Lately, I wanted to create an Active Directory test domain. It was supposed to have exactly the same content as an existing one.
That quickly confronts you with the following problem:
How can I ensure that the test directory has the same LDAP schema as the reference domain?
With built-in tools you can synchronize, or export and import, the AD schema. One tool in particular, part of the server role AD LDS (formerly ADAM), has proven to be very helpful here. When the role is installed, you can find a program named ADSchemaAnalyzer.exe in the folder C:\Windows\ADAM.
Install the AD schema as a copy of the production domain
With the tool ADSchemaAnalyzer you can determine the schema difference between two LDAP directories (AD DS / AD LDS) and export it into an LDIF file. This file then has to be imported into the target directory with the tool ldifde.exe. ldifde.exe is a command line tool which exists on every domain controller.
Because some of the terms used could be misleading, I want to explain them first.
Tutorial: Synchronize and install LDAP schema
- Start ADSchemaAnalyzer
- Load the schema of the target directory
File > Load target schema…
Enter user name, password and domain
Confirm with OK
The result could look like this:
- Load the schema of the test directory
File > Load base schema…
Once the connection data for the test directory has been entered successfully, the schema difference is determined.
The tool now shows all classes and attributes with their status.
With the option Schema > Hide present elements you can hide entries that already exist.
After that, you can manually select the desired classes and attributes.
With Schema > Mark all non present elements as included you can add all missing ones.
- Then, you can create the LDIF import file via File > Create LDIF file.
Example file (short):
The header of this file already contains the command line for ldifde:
ldifde -i -u -f Fa-Schema.ldf -s ServerName -j . -c "cn=Configuration,dc=X" #configurationNamingContext
It is important that the target server holds the AD FSMO role "Schema Master" and that the executing user is a schema administrator (member of the group Schema Admins).
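As an added example that is not part of the original post, the following PowerShell script performs the pre-flight checks just described before running the ldifde command from the file header: it resolves the schema master, verifies Schema Admins membership, and refuses LDIF files containing anything other than additions and modifications. It assumes the ActiveDirectory module is available and uses Fa-Schema.ldf as a placeholder file name.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumptions: ActiveDirectory PowerShell module installed, script runs on a
# domain member as the user who will do the import, LDIF file name is a placeholder.
Import-Module ActiveDirectory

$LdifFile = 'Fa-Schema.ldf'   # placeholder: the file ADSchemaAnalyzer created

# 1. The import must go to the schema master, not to an arbitrary DC.
$Forest       = Get-ADForest
$SchemaMaster = $Forest.SchemaMaster
Write-Host "Schema master: $SchemaMaster"

# 2. The executing user must be a member of Schema Admins (RID 518 in the
#    forest root domain). Token groups only reflect a membership added after
#    a fresh logon, so a stale token fails this check.
$RootDomainSid   = (Get-ADDomain -Identity $Forest.RootDomain).DomainSID.Value
$SchemaAdminsSid = "$RootDomainSid-518"
$TokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }
if ($TokenSids -notcontains $SchemaAdminsSid) {
    throw 'Current user is not a member of Schema Admins; the import would fail.'
}

# 3. Schema changes cannot be undone, so only allow add/modify operations.
#    Microsoft schema LDIFs use ntdsSchemaAdd / ntdsSchemaModify as changetypes.
$Allowed     = @('add', 'modify', 'ntdsSchemaAdd', 'ntdsSchemaModify')
$ChangeTypes = Select-String -Path $LdifFile -Pattern '^changetype:\s*(\w+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
$Unexpected  = $ChangeTypes | Where-Object { $_ -notin $Allowed }
if ($Unexpected) {
    throw "LDIF contains changetype(s) $($Unexpected -join ', '); review before importing."
}
Write-Host "Changetypes found: $($ChangeTypes -join ', ')"

# 4. Run the import with the parameters from the file header:
#    -i import, -u Unicode, -f file, -s server, -j log directory,
#    -c replaces the placeholder "cn=Configuration,dc=X" with the real
#    configuration naming context of the target forest.
& ldifde.exe -i -u -f $LdifFile -s $SchemaMaster -j . `
    -c 'cn=Configuration,dc=X' '#configurationNamingContext'
if ($LASTEXITCODE -ne 0) {
    throw "ldifde.exe returned exit code $LASTEXITCODE; see ldif.log and ldif.err in the current directory."
}
```

Importing the same LDIF into a throwaway AD LDS instance first is the cheapest way to catch errors before touching the production schema master.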
Changes to the AD schema cannot be reversed! Check all actions thoroughly!
The author does not assume liability for data loss, undesired side effects or any other guarantees. The risk lies with the user.