How to Get Schema Information...

[Guest]

Hi

I am new to AD. I know about the Active Directory Schema Snap-in for MMC

Are there any other tools delivered with Windows 2000/2003 that allow someone who inherits a complex environment to make sense of the Schema defined in the AD, without any documentation

Sometime, it would be very useful to look at the data in the AD, see all values given to an attribute for a specific type of object, etc..

Thanks

 

[Eric Fleischman [MSFT]]

Hum. Well I'm not totally sure what you're looking for.
The schema itself is documented up on MSDN so you can find a lot of details
there.
Short of that, you can use tools like ldp to view specific classes, or
perhaps ldifde to dump the schema entirely to a text file. For example:
ldifde -f schema.ldf -d "cn=schema,cn=configuration,dc=domain,dc=com"

Of course you would put your own domain in there.

Is that along the lines of what you're looking for?

~Eric

 

[Matt \(IS Team\)]

Hum. Well I'm not totally sure what you're looking for.
The schema itself is documented up on MSDN so you can find a lot of details
there.
Short of that, you can use tools like ldp to view specific classes, or
perhaps ldifde to dump the schema entirely to a text file. For example:
ldifde -f schema.ldf -d "cn=schema,cn=configuration,dc=domain,dc=com"

Of course you would put your own domain in there.

Is that along the lines of what you're looking for?

~Eric

--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Hi.

I am new to AD. I know about the Active Directory Schema Snap-in for MMC.

Are there any other tools delivered with Windows 2000/2003 that allow
someone who inherits a complex environment to make sense of the Schema
defined in the AD, without any documentation?

Sometime, it would be very useful to look at the data in the AD, see all
values given to an attribute for a specific type of object, etc...

You might find the free tool at
http://www.ldapadministrator.com/download/index.php useful...

__
Matt

 

[Guest]

----- Eric Fleischman [MSFT] wrote: ----

Hum. Well I'm not totally sure what you're looking for
The schema itself is documented up on MSDN so you can find a lot of details
there
Short of that, you can use tools like ldp to view specific classes, or
perhaps ldifde to dump the schema entirely to a text file. For example
ldifde -f schema.ldf -d "cn=schema,cn=configuration,dc=domain,dc=com

Of course you would put your own domain in there. ;

Is that along the lines of what you're looking for

I am a DBA. If I were to inherit a database, I know exactly how I would go about to figure out what the various objects (tables, views, etc.) in the database are, how they are related, what values are allowed for a column, and so on... In short, I could figure out the data-structure, without needing access to application source code

I guess what I was asking for is how would I do something like that for the AD

In our AD, we have lots of classes added by IP telephony, Exchange, and other systems. I have no idea what they are. I can see various attributes, but do not know what values are allowed for each attribute and what the values mean... I can export the entire AD to say Access and try to figure things out. But I was wondering whether there is a different method that Network Engineers would use to figure out / maintain an AD they inherited

 

[Eric Fleischman [MSFT]]

In short, I could figure out the data-structure, without needing access to

application source code.

And you can do the same in ad:
ldifde -f schema.ldf -d "cn=schema,cn=configuration,dc=domain,dc=com"

That will dump the schema to an ldif file and you can then read through it
much the same way you would for AD.
Beyond that it is up to the sysadmin who extends the schema (much like the
DBA who sets up the data layout) to document what they do. I can point you
to docs on AD defaults, Exchange extensions, etc. but I can't tell you what
your particular admin did I'm afraid. Dumping it to an ldif file (such as
what the command above does) will let you pick through that as you so
choose.

Does that not do what you are looking for?

~Eric


--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

----- Eric Fleischman [MSFT] wrote: -----

Hum. Well I'm not totally sure what you're looking for.
The schema itself is documented up on MSDN so you can find a lot of
details
there.
Short of that, you can use tools like ldp to view specific classes, or
perhaps ldifde to dump the schema entirely to a text file. For
example:
ldifde -f schema.ldf -d "cn=schema,cn=configuration,dc=domain,dc=com"

Of course you would put your own domain in there.

Is that along the lines of what you're looking for?

