
Modifying Active Directory Schema

http://seminars.apple.com/seminarsonline/modifying/apple/index.html?s=301

I've watched the video a dozen or more times and have read through the pdf as well.

But I'm getting 41 attributes and 10 classes, not the 36 attributes and 10 classes they talk about in the video and pdf (I've tried this 3 times).

I have frozen the video a few times and the selections on that do not match the pdf???

Windows 2008 R2 AD, 10.6 OD.

I have used Windows XP Mode from Windows 7 to run the ADAM AD Schema Analyzer.

Can anyone fill me in on what I might be missing from the video or pdf? Are there some changes with 2008 R2 and 10.6?

Cheers

Jason

Mac Mini, Mac OS X (10.6.3)

Posted on Apr 22, 2010 6:48 AM

Question marked as Best reply

Posted on Apr 26, 2010 2:15 PM

Here are the 36 attributes I got when I tried it:


$ grep "^# Attribute: " Apple-Schema-Extensions.ldf
# Attribute: apple-category
# Attribute: apple-computeralias
# Attribute: apple-computer-list-groups
# Attribute: apple-computers
# Attribute: apple-data-stamp
# Attribute: apple-dns-domain
# Attribute: apple-dnsname
# Attribute: apple-dns-nameserver
# Attribute: apple-group-homeowner
# Attribute: apple-group-homeurl
# Attribute: apple-imhandle
# Attribute: apple-keyword
# Attribute: apple-mcxflags
# Attribute: apple-mcxsettings
# Attribute: apple-neighborhoodalias
# Attribute: apple-networkview
# Attribute: apple-nodepathxml
# Attribute: apple-service-location
# Attribute: apple-service-port
# Attribute: apple-service-type
# Attribute: apple-service-url
# Attribute: apple-user-authenticationhint
# Attribute: apple-user-class
# Attribute: apple-user-homequota
# Attribute: apple-user-homesoftquota
# Attribute: apple-user-mailattribute
# Attribute: apple-user-picture
# Attribute: apple-user-printattribute
# Attribute: apple-webloguri
# Attribute: apple-xmlplist
# Attribute: apple-mountDirectory
# Attribute: mountDumpFrequency
# Attribute: mountOption
# Attribute: mountPassNo
# Attribute: mountType
# Attribute: ttl

What did you get in addition to the above? Also, which ADAM tools were you using? When I did this, I didn't use XP mode (at least as far as I know - I'm not very Windows savvy). What I did was add the "Active Directory Lightweight Directory Services" role on the server, then run WindowsADAMADSchemaAnalyzer from the Command Prompt.

I dunno if they're relevant, but here are some potential gotchas I found:
• The settings for apple-computer-list at the top of page 7 are wrong (they list apple-computer-list-group twice), as is the following text (it lists apple-generateduid twice); you should follow the list at the bottom of page 7 instead.
• The UI in AD Schema Analyzer is very confusing. Each class has two boxes next to it: one to hide (minus sign) or show (plus sign) related attributes, and another to exclude (blank) or include (heavy plus) it in the export. Related attributes have one box, which can implicitly include (plus on gray background) or explicitly exclude (heavy X) it from the export. You have to click to select the classes to include, and then under each of those, click to exclude the attributes that you don't want. (Did you maybe get the attribute selection backward?)
• The white paper and videos are written for Mac OS X v10.5; I don't know what (if anything) should be changed for 10.6, but I expect they're close enough it'll work as is.
• If you cut-and-paste any of the LDIF from the white paper (e.g. the auxiliaryClass and possSuperiors stuff) from the PDF, you may wind up with spaces at the beginning and end of each pasted line; these must be removed, or you'll get import errors. Also, make sure the LDIF file has DOS-style line endings (CR+LF), not Unix style (LF only).
• The white paper describes changing the objectClassCategory of some of the objectClasses to 3; depending on which version of the ADAM tools generated the LDIF, you may also need to set the rest of them to 1 (for some reason, it can export them with an objectClassCategory of 0, which is invalid).
• The white paper doesn't detail indexing the macAddress attribute, which is a good idea to speed computer record lookups; the relevant LDIF snippet is:


# Index the macAddress attribute for faster searches
dn: CN=macAddress,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 1
-
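An added example, not from this thread or from Apple's white paper: a small Python checker that applies the whitespace, line-ending and objectClassCategory gotchas above to an ADAM-generated LDIF before it is handed to ldifde. The LDIF sample is constructed, and the default that treats apple-user as an auxiliary (category 3) class is an assumption for the sample; the white paper's own list decides which classes get 3.

```python
import re

# Constructed sample of an ADAM-exported LDIF showing the problems above: LF line
# endings, a line pasted from the PDF with surrounding spaces, a real RFC 2849
# folded line, and classes exported with objectClassCategory 0.
SAMPLE_LDIF = (
    "# Class: apple-user\n"
    "dn: cn=apple-user,cn=Schema,cn=Configuration,dc=X\n"
    "changetype: add\n"
    "objectClass: classSchema\n"
    "objectClassCategory: 0\n"
    "adminDescription: apple user account folded\n"
    "  onto a second line\n"
    " auxiliaryClass: apple-user \n"
    "\n"
    "# Class: apple-computer-list\n"
    "dn: cn=apple-computer-list,cn=Schema,cn=Configuration,dc=X\n"
    "changetype: add\n"
    "objectClass: classSchema\n"
    "objectClassCategory: 0\n"
)

ATTR_LINE = re.compile(r"^\s+[A-Za-z][\w-]*:")  # indented "attr: value" line
VALID_CATEGORIES = {"1", "2", "3"}             # structural, abstract, auxiliary


def normalize_ldif(text, auxiliary_classes=("apple-user",)):
    """Return (fixed_text, findings) for an LDIF that is headed for ldifde.

    An indented line that looks like "attr: value" is treated as a PDF-paste
    artefact and stripped; any other indented line is a genuine LDIF fold and
    is joined to the previous line. objectClassCategory 0 becomes 1, or 3 for
    the classes named in auxiliary_classes (assumed list; the white paper says
    which ones). Output uses CR+LF. The dc=X placeholder in dn values is kept
    because ldifde /c substitutes the real search base at import time.
    """
    findings, lines, current_class = [], [], None
    for num, raw in enumerate(text.splitlines(), start=1):
        if raw[:1] in (" ", "\t") and lines and not ATTR_LINE.match(raw):
            lines[-1] += raw[1:]  # unfold: drop the single leading space
            continue
        line = raw.strip()
        if line != raw:
            findings.append(f"line {num}: stripped surrounding whitespace")
        if line.lower().startswith("dn: cn="):
            current_class = line[len("dn: cn="):].split(",", 1)[0]
        m = re.match(r"^objectClassCategory:\s*(\S+)$", line, re.I)
        if m and m.group(1) not in VALID_CATEGORIES:
            fixed = "3" if current_class in auxiliary_classes else "1"
            findings.append(f"line {num}: objectClassCategory {m.group(1)} "
                            f"on {current_class} rewritten to {fixed}")
            line = f"objectClassCategory: {fixed}"
        lines.append(line)
    if "\r\n" not in text:
        findings.append("converted LF line endings to CR+LF")
    return "\r\n".join(lines) + "\r\n", findings
```

Run `normalize_ldif(open("Apple-Schema-Extensions.ldf").read())`, review the findings list, and write the returned text back in binary mode so the CR+LF endings survive.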
25 replies

May 5, 2010 2:37 PM in response to Jason Millen

I'm getting 38 attributes and 10 classes. Done it 3 times. Same results. Driving me insane. I'm running the ADAM tool on a Win 2003 DC server locally. This is the same DC that I'm pulling the AD base schema from. Is this OK? Do I really have to run it from a Windows PC in the AD domain? Can I run it from the DC itself? I ask because all I have are Windows 7 and Windows Vista systems. No XP systems are available. Why not run ADAM from the DC? I'm a domain admin so I have full rights.

The Mac OD server is running Mac OS X Server 10.6.3.

I'm using ADAM version SP1 (can't seem to find a version number other than SP1).

I have noticed a few errors in the PDF white paper guide (May 2009):

1) The example on the top of page 7 is WRONG. It shows the following attribute as both deselected AND selected:

[+] mayContain:apple-computer-list-groups (selected)
[X] mayContain:apple-computer-list-groups (deselected)

This is a huge contradiction. Apple can't get the example right. Ouch. What's the point of an example then? This is maddening and sloppy. Period.


2) Also, the top of page 9 shows a non-existent attribute:

mayContain:ipHostAddress (there is no such thing on Mac OS X 10.5 or 10.6!)

I assume that Apple meant to refer to this:

mayContain:ipHostNumber


3) Also, the download URL for the ADAM tool on page 6 is wrong.

Other issues:

1) I have noticed that when I load the Target and Base schemas, two classes appear in RED text. This seems dangerous to me:

subentry
subschema

What does it mean when they show up in red?

2) Do I need to select EVERY Class object (top level folder with the disclosure triangle widget thingy) and THEN DESELECT each Class that I don't need to export? I have read the instructions in the PDF white paper (May 2009) several times (and watched the Apple video too), but I don't understand the difference between a Class that is blank (no ticks) versus a Class that has been deselected with an X tick. Don't they mean the same thing? Do I literally have to select every single Class top folder and then drill into them and deselect them? This is discussed above but I'm still confused.

May 9, 2010 10:23 PM in response to Daniel Stranathan

I don't have a Windows server handy for reference, so I can't give definitive answers to all of these, but I'll see what I can do from memory. First, are you doing this with Windows Server 2003 or 2003 R2 domain controller? It matters a lot, because they added a lot of unix (/RFC2307) support to the schema in R2, and if that's not there as a base you'll have a lot more to do than is covered in the white paper and video.

There's no problem I know of running ADSchemaAnalyzer from the DC; that's what I did, and didn't have any trouble.

Did you compare the list of attributes you got to the list I posted above? It'd help a lot to know what extra attributes you're getting.

1) Yes, there's an error in the example at the top of page 7 of the white paper (and a different error in the text below; see the notes I posted earlier in the thread). Use the list at the bottom of page 7 instead.

2) I didn't notice the ipHostAddress glitch, but I'm pretty sure you have the right solution here.

3) I suspect the download URL is out of date. It's also irrelevant if you're running this on the DC (and it's 2003 R2 or later, which it'd better be anyway). From [http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en]:

ADAM now ships as a part of the Microsoft® Windows® Server 2003 R2 release and can be installed through Optional Component Manager. This download is for use on Microsoft® Windows® Server 2003 systems that do not have the Microsoft® Windows® Server 2003 R2 refresh. ADAM SP1 includes the enhancements made to ADAM in the Microsoft® Windows® Server 2003 R2 release.


On Server 2003 R2, you install it in Add or Remove Programs -> Add/Remove Windows Components -> Active Directory Services -> Details -> Active Directory Application Mode (ADAM).

Other issue 1) I don't remember anything showing up in red, and don't know what it indicates. (Maybe that they're in both schema, but with different properties?) Are they still listed after you hide present elements? If not, I wouldn't worry about it.

2) No, you should completely ignore the classes that aren't listed in the white paper. Their second box can be blank, indicating that the default behavior (don't export) will be followed. It occurs to me that playing around with these irrelevant classes might incidentally trigger the export of unneeded attributes, which might be why you're getting too many in the export.

May 24, 2010 5:19 AM in response to Jason Millen

I did get 36 attributes and 10 classes
- you have to select the entire class and then select the options that are NOT listed on pdf to export what you want if I recall correctly.

----

I too assumed the same with the few errors in the pdf doc for 10.5
- Did anyone find a doc for 10.6?

-----

> • The white paper and videos are written for Mac OS X v10.5; I don't know what (if anything) should be changed for 10.6, but I expect they're close enough it'll work as is.


The directions for 10.5 do not fully work with 10.6 clients. The user/group policies work but the computer/computer list policies do not.

----

I found a Open Directory Administration 10.6 doc that states (pg 222):

Note: Apple might extend the Open Directory LDAP schema in the future; for example, to support new versions of Mac OS X and Mac OS X Server. The latest schema is available in text files on a computer with Mac OS X Server installed. The schema files are in the /etc/openldap/schema/ directory. The apple.schema file contains the latest schema extensions for Open Directory LDAP directories.

I am assuming that the schema was updated in 10.6 and causing my issues. I will be setting up a 10.6 server when I get time.

Jun 3, 2010 9:50 PM in response to Jason Millen

I was having the same problem of getting 38 attributes instead of 36. After comparing the attributes of the exported LDIF file to those listed above, I found the following attributes that were exported:

1. macAddress, found under apple-computer -> mayContain:macAddress. This is found in the white paper on page 7. I do not understand, as the document says to select it but the output listed above does not have it.
2. ipHostNumber, found under apple-service -> ipHostNumber. This is on page 9 of the white paper but it calls it ipHostAddress.

I ran on a DC running Windows 2003 SP2. The Mac server is 10.6.3 and has all the latest updates applied on both.

Jun 6, 2010 4:15 PM in response to Burnitall

@Burnitall: the extra attributes you're getting are already in the AD schema, hence don't need to be added. Did you load the AD schema as a base, and exclude them (page 6 of the white paper, steps 6 and 7)? If you do the schema diff properly, those should be left out of the LDIF file.

As for the error you're getting while importing, it looks like you aren't substituting your actual LDAP search base for the "dc=X" that the file contains. The import command in the white paper (page 13, step 2) uses ldifde's /c option to do the replacement:

ldifde /j . /k /i /f apple-mods.ldf /v /c "DC=X" "DC=EXAMPLE,DC=COM"

(only you'd use your actual search base instead of "DC=EXAMPLE,DC=COM").

Jun 7, 2010 8:29 AM in response to Gordon Davisson

Well, I did the base correctly I believe, as I was getting similar results. It must be that my AD does not already have them. I excluded them to get 36 attributes instead of including them like the document suggests. The question then is why do they include them in the document when they are already in the AD?

I have checked the ldifde execution and am using the /c command with the DC=X and our DC placed into it but still get ref1: 'x'

See the command I am using:
" ldifde /j . /k /i /f OSX-2003-SP2.ldf /v/c "DC=X" "DC=HanseEnv,DC=internal""

I copied right from the white paper and subbed in my LDIF file name and my DC. I have tried different capitalization to see if it's case sensitive but no luck.

Running the command as Administrator on the Domain Controller, a Small Business 2003 SP2 machine.

Aug 17, 2010 4:14 AM in response to Jason Millen

I did follow both, the printed as well as Timothy's online tutorial to implement the AD schema modification.

Everything seems to have worked well for Windows 2008 R2 extended with the 10.6 OD schema *although I noticed differences* when running "Create LDIF file" from ADSchemaAnalyzer.exe:

1. The default "objectClassCategory" was always "0" instead of "1"
2. "changetype" was "add" instead of "ntdsschemaadd"

Still I seem to have issues when I want to administrate users in the AD domain using Apple Workgroup Manager: When I log in to the AD using the admin credentials, authentication works well and I can change the settings for existing users. The problem comes in when I want to either create or delete users and groups. *Although using the Domain Administrator from AD, the commands are grayed out*.

*My LDIF result:*
...
# Class: apple-user
dn: cn=apple-user,cn=Schema,cn=Configuration,dc=X
changetype: add
objectClass: classSchema
governsID: 1.3.6.1.4.1.63.1000.1.1.2.1
ldapDisplayName: apple-user
adminDescription: apple user account
objectClassCategory: 3
...

*Demo LDIF result:*
...
# Class: apple-user
dn: cn=cls-apple-user,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: classSchema
governsID: 1.3.6.1.4.1.63.1000.1.1.2.1
ldapDisplayName: apple-user
adminDescription: apple user account
objectClassCategory: 3
...

*Applying the schema did not report any issues:*
C:\>ldifde /j . /k /i /f osx_opendirectory.ldf /v /c "DC=X" "DC=EXAMPLE,DC=COM"
...
51 entries modified successfully.
The command has completed successfully

Anybody had similar issues after the schema modification?

Aug 17, 2010 11:05 PM in response to dalimsoftware

dalimsoftware wrote:
Everything seems to have worked well for Windows 2008 R2 extended with the 10.6 OD schema *although I noticed differences* when running "Create LDIF file" from ADSchemaAnalyzer.exe:

1. The default "objectClassCategory" was always "0" instead of "1"
2. "changetype" was "add" instead of "ntdsschemaadd"


I think these are due to changes in newer versions of ADSchemaAnalyzer. The changetype difference shouldn't matter (ntdsschemaadd is just like add, except that it skips the item if it already exists), but the objectClassCategory difference may be causing problems. According to [Microsoft's documentation|http://msdn.microsoft.com/en-us/library/ms679014(VS.85).aspx], the possible values for objectClassCategory are "Structural 1, abstract 2, auxiliary 3. Class 88, 0 should not be used", so I've just set it to 1 (except for the classes where the PDF says to set it to 3).

Aug 19, 2010 12:43 AM in response to Gordon Davisson

Thanks, I will check that as well as maybe doing another test scenario using a W2003 AD controller.

Running the schema extension on AD (not using the "golden/magic triangle" setup), *are you able to fully administrate users and groups in Workgroup Manager?*

I noticed some permission issue in Workgroup Manager on mine I could not figure out:
- Creating new records is not possible
- Groups and users (except the admin account) can be deleted

Aug 24, 2010 9:12 AM in response to dalimsoftware

I don't think it's possible to create users or groups in AD via Workgroup manager. The basic problem is that AD users and groups are Windows users and groups first, and have various Windows-required attributes that WGM doesn't know anything about. Extending the schema allows the users and groups to optionally also have Mac management attributes, but doesn't remove their native Windows requirements. So, you need to create users and groups with Windows Server tools, then use WGM to add Mac-compatible managed attributes to them.
