Server 2012 RID Master on port 389,
and then click Bind as a domain administrator.
4. Click the Browse menu and click Modify .
5. Ensure that DN is blank.
6. In Edit Entry Attribute, type:
SidCompatibilityVersion
7. In Values, type:
8. Ensure that Add is selected in Operation and click Enter. This updates the Entry List.
9. Select the Synchronous and Extended options, then click Run .
10. If successful, the LDP output window shows:
***Call Modify...
ldap_modify_ext_s(ld, '(null)',[1] attrs, SvrCtrls, ClntCtrls);
modified "".
11. Confirm the global RID pool increased by examining the System Event Log on that domain controller for
Directory-Services-SAM Informational event 16655.
RID Ceiling Enforcement
To afford a measure of protection and elevate administrative awareness, Windows Server 2012 introduces an
artificial ceiling on the global RID range at ten (10) percent remaining RIDs in the global space. When within one
(1) percent of the artificial ceiling, domain controllers requesting RID pools write Directory-Services-SAM
warning event 16656 to their System event log. When reaching the ten percent ceiling on the RID Master FSMO,
it writes Directory-Services-SAM event 16657 to its System event log and will not allocate any further RID pools
until overriding the ceiling. This forces you to assess the state of the RID master in the domain and address
potential runaway RID allocation; this also protects domains from exhausting the entire RID space.
This ceiling is hard-coded at ten percent remaining of the available RID space. That is, the ceiling activates when
the RID master allocates a pool that includes the RID corresponding to ninety (90) percent of the global RID
space.
For default domains, the first trigger point is (2^30 - 1) * 0.90 = 966,367,640 (or 107,374,183 RIDs remaining).
For domains with an unlocked 31-bit RID space, the trigger point is (2^31 - 1) * 0.90 = 1,932,735,282 RIDs (or 214,748,365 RIDs remaining).
When triggered, the RID master sets Active Directory attribute msDS-RIDPoolAllocationEnabled (common
name ms-DS-RID-Pool-Allocation-Enabled ) to FALSE on the object:
CN=RID Manager$,CN=System,DC=
This writes the 16657 event and prevents further RID block issuance to all domain controllers. Domain
controllers continue to consume any outstanding RID pools already issued to them.
To remove the block and allow RID pool allocation to continue, set that value to TRUE. On the next RID allocation
performed by the RID master, the attribute will return to its default NOT SET value. After that, there are no
further ceilings and eventually, the global RID space runs out, requiring forest recovery or domain migration.
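The ceiling arithmetic above, the current position of the domain against it, and the RID Block Size limit can all be checked from one script. This is an added example, not code from the article; it assumes the account can read CN=RID Manager$ on the RID master and, for the registry check, that it runs on a domain controller.

```powershell
# Added example: report RID consumption against the 90 percent ceiling, the state of
# msDS-RIDPoolAllocationEnabled, and the RID Block Size registry value.
Import-Module ActiveDirectory

function Get-RidCeiling {
    # Ceiling = 90 percent of the usable RID space: 2^30-1 by default, 2^31-1 when unlocked.
    param([bool]$Unlocked)
    $total = [int64](if ($Unlocked) { [math]::Pow(2, 31) - 1 } else { [math]::Pow(2, 30) - 1 })
    $ceiling = [int64][math]::Floor($total * 0.90)
    [pscustomobject]@{
        TotalRids     = $total
        CeilingRid    = $ceiling          # 966,367,640 default; 1,932,735,282 unlocked
        RidsRemaining = $total - $ceiling # 107,374,183 default; 214,748,365 unlocked
    }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain
    $ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
        -Server $domain.RIDMaster -Properties 'rIDAvailablePool','msDS-RIDPoolAllocationEnabled'
    # rIDAvailablePool is 64 bits wide: high 32 bits = size of the global pool,
    # low 32 bits = next RID that will be handed out.
    $pool     = [int64]$ridMgr.rIDAvailablePool
    $poolSize = [int64][math]::Floor($pool / [math]::Pow(2, 32))
    $nextRid  = $pool - ($poolSize * [int64][math]::Pow(2, 32))
    $unlocked = $poolSize -gt [int64][math]::Pow(2, 30)
    $ceiling  = Get-RidCeiling -Unlocked $unlocked
    [pscustomobject]@{
        RidMaster         = $domain.RIDMaster
        PoolSize          = $poolSize
        NextRid           = $nextRid
        Remaining         = $poolSize - $nextRid
        PercentUsed       = [math]::Round(100 * $nextRid / $poolSize, 2)
        UnlockedTo31Bits  = $unlocked
        CeilingRid        = $ceiling.CeilingRid
        # Approximation: the block is applied when an allocated pool spans the ceiling RID.
        CeilingReached    = ($nextRid -ge $ceiling.CeilingRid)
        AllocationEnabled = $ridMgr.'msDS-RIDPoolAllocationEnabled'   # $null = NOT SET, FALSE = blocked
    }
}

function Test-RidBlockSize {
    # Values above 15,000 are clamped and cause event 16653 at every boot.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\RID Values'
    $value = (Get-ItemProperty -Path $key -Name 'RID Block Size' -ErrorAction SilentlyContinue).'RID Block Size'
    [pscustomobject]@{
        RidBlockSize = $value
        ExceedsMax   = ($null -ne $value -and $value -gt 15000)
    }
}

Get-RidPoolStatus | Format-List
Test-RidBlockSize | Format-List
```

A PercentUsed value climbing quickly between runs is the "runaway RID allocation" the ceiling is meant to surface; investigate what is creating security principals before considering the unlock.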
Removing the Ceiling Block
To remove the block once reaching the artificial ceiling, perform the following steps:
1. Ensure that the RID Master role is running on a Windows Server 2012 domain controller. If not, transfer it
to a Windows Server 2012 domain controller.
2. Run LDP.exe.
3. Click the Connection menu and click Connect for the Windows Server 2012 RID Master on port 389,
and then click Bind as a domain administrator.
4. Click the View menu and click Tree , then for the Base DN select the RID Master's own domain naming
context. Click Ok .
5. In the navigation pane, drill down into the CN=System container and click the CN=RID Manager$
object. Right click it and click Modify .
6. In Edit Entry Attribute, type:
MsDS-RidPoolAllocationEnabled
7. In Values, type:
TRUE
8. Select Replace in Operation and click Enter. This updates the Entry List.
9. Enable the Synchronous and Extended options, then click Run:
10. If successful, the LDP output window shows:
***Call Modify...
ldap_modify_ext_s(ld, 'CN=RID Manager$,CN=System,DC=<domain>',[1] attrs, SvrCtrls, ClntCtrls);
Modified "CN=RID Manager$,CN=System,DC=<domain>".
EVENT ID 16653
Source Directory-Services-SAM
Severity Warning
Notes and resolution The maximum value for the RID Block Size is now 15000 decimal (3A98 hexadecimal). A domain controller cannot request more than 15,000 RIDs. This event logs at every boot until the value is set to a value at or below this maximum.
EVENT ID 16654
Source Directory-Services-SAM
Severity Informational
Notes and resolution If this event is unexpected, contact all domain administrators and determine which of them performed the action. The Directory Services event log also contains further information on when one of these steps was performed.
EVENT ID 16655
Source Directory-Services-SAM
Severity Informational
Notes and resolution If this event is unexpected, contact all domain administrators and determine which of them performed the action. This event notes the increase of the overall RID pool size beyond the default of 2^30 and will not happen automatically; only by administrative action.
EVENT ID 16656
Source Directory-Services-SAM
Severity Warning
EVENT ID 16657
Source Directory-Services-SAM
Severity Error
Notes and resolution Contact all domain administrators and inform them that no further security principals can be created in this domain until this protection is overridden. For more information about how to override the protection and possibly increase the overall RID pool, see Global RID Space Size Unlock.
EVENT ID 16658
Source Directory-Services-SAM
Severity Warning
Notes and resolution Contact all domain administrators and inform them that RID consumption has crossed a major milestone; determine if this is expected behavior or not by reviewing security trustee creation patterns. To ever see this event would be highly unusual, as it means that at least ~100 million RIDs have been allocated.
See Also
Managing RID Issuance in Windows Server 2012
Active Directory Domain Services Component
Updates
11/2/2020
This module introduces the components that received minor updates in the Directory Services and Identity
spaces.
NOTE
This content is written by a Microsoft customer support engineer, and is intended for experienced administrators and
systems architects who are looking for deeper technical explanations of features and solutions in Windows Server 2012
R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so some of the
language may seem less polished than what is typically found on TechNet.
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
SPN and UPN uniqueness
3/5/2021 • 9 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Author : Justin Turner, Senior Support Escalation Engineer with the Windows group
Overview
Domain controllers running Windows Server 2012 R2 block the creation of duplicate service principal names (SPNs) and user principal names (UPNs). This includes cases where the restoration or reanimation of a deleted object, or the renaming of an object, would result in a duplicate.
Background
Duplicate service principal names (SPNs) commonly occur, result in authentication failures, and may lead to excessive LSASS CPU utilization. There is no in-box method to block the addition of a duplicate SPN or UPN.* Duplicate UPN values break synchronization between on-premises AD and Office 365.
*Setspn.exe is commonly used to create new SPNs; the version released with Windows Server 2008 added a built-in check for duplicates.
Table 1: UPN and SPN uniqueness (Feature / Comment)
For more information about uniqueness requirements for UPNs and SPNs, see Uniqueness Constraints.
Symptoms
Error codes 8467 or 8468 or their hex, symbolic or string equivalents are logged in various on-screen dialogues
and in event ID 2974 in the Directory Services event log. The attempt to create a duplicate UPN or SPN is
blocked only under the following circumstances:
The write is processed by a Windows Server 2012 R2 DC
Table 2: UPN and SPN uniqueness error codes (Decimal / Hex / Symbolic / String)
Figure 1: Error displayed in AD Administrative Center when new user creation fails due to duplicate UPN
Event 2974 Source: ActiveDirectory_DomainService
Figure 2: Event ID 2974 with error 8648
The event 2974 lists the value that was blocked and a list of one or more objects (up to 10) that already contain
that value. In the following figure, you can see that UPN attribute value dhunt@blue.contoso.com already
exists on four other objects. Since this is a new feature in Windows Server 2012 R2, accidental creation of
duplicate UPN and SPNs in a mixed environment will still occur when down-level DCs process the write attempt.
Figure 3: Event 2974 showing all objects containing the duplicate UPN
TIP
Review event ID 2974s regularly to:
identify attempts to create duplicate UPN or SPNs
identify objects that already contain duplicates
8648 = "The operation failed because UPN value provided for addition/modification is not unique forest-wide."
SetSPN:
Setspn.exe has had duplicate SPN detection built in since the Windows Server 2008 release when using the "-S" option. You can bypass the duplicate SPN detection by using the "-A" option, however. Creation of a duplicate SPN is blocked when targeting a Windows Server 2012 R2 DC using SetSPN with the -A option. The error message displayed is the same as the one displayed when using the -S option: "Duplicate SPN found, aborting operation!"
ADSIEDIT:
Figure 4: Error message displayed in ADSIEdit when addition of duplicate UPN is blocked
Windows PowerShell
Windows Server 2012 R2:
DSAC.exe running on Windows Server 2012 targeting a Windows Server 2012 R2 DC:
Figure 5: DSAC user creation error on non-Windows Server 2012 R2 while targeting Windows Server 2012 R2 DC
Figure 6: DSAC user modification error on non-Windows Server 2012 R2 while targeting Windows Server 2012 R2 DC
Restore of an object that would result in a duplicate UPN fails:
No event is logged when an object fails to restore because of a duplicate UPN / SPN.
The UPN of the object must be unique in order for it to be restored.
1. Identify the UPN that exists on the object in the Recycle Bin
2. Identify all objects that have the same value
3. Remove the duplicate UPN(s)
Identify the conflicting UPN on the deleted object
Using repadmin.exe
TIP
The previously undocumented /deleted parameter in repadmin.exe is used to include deleted objects in the result set
If the object needs to be restored, you will need to remove the duplicate UPNs from the other objects. For only one object, it is simple enough to use ADSIEdit to remove the duplicate. If there are multiple objects with duplicates, then Windows PowerShell might be the better tool to use.
To null out the UserPrincipalName attribute using Windows PowerShell:
NOTE
The userPrincipalName attribute is a single-valued attribute, so this procedure will only remove the duplicate UPN.
Duplicate SPN
Figure 8: Error message displayed in ADSIEdit when addition of duplicate SPN is blocked
Logged in the Directory Services event log is an ActiveDirectory_DomainService event ID 2974.
Figure 9: Error logged when creation of duplicate SPN is blocked
Workflow
If DC == GC
    No offbox call required, query can be satisfied locally
    UPN case
        Query local forest-wide UPN index for supplied UPN (userPrincipalName; a global index)
        If entries returned == 0 -> write proceeds
        If entries returned != 0 -> write fails
            Event logged
            Also returns extended error: 8648: ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST
    SPN case
        Query local forest-wide SPN index for supplied SPN (servicePrincipalName; a global index)
        If entries returned == 0 -> write proceeds
        If entries returned != 0 -> write fails
            Event logged
            Also returns extended error: 8647: ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST
If DC != GC
    Offbox call desirable but not critical, i.e. this is a best-effort uniqueness check
    Check proceeds against local DIT only if GC cannot be located
        Event logged to indicate such
    UPN case
        Submit LDAP query against closest GC -> query GC's forest-wide UPN index for supplied UPN (userPrincipalName; a global index)
        If entries returned == 0 -> write proceeds
        If entries returned != 0 -> write fails
            Event logged
            Also returns extended error: 8648: ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST
    SPN case
        Submit LDAP query against closest GC -> query GC's forest-wide SPN index for supplied SPN (servicePrincipalName; a global index)
        If entries returned == 0 -> write proceeds
        If entries returned != 0 -> write fails
            Event logged
            Also returns extended error: 8647: ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST
When deleted objects are re-animated, SPN or UPN values present are checked for uniqueness. If a duplicate is
found, the request fails.
For certain attribute changes like DNS Host Name, SAM Account Name etc, when the modification is
made, SPNs are updated accordingly. In the process, the obsolete SPNs are deleted and new SPNs are
constructed and added to the database. The requisite attribute modifications against which this path is
triggered are:
ATT_DNS_HOST_NAME
ATT_MS_DS_ADDITIONAL_DNS_HOST_NAME
ATT_SAM_ACCOUNT_NAME
ATT_MS_DS_ADDITIONAL_SAM_ACCOUNT_NAME
ATT_SERVER_REFERENCE_BL
ATT_USER_ACCOUNT_CONTROL
If any of the new SPN values is a duplicate, the modification fails. Of the above list, the important attributes are ATT_DNS_HOST_NAME (machine name) and ATT_SAM_ACCOUNT_NAME (SAM account name).
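The following is an added example, not code from the original module. It reproduces the DC's forest-wide uniqueness check from the workflow above as a pre-write query against a global catalog, sweeps the forest for duplicates that down-level DCs may have let through, and performs the "null out the UserPrincipalName" step for a Recycle Bin restore. It assumes the ActiveDirectory RSAT module and LDAP access to a GC on port 3268.

```powershell
# Added example; assumes the ActiveDirectory module and reachability of a GC (port 3268).
Import-Module ActiveDirectory

# Escape the characters that are special in an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29')
}

function Get-ForestGlobalCatalog {
    # Any GC holds the forest-wide UPN/SPN index; forest root + port 3268 lets DC locator pick one.
    return "$((Get-ADForest).RootDomain):3268"
}

function Test-PrincipalNameUnique {
    # Mirrors the check a Windows Server 2012 R2 DC performs before the write: query the
    # forest-wide index via the GC. Zero hits = write proceeds; otherwise return the same
    # extended error the DC would (8648 for UPNs, 8647 for SPNs) and the current holders.
    param(
        [Parameter(Mandatory)][ValidateSet('userPrincipalName', 'servicePrincipalName')][string]$Attribute,
        [Parameter(Mandatory)][string]$Value,
        [string]$GlobalCatalog = (Get-ForestGlobalCatalog)
    )
    $filter  = "($Attribute=$(ConvertTo-LdapFilterValue $Value))"
    $holders = @(Get-ADObject -Server $GlobalCatalog -LDAPFilter $filter)
    if ($holders.Count -eq 0) {
        return [pscustomobject]@{ Unique = $true; ErrorCode = 0; Holders = @() }
    }
    $code = if ($Attribute -eq 'userPrincipalName') { 8648 } else { 8647 }
    return [pscustomobject]@{ Unique = $false; ErrorCode = $code; Holders = @($holders.DistinguishedName) }
}

function Find-DuplicatePrincipalNames {
    # Proactive sweep: the 2012 R2 block only covers writes processed by a 2012 R2 DC, so
    # duplicates written through down-level DCs still have to be found. Groups every value
    # (compared case-insensitively) that is held by more than one object.
    param(
        [Parameter(Mandatory)][ValidateSet('userPrincipalName', 'servicePrincipalName')][string]$Attribute,
        [string]$GlobalCatalog = (Get-ForestGlobalCatalog)
    )
    $rows = foreach ($obj in Get-ADObject -Server $GlobalCatalog -LDAPFilter "($Attribute=*)" -Properties $Attribute) {
        foreach ($v in @($obj.$Attribute)) {
            [pscustomobject]@{ Value = $v.ToLowerInvariant(); DN = $obj.DistinguishedName }
        }
    }
    $rows | Group-Object -Property Value | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Attribute = $Attribute; Value = $_.Name; Count = $_.Count; Objects = @($_.Group.DN) }
    }
}

function Get-RecycleBinUpnConflicts {
    # A restore fails silently (no event) when a live object holds the deleted object's UPN.
    # List every deleted object that still carries a UPN together with the live holders.
    param([string]$GlobalCatalog = (Get-ForestGlobalCatalog))
    $deleted = Get-ADObject -Server $GlobalCatalog -IncludeDeletedObjects `
        -LDAPFilter '(&(isDeleted=TRUE)(userPrincipalName=*))' -Properties userPrincipalName
    foreach ($d in $deleted) {
        $check = Test-PrincipalNameUnique -Attribute userPrincipalName -Value $d.userPrincipalName -GlobalCatalog $GlobalCatalog
        if (-not $check.Unique) {
            [pscustomobject]@{ DeletedObject = $d.DistinguishedName; Upn = $d.userPrincipalName; ConflictsWith = $check.Holders }
        }
    }
}

function Clear-ConflictingUpn {
    # Nulls userPrincipalName on the live objects holding $Upn so the deleted object can be
    # restored. userPrincipalName is single-valued, so -Clear removes exactly that value.
    # Supports -WhatIf; run with it first and review the targets.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Upn, [string]$GlobalCatalog = (Get-ForestGlobalCatalog))
    $check = Test-PrincipalNameUnique -Attribute userPrincipalName -Value $Upn -GlobalCatalog $GlobalCatalog
    foreach ($dn in $check.Holders) {
        # Write to the object's own domain (taken from the DN), not to the read-only GC port.
        $domain = (($dn -split ',DC=') | Select-Object -Skip 1) -join '.'
        if ($PSCmdlet.ShouldProcess($dn, "Clear userPrincipalName '$Upn'")) {
            Set-ADObject -Identity $dn -Server $domain -Clear userPrincipalName
        }
    }
}

# Usage:
#   Test-PrincipalNameUnique -Attribute userPrincipalName -Value 'dhunt@blue.contoso.com'
#   Find-DuplicatePrincipalNames -Attribute servicePrincipalName
#   Get-RecycleBinUpnConflicts
#   Clear-ConflictingUpn -Upn 'dhunt@blue.contoso.com' -WhatIf
```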
Try This: Exploring SPN and UPN uniqueness
This is the first of several "Try This" activities in the module. There is not a separate lab guide for this module. The Try This activities are essentially free-form activities that allow you to explore the lesson material in the lab environment. You have the option of following the prompt or going off script and coming up with your own activity.
NOTE
While not all sections have a Try This prompt, you are still encouraged to explore the lesson content in the lab where appropriate.
Experiment with SPN and UPN uniqueness. Follow these prompts, or complete your own.
1. Create new users with UPNs
2. Create accounts with SPNs
3. Either create a new user with a UPN already previously defined or change an existing account's UPN. Do the same for an SPN on another account.
   a. Populate an existing user account with a UPN already in use, using PowerShell, ADSIEDIT, or Active Directory Administrative Center (DSAC.exe)
   b. Populate an existing account with an SPN already in use, using Windows PowerShell, ADSIEDIT, or SetSPN
4. Observe the errors
Optionally
1. Verify with the classroom instructor that it is ok to enable the AD Recycle Bin in Active Directory Administrative Center. If so, move on to the next step.
2. Populate the UPN on a user account
3. Delete the account
4. Populate a different account with the same UPN as the deleted account
5. Attempt to use the Recycle Bin GUI to restore the account
6. Imagine you have just been presented with the error you see in the previous step (and don't have a history of the steps you just performed). Your goal is to complete the restore of the account. See the workbook for example steps.
Winlogon automatic restart sign-on (ARSO)
4/30/2021 • 7 minutes to read
During a Windows Update, there are user specific processes that must happen for the update to be complete.
These processes require the user to be logged in to their device. On the first login after an update has been
initiated, users must wait until these user specific processes are complete before they can start using their
device.
ARSO triggers by device type:
Windows Update: Managed devices - Yes; Unmanaged devices - Yes
shutdown -g -t 0: Managed devices - Yes; Unmanaged devices - Yes
User-initiated reboots: Managed devices - No; Unmanaged devices - Yes
APIs with SHUTDOWN_ARSO / EWX_ARSO flags: Managed devices - Yes; Unmanaged devices - Yes
NOTE
After a Windows Update induced reboot, the last interactive user is automatically logged in and the session is locked. This
gives the ability for a user's lock screen apps to still run despite the Windows Update reboot.
Policy #1
Sign-in and lock last interactive user automatically after a restart
In Windows 10, ARSO is disabled for Server SKUs and opt-out for Client SKUs.
Group policy location: Computer Configuration > Administrative Templates > Windows Components >
Windows Logon Options
Intune policy:
Platform: Windows 10 and later
Profile type: Administrative Templates
Path: \Windows Components\Windows Logon Options
Supported on: At least Windows 10 Version 1903
Description:
This policy setting controls whether a device will automatically sign in and lock the last interactive user after the
system restarts or after a shutdown and cold boot.
This only occurs if the last interactive user didn't sign out before the restart or shutdown.
If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update
restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
If you don't configure this policy setting, it is enabled by default. When the policy is enabled, the user is
automatically signed in and the session is automatically locked with all lock screen apps configured for that user
after the device boots.
After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy,
which configures the mode of automatically signing in and locking the last interactive user after a restart or cold
boot.
If you disable this policy setting, the device does not configure automatic sign in. The user's lock screen apps are
not restarted after the system restarts.
Registry editor (value name / type / data):
Data: 1 (Disable ARSO)
Policy #2
Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
Group policy location: Computer Configuration > Administrative Templates > Windows Components >
Windows Logon Options
Intune policy:
Platform: Windows 10 and later
Profile type: Administrative Templates
Path: \Windows Components\Windows Logon Options
Supported on: At least Windows 10 Version 1903
Description:
This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after
a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a
restart” policy, then automatic sign on will not occur and this policy does not need to be configured.
If you enable this policy setting, you can choose one of the following two options:
1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if
BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the
device's hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension
temporarily removes protection for system components and data but may be needed in certain
circumstances to successfully update boot-critical components.
BitLocker is suspended during updates if:
The device doesn't have TPM 2.0 and PCR7, or
The device doesn't use a TPM-only protector
2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during
reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic
restart and sign on should only be run under this condition if you are confident that the configured device is
in a secure physical location.
If you disable or don't configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and
not suspended” behavior.
Registry editor (value name / type / data)
Security details
In environments where the device's physical security is of concern (for example, the device can be stolen), Microsoft does not recommend using ARSO. ARSO relies on the integrity of the platform firmware and TPM; an attacker with physical access may be able to compromise these and thereby access the credentials stored on disk with ARSO enabled.
In enterprise environments where the security of user data protected by the Data Protection API (DPAPI) is of concern, Microsoft does not recommend using ARSO. ARSO negatively impacts user data protected by DPAPI because decryption doesn't require user credentials. Enterprises should test the impact on the security of user data protected by DPAPI before using ARSO.
Credentials stored
Password hash / Credential key / Ticket-granting ticket / Primary refresh token:
Local account: Yes / Yes / No / No
MSA account: Yes / Yes / No / No
Azure AD joined account: Yes / Yes / Yes (if hybrid) / Yes
Domain joined account: Yes / Yes / Yes / Yes (if hybrid)
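The following is an added example, not part of the original article. It audits a device's ARSO posture against the two policies and the security details above: whether ARSO is enabled, which mode Policy #2 selects, whether the device is domain joined (which limits ARSO to Windows Update restarts), and whether BitLocker currently protects the OS volume. The registry value names DisableAutomaticRestartSignOn and AutomaticRestartSignOnConfig, and their location under the Policies\System key, are assumptions (the page's registry table did not survive extraction); the BitLocker module is assumed available.

```powershell
# Added example; value names and key location are assumptions, not taken from this page.
$ArsoPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-ArsoPosture {
    [CmdletBinding()]
    param([string]$PolicyKey = $ArsoPolicyKey)

    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    # Policy #1: not configured or 0 means ARSO is enabled (the default); 1 disables it.
    $enabled = -not ($p -and $p.DisableAutomaticRestartSignOn -eq 1)
    # Policy #2: not configured or 0 = "Enabled if BitLocker is on and not suspended"; 1 = "Always Enabled".
    $mode = if ($p -and $p.AutomaticRestartSignOnConfig -eq 1) { 'AlwaysEnabled' } else { 'OnlyIfBitLockerOn' }

    # Domain-joined devices only use ARSO for Windows Update restarts (see the Policy #1 description).
    $domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # BitLocker state of the OS volume decides whether the cached credentials are protected
    # at rest while the device sits powered off or in an attacker's hands.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $osProtected = [bool]($bl -and $bl.ProtectionStatus -eq 'On')

    $risk = if (-not $enabled)               { 'None: ARSO disabled, no credentials cached for auto sign-in' }
            elseif ($mode -eq 'AlwaysEnabled') { 'High: auto sign-in happens even with BitLocker off or suspended' }
            elseif (-not $osProtected)         { 'Low: mode requires BitLocker, which is off, so no auto sign-in occurs' }
            else                               { 'Medium: credentials cached on disk; relies on firmware/TPM integrity' }

    [pscustomobject]@{
        ArsoEnabled       = $enabled
        Mode              = $mode
        DomainJoined      = $domainJoined
        Triggers          = if ($domainJoined) { 'Windows Update restarts only' } else { 'Windows Update and user-initiated restarts/shutdowns' }
        OsVolumeProtected = $osProtected
        Risk              = $risk
    }
}

function Disable-Arso {
    # Hardening for devices whose physical security is a concern: set Policy #1 to
    # Disabled (data 1, as in the registry table above) so no credentials are cached.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$PolicyKey = $ArsoPolicyKey)
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set DisableAutomaticRestartSignOn = 1')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name DisableAutomaticRestartSignOn -Value 1 -Type DWord
    }
}

Get-ArsoPosture | Format-List
```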
Additional resources
Autologon is a feature that has been present in Windows for several releases. It is a documented feature of Windows that even has tools such as Autologon for Windows (http://technet.microsoft.com/sysinternals/bb963905.aspx). It allows a single user of the device to sign in automatically without entering credentials. The credentials are configured and stored in the registry as an encrypted LSA secret. This could be problematic for many child cases where account lockdown may occur between bed time and wake-up, particularly if the maintenance window is commonly during this time.
TPM Key Attestation
3/5/2021 • 13 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Author : Justin Turner, Senior Support Escalation Engineer with the Windows group
Overview
While support for TPM-protected keys has existed since Windows 8, there were no mechanisms for CAs to
cryptographically attest that the certificate requester private key is actually protected by a Trusted Platform
Module (TPM). This update enables a CA to perform that attestation and to reflect that attestation in the issued
certificate.
NOTE
This article assumes that the reader is familiar with the certificate template concept (for reference, see Certificate Templates). It also assumes that the reader is familiar with how to configure enterprise CAs to issue certificates based on certificate templates (for reference, see Checklist: Configure CAs to Issue and Manage Certificates).
Terminology (Term / Definition)
Deployment overview
In this deployment, it is assumed that a Windows Server 2012 R2 enterprise CA is set up. Also, clients (Windows
8.1) are configured to enroll against that enterprise CA using certificate templates.
There are three steps to deploying TPM key attestation:
1. Plan the TPM trust model: The first step is to decide which TPM trust model to use. There are 3
supported ways for doing this:
Trust based on user credential: The enterprise CA trusts the user-provided EKPub as part of the
certificate request and no validation is performed other than the user's domain credentials.
Trust based on EKCert: The enterprise CA validates the EKCert chain that is provided as part of
the certificate request against an administrator-managed list of acceptable EK cert chains. The
acceptable chains are defined per-manufacturer and are expressed via two custom certificate
stores on the issuing CA (one store for the intermediate and one for root CA certificates). This trust
mode means that all TPMs from a given manufacturer are trusted. Note that in this mode, TPMs in
use in the environment must contain EKCerts.
Trust based on EKPub: The enterprise CA validates that the EKPub provided as part of the
certificate request appears in an administrator-managed list of allowed EKPubs. This list is
expressed as a directory of files where the name of each file in this directory is the SHA-2 hash of
the allowed EKPub. This option offers the highest assurance level but requires more administrative
effort, because each device is individually identified. In this trust model, only the devices that have
had their TPM's EKPub added to the allowed list of EKPubs are permitted to enroll for a TPM-
attested certificate.
Depending on which method is used, the CA will apply a different issuance policy OID to the issued
certificate. For more details about issuance policy OIDs, see the Issuance Policy OIDs table in the
Configure a certificate template section in this topic.
Note that it is possible to choose a combination of TPM trust models. In this case, the CA will accept any
of the attestation methods, and the issuance policy OIDs will reflect all attestation methods that succeed.
2. Configure the certificate template: Configuring the certificate template is described in the Deployment details section in this topic. This article does not cover how this certificate template is assigned to the enterprise CA or how enrollment access is given to a group of users. For more information, see Checklist: Configure CAs to Issue and Manage Certificates.
3. Configure the CA for the TPM trust model
a. Trust based on user credential: No specific configuration is required.
b. Trust based on EKCert: The administrator must obtain the EKCert chain certificates from TPM manufacturers, and import them into two new certificate stores, created by the administrator, on the CA that performs TPM key attestation. For more information, see the CA configuration section in this topic.
c. Trust based on EKPub: The administrator must obtain the EKPub for each device that will need
TPM-attested certificates and add them to the list of allowed EKPubs. For more information, see
the CA configuration section in this topic.
NOTE
This feature requires Windows 8.1/Windows Server 2012 R2.
TPM key attestation for third-party smart card KSPs is not supported. Microsoft Platform Crypto Provider KSP
must be used.
TPM key attestation only works for RSA keys.
TPM key attestation is not supported for a standalone CA.
TPM key attestation does not support non-persistent certificate processing.
Deployment details
Configure a certificate template
To configure the certificate template for TPM key attestation, do the following configuration steps:
1. Compatibility tab
In the Compatibility Settings section:
Ensure Windows Server 2012 R2 is selected for the Certification Authority.
Ensure Windows 8.1 / Windows Server 2012 R2 is selected for the Certificate recipient.
2. Cryptography tab
Ensure Key Storage Provider is selected for the Provider Category and RSA is selected for the Algorithm name. Ensure Requests must use one of the following providers is selected and the Microsoft Platform Crypto Provider option is selected under Providers.
3. Key Attestation tab
This is a new tab for Windows Server 2012 R2:
User credentials: Allow an authenticating user to vouch for a valid TPM by specifying their
domain credentials.
Endorsement certificate: The EKCert of the device must validate through administrator-managed TPM intermediate CA certificates to an administrator-managed root CA certificate. If you
choose this option, you must set up EKCA and EKRoot certificate stores on the issuing CA as
described in the CA configuration section in this topic.
Endorsement Key: The EKPub of the device must appear in the PKI administrator-managed list.
This option offers the highest assurance level but requires more administrative effort. If you
choose this option, you must set up an EKPub list on the issuing CA as described in the CA
configuration section in this topic.
Finally, decide which issuance policy to show in the issued certificate. By default, each enforcement type
has an associated object identifier (OID) that will be inserted into the certificate if it passes that
enforcement type, as described in the following table. Note that it is possible to choose a combination of
enforcement methods. In this case, the CA will accept any of the attestation methods, and the issuance
policy OID will reflect all attestation methods that succeeded.
Issuance Policy OIDs
The OIDs will be inserted into the issued certificate if Include Issuance Policies is selected (the default
configuration).
TIP
One potential use of having the OID present in the certificate is to limit access to VPN or wireless networking to
certain devices. For example, your access policy might allow connection (or access to a different VLAN) if OID
1.3.6.1.4.1.311.21.30 is present in the certificate. This allows you to limit access to devices whose TPM EK is
present in the EKPUB list.
CA configuration
1. Set up EKCA and EKROOT certificate stores on an issuing CA
If you chose Endorsement Certificate for the template settings, do the following configuration steps:
a. Use Windows PowerShell to create two new certificate stores on the certification authority (CA)
server that will perform TPM key attestation.
b. Obtain the intermediate and root CA certificate(s) from manufacturer(s) that you want to allow in
your enterprise environment. Those certificates must be imported into the previously-created
certificate stores (EKCA and EKROOT) as appropriate.
The following Windows PowerShell script performs both of these steps. In the following example, the TPM manufacturer Fabrikam has provided a root certificate FabrikamRoot.cer and an issuing CA certificate FabrikamCa.cer, both placed in C:\ on the CA.
# Create the two custom stores in the local machine certificate store
New-Item -Path Cert:\LocalMachine\EKROOT
New-Item -Path Cert:\LocalMachine\EKCA
# Import the manufacturer's root and issuing CA certificates into the matching store.
# Import-Certificate (PKI module) is used here in place of the original copy commands,
# which do not place a .cer file into the Cert: drive.
Import-Certificate -FilePath C:\FabrikamRoot.cer -CertStoreLocation Cert:\LocalMachine\EKROOT
Import-Certificate -FilePath C:\FabrikamCa.cer -CertStoreLocation Cert:\LocalMachine\EKCA
Operation / command syntax table
2. Set up an EKPub list on an issuing CA
a. Configure the EKPub list directories (registry editor, value name / type / data):
HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\
EndorsementKeyListDirectories will contain a list of UNC or local file system paths, each pointing to a folder that the CA has Read access to. Each folder may contain zero or more allow list entries, where each entry is a file with a name that is the SHA-2 hash of a trusted EKPub, with no file extension. Creating or editing this registry key configuration requires a restart of the CA, just like existing CA registry configuration settings. However, edits to the configuration setting will take effect immediately and will not require the CA to be restarted.
IMPORTANT
Secure the folders in the list from tampering and unauthorized access by configuring permissions so that
only authorized administrators have Read and Write access. The computer account of the CA requires Read
access only.
b. Populate the EKPub list: Use the following Windows PowerShell cmdlet on each device to obtain the public key hash of the TPM EK, and then send this public key hash to the CA and store it in the EKPub list folder.
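The following is an added example, not code from the original article. It covers the whole EKPub-list path: reading the EKPub hash on the client with Get-TpmEndorsementKeyInfo, creating the allow-list folder on the CA with the permissions the IMPORTANT note calls for, registering it in EndorsementKeyListDirectories, adding the hash entry, and confirming trust with Confirm-CAEndorsementKeyInfo. The folder path and CA computer account are placeholders, and the registry value is assumed to sit under the active CA's subkey of CertSvc\Configuration.

```powershell
# Added example; assumes the TrustedPlatformModule (client) and ADCSAdministration (CA) modules.

# --- Client side: read the SHA-256 hash of the TPM endorsement public key ---
function Get-EkPubHash {
    $ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
    if (-not $ek.IsPresent) { throw 'This device reports no TPM endorsement key.' }
    # Confirm-CAEndorsementKeyInfo expects exactly 64 hex characters; validate before sending it on.
    if ($ek.PublicKeyHash -notmatch '^[0-9A-Fa-f]{64}$') { throw "Unexpected EKPub hash: $($ek.PublicKeyHash)" }
    return $ek.PublicKeyHash
}

# --- CA side: allow-list folder with tight permissions ---
function New-EkPubListDirectory {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$CAComputerAccount)   # placeholder, e.g. 'CONTOSO\CA01$'
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # Per the IMPORTANT note: only administrators may write, the CA computer account reads,
    # and inherited ACEs are dropped so nothing else can tamper with the list.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $flags  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $admins = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $flags, 'None', 'Allow')
    $caRead = New-Object System.Security.AccessControl.FileSystemAccessRule($CAComputerAccount, 'ReadAndExecute', $flags, 'None', 'Allow')
    $acl.AddAccessRule($admins)
    $acl.AddAccessRule($caRead)
    Set-Acl -Path $Path -AclObject $acl
    return (Get-Item $Path).FullName
}

# --- CA side: register the folder in EndorsementKeyListDirectories (REG_MULTI_SZ) ---
function Register-EkPubListDirectory {
    # Assumption: the value lives under the active CA's Configuration subkey. A newly
    # created value is read only after the CA service restarts; later edits apply live.
    param([Parameter(Mandatory)][string]$Path)
    $cfg   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caKey = Join-Path $cfg (Get-ItemProperty -Path $cfg -Name Active).Active
    $existing = @((Get-ItemProperty -Path $caKey -ErrorAction SilentlyContinue).EndorsementKeyListDirectories | Where-Object { $_ })
    if ($existing -notcontains $Path) {
        Set-ItemProperty -Path $caKey -Name EndorsementKeyListDirectories -Value ($existing + $Path) -Type MultiString
    }
}

# --- CA side: add one device and confirm the CA now trusts it ---
function Add-EkPubToAllowList {
    # Each entry is an empty file named with the EKPub hash and no extension.
    param([Parameter(Mandatory)][string]$PublicKeyHash, [Parameter(Mandatory)][string]$ListDirectory)
    if ($PublicKeyHash -notmatch '^[0-9A-Fa-f]{64}$') { throw 'Expected a 64-character SHA-256 hash.' }
    $entry = Join-Path $ListDirectory $PublicKeyHash
    if (-not (Test-Path $entry)) { New-Item -ItemType File -Path $entry | Out-Null }
    Confirm-CAEndorsementKeyInfo -PublicKeyHash $PublicKeyHash
}

# Usage (client, then CA):
#   $hash = Get-EkPubHash                      # send this string to the CA administrator
#   $dir  = New-EkPubListDirectory -Path 'C:\EKPubList' -CAComputerAccount 'CONTOSO\CA01$'
#   Register-EkPubListDirectory -Path $dir     # restart certsvc the first time the value is created
#   Add-EkPubToAllowList -PublicKeyHash $hash -ListDirectory $dir
```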
Troubleshooting
Key attestation fields are unavailable on a certificate template
The Key Attestation fields are not available if the template settings do not meet the requirements for attestation.
Common reasons are:
1. The compatibility settings are not configured correctly. Make sure that they are configured as follows:
a. Certification Authority: Windows Server 2012 R2
b. Certificate Recipient: Windows 8.1/Windows Server 2012 R2
2. The cryptography settings are not configured correctly. Make sure that they are configured as follows:
a. Provider Category: Key Storage Provider
b. Algorithm Name: RSA
c. Providers: Microsoft Platform Crypto Provider
3. The request handling settings are not configured correctly. Make sure that they are configured as follows:
a. The Allow private key to be exported option must not be selected.
b. The Archive subject's encryption private key option must not be selected.
Verification of TPM device for attestation
Use the Windows PowerShell cmdlet, Confirm-CAEndorsementKeyInfo , to verify that a specific TPM device is
trusted for attestation by CAs. There are two options: one for verifying the EKCert, and the other for verifying an
EKPub. The cmdlet is either run locally on a CA, or on remote CAs by using Windows PowerShell remoting.
1. For verifying trust on an EKPub, do the following two steps:
a. Extract the EKPub from the client computer: The EKPub can be extracted from a client computer via Get-TpmEndorsementKeyInfo. From an elevated command prompt, run the following:
b. Verify trust on an EKPub on a CA computer: Copy the extracted string (the SHA-2 hash of the EKPub) to the server (for example, via email) and pass it to the Confirm-CAEndorsementKeyInfo cmdlet. Note that this parameter must be 64 characters.
2. For verifying trust on an EKCert, do the following two steps:
a. Extract the EKCert from the client computer: From an elevated command prompt, run the following:
$a = Get-TpmEndorsementKeyInfo
$a.ManufacturerCertificates | Export-Certificate -FilePath C:\myEkcert.cer
b. Verify trust on an EKCert on a CA computer: Copy the extracted EKCert (myEkcert.cer) to the CA (for example, via email or xcopy). As an example, if you copy the certificate file to the "c:\diagnose" folder on the CA server, run the following to finish verification:
New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\diagnose\myEkcert.cer" | Confirm-CAEndorsementKeyInfo
See Also
Trusted Platform Module Technology Overview
External Resource: Trusted Platform Module
CA Backup and Restore Windows PowerShell cmdlets
3/5/2021 • 3 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Author : Justin Turner, Senior Support Escalation Engineer with the Windows group
Overview
The ADCSAdministration Windows PowerShell module was introduced in Windows Server 2012. Two new cmdlets were added to this module in Windows Server 2012 R2 to support the backup and restore of a CA.
Backup-CARoleService
Restore-CARoleService
Backup-CARoleService
Table 17: Backup and Restore Windows PowerShell cmdlets
ADCSAdministration cmdlet: Backup-CARoleService
-Password
If the -Password parameter is used, the supplied password must be a secure string. Use the Read-Host cmdlet to launch an interactive prompt for secure password entry, or use the ConvertTo-SecureString cmdlet to specify the password in-line.
Review the following examples
Specifying a secure string for the Password parameter using Read-Host
Specifying a secure string for the Password parameter using ConvertTo-SecureString
Restore-CARoleService
ADCSAdministration cmdlet: Restore-CARoleService
Issues
A non-password protected backup is taken if the ConvertTo-SecureString function fails while using the Backup-
CARoleService with the -Password parameter.
Table 18: Common Errors
Action: Restore-CARoleService C:\ADCSBackup
Error: Restore-CARoleService : The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
Comment: Stop the Active Directory Certificate Services service prior to running the Restore-CARoleService cmdlet
Action: Restore-CARoleService C:\ADCSBackup
Error: Restore-CARoleService : The directory is not empty. (Exception from HRESULT: 0x80070091)
Comment: Use the -Force parameter to overwrite preexisting keys
Action: Backup-CARoleService C:\ADCSBackup -Password (Read-Host -Prompt "Password:" -AsSecureString) -DatabaseOnly
Error: Backup-CARoleService : Parameter set cannot be resolved using the specified named parameters.
Comment: The -Password parameter is only used to password protect private keys and is therefore invalid when you are not backing them up
Action: Restore-CARoleService C:\ADCSBack15 -Password (Read-Host -Prompt "Password:" -AsSecureString) -DatabaseOnly
Error: Restore-CARoleService : Parameter set cannot be resolved using the specified named parameters.
Comment: The -Password parameter is only used to password protect private keys and is therefore invalid when you are not restoring them
Action: Restore-CARoleService C:\ADCSBack14 -Password (Read-Host -Prompt "Password:" -AsSecureString)
Error: Restore-CARoleService : The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
Comment: The path specified does not contain a valid database backup. Perhaps the path is invalid or the backup was taken with the -KeysOnly option?
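The following is an added example, not code from the original article. It wraps the two cmdlets so that the issue noted above cannot occur (the secure string is built and checked before Backup-CARoleService runs, so a failed ConvertTo-SecureString or Read-Host never yields an unprotected key export), stops certsvc before a restore, and maps the HRESULTs from Table 18 to their causes. Paths are placeholders; the ADCSAdministration module is assumed.

```powershell
# Added example; assumes the ADCSAdministration module on the CA and a writable backup folder.

function Backup-CARoleServiceSafely {
    # The secure string is a separate, validated step. If the password expression fails
    # inside the argument list of Backup-CARoleService, the cmdlet still runs, just with no
    # -Password, and the private key is exported unprotected.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path,
          [System.Security.SecureString]$Password,   # built with ConvertTo-SecureString, or omit to be prompted
          [switch]$KeysOnly)
    if (-not $Password) { $Password = Read-Host -Prompt 'Password for the exported private key' -AsSecureString }
    if ($Password.Length -eq 0) { throw 'Empty password: refusing to export the CA private key unprotected.' }
    # -Password is only valid when keys are part of the backup; combining it with -DatabaseOnly
    # fails with "Parameter set cannot be resolved" (Table 18), so that set is not offered here.
    if ($KeysOnly) { Backup-CARoleService -Path $Path -Password $Password -KeysOnly -ErrorAction Stop }
    else           { Backup-CARoleService -Path $Path -Password $Password -ErrorAction Stop }
}

function Restore-CARoleServiceSafely {
    # Stops certsvc first (otherwise 0x80070020), translates the Table 18 HRESULTs into the
    # matching remedy, and brings the service back up whatever happened.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path,
          [System.Security.SecureString]$Password,
          [switch]$DatabaseOnly,
          [switch]$Force)
    if (-not (Test-Path -Path $Path -PathType Container)) { throw "Backup folder not found: $Path" }
    if (-not $PSCmdlet.ShouldProcess($Path, 'Restore CA role service')) { return }

    if ((Get-Service -Name certsvc).Status -eq 'Running') { Stop-Service -Name certsvc -ErrorAction Stop }
    try {
        $params = @{ Path = $Path; ErrorAction = 'Stop' }
        if ($Force) { $params.Force = $true }
        if ($DatabaseOnly) { $params.DatabaseOnly = $true }   # -Password would be invalid here (Table 18)
        elseif ($Password) { $params.Password = $Password }
        Restore-CARoleService @params
    } catch {
        $err  = $_
        $code = '{0:X8}' -f $err.Exception.HResult          # negative Int32 -> e.g. "80070020"
        $hint = switch ($code) {
            '80070020' { 'File in use: the CA service was still running.' }
            '80070091' { 'Target directory not empty: re-run with -Force to overwrite existing keys.' }
            '80070002' { 'No database backup at that path: wrong folder, or the backup was taken with -KeysOnly.' }
            default    { $err.Exception.Message }
        }
        throw "Restore-CARoleService failed ($code): $hint"
    } finally {
        Start-Service -Name certsvc
    }
}

# The two password forms the text describes:
#   Backup-CARoleServiceSafely -Path C:\ADCSBackup                                        # prompted via Read-Host
#   Backup-CARoleServiceSafely -Path C:\ADCSBackup -Password (ConvertTo-SecureString '<password>' -AsPlainText -Force)
#   Restore-CARoleServiceSafely -Path C:\ADCSBackup -Password (Read-Host -Prompt 'Password:' -AsSecureString) -Force
```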
Additional Resources
Active Directory Certificate Services Migration Guide
Backing up a CA database and private key
Restoring the CA database and configuration on the destination server
Author : Justin Turner, Senior Support Escalation Engineer with the Windows group
Overview
The pre-existing process creation audit event ID 4688 now includes audit information for command line processes.
It also logs the SHA1/2 hash of the executable in the AppLocker event log:
Application and Services Logs\Microsoft\Windows\AppLocker
You enable this via GPO; it is disabled by default:
"Include command line in process creation events"
Figure 16: Event 4688
Review the updated event ID 4688 in Figure 16. Prior to this update, none of the information for Process
Command Line was logged. Because of this additional logging we can now see not only that the wscript.exe
process was started, but also that it was used to execute a VB script.
Configuration
To see the effects of this update, you will need to enable two policy settings.
You must have Audit Process Creation auditing enabled to see event ID 4688.
To enable the Audit Process Creation policy, edit the following group policy:
Policy location: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit
Configuration > Detailed Tracking
Policy Name: Audit Process Creation
Supported on: Windows 7 and above
Description/Help:
This security policy setting determines whether the operating system generates audit events when a process is
created (starts) and the name of the program or user that created it.
These audit events can help you understand how a computer is being used and to track user activity.
Event volume: Low to medium, depending on system usage
Default: Not configured
In order to see the additions to event ID 4688, you must enable the new policy setting: Include command line
in process creation events
Table 19: Command line process policy setting (columns: Policy, Configuration, Details)
When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not
overwritten by basic audit policy settings. Event 4719 is logged when the settings are overwritten.
The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy
settings.
To ensure that Advanced Audit Policy Configuration settings are not overwritten
Additional Resources
Audit Process Creation
Advanced Security Audit Policy Step-by-Step Guide
AppLocker: Frequently Asked Questions
Try This: Explore command line process auditing
1. Enable Audit Process Creation events and ensure the Advanced Audit Policy configuration is not
overwritten
2. Create a script that will generate some events of interest and execute the script. Observe the events. The
script used to generate the event in the lesson looked like this:
mkdir c:\systemfiles\temp\commandandcontrol\zone\fifthward
copy \\192.168.1.254\c$\hidden c:\systemfiles\temp\hidden\commandandcontrol\zone\fifthward
start C:\systemfiles\temp\hidden\commandandcontrol\zone\fifthward\ntuserrights.vbs
del c:\systemfiles\temp\*.* /Q
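An added example (not part of the lesson) that applies the two settings the lesson requires without Group Policy and then reads the resulting 4688 events, surfacing script-host launches such as the wscript.exe case in Figure 16. It assumes an elevated session; the registry value is the one the "Include command line in process creation events" policy writes, and the list of script hosts is constructed.

```powershell
function Enable-ProcessCommandLineAuditing {
    # Audit Process Creation (Detailed Tracking) must be on for event ID 4688 at all.
    # On a domain-joined host a basic audit policy in GPO can overwrite this local
    # setting (event 4719 is logged when that happens), which is why the lesson
    # insists on the Advanced Audit Policy configuration not being overwritten.
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

    # "Include command line in process creation events" is disabled by default; this
    # is the registry value the policy sets.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

function Get-ScriptHostLaunches {
    param(
        [datetime] $Since = (Get-Date).AddHours(-1),
        # Interpreters whose command line is worth reviewing (constructed list).
        [string[]] $ScriptHosts = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'mshta.exe')
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The message text is localized; the EventData XML carries stable field names.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $proc = $data['NewProcessName']
        $cmd  = $data['CommandLine']        # empty until the policy above is enabled
        $leaf = [System.IO.Path]::GetFileName($proc)

        if ($cmd -and ($ScriptHosts -contains $leaf)) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $proc
                # ParentProcessName is only present in newer Windows versions of 4688.
                Parent      = $data['ParentProcessName']
                CommandLine = $cmd
            }
        }
    }
}

# Usage (constructed): enable once, generate activity, then review.
# Enable-ProcessCommandLineAuditing
# Get-ScriptHostLaunches -Since (Get-Date).AddMinutes(-15) | Format-List
```

With the command line policy disabled, the same query returns nothing because CommandLine is empty, which is the "before" state the lesson describes.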
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Author: Justin Turner, Senior Support Escalation Engineer with the Windows group
This lesson explains the Directory Services component updates in Windows Server 2012 R2.
NOTE
The deprecation of FRS is accomplished by removing the ability to install a new domain with a domain functional level
lower than Windows Server 2008 with Server Manager or via Windows PowerShell.
To raise or lower the domain functional level using Windows PowerShell, use the Set-ADDomainMode cmdlet.
To set the contoso.com DFL to Windows Server 2008 mode:
Promotion of a DC running Windows Server 2012 R2 as an additional replica into an existing domain running
2003 DFL works.
New domain creation in an existing forest
ADPREP
There are no new forest or domain operations in this release.
These .ldf files contain schema changes for the Device Registration Service:
1. Sch59
2. Sch61
3. Sch62
4. Sch63
5. Sch64
6. Sch65
7. Sch67
Work Folders:
1. Sch66
MSODS:
1. Sch60
Authentication Policies and Silos
1. Sch68
2. Sch69
Deprecation of NTFRS
Overview
FRS is deprecated in Windows Server 2012 R2. The deprecation of FRS is accomplished by enforcing a
minimum domain functional level (DFL) of Windows Server 2008. This enforcement is present only if the new
domain is created using Server Manager or Windows PowerShell.
You use the -DomainMode parameter with the Install-ADDSForest or Install-ADDSDomain cmdlets to specify the
domain functional level. Supported values for this parameter can be either a valid integer or a corresponding
enumerated string value. For example, to set the domain mode level to Windows Server 2008 R2, you can
specify either a value of 4 or "Win2008R2". When executing these cmdlets from Server 2012 R2 valid values
include those for Windows Server 2008 (3, Win2008) Windows Server 2008 R2 (4, Win2008R2) Windows
Server 2012 (5, Win2012) and Windows Server 2012 R2 (6, Win2012R2). The domain functional level cannot be
lower than the forest functional level, but it can be higher. Since FRS is deprecated in this release, Windows
Server 2003 (2, Win2003) is not a recognized parameter with these cmdlets when executed from Windows
Server 2012 R2.
NOTE
From the developer: improvements in the performance of searches through improvements in the mapping from LDAP
query to ESE query. LDAP filters beyond a certain level of complexity prevent optimized index selection, resulting in
drastically decreased performance (1000x or more). This change alters the way in which indices are selected for LDAP
queries to avoid this problem.
NOTE
A complete overhaul of the LDAP query optimizer algorithm, resulting in:
Faster search times
Efficiency gains allow DCs to do more
Fewer support calls regarding AD performance issues
Back ported to Windows Server 2008 R2 (KB 2862304)
Background
The ability to search Active Directory is a core service provided by domain controllers. Other services and line of
business applications rely on Active Directory searches. Business operations can grind to a halt if this feature is
not available. As a core and heavily used service, it is imperative that domain controllers handle LDAP search
traffic efficiently. The LDAP query optimizer algorithm attempts to make LDAP searches as efficient as possible by
mapping LDAP search filters to a result set that can be satisfied via records already indexed in the database. This
algorithm was reevaluated and further optimized. The result is the performance improvement in LDAP search
efficiency and LDAP search time of complex queries.
Details of change
An LDAP search contains:
A location (NC head, OU, Object) within the hierarchy to begin the search
A search filter
A list of attributes to return
The search process can be summarized as follows:
1. Simplify the search filter if possible.
2. Select a set of Index Keys that will return the smallest covered set.
3. Perform one or more intersections of Index Keys, to reduce the covered set.
4. For each record in the covered set, evaluate the filter expression as well as the security. If the filter
evaluates to TRUE and access is granted, then return this record to the client.
The LDAP query optimization work modifies steps 2 and 3, to reduce the size of the covered set. More
specifically, the current implementation selects duplicate Index Keys and performs redundant intersections.
Comparison between old and new algorithm
The target of the inefficient LDAP search in this example is a Windows Server 2012 domain controller. The
search completes in approximately 44 seconds as a result of failing to find a more efficient index.
Old algorithm:
Statistics
=====
Elapsed Time: 44640 (ms)
Returned 324 entries of 553896 visited - (0.06%)
Used Filter:
( | ( & ( | (cn=justintu) (postalCode=80304) (userPrincipalName=justintu@blue.contoso.com) ) ( |
(objectClass=person) (cn=justintu) ) ) ( & (cn=justintu) (objectClass=person) ) )
Used Indices:
DNT_index:516615:N
New algorithm:
Statistics
=====
Elapsed Time: 672 (ms)
Returned 324 entries of 648 visited - (50.00%)
Used Filter:
( | ( & ( | (cn=justintu) (postalCode=80304) (userPrincipalName=justintu@blue.contoso.com) ) ( |
(objectClass=person) (cn=justintu) ) ) ( & (cn=justintu) (objectClass=person) ) )
Used Indices:
idx_userPrincipalName:648:N
idx_postalCode:323:N
idx_cn:1:N
NOTE
Additional LDAP search statistics are added to event ID 1644 to aid in troubleshooting inefficient or expensive LDAP
searches
You can now specify a Search Time Threshold (e.g., log event 1644 for searches taking longer than 100 ms) instead of
specifying the Expensive and Inefficient search result threshold values.
Background
While troubleshooting Active Directory performance problems, it may become apparent that LDAP search activity
is contributing to the problem. You decide to enable logging so that you can see expensive or inefficient
LDAP queries processed by the domain controller. To enable the logging, you must set the Field Engineering
diagnostics value and can optionally specify the expensive / inefficient search results threshold values. Upon
setting the Field Engineering logging level to a value of 5, any search that meets these criteria is logged in the
Directory Services event log with event ID 1644.
The event contains:
Client IP and port
Starting Node
Filter
Search scope
Attribute selection
Server controls
Visited entries
Returned entries
However, key data is missing from the event such as the amount of time spent on the search operation and what
(if any) index was used.
Additional search statistics added to event 1644
Used indexes
Pages referenced
Pages read from disk
Pages preread from disk
Clean pages modified
Dirty pages modified
Search time
Attributes Preventing Optimization
New time-based threshold registry value for event 1644 logging
Instead of specifying the Expensive and Inefficient search result threshold values, you can specify Search Time
Threshold. If you wanted to log all search results that took 50 ms or greater, you would specify 50 decimal / 32
hex (in addition to setting the Field Engineering value).
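An added example (not from the article) that turns on Field Engineering logging with the time-based threshold described above and then collects the resulting 1644 events. The NTDS registry value names are the standard ones; the 50 ms default is the article's own figure, and the regular expressions for visited/returned entries are an assumption based on the field names the article lists for the event.

```powershell
$NtdsDiagnostics = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$NtdsParameters  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-ExpensiveSearchLogging {
    param([int] $SearchTimeThresholdMs = 50)   # 50 decimal = 0x32

    # Level 5 makes the DC log event 1644 for searches that meet the thresholds.
    Set-ItemProperty -Path $NtdsDiagnostics -Name '15 Field Engineering' -Value 5 -Type DWord

    # Time-based threshold in milliseconds; replaces the Expensive / Inefficient
    # search result thresholds as the trigger for logging.
    Set-ItemProperty -Path $NtdsParameters -Name 'Search Time Threshold (msecs)' `
        -Value $SearchTimeThresholdMs -Type DWord
}

function Disable-ExpensiveSearchLogging {
    # Field Engineering logging is verbose; turn it back off after the investigation.
    Set-ItemProperty -Path $NtdsDiagnostics -Name '15 Field Engineering' -Value 0 -Type DWord
}

function Get-ExpensiveSearchEvents {
    param([datetime] $Since = (Get-Date).AddMinutes(-30))

    $filter = @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        # Pull the visited/returned counts out of the message when present, so the
        # ratio (the classic "inefficient search" indicator) is available per event.
        $visited  = if ($msg -match '(?s)Visited entries:\s*(\d+)')  { [int]$Matches[1] } else { $null }
        $returned = if ($msg -match '(?s)Returned entries:\s*(\d+)') { [int]$Matches[1] } else { $null }
        $ratio = if ($visited -and $returned -ne $null) { [math]::Round(100.0 * $returned / $visited, 2) } else { $null }

        [pscustomobject]@{
            Time            = $_.TimeCreated
            Visited         = $visited
            Returned        = $returned
            ReturnedPercent = $ratio
            Message         = $msg
        }
    }
}

# Usage (constructed): log searches slower than 100 ms, reproduce the workload, review, then disable.
# Enable-ExpensiveSearchLogging -SearchTimeThresholdMs 100
# Get-ExpensiveSearchEvents | Sort-Object ReturnedPercent | Format-Table Time, Visited, Returned, ReturnedPercent
# Disable-ExpensiveSearchLogging
```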
This update increases the maximum throughput to around 600 Mbps by changing the RPC send buffer size
from 8 KB to 256 KB. This change allows the TCP window size to grow beyond 8 KB, reducing the number of network
round trips.
NOTE
There are no configurable settings to modify this behavior.
Additional Resources
How the Active Directory Replication Model Works
Guidance about how to configure protected
accounts
3/5/2021 • 18 minutes to read • Edit Online
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Through Pass-the-hash (PtH) attacks, an attacker can authenticate to a remote server or service by using the
underlying NTLM hash of a user's password (or other credential derivatives). Microsoft has previously published
guidance to mitigate pass-the-hash attacks. Windows Server 2012 R2 includes new features to help mitigate
such attacks further. For more information about other security features that help protect against credential
theft, see Credentials Protection and Management. This topic explains how to configure the following new
features:
Protected Users
Authentication policies
Authentication policy silos
There are additional mitigations built in to Windows 8.1 and Windows Server 2012 R2 to help protect against
credential theft, which are covered in the following topics:
Restricted Admin mode for Remote Desktop
LSA Protection
Protected Users
Protected Users is a new global security group to which you can add new or existing users. Windows 8.1 devices
and Windows Server 2012 R2 hosts have special behavior with members of this group to provide better
protection against credential theft. For a member of the group, a Windows 8.1 device or a Windows Server 2012
R2 host does not cache credentials that are not supported for Protected Users. Members of this group have no
additional protection if they are logged on to a device that runs a version of Windows earlier than Windows 8.1.
Members of the Protected Users group who are signed-on to Windows 8.1 devices and Windows Server 2012
R2 hosts can no longer use:
Default credential delegation (CredSSP) - plaintext credentials are not cached even when the Allow
delegating default credentials policy is enabled
Windows Digest - plaintext credentials are not cached even when they are enabled
NTLM - NTOWF is not cached
Kerberos long term keys - Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically
Sign-on offline - the cached logon verifier is not created
If the domain functional level is Windows Server 2012 R2 , members of the group can no longer:
Authenticate by using NTLM authentication
Use Data Encryption Standard (DES) or RC4 cipher suites in Kerberos pre-authentication
Be delegated by using unconstrained or constrained delegation
Renew user tickets (TGTs) beyond the initial 4-hour lifetime
To add users to the group, you can use UI tools such as Active Directory Administrative Center (ADAC) or Active
Directory Users and Computers, a command-line tool such as Dsmod group, or the Windows PowerShell
Add-ADGroupMember cmdlet. Accounts for services and computers should not be members of the
Protected Users group. Membership for those accounts provides no local protections because the password or
certificate is always available on the host.
WARNING
The authentication restrictions have no workaround, which means that members of highly privileged groups such as the
Enterprise Admins group or the Domain Admins group are subject to the same restrictions as other members of the
Protected Users group. If all members of such groups are added to the Protected Users group, it is possible for all of
those accounts to be locked out. You should never add all highly privileged accounts to the Protected Users group until
you have thoroughly tested the potential impact.
Members of the Protected Users group must be able to authenticate by using Kerberos with Advanced
Encryption Standards (AES). This method requires AES keys for the account in Active Directory. The built-in
Administrator does not have an AES key unless the password was changed on a domain controller that runs
Windows Server 2008 or later. Additionally, any account, which has a password that was changed at a domain
controller that runs an earlier version of Windows Server, is locked out. Therefore, follow these best practices:
Do not test in domains unless all domain controllers run Windows Server 2008 or later.
Change the password for all domain accounts that were created before the domain was created.
Otherwise, these accounts cannot be authenticated.
Change the password for each user before adding the account to the Protected Users group, or ensure that
the password was changed recently on a domain controller that runs Windows Server 2008 or later.
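An added example (not from the article) that adds accounts to Protected Users only after checking the best practices above: no pre-2008 domain controllers, only user accounts (not computers or service accounts), a recent password change, and at least one member of each highly privileged group left outside the group so a lockout cannot take everyone at once. The function name, the 30-day password window and the group list are this example's assumptions.

```powershell
Import-Module ActiveDirectory -ErrorAction Stop

function Add-ProtectedUserChecked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Identity,
        # Accounts whose password predates this cut-off may lack AES keys.
        [datetime] $PasswordNotBefore = (Get-Date).AddDays(-30),
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
    )

    # Protected Users requires Kerberos AES, which needs every DC at 2008 or later.
    $oldDCs = Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -match 'Windows 2000|Windows Server 2003' }
    if ($oldDCs) {
        throw "Domain controllers older than Windows Server 2008 are present: $($oldDCs.Name -join ', ')"
    }

    $protected = Get-ADGroup -Identity 'Protected Users'
    $alreadyProtected = @(Get-ADGroupMember -Identity $protected -Recursive | Select-Object -ExpandProperty SamAccountName)

    # Never let this change put every member of a privileged group under the restrictions.
    foreach ($g in $PrivilegedGroups) {
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                     Where-Object { $_.objectClass -eq 'user' })
        if (-not $members) { continue }
        $remaining = $members | Where-Object {
            $_.SamAccountName -notin $alreadyProtected -and $_.SamAccountName -notin $Identity
        }
        if (-not $remaining) {
            throw "Adding these accounts would place every member of '$g' into Protected Users; keep at least one out."
        }
    }

    foreach ($id in $Identity) {
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$id'" -Properties objectClass, pwdLastSet
        if (-not $obj) { Write-Warning "'$id' not found; skipped."; continue }

        # Service and computer accounts gain nothing from membership (credentials
        # are always present on the host), so refuse them.
        if ($obj.ObjectClass -ne 'user') {
            Write-Warning "'$id' is a $($obj.ObjectClass); only user accounts belong in Protected Users."
            continue
        }

        # pwdLastSet is a FILETIME; 0 means the password was never set on this DC chain.
        $lastSet = [datetime]::FromFileTime([int64]$obj.pwdLastSet)
        if ($lastSet -lt $PasswordNotBefore) {
            Write-Warning "'$id' password last set $lastSet; change it on a 2008+ DC before adding."
            continue
        }

        if ($PSCmdlet.ShouldProcess($id, "Add to Protected Users")) {
            Add-ADGroupMember -Identity $protected -Members $obj.DistinguishedName
        }
    }
}

# Usage (constructed): preview first, then apply.
# Add-ProtectedUserChecked -Identity 'jdoe', 'asmith' -WhatIf
# Add-ProtectedUserChecked -Identity 'jdoe', 'asmith'
```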
Requirements for using protected accounts
Protected accounts have the following deployment requirements:
To provide client-side restrictions for Protected Users, hosts must run Windows 8.1 or Windows Server
2012 R2. A user only has to sign on with an account that is a member of a Protected Users group. In this
case, the Protected Users group can be created by transferring the primary domain controller (PDC)
emulator role to a domain controller that runs Windows Server 2012 R2. After that group object is
replicated to other domain controllers, the PDC emulator role can be hosted on a domain controller that
runs an earlier version of Windows Server.
To provide domain controller-side restrictions for Protected Users, that is, to restrict usage of NTLM
authentication and other restrictions, the domain functional level must be Windows Server 2012 R2. For
more information about functional levels, see Understanding Active Directory Domain Services (AD DS)
Functional Levels.
Troubleshoot events related to Protected Users
This section covers new logs to help troubleshoot events that are related to Protected Users and how Protected
Users can impact changes to troubleshoot either ticket-granting tickets (TGT) expiration or delegation issues.
New logs for Protected Users
Two new operational administrative logs are available to help troubleshoot events that are related to Protected
Users: Protected User - Client Log and Protected User Failures - Domain Controller Log. These new logs are
located in Event Viewer and are disabled by default. To enable a log, click Applications and Services Logs,
click Microsoft, click Windows, click Authentication, and then click the name of the log and click Action (or
right-click the log) and click Enable Log.
For more information about events in these logs, see Authentication Policies and Authentication Policy Silos.
Troubleshoot TGT expiration
Normally, the domain controller sets the TGT lifetime and renewal based on the domain policy as shown in the
following Group Policy Management Editor window.
NOTE
Although it is possible to change the configuration of supported encryption types, it is not recommended to
change those settings for computer accounts without testing in the target environment.
Restrict user tickets (TGTs) to an initial 4-hour lifetime: Use Authentication Policies.
Deny delegation with unconstrained or constrained delegation: To restrict an account, open Active
Directory Administrative Center (ADAC) and select the Account is sensitive and cannot be
delegated check box.
Authentication policies
Authentication Policies is a new container in AD DS that contains authentication policy objects. Authentication
policies can specify settings that help mitigate exposure to credential theft, such as restricting TGT lifetime for
accounts or adding other claims-related conditions.
In Windows Server 2012, Dynamic Access Control introduced an Active Directory forest-scope object class
called Central Access Policy to provide an easy way to configure file servers across an organization. In Windows
Server 2012 R2, a new object class called Authentication Policy (objectClass msDS-AuthNPolicies) can be used
to apply authentication configuration to account classes in Windows Server 2012 R2 domains. Active Directory
account classes are:
User
Computer
Managed Service Account and group Managed Service Account (GMSA)
Quick Kerberos refresher
The Kerberos authentication protocol consists of three types of exchanges, also known as subprotocols:
The Authentication Service (AS) Exchange (KRB_AS_*)
The Ticket-Granting Service (TGS) Exchange (KRB_TGS_*)
The Client/Server (AP) Exchange (KRB_AP_*)
The AS exchange is where the client uses the account's password or private key to create a pre-authenticator to
request a ticket-granting ticket (TGT). This happens at user sign-on or the first time a service ticket is needed.
The TGS exchange is where the account's TGT is used to create an authenticator to request a service ticket. This
happens when an authenticated connection is needed.
The AP exchange typically occurs as data inside the application protocol and is not impacted by
authentication policies.
For more detailed information, see How the Kerberos Version 5 Authentication Protocol Works.
Overview
Authentication policies complement Protected Users by providing a way to apply configurable restrictions to
accounts and by providing restrictions for accounts for services and computers. Authentication policies are
enforced during either the AS exchange or the TGS exchange.
You can restrict initial authentication or the AS exchange by configuring:
A TGT lifetime
Access control conditions to restrict user sign-on, which must be met by devices from which the AS
exchange is coming
You can restrict service ticket requests through a ticket-granting service (TGS) exchange by configuring:
Access control conditions which must be met by the client (user, service, computer) or device from which the
TGS exchange is coming
Requirements for using authentication policies
Policy: Provide custom TGT lifetimes
Requirements: Windows Server 2012 R2 domain functional level account domains

Policy: Restrict user sign-on
Requirements:
- Windows Server 2012 R2 domain functional level account domains with Dynamic Access Control support
- Windows 8, Windows 8.1, Windows Server 2012 or Windows Server 2012 R2 devices with Dynamic Access Control support

Policy: Restrict service ticket issuance that is based on user account and security groups
Requirements: Windows Server 2012 R2 domain functional level resource domains

Policy: Restrict service ticket issuance based on user claims or device account, security groups, or claims
Requirements: Windows Server 2012 R2 domain functional level resource domains with Dynamic Access Control support
2. Under Options, in the drop-down list box, select Always provide claims.
NOTE
Supported can also be configured, but because the domain is at Windows Server 2012 R2 DFL, having the DCs
always provide claims will allow user claims-based access checks to occur when using non-claims-aware devices
and hosts to connect to claims-aware services.
WARNING
Configuring Fail unarmored authentication requests will result in authentication failures from any operating
system which does not support Kerberos armoring, such as Windows 7 and previous operating systems, or
operating systems beginning with Windows 8, which have not been explicitly configured to support it.
NOTE
The selected Authentication node is visible for domains which are at Windows Server 2012 R2 DFL. If the node
does not appear, then try again by using a domain administrator account from a domain that is at Windows
Server 2012 R2 DFL.
2. Click Authentication Policies, and then click New to create a new policy.
Authentication policies must have a display name and are enforced by default.
3. To create an audit-only policy, click Only audit policy restrictions.
Authentication policies are applied based on the Active Directory account type. A single policy can apply
to all three account types by configuring settings for each type. Account types are:
User
Computer
Managed Service Account and Group Managed Service Account
If you have extended the schema with new principals that can be used by the Key Distribution Center
(KDC), then the new account type is classified from the closest derived account type.
4. To configure a TGT lifetime for user accounts, select the Specify a Ticket-Granting Ticket lifetime for
user accounts check box and enter the time in minutes.
For example, if you want a 10-hour maximum TGT lifetime, enter 600 as shown. If no TGT lifetime is
configured, then if the account is a member of the Protected Users group, the TGT lifetime and renewal
is 4 hours. Otherwise, TGT lifetime and renewal are based on the domain policy as seen in the following
Group Policy Management Editor window for a domain with default settings.
5. To restrict the user account to select devices, click Edit to define the conditions that are required for the
device.
Add computer account or group conditions
1. To configure computer accounts or groups, in the drop-down list, select the drop-down list box Member
of each and change to Member of any.
NOTE
This access control defines the conditions of the device or host from which the user signs on. In access control
terminology, the computer account for the device or host is the user, which is why User is the only option.
4. To select computer objects in Active Directory, click Computers, and then click OK.
5. Type the name of the computers to restrict the user, and then click Check Names.
6. Click OK and create any other conditions for the computer account.
7. When done, click OK and the defined conditions will appear for the computer account.
Add computer claim conditions
3. When done, click OK and the box will show the conditions defined.
Troubleshoot missing computer claims
If the claim has been provisioned, but is not available, it might only be configured for Computer classes.
Let's say you wanted to restrict authentication based on the organizational unit (OU) of the computer, which was
already configured, but only for Computer classes.
For the claim to be available to restrict User sign-on to the device, select the User check box.
Provision a user account with an authentication policy with ADAC
1. From the User account, click Policy .
This command gets all authentication policies that match the filter that the Filter parameter specifies.
PS C:\> Get-ADAuthenticationPolicy -Filter "Name -like 'testADAuthenticationPolicy*'" -Server
Server02.Contoso.com
This command modifies the description and the UserTGTLifetimeMins properties of the specified
authentication policy.
This command removes the authentication policy that the Identity parameter specifies.
This command uses the Get-ADAuthenticationPolicy cmdlet with the Filter parameter to get all
authentication policies that are not enforced. The result set is piped to the Remove-ADAuthenticationPolicy
cmdlet.
NOTE
An authentication policy can be applied to members of an authentication policy silo, or it can be applied independently of
silos to restrict specific account scope. For example, to protect a single account or a small set of accounts, a policy can be
set on those accounts without adding the accounts to a silo.
You can create an authentication policy silo by using Active Directory Administrative Center or Windows
PowerShell. By default, an authentication policy silo only audits silo policies, which is equivalent to specifying the
WhatIf parameter in Windows PowerShell cmdlets. In this case, policy silo restrictions do not apply, but audits
are generated to indicate whether failures occur if the restrictions are applied.
To create an authentication policy silo by using Active Directory Administrative Center
1. Open Active Directory Administrative Center, click Authentication, right-click Authentication
Policy Silos, click New, and then click Authentication Policy Silo.
2. In Display name, type a name for the silo. In Permitted Accounts, click Add, type the names of the
accounts, and then click OK. You can specify users, computers, or service accounts. Then specify whether
to use a single policy for all principals or a separate policy for each type of principal, and the name of the
policy or policies.
Name Enforce
---- -------
silo True
silos False
This command uses the Get-ADAuthenticationPolicySilo cmdlet with the Filter parameter to get all
authentication policy silos that are not enforced and pipe the result of the filter to the Remove-
ADAuthenticationPolicySilo cmdlet.
This command grants access to the authentication policy silo named Silo to the user account named User01.
This command revokes access to the authentication policy silo named Silo for the user account named User01.
Because the Confirm parameter is set to $False , no confirmation message appears.
This example first uses the Get-ADComputer cmdlet to get all computer accounts that match the filter that the
Filter parameter specifies. The output of this command is passed to Set-ADAccountAuthenticationPolicySilo
to assign the authentication policy silo named Silo and the authentication policy named AuthenticationPolicy02
to them.
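The audit-first workflow described above, as an added example (not the article's or the ActiveDirectory module's own code): an audit-only policy with a 600-minute TGT lifetime is created, placed in a silo, the test accounts are both permitted by the silo and assigned to it, and enforcement is switched on only as a separate step. Policy, silo and account names are constructed.

```powershell
Import-Module ActiveDirectory -ErrorAction Stop

function New-AuditOnlyAuthnSilo {
    param(
        [string] $PolicyName      = 'Tier0-Users-TGT',
        [string] $SiloName        = 'Tier0-Silo',
        [int]    $TgtLifetimeMins = 600,            # 10 hours, as in the ADAC walkthrough
        [Parameter(Mandatory)] [string[]] $Account
    )

    # -Enforce:$false corresponds to "Only audit policy restrictions": the DC logs
    # what would have failed (Protected User Failures log) without failing it.
    $policy = New-ADAuthenticationPolicy -Name $PolicyName `
        -UserTGTLifetimeMins $TgtLifetimeMins `
        -Enforce:$false -ProtectedFromAccidentalDeletion $true -PassThru

    # One policy can serve all three account classes (user, computer, service).
    $silo = New-ADAuthenticationPolicySilo -Name $SiloName `
        -UserAuthenticationPolicy $policy `
        -ComputerAuthenticationPolicy $policy `
        -ServiceAuthenticationPolicy $policy `
        -Enforce:$false -ProtectedFromAccidentalDeletion $true -PassThru

    foreach ($a in $Account) {
        # Membership takes both sides: the silo must permit the account, and the
        # account must be assigned to the silo.
        Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $a
        Set-ADAccountAuthenticationPolicySilo -Identity $a -AuthenticationPolicySilo $silo
    }

    Get-ADAuthenticationPolicySilo -Identity $silo -Properties *
}

function Enable-AuthnSiloEnforcement {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [string] $SiloName
    )
    # Flip to enforced only after the audit events have been reviewed.
    Set-ADAuthenticationPolicy     -Identity $PolicyName -Enforce:$true
    Set-ADAuthenticationPolicySilo -Identity $SiloName   -Enforce:$true
}

# Usage (constructed):
# New-AuditOnlyAuthnSilo -Account 'jdoe', 'asmith'
# Enable-AuthnSiloEnforcement -PolicyName 'Tier0-Users-TGT' -SiloName 'Tier0-Silo'
```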
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
In LDAP, some queries result in a large result set. Such queries pose challenges to the Windows Server.
Collecting and building these big result sets is significant work. Many of the attributes need to be converted
from an internal representation to the LDAP wire representation. For many attributes, a conversion from an
internal, often binary, format to a text-based UTF-8 format in the LDAP response frame needs to happen.
Another challenge is that result sets with tens of thousands of objects become huge, easily several hundred
megabytes. These then require lots of virtual address space, and the transfer over the network also has issues, as
the whole effort is lost when the TCP session breaks down in transit.
These capacity and logistic issues led the Microsoft LDAP developers to create an LDAP extension known
as "Paged Query". It implements an LDAP control to separate one huge query into chunks of smaller result
sets. It has become an RFC standard as RFC 2696.
NOTE
The hexadecimal value behind "DSID" will vary depending on the build version of the LDAP server binaries.
User Action
The client should consider a more efficient search filter. The limit for Maximum Result Sets per Connection
may also be increased.
The events signal that a stored cookie was removed. It does NOT mean a client has seen the LDAP error, but only
that the LDAP Server has reached the administration limits for the cache. In some cases, an LDAP client may
have abandoned the paged search and may never see the error.
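An added example (not from the article) of a paged search using the RFC 2696 control through System.DirectoryServices.Protocols, which is what the page-size chunking described above looks like from the client side. It also shows why the cookie events above matter: the connection is kept open for the whole loop and disposed when the search finishes or fails, so the server's cookie for this search is released rather than left to age out of the cache. Server, base DN, filter and page size are assumptions.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Invoke-PagedLdapSearch {
    param(
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)] [string]   $BaseDN,
        [string]   $Filter     = '(objectClass=user)',
        [string[]] $Attributes = @('sAMAccountName'),
        [int]      $PageSize   = 1000
    )

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current credentials via Negotiate

    # The request control carries the page size; after each page the server hands
    # back a cookie that identifies this search and is sent with the next request.
    $pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
    $total = 0
    $pages = 0

    try {
        do {
            $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDN, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attributes)
            [void]$req.Controls.Add($pageControl)

            # Each page is its own round trip, so a broken TCP session costs only the
            # page in flight instead of the whole result set.
            $resp = $conn.SendRequest($req)
            $pages++
            foreach ($entry in $resp.Entries) {
                $total++
                $entry   # emit entries as they arrive instead of buffering the set
            }

            # An empty cookie means the server delivered the last page.
            $pageResp = $resp.Controls |
                Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
            $pageControl.Cookie = if ($pageResp) { $pageResp.Cookie } else { [byte[]]@() }
        } while ($pageControl.Cookie -and $pageControl.Cookie.Length -gt 0)
    } finally {
        # Closing the connection lets the DC drop the stored cookie; abandoning a
        # paged search mid-way is what leaves cookies to hit the cache limit.
        $conn.Dispose()
    }

    Write-Verbose "Returned $total entries in $pages page(s) of up to $PageSize"
}

# Usage (constructed):
# Invoke-PagedLdapSearch -Server 'dc1.contoso.com' -BaseDN 'DC=contoso,DC=com' -PageSize 500 -Verbose |
#     ForEach-Object { $_.DistinguishedName }
```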
Applies To: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
This section includes troubleshooting recommendations and procedures for diagnosing and fixing problems
that may occur during Active Directory replication. It focuses on how to respond to Directory Service event log
entries and how to interpret messages that tools such as Repadmin.exe and Dcdiag.exe might report.
Repadmin.exe and Dcdiag.exe are available on all domain controllers that run Windows Server 2012 R2 or later
versions. For more information about how to use these tools to troubleshoot problems, see the following
articles.
Configuring a Computer for Troubleshooting Active Directory
Troubleshooting Active Directory Replication Problems
Another useful technology is Event Tracing for Windows (ETW). You can use ETW to troubleshoot LDAP
communications among the domain controllers. For more information, see Using ETW to troubleshoot LDAP
connections.
You can also install Remote Server Administration Tools (RSAT) on a member server that is running Windows
10. For information about how to install RSAT, see Remote Server Administration Tools.
Configuring a Computer for Troubleshooting
6/17/2021 • 2 minutes to read • Edit Online
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Before you use advanced troubleshooting techniques to identify and fix Active Directory problems, configure
your computers for troubleshooting. You should also have a basic understanding of troubleshooting concepts,
procedures, and tools.
For information about monitoring tools for Windows Server, see the Step-by-Step Guide for Performance and
Reliability Monitoring in Windows Server
Event Tracing for Windows (ETW) can be a valuable troubleshooting tool for Active Directory Domain Services
(AD DS). You can use ETW to trace the Lightweight Directory Access Protocol (LDAP) communications between
Windows clients and LDAP servers, including AD DS domain controllers.
NOTE
You will have to refer to this session name later when you stop the tracing session.
In this command, <SessionName> is the same name that you used in the tracelog.exe -start
command.
To turn off ETW
In Registry Editor, delete the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ldap\Tracing\ProcessName subkey.
NOTE
You can specify multiple flags by using the sum of the appropriate flag values. For example, to specify the
DEBUG_SEARCH (0x00000001) and DEBUG_CACHE (0x00000010) flags, the appropriate <TraceFlags> value is
0x00000011 .
Example
Consider an application, App1.exe, that sets passwords for user accounts. Suppose that App1.exe produces an
unexpected error. To use ETW to help diagnose this problem, you follow these steps:
1. In Registry Editor, create the following registry entry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ldap\Tracing\App1.exe
2. To start a tracing session, open a Command Prompt window, and run the following command:
After this command starts, DEBUG_BIND makes sure that ETW writes tracing messages to .\ldap.etl.
3. Start App1.exe, and reproduce the unexpected error.
4. To stop the tracing session, run the following command at the command prompt:
NOTE
In this command, tracerpt.exe is a trace consumer tool.
Troubleshooting Active Directory Replication Problems
6/17/2021 • 12 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Active Directory replication problems can have several different sources. For example, Domain Name System
(DNS) problems, networking issues, or security problems can all cause Active Directory replication to fail.
The rest of this topic explains tools and a general methodology to fix Active Directory replication errors. The
following subtopics cover symptoms, causes, and how to resolve specific replication errors:
Root causes
If you rule out intentional disconnections, hardware failures, and outdated Windows 2000 domain controllers,
the remainder of replication problems almost always have one of the following root causes:
Network connectivity: The network connection might be unavailable, or network settings are not configured
properly.
Name resolution: DNS misconfigurations are a common cause of replication failures.
Authentication and authorization: Authentication and authorization problems cause "Access denied" errors
when a domain controller tries to connect to its replication partner.
Directory database (store): The directory database might not be able to process transactions fast enough to
keep up with replication time-outs.
Replication engine: If intersite replication schedules are too short, replication queues might be too large to
process in the time that is required by the outbound replication schedule. In this case, replication of some
changes can be stalled indefinitely, potentially long enough to exceed the tombstone lifetime.
Replication topology: Domain controllers must have intersite links in AD DS that map to real wide area
network (WAN) or virtual private network (VPN) connections. If you create objects in AD DS for the
replication topology that are not supported by the actual site topology of your network, replication that
requires the misconfigured topology fails.
3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
   a. Select a column that you want to hide or delete.
   b. To hide the column, right-click the column, and then click Hide.
   c. To delete the column, right-click the selected column, and then click Delete.
6. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze
Top Row.
7. Select the entire spreadsheet. On the Data tab, click Filter.
8. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
9. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.
10. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text
box, type del to eliminate from view the results for deleted domain controllers.
11. Repeat step 10 for the Last Failure Time column, but use the value does not equal, and then type the value
0.
12. Resolve replication failures.
For every domain controller in the forest, the spreadsheet shows the source replication partner, the time that
replication last occurred, and the time that the last replication failure occurred for each naming context
(directory partition). By using Autofilter in Excel, you can view the replication health for working domain
controllers only, failing domain controllers only, or domain controllers that are the least or most current, and
you can see the replication partners that are replicating successfully.
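As an added example (not part of the Microsoft page), the same triage the Excel steps describe, done in PowerShell so it can be scripted and re-run. The column names follow the header that repadmin /showrepl * /csv writes as the author of this example knows it ("Source DSA" is the page's "Source DC" column); compare them with the first line of your own output. The CSV rows embedded below are constructed, not real repadmin output.

```powershell
function ConvertTo-ReplTime {
    # repadmin writes "0" when no time is recorded; treat such values as the
    # oldest possible so they sort to the top of an ascending list.
    param([string] $Text)
    $d = [datetime]::MinValue
    if ([datetime]::TryParse($Text, [ref]$d)) { return $d }
    return [datetime]::MinValue
}

function Get-ReplicationHealth {
    param(
        # Rows produced by ConvertFrom-Csv / Import-Csv over repadmin's CSV output
        [Parameter(Mandatory)] [object[]] $Rows,
        # Keep only partners with a failure recorded (the page's "does not equal 0" filter)
        [switch] $FailuresOnly
    )
    $Rows |
        # The page's "does not contain del" filter hides deleted domain controllers,
        # whose names carry "\0ADEL:<guid>". A live DC whose host name contains "del"
        # would be hidden too; tighten the pattern to '\\0ADEL:' if that applies.
        Where-Object { $_.'Source DSA' -notmatch 'del' } |
        Where-Object { (-not $FailuresOnly) -or ($_.'Last Failure Time' -ne '0') } |
        # Column A (showrepl_COLUMNS) and Transport Type are dropped, as on the page
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
            @{ n = 'LastSuccess'; e = { ConvertTo-ReplTime $_.'Last Success Time' } },
            @{ n = 'LastFailure'; e = { ConvertTo-ReplTime $_.'Last Failure Time' } },
            'Number of Failures', 'Last Failure Status' |
        # The page's Sort Ascending on Last Success Time: least-current partners first
        Sort-Object LastSuccess
}

# Constructed sample in repadmin's CSV layout (not real output): one healthy link,
# one link failing with "access denied" (8453), and one deleted source DC.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=contoso,DC=com",Branch,DC02,RPC,0,0,2021-06-17 09:15:02,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=contoso,DC=com",Branch,DC03,RPC,12,2021-06-17 09:20:11,2021-04-01 02:00:00,8453
showrepl_INFO,HQ,DC01,"DC=contoso,DC=com",Branch,DC04\0ADEL:11111111-2222-3333-4444-555555555555,RPC,3,2021-06-16 11:00:00,2021-05-30 05:00:00,1722
'@
$rows = $sample | ConvertFrom-Csv

# On a real domain controller replace the sample with:
#   $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
Get-ReplicationHealth -Rows $rows | Format-Table -AutoSize
Get-ReplicationHealth -Rows $rows -FailuresOnly | Format-Table -AutoSize
```

With the sample above the first call lists DC03 (last success in April) ahead of DC02, and the second call keeps only the DC03 link; the deleted DC04 entry is hidden by both.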
SYMPTOM | CAUSE | SOLUTION
The time since last replication with this server has exceeded the tombstone lifetime. | A domain controller has failed inbound replication with the named source domain controller long enough for a deletion to have been tombstoned, replicated, and garbage-collected from AD DS. | Event ID 2042: It has been too long since this machine replicated
Access is denied. | A replication link exists between two domain controllers, but replication cannot be performed properly as a result of an authentication failure. | Fixing Replication Security Problems
Last attempt at <date - time> failed with the "Target account name is incorrect." | This problem can be related to connectivity, DNS, or authentication issues. If this is a DNS error, the local domain controller could not resolve the globally unique identifier (GUID)-based DNS name of its replication partner. | Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088); Fixing Replication Security Problems; Fixing Replication Connectivity Problems (Event ID 1925)
LDAP Error 49. | The domain controller computer account might not be synchronized with the Key Distribution Center (KDC). | Fixing Replication Security Problems
Cannot open LDAP connection to local host | The administration tool could not contact AD DS. | Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
Active Directory replication has been preempted. | The progress of inbound replication was interrupted by a higher-priority replication request, such as a request that was generated manually with the repadmin /sync command. | Wait for replication to complete. This informational message indicates normal operation.
Replication posted, waiting. | The domain controller posted a replication request and is waiting for an answer. Replication is in progress from this source. | Wait for replication to complete. This informational message indicates normal operation.
The following table lists common events that might indicate problems with Active Directory replication, along
with root causes of the problems and links to topics that provide solutions for the problems.
EVENT ID AND SOURCE | ROOT CAUSE | SOLUTION
1311 NTDS KCC | The replication configuration information in AD DS does not accurately reflect the physical topology of the network. | Fixing Replication Topology Problems (Event ID 1311)
1388 NTDS Replication | Strict replication consistency is not in effect, and a lingering object has been replicated to the domain controller. | Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
1925 NTDS KCC | The attempt to establish a replication link for a writable directory partition failed. This event can have different causes, depending on the error. | Fixing Replication Connectivity Problems (Event ID 1925); Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
1988 NTDS Replication | The local domain controller has attempted to replicate an object from a source domain controller that is not present on the local domain controller because it may have been deleted and already garbage-collected. Replication does not proceed for this directory partition with this partner until the situation is resolved. | Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
2042 NTDS Replication | Replication has not occurred with this partner for a tombstone lifetime, and replication cannot proceed. | Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
2087 NTDS Replication | AD DS could not resolve the DNS host name of the source domain controller to an IP address, and replication failed. | Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
2088 NTDS Replication | AD DS could not resolve the DNS host name of the source domain controller to an IP address, but replication succeeded. | Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
5805 Net Logon | A machine account failed to authenticate, which is usually caused by either multiple instances of the same computer name or the computer name not replicating to every domain controller. | Fixing Replication Security Problems
For more information about replication concepts, see Active Directory Replication Technologies.
Next steps
For more information, including support articles specific to error codes, see the support article: How to
troubleshoot common Active Directory replication errors
Additional Resources
6/17/2021 • 2 minutes to read
For detailed information about using Repadmin.exe to manage Active Directory replication, see the following
resource:
Monitoring and Troubleshooting Active Directory Replication Using Repadmin
For information about specific events that are logged for Active Directory problems, see the following resource:
Active Directory
For information about Active Directory known issues and best practices, see the following resources:
Known Issues for Creating Domain and Forest Trusts
Best Practices for Administering Domain and Forest Trusts
Known Issues for Backing Up Active Directory Domain Services
Known Issues for Authoritative Restore
Best Practices for Authoritative Restore
Known Issues for Adding Domain Controllers in Remote Sites
Best Practices for Adding Domain Controllers in Remote Sites
For general information about how to manage and configure Active Directory Domain Services (AD DS) and
how it works, see the following resources:
Administering Active Directory Operations
Active Directory Collection
Active Directory Federation Services
3/5/2021 • 2 minutes to read
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This document contains a list of all of the documentation areas for AD FS for Windows Server 2016, 2012 R2,
and 2012. This includes the following:
AD FS Overview
AD FS Design
AD FS Deployment
AD FS Development
AD FS Operations
AD FS Technical Reference
AD FS Overview
4/20/2021 • 2 minutes to read
Active Directory Federation Services (AD FS) enables federated identity and access management by securely
sharing digital identity and entitlement rights across security and enterprise boundaries. AD FS extends the
single sign-on functionality that is available within a single security or enterprise boundary to
Internet-facing applications, giving customers, partners, and suppliers a streamlined user experience while
accessing the web-based applications of an organization.
This document contains a list of all of the documentation overviews for AD FS for Windows Server. This includes
the following:
What's New in AD FS for Windows Server 2019
AD FS OpenID Connect/OAuth flows and Application Scenarios
AD FS Requirements
AD FS FAQ
What's new in Active Directory Federation Services
6/17/2021 • 19 minutes to read
NOTE
Only one resource can be specified in the authentication request. If more than one resource is included in the request, AD
FS will return an error and authentication will not succeed.
In AD FS 2019, customers can use claim rules to decide which additional authentication provider to invoke for
additional authentication. This is useful for two scenarios:
Customers are transitioning from one additional authentication provider to another. As they onboard users
to the newer authentication provider, they can use groups to control which additional authentication
provider is called.
Customers need a specific additional authentication provider (for example, certificate) for certain applications
but a different method (AzureMFA) for other applications.
This is achieved by issuing the claim https://schemas.microsoft.com/claims/authnmethodsproviders from the
additional authentication policies. The value of this claim should be the name of the authentication provider.
In AD FS 2019, the claim rule above can be modified to choose authentication providers based on these scenarios.
Transitioning from one additional authentication provider to another: modify the rule above to choose
AzureMFA for users in the group with SID S-1-5-21-608905689-872870963-3921916988-12345 (say, a group
managed by the enterprise that tracks the users who have registered for AzureMFA), and certificate
authentication for all other users.
An administrator can also write rules that allow more than one additional authentication provider, in which case
AD FS shows all of the issued authentication method providers and the user can choose any of them. To allow
multiple additional authentication providers, issue multiple
https://schemas.microsoft.com/claims/authnmethodsproviders claims.
If the claim evaluation returns none of the authentication providers, AD FS falls back to showing all of the
additional authentication providers configured on AD FS, and the user must select the appropriate one.
To list all of the additional authentication providers allowed, an administrator can use the cmdlet
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider. The value of the
https://schemas.microsoft.com/claims/authnmethodsproviders claim should be one of the provider names
returned by this cmdlet.
There is no support for triggering a particular additional authentication provider if the relying party uses
access control policies (see Access Control Policies in AD FS Windows Server 2016). When an application is
moved away from an access control policy, AD FS copies the corresponding policy from the access control policy
to AdditionalAuthenticationRules and IssuanceAuthorizationRules. So if an administrator wants to use a
particular authentication provider, they can move the application away from the access control policy and then
modify AdditionalAuthenticationRules to trigger that provider.
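An added example, not from the Microsoft page: the provider-selection rules the paragraphs above describe (AzureMFA for members of the named group, certificate authentication for everyone else), applied to one relying party trust together with the two checks the page calls for. The leading MFA trigger rule, the provider names AzureMfaAuthentication and CertificateAuthentication, and the trust name App1 are assumptions; the group SID and the claim type URI are copied from the page as written, so compare the provider names with what the cmdlet on your farm returns.

```powershell
# Added example (not Microsoft's code). Values marked "assumed" do not come from the page.
$GroupSid       = 'S-1-5-21-608905689-872870963-3921916988-12345'             # from the page
$ProviderType   = 'https://schemas.microsoft.com/claims/authnmethodsproviders'  # claim type as written on the page
$GroupSidType   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$AuthMethodType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$MfaProvider    = 'AzureMfaAuthentication'      # assumed provider name
$CertProvider   = 'CertificateAuthentication'   # assumed provider name
$TrustName      = 'App1'                        # assumed relying party trust name

# Rule 1 is the usual trigger that demands a second factor at all (assumed, the page
# does not reproduce it); rules 2 and 3 pick which provider supplies that factor.
$rules = @"
@RuleName = "Require additional authentication"
=> issue(Type = "$AuthMethodType", Value = "http://schemas.microsoft.com/claims/multipleauthn");

@RuleName = "Rollout group uses AzureMFA"
c:[Type == "$GroupSidType", Value == "$GroupSid"]
 => issue(Type = "$ProviderType", Value = "$MfaProvider");

@RuleName = "Everyone else uses certificate authentication"
NOT EXISTS([Type == "$GroupSidType", Value == "$GroupSid"])
 => issue(Type = "$ProviderType", Value = "$CertProvider");
"@

function Test-AdfsAuthProviderNames {
    # The page: the claim value must be one of the names this cmdlet returns.
    param([Parameter(Mandatory)] [string[]] $Wanted)
    $known = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
    foreach ($name in $Wanted) {
        if ($known -notcontains $name) {
            throw "'$name' is not an additional authentication provider on this farm. Known: $($known -join ', ')"
        }
    }
}

function Set-AdfsProviderSelectionRules {
    param(
        [Parameter(Mandatory)] [string] $Trust,
        [Parameter(Mandatory)] [string] $RuleText
    )
    $rp = Get-AdfsRelyingPartyTrust -Name $Trust
    if (-not $rp) { throw "Relying party trust '$Trust' not found." }

    # The page: provider selection is not supported while the trust uses an access
    # control policy, so refuse instead of writing rules that never take effect.
    if ($rp.AccessControlPolicyName) {
        throw "'$Trust' uses access control policy '$($rp.AccessControlPolicyName)'; move it to claim rules first."
    }
    Set-AdfsRelyingPartyTrust -TargetName $Trust -AdditionalAuthenticationRules $RuleText
    Get-AdfsRelyingPartyTrust -Name $Trust | Select-Object Name, AdditionalAuthenticationRules
}

Test-AdfsAuthProviderNames -Wanted $MfaProvider, $CertProvider
Set-AdfsProviderSelectionRules -Trust $TrustName -RuleText $rules
```

To offer both providers to everyone instead, issue two authnmethodsproviders claims unconditionally; AD FS then lets the user pick, as the text above notes.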
FAQ
NOTE
You may encounter this error in the AD FS Admin event log: Received invalid Oauth request. The client 'NAME' is forbidden to
access the resource with scope 'ugs'. To remediate this error:
1. Launch the AD FS management console. Browse to "Services > Scope Descriptions".
2. Right-click "Scope Descriptions" and select "Add Scope Description".
3. Under Name, type "ugs" and click Apply > OK.
4. Launch PowerShell as Administrator.
5. Execute the command "Get-AdfsApplicationPermission". Look for the entry with ScopeNames: {openid, aza} that has the
ClientRoleIdentifier. Make a note of its ObjectIdentifier.
6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'".
7. Restart the AD FS service.
8. On the client: restart the client. The user should be prompted to provision WHFB.
9. If the provisioning window does not pop up, collect NGC trace logs and troubleshoot further.
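An added example, not from the Microsoft page: steps 1 to 7 of the note above as one idempotent PowerShell function, with the lookup from step 5 done by matching the scope names rather than by eye. It assumes you run it elevated on an AD FS server and that exactly one permission carries the openid and aza scopes; if several do, it stops and lists them instead of guessing.

```powershell
function Grant-AdfsUgsScope {
    param([string] $Scope = 'ugs')   # scope name from the page

    # Steps 1-3: create the scope description only if it is not already there
    if (-not (Get-AdfsScopeDescription -Name $Scope -ErrorAction SilentlyContinue)) {
        Add-AdfsScopeDescription -Name $Scope
    }

    # Step 5: the permission whose ScopeNames hold openid and aza and that has a ClientRoleIdentifier
    $perm = @(Get-AdfsApplicationPermission | Where-Object {
        $_.ClientRoleIdentifier -and
        ($_.ScopeNames -contains 'openid') -and ($_.ScopeNames -contains 'aza')
    })
    if ($perm.Count -eq 0) { throw "No application permission with scopes openid and aza was found." }
    if ($perm.Count -gt 1) {
        throw "More than one matching permission; choose one and pass its ObjectIdentifier to Set-AdfsApplicationPermission: $($perm.ObjectIdentifier -join ', ')"
    }
    $perm = $perm[0]

    # Step 6: grant the scope unless it is already granted
    if ($perm.ScopeNames -notcontains $Scope) {
        Set-AdfsApplicationPermission -TargetIdentifier $perm.ObjectIdentifier -AddScope $Scope
    }

    # Step 7: restart the federation service (service name adfssrv)
    Restart-Service adfssrv

    # Return the permission as it now stands so the caller can confirm the scope list
    Get-AdfsApplicationPermission | Where-Object { $_.ObjectIdentifier -eq $perm.ObjectIdentifier }
}

Grant-AdfsUgsScope
```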
Q. Can I pass a resource value as part of the scope value, like requests made against Azure AD?
A. With AD FS on Server 2019, you can now pass the resource value embedded in the scope parameter. The
scope parameter can now be organized as a space-separated list where each entry is structured as
resource/scope. For example < create a valid sample request>
Q. Does AD FS support the PKCE extension?
A. AD FS in Server 2019 supports Proof Key for Code Exchange (PKCE) for the OAuth Authorization Code Grant flow.
For more information about using device based conditional access in the cloud
Azure Active Directory Conditional Access
For more information about using device based conditional access with AD FS
Planning for Device Based Conditional Access with AD FS
Access Control Policies in AD FS
Sign in with Windows Hello for Business
NOTE
Currently, Google Chrome and the new Microsoft Edge built on Chromium open source project browsers are not
supported for browser based single-sign on (SSO) with Microsoft Windows Hello for Business. Please use Internet Explorer
or an older version of Microsoft Edge.
Windows 10 devices introduce Windows Hello and Windows Hello for Business, replacing user passwords with
strong device-bound user credentials protected by a user's gesture (a PIN, a biometric gesture like fingerprint, or
facial recognition). AD FS 2016 supports these new Windows 10 capabilities so that users can sign in to AD FS
applications from the intranet or the extranet without the need to provide a password.
For more information about using Microsoft Windows Hello for Business in your organization
Enable Windows Hello for Business in your organization
Certificate requirements
SSL Certificates
Each AD FS and Web Application Proxy server has an SSL certificate to service HTTPS requests to the federation
service. The Web Application Proxy can have additional SSL certificates to service requests to published
applications.
Recommendation: Use the same SSL certificate for all AD FS federation servers and Web Application proxies.
Requirements:
SSL certificates on federation servers must meet the following requirements:
Certificate is publicly trusted (for production deployments)
Certificate contains the Server Authentication Enhanced Key Usage (EKU) value
Certificate contains the federation service name, such as "fs.contoso.com" in the Subject or Subject
Alternative Name (SAN)
For user certificate authentication on port 443, certificate contains "certauth.<federation service name>",
such as "certauth.fs.contoso.com" in the SAN
For device registration or for modern authentication to on premises resources using pre-Windows 10 clients,
the SAN must contain "enterpriseregistration.<upn suffix>" for each UPN suffix in use in your organization.
SSL certificates on the Web Application Proxy must meet the following requirements:
If the proxy is used to proxy AD FS requests that use Windows Integrated Authentication, the proxy SSL
certificate must be the same (use the same key) as the federation server SSL certificate
If the AD FS property "ExtendedProtectionTokenCheck" is enabled (the default setting in AD FS), the proxy
SSL certificate must be the same (use the same key) as the federation server SSL certificate
Otherwise, the requirements for the proxy SSL certificate are the same as those for the federation server SSL
certificate
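An added example, not from the Microsoft page: a check of a candidate SSL certificate against the requirements listed above (Server Authentication EKU, federation service name, the certauth and enterpriseregistration names when those features are used, and a chain that validates on this host). The federation service name fs.contoso.com and UPN suffix contoso.com are the page's own sample values; the thumbprint is a placeholder for your own certificate, and "publicly trusted" is something only your CA choice can satisfy, so the function checks the chain and leaves that judgement to you.

```powershell
function Test-AdfsSslCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string]   $FederationServiceName,
        [string[]] $UpnSuffixes = @(),
        [switch]   $CertAuthOn443,        # user certificate authentication on port 443 is in use
        [switch]   $DeviceRegistration    # device registration / pre-Windows 10 modern auth is in use
    )
    $problems = @()

    # Requirement: Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'Missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
    }

    # Collect DNS names from the Subject CN and the SAN extension (OID 2.5.29.17).
    # On Windows, Format() renders SAN entries as "DNS Name=<host>", one per line.
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names = @($names | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)

    # Requirements: service name, plus certauth.<service> and
    # enterpriseregistration.<upn suffix> when those features are enabled
    $required = @($FederationServiceName)
    if ($CertAuthOn443)      { $required += "certauth.$FederationServiceName" }
    if ($DeviceRegistration) { $required += ($UpnSuffixes | ForEach-Object { "enterpriseregistration.$_" }) }

    foreach ($r in $required) {
        $r = $r.ToLowerInvariant()
        # TLS name matching lets a wildcard for the same zone cover the name
        $wild = '*.' + ($r -replace '^[^.]+\.', '')
        if ($names -notcontains $r -and $names -notcontains $wild) {
            $problems += "Name not present in Subject/SAN: $r"
        }
    }

    # Chain validation on this host (expiry, revocation where reachable, trusted root)
    if (-not $Certificate.Verify()) { $problems += 'Certificate chain does not validate on this host' }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Names      = $names
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}

# Replace the placeholder with the thumbprint of the certificate you intend to bind.
$cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT-PLACEHOLDER>'
Test-AdfsSslCertificate -Certificate $cert -FederationServiceName 'fs.contoso.com' `
    -UpnSuffixes 'contoso.com' -CertAuthOn443 -DeviceRegistration
```

Run the same check against the Web Application Proxy certificate: the text above requires it to be the very same certificate when Windows Integrated Authentication or ExtendedProtectionTokenCheck is in use, so compare the two thumbprints as well.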
Service Communication Certificate
This certificate is not required for most AD FS scenarios including Azure AD and Office 365. By default, AD FS
configures the SSL certificate provided upon initial configuration as the service communication certificate.
Recommendation:
Use the same certificate as you use for SSL.
Token Signing Certificate
This certificate is used to sign issued tokens to relying parties, so relying party applications must recognize the
certificate and its associated key as known and trusted. When the token signing certificate changes, such as
when it expires and you configure a new certificate, all relying parties must be updated.
Recommendation: Use the AD FS default, internally generated, self-signed token signing certificates.
Requirements:
If your organization requires that certificates from the enterprise PKI be used for token signing, this can be
done using the SigningCertificateThumbprint parameter of the Install-AdfsFarm cmdlet.
Whether you use the default internally generated certificates or externally enrolled certificates, when the
token signing certificate is changed you must ensure all relying parties are updated with the new certificate
information. Otherwise, logons to any relying parties not updated will fail.
Token Encrypting/Decrypting Certificate
This certificate is used by claims providers who encrypt tokens issued to AD FS.
Recommendation: Use the AD FS default, internally generated, self-signed token decrypting certificates.
Requirements:
If your organization requires that certificates from the enterprise PKI be used for token decrypting, this can be
done using the DecryptingCertificateThumbprint parameter of the Install-AdfsFarm cmdlet.
Whether you use the default internally generated certificates or externally enrolled certificates, when the
token decrypting certificate is changed you must ensure all claims providers are updated with the new
certificate information. Otherwise, logons using any claims providers not updated will fail.
Caution
Certificates that are used for token-signing and token-decrypting/encrypting are critical to the stability of the
Federation Service. Customers managing their own token-signing & token-decrypting/encrypting certificates
should ensure that these certificates are backed up and are available independently during a recovery event.
User Certificates
When using X.509 user certificate authentication with AD FS, all user certificates must chain up to a root
certification authority that is trusted by the AD FS and Web Application Proxy servers.
Hardware requirements
AD FS and Web Application Proxy hardware requirements (physical or virtual) are gated on CPU, so you should
size your farm for processing capacity.
Use the AD FS 2016 Capacity Planning spreadsheet to determine the number of AD FS and Web Application
Proxy servers you will need.
The memory and disk requirements for AD FS are fairly static; see the table below:
HARDWARE REQUIREMENT | MINIMUM REQUIREMENT | RECOMMENDED REQUIREMENT
RAM | 2 GB | 4 GB
Proxy requirements
For extranet access, you must deploy the Web Application Proxy role service - part of the Remote Access
server role.
Third party proxies must support the MS-ADFSPIP protocol to be supported as an AD FS proxy. For a list
of 3rd party vendors see the FAQ.
AD FS 2016 requires Web Application Proxy servers on Windows Server 2016. A downlevel proxy cannot
be configured for an AD FS 2016 farm running at the 2016 farm behavior level.
A federation server and the Web Application Proxy role service cannot be installed on the same
computer.
AD DS requirements
Domain controller requirements
AD FS requires Domain controllers running Windows Server 2008 or later.
At least one Windows Server 2016 domain controller is required for Microsoft Passport for Work.
NOTE
All support for environments with Windows Server 2003 domain controllers has ended. Visit this page for additional
information on the Microsoft Support Lifecycle.
1-30 AD FS Nodes: WID supported | 1-30 AD FS Nodes: Not supported using WID - SQL Required
More than 30 AD FS Nodes: Not supported using WID - SQL Required | More than 30 AD FS Nodes: Not supported using WID - SQL Required
Browser requirements
When AD FS authentication is performed via a browser or browser control, your browser must comply with the
following requirements:
JavaScript must be enabled
For single sign on, the client browser must be configured to allow cookies
Server Name Indication (SNI) must be supported
For user certificate & device certificate authentication, the browser must support SSL client certificate
authentication
For seamless sign on using Windows Integrated Authentication, the federation service name (such as
https://fs.contoso.com) must be configured in local intranet zone or trusted sites zone.
Network requirements
Firewall Requirements
Both the firewall located between the Web Application Proxy and the federation server farm and the firewall
between the clients and the Web Application Proxy must have TCP port 443 enabled inbound.
In addition, if client user certificate authentication (client TLS authentication using X.509 user certificates) is
required and the certauth endpoint on port 443 is not enabled, AD FS 2016 requires that TCP port 49443 be
enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the
firewall between the Web Application Proxy and the federation servers.
For additional information on hybrid port requirements see Hybrid Identity Ports and Protocols.
For additional information see Best practices for securing Active Directory Federation Services
DNS Requirements
For intranet access, all clients accessing AD FS service within the internal corporate network (intranet)
must be able to resolve the AD FS service name to the load balancer for the AD FS servers or the AD FS
server.
For extranet access, all clients accessing AD FS service from outside the corporate network
(extranet/internet) must be able to resolve the AD FS service name to the load balancer for the Web
Application Proxy servers or the Web Application Proxy server.
Each Web Application Proxy server in the DMZ must be able to resolve AD FS service name to the load
balancer for the AD FS servers or the AD FS server. This can be achieved using an alternate DNS server in
the DMZ network or by changing local server resolution using the HOSTS file.
For Windows Integrated authentication, you must use a DNS A record (not CNAME) for the federation
service name.
For user certificate authentication on port 443, "certauth.<federation service name>" must be configured
in DNS to resolve to the federation server or web application proxy.
For device registration or for modern authentication to on premises resources using pre-Windows 10
clients, "enterpriseregistration.<upn suffix>", for each UPN suffix in use in your organization, must be
configured to resolve to the federation server or web application proxy.
Load Balancer requirements
The load balancer MUST NOT terminate SSL. AD FS supports multiple use cases with certificate
authentication which will break when terminating SSL. Terminating SSL at the load balancer is not supported
for any use case.
It is recommended to use a load balancer that supports SNI. In the event it does not, using the 0.0.0.0 fallback
binding on your AD FS / Web Application Proxy server should provide a workaround.
It is recommended to use the HTTP (not HTTPS) health probe endpoints to perform load balancer health
checks for routing traffic. This avoids any issues relating to SNI. The response to these probe endpoints is an
HTTP 200 OK and is served locally with no dependence on back-end services. The HTTP probe can be
accessed over HTTP using the path '/adfs/probe':
http://<Web Application Proxy name>/adfs/probe
http://<ADFS server name>/adfs/probe
http://<Web Application Proxy IP address>/adfs/probe
http://<ADFS IP address>/adfs/probe
It is NOT recommended to use DNS round robin as a way to load balance. Using this type of load balancing
does not provide an automated way to remove a node from the load balancer using health probes.
It is NOT recommended to use IP based session affinity or sticky sessions for authentication traffic to AD FS
within the load balancer. This can cause an overload of certain nodes when using legacy authentication
protocol for mail clients to connect to Office 365 mail services (Exchange Online).
Permissions requirements
The administrator that performs the installation and the initial configuration of AD FS must have local
administrator permissions on the AD FS server. If the local administrator does not have permissions to create
objects in Active Directory, they must first have a domain admin create the required AD objects, then configure
the AD FS farm using the AdminConfiguration parameter.
AD FS Design
3/5/2021 • 2 minutes to read
AD FS Design Guide
See Also
For capacity planning for AD FS in Windows Server 2016 see the AD FS capacity planning worksheet.
Active Directory Federation Services Overview
AD FS Design Guide
3/5/2021 • 2 minutes to read
The AD FS design guide is a comprehensive guide for designing AD FS deployments. This guide is made up of
the following:
AD FS Design Guide in Windows Server 2012 R2
AD FS Design Guide in Windows Server 2012
See Also
For capacity planning for AD FS in Windows Server 2016 see the AD FS capacity planning worksheet.
Active Directory Federation Services Overview
AD FS Design Guide in Windows Server
3/5/2021 • 2 minutes to read
Active Directory Federation Services (AD FS) provides simplified, secured identity federation and Web single
sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in
federation partner organizations, or in the cloud.
In Windows Server® 2012 R2, AD FS includes a federation service role service that acts as an identity provider
(authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider
(consumes tokens from other identity providers and then provides security tokens to applications that trust AD
FS).
The function of providing extranet access to applications and services that are secured by AD FS in Windows
Server 2012 R2 is now performed by a new Remote Access role service called Web Application Proxy. This is a
departure from the prior versions of Windows Server in which this function was handled by an AD FS
federation server proxy. Web Application Proxy is a server role designed to provide access for the AD FS-related
extranet scenario and other extranet scenarios. For more information on Web Application Proxy, see Web
Application Proxy Walkthrough Guide.
In this guide
Identify Your AD FS Deployment Goals
Plan Your AD FS Deployment Topology
AD FS Requirements
See Also
AD FS Design
Identify Your AD FS Deployment Goals
3/5/2021 • 3 minutes to read
Correctly identifying your Active Directory Federation Services (AD FS) deployment goals is essential for the
success of your AD FS design project. Prioritize and, possibly, combine your deployment goals so that you can
design and deploy AD FS by using an iterative approach. You can take advantage of existing, documented, and
predefined AD FS deployment goals that are relevant to the AD FS designs and develop a working solution for
your situation.
Prior versions of AD FS were most commonly deployed to achieve the following:
Providing your employees or customers with a web-based, SSO experience when accessing claims-based
applications within your enterprise.
Providing your employees or customers with a web-based, SSO experience to access resources in any
federation partner organization.
Providing your employees or customers with a Web-based, SSO experience when remote accessing
internally hosted Web sites or services.
Providing your employees or customers with a web-based, SSO experience when accessing resources or
services in the cloud.
In addition to these, AD FS in Windows Server® 2012 R2 adds functionality that can help you achieve the
following:
Device workplace join for SSO and seamless second factor authentication. This enables organizations to
allow access from users' personal devices and manage the risk when providing this access.
Managing risk with multi-factor access control. AD FS provides a rich level of authorization that controls
who has access to what applications. This can be based on user attributes (UPN, email, security group
membership, authentication strength, etc.), device attributes (whether the device is workplace joined) or
request attributes (network location, IP address, or user agent).
Managing risk with additional multi-factor authentication for sensitive applications. AD FS allows you to
control policies to potentially require multi-factor authentication globally or on a per application basis. In
addition, AD FS provides extensibility points for any multi-factor vendor to integrate deeply for a secure
and seamless multi-factor experience for end users.
Providing authentication and authorization capabilities for accessing web resources from the extranet
that are protected by the Web Application Proxy.
To summarize, AD FS in Windows Server 2012 R2 can be deployed to achieve the following goals in your
organization:
Enable your users to access resources on their personal devices from anywhere
Workplace join that enables users to join their personal devices to corporate Active Directory and as a
result gain access and seamless experiences when accessing corporate resources from these devices.
Pre-authentication of resources inside the corporate network that are protected by the Web Application
proxy and accessed from the internet.
Password change to enable users to change their password from any workplace joined device when their
password has expired so that they can continue to access resources.
Enhance your access control risk management tools
Managing risk is an important aspect of governance and compliance in every IT organization. There are
numerous access control risk management enhancements in AD FS in Windows Server® 2012 R2, including
the following:
Flexible controls based on network location to govern how a user authenticates to access an AD FS-
secured application.
Flexible policy to determine if a user needs to perform multi-factor authentication based on the user's
data, device data, and network location.
Per-application control to ignore SSO and force the user to provide credentials every time they access a
sensitive application.
Flexible per-application access policy based on user data, device data, or network location.
AD FS Extranet Lockout, which enables administrators to protect Active Directory accounts from brute
force attacks from the internet.
Access revocation for any workplace joined device that is disabled or deleted in Active Directory.
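The AD FS Extranet Lockout feature listed above is the one control in this list that directly counters internet-facing password guessing, so it is worth showing how it is switched on. The following PowerShell is an added example, not code from the Microsoft guide; it assumes the ADFS module on a Windows Server 2012 R2 federation server, uses an assumed threshold of 10 attempts in a 30 minute window, and the comparison with the domain lockout threshold assumes the ActiveDirectory module is installed.

```powershell
# Added example, not part of the Microsoft guide. Run on a federation server with the ADFS module.
# Assumed values: threshold 10, observation window 30 minutes; adjust to your own policy.
function Set-AdfsExtranetLockoutBaseline {
    param(
        [int] $Threshold     = 10,
        [int] $WindowMinutes = 30
    )

    $before = Get-AdfsProperties |
        Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow

    # Extranet lockout only protects the AD DS account if it trips *before* the domain
    # lockout threshold does; otherwise guesses arriving through the proxy still lock the
    # real account. (Assumes the ActiveDirectory module is present; skipped otherwise.)
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $adThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
        if ($adThreshold -gt 0 -and $Threshold -ge $adThreshold) {
            Write-Warning "Extranet threshold $Threshold is not below the AD DS lockout threshold $adThreshold."
        }
    }

    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $Threshold `
                       -ExtranetObservationWindow (New-TimeSpan -Minutes $WindowMinutes)

    [pscustomobject]@{
        Before = $before
        After  = Get-AdfsProperties |
            Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
    }
}

# Usage (assumed values):
Set-AdfsExtranetLockoutBaseline -Threshold 10 -WindowMinutes 30
```

The setting is farm-wide and, as the Extranet requirements section of this guide notes, it only acts on requests that arrive through the Web Application Proxy; intranet sign-ins are not counted.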
Use AD FS to enhance the sign-in experience
The following are new AD FS capabilities in Windows Server® 2012 R2 that enable administrators to customize
and enhance the sign-in experience:
Unified customization of the AD FS service, where the changes are made once and then automatically
propagated to the rest of the AD FS federation servers in a given farm.
Updated sign-in pages that look modern and cater to different form factors automatically.
Support for automatic fallback to forms-based authentication for devices that are not joined to the
corporate domain but are still used to generate access requests from within the corporate network
(intranet).
Simple controls to customize the company logo, illustration image, standard links for IT support, home
page, privacy, etc.
Customization of description messages in the sign-in pages.
Customization of web themes.
Home Realm Discovery (HRD) based on organizational suffix of the user for enhanced privacy of a
company's partners.
HRD filtering on a per-application basis to automatically pick a realm based on the application.
One-click error reporting for easier IT troubleshooting.
Customizable error messages.
User authentication choice when more than one authentication provider is available.
See Also
AD FS Design Guide in Windows Server 2012 R2
Plan Your AD FS Deployment Topology
3/5/2021 • 5 minutes to read
The first step in planning a deployment of Active Directory Federation Services (AD FS) is to determine the right
deployment topology to meet the needs of your organization.
Before you read this topic, review how AD FS data is stored and replicated to other federation servers in a
federation server farm and make sure you understand the purpose of and the replication methods that can be
used for the underlying data that is stored in the AD FS configuration database.
There are two database types that you can use to store AD FS configuration data: Windows Internal Database
(WID) and Microsoft SQL Server. For more information, see The Role of the AD FS Configuration Database.
Review the various benefits and limitations that are associated with using either WID or SQL Server as the
AD FS configuration database, along with the various application scenarios that they support and then make
your selection.
IMPORTANT
To implement basic redundancy, load balancing, and the option to scale the Federation Service (if required), we
recommend that you deploy at least two federation servers per federation server farm for all production environments,
regardless of the type of database that you will use.
Description: AD FS features
Feature: Federation server farm deployment
Supported by WID? Yes. A WID farm has a limit of 30 federation servers if you have 100 or fewer relying party
trusts. A WID farm does not support token replay detection or artifact resolution (part of the Security
Assertion Markup Language (SAML) protocol).
Supported by SQL Server? Yes. There is no enforced limit for the number of federation servers that you can
deploy in a single farm.
NOTE
As a security best practice, avoid having your federation servers directly accessible on the Internet. Consider giving your
federation servers direct Internet access only when you are setting up a test lab environment or when your organization
does not have a perimeter network.
For typical corporate networks, an intranet-facing firewall is established between the corporate network and the
perimeter network, and an Internet-facing firewall is often established between the perimeter network and the
Internet. In this situation, the federation server sits inside the corporate network, and it is not directly accessible
by Internet clients.
NOTE
Client computers that are connected to the corporate network can communicate directly with the federation server
through Windows Integrated Authentication.
A federation server proxy should be placed in the perimeter network before you configure your firewall servers
for use with AD FS.
See Also
AD FS Design Guide in Windows Server 2012 R2
Legacy AD FS Federation Server Farm Using WID
3/5/2021 • 3 minutes to read
The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the
Windows Internal Database (WID). In this topology, AD FS uses WID as the store for the AD FS configuration
database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation
Service data in the configuration database across each server in the farm. AD FS in Windows Server 2012 R2
enables organizations with 100 or fewer relying party trusts to configure federation server farms using WID
with up to 30 servers.
The act of creating the first federation server in a farm also creates a new Federation Service. When you use
WID for the AD FS configuration database, the first federation server that you create in the farm is referred to as
the primary federation server. This means that this computer is configured with a read/write copy of the AD FS
configuration database.
All other federation servers that you configure for this farm are referred to as secondary federation servers
because they must replicate any changes that are made on the primary federation server to the read-only
copies of the AD FS configuration database that they store locally.
IMPORTANT
We recommend the use of at least two federation servers in a load-balanced configuration.
Deployment considerations
This section describes various considerations about the intended audience, benefits, and limitations that are
associated with this deployment topology.
Who should use this topology?
Organizations with 100 or fewer configured trust relationships that need to provide their internal users
(logged on to computers that are physically connected to the corporate network) with single sign-on
(SSO) access to federated applications or services
Organizations that want to provide their internal users with SSO access to Microsoft Online Services or
Microsoft Office 365
Smaller organizations that require redundant, scalable services
NOTE
Organizations with larger databases should consider using the Federation Server Farm Using SQL Server deployment
topology. Organizations with users who log in from outside the network should consider using either the Federation
Server Farm Using WID and Proxies topology or the Federation Server Farm Using SQL Server topology.
1-100 RP trusts: 1-30 AD FS nodes: WID supported. More than 30 AD FS nodes: Not supported using WID - SQL
required.
More than 100 RP trusts: 1-30 AD FS nodes: Not supported using WID - SQL required. More than 30 AD FS nodes:
Not supported using WID - SQL required.
NOTE
This cluster DNS name must match the Federation Service name, for example, fs.fabrikam.com.
The NLB host can use the settings that are defined in this NLB cluster to allocate client requests to the individual
federation servers. The following illustration shows how the fictional Fabrikam, Inc., company sets up the first
phase of its deployment using a two-computer federation server farm (fs1 and fs2) with WID and the
positioning of a DNS server and a single NLB host that is wired to the corporate network.
NOTE
If there is a failure on this single NLB host, users will not be able to access federated applications or services. Add
additional NLB hosts if your business requirements do not allow having a single point of failure.
For more information about how to configure your networking environment for use with federation servers, see
the Name Resolution Requirements section in AD FS Requirements.
See Also
Plan Your AD FS Deployment Topology
AD FS Design Guide in Windows Server 2012 R2
Legacy AD FS Federation Server Farm Using WID and Proxies
3/5/2021 • 3 minutes to read
This deployment topology for Active Directory Federation Services (AD FS) is identical to the federation server
farm with Windows Internal Database (WID) topology, but it adds proxy computers to the perimeter network to
support external users. These proxies redirect client authentication requests that come from outside your
corporate network to the federation server farm. In previous versions of AD FS, these proxies were called
federation server proxies.
IMPORTANT
In Active Directory Federation Services (AD FS) in Windows Server 2012 R2, the role of a federation server proxy is
handled by a new Remote Access role service called Web Application Proxy. To enable your AD FS for accessibility from
outside the corporate network, which was the purpose of deploying a federation server proxy in legacy versions of AD FS,
such as AD FS 2.0 and AD FS in Windows Server 2012, you can deploy one or more web application proxies for AD FS in
Windows Server 2012 R2.
In the context of AD FS, Web Application Proxy functions as an AD FS federation server proxy. In addition to this, Web
Application Proxy provides reverse proxy functionality for web applications inside your corporate network to enable users
on any device to access them from outside the corporate network. For more information about the Web Application
Proxy role service, see Web Application Proxy Overview.
To plan the deployment of Web Application proxy, you can review the information in the following topics:
Plan the Web Application Proxy Infrastructure (WAP)
Plan the Web Application Proxy Server
Deployment considerations
This section describes various considerations about the intended audience, benefits, and limitations that are
associated with this deployment topology.
Who should use this topology?
Organizations with 100 or fewer configured trust relationships that need to provide both their internal
users and external users (who are logged on to computers that are physically located outside the
corporate network) with single sign-on (SSO) access to federated applications or services
Organizations that need to provide both their internal users and external users with SSO access to
Microsoft Office 365
Smaller organizations that have external users and require redundant, scalable services
What are the benefits of using this topology?
The same benefits as listed for the Federation Server Farm Using WID topology, plus the benefit of providing
additional access for external users
What are the limitations of using this topology?
The same limitations as listed for the Federation Server Farm Using WID topology
1-100 RP trusts: 1-30 AD FS nodes: WID supported. More than 30 AD FS nodes: Not supported using WID - SQL
required.
More than 100 RP trusts: 1-30 AD FS nodes: Not supported using WID - SQL required. More than 30 AD FS nodes:
Not supported using WID - SQL required.
For more information about how to configure your networking environment for use with federation servers or
web application proxies, see the "Name Resolution Requirements" section in AD FS Requirements and Plan the Web
Application Proxy Infrastructure (WAP).
See Also
Plan Your AD FS Deployment Topology
AD FS Design Guide in Windows Server 2012 R2
Legacy AD FS Federation Server Farm Using SQL Server
6/17/2021 • 8 minutes to read
This topology for Active Directory Federation Services (AD FS) differs from the federation server farm using
Windows Internal Database (WID) deployment topology in that it does not replicate the data to each federation
server in the farm. Instead, all federation servers in the farm can read and write data into a common database
that is stored on a server running Microsoft SQL Server that is located in the corporate network.
IMPORTANT
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008
and newer versions, including SQL Server 2012, and SQL Server 2014.
Deployment considerations
This section describes various considerations about the intended audience, benefits, and limitations that are
associated with this deployment topology.
Who should use this topology?
Large organizations with more than 100 trust relationships that need to provide both their internal users
and external users with single sign-on (SSO) access to federated applications or services
Organizations that already use SQL Server and want to take advantage of their existing tools and
expertise
What are the benefits of using this topology?
Support for larger numbers of trust relationships (more than 100)
Support for token replay detection (a security feature) and artifact resolution (part of the Security
Assertion Markup Language (SAML) 2.0 protocol)
Support for the full benefits of SQL Server, such as database mirroring, failover clustering, reporting, and
management tools
What are the limitations of using this topology?
This topology does not provide database redundancy by default. Although a federation server farm with
WID topology automatically replicates the WID database on each federation server in the farm, the
federation server farm with SQL Server topology contains only one copy of the database
NOTE
SQL Server supports many different data and application redundancy options including failover clustering,
database mirroring, and several different types of SQL Server replication.
The Microsoft Information Technology (IT) department uses SQL Server database mirroring in high-safety
(synchronous) mode and failover clustering to provide high-availability support for the SQL Server instance.
SQL Server transactional (peer-to-peer) and merge replication have not been tested by the AD FS product team
at Microsoft. For more information about SQL Server, see High Availability Solutions Overview or Selecting the
Appropriate Type of Replication.
Supported SQL Server Versions
The following SQL Server versions are supported with AD FS in Windows Server 2012 R2:
SQL Server 2008 / R2
SQL Server 2012
SQL Server 2014
For more information about how to configure your networking environment for use with federation servers or
web application proxies, see the "Name Resolution Requirements" section in AD FS Requirements and Plan the Web
Application Proxy Infrastructure (WAP).
1-100 RP trusts: 1-30 AD FS nodes: WID supported. More than 30 AD FS nodes: Not supported using WID - SQL
required.
More than 100 RP trusts: 1-30 AD FS nodes: Not supported using WID - SQL required. More than 30 AD FS nodes:
Not supported using WID - SQL required.
NOTE
Only one availability replica can act as an automatic failover target; the other three will rely on manual failovers.
4. Example PSH commands to update the SQL connection string for the AD FS artifact resolution service
database:
See Also
Plan Your AD FS Deployment Topology
AD FS Design Guide in Windows Server 2012 R2
AD FS Requirements for Windows Server
6/17/2021 • 21 minutes to read
The following are the various requirements that you must conform to when deploying AD FS:
Certificate requirements
Hardware requirements
Software requirements
AD DS requirements
Configuration database requirements
Browser requirements
Extranet requirements
Network requirements
Attribute store requirements
Application requirements
Authentication requirements
Workplace join requirements
Cryptography requirements
Permissions requirements
Certificate requirements
Certificates play the most critical role in securing communications between federation servers, Web Application
Proxies, claims-aware applications, and Web clients. The requirements for certificates vary, depending on
whether you are setting up a federation server or a proxy computer, as described in this section.
Federation server certificates
Certificate type / Requirements, support & things to know
Certificate type: Secure Sockets Layer (SSL) certificate
This is a standard SSL certificate that is used for securing communications between federation servers and
clients.
Requirements, support & things to know:
- This certificate must be a publicly trusted* X509 v3 certificate.
- All clients that access any AD FS endpoint must trust this certificate. It is strongly recommended to use
certificates that are issued by a public (third-party) certification authority (CA). You can use a self-signed SSL
certificate successfully on federation servers in a test lab environment. However, for a production environment,
we recommend that you obtain the certificate from a public CA.
- Supports any key size supported by Windows Server 2012 R2 for SSL certificates.
- Does not support certificates that use CNG keys.
- When used together with Workplace Join/Device Registration Service, the subject alternative name of the SSL
certificate for the AD FS service must contain the value enterpriseregistration followed by the User Principal
Name (UPN) suffix of your organization, for example, enterpriseregistration.contoso.com.
- Wildcard certificates are supported. When you create your AD FS farm, you will be prompted to provide the
service name for the AD FS service (for example, adfs.contoso.com).
- It is strongly recommended to use the same SSL certificate for the Web Application Proxy. It is required to be
the same when supporting Windows Integrated Authentication endpoints through the Web Application Proxy and
when Extended Protection Authentication is turned on (default setting).
- The Subject name of this certificate is used to represent the Federation Service name for each instance of
AD FS that you deploy. For this reason, you may want to consider choosing a Subject name on any new CA-issued
certificates that best represents the name of your company or organization to partners. The identity of the
certificate must match the federation service name (for example, fs.contoso.com). The identity is either a
subject alternative name extension of type dNSName or, if there are no subject alternative name entries, the
subject name specified as a common name. Multiple subject alternative name entries can be present in the
certificate, provided one of them matches the federation service name.
- Important: it is strongly recommended to use the same SSL certificate across all nodes of your AD FS farm as
well as all Web Application Proxies in your AD FS farm.
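The identity rules above (dNSName SAN entries take precedence over the subject CN, wildcards are allowed, the enterpriseregistration name is needed for Device Registration, CNG keys are unsupported) are easy to get wrong on a CA-issued certificate, so here is a check to run on a federation server before Install-AdfsFarm. It is an added example, not code from the Microsoft guide; the thumbprint, Federation Service name and UPN suffix are assumed inputs, and the CNG detection is a heuristic noted in the code.

```powershell
# Added example, not part of the Microsoft guide. Checks a certificate in the local machine
# store against the SSL certificate requirements listed above.
# All inputs are assumptions for your environment (thumbprint, service name, UPN suffix).
function Test-AdfsSslCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $FederationServiceName,   # e.g. fs.contoso.com
        [Parameter(Mandatory)] [string] $UpnSuffix,               # e.g. contoso.com
        [switch] $DeviceRegistration                              # set when Workplace Join / DRS is used
    )

    $cert     = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $findings = New-Object System.Collections.Generic.List[string]

    # Identity: dNSName SAN entries are authoritative; the subject CN counts only when there are none.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                 ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    } else {
        $names = @($cert.GetNameInfo('SimpleName', $false).ToLowerInvariant())
    }

    # Wildcard entries such as *.contoso.com are supported and match exactly one label.
    $nameMatches = {
        param($pattern, $name)
        if ($pattern.StartsWith('*.')) {
            $suffix = $pattern.Substring(1)
            return $name.EndsWith($suffix) -and ($name.Length -gt $suffix.Length) -and
                   ($name.Substring(0, $name.Length - $suffix.Length) -notmatch '\.')
        }
        return $pattern -eq $name
    }

    $fs = $FederationServiceName.ToLowerInvariant()
    if (-not ($names | Where-Object { & $nameMatches $_ $fs })) {
        $findings.Add("Identity does not match Federation Service name '$fs' (names: $($names -join ', '))")
    }
    if ($DeviceRegistration) {
        $drs = "enterpriseregistration.$UpnSuffix".ToLowerInvariant()
        if (-not ($names | Where-Object { & $nameMatches $_ $drs })) {
            $findings.Add("SAN lacks '$drs', required for Workplace Join / Device Registration Service")
        }
    }

    # Validity and trust. Verify() builds the chain against this machine's trust stores; a self-signed
    # certificate fails here, which the guide accepts only for a test lab.
    if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("Certificate expired on $($cert.NotAfter)") }
    if (-not $cert.Verify())           { $findings.Add('Chain does not build to a trusted root on this machine') }

    # CNG keys are not supported. Heuristic (assumption): under the .NET Framework, $cert.PrivateKey is
    # populated for legacy CSP keys and $null for keys held by a CNG key storage provider.
    if ($cert.HasPrivateKey -and $null -eq $cert.PrivateKey) {
        $findings.Add('Private key appears to be in a CNG key storage provider; AD FS requires a CSP key')
    } elseif (-not $cert.HasPrivateKey) {
        $findings.Add('No private key is associated with this certificate on this machine')
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Names      = $names
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage (assumed values; replace the placeholder thumbprint with your own):
Test-AdfsSslCertificate -Thumbprint 'THUMBPRINT_PLACEHOLDER' -FederationServiceName 'fs.contoso.com' `
                        -UpnSuffix 'contoso.com' -DeviceRegistration
```

Run it on every farm node and on each Web Application Proxy, since the guide recommends the same certificate on all of them; a certificate that passes on one node but lacks a private key on another is a common cause of a proxy that cannot establish trust.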
Certificate type: Service communication certificate
This certificate enables WCF message security for securing communications between federation servers.
Requirements, support & things to know:
- By default, the SSL certificate is used as the service communications certificate. But you also have the
option to configure another certificate as the service communication certificate.
- Important: if you are using the SSL certificate as the service communication certificate, when the SSL
certificate expires, make sure to configure the renewed SSL certificate as your service communication
certificate. This does not happen automatically.
- This certificate must be trusted by clients of AD FS that use WCF Message Security.
- We recommend that you use a server authentication certificate that is issued by a public (third-party)
certification authority (CA).
- The service communication certificate cannot be a certificate that uses CNG keys.
- This certificate can be managed using the AD FS Management console.
Certificate type: Token-signing certificate
This is a standard X509 certificate that is used for securely signing all tokens that the federation server
issues.
Requirements, support & things to know:
- By default, AD FS creates a self-signed certificate with 2048 bit keys.
- CA issued certificates are also supported and can be changed using the AD FS Management snap-in.
- CA issued certificates must be stored & accessed through a CSP Crypto Provider.
- The token signing certificate cannot be a certificate that uses CNG keys.
- AD FS does not require externally enrolled certificates for token signing.
AD FS automatically renews these self-signed certificates before they expire, first configuring the new
certificates as secondary certificates to allow for partners to consume them, then flipping to primary in a
process called automatic certificate rollover. We recommend that you use the default, automatically generated
certificates for token signing.
If your organization has policies that require different certificates to be configured for token signing, you
can specify the certificates at installation time using PowerShell (use the -SigningCertificateThumbprint
parameter of the Install-AdfsFarm cmdlet). After installation, you can view and manage token signing
certificates using the AD FS Management console or the PowerShell cmdlets Set-AdfsCertificate and
Get-AdfsCertificate.
When externally enrolled certificates are used for token signing, AD FS does not perform automatic certificate
renewal or rollover. This process must be performed by an administrator.
To allow for certificate rollover when one certificate is close to expiring, a secondary token signing
certificate can be configured in AD FS. By default, all token signing certificates are published in federation
metadata, but only the primary token-signing certificate is used by AD FS to actually sign tokens.
Certificate type: Token-decryption/encryption certificate
This is a standard X509 certificate that is used to decrypt/encrypt any incoming tokens. It is also published in
federation metadata.
Requirements, support & things to know:
- By default, AD FS creates a self-signed certificate with 2048 bit keys.
- CA issued certificates are also supported and can be changed using the AD FS Management snap-in.
- CA issued certificates must be stored & accessed through a CSP Crypto Provider.
- The token-decryption/encryption certificate cannot be a certificate that uses CNG keys.
- By default, AD FS generates and uses its own, internally generated and self-signed certificates for token
decryption. AD FS does not require externally enrolled certificates for this purpose. In addition, AD FS
automatically renews these self-signed certificates before they expire. We recommend that you use the default,
automatically generated certificates for token decryption.
If your organization has policies that require different certificates to be configured for token decryption,
you can specify the certificates at installation time using PowerShell (use the -DecryptionCertificateThumbprint
parameter of the Install-AdfsFarm cmdlet). After installation, you can view and manage token decryption
certificates using the AD FS Management console or the PowerShell cmdlets Set-AdfsCertificate and
Get-AdfsCertificate.
When externally enrolled certificates are used for token decryption, AD FS does not perform automatic
certificate renewal. This process must be performed by an administrator.
- The AD FS service account must have access to the token-signing certificate's private key in the personal
store of the local computer. This is taken care of by Setup. You can also use the AD FS Management snap-in to
ensure this access if you subsequently change the token-signing certificate.
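Both the token-signing and the token-decryption/encryption entries above say the same thing about externally enrolled certificates: AD FS will not renew or roll them over, so an administrator has to stage a secondary certificate, let partners pick it up from federation metadata, and only then promote it. The following PowerShell is an added example, not code from the Microsoft guide, covering both certificate types; it assumes the ADFS module on the primary federation server of the farm, and the thumbprints and 30 day warning window are assumed values.

```powershell
# Added example, not part of the Microsoft guide. Run on the primary federation server with the
# ADFS module. Reports token-signing and token-decrypting certificates and, for farms that manage
# their own (externally enrolled) certificates, performs the staged rollover described above.

function Get-AdfsTokenCertificateStatus {
    param([int] $WarnWithinDays = 30)   # assumed warning window

    $autoRollover = (Get-AdfsProperties).AutoCertificateRollover
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($c in Get-AdfsCertificate -CertificateType $type) {
            $daysLeft = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
            [pscustomobject]@{
                Type         = $type
                Thumbprint   = $c.Thumbprint
                IsPrimary    = $c.IsPrimary
                NotAfter     = $c.Certificate.NotAfter
                DaysLeft     = $daysLeft
                AutoRollover = $autoRollover
                # Self-signed certificates roll over on their own; externally enrolled ones do not.
                NeedsAction  = (-not $autoRollover) -and $c.IsPrimary -and ($daysLeft -le $WarnWithinDays)
            }
        }
    }
}

function Invoke-AdfsTokenCertificateRollover {
    param(
        [Parameter(Mandatory)] [ValidateSet('Token-Signing', 'Token-Decrypting')] [string] $CertificateType,
        [Parameter(Mandatory)] [string] $NewThumbprint,   # already in LocalMachine\My, CSP key, readable by the service account
        [string] $OldThumbprint,                          # certificate to retire in the Promote phase
        [ValidateSet('Stage', 'Promote')] [string] $Phase = 'Stage'
    )

    if ((Get-AdfsProperties).AutoCertificateRollover) {
        throw 'AutoCertificateRollover is enabled; run Set-AdfsProperties -AutoCertificateRollover $false before managing certificates manually.'
    }

    switch ($Phase) {
        'Stage' {
            # Step 1: add the new certificate as a secondary. It is published in federation metadata so
            # partners can pick it up, while the current primary stays in use.
            Add-AdfsCertificate -CertificateType $CertificateType -Thumbprint $NewThumbprint
        }
        'Promote' {
            # Step 2 (after partners have refreshed metadata): make the new certificate primary,
            # then retire the old one.
            Set-AdfsCertificate -CertificateType $CertificateType -Thumbprint $NewThumbprint -IsPrimary
            if ($OldThumbprint) {
                Remove-AdfsCertificate -CertificateType $CertificateType -Thumbprint $OldThumbprint
            }
        }
    }
    Get-AdfsTokenCertificateStatus | Where-Object Type -eq $CertificateType
}

# Usage (assumed placeholder thumbprints):
Get-AdfsTokenCertificateStatus | Format-Table
# Invoke-AdfsTokenCertificateRollover -CertificateType Token-Signing -NewThumbprint 'NEW_THUMBPRINT' -Phase Stage
# Invoke-AdfsTokenCertificateRollover -CertificateType Token-Signing -NewThumbprint 'NEW_THUMBPRINT' `
#                                     -OldThumbprint 'OLD_THUMBPRINT' -Phase Promote
```

Keep the two phases days apart: the Caution below is about exactly this class of certificate, and a partner that has not yet refreshed metadata will reject every token the moment the new certificate becomes primary. Back up both certificates with their private keys before the Promote step.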
Caution
Certificates that are used for token-signing and token-decrypting/encrypting are critical to the stability of the
Federation Service. Customers managing their own token-signing & token-decrypting/encrypting certificates
should ensure that these certificates are backed up and are available independently during a recovery event.
NOTE
In AD FS you can change the Secure Hash Algorithm (SHA) level that is used for digital signatures to either SHA-1 or
SHA-256 (more secure). AD FS does not support the use of certificates with other hash methods, such as MD5 (the
default hash algorithm that is used with the Makecert.exe command-line tool). As a security best practice, we recommend
that you use SHA-256 (which is set by default) for all signatures. SHA-1 is recommended for use only in scenarios in
which you must interoperate with a product that does not support communications using SHA-256, such as a non-
Microsoft product or legacy versions of AD FS.
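The note above names two separate hash settings: the algorithm AD FS uses to sign tokens for each relying party (SHA-256 by default, SHA-1 only for interoperability) and the hash in the certificates themselves (MD5-signed Makecert.exe certificates are unsupported). The following PowerShell is an added example, not code from the Microsoft guide; it assumes the ADFS module on a federation server and reports on both, with a helper that moves one relying party trust back to SHA-256.

```powershell
# Added example, not part of the Microsoft guide. Run on a federation server with the ADFS module.
$Sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$Sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

function Get-AdfsWeakSignatureSettings {
    # Relying party trusts whose tokens are still signed with SHA-1.
    Get-AdfsRelyingPartyTrust |
        Where-Object { $_.SignatureAlgorithm -eq $Sha1 } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'RelyingPartyTrust'; Name = $_.Name; Detail = $_.SignatureAlgorithm }
        }

    # AD FS certificates whose own signature uses MD5, which AD FS does not support.
    Get-AdfsCertificate |
        Where-Object { $_.Certificate.SignatureAlgorithm.FriendlyName -like 'md5*' } |
        ForEach-Object {
            [pscustomobject]@{ Kind = $_.CertificateType; Name = $_.Thumbprint
                               Detail = $_.Certificate.SignatureAlgorithm.FriendlyName }
        }
}

function Set-AdfsRelyingPartySha256 {
    # Moves one relying party trust to SHA-256; do this only after confirming the
    # application accepts SHA-256 signatures.
    param([Parameter(Mandatory)] [string] $Name)
    Set-AdfsRelyingPartyTrust -TargetName $Name -SignatureAlgorithm $Sha256
    Get-AdfsRelyingPartyTrust -Name $Name | Select-Object Name, SignatureAlgorithm
}

# Usage:
Get-AdfsWeakSignatureSettings | Format-Table -AutoSize
# Set-AdfsRelyingPartySha256 -Name 'Assumed RP display name'
```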
NOTE
After you receive a certificate from a CA, make sure that all certificates are imported into the personal certificate store of
the local computer. You can import certificates to the personal store with the Certificates MMC snap-in.
Hardware requirements
The following minimum and recommended hardware requirements apply to the AD FS federation servers in
Windows Server 2012 R2:
RAM: 512 MB minimum; 4 GB recommended
Software requirements
The following AD FS requirements are for the server functionality that is built into the Windows Server® 2012
R2 operating system:
For extranet access, you must deploy the Web Application Proxy role service - part of the Windows
Server® 2012 R2 Remote Access server role. Prior versions of a federation server proxy are not
supported with AD FS in Windows Server® 2012 R2.
A federation server and the Web Application Proxy role service cannot be installed on the same
computer.
AD DS requirements
Domain controller requirements
Domain controllers in all user domains and the domain to which the AD FS servers are joined must be running
Windows Server 2008 or later.
NOTE
All support for environments with Windows Server 2003 domain controllers will end after the Extended Support End Date
for Windows Server 2003. Customers are strongly recommended to upgrade their domain controllers as soon as possible.
Visit this page for additional information on Microsoft Support Lifecycle. For issues discovered that are specific to
Windows Server 2003 domain controller environments, fixes will be issued only for security issues and if a fix can be
issued prior to the expiry of Extended Support for Windows Server 2003.
NOTE
AD FS requires a full writable Domain Controller to function as opposed to a Read-Only Domain Controller. If a planned
topology includes a Read-Only Domain controller, the Read-Only domain controller can be used for authentication but
LDAP claims processing will require a connection to the writable domain controller.
1-100 RP trusts: 1-30 AD FS nodes: WID supported. More than 30 AD FS nodes: Not supported using WID - SQL
required.
More than 100 RP trusts: 1-30 AD FS nodes: Not supported using WID - SQL required. More than 30 AD FS nodes:
Not supported using WID - SQL required.
Browser requirements
When AD FS authentication is performed via a browser or browser control, your browser must comply with the
following requirements:
JavaScript must be enabled
Cookies must be turned on
Server Name Indication (SNI) must be supported
For user certificate & device certificate authentication (workplace join functionality), the browser must
support SSL client certificate authentication
Several key browsers and platforms have been validated for rendering and functionality; the details are
listed below. Browsers and devices that are not covered in this table are still supported if they meet the
requirements listed above:
Browsers    Platforms
IMPORTANT
Known issue - Firefox: Workplace Join functionality that identifies the device using device certificate is not functional on
Windows platforms. Firefox does not currently support performing SSL client certificate authentication using certificates
provisioned to the user certificate store on Windows clients.
Cookies
AD FS creates session-based and persistent cookies that must be stored on client computers to provide sign-in,
sign-out, single sign-on (SSO), and other functionality. Therefore, the client browser must be configured to
accept cookies. Cookies that are used for authentication are always Secure Hypertext Transfer Protocol (HTTPS)
session cookies that are written for the originating server. If the client browser is not configured to allow these
cookies, AD FS cannot function correctly. Persistent cookies are used to preserve user selection of the claims
provider. You can disable them by using a configuration setting in the configuration file for the AD FS sign-in
pages. Support for TLS/SSL is required for security reasons.
Extranet requirements
To provide extranet access to the AD FS service, you must deploy the Web Application Proxy role service as the
extranet facing role that proxies authentication requests in a secure manner to the AD FS service. This provides
isolation of the AD FS service endpoints as well as isolation of all security keys (such as token signing
certificates) from requests that originate from the internet. In addition, features such as Soft Extranet Account
Lockout require the use of the Web Application Proxy. For more information about Web Application Proxy, see
Web Application Proxy.
If you want to use a third-party proxy for extranet access, this third-party proxy must support the protocol
defined in http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-
A4F81802D92C/%5bMS-ADFSPIP%5d.pdf.
Network requirements
Configuring the following network services appropriately is critical for successful deployment of AD FS in your
organization:
Configuring Corporate Firewall
Both the firewall located between the Web Application Proxy and the federation server farm and the firewall
between the clients and the Web Application Proxy must have TCP port 443 enabled inbound.
In addition, if client user certificate authentication (client TLS authentication using X509 user certificates) is
required, AD FS in Windows Server 2012 R2 requires that TCP port 49443 be enabled inbound on the firewall
between the clients and the Web Application Proxy. This is not required on the firewall between the Web
Application Proxy and the federation servers.
NOTE
Also make sure that port 49443 is not used by any other services on the AD FS and Web Application Proxy server.
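The firewall rules above and the note about port 49443 translate into three checks a practitioner runs after deployment: reachability of the two ports from a client, which process holds them on the server, and whether inbound rules exist. The following PowerShell is an added example, not code from the Microsoft guide; the service name is an assumed input, and the port-ownership and firewall functions are meant to run locally on the AD FS or Web Application Proxy server.

```powershell
# Added example, not part of the Microsoft guide. Service name is an assumed input.

function Test-AdfsPortReachability {
    # Run from a client (intranet or internet side) against the service name.
    param(
        [Parameter(Mandatory)] [string] $ServiceName,    # e.g. fs.contoso.com
        [switch] $UserCertificateAuthentication          # adds TCP 49443 (client TLS) to the check
    )
    $ports = @(443)
    if ($UserCertificateAuthentication) { $ports += 49443 }
    foreach ($port in $ports) {
        $r = Test-NetConnection -ComputerName $ServiceName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port      = $port
            Target    = $r.RemoteAddress
            Reachable = $r.TcpTestSucceeded
        }
    }
}

function Get-AdfsPortOwnership {
    # Run locally on the federation server or Web Application Proxy. Both listen through HTTP.sys,
    # so the expected owner of 443 and 49443 is the System process (PID 4); any other owner is the
    # "port used by another service" conflict the note above warns about.
    foreach ($port in 443, 49443) {
        $listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        foreach ($l in $listeners) {
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port         = $port
                LocalAddress = $l.LocalAddress
                ProcessId    = $l.OwningProcess
                Process      = $proc.ProcessName
                HttpSysOwned = ($l.OwningProcess -eq 4)
            }
        }
    }
}

function Get-AdfsInboundFirewallRules {
    # Inbound Windows Firewall rules that cover TCP 443 or 49443 on this server.
    Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '443' -or $_.LocalPort -contains '49443') } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Enabled, Action, Profile
}

# Usage (assumed service name):
Test-AdfsPortReachability -ServiceName 'fs.contoso.com' -UserCertificateAuthentication
Get-AdfsPortOwnership
Get-AdfsInboundFirewallRules
```

A listener on 49443 owned by something other than PID 4 is the condition to fix before enabling user certificate authentication; a missing inbound rule shows up as Reachable = False from the client even though the service is healthy.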
Configuring DNS
For intranet access, all clients accessing the AD FS service within the internal corporate network (intranet)
must be able to resolve the AD FS service name (name provided by the SSL certificate) to the load
balancer for the AD FS servers or the AD FS server.
For extranet access, all clients accessing the AD FS service from outside the corporate network
(extranet/internet) must be able to resolve the AD FS service name (name provided by the SSL certificate)
to the load balancer for the Web Application Proxy servers or the Web Application Proxy server.
For extranet access to function properly, each Web Application Proxy server in the DMZ must be able to
resolve the AD FS service name (name provided by the SSL certificate) to the load balancer for the AD FS
servers or the AD FS server. This can be achieved using an alternate DNS server in the DMZ network or
by changing local server resolution using the HOSTS file.
For Windows Integrated authentication to work inside the network and outside the network for a subset
of endpoints exposed through the Web Application Proxy, you must use an A record (not CNAME) to
point to the load balancers.
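The DNS rules above differ by where the query is made from (intranet client, internet client, Web Application Proxy in the DMZ), and the last rule adds a record-type constraint. The following PowerShell is an added example, not code from the Microsoft guide; it checks, from whichever machine it runs on, that the service name resolves to the expected addresses, that no CNAME is in the chain, and whether a HOSTS entry overrides DNS. The service name and addresses are assumed inputs.

```powershell
# Added example, not part of the Microsoft guide. Service name and expected addresses are assumed inputs.
function Test-AdfsServiceNameResolution {
    param(
        [Parameter(Mandatory)] [string]   $ServiceName,        # e.g. fs.contoso.com
        [Parameter(Mandatory)] [string[]] $ExpectedAddresses,  # VIP of the AD FS or WAP load balancer for this network
        [string] $DnsServer                                    # optional: the alternate DNS server used in the DMZ
    )

    # -DnsOnly skips the local cache and HOSTS file so the DNS answer and any HOSTS override are reported separately.
    $query = @{ Name = $ServiceName; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($DnsServer) { $query.Server = $DnsServer }
    $records = Resolve-DnsName @query

    $cnames     = @($records | Where-Object Type -eq 'CNAME')
    $addrs      = @($records | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    $unexpected = @($addrs | Where-Object { $_ -notin $ExpectedAddresses })

    # A HOSTS entry is the guide's second option for WAP servers in the DMZ; surface it so it is not forgotten
    # when the AD FS load balancer address changes.
    $hostsLines = @(Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
                    Where-Object { $_ -notmatch '^\s*#' -and $_ -match "\b$([regex]::Escape($ServiceName))\b" })

    [pscustomobject]@{
        ServiceName         = $ServiceName
        ResolvedTo          = $addrs
        IsCname             = ($cnames.Count -gt 0)   # must be $false for Windows Integrated Authentication through WAP
        UnexpectedAddresses = $unexpected
        HostsOverride       = $hostsLines
        Passed              = ($addrs.Count -gt 0 -and $cnames.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Usage (assumed values): on an intranet client, expect the AD FS load balancer VIP;
# on an internet client, expect the Web Application Proxy load balancer VIP instead.
Test-AdfsServiceNameResolution -ServiceName 'fs.contoso.com' -ExpectedAddresses '10.0.0.10'
# On a WAP server in the DMZ that uses an alternate DNS server:
# Test-AdfsServiceNameResolution -ServiceName 'fs.contoso.com' -ExpectedAddresses '10.0.0.10' -DnsServer '10.1.0.53'
```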
For information on configuring corporate DNS for the federation service and Device Registration Service, see
Configure Corporate DNS for the Federation Service and DRS.
For information on configuring corporate DNS for Web Application proxies, see the "Configure DNS" section in
Step 1: Configure the Web Application Proxy Infrastructure.
For information about how to configure a cluster IP address or cluster FQDN using NLB, see Specifying the
Cluster Parameters at http://go.microsoft.com/fwlink/?LinkId=75282.
NOTE
AD FS automatically creates an "Active Directory" attribute store, by default. Attribute store requirements depend on
whether your organization is acting as the account partner (hosting the federated users) or the resource partner (hosting
the federated application).
Authentication requirements
AD DS Authentication (Primary Authentication)
For intranet access, the following standard authentication mechanisms for AD DS are supported:
Windows Integrated Authentication using Negotiate for Kerberos & NTLM
Forms Authentication using username/passwords
Certificate Authentication using certificates mapped to user accounts in AD DS
For extranet access, the following authentication mechanisms are supported:
Forms Authentication using username/passwords
Certificate Authentication using certificates that are mapped to user accounts in AD DS
Windows Integrated Authentication using Negotiate (NTLM only) for WS-Trust endpoints that accept
Windows Integrated Authentication.
For Certificate Authentication:
Extends to smart cards that can be PIN-protected.
AD FS does not provide the UI in which the user enters the PIN; the client operating system must supply it,
and it is displayed when client TLS is used.
The reader and cryptographic service provider (CSP) for the smart card must work on the computer
where the browser is located.
The smart card certificate must chain up to a trusted root on all the AD FS servers and Web Application
Proxy servers.
The certificate must map to the user account in AD DS by either of the following methods:
The certificate subject name corresponds to the LDAP distinguished name of a user account in AD
DS.
The certificate subject altname extension has the user principal name (UPN) of a user account in
AD DS.
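As an added example that is not part of the Microsoft guide, the following PowerShell function checks a user's smart card certificate against the two requirements above: that it chains to a root trusted on the server where the check runs (so run it on each AD FS and Web Application Proxy server), and that it carries mapping material, either a UPN in the subjectAltName extension or a subject DN, that resolves to an AD DS account. The certificate path is an assumption, the function name is mine, and the "Principal Name=" label matched in the SAN text is the English display string, so adjust it on localized systems.

```powershell
# Added example, not from the Microsoft guide. Requires the ActiveDirectory module for the account lookup.
Import-Module ActiveDirectory

function Test-AdfsSmartCardCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # 1. The certificate must chain to a root that the AD FS and Web Application Proxy servers trust.
    #    Building the chain here uses the local machine's trust store, so run this on each of those servers.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainValid  = $chain.Build($Cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # 2. Mapping to AD DS: a UPN in the subjectAltName extension (OID 2.5.29.17) or the subject DN.
    #    Subject-DN mapping requires the subject to equal the account's distinguishedName exactly and is
    #    reported here for manual comparison; the UPN path is resolved automatically.
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $upn = $null
    if ($sanExt) {
        # Format($true) renders the SAN as multi-line text; 'Principal Name=' is the English display label
        if ($sanExt.Format($true) -match 'Principal Name=([^\r\n]+)') { $upn = $Matches[1].Trim() }
    }

    $account = $null
    if ($upn) {
        $account = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue
    }
    $mapped = if ($account) { $account.SamAccountName }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        ChainValid    = $chainValid
        ChainErrors   = $chainErrors
        SanUpn        = $upn
        MappedAccount = $mapped
        Ready         = ($chainValid -and [bool]$account)
    }
}

# Input: the public part of a user's smart card certificate exported to a .cer file (assumed path)
$userCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\alice-smartcard.cer'
Test-AdfsSmartCardCertificate -Cert $userCert
```

A result with ChainValid false and a non-empty ChainErrors (for example RevocationStatusUnknown or UntrustedRoot) points at the server's trust store or CRL reachability rather than at AD FS configuration; a result with ChainValid true but no MappedAccount means the certificate will be accepted by TLS but AD FS will not be able to tie it to a user.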
For seamless Windows Integrated Authentication using Kerberos in the intranet:
The service name must be part of the Trusted Sites or the Local Intranet sites.
In addition, the HOST/<adfs_service_name> SPN must be set on the service account that the AD FS farm
runs on.
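As an added example that is not from the Microsoft guide, the PowerShell below covers both Kerberos prerequisites just listed: it verifies that the HOST/<adfs_service_name> SPN is registered on the farm service account and on no other object (a duplicate SPN makes the KDC unable to issue a usable ticket, and the client quietly falls back to NTLM or forms authentication), registers it if missing, places the service name in the Local intranet zone for the current user, and then requests a service ticket to confirm the end-to-end result. The service name, service account name and all function names are constructed assumptions; it requires the ActiveDirectory module.

```powershell
# Added example, not from the Microsoft guide. Names are constructed placeholders.
Import-Module ActiveDirectory
$FederationServiceName = 'fs.fabrikam.com'   # assumption: federation service name (SSL certificate subject)
$ServiceAccount        = 'svc_adfs'          # assumption: sAMAccountName of the AD FS farm service account
$Spn                   = "HOST/$FederationServiceName"

function Test-AdfsSpn {
    # The SPN must be on the farm service account and nowhere else. This searches the current domain;
    # add -Server '<dc>:3268' to query a global catalog and cover the whole forest.
    param([string]$ServicePrincipalName, [string]$ExpectedAccount)
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$ServicePrincipalName)" -Properties sAMAccountName
    [pscustomobject]@{
        Spn          = $ServicePrincipalName
        Owners       = ($owners.sAMAccountName -join ',')
        OnExpected   = ($owners.sAMAccountName -contains $ExpectedAccount)
        IsDuplicated = (@($owners).Count -gt 1)
    }
}

function Register-AdfsSpn {
    # Adds HOST/<service name> to a user service account (for a gMSA use Set-ADServiceAccount instead)
    param([string]$ServicePrincipalName, [string]$Account)
    Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $ServicePrincipalName }
}

function Set-AdfsLocalIntranetZone {
    # Per-user ZoneMap entry that puts https://<service name> in the Local intranet zone (zone value 1),
    # so the browser sends Negotiate credentials without prompting. For a fleet, deliver the same mapping
    # centrally through the "Site to Zone Assignment List" policy instead of editing HKCU on each client.
    param([string]$ServiceName)
    $labels    = $ServiceName.Split('.')
    $hostLabel = $labels[0]
    $domain    = ($labels | Select-Object -Skip 1) -join '.'
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'https' -Value 1 -Type DWord
    Get-ItemProperty -Path $key -Name 'https'
}

function Test-AdfsKerberosTicket {
    # From a domain-joined client: ask the KDC for a service ticket for the SPN and confirm it is cached.
    # If this fails while the SPN check passes, the client is not resolving the name as expected (see DNS).
    param([string]$ServicePrincipalName)
    klist get $ServicePrincipalName | Out-Null
    $cached = klist | Select-String -SimpleMatch $ServicePrincipalName
    [bool]$cached
}

$check = Test-AdfsSpn -ServicePrincipalName $Spn -ExpectedAccount $ServiceAccount
$check
if ($check.IsDuplicated) {
    Write-Warning "SPN $Spn is registered on more than one object: $($check.Owners). Remove the stray entry before continuing."
} elseif (-not $check.OnExpected) {
    Register-AdfsSpn -ServicePrincipalName $Spn -Account $ServiceAccount
}
Set-AdfsLocalIntranetZone -ServiceName $FederationServiceName
Test-AdfsKerberosTicket -ServicePrincipalName $Spn
```

The script deliberately refuses to add the SPN when a duplicate already exists, because adding a second copy does not fix the conflict; the stray registration has to be removed from the other object first.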
Multi-Factor Authentication
AD FS supports additional authentication (beyond primary authentication supported by AD DS) using a
provider model whereby vendors/customers can build their own multi-factor authentication adapter that an
administrator can register and use during login.
Every MFA adapter must be built on top of .NET 4.5.
For more information on MFA, see Manage Risk with Additional Multi-Factor Authentication for Sensitive
Applications.
Device Authentication
AD FS supports device authentication using certificates provisioned by the Device Registration Service during
the act of an end user workplace joining their device.
Cryptography requirements
The following table provides additional cryptography support information on the AD FS token signing, token
encryption/decryption functionality:

Algorithm: TripleDES – Default 192 (Supported 192 – 256) - http://www.w3.org/2001/04/xmlenc#tripledes-cbc
Key lengths: >= 192
Protocols/applications/comments: Supported algorithm for decrypting the security token. Encrypting the
security token with this algorithm is not supported.

Algorithm: TripleDESKeyWrap - http://www.w3.org/2001/04/xmlenc#kw-tripledes
Key lengths: All key sizes supported by .NET 4.0+
Protocols/applications/comments: Supported algorithm for encrypting the symmetric key that encrypts a
security token.
Permissions requirements
The administrator that performs the installation and the initial configuration of AD FS must have domain
administrator permissions in the local domain (in other words, the domain to which the federation server is
joined).
See Also
AD FS Design Guide in Windows Server 2012 R2
AD FS Legacy Design Guide in Windows Server
3/5/2021 • 2 minutes to read
NOTE
For information about how to deploy AD FS in Windows Server 2012 R2 , see Windows Server 2012 R2 AD FS
Deployment Guide.
You can use Active Directory® Federation Services (AD FS) with the Windows Server® 2012 operating
system in a federation services provider role to seamlessly authenticate your users to any Web-based services
or applications that reside in a resource partner organization, without the need for administrators to create or
maintain external trusts or forest trusts between the networks of both organizations and without the need for
the users to log on a second time. The process of authenticating to one network while accessing resources in
another network—without the burden of repeated logon actions by users—is known as single sign-on (SSO).
In this guide
Identifying Your AD FS Deployment Goals
Mapping Your Deployment Goals to an AD FS Design
Determine Your AD FS Deployment Topology
Planning Your Deployment
Planning Federation Server Placement
Planning Federation Server Proxy Placement
Planning for AD FS Server Capacity
Appendix A: Reviewing AD FS Requirements
Identifying Your AD FS Deployment Goals
3/5/2021 • 2 minutes to read
Correctly identifying your Active Directory Federation Services (AD FS) deployment goals is essential for the
success of your AD FS design project. Depending on the size of your organization and the level of involvement
that you want to provide for the information technology (IT) staff in any partner organizations, form a project
team that can clearly articulate real-world deployment issues in a vision statement. Make sure that the members
of this team understand the direction in which your deployment project must move in order to reach your AD
FS deployment goals.
When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and,
possibly, combine your deployment goals so that you can design and deploy AD FS by using an iterative
approach. You can take advantage of existing, documented, and predefined AD FS deployment goals that are
relevant to the AD FS designs and develop a working solution for your situation.
The following table lists the tasks for articulating, refining, and documenting your AD FS deployment goals.
Task: Evaluate predefined AD FS deployment goals that are provided in this section of the guide, and combine
one or more goals to reach your organizational objectives
Reference links:
- Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services
- Provide Your Active Directory Users Access to the Applications and Services of Other Organizations
- Provide Users in Another Organization Access to Your Claims-Aware Applications and Services

Task: Map one goal or a combination of any of the predefined AD FS deployment goals to an existing AD FS
design
Reference links:
- Mapping Your Deployment Goals to an AD FS Design
See Also
AD FS Design Guide in Windows Server 2012
Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services
3/5/2021 • 2 minutes to read
When you are an administrator in the account partner organization in an Active Directory Federation Services
(AD FS) deployment and you have a deployment goal to provide single-sign-on (SSO) access for employees on
the corporate network to your hosted resources:
Employees who are logged on to an Active Directory forest in the corporate network can use SSO to
access multiple applications or services in the perimeter network in your own organization. These
applications and services are secured by AD FS.
For example, Fabrikam may want corporate network employees to have federated access to Web-based
applications that are hosted in the perimeter network for Fabrikam.
Remote employees who are logged on to an Active Directory domain can obtain AD FS tokens from the
federation server in your organization to gain federated access to AD FS-secured Web-based applications
or services that also reside in your organization.
Information in the Active Directory attribute store can be populated into the employees' AD FS tokens.
The following components are required for this deployment goal:
Active Directory Domain Services (AD DS): AD DS contains the employees' user accounts that are
used to generate AD FS tokens. Information, such as group memberships and attributes, is populated into
AD FS tokens as group claims and custom claims.
NOTE
You can also use Lightweight Directory Access Protocol (LDAP) or Structured Query Language (SQL) to contain
the identities for AD FS token generation.
Corporate DNS: This implementation of Domain Name System (DNS) contains a simple host (A)
resource record so that intranet clients can locate the account federation server. This implementation of
DNS may also host other DNS records that are required in the corporate network. For more information,
see Name Resolution Requirements for Federation Servers.
Account partner federation server: This federation server is joined to a domain in the account
partner forest. It authenticates employee user accounts and generates AD FS tokens. The client computer
for the employee performs Windows Integrated Authentication against this federation server to generate
an AD FS token. For more information, see Review the Role of the Federation Server in the Account
Partner.
The account partner federation server can authenticate the following users:
Employees with user accounts in this domain
Employees with user accounts anywhere in this forest
Employees with user accounts anywhere in forests that are trusted by this forest (through a two-
way Windows trust)
Employee: An employee accesses a Web-based service (through an application) or a Web-based
application (through a supported Web browser) while he or she is logged on to the corporate network.
The employee's client computer on the corporate network communicates directly with the federation
server for authentication.
After reviewing the information in the linked topics, you can begin deploying this goal by following the steps in
Checklist: Implementing a Federated Web SSO Design.
The following illustration shows each of the required components for this AD FS deployment goal.
See Also
AD FS Design Guide in Windows Server 2012
Provide Your Active Directory Users Access to the Applications and Services of Other Organizations
3/5/2021 • 2 minutes to read
This Active Directory Federation Services (AD FS) deployment goal builds on the goal in Provide Your Active
Directory Users Access to Your Claims-Aware Applications and Services.
When you are an administrator in the account partner organization and you have a deployment goal to provide
federated access for employees to hosted resources in another organization:
Employees who are logged on to an Active Directory domain in the corporate network can use single-
sign-on (SSO) functionality to access multiple Web-based applications or services, which are secured by
AD FS, when the applications or services are in a different organization. For more information, see
Federated Web SSO Design.
For example, Fabrikam may want corporate network employees to have federated access to Web services
that are hosted in Contoso.
Remote employees who are logged on to an Active Directory domain can obtain AD FS tokens from the
federation server in your organization to gain federated access to AD FS–secured Web-based
applications or services that are hosted in another organization.
For example, Fabrikam may want its remote employees to have federated access to AD FS–secured
services that are hosted in Contoso, without requiring the Fabrikam employees to be on the Fabrikam
corporate network.
In addition to the foundational components that are described in Provide Your Active Directory Users Access to
Your Claims-Aware Applications and Services and that are shaded in the following illustration, the following
components are required for this deployment goal:
Account partner federation server proxy: Employees that access the federated service or application
from the Internet can use this AD FS component to perform authentication. By default, this component
performs forms authentication, but it can also perform basic authentication. You can also configure this
component to perform Secure Sockets Layer (SSL) client authentication if employees at your organization
have certificates to present. For more information, see Where to Place a Federation Server Proxy.
Perimeter DNS: This implementation of Domain Name System (DNS) provides the host names for the
perimeter network. For more information about how to configure perimeter DNS for a federation server
proxy, see Name Resolution Requirements for Federation Server Proxies.
Remote employee: The remote employee accesses a Web-based application (through a supported Web
browser) or a Web-based service (through an application), using valid credentials from the corporate
network, while the employee is offsite using the Internet. The employee's client computer in the remote
location communicates directly with the federation server proxy to generate a token and authenticate to
the application or service.
After reviewing the information in the linked topics, you can begin deploying this goal by following the steps in
Checklist: Implementing a Federated Web SSO Design.
The following illustration shows each of the required components for this AD FS deployment goal.
See Also
AD FS Design Guide in Windows Server 2012
Provide Users in Another Organization Access to Your Claims-Aware Applications and Services
3/5/2021 • 2 minutes to read
When you are an administrator in the resource partner organization in Active Directory Federation Services
(AD FS) and you have a deployment goal to provide federated access for users in another organization (the
account partner organization) to a claims-aware application or a Web-based service that is located in your
organization (the resource partner organization):
Federated users both in your organization and in organizations that have configured a federation trust to
your organization (account partner organizations) can access the AD FS-secured application or service
that is hosted by your organization. For more information, see Federated Web SSO Design.
For example, Fabrikam may want its corporate network employees to have federated access to Web
services that are hosted in Contoso.
Federated users who have no direct association with a trusted organization (such as individual
customers), who are logged on to an attribute store that is hosted in your perimeter network, can access
multiple AD FS-secured applications, which are also hosted in your perimeter network, by logging on one
time from client computers that are located on the Internet. In other words, when you host customer
accounts to enable access to applications or services in your perimeter network, customers that you host
in an attribute store can access one or more applications or services in the perimeter network simply by
logging on once. For more information, see Web SSO Design.
For example, Fabrikam may want its customers to have single-sign-on (SSO) access to multiple
applications or services that are hosted in its perimeter network.
The following components are required for this deployment goal:
Active Directory Domain Services (AD DS): The resource partner federation server must be joined
to an Active Directory domain.
Perimeter DNS: Domain Name System (DNS) should contain a simple host (A) resource record so that
client computers can locate the resource partner federation server and the Web server. The DNS server
may host other DNS records that are also required in the perimeter network. For more information, see
Name Resolution Requirements for Federation Servers.
Resource partner federation server: The resource partner federation server validates AD FS tokens
that the account partners send. Account partner discovery is performed through this federation server.
For more information, see Review the Role of the Federation Server in the Resource Partner.
Web server: The Web server can host either a Web application or a Web service. The Web server
confirms that it receives valid AD FS tokens from federated users before it allows access to the protected
Web application or Web service.
By using Windows Identity Foundation (WIF), you can develop your Web application or service so that it
accepts federated user logon requests that are made with any standard logon method, such as user name
and password.
After reviewing the information in the linked topics, you can begin deploying this goal by following the steps in
Checklist: Implementing a Federated Web SSO Design and Checklist: Implementing a Web SSO Design.
The following illustration shows each of the required components for this AD FS deployment goal.
See Also
AD FS Design Guide in Windows Server 2012
Mapping Your Deployment Goals to an AD FS Design
3/5/2021 • 2 minutes to read
After you finish reviewing the existing Active Directory Federation Services (AD FS) deployment goals and you
determine which goals are related to your deployment, you can map those goals to a specific AD FS design. For
more information about AD FS predefined deployment goals, see Identifying Your AD FS Deployment Goals.
Use the following table to determine which AD FS design maps to the appropriate combination of AD FS
deployment goals for your organization. This table refers only to the two primary AD FS designs, as described in
this guide. However, you can create a hybrid or custom AD FS design by using any combination of the AD FS
deployment goals to meet the needs of your organization.
Provide Your Active Directory Users Access to the Applications and Services of Other Organizations | No | Yes, optional in the account partner
See Also
AD FS Design Guide in Windows Server 2012
Web SSO Design
3/5/2021 • 2 minutes to read
In the Web Single-Sign-On (SSO) design in Active Directory Federation Services (AD FS), users must
authenticate only once to access multiple AD FS-secured applications or services. In this design all users are
external, and no federation trust exists because there are no partner organizations. Typically, you deploy this
design when you want to provide individual consumer or customer access to one or more AD FS–secured
services or applications over the Internet, as shown in the following illustration.
With the Web SSO design, an organization that typically hosts an AD FS-secured application or service in a
perimeter network can maintain a separate store of customer accounts in the perimeter network, which makes it
easier to isolate customer accounts from employee accounts.
You can manage the local accounts for customers in the perimeter network by using either Active Directory
Domain Services (AD DS), SQL Server, or a custom attribute store.
This design coincides with the deployment goal in Provide Your Active Directory Users Access to Your Claims-
Aware Applications and Services.
For a list of detailed tasks that you can use to plan and deploy your Web SSO design, see Checklist:
Implementing a Web SSO Design.
See Also
AD FS Design Guide in Windows Server 2012
Federated Web SSO Design
3/5/2021 • 2 minutes to read
The Federated Web Single-Sign-On (SSO) design in Active Directory Federation Services (AD FS) involves
secure communication that spans multiple firewalls, perimeter networks, and name-resolution servers—in
addition to the entire Internet routing infrastructure.
Typically, this design is used when two organizations agree to create a federation trust relationship to allow
users in one organization (the account partner organization) to access Web-based applications or services,
which are secured by AD FS, in the other organization (the resource partner organization).
In other words, a federation trust relationship is the embodiment of a business-level agreement or partnership
between two organizations. As shown in the following illustration, you can establish a federation trust
relationship between two businesses, which results in an end-to-end federation scenario.
The one-way arrow in the illustration signifies the direction of the federation trust, which—like the direction of
Windows trusts—always points to the account side of the forest. This means that authentication flows from the
account partner organization to the resource partner organization.
In this Federated Web SSO design, two federation servers (one in Fabrikam and the other in Contoso) route
authentication requests from user accounts in Fabrikam to Web-based applications or services in Contoso.
NOTE
For additional security, you can use federation server proxies to relay requests to federation servers that are not directly
accessible from the Internet.
In this example, Fabrikam is the identity, or account, provider. The Fabrikam portion of the Federated Web SSO
design uses the following AD FS deployment goal:
Provide Your Active Directory Users Access to the Applications and Services of Other Organizations
Contoso is the resource provider. The Contoso portion of the Federated Web SSO design achieves the following
AD FS deployment goals:
Provide Users in Another Organization Access to Your Claims-Aware Applications and Services
Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services
For a list of detailed tasks that you can use to plan and deploy the Federated Web SSO design, see Checklist:
Implementing a Federated Web SSO Design.
See Also
AD FS Design Guide in Windows Server 2012
Determine Your AD FS Deployment Topology
3/5/2021 • 2 minutes to read
The first step in planning a deployment of Active Directory Federation Services (AD FS) is to determine the right
deployment topology to meet the single sign-on (SSO) needs of your organization. The topics in this section
describe the various deployment topologies that you can use with AD FS. They also describe the benefits and
limitations associated with each deployment topology so that you can select the most appropriate topology for
your specific business needs.
Before you read this deployment topology topic, we recommend that you first complete the tasks in the order
shown in the following table.
Task: Review how AD FS data is stored and replicated to other federation servers in a federation server farm.
Description: Understand the purpose of and the replication methods that can be used for the underlying data
that is stored in the AD FS configuration database. This topic introduces the concepts of the configuration
database and describes the two database types: Windows Internal Database (WID) and Microsoft SQL Server.
Reference: The Role of the AD FS Configuration Database

Task: Select the type of AD FS configuration database that you will deploy in your organization.
Description: Review the various benefits and limitations that are associated with using either WID or SQL
Server as the AD FS configuration database, along with the various application scenarios that they support.
Reference: AD FS Deployment Topology Considerations
NOTE
To implement basic redundancy, load balancing, and the option to scale the Federation Service (if required), we
recommend that you deploy at least two federation servers per federation server farm for all production environments,
regardless of the type of database that you will use.
When you have reviewed the content in the previous table, proceed to the following topics in this section:
Stand-Alone Federation Server Using WID
Federation Server Farm Using WID
Federation Server Farm Using WID and Proxies
Federation Server Farm Using SQL Server
After you finish selecting your AD FS deployment topology, we recommend that you review the topic Planning
for AD FS Server Capacity to determine the recommended number of servers that you will need to deploy to
support this topology.
See Also
AD FS Design Guide in Windows Server 2012
AD FS Deployment Topology Considerations
6/17/2021 • 4 minutes to read
This topic describes important considerations to help you plan and design which Active Directory Federation
Services (AD FS) deployment topology to use in your production environment. This topic is a starting point for
reviewing and assessing considerations that affect what features or capabilities will be available to you after you
deploy AD FS. For example, the database type that you choose for the AD FS configuration database
determines whether you can implement certain Security Assertion Markup Language (SAML) features that
require SQL Server.
Feature: Federation server farm deployment
Supported by WID? Yes, with a limit of 30 federation servers for each farm
Supported by SQL Server? Yes. There is no enforced limit for the number of federation servers that you can
deploy in a single farm
More information about this feature: Determine Your AD FS Deployment Topology

Database features
See Also
AD FS Design Guide in Windows Server 2012
Stand-Alone Federation Server Using WID
3/5/2021 • 2 minutes to read
A stand-alone federation server in Active Directory Federation Services (AD FS) consists of a single server that
hosts a Federation Service configured to use the Windows Internal Database (WID). This AD FS topology is for
test labs. We do not recommend it for production environments because it has a limit of only one federation
server, and it cannot be used to scale up to more servers.
If you want to add additional federation servers to your test lab, you must rebuild the Federation Service from
scratch by deploying any of the other topologies mentioned later in this section. Therefore, we recommend that
you use this topology for a test lab or a proof-of-concept environment in your private testing network in which a
single federation server is adequate, as shown in the following illustration.
See Also
AD FS Design Guide in Windows Server 2012
Federation Server Farm Using WID
3/5/2021 • 3 minutes to read
The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the
Windows Internal Database (WID), that consists of up to five federation servers hosting your organization's
Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all
federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in
the configuration database across each server in the farm.
The act of creating the first federation server in a farm also creates a new Federation Service. When you use
WID for the AD FS configuration database, the first federation server that you create in the farm is referred to as
the primary federation server. This means that this computer is configured with a read/write copy of the AD FS
configuration database.
All other federation servers that you configure for this farm are referred to as secondary federation servers
because they must replicate any changes that are made on the primary federation server to the read-only
copies of the AD FS configuration database that they store locally.
NOTE
We recommend the use of at least two federation servers in a load-balanced configuration.
Deployment considerations
This section describes various considerations about the intended audience, benefits, and limitations that are
associated with this deployment topology.
Who should use this topology?
Organizations with 100 or fewer configured trust relationships that need to provide their internal users
(logged on to computers that are physically connected to the corporate network) with single sign-on
(SSO) access to federated applications or services
Organizations that want to provide their internal users with SSO access to Microsoft Online Services or
Microsoft Office 365
Smaller organizations that require redundant, scalable services
NOTE
Organizations with larger databases should consider using the Federation Server Farm Using SQL Server deployment
topology, which is described later in this section. Organizations with users who log in from outside the network should
consider using either the Federation Server Farm Using WID and Proxies topology or the Federation Server Farm Using
SQL Server topology.
NOTE
This cluster DNS name must match the Federation Service name, for example, fs.fabrikam.com.
The NLB host can use the settings that are defined in this NLB cluster to allocate client requests to the individual
federation servers. The following illustration shows how the fictional Fabrikam, Inc., company sets up the first
phase of its deployment using a two-computer federation server farm (fs1 and fs2) with WID and the
positioning of a DNS server and a single NLB host that is wired to the corporate network.
NOTE
If there is a failure on this single NLB host, users will not be able to access federated applications or services. Add
additional NLB hosts if your business requirements do not allow having a single point of failure.
For more information about how to configure your networking environment for use with federation servers, see
Name Resolution Requirements for Federation Servers in the AD FS Design Guide.
See Also
AD FS Design Guide in Windows Server 2012
Federation Server Farm Using WID and Proxies
3/5/2021 • 2 minutes to read
This deployment topology for Active Directory Federation Services (AD FS) is identical to the federation server
farm with Windows Internal Database (WID) topology, but it adds federation server proxies to the perimeter
network to support external users. The federation server proxies redirect client authentication requests that
come from outside your corporate network to the federation server farm.
Deployment considerations
This section describes various considerations about the intended audience, benefits, and limitations that are
associated with this deployment topology.
Who should use this topology?
Organizations with 100 or fewer configured trust relationships that need to provide both their internal
users and external users (who are logged on to computers that are physically located outside the
corporate network) with single sign-on (SSO) access to federated applications or services
Organizations that need to provide both their internal users and external users with SSO access to
Microsoft Office 365
Smaller organizations that have external users and require redundant, scalable services
What are the benefits of using this topology?
The same benefits as listed for the Federation Server Farm Using WID topology, plus the benefit of providing
additional access for external users
What are the limitations of using this topology?
The same limitations as listed for the Federation Server Farm Using WID topology
See Also
AD FS Design Guide in Windows Server 2012
Federation Server Farm Using SQL Server
6/17/2021 • 2 minutes to read
This topology for Active Directory Federation Services (AD FS) differs from the federation server farm using
Windows Internal Database (WID) deployment topology in that it does not replicate the data to each federation
server in the farm. Instead, all federation servers in the farm can read and write data into a common database
that is stored on a server running Microsoft SQL Server that is located in the corporate network.
Deployment considerations
This section describes various considerations about the intended audience, benefits, and limitations that are
associated with this deployment topology.
Who should use this topology?
Large organizations with more than 100 trust relationships that need to provide both their internal users
and external users with single sign-on (SSO) access to federated application or services
Organizations that already use SQL Server and want to take advantage of their existing tools and
expertise
What are the benefits of using this topology?
Support for larger numbers of trust relationships (more than 100)
Support for token replay detection (a security feature) and artifact resolution (part of the Security
Assertion Markup Language (SAML) 2.0 protocol)
Support for the full benefits of SQL Server, such as database mirroring, failover clustering, reporting, and
management tools
What are the limitations of using this topology?
This topology does not provide database redundancy by default. Although a federation server farm with WID
topology automatically replicates the WID database on each federation server in the farm, the federation
server farm with SQL Server topology contains only one copy of the database
NOTE
SQL Server supports many different data and application redundancy options including failover clustering, database
mirroring, and several different types of SQL Server replication.
The Microsoft Information Technology (IT) department uses SQL Server database mirroring in high-safety
(synchronous) mode and failover clustering to provide high-availability support for the SQL Server instance.
SQL Server transactional (peer-to-peer) and merge replication have not been tested by the AD FS product team
at Microsoft. For more information about SQL Server, see High Availability Solutions Overview or Selecting the
Appropriate Type of Replication.
Supported SQL Server Versions
The following SQL Server versions are supported with AD FS installed with Windows Server 2012:
SQL Server 2008 / R2
SQL Server 2012
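As an added example (not part of the design guide), the following PowerShell creates a SQL Server-backed farm with the AD FS cmdlets that ship with Windows Server 2012 R2 and later (Windows Server 2012 itself used Fsconfig.exe for this), and then reads back the settings behind the two SQL-only features listed above, artifact resolution and token replay detection. The host names, the group managed service account, the certificate thumbprint and the relying party names are assumed placeholders.

```powershell
# Added example, not from the AD FS Design Guide. Assumed values below are placeholders.
$fsName     = 'fs.contoso.com'                                              # Federation Service (cluster DNS) name
$sqlConn    = 'Data Source=sql1.corp.contoso.com;Integrated Security=True'  # Windows auth only: no SQL login, no password in config
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'                    # service communications (SSL) cert, assumed
$gmsa       = 'CORP\svc-adfs$'                                              # group managed service account, assumed

# First federation server: the AdfsConfiguration and AdfsArtifactStore databases are created
# on the SQL instance instead of in a local Windows Internal Database.
Install-AdfsFarm -CertificateThumbprint $thumbprint `
                 -FederationServiceName $fsName `
                 -GroupServiceAccountIdentifier $gmsa `
                 -SQLConnectionString $sqlConn `
                 -OverwriteConfiguration

# Every additional node points at the same database. There is no primary/secondary split in a
# SQL farm; all nodes read and write the shared configuration. Run this on each extra node:
# Add-AdfsFarmNode -CertificateThumbprint $thumbprint -GroupServiceAccountIdentifier $gmsa -SQLConnectionString $sqlConn

# Read-back check. ArtifactDbConnection is where SAML artifacts are resolved from, and
# PreventTokenReplays is the switch behind the token replay detection this topology enables.
$p = Get-AdfsProperties
[pscustomobject]@{
    FederationServiceName  = $p.HostName
    ArtifactDbConnection   = $p.ArtifactDbConnection          # should point at the SQL instance, not np:\\.\pipe\microsoft##wid
    PreventTokenReplays    = $p.PreventTokenReplays
    ReplayCacheExpiration  = $p.ReplayCacheExpirationInterval
}
```

The connection string deliberately uses Integrated Security; a SQL login in the AD FS configuration would contradict the "Avoid using SQL-based authentication" guidance later on this page.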
Server placement and network layout recommendations
Similar to the federation server farm with WID topology, all of the federation servers in the farm are configured
to use one cluster Domain Name System (DNS) name (which represents the Federation Service name) and one
cluster IP address as part of the Network Load Balancing (NLB) cluster configuration. This helps the NLB host
allocate client requests to the individual federation servers. Federation server proxies can be used to proxy client
requests to the federation server farm.
The following illustration shows how the fictional Contoso Pharmaceuticals company deployed its federation
server farm with SQL Server topology in the corporate network. It also shows how that company configured the
perimeter network with access to a DNS server, an additional NLB host that uses the same cluster DNS name
(fs.contoso.com) that is used on the corporate network NLB cluster, and with two federation server proxies (fsp1
and fsp2).
For more information about how to configure your networking environment for use with federation servers or
federation server proxies, see either Name Resolution Requirements for Federation Servers or Name Resolution
Requirements for Federation Server Proxies.
See Also
AD FS Design Guide in Windows Server 2012
Planning Your Deployment
3/5/2021
When you plan for cross-organizational (federation-based) collaboration using Active Directory Federation
Services (AD FS), first determine if your organization will host a Web resource to be accessed by other
organizations across the Internet or if you will provide access to the Web resource for employees in your
organization. This determination affects how you deploy AD FS, and it is fundamental in the planning of your AD
FS infrastructure.
NOTE
Make sure that the role that each organization plays in the federation agreement is clearly understood by all parties.
For the Federated Web SSO Design, AD FS uses terms such as account partner (also referred to as identity
provider in the AD FS Management snap-in) and resource partner (also referred to as relying party in the AD FS
Management snap-in) to help differentiate the organization that hosts the accounts (the account partner) from
the organization that hosts the Web-based resources (the resource partner).
In the Web SSO Design, the organization acts in both the account partner and resource partner roles because it
is providing its users with access to its applications.
The following topics explain some of the AD FS partner organization concepts. They also contain links to topics
in the AD FS Deployment Guide that contain information about setting up and configuring account partner
organizations and resource partner organizations based on your AD FS deployment goals.
In this section
Best Practices for Secure Planning and Deployment of AD FS
Planning for Interoperability with AD FS 1.x
When to Use Identity Delegation
Deploying AD FS in the Account Partner Organization
Deploying AD FS in the Resource Partner Organization
See Also
AD FS Design Guide in Windows Server 2012
Using AD DS Claims with AD FS
3/5/2021
You can enable richer access control for federated applications by using Active Directory Domain Services (AD
DS)-issued user and device claims together with Active Directory Federation Services (AD FS).
1. An AD DS administrator uses the Active Directory Administrative Center console or PowerShell cmdlets
to enable specific claim type objects in the AD DS schema.
2. An AD FS administrator uses the AD FS Management console to create and configure the claims provider
and relying party trusts with either pass-through or transform claim rules.
3. A Windows client attempts to access the network. As part of the Kerberos authentication process, the
client presents its user and computer ticket-granting ticket (TGT) which does not yet contain any claims, to
the domain controller. The domain controller then looks in AD DS for enabled claim types, and includes
any resulting claims in the returned Kerberos ticket.
4. When the user/client attempts to access a file resource whose access control list (ACL) requires the claims,
access is granted because the compound identity surfaced from Kerberos carries those claims.
5. When the same client attempts to access a Web site or Web application that is configured for AD FS
authentication, the user is redirected to an AD FS federation server that is configured for Windows
integrated authentication. The client sends a request to the domain controller using Kerberos. The domain
controller issues a Kerberos ticket containing the requested claims which the client can then present to
the federation server.
6. Based on the way the claims rules have been configured on the claims provider and relying party trusts
that the administrator configured previously, AD FS reads the claims from the Kerberos ticket and
includes them in a SAML token that it issues for the client.
7. The client receives the SAML token containing the correct claims and is then redirected to the website.
For more information about how to create the claim rules required for AD DS issued claims to work with AD FS,
see Create a Rule to Transform an Incoming Claim.
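Steps 1 and 2 of the procedure above, written out as an added PowerShell example (this is not code from the guide). The "Department" claim type, the relying party name and the outgoing claim URI are assumed; the assumption that the claim type's ID (of the form ad://ext/Department:<hex>) is exactly the claim Type that AD FS sees in the Kerberos ticket is the editor's, so confirm it against an actual token before relying on it.

```powershell
# Added example, not from the AD FS Design Guide. Names below are placeholders.
Import-Module ActiveDirectory

# Step 1 (AD DS administrator): create and enable a claim type sourced from the
# 'department' attribute. The KDC only stamps claims into Kerberos tickets once the
# claim type is enabled and the "KDC support for claims, compound authentication and
# Kerberos armoring" policy is on for the domain controllers (a prerequisite the guide
# does not spell out).
$ct = New-ADClaimType -DisplayName 'Department' `
                      -SourceAttribute 'department' `
                      -Enabled $true `
                      -PassThru
$kerberosClaimType = $ct.ID   # assumed to be the Type AD FS sees for the Kerberos-sourced claim

# Step 2 (AD FS administrator): pass the Kerberos claim through the built-in
# "Active Directory" claims provider trust. Append to the existing acceptance rules;
# Set-AdfsClaimsProviderTrust replaces the whole rule set.
$cpt = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
$passThrough = @"
@RuleName = "Pass through AD DS Department claim"
c:[Type == "$kerberosClaimType"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + "`n" + $passThrough)

# Transform it into the URI the relying party expects (the "Create a Rule to Transform an
# Incoming Claim" step), again appended rather than replacing that trust's issuance rules.
$rpName = 'Contoso HR Portal'                                   # assumed relying party
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$transform = @"
@RuleName = "Department for HR portal"
c:[Type == "$kerberosClaimType"]
 => issue(Type = "http://schemas.contoso.com/claims/department", Value = c.Value);
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $transform)

# Verification: both trusts should now mention the claim type exactly once.
(Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules -match [regex]::Escape($kerberosClaimType)
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules -match [regex]::Escape($kerberosClaimType)
```

Because AD DS claims only reach AD FS when the user authenticates with Windows Integrated Authentication at the federation server (step 5 above), users who sign in through a federation server proxy with forms-based authentication will not carry them; design the relying party rules so that a missing claim denies rather than defaults.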
See Also
AD FS Design Guide in Windows Server 2012
Best Practices for Secure Planning and Deployment
of AD FS
6/17/2021
This topic provides best-practice information to help you plan and evaluate security when you design your
Active Directory Federation Services (AD FS) deployment. This topic is a starting point for reviewing and
assessing considerations that affect the overall security of your use of AD FS. The information in this topic is
meant to complement and extend your existing security planning and other design best practices.
Table: AD FS configuration database type; AD FS server role; the following command used at a command prompt (table body not present)
For more information about the databases that you can use with AD FS, see The Role of the AD FS
Configuration Database.
Use token replay detection in situations in which security is a very important concern, for
example, when kiosks are used. Token replay detection is a feature of AD FS that ensures that any
attempt to replay a token request that is made to the Federation Service is detected and the request is
discarded. Token replay detection is enabled by default. It works for both the WS-Federation passive
profile and the Security Assertion Markup Language (SAML) WebSSO profile by ensuring that the same
token is never used more than once. As noted under Federation Server Farm Using SQL Server, this feature
depends on the SQL Server configuration database; it is not available in a farm that uses WID.
When the Federation Service starts, it begins to build a cache of any token requests that it fulfills. Over
time, as subsequent token requests are added to the cache, the ability to detect any attempts to replay a
token request multiple times increases for the Federation Service. If you disable token replay detection
and later choose to enable it again, remember that the Federation Service will still accept tokens that
may have been used previously, until the replay cache has had enough time to rebuild its contents.
For more information, see The Role of the AD FS Configuration Database.
Use token encryption, especially if you are supporting SAML artifact resolution.
Encryption of tokens is strongly advised to increase security and protection against potential man-in-the-
middle (MITM) attacks that might be tried against your AD FS deployment. Using encryption might
have a slight impact on throughput, but in general it is not noticeable, and in many
deployments the benefits of greater security exceed any cost in terms of server performance.
To enable token encryption, first add an encryption certificate for your relying party trusts. You can
configure an encryption certificate either when creating a relying party trust or later. To add an
encryption certificate later to an existing relying party trust, you can set a certificate for use on the
Encryption tab within trust properties while using the AD FS snap-in. To specify a certificate for an
existing trust using the AD FS cmdlets, use the EncryptionCertificate parameter of either the
Set-AdfsClaimsProviderTrust or Set-AdfsRelyingPartyTrust cmdlet. To set a certificate for the Federation Service
to use when decrypting tokens, use the Set-AdfsCertificate cmdlet and specify "Token-Decrypting" for
the CertificateType parameter. Enabling and disabling encryption for a specific relying party trust can be
done by using the EncryptClaims parameter of the Set-AdfsRelyingPartyTrust cmdlet.
Utilize extended protection for authentication
To help secure your deployments, you can set and use the extended protection for authentication feature
with AD FS. This setting specifies the level of extended protection for authentication supported by a
federation server.
Extended protection for authentication helps protect against man-in-the-middle (MITM) attacks, in which
an attacker intercepts client credentials and forwards them to a server. Protection against such attacks is
made possible through a Channel Binding Token (CBT) which can be either required, allowed, or not
required by the server when it establishes communications with clients.
To enable the extended protection feature, use the ExtendedProtectionTokenCheck parameter on the
Set-AdfsProperties cmdlet. The parameter accepts three values, Require, Allow, and None, which
correspond to the required, allowed, and not-required levels described above; Require gives the
strongest protection and should be used unless a client that cannot supply a CBT must be supported.
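The token replay, token encryption and extended protection settings covered in the three items above, applied with the AD FS cmdlets and then read back. This is an added example, not code from the guide; the relying party name, the path to its public encryption certificate and the cache interval are assumed.

```powershell
# Added example, not from the AD FS Design Guide. Names and paths below are placeholders.

# 1. Token replay detection. Needs the SQL Server configuration database (see the
#    "Federation Server Farm Using SQL Server" topology). Re-enabling it after it was off
#    does not retroactively cover tokens issued while the cache was empty.
Set-AdfsProperties -PreventTokenReplays $true `
                   -ReplayCacheExpirationInterval (New-TimeSpan -Minutes 60)

# 2. Token encryption for one relying party. The relying party's public certificate encrypts
#    the tokens AD FS issues to it; the Federation Service's own Token-Decrypting certificate
#    is what AD FS uses to decrypt tokens that claims providers send to it.
$rpName = 'Contoso HR Portal'                                    # assumed relying party
$rpCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            'C:\certs\hr-portal-encryption.cer'                  # public key only, assumed path
Set-AdfsRelyingPartyTrust -TargetName $rpName `
                          -EncryptionCertificate $rpCert `
                          -EncryptClaims $true
Get-AdfsCertificate -CertificateType Token-Decrypting |
    Select-Object Thumbprint, IsPrimary, @{n='NotAfter'; e={ $_.Certificate.NotAfter }}

# 3. Extended protection for authentication: Require, Allow, or None.
Set-AdfsProperties -ExtendedProtectionTokenCheck Require

# Read-back check. Anything $false or None here is a finding.
$p  = Get-AdfsProperties
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
[pscustomobject]@{
    PreventTokenReplays     = $p.PreventTokenReplays
    ReplayCacheExpiration   = $p.ReplayCacheExpirationInterval
    ExtendedProtection      = $p.ExtendedProtectionTokenCheck
    RPEncryptClaims         = $rp.EncryptClaims
    RPEncryptionCertSubject = $rp.EncryptionCertificate.Subject
    RPEncryptionCertExpires = $rp.EncryptionCertificate.NotAfter    # expiry here silently breaks token issuance for this RP
}
```

The final object is the thing to keep in a change record: EncryptClaims can be $true while the certificate has expired, which is why the certificate's NotAfter is surfaced next to the flag.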
If you are using logging and tracing, ensure the privacy of any sensitive information.
AD FS does not, by default, expose or track personally identifiable information (PII) directly as part of the
Federation Service or normal operations. When event logging and debug trace logging are enabled in AD
FS, however, depending on the claims policy that you configure some claims types and their associated
values might contain PII that might be logged in the AD FS event or tracing logs.
Therefore, enforcing access control on the AD FS configuration and its log files is strongly advised. If you
do not want this kind of information to be visible, you should disable logging, or filter out any PII or
sensitive data in your logs before you share them with others.
The following tips can help you prevent the content of a log file from being exposed unintentionally:
Ensure that the AD FS event log and trace log files are protected by access control lists (ACL) that
limit access to only those trusted administrators who require access to them.
Do not copy or archive log files using file extensions or paths that can be easily served using a
Web request. For example, the .xml file name extension is not a safe choice. You can check the
Internet Information Services (IIS) administration guide to see a list of extensions that can be
served.
If you revise the path to the log file, be sure to specify an absolute path for the log file location,
which should be outside of the Web host virtual root (vroot) public directory to prevent it from
being accessed by an external party using a Web browser.
AD FS Extranet Soft Lockout and AD FS Extranet Smart Lockout Protection
In case of an attack in the form of authentication requests with invalid (bad) passwords that come through
the Web Application Proxy, AD FS extranet lockout enables you to protect your users from an AD DS
account lockout. In addition to protecting your users from an AD DS account lockout, AD FS extranet
lockout also protects against brute force password guessing attacks, because AD FS stops forwarding
bad passwords to the domain controller once its own, lower, threshold is reached.
For Extranet Soft Lockout for AD FS on Windows Server 2012 R2 see AD FS Extranet Soft Lockout
Protection.
For Extranet Smart Lockout for AD FS on Windows Server 2016 see AD FS Extranet Smart Lockout
Protection.
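An added PowerShell example (not from the guide) that turns on extranet lockout on both server versions named above and checks the one relationship that makes it work: the AD FS threshold has to sit below the AD DS account lockout threshold, otherwise the domain controller locks the account before AD FS stops forwarding guesses. The threshold and window values are assumed; the ExtranetLockoutMode parameter exists only on Windows Server 2016 (with the smart lockout update) and later, so the 2012 R2 and 2016 blocks are not meant to be run together on one server.

```powershell
# Added example, not from the AD FS Design Guide. Threshold/window values are assumed.
Import-Module ActiveDirectory

$adfsThreshold = 10
$adThreshold   = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold   # 0 means AD DS never locks
if ($adThreshold -ne 0 -and $adfsThreshold -ge $adThreshold) {
    throw "AD FS threshold ($adfsThreshold) must be below the AD DS lockout threshold ($adThreshold); otherwise AD DS locks the account first"
}

# Windows Server 2012 R2: extranet soft lockout. Counts bad passwords per user that arrive
# through the Web Application Proxy and stops forwarding them to AD DS at the threshold
# for the length of the observation window.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold $adfsThreshold `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# Windows Server 2016: extranet smart lockout. Start in log-only mode so AD FS learns each
# user's familiar locations, then switch to enforcement; in enforce mode guesses from
# unfamiliar locations are locked out without locking the user out from familiar ones.
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutMode ADFSSmartLockoutLogOnly
# After the learning period:
# Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce

# Read-back check.
Get-AdfsProperties |
    Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow, ExtranetLockoutMode

# Per-user state (2016 smart lockout only): bad password counts and familiar locations.
# Get-ADFSAccountActivity -Identity 'alice@contoso.com'
```

Extranet lockout only counts requests that come through the Web Application Proxy (or federation server proxy); password spraying aimed directly at an internal federation server is still subject only to the AD DS policy.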
NOTE
These recommendations are meant to extend, but not replace, SQL Server product security guidance. For more
information about planning a secure SQL Server installation, see Security Considerations for a Secure SQL Installation
(https://go.microsoft.com/fwlink/?LinkID=139831).
Always deploy SQL Server behind a firewall in a physically secure network environment.
A SQL Server installation should never be exposed directly to the Internet. Only computers that are inside
your datacenter should be able to reach your SQL server installation that supports AD FS. For more
information, see Security Best Practices Checklist (https://go.microsoft.com/fwlink/?LinkID=189229).
Run SQL Server under a service account instead of using the built-in default system service
accounts.
By default, SQL Server is often installed and configured to use one of the supported built-in system
accounts, such as the LocalSystem or NetworkService accounts. To enhance the security of your
SQL Server installation for AD FS, wherever possible use a separate service account for the
SQL Server service and enable Kerberos authentication by registering the service principal name (SPN)
of this account in your Active Directory deployment. This enables mutual authentication between client
and server. Without SPN registration of a separate service account, SQL Server will use NTLM for
Windows-based authentication, where only the client is authenticated.
Minimize the surface area of SQL Server.
Enable only those SQL Server endpoints that are necessary. By default, SQL Server provides a single
built-in TCP endpoint that cannot be removed. For AD FS, you should enable this TCP endpoint for
Kerberos authentication. To review the current TCP endpoints to see if additional user-defined TCP ports
are added to a SQL installation, you can use the "SELECT * FROM sys.tcp_endpoints" query statement in a
Transact-SQL (T-SQL) session. For more information about SQL Server endpoint configuration, see How
To: Configure the Database Engine to Listen on Multiple TCP Ports (https://go.microsoft.com/fwlink/?
LinkID=189231).
Avoid using SQL-based authentication.
To avoid having to transfer passwords as clear text over your network or storing passwords in
configuration settings, use Windows authentication only with your SQL Server installation. SQL Server
authentication is a legacy authentication mode. Storing Structured Query Language (SQL) login
credentials (SQL user names and passwords) when you are using SQL Server authentication is not
recommended. For more information, see Authentication Modes (https://go.microsoft.com/fwlink/?
LinkID=189232).
Evaluate the need for additional channel security in your SQL installation carefully.
Even with Kerberos authentication in effect, the SQL Server Security Support Provider Interface (SSPI)
does not provide channel-level security. However, for installations in which servers are securely located
on a firewall-protected network, encrypting SQL communications may not be necessary.
Although encryption is a valuable tool to help ensure security, it should not be considered for all data or
connections. When you are deciding whether to implement encryption, consider how users will access
data. If users access data over a public network, data encryption might be required to increase security.
However, if all access of SQL data by AD FS involves a secure intranet configuration, encryption might not
be required. Any use of encryption should also include a maintenance strategy for passwords, keys, and
certificates.
If there is a concern that any SQL data might be seen or tampered with over your network, use Internet
Protocol security (IPsec) or Transport Layer Security (TLS, historically called SSL) to help secure your SQL
connections. However, this might have a negative effect on SQL Server performance, which might affect or
limit AD FS performance in some situations. For example, AD FS performance in token issuance might degrade
when attribute lookups from a SQL-based attribute store are critical for token issuance. You can further
reduce a SQL tampering threat by having a strong perimeter security configuration. For example, a better
solution for securing your SQL Server installation is to ensure that it remains inaccessible for Internet
users and computers and that it remains accessible only by users or computers within your datacenter
environment.
For more information, see Encrypting Connections to SQL Server or SQL Server Encryption.
Configure securely designed access by using stored procedures to perform all SQL-based
lookups by AD FS of SQL-stored data.
To provide better service and data isolation, you can create stored procedures for all attribute store
lookup commands. You can create a database role to which you then grant permission to run the stored
procedures. Assign the service identity of the AD FS Windows service to this database role. The AD FS
Windows service should not be able to run any other SQL statement, other than the appropriate stored
procedures that are used for attribute lookup. Locking down access to the SQL Server database in this
way reduces the risk of an elevation-of-privilege attack.
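The stored-procedure pattern above, plus the endpoint review and Windows-only authentication recommended earlier in this section, as one added example (not code from the guide). It creates the procedure and a database role that can execute nothing else, maps the AD FS service identity into that role, registers the database as an AD FS attribute store over Windows authentication, and issues a claim through the procedure. The SQL instance, database, table, column, gMSA and claim names are assumed; the query syntax for calling a stored procedure from the SQL attribute store (EXEC with a {0} placeholder) is the editor's assumption about the store's parameter substitution. Requires the SqlServer (or SQLPS) module for Invoke-Sqlcmd.

```powershell
# Added example, not from the AD FS Design Guide. Names below are placeholders.
$sqlInstance = 'sql1.corp.contoso.com'
$database    = 'HRAttributes'
$gmsa        = 'CORP\svc-adfs$'            # AD FS service identity (assumed gMSA)
$rpName      = 'Contoso HR Portal'         # assumed relying party

# Surface-area check from "Minimize the surface area": anything beyond the default TSQL endpoint is a finding.
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query 'SELECT name, port, state_desc FROM sys.tcp_endpoints' |
    Format-Table -AutoSize

# Least-privilege lookup path. Written for SQL Server 2008 R2/2012 compatibility (sp_addrolemember).
$tsql = @"
USE [$database];
IF OBJECT_ID('dbo.usp_GetDepartment', 'P') IS NOT NULL DROP PROCEDURE dbo.usp_GetDepartment;
GO
-- The only code path AD FS may use. Parameterised, so the claim value never becomes SQL text.
CREATE PROCEDURE dbo.usp_GetDepartment @upn nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT department FROM dbo.Employees WHERE upn = @upn;
END;
GO
-- A role that may execute the procedure and nothing else (no SELECT on the table).
IF DATABASE_PRINCIPAL_ID('adfs_lookup') IS NULL CREATE ROLE adfs_lookup;
GRANT EXECUTE ON dbo.usp_GetDepartment TO adfs_lookup;
-- Windows login for the AD FS service identity, mapped into the role. No SQL login anywhere.
IF SUSER_ID('$gmsa') IS NULL CREATE LOGIN [$gmsa] FROM WINDOWS;
IF DATABASE_PRINCIPAL_ID('$gmsa') IS NULL CREATE USER [$gmsa] FOR LOGIN [$gmsa];
EXEC sp_addrolemember 'adfs_lookup', '$gmsa';
GO
-- Negative check, run as the service identity: expect CanSelectTable = 0 and CanExecProc = 1.
EXECUTE AS LOGIN = '$gmsa';
SELECT HAS_PERMS_BY_NAME('dbo.Employees', 'OBJECT', 'SELECT')           AS CanSelectTable,
       HAS_PERMS_BY_NAME('dbo.usp_GetDepartment', 'OBJECT', 'EXECUTE') AS CanExecProc;
REVERT;
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $tsql | Format-Table -AutoSize

# Register the store. Integrated Security keeps passwords out of the AD FS configuration;
# Encrypt=True is the channel-security choice discussed above and needs a trusted server certificate.
Add-AdfsAttributeStore -Name 'HRStore' -StoreType SQL -Configuration @{
    'ConnectionString' = "Server=$sqlInstance;Database=$database;Integrated Security=SSPI;Encrypt=True"
}

# Issue the department claim through the procedure only; {0} is bound to the UPN as a parameter.
$rule = @'
@RuleName = "Department from HR store (stored procedure only)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "HRStore",
          types = ("http://schemas.contoso.com/claims/department"),
          query = "EXEC dbo.usp_GetDepartment @upn = {0}",
          param = c.Value);
'@
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $rule)
```

The EXECUTE AS block is the part worth keeping as a recurring check: if someone later grants db_datareader to the service account "to fix a lookup", CanSelectTable flips to 1 and the isolation the page describes is gone.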
See Also
AD FS Design Guide in Windows Server 2012
Planning for Interoperability with AD FS 1.x
3/5/2021
Active Directory Federation Services (AD FS) federation servers running Windows Server® 2012 can
interoperate with both an AD FS 1.0 (installed with Windows Server 2003 R2) Federation Service and an AD FS
1.1 (installed with Windows Server 2008 or Windows Server 2008 R2) Federation Service. Any of the following
interoperability combinations are supported:
Any AD FS 1.x Federation Service can send a claim that can be consumed by an AD FS Federation Service
in Windows Server 2012 . For more information, see Checklist: Configuring AD FS to Consume Claims
from AD FS 1.x.
Any AD FS Federation Service in Windows Server 2012 can send an AD FS 1.x-compatible claim that can
be consumed by an AD FS 1.x Federation Service. For more information, see Checklist: Configuring AD FS
to Send Claims to an AD FS 1.x Federation Service.
Any AD FS Federation Service in Windows Server 2012 can send an AD FS 1.x-compatible claim that can
be consumed by one or more Web servers running the AD FS 1.x claims-aware Web agent. For more
information, see Checklist: Configuring AD FS to Send Claims to an AD FS 1.x Claims-Aware Web Agent.
NOTE
AD FS does not support or interoperate with the AD FS 1.x Windows NT token–based Web agent.
An AD FS 1.x-compatible claim is a claim that can be sent by an AD FS Federation Service in Windows Server
2012 and understood by an AD FS 1.x Federation Service. So that an AD FS 1.x Federation Service can consume
the claims that an AD FS Federation Service sends, a Name Identifier (ID) claim type must be sent.
Table of AD FS 1.x-compatible claim types (only one row survives here): Group, http://schemas.xmlsoap.org/claims/Group
Only one Name ID claim in the appropriate format must be sent. When that criterion is satisfied, many other
claims may be sent as well, assuming that they conform to the restrictions described in the table.
NOTE
An AD FS 1.x Federation Service can interpret only incoming claim types that begin with the Uniform Resource Identifier
(URI) of http://schemas.xmlsoap.org/claims/.
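Issuance rules that satisfy the two constraints above, exactly one Name ID claim and only claim types under http://schemas.xmlsoap.org/claims/, as an added PowerShell example that is not part of the guide. The relying party name is assumed; the Name ID "format" claim property and the http://schemas.xmlsoap.org/claims/UPN value are what the built-in "Send AD FS 1.x compatible" name ID option in the AD FS snap-in emits, to the best of the editor's knowledge, and should be checked against a rule generated by the snap-in on your own server.

```powershell
# Added example, not from the AD FS Design Guide. Trust name is a placeholder.
$rpName = 'Fabrikam AD FS 1.x Federation Service'

$rules = @'
@RuleName = "AD FS 1.x Name ID (UPN form)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");

@RuleName = "AD FS 1.x Group claims from token groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/Group"),
          query = ";tokenGroups;{0}",
          param = c.Value);
'@

# Guard the "only one Name ID" constraint before writing the rules: a second
# nameidentifier rule (for example an e-mail form added later) breaks the 1.x consumer.
$nameIdRules = ([regex]::Matches($rules, 'claims/nameidentifier')).Count
if ($nameIdRules -ne 1) { throw "Expected exactly one Name ID rule, found $nameIdRules" }

# Guard the URI constraint: every issued Type must start with http://schemas.xmlsoap.org/claims/
# (the nameidentifier type itself is the one exception, since it carries the format property).
$issuedTypes = [regex]::Matches($rules, 'issue\(Type = "([^"]+)"|types = \("([^"]+)"\)') |
    ForEach-Object { if ($_.Groups[1].Value) { $_.Groups[1].Value } else { $_.Groups[2].Value } }
$bad = $issuedTypes | Where-Object { $_ -notlike 'http://schemas.xmlsoap.org/claims/*' -and $_ -notlike '*claims/nameidentifier' }
if ($bad) { throw "Claim types an AD FS 1.x Federation Service cannot interpret: $($bad -join ', ')" }

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The two guards are cheap and catch the two failure modes this page describes; they are string checks on the rule text, not a substitute for testing the token against the 1.x Federation Service.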
See Also
AD FS Design Guide in Windows Server 2012
When to Use Identity Delegation
3/5/2021
Because the original request was made to the Web server itself, which is likely to be located in a completely
different organization from the organization of the user who is attempting to access the Web server, the security
token that is sent along with the request does not meet the authorization criteria required to access any other
computer besides the Web server. Therefore, the only way that the originating user request can be fulfilled is by
placing an intermediate federation server in the resource partner organization to help with reissuing a security
token that does have the appropriate access privileges.
See Also
AD FS Design Guide in Windows Server 2012
Deploying AD FS in the Account Partner
Organization
3/5/2021
An account partner in Active Directory Federation Services (AD FS) represents the organization in the federation
trust relationship that physically stores user accounts in a supported attribute store. For more information about
which attribute stores are supported, see The Role of Attribute Stores.
The federation server in the account partner organization authenticates local users and creates security tokens
that are used by the resource partner in making authorization decisions. Relying parties such as Web sites and
Web services are then able to easily register themselves with the federation server and consume issued tokens
for authentication and access control.
In scenarios in which you need to provide your users with access to multiple federated applications or services
—when each application or service is hosted by a different organization—you can configure the account partner
federation server so that you can deploy multiple relying parties.
For more information about how to set up and configure an account partner organization, see Checklist:
Configuring the Account Partner Organization.
In this section
Review the Role of the Federation Server in the Account Partner
Review the Role of the Federation Server Proxy in the Account Partner
Prepare Client Computers in the Account Partner
See Also
AD FS Design Guide in Windows Server 2012
Review the Role of the Federation Server in the
Account Partner
3/5/2021
A federation server in Active Directory Federation Services (AD FS) functions as a security token issuer. A
federation server generates claims based on account values that reside in a local attribute store and packages
them into security tokens so that users can seamlessly access Web-browser-based applications (using single
sign-on (SSO)) that are hosted in a resource partner organization.
NOTE
When your users access federated applications by using a Web browser, a federation server automatically issues cookies
to the users to maintain their logon status for that Web-browser-based application. These cookies include claims for the
users. The cookies enable SSO capabilities so that the users do not have to enter credentials each time that they visit
different Web-browser-based applications in the resource partner.
In the Web SSO design, organizations with a perimeter network that want Internet users to have access to
applications must install a federation server proxy in the perimeter network. In the Federated Web SSO design,
there must be at least one federation server installed in the corporate network of the account partner
organization and at least one federation server installed in the corporate network of the resource partner
organization.
NOTE
Before you can set up a federation server computer in the account partner organization, you must first join the computer
to any domain in the Active Directory forest where the federation server will be used to authenticate users from that
forest. For more information, see Checklist: Setting Up a Federation Server.
See Also
AD FS Design Guide in Windows Server 2012
Review the Role of the Federation Server Proxy in
the Account Partner
6/17/2021
The primary role of the federation server proxy in the perimeter network of the account partner organization in
Active Directory Federation Services (AD FS) is to collect authentication credentials from a client computer that
logs on over the Internet and to pass those credentials to the federation server, which is located inside the
corporate network of the account partner organization. The account for the client computer is stored in the
account partner's attribute store.
A federation server proxy can also function in one or more of the following roles, depending on how you
configure it to meet the needs of the account partner organization:
Relay Security Tokens—The federation server issues a security token to the federation server proxy, which
then relays the token to the client computer. The security token is used to provide access for that client
computer to a specific relying party.
Collect Credentials—The federation server proxy uses a default client logon Web form (clientlogon.aspx)
to collect password-based credentials through forms-based authentication. However, you can customize
this form to accept other supported types of authentication, such as Secure Sockets Layer (SSL) client
authentication. For more information about how to customize this page, see Customizing Client Logon
and Home Realm Discovery Pages (http://go.microsoft.com/fwlink/?LinkId=104275). A federation server
proxy does not accept credentials through Windows Integrated Authentication.
To summarize, a federation server proxy in the account partner acts as a proxy for client logons to a federation
server that is located in the corporate network. The federation server proxy also facilitates the distribution of
security tokens to Internet clients that are destined for relying parties.
Caution
Exposing a federation server proxy on the account partner extranet makes the client logon Web form accessible
to anyone with Internet access. This can leave your organization vulnerable to password-based
attacks, such as dictionary attacks or brute force attacks, which can trigger account lockouts for user accounts
that are stored in the corporate Active Directory Domain Services (AD DS). The extranet lockout features
described under Best Practices for Secure Planning and Deployment of AD FS are the mitigation for this.
See Also
AD FS Design Guide in Windows Server 2012
Prepare Client Computers in the Account Partner
3/5/2021
The easiest way for an administrator in an account partner organization to prepare client computers for access
to Active Directory Federation Services (AD FS) federated applications is to use Group Policy. Group Policy
provides a convenient way for you to push specific certificates and settings that are required for federation to all
the client computers that will be used to access federated applications.
So that your client computers can seamlessly access federated applications without certificate prompts or
trusted site–related prompts, we recommend that you first prepare each client computer before you deploy AD
FS broadly in your organization. Consider using Group Policy to automatically:
Configure Internet Explorer on each client computer to trust the account federation server.
For more information, see Configure Client Computers to Trust the Account Federation Server.
Install the appropriate account federation server, resource federation server, and Web server Secure
Sockets Layer (SSL) certificates (or equivalent certificates that chain to a trusted root) on each client
computer.
For more information, see Distribute Certificates to Client Computers by Using Group Policy.
See Also
AD FS Design Guide in Windows Server 2012
Deploying AD FS in the Resource Partner
Organization
3/5/2021
The resource partner organization in Active Directory Federation Services (AD FS) represents the organization
whose Web servers may be protected by a resource-side federation server. The federation server at the resource
partner uses the security tokens that are produced by the account partner to provide claims to the Web servers
that are located in the resource partner.
In scenarios in which you need to provide access to federated services or applications to many different users—
when some users reside in different organizations—you can configure the resource federation server so that
you can deploy multiple account partners.
For more information about how to set up and configure a resource partner organization, see Checklist:
Configuring the Resource Partner Organization.
In this section
Review the Role of the Federation Server in the Resource Partner
Review the Role of the Federation Server Proxy in the Resource Partner
Determine Your Federated Application Strategy in the Resource Partner
See Also
AD FS Design Guide in Windows Server 2012
Review the Role of the Federation Server in the
Resource Partner
3/5/2021
The federation server in the resource partner organization intercepts incoming security tokens that are sent by
an account federation server, validates and signs them, and then issues its own security tokens that are destined
for the Web-based application.
NOTE
When federated users use their Web browsers to access Web-based applications, the federation server in the resource
partner organization builds a new authentication cookie and writes it to the browser. This cookie enables single-sign-on
(SSO) capabilities so that users do not have to log on again at the federation server in the account partner when the
users attempt to access different Web-based applications in the resource partner.
In the Web SSO design, at least one federation server must be installed in the perimeter network. In the
Federated Web SSO design, there must be at least one federation server installed in the corporate network of
the account partner organization and at least one federation server installed in the corporate network of the
resource partner organization.
NOTE
Before you can set up a federation server computer in the resource partner organization, you must first join the computer
to any Active Directory domain in the resource partner organization. For more information, see Checklist: Setting Up a
Federation Server.
See Also
AD FS Design Guide in Windows Server 2012
Review the Role of the Federation Server Proxy in
the Resource Partner
3/5/2021
A federation server proxy in Active Directory Federation Services (AD FS) can function in one or more of the
following roles, depending on how you configure the server to meet the needs of the resource partner
organization:
Account partner discovery : An Internet client computer must identify which account partner will
authenticate it. The client finds the account partner by using an account partner discovery Web form
(discoverclientrealm.aspx), which is stored on the federation server proxy in the resource partner. If more
than one account partner is configured in the AD FS Management snap-in, a drop-down menu appears to
the client with all the available account partners that are visible to Internet client computers that access
the account partner discovery Web form. You can change how the account partner discovery Web form
is presented to client computers by customizing the discoverclientrealm.aspx file.
Security token redirection : The federation server proxy in the account partner sends the security
tokens to the resource partner. The resource federation server proxy accepts these tokens and passes
them on to the federation server in the resource partner. The resource federation server then issues a
security token that is bound for a specific resource Web server. The resource federation server proxy then
redirects the token to the client.
To summarize, a resource federation server proxy facilitates the federated logon process by redirecting client
computers to a federation server that can authenticate the clients. A resource federation server proxy also acts
as a proxy for client security tokens to resource federation servers.
NOTE
When it is necessary to help reduce the amount of hardware and the number of required certificates, the federation
server proxy can be located on the same computer as the Web server.
See Also
AD FS Design Guide in Windows Server 2012
Determine Your Federated Application Strategy in the Resource Partner
3/5/2021
An important part of designing a new Active Directory Federation Services (AD FS) infrastructure in the
resource partner organization is determining your full set of applications and services that will be used to
participate in the federation and which account partners will be the recipients of those resources. Before you
design a federated application and services strategy, consider the following questions:
Will you be enabling and deploying an ASP.NET application or a Windows Communication Foundation
(WCF) service for federation?
Will users on your corporate network require access to the federated application or service through
Windows Integrated Authentication?
Will the federated application or service be used by users in your perimeter network? If so, will Windows
Integrated Authentication be required?
Are all of the Web servers that host federated applications running a Windows Server operating system
and Internet Information Services (IIS)?
Who will the federated application or service provide resources for?
Answering these questions will help you plan a solid AD FS design. It will also assist you in creating a federated
application and services strategy that is cost effective and resource efficient. For more information about
designing the most appropriate federated application and services strategy for your organization, see the
following topics in this guide:
Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services
Provide Your Active Directory Users Access to the Applications and Services of Other Organizations
Provide Users in Another Organization Access to Your Claims-Aware Applications and Services
For more information about how to create a claims-aware ASP.NET application or WCF service, see Windows
Identity Foundation SDK.
See Also
AD FS Design Guide in Windows Server 2012
Planning Federation Server Placement
3/5/2021
The most critical component of an Active Directory Federation Services (AD FS) deployment is the federation
server. Therefore, it is important that you plan your federation server placement strategy carefully, including
when and where to deploy federation servers. The information in the following topics can help you determine
when and where to create a federation server or federation server farm and whether to use that federation
server in the account partner role, the resource partner role, or both:
Review the Role of the Federation Server in the Account Partner
Review the Role of the Federation Server in the Resource Partner
When to Create a Federation Server
Where to Place a Federation Server
When to Create a Federation Server Farm
Certificate Requirements for Federation Servers
Name Resolution Requirements for Federation Servers
NOTE
Although this information might help with your placement planning for federation servers, it does not explain how to
determine the proper number of federation servers and the hardware requirements for each AD FS design.
For examples of how a federation server can be placed in either of the two primary AD FS design scenarios, see
Mapping Your Deployment Goals to an AD FS Design.
See Also
AD FS Design Guide in Windows Server 2012
When to Create a Federation Server
3/5/2021
When you create a federation server in Active Directory Federation Services (AD FS), you provide a means by
which your organization can:
Engage in Web single-sign-on (SSO)–based communication with another organization (that also has at
least one federation server) and, when necessary, with the employees in your own organization (who
need access over the Internet).
Enable front end services to impersonate users to infrastructure services using identity delegation. For
more information, see When to Use Identity Delegation.
The following sections describe some of the key decisions for determining when and where to create one or
more federation servers.
NOTE
For the Federated Web SSO design, there must be at least one federation server in the account partner and at least one
federation server in the resource partner.
Differences between a federation server and a federation server proxy
A federation server can serve out Web pages for sign-in, policy, authentication, and discovery in the same way
that a federation server proxy does. The primary differences between a federation server and a federation
server proxy have to do with what operations a federation server can perform that a federation server proxy
cannot perform.
The following are the operations that only a federation server can perform:
The federation server performs the cryptographic operations that produce the token. Although federation
server proxies cannot produce tokens, they can be used to route or redirect the tokens to clients and,
when necessary, back to the federation server. For more information about using federation servers, see
When to Create a Federation Server Proxy.
Federation servers support the use of Windows Integrated Authentication for clients on the corporate
network; federation server proxies do not. For more information about using Windows Integrated
Authentication with federation server, see When to Create a Federation Server Farm.
Caution
Communication between federation servers and SQL Server configuration databases, SQL Server attribute
stores, domain controllers, and AD LDS instances is not integrity or confidentiality protected by default. To
mitigate this, consider protecting the communication channel between these servers using IPSEC or using a
physically secure connection between all of these servers. For communication between federation servers and
SQL servers, consider using SSL protection in the connection string. For connections between federation servers
and domain controllers, consider turning on Kerberos signing and encryption. For LDAP, LDAP/S is not
supported for AD LDS/AD DS.
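The caution above recommends SSL protection in the connection string between federation servers and SQL Server. The following Go program is an added example, not part of this guide or of AD FS, showing a simple checker that parses a SQL Server connection string and reports whether transport protection is actually requested. The sample connection strings, the host name sqlhost and the database name are constructed; the Encrypt and TrustServerCertificate keywords are standard SqlClient keywords. The TrustServerCertificate check goes one step beyond the guide: encryption with server certificate validation disabled still leaves the channel open to interception, so the checker flags it as well.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample connection strings for an AD FS configuration database held in SQL Server.
// WeakConnString omits Encrypt, so the channel is neither integrity nor confidentiality protected.
const WeakConnString = "Data Source=sqlhost;Initial Catalog=AdfsConfiguration;Integrated Security=SSPI"

// HardenedConnString requests TLS and keeps server certificate validation on.
const HardenedConnString = "Data Source=sqlhost;Initial Catalog=AdfsConfiguration;Integrated Security=SSPI;" +
	"Encrypt=True;TrustServerCertificate=False"

// parseConnString splits a "Key=Value;Key=Value" connection string into a map
// keyed by lower-cased keyword. Quoted values are not handled; the samples above need none.
func parseConnString(s string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			continue
		}
		out[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
	}
	return out
}

// isTrue accepts the boolean spellings SqlClient accepts for these keywords.
func isTrue(v string) bool {
	switch strings.ToLower(v) {
	case "true", "yes", "1":
		return true
	}
	return false
}

// CheckConnString returns one finding per transport-protection weakness; an empty
// slice means the string requests TLS and validates the SQL Server certificate.
func CheckConnString(s string) []string {
	kv := parseConnString(s)
	var findings []string
	if !isTrue(kv["encrypt"]) {
		findings = append(findings,
			"Encrypt is not enabled: traffic to SQL Server is not integrity or confidentiality protected")
	}
	if isTrue(kv["trustservercertificate"]) {
		findings = append(findings,
			"TrustServerCertificate=True: the SQL Server certificate is not validated, so the TLS channel can be intercepted")
	}
	return findings
}

func main() {
	for name, cs := range map[string]string{"weak": WeakConnString, "hardened": HardenedConnString} {
		fmt.Printf("%-8s findings: %v\n", name, CheckConnString(cs))
	}
}
```

Run it against the connection string your own federation servers use; the weak sample produces one finding and the hardened sample none.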
See Also
AD FS Design Guide in Windows Server 2012
Where to Place a Federation Server
6/17/2021
As a security best practice, place Active Directory Federation Services (AD FS) federation servers behind a
firewall and connect them to your corporate network to prevent exposure from the Internet. This is important
because federation servers have full authorization to grant security tokens. Therefore, they should have the
same protection as a domain controller. If a federation server is compromised, a malicious user has the ability to
issue full access tokens to all Web applications and to federation servers that are protected by Active Directory
Federation Services (AD FS) in all resource partner organizations.
NOTE
As a security best practice, avoid having your federation servers directly accessible on the Internet. Consider giving your
federation servers direct Internet access only when you are setting up a test lab environment or when your organization
does not have a perimeter network.
For typical corporate networks, an intranet-facing firewall is established between the corporate network and the
perimeter network, and an Internet-facing firewall is often established between the perimeter network and the
Internet. In this situation, the federation server sits inside the corporate network, and it is not directly accessible
by Internet clients.
NOTE
Client computers that are connected to the corporate network can communicate directly with the federation server
through Windows Integrated Authentication.
A federation server proxy should be placed in the perimeter network before you configure your firewall servers
for use with AD FS. For more information, see Where to Place a Federation Server Proxy.
See Also
AD FS Design Guide in Windows Server 2012
When to Create a Federation Server Farm
6/17/2021
Consider creating a federation server farm in Active Directory Federation Services (AD FS) when you have a
larger AD FS deployment and you want to provide fault tolerance, load-balancing, or scalability to your
organization's Federation Service. The act of creating two or more federation servers in the same network,
configuring each of them to use the same Federation Service, and adding the public key of each server's token-
signing certificates to the AD FS Management snap-in creates a federation server farm.
You can create a federation server farm or install additional federation servers to an existing farm by using the
AD FS Federation Server Configuration Wizard. For more information, see When to Create a Federation Server.
NOTE
When you choose the option to create a New federation server farm using the AD FS Federation Server
Configuration Wizard, the wizard will attempt to create a container object (for sharing certificates) in Active Directory.
Therefore, it is important that you first log on to the computer, where you are setting up the federation server role, with
an account that has sufficient permissions in Active Directory to create this container object.
Before federation servers can be grouped as a farm, they must first be clustered so that requests that arrive at a
single fully qualified domain name (FQDN) are routed to the various federation servers in the server farm. You
can create the server cluster by deploying Network Load Balancing (NLB) inside the corporate network. This
guide assumes that NLB has been configured appropriately to cluster each of the federation servers in the farm.
For more information about how to configure a cluster FQDN using Microsoft NLB technology, see Specifying
the Cluster Parameters.
NOTE
If you do decide to use the server image method for deploying additional federation servers, you do not have to
complete the tasks in Checklist: Setting Up a Federation Server every time that you want to add a new server to
the farm.
Use NLB or some other form of clustering to allocate a single IP address for many federation server
computers.
Reserve a static IP address for each federation server in the farm and, depending on your Domain Name
System (DNS) configuration, insert an exclusion for each IP address in Dynamic Host Configuration
Protocol (DHCP). Microsoft NLB technology requires that each server that participates in the NLB cluster
be assigned a static IP address.
If the AD FS configuration database will be stored in a SQL database, avoid editing the SQL database
from multiple federation servers at the same time.
Task: If you are using SQL Server to store the AD FS configuration database
Description: A federation server farm consists of two or more federation servers that share the same AD FS
configuration database and token-signing certificates. The configuration database can be stored in either
Windows Internal Database or in a SQL Server database. If you plan to store the configuration database in a SQL
database, make sure that the configuration database is accessible so that it can be accessed by all new
federation servers that participate in the farm.
Note: For farm scenarios, it is important that the configuration database be located on a computer that does
not also participate as a federation server in that farm. Microsoft NLB does not allow any of the computers that
participate in a farm to communicate with one another.
Note: Ensure that the identity of the AD FS AppPool in Internet Information Services (IIS) on every federation
server that participates in the farm has Read access to the configuration database.
Task: Obtain and share certificates
Description: You can obtain a single server authentication certificate from a public certification authority
(CA)—for example, VeriSign. You can then configure the certificate so that all federation servers share the same
private key portion of the certificate. For more information about how to share the same certificate, see
Checklist: Setting Up a Federation Server.
Note: The AD FS Management snap-in refers to server authentication certificates for federation servers as
service communication certificates.
For more information, see Certificate Requirements for Federation Servers.
Task: Point to the same SQL Server instance
Description: If the AD FS configuration database will be stored in a SQL database, the new federation server
must point to the same SQL Server instance that is used by other federation servers in the farm so that the new
server can participate in the farm.
See Also
AD FS Design Guide in Windows Server 2012
Certificate Requirements for Federation Servers
6/17/2021
In any Active Directory Federation Services (AD FS) design, various certificates must be used to secure
communication and facilitate user authentications between Internet clients and federation servers. Each
federation server must have a service communication certificate and a token-signing certificate before it can
participate in AD FS communications. The following table describes the certificate types that are associated with
federation server.
Certificate type: Secure Sockets Layer (SSL) certificate
Description: Federation servers use an SSL certificate to secure Web services traffic for SSL communication
with Web clients and with federation server proxies. Because the SSL certificate must be trusted by client
computers, we recommend that you use a certificate that is signed by a trusted CA. All certificates that you
select must have a corresponding private key.
Certificate type: Token-decryption certificate
Description: This certificate is used to decrypt tokens that are received by this federation server. You can have
multiple decryption certificates. This makes it possible for a resource federation server to be able to decrypt
tokens that are issued with an older certificate after a new certificate is set as the primary decryption
certificate. All certificates can be used for decryption, but only the primary token-decrypting certificate is
actually published in federation metadata. All certificates that you select must have a corresponding private key.
For more information, see Add a Token-Decrypting Certificate.
You can request and install an SSL certificate or service communication certificate by requesting a service
communication certificate through the Microsoft Management Console (MMC) snap-in for IIS. For more general
information about using SSL certificates, see IIS 7.0: Configuring Secure Sockets Layer in IIS 7.0 and IIS 7.0:
Configuring Server Certificates in IIS 7.0 .
NOTE
In AD FS you can change the Secure Hash Algorithm (SHA) level that is used for digital signatures to either SHA-1 or
SHA-256 (more secure). AD FS does not support the use of certificates with other hash methods, such as MD5 (the
default hash algorithm that is used with the Makecert.exe command-line tool). As a security best practice, we recommend
that you use SHA-256 (which is set by default) for all signatures. SHA-1 is recommended for use only in scenarios in
which you must interoperate with a product that does not support communications using SHA-256, such as a
non-Microsoft product or AD FS 1.x.
IMPORTANT
Use of self-signed, SSL certificates in a production environment can allow a malicious user in an account partner
organization to take control of federation servers in a resource partner organization. This security risk exists because self-
signed certificates are root certificates. They must be added to the trusted root store of another federation server (for
example, the resource federation server), which can leave that server vulnerable to attack.
After you receive a certificate from a CA, make sure that all certificates are imported into the personal certificate
store of the local computer. You can import certificates to the personal store with the Certificates MMC snap-in.
As an alternative to using the Certificates snap-in, you can also import the SSL certificate with the IIS Manager
snap-in at the time that you assign the SSL certificate to the default Web site. For more information, see Import
a Server Authentication Certificate to the Default Web Site.
NOTE
Before you install the AD FS software on the computer that will become the federation server, make sure that both
certificates are in the Local Computer personal certificate store and that the SSL certificate is assigned to the Default Web
Site. For more information about the order of the tasks that are required to set up a federation server, see Checklist:
Setting Up a Federation Server.
Depending on your security and budget requirements, carefully consider which of your certificates will be
obtained by a public CA or a corporate CA. The following figure shows the recommended CA issuers for a given
certificate type. This recommendation reflects a best-practice approach regarding security and cost.
See Also
AD FS Design Guide in Windows Server 2012
Token-Signing Certificates
6/17/2021
Federation servers require token-signing certificates to prevent attackers from altering or counterfeiting
security tokens in an attempt to gain unauthorized access to federated resources. The private/public key pairing
that is used with token-signing certificates is the most important validation mechanism of any federated
partnership because these keys verify that a security token was issued by a valid partner federation server and
that the token was not modified during transit.
NOTE
It is a public key infrastructure (PKI) best practice to not share the private key for multiple purposes. Therefore, do not use
the service communication certificate that you installed on the federation server as the token-signing certificate.
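The paragraph above describes what the token-signing key pair actually buys a relying party: proof that the token came from a partner whose public key it trusts, and proof that the token was not modified in transit. The Go program below is an added example, not code from this guide or from AD FS, that reproduces that check in miniature with RSA and SHA-256 (the digest the SHA note earlier recommends). The token is a constructed string: the issuer URL fs.fabrikam.com is the example name used in this guide, while the Subject and Role attributes are invented for the demonstration. Three cases are exercised: the genuine token verifies, a token whose role claim was altered in transit fails, and a token signed by a key that is not the trusted partner's fails.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signToken is the federation server's side: an RSA PKCS#1 v1.5 signature over the
// SHA-256 digest of the token. Only the federation server holds the private key.
func signToken(priv *rsa.PrivateKey, token []byte) ([]byte, error) {
	digest := sha256.Sum256(token)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyToken is the relying side: recompute the digest and check the signature
// with the public key the partner published (for AD FS, via federation metadata).
func verifyToken(pub *rsa.PublicKey, token, sig []byte) bool {
	digest := sha256.Sum256(token)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// TokenCheckResult records the three outcomes a relying party must distinguish.
type TokenCheckResult struct {
	Genuine       bool // untouched token, signed by the trusted partner key
	Tampered      bool // token altered after signing; must be false
	ForeignIssuer bool // token signed by a key that is not a trusted partner's; must be false
}

// RunTokenChecks generates a trusted partner key and an unrelated key, signs a
// constructed token, and evaluates the three cases.
func RunTokenChecks() (TokenCheckResult, error) {
	partnerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return TokenCheckResult{}, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return TokenCheckResult{}, err
	}

	// Constructed token; the issuer name comes from this guide, the other attributes are invented.
	token := []byte(`<Assertion Issuer="http://fs.fabrikam.com" Subject="alice" Role="Reader"/>`)
	sig, err := signToken(partnerKey, token)
	if err != nil {
		return TokenCheckResult{}, err
	}

	// An attacker in the path escalates the role claim but cannot re-sign without the private key.
	tampered := bytes.Replace(token, []byte(`Role="Reader"`), []byte(`Role="Admin"`), 1)

	// A token signed by some other key, i.e. not issued by a valid partner federation server.
	foreignSig, err := signToken(otherKey, token)
	if err != nil {
		return TokenCheckResult{}, err
	}

	pub := &partnerKey.PublicKey
	return TokenCheckResult{
		Genuine:       verifyToken(pub, token, sig),
		Tampered:      verifyToken(pub, tampered, sig),
		ForeignIssuer: verifyToken(pub, token, foreignSig),
	}, nil
}

func main() {
	r, err := RunTokenChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v foreignIssuer=%v\n", r.Genuine, r.Tampered, r.ForeignIssuer)
}
```

The example also illustrates the NOTE above: the verifying side needs only the public key, so the private key never has to leave the federation server, and using a separate key pair for token signing means a compromise of the service communication certificate does not let anyone mint tokens.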
For information about installing a certificate when you use Microsoft Certificate Services as your enterprise CA,
see IIS 7.0: Create a Domain Server Certificate in IIS 7.0.
For information about installing a certificate from a public CA, see IIS 7.0: Request an Internet Server Certificate.
For information about installing a self-signed certificate, see IIS 7.0: Create a Self-Signed Server Certificate in
IIS 7.0.
See Also
AD FS Design Guide in Windows Server 2012
Service Communications Certificates
3/5/2021
A federation server requires the use of service communication certificates for scenarios in which WCF message
security is used.
NOTE
If necessary, you can work around this condition by using Group Policy to manually push down the self-signed
certificate to the trusted root store on each client computer that will attempt to access an AD FS site.
CAs provide additional certificate-based features, such as private key archive, renewal, and revocation,
that are not provided by self-signed certificates.
Name Resolution Requirements for Federation Servers
6/17/2021
When client computers on the corporate network attempt to access an application or Web service that is
protected by Active Directory Federation Services (AD FS), they must first authenticate to a federation server.
One way to authenticate is to have the corporate network clients access a local federation server through
Windows Integrated Authentication.
For information about how to configure a cluster IP address or cluster FQDN using NLB, see Specifying the
Cluster Parameters.
For information about how to configure corporate DNS for a federation server, see Add a Host (A) Resource
Record to Corporate DNS for a Federation Server.
For information about how to configure federation server proxies in the perimeter network, see Name
Resolution Requirements for Federation Server Proxies.
See Also
AD FS Design Guide in Windows Server 2012
Planning Federation Server Proxy Placement
3/5/2021
After you gather all the information that you will use to design your Active Directory Federation Services
(AD FS) infrastructure and after you plan your federation server and Web server strategy, you can plan when
and where to place federation server proxies in your new design. The information in the following topics can
help you determine when and where to place a federation server proxy and whether to configure it for the
account partner role or the resource partner role:
Review the Role of the Federation Server in the Account Partner
Review the Role of the Federation Server Proxy in the Resource Partner
When to Create a Federation Server Proxy
Where to Place a Federation Server Proxy
When to Create a Federation Server Proxy Farm
Certificate Requirements for Federation Server Proxies
Name Resolution Requirements for Federation Server Proxies
NOTE
Although this information might help with your placement planning for federation server proxies, it does not explain how
to determine the proper number of proxies and the proxy hardware requirements for each AD FS design.
For examples of how you can place a federation server proxy in either of the two primary AD FS design
scenarios, see Mapping Your Deployment Goals to an AD FS Design.
See Also
AD FS Design Guide in Windows Server 2012
When to Create a Federation Server Proxy
3/5/2021
Creating a federation server proxy in your organization adds additional security layers to your Active Directory
Federation Services (AD FS) deployment. Consider deploying a federation server proxy in your organization's
perimeter network when you want to:
Prevent external client computers from directly accessing your federation servers. By deploying a
federation server proxy in your perimeter network, you effectively isolate your federation servers so that
they can be accessed only by client computers that are logged in to the corporate network through
federation server proxies, which act on behalf of the external client computers. Federation server proxies
do not have access to the private keys that are used to produce tokens. For more information, see Where
to Place a Federation Server Proxy.
Provide a convenient way to differentiate the sign-in experience for users who are coming from the
Internet as opposed to users who are coming from your corporate network using Windows Integrated
Authentication. A federation server proxy collects credentials or home realm details from Internet client
computers by using the logon, logout, and identity provider discovery (homerealmdiscovery.aspx) pages
that are stored on the federation server proxy.
In contrast, client computers that come from the corporate network encounter a different experience,
based on the configuration of the federation server. The corporate network federation server is often
configured for Windows Integrated Authentication, which provides a seamless sign-in experience for
users on the corporate network.
The role that a federation server proxy plays in your organization depends on whether you place the federation
server proxy in the account partner organization or in the resource partner organization. For example, when a
federation server proxy is placed in the perimeter network of the account partner, its role is to collect the user
credential information from browser clients. When a federation server proxy is placed in the perimeter network
of the resource partner, it relays security token requests to a resource federation server and produces
organizational security tokens in response to the security tokens that are provided by its account partners.
For more information, see Review the Role of the Federation Server Proxy in the Account Partner and Review the
Role of the Federation Server Proxy in the Resource Partner.
See Also
AD FS Design Guide in Windows Server 2012
Where to Place a Federation Server Proxy
6/17/2021
You can place Active Directory Federation Services (AD FS) federation server proxies in a perimeter network to
provide a protection layer against malicious users that may be coming from the Internet. Federation server
proxies are ideal for the perimeter network environment because they do not have access to the private keys
that are used to create tokens. However, federation server proxies can efficiently route incoming requests to
federation servers that are authorized to produce those tokens.
It is not necessary to place a federation server proxy inside the corporate network for either the account partner
or the resource partner because client computers that are connected to the corporate network can communicate
directly with the federation server. In this scenario, the federation server also provides federation server proxy
functionality for client computers that are coming from the corporate network.
As is typical with perimeter networks, an intranet-facing firewall is established between the perimeter network
and the corporate network, and an Internet-facing firewall is often established between the perimeter network
and the Internet. In this scenario, the federation server proxy sits between both of these firewalls on the
perimeter network.
NOTE
All communications to and from client computers also occur over HTTPS.
In addition, the Internet-facing firewall server, such as a computer running Microsoft Internet Security and
Acceleration (ISA) Server, uses a process known as server publishing to distribute Internet client requests to the
appropriate perimeter and corporate network servers, such as federation server proxies or federation servers.
Server publishing rules determine how server publishing works—essentially, filtering all incoming and outgoing
requests through the ISA Server computer. Server publishing rules map incoming client requests to the
appropriate servers behind the ISA Server computer. For information about how to configure ISA Server to
publish a server, see Create a Secure Web Publishing Rule.
In the federated world of AD FS, these client requests are typically made to a specific URL, for example, a
federation server identifier URL such as http://fs.fabrikam.com. Because these client requests come in from the
Internet, the Internet-facing firewall server must be configured to publish the federation server identifier URL for
each federation server proxy that is deployed in the perimeter network.
Configuring ISA Server to allow SSL
To facilitate secure AD FS communications, you must configure ISA Server to allow Secure Sockets Layer (SSL)
communications between the following:
Federation servers and federation server proxies. An SSL channel is required for all
communications between federation servers and federation server proxies. Therefore, you must
configure ISA Server to allow an SSL connection between the corporate network and the perimeter
network.
Client computers, federation servers, and federation server proxies. So that communications
can occur between client computers and federation servers or between client computers and federation
server proxies, you can place a computer running ISA Server in front of the federation server or
federation server proxy.
If your organization performs SSL client authentication on the federation server or federation server
proxy, when you place a computer running ISA Server in front of the federation server or federation
server proxy, the server must be configured for pass-through of the SSL connection because the SSL
connection must terminate at the federation server or federation server proxy.
If your organization does not perform SSL client authentication on the federation server or federation
server proxy, an additional option is to terminate the SSL connection at the computer running ISA Server
and then re-establish an SSL connection to the federation server or federation server proxy.
NOTE
The federation server or federation server proxy requires that the connection be secured by SSL to protect the contents
of the security token.
See Also
AD FS Design Guide in Windows Server 2012
When to Create a Federation Server Proxy Farm
6/17/2021
Consider installing additional federation server proxies when you have a large Active Directory Federation
Services (AD FS) deployment and you want to provide fault tolerance, load-balancing, and scalability for your
proxy deployment. The act of creating two or more federation server proxies in the same perimeter network and
configuring each of them to protect the same AD FS Federation Service creates a federation server proxy farm.
You can create a federation server proxy farm or install additional federation server proxies to an existing farm
by using the AD FS Federation Server Proxy Configuration Wizard. For more information, see When to Create a
Federation Server Proxy.
Before all the federation server proxies can function together as a farm, you must first cluster them under one IP
address and one Domain Name System (DNS) fully qualified domain name (FQDN). You can cluster the servers
by deploying Microsoft Network Load Balancing (NLB) inside the perimeter network. The tasks in the following
table require NLB to be configured appropriately to cluster the federation server proxies in the farm.
For more information about how to configure an FQDN for a cluster using Microsoft NLB technology, see
Specifying the Cluster Parameters.
Task: Point all proxies in the farm to the same AD FS Federation Service name
Description: When you create the federation server proxies, you must type the same Federation Service name in
the AD FS Federation Server Proxy Configuration Wizard for all the federation server proxies that will
participate in the farm. The federation server proxy uses the URL that makes up this DNS host name to
determine which AD FS Federation Service instance it contacts.
For more information, see Configure a Computer for the Federation Server Proxy Role.
Task: Obtain and share certificates
Description: You can obtain a server authentication certificate from a public certification authority (CA)—for
example, VeriSign—and then configure the certificate so that all federation server proxies share the same
private key portion of the same certificate on the default Web site for each federation server proxy. To share
the certificate, you must install the same server authentication certificate on the default Web site for each
federation server proxy. For more information, see Import a Server Authentication Certificate to the Default
Web Site.
For more information, see Certificate Requirements for Federation Server Proxies.
For more information about adding new federation server proxies to create a federation server proxy farm, see
Checklist: Setting Up a Federation Server Proxy.
See Also
AD FS Design Guide in Windows Server 2012
Certificate Requirements for Federation Server Proxies
6/17/2021
Servers that are running in the federation server proxy role in Active Directory Federation Services (AD FS) are
required to use Secure Sockets Layer (SSL) server authentication certificates. Federation server proxies use SSL
server authentication certificates to secure Web server traffic communication with Web clients.
Federation server proxies are usually exposed to computers on the Internet that are not included in your
enterprise public key infrastructure (PKI). Therefore, use a server authentication certificate that is issued by a
public (third-party) certification authority (CA), for example, VeriSign.
When you have a federation server proxy farm, all federation server proxy computers must use the same server
authentication certificate. For more information, see When to Create a Federation Server Proxy Farm.
It is important to verify that the subject name in the server authentication certificate matches the Federation
Service name value that is specified in the AD FS Management snap-in. To locate this value, open the snap-in,
right-click Service, click Edit Federation Service Properties, and then find the value in the Federation Service
name text box.
For general information about using SSL certificates, see Configuring Secure Sockets Layer in IIS 7.0
(http://go.microsoft.com/fwlink/?LinkID=108544) and Configuring Server Certificates in IIS 7.0
(http://go.microsoft.com/fwlink/?LinkID=108545).
NOTE
Client authentication certificates are not required for AD FS federation server proxies.
If any certificate that you use has certificate revocation list (CRL) distribution points, the server with the
configured certificate must be able to contact the server that distributes the CRLs. The scheme of the CRL
distribution point (HTTP or LDAP) determines which ports must be open.
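The two checks above (subject name against the Federation Service name, and CRL reachability from the perimeter network) as an added example that is not part of the original page. It is meant to run on a federation server proxy; the Federation Service name is passed in by the caller, the certificate is assumed to be bound to 0.0.0.0:443 in http.sys, and the chain build uses online revocation so CRL retrieval is actually exercised rather than inferred.

```powershell
# Added example, not from the original page. Run on a federation server proxy to
# check the certificate bound to 0.0.0.0:443 against the Federation Service name
# and to confirm that its issuing chain and CRLs can be fetched from the perimeter
# network. Assumption: the Federation Service name is supplied by the caller (it is
# the value shown under Edit Federation Service Properties).
param([Parameter(Mandatory = $true)][string]$FederationServiceName)   # e.g. fs.contoso.com

function Get-BoundServerCertificate {
    # Read the thumbprint http.sys has bound on 0.0.0.0:443 (IIS bindings appear here too).
    # The hash is the only 40-hex-digit token in the output, so no locale-specific label is needed.
    $text = (netsh http show sslcert ipport=0.0.0.0:443 | Out-String)
    if ($text -match '\b([0-9a-fA-F]{40})\b') { return Get-Item "Cert:\LocalMachine\My\$($Matches[1])" }
    throw 'No server authentication certificate is bound to 0.0.0.0:443'
}

function Test-NameMatch {
    param([string]$CertName, [string]$ServiceName)
    # Exact match, or a single-label wildcard such as *.contoso.com for fs.contoso.com.
    if ($CertName -ieq $ServiceName) { return $true }
    $dot = $ServiceName.IndexOf('.')
    if ($CertName.StartsWith('*.') -and $dot -gt 0) {
        return $CertName.Substring(2) -ieq $ServiceName.Substring($dot + 1)
    }
    return $false
}

$cert = Get-BoundServerCertificate
# Clients match the SAN; DnsNameList falls back to the subject CN when there is no SAN.
$names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$nameOk = @($names | Where-Object { Test-NameMatch -CertName $_ -ServiceName $FederationServiceName }).Count -gt 0
"Subject          : $($cert.Subject)"
"Names            : $($names -join ', ')"
"Matches service  : $nameOk"
"Expires          : $($cert.NotAfter)"

# Build the chain with online revocation checking for every certificate in the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)
"Chain + CRL ok   : $chainOk"
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) - $($s.StatusInformation.Trim())" }

# List the CRL distribution points so the required egress (HTTP or LDAP ports) can be opened.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdpExt) {
    $urls = [regex]::Matches($cdpExt.Format($true), '(https?|ldap)://[^\s,]+') | ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        if ($url -like 'http*') {
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                "CRL reachable    : $url ($($r.StatusCode), $($r.RawContentLength) bytes)"
            } catch { "CRL UNREACHABLE  : $url - $($_.Exception.Message)" }
        } else {
            "CRL over LDAP    : $url - the proxy needs TCP 389 to the directory that publishes it"
        }
    }
} else { 'No CRL distribution point extension on this certificate.' }
```

If the chain builds but the name check fails, clients will reach the proxy and then reject the certificate; if the name matches but the chain fails with a revocation status, the proxy itself or the intermediate CA's CRL is unreachable from the perimeter network, which is the firewall rule the note above is about.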
See Also
AD FS Design Guide in Windows Server 2012
Name Resolution Requirements for Federation Server Proxies
6/17/2021
When client computers on the Internet attempt to access an application that is secured by Active Directory
Federation Services (AD FS), they must first authenticate to the federation server. The federation server is usually
not directly accessible from the Internet, so Internet client computers must instead be directed to the federation
server proxy. You accomplish this redirection by adding the appropriate Domain Name System (DNS) records to
your Internet-facing DNS zone or zones.
The method that you use to redirect Internet clients to the federation server proxy depends on how you
configure the DNS zone in your perimeter network or how you configure a DNS zone that you control on the
Internet. Federation server proxies are intended for use in a perimeter network. They redirect Internet client
requests to federation servers successfully only when DNS has been configured properly in all the Internet-
facing zones that you control. Therefore, the configuration of your Internet-facing zones—whether you have a
DNS zone serving only the perimeter network or a DNS zone serving both the perimeter network and Internet
clients—is important.
This topic describes the steps that you can take to configure name resolution when you place a federation server
proxy in your perimeter network. To determine which steps to follow, first determine which of the following DNS
scenarios most closely matches the DNS infrastructure in the perimeter network of your organization. Then,
follow the steps for that scenario.
DNS zone serving both the perimeter network and Internet clients
In this scenario, your organization controls the DNS zone in the perimeter network and at least one DNS zone
on the Internet. Successful name resolution for a federation server proxy in this scenario depends on the
following conditions:
DNS in the Internet zone of the account partner must be configured so that the FQDN of the federation
server host name resolves to the IP address of the federation server proxy in the perimeter network.
DNS in the perimeter network of the account partner must be configured so that the FQDN of the
federation server host name resolves to the IP address of the federation server in the corporate network.
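The two conditions above can be checked from a single script, given here as an added example that is not part of the original page. It queries a resolver that only sees the Internet-facing zone and the resolver used in the perimeter network, and on the proxy itself also shows the effective resolution. The FQDN, addresses and resolver names are placeholders; it uses the DnsClient module's Resolve-DnsName.

```powershell
# Added example, not from the original page. Verifies the two conditions for a
# Federation Service FQDN: a resolver that sees only the Internet-facing zone must
# return the proxy's public address, and the perimeter-network resolver must return
# the internal federation server. Names and addresses are placeholders.
$fsFqdn             = 'fs.contoso.com'
$proxyPublicIP      = '203.0.113.10'                  # assumed public address of the federation server proxy
$federationServerIP = '10.0.1.20'                     # assumed corporate-network address of the federation server
$internetResolver   = '8.8.8.8'                       # any public resolver: sees only the Internet-facing zone
$perimeterResolver  = 'dns1.perimeter.contoso.com'    # assumed DNS server the proxy uses in the perimeter network

function Get-ARecordAddresses {
    param([string]$Name, [string]$Server)
    # -NoHostsFile and -DnsOnly skip the hosts file and LLMNR/NetBIOS; naming -Server sends the
    # query straight to that server, so the answer reflects the zone it serves.
    Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
}

function Test-FederationServiceDns {
    param([string]$Fqdn, [string]$Resolver, [string]$ExpectedIP, [string]$Label)
    try {
        $answers = @(Get-ARecordAddresses -Name $Fqdn -Server $Resolver)
    } catch {
        return [pscustomobject]@{ Check = $Label; Resolver = $Resolver; Answers = ''
                                  Expected = $ExpectedIP; Pass = $false; Error = $_.Exception.Message }
    }
    # Pass only if the expected address is returned and nothing unexpected leaks in
    # (an internal address in the Internet zone, or a public one in the perimeter zone).
    $unexpected = @($answers | Where-Object { $_ -ne $ExpectedIP })
    $pass = ($answers -contains $ExpectedIP) -and ($unexpected.Count -eq 0)
    [pscustomobject]@{ Check = $Label; Resolver = $Resolver; Answers = ($answers -join ',')
                       Expected = $ExpectedIP; Pass = $pass; Error = '' }
}

$results = @(
    Test-FederationServiceDns -Fqdn $fsFqdn -Resolver $internetResolver  -ExpectedIP $proxyPublicIP      -Label 'Internet zone -> proxy'
    Test-FederationServiceDns -Fqdn $fsFqdn -Resolver $perimeterResolver -ExpectedIP $federationServerIP -Label 'Perimeter zone -> federation server'
)
$results | Format-Table -AutoSize

# When run on the proxy itself, also confirm the resolution the proxy will actually use;
# this honours a hosts-file entry, which the zone checks above deliberately ignore.
$effective = [System.Net.Dns]::GetHostAddresses($fsFqdn) | ForEach-Object { $_.IPAddressToString }
"Effective resolution on $($env:COMPUTERNAME): $($effective -join ',') (expected $federationServerIP on a proxy)"
```

A failure on the first row means Internet clients never reach the proxy; a failure on the second means the proxy forwards to itself or to a public address and the sign-in loops or times out.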
The following illustration and corresponding steps show how each of these conditions is achieved for a given
example.
NOTE
The content provided in this topic does not reflect actual testing that was performed on servers running Windows Server
2012. This topic will be updated once the required testing has been performed.
Capacity planning for Active Directory Federation Services (AD FS) is the process of forecasting peak usage
periods for your Federation Service and planning or scaling up your AD FS server deployment to meet those
load requirements.
This section describes deployment guidelines for both the federation server and federation server proxy roles
and is based on lab testing that was performed by the AD FS product team at Microsoft. The purpose of this
content is to help you:
Closely estimate the hardware needs for your organization's specific AD FS deployment, such as the
number of AD FS servers.
Accurately project the expected peak usage for sign-in requests, plan for growth, and ensure that your AD
FS deployment is capable of handling that expected peak usage.
Before you proceed with reading this capacity planning content, we recommend that you first complete the
tasks in the order shown in the following two tables. In the first table, we provide links to recommended tasks
that will help provide relevant context for this capacity planning discussion.
RECOMMENDED TASK / DESCRIPTION / REFERENCE

Recommended task: Understand the requirements for deploying AD FS federation servers and federation server proxies
Description: Review important hardware and software requirements necessary for deploying federation servers and federation server proxies.
Reference: Appendix A: Reviewing AD FS Requirements

Recommended task: Select the type of AD FS configuration database that you will deploy in your organization
Description: Before you can begin using capacity planning data in this section, you first have to determine which AD FS configuration database type you will deploy, either Windows Internal Database (WID) or a Structured Query Language (SQL) database.
Reference: The Role of the AD FS Configuration Database; AD FS Deployment Topology Considerations

Recommended task: Determine the type of topology layout to use with your new AD FS configuration database selection
Description: Once you have decided on the type of AD FS configuration database to use in your deployment, you will need to consider which deployment topology most closely matches where you will need to place federation servers and federation server proxies within your production environment.
Reference: Determine Your AD FS Deployment Topology

Recommended task: Understand key AD FS-related capacity planning terms
Description: Review the definitions of common capacity planning terms that are used throughout the AD FS capacity planning discussion.
Reference: See the section titled AD FS capacity planning terms in this topic
Once you have reviewed the content in the previous table, you can now complete the prerequisite tasks in the
next table.
PREREQUISITE TASK / DESCRIPTION / REFERENCE

Prerequisite task: Download the AD FS Capacity Planning Sizing Spreadsheet
Description: The AD FS Capacity Planning Sizing spreadsheet can help you to determine the number of federation servers required for an AD FS federation server farm deployment. Instructions for how to use this spreadsheet are available in the link provided for the next task.
Reference: AD FS Capacity Planning Spreadsheet

Prerequisite task: Gather data about the number of users who will require single sign-on (SSO) access to the target claims-aware application and the expected peak usage periods associated with this access
Description: The user data you collect will be used for the input values required by the AD FS Capacity Planning Sizing Spreadsheet.
Reference: Estimate the number of federation servers for your organization

Prerequisite task: AD FS Capacity Planning Spreadsheet for Windows Server 2016
Description: Updated planning worksheet for Windows Server 2016
Reference: Windows Server 2016 Capacity Planning
AD FS capacity planning terms
TERM / DEFINITION
Concurrent users: The estimated number of users that are expected to submit requests to the service within a given period of time, usually a peak activity period.
Active users: The approximate average number of users that are active on a system, but not necessarily submitting requests, during a given period of time.
Requests per second: The number of requests either submitted by clients (when talking about the load on a system) or processed by servers (when talking about server throughput) in a second. This metric is used in planning server processor and memory capacity.
Target server responsiveness and utilization: Success metrics that bound the acceptable server performance range. Generally, if responsiveness goes below or utilization goes above the target, the system is considered to be overloaded and more capacity is required.
Windows Internal Database (WID): The default AD FS configuration database that can be used as an alternative to SQL Server in certain AD FS deployments.
NOTE
Although 16 GB of RAM was used on the federation server during testing, a more moderate memory size, such as 4 GB of
RAM per federation server, can be used for most AD FS deployments. The recommendations that are provided in this
AD FS Capacity Planning content, along with the results provided by the AD FS Capacity Planning Spreadsheet, are based
on the assumption that each federation server will use approximately 4 GB of RAM in most AD FS production
environments.
The product team used the following configuration to gather performance and scalability data for the federation
server proxy testing:
Dual Quad Core 2.24 GHz (4 cores)
4-GB RAM
Windows Server 2008 R2, Enterprise Edition
Gigabit Network
NOTE
Capacity recommendations for AD FS servers can vary considerably, depending on the specifications you choose for the
hardware and network configuration to be used in a given environment. As a point of reference, the sizing guidance
provided in this content is based on a utilization target of 80 percent on the computers mentioned earlier.
See Also
AD FS Design Guide in Windows Server 2012
Planning for Federation Server Capacity
3/5/2021
NOTE
The number of federation servers that this spreadsheet will recommend is based on the hardware and network
specifications that the AD FS product team used during testing. Therefore, the number of federation servers that the
spreadsheet will recommend must be understood within this context. For more information about the specifications used
during testing, see the topic titled Planning for AD FS Server Capacity.
NOTE
The value that is automatically calculated in the cell to the right of the cell titled Total number of federation
servers recommended at the bottom of the spreadsheet contains a formula that adds a 20% buffer to the sum of all
the values in the individual rows preceding it. The formula in the Total number of federation servers recommended
cell builds this buffer into your total recommended number of deployed federation servers to make it very unlikely
that the overall load on the farm will ever reach its saturation point.
See Also
AD FS Design Guide in Windows Server 2012
Planning for Federation Server Proxy Capacity
3/5/2021
NOTE
For production deployments, we recommend a minimum of two federation server proxies for each federation server farm
instance you deploy.
See Also
AD FS Design Guide in Windows Server 2012
Appendix A: Reviewing AD FS Requirements
6/17/2021
So that the organizational partners in your Active Directory Federation Services (AD FS) deployment can
collaborate successfully, you must first make sure that your corporate network infrastructure is configured to
support AD FS requirements for accounts, name resolution, and certificates. AD FS has the following types of
requirements:
TIP
You can find additional AD FS resource links in Understanding Key AD FS Concepts.
Hardware requirements
The following minimum and recommended hardware requirements apply to the federation server and
federation server proxy computers.
RAM: 1 GB minimum, 4 GB recommended
Software requirements
AD FS relies on server functionality that is built into the Windows Server® 2012 operating system.
NOTE
The Federation Service and Federation Service Proxy role services cannot coexist on the same computer.
Certificate requirements
Certificates play the most critical role in securing communications between federation servers, federation server
proxies, claims-aware applications, and Web clients. The requirements for certificates vary, depending on
whether you are setting up a federation server or federation server proxy computer, as described in this section.
Federation server certificates
Federation servers require the certificates in the following table.
CERTIFICATE TYPE / DESCRIPTION / WHAT YOU NEED TO KNOW BEFORE DEPLOYING

Certificate type: Secure Sockets Layer (SSL) certificate
Description: This is a standard Secure Sockets Layer (SSL) certificate that is used for securing communications between federation servers and clients.
What you need to know before deploying: This certificate must be bound to the Default Web Site in Internet Information Services (IIS) for a Federation Server or a Federation Server Proxy. For a Federation Server Proxy, the binding must be configured in IIS prior to running the Federation Server Proxy Configuration Wizard successfully.
Recommendation: Because this certificate must be trusted by clients of AD FS, use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, VeriSign.
Tip: The Subject name of this certificate is used to represent the Federation Service name for each instance of AD FS that you deploy. For this reason, you may want to consider choosing a Subject name on any new CA-issued certificates that best represents the name of your company or organization to partners.

Certificate type: Service communication certificate
Description: This certificate enables WCF message security for securing communications between federation servers.
What you need to know before deploying: By default, the SSL certificate is used as the service communications certificate. This can be changed using the AD FS Management console.

Certificate type: Token-signing certificate
Description: This is a standard X.509 certificate that is used for securely signing all tokens that the federation server issues.
What you need to know before deploying: The token-signing certificate must contain a private key, and it should chain to a trusted root in the Federation Service. By default, AD FS creates a self-signed certificate. However, you can change this later to a CA-issued certificate by using the AD FS Management snap-in, depending on the needs of your organization.

Certificate type: Token-decryption certificate
Description: This is a standard X.509 certificate whose private key is used to decrypt any incoming tokens that are encrypted by a partner federation server. The certificate is also published in federation metadata so that partners can encrypt to it.
What you need to know before deploying: By default, AD FS creates a self-signed certificate. However, you can change this later to a CA-issued certificate by using the AD FS Management snap-in, depending on the needs of your organization.
Caution
Certificates that are used for token-signing and token-decrypting are critical to the stability of the Federation
Service. Because a loss or unplanned removal of any certificates that are configured for this purpose can disrupt
service, you should back up any certificates that are configured for this purpose.
For more information about the certificates that federation servers use, see Certificate Requirements for
Federation Servers.
Federation server proxy certificates
Federation server proxies require the certificates in the following table.
CERTIFICATE TYPE / DESCRIPTION / WHAT YOU NEED TO KNOW BEFORE DEPLOYING

Certificate type: Server authentication certificate
Description: This is a standard Secure Sockets Layer (SSL) certificate that is used for securing communications between a federation server proxy and Internet client computers.
What you need to know before deploying: This certificate must be bound to the Default Web Site in Internet Information Services (IIS) before you can run the AD FS Federation Server Proxy Configuration Wizard successfully.
Recommendation: Because this certificate must be trusted by clients of AD FS, use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, VeriSign.
Tip: The Subject name of this certificate is used to represent the Federation Service name for each instance of AD FS that you deploy. For this reason, you may want to consider choosing a Subject name that best represents the name of your company or organization to partners.
For more information about the certificates that federation server proxies use, see Certificate Requirements for
Federation Server Proxies.
Browser requirements
Although any current Web browser with JavaScript capability can be made to work as an AD FS client, the Web
pages that are provided by default have been tested only against Internet Explorer versions 7.0, 8.0 and 9.0,
Mozilla Firefox 3.0, and Safari 3.1 on Windows. JavaScript must be enabled, and cookies must be enabled for
browser-based sign-in and sign-out to work correctly.
The AD FS product team at Microsoft successfully tested the browser and operating system configurations in the
following table.
BROWSER / WINDOWS 7 / WINDOWS VISTA
Firefox 3.0: tested on Windows 7 and Windows Vista
Safari 3.1: tested on Windows 7 and Windows Vista
NOTE
AD FS supports both the 32-bit and 64-bit versions of all the browsers shown in the table above.
Cookies
AD FS creates session-based and persistent cookies that must be stored on client computers to provide sign-in,
sign-out, single sign-on (SSO), and other functionality. Therefore, the client browser must be configured to
accept cookies. Cookies that are used for authentication are always Secure Hypertext Transfer Protocol (HTTPS)
session cookies that are written for the originating server. If the client browser is not configured to allow these
cookies, AD FS cannot function correctly. Persistent cookies are used to preserve user selection of the claims
provider. You can disable them by using a configuration setting in the configuration file for the AD FS sign-in
pages.
Support for TLS/SSL is required for security reasons.
Network requirements
Configuring the following network services appropriately is critical for successful deployment of AD FS in your
organization.
TCP/IP network connectivity
For AD FS to function, TCP/IP network connectivity must exist between the client; a domain controller; and the
computers that host the Federation Service, the Federation Service Proxy (when it is used), and the AD FS Web
Agent.
DNS
The primary network service that is critical to the operation of AD FS, other than Active Directory Domain
Services (AD DS), is Domain Name System (DNS). When DNS is deployed, users can use friendly computer
names that are easy to remember to connect to computers and other resources on IP networks.
Windows Server 2008 uses DNS for name resolution instead of the Windows Internet Name Service (WINS)
NetBIOS name resolution that was used in Windows NT 4.0–based networks. It is still possible to use WINS for
applications that require it. However, AD DS and AD FS require DNS name resolution.
The process of configuring DNS to support AD FS varies, depending on whether:
Your organization already has an existing DNS infrastructure. In most scenarios, DNS is already
configured throughout your network so that Web browser clients in your corporate network have access
to the Internet. Because Internet access and name resolution are requirements of AD FS, this
infrastructure is assumed to be in place for your AD FS deployment.
You intend to add a federation server to your corporate network. For the purpose of authenticating users
in the corporate network, internal DNS servers in the corporate network forest must be configured to
return the CNAME of the internal server that is running the Federation Service. For more information, see
Name Resolution Requirements for Federation Servers.
You intend to add a federation server proxy to your perimeter network. When you want to authenticate
user accounts that are located in the corporate network of your identity partner organization, the internal
DNS servers in the corporate network forest must be configured to return the CNAME of the internal
federation server proxy. For information about how to configure DNS to accommodate the addition of
federation server proxies, see Name Resolution Requirements for Federation Server Proxies.
You are setting up DNS for a test lab environment. If you plan to use AD FS in a test lab environment
where no single root DNS server is authoritative, it is probable that you will have to set up DNS
forwarders so that queries to names between two or more forests will be forwarded appropriately. For
general information about how to set up an AD FS test lab environment, see AD FS Step-by-Step and
How To Guides.
NOTE
AD FS automatically creates an Active Directory attribute store, by default.
Attribute store requirements depend on whether your organization is acting as the account partner (hosting the
federated users) or the resource partner (hosting the federated application).
AD DS
For AD FS to operate successfully, domain controllers in either the account partner organization or the resource
partner organization must be running Windows Server 2003 SP1, Windows Server 2003 R2, Windows
Server 2008, or Windows Server 2012.
When AD FS is installed and configured on a domain-joined computer, the Active Directory user account store
for that domain is made available as a selectable attribute store.
IMPORTANT
Because AD FS requires the installation of Internet Information Services (IIS), we recommend that you not install the AD
FS software on a domain controller in a production environment for security purposes. However, this configuration is
supported by Microsoft Customer Service Support.
Schema requirements
AD FS does not require schema changes or functional-level modifications to AD DS.
Functional-level requirements
Most AD FS features do not require AD DS functional-level modifications to operate successfully. However,
Windows Server 2008 domain functional level or higher is required for client certificate authentication to
operate successfully if the certificate is explicitly mapped to a user's account in AD DS.
Service account requirements
If you are creating a federation server farm, you must first create a dedicated domain-based service account in
AD DS that the Federation Service can use. Later, you configure each federation server in the farm to use this
account. For more information about how to do this, see Manually Configure a Service Account for a Federation
Server Farm in the AD FS Deployment Guide.
LDAP
When you work with other Lightweight Directory Access Protocol (LDAP)-based attribute stores, you must
connect to an LDAP server that supports Windows Integrated authentication. The LDAP connection string must
also be written in the format of an LDAP URL, as described in RFC 2255.
SQL Server
For AD FS to operate successfully, computers that host the Structured Query Language (SQL) Server attribute
store must be running either Microsoft SQL Server 2005 or SQL Server 2008. When you work with SQL-based
attribute stores, you also must configure a connection string.
Custom attribute stores
You can develop custom attribute stores to enable advanced scenarios. The policy language that is built into AD
FS can reference custom attribute stores so that any of the following scenarios can be enhanced:
Creating claims for a locally authenticated user
Supplementing claims for an externally authenticated user
Authorizing a user to obtain a token
Authorizing a service to obtain a token on behalf of a user
When you work with a custom attribute store, you may also have to configure a connection string. In this
situation, you can enter any custom code you like that enables a connection to your custom attribute store. The
connection string in this situation is a set of name/value pairs that are interpreted as implemented by the
developer of the custom attribute store.
For more information about developing and using custom attribute stores, see Attribute Store Overview.
Application requirements
Federation servers can communicate with and protect federation applications, such as claims-aware
applications.
Authentication requirements
AD FS integrates naturally with existing Windows authentication, for example, Kerberos authentication, NTLM,
smart cards, and X.509 v3 client-side certificates. Federation servers use standard Kerberos authentication to
authenticate a user against a domain. Clients can authenticate by using forms-based authentication, smart card
authentication, and Windows Integrated authentication, depending on how you configure authentication.
The AD FS federation server proxy role makes possible a scenario in which the user authenticates externally
using SSL client authentication. You can also configure the federation server role to require SSL client
authentication, although typically the most seamless user experience is achieved by configuring the account
federation server for Windows Integrated authentication. In this situation, AD FS has no control over what
credentials the user employs for Windows desktop logon.
Smart card logon
Although AD FS can enforce the type of credentials that it uses for authentication (passwords, SSL client
authentication, or Windows Integrated authentication), it does not directly enforce authentication with smart
cards. Therefore, AD FS does not provide a client-side user interface (UI) to obtain smart-card personal
identification number (PIN) credentials. This is because Windows-based clients intentionally do not provide user
credential details to federation servers or Web servers.
Smart card authentication
Smart card authentication uses the Kerberos protocol to authenticate to an account federation server. AD FS
cannot be extended to add new authentication methods. The certificate in the smart card is not required to chain
up to a trusted root on the client computer. Use of a smart-card-based certificate with AD FS requires the
following conditions:
The reader and cryptographic service provider (CSP) for the smart card must work on the computer
where the browser is located.
The smart card certificate must chain up to a trusted root on the account federation server and the
account federation server proxy.
The certificate must map to the user account in AD DS by either of the following methods:
The certificate subject name corresponds to the LDAP distinguished name of a user account in
AD DS.
The certificate's subject alternative name (SAN) extension contains the user principal name (UPN) of a user
account in AD DS.
To support certain authentication strength requirements in some scenarios, it is also possible to configure AD FS
to create a claim that indicates how the user was authenticated. A relying party can then use this claim to make
an authorization decision.
See Also
AD FS Design Guide in Windows Server 2012
AD FS Deployment
3/5/2021
This document contains a list of all of the documentation for deploying AD FS for Windows Server 2016. This
includes the following:
Best Practices for Securing AD FS
Deploy Azure AD Connect Health to Monitor your on-premises identity infrastructure in the cloud
Plan Device-based Conditional Access on-Premises
Required Updates for AD FS and WAP
Set up Geographic Redundancy with SQL Server Replication
Set up the lab environment for AD FS in Windows Server 2012 R2
Upgrading to AD FS in Windows Server 2016 using a WID database
Upgrading to AD FS in Windows Server 2016 using a SQL database
Deploy AD FS in Azure
AD FS in Azure with Azure Traffic Manager
Windows Server 2016 and 2012 R2 Deployment Guide
Windows Server 2012 Deployment Guide
AD FS 2016 Deployment Guide
3/5/2021
The AD FS deployment guide is a comprehensive guide for deploying AD FS. This guide is made up of the
following:
Upgrading to AD FS in Windows Server 2016
Windows Server 2016 and 2012 R2 Deployment Guide
Windows Server 2012 Deployment Guide
Monitor your on-premises identity infrastructure and synchronization services in the cloud
Best practices for securing Active Directory Federation Services
6/22/2021
This document provides best practices for the secure planning and deployment of Active Directory Federation
Services (AD FS) and Web Application Proxy. It contains information about the default behaviors of these
components and recommendations for additional security configurations for an organization with specific use
cases and security requirements.
This document applies to AD FS and WAP in Windows Server 2012 R2, 2016, and 2019. These
recommendations can be used whether the infrastructure is deployed in an on premises network or in a cloud
hosted environment such as Microsoft Azure.
NOTE
AD FS requires a full writable Domain Controller to function as opposed to a Read-Only Domain Controller. If a planned
topology includes a Read-Only Domain controller, the Read-Only domain controller can be used for authentication but
LDAP claims processing will require a connection to the writable domain controller.
Ports required
The diagram below shows the firewall ports that must be open between the components of the AD FS and WAP
deployment. If the deployment does not include Azure AD / Office 365, the sync requirements can be disregarded.
Note that port 49443 is only required if user certificate authentication is used, which is optional for Azure
AD and Office 365.
NOTE
Port 808 (Windows Server 2012 R2) or port 1501 (Windows Server 2016 and later) is the Net.TCP port AD FS uses for the
local WCF endpoint to transfer configuration data to the service process and PowerShell. This port can be seen by running
Get-AdfsProperties | select NetTcpPort. This is a local port that does not need to be opened in the firewall but will be
displayed in a port scan.
For additional information on required ports and protocols required for hybrid deployments see the document
here.
For detailed information about ports and protocols required for an Azure AD and Office 365 deployment, see
the document here.
Endpoints enabled
When AD FS and WAP are installed, a default set of AD FS endpoints are enabled on the federation service and
on the proxy. These defaults were chosen based on the most commonly required and used scenarios and it is
not necessary to change them.
[Optional] Minimum set of endpoints enabled on the proxy for Azure AD / Office 365
Organizations deploying AD FS and WAP only for Azure AD and Office 365 scenarios can limit even further the
number of AD FS endpoints enabled on the proxy to achieve a more minimal attack surface. Below is the list of
endpoints that must be enabled on the proxy in these scenarios:
ENDPOINT / PURPOSE
/adfs/services/trust/2005/usernamemixed: Used for Exchange Online with Office clients older than the Office 2013 May 2015 update. Later clients use the passive /adfs/ls endpoint.
/adfs/services/trust/13/usernamemixed: Used for Exchange Online with Office clients older than the Office 2013 May 2015 update. Later clients use the passive /adfs/ls endpoint.
/adfs/oauth2: Used for any modern apps (on-premises or in the cloud) that you have configured to authenticate directly to AD FS (that is, not through Azure AD).
/adfs/services/trust/mex: Used for Exchange Online with Office clients older than the Office 2013 May 2015 update. Later clients use the passive /adfs/ls endpoint.
/adfs/ls/federationmetadata/2007-06/federationmetadata.xml: Required for any passive flows, and used by Office 365 / Azure AD to check AD FS certificates.
AD FS endpoints can be disabled on the proxy using the following PowerShell cmdlet:
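The cmdlet itself is not shown on this page. The following is an added example, not the page's own text, that assumes Set-AdfsEndpoint with -Proxy $false is the cmdlet meant, and applies it to every endpoint outside the table above. It runs on the primary federation server, reports first and changes nothing unless -Apply is given. Two assumptions are labelled in the code: /adfs/ls/ is kept because the table's notes say later clients use that passive endpoint, and the metadata path is accepted in both the table's spelling and the /FederationMetadata/... spelling that Get-AdfsEndpoint reports.

```powershell
# Added example, not from the original page. Reports (and with -Apply removes) proxy
# publication for every endpoint outside the minimum set in the table above. Run on
# the primary federation server. Assumptions: Set-AdfsEndpoint -Proxy $false is the
# cmdlet the page refers to; /adfs/ls is kept because the table's notes say later
# clients use that passive endpoint; AddressPath values are normalised (case and
# trailing slash) before comparison, and the metadata path is accepted in either spelling.
param([switch]$Apply)
Import-Module ADFS

$keepOnProxy = @(
    '/adfs/ls',                                                  # assumption: passive endpoint named in the table's notes
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/oauth2',
    '/adfs/services/trust/mex',
    '/adfs/ls/federationmetadata/2007-06/federationmetadata.xml',
    '/federationmetadata/2007-06/federationmetadata.xml'          # assumption: spelling reported by Get-AdfsEndpoint
)

function ConvertTo-NormalisedPath { param([string]$Path) $Path.TrimEnd('/').ToLowerInvariant() }

function Get-ProxyEndpointsToDisable {
    param([string[]]$Keep)
    $keepSet = @($Keep | ForEach-Object { ConvertTo-NormalisedPath $_ })
    # Only endpoints currently published on the proxy and not in the keep list.
    Get-AdfsEndpoint | Where-Object {
        $_.Proxy -and ((ConvertTo-NormalisedPath $_.AddressPath) -notin $keepSet)
    }
}

$targets = @(Get-ProxyEndpointsToDisable -Keep $keepOnProxy)
if ($targets.Count -eq 0) { 'Proxy publication is already limited to the minimum endpoint set.'; return }

'Endpoints currently published on the proxy that are outside the minimum set:'
$targets | Select-Object AddressPath, Protocol, SecurityMode, Enabled | Format-Table -AutoSize

if ($Apply) {
    foreach ($ep in $targets) {
        # Turn off proxy publication only; the endpoint stays reachable on the internal network.
        Set-AdfsEndpoint -TargetAddressPath $ep.AddressPath -Proxy $false
    }
    "Disabled proxy publication for $($targets.Count) endpoint(s). Verify with: Get-AdfsEndpoint | Where-Object Proxy"
} else {
    'Dry run. Re-run with -Apply to disable proxy publication for the endpoints listed above.'
}
```

Review the dry-run list before applying: anything a client still relies on, for example the OpenID Connect discovery endpoints that Windows Server 2016 lists separately, or /adfs/services/trust/13/certificatemixed for user certificate authentication, will stop working externally once removed from the proxy.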
To verify the extended protection setting, run Get-AdfsProperties and inspect the ExtendedProtectionTokenCheck
property. The default setting is Allow, so that the security benefits can be achieved without the compatibility
concerns with browsers that do not support the capability.
Congestion control to protect the federation service
The federation service proxy (part of the WAP) provides congestion control to protect the AD FS service from a
flood of requests. The Web Application Proxy will reject external client authentication requests if the federation
server is overloaded as detected by the latency between the Web Application Proxy and the federation server.
This feature is configured by default with a recommended latency threshold level.
To verify or change the settings:
1. On your Web Application Proxy computer, start an elevated command window.
2. Navigate to the AD FS configuration directory, %WINDIR%\adfs\config.
3. Change the congestion control settings from their default values to
<congestionControl latencyThresholdInMSec="8000" minCongestionWindowSize="64" enabled="true" /> .
4. Save and close the file.
5. Restart the AD FS service by running net stop adfssrv and then net start adfssrv. For your reference,
guidance on this capability can be found here.
Standard HTTP request checks at the proxy
The proxy also performs the following standard checks against all traffic:
- The FS-P itself authenticates to AD FS via a short-lived certificate. In a scenario of suspected compromise of DMZ servers, AD FS can "revoke proxy trust" so that it no longer trusts any incoming requests from potentially compromised proxies. Revoking the proxy trust revokes each proxy's own certificate so that it cannot successfully authenticate for any purpose to the AD FS server.
- The FS-P terminates all connections and creates a new HTTP connection to the AD FS service on the internal network. This provides a session-level buffer between external devices and the AD FS service. The external device never connects directly to the AD FS service.
- The FS-P performs HTTP request validation that specifically filters out HTTP headers that are not required by the AD FS service.
Best practice for securing and monitoring the AD FS trust with Azure AD
When you federate your AD FS with Azure AD, it is critical that the federation configuration (the trust relationship configured between AD FS and Azure AD) is monitored closely, and that any unusual or suspicious activity is captured. To do so, we recommend setting up alerts and getting notified whenever any changes are made to the federation configuration. To learn how to set up alerts, see Monitor changes to federation configuration.
where:
CertificateThumbprint is your SSL certificate
SigningCertificateThumbprint is your signing certificate (with HSM protected key)
DecryptionCertificateThumbprint is your encryption certificate (with HSM protected key)
Plan Device-based Conditional Access on-Premises
3/23/2021 • 4 minutes to read
This document describes conditional access policies based on devices in a hybrid scenario where the on-
premises directories are connected to Azure AD using Azure AD Connect.
The three registration methods compared (columns: Add Work or School Account, Windows 10 Azure AD Join, Domain Join):
Description
    Add Work or School Account: Users add their work or school account to their BYOD device interactively. Note: Add Work or School Account is the replacement for Workplace Join in Windows 8/8.1.
    Windows 10 Azure AD Join: Users join their Windows 10 work device to Azure AD.
    Domain Join: Windows 10 domain joined devices automatically register with Azure AD.
How users log in to the device
    Add Work or School Account: No login to Windows as the work or school account. Login using a Microsoft account.
    Windows 10 Azure AD Join: Login to Windows as the (work or school) account that registered the device.
    Domain Join: Login using AD account.
How devices are managed
    Add Work or School Account: MDM Policies (with additional Intune enrollment)
    Windows 10 Azure AD Join: MDM Policies (with additional Intune enrollment)
    Domain Join: Group Policy, Configuration Manager
W10 Settings location
    Add Work or School Account: Settings > Accounts > Your account > Add a work or school account
    Windows 10 Azure AD Join: Settings > System > About > Join Azure AD
    Domain Join: Settings > System > About > Join a domain
For more information on the different ways to register devices, see also:
Using Windows 10 devices in your workplace
Setting up Windows 10 devices for work
Join Windows 10 Mobile to Azure Active Directory
How Windows 10 User and Device Sign on is different from previous versions
For Windows 10 and AD FS 2016 there are some new aspects of device registration and authentication you
should know about (especially if you are very familiar with device registration and "workplace join" in previous
releases).
First, in Windows 10 and AD FS in Windows Server 2016, device registration and authentication is no longer
based solely on an X509 user certificate. There is a new and more robust protocol that provides better security
and a more seamless user experience. The key differences are that, for Windows 10 Domain Join and Azure AD
Join, there is an X509 computer certificate and a new credential called a PRT. You can read all about it here and
here.
Second, Windows 10 and AD FS 2016 support user authentication using Microsoft Passport for Work, which
you can read about here and here.
AD FS 2016 provides seamless device and user SSO based on both PRT and Passport credentials. Using the
steps in this document, you can enable these capabilities and see them work.
Device Access Control Policies
Devices can be used in simple AD FS access control rules such as:
allow access only from a registered device
require multi factor authentication when a device is not registered
These rules can then be combined with other factors such as network access location and multi factor
authentication, creating rich conditional access policies such as:
require multi factor authentication for unregistered devices accessing from outside the corporate network,
except for members of a particular group or groups
With AD FS 2016, these policies can be configured specifically to require a particular device trust level as well: either authenticated, managed, or compliant.
For more information on configuring AD FS access control policies, see Access control policies in AD FS.
Authenticated devices
Authenticated devices are registered devices that are not enrolled in MDM (Intune and 3rd party MDMs for Windows 10, Intune only for iOS and Android).
Authenticated devices will have the isManaged AD FS claim with value FALSE. (Whereas devices that are not registered at all will lack this claim.) Authenticated devices (and all registered devices) will have the isKnown AD FS claim with value TRUE.
Managed devices
Managed devices are registered devices that are enrolled with MDM.
Managed devices will have the isManaged AD FS claim with value TRUE.
Compliant devices (with MDM or Group Policies)
Compliant devices are registered devices that are not only enrolled with MDM but compliant with the MDM policies. (Compliance information originates with the MDM and is written to Azure AD.)
Compliant devices will have the isCompliant AD FS claim with value TRUE.
For complete list of AD FS 2016 device and conditional access claims, see Reference.
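As an added example that is not part of this article, the script below turns the two policies described above (permit only registered devices; require MFA for unregistered devices from outside the corporate network except for one group) into custom AD FS claim rules using the device and request claims from the Reference section. It assumes a relying party trust named "Claims Test App" and a placeholder group SID, both of which must be replaced; the claim type URIs are taken exactly as this article lists them, and because claim rule matching is an exact string comparison they should be checked against what the farm issues (Get-AdfsClaimDescription) before use.

```powershell
# Added example (not from the article): custom issuance authorization and additional
# authentication rules built on the device claims listed in the Reference section.
# Assumed: relying party "Claims Test App", placeholder exempt-group SID, and that the
# claim type URIs below match what the farm issues.
Import-Module ADFS

$rpName         = "Claims Test App"     # assumed relying party trust name
$exemptGroupSid = "S-1-5-21-0-0-0-0"    # placeholder: SID of the group exempt from MFA

$isKnown   = "https://schemas.microsoft.com/2014/02/devicecontext/claims/isknown"
$insideNet = "https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$groupSid  = "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$permit    = "http://schemas.microsoft.com/authorization/claims/permit"
$authnRefs = "https://schemas.microsoft.com/claims/authnmethodsreferences"
$mfaMethod = "http://schemas.microsoft.com/claims/multiple-authn"

# Rule 1 (issuance authorization): allow access only from a registered device.
# Unregistered devices never carry the isKnown claim, so no permit claim is issued
# for them and access is denied.
$authzRules = @"
@RuleName = "Permit only registered devices"
c:[Type == "$isKnown", Value =~ "(?i)^true$"]
 => issue(Type = "$permit", Value = "true");
"@

# Rule 2 (additional authentication): require MFA when the device is not registered
# AND the request comes from outside the corporate network, unless the user is a
# member of the exempt group. Issuing the multiple-authn reference is how AD FS is
# told to demand a second factor.
$mfaRules = @"
@RuleName = "MFA for unregistered devices outside the corporate network"
NOT EXISTS([Type == "$isKnown", Value =~ "(?i)^true$"])
 && EXISTS([Type == "$insideNet", Value =~ "(?i)^false$"])
 && NOT EXISTS([Type == "$groupSid", Value == "$exemptGroupSid"])
 => issue(Type = "$authnRefs", Value = "$mfaMethod");
"@

# Custom rules only take effect when no access control policy is assigned to the
# trust (AD FS 2016 otherwise locks the rule properties), hence the reset to $null
# first (assumed to be needed on this farm).
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -AdditionalAuthenticationRules $mfaRules

# Check: read back the rules now in force for the trust
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, IssuanceAuthorizationRules, AdditionalAuthenticationRules |
    Format-List
```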
Reference
Complete list of new AD FS 2016 and device claims
https://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn
https://schemas.microsoft.com/2014/03/psso
https://schemas.microsoft.com/2015/09/prt
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
https://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid
https://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
https://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid
https://schemas.microsoft.com/2012/01/devicecontext/claims/displayname
https://schemas.microsoft.com/2012/01/devicecontext/claims/identifier
https://schemas.microsoft.com/2012/01/devicecontext/claims/ostype
https://schemas.microsoft.com/2012/01/devicecontext/claims/osversion
https://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged
https://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser
https://schemas.microsoft.com/2014/02/devicecontext/claims/isknown
https://schemas.microsoft.com/2014/02/deviceusagetime
https://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant
https://schemas.microsoft.com/2014/09/devicecontext/claims/trusttype
https://schemas.microsoft.com/claims/authnmethodsreferences
https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork
https://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id
https://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid
https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip
https://schemas.microsoft.com/2014/09/requestcontext/claims/userip
https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
Required Updates for Active Directory Federation
Services (AD FS) and Web Application Proxy (WAP)
4/20/2021 • 14 minutes to read
As of October 2016, all updates to all components of Windows Server are released only via Windows Update
(WU). There are no more hotfixes or individual downloads. This applies to Windows Server 2016, Windows
Server 2012 R2, Windows Server 2012 and Windows Server 2008 R2 SP1.
This page lists rollup packages of particular interest for AD FS and WAP, as well as the historic list of hotfix
updates recommended for AD FS and WAP.
KB # (OS build), date released, and description:

4489889 (OS Build 14393.2879), March 2019
    - Addresses an issue in Active Directory Federation Services (AD FS) that causes a duplicate relying party trust to appear in the AD FS management console. This occurs when you create or view relying party trusts using the AD FS management console.
    - Addresses a high Active Directory Federation Services (ADFS) Web Application Proxy (WAP) latency issue (over 10,000ms) that occurs while Extranet Smart Lockout (ESL) is enabled on AD FS 2016. This security update addresses the vulnerability described in CVE-2018-16794.

4487006 (OS Build 14393.2828), February 2019
    - Addresses an issue that causes updates to a relying party trust to fail when using PowerShell or the Active Directory Federation Services (AD FS) management console. This issue occurs if you configure a relying party trust to use an online metadata URL that publishes more than one PassiveRequestorEndpoint. The error is, "MSIS7615: The trusted endpoints specified in a relying party trust must be unique for that relying party trust."
    - Addresses an issue that displays a specific error message for external complexity password changes because of Azure Password Protection policies.

4103720 (OS Build 14393.2273), May 2018
    - Addresses an issue with ADFS that causes an IdP-initiated login to a SAML relying party to fail when PreventTokenReplays is enabled.
    - Addresses an ADFS issue that occurs when OAUTH authenticates from a device or browser application. A user password change generates a failure and requires the user to exit the app or browser to log in.

4093120 (OS Build 14393.2214), April 2018
    - Addresses an unhandled refresh token validation issue. It generates the following error: "Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInvalidRefreshTokenException: MSIS9312: Received invalid OAuth refresh token. The refresh token was received earlier than the permitted time in the token."

4077525 (OS Build 14393.2097), February 2018
    - Addresses an issue where an HTTP 500 error occurs when an ADFS farm has at least two servers using Windows Internal Database (WID). In this scenario, HTTP basic pre-authentication on the Web Application Proxy (WAP) server fails to authenticate some users. When the error occurs, you might also see the Microsoft Windows Web Application Proxy warning Event ID 13039 in the WAP event log. The description reads, "Web Application Proxy failed to authenticate the user. Pre-authentication is 'ADFS For Rich Clients'. The given user is not authorized to access the given relying party. The authorization rules of either the target relying party or the WAP relying party are needed to be modified."
    - Addresses an issue in which AD FS can no longer ignore prompt=login during authentication. A Disabled option was added to support scenarios in which password authentication is not used. For more information, see AD FS ignores the "prompt=login" parameter during an authentication in Windows Server 2016 RTM.

4041688 (OS Build 14393.1794), October 2017
    - This fix addresses an issue that intermittently misdirects AD Authority requests to the wrong Identity Provider because of incorrect caching behavior. This can affect authentication features like Multi Factor Authentication.
    - Added the ability for AAD Connect Health to report ADFS server health with correct fidelity (using verbose auditing) on mixed WS2012R2 and WS2016 ADFS farms.

4038801 (OS Build 14393.1737), September 2017
    - Support added for OIDC logout using federated LDPs. This will allow "Kiosk Scenarios" where multiple users might be serially logged into a single device where there is federation with an LDP.
    - Fixed a WinHello issue where CEP/CES based certificates don't work with gMSA accounts.

4034661 (OS Build 14393.1613), August 2017
    - Fixes a problem where the caller IP address is not logged by 411 events in the Security Event log of ADFS 4.0 \ Windows Server 2016 RS1 ADFS servers even after enabling "success audits" and "failure audits".
    - This fix addresses an issue with Azure Multi Factor Authentication (MFA) when an ADFS server is configured to use an HTTP Proxy.

4034658 (OS Build 14393.1593), August 2017
    - Fix for 2016 AD FS server in order to support MFA certificate enrollment for Windows Hello For Business for on-prem deployments.

4025334 (OS Build 14393.1532), July 2017
    - Addressed an issue where the PkeyAuth token handler could fail an authentication if the pkeyauth request contains incorrect data. The authentication should still continue without performing device authentication.

4022723 (OS Build 14393.1378), June 2017
    - [Web Application Proxy] Value of DisableHttpOnlyCookieProtection configuration property is not picked up by WAP 2016 in 2012R2/2016 mixed deployment.
    - [Web Application Proxy] Unable to obtain user access token from AD FS in EAS Pre-auth scenarios.

4019217, May 2017 Preview Update Rollup
    - Work Folders clients using token broker do not work when using a Server 2012 R2 AD FS Server.
Overview
Starting with AD FS in Windows Server 2016, you can run the cmdlet Install-AdfsFarm as a local administrator on your federation server, provided your Domain Administrator has prepared Active Directory. The script below in this article can be used to prepare AD. The steps are as follows:
1. As Domain Administrator, run the script (or create the Active Directory objects and permissions manually).
2. The script will return an AdminConfiguration object containing the DN of the newly created AD object.
3. On the federation server, execute the Install-AdfsFarm cmdlet while logged on as a local administrator, passing the object from #2 above as the AdminConfiguration parameter.
Assumptions
Contoso\localadmin is a non-Domain Admin built-in admin on the federation server
Contoso\FsSvcAcct is a domain account that will be the AD FS service account
Contoso\FsGmsaAcct$ is a gMSA account that will be the AD FS service account
$svcCred is the credentials of the AD FS service account
$localAdminCred is the credentials of the local (non DA) admin account on the federation server
Sample Output
$adminconfig.DkmContainerDN
CN=9530440c-bc84-4fe6-a3f9-8d60162a7bcf,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com
PS:\>$adminConfig = @{"DKMContainerDn"="CN=9530440c-bc84-4fe6-a3f9-8d60162a7bcf,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com"}
Next, create the farm:
PS:\>$svcCred = (get-credential)
PS:\>$localAdminCred = (get-credential)
PS:\>Install-AdfsFarm -CertificateThumbprint 270D041785C579D75C1C981DA0F9C36ECFDB65E0 -FederationServiceName "fs.contoso.com" -ServiceAccountCredential $svcCred -Credential $localAdminCred -OverwriteConfiguration -AdminConfiguration $adminConfig -Verbose
Sample Output
$adminconfig.DkmContainerDN
CN=8065f653-af9d-42ff-aec8-56e02be4d5f3,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com
PS:\>$adminConfig = @{"DKMContainerDn"="CN=8065f653-af9d-42ff-aec8-56e02be4d5f3,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com"}
Next, create the farm. Note that the local computer account and the AD FS admin account need to be granted the retrieve password and delegate to account rights on the gMSA.
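As an added example that is not one of this article's own listings, the script below creates the farm for the gMSA case and, before doing so, checks the two things the procedure depends on: that this computer can retrieve the gMSA password, and who holds rights on the DKM container that the Domain Administrator's preparation script returned. It assumes the gMSA contoso\FsGmsaAcct$ and the service name fs.contoso.com from the Assumptions list; the DKM container DN and the certificate thumbprint are placeholders to replace with your own values.

```powershell
# Added example (not the article's listing): gMSA farm creation with pre-install checks.
# Assumed: gMSA contoso\FsGmsaAcct$, federation service name fs.contoso.com; the DN and
# thumbprint below are placeholders.
Import-Module ActiveDirectory

# DN handed over by the Domain Administrator (placeholder; use the preparation script's output)
$adminConfig = @{ "DKMContainerDn" = "CN=<guid-from-script>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com" }
$gmsaName = 'FsGmsaAcct$'

function Test-GmsaUsable {
    # True only if this host may retrieve the gMSA password (the "retrieve password"
    # right mentioned above); Test-ADServiceAccount performs exactly that check.
    param([string]$Name)
    return [bool](Test-ADServiceAccount -Identity $Name)
}

function Get-DkmContainerAccess {
    # Lists the explicit (non-inherited) ACEs on the DKM container. The container protects
    # the AD FS key material, so any principal beyond the service account, the AD FS admin
    # and the built-in privileged groups deserves a second look before the farm is built.
    param([string]$ContainerDn)
    $acl = Get-Acl -Path ("AD:\" + $ContainerDn)
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

if (-not (Test-GmsaUsable -Name $gmsaName)) {
    throw "This computer cannot retrieve the password of $gmsaName; grant it the retrieve password right on the gMSA first."
}

Write-Output "Explicit ACEs on the DKM container:"
Get-DkmContainerAccess -ContainerDn $adminConfig.DKMContainerDn | Format-Table -AutoSize

Write-Output "Principals allowed to retrieve the gMSA password:"
(Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

$localAdminCred = Get-Credential -Message "Local (non-DA) administrator on the federation server"

# Same call as the domain-account case shown above, with the gMSA identifier in place
# of -ServiceAccountCredential.
Install-AdfsFarm -CertificateThumbprint "<ssl-cert-thumbprint>" `
    -FederationServiceName "fs.contoso.com" `
    -GroupServiceAccountIdentifier 'contoso\FsGmsaAcct$' `
    -Credential $localAdminCred `
    -OverwriteConfiguration `
    -AdminConfiguration $adminConfig -Verbose
```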
[CmdletBinding(SupportsShouldProcess=$true)]
param (
    [Parameter(Mandatory=$True)]
    [string]$ServiceAccount,
    [Parameter(Mandatory=$True)]
    [string]$AdfsAdministratorAccount
)

$ServiceAccountSplit = $ServiceAccount.Split("\");
if ($ServiceAccountSplit.Length -ne 2)
{
    Write-Error "Specify the ServiceAccount identifier in 'domain\username' format"
    exit 1
}

$AdfsAdministratorAccountSplit = $AdfsAdministratorAccount.Split("\");
if ($AdfsAdministratorAccountSplit.Length -ne 2)
{
    Write-Error "Specify the AdfsAdministratorAccount identifier in 'domain\username' format"
    exit 1
}

#######################################
## Verify AD module is installed
#######################################
$m = "ActiveDirectory"
if (Get-Module | Where-Object {$_.Name -eq $m})
{
    Write-Verbose "Module $m is already imported."
}
else
{
    if (Get-Module -ListAvailable | Where-Object {$_.Name -eq $m})
    {
        Import-Module $m -Verbose
    }
    else
    {
        Write-Error "Module $m was not imported, install the Active Directory RSAT package and retry."
        exit 1
    }
}

# The ActiveDirectoryAccessRule / ActiveDirectoryRights types used below live here
Add-Type -AssemblyName System.DirectoryServices

#######################################
## Helper: resolve 'domain\name' to a SID. A trailing $ means a gMSA or
## computer account, which is looked up as a service account; anything else
## is a standard AD user.
#######################################
function Resolve-AccountSid
{
    param([string]$Account, [string]$Role)
    if ($Account.EndsWith("$"))
    {
        Write-Verbose "$Role passed with $ suffix indicating a gMSA or computer account"
        $userNameSplit = $Account.Split("\");
        return (Get-ADServiceAccount -Identity $userNameSplit[1]).SID
    }
    Write-Verbose "$Role is a standard AD user"
    $objUser = New-Object System.Security.Principal.NTAccount($Account)
    return $objUser.Translate([System.Security.Principal.SecurityIdentifier])
}

#######################################
## Helper: build an Allow ACE for one right, inherited by the whole subtree
## (assumed helper: the listing above omits how $ace1..$ace6 were constructed)
#######################################
function New-AllowAce
{
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    return New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
}

#######################################
## Rights granted on the DKM container, for the service account and the adfs admin:
# Read
# Create Child
# Write Owner
# Delete Tree
# Write DACL
# Write Property
#######################################
$dkmRights = @(
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
)

Push-Location ad:

#######################################
## Generate random DKM container name
## The OU Name is a randomly generated Guid
#######################################
[string]$guid = [Guid]::NewGuid()
Write-Verbose ("OU Name: " + $guid)
$ouName = $guid

$initialPath = "CN=Microsoft,CN=Program Data," + (Get-ADDomain).DistinguishedName
$ouPath = "CN=ADFS," + $initialPath
$ou = "CN=" + $ouName + "," + $ouPath

$adminSID   = Resolve-AccountSid -Account $AdfsAdministratorAccount -Role "ADFS administrator account"
$serviceSID = Resolve-AccountSid -Account $ServiceAccount -Role "service account"

if ($PSCmdlet.ShouldProcess($ou, "Create DKM container and grant permissions"))
{
    #######################################
    ## Create DKM container and assign default ACE which allows adfs admin read access
    ## (the two New-ADObject calls are assumed; the listing above omits them)
    #######################################
    if (-not (Get-ADObject -Filter { Name -eq "ADFS" } -SearchBase $initialPath -SearchScope OneLevel))
    {
        New-ADObject -Name "ADFS" -Type Container -Path $initialPath
    }
    New-ADObject -Name $ouName -Type Container -Path $ouPath

    $acl = Get-Acl -Path $ouPath
    $ace1 = New-AllowAce -Identity $adminSID -Rights ([System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
    $acl.AddAccessRule($ace1)
    Set-Acl -Path $ouPath -AclObject $acl

    #######################################
    ## Grant the DKM container permissions to the service account
    #######################################
    $acl = Get-Acl -Path $ou
    foreach ($right in $dkmRights)
    {
        $acl.AddAccessRule((New-AllowAce -Identity $serviceSID -Rights $right))
    }
    $acl.SetOwner($serviceSID)
    Set-Acl -Path $ou -AclObject $acl

    #######################################
    ## Grant the same permissions to the adfs admin account
    #######################################
    $acl = Get-Acl -Path $ou
    foreach ($right in $dkmRights)
    {
        $acl.AddAccessRule((New-AllowAce -Identity $adminSID -Rights $right))
    }
    $acl.SetOwner($adminSID)
    Set-Acl -Path $ou -AclObject $acl

    $adminConfig = @{"DKMContainerDn"=$ou}
    Write-Output $adminConfig
}

Pop-Location
Setup Geographic Redundancy with SQL Server
Replication
3/5/2021 • 5 minutes to read
IMPORTANT
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008
or higher.
If you are using SQL Server as your AD FS configuration database, you can set up geo-redundancy for your AD
FS farm using SQL Server replication. Geo-redundancy replicates data between two geographically distant sites
so that applications can switch from one site to another. This way, in case of the failure of one site, you can still
have all the configuration data available at the second site. For more information, see the "SQL Server
geographic redundancy section" in Federation Server Farm Using SQL Server.
Prerequisites
Install and configure a SQL server farm. For more information, see
https://technet.microsoft.com/evalcenter/hh225126.aspx. On the initial SQL Server, make sure that the SQL
Server Agent service is running and set to automatic start.
4. Copy the scripts to your secondary server. Open the CreateDB.sql script in SQL Management Studio and click Execute.
5. Open the SetPermissions.sql script in SQL Management Studio and click Execute.
NOTE
You can also use the following from the command line.
c:\>sqlcmd -i CreateDB.sql
c:\>sqlcmd -i SetPermissions.sql
1. From the SQL Server Management Studio, under Replication, right-click Local Publications and choose New Publication...
2. On the New Publication Wizard screen click Next.
7. On Subscriber Types, choose SQL Server 2008 or later and click Next.
8. On the Articles page select the Tables node to select all tables, then un-check the SyncProperties table (this one should not be replicated).
9. On the Articles page, select the User Defined Functions node to select all User Defined Functions and click Next.
10. On the Article issues page click Next.
You may need to create a domain account for the SQL agent. Use the steps in Configure SQL login for the
domain account CONTOSO\sqlagent to create SQL login for this new AD user and assign specific
permissions.
13. On the Agent Security page, click Security Settings and enter the username/password of a domain account (not a GMSA) created for the SQL agent and click OK. Click Next.
14. On the Wizard Actions page, click Next.
15. On the Complete the Wizard page, enter a name for your publication and click Finish.
16. Once the publication is created you should see the status of success. Click Close.
17. Back in SQL Server Management Studio, right-click the new Publication and click Launch Replication Monitor.
Create subscription settings on the replica SQL Server
Make sure that you created the publisher settings on the initial SQL Server as described above and then
complete the following procedure:
1. On the replica SQL Server, from SQL Server Management Studio, under Replication, right-click Local Subscriptions and choose New Subscription....
4. On the Merge Agent Location page, select Run each agent at its Subscriber (pull subscriptions) (the default) and click Next.
This, along with Subscription Type below, determines the conflict resolution logic. (For more information, see Detect and Resolve Merge Replication Conflicts.)
5. On the Subscribers page, select AdfsConfigurationV3 as the subscriber database and click Next.
6. On the Merge Agent Security page, click ... and enter the username and password of a domain account (not a GMSA) created for the SQL agent by using the ellipses box and click Next.
7. On Synchronization Schedule, choose Run Continuously and click Next.
10. On the Wizard Actions page, ensure Create the subscription is checked and click Next.
11. On the Complete the Wizard page, click Finish.
12. Once the subscription has finished the creation process, you should see success. Click Close.
Verify the process of initialization and replication
1. On the primary SQL server, right-click the Replication node and click Launch Replication Monitor.
2. In Replication Monitor, click the publication.
3. On the All Subscriptions tab, right-click and View Details.
You should be able to see many entries under Actions for the initial replication.
4. Additionally, you can look under the SQL Server Agent\Jobs node to see the job(s) scheduled to execute the operations of the publication/subscription. Only local jobs are shown, so make sure to check on the publisher and the subscriber for troubleshooting. Right-click a job and select View History to view execution history and results.
This topic outlines the steps to configure a test environment that can be used to complete the walkthroughs in
the following walkthrough guides:
Walkthrough: Workplace Join with an iOS Device
Walkthrough: Workplace Join with a Windows Device
Walkthrough Guide: Manage Risk with Conditional Access Control
Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
NOTE
We do not recommend that you install the web server and the federation server on the same computer.
1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.
The Active Directory Federation Service Configuration Wizard opens.
2. On the Welcome page, select Create the first federation server in a federation server farm, and then click Next.
3. On the Connect to AD DS page, specify an account with domain administrator rights for the contoso.com Active Directory domain that this computer is joined to, and then click Next.
4. On the Specify Service Properties page, do the following, and then click Next:
Import the SSL certificate that you have obtained earlier. This certificate is the required service authentication certificate. Browse to the location of your SSL certificate.
To provide a name for your federation service, type adfs1.contoso.com. This value is the same value that you provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).
To provide a display name for your federation service, type Contoso Corporation.
5. On the Specify Service Account page, select Use an existing domain user account or group Managed Service Account, and then specify the GMSA account fsgmsa that you created when you created the domain controller.
6. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.
7. On the Review Options page, verify your configuration selections, and then click Next.
8. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.
9. On the Results page, review the results, check whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment.
Configure Device Registration Service
The next step is to configure Device Registration Service on the ADFS1 server. For a video, see Active Directory
Federation Services How-To Video Series: Enabling the Device Registration Service.
To configure Device Registration Service for Windows Server 2012 RTM
1. IMPORTANT
The following step applies to the Windows Server 2012 R2 RTM build.
Enable-AdfsDeviceRegistration
2. On the ADFS1 server, in the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.
Add Host (A ) and Alias (CNAME) Resource Records to DNS
On DC1, you must ensure that the following Domain Name System (DNS) records are created for Device
Registration Service.
ENTRY    TYPE    ADDRESS
You can use the following procedure to add a host (A) resource record to corporate DNS name servers for the
federation server and Device Registration Service.
Membership in the Administrators group or an equivalent is the minimum requirement to complete this procedure. Review details about using the appropriate accounts and group memberships in Local and Domain Default Groups (https://go.microsoft.com/fwlink/p/?LinkId=83477).
To add a host (A) and alias (CNAME) resource records to DNS for your federation server
1. On DC1, from Server Manager, on the Tools menu, click DNS to open the DNS snap-in.
2. In the console tree, expand DC1, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA).
3. In Name, type the name you want to use for your AD FS farm. For this walkthrough, type adfs1.
4. In IP address, type the IP address of the ADFS1 server. Click Add Host.
5. Right-click contoso.com, and then click New Alias (CNAME).
6. In the New Resource Record dialog box, type enterpriseregistration in the Alias name box.
7. In the Fully Qualified Domain Name (FQDN) of the target host box, type adfs1.contoso.com, and then click OK.
IMPORTANT
In a real-world deployment, if your company has multiple user principal name (UPN) suffixes, you must create
multiple CNAME records, one for each of those UPN suffixes in DNS.
NOTE
These steps have been tested on a web server that runs the Windows Server 2012 R2 operating system.
1. NOTE
You must have access to the Windows Server 2012 R2 installation media.
c:[]
 => issue(claim = c);
See Also
Active Directory Federation Services How-To Video Series: Installing an AD FS Server Farm
Active Directory Federation Services How-To Video Series: Updating Certificates
Active Directory Federation Services How-To Video Series: Add a Relying Party Trust
Active Directory Federation Services How-To Video Series: Enabling the Device Registration Service
Active Directory Federation Services How-To Video Series: Installing the Web Application Proxy
Upgrading to AD FS in Windows Server 2016 using
a WID database
3/5/2021 • 6 minutes to read
NOTE
Only begin an upgrade with a definitive time frame planned for completion. It is not recommended to keep AD FS in a
mixed mode state for an extended period of time, as leaving AD FS in a mixed mode state may cause issues with the farm.
WINDOWS SERVER VERSION    FBL    AD FS CONFIGURATION DATABASE NAME
2012 R2                   1      AdfsConfiguration
2016                      3      AdfsConfigurationV3
2019                      4      AdfsConfigurationV4
NOTE
Upgrading the FBL creates a new AD FS configuration database. See the table above for the names of the configuration
database for each Windows Server AD FS version and FBL value
NOTE
Before you can move to AD FS in Windows Server 2019 FBL, you must remove all of the Windows Server 2016 or 2012
R2 nodes. You cannot just upgrade a Windows Server 2016 or 2012 R2 OS to Windows Server 2019 and have it become
a 2019 node. You will need to remove it and replace it with a new 2019 node.
NOTE
If AlwaysOnAvailability groups or merge replication are configured in AD FS, remove all replication of any ADFS databases
prior to upgrade and point all nodes to the Primary SQL database. After performing this, perform the farm upgrade as
documented. After upgrade, add AlwaysOnAvailability groups or merge replication to the new databases.
To upgrade your AD FS farm to Windows Server 2019 Farm Behavior Level
1. Using Server Manager, install the Active Directory Federation Services Role on the Windows Server 2019
2. Using the AD FS Configuration wizard, join the new Windows Server 2019 server to the existing AD FS
farm.
3. On the Windows Server 2019 federation server, open AD FS management. Note that management
capabilities are not available because this federation server is not the primary server.
4. On the Windows Server 2019 server, open an elevated PowerShell command window and run the following
cmdlet:
Set-AdfsSyncProperties -Role PrimaryComputer
5. On the AD FS server that was previously configured as primary, open an elevated PowerShell command
window and run the following cmdlet:
7. If you are upgrading an AD FS 2012 R2 farm to 2016 or 2019, the farm upgrade requires the AD schema to
be at least level 85. To upgrade the schema, with the Windows Server 2016 installation media, open a
command prompt, navigate to the support\adprep directory and run the following: adprep /forestprep
NOTE
Prior to running the next step, ensure Windows Server is current by running Windows Update from Settings. Continue
this process until no further updates are needed.
8. Now, on the Windows Server 2016 server, open PowerShell and run the following cmdlet:
NOTE
All 2012 R2 servers must be removed from the farm before running the next step.
Invoke-AdfsFarmBehaviorLevelRaise
9. When prompted, type Y. This will begin raising the level. Once this completes, you have successfully raised the
FBL.
10. Now, if you go to AD FS Management, you will see the new capabilities that have been added for the later AD FS
version.
11. Likewise, you can use the PowerShell cmdlet: Get-AdfsFarmInformation to show you the current FBL.
12. To upgrade the WAP servers to the latest level, on each Web Application Proxy, re-configure the WAP by
executing the following PowerShell cmdlet in an elevated window:
Remove old servers from the cluster and keep only the WAP servers running the latest server version, which
were reconfigured above, by running the following PowerShell cmdlet.
Get-WebApplicationProxyConfiguration
NOTE
Skip the next step if the ConfigurationVersion is Windows Server 2016. This is the correct value for Web Application Proxy
on Windows Server 2016 / 2019.
To upgrade the ConfigurationVersion of the WAP servers, run the following PowerShell command.
Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
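The upgrade steps above, combined into one script as an added example (this is not code from the Microsoft page): it checks the preconditions the steps call out (new node is primary, schema at level 85, no 2012 R2 nodes left) before running the FBL raise, and on a WAP server checks ConfigurationVersion before upgrading it. The LDAP schema-version lookup and the BehaviorLevel property on the FarmNodes entries are assumptions of the example, not something the page states.

```powershell
# Added example, not from the Microsoft page. Run in an elevated PowerShell window
# on the new primary federation server (Test-/Invoke- functions) or on a Web
# Application Proxy server (Update-WapConfigurationVersion).
#Requires -RunAsAdministrator

function Test-AdfsFarmReadyForRaise {
    [CmdletBinding()]
    param(
        # Minimum AD schema version the page requires for the 2016/2019 farm upgrade.
        [int]$MinimumSchemaVersion = 85,
        # Behavior level of the nodes that must already be gone (1 = Windows Server 2012 R2).
        [int]$RetiredBehaviorLevel = 1
    )
    $problems = @()

    # Step 4: the raise must be run on the node that is now PrimaryComputer.
    $sync = Get-AdfsSyncProperties
    if ($sync.Role -ne 'PrimaryComputer') {
        $problems += "This node is '$($sync.Role)', not PrimaryComputer; run Set-AdfsSyncProperties -Role PrimaryComputer here first."
    }

    # Step 7: forest schema version is the objectVersion attribute of the Schema naming context.
    # Assumption: the server can reach a domain controller over LDAP as the current user.
    $rootDse       = [ADSI]'LDAP://RootDSE'
    $schema        = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $schemaVersion = [int]$schema.objectVersion.Value
    if ($schemaVersion -lt $MinimumSchemaVersion) {
        $problems += "AD schema version is $schemaVersion; adprep /forestprep must bring it to at least $MinimumSchemaVersion."
    }

    # Step 8 note: all 2012 R2 nodes have to be removed before the raise.
    # Assumption: each FarmNodes entry exposes FQDN and BehaviorLevel; nodes without
    # a BehaviorLevel value are not flagged.
    $farm = Get-AdfsFarmInformation
    $old  = @($farm.FarmNodes | Where-Object {
        ($null -ne $_.BehaviorLevel) -and ([int]$_.BehaviorLevel -le $RetiredBehaviorLevel)
    })
    if ($old.Count -gt 0) {
        $problems += "Nodes still at behavior level $RetiredBehaviorLevel or lower: $($old.FQDN -join ', '). Remove them from the farm first."
    }

    [pscustomobject]@{
        CurrentFarmBehavior = $farm.CurrentFarmBehavior
        SchemaVersion       = $schemaVersion
        Ready               = ($problems.Count -eq 0)
        Problems            = $problems
    }
}

function Invoke-AdfsFarmRaise {
    # Runs the page's cmdlet only when the pre-flight checks pass; the cmdlet itself prompts for Y.
    $check = Test-AdfsFarmReadyForRaise
    if (-not $check.Ready) {
        $check.Problems | ForEach-Object { Write-Warning $_ }
        return $check
    }
    Invoke-AdfsFarmBehaviorLevelRaise
    # CurrentFarmBehavior should now read 3 (2016) or 4 (2019), per the table on the page.
    Get-AdfsFarmInformation
}

function Update-WapConfigurationVersion {
    # On each WAP server, after it has been re-configured against the upgraded farm.
    $cfg = Get-WebApplicationProxyConfiguration
    # The page's "already current" value is "Windows Server 2016" (also correct for 2019).
    if ("$($cfg.ConfigurationVersion)" -match '2016') {
        Write-Verbose 'ConfigurationVersion is already current; nothing to do.' -Verbose
        return $cfg
    }
    Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
    Get-WebApplicationProxyConfiguration
}
```

Run Test-AdfsFarmReadyForRaise on its own first; it only reads state, so it can be repeated until every item in Problems is cleared, and only then does Invoke-AdfsFarmRaise change anything.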
NOTE
A known PRT issue exists in AD FS 2019 if Windows Hello for Business with a Hybrid Certificate trust is used. You
may encounter this error in the AD FS Admin event log: Received invalid Oauth request. The client 'NAME' is forbidden to
access the resource with scope 'ugs'. To remediate this error:
1. Launch the AD FS management console. Browse to "Services > Scope Descriptions".
2. Right-click "Scope Descriptions" and select "Add Scope Description".
3. Under Name, type "ugs" and click Apply > OK.
4. Launch PowerShell as Administrator.
5. Execute the command "Get-AdfsApplicationPermission". Look for the entry with ScopeNames : {openid, aza} that has the
ClientRoleIdentifier. Make a note of its ObjectIdentifier.
6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'".
7. Restart the AD FS service.
8. On the client: restart the client. The user should be prompted to provision WHFB.
9. If the provisioning window does not pop up, collect NGC trace logs and troubleshoot further.
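Steps 1 to 7 of the remediation above as one idempotent script, added here as an example (not code from the Microsoft page). It assumes the client name from the event-log error is passed as -ClientRoleIdentifier; without it, every permission carrying the openid and aza scopes gets 'ugs' added, which is the page's wording taken literally.

```powershell
# Added example, not from the Microsoft page. Run as Administrator on the
# primary AD FS 2019 server. Supports -WhatIf so the plan can be reviewed first.
#Requires -RunAsAdministrator

function Repair-AdfsUgsScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The client named in "The client 'NAME' is forbidden ..." (assumed input).
        [string]$ClientRoleIdentifier,
        # Step 7: restart adfssrv once the permission has been changed.
        [switch]$RestartService
    )

    # Steps 1-3: the scope description must exist before it can be granted.
    if (-not (Get-AdfsScopeDescription | Where-Object Name -eq 'ugs')) {
        if ($PSCmdlet.ShouldProcess('AD FS', "Add scope description 'ugs'")) {
            Add-AdfsScopeDescription -Name 'ugs'
        }
    }

    # Step 5: locate the permission(s) whose ScopeNames contain openid and aza.
    $candidates = @(Get-AdfsApplicationPermission | Where-Object {
        ($_.ScopeNames -contains 'openid') -and ($_.ScopeNames -contains 'aza')
    })
    if ($ClientRoleIdentifier) {
        $candidates = @($candidates | Where-Object ClientRoleIdentifier -eq $ClientRoleIdentifier)
    }
    if ($candidates.Count -eq 0) {
        Write-Warning 'No application permission with scopes openid and aza was found; nothing changed.'
        return
    }

    # Step 6: add 'ugs' to each matching permission, skipping ones that already have it.
    foreach ($perm in $candidates) {
        if ($perm.ScopeNames -contains 'ugs') { continue }
        if ($PSCmdlet.ShouldProcess($perm.ObjectIdentifier, "Add scope 'ugs'")) {
            Set-AdfsApplicationPermission -TargetIdentifier $perm.ObjectIdentifier -AddScope 'ugs'
        }
    }

    # Step 7: the new grant is picked up after the AD FS service restarts.
    if ($RestartService -and $PSCmdlet.ShouldProcess('adfssrv', 'Restart service')) {
        Restart-Service -Name adfssrv
    }

    # Return the touched permissions so the caller can confirm 'ugs' is now listed.
    Get-AdfsApplicationPermission | Where-Object {
        $candidates.ObjectIdentifier -contains $_.ObjectIdentifier
    }
}

# Dry run first, then the real change:
# Repair-AdfsUgsScope -ClientRoleIdentifier '<client id from the event>' -WhatIf
# Repair-AdfsUgsScope -ClientRoleIdentifier '<client id from the event>' -RestartService
```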
Deploying Active Directory Federation Services in
Azure
3/5/2021 • 17 minutes to read
AD FS provides simplified, secured identity federation and web single sign-on (SSO) capabilities. Federation
with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in
the cloud. As a result, it becomes important to have a highly available AD FS infrastructure to ensure access to
resources both on-premises and in the cloud. Deploying AD FS in Azure can help achieve the high availability
required with minimal effort. There are several advantages to deploying AD FS in Azure; a few of them are
listed below:
High Availability - With the power of Azure Availability Sets, you ensure a highly available infrastructure.
Easy to Scale - Need more performance? Easily migrate to more powerful machines with just a few clicks in
Azure.
Cross-Geo Redundancy - With Azure Geo Redundancy you can be assured that your infrastructure is
highly available across the globe.
Easy to Manage - With highly simplified management options in the Azure portal, managing your
infrastructure is very easy and hassle-free.
Design principles
The diagram above shows the recommended basic topology to start deploying your AD FS infrastructure in
Azure. The principles behind the various components of the topology are listed below:
DC / ADFS Servers: If you have fewer than 1,000 users you can simply install the AD FS role on your domain
controllers. If you do not want any performance impact on the domain controllers or if you have more than
1,000 users, then deploy AD FS on separate servers.
WAP Servers: It is necessary to deploy Web Application Proxy servers so that users can also reach AD FS
when they are not on the company network.
DMZ: The Web Application Proxy servers will be placed in the DMZ and ONLY TCP/443 access is allowed
between the DMZ and the internal subnet.
Load Balancers: To ensure high availability of AD FS and Web Application Proxy servers, we recommend
using an internal load balancer for AD FS servers and Azure Load Balancer for Web Application Proxy
servers.
Availability Sets: To provide redundancy to your AD FS deployment, it is recommended that you group two
or more virtual machines in an Availability Set for similar workloads. This configuration ensures that during
either a planned or unplanned maintenance event, at least one virtual machine will be available.
Storage Accounts: It is recommended to have two storage accounts. Having a single storage account can
create a single point of failure and can cause the deployment to become unavailable in the
unlikely scenario where the storage account goes down. Two storage accounts let you associate one
storage account with each fault line.
Network segregation: Web Application Proxy servers should be deployed in a separate DMZ network. You
can divide one virtual network into two subnets and then deploy the Web Application Proxy server(s) in an
isolated subnet. You can simply configure the network security group settings for each subnet and allow only
required communication between the two subnets. More details are given per deployment scenario below.
After the NSGs are created, associate NSG_INT with subnet INT and NSG_DMZ with subnet DMZ. An example
screenshot is given below:
Click on Subnets to open the panel for subnets
Select the subnet to associate with the NSG
After configuration, the panel for Subnets should look like below:
contosodcset    DC/ADFS   3   5
contosowapset   WAP       3   5
MACHINE   ROLE   SUBNET   AVAILABILITY SET   STORAGE ACCOUNT   IP ADDRESS
As you might have noticed, no NSG has been specified. This is because Azure lets you apply an NSG at the subnet
level. You can then control machine network traffic by using the individual NSG associated with either the
subnet or the NIC object. Read more on What is a Network Security Group (NSG). A static IP address is
recommended if you are managing the DNS. Alternatively, you can use Azure DNS and refer to the new machines
by their Azure FQDNs in the DNS records for your domain. Your virtual machine pane should look like below
after the deployment is completed:
DOMAIN CONTROLLER   ROLE   STORAGE ACCOUNT
NOTE
If you do not see Load Balancers in your menu, click Browse in the lower left of the portal and scroll until you see
Load Balancers. Then click the yellow star to add it to your menu. Now select the new load balancer icon to open the
panel to begin configuration of the load balancer.
Name: Give any suitable name to the load balancer.
Scheme: Since this load balancer will be placed in front of the AD FS servers and is meant for internal
network connections ONLY, select "Internal".
Virtual Network: Choose the virtual network where you are deploying your AD FS.
Subnet: Choose the internal subnet here.
IP Address assignment: Static
After you click create and the ILB is deployed, you should see it in the list of load balancers:
Next step is to configure the backend pool and the backend probe.
6.2. Configure ILB backend pool
Select the newly created ILB in the Load Balancers panel. It will open the settings panel.
1. Select backend pools from the settings panel
2. In the add backend pool panel, click on add virtual machine
3. You will be presented with a panel where you can choose availability set
4. Choose the AD FS availability set
6.3. Configuring the probe
In the ILB settings panel, select Health probes.
1. Click on Add.
2. Provide details for the probe:
a. Name: Probe name
b. Protocol: HTTP
c. Port: 80 (HTTP)
d. Path: /adfs/probe
e. Interval: 5 (default value) - this is the interval at which the ILB will probe the machines in the backend pool
f. Unhealthy threshold limit: 2 (default value) - this is the threshold of consecutive probe failures after
which the ILB will declare a machine in the backend pool non-responsive and stop sending traffic to it.
We are using the /adfs/probe endpoint that was created explicitly for health checks in an AD FS environment
where a full HTTPS path check cannot happen. This is substantially better than a basic port 443 check, which
does not accurately reflect the status of a modern AD FS deployment. More information on this can be found at
https://blogs.technet.microsoft.com/applicationproxyblog/2014/10/17/hardware-load-balancer-health-checks-and-web-application-proxy-ad-fs-2012-r2/.
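To see the difference the paragraph above describes, the following added example (not code from the Microsoft page) runs both checks against a list of AD FS or WAP servers: a plain TCP/443 connect, and the same HTTP GET of /adfs/probe on port 80 that the ILB probe issues. The server names in the usage line are placeholders for your own nodes.

```powershell
# Added example, not from the Microsoft page. Run from a machine that can reach
# the servers on ports 80 and 443 (for example, a jump host in the INT subnet).

function Test-AdfsProbe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$TimeoutSec = 5
    )

    foreach ($server in $ComputerName) {
        # What a basic port check sees: only that something accepts connections on 443.
        $tcp443 = Test-NetConnection -ComputerName $server -Port 443 `
                      -InformationLevel Quiet -WarningAction SilentlyContinue

        # What the ILB probe sees: the health endpoint AD FS/WAP serves over HTTP on port 80.
        $probeUrl = "http://$server/adfs/probe"
        $status = $null
        $detail = $null
        try {
            $resp   = Invoke-WebRequest -Uri $probeUrl -UseBasicParsing -TimeoutSec $TimeoutSec
            $status = [int]$resp.StatusCode
        }
        catch {
            # Non-2xx answers and connection failures both raise here; keep the status if there was one.
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            $detail = $_.Exception.Message
        }

        [pscustomobject]@{
            Server       = $server
            Tcp443Open   = $tcp443
            ProbeStatus  = $status
            ProbeHealthy = ($status -eq 200)   # the ILB's success condition for an HTTP probe
            Detail       = $detail
        }
    }
}

# Usage ('adfs1' and 'adfs2' are placeholder names):
# Test-AdfsProbe -ComputerName adfs1, adfs2 | Format-Table -AutoSize
```

A node with Tcp443Open true and ProbeHealthy false is exactly the case the paragraph warns about: the port answers, but the service behind it is not ready, and a port-only probe would keep sending it traffic.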
6.4. Create load balancing rules
In order to effectively balance the traffic, the ILB should be configured with load balancing rules. To
create a load balancing rule:
1. Select Load balancing rule from the settings panel of the ILB
2. Click on Add in the Load balancing rule panel
3. In the Add load balancing rule panel:
a. Name: Provide a name for the rule
b. Protocol: Select TCP
c. Port: 443
d. Backend port: 443
e. Backend pool: Select the pool you created for the AD FS cluster earlier
f. Probe: Select the probe created for the AD FS servers earlier
6.5. Update DNS with ILB
Using your internal DNS server, create an A record for the ILB. The A record should be for the federation service
with the IP address pointing to the IP address of the ILB. For example, if the ILB IP address is 10.3.0.8 and the
federation service installed is fs.contoso.com, then create an A record for fs.contoso.com pointing to 10.3.0.8.
This will ensure that all data transmitted to fs.contoso.com ends up at the ILB and is appropriately routed.
WARNING
If you are using the WID (Windows Internal Database) for your AD FS database, this value should instead be temporarily
set to point to your primary AD FS server, or the Web Application Proxy will fail enrollment. After you have successfully
enrolled all Web Application Proxy servers, change this DNS entry to point to the load balancer.
NOTE
If your deployment is also using IPv6, be sure to create a corresponding AAAA record.
After deployment, the load balancer will appear in the Load balancers list.
8.2. Assign a DNS label to the public IP
Click on the newly created load balancer entry in the Load balancers panel to bring up the panel for
configuration. Follow the steps below to configure the DNS label for the public IP:
1. Click on the public IP address. This will open the panel for the public IP and its settings
2. Click on Configuration
3. Provide a DNS label. This will become the public DNS label that you can access from anywhere, for example
contosofs.westus.cloudapp.azure.com. You can add an entry in the external DNS for the federation service
(like fs.contoso.com) that resolves to the DNS label of the external load balancer
(contosofs.westus.cloudapp.azure.com).
8.3. Configure backend pool for Internet Facing (Public) Load Balancer
Follow the same steps as in creating the internal load balancer, to configure the backend pool for Internet Facing
(Public) Load Balancer as the availability set for the WAP servers. For example, contosowapset.
NOTE
If client user certificate authentication (clientTLS authentication using X.509 user certificates) is required, then AD FS
requires TCP port 49443 to be enabled for inbound access.
PARAMETER                         DESCRIPTION
Location                          The region to deploy the resources into, e.g. East US.
VirtualNetworkResourceGroupName   Specifies the name of the resource group where the existing virtual network
                                  resides. When using an existing virtual network, this becomes a mandatory
                                  parameter so the deployment can find the ID of the existing virtual network.
InternalSubnetAddressRange        The address range of the internal subnet, which contains the domain controllers
                                  and AD FS servers; mandatory if creating a new virtual network.
DMZSubnetAddressRange             The address range of the DMZ subnet, which contains the Web Application Proxy
                                  servers; mandatory if creating a new virtual network.
Additional resources
Availability Sets
Azure Load Balancer
Internal Load Balancer
Internet Facing Load Balancer
Storage Accounts
Azure Virtual Networks
AD FS and Web Application Proxy Links
Next steps
Integrating your on-premises identities with Azure Active Directory
Configuring and managing your AD FS using Azure AD Connect
High availability cross-geographic AD FS deployment in Azure with Azure Traffic Manager
High availability cross-geographic AD FS
deployment in Azure with Azure Traffic Manager
3/5/2021 • 6 minutes to read
AD FS deployment in Azure provides step-by-step guidance on how you can deploy a simple AD FS
infrastructure for your organization in Azure. This article provides the next steps to create a cross-geographic
deployment of AD FS in Azure using Azure Traffic Manager. Azure Traffic Manager helps create a geographically
spread, highly available and high-performance AD FS infrastructure for your organization by making use of the
range of routing methods available to suit the different needs of the infrastructure.
A highly available cross-geographic AD FS infrastructure enables:
Elimination of a single point of failure: With the failover capabilities of Azure Traffic Manager, you can achieve
a highly available AD FS infrastructure even when one of the data centers in a part of the globe goes down.
Improved performance: You can use the suggested deployment in this article to provide a high-
performance AD FS infrastructure that can help users authenticate faster.
Design principles
The basic design principles will be the same as listed in Design principles in the article AD FS deployment in Azure.
The diagram above shows a simple extension of the basic deployment to another geographical region. Below
are some points to consider when extending your deployment to a new geographical region:
Virtual network: You should create a new virtual network in the geographical region where you want to deploy
additional AD FS infrastructure. In the diagram above you see Geo1 VNET and Geo2 VNET as the two virtual
networks in each geographical region.
Domain controllers and AD FS servers in the new geographical VNET: It is recommended to deploy
domain controllers in the new geographical region so that the AD FS servers in the new region do not have
to contact a domain controller in another, far away network to complete an authentication, thereby
improving performance.
Storage accounts: Storage accounts are associated with a region. Since you will be deploying machines in a
new geographic region, you will have to create new storage accounts to be used in the region.
Network Security Groups: Like storage accounts, Network Security Groups created in a region cannot be
used in another geographical region. Therefore, you will need to create new network security groups similar
to those in the first geographical region for the INT and DMZ subnets in the new geographical region.
DNS Labels for public IP addresses: Azure Traffic Manager can refer to endpoints ONLY via DNS labels.
Therefore, you are required to create DNS labels for the External Load Balancers' public IP addresses.
Azure Traffic Manager: Microsoft Azure Traffic Manager allows you to control the distribution of user
traffic to your service endpoints running in different datacenters around the world. Azure Traffic Manager
works at the DNS level. It uses DNS responses to direct end-user traffic to globally distributed endpoints.
Clients then connect to those endpoints directly. With the different routing options of Performance, Weighted
and Priority, you can easily choose the routing option best suited for your organization's needs.
VNet-to-VNet connectivity between two regions: You do not need connectivity between the
virtual networks themselves. Since each virtual network has access to domain controllers and has its own AD FS and WAP
servers, they can work without any connectivity between the virtual networks in different regions.
2. Traffic routing method: There are three routing options available in traffic manager:
Priority
Performance
Weighted
Performance is the recommended option to achieve a highly responsive AD FS infrastructure.
However, you can choose any routing method best suited for your deployment needs. The AD FS
functionality is not impacted by the routing option selected. See Traffic Manager traffic routing
methods for more information. In the sample screenshot above you can see the Performance
method selected.
3. Configure endpoints: In the traffic manager page, click on endpoints and select Add. This will open an
Add endpoint page similar to the screenshot below
NOTE
Ensure that the status of the endpoints is ONLINE once the configuration is complete. If all
endpoints are in the 'degraded' state, Azure Traffic Manager will make a best attempt to route the traffic, assuming that
the diagnostics are incorrect and all endpoints are reachable.
5. Modifying DNS records for Azure Traffic Manager : Your federation service should be a CNAME to
the Azure Traffic Manager DNS name. Create a CNAME in the public DNS records so that whoever is
trying to reach the federation service actually reaches the Azure Traffic Manager.
For example, to point the federation service fs.fabidentity.com to the Traffic Manager, you would need to
update your DNS resource record to be the following:
fs.fabidentity.com IN CNAME mysts.trafficmanager.net
AD FS sign-in test
The easiest way to test AD FS is by using the IdpInitiatedSignon.aspx page. To be able to do that, you must
enable the IdpInitiatedSignOn page in the AD FS properties. Follow the steps below to verify your AD FS
setup:
1. Run the following cmdlet on the AD FS server, using PowerShell, to enable the page:
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
2. From any external machine, access https:///adfs/ls/IdpInitiatedSignon.aspx
3. You should see the AD FS sign-in page, and on successful sign-in it will provide you with a success message.
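The two checks from the sections above, the public CNAME to Traffic Manager and the IdP-initiated sign-on page, as one added example (not code from the Microsoft page). fs.fabidentity.com and mysts.trafficmanager.net are the page's own sample names; using 8.8.8.8 as the external resolver is an assumption of this example.

```powershell
# Added example, not from the Microsoft page. Test-AdfsPublicDns can run from
# anywhere; Test-AdfsIdpInitiatedSignon -EnablePage must run on an AD FS server
# because it calls Set-AdfsProperties there.

function Test-AdfsPublicDns {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,   # e.g. fs.fabidentity.com
        [Parameter(Mandatory)][string]$TrafficManagerName,      # e.g. mysts.trafficmanager.net
        [string]$Resolver = '8.8.8.8'                           # any resolver outside the corporate network
    )
    # Query an external resolver so a split-brain internal zone does not mask the public answer.
    $records = Resolve-DnsName -Name $FederationServiceName -Type CNAME -Server $Resolver -ErrorAction Stop
    $cname   = ($records | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
    [pscustomobject]@{
        Name                = $FederationServiceName
        CName               = $cname
        PointsToTrafficMgr  = ($cname -eq $TrafficManagerName)
    }
}

function Test-AdfsIdpInitiatedSignon {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [switch]$EnablePage    # step 1 above; only meaningful on the AD FS server itself
    )
    if ($EnablePage) { Set-AdfsProperties -EnableIdPInitiatedSignonPage $true }

    $url = "https://$FederationServiceName/adfs/ls/IdpInitiatedSignon.aspx"
    try {
        $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $ok     = ($resp.StatusCode -eq 200)
        $detail = $null
    }
    catch {
        $ok     = $false
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Url = $url; PageReachable = $ok; Detail = $detail }
}

# Usage:
# Test-AdfsPublicDns -FederationServiceName fs.fabidentity.com -TrafficManagerName mysts.trafficmanager.net
# Test-AdfsIdpInitiatedSignon -FederationServiceName fs.fabidentity.com
```

The page reachability check only confirms the HTTPS path through Traffic Manager, the external load balancer and WAP; the interactive sign-in itself is still done in a browser as step 3 describes. Once the test is done, the page can be turned off again with Set-AdfsProperties -EnableIdPInitiatedSignonPage $false, since it is off by default and is only needed for this kind of test.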
Related links
Basic AD FS deployment in Azure
Microsoft Azure Traffic Manager
Traffic Manager traffic routing methods
Next steps
Manage an Azure Traffic Manager profile
Add, disable, enable or delete endpoints
Upgrading to AD FS in Windows Server 2016 with
SQL Server
3/5/2021 • 6 minutes to read
NOTE
Only begin an upgrade with a definitive time frame planned for completion. It is not recommended to keep AD FS in a
mixed mode state for an extended period of time, as leaving AD FS in a mixed mode state may cause issues with the farm.
The following architectural diagram shows the setup that was used to validate and record the steps below.
5. On the Specify SSL Certificate screen, specify the certificate and click Next.
6. On the Specify Service Account screen, specify the service account and click Next.
7. On the Review Options screen, review the options and click Next.
8. On the Pre-requisites Checks screen, ensure that all of the pre-requisite checks have passed and click
Configure.
9. On the Results screen, ensure that the server was successfully configured and click Close.
Remove the Windows Server 2012 R2 AD FS server
NOTE
You do not need to set the primary AD FS server using Set-AdfsSyncProperties -Role when using SQL as the database.
This is because all of the nodes are considered primary in this configuration.
1. On the Windows Server 2012 R2 AD FS server, in Server Manager use Remove Roles and Features under
Manage.
2. On the Before you Begin screen, click Next.
3. On the Server Selection screen, click Next.
4. On the Server Roles screen, remove the check next to Active Directory Federation Services and click
Next.
1. Now on the Windows Server 2016 Server open PowerShell and run the following: $cred = Get-Credential
and hit enter.
2. Enter credentials that have admin privileges on the SQL Server.
3. Now in PowerShell, enter the following: Invoke-AdfsFarmBehaviorLevelRaise -Credential $cred
4. When prompted, type Y. This will begin raising the level. Once this completes, you have successfully raised
the FBL.
5. Now, if you go to AD FS Management, you will see the new nodes that have been added for AD FS in
Windows Server 2016.
6. Likewise, you can use the PowerShell cmdlet: Get-AdfsFarmInformation to show you the current FBL.
2. Remove old servers from the cluster and keep only the WAP servers running the latest server version, which
were reconfigured above, by running the following PowerShell command.
Get-WebApplicationProxyConfiguration
4. To upgrade the ConfigurationVersion of the WAP servers, run the following PowerShell command.
Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
You can use Active Directory Federation Services (AD FS) with the Windows Server 2016 and 2012 R2 operating
systems to build federated identity management solutions that extend distributed identification, authentication,
and authorization services to web-based applications across organization and platform boundaries. By
deploying AD FS, you can extend your organization's existing identity management capabilities to the Internet.
Deploying a Federation Server Farm
Deploying Federation Server Proxies
Azure Active Directory Connect
See Also
AD FS Deployment
Deploying a Federation Server Farm
3/23/2021 • 2 minutes to read
In order to deploy a federation server farm, complete the tasks in this checklist in order. When a reference link
takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Deploying a Federation Server Farm
TASK                                                          REFERENCE
Review important concepts and considerations as you AD FS Design Guide in Windows Server 2012 R2
prepare to deploy Active Directory Federation Services Understanding Key AD FS Concepts
(AD FS).
Enroll a Secure Socket Layer (SSL) certificate for AD FS. Enroll an SSL Certificate for AD FS
Optional step: Configure a federation server with Device Configure a federation server with Device Registration
Registration Service (DRS). Service
Add a host (A) and alias (CNAME) resource record to Configure Corporate DNS for the Federation Service and
corporate Domain Name System (DNS) for the federation DRS
service and DRS.
Verify that a federation server is operational. Verify That a Federation Server Is Operational
See Also
AD FS Deployment
Windows Server 2012 R2 AD FS Deployment Guide
Join a Computer to a Domain
6/17/2021 • 2 minutes to read
For Active Directory Federation Services (AD FS) to function, each computer that functions as a federation
server must be joined to a domain. Federation server proxies may be joined to a domain, but this is not a
requirement.
You do not have to join a Web server to a domain if the Web server is hosting claims-aware applications only.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
To join a computer to a domain
1. On the Start screen, type Control Panel, and then press ENTER.
2. Navigate to System and Security, and then click System.
3. Under Computer name, domain, and workgroup settings, click Change settings.
4. On the Computer Name tab, click Change.
5. Under Member of, click Domain, type the name of the domain that you wish this computer to join, and
then click OK.
6. Click OK, and then restart the computer.
Additional references
Checklist: Setting Up a Federation Server
Checklist: Setting Up a Federation Server Proxy
Enroll an SSL Certificate for AD FS
3/5/2021 • 2 minutes to read
Active Directory Federation Services (AD FS) requires a certificate for Secure Socket Layer (SSL) server
authentication on each federation server in your federation server farm. The same certificate can be used on
each federation server in a farm. You must have both the certificate and its private key available. For example, if
you have the certificate and its private key in a .pfx file, you can import the file directly into the Active Directory
Federation Services Configuration Wizard. This SSL certificate must contain the following:
1. The subject name and subject alternative name must contain your federation service name, such as
fs.contoso.com.
2. The subject alternative name must contain the value enterpriseregistration followed by the User
Principal Name (UPN) suffix of your organization, for example,
enterpriseregistration.corp.contoso.com.
WARNING
Specify the subject alternative name if you plan to enable the Device Registration Service (DRS) for Workplace Join.
IMPORTANT
If your organization uses multiple UPN suffixes, and you plan to enable the DRS, the SSL certificate must contain a subject
alternative name entry for each suffix.
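A check for the two certificate requirements above, including one enterpriseregistration entry per UPN suffix as the IMPORTANT note requires, added here as an example (not code from the Microsoft page). fs.contoso.com and corp.contoso.com are the page's sample names; the thumbprint in the usage line is a placeholder, and the "DNS Name=" label used to parse the SAN extension assumes an English-language Windows build.

```powershell
# Added example, not from the Microsoft page. Run on the server where the .pfx
# has been imported into the Local Computer\My store.

function Test-AdfsSslCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$FederationServiceName,
        # One entry per UPN suffix in use; DRS needs enterpriseregistration.<suffix> for each.
        [string[]]$UpnSuffix = @()
    )
    process {
        # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
        # Assumption: Format() emits the English label "DNS Name=".
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) {
            $sans = @([regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
                      ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() })
        }
        $fsName    = $FederationServiceName.ToLowerInvariant()
        $subjectCn = $Certificate.GetNameInfo('SimpleName', $false).ToLowerInvariant()

        # Requirement 1: the federation service name; requirement 2: enterpriseregistration.<suffix>.
        $required = @($fsName)
        foreach ($suffix in $UpnSuffix) { $required += "enterpriseregistration.$suffix".ToLowerInvariant() }
        $missing = @($required | Where-Object { $sans -notcontains $_ })

        [pscustomobject]@{
            Thumbprint        = $Certificate.Thumbprint
            SubjectCN         = $subjectCn
            SubjectMatchesFs  = ($subjectCn -eq $fsName)
            SanNames          = $sans
            MissingSanEntries = $missing
            HasPrivateKey     = $Certificate.HasPrivateKey   # the wizard cannot use a cert without it
            Usable            = ($Certificate.HasPrivateKey -and ($subjectCn -eq $fsName) -and $missing.Count -eq 0)
        }
    }
}

# Usage (thumbprint is a placeholder):
# Get-Item Cert:\LocalMachine\My\<thumbprint> |
#     Test-AdfsSslCertificate -FederationServiceName fs.contoso.com -UpnSuffix corp.contoso.com
```

Running this against every certificate in the store (Get-ChildItem Cert:\LocalMachine\My | Test-AdfsSslCertificate ...) shows at a glance which one, if any, satisfies both requirements before the configuration wizard is started.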
See Also
AD FS Deployment
Windows Server 2012 R2 AD FS Deployment Guide
Deploying a Federation Server Farm
Install the AD FS Role Service
6/17/2021 • 2 minutes to read
You can use the following procedure to install the AD FS role service on a computer that is running Windows
Server 2012 R2 to become the first federation server in a federation server farm or a federation server in an
existing federation server farm.
Membership in Administrators, or equivalent, on the local computer is the minimum requirement to complete
this procedure. Review details about using the appropriate accounts and group memberships at Local and
Domain Default Groups.
To install the AD FS server role via the Add roles and features wizard
1. Open Server Manager. To open Server Manager, click Server Manager on the Start screen, or Server
Manager in the taskbar on the desktop. In the Quick Start tab of the Welcome tile on the Dashboard
page, click Add roles and features. Alternatively, you can click Add Roles and Features on the
Manage menu.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or Feature-based installation, and then
click Next.
4. On the Select destination server page, click Select a server from the server pool, verify that the
target computer is selected, and then click Next.
5. On the Select server roles page, click Active Directory Federation Services, and then click Next.
6. On the Select features page, click Next. The required prerequisites are preselected for you. You do not
have to select any other features.
7. On the Active Directory Federation Service (AD FS) page, click Next.
8. After you verify the information on the Confirm installation selections page, click Install.
9. On the Installation progress page, verify that everything installed correctly, and then click Close.
To install the AD FS server role via Windows PowerShell
1. On the computer that you want to configure as a federation server, open the Windows PowerShell command
window, and then run the following command:
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
See Also
AD FS Deployment
Windows Server 2012 R2 AD FS Deployment Guide
Deploying a Federation Server Farm
Configure a Federation Server
6/17/2021 • 13 minutes to read
After you install the Active Directory Federation Services (AD FS) role service on your computer, you are ready
to configure this computer to become a federation server. You can do one of the following:
Configure the first federation server in a new federation server farm
Add a federation server to an existing federation server farm
NOTE
Ensure that you have domain administrator permissions or have domain administrator credentials available before you
perform this procedure.
1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the
federation service on the server.
The Active Directory Federation Service Configuration Wizard opens.
2. On the Welcome page, select Create the first federation server in a federation server farm, and
then click Next.
3. On the Connect to AD DS page, specify an account with domain administrator permissions for the
Active Directory (AD) domain to which this computer is joined, and then click Next.
4. On the Specify Service Properties page, do the following, and then click Next:
Import the .pfx file that contains the Secure Socket Layer (SSL) certificate and key that you
obtained earlier. In Step 2: Enroll an SSL Certificate for AD FS, you obtained this certificate
and copied it onto the computer that you want to configure as a federation server. To import the
.pfx file via the wizard, click Import, and then browse to the file's location. Enter the password for
the .pfx file when you are prompted.
Provide a name for your federation service. For example, fs.contoso.com. This name must match
one of the subject or subject alternative names in the certificate.
Provide a display name for your federation service. For example, Contoso Corporation. Users
see this name on the Active Directory Federation Services (AD FS) sign-in page.
5. On the Specify Service Account page, specify a service account. You can either create or use an
existing group Managed Service Account (gMSA) or use an existing domain user account. If you select the
option to create a new gMSA account, specify a name for the new account. If you select the option to use
an existing gMSA or domain account, click Select to select an account.
NOTE
The benefit of using a gMSA account is its auto-negotiated password update feature.
WARNING
If you want to use a gMSA account, you must have at least one domain controller in your environment that is
running the Windows Server 2012 operating system.
If the gMSA option is disabled, and you see an error message, such as Group Managed Service Accounts are
not available because the KDS Root Key has not been set, you can enable gMSA in your domain by
running the following Windows PowerShell command on a domain controller, which runs Windows Server 2012 or
later, in your Active Directory domain: Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10). Then
return to the wizard, click Previous, and then click Next to re-enter the Specify Service Account page. The
gMSA option should now be enabled. You can select it and enter a gMSA account name that you want to use.
6. On the Specify Configuration Database page, specify an AD FS configuration database, and then click
Next . You can either create a database on this computer by using Windows Internal Database (WID), or
you can specify the location and the instance name of Microsoft SQL Server.
For more information, see The Role of the AD FS Configuration Database.
IMPORTANT
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server
2008 and newer versions, including SQL Server 2012 and SQL Server 2014.
7. On the Review Options page, verify your configuration selections, and then click Next .
8. On the Pre-requisite Checks page, verify that all prerequisite checks are successfully completed, and
then click Configure .
9. On the Results page, review the results and check whether the configuration is completed successfully,
and then click Next steps required for completing your federation service deployment. For
more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.
To configure the first federation server in a new federation server farm via Windows PowerShell
You can create a new federation server farm by using either a new or existing gMSA account or an existing
domain user account.
If you want to create a new federation server by using a new gMSA account, do the
following:
IMPORTANT
You must have domain administrator permissions to create the first federation server in a new federation server
farm.
1. On the computer that you want to configure as a federation server, ensure that the required SSL
certificate, together with its private key, has been imported into the Local Computer\Personal (My)
certificate store. You can verify whether the SSL certificate has been imported by running the following
command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. Each certificate in
the store is listed by its thumbprint.
2. On your domain controller, open the Windows PowerShell command window and run Get-KdsRootKey
to verify whether a KDS root key has been created in your domain. (Get-KdsRootKey has no EffectiveTime
parameter; it simply lists the root keys that exist.) If the command returns no output, no key has been
created; run the following command to create one:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)). The backdated effective time is for test
environments with a single domain controller; in production, create the key with the default effective
time and wait for it to replicate to all domain controllers before you create the gMSA.
3. On the computer that you want to configure as a federation server, open the Windows PowerShell
command window, and run the following command:
WARNING
The $ sign at the end of the gMSA account name in the previous command (<domain>\<GMSA_name>$) is
required; without it the account is looked up as an ordinary user account and the command fails.
To obtain the value for <certificate_thumbprint>, run dir Cert:\LocalMachine\My, and then select
the thumbprint of your SSL certificate. The value of <federation_service_name> is the name of your
federation service, for example, fs.contoso.com.
NOTE
If this is NOT the first time that you run this command on this computer, add the -OverwriteConfiguration
parameter; it discards the AD FS configuration that the earlier run left behind.
NOTE
The previous command creates a WID farm. If you want to create a SQL Server farm, you must
have an instance of SQL Server already installed and operational.
You can use the following command to create the first federation server in a new farm that uses an
instance of SQL Server:
Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True"
where <SQL_Host_Name> is the name of the server on which SQL Server is running, and
<SQL_instance_name> is the name of the instance of SQL Server. If you use the default instance of SQL
Server, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
IMPORTANT
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use
SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.
If you want to create a new federation server by using an existing domain user account, do
the following:
1. On the computer that you want to configure as a federation server, ensure that the required SSL
certificate, together with its private key, has been imported into the Local Computer\Personal (My)
certificate store. You can verify whether the SSL certificate has been imported by running the following
command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. Each certificate in
the store is listed by its thumbprint.
2. On the computer that you want to configure as a federation server, open the Windows PowerShell
command window, and then run the following command: $fscred = Get-Credential . Enter the
domain user account credentials that you want to use for the federation service account in the
format domain\user name.
3. In the same Windows PowerShell command window, run the following command:
To obtain the value for <certificate_thumbprint>, run dir Cert:\LocalMachine\My, and then
select the thumbprint of your SSL certificate. The value of <federation_service_name> is the
name of your federation service, for example, fs.contoso.com.
NOTE
If this is NOT the first time that you run this command on this computer, add the -OverwriteConfiguration
parameter; it discards the AD FS configuration that the earlier run left behind.
NOTE
The previous command creates a WID farm. If you want to create a SQL Server farm, you must have the
instance of SQL Server already installed and operational.
You can use the following command to create the first federation server in a new farm that uses an
instance of SQL Server (the $fscred variable holds the credential you captured in step 2):
Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -ServiceAccountCredential $fscred -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True"
where <SQL_Host_Name> is the name of the server on which SQL Server is running, and
<SQL_instance_name> is the name of the instance of SQL Server. If you use the default instance of SQL
Server, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
IMPORTANT
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use
SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.
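The two PowerShell procedures above differ only in the service-account parameter and in whether a SQLConnectionString is supplied. The following script is an added example, not code from the original topic: it selects the SSL certificate by the federation service name instead of a pasted thumbprint, checks for a KDS root key when a gMSA is requested, and then builds one Install-AdfsFarm call that covers gMSA or domain-user accounts and WID or SQL Server. The names fs.contoso.com, Contoso Corporation, CONTOSO\fsgmsa$ and sql01.contoso.com are assumptions; save it as a .ps1 file and run it elevated on the future federation server as a domain administrator.

```powershell
# Added example (not from the original page). Assumed values are marked below.
param(
    [string]$FederationServiceName = 'fs.contoso.com',       # assumption
    [string]$DisplayName           = 'Contoso Corporation',  # assumption
    [ValidateSet('gMSA','DomainUser')][string]$AccountType = 'gMSA',
    [string]$GmsaIdentifier        = 'CONTOSO\fsgmsa$',      # assumption; the trailing $ is required
    [string]$SqlHost               = '',                     # empty = Windows Internal Database
    [string]$SqlInstance           = ''                      # empty = default SQL Server instance
)

# 1. Find the SSL certificate in the Local Computer\Personal store by DNS name.
#    Insist on a private key and on validity so a stale or public-only copy is never bound.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object {
        ($_.DnsNameList.Unicode -contains $FederationServiceName) -or
        ($_.Subject -like "CN=$FederationServiceName*")
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate with a private key for $FederationServiceName in Cert:\LocalMachine\My"
}

# 2. A gMSA needs a KDS root key in the domain. Get-KdsRootKey takes no EffectiveTime
#    parameter; it lists existing keys. The Kds module may only be present on a DC or with RSAT.
if ($AccountType -eq 'gMSA') {
    if (Get-Command Get-KdsRootKey -ErrorAction SilentlyContinue) {
        if (-not (Get-KdsRootKey)) {
            throw 'No KDS root key. On a domain controller run Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) (lab only) or Add-KdsRootKey -EffectiveTime (Get-Date) and wait for replication (production).'
        }
    } else {
        Write-Warning 'Get-KdsRootKey is not available here; confirm on a domain controller that a KDS root key exists.'
    }
}

# 3. Assemble the Install-AdfsFarm arguments with splatting so one call covers every
#    combination described in this topic.
$farm = @{
    CertificateThumbprint        = $cert.Thumbprint
    FederationServiceName        = $FederationServiceName
    FederationServiceDisplayName = $DisplayName
}
switch ($AccountType) {
    'gMSA'       { $farm.GroupServiceAccountIdentifier = $GmsaIdentifier }
    'DomainUser' { $farm.ServiceAccountCredential = Get-Credential -Message 'AD FS service account (DOMAIN\user)' }
}
if ($SqlHost) {
    # Default instance: name only the host. Named instance: host\instance.
    $dataSource = if ($SqlInstance) { "$SqlHost\$SqlInstance" } else { $SqlHost }
    $farm.SQLConnectionString = "Data Source=$dataSource;Integrated Security=True"
}
# Only on a deliberate re-run: -OverwriteConfiguration discards an earlier configuration.
# $farm.OverwriteConfiguration = $true

Install-AdfsFarm @farm
```

Selecting the certificate by name rather than by a copied thumbprint removes the most common cause of a failed first run (a thumbprint pasted with hidden characters or belonging to a certificate without its private key). The KDS check is deliberately a hard failure for the gMSA path, because Install-AdfsFarm would otherwise fail later with a less specific error.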
IMPORTANT
Ensure that you have obtained a valid SSL server authentication certificate before you complete this procedure.
To add a federation server to an existing federation server farm via the Active Directory Federation Service
Configuration Wizard
1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the
federation service on the server.
The Active Directory Federation Service Configuration Wizard opens.
2. On the Welcome page, select Add a federation server to a federation server farm, and then click
Next.
3. On the Connect to AD DS page, specify an account that has domain administrator permissions in the
AD domain to which this computer is joined, and then click Next.
4. On the Specify Farm page, provide the name of the primary federation server in a farm that uses WID,
or specify the database host name and the database instance name of an existing federation server farm
that uses SQL Server.
WARNING
In Windows Server 2012 R2, the wizard cannot target the default instance of SQL Server on this page. The
workaround is to not use the user interface for this step. Instead, use the Windows PowerShell procedure To add a
federation server to an existing federation server farm via Windows PowerShell later in this topic, which accepts a
SQLConnectionString of "Data Source=<SQL_Host_Name>;Integrated Security=True" for the default instance.
IMPORTANT
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server
2008 and newer versions, including SQL Server 2012 and SQL Server 2014.
5. On the Specify SSL Certificate page, import the .pfx file that contains the SSL certificate and key that
you have obtained previously. This certificate is the required service authentication certificate. In Step 2:
Enroll an SSL Certificate for AD FS, you have obtained this certificate and copied it to the computer that
you want to configure as a federation server. To import the .pfx file via the wizard, click Import and
browse to the file's location. Enter the password for the .pfx file when you are prompted.
6. On the Specify Service Account page, specify the same service account that you configured when you
created the first federation server in the farm. You can use an existing group Managed Service Account or
an existing domain user account.
IMPORTANT
The account that you specify must be the same account as the account that was used on the primary federation
server in this farm.
7. On the Review Options page, verify your configuration selections, and then click Next .
8. On the Pre-requisite Checks page, verify that all prerequisite checks are successfully completed, and
then click Configure .
9. On the Results page, review the results and check whether the configuration is completed successfully,
and then click Next steps required for completing your federation service deployment. For
more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.
To add a federation server to an existing federation server farm via Windows PowerShell
You can add a federation server to an existing farm by using either an existing gMSA account or an existing
domain user account.
If you want to join a federation server to a farm by using an existing gMSA account, do the following:
1. On the computer that you want to configure as a federation server, ensure that the required SSL
certificate, together with its private key, has been imported into the Local Computer\Personal (My)
certificate store. You can verify whether the SSL certificate has been imported by running the following
command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. Each certificate in
the store is listed by its thumbprint.
2. On the computer that you want to configure as a federation server, open the Windows PowerShell
command window, and run the following command.
<domain>\<GMSA_name>$ is your AD domain and the name of your gMSA account in that domain; the
trailing $ sign is required.
<first_federation_server_hostname> is the host name of the primary federation server in this
existing farm.
You can obtain the value for <certificate_thumbprint> by running dir Cert:\LocalMachine\My as in
the previous step.
NOTE
If this is NOT the first time that you run this command on this computer, add the -OverwriteConfiguration
parameter; it discards the AD FS configuration that the earlier run left behind.
NOTE
The previous command adds a node to a WID farm. If you want to add a node to a farm that uses SQL
Server, you must have the instance of SQL Server already installed and operational.
You can use the following command to add a federation server to an existing farm that is using an
instance of SQL Server:
Add-AdfsFarmNode -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True"
where <SQL_Host_Name> is the name of the server on which SQL Server is running, and
<SQL_instance_name> is the name of the instance of SQL Server. If you use the default instance of SQL
Server, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
IMPORTANT
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use
SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.
If you want to join a federation server to a farm by using an existing domain user account, do the
following:
1. On the computer that you want to configure as a federation server, open the Windows
PowerShell command window, and then run the following command: $fscred = Get-Credential.
Enter the domain user account credentials that you want to use for the federation service account
in the format domain\user name.
2. On the computer that you want to configure as a federation server, ensure that the required SSL
certificate, together with its private key, has been imported into the Local Computer\Personal (My)
certificate store. You can verify whether the SSL certificate has been imported by running the following
command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. Each certificate in
the store is listed by its thumbprint.
3. In the same Windows PowerShell command window, run the following command:
Add-AdfsFarmNode -ServiceAccountCredential $fscred -PrimaryComputerName <first_federation_server_hostname> -CertificateThumbprint <certificate_thumbprint>
NOTE
If this is NOT the first time that you run this command on this computer, add the -OverwriteConfiguration
parameter; it discards the AD FS configuration that the earlier run left behind.
NOTE
The previous command adds a node to a WID farm. If you want to add a node to a farm that uses SQL
Server, you must have the instance of SQL Server already installed and operational. You can
use the following command to add a federation server to an existing farm by using an instance of SQL
Server:
Add-AdfsFarmNode -ServiceAccountCredential $fscred -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True"
where <SQL_Host_Name> is the name of the server on which the instance of SQL Server is running, and
<SQL_instance_name> is the name of the instance of SQL Server. If you use the default instance of SQL
Server, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
IMPORTANT
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use
SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.
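Joining a node is the same cmdlet with a different shape depending on the farm's database, and the page gives no way to confirm afterwards that the new node is actually receiving configuration from the primary. The following script is an added example rather than code from the original topic. It assumes the primary is fs1.contoso.com, the service name is fs.contoso.com and the farm runs under the gMSA CONTOSO\fsgmsa$ (for a domain user account, replace GroupServiceAccountIdentifier with ServiceAccountCredential as shown in the comment). Run it elevated on the server being added.

```powershell
# Added example (not from the original page). Assumed values are marked below.
param(
    [string]$PrimaryComputerName   = 'fs1.contoso.com',   # assumption; used for WID farms only
    [string]$FederationServiceName = 'fs.contoso.com',    # assumption
    [string]$GmsaIdentifier        = 'CONTOSO\fsgmsa$',   # assumption; must be the account the primary uses
    [string]$SqlDataSource         = ''                   # e.g. 'sql01.contoso.com\ADFS'; empty = WID farm
)

# Every node must present the farm's SSL certificate, so it has to be in this
# machine's store with its private key before the node can be added.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $FederationServiceName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "Import the farm's SSL certificate (.pfx with private key) for $FederationServiceName into Cert:\LocalMachine\My first"
}

$node = @{
    CertificateThumbprint         = $cert.Thumbprint
    GroupServiceAccountIdentifier = $GmsaIdentifier
    # Domain user account instead of a gMSA: remove the line above and use
    # ServiceAccountCredential = (Get-Credential -Message 'AD FS service account (DOMAIN\user)')
}
if ($SqlDataSource) {
    # SQL Server farm: every node reads the shared database, so no primary is named.
    $node.SQLConnectionString = "Data Source=$SqlDataSource;Integrated Security=True"
} else {
    # WID farm: the secondary pulls configuration from the primary (port 80 by default).
    $node.PrimaryComputerName = $PrimaryComputerName
}
Add-AdfsFarmNode @node

# Verify the result. On a WID secondary, Role is SecondaryComputer and LastSyncStatus 0
# means the most recent pull from the primary succeeded; on SQL nodes every server is primary.
$sync = Get-AdfsSyncProperties
$sync | Format-List Role, PrimaryComputerName, LastSyncStatus, LastSyncTime
if ($sync.Role -ne 'PrimaryComputer' -and $sync.LastSyncStatus -ne 0) {
    Write-Warning "Configuration sync from $($sync.PrimaryComputerName) has not succeeded yet; check the AD FS Admin log on this node"
}
```

If the sync check keeps failing, the usual causes are a firewall blocking the primary's port 80 from the new node or a service account that differs from the one the primary was configured with; both are worth checking before re-running the cmdlet with -OverwriteConfiguration.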
See Also
AD FS Deployment
Windows Server 2012 R2 AD FS Deployment Guide
Deploying a Federation Server Farm
Configure a federation server with Device
Registration Service
3/5/2021 • 2 minutes to read
You can enable Device Registration Service (DRS) on your federation server after you complete the procedures
in Step 4: Configure a Federation Server. The Device Registration Service provides an onboarding mechanism
for seamless second factor authentication, persistent single sign-on (SSO), and conditional access to consumers
that require access to company resources. For more information about DRS, see Join to Workplace from Any
Device for SSO and Seamless Second Factor Authentication Across Company Applications.
To enable Device Registration Service
1. On your federation server, open a Windows PowerShell command window and run the following command:
Initialize-ADDeviceRegistration
2. When prompted for ServiceAccountName, enter the name of the service account you selected as the
service account for AD FS. If it is a gMSA account, enter the account in the domain\accountname$
format. For a domain account, use the format domain\accountname.
3. In the same Windows PowerShell command window, run the following command:
Enable-AdfsDeviceRegistration
To update the Web Application Proxy configuration for DRS
1. On the Web Application Proxy server, open a Windows PowerShell command window and run the following command:
Update-WebApplicationProxyDeviceRegistration
2. When prompted for credentials, enter the credentials of an account that has administrative rights to your
federation servers.
See Also
AD FS Deployment
Windows Server 2012 R2 AD FS Deployment Guide
Deploying a Federation Server Farm
Configure Corporate DNS for the Federation
Service and DRS
6/17/2021 • 2 minutes to read
You can use the following procedure to add a host (A) and alias (CNAME) resource records to corporate DNS for
the federation server and the Device Registration Service.
Membership in Administrators , or equivalent, is the minimum requirement to complete this procedure.
Review details about using the appropriate accounts and group memberships at Local and Domain Default
Groups.
To add a host (A) and alias (CNAME) resource records to DNS for your federation server
1. On your domain controller, in Server Manager, on the Tools menu, click DNS to open the DNS snap-in.
2. In the console tree, expand the domain_controller_name node, expand Forward Lookup Zones,
right-click domain_name, and then click New Host (A or AAAA).
3. In the Name box, type the name to use for your AD FS farm.
4. In the IP address box, type the IP address of your federation server. Click Add Host.
5. Right-click the domain_name node, and then click New Alias (CNAME).
6. In the New Resource Record dialog box, type enterpriseregistration in the Alias name box.
7. In the fully qualified domain name (FQDN) of the target host box, type
federation_service_farm_name.domain_name.com, and then click OK.
IMPORTANT
Clients locate DRS by looking up enterpriseregistration.<UPN suffix> for the user's UPN. In a real-world
deployment, if your company has multiple User Principal Name (UPN) suffixes, you must create an
enterpriseregistration CNAME record in the DNS zone of each of those UPN suffixes, all pointing at the
federation service name.
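The DNS procedure above is per-record and per-suffix, and it has to line up with the DRS cmdlets from the previous topic (Configure a federation server with Device Registration Service). The following script is an added example, not code from the original topic: it creates the host (A) record, one enterpriseregistration CNAME for every UPN suffix the forest actually uses, verifies that each resolves to the federation service, and then runs the DRS cmdlets. It assumes zone contoso.com, federation service fs.contoso.com at 10.0.0.10, DNS server dc01.contoso.com and gMSA CONTOSO\fsgmsa$, and that the DnsServer and ActiveDirectory PowerShell modules (RSAT) are installed on the federation server where it runs.

```powershell
# Added example (not from the original page). Assumed values are marked below.
$zone      = 'contoso.com'        # assumption: primary DNS zone
$farmHost  = 'fs'                 # assumption: federation service name is fs.contoso.com
$farmIP    = '10.0.0.10'          # assumption: address of the federation server
$dnsServer = 'dc01.contoso.com'   # assumption: DNS server that hosts the zones
$fsFqdn    = "$farmHost.$zone"

# Host (A) record for the federation service name.
Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $zone -Name $farmHost -IPv4Address $farmIP

# Every UPN suffix in use needs enterpriseregistration.<suffix>: the forest root,
# the current domain, and any alternative suffixes registered on the forest.
$forest   = Get-ADForest
$suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes) + @((Get-ADDomain).DNSRoot) | Sort-Object -Unique
foreach ($suffix in $suffixes) {
    # A vanity suffix such as contoso.net needs its own zone; skip suffixes this server does not host.
    if (-not (Get-DnsServerZone -ComputerName $dnsServer -Name $suffix -ErrorAction SilentlyContinue)) {
        Write-Warning "No zone for UPN suffix $suffix on $dnsServer; create enterpriseregistration.$suffix where that zone is hosted"
        continue
    }
    Add-DnsServerResourceRecordCName -ComputerName $dnsServer -ZoneName $suffix `
        -Name 'enterpriseregistration' -HostNameAlias $fsFqdn
}

# Verify from this host's resolver that each alias points at the federation service.
foreach ($suffix in $suffixes) {
    $cname = Resolve-DnsName "enterpriseregistration.$suffix" -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'CNAME' | Select-Object -First 1
    if ($cname.NameHost -ne $fsFqdn) {
        Write-Warning "enterpriseregistration.$suffix does not resolve to $fsFqdn"
    }
}

# Enable DRS on this federation server. The gMSA name keeps its trailing $;
# a domain user account would be given as CONTOSO\username.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\fsgmsa$'   # assumption
Enable-AdfsDeviceRegistration
Get-AdfsDeviceRegistration   # shows the DRS settings now in effect (device quota, inactivity period, object location)

# Afterwards, on each Web Application Proxy server (prompts for federation-server admin credentials):
# Update-WebApplicationProxyDeviceRegistration
```

The suffix loop is the part worth keeping: a missing enterpriseregistration alias for one UPN suffix produces a workplace-join failure only for users with that suffix, which is easy to misread as a client-side problem.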
See Also
AD FS Deployment
Windows Server 2012 R2 AD FS Deployment Guide
Deploying a Federation Server Farm
Verify your Windows Server 2012 R2 Federation
Server is Operational
6/17/2021 • 2 minutes to read
You can use the following procedures to verify that a federation server is operational; that is, that any client on
the same network can reach a new federation server.
Membership in Users , Backup Operators , Power Users , Administrators or equivalent, on the local
computer is the minimum required to complete this procedure. Review details about using the appropriate
accounts and group memberships at Local and Domain Default Groups.
Procedure 1: To verify that a federation server is operational
1. To verify that the federation server is serving its web endpoints correctly, log on to
a client computer that is located in the same forest as the federation server. (AD FS in Windows Server
2012 R2 does not run on IIS; it serves HTTP through HTTP.sys, but the check is the same.)
2. Open a browser window, in the address bar type the federation server's DNS host name, and then
append /adfs/fs/federationserverservice.asmx to it for the new federation server, for example:
https://fs1.fabrikam.com/adfs/fs/federationserverservice.asmx
3. Press ENTER, and then complete the next procedure on the federation server computer. If you see the
message There is a problem with this website's security certificate, the client does not trust the SSL
certificate that the federation server presents (for example, the issuing CA is not trusted by the client, or
the name in the certificate does not match the host name you typed). In a test environment you can click
Continue to this website; in production, fix the certificate or the client's trust store rather than bypassing
the warning, because every federation client will hit the same error.
The expected output is a display of XML with the service description document. If this page appears, the
federation server is operational and serving pages successfully.
Membership in Administrators , or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
Procedure 2: To verify that a federation server is operational
1. Log on to the new federation server as an administrator.
2. On the Start screen, type Event Viewer, and then press ENTER.
3. In the details pane, double-click Applications and Services Logs, double-click AD FS, and
then click Admin.
4. In the Event ID column, look for event ID 100. If the federation server is configured properly, you see a
new event in the AD FS Admin log with the event ID 100. This event verifies that the
federation server was able to successfully communicate with the Federation Service.
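Both checks above can be scripted so they are repeatable after every farm change. The following is an added example, not code from the original topic. Test-AdfsServiceDescription performs Procedure 1 from a domain-joined client and deliberately keeps certificate validation on, so an untrusted or mismatched certificate surfaces as a failure instead of a click-through; Test-AdfsStartEvent performs Procedure 2 on the federation server by reading the AD FS/Admin log. The host name fs1.contoso.com is an assumption.

```powershell
# Added example (not from the original page). fs1.contoso.com is an assumption.
$fsHost = 'fs1.contoso.com'

# Procedure 1: fetch the service description over HTTPS. Invoke-WebRequest validates the
# certificate chain and host name by default and throws on failure; do not disable that
# check here, because a warning on this URL means every federation client will see it too.
function Test-AdfsServiceDescription {
    param([string]$HostName)
    $url = "https://$HostName/adfs/fs/federationserverservice.asmx"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Url = $url; Ok = $false; Reason = $_.Exception.Message }
    }
    # The expected body is the XML service description document.
    $ok = ($resp.StatusCode -eq 200) -and ($resp.Content -like '*<?xml*')
    [pscustomobject]@{ Url = $url; Ok = $ok; Reason = "HTTP $($resp.StatusCode)" }
}

# Procedure 2: look for event ID 100 in the AD FS Admin log, newest first.
function Test-AdfsStartEvent {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 100; StartTime = $Since } `
            -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated -Descending | Select-Object -First 1
    if ($ev) {
        "Event 100 at $($ev.TimeCreated): the federation service started and reached the Federation Service"
    } else {
        "No event 100 since $Since; look at AD FS/Admin for errors and warnings instead"
    }
}

# From the client:
Test-AdfsServiceDescription -HostName $fsHost
# On the federation server, plus the certificate AD FS is actually presenting, which
# should be the same one the client just validated:
Test-AdfsStartEvent
Get-AdfsCertificate -CertificateType Service-Communications
```

Comparing the Service-Communications thumbprint with the certificate the client received closes the loop: a mismatch usually means the wrong certificate was chosen at Install-AdfsFarm time, or a load balancer in front of the farm is terminating TLS with a different certificate.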
See Also
AD FS Deployment
Windows Server 2012 R2 AD FS Deployment Guide
Deploying a Federation Server Farm
Deploying Federation Server Proxies
3/5/2021 • 2 minutes to read
In Active Directory Federation Services (AD FS) in Windows Server 2012 R2, the role of a federation server
proxy is handled by a new Remote Access role service called Web Application Proxy. To enable your AD FS for
accessibility from outside the corporate network, which was the purpose of deploying a federation server proxy
in legacy versions of AD FS, such as AD FS 2.0 and AD FS in Windows Server 2012, you can deploy one or more
web application proxies for AD FS in Windows Server 2012 R2.
In the context of AD FS, Web Application Proxy functions as an AD FS federation server proxy. In addition to this,
Web Application Proxy provides reverse proxy functionality for web applications inside your corporate network
to enable users on any device to access them from outside the corporate network. For more information, about
the Web Application Proxy role service, see Web Application Proxy Overview.
To plan the deployment of Web Application proxy, you can review the information in the following topics:
Plan the Web Application Proxy Infrastructure (WAP)
Plan the Web Application Proxy Server
To deploy Web Application proxy, you can follow the procedures in the following topics:
Configure the Web Application Proxy Infrastructure
Install and Configure the Web Application Proxy Server
See Also
AD FS Deployment
Windows Server 2012 R2 AD FS Deployment Guide
Deploying a Federation Server Farm
Azure Active Directory Connect
3/5/2021 • 2 minutes to read
Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you to
provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.
For more information, see Integrating your on-premises identities with Azure Active Directory.
Windows Server 2012 AD FS Deployment Guide
3/5/2021 • 2 minutes to read
You can use Active Directory® Federation Services (AD FS) with the Windows Server® 2012 operating
system to build a federated identity management solution that extends distributed identification, authentication,
and authorization services to Web-based applications across organization and platform boundaries. By
deploying AD FS, you can extend your organization's existing identity management capabilities to the Internet.
You can deploy AD FS to:
Provide your employees or customers with a Web-based, single-sign-on (SSO) experience when they
need remote access to internally hosted Web sites or services.
Provide your employees or customers with a Web-based, SSO experience when they access cross-
organizational Web sites or services from within the firewalls of your network.
Provide your employees or customers with seamless access to Web-based resources in any federation
partner organization on the Internet without requiring employees or customers to log on more than
once.
Retain complete control over your employee or customer identities without using other sign-on
providers (Windows Live ID, Liberty Alliance, and others).
In this guide
Planning to Deploy AD FS
Implementing Your AD FS Design Plan
Checklist: Implementing a Web SSO Design
Checklist: Implementing a Federated Web SSO Design
Configuring Partner Organizations
Configuring Claim Rules
Deploying Federation Servers
Deploying Federation Server Proxies
Interoperating with AD FS 1.x
Planning to Deploy AD FS
3/5/2021 • 2 minutes to read
After you collect information about your environment and you decide on an Active Directory Federation
Services (AD FS) design by following the guidance in the AD FS Design Guide in Windows Server 2012, you can
begin to plan the deployment of your organization's AD FS design. With the completed design and the
information in this topic, you can determine which tasks to perform to deploy AD FS in your organization.
The following environmental conditions and requirements are important factors in the implementation of your
Active Directory Federation Services (AD FS) design plan:
Supported partners: You usually use AD FS to work with partner organizations. To establish identity
federation, determine the organizations with which you want to form a partnership. After a baseline AD
FS deployment is in place, operating with partners involves adding partners, deleting partners, and
updating partner information. Changes to partnerships may occur for a variety of reasons. For example,
your AD FS deployment might require partnership updates if your partner changes its business
significantly, your organization becomes part of a larger organization or a federation of organizations, or
your organization is acquired by a different company. In any scenario in which you federate identities
from multiple domains, you will need to know the domains (partners) that you are currently supporting
and all the additional domains that represent potential partners.
Supported application and service types: Some applications and services require access to
operating system resources, while others are "claims aware." It is important to understand the types of
applications and services that AD FS supports so that you can formulate administration requirements.
Logical and physical architectural diagrams or deployment topology: You will need to know:
Whether federation servers will function in a set of farmed servers or on a single server.
Where your network deploys firewalls and proxies.
The location of resources and whether users are accessing resources from within your
organization, outside the organization, or both.
This parent checklist includes cross-reference links to important concepts about the Web Single-Sign-On (SSO)
design for Active Directory Federation Services (AD FS). It also contains links to subordinate checklists that will
help you complete the tasks that are required to implement this design.
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a conceptual topic or to a subordinate
checklist, return to this topic after you review the conceptual topic or complete the tasks in the subordinate checklist so
that you can proceed with the remaining tasks in this checklist.
Task: Review important concepts about the Web SSO design and determine which AD FS deployment goals you
can use to customize this design to meet the needs of your organization. Note:
Reference: Web SSO Design; Identifying Your AD FS Deployment Goals
Task: Review the hardware, software, certificate, Domain Name System (DNS), attribute store, and client
requirements for deploying AD FS in your organization.
Reference: Appendix A: Reviewing AD FS Requirements
Task: According to your design plan, install one or more federation servers in the corporate network or in the
perimeter network. Note: The Web SSO design requires only one federation server to function successfully. A
single federation server acts in both the claims provider role and the relying party role.
Reference: Checklist: Setting Up a Federation Server
Task: (Optional) Determine whether or not your organization needs a federation server proxy in the perimeter
network.
Reference: Checklist: Setting Up a Federation Server Proxy
Task: Depending on your Web SSO design plan and how you intend to use it, add the appropriate attribute
store, relying party trusts, claims, and claim rules to the Federation Service.
Reference: Checklist: Configuring the Account Partner Organization
This parent checklist includes cross-reference links to important concepts about the Federated Web Single-Sign-
On (SSO) design for Active Directory Federation Services (AD FS). It also contains links to subordinate checklists
that will help you complete the tasks that are required to implement this design.
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a conceptual topic or to a subordinate
checklist, return to this topic after you review the conceptual topic or you complete the tasks in the subordinate checklist
so that you can proceed with the remaining tasks in this checklist.
Task: Review important concepts about the Federated Web SSO design and determine which AD FS deployment
goals you can use to customize this design to meet the needs of your organization.
Reference: Federated Web SSO Design; Identifying Your AD FS Deployment Goals; Planning Your Deployment
Task: Review the hardware, software, certificate, Domain Name System (DNS), attribute store, and client
requirements for deploying AD FS in your organization.
Reference: Appendix A: Reviewing AD FS Requirements
Task: Review important concepts about claims, claim rules, attribute stores, and the AD FS configuration
database before deploying AD FS in both partner organizations.
Reference: Understanding Key AD FS Concepts
Task: According to your design plan, install one or more federation servers in each partner organization. Note:
For the Federated Web SSO design, you need at least one federation server in the account partner organization
and at least one federation server in the resource partner organization.
Reference: Checklist: Setting Up a Federation Server
Task: (Optional) Determine whether or not your organization needs a federation server proxy. If your design
plan calls for a proxy, you can install one or more federation server proxies in each partner organization.
Reference: Checklist: Setting Up a Federation Server Proxy
Task: According to your design plan, share certificates, configure clients, and configure the trust relationships in
both partner organizations so that they can communicate over a federation trust.
Reference: Checklist: Configuring the Account Partner Organization; Checklist: Configuring the Resource Partner
Organization
To deploy a new partner organization in Active Directory Federation Services (AD FS), complete the tasks in
either Checklist: Configuring the Resource Partner Organization or Checklist: Configuring the Account Partner
Organization, depending on your AD FS design.
NOTE
When you use either of these checklists, we strongly recommend that you first read the references to account partner or
resource partner planning guidance in the AD FS Design Guide in Windows Server 2012 before continuing to the
procedures for setting up the new partner organization. Following the checklist in this way will help provide a better
understanding of the full AD FS design and deployment story for the account partner or resource partner organization.
The account partner organization contains the users that will access Web-based applications in the resource
partner. Administrators in this organization must use the AD FS Management snap-in to create relying party
trusts to represent their trust relationships with resource partner organizations. In turn, the resource partner
administrator must create claims provider trusts for each account partner organization that they want to trust.
This checklist includes tasks for deploying Active Directory Federation Services (AD FS) in the account partner
organization. It also includes tasks for configuring the components that are required to establish one-half of a
federation partnership.
If you are deploying a Web SSO Design, you do not have to follow this checklist. However, you do have to
complete the tasks in this checklist to successfully deploy a Federated Web SSO Design.
IMPORTANT
Make sure that the administrator in the resource partner organization follows the guidance in Checklist: Configuring the
Resource Partner Organization to ensure that all necessary deployment tasks will be completed to successfully create the
second half of the federation partnership.
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you
complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
TA SK REF EREN C E
If you have an existing AD FS 1.0 or 1.1 deployment in your Planning a Migration to AD FS 2.0
production environment today, see the link to the right for
information about how to migrate settings from your
current Federation Service to a new AD FS Federation
Service. If you are deploying AD FS for the first time in your
organization using AD FS, you can skip this step and
continue to the next task in this checklist for information
about how to set up a new account partner organization.
Based on your deployment goals, review information about Provide Your Active Directory Users Access to Your
the components that are required to provide users with Claims-Aware Applications and Services
access to the federated applications. Provide Your Active Directory Users Access to the
Applications and Services of Other Organizations
Provide Users in Another Organization Access to Your
Claims-Aware Applications and Services
TASK: Before you begin deploying your AD FS servers, review (1) the advantages and disadvantages of choosing either Windows Internal Database (WID) or SQL Server to store the AD FS configuration database, and (2) the AD FS deployment topology types and their associated server placement and network layout recommendations.
REFERENCE: Determine Your AD FS Deployment Topology; AD FS Deployment Topology Considerations

TASK: Review AD FS capacity planning guidance to determine the proper number of federation servers and federation server proxies you should use in your production environment.
REFERENCE: Planning for AD FS Server Capacity

TASK: To effectively plan and implement the physical topology for the account partner deployment, determine whether your AD FS design requires one or more federation servers or federation server proxies.
REFERENCE: Checklist: Setting Up a Federation Server; Checklist: Setting Up a Federation Server Proxy

TASK: Determine the type of attribute store that you want to add to AD FS. Then add the attribute store by using the AD FS Management snap-in.
REFERENCE: The Role of Attribute Stores; Add an Attribute Store

TASK: If you will need to send claims to or consume claims from a resource partner that is using either an AD FS 1.0 or AD FS 1.1 Federation Service, see the reference for information about how to configure AD FS to interoperate with previous versions of AD FS. If the resource partner organization is also using AD FS to send or consume claims to your organization, you can skip this step and continue with the next task in this checklist.
REFERENCE: Planning for Interoperability with AD FS 1.x

TASK: After you deploy the first federation server in the account partner organization, create a relying party trust relationship by using the AD FS Management snap-in. You can create a relying party trust by entering data about a resource partner manually or by using a federation metadata URL that the administrator of the resource partner organization provides to you. You can use the federation metadata to retrieve the data for the resource partner automatically. Note: If the resource partner publishes its federation metadata or can provide a file copy of it for you to use, we recommend that you retrieve the data automatically because it can save time.
REFERENCE: Create a Relying Party Trust Manually; Create a Relying Party Trust Using Federation Metadata

TASK: Depending on the needs of your organization, create one or more claim rule sets for each relying party trust that is specified in the AD FS Management snap-in so that claims will be issued appropriately.
REFERENCE: Checklist: Creating Claim Rules for a Relying Party Trust

TASK: A claim description must be created if one does not already exist that will fulfill the needs of your organization. AD FS ships with a default set of claim descriptions that are exposed in the AD FS Management snap-in.
REFERENCE: Add a Claim Description

TASK: Determine whether your organization will need to use identity delegation to authorize or constrain a specified account to "act as" or impersonate other users. This is often a requirement when front-end Web applications must interact with back-end Web services.
REFERENCE: When to Use Identity Delegation

TASK: Prepare client computers for federation by:
- Adding the URL for the account partner federation server to the trusted sites list for the client browser.
- Using Group Policy to push the appropriate Secure Sockets Layer (SSL) certificates to client computers.
REFERENCE: Prepare Client Computers in the Account Partner; Configure Client Computers to Trust the Account Federation Server; Distribute Certificates to Client Computers by Using Group Policy
Checklist: Configuring the Resource Partner Organization
6/17/2021
The resource partner organization contains the Web servers hosting the Web-based applications that will be
accessed by users in the account partner. Administrators in this organization must use the AD FS Management
snap-in to create claims provider trusts to represent their trust relationships with account partner organizations.
In turn, the account partner administrator must create relying party trusts for each account partner organization
that they want to trust.
This checklist includes the tasks that are necessary for deploying Active Directory Federation Services (AD FS) in
the resource partner organization. It also includes tasks for configuring the components that are required to
establish one-half of a federation partnership.
If you are deploying a Web SSO Design, you do not have to follow this checklist. However, you do have to
complete the tasks in this checklist to successfully deploy a Federated Web SSO Design.
IMPORTANT
Make sure that the administrator of the account partner organization follows the guidance in Checklist: Configuring the
Account Partner Organization to ensure that all necessary deployment tasks will be completed to successfully create the
second half of the federation partnership.
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you
complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
TASK: Based on your deployment goals, review information about the components that are required to provide users with access to the federated applications.
REFERENCE: Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services; Provide Your Active Directory Users Access to the Applications and Services of Other Organizations; Provide Users in Another Organization Access to Your Claims-Aware Applications and Services

TASK: Review the different application types, and decide which application to deploy.
REFERENCE: Determine Your Federated Application Strategy in the Resource Partner

TASK: Before you begin deploying your AD FS servers, review (1) the advantages and disadvantages of choosing either Windows Internal Database (WID) or SQL Server to store the AD FS configuration database, and (2) the AD FS deployment topology types and their associated server placement and network layout recommendations.
REFERENCE: Determine Your AD FS Deployment Topology; AD FS Deployment Topology Considerations

TASK: Review AD FS capacity planning guidance to determine the proper number of federation servers and federation server proxies you should use in your production environment.
REFERENCE: Planning for AD FS Server Capacity

TASK: To effectively plan and implement the physical topology for the account partner deployment, determine whether your AD FS design requires one or more federation servers or federation server proxies.
REFERENCE: Checklist: Setting Up a Federation Server; Checklist: Setting Up a Federation Server Proxy

TASK: Determine the type of attribute store that you want to add to AD FS. Then add the attribute store by using the AD FS Management snap-in.
REFERENCE: The Role of Attribute Stores; Add an Attribute Store

TASK: If you will need to send claims to or consume claims from an account partner that is using either an AD FS 1.0 or AD FS 1.1 Federation Service, see the reference for information about how to configure AD FS to interoperate with previous versions of AD FS. If the account partner organization is also using AD FS to send or consume claims to your organization, you can skip this step and continue with the next task in this checklist.
REFERENCE: Planning for Interoperability with AD FS 1.x

TASK: After you deploy the first federation server in the resource partner organization, create a claims provider trust relationship by using the AD FS Management snap-in. You can create a claims provider trust by entering data about an account partner manually or by using a federation metadata URL that the administrator of the account partner organization provides to you. You can use the federation metadata to retrieve the data for the resource partner automatically. Note: If the account partner publishes its federation metadata or can provide a file copy of it for you to use, we recommend that you retrieve the data automatically because it can save time.
REFERENCE: Create a Claims Provider Trust Manually; Create a Claims Provider Trust Using Federation Metadata

TASK: Depending on the needs of your organization, create one or more claim rule sets for each claims provider trust that is specified in the AD FS Management snap-in so that incoming claims will be passed through, transformed, or mapped appropriately to corresponding claims in the resource partner.
REFERENCE: Checklist: Creating Claim Rules for a Claims Provider Trust

TASK: (Optional) A claim description may have to be created if one does not already exist that will fulfill the needs of your organization. AD FS includes a default set of claim descriptions that are exposed in the AD FS Management snap-in.
REFERENCE: Add a Claim Description
Add an Attribute Store
6/17/2021
User accounts and computer accounts that require access to a resource that is protected by Active Directory
Federation Services (AD FS) are stored in an attribute store, such as Active Directory Domain Services (AD DS).
The claims issuance engine uses attribute stores to gather data that is necessary to issue claims. Data from the
attribute stores is then projected as claims.
You can use the following procedure to add an attribute store to the Federation Service.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
To add an attribute store
1. Open AD FS Management.
2. Under Actions, click Add an attribute store.
3. In the Add an attribute store dialog box, configure the following properties for the attribute store that
you want to add:
- In Display name, type the name that you want to use to identify the attribute store.
- In Attribute store type, select a supported attribute store type: Active Directory, LDAP, or SQL.
- In Connection string, if you have selected either a Lightweight Directory Access Protocol (LDAP) store or a Structured Query Language (SQL) store, enter the string that you used to establish a connection to the attribute store. For Active Directory attribute stores, no connection string is necessary; therefore, this field is disabled.
NOTE
AD FS automatically creates an Active Directory attribute store, by default.
4. Click OK.
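The same LDAP and SQL attribute stores can be registered from PowerShell with the AD FS module. This is an added example, not code from the Microsoft article: the cmdlets are real, while the store names, host names and database name are constructed placeholders, and the "connection" key in the Configuration hashtable is assumed to be the one the cmdlet expects for LDAP and SQL stores (compare against the output of Get-AdfsAttributeStore for a store created through the snap-in if in doubt).

```powershell
# Added example (not from the Microsoft article). Store names, hosts and the
# database name are constructed placeholders.
Import-Module ADFS

# LDAP store. The connection string is an LDAP path; AD FS binds as the
# federation service account, so no credential is embedded in the string.
Add-AdfsAttributeStore -Name 'PartnerDirectory' -StoreType 'LDAP' `
    -Configuration @{ 'connection' = 'LDAP://ldap.example.test:389/DC=example,DC=test' }

# SQL store. Integrated Security makes the AD FS service account authenticate
# with Kerberos, so no SQL login password is stored in the AD FS configuration
# database; Encrypt=True keeps attribute values off the wire in clear text.
Add-AdfsAttributeStore -Name 'HrDatabase' -StoreType 'SQL' `
    -Configuration @{ 'connection' = 'Server=sql01.example.test;Database=HR;Integrated Security=True;Encrypt=True' }

# Verify: the default Active Directory store plus the two stores added above.
Get-AdfsAttributeStore | Format-List Name, Configuration
```

The connection string is stored as part of the AD FS configuration, so a store configured with an embedded SQL password would expose that password to anyone who can read the configuration database; the integrated-security form avoids that.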
Additional references
AD FS Operations
The Role of Attribute Stores
Create a Claims Provider Trust
6/17/2021
To add a new claims provider trust by using the AD FS Management snap-in and manually configure the
settings, perform the following procedure on a resource partner federation server in the resource partner
organization.
Membership in Administrators, or equivalent, on the local computer is the minimum requirement to complete
this procedure. Review details about using the appropriate accounts and group memberships at Local and
Domain Default Groups.
5. On the Specify Display Name page, type a Display name, under Notes type a description for this
claims provider trust, and then click Next.
6. On the Configure URL page, specify the WS-Federation Passive URL if applicable, and click Next.
7. On the Configure Identifier page, under Claims provider trust identifier, type the appropriate
identifier, and then click Next.
8. On the Configure Certificates page, click Add to locate a certificate file and add it to the list of
certificates, and then click Next.
9. On the Ready to Add Trust page, click Next to save your claims provider trust information.
10. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box. For
more information about how to proceed with adding claim rules for this claims provider trust, see the
following additional references.
To create a claims provider trust using federation metadata
To add a new claims provider trust, using the AD FS Management snap-in, by automatically importing
configuration data about the partner from federation metadata that the partner has published to a local network
or to the Internet, perform the following procedure on a federation server in the resource partner organization.
NOTE
Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these
certificates have no security value and can enable an attacker to impersonate a Federation Service that is publishing
federation metadata. Therefore, when querying federation metadata, you should only use a fully qualified domain name
such as https://myserver.contoso.com.
5. On the Specify Display Name page, type a Display name, under Notes type a description for this claims
provider trust, and then click Next.
6. On the Ready to Add Trust page, click Next to save your claims provider trust information.
7. On the Finish page, click Close. This will automatically display the Edit Claim Rules dialog box. For more
information about how to proceed with adding claim rules for this claims provider trust, see the
Additional references section below.
Additional references
Checklist: Configuring the Resource Partner Organization
Checklist: Creating Claim Rules for a Claims Provider Trust
See Also
AD FS Operations
Create a Relying Party Trust
6/17/2021
The following document provides information on creating a relying party trust manually and using federation
metadata.
5. On the Specify Display Name page, type a name in Display name, under Notes type a description for
this relying party trust, and then click Next.
6. On the Configure Certificate page, if you have an optional token encryption certificate, click Browse
to locate a certificate file, and then click Next.
7. On the Configure URL page, do one or both of the following, click Next, and then go to step 8:
- Select the Enable support for the WS-Federation Passive protocol check box. Under Relying party WS-Federation Passive protocol URL, type the URL for this relying party trust, and then click Next.
- Select the Enable support for the SAML 2.0 WebSSO protocol check box. Under Relying party SAML 2.0 SSO service URL, type the Security Assertion Markup Language (SAML) service endpoint URL for this relying party trust, and then click Next.
8. On the Configure Identifiers page, specify one or more identifiers for this relying party, click Add to
add them to the list, and then click Next.
9. On the Choose Access Control Policy page, select a policy and click Next. For more information about
access control policies, see Access Control Policies in AD FS.
10. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party
trust information.
11. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.
To create a claims-aware relying party trust using federation metadata
To add a new relying party trust, using the AD FS Management snap-in, by automatically importing
configuration data about the partner from federation metadata that the partner published to a local network or
to the Internet, perform the following procedure on a federation server in the account partner organization.
NOTE
Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these
certificates have no security value and can enable an attacker to impersonate a Federation Service that is publishing
federation metadata. Therefore, when querying federation metadata, you should only use a fully qualified domain name
such as https://myserver.contoso.com.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
1. In Server Manager, click Tools, and then select AD FS Management.
2. Under Actions, click Add Relying Party Trust.
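A scripted equivalent of the two metadata-based procedures (claims provider trust on the resource partner side, relying party trust on the account partner side) that enforces the requirement from the note above before anything is imported: the metadata URL must use HTTPS and a fully qualified host name, and the document must parse as SAML metadata. This is an added example, not code from the Microsoft article; the AD FS cmdlets and the FederationMetadata/2007-06 path are real, the partner host names and trust names are constructed placeholders, and Test-FederationMetadataUrl is a helper defined here.

```powershell
# Added example (not from the Microsoft article). Host names and trust names are
# constructed placeholders.
Import-Module ADFS

function Test-FederationMetadataUrl {
    # Returns the entityID published in the metadata, or throws if the URL is
    # unacceptable or the document is not federation metadata.
    param([Parameter(Mandatory)][string]$Url)

    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        throw "Not an absolute URL: $Url"
    }
    if ($uri.Scheme -ne 'https') {
        throw "Federation metadata must be fetched over HTTPS: $Url"
    }
    # A single-label name such as 'myserver' is completed by whatever DNS suffix
    # search list the querying machine has, so anyone who can answer for that
    # name on the path can serve forged metadata. Require a DNS name with a dot.
    if ($uri.HostNameType -ne [UriHostNameType]::Dns -or $uri.Host -notmatch '\.') {
        throw "Host '$($uri.Host)' is not a fully qualified domain name"
    }

    # Invoke-WebRequest validates the server certificate chain and host name
    # against the machine's trusted roots and fails on any mismatch.
    $response = Invoke-WebRequest -Uri $uri -UseBasicParsing
    $xml = [xml]$response.Content
    $entityId = $xml.DocumentElement.GetAttribute('entityID')
    if ($xml.DocumentElement.LocalName -ne 'EntityDescriptor' -or -not $entityId) {
        throw "Document at $Url is not SAML federation metadata"
    }
    return $entityId
}

# Resource partner side: a claims provider trust representing the account partner.
$cpUrl = 'https://fs.accountpartner.example/FederationMetadata/2007-06/FederationMetadata.xml'
$cpEntityId = Test-FederationMetadataUrl -Url $cpUrl
Add-AdfsClaimsProviderTrust -Name 'Account Partner' -MetadataUrl $cpUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Account partner side: a relying party trust representing the resource partner.
$rpUrl = 'https://fs.resourcepartner.example/FederationMetadata/2007-06/FederationMetadata.xml'
$rpEntityId = Test-FederationMetadataUrl -Url $rpUrl
Add-AdfsRelyingPartyTrust -Name 'Resource Partner' -MetadataUrl $rpUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# The identifier imported into each trust must be the entityID we saw in the metadata.
Get-AdfsClaimsProviderTrust -Name 'Account Partner' | Select-Object Name, Identifier
Get-AdfsRelyingPartyTrust   -Name 'Resource Partner' | Select-Object Name, Identifier
"Expected identifiers: $cpEntityId / $rpEntityId"
```

With -MonitoringEnabled and -AutoUpdateEnabled set, AD FS keeps polling the same URL for certificate rollover, which is why the URL itself, not just the first download, has to be one whose TLS identity can be validated.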
See Also
AD FS Operations
Add a Claim Description
6/17/2021
In an account partner organization, administrators create claims to represent a user's membership in a group or
role or to represent some data about a user, for example, a user's employee identification number.
In a resource partner organization, administrators create corresponding claims to represent groups and users
that can be recognized as resource users. Because outgoing claims in the account partner organization map to
incoming claims in the resource partner organization, the resource partner is able to accept the credentials that
the account partner provides.
You can use the following procedure to add a claim.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
3. On the Add a Claim Description dialog box, in Display name, type a unique name that identifies the
group or role for this claim.
4. Add a Short Name.
5. In Claim identifier, type a URI that is associated with the group or role of the claim that you will be
using.
6. Under Description, type text that best describes the purpose of this claim.
7. Depending on the needs of your organization, select either of the following check boxes, as appropriate,
to publish this claim into federation metadata:
- To publish this claim to make partners aware that this server can accept this claim, click Publish this claim in federation metadata as a claim type that this Federation Service can accept.
- To publish this claim to make partners aware that this server can issue this claim, click Publish this claim in federation metadata as a claim type that this Federation Service can send.
8. Click OK.
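The same claim description created from PowerShell, with the two check boxes in step 7 mapped to the -IsAccepted and -IsOffered parameters, followed by a check that the claim type really appears in the ClaimTypesOffered section of the metadata this Federation Service publishes. This is an added example, not code from the Microsoft article; the claim type URI and host name are constructed placeholders, and Test-ClaimTypeOffered is a helper defined here.

```powershell
# Added example (not from the Microsoft article). The claim type URI and the
# federation server host name are constructed placeholders.
Import-Module ADFS

$claimType = 'https://schemas.example.test/claims/employeeid'

# -IsOffered  = "claim type that this Federation Service can send"
# -IsAccepted = "claim type that this Federation Service can accept"
Add-AdfsClaimDescription -Name 'Employee ID' -ShortName 'employeeid' -ClaimType $claimType `
    -IsOffered $true -IsAccepted $true -IsRequired $false `
    -Notes 'Employee identification number sent to the resource partner'

# Read the description back from the configuration database.
Get-AdfsClaimDescription -Name 'Employee ID' |
    Format-List Name, ShortName, ClaimType, IsOffered, IsAccepted

function Test-ClaimTypeOffered {
    # True when the published federation metadata lists $ClaimType under
    # fed:ClaimTypesOffered, i.e. partners importing the metadata will see it.
    param([Parameter(Mandatory)][string]$MetadataUrl,
          [Parameter(Mandatory)][string]$ClaimType)

    $xml = [xml](Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('fed',  'http://docs.oasis-open.org/wsfed/federation/200706')
    $ns.AddNamespace('auth', 'http://docs.oasis-open.org/wsfed/authorization/200706')
    $nodes = $xml.SelectNodes("//fed:ClaimTypesOffered/auth:ClaimType[@Uri='$ClaimType']", $ns)
    return ($nodes.Count -gt 0)
}

Test-ClaimTypeOffered -ClaimType $claimType `
    -MetadataUrl 'https://fs.example.test/FederationMetadata/2007-06/FederationMetadata.xml'
```

Checking the published metadata rather than only the local object catches the case where the description was added on one node of a farm but the node serving the metadata endpoint has not yet picked up the change.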
See Also
AD FS Operations
Configure Client Computers to Trust the Account Federation Server
6/17/2021
So that client computers can successfully access federated applications using Active Directory Federation
Services (AD FS), you must first configure the Internet Explorer settings on each client computer so that the
browser trusts the account federation server. You can do this manually or through Group Policy, depending on
your administrative preference, by completing one of the following procedures.
You can use the following procedure to push down the appropriate Secure Sockets Layer (SSL) certificates (or
equivalent certificates that chain to a trusted root) for account federation servers, resource federation servers,
and Web servers to each client computer in the account partner forest by using Group Policy.
Membership in Domain Admins or Enterprise Admins, or equivalent, in Active Directory Domain Services
(AD DS) is the minimum required to complete this procedure. Review details about using the appropriate
accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To distribute certificates to client computers by using Group Policy
1. On a domain controller in the forest of the account partner organization, start the Group Policy
Management snap-in.
2. Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure
that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user
and computer accounts reside.
3. Right-click the GPO, and then click Edit.
4. In the console tree, open Computer Configuration\Policies\Windows Settings\Security
Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click
Import.
5. On the Welcome to the Certificate Import Wizard page, click Next.
6. On the File to Import page, type the path to the appropriate certificate files (for example,
\\fs1\c$\fs1.cer), and then click Next.
7. On the Certificate Store page, click Place all certificates in the following store, and then click
Next.
8. On the Completing the Certificate Import Wizard page, verify that the information you provided is
accurate, and then click Finish.
9. Repeat steps 2 through 6 to add additional certificates for each of the federation servers in the farm.
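Anything placed in Trusted Root Certification Authorities becomes a trust anchor for every computer the GPO reaches, so it is worth inspecting the files before step 6, and after Group Policy has applied, worth confirming from a client that the federation server's TLS chain now validates. The following is an added example, not code from the Microsoft article; Test-TrustedRootCandidate and Test-FederationServerTls are helpers defined here, and the file paths and host name are constructed placeholders.

```powershell
# Added example (not from the Microsoft article). File paths and the host name
# are constructed placeholders.
function Test-TrustedRootCandidate {
    # Reports whether a .cer file is something you would want as a trust anchor.
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $isCa = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCa = $ext.CertificateAuthority
        }
    }
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # A certificate that is not self-signed is an end-entity or intermediate
    # certificate issued by some CA; distributing that CA's root certificate is
    # what makes the chain validate, without turning a leaf into an anchor.
    $advice = if (-not $selfSigned) { 'Distribute the issuing root CA certificate instead' }
              elseif ($cert.NotAfter -le (Get-Date)) { 'Expired; clients gain nothing from it' }
              else { 'Acceptable as a trust anchor' }

    [pscustomobject]@{
        File       = Split-Path -Path $Path -Leaf
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SelfSigned = $selfSigned
        IsCa       = $isCa
        Advice     = $advice
    }
}

function Test-FederationServerTls {
    # Run on a client after the GPO has applied. AuthenticateAsClient throws when
    # the server's chain does not build to a root the client trusts or the host
    # name does not match, which is exactly what the certificate import must fix.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Host      = $HostName
            Protocol  = $ssl.SslProtocol
            Issuer    = $ssl.RemoteCertificate.Issuer
            Validated = $ssl.IsAuthenticated
        }
    } finally {
        $tcp.Close()
    }
}

# The file named in step 6 plus the issuing CA's certificate (constructed paths).
'\\fs1\c$\fs1.cer', '\\fs1\c$\contoso-root-ca.cer' |
    ForEach-Object { Test-TrustedRootCandidate -Path $_ } |
    Format-Table File, SelfSigned, IsCa, NotAfter, Advice -AutoSize

# From a client in the account partner forest.
Test-FederationServerTls -HostName 'fs1.contoso.com'
```

If Test-FederationServerTls still throws after the policy has applied, run gpupdate /force on the client and check that the thumbprint reported by Test-TrustedRootCandidate is present under Cert:\LocalMachine\Root.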
Configuring Claim Rules
3/5/2021
In a claims-based identity model, the function of Active Directory Federation Services (AD FS) as a federation
service is to issue a token that contains a set of claims. Claim rules govern the decisions about which claims
AD FS issues. Claim rules and all server configuration data are stored in the AD FS configuration database.
AD FS makes issuance decisions based on identity information that is provided to it in the form of claims and on
other contextual information. At a high level, AD FS operates as a rules processor: it takes one set of claims as
input, performs a number of transformations, and then returns a different set of claims as output.
Create a Rule to Pass Through or Filter an Incoming Claim
Create a Rule to Permit All Users
Create a Rule to Send an AD FS 1.x Compatible Claim
Create a Rule to Permit or Deny Users Based on an Incoming Claim
Create a Rule to Send LDAP Attributes as Claims
Create a Rule to Send Group Membership as a Claim
Create a Rule to Transform an Incoming Claim
Create a Rule to Send an Authentication Method Claim
Create a Rule to Send Claims Using a Custom Rule
Additional references
AD FS Operations
Checklist: Creating Claim Rules for a Claims Provider Trust
3/5/2021
This checklist includes tasks for planning, designing, and deploying claim rules that are associated with a claims
provider trust in Active Directory Federation Services (AD FS).
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you
complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
TASK: Review concepts about claims, claim rules, claim rule sets, and claim rule templates and how they are associated with federated trusts.
REFERENCE: The Role of Claims; The Role of Claim Rules

TASK: Review concepts about how a claim flows through all the stages in the claims issuance pipeline and how rules are processed by the claims issuance engine.
REFERENCE: The Role of the Claims Pipeline; The Role of the Claims Engine

TASK: To effectively plan and implement the output claims that will be issued over this claims provider trust, determine whether one or more claim rules are needed and which claim rules you should use with this claims provider trust.
REFERENCE: Determine the Type of Claim Rule Template to Use

TASK: Review concepts about when to create one claim rule over another and how you can use the claim rule language to provide more complex logic than standard rules in order to provide a desired result in the ideal output claim set.
REFERENCE: When to Use a Pass Through or Filter Claim Rule; When to Use a Transform Claim Rule; When to Use a Send LDAP Attributes as Claims Rule; When to Use a Send Group Membership as a Claim Rule; When to Use a Custom Claim Rule; The Role of the Claim Rule Language

TASK: A claim description must be created if one does not already exist that will fulfill the needs of your organization. AD FS ships with a default set of claim descriptions that are exposed in the AD FS Management snap-in.
REFERENCE: Add a Claim Description

TASK: Depending on the needs of your organization, create one or more claim rules for the acceptance transform rules set that is associated with this claims provider trust so that claims will be issued appropriately.
REFERENCE: Create a Rule to Pass Through or Filter an Incoming Claim; Create a Rule to Send LDAP Attributes as Claims; Create a Rule to Send Group Membership as a Claim; Create a Rule to Transform an Incoming Claim; Create a Rule to Send an Authentication Method Claim; Create a Rule to Send an AD FS 1.x Compatible Claim; Create a Rule to Send Claims Using a Custom Rule
Checklist: Creating Claim Rules for a Relying Party Trust
3/5/2021
This checklist includes the tasks that are necessary for planning, designing, and deploying claim rules that are
associated with a relying party trust in Active Directory Federation Services (AD FS).
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you
complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
TASK: Review concepts about claims, claim rules, claim rule sets, and claim rule templates and how they are associated with federated trusts.
REFERENCE: The Role of Claims; The Role of Claim Rules

TASK: Review concepts about how a claim flows through all the stages in the claims issuance pipeline and how rules are processed by the claims issuance engine.
REFERENCE: The Role of the Claims Pipeline; The Role of the Claims Engine

TASK: To effectively plan and implement the output claims that will be issued over this relying party trust, determine whether one or more claim rules are needed and which claim rules you should use with this relying party trust.
REFERENCE: Determine the Type of Claim Rule Template to Use

TASK: Review concepts about when to create one claim rule over another and how you can use the claim rule language to provide more complex logic than standard rules in order to provide a desired result in the ideal output claim set.
REFERENCE: When to Use a Pass Through or Filter Claim Rule; When to Use a Transform Claim Rule; When to Use a Send LDAP Attributes as Claims Rule; When to Use a Send Group Membership as a Claim Rule; When to Use an Authorization Claim Rule; When to Use a Custom Claim Rule; The Role of the Claim Rule Language

TASK: A claim description must be created if one does not already exist that will fulfill the needs of your organization. AD FS ships with a default set of claim descriptions that are exposed in the AD FS Management snap-in.
REFERENCE: Add a Claim Description

TASK: Depending on the needs of your organization, create one or more claim rules for the rule sets that are associated with this relying party trust so that claims will be issued appropriately.
REFERENCE: Create a Rule to Pass Through or Filter an Incoming Claim; Create a Rule to Send LDAP Attributes as Claims; Create a Rule to Send Group Membership as a Claim; Create a Rule to Transform an Incoming Claim; Create a Rule to Send an Authentication Method Claim; Create a Rule to Send an AD FS 1.x Compatible Claim; Create a Rule to Send Claims Using a Custom Rule

TASK: Depending on the needs of your organization, create one or more claim rules for either the issuance authorization rules set or the delegation authorization rules set that is associated with this relying party trust so that users will be permitted access to the relying party.
REFERENCE: Create a Rule to Permit All Users; Create a Rule to Permit or Deny Users Based on an Incoming Claim
Create a Rule to Pass Through or Filter an Incoming Claim
6/17/2021
Using the Pass Through or Filter an Incoming Claim rule template in Active Directory Federation Services
(AD FS), you can pass through all incoming claims with a selected claim type. You can also filter the values of
incoming claims with a selected claim type. For example, you can use this rule template to create a rule that will
send all incoming group claims. You can also use this rule to send only user principal name (UPN) claims that
end with @fabrikam.
You can use the following procedure to create a claim rule with the AD FS Management snap-in.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
3. Right-click the selected trust, and then click Edit Claim Issuance Policy (Windows Server 2016) or Edit
Claim Rules (Windows Server 2012 R2).
4. In the dialog box that opens, under Issuance Transform Rules (Windows Server 2016) or Acceptance
Transform Rules (Windows Server 2012 R2), click Add Rule to start the rule wizard.
5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim from the list, and then click Next.
6. On the Configure Rule page, under Claim rule name, type the display name for this rule; in Incoming
claim type, select a claim type in the list; and then select one of the following options, depending on the
needs of your organization:
- Pass through all claim values
- Pass through only a specific claim value
- Pass through only claim values that match a specific email suffix value
- Pass through only claim values that start with a specific value
7. Click the Finish button.
8. In the Edit Claim Rules dialog box, click OK to save the rule.
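The rules that the Pass Through or Filter, Send LDAP Attributes as Claims, Send Group Membership as a Claim and Transform an Incoming Claim templates generate can be written directly in the claim rule language and applied with PowerShell, which also makes the split between acceptance transform rules (claims provider trust) and issuance transform rules (relying party trust) from the Configuring Claim Rules overview concrete. This is an added example that goes beyond the single template above; it is not code from the Microsoft article. The claim type URIs are the standard AD FS ones, while the trust names, e-mail suffixes and the group SID are constructed placeholders.

```powershell
# Added example (not from the Microsoft article). Trust names, e-mail suffixes and
# the group SID are constructed placeholders.
Import-Module ADFS

$upn   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$role  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$gsid  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$wan   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Acceptance transform rules on a claims provider trust (resource partner side).
# Rule 1 is the "match a specific email suffix" filter: only UPNs ending in
# @fabrikam.com are passed through, so the partner cannot assert identities
# outside its own namespace. Rule 2 is "pass through all claim values".
$acceptanceRules = @"
@RuleName = "Accept only fabrikam.com UPNs"
c:[Type == "$upn", Value =~ "^.+@fabrikam\.com$"]
 => issue(claim = c);

@RuleName = "Pass through e-mail address"
c:[Type == "$email"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName 'Fabrikam' -AcceptanceTransformRules $acceptanceRules

# Issuance transform rules on a relying party trust (account partner side).
# Rule 1: Send LDAP Attributes as Claims, read from the Active Directory store.
# Rule 2: Send Group Membership as a Claim: one group SID becomes a role claim.
# Rule 3: Transform an Incoming Claim: rewrite the e-mail suffix.
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN and e-mail from AD"
c:[Type == "$wan", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upn", "$email"), query = ";userPrincipalName,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Finance group to role"
c:[Type == "$gsid", Value == "S-1-5-21-0000000000-0000000000-0000000000-1234"]
 => issue(Type = "$role", Value = "Finance");

@RuleName = "Rewrite e-mail suffix"
c:[Type == "$email", Value =~ "^.+@corp\.contoso\.com$"]
 => issue(Type = "$email", Value = RegExReplace(c.Value, "@corp\.contoso\.com$", "@contoso.com"));
"@
Set-AdfsRelyingPartyTrust -TargetName 'Claims-Aware App' -IssuanceTransformRules $issuanceRules

# Read back what is stored; this is the same text the wizard would have generated.
(Get-AdfsClaimsProviderTrust -Name 'Fabrikam').AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name 'Claims-Aware App').IssuanceTransformRules
```

Set-AdfsClaimsProviderTrust and Set-AdfsRelyingPartyTrust replace the whole rule set, so keep rule text in source control and apply it as a unit rather than editing individual rules on the server.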
Additional references
Configure Claim Rules
When to Use a Pass Through or Filter Claim Rule
The Role of Claims
The Role of Claim Rules
Create a Rule to Send an AD FS 1.x Compatible Claim
3/5/2021
In situations in which you are using Active Directory Federation Services (AD FS) to issue claims that will be
received by federation servers running AD FS 1.0 (Windows Server 2003 R2) or AD FS 1.1
(Windows Server 2008 or Windows Server 2008 R2), you must do the following:
- Create a rule that will send a Name ID claim type with a format of UPN, Email, or Common Name.
- All other claims that are sent must have one of the following claim types:
  - AD FS 1.x Email Address
  - AD FS 1.x UPN
  - Common Name
  - Group
  - Any other claim type that begins with https://schemas.xmlsoap.org/claims/, such as https://schemas.xmlsoap.org/claims/EmployeeID
Depending on the needs of your organization, use one of the following procedures to create an AD FS 1.x
compatible Name ID claim:
- Create this rule to issue an AD FS 1.x Name ID claim using the Pass Through or Filter an Incoming Claim rule template.
- Create this rule to issue an AD FS 1.x Name ID claim using the Transform an Incoming Claim rule template. You can use this rule template in situations in which you want to change the existing claim type to a new claim type that will work with AD FS 1.x claims.
NOTE
For this rule to work as expected, make sure that the relying party trust or claims provider trust where you are creating
this rule has been configured to use the AD FS 1.0 and 1.1 profile.
4. In the Edit Claim Issuance Policy dialog box (Windows Server 2016) or the Edit Claim Rules dialog box
(Windows Server 2012 R2), under Issuance Transform Rules or Acceptance Transform Rules respectively,
click Add Rule to start the rule wizard.
5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim from the list, and then click Next.
6. On the Configure Rule page, type a claim rule name.
7. In Incoming claim type, select Name ID in the list.
8. In Incoming name ID format, select one of the following AD FS 1.x-compatible claim formats from the
list:
- UPN
- E-Mail
- Common Name
9. Select one of the following options, depending on the needs of your organization:
- Pass through all claim values
- Pass through only a specific claim value
- Pass through only claim values that match a specific email suffix value
- Pass through only claim values that start with a specific value
10. Click Finish, and then click OK to save the rule.
To issue an AD FS 1.x Name ID claim using the Transform an Incoming Claim rule template
3. Right-click the selected trust, and then click Edit Claim Issuance Policy (Windows Server 2016) or Edit
Claim Rules (Windows Server 2012 R2).
4. In the dialog box that opens, under Issuance Transform Rules (Windows Server 2016) or Acceptance
Transform Rules (Windows Server 2012 R2), click Add Rule to start the rule wizard.
5. On the Select Rule Template page, under Claim rule template, select Transform an Incoming
Claim from the list, and then click Next.
6. On the Configure Rule page, type a claim rule name.
7. In Incoming claim type, select the type of incoming claim that you want to transform in the list.
8. In Outgoing claim type, select Name ID in the list.
9. In Outgoing name ID format, select one of the following AD FS 1.x-compatible claim formats from the
list:
- UPN
- E-Mail
- Common Name
10. Select one of the following options, depending on the needs of your organization:
- Pass through all claim values
- Replace an incoming claim value with a different outgoing claim value
- Replace incoming e-mail suffix claims with a new e-mail suffix
11. Click Finish, and then click OK to save the rule.
Additional references
Configure Claim Rules
Checklist: Creating Claim Rules for a Relying Party Trust
Checklist: Creating Claim Rules for a Claims Provider Trust
When to Use an Authorization Claim Rule
The Role of Claims
The Role of Claim Rules
Create a Rule to Permit All Users
6/17/2021 • 2 minutes to read
In Windows Server 2016, you can use an Access Control Policy to create a rule that will give all users access
to a relying party. In Windows Server 2012 R2, using the Permit All Users rule template in Active Directory
Federation Services (AD FS), you can create an authorization rule that will give all users access to the relying
party.
You can use additional authorization rules to further restrict access. Users who are permitted to access the
relying party from the Federation Service may still be denied service by the relying party.
You can use the following procedures to create a claim rule with the AD FS Management snap-in.
Membership in Administrators , or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
3. Right-click the Relying Party Trust that you want to permit access to and select Edit Access Control
Policy .
4. On the Access control policy select Permit everyone and then click Apply and Ok .
5. On the Select Rule Template page, under Claim rule template , select Permit All Users from the list,
and then click Next .
6. On the Configure Rule page, click Finish .
7. In the Edit Claim Rules dialog box, click OK to save the rule.
Additional references
Configure Claim Rules
Checklist: Creating Claim Rules for a Relying Party Trust
When to Use an Authorization Claim Rule
The Role of Claims
The Role of Claim Rules
Create a Rule to Permit or Deny Users Based on an
Incoming Claim
6/17/2021 • 4 minutes to read
In Windows Server 2016, you can use an Access Control Policy to create a rule that will permit or deny users
based on an incoming claim. In Windows Server 2012 R2, using the Permit or Deny Users Based on an
Incoming Claim rule template in Active Directory Federation Services (AD FS), you can create an authorization
rule that will grant or deny users access to the relying party based on the type and value of an incoming claim.
For example, you can use this to create a rule that will permit only users that have a group claim with a value of
Domain Admins to access the relying party. If you want to permit all users to access the relying party, use the
Permit Everyone Access Control Policy or the Permit All Users rule template depending on your version of
Windows Server. Users who are permitted to access the relying party from the Federation Service may still be
denied service by the relying party.
You can use the following procedure to create a claim rule with the AD FS Management snap-in.
Membership in Administrators , or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
5. On the Rule Editor , under Users , select the with specific claims in the request check box, and then
click the underlined word specific at the bottom.
6. On the Select Claims screen, click the Claims radio button, select the Claim type , the Operator , and
the Claim value , and then click Ok .
7. On the Rule Editor click Ok . On the Add Access Control Policy screen, click Ok .
8. In the AD FS Management console tree, under AD FS , click Relying Party Trusts .
9. Right-click the Relying Party Trust that you want to permit access to and select Edit Access Control
Policy .
10. On the Access control policy select your policy and then click Apply and Ok .
To create a rule to deny users based on an incoming claim on
Windows Server 2016
1. In Server Manager, click Tools , and then select AD FS Management .
2. In the console tree, under AD FS , click Access Control Policies .
5. On the Rule Editor , make sure everyone is selected, and under Except select the with specific
claims in the request check box, and then click the underlined word specific at the bottom.
6. On the Select Claims screen, click the Claims radio button, select the Claim type , the Operator , and
the Claim value , and then click Ok .
7. On the Rule Editor click Ok . On the Add Access Control Policy screen, click Ok .
8. In the AD FS Management console tree, under AD FS , click Relying Party Trusts .
9. Right-click the Relying Party Trust that you want to deny access to and select Edit Access Control
Policy .
10. On the Access control policy select your policy and then click Apply and Ok .
To create a rule to permit or deny users based on an incoming claim
on Windows Server 2012 R2
1. In Server Manager, click Tools , and then select AD FS Management .
2. In the console tree, under AD FS\Trust Relationships\Relying Party Trusts , click a specific trust in the
list where you want to create this rule.
3. Right-click the selected trust, and then click Edit Claim Rules .
4. In the Edit Claim Rules dialog box, click the Issuance Authorization Rules tab or the Delegation
Authorization Rules tab (based on the type of authorization rule you require), and then click Add Rule
to start the Add Authorization Claim Rule Wizard .
5. On the Select Rule Template page, under Claim rule template , select Permit or Deny Users Based
on an Incoming Claim from the list, and then click Next .
6. On the Configure Rule page under Claim rule name type the display name for this rule, in Incoming
claim type select a claim type in the list, under Incoming claim value type a value or click Browse (if it
is available) and select a value, and then select one of the following options, depending on the needs of
your organization:
Permit access to users with this incoming claim
Deny access to users with this incoming claim
7. Click Finish .
8. In the Edit Claim Rules dialog box, click OK to save the rule.
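The same authorization rules expressed in the claim rule language and applied with the AD FS PowerShell module, as an added example that is not part of the Microsoft article. The relying party trust name "Claims Aware App" and the group claim value "Guests" are placeholders; the rule set permits only users whose incoming group claim is Domain Admins, denies Guests first, and then reads the stored rules back to confirm that no unconditional permit (the Permit All Users template) is present.

```powershell
# Added example (not from the Microsoft article): claim-rule-language equivalents of the
# "Permit All Users" and "Permit or Deny Users Based on an Incoming Claim" templates,
# applied as issuance authorization rules on a relying party trust.
Import-Module ADFS

$rpName = 'Claims Aware App'   # placeholder: your relying party trust display name

# Rule 1: deny anyone whose incoming group claim is "Guests" (placeholder value).
# A deny claim always wins over a permit claim, whatever the rule order.
$denyGuests = @'
@RuleName = "Deny Guests"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Guests"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

# Rule 2: permit only users carrying a group claim with the value "Domain Admins",
# the example the article gives for the "Permit or Deny Users Based on an Incoming Claim" template.
$permitDomainAdmins = @'
@RuleName = "Permit Domain Admins"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Domain Admins"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# For comparison only: the unconditional permit that the "Permit All Users" template emits.
# It is deliberately NOT part of the rule set applied below.
$permitAll = @'
@RuleName = "Permit All Users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# On Windows Server 2016 a trust that has an access control policy assigned takes its
# authorization from that policy; clear it first (-AccessControlPolicyName $null) if you
# want the rules below to apply directly.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules ($denyGuests + $permitDomainAdmins)

# Read the stored rule set back. An unconditional permit is a rule whose condition part is
# empty, i.e. a line that starts with "=>" and issues the permit claim type.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
$unconditionalPermit = '(?m)^\s*=>\s*issue\(Type\s*=\s*"http://schemas\.microsoft\.com/authorization/claims/permit"'
if ($applied -match $unconditionalPermit) {
    Write-Warning "Relying party '$rpName' has an unconditional permit rule; every authenticated user is allowed."
} else {
    Write-Output "Relying party '$rpName' issuance authorization rules:`n$applied"
}
```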
Additional references
Configure Claim Rules
Checklist: Creating Claim Rules for a Relying Party Trust
When to Use an Authorization Claim Rule
The Role of Claims
The Role of Claim Rules
Create a Rule to Send LDAP Attributes as Claims
6/17/2021 • 3 minutes to read
Using the Send LDAP Attributes as Claims rule template in Active Directory Federation Services (AD FS), you can
create a rule that will select attributes from a Lightweight Directory Access Protocol (LDAP) attribute store, such
as Active Directory, to send as claims to the relying party. For example, you can use this rule template to create a
Send LDAP Attributes as Claims rule that will extract attribute values for authenticated users from the
displayName and telephoneNumber Active Directory attributes and then send those values as two different
outgoing claims.
You can also use this rule to send all the user's group memberships. If you want to send only individual group
memberships, use the Send Group Membership as a Claim rule template. You can use the following procedure
to create a claim rule with the AD FS Management snap-in.
Membership in Administrators , or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
3. Right-click the selected trust, and then click Edit Claim Issuance Policy .
4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to
3. Right-click the selected trust, and then click Edit Claim Rules .
4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules click Add Rule to start the
rule wizard.
5. On the Select Rule Template page, under Claim rule template , select Send LDAP Attributes as
Claims from the list, and then click Next .
6. On the Configure Rule page under Claim rule name type the display name for this rule, select the
Attribute Store , and then select the LDAP attribute and map it to the outgoing claim type.
4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust that you are
editing and which rule set you want to create this rule in, and then click Add Rule to start the rule wizard
that is associated with that rule set:
Acceptance Transform Rules
Issuance Transform Rules
Issuance Authorization Rules
Delegation Authorization Rules
5. On the Select Rule Template page, under Claim rule template , select Send LDAP Attributes as
Claims from the list, and then click Next .
6. On the Configure Rule page under Claim rule name type the display name for this rule, under
Attribute store select Active Directory , and under Mapping of LDAP attributes to outgoing
claim types select the desired LDAP Attribute and the corresponding Outgoing Claim Type from
the drop-down lists.
You have to select a new LDAP attribute and outgoing claim type pair on a different row for each
Active Directory attribute that you want to issue a claim for as part of this rule.
Additional references
Configure Claim Rules
Checklist: Creating Claim Rules for a Relying Party Trust
Checklist: Creating Claim Rules for a Claims Provider Trust
When to Use an Authorization Claim Rule
The Role of Claims
The Role of Claim Rules
Create a Rule to Send Group Membership as a
Claim
6/17/2021 • 3 minutes to read
Using the Send Group Membership as a Claim rule template in Active Directory Federation Services (AD FS),
you can create a rule that will make it possible for you to select an Active Directory security group to send as a
claim. Only a single claim will be emitted from this rule, based on the group that you select. For example, you
can use this rule template to create a rule that will send a group claim with a value of Admin if the user is a
member of the Domain Admins security group. This rule should be used only for users in the local
Active Directory domain.
You can use the following procedure to create a claim rule with the AD FS Management snap-in.
Membership in Administrators , or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
3. Right-click the selected trust, and then click Edit Claim Issuance Policy .
4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to
3. Right-click the selected trust, and then click Edit Claim Rules .
4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules click Add Rule to start the
rule wizard.
5. On the Select Rule Template page, under Claim rule template , select Send Group Membership as
Claim from the list, and then click Next .
6. On the Configure Rule page under Claim rule name type the display name for this rule, in User's
group click Browse and select a group, under Outgoing claim type select the desired claim type, and
then under Outgoing claim value type a value.
4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust that you are
editing and which rule set you want to create this rule in, and then click Add Rule to start the rule wizard
that is associated with that rule set:
Acceptance Transform Rules
Issuance Transform Rules
Issuance Authorization Rules
Delegation Authorization Rules
5. On the Select Rule Template page, under Claim rule template , select Send Group Membership as
a Claim from the list, and then click Next .
6. On the Configure Rule page under Claim rule name type the display name for this rule, in User's
group click Browse and select a group, under Outgoing claim type select the desired claim type, and
then under Outgoing claim value type a value.
7. Click Finish .
8. In the Edit Claim Rules dialog box, click OK to save the rule.
Additional references
Configure Claim Rules
Checklist: Creating Claim Rules for a Relying Party Trust
Checklist: Creating Claim Rules for a Claims Provider Trust
When to Use an Authorization Claim Rule
The Role of Claims
The Role of Claim Rules
Create a Rule to Transform an Incoming Claim
6/17/2021 • 5 minutes to read
By using the Transform an Incoming Claim rule template in Active Directory Federation Services (AD FS),
you can select an incoming claim, change its claim type, and change its claim value. For example, you can use
this rule template to create a rule that sends a role claim with the same claim value of an incoming group claim.
You can also use this rule to send a group claim with a claim value of Purchasers when there is an incoming
group claim with a value of Admins, or you can send only user principal name (UPN) claims that end with
@fabrikam.
You can use the following procedure to create a claim rule with the AD FS Management snap-in.
Membership in Administrators , or equivalent, on the local computer is the minimum requirement to complete
this procedure. Review details about using the appropriate accounts and group memberships at Local and
Domain Default Groups.
3. Right-click the selected trust, and then click Edit Claim Issuance Policy .
4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to
NOTE
If you are setting up the Dynamic Access Control scenario that uses AD FS-issued claims, first create a transform rule on
the claims provider trust, and in Incoming claim type , type the name for the incoming claim, or, if a claim description
was previously created, select it from the list. Second, in Outgoing claim type , select the claim URL that you want, and
then create a transform rule on the relying party trust to issue the device claim.
For more information about Dynamic Access Control scenarios, see Dynamic Access Control Content Roadmap or Using
AD DS Claims with AD FS.
4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules click Add Rule to start the
rule wizard.
5. On the Select Rule Template page, under Claim rule template , select Transform an Incoming
Claim from the list, and then click Next .
6. On the Configure Rule page, under Claim rule name , type the display name for this rule. In Incoming
claim type , select a claim type in the list. In Outgoing claim type , select a claim type in the list, and
then select one of the following options, depending on the requirements of your organization:
Pass through all claim values
Replace an incoming claim value with a different outgoing claim value
Replace incoming e-mail suffix claims with a new e-mail suffix
7. Click the Finish button.
8. In the Edit Claim Rules dialog box, click OK to save the rule.
6. On the Configure Rule page, under Claim rule name , type the display name for this rule. In Incoming
claim type , select a claim type in the list. In Outgoing claim type , select a claim type in the list, and
then select one of the following options, depending on the requirements of your organization:
Pass through all claim values
Replace an incoming claim value with a different outgoing claim value
Replace incoming e-mail suffix claims with a new e-mail suffix
7. Click Finish .
8. In the Edit Claim Rules dialog box, click OK to save the rule.
Additional references
Configure Claim Rules
Checklist: Creating Claim Rules for a Relying Party Trust
Checklist: Creating Claim Rules for a Claims Provider Trust
When to Use an Authorization Claim Rule
The Role of Claims
The Role of Claim Rules
Create a Rule to Send an Authentication Method
Claim
3/5/2021 • 9 minutes to read
You can use either the Send Group Membership as Claims rule template or the Transform an Incoming
Claim rule template to send an authentication method claim. The relying party can use an authentication
method claim to determine the logon mechanism that the user uses to authenticate and obtain claims from
Active Directory Federation Services (AD FS). You can also use the Authentication Mechanism Assurance feature
of Active Directory Federation Services (AD FS) in Windows Server 2012 R2 as input to generate authentication
method claims for situations in which the relying party wants to determine the level of access that is based on
smart card logons. For example, a developer can assign different levels of access to federated users of the
relying party application. The levels of access are based on whether the users log on with their user name and
password credentials, as opposed to their smart cards.
Depending on the requirements of your organization, use one of the following procedures:
Create this rule by using the Send Group Membership as Claims rule template - You can use this rule
template when you want the group that you specify in this template to ultimately determine what
authentication method claim to issue.
Create this rule by using the Transform an Incoming Claim rule template - You can use this rule
template when you want to change the existing authentication method to a new authentication method
that works with a product that does not recognize standard AD FS authentication method claims.
3. Right-click the selected trust, and then click Edit Claim Issuance Policy .
4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to
3. Right-click the selected trust, and then click Edit Claim Rules .
4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules click Add Rule to start the
rule wizard.
5. On the Select Rule Template page, under Claim rule template , select Send Group Membership as
Claim from the list, and then click Next .
6. On the Configure Rule page, type a claim rule name.
7. Click Browse , select the group whose members should receive this authentication method claim, and
then click OK .
8. In Outgoing claim type , select Authentication method in the list.
9. In Outgoing claim value , type one of the default uniform resource identifier (URI) values in the
following table, depending on your preferred authentication method, click Finish , and then click OK to
save the rule.
3. Right-click the selected trust, and then click Edit Claim Issuance Policy .
4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to
4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules click Add Rule to start the
rule wizard.
5. On the Select Rule Template page, under Claim rule template , select Transform an Incoming
Claim from the list, and then click Next .
6. On the Configure Rule page, type a claim rule name.
7. In Incoming claim type , select Authentication method in the list.
8. In Outgoing claim type , select Authentication method in the list.
9. Select Replace an incoming claim value with a different outgoing claim value , and then do the
following:
a. In Incoming claim value , type one of the following URI values that are based on the actual
authentication method URI that was used originally, click Finish , and then click OK to save the
rule.
b. In Outgoing claim value , type one of the default URI values in the following table, which
depends on your new preferred authentication method choice, click Finish , and then click OK to
save the rule.
NOTE
Other URI values can be used in addition to the values in the table. The URI values that are shown in the previous table
reflect the URIs that the relying party accepts by default.
4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust that you
are editing and in which rule set you want to create this rule, and then click Add Rule to start the rule
wizard that is associated with that rule set:
Acceptance Transform Rules
Issuance Transform Rules
Issuance Authorization Rules
Delegation Authorization Rules
5. On the Select Rule Template page, under Claim rule template , select Transform an Incoming
Claim from the list, and then click Next .
Additional references
Configure Claim Rules
Checklist: Creating Claim Rules for a Relying Party Trust
Checklist: Creating Claim Rules for a Claims Provider Trust
When to Use an Authorization Claim Rule
The Role of Claims
The Role of Claim Rules
Create a Rule to Send Claims Using a Custom Rule
6/17/2021 • 3 minutes to read
By using the Send Claims Using a Custom Rule template in Active Directory Federation Services (AD FS),
you can create custom claim rules for situations in which a standard rule template does not satisfy the
requirements of your organization. Custom claim rules are written in the claim rule language and must then be
copied into the Custom rule text box before they can be used in a rule set. For information about constructing
the syntax for an advanced rule, see The Role of the Claim Rule Language.
You can use the following procedure to create a claim rule by using the AD FS Management snap-in.
Membership in Administrators , or equivalent, on the local computer is the minimum requirement to complete
this procedure. Review details about using the appropriate accounts and group memberships at Local and
Domain Default Groups.
3. Right-click the selected trust, and then click Edit Claim Issuance Policy .
4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to
7. Click Finish .
8. In the Edit Claim Rules dialog box, click OK to save the rule.
3. Right-click the selected trust, and then click Edit Claim Rules .
4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules click Add Rule to start the
rule wizard.
5. On the Select Rule Template page, under Claim rule template , select Send Claims Using a
Custom Rule from the list, and then click Next .
6. On the Configure Rule page, under Claim rule name , type the display name for this rule. Under
Custom rule , type or paste the claim rule language syntax that you want for this rule.
7. Click Finish .
8. In the Edit Claim Rules dialog box, click OK to save the rule.
4. In the Edit Claim Rules dialog box, select one of the following tabs, depending on the trust that you
are editing and in which rule set you want to create this rule, and then click Add Rule to start the rule
wizard that is associated with that rule set:
Acceptance Transform Rules
Issuance Transform Rules
Issuance Authorization Rules
Delegation Authorization Rules
5. On the Select Rule Template page, under Claim rule template , select Send Claims Using a
Custom Rule from the list, and then click Next .
6. On the Configure Rule page, under Claim rule name , type the display name for this rule. Under
Custom rule , type or paste the claim rule language syntax that you want for this rule.
7. Click Finish .
8. In the Edit Claim Rules dialog box, click OK to save the rule.
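An added example, not from the Microsoft article, of the claim rule language text that the Send LDAP Attributes as Claims, Send Group Membership as a Claim, Transform an Incoming Claim and Pass Through or Filter an Incoming Claim templates described in the preceding sections generate, written as custom rules and applied as one issuance transform rule set. The trust name "Claims Aware App" and the UPN suffix "fabrikam.com" are placeholders; the Domain Admins group SID is looked up with the ActiveDirectory module rather than typed in.

```powershell
# Added example (not from the Microsoft article): custom claim rules that reproduce four
# of the built-in templates, applied with the ADFS module. Requires the ADFS and
# ActiveDirectory PowerShell modules on a federation server.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName = 'Claims Aware App'   # placeholder: your relying party trust display name

# The GUI template stores the group SID, not the name; look it up the same way.
$domainAdminsSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value

# Rule 1 (Send LDAP Attributes as Claims): query Active Directory with the user's Windows
# account name and emit displayName and mail as name and e-mail claims. The article's
# telephoneNumber example is one more attribute/claim-type pair in the same rule.
$ldapRule = @'
@RuleName = "Send displayName and mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";displayName,mail;{0}", param = c.Value);
'@

# Rule 2 (Send Group Membership as a Claim): exactly one Group claim with the value "Admin"
# for members of Domain Admins, matched on the group SID claim AD FS creates at logon.
$groupRule = @"
@RuleName = "Domain Admins -> Admin"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$domainAdminsSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "Admin",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Rule 3 (Transform an Incoming Claim, "replace an incoming claim value"): a Group claim
# of Admins becomes a Group claim of Purchasers, the article's own example.
$transformRule = @'
@RuleName = "Admins -> Purchasers"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Admins"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "Purchasers",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Rule 4 (Pass Through or Filter an Incoming Claim, "only claim values that match a specific
# email suffix"): forward UPN claims only when they end with @fabrikam.com (placeholder).
# The regex is anchored at both ends, so "user@fabrikam.com.attacker.example" does not pass.
$upnFilterRule = @'
@RuleName = "Pass through fabrikam.com UPNs only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^[^@]+@fabrikam\.com$"]
 => issue(claim = c);
'@

# Rules run in the order listed; a later rule can act on claims an earlier rule issued.
$ruleSet = $ldapRule + $groupRule + $transformRule + $upnFilterRule
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $ruleSet

# Verify what AD FS stored: every @RuleName line is one rule in the set.
$stored    = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$ruleNames = [regex]::Matches($stored, '@RuleName = "([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
Write-Output ("Issuance transform rules on '{0}': {1}" -f $rpName, ($ruleNames -join ', '))
```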
Additional references
Configure Claim Rules
Checklist: Creating Claim Rules for a Relying Party Trust
Checklist: Creating Claim Rules for a Claims Provider Trust
When to Use an Authorization Claim Rule
The Role of Claims
The Role of Claim Rules
Deploying Federation Servers
3/5/2021 • 2 minutes to read
To deploy federation servers in Active Directory Federation Services (AD FS), complete each of the tasks in
Checklist: Setting Up a Federation Server.
NOTE
When you use this checklist, we recommend that you first read the references to federation server planning in the AD FS
Design Guide in Windows Server 2012 before you begin the procedures for configuring the servers. Following the
checklist in this way provides a better understanding of the design and deployment process for federation servers.
NOTE
The majority of these core user interface (UI) settings are contained in the web.config file on each federation
server. The AD FS host name and AD FS identifier values are not specified in the web.config file.
Federation servers host a claims issuance engine that issues tokens based on the credentials (for example, user
name and password) that are presented to it. A security token is a cryptographically signed data unit that
expresses one or more claims. A claim is a statement that a server makes (for example, name, identity, key,
group, privilege, or capability) about a client. After the credentials are verified on the federation server (through
the user logon process), claims for the user are collected through examination of the user attributes that are
stored in the specified attribute store.
In Federated Web Single-Sign-On (SSO) designs (AD FS designs in which two or more organizations are
involved), claims can be modified by claim rules for a specific relying party. The claims are built into a token that
is sent to a federation server in the resource partner organization. After a federation server in the resource
partner receives the claims as incoming claims, it executes the claims issuance engine to run a set of claim rules
to filter, pass through, or transform those claims. The claims are then built into a new token that is sent to the
Web server in the resource partner.
In the Web SSO design (an AD FS design in which only one organization is involved), a single federation server
can be used so that employees can log on once and still access multiple applications.
Checklist: Setting Up a Federation Server
6/17/2021 • 5 minutes to read
This checklist includes the deployment tasks that are necessary to prepare a server running Windows Server®
2012 for the federation server role in Active Directory Federation Services (AD FS).
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you
complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
TASK / REFERENCE

Task: Before you begin deploying your AD FS federation servers, review (1) the advantages and disadvantages of choosing either Windows Internal Database (WID) or SQL Server to store the AD FS configuration database, and (2) the AD FS deployment topology types and their associated server placement and network layout recommendations.
Reference: Determine Your AD FS Deployment Topology; AD FS Deployment Topology Considerations

Task: Review AD FS capacity planning guidance to determine the proper number of federation servers you should use in your production environment.
Reference: Planning for Federation Server Capacity

Task: Review information in the AD FS Design Guide about where to place federation servers in your organization.
Reference: Planning Federation Server Placement; Where to Place a Federation Server

Task: Determine whether this new federation server will be created in the account partner organization or in the resource partner organization.
Reference: Review the Role of the Federation Server in the Account Partner; Review the Role of the Federation Server in the Resource Partner

Task: Review information about how federation servers use service communication certificates and token-signing certificates to securely authenticate client and federation server proxy requests. Caution: Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these certificates have no security value and can enable an attacker to impersonate the AD FS Federation Service to enterprise clients. Therefore, it is recommended that you use a fully qualified domain name (FQDN) such as https://myserver.contoso.com and only use SSL certificates issued to the FQDN of your Federation Service.
Reference: Certificate Requirements for Federation Servers

Task: Review information about how to update the corporate network Domain Name System (DNS) so that successful name resolution to federation servers can occur.
Reference: Name Resolution Requirements for Federation Servers

Task: Join the computer that will become the federation server to a domain in the account partner forest or resource partner forest where it will be used to authenticate the users of that forest or from trusting forests. Note: If you want to set up a federation server in the account partner organization, the computer must first be joined to any domain in the forest where your federation server will be used to authenticate users from that forest or from trusting forests.
Reference: Join a Computer to a Domain

Task: Create a new resource record in the corporate network DNS that points the DNS host name of the federation server to the IP address of the federation server.
Reference: Add a Host (A) Resource Record to Corporate DNS for a Federation Server

Task: (Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing token-signing certificate (on the first federation server in the farm) so that you have a file format of the certificate ready when other federation servers must import the same certificate. Exporting the private key is not required when your issued server authentication certificate can be reused by multiple computers (without the need to export) or when you will be obtaining unique server authentication certificates for each federation server in the farm. Note: The AD FS Management snap-in refers to server authentication certificates for federation servers as service communication certificates.
Reference: Export the Private Key Portion of a Server Authentication Certificate

Task: After you obtain a server authentication certificate (or private key) from a certification authority (CA), you must then import the certificate file to the default Web site for each federation server. Note: Installing this certificate on the default Web site is a requirement before you can use the AD FS Federation Server Configuration Wizard.
Reference: Import a Server Authentication Certificate to the Default Web Site

Task: (Optional) As an alternative to obtaining a server authentication certificate from a CA, you can use Internet Information Services (IIS) to create a sample certificate for your federation server. Caution: It is not a security best practice to deploy a federation server in a production environment by using a self-signed server authentication certificate.
Reference: IIS: Create a Self-Signed Server Certificate, and then complete the procedure Import a Server Authentication Certificate to the Default Web Site

Task: If you will be configuring a federation server farm environment in an account partner organization, you must create and configure a dedicated service account in Active Directory Domain Services (AD DS) where the farm will reside and configure each federation server in the farm to use this account. By performing this procedure, you will allow clients on the corporate network to authenticate to any of the federation servers in the farm using Windows Integrated Authentication.
Reference: Manually Configure a Service Account for a Federation Server Farm

Task: Install the Federation Service role service on the computer that will become the federation server.
Reference: Install the Federation Service Role Service

Task: Configure the AD FS software on the computer to act in the federation server role by using the AD FS Federation Server Configuration Wizard. Follow this procedure when you want to set up a stand-alone federation server, create the first federation server in a new farm, or join a computer to an existing federation server farm. Note: For the Federated Web Single Sign-On (SSO) design, you must have at least one federation server in the account partner organization and at least one federation server in the resource partner organization.
Reference: Create a Stand-Alone Federation Server; Create the First Federation Server in a Federation Server Farm; Add a Federation Server to a Federation Server Farm

Task: (Optional) Use the AD FS Management snap-in to add and configure the necessary AD FS certificates required to deploy your design. For more information about when to add or change certificates using the snap-in, see Certificate Requirements for Federation Servers.
Reference: Add a Token-Signing Certificate; Add a Token-Decrypting Certificate; Set a Service Communications Certificate

Task: If this is the first federation server in your organization, configure the Federation Service so that it conforms to your AD FS design.
Reference: Checklist: Configuring the Account Partner Organization; Checklist: Configuring the Resource Partner Organization

Task: From a client computer, verify that the federation server is operational.
Reference: Verify That a Federation Server Is Operational
Add a Host (A) Resource Record to Corporate DNS for a Federation Server
6/17/2021 • 2 minutes to read
For clients on the corporate network to successfully access a federation server using Windows Integrated
authentication, a host (A) resource record must first be created in the corporate Domain Name System (DNS)
that resolves the host name of the account federation server (for example, fs.fabrikam.com) to the IP address of
the federation server or federation server cluster. You can use the following procedure to add a host (A) resource
record to corporate DNS for a federation server.
Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review
details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
To add a host (A) resource record to corporate DNS for a federation server
1. On a DNS server for the corporate network, open the DNS snap-in.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Host (A or AAAA).
3. In Name, type only the computer name of the federation server or federation server cluster; for example,
for the fully qualified domain name (FQDN) fs.fabrikam.com, type fs.
4. In IP address, type the IP address for the federation server or federation server cluster, for example,
192.168.1.4.
5. Click Add Host.
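The same record can be created from the DNS server with the DnsServer module instead of the snap-in. The following
is an added example, not part of the original article; it uses the article's sample values (zone fabrikam.com,
host fs, address 192.168.1.4) and refuses to overwrite an existing record, because a stale or altered entry for the
federation service name is something to investigate rather than silently replace.

```powershell
# Added example (not from the original article): register the federation service
# host name in corporate DNS and then verify that it resolves.
# Assumes the DnsServer module (DNS Server role / RSAT) is available on this server.
# Zone, host label and address are constructed sample values from the article's scenario.
$ZoneName  = 'fabrikam.com'
$HostLabel = 'fs'            # only the host label, not the FQDN, as in step 3 above
$Address   = '192.168.1.4'
$Fqdn      = "$HostLabel.$ZoneName"

# Do not silently overwrite an existing record for the federation service name.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostLabel -RRType A -ErrorAction SilentlyContinue
if ($existing) {
    $current = ($existing.RecordData.IPv4Address | ForEach-Object { $_.IPAddressToString }) -join ', '
    throw "An A record for $Fqdn already exists ($current). Review it before changing it."
}

# Create the host (A) record with a one-hour TTL.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostLabel -IPv4Address $Address -TimeToLive (New-TimeSpan -Hours 1)

# Verify: query DNS directly (no hosts file, no cache) and compare the answer.
$answer   = Resolve-DnsName -Name $Fqdn -Type A -DnsOnly -ErrorAction Stop
$resolved = $answer | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
if ($resolved -contains $Address) {
    Write-Output "OK: $Fqdn resolves to $Address"
} else {
    Write-Warning "Unexpected answer for ${Fqdn}: $($resolved -join ', ')"
}
```

Run the verification part again from a domain-joined client before testing Windows Integrated Authentication;
a client that resolves the name to a different address will not be able to obtain a usable Kerberos ticket for the
farm.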
Additional references
Checklist: Setting Up a Federation Server
Name Resolution Requirements for Federation Servers
Manually Configure a Service Account for a Federation Server Farm
3/5/2021 • 2 minutes to read
If you intend to configure a federation server farm environment in Active Directory Federation Services (AD FS),
you must create and configure a dedicated service account in Active Directory Domain Services (AD DS) where
the farm will reside. You then configure each federation server in the farm to use this account. You must
complete the following tasks in your organization when you want to allow client computers on the corporate
network to authenticate to any of the federation servers in an AD FS farm using Windows Integrated
Authentication.
IMPORTANT
As of AD FS 3.0 (Windows Server 2012 R2), AD FS supports the use of a Group Managed Service Account (gMSA) as the
service account. This is the recommended option, as it removes the need for managing the service account password over
time. This document covers the alternate case of using a traditional service account, such as in domains still running a
Windows Server 2008 R2 or earlier domain functional level (DFL).
NOTE
You have to perform the tasks in this procedure only one time for the entire federation server farm. Later, when you
create a federation server by using the AD FS Federation Server Configuration Wizard, you must specify this same
account on the Service Account wizard page on each federation server in the farm.
NOTE
Using the Network Service account for this dedicated account will result in random failures when access is
attempted through Windows Integrated Authentication, as a result of Kerberos tickets not validating from one
server to another.
For example, in a scenario in which all federation servers are clustered under the Domain Name System
(DNS) host name fs.fabrikam.com and the service account name that is assigned to the AD FS AppPool is
named adfs2farm, type the command as follows, and then press ENTER:
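The command itself is not reproduced on this page. As an added example, not the article's own text, the following
registers the Kerberos service principal name (SPN) for the farm's host name on the dedicated service account with
the built-in setspn.exe tool, using the article's scenario names (fs.fabrikam.com, adfs2farm). The SPN form
HOST/fs.fabrikam.com is what Windows Integrated Authentication clients request for the clustered name; it is an
assumption that your farm uses the same name.

```powershell
# Added example (not from the original article): register the farm's SPN on the
# dedicated service account so that clients obtain a ticket for fs.fabrikam.com that
# every federation server in the farm can validate.
# setspn.exe switches used: -q queries for an SPN, -s adds it after checking the
# forest for duplicates, -l lists the SPNs registered on an account.
$Spn            = 'HOST/fs.fabrikam.com'   # constructed: the farm's DNS host name
$ServiceAccount = 'adfs2farm'              # constructed: the AD FS service account

# A duplicate SPN (the same name on two accounts) is exactly what makes Kerberos
# tickets fail to validate from one server to another, so check before adding.
$query = & setspn.exe -q $Spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Warning "SPN $Spn is already registered:`n$($query -join "`n")"
    Write-Warning "Confirm it is on $ServiceAccount only; do not register it a second time."
} else {
    & setspn.exe -s $Spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
}

# Confirm the account now carries the SPN.
& setspn.exe -l $ServiceAccount
```

The -s switch (rather than -a) is deliberate: it refuses to create the duplicate that the Network Service note
above warns about, whereas -a adds unconditionally.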
Now that you have properly configured a computer with the prerequisite applications and certificates, you are
ready to install the Federation Service role service of Active Directory Federation Services (AD FS). When you
install the Federation Service on a computer, that computer becomes a federation server.
NOTE
For the Federated Web Single-Sign-On (SSO) design, you must have at least one federation server in the account partner
organization and at least one federation server in the resource partner organization. For more information, see Where to
Place a Federation Server.
You can use the following procedure to install the Federation Service role service of AD FS on a computer that
will become the first federation server or on a computer that will become a federation server for an existing
federation server farm.
Prerequisites
Verify that an SSL certificate with the private key has already been installed or imported into the local certificate
store (Personal store) before you start this procedure. If you will be using a token-signing certificate that is
issued by a certification authority (CA), verify that a token-signing certificate with the private key has already
been installed or imported into the local certificate store (Personal store) before you start this procedure. As an
alternative, you can create a self-signed, token-signing certificate using the Add Roles Wizard, as described in
this procedure. For more information about token-signing certificates, see Certificate Requirements for
Federation Servers.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
To install the Federation Service role service
1. On the Start screen, type Server Manager, and then press ENTER.
2. Click Manage, and then click Add Roles and Features to start the Add Roles and Features Wizard.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Role-based or Feature-based installation, and click Next.
5. On the Select destination server page, click Select a server from the server pool, verify that the
target computer is highlighted, and then click Next.
6. On the Select server roles page, click Active Directory Federation Services, and then click Next.
NOTE
If you are prompted to install additional .NET Framework or Windows Process Activation Service features, click
Add Features to install them.
7. On the Select features page, verify that the features are set, and then click Next.
8. On the Active Directory Federation Service (AD FS) page, click Next.
9. On the Select role services page, select the Federation Service check box, and then click Next.
10. On the Web Server Role (IIS) page, click Next.
11. On the Select role services page, click Next.
12. After you verify the information on the Confirm installation selections page, select the Restart the
destination server automatically if required check box, and then click Install.
13. On the Installation progress page, verify that everything installed correctly, and then click Close.
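The prerequisite check and the role installation can also be scripted. This is an added example, not part of the
article: it verifies that an unexpired SSL certificate with its private key is in the local machine Personal store
for the federation service name (fs.fabrikam.com is the article's sample name and an assumption here), then installs
the role service with the Server Manager cmdlets. ADFS-Federation is the feature name on Windows Server 2012 R2;
confirm it with Get-WindowsFeature on other versions.

```powershell
# Added example (not from the original article): check the certificate prerequisite,
# then install the Federation Service role service without the wizard.
$FederationServiceName = 'fs.fabrikam.com'   # constructed sample name

# The SSL (service communications) certificate must be in Cert:\LocalMachine\My
# WITH its private key; a public-key-only import looks fine in the store but fails
# when the configuration wizard tries to use it.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.DnsNameList.Unicode -contains $FederationServiceName -or
         $_.Subject -like "*CN=$FederationServiceName*") -and
        $_.NotAfter -gt (Get-Date)
    }
if (-not $candidates) {
    throw "No unexpired certificate with a private key for $FederationServiceName in Cert:\LocalMachine\My"
}
$candidates | Format-Table Thumbprint, Subject, NotAfter -AutoSize

# Install the role service (Install-WindowsFeature is the ServerManager module cmdlet).
$result = Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
if (-not $result.Success) { throw 'Federation Service role service installation failed' }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Restart the server before running the configuration wizard' }
Get-WindowsFeature -Name ADFS-Federation | Format-Table Name, InstallState -AutoSize
```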
Create the First Federation Server in a Federation Server Farm
3/5/2021 • 4 minutes to read
After you install the Federation Service role service and configure the required certificates on a computer, you
are ready to configure the computer to become a federation server. You can use the following procedure to set
up the computer to become the first federation server in a new federation server farm using the AD FS
Federation Server Configuration Wizard.
The act of creating the first federation server in a farm also creates a new Federation Service and makes this
computer the primary federation server. This means that this computer will be configured with a read/write
copy of the AD FS configuration database. All other federation servers in this farm must replicate any changes
that are made on the primary federation server to their read-only copies of the AD FS configuration database
that they store locally. For more information about this replication process, see The Role of the AD FS
Configuration Database.
NOTE
For the Federated Web Single-Sign-On (SSO) design, you must have at least one federation server in the account partner
organization and at least one federation server in the resource partner organization. For more information, see Where to
Place a Federation Server.
Membership in Domain Admins, or a delegated domain account that has been granted write access to the
Program Data container in Active Directory, is the minimum required to complete this procedure.
To create the first federation server in a federation server farm
1. There are two ways to start the AD FS Federation Server Configuration Wizard. To start the wizard, do
one of the following:
After the Federation Service role service installation is complete, open the AD FS Management
snap-in and click the AD FS Federation Server Configuration Wizard link on the Overview
page or in the Actions pane.
Any time after the setup wizard is complete, open Windows Explorer, navigate to the
C:\Windows\ADFS folder, and then double-click FsConfigWizard.exe.
2. On the Welcome page, verify that Create a new Federation Service is selected, and then click Next.
3. On the Select Stand-Alone or Farm Deployment page, click New federation server farm, and
then click Next.
4. On the Specify the Federation Service Name page, verify that the SSL certificate that is showing is
correct. If this is not the correct certificate, select the appropriate certificate from the SSL certificate list.
This certificate is generated from the Secure Sockets Layer (SSL) settings for the Default Web Site. If the
Default Web Site has only one SSL certificate configured, that certificate is presented and automatically
selected for use. If multiple SSL certificates are configured for the Default Web Site, all those certificates
are listed here and you must select from among them. If there are no SSL settings configured for the
Default Web Site, the list is generated from the certificates that are available in the personal certificates
store on the local computer.
NOTE
The wizard will not allow you to override the certificate if an SSL certificate is configured for IIS. This ensures that
any intended prior IIS configuration for SSL certificates is preserved. To work around this restriction, you can
remove the certificate or reconfigure it manually with the IIS Management Console.
5. If the AD FS database that you selected already exists, the Existing AD FS Configuration Database
Detected page appears. If that page appears, click Delete database, and then click Next.
Caution
Select this option only when you are sure that the data in this AD FS database is not important or that it is
not used in a production federation server farm.
6. On the Specify a Service Account page, click Browse. In the Browse dialog box, locate the domain
account that will be used as the service account in this new federation server farm, and then click OK.
Type the password for this account, confirm it, and then click Next.
NOTE
See Manually Configure a Service Account for a Federation Server Farm for more information about specifying a
service account for a federation server farm. Each federation server in the federation server farm must specify the
same service account for the farm to be operational. For example, if the service account that was created was
contoso\ADFS2SVC, each computer that you configure for the federation server role and that will participate in
the same farm must specify contoso\ADFS2SVC at this step in the Federation Server Configuration Wizard for the
farm to be operational.
7. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next
to begin configuring AD FS with these settings.
8. On the Configuration Results page, review the results. When all the configuration steps are finished,
click Close to exit the wizard.
IMPORTANT
For secure deployment purposes, artifact resolution and reply detection are disabled when you use the AD FS
Federation Server Configuration Wizard to configure a federation server farm. This wizard automatically configures
the Windows Internal Database for storing service configuration data. You might, however, mistakenly undo this
change by enabling the Artifact Resolution endpoint using either the Endpoints node in the AD FS Management
snap-in or the Enable-ADFSEndpoint cmdlet in Windows PowerShell. Be careful to not reconfigure the default
setting so that this endpoint remains disabled when you use a federation server farm and the Windows Internal
Database together.
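A periodic check that the endpoint has stayed disabled turns the warning above into something auditable. The
following is an added example, not from the article: it uses the AD FS module's Get-AdfsEndpoint and
Disable-AdfsEndpoint cmdlets (Windows Server 2012 R2 naming; the article's Enable-ADFSEndpoint belongs to the same
family). The address-path filter is an assumption about how the artifact resolution endpoint is named; widen it if
your version lists it differently.

```powershell
# Added example (not from the original article): verify that the SAML artifact
# resolution endpoint is disabled on a farm that uses the Windows Internal Database,
# and re-disable it if it was turned on by mistake.
Import-Module ADFS -ErrorAction Stop

# Assumed: the endpoint's AddressPath contains "artifactresolution".
$artifact = Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '*artifactresolution*' }
if (-not $artifact) { throw 'No artifact resolution endpoint found; inspect Get-AdfsEndpoint output' }

foreach ($ep in $artifact) {
    if ($ep.Enabled) {
        Write-Warning "Artifact resolution is ENABLED at $($ep.FullUrl); disabling it"
        Disable-AdfsEndpoint -TargetAddressPath $ep.AddressPath
    } else {
        Write-Output "OK: artifact resolution is disabled at $($ep.FullUrl)"
    }
}

# Record the final state (Enabled = served by the farm, Proxy = published through a proxy).
Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '*artifactresolution*' } |
    Format-Table AddressPath, Enabled, Proxy -AutoSize
```

Run it on the primary federation server: endpoint settings live in the configuration database and replicate to the
read-only copies on the other farm members.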
Additional references
Checklist: Setting Up a Federation Server
Create a Stand-Alone Federation Server
6/17/2021 • 3 minutes to read
After you install the Federation Service role service and configure the required certificates on a computer, you
are ready to configure the computer to become a federation server. You can use the following procedure to set
up the computer to become a stand-alone federation server. The act of creating a stand-alone federation server
also creates a new Federation Service. You create a stand-alone federation server with the AD FS Federation Server
Configuration Wizard.
NOTE
For the Federated Web Single-Sign-On (SSO) design, you must have at least one federation server in the account partner
organization and at least one federation server in the resource partner organization. For more information, see Where to
Place a Federation Server.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To create a stand-alone federation server
1. There are two ways to start the AD FS Federation Server Configuration Wizard. To start the wizard, do
one of the following:
After the Federation Service role service installation is complete, open the AD FS Management
snap-in and click the AD FS Federation Server Configuration Wizard link on the Overview
page or in the Actions pane.
Anytime after the setup wizard is complete, open Windows Explorer, navigate to the
C:\Windows\ADFS folder, and then double-click FsConfigWizard.exe.
2. On the Welcome page, verify that Create a new Federation Service is selected, and then click Next.
3. On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and
then click Next.
IMPORTANT
When you select the Stand-alone federation server option in the AD FS Federation Server Configuration Wizard,
the service account associated with this Federation Service will automatically be assigned to the NETWORK
SERVICE account. Using NETWORK SERVICE as the service account is only recommended in situations where you
are evaluating AD FS in a test lab environment. If you intend to use the Stand-alone federation server option to
deploy a federation server in a production environment, it is important that you change this service account to a
more appropriate service account that can be dedicated to serving requests for this new Federation Service.
Changing the service account to an account other than NETWORK SERVICE will mitigate possible attack vectors
that would otherwise make your federation server vulnerable to malicious attacks.
4. On the Specify the Federation Service Name page, verify that the SSL certificate that is showing is
correct. If not, select the appropriate certificate from the SSL certificate list.
This certificate is generated from the Secure Sockets Layer (SSL) settings for the Default Web Site. If the
Default Web Site has only one SSL certificate configured, that certificate is presented and automatically
selected for use. If multiple SSL certificates are configured for the Default Web Site, all those certificates
are listed here and you must select from among them. If there are no SSL settings configured for the
Default Web Site, the list is generated from the certificates that are available in the personal certificates
store on the local computer.
NOTE
The wizard will not allow you to override the certificate if an SSL certificate is configured for IIS. This ensures that
any intended prior IIS configuration for SSL certificates is preserved. To work around this restriction, you can
remove the certificate or reconfigure it manually with the IIS Management Console.
5. If the AD FS database that you selected already exists, the Existing AD FS Configuration Database
Detected page appears. If that occurs, click Delete database, and then click Next.
Caution
Select this option only when you are sure that the data in this AD FS database is not important or that it is
not used in a production federation server farm.
6. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next
to begin configuring AD FS with these settings.
7. On the Configuration Results page, review the results. When all the configuration steps are finished,
click Close to exit the wizard.
Additional references
Checklist: Setting Up a Federation Server
Add a Federation Server to a Federation Server Farm
6/17/2021 • 2 minutes to read
After you install the Federation Service role service and configure the required certificates on a computer, you
are ready to configure the computer to become a federation server. You can use the following procedure to join
a computer to a new federation server farm.
You join a computer to a farm with the AD FS Federation Server Configuration Wizard. When you use this
wizard to join a computer to an existing farm, the computer is configured with a read-only copy of the AD FS
configuration database and it must receive updates from a primary federation server.
NOTE
For the Federated Web Single-Sign-On (SSO) design, you must have at least one federation server in the account partner
organization and at least one federation server in the resource partner organization. For more information, see Where to
Place a Federation Server.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To add a federation server to a federation server farm
1. There are two ways to start the AD FS Federation Server Configuration Wizard. To start the wizard, do
one of the following:
After the Federation Service role service installation is complete, open the AD FS Management
snap-in and click the AD FS Federation Server Configuration Wizard link on the Overview
page or in the Actions pane.
Anytime after the setup wizard is complete, open Windows Explorer, navigate to the
C:\Windows\ADFS folder, and double-click FsConfigWizard.exe.
2. On the Welcome page, verify that Add a federation server to an existing Federation Service is
selected, and then click Next.
3. If the AD FS database that you selected already exists, the Existing AD FS Configuration Database
Detected page appears. If that occurs, click Delete database, and then click Next.
Caution
Select this option only when you are sure that the data in this AD FS database is not important or that it is
not used in a production federation server farm.
4. On the Specify the Primary Federation Server and Service Account page, under Primary
federation server name, type the computer name of the primary federation server in the farm, and
then click Browse. In the Browse dialog box, locate the domain account that is used as the service
account by all other federation servers in the existing federation server farm, and then click OK. Type the
password and confirm it, and then click Next.
NOTE
For more information about specifying a service account for a federation server farm, see Manually Configure a
Service Account for a Federation Server Farm. Each federation server in the federation server farm must specify
the same service account for the farm to be operational. For example, if the service account that was created was
contoso\ADFS2SVC, each computer you configure for the federation server role and that will participate in the
same farm must specify contoso\ADFS2SVC at this step in the Federation Server Configuration Wizard for the
farm to be operational.
5. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next
to begin configuring AD FS with these settings.
6. On the Configuration Results page, review the results. When all the configuration steps are finished,
click Close to exit the wizard.
Additional references
Checklist: Setting Up a Federation Server
Add a Token-Signing Certificate
6/17/2021 • 2 minutes to read
Federation servers in Active Directory Federation Services (AD FS) require token-signing certificates to prevent
attackers from altering or counterfeiting security tokens in an attempt to gain unauthorized access to federated
resources. Every token-signing certificate contains cryptographic private keys and public keys that are used to
digitally sign (by means of the private key) a security token. Later, after these keys are received by a partner
federation server, they validate the authenticity (by means of the public key) of the encrypted security token.
Caution
Certificates used for token-signing are critical to the stability of the Federation Service. Because loss or
unplanned removal of any certificates configured for this purpose can disrupt service, you should back up any
certificates configured for this purpose.
The token-signing certificate should chain to a trusted root in the Federation Service. You can use the following
procedure to add the token-signing certificate to the AD FS Management snap-in from a file that you have
exported.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To add a token-signing certificate
1. On the Start screen, type AD FS Management, and then press ENTER.
2. In the console tree, double-click Service, and then click Certificates.
3. In the Actions pane, click the Add Token-Signing Certificate link.
4. In the Browse for Certificate file dialog box, navigate to the certificate file that you want to add, select
the certificate file, and then click Open.
Additional references
Checklist: Setting Up a Federation Server
Certificate Requirements for Federation Servers
Add a Token-Decrypting Certificate
6/17/2021 • 2 minutes to read
Federation servers use a token-decryption certificate when a relying party federation server must decrypt
tokens that are issued with an older certificate after a new certificate is set as the primary decryption certificate.
Active Directory Federation Services (AD FS) uses the Secure Sockets Layer (SSL) certificate for Internet
Information Services (IIS) as the default decryption certificate.
Caution
Certificates used for token-decrypting are critical to the stability of the Federation Service. Because loss or
unplanned removal of any certificates configured for this purpose can disrupt service, you should back up any
certificates configured for this purpose.
You can use the following procedure to add the token-decrypting certificate to the AD FS Management snap-in
from a file that you have exported.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To add a token-decrypting certificate
1. On the Start screen, type AD FS Management, and then press ENTER.
2. In the console tree, double-click Service, and then click Certificates.
3. In the Actions pane, click the Add Token-Decrypting Certificate link.
4. In the Browse for Certificate file dialog box, navigate to the certificate file that you want to add, select
the certificate file, and then click Open.
Additional references
Checklist: Setting Up a Federation Server
Certificate Requirements for Federation Servers
Set a Service Communications Certificate
6/17/2021 • 2 minutes to read
Federation servers in Active Directory Federation Services (AD FS) use the service communications certificate to
secure Web services traffic for Secure Sockets Layer (SSL) communication with Web clients or with federation
server proxies.
NOTE
The Service Communications Certificate is not the same as an SSL Certificate. To change the AD FS SSL certificate, you will
need to use PowerShell. Follow the guidance in this article.
You can use the following procedure to change the service communications certificate with the AD FS
Management snap-in.
NOTE
The AD FS Management snap-in refers to server authentication certificates for federation servers as service
communication certificates.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To set a service communications certificate
1. On the Start screen, type AD FS Management, and then press ENTER.
2. In the console tree, double-click Service, and then click Certificates.
3. In the Actions pane, click the Set Service Communications Certificate link.
4. In the Select a service communications certificate dialog box, navigate to the certificate file that you
want to set as the service communications certificate, select the certificate file, and then click Open.
Additional references
Checklist: Setting Up a Federation Server
Certificate Requirements for Federation Servers
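The three certificate procedures above (token-signing, token-decrypting, service communications) each say what a
good certificate looks like: it chains to a trusted root, it is backed up, and the private key is available. The
following added example, not from the articles, reads the configured certificates with the AD FS module's
Get-AdfsCertificate cmdlet (Windows Server 2012 R2 naming; the property names used are the ones it returns there)
and reports each one that fails a chain build, is near expiry, or lacks its private key. The 30-day warning
threshold is a constructed value.

```powershell
# Added example (not from the original articles): audit the certificates AD FS is
# using for token signing, token decrypting and service communications.
Import-Module ADFS -ErrorAction Stop

$WarnDays = 30   # constructed threshold for the expiry warning

foreach ($entry in Get-AdfsCertificate) {
    $cert  = $entry.Certificate   # X509Certificate2
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $issues = @()
    if (-not $trusted)               { $issues += "chain: $status" }
    if ($daysLeft -lt 0)             { $issues += 'EXPIRED' }
    elseif ($daysLeft -lt $WarnDays) { $issues += "expires in $daysLeft days" }
    # Signing and service communications need the private key on this server, and a
    # decrypting certificate without its private key cannot decrypt anything either.
    if (-not $cert.HasPrivateKey)    { $issues += 'no private key' }

    $role = if ($entry.IsPrimary) { 'primary' } else { 'secondary' }
    $line = '{0,-24} {1,-9} {2} {3}' -f $entry.CertificateType, $role, $cert.Thumbprint, $cert.Subject
    if ($issues) { Write-Warning "$line  [$($issues -join '; ')]" } else { Write-Output "$line  OK" }
}
```

A self-signed token-signing certificate generated by AD FS itself reports UntrustedRoot here; that is expected for
such a certificate and is exactly the case the "should chain to a trusted root" guidance above asks you to decide
about deliberately rather than discover later. Treat a secondary certificate flagged "expires in N days" as the
rollover deadline for partners that have not yet picked up the new primary.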
Verify That a Federation Server Is Operational
6/17/2021 • 2 minutes to read
You can use the following procedures to verify that a federation server is operational; that is, that any client on
the same network can reach a new federation server.
Membership in Users, Backup Operators, Power Users, Administrators or equivalent, on the local
computer is the minimum required to complete this procedure. Review details about using the appropriate
accounts and group memberships at Local and Domain Default Groups.
Procedure 1: To verify that a federation server is operational
1. To verify that Internet Information Services (IIS) is configured correctly on the federation server, log on to
a client computer that is located in the same forest as the federation server.
2. Open a browser window, in the address bar type the federation server's DNS host name, and then
append /adfs/fs/federationserverservice.asmx to it for the new federation server, for example:
https://fs1.fabrikam.com/adfs/fs/federationserverservice.asmx
3. Press ENTER, and then complete the next procedure on the federation server computer. If you see the
message There is a problem with this website's security certificate, click Continue to this
website.
The expected output is a display of XML with the service description document. If this page appears, IIS
on the federation server is operational and serving pages successfully.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
Procedure 2: To verify that a federation server is operational
1. Log on to the new federation server as an administrator.
2. On the Start screen, type Event Viewer, and then press ENTER.
3. In the details pane, double-click Applications and Services Logs, double-click AD FS Eventing, and
then click Admin.
4. In the Event ID column, look for event ID 100. If the federation server is configured properly, you see a
new event, in the Application log of Event Viewer, with the event ID 100. This event verifies that the
federation server was able to successfully communicate with the Federation Service.
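Both procedures can be scripted so the check is repeatable after every farm change. This is an added example, not
from the article: Procedure 1 fetches the service description document over HTTPS, and Procedure 2 looks for event
ID 100 in the AD FS admin log. The host name is the article's sample (fs1.fabrikam.com). The log name is an
assumption: 'AD FS/Admin' on Windows Server 2012 R2, 'AD FS 2.0/Admin' on older versions. Unlike the browser
procedure, the script does not skip the certificate check: a certificate error from a client in the forest means the
server authentication certificate is not trusted or does not match the service name, which is a finding in itself.

```powershell
# Added example (not from the original article): scripted versions of the two
# "federation server is operational" procedures.
$FederationHost = 'fs1.fabrikam.com'   # constructed sample host name
$LogName        = 'AD FS/Admin'        # assumed log name for Windows Server 2012 R2

# Procedure 1: run from a client computer in the same forest as the federation server.
function Test-FederationServiceDocument {
    param([string]$HostName)
    $url = "https://$HostName/adfs/fs/federationserverservice.asmx"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    } catch {
        # Certificate errors land here too; report them instead of bypassing them.
        Write-Warning "Request to $url failed: $($_.Exception.Message)"
        return $false
    }
    # The expected reply is the XML service description, not an HTML error page.
    $ok = ($resp.StatusCode -eq 200) -and ($resp.Content -match '<\?xml|wsdl')
    if ($ok) { Write-Output "OK: $url returned the service description" }
    else     { Write-Warning "Unexpected content from $url (status $($resp.StatusCode))" }
    return $ok
}

# Procedure 2: run on the federation server itself as an administrator.
function Test-FederationServiceEvent {
    param([string]$Log, [int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 100; StartTime = $since } -ErrorAction SilentlyContinue
    if ($events) {
        Write-Output "OK: event ID 100 logged at $($events[0].TimeCreated) in '$Log'"
        return $true
    }
    Write-Warning "No event ID 100 in '$Log' during the last $Hours hours"
    return $false
}

$null = Test-FederationServiceDocument -HostName $FederationHost
$null = Test-FederationServiceEvent -Log $LogName
```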
Additional references
Checklist: Setting Up a Federation Server
Deploying Legacy AD FS Federation Server Proxies
3/5/2021 • 2 minutes to read
To deploy federation server proxies in Active Directory Federation Services (AD FS), complete each of the tasks
in Checklist: Setting Up a Federation Server Proxy.
NOTE
When you use this checklist, we recommend that you first read the references to federation server proxy planning
guidance in the AD FS Design Guide in Windows Server 2012 before you begin the procedures for configuring the
servers. Following the checklist provides a better understanding of the design and deployment process for federation
server proxies.
NOTE
Although the federation server and the federation server proxy roles cannot be installed on the same computer, a
federation server can perform federation server proxy functions. For more information, see When to Create a Federation
Server.
The act of installing the AD FS software on a Windows Server® 2012 computer and configuring it to serve in
the proxy role makes that computer a federation server proxy.
Checklist: Setting Up a Federation Server Proxy
6/17/2021 • 3 minutes to read
This checklist includes the deployment tasks for preparing a server running Windows Server® 2012 for the
federation server proxy role in Active Directory Federation Services (AD FS).
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you
complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
TASK / REFERENCE
Task: Before you begin deploying your AD FS federation server proxies, review the AD FS deployment topology types
and their associated server placement and network layout recommendations.
References: Determine Your AD FS Deployment Topology; Planning Federation Server Proxy Placement; Where to Place a
Federation Server Proxy
Task: Review AD FS capacity planning guidance to determine the proper number of federation server proxies you
should use in your production environment.
Reference: Planning for Federation Server Proxy Capacity
Task: Determine whether a single federation server proxy or a federation server proxy farm is better for your
deployment. Note: Federation servers also perform federation server proxy responsibilities.
References: When to Create a Federation Server Proxy; When to Create a Federation Server Proxy Farm
Task: Determine whether this new federation server proxy will be created in the perimeter network of the account
partner organization or the resource partner organization.
References: Review the Role of the Federation Server Proxy in the Account Partner; Review the Role of the
Federation Server Proxy in the Resource Partner
Task: Before you install AD FS on a computer that will become a federation server proxy, read about the importance
of obtaining a server authentication certificate and, for federation server proxy farms, adding or sharing
certificates across all the servers in a farm.
Reference: Certificate Requirements for Federation Server Proxies
Task: Review information in the AD FS Design Guide about how to update Domain Name System (DNS) in the perimeter
network so that successful name resolution for federation servers and federation server proxies can occur.
Reference: Name Resolution Requirements for Federation Server Proxies
Task: Determine whether the federation server proxy must be joined to a domain. Although federation server proxies
do not have to be joined to a domain, they are easier to manage with remote administration and Group Policy
features when they are joined to a domain.
Reference: Join a Computer to a Domain
TA SK REF EREN C E
Depending on how the DNS infrastructure in your perimeter Configure Name Resolution for a Federation Server Proxy
network is configured, complete one of the procedures in in a DNS Zone That Serves Only the Perimeter Network
the topics on the right before you deploy a federation server Configure Name Resolution for a Federation Server
proxy in your organization. Note: Do not perform both Proxy in a DNS Zone That Serves Both the Perimeter
procedures. Read Name Resolution Requirements for Network and Internet Clients
Federation Server Proxies to determine which procedure
best suits the requirements of your organization.
After you obtain a server authentication certificate, you Import a Server Authentication Certificate to the Default
must install it in Internet Information Services (IIS) on the Web Site
default Web site of the federation server proxy.
Install the Federation Service Proxy role service on the Install the Federation Service Proxy Role Service
computer that will become the federation server proxy.
Configure the AD FS software on the computer to act in the Configure a Computer for the Federation Server Proxy
federation server proxy role by using the AD FS Federation Role
Server Proxy Configuration Wizard.
Using Event Viewer, verify that the federation server proxy Verify That a Federation Server Proxy Is Operational
service has started.
Join a Computer to a Domain
6/17/2021 • 2 minutes to read
For Active Directory Federation Services (AD FS) to function, each computer that functions as a federation
server must be joined to a domain. Federation server proxies may be joined to a domain, but this is not a
requirement.
You do not have to join a Web server to a domain if the Web server is hosting claims-aware applications only.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
To join a computer to a domain
1. On the Start screen, type Control Panel, and then press ENTER.
2. Navigate to System and Security, and then click System.
3. Under Computer name, domain, and workgroup settings, click Change settings.
4. On the Computer Name tab, click Change.
5. Under Member of, click Domain, type the name of the domain that you wish this computer to join, and then click OK.
6. Click OK, and then restart the computer.
Additional references
Checklist: Setting Up a Federation Server
Checklist: Setting Up a Federation Server Proxy
Configure Name Resolution for a Federation Server
Proxy in a DNS Zone That Serves Only the
Perimeter Network
6/17/2021 • 3 minutes to read
So that name resolution can work successfully for a federation server in an Active Directory Federation Services
(AD FS) scenario in which one or more Domain Name System (DNS) zones serve only the perimeter network,
the following tasks must be completed:
The hosts file on the federation server proxy must be updated to add the IP address of a federation
server.
DNS in the perimeter network must be configured to resolve all client requests for the AD FS host name
to the federation server proxy. To do this, you add a host (A) resource record to perimeter DNS for the
federation server proxy.
NOTE
These procedures assume that a host (A) resource record for the federation server has already been created in the
corporate network DNS. If this record does not yet exist, create this record, and then perform these procedures. For more
information about how to create the host (A) resource record for the federation server, see Add a Host (A) Resource
Record to Corporate DNS for a Federation Server.
NOTE
It is assumed that you are using a DNS server, running Windows 2000 Server, Windows Server 2003, or Windows
Server 2008 with the DNS Server service, to control the perimeter DNS zone.
Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
To add a host (A) resource record to perimeter DNS for a federation server proxy
1. On a DNS server for the perimeter network, open the DNS snap-in. Click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Host (A or AAAA).
3. In Name, type only the computer name of the federation server. For example, for the fully qualified domain name (FQDN) fs.fabrikam.com, type fs.
4. In IP address, type the IP address for the new federation server proxy, for example, 131.107.27.68.
5. Click Add Host.
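The two name-resolution tasks above (the hosts file entry on the proxy and the host (A) record in perimeter DNS), as an added Windows PowerShell example that is not part of the original topic. The host name fs.fabrikam.com and the address 131.107.27.68 are taken from the procedure; the internal federation server address 10.0.0.10 is a constructed placeholder. Each function is run on the computer named in its comment.

```powershell
# Added example (not from the original topic). Replace the placeholder names
# and addresses with your own before use.

# --- Run on the federation server proxy: pin the internal federation server
# address in the hosts file so that the proxy does not resolve the AD FS host
# name to itself through perimeter DNS.
function Add-HostsEntry {
    param(
        [Parameter(Mandatory)][string]$HostName,    # e.g. fs.fabrikam.com
        [Parameter(Mandatory)][string]$IPAddress,   # internal address of the federation server
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    # Ignore comment lines and match on the host-name token, so a stale entry
    # for the same name is caught even when its address differs.
    $existing = Get-Content $HostsPath | Where-Object {
        $_ -notmatch '^\s*#' -and (($_ -split '\s+') -contains $HostName)
    }
    if ($existing) {
        Write-Warning "hosts already maps ${HostName}:`n$($existing -join "`n")"
        return $false
    }
    Add-Content -Path $HostsPath -Value "$IPAddress`t$HostName"
    return $true
}

# --- Run on a DNS server for the perimeter zone: add the host (A) record that
# points external clients at the proxy. dnscmd.exe exists on the Windows Server
# versions the topic lists. The zone is the FQDN minus the host label.
function Add-PerimeterProxyRecord {
    param(
        [Parameter(Mandatory)][string]$ZoneName,       # e.g. fabrikam.com
        [Parameter(Mandatory)][string]$HostLabel,      # e.g. fs (not the FQDN)
        [Parameter(Mandatory)][string]$ProxyIPAddress  # e.g. 131.107.27.68
    )
    & dnscmd.exe /RecordAdd $ZoneName $HostLabel A $ProxyIPAddress
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }
}

# --- Verification: System.Net.Dns uses the OS resolver, so on the proxy the
# hosts entry must win (internal address); from an Internet client the same
# name must return the proxy's address.
function Test-NameResolution {
    param([string]$HostName, [string]$ExpectedIPAddress)
    $resolved = [System.Net.Dns]::GetHostAddresses($HostName) |
        ForEach-Object { $_.IPAddressToString }
    return ($resolved -contains $ExpectedIPAddress)
}

# On the proxy (10.0.0.10 is a constructed internal address):
Add-HostsEntry -HostName 'fs.fabrikam.com' -IPAddress '10.0.0.10'
Test-NameResolution -HostName 'fs.fabrikam.com' -ExpectedIPAddress '10.0.0.10'

# On the perimeter DNS server:
# Add-PerimeterProxyRecord -ZoneName 'fabrikam.com' -HostLabel 'fs' -ProxyIPAddress '131.107.27.68'
```

Running Test-NameResolution on the proxy and again from an Internet client is the quickest way to confirm that the two resolvers return different addresses for the same name, which is what this topology depends on.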
Additional references
Checklist: Setting Up a Federation Server Proxy
Name Resolution Requirements for Federation Server Proxies
Export the Private Key Portion of a Server
Authentication Certificate
6/17/2021 • 2 minutes to read
Every federation server in an Active Directory Federation Services (AD FS) farm must have access to the private
key of the server authentication certificate. If you are implementing a server farm of federation servers or Web
servers, you must have a single authentication certificate. This certificate must be issued by an enterprise
certification authority (CA), and it must have an exportable private key. The private key of the server
authentication certificate must be exportable so that it can be made available to all the servers in the farm.
This same concept is true of federation server proxy farms in the sense that all federation server proxies in a
farm must share the private key portion of the same server authentication certificate.
NOTE
The AD FS Management snap-in refers to server authentication certificates for federation servers as service
communication certificates.
Depending on which role this computer will play, use this procedure on the federation server computer or
federation server proxy computer where you installed the server authentication certificate with the private key.
When you finish the procedure, you can then import this certificate on the Default Web Site of each server in
the farm. For more information, see Import a Server Authentication Certificate to the Default Web Site.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
To export the private key portion of a server authentication certificate
1. On the Start screen, type Internet Information Services (IIS) Manager, and then press ENTER.
2. In the console tree, click ComputerName.
3. In the center pane, double-click Server Certificates.
4. In the center pane, right-click the certificate that you want to export, and then click Export.
5. In the Export Certificate dialog box, click the … button.
6. In File name, type C:\NameofCertificate, and then click Open.
7. Type a password for the certificate, confirm it, and then click OK.
8. Validate the success of your export by confirming that the file you specified is created at the specified location.
IMPORTANT
So that this certificate can be imported to the local certificate store on the new server, you must transfer the file
to physical media and protect its security during transport to the new server. It is extremely important to guard
the security of the private key. If this key is compromised, the security of your entire AD FS deployment (including
resources within your organization and in resource partner organizations) is compromised.
9. Import the exported server authentication certificate into the certificate store on the new server before
you install the Federation Service. For information about how to import the certificate, see Import a
Server Certificate (http://go.microsoft.com/fwlink/?LinkId=108283).
Additional references
Checklist: Setting Up a Federation Server
Checklist: Setting Up a Federation Server Proxy
Certificate Requirements for Federation Servers
Certificate Requirements for Federation Server Proxies
Import a Server Authentication Certificate to the
Default Web Site
6/17/2021 • 2 minutes to read
After you obtain a server authentication certificate from a certification authority (CA), you must manually install
that certificate on the Default Web Site for each federation server or federation server proxy in a server farm.
For Web servers, you must manually install the server authentication certificate on the appropriate Web site or
virtual directory where your federated application resides.
If you are setting up a farm, be sure to perform this procedure identically—using the exact same settings—on
each of the servers in your farm.
NOTE
The AD FS Management snap-in refers to server authentication certificates for federation servers as service
communication certificates.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
To import a server authentication certificate to the Default Web Site
1. On the Start screen, type Internet Information Services (IIS) Manager, and then press ENTER.
2. In the console tree, click ComputerName.
3. In the center pane, double-click Server Certificates.
4. In the Actions pane, click Import.
5. In the Import Certificate dialog box, click the … button.
6. Browse to the location of the pfx certificate file, highlight it, and then click Open.
7. Type a password for the certificate, and then click OK.
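The export procedure in the previous topic and the import procedure above, as one added Windows PowerShell example that is not part of the original topics. It uses the PKI and WebAdministration modules that ship with Windows Server 2012; the thumbprint, file path and site name are placeholders. Because the .pfx holds the farm's shared private key, the export function returns a SHA-256 hash of the file so that the copy can be verified after it has crossed physical media, and the import deliberately leaves the key non-exportable on the farm member.

```powershell
# Added example (not from the original topics). Placeholder values must be
# replaced with your own thumbprint, path and site name.
Import-Module PKI
Import-Module WebAdministration

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

# --- On the server where the certificate was enrolled ---
function Export-ServerAuthCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }
    # Fails here if the CA template did not allow an exportable key, instead of
    # silently producing a .pfx that the farm members cannot use.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    if (-not (Test-Path $PfxPath)) { throw "Export did not produce $PfxPath" }
    # Record this hash; compare it on the destination before importing.
    return Get-Sha256Hex $PfxPath
}

# --- On each federation server proxy (or federation server) in the farm ---
function Import-ServerAuthCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$SiteName = 'Default Web Site'
    )
    if ((Get-Sha256Hex $PfxPath) -ne $ExpectedSha256.ToUpper()) {
        throw "$PfxPath does not match the hash recorded at export time"
    }
    # No -Exportable: the farm member's copy of the key cannot be exported again.
    $cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password
    # The proxy configuration wizard needs an SSL binding on the Default Web Site.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443
    }
    $sslPath = 'IIS:\SslBindings\0.0.0.0!443'
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    $cert | New-Item $sslPath | Out-Null
    # Remove the transport copy once the key is in the store.
    Remove-Item $PfxPath
    return $cert.Thumbprint
}

# Usage (placeholders): export on the source, then import on each farm member.
# $pwd  = Read-Host -AsSecureString 'PFX password'
# $hash = Export-ServerAuthCertificate -Thumbprint '<THUMBPRINT>' -PfxPath 'C:\NameofCertificate.pfx' -Password $pwd
# Import-ServerAuthCertificate -PfxPath 'D:\NameofCertificate.pfx' -ExpectedSha256 $hash -Password $pwd
```

Prompting for the password with Read-Host -AsSecureString keeps it out of the command history, and checking the hash before import catches a file that was altered or corrupted while it was on removable media.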
Additional references
Checklist: Setting Up a Federation Server
Checklist: Setting Up a Federation Server Proxy
Certificate Requirements for Federation Servers
Certificate Requirements for Federation Server Proxies
Install the Federation Service Proxy Role Service
6/17/2021 • 2 minutes to read
After you configure a computer with the prerequisite applications and certificates, you are ready to install the
Federation Service Proxy role service of Active Directory Federation Services (AD FS). You can use the following
procedure to install the Federation Service Proxy role service. When you install the Federation Service Proxy
role service on a computer, that computer becomes a federation server proxy.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
To install the Federation Service Proxy role service using the Server Manager
1. On the Start screen, type Server Manager, and then press ENTER.
2. Click Manage, and then click Add Roles and Features to start the Add Roles and Features Wizard.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Role-based or Feature-based installation, and click Next.
5. On the Select destination server page, click Select a server from the server pool, verify that the target computer is highlighted, and then click Next.
6. On the Select server roles page, click Remote Access, and then click Next.
NOTE
If you are prompted to install additional .NET Framework or Windows Process Activation Service features, click Add Features to install them.
7. On the Select role services page, select the Federation Service Proxy check box, and then click Next.
8. After you verify the information on the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
9. On the Installation progress page, verify that everything installed correctly, and then click Close.
To install the Federation Service Proxy role service using PowerShell
1. Open Windows PowerShell (Run as Administrator).
2. Type the following command and press Enter:
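As an added Windows PowerShell example, not the topic's own command, the following installs the role service with the Server Manager cmdlets and checks the result. The feature name ADFS-Proxy is an assumption for Windows Server 2012; the function lists the AD FS feature names the server actually reports if that name is not found, so confirm it there before relying on it.

```powershell
# Added example (not the topic's own command). ADFS-Proxy is the assumed
# Windows Server 2012 feature name for the Federation Service Proxy role service.
Import-Module ServerManager

function Install-FederationServiceProxy {
    param([string]$FeatureName = 'ADFS-Proxy')

    $feature = Get-WindowsFeature -Name $FeatureName -ErrorAction SilentlyContinue
    if (-not $feature) {
        # Show what this server calls the AD FS features, then stop.
        Get-WindowsFeature -Name 'ADFS*' | Format-Table Name, DisplayName, InstallState -AutoSize
        throw "Feature '$FeatureName' not found; use one of the names listed above"
    }
    if ($feature.Installed) {
        Write-Host "$FeatureName is already installed"
        return $feature
    }

    $result = Install-WindowsFeature -Name $FeatureName
    if (-not $result.Success) {
        throw "Installation of $FeatureName failed (exit code $($result.ExitCode))"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'Restart the computer before running the proxy configuration wizard'
    }
    # Re-read the feature so the caller gets the post-install state.
    return Get-WindowsFeature -Name $FeatureName
}

Install-FederationServiceProxy
```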
Additional references
Checklist: Setting Up a Federation Server
Checklist: Setting Up a Federation Server Proxy
Configure a Computer for the Federation Server
Proxy Role
6/17/2021 • 5 minutes to read
After you configure a computer with the required certificates and have installed the Federation Service Proxy
role service, you are ready to configure the computer to become a federation server proxy. You can use the
following procedure so that the computer acts in the federation server proxy role.
IMPORTANT
Before you use this procedure to configure the federation server proxy computer, make sure that you have followed all
the steps in Checklist: Setting Up a Federation Server Proxy in the order that they are listed. Make sure that at least one
federation server is deployed and that all the necessary credentials for authorizing a federation server proxy configuration
are implemented. You must also configure Secure Sockets Layer (SSL) bindings on the Default Web Site, or this wizard will
not start. All these tasks must be completed before this federation server proxy can function.
After you finish setting up the computer, verify that the federation server proxy is working as expected. For more
information, see Verify That a Federation Server Proxy Is Operational.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
To configure a computer for the federation server proxy role
1. There are two ways to start the AD FS Federation Server Proxy Configuration Wizard. To start the wizard, do one of the following:
On the Start screen, type AD FS Federation Server Proxy Configuration Wizard, and then press ENTER.
Anytime after the setup wizard is complete, open Windows Explorer, navigate to the C:\Windows\ADFS folder, and then double-click FspConfigWizard.exe.
2. Using either method, start the wizard, and on the Welcome page, click Next.
3. On the Specify Federation Service Name page, under Federation Service name, type the name that represents the Federation Service for which this computer will act in the proxy role.
4. Based on your specific network requirements, determine whether you will need to use an HTTP proxy server to forward requests to the Federation Service. If so, select the Use an HTTP proxy server when sending requests to this Federation Service check box, under HTTP proxy server address type the address of the proxy server, click Test Connection to verify connectivity, and then click Next.
5. When you are prompted, specify the credentials that are necessary to establish a trust between this federation server proxy and the Federation Service.
By default, only the service account used by the Federation Service or a member of the local BUILTIN\Administrators group can authorize a federation server proxy.
6. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring this computer with these proxy settings.
7. On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.
There is no Microsoft Management Console (MMC) snap-in to use for administering federation server proxies. To configure settings for each of the federation server proxies in your organization, use Windows PowerShell cmdlets.
NOTE
If you intend to initially deploy AD FS to operate under alternate TCP/IP ports, you should first modify ports in your IIS
protocol bindings for HTTP and HTTPS on both the federation server and federation server proxy computers. This should
occur before you run the AD FS configuration wizards for initial configuration. If you configure Internet Information
Services (IIS) first, your alternate TCP/IP port settings are discovered when wizard-based configuration occurs within AD
FS, and the following procedure is not necessary. If you want to change the port settings later, update IIS protocol
bindings first, and then use the following procedure to update port settings appropriately. For more information about
editing IIS bindings, see article 149605 in the Microsoft Knowledge Base.
To configure alternate TCP/IP ports for the federation server proxy to use
1. Configure the federation server to use the nondefault ports.
To do this, specify the nondefault port number by including it with the HttpsPort and HttpPort options as part of the Set-ADFSProperties cmdlet. For example, to configure these ports, use the following commands in the Windows PowerShell session on the federation server computer:
NOTE
Endpoint URLs are not enabled by default for the federation server proxy service. If you are configuring a new federation server installation, you must enable federation server proxy service endpoints first. For example, it is assumed that you have enabled, for proxy, all the endpoints that the example in this procedure refers to, by selecting them in the AD FS Management snap-in and then selecting Enable on proxy.
3. Update the IIS installation at the federation server proxy so that Security Assertion Markup Language (SAML) and WS-Trust endpoints are configured to reflect the updated port number. To do this, you can use Notepad to modify the following in the Web.config file, which is located at %systemdrive%\inetpub\adfs\ls\ on the federation server proxy computer. For example, assuming that you have a federation server named sts1.contoso.com and the new port number is 444, browse to and open the Web.config file in Notepad on the federation server proxy computer, locate the following section, modify the port number as highlighted below, and then save and exit Notepad.
<securityTokenService
    samlProtocolEndpoint="https://sts1.contoso.com:444/adfs/services/trust/samlprotocol/proxycertificatetransport"
    wsTrustEndpoint="https://sts1.contoso.com:444/adfs/services/trust/proxycertificatetransport" />
4. Add the federation server proxy service user account to the access control list (ACL) for the related endpoint URLs. For example, if the port number is 1234 and the user account that the AD FS federation server proxy service runs under is the built-in Network Service account, type the following command at a command prompt:
The previous commands must be run on both the federation server and the federation server proxy computers.
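The port changes that steps 1, 3 and 4 describe, as an added Windows PowerShell example rather than the topic's own commands. The HttpPort and HttpsPort parameter names and the Web.config location come from the procedure; the exact urlacl prefix and the service account are assumptions to check against your deployment, and port 444 from the Web.config example is used throughout.

```powershell
# Added example (not the topic's own commands). Each function is run on the
# computer named in its comment. Port 444 is the example port from the topic.

# Step 1 (on the federation server): tell the Federation Service about the ports.
function Set-FederationServicePorts {
    param([int]$HttpPort = 80, [int]$HttpsPort = 444)
    Set-ADFSProperties -HttpPort $HttpPort -HttpsPort $HttpsPort
    $props = Get-ADFSProperties
    if ($props.HttpsPort -ne $HttpsPort) {
        throw "HttpsPort is $($props.HttpsPort), expected $HttpsPort"
    }
    return $props
}

# Step 3 (on the federation server proxy): rewrite the port in the SAML and
# WS-Trust endpoint URLs of Web.config, keeping a backup copy first.
function Update-ProxyEndpointPorts {
    param(
        [int]$NewPort = 444,
        [string]$WebConfigPath = "$env:SystemDrive\inetpub\adfs\ls\Web.config"
    )
    Copy-Item $WebConfigPath "$WebConfigPath.bak" -Force
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($WebConfigPath)
    # local-name() keeps the lookup independent of any XML namespace in the file.
    $sts = $xml.SelectSingleNode("//*[local-name()='securityTokenService']")
    if (-not $sts) { throw "securityTokenService element not found in $WebConfigPath" }
    $changed = @{}
    foreach ($attr in 'samlProtocolEndpoint', 'wsTrustEndpoint') {
        # UriBuilder changes only the port; host, scheme and path stay as they were.
        $builder = New-Object System.UriBuilder -ArgumentList $sts.GetAttribute($attr)
        $builder.Port = $NewPort
        $sts.SetAttribute($attr, $builder.Uri.AbsoluteUri)
        $changed[$attr] = $builder.Uri.AbsoluteUri
    }
    $xml.Save($WebConfigPath)
    return $changed
}

# Step 4 (on both computers): let the service account listen on the new port.
# The URL prefix https://+:<port>/adfs/ is an assumption for this example.
function Grant-EndpointUrlAcl {
    param([int]$Port = 444, [string]$Account = 'NT AUTHORITY\NETWORK SERVICE')
    $url = "https://+:$Port/adfs/"
    & netsh.exe http add urlacl url=$url user="$Account"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    # Read the reservation back so the change is visible in the run output.
    return (& netsh.exe http show urlacl url=$url)
}
```

Keeping the .bak copy of Web.config makes it straightforward to revert if the proxy service fails to start after the change; the event ID 198 check in the next topic is the confirmation that it did start.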
Additional references
Checklist: Setting Up a Federation Server Proxy
Verify That a Federation Server Proxy Is Operational
6/17/2021 • 2 minutes to read
You can use the following procedure to verify that the federation server proxy can communicate with the
Federation Service in Active Directory Federation Services (AD FS). You run this procedure after you run the AD
FS Federation Ser ver Proxy Configuration Wizard to configure the computer to run in the federation
server proxy role. For more information about how to run this wizard, see Configure a Computer for the
Federation Server Proxy Role.
IMPORTANT
The result of this test is the successful generation of a specific event in Event Viewer on the federation server proxy
computer.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
To verify that a federation server proxy is operational
1. Log on to the federation server proxy as an administrator.
2. On the Start screen, type Event Viewer, and then press ENTER.
3. In the details pane, double-click Applications and Services Logs, double-click AD FS Eventing, and then click Admin.
4. In the Event ID column, look for event ID 198.
If the federation server proxy is configured properly, you see a new event in the Application log of Event Viewer, with the event ID 198. This event verifies that the federation server proxy service was started successfully and now is online.
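The same check scripted with Get-WinEvent, as an added Windows PowerShell example that is not part of the original topic. The channel name 'AD FS/Admin' is an assumption; the first function lists the AD FS channels that exist on the computer so that the right name can be confirmed before the check is automated.

```powershell
# Added example (not from the original topic). 'AD FS/Admin' is the assumed
# channel name for the Admin log shown under AD FS Eventing in Event Viewer.

function Get-AdfsEventLogNames {
    Get-WinEvent -ListLog 'AD FS*' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LogName
}

# Returns $true when event ID 198 was logged within the time window.
function Test-FederationServerProxyStarted {
    param(
        [string]$LogName = 'AD FS/Admin',
        [int]$EventId = 198,
        [int]$WithinHours = 24
    )
    $filter = @{
        LogName   = $LogName
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$WithinHours)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as $false.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    return [bool]$events
}

# Triage helper: Error-level entries (Level 2) in the same window usually
# explain a missing event 198 (certificate, trust or port problems).
function Get-RecentAdfsErrors {
    param([string]$LogName = 'AD FS/Admin', [int]$WithinHours = 24)
    $filter = @{ LogName = $LogName; Level = 2; StartTime = (Get-Date).AddHours(-$WithinHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-AdfsEventLogNames
if (Test-FederationServerProxyStarted) {
    Write-Host 'Federation server proxy service started (event 198 found)'
} else {
    Write-Warning 'Event 198 not found; recent errors follow'
    Get-RecentAdfsErrors
}
```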
Additional references
Checklist: Setting Up a Federation Server Proxy
Configure Performance Monitoring
3/5/2021 • 3 minutes to read
AD FS includes its own dedicated performance counters to help you monitor the performance of both federation
servers and federation server proxy computers. To use Performance Monitor to monitor the performance of
your AD FS servers, it's useful to create a new data collector set and add the AD FS counters to that view. The
following procedure describes how to configure performance monitoring for AD FS.
To configure performance monitoring for AD FS using Performance Monitor
1. On the Start screen, type Performance Monitor, and then press ENTER.
2. In the console tree, expand Data Collector Sets, right-click User Defined, point to New, and then click Data Collector Set.
The Create New Data Collector Set Wizard appears.
3. In Create New Data Collector Set, for Name type a name for the new data collector set (such as "AD FS performance"), click Create manually (Advanced), and then click Next.
4. For the type of data to include, verify that Create data logs is selected, and then click the check boxes for the following data types: Performance counter, Event trace data, System configuration information.
5. For performance counters, expand AD FS in the Available counters list, and then click Add.
The AD FS performance counters should appear in the Added counters list.
6. When you are prompted to add event trace providers, click Add, and then select AD FS Eventing and AD FS Tracing from the list of providers.
7. When you are prompted to add registry keys to monitor, click Next.
8. When you are prompted to specify the location to save the performance data, you can accept the default location (%systemdrive%\PerfLogs\Admin\<data_collector_set>), and then click Next.
9. When you are prompted to create the data collector set, select Save and close, and then click Finish.
The new data collector set appears in the console tree under the User Defined node.
10. Use the following steps to work with the AD FS performance counters:
To begin performance monitoring using AD FS-related counters, right-click the data collector set that you added (such as "AD FS performance"), and then click Start.
To create a report to view the performance monitoring results, right-click the data collector set that you added (such as "AD FS performance"), and then click Latest Report.
To end a capture of performance data so that you can view the latest report, right-click the data collector set that you added (such as "AD FS performance"), and then click Stop.
The latest report is added and numbered automatically (starting at 000001) under the Report\User Defined\<data_collector_set> node in the console tree.
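The counter part of the data collector set above, created with logman.exe, together with a live sample of the proxy MEX counters from the table that follows, as an added Windows PowerShell example that is not part of the original topic. The counter set name AD FS comes from step 5; the individual counter paths are discovered at run time rather than assumed, and the output path and interval are placeholders.

```powershell
# Added example (not from the original topic). Counter paths are read from the
# 'AD FS' counter set on this computer rather than hard-coded.

function Get-AdfsCounterPaths {
    $set = Get-Counter -ListSet 'AD FS' -ErrorAction SilentlyContinue
    if (-not $set) { throw "Counter set 'AD FS' not found; is the AD FS role installed?" }
    return $set.Paths
}

# Equivalent of steps 2 to 5 and 9 for the performance-counter part of the set:
# a circular binary log of every AD FS counter, started immediately.
function New-AdfsCollectorSet {
    param(
        [string]$Name = 'AD FS performance',
        [int]$IntervalSeconds = 15,
        [string]$OutputPath = "$env:SystemDrive\PerfLogs\Admin\ADFSperformance"
    )
    $interval = [TimeSpan]::FromSeconds($IntervalSeconds).ToString()   # hh:mm:ss
    & logman.exe create counter $Name -c '\AD FS\*' -si $interval -o $OutputPath -f bincirc -max 256
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
    & logman.exe start $Name
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
    return (& logman.exe query $Name)
}

# Live view of the two proxy MEX counters: one row per sample per counter, which
# is enough to see whether metadata requests are arriving at the proxy at all.
function Get-ProxyMexLoad {
    param([int]$Samples = 4, [int]$IntervalSeconds = 5)
    $paths = @(Get-AdfsCounterPaths | Where-Object { $_ -like '*Proxy MEX Requests*' })
    if ($paths.Count -eq 0) { throw 'No Proxy MEX Requests counters in the AD FS counter set' }
    $data = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    foreach ($sample in $data) {
        foreach ($cs in $sample.CounterSamples) {
            New-Object PSObject -Property @{
                Time    = $sample.Timestamp
                Counter = $cs.Path
                Value   = $cs.CookedValue
            }
        }
    }
}

Get-ProxyMexLoad | Format-Table Time, Counter, Value -AutoSize
```

Start the collector set with New-AdfsCollectorSet on a proxy before a load test or a partner onboarding, and stop it with logman stop "AD FS performance" to produce the report that step 10 describes.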
AD FS performance counters
The following table lists the AD FS performance counters and describes how they are useful for monitoring
activity that relates to either a federation server or federation server proxy.
Counter: Proxy MEX Requests
Description: Monitors the number of incoming WS-Metadata Exchange (MEX) requests that are sent to the federation server proxy.
Applies to: Federation Server Proxies

Counter: Proxy MEX Requests/sec
Description: Monitors the number of incoming MEX requests per second that are sent to the federation server proxy.
Applies to: Federation Server Proxies
Interoperating with AD FS 1.x
6/17/2021 • 2 minutes to read
For interoperability between Active Directory Federation Services (AD FS) in Windows Server® 2012 and
AD FS 1.x, complete one or more of the following tasks, depending on the needs of your organization:
Plan for interoperability between AD FS in Windows Server 2012 and previous versions of AD FS, and
learn more about the Name ID claim type. For more information, see Planning for Interoperability with
AD FS 1.x.
If you will be sending claims from an AD FS Federation Service in Windows Server 2012 that can be
consumed by an AD FS 1.x Federation Service, see Checklist: Configuring AD FS to Send Claims to an AD
FS 1.x Federation Service.
If you will be sending claims from an AD FS Federation Service in Windows Server 2012 that can be
consumed by an application that is hosted by a Web server running the AD FS 1.x claims-aware Web
agent, see Checklist: Configuring AD FS to Send Claims to an AD FS 1.x Claims-Aware Web Agent.
If you will be sending claims from an AD FS 1.x Federation Service to be consumed by an AD FS Federation Service in Windows Server 2012, see Checklist: Configuring AD FS to Consume Claims from AD FS 1.x.
See Also
AD FS and AD FS 1.x Interoperability
Checklist: Configuring AD FS to Consume Claims
from AD FS 1.x
3/5/2021 • 2 minutes to read
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you
complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
Task: Plan for interoperability between AD FS in Windows Server 2012 and previous versions of AD FS, and learn more about the Name ID claim type.
Reference: Planning for Interoperability with AD FS 1.x

Task: Before you can interoperate with a previous version of AD FS, you must first create a claims provider trust in the AD FS Federation Service. Note: You cannot create a trust with an AD FS 1.x Federation Service by using federation metadata.
Reference: Create a Claims Provider Trust Manually
When you set up the trust using the procedure in the reference topic, you must do the following in the Add Claims Provider Trust Wizard to set up this trust to interoperate with an AD FS 1.x Federation Service:
1. On the Select Data Source page, select Enter data about the relying party trust manually.
2. On the Choose Profile page, select AD FS 1.0 and 1.1 profile.
3. On the Configure URL page, under WS-Federation Passive URL, type the Federation Service endpoint URL as defined in the AD FS 1.x Federation Service of the partner.
4. On the Configure Identifiers page, under Claims provider trust identifier, type the Federation Service URI as defined in the AD FS 1.x Federation Service of the partner.

Task: On the claims provider trust that you created earlier, you must create a claim rule that will take claims that are incoming from the AD FS 1.x Federation Service and pass through, filter, or transform them into a Name ID claim type. When the Name ID claim type has been passed through, filtered, or transformed, it can be used as input to another rule or rules so that it can be understood and consumed by the AD FS Federation Service in Windows Server 2012.
Reference: Create a Rule to Send an AD FS 1.x Compatible Claim
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
Task: Plan for interoperability between AD FS in Windows Server 2012 and previous versions of AD FS, and learn more about the Name ID claim type.
Reference: Planning for Interoperability with AD FS 1.x

Task: Before you can achieve interoperability with a previous version of AD FS, you must first create a relying party trust in the AD FS Federation Service to the AD FS 1.x Federation Service. Note: You cannot create a trust with an AD FS 1.x Federation Service by using federation metadata.
Reference: Create a Relying Party Trust Manually
When you set up the trust using the procedure in the reference topic, you must do the following in the Add Relying Party Trust Wizard to set up this trust to interoperate with an AD FS 1.x Federation Service:
1. On the Select Data Source page, select Enter data about the relying party trust manually.
2. On the Choose Profile page, select AD FS 1.0 and 1.1 profile.
3. On the Configure URL page, under WS-Federation Passive URL, type the Federation Service endpoint URL as defined in the AD FS 1.x Federation Service of the partner.
4. On the Configure Identifiers page, under Relying party trust identifier, type the Federation Service URI as defined in the AD FS 1.x Federation Service of the partner.

Task: On the relying party trust that you created earlier, you must create claim rules that will take incoming claims that were extracted from an attribute store and pass through, filter, or transform them into a Name ID claim type that can be understood and consumed by the AD FS 1.x Federation Service. Note: Before you create this rule, make sure that the claim rule set where you are creating this rule has a rule that comes before it that first extracts a Lightweight Directory Access Protocol (LDAP) attribute claim from an attribute store. This claim will be used as input to the rule that you create to send an AD FS 1.x-compatible claim. For more information about how to create a rule to extract an LDAP attribute, see Create a Rule to Send LDAP Attributes as Claims.
Reference: Create a Rule to Send an AD FS 1.x Compatible Claim
NOTE
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you
complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
TASK / REFERENCE
Task: Plan for interoperability between AD FS in Windows Server 2012 and previous versions of AD FS and learn more about the Name ID claim type.
Reference: Planning for Interoperability with AD FS 1.x
Task: If you have not already done so, use the referenced checklist to first create a relying party trust between the AD FS Federation Service in Windows Server 2012 and the AD FS 1.x Federation Service.
Reference: Checklist: Configuring AD FS to Send Claims to an AD FS 1.x Federation Service
TASK / REFERENCE
Task: Before you can achieve interoperation with an application that is hosted by the AD FS 1.x claims-aware Web agent, you must first create a relying party trust in the AD FS Federation Service in Windows Server 2012 to the AD FS 1.x claims-aware Web agent. Note: Creating this trust in the AD FS Federation Service is the equivalent of adding a new Application to the AD FS 1.x Federation Service (Federation Service\Trust Policy\My Organization\Application). This relying party trust is necessary because AD FS does not have an equivalent Application node in its own snap-in. However, it still must have a secure channel to the application.
When you set up the trust using the procedure in the referenced topic, you must do the following in the Add Relying Party Trust Wizard to set up this trust to interoperate with an AD FS 1.x claims-aware Web agent:
1. On the Select Data Source page, select Enter data about the relying party trust manually.
2. On the Choose Profile page, select AD FS 1.0 and 1.1 profile.
3. On the Configure URL page, under WS-Federation Passive URL, type the Application URL as defined in the AD FS 1.x Federation Service of the partner.
4. On the Configure Identifiers page, under Relying party trust identifier, type the Application URL as defined in the AD FS 1.x claims-aware Web agent.
Reference: Create a Relying Party Trust Manually
Task: On the relying party trust that you created earlier, you have to create claim rules that will take incoming claims that were extracted from an attribute store and pass through, filter, or transform them into a Name ID claim type that can be understood and consumed by the AD FS 1.x claims-aware Web agent. Note: Before you create this rule, make sure that the claim rule set where you are creating this rule has a rule that comes before it that first extracts a Lightweight Directory Access Protocol (LDAP) attribute claim from an attribute store. This claim will be used as input to the rule that you create to send an AD FS 1.x-compatible claim. For more information about how to create a rule to extract an LDAP attribute, see Create a Rule to Send LDAP Attributes as Claims.
Reference: Create a Rule to Send an AD FS 1.x Compatible Claim
Create a Relying Party Trust
6/17/2021
The following document provides information on creating a relying party trust manually and using federation
metadata.
5. On the Specify Display Name page, type a name in Display name , under Notes type a description for
this relying party trust, and then click Next .
6. On the Configure Certificate page, if you have an optional token encryption certificate, click Browse
to locate a certificate file, and then click Next .
7. On the Configure URL page, do one or both of the following, click Next , and then go to step 8:
Select the Enable support for the WS-Federation Passive protocol check box. Under
Relying party WS-Federation Passive protocol URL , type the URL for this relying party trust,
and then click Next .
Select the Enable support for the SAML 2.0 WebSSO protocol check box. Under Relying
party SAML 2.0 SSO service URL , type the Security Assertion Markup Language (SAML)
service endpoint URL for this relying party trust, and then click Next .
8. On the Configure Identifiers page, specify one or more identifiers for this relying party, click Add to
add them to the list, and then click Next .
9. On the Choose Access Control Policy select a policy and click Next . For more information about
Access Control Policies, see Access Control Policies in AD FS.
10. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party
trust information.
11. On the Finish page, click Close . This action automatically displays the Edit Claim Rules dialog box.
To create a claims aware Relying Party Trust using federation
metadata
To add a new relying party trust, using the AD FS Management snap-in, by automatically importing
configuration data about the partner from federation metadata that the partner published to a local network or
to the Internet, perform the following procedure on a federation server in the account partner organization.
NOTE
Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these
certificates have no security value and can enable an attacker to impersonate a Federation Service that is publishing
federation metadata. Therefore, when querying federation metadata, you should only use a fully qualified domain name
such as https://myserver.contoso.com.
Membership in Administrators , or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
1. In Server Manager, click Tools , and then select AD FS Management .
2. Under Actions , click Add Relying Party Trust .
See Also
AD FS Operations
Create a Claims Provider Trust
6/17/2021
To add a new claims provider trust by using the AD FS Management snap-in and manually configure the
settings, perform the following procedure on a resource partner federation server in the resource partner
organization.
Membership in Administrators , or equivalent, on the local computer is the minimum requirement to complete
this procedure. Review details about using the appropriate accounts and group memberships at Local and
Domain Default Groups.
5. On the Specify Display Name page, type a Display name , under Notes , type a description for this
claims provider trust, and then click Next .
6. On the Configure URL page, specify the WS-Federation Passive URL if applicable and click Next .
7. On the Configure Identifier page, under Claims provider trust identifier , type the appropriate
identifier, and then click Next .
8. On the Configure Certificates page, click Add to locate a certificate file and add it to the list of
certificates, and then click Next .
9. On the Ready to Add Trust page, click Next to save your claims provider trust information.
10. On the Finish page, click Close . This action automatically displays the Edit Claim Rules dialog box. For
more information about how to proceed with adding claim rules for this claims provider trust, see the
following additional references.
To create a claims provider trust using federation metadata
To add a new claims provider trust, using the AD FS Management snap-in, by automatically importing
configuration data about the partner from federation metadata that the partner has published to a local network
or to the Internet, perform the following procedure on a federation server in the resource partner organization.
NOTE
Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these
certificates have no security value and can enable an attacker to impersonate a Federation Service that is publishing
federation metadata. Therefore, when querying federation metadata, you should only use a fully qualified domain name
such as https://myserver.contoso.com .
5. On the Specify Display Name page type a Display name , under Notes type a description for this claims
provider trust, and then click Next .
6. On the Ready to Add Trust page, click Next to save your claims provider trust information.
7. On the Finish page, click Close . This will automatically display the Edit Claim Rules dialog box. For more
information about how to proceed with adding claim rules for this claims provider trust, see the
Additional references section below.
Additional references
Checklist: Configuring the Resource Partner Organization
Checklist: Creating Claim Rules for a Claims Provider Trust
See Also
AD FS Operations
Create a Rule to Send an AD FS 1.x Compatible
Claim
3/5/2021
In situations in which you are using Active Directory Federation Services (AD FS) to issue claims that will be
received by federation servers running AD FS 1.0 (Windows Server 2003 R2) or AD FS 1.1
(Windows Server 2008 or Windows Server 2008 R2), you must do the following:
Create a rule that will send a Name ID claim type with a format of UPN, Email, or Common Name.
All other claims that are sent must have one of the following claim types:
AD FS 1.x Email Address
AD FS 1.x UPN
Common Name
Group
Any other claim type that begins with https://schemas.xmlsoap.org/claims/, such as
https://schemas.xmlsoap.org/claims/EmployeeID
Depending on the needs of your organization, use one of the following procedures to create an AD FS 1.x
compatible NameID claim:
Create this rule to issue an AD FS 1.x Name ID claim using the Pass Through or Filter an Incoming
Claim rule template
Create this rule to issue an AD FS 1.x Name ID claim using the Transform an Incoming Claim rule
template . You can use this rule template in situations in which you want to change the existing claim
type to a new claim type that will work with AD FS 1.x claims.
NOTE
For this rule to work as expected, make sure that the relying party trust or claims provider trust where you are creating
this rule has been configured to use the AD FS 1.0 and 1.1 profile .
For a relying party trust:
4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules , click Add Rule to
start the rule wizard.
5. On the Select Rule Template page, under Claim rule template , select Pass Through or Filter an
Incoming Claim from the list, and then click Next .
For a claims provider trust:
4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules , click Add Rule to start the
rule wizard.
5. On the Select Rule Template page, under Claim rule template , select Pass Through or Filter an
Incoming Claim from the list, and then click Next .
6. On the Configure Rule page, type a claim rule name.
7. In Incoming claim type , select Name ID in the list.
8. In Incoming name ID format , select one of the following AD FS 1.x-compatible claim formats from the
list:
UPN
E-Mail
Common Name
9. Select one of the following options, depending on the needs of your organization:
Pass through all claim values
Pass through only a specific claim value
Pass through only claim values that match a specific email suffix value
Pass through only claim values that start with a specific value
10. Click Finish , and then click OK to save the rule.
For a relying party trust:
3. Right-click the selected trust, and then click Edit Claim Issuance Policy .
4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules , click Add Rule to
start the rule wizard.
For a claims provider trust:
3. Right-click the selected trust, and then click Edit Claim Rules .
4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules , click Add Rule to start the
rule wizard.
5. On the Select Rule Template page, under Claim rule template , select Transform an Incoming
Claim from the list, and then click Next .
6. On the Configure Rule page, type a claim rule name.
7. In Incoming claim type , select the type of incoming claim that you want to transform in the list.
8. In Outgoing claim type , select Name ID in the list.
9. In Outgoing name ID format , select one of the following AD FS 1.x-compatible claim formats from the
list:
UPN
E-Mail
Common Name
10. Select one of the following options, depending on the needs of your organization:
Pass through all claim values
Replace an incoming claim value with a different outgoing claim value
Replace incoming e-mail suffix claims with a new e-mail suffix
11. Click Finish , and then click OK to save the rule.
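The wizard pages above write rules in the AD FS claim rule language. The following is an added example, not text from this documentation, that shows the prerequisite LDAP rule, the Transform an Incoming Claim rule (UPN to Name ID), and the Pass Through or Filter variant with an e-mail suffix filter, applied to a relying party trust with Windows PowerShell. The trust display name "AD FS 1.x Partner" and the suffix contoso.com are placeholders; the Name ID format URI shown is what the wizard generates for the UPN choice, so compare it with the rule text the wizard produces in your own environment before relying on it.

```powershell
# Added example (not from the Microsoft documentation): AD FS 1.x-compatible Name ID
# claim rules as claim rule language, applied with Windows PowerShell.
# Placeholders: trust name "AD FS 1.x Partner", e-mail suffix "contoso.com".

$trustName = "AD FS 1.x Partner"   # placeholder display name of the relying party trust

# Rule 1 (prerequisite): extract the user's UPN from Active Directory. This is the
# rule the "Send LDAP Attributes as Claims" template generates for userPrincipalName.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Rule 2: "Transform an Incoming Claim" - turn the UPN claim into a Name ID claim whose
# format property marks it as an AD FS 1.x UPN. Issuer/OriginalIssuer are copied so the
# partner can still see where the value came from.
$transformRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Transform UPN to AD FS 1.x Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
'@

# Rule 3 (alternative to rule 2 when a Name ID already arrives from upstream):
# "Pass Through or Filter an Incoming Claim" with "only claim values that match a
# specific email suffix value". Anything outside contoso.com is dropped, which limits
# what a compromised or misconfigured upstream issuer can push to the 1.x partner.
$filterRule = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through contoso.com Name IDs only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "http://schemas.xmlsoap.org/claims/UPN", Value =~ "^.+@contoso\.com$"]
 => issue(claim = c);
'@

# -IssuanceTransformRules replaces the whole rule set, so concatenate every rule the
# trust needs (order matters: the LDAP rule must precede the rule that consumes it).
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules ($ldapRule + "`n" + $transformRule)

# Read the stored rule set back to confirm what AD FS will actually evaluate.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

On AD FS 2.0 the cmdlets live in the Microsoft.Adfs.PowerShell snap-in (Add-PSSnapin Microsoft.Adfs.PowerShell); on Windows Server 2012 and later the module loads automatically. Because Set-AdfsRelyingPartyTrust overwrites the rule set, capture the existing IssuanceTransformRules first if the trust already has rules you want to keep.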
Additional references
Configure Claim Rules
Checklist: Creating Claim Rules for a Relying Party Trust
Checklist: Creating Claim Rules for a Claims Provider Trust
When to Use an Authorization Claim Rule
The Role of Claims
The Role of Claim Rules
Migrate Active Directory Federation Services Role
Services to Windows Server 2012 R2
6/17/2021
This document provides instructions to migrate the following role services to Active Directory Federation
Services (AD FS) that is installed with Windows Server 2012 R2:
AD FS 2.0 federation server installed on Windows Server 2008 or Windows Server 2008 R2
AD FS federation server installed on Windows Server 2012
x86- or x64-based Windows Server 2008, both full and Server Core installation options
Role service: AD FS 2.0 federation server installed on Windows Server 2008 or Windows Server 2008 R2
Migration support: Migration on the same server is supported. For more information, see:
Preparing to Migrate the AD FS Federation Server
Migrating the AD FS Federation Server
Role service: AD FS federation server installed on Windows Server 2012
Migration support: Migration on the same server is supported. For more information, see:
Preparing to Migrate the AD FS Federation Server
Migrating the AD FS Federation Server
Next Steps
Preparing to Migrate the AD FS Federation Server
Migrating the AD FS Federation Server
Migrating the AD FS Federation Server Proxy
Verifying the AD FS Migration to Windows Server 2012 R2
Prepare to Migrate the AD FS 2.0 Federation Server
to AD FS on Windows Server 2012 R2
11/2/2020
This document describes how to migrate an AD FS 2.0 or Windows Server 2012 federation server farm to a
Windows Server 2012 R2 AD FS farm. The steps can be used with AD FS farms that use either WID or SQL
Server as the underlying database.
Migration Process Outline
New AD FS functionality in Windows Server 2012 R2
AD FS Requirements in Windows Server 2012 R2
Increasing your Windows PowerShell limits
Other migration tasks and considerations
This error is thrown because the Windows PowerShell session default memory limit is too low. In Windows
PowerShell 2.0, the session default memory is 150MB. In Windows PowerShell 3.0, the session default memory
is 1024MB. You can verify the Windows PowerShell remote session memory limit using the following command:
Get-Item wsman:localhost\Shell\MaxMemoryPerShellMB
You can increase the limit by running the following command:
Set-Item wsman:localhost\Shell\MaxMemoryPerShellMB 512
Next Steps
Migrate Active Directory Federation Services Role Services to Windows Server 2012 R2
Migrating the AD FS Federation Server
Migrating the AD FS Federation Server Proxy
Verifying the AD FS Migration to Windows Server 2012 R2
Migrate the AD FS 2.0 federation server to AD FS
on Windows Server 2012 R2
3/5/2021
To migrate an AD FS federation server that belongs to a single-node AD FS farm, a WIF farm, or a SQL Server
farm to Windows Server 2012 R2, you must perform the following tasks:
1. Export and backup the AD FS configuration data
2. Create a Windows Server 2012 R2 federation server farm
3. Import the original configuration data into the Windows Server 2012 R2 AD FS farm
NOTE
If you plan to deploy the Device Registration Service as part of running your AD FS in Windows Server 2012 R2, you must
obtain a new SSL cert. For more information, see Enroll an SSL Certificate for AD FS and Configure a federation server
with Device Registration Service.
To view the token signing, token decryption and service communication certificates that are used, run the
following Windows PowerShell command to create a list of all certificates in use in a file:
2. Export AD FS federation service properties, such as the federation service name, federation service display
name, and federation server identifier to a file.
To export federation service properties, open Windows PowerShell and run the following command:
Get-ADFSProperties | Out-File ".\properties.txt"
The output file will contain the following important configuration values:
3. Back up the application configuration file. Among other settings, this file contains the policy database
connection string.
To back up the application configuration file, you must manually copy the
%programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config file
to a secure location on a backup server.
NOTE
Make note of the database connection string in this file, located immediately after “policystore connectionstring=”. If the
connection string specifies a SQL Server database, the value is needed when restoring the original AD FS configuration on
the federation server.
The following is an example of a WID connection string:
"Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True"
The following is an example of a SQL Server connection string:
"Data Source=databasehostname;Integrated Security=True"
4. Record the identity of the AD FS federation service account and the password of this account.
To find the identity value, examine the Log On As column of AD FS 2.0 Windows Service in the Services
console and manually record this value.
NOTE
For a stand-alone federation service, the built-in NETWORK SERVICE account is used. In this case, you do not need to
have a password.
IMPORTANT
The export script takes the following parameters:
Export-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-CertificatePassword <securestring>]
Export-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-CertificatePassword <securestring>] [-RelyingPartyTrustIdentifier <string[]>] [-ClaimsProviderTrustIdentifier <string[]>]
Export-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-CertificatePassword <securestring>] [-RelyingPartyTrustName <string[]>] [-ClaimsProviderTrustName <string[]>]
-RelyingPartyTrustIdentifier <string[]> - the cmdlet only exports relying party trusts whose identifiers are
specified in the string array. The default is to export NONE of the relying party trusts. If none of
RelyingPartyTrustIdentifier, ClaimsProviderTrustIdentifier, RelyingPartyTrustName, and ClaimsProviderTrustName is
specified, the script will export all relying party trusts and claims provider trusts.
-ClaimsProviderTrustIdentifier <string[]> - the cmdlet only exports claims provider trusts whose identifiers
are specified in the string array. The default is to export NONE of the claims provider trusts.
-RelyingPartyTrustName <string[]> - the cmdlet only exports relying party trusts whose names are specified
in the string array. The default is to export NONE of the relying party trusts.
-ClaimsProviderTrustName <string[]> - the cmdlet only exports claims provider trusts whose names are
specified in the string array. The default is to export NONE of the claims provider trusts.
-Path <string> - the path to a folder that will contain the exported files.
-ComputerName <string> - specifies the STS server host name. The default is the local computer. If you are
migrating AD FS 2.0 or AD FS in Windows Server 2012 to AD FS in Windows Server 2012 R2, this is the host
name of the legacy AD FS server.
-Credential <PSCredential> - specifies a user account that has permission to perform this action. The default
is the current user.
-Force – specifies to not prompt for user confirmation.
-CertificatePassword <SecureString> - specifies a password for exporting AD FS certificates' private keys. If
not specified, the script will prompt for a password if an AD FS certificate with private key needs to be exported.
Inputs : None
Outputs : string - this cmdlet returns the export folder path. You can pipe the returned object to Import-
FederationConfiguration.
You can find information about custom attribute stores in use by AD FS by running the following Windows
PowerShell command:
Get-ADFSAttributeStore
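The preparation steps above each end in a file that is checked again after the import. The following added script, not part of this documentation, gathers that inventory in one pass on the legacy federation server and then runs the export script from the installation media. It assumes a backup folder of C:\AdfsBackup and installation media on drive D: (both placeholders), that the config file path is the AD FS 2.0 one given above (AD FS on Windows Server 2012 keeps it under %systemroot%\ADFS), and that the AD FS service is named adfssrv.

```powershell
# Added example (not from the Microsoft documentation): pre-migration inventory of an
# AD FS 2.0 / Windows Server 2012 federation server, written to a backup folder, followed
# by the Export-FederationConfiguration.ps1 run. Paths and drive letter are placeholders.

$backup = "C:\AdfsBackup"                       # placeholder backup location
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# AD FS 2.0 ships its cmdlets as a snap-in; AD FS on Windows Server 2012 loads the module itself.
if (-not (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# 1. Certificates in use: type, thumbprint, and which one is primary for each role.
Get-ADFSCertificate |
    Format-List CertificateType, Thumbprint, IsPrimary, StoreName, StoreLocation |
    Out-File (Join-Path $backup "certificates.txt")

# 2. Federation service properties (service name, display name, identifier, ...).
Get-ADFSProperties | Out-File (Join-Path $backup "properties.txt")

# 3. Enabled endpoints and the claim description list, compared again after the import.
Get-ADFSEndpoint | Where-Object { $_.Enabled } |
    Format-List Protocol, AddressPath, Proxy |
    Out-File (Join-Path $backup "endpoints.txt")
Get-ADFSClaimDescription |
    Format-List Name, ClaimType, IsAccepted, IsOffered, IsRequired |
    Out-File (Join-Path $backup "claimdescriptions.txt")

# 4. Attribute stores; anything besides the built-in Active Directory store is custom
#    and must be reinstalled (and rebuilt against .NET 4.0 or later) on the new farm.
Get-ADFSAttributeStore | Out-File (Join-Path $backup "attributestores.txt")

# 5. Application configuration file plus the policy store connection string it contains.
$configFile = Join-Path $env:ProgramFiles "Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config"
Copy-Item $configFile -Destination $backup
$configText = [System.IO.File]::ReadAllText($configFile)
$connectionString = ([regex]'policystore connectionstring="([^"]*)"').Match($configText).Groups[1].Value
$connectionString | Out-File (Join-Path $backup "policystore-connectionstring.txt")
if ($connectionString -notmatch 'pipe\\mssql\$microsoft##ssee') {
    Write-Warning "Policy store is on SQL Server; this connection string is required when restoring."
}

# 6. Service account identity, read from the service control manager instead of the console.
Get-WmiObject Win32_Service -Filter "Name='adfssrv'" |
    Select-Object Name, StartName |
    Out-File (Join-Path $backup "serviceaccount.txt")

# 7. Raise the remote-session memory limit if it is below the value recommended above.
$limit = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
if ($limit -lt 512) { Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 512 }

# 8. Export trusts and certificates with the script from the Windows Server 2012 R2 media.
#    The script prompts for a password if a certificate with a private key is exported;
#    keep the export folder as protected as the original private keys.
& "D:\support\adfs\Export-FederationConfiguration.ps1" -Path (Join-Path $backup "export")
```

Run this from an elevated Windows PowerShell session on the legacy server. The export folder can contain private keys, so treat it as you would the certificates themselves: restrict its ACL and remove it once the import has been verified.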
Import the original configuration data into the Windows Server 2012
R2 AD FS farm
Now that you have an AD FS federation server farm running in Windows Server 2012 R2, you can import the
original AD FS configuration data into it.
1. Import and configure other custom AD FS certificates, including externally enrolled token-signing and token-
decryption/encryption certificates, and the service communication certificate if it is different from the SSL
certificate.
In the AD FS management console, select Cer tificates . Verify the service communications, token-
encryption/decryption, and token-signing certificates by checking each against the values you exported into the
certificates.txt file while preparing for the migration.
To change the token-decrypting or token-signing certificates from the default self-signed certificates to external
certificates, you must first disable the automatic certificate rollover feature that is enabled by default. To do this,
you can use the following Windows PowerShell command:
2. Configure any custom AD FS service settings such as AutoCertificateRollover or SSO lifetime using the
Set-AdfsProperties cmdlet.
3. To import AD FS relying party trusts and claims provider trusts, you must be logged in as Administrator
(however, not as the Domain Administrator) onto your federation server and run the following Windows
PowerShell script that is located in the \support\adfs folder of the Windows Server 2012 R2 installation
CD:
import-federationconfiguration.ps1
IMPORTANT
The import script takes the following parameters:
Import-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-LogPath <string>] [-CertificatePassword <securestring>]
Import-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-LogPath <string>] [-CertificatePassword <securestring>] [-RelyingPartyTrustIdentifier <string[]>] [-ClaimsProviderTrustIdentifier <string[]>]
Import-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-LogPath <string>] [-CertificatePassword <securestring>] [-RelyingPartyTrustName <string[]>] [-ClaimsProviderTrustName <string[]>]
-RelyingPartyTrustIdentifier <string[]> - the cmdlet only imports relying party trusts whose identifiers are specified
in the string array. The default is to import NONE of the relying party trusts. If none of RelyingPartyTrustIdentifier,
ClaimsProviderTrustIdentifier, RelyingPartyTrustName, and ClaimsProviderTrustName is specified, the script will import all
relying party trusts and claims provider trusts.
-ClaimsProviderTrustIdentifier <string[]> - the cmdlet only imports claims provider trusts whose identifiers are
specified in the string array. The default is to import NONE of the claims provider trusts.
-RelyingPartyTrustName <string[]> - the cmdlet only imports relying party trusts whose names are specified in the
string array. The default is to import NONE of the relying party trusts.
-ClaimsProviderTrustName <string[]> - the cmdlet only imports claims provider trusts whose names are specified in
the string array. The default is to import NONE of the claims provider trusts.
-Path <string> - the path to a folder that contains the configuration files to be imported.
-LogPath <string> - the path to a folder that will contain the import log file. A log file named “import.log” will be
created in this folder.
-ComputerName <string> - specifies host name of the STS server. The default is the local computer. If you are
migrating AD FS 2.0 or AD FS in Windows Server 2012 to AD FS in Windows Server 2012 R2, this parameter should be
set to the hostname of the legacy AD FS server.
-Credential <PSCredential> - specifies a user account that has permission to perform this action. The default is the
current user.
-Force – specifies to not prompt for user confirmation.
-CertificatePassword <SecureString> - specifies a password for importing AD FS certificates' private keys. If not
specified, the script will prompt for a password if an AD FS certificate with private key needs to be imported.
Inputs: string - this command takes the import folder path as input. You can pipe Export-FederationConfiguration to this
command.
Outputs: None.
Any trailing spaces in the WSFedEndpoint property of a relying party trust may cause the import script to error.
In this case, manually remove the spaces from the file prior to import. For example, these entries cause errors:
<URI N="WSFedEndpoint">https://myapp.cloudapp.net:83/</URI>
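Trailing whitespace inside an element is invisible in most editors, so the following added script, which is not part of this documentation, finds every WSFedEndpoint entry in the exported files that has leading or trailing whitespace, backs the file up, trims the value, and then runs the import script with a log folder. It assumes the export folder C:\AdfsBackup\export and media drive D: (placeholders) and that the exported configuration files are XML files.

```powershell
# Added example (not from the Microsoft documentation): trim whitespace around
# <URI N="WSFedEndpoint"> values in the exported configuration before importing.
# Placeholders: export folder, log folder, installation media drive letter.

$exportPath = "C:\AdfsBackup\export"          # folder written by Export-FederationConfiguration.ps1
$logPath    = "C:\AdfsBackup\importlog"       # import.log is created here by the import script

# Matches an endpoint value with whitespace at either end (the entries that break the import).
$dirtyPattern = '<URI N="WSFedEndpoint">(?:\s+[^<]*|[^<]*\s+)</URI>'
# Captures the element with the surrounding whitespace excluded from the value.
$fixPattern   = '(<URI N="WSFedEndpoint">)\s*([^<]*?)\s*(</URI>)'

Get-ChildItem -Path $exportPath -Recurse -Filter *.xml | ForEach-Object {
    $file  = $_
    $text  = [System.IO.File]::ReadAllText($file.FullName)
    $dirty = [regex]::Matches($text, $dirtyPattern)
    if ($dirty.Count -gt 0) {
        Write-Host ("{0}: {1} WSFedEndpoint value(s) with surrounding whitespace" -f $file.Name, $dirty.Count)
        $dirty | ForEach-Object { Write-Host ("  " + $_.Value) }
        # Keep the original so the change can be reviewed or reverted.
        Copy-Item $file.FullName -Destination ($file.FullName + ".bak")
        $fixed = [regex]::Replace($text, $fixPattern, '$1$2$3')
        [System.IO.File]::WriteAllText($file.FullName, $fixed)
    }
}

# Import on the Windows Server 2012 R2 federation server, logged in as a local
# Administrator (not the Domain Administrator) as the step above requires.
& "D:\support\adfs\Import-FederationConfiguration.ps1" -Path $exportPath -LogPath $logPath

# Surface anything the import script logged as a problem before moving on.
Select-String -Path (Join-Path $logPath "import.log") -Pattern "error", "fail" |
    ForEach-Object { Write-Warning $_.Line }
```

Review the .bak files against the trimmed versions before deleting them; the only intended difference is whitespace adjacent to the URI.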
IMPORTANT
If you have any custom claim rules (rules other than the AD FS default rules) on the Active Directory claims provider trust
in the source system, these will not be migrated by the scripts. This is because Windows Server 2012 R2 has new defaults.
Any custom rules must be merged by adding them manually to the Active Directory claims provider trust in the new
Windows Server 2012 R2 farm.
1. Configure all custom AD FS endpoint settings. In the AD FS Management console, select Endpoints .
Check the enabled AD FS endpoints against the list of enabled AD FS endpoints that you exported to a file
while preparing for the AD FS migration.
- And -
Configure any custom claim descriptions. In the AD FS Management console, select Claim Descriptions .
Check the list of AD FS claim descriptions against the list of claim descriptions that you exported to a file
while preparing for the AD FS migration. Add any custom claim descriptions included in your file but not
included in the default list in AD FS. Note that Claim identifier in the management console maps to the
ClaimType in the file.
2. Install and configure all backed up custom attribute stores. As an administrator, ensure that any custom
attribute store binaries are upgraded to .NET Framework 4.0 or higher before updating the AD FS
configuration to point to them.
3. Configure service properties that map to the legacy web.config file parameters.
If useRelayStateForIdpInitiatedSignOn was added to the web.config file in your AD FS 2.0 or
AD FS in Windows Server 2012 farm, then you must configure the following service properties in
your AD FS in Windows Server 2012 R2 farm:
AD FS in Windows Server 2012 R2 includes a
%systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config file. Create an
element with the same syntax as the web.config file element:
<useRelayStateForIdpInitiatedSignOn enabled="true" /> . Include this element as part of the
<microsoft.identityserver.web> section of the
Microsoft.IdentityServer.Servicehost.exe.config file.
If <persistIdentityProviderInformation enabled="true|false" lifetimeInDays="90"
enablewhrPersistence="true|false" /> was added to the web.config file in your AD FS 2.0 or
AD FS in Windows Server 2012 farm, then you must configure the following service properties in
your AD FS in Windows Server 2012 R2 farm:
a. In AD FS in Windows Server 2012 R2, run the following Windows PowerShell command:
Set-AdfsWebConfig -HRDCookieEnabled -HRDCookieLifetime .
If <singleSignOn enabled="true|false" /> was added to the web.config file in your AD FS 2.0
or AD FS in Windows Server 2012 farm, you do not need to set any additional service properties
in your AD FS in Windows Server 2012 R2 farm. Single sign-on is enabled by default in AD FS in
Windows Server 2012 R2 farm.
If localAuthenticationTypes settings were added to the web.config file in your AD FS 2.0 or AD FS
in Windows Server 2012 farm, then you must configure the following service properties in your
AD FS in Windows Server 2012 R2 farm:
Integrated, Forms, TlsClient, Basic: transform this list into the equivalent settings in AD FS in Windows Server 2012 R2, which has global authentication policy settings that support both federation service and proxy authentication types. These settings can be configured in the AD FS Management snap-in under Authentication Policies .
After you import the original configuration data, you can customize the AD FS sign in pages as needed.
For more information, see Customizing the AD FS Sign-in Pages.
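The post-import steps above (disable automatic rollover, register external certificates, verify against certificates.txt, carry over the web.config settings) can be scripted. The following is an added example, not text from this documentation; the certificate thumbprints and backup path are placeholders, the HRD cookie values reproduce the lifetimeInDays="90" example above, and the config-file edit assumes the <microsoft.identityserver.web> section already exists in the service host configuration.

```powershell
# Added example (not from the Microsoft documentation): post-import configuration of
# the Windows Server 2012 R2 farm. Thumbprints and the backup path are placeholders.

$backup = "C:\AdfsBackup"

# 1. Automatic certificate rollover is on by default and would keep generating
#    self-signed certificates; turn it off before registering external ones.
Set-AdfsProperties -AutoCertificateRollover $false

# 2. Register the externally enrolled token-signing and token-decrypting certificates
#    (already imported into the local machine store) and make them primary.
$signingThumbprint    = "0000000000000000000000000000000000000001"   # placeholder
$decryptingThumbprint = "0000000000000000000000000000000000000002"   # placeholder
Add-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $signingThumbprint
Add-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $decryptingThumbprint
Set-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $signingThumbprint    -IsPrimary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $decryptingThumbprint -IsPrimary

# 3. Compare the certificates now in use with the pre-migration certificates.txt
#    (Format-List output, one "Thumbprint : <hex>" line per certificate).
$expected = Select-String -Path (Join-Path $backup "certificates.txt") -Pattern 'Thumbprint\s*:\s*([0-9A-Fa-f]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() }
$current = Get-AdfsCertificate | ForEach-Object { $_.Thumbprint.ToUpper() }
$expected | Where-Object { $current -notcontains $_ } |
    ForEach-Object { Write-Warning "Certificate $_ from the old farm is not registered in the new farm" }

# 4. persistIdentityProviderInformation from the legacy web.config maps to the
#    home realm discovery cookie settings; 90 days matches the example above.
Set-AdfsWebConfig -HRDCookieEnabled $true -HRDCookieLifetime 90

# 5. useRelayStateForIdpInitiatedSignOn moves into the service host configuration.
$cfgPath = Join-Path $env:SystemRoot "ADFS\Microsoft.IdentityServer.Servicehost.exe.config"
[xml]$cfg = Get-Content $cfgPath
$web = $cfg.configuration.'microsoft.identityserver.web'
if ($web -and -not $web.useRelayStateForIdpInitiatedSignOn) {
    Copy-Item $cfgPath -Destination ($cfgPath + ".bak")
    $element = $cfg.CreateElement("useRelayStateForIdpInitiatedSignOn")
    $element.SetAttribute("enabled", "true")
    $web.AppendChild($element) | Out-Null
    $cfg.Save($cfgPath)
    Restart-Service adfssrv           # the service reads the file only at start-up
}
```

Step 5 restarts the federation service, so run it during a maintenance window and, in a multi-node farm, on every node. The warning in step 3 is informational: a certificate that was intentionally retired during the migration will also appear there.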
Next Steps
Migrate Active Directory Federation Services Role Services to Windows Server 2012 R2
Preparing to Migrate the AD FS Federation Server
Migrating the AD FS Federation Server Proxy
Verifying the AD FS Migration to Windows Server 2012 R2
Migrate the Active Directory Federation Services
Proxy Server to Windows Server 2012 R2
11/2/2020
In Active Directory Federation Services (AD FS) in Windows Server 2012 R2, the role of a federation server
proxy is handled by a new Remote Access role service called Web Application Proxy. In Windows Server 2012
R2, to enable your AD FS for accessibility from outside of the corporate network, you can deploy one or more
Web Application Proxies. However, you cannot migrate a federation server proxy running on Windows Server
2008 R2 or Windows Server 2012 to a Web Application Proxy running on Windows Server 2012 R2.
IMPORTANT
The migration of a federation server proxy running on Windows Server 2008, Windows Server 2008 R2, or Windows
Server 2012 to a Web Application Proxy running on Windows Server 2012 R2 is NOT supported.
If you want to configure AD FS in a Windows Server 2012 R2 migrated farm for extranet access, you must
perform a fresh deployment of one or more Web Application Proxy computers as part of your AD FS
infrastructure.
To plan Web Application Proxy deployment, you can review the information in the following topics:
Plan the Web Application Proxy Infrastructure
Plan the Web Application Proxy Server
To deploy Web Application proxy, you can follow the procedures in the following topics:
Configure the Web Application Proxy Infrastructure
Install and Configure the Web Application Proxy Server
Next Steps
Migrate Active Directory Federation Services Role Services to Windows Server 2012 R2
Preparing to Migrate the AD FS Federation Server
Migrating the AD FS Federation Server
Verifying the AD FS Migration to Windows Server 2012 R2
Verify the AD FS 2.0 migration to Windows Server
2012 R2
3/5/2021
Once you complete the same server migration of your Active Directory Federation Service (AD FS) farm to
Windows Server 2012 R2, you can use the following procedure to verify that federation servers in your farm are
operational; that is, that any client on the same network can reach your federation servers.
Membership in Users , Backup Operators , Power Users , Administrators or equivalent, on the local
computer is the minimum required to complete this procedure.
To verify that a federation server is operational
1. Open a browser window and in the address bar, type the federation server's name, and then append
federationmetadata/2007-06/federationmetadata.xml to browse to the federation service metadata endpoint.
For example, https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml .
If in your browser window you can see the federation server metadata without any SSL errors or warnings, your
federation server is operational.
2. You can also browse to the AD FS sign-in page (your federation service name appended with
adfs/ls/idpinitiatedsignon.htm , for example, https://fs.contoso.com/adfs/ls/idpinitiatedsignon.htm ). This
displays the AD FS sign-in page where you can sign in with domain administrator credentials.
IMPORTANT
Make sure to configure your browser settings to trust the federation server role by adding your federation service name
(for example, https://fs.contoso.com ) to the browser's local intranet zone.
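The two browser checks above can also be run as a script that fails on the same conditions a browser would warn about. The following added example, not part of this documentation, fetches the metadata endpoint (Invoke-WebRequest refuses a certificate that is untrusted, expired, or issued for a different name, which is the "no SSL errors or warnings" condition), reads the entityID and the published signing certificates, checks that the primary token-signing certificate on the farm is among them, and then requests the sign-in page. It uses the page's example name fs.contoso.com; the certificate comparison only runs where the AD FS cmdlets are available.

```powershell
# Added example (not from the Microsoft documentation): scripted check of the
# federation metadata endpoint and the IdP-initiated sign-on page.
$fsName      = "fs.contoso.com"                # example federation service name from the page
$metadataUrl = "https://$fsName/federationmetadata/2007-06/federationmetadata.xml"
$signOnUrl   = "https://$fsName/adfs/ls/idpinitiatedsignon.htm"

function Test-FederationServer {
    # TLS validation is not relaxed here on purpose: a name mismatch or untrusted
    # chain must fail, because clients would be warned the same way.
    try {
        $response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
    } catch {
        Write-Error "Metadata endpoint unreachable or TLS validation failed: $($_.Exception.Message)"
        return $false
    }

    [xml]$metadata = $response.Content
    $entityId = $metadata.EntityDescriptor.entityID
    Write-Host "entityID: $entityId"

    # Signing certificates advertised to partners (PowerShell's XML adapter ignores namespace prefixes).
    $roles = @($metadata.EntityDescriptor.RoleDescriptor) + @($metadata.EntityDescriptor.IDPSSODescriptor)
    $published = $roles | ForEach-Object { $_.KeyDescriptor } |
        Where-Object { $_.use -eq "signing" } |
        ForEach-Object { $_.KeyInfo.X509Data.X509Certificate } |
        Select-Object -Unique
    $publishedThumbprints = foreach ($b64 in $published) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (, [Convert]::FromBase64String($b64))
        Write-Host ("signing certificate in metadata: {0} (expires {1})" -f $cert.Thumbprint, $cert.NotAfter)
        $cert.Thumbprint
    }

    # On a federation server, confirm the farm's primary signing certificate is the one published.
    if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
        $primary = Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object { $_.IsPrimary } | Select-Object -ExpandProperty Thumbprint
        if ($publishedThumbprints -notcontains $primary) {
            Write-Error "Primary token-signing certificate $primary is not in the published metadata"
            return $false
        }
    }

    # The sign-in page only needs to render; credentials are entered interactively.
    $page = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing
    if ($page.StatusCode -ne 200) {
        Write-Error "Sign-in page returned HTTP $($page.StatusCode)"
        return $false
    }
    Write-Host "Federation server $fsName is operational"
    return $true
}

Test-FederationServer
```

Run it from a domain-joined client on the same network first, then from a federation server; the second run adds the certificate comparison. The intranet zone setting in the note above affects only browser sign-in and is not needed for this script.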
Next Steps
Migrate Active Directory Federation Services Role Services to Windows Server 2012 R2
Preparing to Migrate the AD FS Federation Server
Migrating the AD FS Federation Server
Migrating the AD FS Federation Server Proxy
Migrate Active Directory Federation Services Role Services to Windows Server 2012
6/17/2021 • 3 minutes to read
This topic provides instructions on migrating the following role services to Active Directory Federation
Services (AD FS) on Windows Server 2012:
AD FS 1.1 Windows token-based agent and AD FS 1.1 claims-aware agent installed with Windows Server
2008 or Windows Server 2008 R2
AD FS 2.0 federation server and AD FS 2.0 federation server proxy installed on Windows Server 2008 or
Windows Server 2008 R2
x86- or x64-based Windows Server 2008, both full and Server Core installation options
NOTE
The versions of operating systems that are listed in the preceding table are the oldest combinations of operating
systems and service packs that are supported.
The Foundation, Standard, Enterprise, and Datacenter editions of the Windows Server operating system are
supported as the source or the destination server.
Migrations between physical operating systems and virtual operating systems are supported.
FROM / TO AD FS INSTALLED WITH WINDOWS SERVER 2012
From: AD FS 1.0 federation server installed with Windows Server 2003 R2
To AD FS installed with Windows Server 2012: Migration is not supported
From: AD FS 1.0 federation server proxy installed with Windows Server 2003 R2
To AD FS installed with Windows Server 2012: Migration is not supported
From: AD FS 1.0 claims-aware agent installed with Windows Server 2003 R2
To AD FS installed with Windows Server 2012: Migration is not supported
From: AD FS 1.1 federation server installed with Windows Server 2008 or Windows Server 2008 R2
To AD FS installed with Windows Server 2012: Migration is not supported
From: AD FS 1.1 federation server proxy installed with Windows Server 2008 or Windows Server 2008 R2
To AD FS installed with Windows Server 2012: Migration is not supported
From: AD FS 1.1 Windows token-based agent installed with Windows Server 2008 or Windows Server 2008 R2
To AD FS installed with Windows Server 2012: Migration on the same server is supported, but the migrated AD FS
Windows token-based agent will function only with an AD FS 1.1 federation service installed with Windows
Server 2008 or Windows Server 2008 R2. For more information, see Migrate the AD FS 1.1 Web Agents and
Interoperating with AD FS 1.x.
From: AD FS 1.1 claims-aware agent installed with Windows Server 2008 or Windows Server 2008 R2
To AD FS installed with Windows Server 2012: Migration on the same server is supported. The migrated AD FS 1.1
claims-aware web agent will function with the following: an AD FS 1.1 federation service installed with
Windows Server 2008 or Windows Server 2008 R2; an AD FS 2.0 federation service installed on Windows Server
2008 or Windows Server 2008 R2; an AD FS federation service installed with Windows Server 2012. For more
information, see Migrate the AD FS 1.1 Web Agents and Interoperating with AD FS 1.x.
From: AD FS 2.0 federation server installed on Windows Server 2008 or Windows Server 2008 R2
To AD FS installed with Windows Server 2012: Migration on the same server is supported. For more information,
see Prepare to Migrate the AD FS 2.0 Federation Server and Migrate the AD FS 2.0 Federation Server.
From: AD FS 2.0 federation server proxy installed on Windows Server 2008 or Windows Server 2008 R2
To AD FS installed with Windows Server 2012: Migration on the same server is supported. For more information,
see Prepare to Migrate the AD FS 2.0 Federation Server Proxy and Migrate the AD FS 2.0 Federation Server Proxy.
See Also
Prepare to Migrate the AD FS 2.0 Federation Server
Prepare to Migrate the AD FS 2.0 Federation Server Proxy
Migrate the AD FS 2.0 Federation Server
Migrate the AD FS 2.0 Federation Server Proxy
Migrate the AD FS 1.1 Web Agents
Prepare to Migrate the AD FS 2.0 Federation Server
11/2/2020 • 2 minutes to read
This document is the starting point for preparing to migrate your AD FS 2.0 Federation Server to Windows
Server 2012. Choose the one that best fits your migration scenario:
Prepare to migrate a stand-alone AD FS federation server or a single-node AD FS farm
Prepare to migrate a WID farm
Prepare to migrate a SQL Server farm
Prepare to migrate a stand-alone AD FS federation server or a single-node AD FS farm
3/5/2021 • 5 minutes to read
To prepare to migrate (same-server migration) a stand-alone AD FS 2.0 federation server or a single-node AD FS
farm to Windows Server 2012, you must export and back up the AD FS configuration data from this server.
To export the AD FS configuration data, perform the following tasks:
Step 1: Export service settings
Step 2: Export claims provider trusts
Step 3: Export relying party trusts
Step 4: Back up custom attribute stores
Step 5: Back up webpage customizations
NOTE
Optionally, you can also export the SSL certificate used by the federation service and its private key to a .pfx file. For more
information, see Export the Private Key Portion of a Server Authentication Certificate.
Exporting the SSL certificate is optional because this certificate is stored in the local computer Personal certificates store
and is preserved in the operating system upgrade.
3. Export AD FS 2.0 federation service properties, such as the federation service name, federation service
display name, and federation server identifier, to a file.
To export federation service properties, open Windows PowerShell and run the following command to add the
AD FS cmdlets to your Windows PowerShell session: PSH:> add-pssnapin "Microsoft.adfs.powershell". Then run
the following command to export federation service properties:
PSH:> Get-ADFSProperties | Out-File ".\properties.txt"
The output file will contain the following important configuration values:
4. Back up the application configuration file. Among other settings, this file contains the policy database
connection string.
To back up the application configuration file, you must manually copy the
%programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config file
to a secure location on a backup server.
NOTE
Make note of the database connection string in this file, located immediately after policystore connectionstring=. If the
connection string specifies a SQL Server database, the value is needed when restoring the original AD FS configuration on
the federation server.
The following is an example of a WID connection string:
"Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True"
The following is an example of a SQL Server connection string:
"Data Source=databasehostname;Integrated Security=True"
5. Record the identity of the AD FS 2.0 federation service account and the password of this account.
To find the identity value, examine the Log On As column of AD FS 2.0 Windows Service in the Services
console and manually record this value.
NOTE
For a stand-alone federation service, the built-in NETWORK SERVICE account is used. In this case, you do not need to
have a password.
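Steps 3 to 5 as one script that runs on the AD FS 2.0 server before the upgrade, an added example that is not part of the article. It also exports the endpoint, claim description, trust, certificate and attribute store settings that the restore steps later compare against. It uses the AD FS 2.0 snap-in cmdlets the article names and PowerShell 2.0 syntax; the backup folder is an assumed location, and the service name adfssrv is the service name of the AD FS 2.0 Windows Service:

```powershell
# Added example (not from the original article). Collects the AD FS 2.0
# configuration items the preparation steps ask for into one backup folder.
$BackupRoot = "C:\AdfsMigrationBackup"   # assumed path; use a share on a backup server in practice
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Load the AD FS 2.0 cmdlets; the error is suppressed if the snap-in is already loaded.
Add-PSSnapin "Microsoft.adfs.powershell" -ErrorAction SilentlyContinue

# Step 3: federation service properties (name, display name, identifier, ...).
Get-ADFSProperties | Out-File "$BackupRoot\properties.txt"

# Service settings that the restore steps check against exported lists. The
# text files match what the article describes; the CSV copies can be compared
# mechanically after the upgrade.
Get-ADFSEndpoint | Out-File "$BackupRoot\endpoints.txt"
Get-ADFSEndpoint | Select-Object AddressPath, Enabled, Protocol, Proxy |
    Export-Csv "$BackupRoot\endpoints.csv" -NoTypeInformation
Get-ADFSClaimDescription | Out-File "$BackupRoot\claimdescriptions.txt"
Get-ADFSClaimDescription | Select-Object Name, ClaimType, IsAccepted, IsOffered, IsRequired |
    Export-Csv "$BackupRoot\claimdescriptions.csv" -NoTypeInformation
Get-ADFSCertificate | Out-File "$BackupRoot\certificates.txt"

# Trusts with all properties, so that claim rules are captured for manual recreation.
Get-ADFSClaimsProviderTrust | Format-List * | Out-File "$BackupRoot\claimsprovidertrusts.txt"
Get-ADFSRelyingPartyTrust   | Format-List * | Out-File "$BackupRoot\relyingpartytrusts.txt"
Get-ADFSAttributeStore      | Format-List * | Out-File "$BackupRoot\attributestores.txt"

# Step 4: application configuration file and the policy store connection string in it.
$configPath = Join-Path $env:ProgramFiles "Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config"
Copy-Item $configPath (Join-Path $BackupRoot "Microsoft.IdentityServer.Servicehost.exe.config")
$configText = [System.IO.File]::ReadAllText($configPath)
if ($configText -match 'policystore\s+connectionstring="([^"]+)"') {
    # -match is case-insensitive, so this finds the policyStore connectionString attribute.
    $Matches[1] | Out-File "$BackupRoot\policystore-connectionstring.txt"
} else {
    Write-Warning "policystore connectionstring not found in $configPath"
}

# Step 5: identity of the AD FS 2.0 Windows Service account, the same value the
# Services console shows in the Log On As column (NETWORK SERVICE for a stand-alone server).
$adfsService = Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'"
$adfsService.StartName | Out-File "$BackupRoot\serviceaccount.txt"

# Webpage customizations, so the default pages can be overwritten after the upgrade.
Copy-Item "$env:SystemDrive\inetpub\adfs\ls" (Join-Path $BackupRoot "ls") -Recurse -Force
```

The script records the service account name only; the password is not stored anywhere on the server and has to be recorded separately, as step 5 says.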
Prepare to migrate an AD FS 2.0 WID farm
11/2/2020 • 2 minutes to read
To prepare to migrate AD FS 2.0 federation servers that belong to a Windows Internal Database (WID) farm to
Windows Server 2012, you must export and back up the AD FS configuration data from these servers.
To export the AD FS configuration data, perform the following tasks:
Step 1: Export service settings
Step 2: Back up custom attribute stores
Step 3: Back up webpage customizations
NOTE
Optionally, you can also export the SSL certificate and its private key to a .pfx file. For more information, see Export the
Private Key Portion of a Server Authentication Certificate.
This step is optional because this certificate is stored in the local computer Personal certificates store and will be preserved
in the operating system upgrade.
2. Export any token-signing, token-encryption, or service-communications certificates and keys that are not
internally generated, in addition to self-signed certificates.
You can view all the certificates that are in use on your server by using Windows PowerShell. Open Windows
PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session:
PSH:> add-pssnapin "Microsoft.adfs.powershell". Then run the following command to view all certificates that are
in use on your server: PSH:> Get-ADFSCertificate. The output of this command includes StoreLocation and
StoreName values that specify the store location of each certificate. You can then use the guidance in Export the
Private Key Portion of a Server Authentication Certificate to export each certificate and its private key to a .pfx
file.
NOTE
This step is optional, because all external certificates are preserved during the operating system upgrade.
3. Record the identity of the AD FS 2.0 federation service account and the password of this account.
To find the identity value, examine the Log On As column of AD FS 2.0 Windows Service in the Services
console and manually record the value.
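Step 2 of this list, and the identical step 2 in "Prepare to migrate a SQL Server farm" below, as an added example that is not part of the article. It runs on the AD FS 2.0 server, uses the Get-ADFSCertificate output the step refers to (the StoreLocation, StoreName and Thumbprint values), flags the certificates that are not self-signed, and exports those with the certutil -exportPFX verb instead of the manual export the linked guidance describes. The output folder is an assumed location and you supply the .pfx password:

```powershell
# Added example, not from the original article. Inventories the certificates
# AD FS 2.0 uses and exports the externally issued ones (not self-signed) to .pfx.
Add-PSSnapin "Microsoft.adfs.powershell" -ErrorAction SilentlyContinue

function Get-AdfsCertificateInventory {
    Get-ADFSCertificate | ForEach-Object {
        $x509 = $_.Certificate
        New-Object PSObject -Property @{
            CertificateType = $_.CertificateType
            StoreLocation   = $_.StoreLocation
            StoreName       = $_.StoreName
            Thumbprint      = $_.Thumbprint
            Subject         = $x509.Subject
            NotAfter        = $x509.NotAfter
            # AD FS generates its own self-signed token certificates; the upgrade
            # preserves them, so only the others need exporting.
            SelfSigned      = ($x509.Subject -eq $x509.Issuer)
        }
    }
}

function Export-AdfsExternalCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$OutputFolder,
        [Parameter(Mandatory=$true)][string]$PfxPassword
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    Get-AdfsCertificateInventory | Where-Object { -not $_.SelfSigned } |
        Sort-Object Thumbprint -Unique | ForEach-Object {
            $pfx = Join-Path $OutputFolder ("{0}.pfx" -f $_.Thumbprint)
            $certutilArgs = @()
            if ($_.StoreLocation -eq "CurrentUser") { $certutilArgs += "-user" }
            # certutil -exportPFX <store name> <thumbprint> <file>; -p sets the .pfx password.
            $certutilArgs += "-p", $PfxPassword, "-exportPFX", $_.StoreName, $_.Thumbprint, $pfx
            & certutil.exe @certutilArgs | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Export of $($_.Thumbprint) failed (exit code $LASTEXITCODE)" }
            $pfx
        }
}

Get-AdfsCertificateInventory | Format-Table CertificateType, Subject, Thumbprint, NotAfter, SelfSigned -AutoSize
# Export-AdfsExternalCertificate -OutputFolder "C:\AdfsMigrationBackup\certs" -PfxPassword (Read-Host "PFX password")
```

The export only succeeds for certificates whose private key was marked exportable when it was installed; a certificate that fails here is one you must be able to obtain again from its issuing CA or HSM before upgrading.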
Step 2: Back up custom attribute stores
You can find information about custom attribute stores in use by AD FS by using Windows PowerShell. Open
Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell
session: PSH:> add-pssnapin "Microsoft.adfs.powershell". Then run the following command to find information
about the custom attribute stores: PSH:> Get-ADFSAttributeStore. The steps to upgrade or migrate custom
attribute stores vary.
Prepare to migrate a SQL Server farm
11/2/2020 • 3 minutes to read
To prepare to migrate AD FS 2.0 federation servers that belong to a SQL Server farm to Windows Server 2012,
you must export and back up the AD FS configuration data from these servers.
To export the AD FS configuration data, perform the following tasks:
Step 1: Export service settings
Step 2: Back up custom attribute stores
Step 3: Back up webpage customizations
NOTE
Optionally, you can also export the SSL certificate and its private key to a .pfx file. For more information, see Export the
Private Key Portion of a Server Authentication Certificate.
This step is optional because this certificate is stored in the local computer Personal certificates store and will be preserved
in the operating system upgrade.
2. Export any other token-signing, token-encryption, or service-communications certificates and keys that are
not internally generated by AD FS.
You can view all certificates that are in use by AD FS on your server by using Windows PowerShell. Open
Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell
session: PSH:> add-pssnapin "Microsoft.adfs.powershell". Then run the following command to view all
certificates that are in use on your server: PSH:> Get-ADFSCertificate. The output of this command includes
StoreLocation and StoreName values that specify the store location of each certificate.
NOTE
Optionally, you can then use the guidance in Export the Private Key Portion of a Server Authentication Certificate to
export each certificate and its private key to a .pfx file. This step is optional, because all external certificates are preserved
during the operating system upgrade.
3. Back up the application configuration file. Among other settings, this file contains the policy database
connection string.
To back up the application configuration file, you must manually copy the
%programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config file
to a secure location on a backup server.
NOTE
Record the SQL Server connection string after policystore connectionstring= in the following file:
%programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config
You need this string when you restore the original AD FS configuration on the federation server.
4. Record the identity of the AD FS 2.0 federation service account and the password of this account.
To find the identity value, examine the Log On As column of AD FS 2.0 Windows Service in the Services
console and manually record the value.
Prepare to Migrate the AD FS 2.0 Federation Server Proxy
11/2/2020 • 2 minutes to read
To prepare to migrate an AD FS 2.0 federation server proxy to Windows Server 2012, you must export and back
up the AD FS configuration data from this server proxy. The steps in this topic apply to a scenario with one proxy
federation server or multiple proxy federation servers.
To export the AD FS configuration data, perform the following tasks:
Step 1: Export proxy service settings
Step 2: Back up webpage customizations
NOTE
This step is optional because this certificate is preserved during the operating system upgrade.
2. Export AD FS 2.0 federation proxy properties to a file. You can do that by using Windows PowerShell.
Open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows
PowerShell session: PSH:> add-pssnapin "Microsoft.adfs.powershell". Then run the following command to export
federation proxy properties to a file: PSH:> Get-ADFSProxyProperties | Out-File ".\proxyproperties.txt"
3. Ensure you know the credentials of an account that is either an administrator of the AD FS federation
server or the service account under which the AD FS federation service runs. This information is required
for the proxy trust setup.
Completing this step results in gathering the following information that is required to configure your AD
FS federation server proxy:
AD FS federation service name
Name of the domain account that is required for the proxy trust setup
The address and the port of the HTTP proxy (if there is an HTTP proxy between the AD FS federation
server proxy and the AD FS federation servers)
This document is the starting point for migrating your AD FS 2.0 Federation Server to Windows Server 2012.
Choose the one that best fits your migration scenario:
Migrate a stand-alone AD FS federation server or a single-node AD FS farm
Migrate a WID farm
Migrate a SQL Server farm
Migrate a stand-alone AD FS federation server or a single-node AD FS farm
11/2/2020 • 6 minutes to read
This document provides detailed information on migrating an AD FS 2.0 stand-alone server to Windows Server
2012.
IMPORTANT
As the result of the operating system upgrade, the AD FS configuration on this server is lost and the AD FS 2.0 server
role is removed. The Windows Server 2012 AD FS server role is installed instead, but it is not configured. You must
manually create the original AD FS configuration and restore the remaining AD FS settings to complete the federation
server migration.
3. Create the original AD FS configuration. You can create the original AD FS configuration by using either of
the following methods:
Use the AD FS Federation Server Configuration Wizard to create a new federation server. For more
information, see Create the First Federation Server in a Federation Server Farm.
As you go through the wizard, use the information you gathered while preparing to migrate your AD FS
federation server as follows:
SSL Certificate on the Specify the Federation Service Name page: Select the SSL certificate whose subject name
and thumbprint you recorded while preparing for the AD FS federation server migration.
Service account and Password on the Specify a Service Account page: Enter the service account information that
you recorded while preparing for the AD FS federation server migration. Note: If you select stand-alone
federation server on the second page of the wizard, NETWORK SERVICE is used automatically as the service
account.
IMPORTANT
You can employ this method only if you are using Windows Internal Database (WID) to store the AD FS configuration
database for your stand-alone federation server or a single-node AD FS farm.
If you are using SQL Server to store the AD FS configuration database for your single-node AD FS farm, you must use
Windows PowerShell to create the original AD FS configuration on your federation server.
IMPORTANT
You must use Windows PowerShell if you are using SQL Server to store the AD FS configuration database for your stand-
alone federation server or a single-node AD FS farm.
The following is an example of how to use Windows PowerShell to create the original AD FS configuration on a
federation server in a single-node SQL Server farm. Open the Windows PowerShell module and run the
following command: $fscredential = Get-Credential. Enter the name and the password of the service account
that you recorded while preparing your SQL Server farm for migration. Then run the following command:
C:\PS> Add-AdfsFarmNode -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=<Data Source>;Integrated Security=True"
where <Data Source> is the data source value in the policy store connection string in the following file:
%programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config
4. Restore the remaining AD FS service settings and trust relationships. This is a manual step during which you
can use the files that you exported and the values that you collected while preparing for the AD FS migration.
For detailed instructions, see Restoring the Remaining AD FS Farm Configuration.
NOTE
This step is only required if you are migrating a stand-alone federation server or a single node WID farm. If the federation
server uses a SQL Server database as the configuration store, the service settings and trust relationships are preserved in
the database.
5. Update your AD FS webpages. This is a manual step. If you backed up your customized AD FS webpages
while preparing for the migration, use your backup data to overwrite the default AD FS webpages that
were created by default in the %systemdrive%\inetpub\adfs\ls directory as a result of the AD FS
configuration on Windows Server 2012.
6. Restore any remaining AD FS customizations, such as custom attribute stores.
In the AD FS Management console, select Certificates. Verify the service communications, token-decrypting,
and token-signing certificates by checking each against the values you exported into the certificates.txt file
while preparing for the migration.
To change the token-decrypting or token-signing certificates from the default self-signed certificates to external
certificates, you must first disable the automatic certificate rollover feature, which is enabled by default. To do
this, you can use the following Windows PowerShell command:
PSH:> Set-ADFSProperties -AutoCertificateRollover $false
In the AD FS Management console, select Endpoints . Check the enabled AD FS endpoints against the list
of enabled AD FS endpoints that you exported to a file while preparing for the AD FS migration.
In the AD FS Management console, select Claim Descriptions . Check the list of AD FS claim descriptions
against the list of claim descriptions that you exported to a file while preparing for the AD FS migration.
Add any custom claim descriptions included in your file but not included in the default list in AD FS. Note
that Claim identifier in the management console maps to the ClaimType in the file. For more information
on adding claim descriptions, see Add a Claim Description. For more information, see the “Step 1 - Export
Service Settings” section in Prepare to Migrate the AD FS 2.0 Federation Server.
In the AD FS Management console, select Claims Provider Trusts . You must recreate each Claims
Provider trust manually using the Add Claims Provider Trust Wizard . Use the list of claims provider
trusts that you exported and recorded while preparing for the AD FS migration. You can disregard the
claims provider trust with Identifier “AD AUTHORITY” in the file because this is the “Active Directory”
claims provider trust that is part of the default AD FS configuration. However, check for any custom claim
rules you may have added to the Active Directory trust prior to the migration. For more information on
creating claims provider trusts, see Create a Claims Provider Trust Using Federation Metadata or Create a
Claims Provider Trust Manually.
In the AD FS Management console, select Relying Party Trusts. You must recreate each Relying Party
trust manually using the Add Relying Party Trust Wizard. Use the list of relying party trusts that you
exported and recorded while preparing for the AD FS migration. For more information on creating
relying party trusts, see Create a Relying Party Trust Using Federation Metadata or Create a Relying Party
Trust Manually.
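The endpoint and claim description checks above done mechanically, as an added example that is not part of the article. It runs on the upgraded Windows Server 2012 server with the Get-AdfsEndpoint, Get-AdfsClaimDescription and Add-AdfsClaimDescription cmdlets, and it assumes the pre-migration export was written with Export-Csv into the folder below (the article's own steps write Out-File text, which is awkward to compare); the Claim identifier the console shows is matched on the ClaimType column, as the text says:

```powershell
# Added example, not from the original article. Compares enabled endpoints and
# claim descriptions on the upgraded server with the lists exported before the
# migration, and recreates the custom claim descriptions that are missing.
$BackupRoot = "C:\AdfsMigrationBackup"   # assumed path of the pre-migration export

function Compare-AdfsEnabledEndpoints {
    param([Parameter(Mandatory=$true)][string]$ExportCsv)
    # Export-Csv stores the Enabled flag as the text True/False.
    $before = @(Import-Csv $ExportCsv | Where-Object { $_.Enabled -eq 'True' } | ForEach-Object { $_.AddressPath })
    $after  = @(Get-AdfsEndpoint | Where-Object { $_.Enabled } | ForEach-Object { $_.AddressPath })

    foreach ($path in $before) {
        if ($after -notcontains $path) {
            New-Object PSObject -Property @{ AddressPath = $path; Difference = 'enabled before upgrade, disabled now' }
        }
    }
    foreach ($path in $after) {
        if ($before -notcontains $path) {
            New-Object PSObject -Property @{ AddressPath = $path; Difference = 'enabled now, was disabled before upgrade' }
        }
    }
}

function Get-AdfsMissingClaimDescription {
    param([Parameter(Mandatory=$true)][string]$ExportCsv)
    # The console's Claim identifier is the ClaimType value in the exported file.
    $current = @(Get-AdfsClaimDescription | ForEach-Object { $_.ClaimType })
    Import-Csv $ExportCsv | Where-Object { $current -notcontains $_.ClaimType }
}

function Restore-AdfsMissingClaimDescription {
    param([Parameter(Mandatory=$true)][string]$ExportCsv)
    Get-AdfsMissingClaimDescription -ExportCsv $ExportCsv | ForEach-Object {
        Add-AdfsClaimDescription -Name $_.Name -ClaimType $_.ClaimType `
            -IsAccepted ([System.Convert]::ToBoolean($_.IsAccepted)) `
            -IsOffered  ([System.Convert]::ToBoolean($_.IsOffered)) `
            -IsRequired ([System.Convert]::ToBoolean($_.IsRequired))
    }
}

Compare-AdfsEnabledEndpoints    -ExportCsv "$BackupRoot\endpoints.csv"         | Format-Table AddressPath, Difference -AutoSize
Get-AdfsMissingClaimDescription -ExportCsv "$BackupRoot\claimdescriptions.csv" | Format-Table Name, ClaimType -AutoSize
# Restore-AdfsMissingClaimDescription -ExportCsv "$BackupRoot\claimdescriptions.csv"
```

Review the "enabled now, was disabled before upgrade" rows before going live: an endpoint that was deliberately disabled on the old farm (for example, a passive sign-in or metadata exchange endpoint) is re-enabled by the default configuration and widens the service's exposure until it is disabled again.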
Migrate an AD FS 2.0 WID farm
11/2/2020 • 4 minutes to read
This document provides detailed information on migrating an AD FS 2.0 Windows Internal Database (WID) farm
to Windows Server 2012.
IMPORTANT
As the result of the operating system upgrade, the AD FS configuration on this server is lost and the AD FS 2.0 server
role is removed. The Windows Server 2012 AD FS server role is installed instead, but it is not configured. You must create
the original AD FS configuration and restore the remaining AD FS settings to complete the federation server migration.
NOTE
When you reach the Specify the Primary Federation Server and a Service Account page in the AD FS
Federation Server Configuration Wizard, enter the name of the primary federation server of the WID farm and be
sure to enter the service account information that you recorded while preparing for the AD FS migration. For more
information, see Prepare to Migrate the AD FS 2.0 Federation Server.
When you reach the Specify the Federation Service Name page, be sure to select the same SSL certificate you
recorded in the "Prepare to migrate a WID farm" section of Prepare to Migrate the AD FS 2.0 Federation Server.
5. Update your AD FS webpages on this server. If you backed up your customized AD FS webpages while
preparing for the migration, you need to use your backup data to overwrite the default AD FS webpages
that were created by default in the %systemdrive%\inetpub\adfs\ls directory as a result of the AD FS
configuration on Windows Server 2012.
6. Add the server that you just upgraded to Windows Server 2012 to the load balancer.
7. Repeat steps 1 through 6 for the remaining secondary servers in your WID farm.
8. Promote one of the upgraded secondary servers to be the primary server in your WID farm. To do this,
open Windows PowerShell and run the following command:
PSH:> Set-AdfsSyncProperties -Role PrimaryComputer
9. Remove the original primary server of your WID farm from the load balancer.
10. Demote the original primary server in your WID farm to be a secondary server by using Windows
PowerShell. Open Windows PowerShell and run the following command to add the AD FS cmdlets to
your Windows PowerShell session: PSH:> add-pssnapin "Microsoft.adfs.powershell". Then run the
following command to demote the original primary server to be a secondary server:
PSH:> Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN of the Primary Federation Server>
11. Upgrade the operating system on this last node (server) in your WID farm from Windows Server 2008
R2 or Windows Server 2008 to Windows Server 2012. For more information, see Installing Windows
Server 2012.
IMPORTANT
As the result of upgrading the operating system, the AD FS configuration on this server is lost and the AD FS 2.0 server
role is removed. The Windows Server 2012 AD FS server role is installed instead, but it is not configured. You must
manually create the original AD FS configuration and restore the remaining AD FS settings to complete the federation
server migration.
12. Create the original AD FS configuration on this last node (server) in your WID farm.
You can create the original AD FS configuration by using the AD FS Federation Server Configuration
Wizard to add a federation server to a WID farm. For more information, see Add a Federation Server to a
Federation Server Farm.
NOTE
When you reach the Specify the Primary Federation Server and a Service Account page in the AD FS
Federation Server Configuration Wizard, enter the service account information that you recorded while preparing
for the AD FS migration. For more information, see Prepare to Migrate the AD FS 2.0 Federation Server.
When you reach the Specify the Federation Service Name page, be sure to select the same SSL certificate you
recorded in Prepare to Migrate the AD FS 2.0 Federation Server.
13. Update your AD FS webpages on this last server in your WID farm. If you backed up your customized AD
FS webpages while preparing for the migration, use your backup data to overwrite the default AD FS
webpages that were created by default in the %systemdrive%\inetpub\adfs\ls directory as a result of
the AD FS configuration on Windows Server 2012.
14. Add this last server of your WID farm that you just upgraded to Windows Server 2012 to the load
balancer.
15. Restore any remaining AD FS customizations, such as custom attribute stores.
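Steps 8 and 10 wrapped so that each role change is confirmed before the next one, as an added example that is not part of the article. It relies on the Role and PrimaryComputerName properties reported by Get-AdfsSyncProperties on Windows Server 2012; the FQDN is an assumed value:

```powershell
# Added example, not from the original article. Promotes an upgraded secondary
# to primary and demotes the original primary, checking the sync role after each.
function Get-AdfsNodeRole {
    $sync = Get-AdfsSyncProperties
    New-Object PSObject -Property @{
        Computer            = $env:COMPUTERNAME
        Role                = $sync.Role
        PrimaryComputerName = $sync.PrimaryComputerName
    }
}

function Set-AdfsNodePrimary {
    # Step 8: run on the upgraded secondary that is to become the new primary.
    Set-AdfsSyncProperties -Role PrimaryComputer
    $role = Get-AdfsNodeRole
    if ("$($role.Role)" -ne 'PrimaryComputer') {
        throw "$($role.Computer) still reports role $($role.Role)"
    }
    $role
}

function Set-AdfsNodeSecondary {
    param([Parameter(Mandatory=$true)][string]$PrimaryComputerName)
    # Step 10: run on the original primary once the new primary is in place, so
    # that it pulls configuration from the new primary instead of serving its own.
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $PrimaryComputerName
    $role = Get-AdfsNodeRole
    if ("$($role.Role)" -ne 'SecondaryComputer' -or $role.PrimaryComputerName -ne $PrimaryComputerName) {
        throw "$($role.Computer) reports role $($role.Role) with primary $($role.PrimaryComputerName)"
    }
    $role
}

# On the new primary (upgraded secondary):
#   Set-AdfsNodePrimary
# On the original primary, after the promotion above:
#   Set-AdfsNodeSecondary -PrimaryComputerName "adfs02.contoso.com"   # assumed FQDN
Get-AdfsNodeRole
```

Only one node may report PrimaryComputer at a time; if step 8 is run on a second node before the original primary is demoted, the farm has two nodes that each accept configuration writes and the secondaries sync from whichever they are pointed at.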
Migrate an AD FS 2.0 SQL farm
11/2/2020 • 2 minutes to read
This document provides detailed information on migrating an AD FS 2.0 SQL farm to Windows Server 2012.
IMPORTANT
As the result of the operating system upgrade, the AD FS configuration on this server is lost and the AD FS 2.0 server
role is removed. The Windows Server 2012 AD FS server role is installed instead, but it is not configured. You must
manually create the original AD FS configuration and restore the remaining AD FS settings to complete the federation
server migration.
4. Create the original AD FS configuration on this server in your SQL Server farm by using AD FS Windows
PowerShell cmdlets to add a server to an existing farm.
IMPORTANT
You must use Windows PowerShell to create the original AD FS configuration if you are using SQL Server to store your AD
FS configuration database.
Open Windows PowerShell and run the following command: $fscredential = Get-Credential
Enter the name and the password of the service account that you recorded while preparing your SQL Server
farm for migration.
Run the following command:
Add-AdfsFarmNode -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=<Data Source>;Integrated Security=True"
where <Data Source> is the data source value in the policy store connection string in the following file:
%programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config
5. Add the server that you just upgraded to Windows Server 2012 to the load balancer.
6. Repeat steps 2 through 6 for the remaining nodes in your SQL Server farm.
7. When all of the servers in your SQL Server farm are upgraded to Windows Server 2012, restore any
remaining AD FS customizations, such as custom attribute stores.
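Step 4 here, and the same Add-AdfsFarmNode step for a single-node SQL Server farm in "Migrate a stand-alone AD FS federation server or a single-node AD FS farm" above, as an added example that is not part of the article. It reads the Data Source value out of the Microsoft.IdentityServer.Servicehost.exe.config file backed up during preparation instead of retyping it, refuses a WID connection string (those nodes are rebuilt with the wizard), and then runs the cmdlet exactly as shown; the backup path is an assumed location:

```powershell
# Added example, not from the original article. Derives the SQL connection
# string for Add-AdfsFarmNode from the backed-up AD FS 2.0 configuration file.
function Get-PolicyStoreDataSource {
    param([Parameter(Mandatory=$true)][string]$ConfigPath)
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    # The connection string is the connectionString attribute of the policyStore
    # element; local-name() keeps the lookup independent of XML namespaces.
    $node = $config.SelectSingleNode("//*[local-name()='policyStore']")
    if (-not $node) { throw "No policyStore element in $ConfigPath" }
    $connectionString = $node.GetAttribute("connectionString")
    foreach ($part in $connectionString.Split(';')) {
        if ($part -match '^\s*Data Source\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw "No Data Source value in connection string: $connectionString"
}

function Restore-AdfsSqlFarmNode {
    param([Parameter(Mandatory=$true)][string]$ConfigPath)
    $dataSource = Get-PolicyStoreDataSource -ConfigPath $ConfigPath
    # A WID connection string points at the \\.\pipe\mssql$microsoft##ssee pipe
    # (see the WID example in the preparation topic); those nodes are rebuilt
    # with the AD FS Federation Server Configuration Wizard, not this cmdlet.
    if ($dataSource -like '\\.\pipe\mssql$microsoft##ssee*') {
        throw "Policy store is Windows Internal Database; use the AD FS Federation Server Configuration Wizard instead."
    }
    $sqlConnectionString = "Data Source=$dataSource;Integrated Security=True"
    # Name and password of the service account recorded while preparing the SQL Server farm.
    $fscredential = Get-Credential -Message "AD FS service account"
    Add-AdfsFarmNode -ServiceAccountCredential $fscredential -SQLConnectionString $sqlConnectionString
}

Restore-AdfsSqlFarmNode -ConfigPath "C:\AdfsMigrationBackup\Microsoft.IdentityServer.Servicehost.exe.config"  # assumed path
```

Integrated Security=True means the node authenticates to SQL Server as the AD FS service account, so that account must already have access to the existing AdfsConfiguration database; a wrong or mistyped account here fails at this step rather than silently creating an empty configuration.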
Migrate the AD FS 2.0 federation server proxy
11/2/2020 • 2 minutes to read
This document provides detailed information on migrating an AD FS 2.0 federation proxy server to Windows
Server 2012.
IMPORTANT
As the result of the operating system upgrade, the AD FS proxy configuration on this server is lost and the AD FS 2.0
server role is removed. The Windows Server 2012 AD FS server role is installed instead, but it is not configured. You must
manually create the original AD FS proxy configuration and restore the remaining AD FS proxy settings to complete the
federation server proxy migration.
4. Create the original AD FS proxy configuration by using the AD FS Federation Server Proxy
Configuration Wizard. For more information, see Configure a Computer for the Federation Server Proxy
Role. As you execute the wizard, use the information you gathered in Prepare to Migrate the AD FS 2.0
Federation Server Proxy as follows:
Federation Service Name: Enter the BaseHostName value from the proxyproperties.txt file.
Use an HTTP proxy server when sending requests to this Federation Service check box: Check this box if your
proxyproperties.txt file contains a value for the ForwardProxyUrl property.
HTTP proxy server address: Enter the ForwardProxyUrl value from the proxyproperties.txt file.
5. Update your AD FS webpages on this server. If you backed up your customized AD FS proxy webpages
while preparing your federation server proxy for the migration, use your backup data to overwrite the
default AD FS webpages that were created by default in the %systemdrive%\inetpub\adfs\ls
directory as a result of the AD FS proxy configuration in Windows Server 2012.
6. Add this server back to the load balancer.
7. If you have other AD FS 2.0 federation server proxies to migrate, repeat steps 2 through 6 for the
remaining federation server proxy computers.
Migrate the AD FS web agent
11/2/2020 • 2 minutes to read
To migrate the AD FS 1.1 Windows token-based agent or the AD FS 1.1 claims-aware agent that is installed with
Windows Server 2008 R2 or Windows Server 2008 to Windows Server 2012, perform an in-place upgrade of
the operating system of the computer that hosts either agent to Windows Server 2012. For more information,
see Installing Windows Server 2012. No further configuration is required.
IMPORTANT
The migrated AD FS 1.1 Windows token-based agent functions only with an AD FS 1.1 federation service that is installed
with Windows Server 2008 R2 or Windows Server 2008. For more information, see Interoperating with AD FS 1.x.
The migrated AD FS 1.1 claims-aware web agent functions with the following:
AD FS 1.1 federation service installed with Windows Server 2008 R2 or Windows Server 2008
AD FS 2.0 federation service installed on Windows Server 2008 R2 or Windows Server 2008
AD FS federation service installed with Windows Server 2012
For more information, see Interoperating with AD FS 1.x.
AD FS OpenID Connect/OAuth Concepts
11/2/2020 • 8 minutes to read
End User: This is the security principal (users, applications, services, and groups) who needs to access the
resource.
Client: This is your web application, identified by its client ID. The client is usually the party that the end user
interacts with, and it requests tokens from the authorization server.
Authorization Server / Identity Provider (IdP): This is your AD FS server. It is responsible for verifying the
identity of security principals that exist in an organization's directory. It issues security tokens (bearer access
token, ID token, refresh token) upon successful authentication of those security principals.
Resource Server / Resource Provider / Relying Party: This is where the resource or data resides. It trusts the
Authorization Server to securely authenticate and authorize the Client and uses Bearer access tokens to ensure
that access to a resource can be granted.
The following diagram provides the most basic relationship between the actors:
Application Types
Native application
Description: Sometimes called a public client, this is a client app that runs on a PC or device and with which
the user interacts.
Role: Requests tokens from the authorization server (AD FS) for user access to resources. Sends HTTP requests
to protected resources, passing the tokens as HTTP headers.
Server application (Web app)
Description: A web application that runs on a server and is generally reached by users through a browser.
Because it can keep its own client "secret" or credential, it is sometimes called a confidential client.
Role: Requests tokens from the authorization server (AD FS) for user access to resources. Before requesting a
token, the client (web app) must authenticate using its secret.
Web API
Description: The end resource the user is accessing. Think of these as the new representation of "relying
parties".
Role: Consumes bearer access tokens obtained by the clients.
Application Group
Every OAuth client (native or web app) or resource (web api) configured with AD FS needs to be associated with
an application group. The clients in an application group can be configured to access the resources in the same
group. An application group can contain multiple clients and resources.
Security Tokens
Modern authentication uses the following token types:
id_token: A JWT issued by the authorization server (AD FS) and consumed by the client. The claims in the ID
token carry information about the user for the client to use.
access_token: A JWT issued by the authorization server (AD FS) and intended to be consumed by the
resource. The 'aud' (audience) claim of this token must match the identifier of the resource or Web API; a
resource must reject a token whose audience is some other resource.
refresh_token: A token issued by AD FS for the client to use when it needs to refresh the id_token and
access_token. The token is opaque to the client and can only be consumed by AD FS.
Scopes
While registering a resource in AD FS, scopes can be configured to allow AD FS to perform specific actions. In
addition to configuring the scope, the scope value must also be sent in the request for AD FS to perform
the action. For example, the administrator must configure the openid scope during resource registration, and
the application (client) must send scope=openid in the authorization request, for AD FS to issue an ID token.
The scopes available in AD FS are:
aza - If using the OAuth 2.0 Protocol Extensions for Broker Clients and the scope parameter contains the scope
"aza", the server issues a new primary refresh token and sets it in the refresh_token field of the response, as
well as setting the refresh_token_expires_in field to the lifetime of the new primary refresh token if one is
enforced.
openid - Allows the application to request use of the OpenID Connect authorization protocol.
logon_cert - The logon_cert scope allows an application to request logon certificates, which can be used to
interactively log on authenticated users. The AD FS server omits the access_token parameter from the
response and instead provides a base64-encoded CMS certificate chain or a CMC full PKI response.
user_impersonation - The user_impersonation scope is necessary to successfully request an on-behalf-of
access token from AD FS. For details on how to use this scope, refer to Build a multi-tiered application using
On-Behalf-Of (OBO) using OAuth with AD FS 2016.
allatclaims - The allatclaims scope allows the application to request that the claims in the access token also
be added to the ID token.
vpn_cert - The vpn_cert scope allows an application to request VPN certificates, which can be used to
establish VPN connections using EAP-TLS authentication. This scope is no longer supported.
email - Allows the application to request the email claim for the signed-in user.
profile - Allows the application to request profile-related claims for the signed-in user.
Claims
Security tokens (access and ID tokens) issued by AD FS contain claims: assertions of information about the
subject that has been authenticated. Applications can use claims for various tasks, including:
Validate the token
Identify the subject's directory tenant
Display user information
Determine the subject's authorization
The claims present in any given security token depend on the type of token, the type of credential used to
authenticate the user, and the application configuration.
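To make the validation rules above concrete, here is an added example (not code from the original article or from Microsoft) of the checks a resource server performs on a bearer token before it trusts any claim: an allow-listed signing algorithm, the signature, and then audience, issuer and lifetime. The sample responses later on this page carry an id_token whose header decodes to alg:none, so the rejection of unsigned tokens is exercised explicitly. The issuer value https://adfs.contoso.com/adfs, the HS256 demo key and the sample claims are assumptions chosen so the file runs offline; AD FS signs with RS256, and a production validator keeps RS256 in the allow-list and resolves the signing certificate from the AD FS discovery keys endpoint.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenValidationError(Exception):
    """Raised when a token fails any check; the caller treats the request as unauthenticated."""


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_bearer_token(token, *, audience, issuer, verify_signature,
                          allowed_algs=("RS256",), now=None, leeway=60):
    """Return the claims of `token` once every check has passed.

    Order matters: the header algorithm is compared with an allow-list and the
    signature is verified before any claim is trusted; only then are aud, iss,
    exp and nbf compared with what this resource expects.
    verify_signature(signing_input, signature, header) is supplied by the caller,
    so key lookup (for AD FS: by the kid/x5t header, from the discovery keys
    endpoint) stays outside this function.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(payload, dict):
            raise ValueError("JWT segments must be JSON objects")
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise TokenValidationError(f"malformed token: {exc}") from None

    alg = header.get("alg")
    if alg not in allowed_algs:  # rejects "none" and any algorithm this resource did not opt into
        raise TokenValidationError(f"algorithm {alg!r} not allowed")
    if not verify_signature(f"{header_b64}.{payload_b64}".encode("ascii"), signature, header):
        raise TokenValidationError("signature check failed")

    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError("token was issued for a different resource")
    if payload.get("iss") != issuer:
        raise TokenValidationError("token was issued by a different issuer")
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or now > payload["exp"] + leeway:
        raise TokenValidationError("token expired")
    if now < payload.get("nbf", 0) - leeway:
        raise TokenValidationError("token not yet valid")
    return payload


# ---- constructed offline demo ------------------------------------------------
# AD FS signs with RS256. To keep this file runnable with the standard library
# alone, the demo mints and verifies with HS256 over a constructed key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_ISSUER = "https://adfs.contoso.com/adfs"  # assumed issuer value for the page's farm
DEMO_RESOURCE = "https://webapi.com/"          # resource identifier used in the page's examples


def mint_token(claims: dict, alg: str = "HS256") -> str:
    """Produce a demo JWT; alg="none" yields the unsigned kind a validator must refuse."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(DEMO_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def hs256_verify(signing_input: bytes, signature: bytes, header: dict) -> bool:
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def check(token: str, now: float) -> str:
    """Classify a token the way resource-server middleware would: 'ok' or the rejection reason."""
    try:
        validate_bearer_token(token, audience=DEMO_RESOURCE, issuer=DEMO_ISSUER,
                              verify_signature=hs256_verify, allowed_algs=("HS256",), now=now)
        return "ok"
    except TokenValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = {"aud": DEMO_RESOURCE, "iss": DEMO_ISSUER, "iat": t0, "nbf": t0, "exp": t0 + 3600,
            "upn": "user@contoso.com"}
    print(check(mint_token(good), t0 + 60))                                         # valid token
    print(check(mint_token({**good, "aud": "https://secondwebapi.com/"}), t0 + 60))  # wrong resource
    print(check(mint_token(good, alg="none"), t0 + 60))                             # unsigned token
    print(check(mint_token(good), t0 + 3600 + 120))                                 # expired token
```

The audience check is what stops a token minted for https://secondwebapi.com/ from being replayed against https://webapi.com/, and the algorithm allow-list is what stops a forged alg:none token from ever reaching the claim checks.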
Types of libraries
Two types of libraries are used with AD FS:
Client libraries: Native clients and server apps use client libraries to acquire access tokens for calling a
resource such as a Web API. Microsoft Authentication Library (MSAL) is the latest and recommended
client library when using AD FS 2019. Active Directory Authentication Library (ADAL) is recommended
for AD FS 2016.
Server middleware libraries: Web apps use server middleware libraries for user sign-in. Web APIs use
server middleware libraries to validate tokens that are sent by native clients or by other servers. OWIN
(Open Web Interface for .NET) is the recommended middleware library.
Option 2: Use this option when the web app has a resource that it is trying to access and needs to pass additional
claims through the ID token. Both public and confidential clients can be used. This option requires:
1. response_mode set to form_post
2. KB4019472 installed on your AD FS servers
3. The allatclaims scope assigned to the client-RP pair. You can assign the scope with the
Grant-AdfsApplicationPermission PowerShell cmdlet (use Set-AdfsApplicationPermission if a permission has
already been granted once).
To better understand how to configure a Web App in AD FS to acquire a customized ID token, see Customize
claims to be emitted in id_token when using OpenID Connect or OAuth with AD FS 2016 or later.
Single log-out
Single log-out ends all client sessions that share the session ID. AD FS 2016 and later supports single
log-out for OpenID Connect/OAuth. For more details, see Single log-out for OpenID Connect with AD FS.
AD FS Endpoints
Scenario Walkthrough
Scenario: Web App that signs in users. Samples: Sample using OWIN. OAuth 2.0 flow/grant: Authorization Code.
Client type: Public, Confidential.
Scenario: Native App calls Web API. Samples: Sample using MSAL; Sample using ADAL. OAuth 2.0 flow/grant:
Authorization Code. Client type: Public.
Scenario: Web App calls Web API. Samples: Sample using MSAL; Sample using ADAL. OAuth 2.0 flow/grant:
Authorization Code. Client type: Confidential.
Scenario: Web API calls another web API on behalf of (OBO) the user. Samples: Sample using MSAL; Sample using
ADAL. OAuth 2.0 flow/grant: On-behalf-of. Client type: Web app acts as Confidential.
Scenario: Web App calls Web API using user creds. OAuth 2.0 flow/grant: Resource owner password credentials.
Client type: Public, Confidential.
https://adfs.contoso.com/adfs/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=id_token+token
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&scope=openid
&response_mode=fragment
&state=12345
At this point, the user will be asked to enter their credentials and complete the authentication. Once the user
authenticates, the AD FS authorize endpoint returns a response to your app at the indicated redirect_uri, using
the method specified in the response_mode parameter.
Successful response
A successful response using response_mode=fragment and response_type=id_token+token looks like the following:
GET https://localhost/myapp/#
access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZEstZnl0aEV...
&token_type=Bearer
&expires_in=3599
&scope=openid
&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZstZnl0aEV1Q...
&state=12345
Refresh tokens
The implicit grant does not provide refresh tokens. Both id_tokens and access_tokens expire after a short
period of time, so your app must be prepared to refresh them periodically. To refresh either type of
token, repeat the authorize request above from a hidden iframe, adding the prompt=none parameter so that AD FS
answers without showing any UI. If you want to receive a new id_token, be sure to use response_type=id_token.
https://adfs.contoso.com/adfs/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&resource=https://webapi.com/
&scope=openid
&state=12345
At this point, the user will be asked to enter their credentials and complete the authentication. Once the user
authenticates, AD FS returns a response to your app at the indicated redirect_uri, using the method
specified in the response_mode parameter.
Successful response
A successful response using response_mode=query looks like the following (the browser is redirected to the
redirect_uri given in the request, with the code and the echoed state in the query string):
GET http://localhost/myapp/?
code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
&state=12345
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for confidential clients (web apps)
client_secret (required for web apps): The application secret that you created during app registration in AD FS.
Do not use the application secret in a native app, because client secrets cannot be stored reliably on devices.
It is required for web apps and web APIs, which are able to store the client_secret securely on the server
side. The client secret must be URL-encoded before being sent. These apps can also use key-based
authentication by signing a JWT and sending it as the client_assertion parameter.
Successful response
A successful token response will look like:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"token_type": "Bearer",
"expires_in": 3599,
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"refresh_token_expires_in": 28800,
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD..."
}
PA RA M ET ER DESC RIP T IO N
access_token The requested access token. The app can use this token to
authenticate to the secured resource (Web API).
token_type Indicates the token type value. The only type that AD FS
supports is Bearer.
refresh_token An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens
after the current access token expires. Refresh tokens are long-lived and can be used to retain access to
resources for extended periods of time, so they must be stored as carefully as a credential.
id_token A JSON Web Token (JWT). The app can decode the segments
of this token to request information about the user who
signed in. The app can cache the values and display them,
but it should not rely on them for any authorization or
security boundaries.
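The request, redirect and token exchange just described, played end to end as an added example (not code from the original article or from Microsoft). It generates an unguessable state value, refuses a redirect whose state does not match, builds the token request with the parameters in the order shown above and the secret percent-encoded, and will not attach a secret on behalf of a public client. The token endpoint path /adfs/oauth2/token and the redirect string the demo feeds back in place of a real sign-in are assumptions; nothing is sent over the network.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://adfs.contoso.com/adfs/oauth2/authorize"  # from the page's examples
TOKEN_ENDPOINT = "https://adfs.contoso.com/adfs/oauth2/token"          # assumed token endpoint path


class OAuthError(Exception):
    pass


def make_state() -> str:
    """Unguessable per-request value the client keeps (e.g. in its session) until the redirect returns."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, resource, state, *,
                        scope="openid", response_mode="query", prompt=None):
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": response_mode, "resource": resource, "scope": scope, "state": state}
    if prompt:
        params["prompt"] = prompt  # prompt=none: silent renewal from a hidden iframe
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_redirect(location, expected_state, *, response_mode="query"):
    """Parameters AD FS sent back to redirect_uri, accepted only if state matches this client's request.

    A mismatch means the response was not triggered by a request this session made
    (login CSRF, or a code injected by a third party), so it is refused outright.
    """
    url = urlsplit(location)
    raw = url.fragment if response_mode == "fragment" else url.query
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if not expected_state or params.get("state") != expected_state:
        raise OAuthError("state mismatch: response does not belong to a request this client made")
    if "error" in params:
        raise OAuthError(f"authorization failed: {params['error']} {params.get('error_description', '')}".strip())
    return params


def build_token_request(client_id, *, code=None, redirect_uri=None, refresh_token=None,
                        client_secret=None, confidential=False):
    """Form body for POST TOKEN_ENDPOINT, for the authorization_code or refresh_token grant.

    urlencode percent-encodes every value, which covers the requirement that
    client_secret be URL-encoded; a public (native) client never gets a secret.
    """
    if confidential and not client_secret:
        raise OAuthError("confidential client must present client_secret (or client_assertion)")
    if not confidential and client_secret:
        raise OAuthError("refusing to send a client_secret from a public client")
    if (code is None) == (refresh_token is None):
        raise OAuthError("supply exactly one of code or refresh_token")
    if code is not None and not redirect_uri:
        raise OAuthError("redirect_uri must repeat the value sent to the authorize endpoint")
    body = {"client_id": client_id}
    if code is not None:
        body.update(code=code, redirect_uri=redirect_uri, grant_type="authorization_code")
    else:
        body.update(refresh_token=refresh_token, grant_type="refresh_token")
    if client_secret:
        body["client_secret"] = client_secret
    return urlencode(body)


def run_demo():
    """Walk the exchange from the page, with a constructed redirect standing in for AD FS."""
    client_id = "6731de76-14a6-49ae-97bc-6eba6914391e"
    redirect_uri = "http://localhost/myapp/"
    state = make_state()
    authorize_url = build_authorize_url(client_id, redirect_uri, "https://webapi.com/", state)
    # Constructed: what the browser would deliver after the user signs in at authorize_url.
    redirect = f"{redirect_uri}?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq&state={state}"
    code = parse_redirect(redirect, state)["code"]
    token_body = build_token_request(client_id, code=code, redirect_uri=redirect_uri,
                                     client_secret="JqQX2PNo9bpM0uEihUPzyrh", confidential=True)
    return {"authorize_url": authorize_url, "code": code, "token_body": token_body}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The same parse_redirect handles the implicit flow's fragment response (response_mode="fragment"), and build_token_request with refresh_token= produces the refresh request shown further down; the state check is identical in every case.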
GET /v1.0/me/messages
Host: webapi.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for confidential clients (web apps)
client_secret (required for web apps): The application secret that you created when registering the app in
AD FS. Do not use it in a native app, because client secrets cannot be stored reliably on devices. It is
required for web apps and web APIs, which are able to store the client_secret securely on the server side.
These apps can also use key-based authentication by signing a JWT and sending it as the client_assertion
parameter.
Successful response
A successful token response will look like:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"token_type": "Bearer",
"expires_in": 3599,
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"refresh_token_expires_in": 28800,
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD..."
}
PA RA M ET ER DESC RIP T IO N
access_token The requested access token. The app can use this token to
authenticate to the secured resource, such as a web API.
token_type Indicates the token type value. The only type that AD FS
supports is Bearer
refresh_token An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens
after the current access token expires. Refresh tokens are long-lived and can be used to retain access to
resources for extended periods of time, so they must be stored as carefully as a credential.
id_token A JSON Web Token (JWT). The app can decode the segments
of this token to request information about the user who
signed in. The app can cache the values and display them,
but it should not rely on them for any authorization or
security boundaries.
On-Behalf-Of flow
The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API,
which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and
permissions through the request chain. For the middle-tier service to make authenticated requests to the
downstream service, it needs to secure an access token from the AD FS, on behalf of the user.
Protocol diagram
Assume that the user has been authenticated on an application using the OAuth 2.0 authorization code grant
flow described above. At this point, the application has an access token for API A (token A) with the user's
claims and consent to access the middle-tier web API (API A). Make sure the client requests the
user_impersonation scope in the token. Now, API A needs to make an authenticated request to the downstream
web API (API B).
The steps that follow constitute the OBO flow and are explained with the help of the following diagram.
1. The client application makes a request to API A with token A. Note: while configuring the OBO flow in AD FS,
make sure the scope user_impersonation is selected, and that the client requests the user_impersonation
scope in its request.
2. API A authenticates to the AD FS token issuance endpoint and requests a token to access API B. Note: while
configuring this flow in AD FS, make sure API A is also registered as a server application whose client ID has
the same value as the resource ID of API A.
3. The AD FS token issuance endpoint validates API A's credentials together with token A and issues the access
token for API B (token B).
4. Token B is set in the authorization header of the request to API B.
5. Data from the secured resource is returned by API B.
Service-to-service access token request
To request an access token, make an HTTP POST to the AD FS token endpoint with the following parameters.
First case: Access token request with a shared secret
When using a shared secret, a service-to-service access token request contains the parameters shown in the
following example.
Example
The following HTTP POST requests an access token and refresh token
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id=https://webapi.com/
&client_secret=BYyVnAt56JpLwUcyo47XODd
&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIm…
&resource=https://secondwebapi.com/
&requested_token_use=on_behalf_of
&scope=openid
Second case: Access token request with a certificate
A service-to-service access token request with a certificate contains the parameters shown in the following
example. Notice that they are almost the same as in the shared-secret request, except that the client_secret
parameter is replaced by two parameters: client_assertion_type and client_assertion.
Example
The following HTTP POST requests an access token for the Web API with a certificate.
// line breaks for legibility only
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&client_id=https://webapi.com/
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNS…
&resource=https://secondwebapi.com/
&requested_token_use=on_behalf_of
&scope=openid
PA RA M ET ER DESC RIP T IO N
token_type Indicates the token type value. The only type that AD FS supports is Bearer.
expires_in The length of time, in seconds, that the access token is valid.
access_token The requested access token. The calling service can use this
token to authenticate to the receiving service.
id_token A JSON Web Token (JWT). The app can decode the segments
of this token to request information about the user who
signed in. The app can cache the values and display them,
but it should not rely on them for any authorization or
security boundaries.
refresh_token The refresh token for the requested access token. The calling
service can use this token to request another access token
after the current access token expires.
refresh_token_expires_in The length of time, in seconds, that the refresh token is valid.
{
"token_type": "Bearer",
"scope": "openid",
"expires_in": 3269,
"access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCbmZpRy1t",
"id_token": "aWRfdG9rZW49ZXlKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKU1V6STFOa",
"refresh_token": "OAQABAAAAAABnfiG…",
"refresh_token_expires_in": 28800
}
Use the access token to access the secured resource
Now the middle-tier service can use the token acquired above to make authenticated requests to the downstream
web API, by setting the token in the Authorization header.
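An added example (not the article's or Microsoft's code) of what API A, the middle tier, does with the inbound token before asking AD FS for token B: it refuses the exchange unless token A's aud is API A's own identifier and the user_impersonation scope is present, then assembles the on-behalf-of request for either the shared-secret or the certificate case with the parameters in the order shown above. The 'scp' claim name, the constructed unsigned token A and the secret value are assumptions; signature, issuer and expiry validation of token A is assumed to have already happened in API A's bearer-token middleware.

```python
import base64
import json
from urllib.parse import urlencode

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_BEARER_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def jwt_payload(token: str) -> dict:
    """Decode the payload segment only; the token's signature, issuer and expiry are assumed
    to have been verified by API A's bearer-token middleware before this code runs."""
    payload_b64 = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))


def build_obo_request(token_a, *, api_a_id, downstream_resource,
                      client_secret=None, client_assertion=None, scope="openid"):
    """Form body API A posts to the AD FS token endpoint to obtain token B for downstream_resource.

    Two preconditions from the flow description are enforced before any exchange is
    attempted: token A must be addressed to API A (aud equals the client ID API A was
    registered with, which is the same value as its resource identifier), and it must
    carry the user_impersonation scope the client was required to request.
    """
    claims = jwt_payload(token_a)
    aud = claims.get("aud")
    if api_a_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token A is not addressed to this API; refusing to exchange it")
    # Assumption: AD FS lists the granted scopes space-separated in the 'scp' claim.
    if "user_impersonation" not in claims.get("scp", "").split():
        raise ValueError("token A lacks user_impersonation; the client must request that scope")
    if (client_secret is None) == (client_assertion is None):
        raise ValueError("authenticate API A with exactly one of client_secret or client_assertion")

    body = {"grant_type": JWT_BEARER_GRANT, "client_id": api_a_id}
    if client_secret is not None:
        body["client_secret"] = client_secret
    else:  # certificate case: client_secret is replaced by two parameters
        body["client_assertion_type"] = JWT_BEARER_ASSERTION
        body["client_assertion"] = client_assertion
    body.update(assertion=token_a, resource=downstream_resource,
                requested_token_use="on_behalf_of", scope=scope)
    return urlencode(body)


def downstream_headers(token_b: str) -> dict:
    """Token B travels to API B exactly as the client's token travelled to API A."""
    return {"Authorization": f"Bearer {token_b}"}


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned stand-in for token A; a real one is RS256-signed by AD FS."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    return enc(b'{"typ":"JWT","alg":"RS256"}') + "." + enc(json.dumps(claims).encode()) + ".sig"


def run_demo() -> str:
    token_a = make_demo_token({"aud": "https://webapi.com/", "iss": "https://adfs.contoso.com/adfs",
                               "upn": "user@contoso.com", "scp": "openid user_impersonation"})
    return build_obo_request(token_a, api_a_id="https://webapi.com/",
                             downstream_resource="https://secondwebapi.com/",
                             client_secret="BYyVnAt56JpLwUcyo47XODd")


if __name__ == "__main__":
    print(run_demo())
```

The audience check is the one that matters most here: without it, any token the middle tier happens to receive, including one minted for a different API, could be laundered into a token for API B.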
Example
Request a token
To get a token by using the client credentials grant, send a POST request to the /token AD FS endpoint:
First case: Access token request with a shared secret
POST /adfs/oauth2/token HTTP/1.1
Host: adfs.contoso.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
Second case: Access token request with a certificate
POST /adfs/oauth2/token HTTP/1.1
Host: adfs.contoso.com
Content-Type: application/x-www-form-urlencoded

client_id=97e0a5b7-d745-40b6-94fe-5f77d35c6e05
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNScUtqRlBuZDdSRnd2d1pJMCJ9.eyJ{a lot of characters here}M8U3bSUKKJDEg
&grant_type=client_credentials
Use a token
Now that you've acquired a token, use the token to make requests to the resource. When the token expires,
repeat the request to the /token endpoint to acquire a fresh access token.
GET /v1.0/me/messages
Host: webapi.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...
Authorization request
The ROPC flow is a single request: it sends the client identification and the user's credentials to the IdP, and
receives tokens in return. The client must collect the user's email address (UPN) and password before doing so.
Immediately after a successful request, the client should securely release the user's credentials from memory;
it must never save them. Because the client handles the raw password, reserve this grant for legacy clients that
cannot use a browser-based flow.
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope= openid
&username=myusername@contoso.com
&password=SuperS3cret
&grant_type=password
{
"token_type": "Bearer",
"scope": "openid",
"expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn...",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"refresh_token_expires_in": 28800,
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDR..."
}
PA RA M ET ER DESC RIP T IO N
id_token A JSON Web Token (JWT). The app can decode the segments
of this token to request information about the user who
signed in. The app can cache the values and display them,
but it should not rely on them for any authorization or
security boundaries.
You can use the refresh token to acquire new access tokens and refresh tokens using the same flow described in
the auth code grant flow section above.
POST https://adfs.contoso.com/adfs/oauth2/devicecode
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=openid
PA RA M ET ER DESC RIP T IO N
device_code A long string used to verify the session between the client
and the authorization server. The client uses this parameter
to request the access token from the authorization server.
user_code A short string shown to the user that's used to identify the
session on a secondary device.
grant_type=urn:ietf:params:oauth:grant-type:device_code
&client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&device_code=GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8
PA RA M ET ER DESC RIP T IO N
scope If an access token was returned, this lists the scopes the
access token is valid for.
Related content
See AD FS Development for the complete list of walk-through articles, which provide step-by-step instructions
on using the related flows.
Build a Custom Authentication Method for AD FS in
Windows Server
3/5/2021
This walkthrough provides instructions for implementing a custom authentication method for AD FS in
Windows Server 2012 R2. For more information, see Additional Authentication Methods.
WARNING
The example that you can build here is for educational purposes only. These instructions are for the simplest, most
minimal implementation possible to expose the required elements of the model. There is no authentication back end,
error processing, or configuration data.
You should now be set up to resolve all of the types required for the provider.
7. Add a new class to your project (Right click your project, Add...Class...) and give it a name like
MyAdapter , shown below:
8. In the new file MyAdapter.cs, replace the existing code with the following:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Globalization;
using System.IO;
using System.Net;
using System.Xml.Serialization;
using Microsoft.IdentityServer.Web.Authentication.External;
using Claim = System.Security.Claims.Claim;
namespace MFAadapter
{
class MyAdapter : IAuthenticationAdapter
{
public IAuthenticationAdapterMetadata Metadata
{
//get { return new <instance of IAuthenticationAdapterMetadata derived class>; }
}
}
}
9. We are not ready to build yet... there are two more interfaces to go.
Add two more classes to your project: one is for the metadata, and the other for the presentation form.
You can add these within the same file as the class above.
10. Next, you can add the required members for each. First, the metadata (with helpful inline comments):
class MyMetadata : IAuthenticationAdapterMetadata
{
    /// Returns an array of strings containing URIs indicating the set of authentication methods
    /// implemented by the adapter.
    /// AD FS requires that, if authentication is successful, the method actually employed will be
    /// returned by the final call to TryEndAuthentication(). If no authentication method is returned,
    /// or the method returned is not one of the methods listed in this property, the authentication
    /// attempt will fail.
    public virtual string[] AuthenticationMethods
    {
        get { return new[] { "http://example.com/myauthenticationmethod1",
                             "http://example.com/myauthenticationmethod2" }; }
    }

    /// Returns an array indicating which languages are supported by the provider. AD FS uses this
    /// information to determine the best language\locale to display to the user.
    public int[] AvailableLcids
    {
        get
        {
            return new[] { new CultureInfo("en-us").LCID, new CultureInfo("fr").LCID };
        }
    }

    /// Returns a Dictionary containing the set of localized friendly names of the provider, indexed
    /// by lcid. These friendly names are displayed in the "choice page" offered to the user when
    /// there is more than one secondary authentication provider available.
    public Dictionary<int, string> FriendlyNames
    {
        get
        {
            Dictionary<int, string> _friendlyNames = new Dictionary<int, string>();
            _friendlyNames.Add(new CultureInfo("en-us").LCID, "Friendly name of My Example MFA Adapter for end users (en)");
            _friendlyNames.Add(new CultureInfo("fr").LCID, "Friendly name translated to fr locale");
            return _friendlyNames;
        }
    }

    /// Returns a Dictionary containing the set of localized descriptions (hover over help) of the
    /// provider, indexed by lcid. These descriptions are displayed in the "choice page" offered to
    /// the user when there is more than one secondary authentication provider available.
    public Dictionary<int, string> Descriptions
    {
        get
        {
            Dictionary<int, string> _descriptions = new Dictionary<int, string>();
            _descriptions.Add(new CultureInfo("en-us").LCID, "Description of My Example MFA Adapter for end users (en)");
            _descriptions.Add(new CultureInfo("fr").LCID, "Description translated to fr locale");
            return _descriptions;
        }
    }

    /// Returns an array indicating the type of claim that the adapter uses to identify the user
    /// being authenticated. Note that although the property is an array, only the first element
    /// is currently used.
    /// MUST BE ONE OF THE FOLLOWING
    /// "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
    /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    /// "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
    public string[] IdentityClaims
    {
        get { return new[] { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" }; }
    }

    // All external providers must return a value of "true" for this property.
    public bool RequiresIdentity
    {
        get { return true; }
    }
}
Now you should be able to F12 (right click – Go To Definition) on IAuthenticationAdapter to see the set of
required interface members.
Next, you can do a simple implementation of these.
11. Replace the entire contents of your class with the following:
class MyPresentationForm : IAdapterPresentationForm
{
    /// Returns the HTML form fragment that contains the adapter user interface. This data will be
    /// included in the web page that is presented to the client.
    public string GetFormHtml(int lcid)
    {
        string htmlTemplate = Resources.FormPageHtml; //todo we will implement this
        return htmlTemplate;
    }

    /// Return any external resources, ie references to libraries etc., that should be included in
    /// the HEAD section of the presentation form html.
    public string GetFormPreRenderHtml(int lcid)
    {
        return null;
    }

    // returns the title string for the web page which presents the HTML form content to the end user
    public string GetPageTitle(int lcid)
    {
        return "MFA Adapter";
    }
}
14. Note the 'todo' for the Resources.FormPageHtml element above. You can fix it in a minute, but first
let's add the final required return statements, based on the newly implemented types, to your initial
MyAdapter class. To do this, add the following to your existing IAuthenticationAdapter implementation:
class MyAdapter : IAuthenticationAdapter
{
public IAuthenticationAdapterMetadata Metadata
{
//get { return new <instance of IAuthenticationAdapterMetadata derived class>; }
get { return new MyMetadata(); }
}
15. Now for the resource file containing the html fragment. Create a new text file in your project folder with
the following contents:
<div id="loginArea">
<form method="post" id="loginForm" >
<!-- These inputs are required by the presentation framework. Do not modify or remove -->
<input id="authMethod" type="hidden" name="AuthMethod" value="%AuthMethod%" />
<input id="context" type="hidden" name="Context" value="%Context%" />
<!-- End inputs are required by the presentation framework. -->
<p id="pageIntroductionText">This content is provided by the MFA sample adapter. Challenge inputs should be presented below.</p>
<label for="challengeQuestionInput" class="block">Question text</label>
<input id="challengeQuestionInput" name="ChallengeQuestionAnswer" type="text" value="" class="text" placeholder="Answer placeholder" />
<div id="submissionArea" class="submitMargin">
<input id="submitButton" type="submit" name="Submit" value="Submit" onclick="return AuthPage.submitAnswer()"/>
</div>
</form>
<div id="intro" class="groupMargin">
<p id="supportEmail">Support information</p>
</div>
<script type="text/javascript" language="JavaScript">
//<![CDATA[
function AuthPage() { }
AuthPage.submitAnswer = function () { return true; };
//]]>
</script>
</div>
16. Then, select Project->Add Component... Resources file and name the file Resources, and click Add:
17. Then, within the Resources.resx file, choose Add Resource...Add existing file. Navigate to the text file (containing the html fragment) that you saved above.
Ensure your GetFormHtml code resolves the name of the new resource correctly by the resources file
(.resx file) name prefix followed by the name of the resource itself:
public string GetFormHtml(int lcid)
{
string htmlTemplate = Resources.MfaFormHtml; //Resxfilename.resourcename
return htmlTemplate;
}
If you have the device registration service enabled in your AD FS environment, also execute the following
PowerShell command: net start drs
To verify the registered provider, use the following PowerShell command: Get-AdfsAuthenticationProvider. This shows your provider as one of the providers in the system.
Create the AD FS authentication policy that invokes your adapter
Create the authentication policy using the AD FS Management snap-in
1. Open the AD FS Management snap-in (from the Server Manager Tools menu).
2. Click Authentication Policies.
3. In the center pane, under Multi-Factor Authentication, click the Edit link to the right of Global Settings.
4. Under Select additional authentication methods at the bottom of the page, check the box for your provider's AdminName. Click Apply.
5. To provide a “trigger” to invoke MFA using your adapter, under Locations check both Extranet and Intranet, for example. Click OK. (To configure triggers per relying party, see “Create the authentication policy using Windows PowerShell” below.)
6. Check the results using the following commands:
First use Get-AdfsGlobalAuthenticationPolicy. You should see your provider Name as one of the AdditionalAuthenticationProvider values.
Then use Get-AdfsAdditionalAuthenticationRule. You should see the rules for Extranet and Intranet configured as a result of your policy selection in the administrator UI.
Create the authentication policy using Windows PowerShell
1. First, enable the provider in global policy:
NOTE
Note that the value provided for the AdditionalAuthenticationProvider parameter corresponds to the value you
provided for the “Name” parameter in the Register-AdfsAuthenticationProvider cmdlet above and to the “Name”
property from Get-AdfsAuthenticationProvider cmdlet output.
Example 2: to create MFA rules to require MFA for external requests to a specific relying party. (Note that
individual providers cannot be connected to individual relying parties in AD FS in Windows Server 2012
R2).
Let's update it so it doesn't always return MyPresentationForm(). For this you can create one simple utility
method within your class:
if ((string)proofData.Properties["ChallengeQuestionAnswer"] == "adfabric")
{
return true;
}
else
{
return false;
}
}
Now you have to update the adapter on the test box. You must first undo the AD FS policy, then un-register from
AD FS and restart AD FS, then remove the .dll from the GAC, then add the new .dll to the GAC, then register it in
AD FS, restart AD FS, and re-configure AD FS policy.
Note that the value you pass for “Name” is the same value as “Name” you provided to the Register-AdfsAuthenticationProvider cmdlet. It is also the “Name” property that is output from Get-AdfsAuthenticationProvider.
Note that before you unregister a provider, you must remove the provider from the
AdfsGlobalAuthenticationPolicy (either by clearing the checkboxes you checked in AD FS management snap-in
or by using Windows PowerShell.)
Note that the AD FS service must be restarted after this operation.
Remove assembly from GAC
1. First, use the following command to find the fully qualified strong name of the entry:
C:\>gacutil.exe /l <yourAdapterAssemblyName>
Example:
C:\>gacutil /u "mfaadapter, Version=1.0.0.0, Culture=neutral, PublicKeyToken=e675eb33c62805a0, processorArchitecture=MSIL"
You can now build your own plug-ins to block or assign a risk score to authentication requests during various
stages – request received, pre-authentication and post-authentication. This can be accomplished using the new
Risk Assessment Model introduced with AD FS 2019.
1. Request Received Stage – Enables building plug-ins to allow or block a request when AD FS receives the authentication request, i.e. before the user enters credentials. You can use the request context (for example: client IP, HTTP method, proxy server DNS, etc.) available at this stage to perform the risk assessment. For example, you can build a plug-in to read the IP from the request context and block the authentication request if the IP is in the pre-defined list of risky IPs.
2. Pre-Authentication Stage – Enables building plug-ins to allow or block a request at the point where the user provides the credentials but before AD FS evaluates them. At this stage, in addition to the request context, you also have information on the security context (for example: user token, user identifier, etc.) and the protocol context (for example: authentication protocol, clientID, resourceID, etc.) to use in your risk assessment logic. For example, you can build a plug-in to prevent password spray attacks by reading the user password from the user token and blocking the authentication request if the password is in the pre-defined list of risky passwords.
3. Post-Authentication Stage – Enables building plug-ins to assess risk after the user has provided credentials and AD FS has performed authentication. At this stage, in addition to the request context, security context, and protocol context, you also have information on the authentication result (Success or Failure). The plug-in can evaluate the risk score based on the available information and pass the risk score to claim and policy rules for further evaluation.
To better understand how to build a risk assessment plug-in and run it in line with AD FS process, let's build a
sample plug-in that blocks the requests coming from certain extranet IPs identified as risky, register the plug-in
with AD FS and finally test the functionality.
NOTE
Alternatively, you can build Risky User Plug-in, a sample plug-in that leverages user risk level determined by Azure AD
Identity Protection to block authentication or enforce multi-factor authentication (MFA). Steps to build Risky User Plug-in
are available here.
Pre-requisites
Following is the list of pre-requisites required to build this sample plug-in:
AD FS 2019 installed and configured
.NET Framework 4.7 and above
Visual Studio
Build plug-in dll
The following procedure will walk you through building a sample plug-in dll:
1. Download the sample plug-in, use Git Bash and type the following:
2. Create a .csv file at any location on your AD FS server (in my case, I created the authconfigdb.csv file at
C:\extensions ) and add the IPs you want to block to this file.
The sample plug-in will block any authentication requests coming from the Extranet IPs listed in this file.
NOTE
If you have an AD FS Farm, you can create the file on any or all the AD FS servers. Any of the files can be used to
import the risky IPs into AD FS. We will discuss the import process in detail in the Register the plug-in dll with AD
FS section below.
b. On the Reference Manager window, select Browse. In the Select the files to reference… dialogue, select Microsoft.IdentityServer.dll from your AD FS installation folder (in my case C:\Windows\ADFS) and click Add.
NOTE
In my case, I am building the plug-in on the AD FS server itself. If your development environment is on a different
server, copy the Microsoft.IdentityServer.dll from your AD FS installation folder on AD FS server on to your
development box.
c. Click OK on the Reference Manager window after making sure the Microsoft.IdentityServer.dll
check box is selected.
6. All the classes and references are now in place to do a build. However, since the output of this project is a
dll, it will have to be installed into the Global Assembly Cache , or GAC, of the AD FS server and the dll
needs to be signed first. This can be done as follows:
a. Right-click on the name of the project, ThreatDetectionModule. From the menu, click Properties.
b. From the Properties page, click Signing, on the left, and then check the check box marked Sign the assembly. From the Choose a strong name key file: pull down menu, select <New...>.
c. In the Create Strong Name Key dialogue, type a name (you can choose any name) for the key, uncheck the check box Protect my key file with password. Then, click OK.
d. Save the project as shown below:
7. Build the project by clicking Build and then Rebuild Solution as shown below:
Check the Output window at the bottom of the screen, to see if any errors occurred.
The plug-in (dll) is now ready for use and is in the \bin\Debug folder of the project folder (in my case, that's
C:\extensions\ThreatDetectionModule\bin\Debug\ThreatDetectionModule.dll ).
The next step is to register this dll with AD FS, so it runs in line with the AD FS authentication process.
Register the plug-in dll with AD FS
We need to register the dll in AD FS by using the Register-AdfsThreatDetectionModule PowerShell command on
the AD FS server. However, before we register, we need to get the Public Key Token. This public key token was
created when we created the key and signed the dll using that key. To learn what the Public Key Token for the dll
is, you can use the SN.exe as follows:
1. Copy the dll file from the \bin\Debug folder to another location (in my case, copying it to
C:\extensions ).
2. Start the Developer Command Prompt for Visual Studio and go to the directory containing the sn.exe
(in my case, the directory is C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX
4.7.2 Tools ).
3. Run the SN command with the -T parameter and the location of the file (in my case
SN -T "C:\extensions\ThreatDetectionModule.dll" ).
The command will provide you the public key token (For me, the Public Key Token is
714697626ef96b35 )
4. Add the dll to the Global Assembly Cache of the AD FS server. Our best practice would be that you create a proper installer for your project and use the installer to add the file to the GAC. Another solution is to use Gacutil.exe (more information on Gacutil.exe available here) on your development machine. Since I have my Visual Studio on the same server as AD FS, I will be using Gacutil.exe as follows:
a. Open the Developer Command Prompt for Visual Studio and go to the directory containing Gacutil.exe (in my case, the directory is C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools).
b. Run the Gacutil command (in my case Gacutil /IF C:\extensions\ThreatDetectionModule.dll ):
NOTE
If you have an AD FS farm, the above needs to be executed on each AD FS server in the farm.
5. Open Windows PowerShell and run the following command to register the dll:
NOTE
You need to register the dll only once, even if you have an AD FS farm.
NOTE
If any changes are made to the plugin and the project is rebuilt, then the updated dll needs to be registered again. Before
registering, you will need to unregister the current dll using the following command:
4. Initiate authentication request from the server with the same IP you added in authconfig.csv .
For this demonstration, I will be using AD FS Help Claims X-Ray tool to initiate a request. If you would like
to use the X-Ray tool, please follow the instructions
Enter federation server instance and hit Test Authentication button.
Now that we know how to build and register the plug-in, let's walkthrough the plug-in code to understand the
implementation using the new interfaces and classes introduced with the model.
METHOD | TYPE | DEFINITION
In our sample plugin, we are using OnAuthenticationPipelineLoad and OnConfigurationUpdate methods to read
the pre-defined IPs from AD FS DB. OnAuthenticationPipelineLoad is called when plug-in is registered with AD
FS while OnConfigurationUpdate is called when the .csv is imported using the
Import-AdfsThreatDetectionModuleConfiguration cmdlet.
IRequestReceivedThreatDetectionModule Interface
This interface enables you to implement risk assessment at the point where AD FS receives the authentication request, but before the user enters credentials, i.e. at the Request Received stage of the authentication process.
public interface IRequestReceivedThreatDetectionModule
{
Task<ThrottleStatus> EvaluateRequest (
ThreatDetectionLogger logger,
RequestContext requestContext );
}
The interface includes EvaluateRequest method which allows you to use the context of the authentication
request passed in the requestContext input parameter to write your risk assessment logic. The requestContext
parameter is of type RequestContext.
The other input parameter passed is logger which is type ThreatDetectionLogger. The parameter can be used to
write the error, audit and/or debug messages to AD FS logs.
The method returns ThrottleStatus (0 if NotEvaluated, 1 to Block, and 2 to Allow) to AD FS which then either
blocks or allows the request.
In our sample plug-in, EvaluateRequest method implementation parses the clientIpAddress from the
requestContext parameter and compares it with all the IPs loaded from the AD FS DB. If a match is found,
method returns 2 for Block , else it returns 1 for Allow . Based on the returned value, AD FS either blocks or
allows the request.
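The plug-in outlined above (the Request Received stage of the three-stage model, and the IRequestReceivedThreatDetectionModule implementation just described), as an added example that is not the page's sample project: it loads the risky-IP .csv when registered or re-imported and returns Block for a listed client IP. The interface, ThreatDetectionLogger methods, ThrottleStatus values and the UserRiskAnalyzer/OnAuthenticationPipelineLoad/OnConfigurationUpdate names come from this page; the namespace, the VendorName, ModuleIdentifier and OnAuthenticationPipelineUnload members, ThreatDetectionModuleConfiguration.ReadData() and RequestContext.ClientIpAddresses are assumptions about the SDK that should be checked against the class definitions in Microsoft.IdentityServer.dll.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Threading.Tasks;
// Assumption: the namespace of the Threat Detection Framework types in Microsoft.IdentityServer.dll.
using Microsoft.IdentityServer.Public.ThreatDetectionFramework;

// Namespace differs from the project name so that "ThreatDetectionModule" below names the SDK base class.
namespace RiskyIpBlocker
{
    // SDK-independent part: parses the risky-IP .csv and answers "is this client IP listed?".
    public sealed class RiskyIpList
    {
        private readonly HashSet<IPAddress> _blocked = new HashSet<IPAddress>();

        public int Count { get { return _blocked.Count; } }

        // One IP per line, or several per line separated by commas; blank lines and '#' lines are skipped.
        // Returns the entries that are not valid IPs so the caller can log them instead of dropping them.
        public IList<string> Load(TextReader reader)
        {
            var rejected = new List<string>();
            string line;
            while ((line = reader.ReadLine()) != null)
            {
                foreach (string raw in line.Split(','))
                {
                    string entry = raw.Trim();
                    if (entry.Length == 0 || entry.StartsWith("#")) continue;
                    IPAddress ip;
                    if (IPAddress.TryParse(entry, out ip)) _blocked.Add(Normalize(ip));
                    else rejected.Add(entry);
                }
            }
            return rejected;
        }

        public bool IsBlocked(IPAddress ip) { return ip != null && _blocked.Contains(Normalize(ip)); }

        // An IPv4 client can surface as an IPv4-mapped IPv6 address (::ffff:a.b.c.d); compare
        // both forms as plain IPv4 so such a request still matches a listed IPv4 entry.
        private static IPAddress Normalize(IPAddress ip)
        {
            return ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
        }
    }

    // The class AD FS loads: derives from ThreatDetectionModule, implements only the Request Received interface.
    public class UserRiskAnalyzer : ThreatDetectionModule, IRequestReceivedThreatDetectionModule
    {
        private volatile RiskyIpList _list = new RiskyIpList();

        // Assumption: these abstract properties exist on ThreatDetectionModule.
        public override string VendorName { get { return "Contoso (example)"; } }
        public override string ModuleIdentifier { get { return "RiskyIpBlocker"; } }

        // Called when the module is registered with AD FS (Register-AdfsThreatDetectionModule).
        public override void OnAuthenticationPipelineLoad(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData)
        {
            Reload(logger, configData);
        }

        // Assumption: the base class also declares an unload hook; nothing to release here.
        public override void OnAuthenticationPipelineUnload(ThreatDetectionLogger logger) { }

        // Called when a new .csv is imported with Import-AdfsThreatDetectionModuleConfiguration.
        public override void OnConfigurationUpdate(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData)
        {
            Reload(logger, configData);
        }

        private void Reload(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData)
        {
            var fresh = new RiskyIpList();
            // Assumption: ReadData() returns the imported configuration file as a Stream.
            using (var reader = new StreamReader(configData.ReadData()))
            {
                foreach (string bad in fresh.Load(reader))
                    logger.WriteAdminLogErrorMessage("Ignoring invalid risky-IP entry: " + bad);
            }
            _list = fresh; // swap the whole list; evaluations already running keep the old one
            logger.WriteDebugMessage("Loaded " + fresh.Count + " risky IP(s)");
        }

        public Task<ThrottleStatus> EvaluateRequest(ThreatDetectionLogger logger, RequestContext requestContext)
        {
            RiskyIpList current = _list;
            // Assumption: ClientIpAddresses exposes the request's client IP(s) as IPAddress values.
            foreach (IPAddress ip in requestContext.ClientIpAddresses)
            {
                if (current.IsBlocked(ip))
                {
                    logger.WriteAuditMessage("Blocked authentication request from listed IP " + ip);
                    return Task.FromResult(ThrottleStatus.Block);
                }
            }
            return Task.FromResult(ThrottleStatus.Allow);
        }
    }
}
```

RiskyIpList has no AD FS dependency, so the CSV parsing and the IPv4-mapped-IPv6 case can be covered by ordinary unit tests before the dll is placed in the GAC.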
NOTE
The sample plug-in discussed above implements only the IRequestReceivedThreatDetectionModule interface. However, the risk assessment model provides two additional interfaces – IPreAuthenticationThreatDetectionModule (to implement risk assessment logic during the pre-authentication stage) and IPostAuthenticationThreatDetectionModule (to implement risk assessment logic during the post-authentication stage). The details on the two interfaces are provided below.
IPreAuthenticationThreatDetectionModule Interface
This interface enables you to implement risk assessment logic at the point where user provides the credentials
but before AD FS evaluates them i.e. pre-authentication stage.
The interface includes the EvaluatePreAuthentication method, which allows you to use the information passed in the RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, and IList additionalClaims input parameters to write your pre-authentication risk assessment logic.
NOTE
For list of properties passed with each context type, visit RequestContext, SecurityContext, and ProtocolContext class
definitions.
The other input parameter passed is logger which is type ThreatDetectionLogger. The parameter can be used to
write the error, audit and/or debug messages to AD FS logs.
The method returns ThrottleStatus (0 if NotEvaluated, 1 to Block, and 2 to Allow) to AD FS which then either
blocks or allows the request.
IPostAuthenticationThreatDetectionModule Interface
This interface enables you to implement risk assessment logic after user has provided credentials and AD FS has
performed authentication i.e. post-authentication stage.
The interface includes the EvaluatePostAuthentication method, which allows you to use the information passed in the RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, and IList additionalClaims input parameters to write your post-authentication risk assessment logic.
NOTE
For complete list of properties passed with each context type, refer RequestContext, SecurityContext, and ProtocolContext
class definitions.
The other input parameter passed is logger which is type ThreatDetectionLogger. The parameter can be used to
write the error, audit and/or debug messages to AD FS logs.
The method returns the Risk Score which can be used in AD FS policy and claim rules.
NOTE
For the plug-in to work, the main class (in this case UserRiskAnalyzer) needs to derive from the ThreatDetectionModule abstract class and should implement at least one of the three interfaces described above. Once the dll is registered, AD FS checks which of the interfaces are implemented and calls them at the appropriate stage in the pipeline.
FAQs
Why should I build these plug-ins?
A: These plug-ins not only provide you additional capability to secure your environment from attacks such as
password spray attacks, but also give you the flexibility to build your own risk assessment logic based on your
requirements.
Where are the logs captured?
A: You can write error logs to "AD FS/Admin" event log using WriteAdminLogErrorMessage method, audit logs
to "AD FS Auditing" security log using WriteAuditMessage method and debug logs to "AD FS Tracing" debug log
using WriteDebugMessage method.
Can adding these plug-ins increase AD FS authentication process latency?
A: Latency impact will be determined by the time taken to execute the risk assessment logic you implement. We
recommend evaluating the latency impact before deploying the plug-in in production environment.
Why can't AD FS suggest the list of risky IPs, users, etc.?
A: Though not currently available, we are working on building the intelligence to suggest risky IPs, users, etc. in
the Pluggable Risk Assessment Model. We will share the launch dates soon.
What other sample plug-ins are available?
A: The following sample plug-in(s) are available:
Risky User Plug-in: sample plug-in that blocks authentication or enforces MFA based on the user risk level determined by Azure AD Identity Protection.
Single log-out for OpenID Connect with AD FS
3/5/2021 • 3 minutes to read
Overview
Building on the initial Oauth support in AD FS in Windows Server 2012 R2, AD FS 2016 introduced the support
for OpenId Connect sign-on. With KB4038801, AD FS 2016 now supports single log-out for OpenId Connect
scenarios. This article provides an overview of the single log-out for OpenId Connect scenario and provides
guidance on how to use it for your OpenId Connect applications in AD FS.
Discovery doc
OpenID Connect uses a JSON document called a "Discovery document" to provide details about configuration.
This includes URIs of the authentication, token, userinfo, and public-endpoints. The following is an example of
the discovery doc.
{
  "issuer":"https://fs.fabidentity.com/adfs",
  "authorization_endpoint":"https://fs.fabidentity.com/adfs/oauth2/authorize/",
  "token_endpoint":"https://fs.fabidentity.com/adfs/oauth2/token/",
  "jwks_uri":"https://fs.fabidentity.com/adfs/discovery/keys",
  "token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic","private_key_jwt","windows_client_authentication"],
  "response_types_supported":["code","id_token","code id_token","id_token token","code token","code id_token token"],
  "response_modes_supported":["query","fragment","form_post"],
  "grant_types_supported":["authorization_code","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","implicit","password","srv_challenge"],
  "subject_types_supported":["pairwise"],
  "scopes_supported":["allatclaims","email","user_impersonation","logon_cert","aza","profile","vpn_cert","winhello_cert","openid"],
  "id_token_signing_alg_values_supported":["RS256"],
  "token_endpoint_auth_signing_alg_values_supported":["RS256"],
  "access_token_issuer":"http://fs.fabidentity.com/adfs/services/trust",
  "claims_supported":["aud","iss","iat","exp","auth_time","nonce","at_hash","c_hash","sub","upn","unique_name","pwd_url","pwd_exp","sid"],
  "microsoft_multi_refresh_token":true,
  "userinfo_endpoint":"https://fs.fabidentity.com/adfs/userinfo",
  "capabilities":[],
  "end_session_endpoint":"https://fs.fabidentity.com/adfs/oauth2/logout",
  "as_access_token_token_binding_supported":true,
  "as_refresh_token_token_binding_supported":true,
  "resource_access_token_token_binding_supported":true,
  "op_id_token_token_binding_supported":true,
  "rp_id_token_token_binding_supported":true,
  "frontchannel_logout_supported":true,
  "frontchannel_logout_session_supported":true
}
The following additional values will be available in the discovery doc to indicate support for Front Channel
Logout:
frontchannel_logout_supported: value will be 'true'
frontchannel_logout_session_supported: value will be 'true'.
end_session_endpoint: this is the OAuth logout URI that the client can use to initiate logout on the server.
AD FS server configuration
The AD FS property EnableOAuthLogout will be enabled by default. This property tells the AD FS server to
browse for the URL (LogoutURI) with the SID to initiate logout on the client. If you do not have KB4038801
installed you can use the following PowerShell command:
NOTE
EnableOAuthLogout parameter will be marked as obsolete after installing KB4038801. EnableOAUthLogout will always
be true and will have no impact on the logout functionality.
NOTE
frontchannel_logout is supported only after installation of KB4038801.
Client configuration
The client needs to implement a URL that 'logs off' the logged-in user. The administrator can configure the LogoutUri in the client configuration using the following PowerShell cmdlets.
(Add | Set)-AdfsNativeApplication
(Add | Set)-AdfsServerApplication
(Add | Set)-AdfsClient
The LogoutUri is the URL used by AD FS to "log off" the user. For implementing the LogoutUri, the client needs to ensure it clears the authentication state of the user in the application, for example, dropping the authentication tokens that it has. AD FS will browse to that URL, with the SID as the query parameter, signaling the relying party / application to log off the user.
1. OAuth token with session ID : AD FS includes session id in the OAuth token at the time of id_token token
issuance. This will be used later by AD FS to identify the relevant SSO cookies to be cleaned up for the user.
2. User initiates logout on App1 : The user can initiate a logout from any of the logged in applications. In this
example scenario, a user initiates a logout from App1.
3. Application sends logout request to AD FS : After the user initiates logout, the application sends a GET
request to end_session_endpoint of AD FS. The application can optionally include id_token_hint as a
parameter to this request. If id_token_hint is present, AD FS will use it in conjunction with session ID to figure
out which URI the client should be redirected to after logout (post_logout_redirect_uri). The
post_logout_redirect_uri should be a valid uri registered with AD FS using the RedirectUris parameter.
4. AD FS sends sign-out to logged-in clients : AD FS uses the session identifier value to find the relevant
clients the user is logged in to. The identified clients are sent request on the LogoutUri registered with AD FS
to initiate a logout on the client side.
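One way to implement the client-side LogoutUri that step 4 above calls into, as an added example that is not from the page or the KB: an ASP.NET MVC action for an OWIN-based app (the sample apps on this page use app.UseOpenIdConnectAuthentication) that clears its local session only when the session id AD FS sends matches the sid claim of the signed-in user. It assumes AD FS passes the session id in a query parameter named sid (the page says only "with the SID as the query parameter"), that the id_token's sid claim (listed under claims_supported) is kept on the principal, and that the route and host are placeholders.

```csharp
using System;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;

namespace WebApp.Controllers
{
    public class LogoutController : Controller
    {
        // Registered in AD FS as this client's LogoutUri, for example (placeholder names/host):
        //   Set-AdfsClient -TargetName "<client name>" -LogoutUri "https://<app host>/Logout/FrontChannel"
        // Front-channel logout means AD FS loads this URL from the user's browser, so the browser
        // attaches this app's session cookie and HttpContext.User is the session being signed out.
        [HttpGet]
        [AllowAnonymous]
        public ActionResult FrontChannel(string sid) // assumption: the query parameter is named "sid"
        {
            Response.Cache.SetCacheability(HttpCacheability.NoCache);

            var user = HttpContext.User as ClaimsPrincipal;
            if (user == null || !user.Identity.IsAuthenticated)
            {
                // No local session to clear; answer 200 so AD FS's best-effort sign-out completes.
                return new HttpStatusCodeResult(200);
            }

            // Only act on the session AD FS is asking about. A request with a missing or different
            // sid is ignored, so a stray GET to this URL cannot terminate an unrelated session.
            Claim sessionSid = user.FindFirst("sid");
            if (string.IsNullOrEmpty(sid) || sessionSid == null ||
                !string.Equals(sid, sessionSid.Value, StringComparison.Ordinal))
            {
                return new HttpStatusCodeResult(400);
            }

            // Drop the local authentication state (cookie and any tokens cached with it). The app that
            // called end_session_endpoint already started sign-out at AD FS; this side only forgets its own.
            HttpContext.GetOwinContext().Authentication
                .SignOut(CookieAuthenticationDefaults.AuthenticationType);
            return new HttpStatusCodeResult(200);
        }
    }
}
```

Because AD FS only makes a best-effort call to the LogoutUri, the app should still treat the sid check and the local sign-out as its own responsibility, and refresh tokens it holds must be discarded here too (see the last FAQ below).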
FAQs
Q: I do not see the frontchannel_logout_supported and frontchannel_logout_session_supported parameters in
the discovery doc.
A: Ensure that you have KB4038801 installed on all the AD FS servers. Refer to Single log-out in Server 2016
with KB4038801.
Q: I have configured single logout as directed, but user stays logged-in on other clients.
A: Ensure that LogoutUri is set for all the clients where the user is logged in. Also, AD FS makes only a best-effort attempt to send the sign-out request on the registered LogoutUri. The client must implement logic to handle the request and take action to sign out the user from the application.
Q: If after logout, one of the clients goes back to AD FS with a valid refresh token, will AD FS issue an access
token?
A: Yes. It is the responsibility of the client application to drop all authenticated artifacts after a sign-out request
was received at the registered LogoutUri .
Next Steps
AD FS Development
Customize claims to be emitted in id_token when
using OpenID Connect or OAuth with AD FS 2016
or later
3/5/2021 • 4 minutes to read
Overview
The article here shows you how to build an app that uses AD FS for OpenID Connect sign on. However, by
default there are only a fixed set of claims available in the id_token. AD FS 2016 and later releases have the
capability to customize the id_token in OpenID Connect scenarios.
5. On the Configure Web API screen, enter the following for Identifier -
https://contoso.com/WebApp . Click Add . Click Next . This value will be used later for ida:ResourceID
in the applications web.config file.
6. On the Choose Access Control Policy screen, select Permit everyone and click Next.
7. On the Configure Application Permissions screen, make sure openid and allatclaims are selected
and click Next .
8. On the Summary screen, click Next.
12. On Add Transform Claim Rule Wizard screen, select Send Claims Using a Custom Rule from the
drop-down and click Next
13. On the Add Transform Claim Rule Wizard screen, enter ForCustomIDToken in the Claim rule
name and the following claim rule in Custom rule . Click Finish
x:[]
=> issue(claim=x);
NOTE
You can also use PowerShell to assign the allatclaims and openid scopes.
Download and modify the sample application to emit custom claims in id_token
This section discusses how to download the sample Web APP and modify it in Visual Studio. We will be using
the Azure AD sample located here.
To download the sample project, use Git Bash and type the following:
<add key="ida:ClientId" value="[Replace this Client Id from #3 above under section Create and configure an Application Group in AD FS 2016 or later]" />
<add key="ida:ResourceID" value="[Replace this with the Web API Identifier from #5 above]" />
<add key="ida:ADFSDiscoveryDoc" value="https://[Your ADFS hostname]/adfs/.well-known/openid-configuration" />
<!--<add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />-->
<add key="ida:PostLogoutRedirectUri" value="[Replace this with the Redirect URI from #4 above]" />
4. Open the Startup.Auth.cs file and make the following changes:
Tweak the OpenId Connect middleware initialization logic with the following changes:
Further down, modify the OpenId Connect middleware options as in the following:
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        //Authority = authority,
        Resource = resourceId,
        MetadataAddress = metadataAddress,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RedirectUri = postLogoutRedirectUri
    });
using System.Security.Claims;
[Authorize]
public ActionResult About()
{
ClaimsPrincipal cp = ClaimsPrincipal.Current;
string userName = cp.FindFirst(ClaimTypes.WindowsAccountName).Value;
ViewBag.Message = String.Format("Hello {0}!", userName);
return View();
}
Test the custom claims in ID token
Once the above changes have been made, hit F5. This will bring up the sample page. Click on sign in.
You will be redirected to the AD FS sign-in page. Go ahead and sign in.
Once this is successful, you should see that you are now signed in.
Click the About link. You will see "Hello [Username]" which is retrieved from the username claim in ID token
Next Steps
AD FS Development
Build a multi-tiered application using On-Behalf-Of
(OBO) using OAuth with AD FS 2016 or later
3/5/2021 • 14 minutes to read
This walkthrough provides instructions for implementing on-behalf-of (OBO) authentication using AD FS in Windows Server 2016 TP5 or later. To learn more about OBO authentication, please read AD FS OpenID Connect/OAuth flows and Application Scenarios.
WARNING
The example that you can build here is for educational purposes only. These instructions are for the simplest, most minimal implementation possible to expose the required elements of the model. The example may not include all aspects of error handling and other related functionality and focuses ONLY on getting a successful OBO authentication.
Overview
In this sample we will be creating an authentication flow where a client will be accessing a middle-tier Web
Service and the web service will then act on behalf of the authenticated client to get an access token.
Sample Structure
The sample comprises three modules:
ToDoService: middle-tier web API which acts as a client for the backend WebAPI
Click on Next and you will be presented with the page for providing information about Client App. Give an
appropriate name to the client App in AD FS. Copy the client Identifier and save it somewhere you can access
later as this will be required in the application config in visual studio.
Note: The Redirect URI can be any arbitrary URI as it is really not used in case of native clients
Click on Next and you will be presented with the page for providing information about WebAPI. Give a suitable
name for the AD FS entry for the WebAPI and enter the redirect URI as the URI you see in Visual Studio for the
ToDoListService
Click on Next and you will see the Choose Access Control Policy Page. Ensure you see "Permit everyone" in the
Policy section.
Click on Next and you will be presented with the configure Application Permissions page. On this page, select
the permitted scopes as openid (selected by default) and user_impersonation. The scope 'user_impersonation' is
necessary to be successfully able to request an on-behalf-of access token from AD FS.
Click next will display the summary page. Go through the rest of the wizard and finish the configuration.
In order to enable on-behalf-of authentication, we need to ensure that AD FS returns an access token with scope
user_impersonation to the client. Modify the claims issuance for ToDoListServiceWebApi to include the
following three custom rules:
You will be presented with the "Add a new application to MySampleGroup" page. On that page, select "Server
Application or Website" as the standalone application
Click Next and you will be presented with the page to provide application details. Provide a suitable name for
the configuration entry in the Name section. Ensure that the Client Identifier is same as the identifier for the
ToDoListServiceWebAPI
Click on Next and you will be presented with the page to configure the application credentials. Click on
"Generate a shared secret". You will be presented with a secret that is automatically generated. Copy the secret
at some location as this will be required while we configure the ToDoListService in visual studio.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
namespace WebAPIOBO.Controllers
{
[Authorize]
public class WebAPIOBOController : ApiController
{
public IHttpActionResult Get()
{
return Ok($"WebAPI via OBO (user: {User.Identity.Name})");
}
}
}
This code will simply return the string when anyone puts a Get request for the WebAPI WebAPIOBO
Adding the new backend WebAPI to AD FS
Open the MySampleGroup application group. Click on Add application and select Web API template and click on
Next.
On the Configure Web API page provide an appropriate name for the WebAPI entry and the identifier. The
identifier should be the value SSL URL from WebAPIOBO project in visual studio (similar to what we did for
BackendWebAPIAdfsAdd).
Continue through the rest of the wizard same as when we configured the ToDoListService WebAPI. At the end
your application group should look like below:
Key: ida:OBOWebAPIBase
Value: This is the base address that we will use to call the backend API, for e.g. https://localhost:44300
All other ida:XXXXXXX keys in the appsettings node can be commented out or deleted
Change authentication from Azure AD to AD FS
Open the file Startup.Auth.cs
Replace the following code
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new TokenValidationParameters { SaveSigninToken = true }
    });
with
app.UseActiveDirectoryFederationServicesBearerAuthentication(
    new ActiveDirectoryFederationServicesBearerAuthenticationOptions
    {
        // AD FS federation metadata: supplies the signing keys used to verify the token signature.
        MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
        TokenValidationParameters = new TokenValidationParameters()
        {
            SaveSigninToken = true,
            // Only tokens minted for this Web API's identifier are accepted.
            ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
        }
    });
//
// To authenticate to the Graph API, the app needs to know the Graph API's App ID URI.
// To contact the Me endpoint on the Graph API we need the URL as well.
//
private static string graphResourceId = ConfigurationManager.AppSettings["ida:GraphResourceId"];
private static string graphUserUrl = ConfigurationManager.AppSettings["ida:GraphUserUrl"];
private const string TenantIdClaimType = "https://schemas.microsoft.com/identity/claims/tenantid";
with
//
// The Client ID is used by the application to uniquely identify itself to Azure AD.
// The client secret is the credentials for the WebServer Client
// POST api/todolist
// Excerpt from the sample's TodoListController: the declarations of custommessage, augmentedTitle,
// authContext, clientCred, userAssertion, httpClient and response are not shown on this page.
public async Task Post(TodoItem todo)
{
    // Only callers whose token carries the user_impersonation scope may use this API.
    // The claim is looked up first so that a missing claim yields 401 rather than a null-reference error.
    // Note that Contains() is a substring match on the raw (space-separated) scope claim value.
    var scopeClaim = ClaimsPrincipal.Current.FindFirst("https://schemas.microsoft.com/identity/claims/scope");
    if (scopeClaim == null || !scopeClaim.Value.Contains("user_impersonation"))
    {
        throw new HttpResponseException(new HttpResponseMessage
        {
            StatusCode = HttpStatusCode.Unauthorized,
            ReasonPhrase = "The Scope claim does not contain 'user_impersonation' or scope claim not found"
        });
    }

    //
    // Call the WebAPIOBO On Behalf Of the user who called the To Do list web API.
    //
    if (custommessage != null)
    {
        augmentedTitle = String.Format("{0}, Message: {1}", todo.Title, custommessage);
    }
    else
    {
        augmentedTitle = todo.Title;
    }

    //
    // Use ADAL to get a token On Behalf Of the current user. To do this we will need:
    // The Resource ID of the service we want to call.
    // The current user's access token, from the current request's authorization header.
    // The credentials of this application.
    // The username (UPN or email) of the user calling the API
    //
    // In the case of a transient error, retry once after 1 second, then abandon.
    // Retrying is optional. It may be better, for your application, to return an error immediately to
    // the user and have the user initiate the retry.
    bool retry = false;
    int retryCount = 0;
    do
    {
        retry = false;
        try
        {
            result = await authContext.AcquireTokenAsync(OBOWebAPIBase, clientCred, userAssertion);
            accessToken = result.AccessToken;
        }
        catch (AdalException ex)
        {
            if (ex.ErrorCode == "temporarily_unavailable")
            {
                // Transient error, OK to retry.
                retry = true;
                retryCount++;
                Thread.Sleep(1000);
            }
        }
    } while (retry && retryCount <= 1); // <= 1 permits exactly one retry; "< 1" would never retry

    if (accessToken == null)
    {
        // An unexpected error occurred.
        return (null);
    }

    // Once the token has been returned by ADAL, add it to the http authorization header, before making
    // the call to access the To Do list service.
    httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

    if (response.IsSuccessStatusCode)
    {
        // Read the response and databind to the GridView to display To Do items.
        string s = await response.Content.ReadAsStringAsync();
        JavaScriptSerializer serializer = new JavaScriptSerializer();
        custommessage = serializer.Deserialize<string>(s);
        return custommessage;
    }
    else
    {
        custommessage = "Unsuccessful OBO operation : " + response.ReasonPhrase;
    }

    // An unexpected error occurred calling the Graph API. Return a null profile.
    return (null);
}
On successful operation you will see that the item has been added to the list with the additional message from
the backend Web API, which was accessed using the OBO flow.
You can also see the detailed traces in Fiddler. Launch Fiddler and enable HTTPS decryption. You can see that we
make two requests to the /adfs/oauth2/token endpoint. In the first interaction, we present the authorization code to the
token endpoint and get an access token for https://localhost:44321/.
In the second interaction with the token endpoint, you can see that we have requested_token_use set to
on_behalf_of and we are using the access token obtained for the middle-tier web service, i.e.
https://localhost:44321/, as the assertion to obtain the on-behalf-of token.
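The scope check at the top of the Post action above tests whether the scope claim contains the substring "user_impersonation". As an added Python example (not code from the sample), the hardened check below parses the space-separated scope list and matches a whole entry, and answers 401 when the claim is absent; the claim sets are constructed and the lookalike scope name is hypothetical.

```python
"""Scope-claim authorization for a Web API action, mirrored from the C# Post method on this page."""

SCOPE_CLAIM = "https://schemas.microsoft.com/identity/claims/scope"
REQUIRED_SCOPE = "user_impersonation"


def scope_check_substring(claims: dict) -> bool:
    """Mirror of the page's C# check: substring test on the raw claim value.

    Raises KeyError when the claim is missing, i.e. the request fails with an
    unhandled error instead of a clean 401."""
    return REQUIRED_SCOPE in claims[SCOPE_CLAIM]


def scope_check_exact(claims: dict, required: str = REQUIRED_SCOPE) -> bool:
    """Hardened check: split the space-separated scope list and require an exact entry."""
    raw = claims.get(SCOPE_CLAIM)
    if not raw:
        return False
    return required in raw.split()


def authorize_post(claims: dict) -> tuple:
    """Return the (HTTP status, reason) the Post action should answer for these claims."""
    if scope_check_exact(claims):
        return 200, "OK"
    return 401, "The Scope claim does not contain 'user_impersonation' or scope claim not found"


# Constructed sample claim sets (not real tokens).
GOOD = {SCOPE_CLAIM: "openid user_impersonation"}
# Hypothetical scope name that merely contains the required one as a substring.
LOOKALIKE = {SCOPE_CLAIM: "openid user_impersonation_readonly"}
MISSING = {"sub": "alice"}

if __name__ == "__main__":
    for name, claims in (("good", GOOD), ("lookalike", LOOKALIKE), ("missing", MISSING)):
        print(name, "substring:", scope_check_exact(claims) if name == "missing" else scope_check_substring(claims),
              "exact:", authorize_post(claims))
```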
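The two token-endpoint requests described above, as an added Python example that is not part of the sample: the first leg redeems the authorization code for a middle-tier token, the second presents that token as a JWT-bearer assertion with requested_token_use=on_behalf_of, and a small parser classifies a captured request body the way you would when reading the Fiddler trace. The client identifiers, secret and token strings are constructed placeholders.

```python
"""Build and classify the AD FS token-endpoint requests of the on-behalf-of flow."""
from urllib.parse import urlencode, parse_qs

TOKEN_ENDPOINT = "https://fs.contoso.com/adfs/oauth2/token"  # AD FS OAuth 2.0 token endpoint
MIDDLE_TIER = "https://localhost:44321/"   # ToDoListService identifier (from this page)
BACKEND = "https://localhost:44300"        # WebAPIOBO base address (ida:OBOWebAPIBase on this page)
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def auth_code_request(client_id, client_secret, code, redirect_uri, resource=MIDDLE_TIER):
    """Leg 1: the web app redeems its authorization code for an access token for the middle tier."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    })


def obo_request(client_id, client_secret, middle_tier_token, resource=BACKEND):
    """Leg 2: the middle tier presents the token it received as an assertion and asks for a
    token for the backend, still on behalf of the same user."""
    return urlencode({
        "grant_type": JWT_BEARER,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": middle_tier_token,
        "resource": resource,
        "requested_token_use": "on_behalf_of",
    })


def classify_token_request(body: str) -> dict:
    """Parse a captured token request body and report which leg it is and what it targets."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    grant = form.get("grant_type")
    if grant == "authorization_code":
        leg = "auth_code"
    elif grant == JWT_BEARER and form.get("requested_token_use") == "on_behalf_of":
        leg = "on_behalf_of"
    else:
        leg = "other"
    return {"leg": leg, "resource": form.get("resource"), "assertion": form.get("assertion")}


def obo_chains_from(leg2_body: str, issued_token: str) -> bool:
    """True when the assertion of the OBO leg is exactly the token issued in the first leg,
    which is the property to confirm when reviewing a trace of this flow."""
    parsed = classify_token_request(leg2_body)
    return parsed["leg"] == "on_behalf_of" and parsed["assertion"] == issued_token


if __name__ == "__main__":
    leg1 = auth_code_request("webapp-client-id", "constructed-secret", "AUTHCODE", "https://localhost:44320/")
    issued = "eyJ.constructed.middle-tier-token"
    leg2 = obo_request(MIDDLE_TIER, "constructed-secret", issued)
    print("POST", TOKEN_ENDPOINT, classify_token_request(leg1))
    print("POST", TOKEN_ENDPOINT, classify_token_request(leg2), obo_chains_from(leg2, issued))
```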
Next Steps
AD FS Development
Build a web application using OpenID Connect with
AD FS 2016 and later
3/5/2021 • 2 minutes to read
Pre-requisites
The following is a list of pre-requisites that are required prior to completing this document. This document
assumes that AD FS has been installed and an AD FS farm has been created.
GitHub client tools
AD FS in Windows Server 2016 TP4 or later
Visual Studio 2013 or later.
3. Copy the Client Identifier value. It will be used later as the value for ida:ClientId in the application's
web.config file.
4. Enter the following for Redirect URI: https://localhost:44320/. Click Add. Click Next.
5. On the Summary screen, click Next.
Tweak the OpenId Connect middleware initialization logic with the following changes:
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        //Authority = authority,
        // Point the middleware at the AD FS metadata document instead of an Azure AD authority.
        MetadataAddress = metadataAddress,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RedirectUri = postLogoutRedirectUri
        // remaining options are not shown in this excerpt
You will be redirected to the AD FS sign-in page. Go ahead and sign in.
Once this is successful you should see that you are now signed in.
Next Steps
AD FS Development
Build a server-side app that uses OAuth confidential
clients by using AD FS 2016 or later
3/5/2021 • 4 minutes to read
Active Directory Federation Services (AD FS) 2016 and later supports clients that can maintain their own secret,
such as an app or service that runs on a web server. These clients are known as confidential clients.
This article describes a web application running on a web server. The application serves as a confidential client
to AD FS.
Prerequisites
You'll need the following resources:
GitHub client tools.
AD FS in Windows Server 2016 Technical Preview 4 or later. (This article assumes that AD FS has been
installed.)
Visual Studio 2013 or later.
4. For Redirect URI, enter https://localhost:44323. Select Add, and then select Next.
5. On the Configure Application Credentials page:
a. Select Generate a shared secret.
b. Copy the secret. You'll use this secret later in the application's web.config file. It's the value for
ida:ClientSecret.
c. Select Next.
7. On the Apply Access Control Policy page, select Permit everyone. Then select Next.
8. On the Configure Application Permissions page, make sure openid and user_impersonation are
selected. Then select Next.
2. At the top of the window, compile the application by selecting Build > Build Solution. All of the NuGet
packages will be restored.
3. At the top of the window, select View > Server Explorer. In the pane that opens, under Data
Connections, right-click DefaultConnection and then select Modify Connection.
4. In the Modify Connection window, under Database file name (new or existing), select Browse.
Enter path\filename.mdf. Then, in the dialog box, select Yes.
5. In the Modify Connection dialog box, select Advanced.
6. In the Advanced Properties dialog box, under Data Source, change (LocalDb\v11.0) to
(LocalDB)\MSSQLLocalDB.
7. Select OK > OK. Then select Yes to upgrade the database.
8. After the process finishes, on the right, copy the value in the Connection String field.
9. Open the web.config file and replace the connectionString value with the value you copied earlier. Save
the web.config file.
NOTE
The preceding steps are necessary so you can get the new connection string. Otherwise, you'll get errors when
you run Update-Database later in this article.
10. At the top of the Visual Studio window, select View > Other Windows > Package Manager Console.
11. In the Package Manager Console pane, enter Enable-Migrations.
NOTE
If you get an error that says "Enable-Migrations isn't recognized as a cmdlet," enter Install-Package
EntityFramework to update Entity Framework.
Here, replace <your_fsname> with the DNS portion of your federation service URL. For example,
enter adfs.contoso.com.
4. On the new page, you see a message that prompts you to sign in. Select here .
You're prompted to sign in to AD FS.
Next steps
Learn about AD FS development.
Build a single page web application using OAuth
and ADAL.JS with AD FS 2016 or later
3/5/2021 • 5 minutes to read
This walkthrough provides instruction for authenticating against AD FS using ADAL for JavaScript securing an
AngularJS based single page application, implemented with an ASP.NET Web API backend.
In this scenario, when the user signs in, the JavaScript front end uses Active Directory Authentication Library for
JavaScript (ADAL.JS) and the implicit authorization grant to obtain an ID token (id_token) from Azure AD. The
token is cached and the client attaches it to the request as the bearer token when making calls to its Web API
back end, which is secured using the OWIN middleware.
IMPORTANT
The example that you can build here is for educational purposes only. These instructions are for the simplest, most
minimal implementation possible to expose the required elements of the model. The example may not include all aspects
of error handling and other related functionality.
NOTE
This walkthrough is applicable only to AD FS in Windows Server 2016 and later.
Overview
In this sample we will be creating an authentication flow in which a single page application client
authenticates against AD FS to secure access to the WebAPI resources on the backend. Below is the overall
authentication flow.
When using a single page application, the user navigates to a starting location, from which the starting page and a
collection of JavaScript files and HTML views are loaded. You need to configure the Active Directory
Authentication Library (ADAL) with the critical information about your application, i.e. the AD FS instance and
client ID, so that it can direct the authentication to your AD FS.
If ADAL sees a trigger for authentication, it uses the information provided by the application and directs the
authentication to your AD FS STS. The single page application, which is registered as a public client in AD FS, is
automatically configured for the implicit grant flow. The authorization request results in an ID token that is returned
to the application via a #fragment. Further calls to the backend WebAPI will carry this ID token as the
bearer token in the Authorization header to gain access to the WebAPI.
3. On the next page Apply Access Control Policy leave the permissions as Permit everyone
4. The summary page should look similar to below
5. Click on Next to complete the addition of the application group and close the wizard.
adalProvider.init(
    {
        instance: 'https://fs.contoso.com/', // your STS URL
        tenant: 'adfs', // this should be set to adfs
        clientId: '150ab73e-0b05-4b78-9e50-0095a992cca9', // set this to the Client Id generated during application registration in AD FS
        popUp: false,
        //cacheLocation: 'localStorage', // enable this for IE, as sessionStorage does not work for localhost.
    },
    $httpProvider
);
clientID: This is the client ID you specified while configuring the public client for your single page application.
remove:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
    }
);
and add:
app.UseActiveDirectoryFederationServicesBearerAuthentication(
    new ActiveDirectoryFederationServicesBearerAuthenticationOptions
    {
        // Signing keys are fetched from the AD FS federation metadata document.
        MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
        TokenValidationParameters = new TokenValidationParameters()
        {
            // Reject tokens minted for another resource or by another issuer.
            ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
            ValidIssuer = ConfigurationManager.AppSettings["ida:Issuer"]
        }
    }
);
PARAMETER DESCRIPTION
<appSettings>
    <add key="ida:Audience" value="https://localhost:44326/" />
    <add key="ida:AdfsMetadataEndpoint" value="https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml" />
    <add key="ida:Issuer" value="https://fs.contoso.com/adfs" />
</appSettings>
In Fiddler you can see the token being returned as part of the URL in the # fragment.
You will be able to now call the backend API to add ToDo List items for the logged-in user:
Next Steps
AD FS Development
Build a native client application using OAuth public
clients with AD FS 2016 or later
3/5/2021 • 6 minutes to read
Overview
This article shows how to build a native application that interacts with a Web API protected by AD FS 2016 or
later.
1. The .Net TodoListClient WPF application uses the Active Directory Authentication Library (ADAL) to obtain a
JWT access token from Azure Active Directory (Azure AD) through the OAuth 2.0 protocol
2. The access token is used as a bearer token to authenticate the user when calling the /todolist endpoint of the
TodoListService web API. We will be using the application example for Azure AD here and then modify it for
AD FS 2016 or later.
Pre-requisites
The following is a list of pre-requisites that are required prior to completing this document. This document
assumes that AD FS has been installed and an AD FS farm has been created.
GitHub client tools
AD FS in Windows Server 2016 or later
Visual Studio 2013 or later
Creating the sample walkthrough
Create the application group in AD FS
1. In AD FS Management, right-click on Application Groups and select Add Application Group .
2. On the Application Group Wizard, for the name enter any name you prefer, e.g. NativeToDoListAppGroup.
Select the Native application accessing a web API template . Click Next .
3. On the Native application page, note the identifier generated by AD FS. This is the id with which AD FS
will recognize the public client app. Copy the Client Identifier value. It will be used later as the value for
ida:ClientId in the application code. If you wish you can give any custom identifier here. The redirect URI
is any arbitrary value, example, put https://ToDoListClient
4. On the Configure Web API page, set the identifier value for the Web API. For this example, this should
be the value of the SSL URL where the Web App is supposed to be running. You can get this value by
opening the properties of the TodoListService project in the solution. This will later be used as the
todo:TodoListResourceId value in the App.config file of the native client application and also as the
todo:TodoListBaseAddress.
5. Go through the Apply Access Control Policy and Configure Application Permissions with the
default values in place. The summary page should look like below.
Click next and then complete the wizard.
Add the NameIdentifier claim to the list of claims issued
The demo application uses the value in NameIdentifier claim at various places. Unlike Azure AD, AD FS does not
issue a NameIdentifier claim by default. Therefore, we need to add a claim rule to issue the NameIdentifier claim
so that the application can use the correct value. In this example, the given name of the user is issued as the
NameIdentifier value for the user in the token. To configure the claim rule, open the application group just
created, and double click on the Web API. Select the Issuance Transform Rules tab and then click on Add Rule
button. In the type of claim rule, choose Custom claim rule and then add the claim rule as shown below.
Modify ToDoListClient
This project in the solution represents the native client application. We need to make sure that the client
application knows:
1. Where to go to get the user authenticated when required?
2. What is the ID that client needs to provide to the authenticating authority (AD FS)?
3. What is the ID of the resource that we are asking the access token for?
4. What is the base address of the Web API?
The following code changes are needed in order to get the above information to the native client application.
App.config
Add the key ida:Authority with the value depicting the AD FS service. For example,
https://fs.contoso.com/adfs/
Modify ida:ClientId key with the value from Client Identifier in the Native Application page during
the Application Group creation in AD FS. For example, 3f07368b-6efd-4f50-a330-d93853f4c855
Modify the todo:TodoListResourceId with the value from Identifier in the Configure Web API
page during the Application Group creation in AD FS. For example, https://localhost:44321/
Modify the todo:TodoListBaseAddress with the value from Identifier in the Configure Web API
page during the Application Group creation in AD FS. For example, https://localhost:44321/
Set the value of ida:RedirectUri with the value from Redirect URI in the Native application page
during the Application Group creation in AD FS. For example, https://ToDoListClient
For ease of reading you can remove / comment the key for ida:Tenant and ida:AADInstance .
MainWindow.xaml.cs
Comment the line for aadInstance as below
// private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
Delete the line for creating the authority value from aadInstance and tenant
private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
ADAL does not support validating AD FS as an authority, and therefore we have to pass false for the
validateAuthority parameter when constructing the AuthenticationContext.
Modify TodoListService
Two files need changes in this project – Web.config and Startup.Auth.cs. Web.Config changes are required to get
the correct values of the parameters. Startup.Auth.cs changes are required to set the WebAPI to authenticate
against AD FS rather than Azure AD.
Web.config
Comment the key ida:Tenant as we don't need it
Add the key for ida:Authority with value indicating the FQDN of the federation service, example,
https://fs.contoso.com/adfs/
Modify key ida:Audience with the value of the Web API identifier that you specified in the Configure Web
API page during Add Application Group in AD FS.
Add key ida:AdfsMetadataEndpoint with value corresponding to the federation metadata URL of the AD
FS service, for example https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml
Startup.Auth.cs
Modify the ConfigureAuth function as below
public void ConfigureAuth(IAppBuilder app)
{
    app.UseActiveDirectoryFederationServicesBearerAuthentication(
        new ActiveDirectoryFederationServicesBearerAuthenticationOptions
        {
            // AD FS federation metadata: source of the signing keys used to verify the token signature.
            MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
            TokenValidationParameters = new TokenValidationParameters()
            {
                SaveSigninToken = true,
                // Only tokens minted for this Web API's identifier are accepted.
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            }
        });
}
Essentially, we are configuring the authentication to use AD FS, providing the location of the AD FS
metadata, and requiring that, for the token to validate, its audience claim is the value expected by the Web API.
Running the application
1. On the solution NativeClient-DotNet, right click and go to properties. Change the Startup Project as
shown below to Multiple Startup projects and set both TodoListClient and TodoListService to Start.
2. Press the F5 button or select Debug > Continue in the menu bar. This will launch both the native application
and the WebAPI. Click on the Sign-in button on the native application; it will pop up an interactive logon
from ADAL and redirect to your AD FS service. Enter the credentials of a valid user.
In this step, the native application redirected to AD FS and got an ID token and an access token for the Web API.
3. Enter a to do item in the text box and click on Add item. In this step, the application reaches out to the Web
API to add the to do item, and in order to do so, presents the access token obtained from AD FS to the WebAPI.
The Web API matches the audience value to make sure the token is intended for it and verifies the token
signature using the info from the federation metadata.
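The audience and issuer checks the Web API performs on the bearer token, as an added Python example mirroring the ValidAudience/ValidIssuer settings shown above (this is not the OWIN middleware's code). Signature verification against the federation-metadata keys is left to the middleware; the example only decodes a constructed, unsigned token and applies the claim and lifetime checks, so a token minted for the backend API is rejected by the middle tier.

```python
"""Audience, issuer and lifetime checks on a JWT, mirroring TokenValidationParameters."""
import base64
import json
import time


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_test_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg none, empty signature) for illustration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def validate_claims(token: str, valid_audience: str, valid_issuer: str,
                    now: float = None, clock_skew: int = 300) -> tuple:
    """Return (ok, reason). Audience may be a string or a list, as in JWT; exp is mandatory."""
    try:
        _, payload, _ = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token"
    now = time.time() if now is None else now

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if valid_audience not in audiences:
        return False, "audience mismatch"
    if claims.get("iss") != valid_issuer:
        return False, "issuer mismatch"
    if "exp" not in claims or now > claims["exp"] + clock_skew:
        return False, "token expired or has no exp"
    if now + clock_skew < claims.get("nbf", 0):
        return False, "token not yet valid"
    return True, "ok"


# Values from this page: the Web API identifier and the AD FS issuer; the time is fixed for the demo.
WEB_API = "https://localhost:44321/"
ISSUER = "https://fs.contoso.com/adfs"
NOW = 1_700_000_000

if __name__ == "__main__":
    good = make_test_token({"aud": WEB_API, "iss": ISSUER, "exp": NOW + 600, "nbf": NOW - 60})
    other_api = make_test_token({"aud": "https://localhost:44300", "iss": ISSUER, "exp": NOW + 600})
    print(validate_claims(good, WEB_API, ISSUER, now=NOW))
    print(validate_claims(other_api, WEB_API, ISSUER, now=NOW))
```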
Next Steps
AD FS Development
Scenario: Native App calling Web API
3/5/2021 • 3 minutes to read
Learn how to build a native app that signs in users authenticated by AD FS 2019 and acquires tokens using the MSAL
library to call web APIs.
Before reading this article, you should be familiar with the AD FS concepts and the Authorization code grant flow.
Overview
In this flow you add authentication to your Native App (public client), which can therefore sign in users and call
a Web API. To call a Web API from a Native App that signs in users, you can use MSAL's AcquireTokenInteractive
token acquisition method. To enable this interaction, MSAL leverages a web browser.
To better understand how to configure a Native App in AD FS to acquire an access token interactively, let's use a
sample available here and walk through the app registration and code configuration steps.
Pre-requisites
GitHub client tools
AD FS 2019 or later configured and running
Visual Studio 2013 or later
App Registration in AD FS
This section shows how to register the Native App as a public client and Web API as a Relying Party (RP) in AD
FS
1. In AD FS Management, right-click on Application Groups and select Add Application Group.
2. On the Application Group Wizard, for the Name enter NativeAppToWebApi and under Client-Server
applications select the Native application accessing a Web API template. Click Next.
3. Copy the Client Identifier value. It will be used later as the value for ClientId in the application's
App.config file. Enter the following for Redirect URI: https://ToDoListClient. Click Add. Click Next.
4. On the Configure Web API screen, enter the Identifier: https://localhost:44321/. Click Add. Click Next.
This value will be used later in the application's App.config and Web.config files.
5. On the Apply Access Control Policy screen, select Permit everyone and click Next.
6. On the Configure Application Permissions screen, make sure openid is selected and click Next.
7. On the Summary screen, click Next.
8. On the Complete screen, click Close.
9. In AD FS Management, click on Application Groups and select the NativeAppToWebApi application
group. Right-click and select Properties.
10. On the NativeAppToWebApi properties screen, select NativeAppToWebApi – Web API under Web API
and click Edit…
11. On the NativeAppToWebApi – Web API Properties screen, select the Issuance Transform Rules tab and click
Add Rule…
12. On the Add Transform Claim Rule Wizard, select Transform an Incoming Claim from the Claim rule
template: dropdown and click Next.
13. Enter NameID in the Claim rule name: field. Select Name for Incoming claim type:, Name ID for
Outgoing claim type: and Common Name for Outgoing name ID format:. Click Finish.
14. Click OK on the NativeAppToWebApi – Web API Properties screen and then on the NativeAppToWebApi Properties
screen.
Code Configuration
This section shows how to configure a Native App to sign in a user and retrieve a token to call the Web API.
1. Download the sample from here
2. Open the sample using Visual Studio
3. Open the App.config file. Modify the following:
ida:Authority - enter https://[your AD FS hostname]/adfs
ida:ClientId - enter the Client Identifier value from #3 in the App Registration in AD FS section
above.
ida:RedirectUri - enter the Redirect URI value from #3 in the App Registration in AD FS section above.
todo:TodoListResourceId – enter the Identifier value from #4 in the App Registration in AD FS section
above
todo:TodoListBaseAddress - enter the Identifier value from #4 in the App Registration in AD FS
section above.
2. Once signed in, enter the text Build Native App to Web Api in Create a To Do item. Click Add item.
This will call the To Do List Service (Web API) and add the item in the cache.
Next Steps
AD FS OpenID Connect/OAuth flows and Application Scenarios
Scenario: Web API calling Web API (On Behalf Of
Scenario)
3/5/2021 • 5 minutes to read
Learn how to build a Web API that calls another Web API On Behalf Of the user.
Before reading this article, you should be familiar with the AD FS concepts and the On-Behalf-Of flow.
Overview
A client (Web App) - not represented on the diagram below - calls a protected Web API and provides a
JWT bearer token in its "Authorization" HTTP header.
The protected Web API validates the token and uses the MSAL AcquireTokenOnBehalfOf method to
request (from AD FS) another token so that it can, itself, call a second web API (named the downstream
web API) on behalf of the user.
The protected web API uses this token to call a downstream API. It can also call AcquireTokenSilent later to
request tokens for other downstream APIs (but still on behalf of the same user). AcquireTokenSilent
refreshes the token when needed.
To better understand how to configure the on-behalf-of auth scenario in AD FS, let's use a sample available here and
walk through the app registration and code configuration steps.
Pre-requisites
GitHub client tools
AD FS 2019 or later configured and running
Visual Studio 2013 or later
App Registration in AD FS
This section shows how to register the Native App as a public client and the Web APIs as Relying Parties (RP) in AD
FS.
1. In AD FS Management, right-click on Application Groups and select Add Application Group.
2. On the Application Group Wizard, for the Name enter WebApiToWebApi and under Client-Server
applications select the Native application accessing a Web API template. Click Next.
3. Copy the Client Identifier value. It will be used later as the value for ClientId in the application's
App.config file. Enter the following for Redirect URI: https://ToDoListClient. Click Add. Click Next.
4. On the Configure Web API screen, enter the Identifier: https://localhost:44321/. Click Add. Click Next.
This value will be used later in the application's App.config and Web.Config files.
5. On the Apply Access Control Policy screen, select Permit everyone and click Next.
6. On the Configure Application Permissions screen, select openid and user_impersonation. Click Next.
7. On the Summary screen, click Next.
8. On the Complete screen, click Close.
9. In AD FS Management, click on Application Groups and select the WebApiToWebApi application group.
Right-click and select Properties.
12. On the Server Application screen, add https://localhost:44321/ as the Client Identifier and Redirect URI.
13. On the Configure Application Credentials screen, select Generate a shared secret. Copy the secret for later
use.
20. On the Apply Access Control Policy screen, select Permit everyone and click Next.
21. On the Configure Application Permissions screen, click Next.
27. On the Add Transform Claim Rule Wizard, select Send Claims Using a Custom Rule from the dropdown and
click Next.
28. Enter PassAllClaims in the Claim rule name: field and the x:[] => issue(claim=x); claim rule in the Custom rule:
field and click Finish.
Next
33. Enter PassAllClaims in the Claim rule name: field and the x:[] => issue(claim=x); claim rule in the Custom rule:
field and click Finish.
34. Click OK on the WebApiToWebApi – Web API 2 Properties screen and then on the WebApiToWebApi Properties
screen.
Code Configuration
This section shows how to configure a Web API to call another Web API.
1. Download the sample from here
2. Open the sample using Visual Studio
3. Open the App.config file. Modify the following:
ida:Authority - enter https://[your AD FS hostname]/adfs/
ida:ClientId - enter the value from #3 in the App Registration in AD FS section above.
ida:RedirectUri - enter the value from #3 in the App Registration in AD FS section above.
todo:TodoListResourceId – enter the Identifier value from #4 in the App Registration in AD FS section
above
todo:TodoListBaseAddress - enter the Identifier value from #4 in the App Registration in AD FS
section above.
4. Open the Web.config file under ToDoListService. Modify the following:
ida:Audience - enter the Client Identifier value from #12 in the App Registration in AD FS section
above
ida:ClientId - enter the Client Identifier value from #12 in the App Registration in AD FS section above.
ida:ClientSecret - enter the shared secret copied from #13 in the App Registration in AD FS section
above.
ida:RedirectUri - enter the RedirectUri value from #12 in the App Registration in AD FS section above.
ida:AdfsMetadataEndpoint - enter https://[your AD FS hostname]/federationmetadata/2007-06/federationmetadata.xml
ida:OBOWebAPIBase - enter the Identifier value from #19 in the App Registration in AD FS section
above.
ida:Authority - enter https://[your AD FS hostname]/adfs
2. On the Properties pages make sure Action is set to Start for each of the Projects, except TodoListSPA.
3. At the top of Visual Studio, click the green arrow.
If you don't see the native app screen, search for and remove *msalcache.bin files from the folder where the
project repo is saved on your system.
5. You will be redirected to the AD FS sign-in page. Go ahead and sign in.
6. Once signed in, enter the text Web Api to Web Api Call in Create a To Do item. Click Add item. This
will call the Web API (To Do List Service), which then calls Web API 2 (WebAPIOBO) and adds the item in
the cache.
Next Steps
AD FS OpenID Connect/OAuth flows and Application Scenarios
Scenario: Web App (Server App) calling Web API
3/5/2021 • 3 minutes to read
Learn how to build a web app signing-in users authenticated by AD FS 2019 and acquiring tokens using MSAL
library to call web APIs.
Before reading this article, you should be familiar with the AD FS concepts and Authorization code grant flow
Overview
In this flow you add authentication to your Web App (Server App), which can therefore sign in users and call a
web API. From the Web App, to call the Web API, use MSAL's AcquireTokenByAuthorizationCode token
acquisition method. You'll use the Authorization code flow, storing the acquired token in the token cache. Then
the controller will acquire tokens silently from the cache when needed. MSAL refreshes the token if needed.
Web Apps that call Web APIs:
are confidential client applications.
that's why they've registered a secret (application shared secret, certificate or AD account) with AD FS. This
secret is passed in during the call to AD FS to get a token.
To better understand how to register a Web App in AD FS and to configure it to acquire tokens to call a Web API,
let's use a sample available here and walk through the app registration and code configuration steps.
Pre-requisites
GitHub client tools
AD FS 2019 or later configured and running
Visual Studio 2013 or later
App Registration in AD FS
This section shows how to register the Web App as a confidential client and the Web API as a Relying Party (RP) in
AD FS.
1. In AD FS Management, right-click on Application Groups and select Add Application Group.
2. On the Application Group Wizard, for the Name enter WebAppToWebApi and under Client-Server
applications select the Server application accessing a Web API template. Click Next.
3. Copy the Client Identifier value. It will be used later as the value for ida:ClientId in the application's
Web.config file. Enter the following for Redirect URI: https://localhost:44326. Click Add. Click Next.
4. On the Configure Application Credentials screen, place a check in Generate a shared secret and copy
the secret. This will be used later as the value for ida:ClientSecret in the application's Web.config file.
Click Next.
5. On the Configure Web API screen, enter the Identifier: https://webapi. Click Add. Click Next. This value
will be used later for ida:GraphResourceId in the application's Web.config file.
6. On the Apply Access Control Policy screen, select Permit everyone and click Next.
7. On the Configure Application Permissions screen, make sure openid and user_impersonation are
selected and click Next.
Code Configuration
This section shows how to configure an ASP.NET Web App to sign in a user and retrieve a token to call the Web API.
1. Download the sample from here
2. Open the sample using Visual Studio
3. Open the web.config file. Modify the following:
ida:ClientId - enter the Client Identifier value from #3 in App Registration in AD FS section
above.
ida:ClientSecret - enter the Secret value from #4 in App Registration in AD FS section above.
ida:RedirectUri - enter the Redirect URI value from #3 in App Registration in AD FS section above.
ida:Authority - enter https://[your AD FS hostname]/adfs. E.g., https://adfs.contoso.com/adfs
ida:Resource - enter the Identifier value from #5 in App Registration in AD FS section above.
6. Clicking on Access Token will get the access token info by calling the Web API
Next Steps
AD FS OpenID Connect/OAuth flows and Application Scenarios
AD FS Operations
3/5/2021 • 2 minutes to read
This document contains a list of all of the documentation operations for AD FS.
Service Configuration
Update SSL Certificates in AD FS and WAP 2016
AD FS Rapid Restore Tool
Configure alternate hostname binding for certificate authentication in AD FS
Add an Attribute Store
Customize HTTP security response headers with AD FS 2019
Delegate AD FS Powershell Commandlet Access to Non-Admin Users
Fine tune SQL and address latency
AlwaysOn Availability Groups
Authentication Configuration
Strong Authentication (MFA) & Password-less
Configure External Authentication providers as primary in AD FS (2019 or later)
Configure AD FS (2016 or later) and Azure MFA
Configure Additional Authentication Methods for AD FS
Lockout protection
Configure AD FS Extranet Soft Lockout Protection
Configure AD FS Extranet Smart Lockout Protection
Configure AD FS Extranet Banned IPs
Policy Configuration
Configure Authentication Policies
Configuring Alternate Login ID
Configure Azure AD Prompt login behavior to work with AD FS policy
Kerberos & Certificate authentication
Enable AD DS claims & kerberos compound authentication in AD FS
Configure AD FS for User Certificate Authentication
Configure alternate hostname binding for certificate authentication in AD FS
Device
Device Authentication Controls in AD FS
Authorization Configuration
Configure Access Control Policies in AD FS
Configure Device-based Conditional Access on-Premises
Other
Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company
Applications
Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
Manage Risk with Conditional Access Control
Set up an AD FS lab environment
Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
Walkthrough Guide: Manage Risk with Conditional Access Control
Walkthrough: Workplace Join with a Windows Device
Walkthrough: Workplace Join with an iOS Device
Controlling Access to Organizational Data with
Active Directory Federation Services
3/5/2021 • 2 minutes to read
This document provides an overview of access control with AD FS across on premises, hybrid and cloud
scenarios.
Next Steps
For more information on controlling access across the cloud and on premises see:
Conditional Access in Azure Active Directory
Access Control Policies in AD FS 2016
Access Control Policies in Windows Server 2016 AD FS
3/5/2021 • 8 minutes to read
If an administrator selects multiple conditions, they are combined with AND. Actions are mutually exclusive: for one policy rule you can choose only one action. If an administrator selects multiple exceptions, they are combined with OR. A couple of policy rule examples are shown below:
POLICY    POLICY RULES
7. Click OK. Click OK.
How to create a parameterized access control policy
To create a parameterized access control policy use the following procedure
To create a parameterized access control policy
1. From AD FS Management, on the left select Access Control Policies and on the right click Add Access Control Policy.
2. Enter a name and a description. For example: Permit users with a specific claim.
3. Under Permit access if any of the following rules are met, click Add.
4. Under permit, place a check in the box next to with specific claims in the request.
5. At the bottom, select the underlined specific.
6. From the window that pops up, select Parameter specified when the access control policy is assigned. Click OK.
7. Click OK. Click OK.
See Also
AD FS Operations
Access Control Policies in Windows Server 2012 R2 and Windows Server 2012 AD FS
3/5/2021 • 19 minutes to read
The policies described in this article make use of two kinds of claims:
1. Claims AD FS creates based on information the AD FS server and the Web Application Proxy can inspect and verify, such as the IP address of the client connecting directly to AD FS or the WAP.
2. Claims AD FS creates based on information forwarded to AD FS by the client as HTTP headers.
Important: The policies as documented below will block Windows 10 domain join and sign-on scenarios that require access to the following additional endpoints
To resolve this, update any policies that deny based on the endpoint claim to allow an exception for the endpoints above.
For example, the rule below:
c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value != "/adfs/ls/"] => issue(Type = "https://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
NOTE
Claims from this category should only be used to implement business policies and not as security policies to protect
access to your network. It is possible for unauthorized clients to send headers with false information as a way to gain
access.
The policies described in this article should always be used with another authentication method, such as
username and password or multi factor authentication.
Scenario 1: Block all external access to Office 365
Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Scenario 2: Block all external access to Office 365 except Exchange ActiveSync
Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Scenario 3: Block all external access to Office 365 except browser-based applications
Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Scenario 4: Block all external access to Office 365 except for designated Active Directory groups
This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.
6. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list before the default Permit Access to All Users rule (the Deny rule will take precedence even though it appears earlier in the list). If you do not have the default permit access rule, you can add one at the end of your list using the claim rule language as follows:
c:[] => issue(Type = "https://schemas.microsoft.com/authorization/claims/permit", Value = "true");
7. To save the new rules, in the Edit Claim Rules dialog box, click OK. The resulting list should look like the following.
Scenario 2: Block all external access to Office 365 except Exchange ActiveSync
The following example allows access to all Office 365 applications, including Exchange Online, from internal
clients including Outlook. It blocks access from clients residing outside the corporate network, as indicated by
the client IP address, except for Exchange ActiveSync clients such as smart phones.
To create rules to block all external access to Office 365 except Exchange ActiveSync
6. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.
7. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.
8. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
9. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “If there is an IP outside the desired range AND there is a non-EAS x-ms-client-application claim, deny”. Under Custom rule, type or paste the following claim rule language syntax:
c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value != "Microsoft.Exchange.ActiveSync"] => issue(Type = "https://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
10. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.
11. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.
12. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
13. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “check if application claim exists”. Under Custom rule, type or paste the following claim rule language syntax:
14. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.
15. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.
16. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
17. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “deny users with ipoutsiderange true and application fail”. Under Custom rule, type or paste the following claim rule language syntax:
18. Click Finish. Verify that the new rule appears immediately below the previous rule and before the default Permit Access to All Users rule in the Issuance Authorization Rules list (the Deny rule will take precedence even though it appears earlier in the list).
If you do not have the default permit access rule, you can add one at the end of your list using the claim rule language as follows:
19. To save the new rules, in the Edit Claim Rules dialog box, click OK. The resulting list should look like the following.
Scenario 3: Block all external access to Office 365 except browser-based applications
To create rules to block all external access to Office 365 except browser-based applications
1. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.
2. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.
3. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
4. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “If there is an IP outside the desired range AND the endpoint is not /adfs/ls, deny”. Under Custom rule, type or paste the following claim rule language syntax:
5. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list before the default Permit Access to All Users rule (the Deny rule will take precedence even though it appears earlier in the list).
If you do not have the default permit access rule, you can add one at the end of your list using the claim rule language as follows:
c:[] => issue(Type = "https://schemas.microsoft.com/authorization/claims/permit", Value = "true");
11. To save the new rules, in the Edit Claim Rules dialog box, click OK. The resulting list should look like the following.
Scenario 4: Block all external access to Office 365 except for designated Active Directory groups
The following example enables access from internal clients based on IP address. It blocks access from clients
residing outside the corporate network that have an external client IP address, except for those individuals in a
specified Active Directory group. Use the following steps to add the correct Issuance Authorization rules to the Microsoft Office 365 Identity Platform relying party trust using the Claim Rule Wizard:
To create rules to block all external access to Office 365, except for designated Active Directory groups
c1:[Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^(?!192\.168\.1\.77|10\.83\.118\.23)"] && c2:[Type == "https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://custom/ipoutsiderange", Value = "true");
6. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.
7. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.
8. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
9. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “check group SID”. Under Custom rule, type or paste the following claim rule language syntax (replace "groupsid" with the actual SID of the AD group you are using):
10. Click Finish. Verify that the new rule appears in the Issuance Authorization Rules list.
11. Next, in the Edit Claim Rules dialog box, on the Issuance Authorization Rules tab, click Add Rule to start the Claim Rule Wizard again.
12. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
13. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example “deny users with ipoutsiderange true and groupsid fail”. Under Custom rule, type or paste the following claim rule language syntax:
14. Click Finish. Verify that the new rule appears immediately below the previous rule and before the default Permit Access to All Users rule in the Issuance Authorization Rules list (the Deny rule will take precedence even though it appears earlier in the list).
If you do not have the default permit access rule, you can add one at the end of your list using the claim rule language as follows:
15. To save the new rules, in the Edit Claim Rules dialog box, click OK. The resulting list should look like the following.
NOTE
Exchange Online currently supports only IPV4 and not IPV6 addresses.
A single IP address: The IP address of the client that is directly connected to Exchange Online
NOTE
The IP address of a client on the corporate network will appear as the external interface IP address of the organization's
outbound proxy or gateway.
Clients that are connected to the corporate network by a VPN or by Microsoft DirectAccess (DA) may appear as
internal corporate clients or as external clients depending upon the configuration of VPN or DA.
One or more IP addresses: When Exchange Online cannot determine the IP address of the connecting client,
it will set the value based on the value of the x-forwarded-for header, a non-standard header that can be
included in HTTP-based requests and is supported by many clients, load balancers, and proxies on the
market.
NOTE
1. Multiple IP addresses, indicating the client IP address and the address of each proxy that passed the request, will be separated by a comma.
2. IP addresses related to Exchange Online infrastructure will not appear on the list.
Regular Expressions
When you have to match a range of IP addresses, it becomes necessary to construct a regular expression to
perform the comparison. In the next series of steps, we will provide examples for how to construct such an
expression to match the following address ranges (note that you will have to change these examples to match
your public IP range):
192.168.1.1 – 192.168.1.25
10.0.0.1 – 10.0.0.14
First, the basic pattern that will match a single IP address is as follows: \b###\.###\.###\.###\b
Extending this, we can match two different IP addresses with an OR expression as follows:
\b###\.###\.###\.###\b|\b###\.###\.###\.###\b
So, an example to match just two addresses (such as 192.168.1.1 or 10.0.0.1) would be:
\b192\.168\.1\.1\b|\b10\.0\.0\.1\b
This gives you the technique by which you can enter any number of addresses. Where a range of addresses needs to be allowed, for example 192.168.1.1 – 192.168.1.25, the matching must be done character by character: \b192\.168\.1\.([1-9]|1[0-9]|2[0-5])\b
Please note the following:
The IP address is treated as string and not a number.
The rule is broken down as follows: \b192\.168\.1\.
This matches any value beginning with 192.168.1.
The following matches the ranges required for the portion of the address after the final decimal point:
([1-9] Matches addresses ending in 1-9
|1[0-9] Matches addresses ending in 10-19
|2[0-5]) Matches addresses ending in 20-25
Note that the parentheses must be correctly positioned, so that you don't start matching other portions
of IP addresses.
With the 192 block matched, we can write a similar expression for the 10 block: \b10\.0\.0\.([1-9]|1[0-4])\b
And putting them together, the following expression should match all the addresses for “192.168.1.1~25” and “10.0.0.1~14”: \b192\.168\.1\.([1-9]|1[0-9]|2[0-5])\b|\b10\.0\.0\.([1-9]|1[0-4])\b
Testing the Expression
Regex expressions can become quite tricky, so we highly recommend using a regex verification tool. If you do an
internet search for “online regex expression builder”, you will find several good online utilities that will allow you
to try out your expressions against sample data.
When testing the expression, it is important to understand what input you will have to match. The Exchange Online system may send many IP addresses, separated by commas. The expressions provided above will work for this. However, it is important to keep this in mind when testing your regex expressions. For example, one might use the following sample input to verify the examples above:
192.168.1.1, 192.168.1.2, 192.169.1.1. 192.168.12.1, 192.168.1.10, 192.168.1.25, 192.168.1.26, 192.168.1.30,
1192.168.1.20
10.0.0.1, 10.0.0.5, 10.0.0.10, 10.0.1.0, 10.0.1.1, 110.0.0.1, 10.0.0.14, 10.0.0.15, 10.0.0.10, 10,0.0.1
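As an added worked example (not part of the Microsoft documentation above), the following Python script builds the last-octet alternation the way the text does by hand, runs the documented expression over input modelled on the sample lines above, and shows one limit of the \b anchors: because "." is not a word character, \b also accepts a match that sits inside a longer dotted string. Python's re module stands in here for the .NET regex engine that evaluates =~ in AD FS; the STRICT_PATTERN variant, the helper names and the sample values are my own and are not from the page.

```python
import re
from typing import Dict

# The exact expression the documentation builds for 192.168.1.1-192.168.1.25
# and 10.0.0.1-10.0.0.14.
DOC_PATTERN = r"\b192\.168\.1\.([1-9]|1[0-9]|2[0-5])\b|\b10\.0\.0\.([1-9]|1[0-4])\b"

# Stricter variant (my own, not from the documentation): the lookarounds refuse a
# neighbouring digit or dot, so a match cannot begin or end inside a longer dotted
# string such as 192.168.1.1.5 or 10.192.168.1.1. The page's own rules already use
# a (?!...) lookahead, so lookarounds are available in the claim rule engine.
STRICT_PATTERN = (r"(?<![\d.])(?:192\.168\.1\.(?:[1-9]|1[0-9]|2[0-5])"
                  r"|10\.0\.0\.(?:[1-9]|1[0-4]))(?![\d.])")

# Constructed test input modelled on the documentation's sample lines, in the shape
# of a comma-separated x-ms-forwarded-client-ip value.
SAMPLE_192 = ("192.168.1.1, 192.168.1.2, 192.169.1.1, 192.168.12.1, 192.168.1.10, "
              "192.168.1.25, 192.168.1.26, 192.168.1.30, 1192.168.1.20")
SAMPLE_10 = ("10.0.0.1, 10.0.0.5, 10.0.0.10, 10.0.1.0, 10.0.1.1, 110.0.0.1, "
             "10.0.0.14, 10.0.0.15, 10,0.0.1")


def octet_range_regex(lo: int, hi: int) -> str:
    """Build the last-octet alternation the way the doc does it by hand: a run of
    single digits, whole decades, then a partial decade (1-25 -> [1-9]|1[0-9]|2[0-5])."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range must satisfy 0 <= lo <= hi <= 255")
    parts = []
    n = lo
    while n <= hi:
        if n < 10:                                   # single-digit run, e.g. [1-9]
            end = min(hi, 9)
            parts.append(str(n) if end == n else f"[{n}-{end}]")
            n = end + 1
        elif n % 10 == 0 and n + 9 <= hi:            # whole decade, e.g. 1[0-9]
            parts.append(f"{n // 10}[0-9]")
            n += 10
        elif n // 10 == hi // 10:                    # partial decade ending at hi, e.g. 2[0-5]
            parts.append(str(n) if n == hi else f"{n // 10}[{n % 10}-{hi % 10}]")
            n = hi + 1
        else:                                        # partial decade up to x9, e.g. 1[3-9]
            parts.append(f"{n // 10}[{n % 10}-9]")
            n = (n // 10 + 1) * 10
    return "(?:" + "|".join(parts) + ")"


def ip_range_regex(prefix: str, lo: int, hi: int) -> str:
    """Fixed first three octets plus a last-octet range, bounded with \\b as the doc does."""
    return r"\b" + prefix.replace(".", r"\.") + r"\." + octet_range_regex(lo, hi) + r"\b"


def in_range(value: str, pattern: str = DOC_PATTERN) -> bool:
    """Unanchored search, which is what the claim rule =~ operator performs."""
    return re.search(pattern, value) is not None


def classify(header_value: str, pattern: str = DOC_PATTERN) -> Dict[str, bool]:
    """Split a comma-separated forwarded-client-ip value and test each entry."""
    return {part.strip(): in_range(part.strip(), pattern)
            for part in header_value.split(",")}


if __name__ == "__main__":
    combined = ip_range_regex("192.168.1", 1, 25) + "|" + ip_range_regex("10.0.0", 1, 14)
    print("generated:", combined)
    for sample in (SAMPLE_192, SAMPLE_10):
        for addr, hit in classify(sample).items():
            print(f"{addr:>16}  {'match' if hit else 'no match'}")
    # Where \b is too weak and the strict variant helps:
    for value in ("192.168.1.1.5", "10.192.168.1.1"):
        print(value, "doc:", in_range(value), "strict:", in_range(value, STRICT_PATTERN))
```

The generated expression differs from the documented one only in using non-capturing groups. Whichever form you deploy, test it against the comma-separated, multi-proxy values the page describes, not just single addresses.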
Claim Types
AD FS in Windows Server 2012 R2 provides request context information using the following claim types:
X-MS-Forwarded-Client-IP
Claim type: https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
This AD FS claim represents a “best attempt” at ascertaining the IP address of the user (for example, the Outlook client) making the request. This claim can contain multiple IP addresses, including the address of every proxy that forwarded the request. This claim is populated from an HTTP header. The value of the claim can be one of the following:
A single IP address - The IP address of the client that is directly connected to Exchange Online
NOTE
The IP address of a client on the corporate network will appear as the external interface IP address of the organization's
outbound proxy or gateway.
NOTE
IP addresses related to Exchange Online infrastructure will not be present in the list.
WARNING
Exchange Online currently supports only IPV4 addresses; it does not support IPV6 addresses.
X-MS-Client-Application
Claim type: https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
This AD FS claim represents the protocol used by the end client, which corresponds loosely to the application
being used. This claim is populated from an HTTP header that is currently only set by Exchange Online, which
populates the header when passing the authentication request to AD FS. Depending on the application, the value
of this claim will be one of the following:
In the case of devices that use Exchange Active Sync, the value is Microsoft.Exchange.ActiveSync.
Use of the Microsoft Outlook client may result in any of the following values:
Microsoft.Exchange.Autodiscover
Microsoft.Exchange.OfflineAddressBook
Microsoft.Exchange.RPC
Microsoft.Exchange.WebServices
Other possible values for this header include the following:
Microsoft.Exchange.Powershell
Microsoft.Exchange.SMTP
Microsoft.Exchange.Pop
Microsoft.Exchange.Imap
X-MS-Client-User-Agent
Claim type: https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
This AD FS claim provides a string to represent the device type that the client is using to access the service. This
can be used when customers would like to prevent access for certain devices (such as particular types of smart
phones). Example values for this claim include (but are not limited to) the values below.
The below are examples of what the x-ms-user-agent value might contain for a client whose x-ms-client-
application is “Microsoft.Exchange.ActiveSync”
Vortex/1.0
Apple-iPad1C1/812.1
Apple-iPhone3C1/811.2
Apple-iPhone/704.11
Moto-DROID2/4.5.1
SAMSUNGSPHD700/100.202
Android/0.3
It is also possible that this value is empty.
X-MS-Proxy
Claim type: https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
This AD FS claim indicates that the request has passed through the Web Application proxy. This claim is
populated by the Web Application proxy, which populates the header when passing the authentication request
to the back end Federation Service. AD FS then converts it to a claim.
The value of the claim is the DNS name of the Web Application proxy that passed the request.
InsideCorporateNetwork
Claim type: https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork
Similar to the above x-ms-proxy claim type, this claim type indicates whether the request has passed through
the web application proxy. Unlike x-ms-proxy, insidecorporatenetwork is a boolean value with True indicating a
request directly to the federation service from inside the corporate network.
X-MS-Endpoint-Absolute-Path (Active vs Passive)
Claim type: https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
This claim type can be used for determining requests originating from “active” (rich) clients versus “passive”
(web-browser-based) clients. This enables external requests from browser-based applications such as the
Outlook Web Access, SharePoint Online, or the Office 365 portal to be allowed while requests originating from
rich clients such as Microsoft Outlook are blocked.
The value of the claim is the name of the AD FS service that received the request.
See Also
AD FS Operations
Client Access Control policies in AD FS 2.0
3/5/2021 • 13 minutes to read
Client access policies in Active Directory Federation Services 2.0 allow you to restrict or grant users access to resources. This document describes how to enable client access policies in AD FS 2.0 and how to configure the most common scenarios.
6. To verify the rule, select it in the list and click Edit Rule, then click View Rule Language. The claim rule
language should appear as follows:
c:[Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] =>
issue(claim = c);
7. Click Finish.
8. In the Edit Claim Rules dialog box, click OK to save the rules.
9. Repeat steps 2 through 6 to create an additional claim rule for each of the remaining four claim types
shown below until all five rules have been created.
https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
Step 3: Update the Microsoft Office 365 Identity Platform relying party trust
Choose one of the example scenarios below to configure the claim rules on the Microsoft Office 365 Identity
Platform relying party trust that best meets the needs of your organization.
NOTE
You will have to replace the value above for “public ip address regex” with a valid IP expression; see Building the IP address
range expression for more information.
Scenario 2: Block all external access to Office 365 except Exchange ActiveSync
The following example allows access to all Office 365 applications, including Exchange Online, from internal
clients including Outlook. It blocks access from clients residing outside the corporate network, as indicated by
the client IP address, except for Exchange ActiveSync clients such as smart phones. The rule set builds on the
default Issuance Authorization rule titled Permit Access to All Users. Use the following steps to add an Issuance
Authorization rule to the Office 365 relying party trust using the Claim Rule Wizard:
To create a rule to block all external access to Office 365
1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the console tree, under AD FS 2.0\Trust Relationships, click Relying Party Trusts, right-click the Microsoft
Office 365 Identity Platform trust, and then click Edit Claim Rules.
3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to
start the Claim Rule Wizard.
4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and
then click Next.
5. On the Configure Rule page, under Claim rule name, type the display name for this rule. Under Custom rule,
type or paste the following claim rule language syntax:
exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT
exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value=="Microsoft.Exchange.Autodiscover"]) && NOT exists([Type ==
"https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
Value=="Microsoft.Exchange.ActiveSync"]) && NOT exists([Type ==
"https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-
provided public ip address regex"]) => issue(Type =
"https://schemas.microsoft.com/authorization/claims/deny", Value = "true");
6. Click Finish. Verify that the new rule appears immediately below the Permit Access to All Users rule in the
Issuance Authorization Rules list.
7. To save the rule, in the Edit Claim Rules dialog box, click OK.
NOTE
You will have to replace the value above for “public ip address regex” with a valid IP expression; see Building the IP address
range expression for more information.
Scenario 3: Block all external access to Office 365 except browser-based applications
The rule set builds on the default Issuance Authorization rule titled Permit Access to All Users. Use the following
steps to add an Issuance Authorization rule to the Microsoft Office 365 Identity Platform relying party trust
using the Claim Rule Wizard:
NOTE
This scenario is not supported with a third-party proxy because of limitations on client access policy headers with passive
(Web-based) requests.
To create a rule to block all external access to Office 365 except browser-based applications
1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the console tree, under AD FS 2.0\Trust Relationships, click Relying Party Trusts, right-click the Microsoft
Office 365 Identity Platform trust, and then click Edit Claim Rules.
3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to
start the Claim Rule Wizard.
4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and
then click Next.
5. On the Configure Rule page, under Claim rule name, type the display name for this rule. Under Custom rule,
type or paste the following claim rule language syntax:
exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT
exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value=~"customer-provided public ip address regex"]) && NOT exists([Type ==
"https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value ==
"/adfs/ls/"]) => issue(Type = "https://schemas.microsoft.com/authorization/claims/deny", Value = "true");
6. Click Finish. Verify that the new rule appears immediately below the Permit Access to All Users rule in the
Issuance Authorization Rules list.
7. To save the rule, in the Edit Claim Rules dialog box, click OK.
Scenario 4: Block all external access to Office 365 for designated Active Directory groups
The following example enables access from internal clients based on IP address. It blocks access from clients
residing outside the corporate network that have an external client IP address, except for those individuals in a
specified Active Directory Group.The rule set builds on the default Issuance Authorization rule titled Permit
Access to All Users. Use the following steps to add an Issuance Authorization rule to the Microsoft Office 365
Identity Platform relying party trust using the Claim Rule Wizard:
To create a rule to block all external access to Office 365 for designated Active Directory groups
1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the console tree, under AD FS 2.0\Trust Relationships, click Relying Party Trusts, right-click the Microsoft
Office 365 Identity Platform trust, and then click Edit Claim Rules.
3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to
start the Claim Rule Wizard.
4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and
then click Next.
5. On the Configure Rule page, under Claim rule name, type the display name for this rule. Under Custom rule,
type or paste the following claim rule language syntax:
exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
exists([Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "Group SID
value of allowed AD group"]) && NOT exists([Type ==
"https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-
provided public ip address regex"]) => issue(Type =
"https://schemas.microsoft.com/authorization/claims/deny", Value = "true");
6. Click Finish. Verify that the new rule appears immediately below the Permit Access to All Users rule in the
Issuance Authorization Rules list.
7. To save the rule, in the Edit Claim Rules dialog box, click OK.
Descriptions of the claim rule language syntax used in the above scenarios
DESCRIPTION / CLAIM RULE LANGUAGE SYNTAX

Default AD FS rule to Permit Access to All Users. This rule should already exist in the Microsoft Office 365 Identity Platform relying party trust Issuance Authorization Rules list.
=> issue(Type = "https://schemas.microsoft.com/authorization/claims/permit", Value = "true");

Used to establish that the request is from a client with an IP in the defined acceptable range.
NOT exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"])

This clause is used to specify that if the application being accessed is not Microsoft.Exchange.ActiveSync the request should be denied.
NOT exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"])

This rule allows you to determine whether the call was made through a Web browser, in which case it will not be denied.
NOT exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])

This rule states that only users in a particular Active Directory group (based on SID value) should be denied. Adding NOT to this statement means a group of users will be allowed, regardless of location.
exists([Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "{Group SID value of allowed AD group}"])

This is a required clause to issue a deny when all preceding conditions are met.
=> issue(Type = "https://schemas.microsoft.com/authorization/claims/deny", Value = "true");
NOTE
Exchange Online currently supports only IPv4 and not IPv6 addresses.
A single IP address: The IP address of the client that is directly connected to Exchange Online
NOTE
The IP address of a client on the corporate network will appear as the external interface IP address of the organization's
outbound proxy or gateway.
Clients that are connected to the corporate network by a VPN or by Microsoft DirectAccess (DA) may appear as
internal corporate clients or as external clients depending upon the configuration of VPN or DA.
One or more IP addresses: When Exchange Online cannot determine the IP address of the connecting client, it
will set the value based on the value of the x-forwarded-for header, a non-standard header that can be included
in HTTP-based requests and is supported by many clients, load balancers, and proxies on the market.
NOTE
Multiple IP addresses, indicating the client IP address and the address of each proxy that passed the request, will be
separated by a comma.
IP addresses related to Exchange Online infrastructure will not appear on the list.
Regular Expressions
When you have to match a range of IP addresses, it becomes necessary to construct a regular expression to
perform the comparison. In the next series of steps, we will provide examples for how to construct such an
expression to match the following address ranges (note that you will have to change these examples to match
your public IP range):
192.168.1.1 – 192.168.1.25
10.0.0.1 – 10.0.0.14
First, the basic pattern that will match a single IP address is as follows: \b###.###.###.###\b
Note that in a regular expression an unescaped . matches any single character, not only a dot, so this pattern also accepts a string such as 192,168,1,1. To match only the literal separators, escape them as \. (for example \b192\.168\.1\.1\b). The examples that follow keep the article's unescaped form; tighten them before using them to define a trusted address range.
Extending this, we can match two different IP addresses with an OR expression as follows:
\b###.###.###.###\b|\b###.###.###.###\b
So, an example to match just two addresses (such as 192.168.1.1 or 10.0.0.1) would be:
\b192.168.1.1\b|\b10.0.0.1\b
This gives you the technique by which you can enter any number of addresses. Where a range of addresses needs to be allowed, for example 192.168.1.1 – 192.168.1.25, the matching must be done character by character:
\b192.168.1.([1-9]|1[0-9]|2[0-5])\b
NOTE
The IP address is treated as string and not a number.
NOTE
The parentheses must be correctly positioned, so that you don't start matching other portions of IP addresses.
With the 192 block matched, we can write a similar expression for the 10 block: \b10.0.0.([1-9]|1[0-4])\b
And putting them together, the following expression should match all the addresses for “192.168.1.1~25” and
“10.0.0.1~14”: \b192.168.1.([1-9]|1[0-9]|2[0-5])\b|\b10.0.0.([1-9]|1[0-4])\b
Testing the Expression
Regex expressions can become quite tricky, so we highly recommend using a regex verification tool. If you do an
internet search for “online regex expression builder”, you will find several good online utilities that will allow you
to try out your expressions against sample data.
When testing the expression, it's important that you understand what you should expect to match. The Exchange
Online service may send many IP addresses, separated by commas. The expressions provided above work for
such input. However, it's important to think about this when testing your regex expressions. For example, one might
use the following sample input to verify the examples above:
192.168.1.1, 192.168.1.2, 192.169.1.1. 192.168.12.1, 192.168.1.10, 192.168.1.25, 192.168.1.26, 192.168.1.30,
1192.168.1.20
10.0.0.1, 10.0.0.5, 10.0.0.10, 10.0.1.0, 10.0.1.1, 110.0.0.1, 10.0.0.14, 10.0.0.15, 10.0.0.10, 10,0.0.1
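Rather than an online regex tool, you can run the check locally with .NET's regex engine, which is what AD FS uses. The script below is an added example, not part of the original article: it takes the sample header value above (joined into one comma-separated string, as Exchange Online would send it) and runs both the article's pattern with unescaped dots and a tightened version with escaped dots, then reports which addresses only the loose pattern accepts.

```powershell
# Added example (not from the original article): evaluate the article's regex and a
# dot-escaped variant against the constructed sample input from the article.
$sample = '192.168.1.1, 192.168.1.2, 192.169.1.1. 192.168.12.1, 192.168.1.10, 192.168.1.25, 192.168.1.26, 192.168.1.30, 1192.168.1.20, ' +
          '10.0.0.1, 10.0.0.5, 10.0.0.10, 10.0.1.0, 10.0.1.1, 110.0.0.1, 10.0.0.14, 10.0.0.15, 10.0.0.10, 10,0.0.1'

# Pattern exactly as given in the article (unescaped dots match any character).
$loose  = '\b192.168.1.([1-9]|1[0-9]|2[0-5])\b|\b10.0.0.([1-9]|1[0-4])\b'
# Same ranges, but every separator must be a literal dot.
$strict = '\b192\.168\.1\.([1-9]|1[0-9]|2[0-5])\b|\b10\.0\.0\.([1-9]|1[0-4])\b'

function Get-MatchedAddresses {
    # Returns every substring of the header value that the pattern accepts, in order.
    param([string]$Pattern, [string]$HeaderValue)
    [regex]::Matches($HeaderValue, $Pattern) | ForEach-Object { $_.Value }
}

$looseHits  = @(Get-MatchedAddresses -Pattern $loose  -HeaderValue $sample)
$strictHits = @(Get-MatchedAddresses -Pattern $strict -HeaderValue $sample)

"Loose pattern matched  ($($looseHits.Count)): $($looseHits -join ', ')"
"Strict pattern matched ($($strictHits.Count)): $($strictHits -join ', ')"

# Anything here is a value the article's pattern treats as a corporate address but the strict one rejects.
$onlyLoose = Compare-Object -ReferenceObject $looseHits -DifferenceObject $strictHits |
             Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
"Accepted only by the loose pattern: $($onlyLoose -join ', ')"
```

Against this input both patterns accept 192.168.1.1, 192.168.1.2, 192.168.1.10, 192.168.1.25, 10.0.0.1, 10.0.0.5, 10.0.0.10 (twice) and 10.0.0.14, and both reject 192.168.1.26, 192.168.1.30, 1192.168.1.20, 10.0.1.0, 110.0.0.1 and 10.0.0.15 because of the word boundaries and the per-octet alternation. The loose pattern additionally accepts 10,0.0.1, because its unescaped dot matches the comma. In the deny rule, every address the regex accepts is treated as coming from inside the trusted range, so a pattern that is too loose widens the allow list rather than the deny list.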
Related
For more information on the new claim types see AD FS Claims Types.
Configure 3rd party authentication providers as primary authentication in AD FS 2019
11/2/2020
Organizations are experiencing attacks that attempt to brute force, compromise, or otherwise lock out user
accounts by sending password based authentication requests. To help protect organizations from compromise,
AD FS has introduced capabilities such as extranet “smart” lockout and IP address based blocking.
However, these mitigations are reactive. To provide a proactive way to reduce the severity of these attacks, AD
FS has the ability to prompt for non-password factors prior to collecting the password.
For example, AD FS 2016 introduced Azure MFA as primary authentication so that OTP codes from the
Authenticator App could be used as the first factor. Building on this, with AD FS 2019 you can configure external
authentication providers as primary authentication factors.
There are two key scenarios this enables:
Scenario 2: password-free!
Eliminate passwords entirely by completing a strong, multi-factor authentication using entirely non-password-based
methods in AD FS
Azure MFA with Authenticator app
Windows 10 Hello for Business
Certificate authentication
External authentication providers
Concepts
What primary authentication really means is that it is the method the user is prompted for first, prior to
additional factors. Previously the only primary methods available in AD FS were built in methods for Active
Directory or Azure MFA, or other LDAP authentication stores. External methods could be configured as
“additional” authentication, which takes place after primary authentication has successfully completed.
In AD FS 2019, the external authentication as primary capability means that any external authentication
providers registered on the AD FS farm (using Register-AdfsAuthenticationProvider) become available for
primary authentication as well as “additional” authentication. They can be enabled the same way as the built in
providers such as Forms Authentication and Certificate Authentication, for intranet and/or extranet use.
Once an external provider is enabled for extranet, intranet, or both, it becomes available for users to use. If more
than one method is enabled, users will see a choice page and be able to choose a primary method, just as they
do for additional authentication.
Pre-requisites
Before configuring external authentication providers as primary, ensure you have the following pre-requisites in
place
The AD FS farm behavior level (FBL) has been raised to ‘4' (this value translates to AD FS 2019)
This is the default FBL value for new AD FS 2019 farms
For AD FS farms based on Windows Server 2012 R2 or 2016, the FBL can be raised using the
PowerShell commandlet Invoke-AdfsFarmBehaviorLevelRaise. For more details on upgrading an AD
FS farm, see the farm upgrade article for SQL farms or WID farms
You can check the FBL value using the cmdlet Get-AdfsFarmInformation
The AD FS 2019 farm is configured to use the new 2019 ‘paginated' user facing pages
This is the default behavior for new AD FS 2019 farms
For AD FS farms upgraded from Windows Server 2012 R2 or 2016, the paginated flows are enabled
automatically when external authentication as primary (the feature described in this document) is
enabled as described below.
An Always On Availability Group (AG) is one or more user databases that fail over together. An availability
group consists of a primary availability replica and one to four secondary replicas that are maintained through
SQL Server log-based data movement for data protection without the need for shared storage. Each replica is
hosted by an instance of SQL Server on a different node of the WSFC. The availability group and a
corresponding virtual network name are registered as resources in the WSFC cluster.
An availability group listener on the primary replica's node responds to incoming client requests to connect to
the virtual network name, and based on attributes in the connection string, it redirects each request to the
appropriate SQL Server instance. In the event of a failover, instead of transferring ownership of shared physical
resources to another node, WSFC is leveraged to reconfigure a secondary replica on another SQL Server
instance to become the availability group's primary replica. The availability group's virtual network name
resource is then transferred to that instance. At any given moment, only a single SQL Server instance may host
the primary replica of an availability group's databases, all associated secondary replicas must each reside on a
separate instance, and each instance must reside on separate physical nodes.
NOTE
If machines are running on Azure, set up the Azure virtual machines to enable the listener configuration to communicate
with Always On Availability Groups. For more information, see Virtual Machines: SQL Always On Listener.
For additional overview of AlwaysOn Availability Groups, see Overview of Always On Availability Groups (SQL
Server).
NOTE
If the organization requires failover across multiple datacenters, it is recommended to create an artifact database in each
datacenter as well as enabling a background cache which reduces latency during request processing. Follow the
instructions to do so in Fine Tuning SQL and Reducing Latency.
Deployment Guidance
1. Consider the correct database for the goals of the AD FS deployment. AD FS uses a database to
store configuration and in some cases transactional data related to the Federation Service. You can use AD FS
software to select either the built-in Windows Internal Database (WID) or Microsoft SQL Server 2008 or
newer to store the data in the federation service. The following table describes the differences in supported
features between a WID and SQL database.
If you are a large organization with more than 100 trust relationships that need to provide both their internal
users and external users with single-sign on access to federation applications or services, SQL is the
recommended option.
If you are an organization with 100 or fewer configured trust relationships, WID provides data and federation
service redundancy (where each federation server replicates changes to other federation servers in the same
farm). WID does not support token replay detection or artifact resolution and has a limit of 30 federation
servers. For more information on planning your deployment, visit here.
Deploy AD FS
NOTE
If machines are running on Azure, the Virtual Machines must be configured in a specific way to allow for the listener to
communicate with the Always On Availability Group. For information on configuration, view Configure a load balancer for
an availability group on Azure SQL Server VMs
This deployment guide will show a two node farm with two SQL servers as an example. To deploy AD FS follow
the initial links below to install the AD FS Role Service. To configure for an AoA group, there will be additional
steps for the role.
Join a Computer to a Domain
Enroll an SSL Certificate for AD FS
Install the AD FS Role Service
2. Verify connectivity to the database using SSMS and then connect to the targeted database host name. If
adding another node to the federation farm, connect to the targeted database.
3. Specify the SSL certificate for the AD FS farm.
4. Connect the farm to a service account or gMSA.
NOTE
SQL Server must be run under a domain account for installation of Always On Availability groups. By default, it is run as a
local system.
8. On the Confirm installation selections page, select Install. A server restart is not required for the Failover
Clustering feature.
9. When the installation is completed, select Close.
10. Repeat this procedure on every server that you want to add as a failover cluster node.
Run Cluster Validation Tests
1. On a computer that has the Failover Cluster Management Tools installed from the Remote Server
Administration Tools, or on a server where you installed the Failover Clustering feature, start Failover Cluster
Manager. To do this on a server, start Server Manager, and then on the Tools menu, select Failover Cluster
Manager.
2. In the Failover Cluster Manager pane, under Management, select Validate Configuration.
3. On the Before You Begin page, select Next.
4. On the Select Servers or a Cluster page, in the Enter name box, enter the NetBIOS name or the fully qualified
domain name of a server that you plan to add as a failover cluster node, and then select Add. Repeat this step
for each server that you want to add. To add multiple servers at the same time, separate the names by a
comma or by a semicolon. For example, enter the names in the format server1.contoso.com,
server2.contoso.com. When you are finished, select Next.
5. On the Testing Options page, select Run all tests (recommended), and then select Next.
6. On the Confirmation page, select Next. The Validating page displays the status of the running tests.
7. On the Summary page, do either of the following:
If the results indicate that the tests completed successfully and the configuration is suited for clustering, and
you want to create the cluster immediately, make sure that the Create the cluster now using the validated
nodes check box is selected, and then select Finish. Then, continue to step 4 of the Create the failover cluster
procedure.
If the results indicate that there were warnings or failures, select View Report to view the details and
determine which issues must be corrected. Realize that a warning for a particular validation test indicates
that this aspect of the failover cluster can be supported, but might not meet the recommended best practices.
NOTE
If you receive a warning for the Validate Storage Spaces Persistent Reservation test, see the blog post Windows Failover
Cluster validation warning indicates your disks don't support the persistent reservations for Storage Spaces for more
information. For more information about hardware validation tests, see Validate Hardware for a Failover Cluster.
6. If you skipped validation earlier, the Validation Warning page appears. We strongly recommend that you run
cluster validation. Only clusters that pass all validation tests are supported by Microsoft. To run the validation
tests, select Yes, and then select Next. Complete the Validate a Configuration Wizard as described in Validate
the configuration.
7. On the Access Point for Administering the Cluster page, do the following:
In the Cluster Name box, enter the name that you want to use to administer the cluster. Before you do, review
the following information:
During cluster creation, this name is registered as the cluster computer object (also known as the cluster
name object or CNO) in AD DS. If you specify a NetBIOS name for the cluster, the CNO is created in the same
location where the computer objects for the cluster nodes reside. This can be either the default Computers
container or an OU.
To specify a different location for the CNO, you can enter the distinguished name of an OU in the Cluster
Name box. For example: CN=ClusterName, OU=Clusters, DC=Contoso, DC=com.
If a domain administrator has prestaged the CNO in a different OU than where the cluster nodes reside,
specify the distinguished name that the domain administrator provides.
If the server does not have a network adapter that is configured to use DHCP, you must configure one or
more static IP addresses for the failover cluster. Select the check box next to each network that you want to
use for cluster management. Select the Address field next to a selected network, and then enter the IP
address that you want to assign to the cluster. This IP address (or addresses) will be associated with the
cluster name in Domain Name System (DNS).
When you are finished, select Next.
8. On the Confirmation page, review the settings. By default, the Add all eligible storage to the cluster check box
is selected. Clear this check box if you want to do either of the following:
You want to configure storage later.
You plan to create clustered storage spaces through Failover Cluster Manager or through the Failover
Clustering Windows PowerShell cmdlets, and have not yet created storage spaces in File and Storage
Services. For more information, see Deploy Clustered Storage Spaces.
9. Select Next to create the failover cluster.
10. On the Summary page, confirm that the failover cluster was successfully created. If there were any warnings
or errors, view the summary output or select View Report to view the full report. Select Finish.
11. To confirm that the cluster was created, verify that the cluster name is listed under Failover Cluster Manager
in the navigation tree. You can expand the cluster name, and then select items under Nodes, Storage or
Networks to view the associated resources. Realize that it may take some time for the cluster name to
successfully replicate in DNS. After successful DNS registration and replication, if you select All Servers in
Server Manager, the cluster name should be listed as a server with a Manageability status of Online.
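The validation and cluster-creation steps above can also be run from PowerShell, which leaves a scriptable record of exactly which nodes were validated and how the cluster name object was created. The script below is an added example and not part of the original guide: the node names, cluster name and static address are placeholders, and it assumes the FailoverClusters module (installed with the Failover Clustering feature or RSAT) is available.

```powershell
# Added example (not from the original guide): validate and create the WSFC cluster for the
# SQL Always On availability group from PowerShell. Node names, cluster name and IP are placeholders.
Import-Module FailoverClusters

$nodes       = 'sql1.contoso.com', 'sql2.contoso.com'   # placeholder SQL Server nodes
$clusterName = 'ADFSSQLCLU'                               # placeholder cluster name (the CNO in AD DS)
$clusterIp   = '10.0.0.50'                                # placeholder; only needed when no adapter uses DHCP

# 1. Run all validation tests. Only clusters that pass validation are supported; read the report
#    for warnings before continuing. Test-Cluster returns the generated report file.
$report = Test-Cluster -Node $nodes
"Validation report written to: $($report.FullName)"

# 2. Create the cluster. -NoStorage skips "Add all eligible storage to the cluster", since an
#    availability group replicates data with log-based movement and needs no shared disks.
#    To place the CNO in a specific OU, pass its distinguished name as -Name instead, e.g.
#    'CN=ADFSSQLCLU,OU=Clusters,DC=contoso,DC=com'.
$cluster = New-Cluster -Name $clusterName -Node $nodes -StaticAddress $clusterIp -NoStorage

# 3. Confirm the nodes joined and the cluster name resource is online (DNS replication can lag).
Get-ClusterNode -Cluster $cluster.Name | Select-Object Name, State
Get-ClusterResource -Cluster $cluster.Name |
    Where-Object ResourceType -eq 'Network Name' |
    Select-Object Name, State
```

Prestaging the CNO in a dedicated OU, as the guide describes, is what lets you grant the cluster object only the rights it needs instead of inheriting the default Computers container permissions.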
7. On the Select Databases page, the grid lists user databases on the connected server instance that are eligible
to become the availability databases. Select one or more of the listed databases to participate in the new
availability group. These databases will initially be the initial primary databases. For each listed database, the
Size column displays the database size, if known. The Status column indicates whether a given database
meets the prerequisites for availability databases. If the prerequisites are not met, a brief status description
indicates the reason that the database is ineligible; for example, if it does not use the full recovery model. For
more information, click the status description. If you change a database to make it eligible, click Refresh to
update the databases grid. If the database contains a database master key, enter the password for the
database master key in the Password column.
8. On the Specify Replicas page, specify and configure one or more replicas for the new availability group. This
page contains four tabs. The following table introduces these tabs. For more information, see the Specify
Replicas Page (New Availability Group Wizard: Add Replica Wizard) topic.
Replicas: Use this tab to specify each instance of SQL Server that will host a secondary replica. Note that the
server instance to which you are currently connected must host the primary replica.
Backup Preferences: Use this tab to specify your backup preference for the availability group as a whole and
your backup priorities for the individual availability replicas.
NOTE
When the SQL Server service account of a server instance that will host a new availability replica does not already exist as
a login, the New Availability Group Wizard needs to create the login. On the Summary page, the wizard displays the
information for the login that is to be created. If you click Finish, the wizard creates this login for the SQL Server service
account and grants the login CONNECT permission. If you are satisfied with your selections, optionally click Script to
create a script of the steps the wizard will execute. Then, to create and configure the new availability group, click Finish.
11. The Progress page displays the progress of the steps for creating the availability group (configuring
endpoints, creating the availability group, and joining the secondary replica to the group).
12. When these steps complete, the Results page displays the result of each step. If all these steps succeed, the
new availability group is completely configured. If any of the steps result in an error, you might need to
manually complete the configuration or use a wizard for the failed step. For information about the cause of a
given error, click the associated "Error" link in the Result column. When the wizard completes, click Close to
exit.
Add Databases on Secondary Node
1. Restore the artifact database through the UI on the secondary node using the backup files created.
The following document describes the native support for the prompt=login parameter that is available in AD FS.
What is prompt=login?
When applications need to request fresh authentication from Azure AD, meaning that they need Azure AD to re-
authenticate the user even if the user has already been authenticated, they can send the prompt=login
parameter to Azure AD as part of the authentication request.
When this request is for a federated user, Azure AD needs to inform the IdP, like AD FS, that the request is for
fresh authentication.
By default, Azure AD translates prompt=login to wfresh=0 and
wauth=http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password when sending this type
of authentication request to the federated IdP.
These parameters mean:
wfresh=0 : do fresh authentication
wauth=http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password : use
username/password for the fresh authentication request
This can cause problems with corporate intranet and multi-factor authentication scenarios in which an
authentication type other than username and password, as requested by the wauth parameter, is desired.
AD FS in Windows Server 2012 R2 with the July 2016 update rollup introduced native support for the
prompt=login parameter. This means that now Azure AD can send this parameter as-is to AD FS service as part
of Azure AD and Office 365 authentication requests.
NOTE
The prompt=login capability (enabled by the PromptLoginBehavior property) is currently available only in the version
1.0 of the Azure AD Powershell module, in which the cmdlets have names that include “Msol”, such as Set-
MsolDomainFederationSettings. It is not currently available via ‘version 2.0' of the Azure AD PowerShell module, whose
cmdlets have names like “Set-AzureAD*”.
NOTE
The output of Get-MsolDomainFederationSettings by default does not display certain properties in the console. To
view all the properties you should pipe ( | ) its output to Format-List * to force the output of all the properties of the
object.
NOTE
If the value of the property PromptLoginBehavior is empty ( $null ) the behavior of TranslateToFreshPasswordAuth
is used.
Following are the possible values of the PromptLoginBehavior parameter and their meaning:
TranslateToFreshPasswordAuth : the default Azure AD behavior of translating prompt=login to
wauth=http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password and wfresh=0 .
NativeSupport : the prompt=login parameter is sent as is to AD FS. This is the
recommended value if AD FS is in Windows Server 2012 R2 with the July 2016 update rollup or higher.
Disabled : only wfresh=0 is sent to AD FS.
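Putting the notes above together, the following added example (not code from the original article) reads the current PromptLoginBehavior for a federated domain with the MSOnline "Msol" cmdlets named on this page, shows why the default console output hides the property, and switches the domain to NativeSupport only when it is not already set. It assumes the MSOnline module is installed, that you can authenticate with Connect-MsolService, and that contoso.com is a placeholder for your federated domain.

```powershell
# Added example (not from the original article): inspect and set PromptLoginBehavior
# with the MSOnline (Msol) module. Assumptions: MSOnline installed; contoso.com is a placeholder.
Import-Module MSOnline
Connect-MsolService

$domain = 'contoso.com'   # placeholder federated domain

$settings = Get-MsolDomainFederationSettings -DomainName $domain

# The default table view omits PromptLoginBehavior; Format-List * shows every property.
$settings | Format-List *

# An empty ($null) value means Azure AD applies TranslateToFreshPasswordAuth.
$effective = if ($null -eq $settings.PromptLoginBehavior) {
    'TranslateToFreshPasswordAuth (implied by an empty value)'
} else {
    [string]$settings.PromptLoginBehavior
}
"Effective prompt=login handling for ${domain}: $effective"

# Only switch to NativeSupport when the federation server is AD FS 2012 R2 with the
# July 2016 update rollup or later; otherwise AD FS ignores prompt=login and users are
# not re-authenticated when an application asks for fresh sign-in.
if ($settings.PromptLoginBehavior -ne 'NativeSupport') {
    Set-MsolDomainFederationSettings -DomainName $domain -PromptLoginBehavior NativeSupport
    $after = Get-MsolDomainFederationSettings -DomainName $domain
    "PromptLoginBehavior is now: $($after.PromptLoginBehavior)"
}
```

With NativeSupport in place, AD FS decides how to satisfy the fresh-authentication request, so intranet users on Windows Integrated Authentication or certificate-based sign-in are no longer forced to a password prompt by the wauth translation.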
AD FS paginated sign-in
3/5/2021
For AD FS in Windows Server 2019, we've redesigned the sign-in UI. Now, the AD FS sign-in will have the same
look and feel of Azure AD. This will provide users a more consistent sign-in experience, incorporating a centered
and paginated user flow.
What's changing
In AD FS in Windows Server 2012 R2 and 2016, your sign-in screen looked something like this:
We're moving away from displaying a single form located on the right side of the screen.
In AD FS in Windows Server 2019, these are the major design changes that you'll see:
A centered UI . Previously, the sign-in UI existed on the right side of the screen, as shown above. We've
moved the UI front and center to modernize the experience.
Pagination . Instead of providing you a long form to fill out, we've incorporated a new flow that will take you
through the sign-in experience step-by-step. Our telemetry shows that with this approach, our customers
have more successful sign-ins. It also provides us more flexibility to incorporate various authentication
methods, such as phone factor authentication.
On the first page, you'll be asked to enter your username. You may also select the option to “Keep me signed in”
to reduce the frequency of sign-in prompts and remain signed in when it's safe to do so. (This option is disabled
by default.)
On the second page, you'll be presented with authentication options, configured by your administrator. If
allowing external authentication as primary is enabled, this will be included as well.
On the third page, you'll be asked to enter your password (assuming you selected “Password” as your
authentication option).
Enable external authentication as primary, either via PowerShell or through the AD FS Server Manager.
The new paginated sign-in pages are enabled when this feature is enabled. If you are a new customer
to AD FS, you'll receive the new design by default. However, if you are an existing customer with AD FS
2012 R2 or 2016, there are several steps you'll need to take to receive the new design:
Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $true
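The cmdlet above is the last step; the prerequisites from the external-authentication-as-primary article earlier on this page (farm behavior level 4, a registered provider) come first, and skipping them is the usual reason the setting appears to do nothing. The script below is an added example, not code from either article: it checks the farm behavior level, enables additional authentication as primary, and adds one provider to the extranet primary list while keeping Forms Authentication available so a misconfigured provider cannot lock users out. The provider name ContosoExternalOtp is a placeholder for whatever Get-AdfsAuthenticationProvider reports in your farm.

```powershell
# Added example (not from the original articles): enable external authentication as primary
# in AD FS 2019 after checking the prerequisites. "ContosoExternalOtp" is a placeholder name.
Import-Module ADFS

# Prerequisite 1: farm behavior level 4 (AD FS 2019). Raising it is a separate, deliberate step.
$farm = Get-AdfsFarmInformation
if ($farm.CurrentFarmBehavior -lt 4) {
    throw "Farm behavior level is $($farm.CurrentFarmBehavior). Raise it to 4 with Invoke-AdfsFarmBehaviorLevelRaise before enabling this feature."
}

# Prerequisite 2: the external provider must already be registered on the farm.
$providerName = 'ContosoExternalOtp'   # placeholder
$registered = (Get-AdfsAuthenticationProvider).Name
if ($registered -notcontains $providerName) {
    throw "Provider '$providerName' is not registered. Registered providers: $($registered -join ', ')"
}

# Enable external providers as primary; this also turns on the paginated sign-in pages.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.AllowAdditionalAuthenticationAsPrimary) {
    Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $true
    $policy = Get-AdfsGlobalAuthenticationPolicy
}

# Offer the provider as a primary method for extranet sign-in. Keep FormsAuthentication in the
# list until the new method has been validated with real users; with two methods enabled,
# users get the choice page described above instead of being forced onto one method.
$extranet = @($policy.PrimaryExtranetAuthenticationProvider)
if ($extranet -notcontains 'FormsAuthentication') { $extranet += 'FormsAuthentication' }
if ($extranet -notcontains $providerName)         { $extranet += $providerName }
Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider $extranet

Get-AdfsGlobalAuthenticationPolicy |
    Select-Object AllowAdditionalAuthenticationAsPrimary,
                  PrimaryExtranetAuthenticationProvider,
                  PrimaryIntranetAuthenticationProvider
```

Once the provider is shown to work, the password-free scenario is reached by removing FormsAuthentication from the primary lists, which is what stops password-spray traffic from ever reaching a password check.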
Customization
The options for customization will still be applicable for AD FS 2019. Below are some links to other documents
for your reference.
• For those who do not plan to upgrade their servers to AD FS 2019 but still want the new design: Using an
Azure AD UX Web Theme in Active Directory Federation Services
• A central location for customization: AD FS user sign-in customization
AD FS Single Sign-On Settings
3/5/2021
Single Sign-On (SSO) allows users to authenticate once and access multiple resources without being prompted
for additional credentials. This article describes the default AD FS behavior for SSO, as well as the configuration
settings that allow you to customize this behavior.
Enable/disable "keep me signed in": Set-AdfsProperties -EnableKmsi <Boolean>. The "Keep me signed in" feature is
disabled by default. If it is enabled, the end user will see a "keep me signed in" choice on the AD FS sign-in page.
The device usage window (14 days by default) is governed by the AD FS property
DeviceUsageWindowInDays .
Set-AdfsProperties -DeviceUsageWindowInDays
The maximum single Sign-On period (90 days by default) is governed by the AD FS property
PersistentSsoLifetimeMins .
Set-AdfsProperties -PersistentSsoLifetimeMins
With KMSI disabled, the default single sign-on period is 8 hours. This can be configured using the property
SsoLifetime. The property is measured in minutes, so its default value is 480.
With KMSI enabled, the default single sign-on period is 24 hours. This can be configured using the property
KmsiLifetimeMins. The property is measured in minutes, so its default value is 1440.
PSSO revocation
To protect users, AD FS will reject any persistent SSO cookie previously issued when any of the following conditions
is met. The user must then provide their credentials again to authenticate with AD FS.
User changes password
Persistent SSO setting is disabled in AD FS
Device is disabled by the administrator because it was lost or stolen
AD FS receives a persistent SSO cookie which is issued for a registered user but the user or the device is
not registered anymore
AD FS receives a persistent SSO cookie for a registered user but the user re-registered
AD FS receives a persistent SSO cookie which is issued as a result of “keep me signed in” but “keep me
signed in” setting is disabled in AD FS
AD FS receives a persistent SSO cookie which is issued for a registered user but device certificate is
missing or altered during authentication
AD FS administrator has set a cutoff time for persistent SSO. When this is configured, AD FS will reject
any persistent SSO cookie issued before this time
To set the cutoff time, run the following PowerShell cmdlet:
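The following added example (not the article's own command) shows the lifetime properties from this article being read back and compared against their defaults, and wraps the cutoff-time revocation in a function you can call after a suspected cookie theft. It assumes PersistentSsoCutoffTime is the Set-AdfsProperties parameter that sets the cutoff described above; that parameter name is not printed on this page.

```powershell
# Added example (not from the original article): audit the AD FS SSO lifetimes described above
# and revoke persistent SSO cookies by setting a cutoff time.
# Assumption: -PersistentSsoCutoffTime is the Set-AdfsProperties parameter for the cutoff.
Import-Module ADFS

function Get-AdfsSsoPosture {
    # Collects the SSO-related properties into one object.
    $p = Get-AdfsProperties
    [pscustomobject]@{
        KmsiEnabled               = $p.EnableKmsi                 # "keep me signed in" offered on sign-in page
        SsoLifetimeMins           = $p.SsoLifetime                # default 480 (8 h), applies with KMSI off
        KmsiLifetimeMins          = $p.KmsiLifetimeMins           # default 1440 (24 h), applies with KMSI on
        PersistentSsoLifetimeMins = $p.PersistentSsoLifetimeMins  # default 129600 (90 days), registered devices
        DeviceUsageWindowInDays   = $p.DeviceUsageWindowInDays    # default 14
        PersistentSsoCutoffTime   = $p.PersistentSsoCutoffTime    # cookies issued before this are rejected
    }
}

function Test-AdfsSsoPosture {
    # Flags any lifetime raised above the article's defaults (or your own ceilings).
    param([int]$MaxSsoMins = 480, [int]$MaxKmsiMins = 1440, [int]$MaxPersistentDays = 90)
    $s = Get-AdfsSsoPosture
    $findings = @()
    if ($s.SsoLifetimeMins -gt $MaxSsoMins) {
        $findings += "SsoLifetime is $($s.SsoLifetimeMins) min; ceiling is $MaxSsoMins"
    }
    if ($s.KmsiEnabled -and $s.KmsiLifetimeMins -gt $MaxKmsiMins) {
        $findings += "KmsiLifetimeMins is $($s.KmsiLifetimeMins) min; ceiling is $MaxKmsiMins"
    }
    if ($s.PersistentSsoLifetimeMins -gt ($MaxPersistentDays * 1440)) {
        $findings += "PersistentSsoLifetimeMins is $($s.PersistentSsoLifetimeMins) min; ceiling is $MaxPersistentDays days"
    }
    if ($findings.Count -eq 0) { 'SSO lifetimes are at or below the configured ceilings.' } else { $findings }
}

function Revoke-AdfsPersistentSso {
    # Every persistent SSO cookie issued before the cutoff is rejected and the user must sign in again.
    param([datetime]$CutoffTime = (Get-Date))
    Set-AdfsProperties -PersistentSsoCutoffTime $CutoffTime
    (Get-AdfsProperties).PersistentSsoCutoffTime
}

Get-AdfsSsoPosture | Format-List
Test-AdfsSsoPosture
# Revoke-AdfsPersistentSso      # uncomment to invalidate all outstanding persistent SSO cookies now
```

Moving the cutoff time forward is the broadest of the revocation triggers listed above: it does not depend on a password change or device state, so it is the control to reach for when a persistent SSO cookie may have been copied off a device.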
Overview
Today AD FS is made highly available by setting up an AD FS farm. Some organizations would like a way to have
a single server AD FS deployment, eliminating the need for multiple AD FS servers and network load balancing
infrastructure, while still having some assurance that service can be restored quickly if there is a problem. The
new AD FS Rapid Restore tool provides a way to restore AD FS data without requiring a full backup and restore
of the operating system or system state. You can use the new tool to export AD FS configuration either to Azure
or to an on-premises location. Then you can apply the exported data to a fresh AD FS installation, re-creating or
duplicating the AD FS environment.
Scenarios
The AD FS Rapid Restore tool can be used in the following scenarios:
1. Quickly restore AD FS functionality after a problem
Use the tool to create a cold standby installation of AD FS that can be quickly deployed in place of the
online AD FS server
2. Deploy identical test and production environments
Use the tool to quickly create an accurate copy of the production AD FS in a test environment, or to
quickly deploy a validated test configuration to production
3. Migrate from a SQL based configuration to WID and vice versa
Use the tool to move from a SQL based farm configuration to WID or vice versa.
NOTE
If you are using SQL Merge Replication or Always On Availability Groups, the Rapid Restore tool is not supported. We
recommend using SQL based backups and a backup of the SSL certificate as an alternative.
What is backed up
The tool backs up the following AD FS configuration
AD FS configuration database (SQL or WID)
Configuration file (located in AD FS folder)
Automatically generated token signing and decrypting certificates and private keys (from the Active
Directory DKM container)
SSL certificate and any externally enrolled certificates (token signing, token decryption and service
communication) and corresponding private keys (note: private keys must be exportable and the user running
the script must have permissions to access them)
A list of the custom authentication providers, attribute stores, and local claims provider trusts that are
installed.
NOTE
If you are using the Windows Internal Database (WID), then this tool needs to be run on the primary AD FS server. You
can use the Get-AdfsSyncProperties PowerShell cmdlet to determine whether or not the server you are on is the
primary server.
System requirements
This tool works for AD FS in Windows Server 2012 R2 and later.
The required .NET framework is at least 4.0.
The restore must be done on an AD FS server of the same version as the backup and that uses the same
Active Directory account as the AD FS service account.
Create a backup
To create a backup, use the Backup-ADFS cmdlet. This cmdlet backs up the AD FS configuration, database, SSL
certificates, etc.
The user has to be at least a local admin to run this cmdlet. To backup the Active Directory DKM container
(required in the default AD FS configuration), the user either has to be domain admin, needs to pass in the AD
FS service account credentials, or has access to the DKM container. If you are using a gMSA account, the user
must be domain admin or have permissions to the container; you cannot provide the gMSA credentials.
The backup will be named according to the pattern "adfsBackup_ID_Date-Time". It will contain the version
number, date and time that the backup was done. The cmdlet takes the following parameters:
Parameter Sets
Detailed description
BackupDKM - Backs up the Active Directory DKM container that contains the AD FS keys in the default
configuration (automatically generated token signing and decrypting certificates). This uses an AD Tool
'ldifde' to export the AD Container and all its subtrees.
-StorageType <string> - The type of storage the user wants to use. "FileSystem" indicates that the backup is
stored in a folder locally or on the network; "Azure" indicates that it is stored in an Azure Storage container.
When performing the backup, the user selects the backup location, either the file system or the cloud. For
Azure to be used, Azure Storage credentials (the account name and key) must be passed to the cmdlet, together
with a container name. If the container doesn't exist, it is created during the backup. For the file system to be
used, a storage path must be given. In that directory, a new directory will be created for each backup, containing
the backed up files.
EncryptionPassword <string> - The password that is going to be used to encrypt all the backed up
files before storing them
AzureConnectionCredentials <pscredential> - The account name and key for the Azure storage
account
AzureStorageContainer <string> - The storage container where the backup will be stored in Azure
StoragePath <string> - The location the backups will be stored in
Ser viceAccountCredential <pscredential> - specifies the service account being used for the AD FS
Service running currently. This parameter is only needed if the user would like to backup the DKM and is
not domain admin or does not have access to the container's contents.
BackupComment <string[]> - An informational string about the backup that will be displayed during
the restore, similar to the concept of Hyper-V checkpoint naming. The default is an empty string
Backup examples
The following are backup examples for using the AD FS Rapid Restore Tool.
Backup the AD FS configuration, with the DKM, to the File System, and has access to the DKM container
contents (either domain admin or delegated)
Backup the AD FS configuration, with the DKM, to the file system with the service account credential,
running as local admin
Backup the AD FS configuration without the DKM to the Azure Storage Container.
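The second scenario above (local admin, DKM included, service account credential supplied), as an added example that is not from the tool's documentation. The UNC path, service account name and comment are assumed placeholders, and the tool's module is assumed to be imported already.

```powershell
# Added example: back up the AD FS configuration including the DKM container,
# running as a local administrator and passing the AD FS service account
# credential so the tool can read the DKM container. All names are placeholders.

# Prompt for the passphrase instead of embedding it in the script; the cmdlet
# takes a plain string, so convert only at the moment it is needed.
$securePass = Read-Host -Prompt 'Backup encryption passphrase' -AsSecureString
$plainPass  = (New-Object System.Net.NetworkCredential('', $securePass)).Password

# Credential of the account that runs the AD FS service (assumed name).
$svcCred = Get-Credential -UserName 'CONTOSO\svc_adfs' -Message 'AD FS service account'

# Assumed UNC path; the tool creates one sub-directory per backup here.
$backupRoot = '\\backupsrv\adfs$'

Backup-ADFS -BackupDKM `
            -StorageType 'FileSystem' `
            -StoragePath $backupRoot `
            -EncryptionPassword $plainPass `
            -ServiceAccountCredential $svcCred `
            -BackupComment 'Pre-upgrade baseline'

# Confirm a new adfsBackup_* directory was written and locate the tool's log
# (written under %LOCALAPPDATA%\ADFSRapidRecreationTool, as the article notes).
Get-ChildItem -Path $backupRoot -Directory -Filter 'adfsBackup_*' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 Name, LastWriteTime

Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'ADFSRapidRecreationTool') -Filter '*.log' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 FullName, LastWriteTime
```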
Parameter Sets - Detailed description (Restore-ADFS)
-StorageType <string> - The type of storage the user wants to use. "FileSystem" indicates that the user wants to read it from a folder locally or on the network; "Azure" indicates that the user wants to read it from the Azure Storage container.
-DecryptionPassword <string> - The password that was used to encrypt all the backed up files.
-AzureConnectionCredentials <pscredential> - The account name and key for the Azure storage account.
-AzureStorageContainer <string> - The storage container where the backup is stored in Azure.
-StoragePath <string> - The location the backups are stored in.
-ADFSName <string> - The name of the federation service that was backed up and is going to be restored. If this is not provided and there is only one federation service name, then that will be used. If there is more than one federation service backed up to the location, then the user is prompted to choose one of the backed up federation services.
-ServiceAccountCredential <pscredential> - Specifies the service account that will be used for the new AD FS service being restored.
-GroupServiceAccountIdentifier <string> - The gMSA that the user wants to use for the new AD FS service being restored. By default, if neither is provided, then the backed up account name is used if it was a gMSA; otherwise the user is prompted to enter a service account.
-DBConnectionString <string> - If the user would like to use a different database for the restore, they should pass the SQL connection string, or the string WID to use the Windows Internal Database.
-Force <bool> - Skip the prompts that the tool might show once the backup is chosen.
-RestoreDKM <bool> - Restore the DKM container to AD. Should be set if going to a new AD and the DKM was backed up initially.
Restore examples
Restore the AD FS configuration without the DKM from the Azure Storage Container
Restore-ADFS -StorageType "Azure" -AzureConnectionCredential $cred -DecryptionPassword "password" -AzureStorageContainer "adfsbackups"
Restore the AD FS configuration without the DKM from the File System
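The file-system restore scenario above, as an added example that is not from the tool's documentation: restore onto a freshly installed server of the same AD FS version, using a gMSA for the new service and the Windows Internal Database. The share path, federation service name and gMSA name are assumed placeholders.

```powershell
# Added example: restore the AD FS configuration (without the DKM) from a
# file-system backup onto a new server. All names are placeholders.
$backupRoot = '\\backupsrv\adfs$'

$securePass = Read-Host -Prompt 'Backup decryption passphrase' -AsSecureString
$plainPass  = (New-Object System.Net.NetworkCredential('', $securePass)).Password

# List the backups first so you know which adfsBackup_* directory (and which
# federation service) you are about to restore; -Force skips the tool's prompts.
Get-ChildItem -Path $backupRoot -Directory -Filter 'adfsBackup_*' |
    Sort-Object LastWriteTime -Descending |
    Format-Table Name, LastWriteTime -AutoSize

Restore-ADFS -StorageType 'FileSystem' `
             -StoragePath $backupRoot `
             -DecryptionPassword $plainPass `
             -ADFSName 'fs.contoso.com' `
             -GroupServiceAccountIdentifier 'CONTOSO\gmsa_adfs$' `
             -DBConnectionString 'WID' `
             -Force:$true

# After the service starts, confirm this node is the primary of the new farm
# and that the federation service properties came back as expected.
Get-AdfsSyncProperties | Select-Object Role, LastSyncStatus
Get-AdfsProperties     | Select-Object HostName, Identifier
```

If a PostRestore_Instructions file was written, the additional authentication providers, attribute stores and local claims provider trusts it lists still have to be installed by hand before the service is started.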
Encryption information
All backup data is encrypted before pushing it to the cloud or storing it in the file system.
Each document that is created as part of the backup is encrypted using AES-256. The password passed into the tool is used as a passphrase to derive the key using the Rfc2898DeriveBytes class. RNGCryptoServiceProvider is used to generate the salt used by AES and the Rfc2898DeriveBytes class.
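The scheme just described, as an added example that is not the tool's code: a random salt from RNGCryptoServiceProvider, a key derived from the passphrase with Rfc2898DeriveBytes, and AES-256 for each document. The iteration count and the output layout (salt followed by ciphertext) are assumptions; the tool's own file layout is not described here.

```powershell
# Added example of the described scheme (not the tool's code). Iteration count
# and the salt||ciphertext layout are assumptions.
$Iterations = 100000   # assumed; a higher count makes passphrase guessing slower
$SaltLength = 16

function Protect-Document {
    param([Parameter(Mandatory)][byte[]]$Plaintext,
          [Parameter(Mandatory)][string]$Passphrase)
    $salt = New-Object byte[] $SaltLength
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($salt)                       # fresh random salt per document

    # Key and IV are consecutive bytes of the PBKDF2 (RFC 2898) output stream.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Passphrase, $salt, $Iterations)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Key = $kdf.GetBytes(32)
    $aes.IV  = $kdf.GetBytes(16)

    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $aes.Dispose(); $kdf.Dispose(); $rng.Dispose()
    return [byte[]]($salt + $ciphertext)       # the salt is not secret; it is stored with the data
}

function Unprotect-Document {
    param([Parameter(Mandatory)][byte[]]$Blob,
          [Parameter(Mandatory)][string]$Passphrase)
    $salt       = [byte[]]$Blob[0..($SaltLength - 1)]
    $ciphertext = [byte[]]$Blob[$SaltLength..($Blob.Length - 1)]

    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Passphrase, $salt, $Iterations)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Key = $kdf.GetBytes(32)
    $aes.IV  = $kdf.GetBytes(16)
    try {
        # A wrong passphrase normally surfaces here as a padding error.
        return $aes.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
    } finally {
        $aes.Dispose(); $kdf.Dispose()
    }
}

# Round trip on a constructed sample document.
$doc  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: AD FS configuration export')
$blob = Protect-Document -Plaintext $doc -Passphrase 'example-passphrase'
$back = [System.Text.Encoding]::UTF8.GetString((Unprotect-Document -Blob $blob -Passphrase 'example-passphrase'))
$back -eq 'constructed sample: AD FS configuration export'
```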
Log Files
Every time a backup or restore is performed, a log file is created. These can be found at the following location:
%LOCALAPPDATA%\ADFSRapidRecreationTool
NOTE
When performing a restore a PostRestore_Instructions file might be created containing an overview of the additional
authentication providers, attribute stores and local claims provider trusts to be installed manually before starting the AD
FS service.
NOTE
Old backups will not work with the new version due to changes in encryption algorithms as per FIPS compliance.
On many networks, local firewall policies might not allow traffic through non-standard ports like 49443. This became an issue when trying to accomplish certificate authentication with AD FS prior to AD FS in Windows Server 2016, because you could not have different bindings for device authentication and user certificate authentication on the same host. The default port 443 is bound to receive device certificates and cannot be altered to support multiple bindings in the same channel. The result was that smart card authentication would not work, and users were unaware of what happened since there is no indication of what really happened.
In AD FS on Windows Server 2016 this has changed. Two modes are now supported: the first uses the same host (i.e. adfs.contoso.com) with different ports (443, 49443). The second uses different hosts (adfs.contoso.com and certauth.adfs.contoso.com) with the same port (443). This requires an SSL certificate that supports "certauth." as an alternate subject name. This can be done at the time of the farm creation or later via PowerShell.
Additional references
Managing SSL Certificates in AD FS and WAP in Windows Server 2016
AD FS user sign-in customization
3/5/2021 • 2 minutes to read
AD FS provides a number of options for administrators to customize and tailor the end-user experience to meet
their corporate needs. The following page will serve as a central location for customization. You can use the table
below to quickly find your customization option.
Topic - Description
AD FS Customization in Windows Server 2016 - New customization options available for AD FS in Windows Server 2016
Change the company name - Steps for displaying your company's name on the sign-in page
Change the company logo - Steps for changing the logo that appears on the sign-in page
Change the illustration - Steps for changing the illustration that appears on the sign-in page
Add sign-in description - Steps for adding a description to the sign-in page
Add help desk link - Steps for adding a help desk link
Update Password Customization - Steps for enabling and customizing the update password page
Multi-factor authentication and external auth providers customization - Information on using MFA and external auth providers
Customizing the display names and descriptions for authentication methods - Steps on customizing display names and descriptions for authentication methods
User accounts and computer accounts that require access to a resource that is protected by Active Directory
Federation Services (AD FS) are stored in an attribute store, such as Active Directory Domain Services (AD DS).
The claims issuance engine uses attribute stores to gather data that is necessary to issue claims. Data from the
attribute stores is then projected as claims.
You can use the following procedure to add an attribute store to the Federation Service.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
To add an attribute store
1. Open AD FS Management.
2. Under Actions, click Add an attribute store.
3. In the Add an attribute store dialog box, configure the following properties for the attribute store that you want to add:
- In Display name, type the name that you want to use to identify the attribute store.
- In Attribute store type, select a supported attribute store type, either Active Directory, LDAP, or SQL.
- In Connection string, if you have selected either a Lightweight Directory Access Protocol (LDAP) store or a Structured Query Language (SQL) store, enter the string that you used to establish a connection to the attribute store. For Active Directory attribute stores, no connection string is necessary; therefore, this field is disabled.
NOTE
AD FS automatically creates an Active Directory attribute store, by default.
4. Click OK.
Additional references
AD FS Operations
The Role of Attribute Stores
Compound authentication and AD DS claims in AD FS
3/5/2021 • 9 minutes to read
Windows Server 2012 enhances Kerberos authentication by introducing compound authentication. Compound
authentication enables a Kerberos Ticket-Granting Service (TGS) request to include two identities:
the identity of the user
the identity of the user's device.
Windows accomplishes compound authentication by extending Kerberos Flexible Authentication Secure
Tunneling (FAST), or Kerberos armoring.
AD FS 2012 and later versions allow consumption of AD DS-issued user or device claims that reside in a Kerberos authentication ticket. In previous versions of AD FS, the claims engine could only read user and group security IDs (SIDs) from Kerberos but was not able to read any claims information contained within a Kerberos ticket.
You can enable richer access control for federated applications by using Active Directory Domain Services (AD
DS)-issued user and device claims together, with Active Directory Federation Services (AD FS).
Requirements
1. The computers accessing federated applications must authenticate to AD FS using Windows Integrated Authentication.
- Windows Integrated Authentication is only available when connecting to the backend AD FS servers.
- Computers must be able to reach the backend AD FS servers for the Federation Service Name.
- AD FS servers must offer Windows Integrated Authentication as a primary authentication method in their intranet settings.
2. The policy Kerberos client support for claims, compound authentication and Kerberos armoring must be applied to all computers accessing federated applications that are protected by compound authentication. This is applicable in single-forest and cross-forest scenarios.
3. The domain housing the AD FS servers must have the KDC support for claims, compound authentication and Kerberos armoring policy setting applied to the domain controllers.
5. In the new dialog window, set KDC support for claims to Enabled.
6. Under Options, select Supported from the drop-down menu and then click Apply and OK.
Step 2: Enable Kerberos client support for claims, compound authentication, and Kerberos armoring on
computers accessing federated applications
1. On a Group Policy applied to the computers accessing federated applications, in the Group Policy
Management Editor , under Computer Configuration , expand Policies , expand Administrative
Templates , expand System , and select Kerberos .
2. In the right pane of the Group Policy Management Editor window, double-click Kerberos client support for claims, compound authentication, and Kerberos armoring.
3. In the new dialog window, set Kerberos client support to Enabled and click Apply and OK .
4. Close the Group Policy Management Editor.
Step 3: Ensure the AD FS servers have been updated.
You need to ensure that the following updates are installed on your AD FS servers.
Hotfix 3052122 - This update adds support for compound ID claims in Active Directory Federation Services.
NOTE
In a WID based farm, the PowerShell command must be executed on the Primary AD FS Server. In a SQL based farm, the
PowerShell command may be executed on any AD FS server that is a member of the farm.
Step 6: Enable the compound authentication bit on the msDS-SupportedEncryptionTypes attribute
1. Enable the compound authentication bit on the msDS-SupportedEncryptionTypes attribute on the account you designated to run the AD FS service using the Set-ADServiceAccount PowerShell cmdlet.
NOTE
If you change the service account, then you must manually enable compound authentication by running the Set-ADUser -CompoundIdentitySupported:$true Windows PowerShell cmdlet.
Step 8: On the relying party where the 'WindowsDeviceGroup' claims are expected, add a similar 'Pass-through' or 'Transform' claim rule.
2. In AD FS Management, click Relying Party Trusts and in the right pane, right-click your RP and select Edit Claim Rules.
3. On the Issuance Transform Rules click Add Rule .
4. On the Add Transform Claim Rule Wizard select Pass Through or Filter an Incoming Claim and click
Next .
5. Add a display name and select Windows device group from the Incoming claim type drop-down.
6. Click Finish . Click Apply and Ok .
NOTE
In a WID based farm, the PowerShell command must be executed on the Primary AD FS Server. In a SQL based farm, the
PowerShell command may be executed on any AD FS server that is a member of the farm.
Step 4: Enable the compound authentication bit on the msDS-SupportedEncryptionTypes attribute
1. Enable the compound authentication bit on the msDS-SupportedEncryptionTypes attribute on the account you designated to run the AD FS service using the Set-ADServiceAccount PowerShell cmdlet.
NOTE
If you change the service account, then you must manually enable compound authentication by running the Set-ADUser -CompoundIdentitySupported:$true Windows PowerShell cmdlet.
NOTE
Once 'CompoundIdentitySupported' is set to true, installation of the same gMSA on new servers (2012 R2/2016) fails with the following error: Install-ADServiceAccount : Cannot install service account. Error Message: 'The provided context did not match the target.'
Solution: Temporarily set CompoundIdentitySupported to $false. This step causes AD FS to stop issuing WindowsDeviceGroup claims.
Set-ADServiceAccount -Identity 'ADFS Service Account' -CompoundIdentitySupported:$false
Install the gMSA on the new server and then set CompoundIdentitySupported back to $true. Disabling CompoundIdentitySupported and then re-enabling it does not require the AD FS service to be restarted.
Validation
To validate the release of 'WindowsDeviceGroup' claims, create a test claims-aware application using .NET 4.6 with WIF SDK 4.0. Configure the application as a relying party in AD FS and update it with the claim rule as specified in the steps above. When authenticating to the application using the Windows Integrated Authentication provider of AD FS, the following claims are created.
The claims for the computer/device may now be consumed for richer access controls.
For example, the following AdditionalAuthenticationRules tell AD FS to invoke MFA if the authenticating user is not a member of the security group "S-1-5-21-2134745077-1211275016-3050530490-1117" AND the computer (where the user is authenticating from) is not a member of the security group "S-1-5-21-2134745077-1211275016-3050530490-1115" (WindowsDeviceGroup).
However, if either membership holds (the user or the computer is in its group), do not invoke MFA.
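The two rules described above (the step 8 pass-through rule for the Windows device group claim and the MFA rule for the example SIDs), written in the AD FS claim rule language and applied to a relying party with PowerShell. This is an added example, not the article's own code; the relying party name is an assumed placeholder and the SIDs are the article's sample values.

```powershell
# Added example (not from the article). Run on the primary AD FS server of a
# WID farm. The relying party name is a placeholder; the SIDs are the
# article's sample values.
$rpName         = 'Claims Aware Test App'
$userGroupSid   = 'S-1-5-21-2134745077-1211275016-3050530490-1117'   # user security group
$deviceGroupSid = 'S-1-5-21-2134745077-1211275016-3050530490-1115'   # WindowsDeviceGroup

$groupSidType   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$deviceGrpType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup'
$authMethodType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'

# Step 8: pass the Windows device group claims through to the relying party.
$passThrough = @"
@RuleName = "Pass through Windows device group"
c:[Type == "$deviceGrpType"]
 => issue(claim = c);
"@

# MFA rule: no matching user group claim AND no matching device group claim
# => require MFA. A computer that was never set up for compound authentication
# carries no device group claim at all, so it ends up on the MFA side.
$mfaRule = @"
@RuleName = "Require MFA unless user or device is in a trusted group"
NOT EXISTS([Type == "$groupSidType", Value == "$userGroupSid"])
 && NOT EXISTS([Type == "$deviceGrpType", Value == "$deviceGroupSid"])
 => issue(Type = "$authMethodType", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# IssuanceTransformRules is replaced as a whole, so append to the existing set
# rather than overwrite it.
$rp       = Get-AdfsRelyingPartyTrust -Name $rpName
$newRules = ($rp.IssuanceTransformRules, $passThrough) -join "`n"
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $newRules `
    -AdditionalAuthenticationRules $mfaRule

# Read back what was stored.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, IssuanceTransformRules, AdditionalAuthenticationRules
```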
Prerequisites
1. Determine the mode of AD FS user certificate authentication you want to enable using one of the modes
described in this article
2. Ensure that your user certificate trust chain is installed & trusted by all AD FS and WAP servers including any
intermediate certificate authorities. Usually this is done via GPO on AD FS / WAP servers
3. Ensure that the root certificate of the chain of trust for your user certificates is in the NTAuth store in Active
Directory
4. If using AD FS in alternate certificate authentication mode, ensure that your AD FS and WAP servers have
SSL certificates that contain the AD FS hostname prefixed with "certauth", for example
"certauth.fs.contoso.com", and that traffic to this hostname is allowed through the firewall
5. If using certificate authentication from the extranet, ensure that at least one AIA and at least one CDP or
OCSP location from the list specified in your certificates are accessible from the internet.
6. Also for Azure AD certificate authentication, for Exchange ActiveSync clients, the client certificate must have the user's routable email address in Exchange Online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. (Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.)
7. AD FS does not support Username Hints with SmartCard/Certificate based authentication.
Configure allowed issuing certification authorities for client certificates using the guidance under
"Management of trusted issuers for client authentication" in this article.
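Prerequisite 4 above and the alternate-hostname mode described earlier both depend on the TLS certificate carrying "certauth.<federation service name>" as a subject alternative name. The following is an added check, not from the article, that reads the federation service's port 443 binding on an AD FS server and reports whether that name is present and the chain is trusted. The output property names are my own; on a WAP server the binding would come from Get-WebApplicationProxySslCertificate instead.

```powershell
# Added example (not from the article): verify the certauth SAN and chain
# trust for the TLS certificate bound to the federation service on port 443.
function Test-AdfsCertauthBinding {
    $fsName       = (Get-AdfsProperties).HostName
    $certauthName = "certauth.$fsName"

    $binding = Get-AdfsSslCertificate |
        Where-Object { $_.HostName -eq $fsName -and $_.PortNumber -eq 443 } |
        Select-Object -First 1
    if (-not $binding) { throw "No TLS binding found for $fsName on port 443" }

    $cert = Get-Item -Path ("Cert:\LocalMachine\My\" + $binding.CertificateHash)

    # Read DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    }

    [pscustomobject]@{
        FederationService = $fsName
        Thumbprint        = $cert.Thumbprint
        HasCertauthSan    = ($dnsNames -contains $certauthName.ToLowerInvariant()) -or
                            ($dnsNames -contains "*.$fsName".ToLowerInvariant())
        ChainTrusted      = $cert.Verify()     # builds the chain and checks revocation
        NotAfter          = $cert.NotAfter
        DnsNames          = ($dnsNames -join ', ')
    }
}

Test-AdfsCertauthBinding
```

Run it on every AD FS server in the farm; a server whose certificate lacks the name will fail certificate authentication only when it happens to serve the request, which is exactly the intermittent pattern the troubleshooting tip below is meant to isolate.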
You may want to consider modifying the sign-in pages to suit the needs of your end users when doing
certificate authentication. Common cases are to (a) Change 'Sign-in with your X509 certificate' to something
more end user friendly
Tip : You can target a single AD FS or WAP server for easier troubleshooting by configuring DNS resolution
(HOSTS file on Windows) to point to a specific server. This allows you to enable tracing targeting a server.
Check if this is a Server Name Indication (SNI) issue
AD FS requires the client device (or browsers) and the load balancers to support SNI. Some client devices
(usually older versions of Android) may not support SNI. Additionally, load balancers may not support SNI or
have not been configured for SNI. In these instances you are likely to see user certification failures.
1. Work with your network engineer to ensure that the load balancer for AD FS/WAP supports SNI.
2. In the event that SNI can't be supported, AD FS has a workaround; follow the steps below:
- Open an elevated command prompt window on the primary AD FS server.
- Type in: netsh http show sslcert
- Copy the 'application GUID' and 'certificate hash' of the federation service.
- Type in: netsh http add sslcert ipport=0.0.0.0:{your_certauth_port} certhash={your_certhash} appid={your_applicationGUID}
Check if the client device has been provisioned with the certificate correctly
You may notice that some devices are working correctly but other devices are not. In this case, it is usually a
result of the user certificate not being provisioned correctly on the client device. Follow the steps below.
1. If the issue is specific to an Android device, the most common issue is that the certificate chain is not fully
trusted on the Android device. Refer to your MDM vendor to ensure that the certificate has been provisioned
correctly and the entire chain is fully trusted on the Android device.
2. If the issue is specific to a Windows device, check if the certificate is provisioned correctly by checking the
Windows Cert Store for the logged in user (not system/computer).
3. Export the client user certificate to a .cer file and run the command 'certutil -f -urlfetch -verify certificatefilename.cer'
Check if the TLS version is compatible between AD FS/WAP servers and the client device
In rare cases, a client device (typically a mobile device) is updated to only support a higher version of TLS (say 1.3), or you may have the reverse problem where AD FS/WAP servers were updated to only use a higher TLS version and the client device does not support it. You can use online SSL tools to check your AD FS/WAP servers and see if they are compatible with the device. For more information on how to control the TLS versions, see this link.
Check if Azure AD PromptLoginBehavior is configured correctly on your federated domain settings
Many Office 365 applications send prompt=login to Azure AD. Azure AD, by default, converts it to a fresh
password login to AD FS. As a result, even if you have configured certificate authentication in AD FS, your end
users will only see a password login.
1. Get the federated domain settings using the 'Get-MsolDomainFederationSettings' cmdlet
2. Ensure that the PromptLoginBehavior parameter is set to one of 'Disabled' or 'NativeSupport'
For more information see this link.
Additional Troubleshooting
These are rare occurrences.
1. If your CRLs are very long, the download may time out. In that case you need to update the 'MaxFieldLength' and 'MaxRequestBytes' values as per https://support.microsoft.com/help/820129/http-sys-registry-settings-for-windows
Claim type - Value
https://schemas.microsoft.com/2012/12/certificatecontext/field/x509version - 3
https://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm - sha256RSA
https://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage - DigitalSignature
https://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage - KeyEncipherment
https://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier - 9D11941EC06FACCCCB1B116B56AA97F3987D620A
https://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier - KeyID=d6 13 e3 6b bc e5 d8 15 52 0a fd 36 6a d5 0b 51 f3 0b 25 7f
https://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename - User
https://schemas.microsoft.com/2012/12/certificatecontext/extension/eku - 1.3.6.1.4.1.311.10.3.4
Related Links
Configure alternate hostname binding for AD FS certificate authentication
Configure certificate authorities in Azure AD
Configure Azure MFA as authentication provider with AD FS
6/17/2021 • 13 minutes to read
If your organization is federated with Azure AD, you can use Azure Multi-Factor Authentication to secure AD FS
resources, both on-premises and in the cloud. Azure MFA enables you to eliminate passwords and provide a
more secure way to authenticate. Starting with Windows Server 2016, you can now configure Azure MFA for
primary authentication or use it as an additional authentication provider.
Unlike with AD FS in Windows Server 2012 R2, the AD FS 2016 Azure MFA adapter integrates directly with Azure AD and does not require an on-premises Azure MFA server. The Azure MFA adapter is built into Windows Server 2016, and there is no need for additional installation.
NOTE
Previously, users were required to authenticate with MFA for registration (visiting https://account.activedirectory.windowsazure.com/Proofup.aspx, for example via the shortcut https://aka.ms/mfasetup). Now, an AD FS user who has not yet registered MFA verification information can access Azure AD's proofup page via the shortcut https://aka.ms/mfasetup using only primary authentication (such as Windows Integrated Authentication or username and password via the AD FS web pages). If the user has no verification methods configured, Azure AD will perform inline registration in which the user sees the message "Your admin has required that you set up this account for additional security verification", and the user can then select "Set it up now". Users who already have at least one MFA verification method configured will still be prompted to provide MFA when visiting the proofup page.
NOTE
With ADFS 2019, you are required to make a modification to the anchor claim type for the Active Directory Claims
Provider trust and modify this from the windowsaccountname to UPN. Execute the PowerShell cmdlet provided below.
This has no impact on the internal functioning of the AD FS farm. You may notice a few users may be re-prompted for
credentials once this change is made. After logging in again, end users will see no difference.
Pre-Requisites
The following pre-requisites are required when using Azure MFA for authentication with AD FS:
An Azure subscription with Azure Active Directory.
Azure Multi-Factor Authentication
NOTE
Azure AD and Azure MFA are included in Azure AD Premium and the Enterprise Mobility Suite (EMS). If you have either of
these you do not need individual subscriptions.
NOTE
Ensure that these steps are performed on all AD FS servers in the farm. If you have multiple AD FS servers in your farm,
you can perform the necessary configuration remotely using Azure AD PowerShell.
Step 1: Generate a certificate for Azure MFA on each AD FS server using the
New-AdfsAzureMfaTenantCertificate cmdlet
The first thing you need to do is generate a certificate for Azure MFA to use. This can be done using PowerShell. The certificate generated can be found in the local machine's certificate store, and it is marked with a subject name containing the TenantID for your Azure AD directory.
Note that TenantID is the name of your directory in Azure AD. Use the following PowerShell cmdlet to generate the new certificate:
$certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <tenantID>
Step 2: Add the new credentials to the Azure Multi-Factor Auth Client Service Principal
In order to enable the AD FS servers to communicate with the Azure Multi-Factor Auth Client, you need to add the credentials to the Service Principal for the Azure Multi-Factor Auth Client. The certificates generated using the New-AdfsAzureMfaTenantCertificate cmdlet will serve as these credentials. Do the following using PowerShell to add the new credentials to the Azure Multi-Factor Auth Client Service Principal.
NOTE
In order to complete this step you need to connect to your instance of Azure AD with PowerShell using
Connect-MsolService . These steps assume you have already connected via PowerShell. For information see
Connect-MsolService .
Set the certificate as the new credential against the Azure Multi-Factor Auth Client:
New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
IMPORTANT
This command needs to be run on all of the AD FS servers in your farm. Azure AD MFA will fail on servers that do not have their certificate set as a credential against the Azure Multi-Factor Auth Client.
NOTE
981f26a1-7f43-403b-a875-f8b09b8cd720 is the GUID for Azure Multi-Factor Auth Client.
NOTE
You need to restart the AD FS service on each server in the farm before these changes take effect. For minimal impact, take each AD FS server out of the NLB rotation one at a time and wait for all connections to drain.
Windows Server without the latest service pack doesn't support the -Environment parameter for the Set-
AdfsAzureMfaTenant cmdlet. If you use Azure Government cloud and the previous steps failed to configure your
Azure tenant due to the missing -Environment parameter, complete the following steps to manually create the
registry entries. Skip these steps if the previous cmdlet correctly registered your tenant information or you
aren't in the Azure Government cloud:
1. Open Registry Editor on the AD FS server.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS. Create the following registry key values:
Registry key - Value
SasUrl - https://adnotifications.windowsazure.us/StrongAuthenticationService.svc/Connector
StsUrl - https://login.microsoftonline.us
ResourceUri - https://adnotifications.windowsazure.us/StrongAuthenticationService.svc/Connector
3. Restart the AD FS service on each server in the farm before these changes take effect. For minimal impact, take each AD FS server out of the NLB rotation one at a time and wait for all connections to drain.
After this, you will see that Azure MFA is available as a primary authentication method for intranet and extranet
use.
If your certificate has already expired, don't add the -Renew $true parameter to the following command. In this
scenario, the existing expired certificate is replaced with a new one instead of being left in place and an
additional certificate created.
If the certificate hasn't already expired, a new certificate that is valid from 2 days in the future to 2 days + 2
years is generated. AD FS and Azure MFA operations aren't affected by this cmdlet or the new certificate. (Note:
the 2 day delay is intentional and provides time to execute the steps below to configure the new certificate in the
tenant before AD FS starts using it for Azure MFA.)
Configure each new AD FS Azure MFA certificate in the Azure AD tenant
Using the Azure AD PowerShell module, for each new certificate (on each AD FS server), update your Azure AD
tenant settings as follows (Note: you must first connect to the tenant using Connect-MsolService to run the
following commands).
If your previous certificate had already expired, restart the AD FS service to pick up the new certificate. You don't
need to restart the AD FS service if you renewed a certificate before it expired.
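Steps 1 and 2 above and the renewal procedure just described use the same two cmdlets, so here is one added example (not the article's code) that does both: it generates, or with -Renew renews, the Azure MFA certificate on this AD FS server and registers it on the Azure Multi-Factor Auth Client service principal, and a second function lists the MFA certificates in the machine store with their validity state. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the tenant ID in the usage lines is a placeholder.

```powershell
# Added example (not from the article). Run on each AD FS server in the farm.
$AzureMfaClientId = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # Azure Multi-Factor Auth Client (from the article)

function Register-AdfsAzureMfaCertificate {
    param(
        [Parameter(Mandatory)][string]$TenantId,   # e.g. contoso.onmicrosoft.com (placeholder)
        [switch]$Renew                             # use before the current certificate expires
    )
    # Step 1: generate the certificate. With -Renew $true a second certificate is
    # created that only becomes valid in two days, leaving time for step 2.
    $certBase64 = if ($Renew) {
        New-AdfsAzureMfaTenantCertificate -TenantId $TenantId -Renew $true
    } else {
        New-AdfsAzureMfaTenantCertificate -TenantId $TenantId
    }

    # Step 2: register it as an asymmetric 'verify' credential on the service principal.
    New-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId `
        -Type asymmetric -Usage verify -Value $certBase64

    # First-time setup only: point AD FS at the tenant and client, then restart
    # the AD FS service as the notes above describe.
    if (-not $Renew) {
        Set-AdfsAzureMfaTenant -TenantId $TenantId -ClientId $AzureMfaClientId
    }

    # Show the credentials the tenant now holds for the client, newest first.
    Get-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId -ReturnKeyValues $false |
        Sort-Object EndDate -Descending |
        Select-Object KeyId, Type, Usage, StartDate, EndDate
}

function Get-AdfsAzureMfaCertificate {
    param([Parameter(Mandatory)][string]$TenantId)
    $now = Get-Date
    # The article states the subject contains the tenant ID; list every match
    # so the pending renewal and the expiring certificate are both visible.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$TenantId*" } |
        Select-Object Thumbprint, NotBefore, NotAfter, @{
            Name       = 'State'
            Expression = {
                if ($_.NotBefore -gt $now)    { 'pending' }   # renewal not yet in use
                elseif ($_.NotAfter -lt $now) { 'expired' }   # safe to remove after rollover
                else                          { 'active' }
            }
        }
}

# Usage (tenant ID is a placeholder):
# Register-AdfsAzureMfaCertificate -TenantId 'contoso.onmicrosoft.com'          # initial setup
# Register-AdfsAzureMfaCertificate -TenantId 'contoso.onmicrosoft.com' -Renew   # before expiry
# Get-AdfsAzureMfaCertificate      -TenantId 'contoso.onmicrosoft.com'
```

A certificate that shows as active locally but has no matching credential on the service principal is the case the IMPORTANT note above warns about: MFA fails on that server only.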
Verify that the new certificate(s) will be used for Azure MFA
Once the new certificate(s) become valid, AD FS will pick them up and start using each respective certificate for
Azure MFA within a few hours to a day. Once this occurs, on each server you will see an event logged in the AD
FS Admin event log with the following information:
TenantId: contoso.onmicrosoft.com.
Old thumbprint: 7CC103D60967318A11D8C51C289EF85214D9FC63.
Old expiration date: 9/15/2019 9:43:17 PM.
New thumbprint: 8110D7415744C9D4D5A4A6309499F7B48B5F3CCF.
New expiration date: 2/27/2020 2:16:07 AM.
When Azure AD as additional authentication is being attempted, the un-proofed user will see an AD FS error
page containing the following messages:
NOTE
For guidance in general on how to customize the onload.js file, see the article Advanced Customization of AD FS Sign-in
Pages.
2. Next, create the folder and export the default AD FS Web Theme:
IMPORTANT
You need to change "<YOUR_DOMAIN_NAME_HERE>" to use your domain name. For example:
var domain_hint = "contoso.com";
7. Finally, apply the custom AD FS Web Theme by typing the following Windows PowerShell command:
Next steps
Manage TLS/SSL Protocols and Cipher Suites used by AD FS and Azure MFA
Configure AD FS Extranet Lockout Protection
3/5/2021 • 7 minutes to read
In AD FS on Windows Server 2012 R2, we introduced a security feature called Extranet Lockout. With this feature, AD FS will "stop" authenticating the "malicious" user account from outside for a period of time. This prevents your user accounts from being locked out in Active Directory. In addition to protecting your users from an AD account lockout, AD FS extranet lockout also protects against brute force password guessing attacks.
NOTE
This feature only works for the extranet scenario where the authentication requests come through the Web Application
Proxy and only applies to username and password authentication .
How it Works
There are 3 settings in AD FS that you need to configure to enable this feature:
EnableExtranetLockout <Boolean> - set this Boolean value to True if you want to enable Extranet Lockout.
ExtranetLockoutThreshold <Integer> - this defines the maximum number of bad password attempts. Once the threshold is reached, AD FS will immediately reject requests from the extranet without attempting to contact the domain controller for authentication, no matter whether the password is good or bad, until the extranet observation window has passed. This means the value of the badPwdCount attribute of an AD account will not increase while the account is soft-locked out.
ExtranetObservationWindow <TimeSpan> - this determines for how long the user account will be soft-locked out. AD FS will start to perform username and password authentication again when the window has passed. AD FS uses the AD attribute badPasswordTime as the reference for determining whether the extranet observation window has passed or not. The window has passed if current time > badPasswordTime + ExtranetObservationWindow.
NOTE
AD FS extranet lockout functions independently from the AD lockout policies. However, we strongly recommend that you
set the ExtranetLockoutThreshold parameter value to a value that is less than the AD account lockout threshold.
Failing to do so would result in AD FS being unable to protect accounts from being locked out in Active Directory.
An example of enabling the Extranet Lockout feature with a maximum of 15 bad password attempts and a 30-minute soft-lockout duration is as follows:
These settings will apply to all domains that the AD FS service can authenticate. The way that it works is that
when AD FS receives an authentication request, it will access the Primary Domain Controller (PDC) through an
LDAP call and perform a lookup for the badPwdCount attribute for the user on the PDC. If AD FS finds the
value of badPwdCount >= ExtranetLockoutThreshold setting and the time defined in the Extranet Observation
Window has not passed yet, AD FS will reject the request immediately, which means no matter whether the user
enters a good or bad password from extranet, the logon will fail because AD FS does not send the credentials to
AD. AD FS does not maintain any state with regard to badPwdCount or locked out user accounts. AD FS uses
AD for all state tracking.
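The 15-attempt / 30-minute configuration mentioned above, followed by a function that mirrors the PDC-side check just described. This is an added example, not code from the article; the sample badPwdCount and badPasswordTime values are constructed, and the comment's Get-ADUser call is only a pointer to where the live values come from.

```powershell
# Added example (not from the original article).

# 1. Enable extranet soft lockout on the farm (run on the primary AD FS server).
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 15 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 2. Reproduce the decision AD FS makes for an extranet username/password request.
#    Returns $true when AD FS would reject the request WITHOUT forwarding it to AD.
function Test-ExtranetSoftLockout {
    param(
        [Parameter(Mandatory)] [int]      $BadPwdCount,       # badPwdCount read from the PDC
        [Parameter(Mandatory)] [datetime] $BadPasswordTime,   # badPasswordTime read from the PDC
        [Parameter(Mandatory)] [int]      $Threshold,         # ExtranetLockoutThreshold
        [Parameter(Mandatory)] [timespan] $ObservationWindow, # ExtranetObservationWindow
        [datetime] $Now = (Get-Date)
    )
    # The window has passed if current time > badPasswordTime + ExtranetObservationWindow.
    $windowPassed = $Now -gt ($BadPasswordTime + $ObservationWindow)
    # Soft-locked only while BOTH hold: counter at/over the threshold AND window not yet passed.
    return ($BadPwdCount -ge $Threshold) -and (-not $windowPassed)
}

# Constructed sample values matching the configuration in step 1. For a real account the
# inputs come from the PDC, e.g. (AD module):
#   Get-ADUser -Identity alice -Server $pdc -Properties badPwdCount, badPasswordTime
# badPasswordTime is a FILETIME; convert it with [datetime]::FromFileTimeUtc().
$threshold = 15
$window    = New-TimeSpan -Minutes 30
$now       = Get-Date

# Case A: 15 failures, last one 5 minutes ago: still inside the window, so AD FS rejects
# the request even if the password is correct and AD never sees the attempt.
Test-ExtranetSoftLockout -BadPwdCount 15 -BadPasswordTime $now.AddMinutes(-5) `
    -Threshold $threshold -ObservationWindow $window -Now $now

# Case B: 15 failures, but the last one 45 minutes ago: window passed, so one attempt
# is forwarded to AD again (a bad password restarts the window, a good one resets badPwdCount).
Test-ExtranetSoftLockout -BadPwdCount 15 -BadPasswordTime $now.AddMinutes(-45) `
    -Threshold $threshold -ObservationWindow $window -Now $now

# Case C: 14 failures 1 minute ago: below the threshold, forwarded to AD as normal.
Test-ExtranetSoftLockout -BadPwdCount 14 -BadPasswordTime $now.AddMinutes(-1) `
    -Threshold $threshold -ObservationWindow $window -Now $now
```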
WARNING
When AD FS Extranet lockout on Server 2012 R2 is enabled all authentication requests through the WAP are validated by
AD FS on the PDC. When the PDC is unavailable, users will be unable to authenticate from the extranet.
Server 2016 offers an additional parameter that allows AD FS to fallback to another domain controller when the
PDC is unavailable:
ExtranetLockoutRequirePDC <Boolean> - When enabled: extranet lockout requires a primary domain
controller (PDC). When disabled: extranet lockout will fallback to another domain controller in case the PDC
is unavailable.
You can use the following Windows PowerShell command to configure the AD FS extranet lockout on Server
2016:
Example 2
As you can see from the above, there are two conditions under which badPwdCount will be reset to 0. One is a
successful logon. The other is when it is time to reset this counter as defined in the Reset Account
Lockout Counter After setting. When Reset Account Lockout Counter After <
ExtranetObservationWindow, an account does not have any risk of being locked out by AD. However, if
Reset Account Lockout Counter After > ExtranetObservationWindow, there is a chance that an account
may be locked out by AD, but in a "delayed fashion". It may take a while for an account to be locked out by AD,
depending on your configuration, as AD FS will only allow one bad password attempt during each observation
window until badPwdCount reaches Account Lockout Threshold.
For more information, see Configuring Account Lockout.
Known Issues
There is a known issue where the AD user account cannot authenticate with AD FS because the badPwdCount
attribute is not replicated to the domain controller that ADFS is querying. See 2971171 for more details. You can
find all AD FS QFEs that have been released so far here.
Additional references
Best practices for securing Active Directory Federation Services
Delegate AD FS Powershell Commandlet Access to Non-Admin Users
Set-AdfsProperties
AD FS Operations
AD FS Extranet Lockout and Extranet Smart
Lockout
6/29/2021 • 18 minutes to read • Edit Online
Overview
Extranet Smart Lockout (ESL) protects your users from experiencing extranet account lockout from malicious
activity.
ESL enables AD FS to differentiate between sign-in attempts from a familiar location for a user and sign-in
attempts from what may be an attacker. AD FS can lock out attackers while letting valid users continue to use
their accounts. This prevents and protects against denial-of-service and certain classes of password spray
attacks on the user. ESL is available for AD FS in Windows Server 2016 and is built into AD FS in Windows
Server 2019.
ESL is only available for the username and password authentication requests which come through the extranet
with the Web Application Proxy or a 3rd party proxy. Any 3rd party proxy must support the MS-ADFSPIP
protocol to be used in place of the Web Application Proxy, such as F5 BIG-IP Access Policy Manager. Consult the
3rd party proxy documentation to determine if the proxy supports the MS-ADFSPIP protocol.
How It Works
Configuration information
When ESL is enabled, a new table in the Artifact database, AdfsArtifactStore.AccountActivity, is created and a
node is selected in the AD FS farm as the “User Activity” master. In a WID configuration, this node is always the
primary node. In a SQL configuration, one node is selected to be the User Activity master.
To view the node selected as the User Activity master, run (Get-AdfsFarmInformation).FarmRoles
All secondary nodes will contact the master node on each fresh login through Port 80 to learn the latest value of
the bad password counts and new familiar location values, and update that node after the login is processed.
If the secondary node cannot contact the master, it will write error events into the AD FS admin log.
Authentications will continue to be processed, but AD FS will only write the updated state locally. AD FS will
retry contacting the master every 10 minutes and will switch back to the master once the master is available.
Terminology
FamiliarLocation : During an authentication request, ESL checks all presented IPs. These IPs will be a
combination of network IP, forwarded IP, and the optional x-forwarded-for IP. If the request is successful, all of
the IPs are added to the Account Activity table as “familiar IPs”. If the request has all the IPs present in the
“familiar IPs”, the request will be treated as a “Familiar” location.
UnknownLocation : If a request that comes in has at least one IP not present in the existing
“FamiliarLocation” list, then the request will be treated as an “Unknown” location. This is to handle proxying
scenarios such as Exchange Online legacy authentication where Exchange Online addresses handle both
successful and failed requests.
badPwdCount : A value representing the number of times an incorrect password was submitted and the
authentication was unsuccessful. For each user, separate counters are kept for Familiar Locations and
Unknown Locations.
UnknownLockout : A boolean value per user if the user is locked out from accessing from unknown
locations. This value is calculated based on the badPwdCountUnfamiliar and ExtranetLockoutThreshold
values.
ExtranetLockoutThreshold : This value determines the maximum number of bad password attempts. When
the threshold is reached, ADFS will reject requests from the extranet until the observation window has
passed.
ExtranetObservationWindow : This value determines the duration that username and password requests
from unknown locations are locked out. When the window has passed, ADFS will start to perform username
and password authentication from unknown locations again.
ExtranetLockoutRequirePDC : When enabled, extranet lockout requires a primary domain controller (PDC).
When disabled, extranet lockout will fallback to another domain controller in case the PDC is unavailable.
ExtranetLockoutMode : Controls log only vs enforced mode of Extranet Smart Lockout
ADFSSmartLockoutLogOnly : Extranet Smart Lockout is enabled, but AD FS will only write admin
and audit events, but will not reject authentication requests. This mode is intended to initially be
enabled for FamiliarLocation to be populated before ‘ADFSSmartLockoutEnforce' is enabled.
ADFSSmartLockoutEnforce : Full support for blocking unfamiliar authentication requests when
thresholds are reached.
IPv4 and IPv6 addresses are supported.
Anatomy of a transaction
Pre-Auth Check : During an authentication request, ESL checks all presented IPs. These IPs will be a
combination of network IP, forwarded IP, and the optional x-forwarded-for IP. In the audit logs, these IPs
are listed in the field in the order of x-ms-forwarded-client-ip, x-forwarded-for, x-ms-proxy-client-ip.
Based on these IPs, ADFS determines if the request is from a familiar or unfamiliar location and then
checks if the respective badPwdCount is less than the set threshold limit OR if the last failed attempt
happened longer ago than the observation window time frame. If one of these conditions is true, ADFS allows
this transaction for further processing and credential validation. If both conditions are false, the account is
already in a locked out state until the observation window passes. After the observation window passes,
the user is allowed one attempt to authenticate. Note that in 2019, ADFS will check against the
appropriate threshold limit based on whether the IP address matches a familiar location or not.
Successful Login : If the log-in succeeds, then the IPs from the request are added to the user's familiar
location IP list.
Failed Login : If the log-in fails the badPwdCount is increased. The user will go into a lockout state if the
attacker sends more bad passwords to the system than the threshold allows. (badPwdCount >
ExtranetLockoutThreshold)
The “UnknownLockout” value will be true when the account is locked out. This means that the user's
badPwdCount is over the threshold, i.e. someone attempted more passwords than the system allowed.
In this state, there are 2 ways that a valid user can log in.
The user must wait for the ObservationWindow time to elapse or
In order to reset the Lockout state, reset the badPwdCount back to zero with ‘Reset-ADFSAccountLockout'.
If no resets occur, the account will be allowed a single password attempt against AD for each observation
window. The account will return to the locked out state after that attempt and the observation window will
restart. The badPwdCount value will only reset automatically after a successful password login.
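The transaction anatomy above, traced with an in-memory stand-in for the AccountActivity table so the familiar/unknown classification, the two counters and the observation window can be followed without a farm. This is an added example, not AD FS code: the threshold, window, UPN and RFC 5737 addresses are constructed, and AD FS 2016's single threshold is used for both location kinds.

```powershell
# Added example (not AD FS code). Constructed stand-in for AdfsArtifactStore.AccountActivity.
$Threshold = 5                          # stands in for ExtranetLockoutThreshold
$Window    = New-TimeSpan -Minutes 30   # stands in for ExtranetObservationWindow
$AccountActivity = @{}                  # per-user state, keyed by UPN

function Get-AccountState([string]$Upn) {
    if (-not $AccountActivity.ContainsKey($Upn)) {
        $AccountActivity[$Upn] = [pscustomobject]@{
            FamiliarIps           = New-Object 'System.Collections.Generic.HashSet[string]'
            BadPwdCountFamiliar   = 0
            BadPwdCountUnfamiliar = 0
            LastBadFamiliar       = [datetime]::MinValue
            LastBadUnfamiliar     = [datetime]::MinValue
        }
    }
    return $AccountActivity[$Upn]
}

# "Familiar" only if EVERY presented IP (network IP, forwarded IP, optional x-forwarded-for)
# is already in the user's familiar list; a single new IP makes the whole request "Unknown".
function Get-LocationKind([string]$Upn, [string[]]$PresentedIps) {
    $state = Get-AccountState $Upn
    foreach ($ip in $PresentedIps) {
        if (-not $state.FamiliarIps.Contains($ip)) { return 'Unknown' }
    }
    return 'Familiar'
}

# Pre-auth check: forward to AD if the counter for this kind of location is below the
# threshold OR the last failure of this kind is older than the observation window.
function Test-EslPreAuthAllowed([string]$Upn, [string[]]$PresentedIps, [datetime]$Now) {
    $state = Get-AccountState $Upn
    if ((Get-LocationKind $Upn $PresentedIps) -eq 'Familiar') {
        $count = $state.BadPwdCountFamiliar;   $lastBad = $state.LastBadFamiliar
    } else {
        $count = $state.BadPwdCountUnfamiliar; $lastBad = $state.LastBadUnfamiliar
    }
    return ($count -lt $Threshold) -or ($Now -gt ($lastBad + $Window))
}

# One extranet username/password attempt: pre-auth check, then AD validation and bookkeeping.
# A success learns the presented IPs as familiar and clears the counter for that location kind;
# a failure increments that counter and restarts its observation window.
function Invoke-EslLogin([string]$Upn, [string[]]$PresentedIps, [bool]$PasswordValid, [datetime]$Now) {
    if (-not (Test-EslPreAuthAllowed $Upn $PresentedIps $Now)) { return 'RejectedBeforeAD' }
    $state = Get-AccountState $Upn
    $kind  = Get-LocationKind $Upn $PresentedIps
    if ($PasswordValid) {
        foreach ($ip in $PresentedIps) { [void]$state.FamiliarIps.Add($ip) }
        if ($kind -eq 'Familiar') { $state.BadPwdCountFamiliar = 0 } else { $state.BadPwdCountUnfamiliar = 0 }
        return 'Success'
    }
    if ($kind -eq 'Familiar') { $state.BadPwdCountFamiliar++;   $state.LastBadFamiliar   = $Now }
    else                      { $state.BadPwdCountUnfamiliar++; $state.LastBadUnfamiliar = $Now }
    return 'BadPassword'
}

# Constructed walkthrough (RFC 5737 documentation addresses, not real traffic).
$t   = Get-Date
$upn = 'user@contoso.com'
Invoke-EslLogin $upn @('203.0.113.10') $true  $t                 # good login: 203.0.113.10 becomes familiar
1..6 | ForEach-Object {                                           # bad passwords from an unknown address:
    Invoke-EslLogin $upn @('198.51.100.7') $false $t.AddSeconds($_) # attempts 1-5 reach AD, the 6th is
}                                                                 # rejected (UnknownLockout = true)
Invoke-EslLogin $upn @('203.0.113.10') $true  $t.AddMinutes(1)   # the familiar location is unaffected
Invoke-EslLogin $upn @('198.51.100.7') $true  $t.AddMinutes(31)  # one attempt forwarded again after the window
```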
Log-Only mode versus ‘Enforce' mode
The AccountActivity table is populated both during ‘Log-Only' mode and ‘Enforce' mode. If ‘Log-Only' mode is
bypassed and ESL is moved directly into ‘Enforce' mode without the recommended waiting period, the familiar
IPs of the users will not be known to ADFS. In this case, ESL would behave like ‘ADBadPasswordCounter',
potentially blocking legitimate user traffic if the user account is under an active brute force attack. If the ‘Log-
Only' mode is bypassed and the user enters a locked out state with “UnknownLockout” = TRUE and attempts to
sign in with a good password from an IP that is not in the “familiar” IP list, then they will not be able to sign in.
Log-Only mode is recommended for 3-7 days to avoid this scenario. If accounts are actively under attack, a
minimum of 24 hours of ‘Log-Only' mode is necessary to prevent lockouts to legitimate users.
PS C:\>$cred = Get-Credential
PS C:\>Update-AdfsArtifactDatabasePermission -Credential $cred
NOTE
The $cred placeholder is an account that has AD FS administrator permissions. This should provide the write
permissions to create the table.
The commands above may fail due to lack of sufficient permission if your AD FS farm is using SQL
Server and the credential provided above does not have admin permission on your SQL server. In this
case, you can configure database permissions manually in SQL Server by running the following
command when you're connected to the AdfsArtifactStore database.
# When prompted with "Are you sure you want to perform this action?", enter Y.
[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
Param()
$fileLocation = "$env:windir\ADFS\Microsoft.IdentityServer.Servicehost.exe.config"
if (-not [System.IO.File]::Exists($fileLocation))
{
    Write-Error "Unable to open ADFS configuration file."
    return
}
try
{
    # The remainder of this script is not present on the page.
}
catch
{
    Write-Error $_
}
When enabled, extranet lockout requires a primary domain controller (PDC). When set to false,
extranet lockout will fall back to another domain controller in case the PDC is unavailable.
To set this property run:
Log only mode is intended to be a temporary state so that the system can learn login behavior prior to
introducing lockout enforcement with the smart lockout behavior. The recommended duration for log-only
mode is 3-7 days. If accounts are actively under attack, log-only mode must be run for a minimum of 24 hours.
On AD FS 2016, if 2012R2 ‘Extranet Soft Lockout' behavior is enabled prior to enabling Extranet Smart Lockout,
Log-Only mode will disable the ‘Extranet Soft Lockout' behavior. AD FS Smart Lockout will not lock out users in
Log-Only mode. However, on-premises AD may lock out the user based on the AD configuration. Please review
AD Lockout policies to learn how on-prem AD can lockout users.
On AD FS 2019, an additional advantage is the ability to enable log-only mode for smart lockout while
continuing to enforce the previous soft lockout behavior using the PowerShell command below.
Set-AdfsProperties -ExtranetLockoutMode 3
For the new mode to take effect, restart the AD FS service on all nodes in the farm
Restart-Service adfssrv
Once the mode is configured, you can enable smart lockout using the EnableExtranetLockout parameter
Set-AdfsProperties -EnableExtranetLockout $true
For the new mode to take effect, restart the AD FS service on all nodes in the farm by using the following
command.
Restart-Service adfssrv
Reset-ADFSAccountLockout
Resets the lockout counter for a user account for each Familiar location (badPwdCountFamiliar) or
Unfamiliar Location counters (badPwdCountUnfamiliar). By resetting a counter, the “FamiliarLockout” or
“UnfamiliarLockout” value will update, as the reset counter will be less than the threshold.
Reset-ADFSAccountLockout user@contoso.com -Location Familiar
Reset-ADFSAccountLockout user@contoso.com -Location Unknown
NOTE
Troubleshoot Extranet Smart lockout with the AD FS Help Extranet Lockout troubleshooting guide
For Extranet Smart Lockout events to be written, ESL must be enabled in ‘log-only' or ‘enforce' mode and AD FS
security auditing must be enabled. AD FS writes extranet lockout events to the security audit log:
When a user is locked out (reaches the lockout threshold for unsuccessful login attempts)
When AD FS receives a login attempt for a user who is already in lockout state
While in log only mode, you can check the security audit log for lockout events. For any events found, you can
check the user state using the Get-ADFSAccountActivity cmdlet to determine if the lockout occurred from
familiar or unfamiliar IP addresses, and to double check the list of familiar IP addresses for that user.
EVENT ID          DESCRIPTION
557 (ADFS 2019)   An error occurred while trying to communicate with the account store rest service on
                  node %1. If this is a WID farm the primary node may be offline. If this is a SQL farm
                  ADFS will automatically select a new node to host the User store master role.
562 (ADFS 2019)   An error occurred when communicating with the account store endpoint on server %1.
                  Exception Message: %2
563 (ADFS 2019)   An error occurred while calculating extranet lockout status. Due to the value of the %1
                  setting authentication will be allowed for this user and token issuance will continue.
                  If this is a WID farm the primary node may be offline. If this is a SQL farm ADFS will
                  automatically select a new node to host the User store master role.
                  Account store server name: %2
                  User Id: %3
                  Exception Message: %4
512               The account for the following user is locked out. A login attempt is being allowed due
                  to the system configuration.
                  Activity ID: %1
                  User: %2
                  Client IP: %3
                  Bad Password Count: %4
                  Last Bad Password Attempt: %5
515               The following user account was in a locked out state and the correct password was just
                  provided. This account may be compromised.
                  Additional Data
                  Activity ID: %1
                  User: %2
                  Client IP: %3
516               The following user account has been locked out due to too many bad password attempts.
                  Activity ID: %1
                  User: %2
                  Client IP: %3
                  Bad Password Count: %4
                  Last Bad Password Attempt: %5
Additional references
Best practices for securing Active Directory Federation Services
Set-AdfsProperties
AD FS Operations
AD FS and banned IP addresses
3/5/2021 • 2 minutes to read • Edit Online
In June 2018, AD FS on Windows Server 2016 introduced Banned IPs with the AD FS June 2018 update. This
update enables you to configure a set of IP addresses globally in AD FS, so that requests coming from those IP
addresses, or that have those IP addresses in the x-forwarded-for or x-ms-forwarded-client-ip headers,
will be blocked by AD FS.
Allowed formats
1. IPv4
2. IPv6
3. CIDR format with IPv4 or v6
There is a limit of 300 entries for banned IP addresses. You can use CIDR or range format to deny a large block
of entries with a single entry.
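The three allowed entry formats applied to the global ban list, plus a function showing how the "any presented address, including header values" semantic resolves against a CIDR entry. This is an added example, not AD FS's own matching code; the addresses are RFC 5737 / RFC 3849 documentation ranges, and the matching helper assumes the list entries are well-formed.

```powershell
# Added example (not from the original article).

# Maintain the global ban list in the three supported formats (requires the June 2018 update
# on Server 2016). -AddBannedIps appends; -RemoveBannedIps removes entries.
Set-AdfsProperties -AddBannedIps "203.0.113.25", "2001:db8::1f", "198.51.100.0/24"
$banned = (Get-AdfsProperties).BannedIpList
"Banned entries in use: $($banned.Count) of the 300 allowed"

# Returns $true when $Ip falls inside $Entry, where $Entry is a single IPv4/IPv6 address
# or a CIDR block. Works for both address families by comparing prefix bits byte by byte.
function Test-IpMatchesBanEntry {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Entry)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($Entry -notmatch '/') { return $addr.Equals([System.Net.IPAddress]::Parse($Entry)) }
    $net, $prefixLen = $Entry -split '/'
    $netAddr = [System.Net.IPAddress]::Parse($net)
    if ($addr.AddressFamily -ne $netAddr.AddressFamily) { return $false }  # never mix v4 and v6
    $a = $addr.GetAddressBytes(); $n = $netAddr.GetAddressBytes()
    $bits = [int]$prefixLen
    for ($i = 0; $i -lt $a.Length; $i++) {
        $remaining = $bits - (8 * $i)
        if ($remaining -le 0) { return $true }                    # all prefix bits already compared
        $mask = if ($remaining -ge 8) { 0xFF } else { (0xFF -shl (8 - $remaining)) -band 0xFF }
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

# A request is blocked if ANY presented address (the connection IP or the x-forwarded-for /
# x-ms-forwarded-client-ip header values) matches ANY entry on the list.
function Test-RequestBanned([string[]]$PresentedIps, [string[]]$BanList) {
    foreach ($ip in $PresentedIps) {
        foreach ($entry in $BanList) {
            if (Test-IpMatchesBanEntry -Ip $ip -Entry $entry) { return $true }
        }
    }
    return $false
}

# Constructed request: the proxy connection comes from a clean address, but the
# x-forwarded-for value sits inside the banned 198.51.100.0/24 block, so AD FS blocks it.
$list      = @("203.0.113.25", "2001:db8::1f", "198.51.100.0/24")
$presented = @("192.0.2.44", "198.51.100.77")
Test-RequestBanned -PresentedIps $presented -BanList $list
```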
PS C:\>Get-AdfsProperties
Example output:
Additional references
Best practices for securing Active Directory Federation Services
Set-AdfsProperties
AD FS Operations
Configure AD FS to authenticate users stored in
LDAP directories in Windows Server 2016 or later
3/5/2021 • 5 minutes to read • Edit Online
The following topic describes the configuration required to enable your AD FS infrastructure to authenticate
users whose identities are stored in Lightweight Directory Access Protocol (LDAP) v3-compliant directories.
In many organizations, identity management solutions consist of a combination of Active Directory, AD LDS, or
third-party LDAP directories. With the addition of AD FS support for authenticating users stored in LDAP v3-
compliant directories, you can benefit from the entire enterprise-grade AD FS feature set regardless of where
your user identities are stored. AD FS supports any LDAP v3-compliant directory.
NOTE
Some of the AD FS features include single sign-on (SSO), device authentication, flexible conditional access policies, support
for work-from-anywhere through the integration with the Web Application Proxy, and seamless federation with Azure AD
which in turn enables you and your users to utilize the cloud, including Office 365 and other SaaS applications. For more
information, see Active Directory Federation Services Overview.
In order for AD FS to authenticate users from an LDAP directory, you must connect this LDAP directory to your
AD FS farm by creating a local claims provider trust. A local claims provider trust is a trust object that
represents an LDAP directory in your AD FS farm. A local claims provider trust object consists of a variety of
identifiers, names, and rules that identify this LDAP directory to the local federation service.
You can support multiple LDAP directories, each with its own configuration, within the same AD FS farm by
adding multiple local claims provider trusts. In addition, AD DS forests that are not trusted by the forest that
AD FS lives in can also be modeled as local claims provider trusts. You can create local claims provider trusts by
using Windows PowerShell.
LDAP directories (local claims provider trusts) can co-exist with AD directories (claims provider trusts) on the
same AD FS server, within the same AD FS farm, therefore, a single instance of AD FS is capable of
authenticating and authorizing access for users that are stored in both AD and non-AD directories.
Only forms-based authentication is supported for authenticating users from LDAP directories. Certificate-based
and Integrated Windows authentication are not supported for authenticating users in LDAP directories.
All passive authorization protocols that are supported by AD FS, including SAML, WS-Federation, and OAuth are
also supported for identities that are stored in LDAP directories.
The WS-Trust active authorization protocol is also supported for identities that are stored in LDAP directories.
NOTE
It is recommended that you create a new connection object for each LDAP server you want to connect to. AD FS
can connect to multiple replica LDAP servers and automatically fail over in case a specific LDAP server is down. For
such a case, you can create one AdfsLdapServerConnection for each of these replica LDAP servers and then add
the array of connection objects using the -LdapServerConnection parameter of the
Add-AdfsLocalClaimsProviderTrust cmdlet.
NOTE: Your attempt to use Get-Credential and type in a DN and password to be used to bind to an LDAP
instance might result in a failure because of the user interface requirement for specific input formats, for
example, domain\username or user@domain.tld. You can instead use the ConvertTo-SecureString cmdlet
as follows (the example below assumes uid=admin,ou=system as the DN of the credentials to be used to
bind to the LDAP instance):
Then enter the password for the uid=admin and complete the rest of the steps.
2. Next, you can perform the optional step of mapping LDAP attributes to the existing AD FS claims using
the New-AdfsLdapAttributeToClaimMapping cmdlet. In the example below, you map givenName,
Surname, and CommonName LDAP attributes to the AD FS claims:
This mapping is done in order to make attributes from the LDAP store available as claims in AD FS in
order to create conditional access control rules in AD FS. It also enables AD FS to work with custom
schemas in LDAP stores by providing an easy way to map LDAP attributes to claims.
3. Finally, you must register the LDAP store with AD FS as a local claims provider trust using the
Add-AdfsLocalClaimsProviderTrust cmdlet:
Add-AdfsLocalClaimsProviderTrust -Name "Vendors" -Identifier "urn:vendors" -Type Ldap `
    -LdapServerConnection $vendorDirectory   # Connection info
In the example above, you are creating a local claims provider trust called "Vendors". You are specifying
connection information for AD FS to connect to the LDAP directory this local claims provider trust
represents by assigning $vendorDirectory to the -LdapServerConnection parameter. Note that in step one,
you've assigned $vendorDirectory a connection string to be used when connecting to your specific LDAP
directory. Finally, you are specifying that the $GivenName, $Surname, and $CommonName LDAP attributes
(which you mapped to the AD FS claims) are to be used for conditional access control, including multi-
factor authentication policies and issuance authorization rules, as well as for issuance via claims in AD FS-
issued security tokens. In order to use active protocols like WS-Trust with AD FS, you must specify the
OrganizationalAccountSuffix parameter, which enables AD FS to disambiguate between local claims
provider trusts when servicing an active authorization request.
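The three steps above carried through end to end, as an added example (not the article's own script). The host name, port, bind DN, user container, claim suffix and trust name are placeholders for your own directory; the bind password is read with Read-Host -AsSecureString rather than typed as plain text, which also sidesteps the Get-Credential format issue noted above.

```powershell
# Added example (not from the original article). Placeholders: ldap.vendors.example,
# uid=admin,ou=system, CN=VendorUsers,DC=vendors,DC=example, vendors.example.

# Step 1: connection object for one LDAP server. Create one per replica and pass the array
# to -LdapServerConnection if you want automatic failover between them.
$bindPassword = Read-Host -AsSecureString -Prompt "Bind password for uid=admin,ou=system"
$ldapCred     = New-Object System.Management.Automation.PSCredential("uid=admin,ou=system", $bindPassword)
$vendorDirectory = New-AdfsLdapServerConnection -HostName "ldap.vendors.example" -Port 636 `
                       -SslMode Ssl -AuthenticationMethod Basic -Credential $ldapCred

# Step 2 (optional): map LDAP attributes to AD FS claim types so they can be used in
# conditional access rules and issued in tokens. Claim type URIs are the standard ones.
$GivenName  = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName `
                  -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$Surname    = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn `
                  -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn `
                  -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"

# Step 3: register the directory as a local claims provider trust. The anchor claim is what the
# user types at the forms-based sign-in page and is looked up in the user container.
Add-AdfsLocalClaimsProviderTrust -Name "Vendors" -Identifier "urn:vendors" -Type Ldap `
    -LdapServerConnection $vendorDirectory `
    -UserObjectClass inetOrgPerson `
    -UserContainer "CN=VendorUsers,DC=vendors,DC=example" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName) `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" `
    -Enabled $true `
    -OrganizationalAccountSuffix "vendors.example"   # needed for active protocols such as WS-Trust

# Read the trust back to confirm the connection, mappings and suffix were stored.
Get-AdfsLocalClaimsProviderTrust -Name "Vendors" |
    Select-Object Name, Identifier, OrganizationalAccountSuffix, Enabled
```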
See Also
AD FS Operations
Configure AD FS to Send Password Expiry Claims
3/5/2021 • 2 minutes to read • Edit Online
You can configure Active Directory Federation Services (AD FS) to send password expiry claims to the relying
party trusts (applications) that are protected by ADFS. How these claims are used depends on the application.
For example, with Office 365 as your relying party, updates have been implemented to Exchange and Outlook to
notify federated users of their soon-to-be-expired passwords.
To configure AD FS to send password expiry claims to a relying party trust, you must add the following claim
rules to this relying party trust:
NOTE
Password expiry claims are only available for username and password and Microsoft Passport for Work authentication
types. If the user authenticates using Windows integrated authentication and Passport is not configured, the claims will
not be available and the users will not see password expiry notifications.
NOTE
There is a 14-day window, so the claims will only be populated if the password expires within 14 days.
See Also
AD FS Operations
Configure Additional Authentication Methods for
AD FS
6/17/2021 • 2 minutes to read • Edit Online
In order to enable multi-factor authentication (MFA), you must select at least one additional authentication
method. By default, in Active Directory Federation Services (AD FS) in Windows Server 2012 R2, you can select
Certificate Authentication (in other words, smart card-based authentication) as an additional authentication
method.
NOTE
If you select Certificate Authentication, ensure that the smart card certificates have been provisioned securely and have
pin requirements.
Did you know that Microsoft Azure provides similar functionality in the cloud? Learn more about Microsoft
Azure identity solutions.
Create a hybrid identity solution in Microsoft Azure:
- Learn about Azure Multi-Factor Authentication.
- Manage identities for single-forest hybrid environments using cloud authentication.
- Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.
PROVIDER | OFFERING | LINK TO LEARN MORE
Microsoft Corp. | Microsoft Azure MFA | Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications (see step 3)
Okta | Okta MFA for Active Directory Federation Services | Okta MFA for Active Directory Federation Services (ADFS)
Ping Identity | PingID MFA Adapter for AD FS | PingID MFA Adapter for AD FS
RSA, The Security Division of EMC | RSA SecurID Authentication Agent for Microsoft Active Directory Federation Services | RSA SecurID Authentication Agent for Microsoft Active Directory Federation Services
See Also
Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
Configure Authentication Policies
6/17/2021 • 9 minutes to read • Edit Online
In AD FS, in Windows Server 2012 R2, both access control and the authentication mechanism are enhanced with
multiple factors that include user, device, location, and authentication data. These enhancements enable you,
either through the user interface or through Windows PowerShell, to manage the risk of granting access
permissions to AD FS-secured applications via multi-factor access control and multi-factor authentication that
are based on user identity or group membership, network location, device data that is workplace-joined, and the
authentication state when multi-factor authentication (MFA) was performed.
For more information about MFA and multi-factor access control in Active Directory Federation Services (AD FS)
in Windows Server 2012 R2 , see the following topics:
Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company
Applications
Manage Risk with Conditional Access Control
Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
4. In the Edit Authentication Policy for <relying_party_trust_name> window, under the Primary
tab, you can configure the following setting as part of the Per Relying Party Trust authentication policy:
Whether users are required to provide their credentials each time at sign-in via the Users are
required to provide their credentials each time at sign-in check box.
To configure multi-factor authentication globally
1. In Server Manager, click Tools , and then select AD FS Management .
2. In AD FS snap-in, click Authentication Policies .
3. In the Multi-factor Authentication section, click Edit next to Global Settings . You can also right-click
Authentication Policies , and select Edit Global Multi-factor Authentication , or, under the Actions
pane, select Edit Global Multi-factor Authentication .
4. In the Edit Global Authentication Policy window, under the Multi-factor tab, you can configure the
following settings as part of the global multi-factor authentication policy:
Settings or conditions for MFA via available options under the Users/Groups , Devices , and
Locations sections.
To enable MFA for any of these settings, you must select at least one additional authentication
method. Certificate Authentication is the default available option. You can also configure other
custom additional authentication methods, for example, Windows Azure Active Authentication. For
more information, see Walkthrough Guide: Manage Risk with Additional Multi-Factor
Authentication for Sensitive Applications.
WARNING
You can only configure additional authentication methods globally.
WARNING
To verify that this command ran successfully, you can run the Get-AdfsGlobalAuthenticationPolicy command.
To configure MFA per-relying party trust that is based on a user's group membership data
1. On your federation server, open the Windows PowerShell command window and run the following
command:
WARNING
Ensure to replace <relying_party_trust> with the name of your relying party trust.
2. In the same Windows PowerShell command window, run the following command.
NOTE
Ensure to replace <group_SID> with the value of the security identifier (SID) of your Active Directory (AD) group.
Set-AdfsAdditionalAuthenticationRule $MfaClaimRule
NOTE
Ensure to replace <group_SID> with the value of the SID of your AD group.
Set-AdfsAdditionalAuthenticationRule $MfaClaimRule
NOTE
Ensure to replace <true_or_false> with either true or false . The value depends on your specific rule condition that is
based on whether the access request comes from the extranet or the intranet.
Set-AdfsAdditionalAuthenticationRule $MfaClaimRule
NOTE
Ensure to replace <true_or_false> with either true or false . The value depends on your specific rule condition that is
based on whether the device is workplace-joined or not.
To configure MFA globally if the access request comes from the extranet and from a non-workplace -joined
device
1. On your federation server, open the Windows PowerShell command window and run the following
command.
Set-AdfsAdditionalAuthenticationRule "c:[Type == `"https://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser`", Value == `"true_or_false`"] && c2:[Type == `"https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork`", Value == `"true_or_false`"] => issue(Type = `"https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`", Value = `"https://schemas.microsoft.com/claims/multipleauthn`");"
NOTE
Ensure to replace both instances of <true_or_false> with either true or false , which depends on your specific rule
conditions. The rule conditions are based on whether the device is workplace-joined or not and whether the access
request comes from the extranet or intranet.
To configure MFA globally if access comes from an extranet user that belongs to a certain group
1. On your federation server, open the Windows PowerShell command window and run the following
command.
Set-AdfsAdditionalAuthenticationRule "c:[Type == `"https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`", Value == `"group_SID`"] && c2:[Type == `"https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork`", Value == `"true_or_false`"] => issue(Type = `"https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`", Value = `"https://schemas.microsoft.com/claims/multipleauthn`");"
NOTE
Ensure to replace <group_SID> with the value of the group SID and <true_or_false> with either true or false , which
depends on your specific rule condition that is based on whether the access request comes from the extranet or intranet.
NOTE
Ensure to replace <relying_party_trust> with the value of your relying party trust.
2. In the same Windows PowerShell command window, run the following command.
To grant access to an application that is secured by AD FS only if this user's identity was validated with MFA
1. On your federation server, open the Windows PowerShell command window and run the following
command.
NOTE
Ensure to replace <relying_party_trust> with the value of your relying party trust.
2. In the same Windows PowerShell command window, run the following command.
To grant access to an application that is secured by AD FS only if the access request comes from a workplace -
joined device that is registered to the user
1. On your federation server, open the Windows PowerShell command window and run the following
command.
NOTE
Ensure to replace <relying_party_trust> with the value of your relying party trust.
2. In the same Windows PowerShell command window, run the following command.
To grant access to an application that is secured by AD FS only if the access request comes from a workplace -
joined device that is registered to a user whose identity has been validated with MFA
1. On your federation server, open the Windows PowerShell command window and run the following
command.
$rp = Get-AdfsRelyingPartyTrust -Name relying_party_trust
NOTE
Ensure to replace <relying_party_trust> with the value of your relying party trust.
2. In the same Windows PowerShell command window, run the following command.
To grant extranet access to an application secured by AD FS only if the access request comes from a user
whose identity has been validated with MFA
1. On your federation server, open the Windows PowerShell command window and run the following
command.
NOTE
Be sure to replace <relying_party_trust> with the name of your relying party trust.
2. In the same Windows PowerShell command window, run the following command.
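As an added example (not part of the original article), the following PowerShell shows what the last procedure above assembles end to end: an issuance authorization rule set that permits extranet access only after MFA, applied with Set-AdfsRelyingPartyTrust and then read back for review. The relying party name is a placeholder, and the claim-type URIs are the standard http://schemas.microsoft.com identifiers AD FS uses.

```powershell
# Added example, not from the article. Replace <relying_party_trust> with the
# display name of your relying party trust (placeholder, as in the notes above).
$rp = Get-AdfsRelyingPartyTrust -Name "<relying_party_trust>"

# Issuance authorization rules in the AD FS claim rule language.
# AD FS grants access only if at least one rule issues a permit claim and no
# rule issues a deny claim, so any request not matched below is refused.
$authzRules = @'
@RuleName = "Permit intranet requests"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit extranet requests only after MFA"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
        Value == "http://schemas.microsoft.com/claims/multipleauthn"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -IssuanceAuthorizationRules $authzRules

# Read the configuration back so the change can be reviewed (and kept in
# change control) before users are affected.
(Get-AdfsRelyingPartyTrust -Name "<relying_party_trust>").IssuanceAuthorizationRules
```

A permit rule that requires the multipleauthn claim only works if an additional authentication rule actually triggers MFA for extranet users; without it the claim is never issued and those users are simply denied.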
Additional references
AD FS Operations
Configure Claim Rules in AD FS for Windows Server
3/5/2021 • 2 minutes to read
In a claims-based identity model, the function of Active Directory Federation Services (AD FS) as a federation
service is to issue a token that contains a set of claims. Claim rules govern the decisions about which claims
AD FS issues. Claim rules and all server configuration data are stored in the AD FS configuration database.
AD FS makes issuance decisions based on identity information that is provided to it in the form of claims and
on other contextual information. At a high level, AD FS operates as a rules processor: it takes one set of claims
as input, performs a number of transformations, and then returns a different set of claims as output.
The following topics will assist you in creating the rules that AD FS will process:
Create a Rule to Pass Through or Filter an Incoming Claim
Create a Rule to Permit All Users
Create a Rule to Permit or Deny Users Based on an Incoming Claim
Create a Rule to Send LDAP Attributes as Claims
Create a Rule to Send Group Membership as a Claim
Create a Rule to Transform an Incoming Claim
Create a Rule to Send an Authentication Method Claim
Create a Rule to Send an AD FS 1.x Compatible Claim
Create a Rule to Send Claims Using a Custom Rule
See Also
AD FS Operations
Configure On-Premises Conditional Access using
registered devices
3/5/2021 • 8 minutes to read
The following document will guide you through installing and configuring on-premises conditional access with
registered devices.
Infrastructure prerequisites
The following prerequisites are required before you can begin with on-premises conditional access.
An Azure AD subscription with Azure AD Premium: to enable device write back for on-premises conditional
access. A free trial is fine.
Intune subscription: only required for MDM integration for device compliance scenarios. A free trial is fine.
Azure AD Connect: November 2015 QFE or later. Get the latest version here.
Windows Server 2016 Active Directory schema: schema level 85 or higher is required.
Windows Server 2016 domain controller: only required for Hello For Business key-trust deployments.
Additional information can be found here.
Azure AD user account with an Azure AD Premium license assigned: for registering the device.
NOTE
If you installed Azure AD Connect prior to upgrading to the schema version (level 85 or greater) in Windows Server 2016,
you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the
synchronization rule for msDS-KeyCredentialLink is configured.
You can also use the following PowerShell cmdlet (replace the object with your schema naming context
information):
Setup AD FS
1. Create a new AD FS 2016 farm,
2. or migrate a farm to AD FS 2016 from AD FS 2012 R2.
3. Deploy Azure AD Connect using the Custom path to connect AD FS to Azure AD.
1. Run the Add Roles & Features wizard and select the feature Remote Server Administration Tools -> Role
Administration Tools -> AD DS and AD LDS Tools -> Choose both the Active Directory module for
Windows PowerShell and the AD DS Tools.
2. On your AD FS primary server, ensure you are logged in as an AD DS user with Enterprise Admin (EA)
privileges and open an elevated PowerShell prompt. Then, execute the following PowerShell commands:
PS C:\> Import-Module ActiveDirectory
PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>"
Note: If your AD FS service is configured to use a GMSA account, enter the account name in the format
"domain\accountname$"
The above PowerShell commands create the following objects:
RegisteredDevices container under the AD domain partition
Device Registration Service container and object under Configuration --> Services --> Device Registration
Configuration
Device Registration Service DKM container and object under Configuration --> Services --> Device
Registration Configuration
Note: if necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in
Program Files\Microsoft Azure Active Directory Connect\AdPrep
2. Provide your Azure AD global administrator credentials:
PS C:\> $aadAdminCred = Get-Credential
Where [AD connector account name] is the name of the account you configured in Azure AD Connect when
adding your on-premises AD DS directory.
The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the
serviceConnectionPoint object in AD DS.
Prepare AD for Device Write Back
To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the
following.
1. Open Windows PowerShell and execute the following:
PS C:\> Initialize-ADSyncDeviceWriteBack -DomainName <AD DS domain name> -AdConnectorAccount [AD connector account name]
Where [AD connector account name] is the name of the account you configured in Azure AD Connect when
adding your on-premises AD DS directory, in domain\accountname format.
The above command creates the following objects for device write back to AD DS, if they do not exist already,
and grants access to the specified AD connector account:
RegisteredDevices container in the AD domain partition
Device Registration Service container and object under Configuration --> Services --> Device Registration
Configuration
Enable Device Write Back in Azure AD Connect
If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second
time and selecting "Customize Synchronization Options", then checking the box for device write back and
selecting the forest in which you ran the above cmdlets.
Configure Device Authentication in AD FS
Using an elevated PowerShell command window, configure the AD FS policy by executing the following command:
PS C:\> Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All
Troubleshooting
1. If you get an error on Initialize-ADDeviceRegistration that complains about an object already existing in the
wrong state, such as "The drs service object has been found without all the required attributes", you may
have executed Azure AD Connect PowerShell commands previously and have a partial configuration in AD
DS. Try manually deleting the objects under CN=Device Registration
Configuration,CN=Services,CN=Configuration,DC=<domain> and trying again.
2. For Windows 10 domain joined clients
a. To verify that device authentication is working, sign on to the domain joined client as a test user
account. To trigger provisioning quickly, lock and unlock the desktop at least one time.
b. Instructions to check for stk key credential link on AD DS object (does sync still have to run twice?)
3. If you get an error when trying to register a Windows computer that says the device was already enrolled, but
you are unable to unenroll the device or have already unenrolled it, you may have a fragment of device
enrollment configuration in the registry. To investigate and remove this, use the following steps:
a. On the Windows computer, open Regedit and navigate to HKLM\Software\Microsoft\Enrollments
b. Under this key, there will be many subkeys in GUID form. Navigate to the subkey which has ~17
values in it and has an "EnrollmentType" of "6" (MDM joined) or "13" (Azure AD joined)
c. Modify EnrollmentType to 0
d. Try the device enrollment or registration again
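As an added example (not part of the original article), this PowerShell automates steps 3a to 3c above: it lists the GUID-named subkeys under HKLM\Software\Microsoft\Enrollments whose EnrollmentType is 6 or 13 and then clears that value, prompting for confirmation per key. The function name is hypothetical; the values 6 and 13 are taken from the step above.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt
# on the affected client.
function Get-StaleEnrollmentKeys {
    param([string]$BasePath = 'HKLM:\SOFTWARE\Microsoft\Enrollments')

    foreach ($key in Get-ChildItem -Path $BasePath -ErrorAction Stop) {
        # Only GUID-named subkeys are individual enrollments; other
        # housekeeping keys (such as Context or Status) are skipped.
        if ($key.PSChildName -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') { continue }
        $type = (Get-ItemProperty -Path $key.PSPath).EnrollmentType
        if ($type -in 6, 13) {
            [pscustomobject]@{
                Subkey         = $key.PSChildName
                EnrollmentType = $type
                ValueCount     = $key.ValueCount   # the article says roughly 17 values
            }
        }
    }
}

$stale = @(Get-StaleEnrollmentKeys)
$stale | Format-Table -AutoSize

# Step c: clear EnrollmentType only on the keys listed. Only that one value is
# touched, so the rest of the enrollment data stays available for review.
if ($stale.Count -eq 0) {
    'No enrollment fragment with EnrollmentType 6 or 13 found.'
} else {
    foreach ($s in $stale) {
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Enrollments\$($s.Subkey)" `
            -Name EnrollmentType -Value 0 -Type DWord -Confirm
        "Set EnrollmentType to 0 on $($s.Subkey) (was $($s.EnrollmentType))"
    }
}
```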
Related Articles
Securing access to Office 365 and other apps connected to Azure Active Directory
Conditional access device policies for Office 365 services
Setting up on-premises conditional access using Azure Active Directory Device Registration
Connect domain-joined devices to Azure AD for Windows 10 experiences
Configuring intranet forms-based authentication for
devices that do not support WIA
3/5/2021 • 4 minutes to read
By default, Windows Integrated Authentication (WIA) is enabled in Active Directory Federation Services (AD FS)
in Windows Server 2012 R2 for authentication requests that occur within the organization's internal network
(intranet) for any application that uses a browser for its authentication. For example, these can be browser-based
applications that use the WS-Federation or SAML protocols and rich applications that use the OAuth protocol. WIA
provides end users with seamless logon to the applications without having to manually enter their
credentials. However, some devices and browsers are not capable of supporting WIA, and as a result
authentication requests from these devices fail. Also, the experience on certain browsers that negotiate down to NTLM
is not desirable. The recommended approach is to fall back to forms-based authentication for such devices and
browsers.
AD FS in Windows Server 2016 and Windows Server 2012 R2 gives administrators the ability to
configure the list of user agents that support WIA, so that other user agents fall back to forms-based authentication. The fallback is made
possible by two configurations:
The WIASupportedUserAgentStrings property of the Set-ADFSProperties cmdlet
The WindowsIntegratedFallbackEnabled property of the Set-AdfsGlobalAuthenticationPolicy
cmdlet
The WIASupportedUserAgentStrings property defines the user agents that support WIA. AD FS analyzes the user
agent string when performing logins in a browser or browser control. If the user agent string
does not match any of the components of the user agent strings that are configured in the
WIASupportedUserAgentStrings property, AD FS falls back to forms-based authentication,
provided that the WindowsIntegratedFallbackEnabled flag is set to True.
By default, a new AD FS installation has a set of user agent string matches created. However, these may be out of
date based on changes to browsers and devices. Particularly, Windows devices have similar user agent strings
with minor variations in the tokens. The following Windows PowerShell example provides the best guidance for
the current set of devices that are on the market today that support seamless WIA:
Set-AdfsProperties -WIASupportedUserAgents @(
    "MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6",
    "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0",
    "Windows NT 6.3; WOW64; Trident/7.0", "Windows NT 6.2; Trident/7.0",
    "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0",
    "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0",
    "Windows NT 6.1; WOW64; Trident/7.0", "MSIPC", "Windows Rights Management Client"
)
The command above will ensure that AD FS only covers the following use cases for WIA:
User agent: MSIE 7.0; Windows NT
Use case: IE 7, IE in intranet zone. The "Windows NT" fragment is sent by desktop operating systems.
User agent: MSIE 8.0
Use case: IE 8.0 (no devices send this, so no need to make this more specific)
User agent: MSIE 9.0
Use case: IE 9.0 (no devices send this, so no need to make this more specific)
User agent: MSIE 10.0; Windows NT 6
Use case: IE 10.0 for Windows XP and newer versions of desktop operating systems. Windows Phone 8.0 devices
(with preference set to mobile) are excluded because they send
User agents: Windows NT 6.3; Trident/7.0 and Windows NT 6.3; Win64; x64; Trident/7.0
Use case: Windows 8.1 desktop operating system, different platforms
In order to enable fallback to forms-based authentication for user agents other than those listed in the
WIASupportedUserAgents string, set the WindowsIntegratedFallbackEnabled flag to true.
Also ensure that forms-based authentication is enabled for the intranet.
Similarly, for Chrome on Apple macOS, add the following user agent string to the AD FS configuration:
NOTE
As new browsers and devices are released, it is recommended that you reconcile the capabilities of those user agents and
update the AD FS configuration accordingly to optimize the user's authentication experience when using those browsers and
devices. More specifically, it is recommended that you re-evaluate the WIASupportedUserAgents setting in AD FS
when adding a new device or browser type to your support matrix for WIA.
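As an added example (not part of the original article), the following PowerShell models the decision described above so you can predict which browsers get WIA, which get forms, and which fail when fallback is off, before applying the two settings. It assumes AD FS treats each configured entry as a substring match against the browser's User-Agent header; the function name and the sample user agent strings are constructed for illustration.

```powershell
# Added example, not from the article. Simplified model of the AD FS intranet
# authentication decision; the function name is hypothetical.
function Get-AdfsIntranetAuthMode {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [Parameter(Mandatory)][string[]]$WIASupportedUserAgents,
        [bool]$WindowsIntegratedFallbackEnabled = $true
    )
    foreach ($entry in $WIASupportedUserAgents) {
        if ($UserAgent.Contains($entry)) { return 'WIA' }
    }
    if ($WindowsIntegratedFallbackEnabled) { return 'Forms' }
    # No match and no fallback: the WIA challenge is still sent, and a browser
    # that cannot answer it fails to authenticate.
    return 'WIA (fails on this browser)'
}

# The recommended list from this article.
$wiaAgents = @(
    "MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6",
    "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0",
    "Windows NT 6.3; WOW64; Trident/7.0", "Windows NT 6.2; Trident/7.0",
    "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0",
    "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0",
    "Windows NT 6.1; WOW64; Trident/7.0", "MSIPC", "Windows Rights Management Client"
)

# Constructed sample User-Agent strings (not captured from real traffic).
$samples = [ordered]@{
    'IE 11 on Windows 8.1' = 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko'
    'Chrome on Windows 10' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36'
    'Chrome on macOS'      = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36'
}

foreach ($name in $samples.Keys) {
    $on  = Get-AdfsIntranetAuthMode -UserAgent $samples[$name] -WIASupportedUserAgents $wiaAgents
    $off = Get-AdfsIntranetAuthMode -UserAgent $samples[$name] -WIASupportedUserAgents $wiaAgents `
               -WindowsIntegratedFallbackEnabled $false
    '{0,-22} fallback on: {1,-6} fallback off: {2}' -f $name, $on, $off
}

# The two settings the article describes, applied on the federation server.
Set-AdfsProperties -WIASupportedUserAgents $wiaAgents
Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true
```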
Configuring Alternate Login ID
3/5/2021 • 13 minutes to read
NOTE
Microsoft's recommended best practice is to match the UPN to the primary SMTP address. This article addresses the small
percentage of customers that cannot remediate UPNs to match.
For example, users may be signing in with their email ID, which can differ from their UPN. This is
particularly common in scenarios where the UPN is non-routable. Consider a user Jane Doe with
UPN jdoe@contoso.local and email address jdoe@contoso.com. Jane might not even be aware of the UPN, as
she has always used her email ID for signing in. Use of any sign-in identifier other than the UPN constitutes an
alternate ID. For more information on how the UPN is created, see Azure AD UserPrincipalName population.
Active Directory Federation Services (AD FS) enables users of federated applications to sign in using an
alternate ID. This lets administrators specify an alternative to the default UPN to be used for sign-in. AD
FS already supports any form of user identifier that is accepted by Active Directory Domain Services (AD
DS). When configured for alternate ID, AD FS allows users to sign in using the configured alternate ID value, for example the
email ID. Using the alternate ID enables you to adopt SaaS providers, such as Office 365, without modifying your
on-premises UPNs. It also enables you to support line-of-business service applications with consumer-provisioned
identities.
Alternate ID in Azure AD
An organization may have to use an alternate ID in the following scenarios:
1. The on-premises domain name is non-routable, e.g. Contoso.local, and as a result the default user principal
name is non-routable (jdoe@contoso.local). The existing UPN cannot be changed due to local application
dependencies or company policies. Azure AD and Office 365 require all domain suffixes associated with an
Azure AD directory to be fully internet routable.
2. The on-premises UPN is not the same as the user's email address; to sign in to Office 365, users use their email
address, and the UPN cannot be used due to organizational constraints. In the above-mentioned scenarios,
alternate ID with AD FS enables users to sign in to Azure AD without modifying your on-premises UPNs.
NOTE
Microsoft recommends using Azure AD Connect to configure alternate logon ID.
AlternateLoginID is the LDAP name of the attribute that you want to use for login.
LookupForests is the list of DNS names of the forests that your users belong to.
To enable the alternate login ID feature, you must configure both the -AlternateLoginID and -LookupForests parameters
with a non-null, valid value.
In the following example, you enable alternate login ID functionality such that your users with accounts in the
contoso.com and fabrikam.com forests can log in to AD FS-enabled applications with their "mail" attribute.
3. To disable this feature, set the value of both parameters to null.
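As an added example (not part of the original article), the following PowerShell carries the contoso.com and fabrikam.com case through: it first checks that the chosen attribute is unique in each forest, then enables alternate login ID on the built-in Active Directory claims provider trust, verifies the result, and shows the disable step. It assumes "AD AUTHORITY" as the identifier of that claims provider trust and that the ActiveDirectory module is installed for the uniqueness check.

```powershell
# Added example, not from the article.
$forests   = 'contoso.com', 'fabrikam.com'
$attribute = 'mail'

# Pre-check: duplicate values of the attribute cause sign-in failures
# (MSIS8014/MSIS8015 in the error table later in this article), so look for
# them before enabling the feature. Port 3268 queries the global catalog,
# which covers every domain of the forest.
Import-Module ActiveDirectory
foreach ($forest in $forests) {
    Get-ADUser -Server "${forest}:3268" -LDAPFilter "($attribute=*)" -Properties $attribute |
        Group-Object -Property $attribute |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { "{0}: '{1}' is used by {2} accounts" -f $forest, $_.Name, $_.Count }
}

# Enable alternate login ID: both parameters must be non-null for the feature
# to take effect.
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" `
    -AlternateLoginID $attribute `
    -LookupForests $forests

# Verify what is now configured.
Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY" |
    Select-Object Name, AlternateLoginID, LookupForests

# To disable the feature again, set both parameters back to null.
# Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID $null -LookupForests $null
```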
Office version 1712 (build no 8827.2148) and above have updated the authentication logic to handle the
alternate-id scenario. In order to leverage the new logic, the client machines need to be updated to Office
version 1712 (build no 8827.2148) and above.
Step 2. Update to required Windows version
Windows version 1709 and above have updated the authentication logic to handle the alternate-id scenario. In
order to leverage the new logic, the client machines need to be updated to Windows version 1709 and above.
Step 3. Configure registry for impacted users using group policy
The Office applications rely on information pushed by the directory administrator to identify the alternate-id
environment. The following registry keys need to be configured to help Office applications authenticate the user
with alternate-id without showing any extra prompts.
Regkey to add: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
Regkey data name, type, and value: EnableAlternateIdSupport, REG_DWORD, 1
Windows 7/8: Required for Outlook 2016 ProPlus
Windows 10: Required for Outlook 2016 ProPlus
Description: The value of this regkey can be 1 / 0 to indicate to the Outlook application whether it should
engage the improved alternate-id authentication logic.
OneDrive for Business
- Supported - client-side registry key recommended
- With Alternate ID configured, you see the on-premises UPN pre-populated in the verification field. This needs to
be changed to the alternate identity that is being used. We recommend using the client-side registry key noted
in this article: Office 2013 and Lync 2013 periodically prompt for credentials to SharePoint Online, OneDrive, and
Lync Online.
Office 365 Pro Plus activation page
- Supported - client-side registry key recommended
- With Alternate ID configured, you see the on-premises UPN pre-populated in the verification field. This needs to
be changed to the alternate identity that is being used. We recommend using the client-side registry key noted
in this article: Office 2013 and Lync 2013 periodically prompt for credentials to SharePoint Online, OneDrive, and
Lync Online.
Hybrid Public Folders
- Supported, no extra prompts.
- With Modern Authentication for Exchange Online: Supported. With regular authentication for Exchange Online:
Not Supported.
Cross premises Delegation
- See Configure Exchange to support delegated mailbox permissions in a hybrid deployment
- See Configure Exchange to support delegated mailbox permissions in a hybrid deployment
Archive mailbox access (Mailbox on-premises - archive in the cloud)
- Supported, no extra prompts
- Supported - Users get an extra prompt for credentials when accessing the archive; they have to provide their
alternate ID when prompted.
Skype for Business / Lync
- Supported, with no extra prompts
- Supported (except as noted) but there is a potential for user confusion. On mobile clients, Alternate ID is
supported only if SIP address = email address = Alternate ID.
Error case: Unable to get a value for SAMAccountName for the user object
Impact on sign-in experience: Login failure
Event: Event ID 364 with exception message MSIS8012: Unable to find samAccountName for the user: '{0}'.
Error case: The CanonicalName attribute is not accessible
Impact on sign-in experience: Login failure
Event: Event ID 364 with exception message MSIS8013: CanonicalName: '{0}' of the user:'{1}' is in bad format.
Error case: Multiple user objects are found in one forest
Impact on sign-in experience: Login failure
Event: Event ID 364 with exception message MSIS8015: Found multiple user accounts with identity '{0}' in forest
'{1}' with identities: {2}
Error case: Multiple user objects are found across multiple forests
Impact on sign-in experience: Login failure
Event: Event ID 364 with exception message MSIS8014: Found multiple user accounts with identity '{0}' in forests:
{1}
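As an added example (not part of the original article), the following PowerShell turns the error table above into a triage query: it reads Event ID 364 entries from the AD FS Admin log on the federation server, classifies them by the MSIS code from the table, and extracts the identity the user typed where the message carries one. The function name is hypothetical; the log name "AD FS/Admin" is the standard AD FS admin channel.

```powershell
# Added example, not from the article. Run on the federation server.
# Causes are taken from the error table above.
$causes = @{
    'MSIS8012' = 'samAccountName could not be read for the user object'
    'MSIS8013' = 'CanonicalName attribute not accessible (bad format)'
    'MSIS8014' = 'multiple user objects found across forests'
    'MSIS8015' = 'multiple user objects found in one forest'
}

function Get-AdfsAlternateIdFailures {
    param([int]$MaxEvents = 500)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Only events carrying one of the alternate login ID codes are relevant.
        if ($e.Message -notmatch '(MSIS801[2-5])') { continue }
        $code = $Matches[1]

        # MSIS8014/MSIS8015 quote the typed identity as "identity '<value>'".
        $identity = ''
        if ($e.Message -match "identity '([^']+)'") { $identity = $Matches[1] }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Code     = $code
            Cause    = $causes[$code]
            Identity = $identity
        }
    }
}

$failures = @(Get-AdfsAlternateIdFailures)
if ($failures.Count -eq 0) {
    'No alternate login ID failures (MSIS8012-MSIS8015) in the last 500 Event ID 364 entries.'
} else {
    # A spike of one code for one identity usually points at a directory data
    # problem (duplicate mail values, missing attribute) rather than at AD FS.
    $failures | Group-Object Code, Identity | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
```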
See Also
AD FS Operations
Create a Claims Provider Trust
6/17/2021 • 2 minutes to read
To add a new claims provider trust by using the AD FS Management snap-in and manually configure the
settings, perform the following procedure on a resource partner federation server in the resource partner
organization.
Membership in Administrators , or equivalent, on the local computer is the minimum requirement to complete
this procedure. Review details about using the appropriate accounts and group memberships at Local and
Domain Default Groups.
5. On the Specify Display Name page, type a Display name, under Notes type a description for this
claims provider trust, and then click Next.
6. On the Configure URL page, specify the WS-Federation Passive URL if applicable and click Next.
7. On the Configure Identifier page, under Claims provider trust identifier, type the appropriate
identifier, and then click Next.
8. On the Configure Certificates page, click Add to locate a certificate file and add it to the list of
certificates, and then click Next.
9. On the Ready to Add Trust page, click Next to save your claims provider trust information.
10. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box. For
more information about how to proceed with adding claim rules for this claims provider trust, see the
following additional references.
To create a claims provider trust using federation metadata
To add a new claims provider trust, using the AD FS Management snap-in, by automatically importing
configuration data about the partner from federation metadata that the partner has published to a local network
or to the Internet, perform the following procedure on a federation server in the resource partner organization.
NOTE
Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these
certificates have no security value and can enable an attacker to impersonate a Federation Service that is publishing
federation metadata. Therefore, when querying federation metadata, you should only use a fully qualified domain name
such as https://myserver.contoso.com.
5. On the Specify Display Name page, type a Display name, under Notes type a description for this claims
provider trust, and then click Next.
6. On the Ready to Add Trust page, click Next to save your claims provider trust information.
7. On the Finish page, click Close. This will automatically display the Edit Claim Rules dialog box. For more
information about how to proceed with adding claim rules for this claims provider trust, see the
Additional references section below.
Additional references
Checklist: Configuring the Resource Partner Organization
Checklist: Creating Claim Rules for a Claims Provider Trust
See Also
AD FS Operations
Create a Non-Claims-Aware Relying Party Trust
6/17/2021 • 2 minutes to read
In the AD FS Management snap-in, non-claims-aware relying party trusts are objects that are created to
represent the trust between the federation service and a single web-based application that is not claims-aware
and that is accessed through the Web Application Proxy.
A non-claims-aware relying party trust is a relying party trust which consists of identifiers, names, and rules for
authentication and authorization when the relying party trust is accessed through the Web Application Proxy.
These web-based applications that do not rely on claims, in other words, these Integrated Windows
Authentication-based applications, can have authorization rules that enforce access that is based on claims when
the access is external to the corporate network through the Web Application Proxy.
To add a new non-claims-aware relying party trust, by using the AD FS Management snap-in, perform the
following procedure.
Membership in Administrators , or equivalent, on the local computer is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at Local and Domain
Default Groups.
3. On the Welcome page, choose Non claims aware and click Start.
4. On the Specify Display Name page, type a name in Display name, under Notes type a description for
this relying party trust, and then click Next.
5. On the Configure Identifiers page, specify one or more identifiers for this relying party, click Add to
add them to the list, and then click Next.
6. On the Choose Access Control Policy page, select a policy and click Next. For more information about
Access Control Policies, see Access Control Policies in AD FS.
7. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party
trust information.
8. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.
See Also
AD FS Operations
Create a Relying Party Trust
6/17/2021 • 3 minutes to read
The following document provides information on creating a relying party trust manually and using federation
metadata.