Extend schema

This document explains how to extend the schema in a Managed Service for Microsoft Active Directory instance.

Before you begin

Before you begin, do the following:

  1. Create a Managed Microsoft AD domain.
  2. Create and join a Windows VM to the domain.
  3. Make sure that you read About schema extension and understand these considerations.
  4. Prepare the LDIF file with the schema changes. For more information, see How to prepare your LDIF file.
  5. Make sure that you have any one of the following Identity and Access Management (IAM) user roles:

    • Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)
    • Google Cloud Managed Identities Admin (roles/managedidentities.admin)

    For more information, see Cloud Managed Identities roles.

Extend the schema

When you initiate schema extension, Managed Microsoft AD creates a schema extension backup automatically before applying the schema changes. You can use this backup to restore the domain if you encounter any problems after schema extension. To identify the schema extension backup, you can list the backups created for your domain.

To extend the schema, run the following gcloud CLI command:

gcloud active-directory domains extend-schema DOMAIN_NAME --ldif-file=LDIF_FILE_PATH \
    --description=SCHEMA_EXTENSION_DESCRIPTION --project=DOMAIN_RESOURCE_PROJECT_ID --async

Replace the following:

  • DOMAIN_NAME: The name of your Managed Microsoft AD domain. For example, my-domain.example.com.
  • LDIF_FILE_PATH: The path of the LDIF file with the schema changes. The maximum file size is 1 MB.
  • SCHEMA_EXTENSION_DESCRIPTION: The description of the schema changes.
  • DOMAIN_RESOURCE_PROJECT_ID: The project ID of the domain resource project. For example, my-project.

Managed Microsoft AD initiates the schema extension and responds with an operation ID that you can use to track its completion.

To check the status of your schema extension, run the following gcloud CLI command:

gcloud active-directory operations describe OPERATION_ID

Replace OPERATION_ID with the operation ID of your schema extension. For example, operation-1234567890-98765a1b2c3d4e5-e6f7g8-9h0i1j2.

Verify the schema extension

After you extend the schema of your Managed Microsoft AD instance, it's important that you verify the schema changes before integrating your applications with Active Directory. You can verify the schema changes using different tools and approaches. The following sections explain how to verify the schema changes using either of these approaches:

  1. Active Directory Schema Snap-In
  2. Windows PowerShell

Active Directory Schema Snap-In

To verify the schema changes using Active Directory Schema Snap-In, do the following:

  1. Log in to your domain-joined VM as a delegated administrator.
  2. Install the Active Directory Schema Snap-In.
  3. Open the Microsoft Management Console (MMC).
  4. Expand the Active Directory Schema tree for your directory.
  5. Verify that you can see the changes in the classes and attributes of the schema.

Windows PowerShell

To verify the schema changes using Windows PowerShell, use the Get-ADObject cmdlet. Run the following command in Windows PowerShell:

Get-ADObject -Identity 'cn=ATTRIBUTE,cn=Schema,cn=Configuration,dc=ROOT_DOMAIN,dc=TOP_LEVEL_DOMAIN' -Properties *

Replace the following:

  • ATTRIBUTE: The name of an attribute in your schema. For example, example-attribute.
  • ROOT_DOMAIN: The root domain of your domain name. For example, if your domain name is example.com, enter example.
  • TOP_LEVEL_DOMAIN: The top-level domain of your domain name. For example, if your domain name is example.com, enter com.

In the response, verify that you can see the changes in the classes and attributes of the schema.
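As an added example (not from this page or Google's documentation), the following PowerShell script generalizes the single Get-ADObject check above: it reads the LDIF file that was passed to --ldif-file and confirms that every schema object the file adds now exists in the live schema partition. The -LdifPath parameter, the use of Get-ADRootDSE to obtain the schema naming context, and the replacement of the DN suffix found in the LDIF with that live naming context are assumptions made here.

```powershell
# Added example: verify that each schema object added by an LDIF file is present
# in the domain's schema partition. Run on the domain-joined VM with the
# ActiveDirectory module installed. Assumption: DNs in the LDIF end in
# "CN=Schema,CN=Configuration,<domain>", and that suffix is replaced with the
# live schema naming context so a placeholder domain in the file still resolves.
param(
    [Parameter(Mandatory = $true)][string]$LdifPath
)
Import-Module ActiveDirectory

# Live schema naming context, e.g. CN=Schema,CN=Configuration,DC=example,DC=com
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# LDIF folds long lines onto continuation lines that start with one space; unfold
# them, then split the file into records separated by blank lines.
$unfolded = (Get-Content -Path $LdifPath -Raw) -replace "`r?`n ", ''
$records  = $unfolded -split '(?:\r?\n){2,}' | Where-Object { $_ -match '(?im)^dn:' }

# Keep only "changetype: add" records that target the schema partition.
$toCheck = foreach ($rec in $records) {
    if ($rec -notmatch '(?im)^changetype:\s*add\s*$') { continue }
    if ($rec -match '(?im)^dn:\s*(.+?)\s*$' -and
        $Matches[1] -match '(?i)CN=Schema,CN=Configuration,') {
        $Matches[1] -replace '(?i)CN=Schema,CN=Configuration,.*$', $schemaNc
    }
}

# Look up each DN; Get-ADObject throws a terminating error for a missing
# identity, so a try/catch (not -ErrorAction) is needed to record "not found".
$results = foreach ($dn in $toCheck) {
    try {
        $obj = Get-ADObject -Identity $dn -Properties lDAPDisplayName, whenCreated -ErrorAction Stop
    } catch {
        $obj = $null
    }
    [pscustomobject]@{
        DistinguishedName = $dn
        Present           = [bool]$obj
        ObjectClass       = if ($obj) { $obj.ObjectClass } else { $null }
        LdapDisplayName   = if ($obj) { $obj.lDAPDisplayName } else { $null }
        WhenCreated       = if ($obj) { $obj.whenCreated } else { $null }
    }
}
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) schema object(s) from the LDIF were not found."
    exit 1
}
```

A non-zero exit code with the list of missing DNs indicates the extension did not apply completely; in that case, check the operation status with gcloud before restoring from the schema extension backup.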

What's next