I am a DBA. If I were to inherit a database, I know exactly how I would go
about to figure out what the various objects (tables, views, etc.) in the
database are, how they are related, what values are allowed for a column,
and so on... In short, I could figure out the data-structure, without
needing access to application source code.

I guess what I was asking for is how would I do something like that for
the AD.

In our AD, we have lots of classes added by IP telephony, Exchange, and
other systems. I have no idea what they are. I can see various
attributes, but do not know what values are allowed for each attribute and
what the values mean... I can export the entire AD to say Access and try
to figure things out. But I was wondering whether there is a different
method that Network Engineers would use to figure out / maintain an AD
they inherited?

 

[Guest]

----- Eric Fleischman [MSFT] wrote: ----

I can point you
to docs on AD defaults, Exchange extensions, etc.

That would be very helpful..

Thank you.

 

[Hank Arnold]

Eric,

I just ran this on our DC and this is the content of the ldif.log file.
I've removed the DC and domain names due to paranoia.... I was logged on as
"administrator". Any idea what this means?? TIA

Connecting to "<DC>.<DOMAIN>"
Logging in as current user using SSPI
Exporting directory to file schema.ldf
Searching for entries...
Writing out entries
No Entries found

 

[Eric Fleischman [MSFT]]

It means you probably named the domain wrong, or you had a domain lookup
failure (IE we couldnt' find a DC due to name resolution). It is typically
the former.

Try adding the -s switch then the name of the server, so:
ldifde -f schema.ldf -d "cn=schema,cn=configuration,dc=domain,dc=com" -s
DomainControllerName

Or you can use the IP address of the DC instead of the name. That will take
a domain name lookup off of the table at least.

 

[Eric Fleischman [MSFT]]

Surely. I'll assume we're talking about 2003 schema (we extend when you
migrate from 2000 to 2003).
BTW, my search term to find the AD was "active directory schema". If you
search MSDN for them, they typically are the first hit.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/active_directory_schema.asp

 

[Matt \(IS Team\)]

Eric,

I just ran this on our DC and this is the content of the ldif.log file.
I've removed the DC and domain names due to paranoia.... I was logged on as
"administrator". Any idea what this means?? TIA

Connecting to "<DC>.<DOMAIN>"
Logging in as current user using SSPI
Exporting directory to file schema.ldf
Searching for entries...
Writing out entries
No Entries found

You'll find the free tool at
http://www.ldapadministrator.com/download/index.php useful...

Trust me!

__
Matt

 

[Hank Arnold]

Found the problem. I had specified the second "dc=" statement as

dc=com

instead of

dc=local

--
Regards,
Hank Arnold

It means you probably named the domain wrong, or you had a domain lookup
failure (IE we couldnt' find a DC due to name resolution). It is typically
the former.

Try adding the -s switch then the name of the server, so:
ldifde -f schema.ldf -d "cn=schema,cn=configuration,dc=domain,dc=com" -s
DomainControllerName

Or you can use the IP address of the DC instead of the name. That will take
a domain name lookup off of the table at least.

--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

 

[Cary Shultz [A.D. MVP]]

I almost never trust anyone who says, "Trust me!" - especially when the link
that this person provides does not work!

Cary

 

[Matt \(IS Team\)]

I almost never trust anyone who says, "Trust me!" - especially when the link
that this person provides does not work!

Cary

The link doesn't seem to work anymore, fair one.

Try: http://www.softerra.com/products/ldapadmin.php (same product, different
place)

This (free) product would have benefited the OP, still will!
I found it to be a fantastic tool when in a similar position, and when
writing some vbs scripts to automate user management.

I can appreciate why you wouldn't trust someone you don't know, who posted
to a thread on a public ng you happened to read, I doubt anyone would...

Although, if you do decide to place your trust in a complete stranger, mail
me and I'll let you know where to post the cheque to.
I won't cash it - promise!


__
Matt

 

[Cary Shultz [A.D. MVP]]

Matt,

The check is in the mail! ;-)

I will gladly take a look at the product that you are promoting. Always
love to find out about new products that make our life easier!

Thanks for the new link.

Cary