How to add some schema extensions to Active Directory:

1. Find the ADDC with the Schema Master FSMO:

root@addc-01:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=ADDC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
InfrastructureMasterRole owner: CN=NTDS Settings,CN=ADDC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
RidAllocationMasterRole owner: CN=NTDS Settings,CN=ADDC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=ADDC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
DomainNamingMasterRole owner: CN=NTDS Settings,CN=ADDC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=ADDC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=ADDC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net

Schema extensions can only be managed on the ADDC that holds the SchemaMasterRole.

2. Check that replication is working between all ADDCs:

root@addc-01:~# samba-tool drs replicate addc-01 addc-02 dc=example,dc=net
Replicate from addc-02 to addc-01 was successful.
root@addc-01:~# samba-tool drs replicate addc-02 addc-01 dc=example,dc=net
Replicate from addc-01 to addc-02 was successful.

3. If you don't have an OID of your own for your attributes, get one from http://pen.iana.org/pen/PenApplication.page. It will take a few days until you get your free OID. All your attributes must have a unique OID; it should look like: 1.3.1.5.1.4.1.. . To make your attribute names unique you should use a common prefix for all your attributes.

4. You need two ldif files for adding the extension, one for the attributes and one for adding the attributes to the object class.

File for attributes:
---------------------------
# File attrib.ldif
# => .name
# = "String(Unicode)",
dn: CN=StkaTextAttribute,CN=Schema,CN=Configuration,DC=example,DC=net
changetype: add
objectClass: attributeSchema
attributeSyntax: 2.5.5.12
oMSyntax: 64
attributeID: 1.3.1.5.1.4.1.987654.1
lDAPDisplayName: StkaTextAttribute
adminDisplayName: StkaTextAttribute

# => .name
# ="Boolean",
dn: CN=StkaBoolAttribute,CN=Schema,CN=Configuration,DC=example,DC=net
changetype: add
objectClass: attributeSchema
attributeSyntax: 2.5.5.8
oMSyntax: 1
attributeID: 1.3.1.5.1.4.1.987654.2
lDAPDisplayName: StkaBoolAttribute
adminDisplayName: StkaBoolAttribute
---------------------------

To find the attributeSyntax you need to download the Samba4 sources, open the file source4/dsdb/schema/schema_syntax.c and search for "static const struct dsdb_syntax dsdb_syntaxes". There you will find all possible attributeSyntax values. So replace "987654" with your OID number, choose your attributeSyntax and the attribute name, and create your attribute ldif.

5. Create your class.ldif to add the attributes you created:
---------------------------
# File class.ldif
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=net
changetype: modify
add: mayContain
mayContain: StkaTextAttribute
mayContain: StkaBoolAttribute

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
---------------------------
This ldif will add the new attributes to all your users.

6. Add the attributes to your Active Directory:
--------------
root@addc-01:~# ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=yes" --verbose < attr.ldif
Modified CN=StkaTextAttribute,CN=Schema,CN=Configuration,DC=example,DC=net
Modified CN=StkaBoolAttribute,CN=Schema,CN=Configuration,DC=example,DC=net
Modified 2 records successfully
--------------

7. Add the attributes to your object class:
--------------
root@addc-01:~# ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=yes" --verbose < class.ldif
Modified CN=User,CN=Schema,CN=Configuration,DC=example,DC=net
Modified
Modified 2 records successfully
--------------

8. Recheck replication:
--------------
root@addc-01:~# samba-tool drs replicate addc-01 addc-02 dc=example,dc=net
Replicate from addc-02 to addc-01 was successful.
root@addc-01:~# samba-tool drs replicate addc-02 addc-01 dc=example,dc=net
Replicate from addc-01 to addc-02 was successful.
--------------

9. Create an ldif to change an existing user:
--------------
dn: CN=u4,cn=users,DC=example,DC=net
changetype: modify
add: StkaTextAttribute
StkaTextAttribute: What is the answer to all questions
-
add: StkaBoolAttribute
StkaBoolAttribute: TRUE
--------------

10. Add the attributes to the user:
--------------
root@addc-01:~# ldbmodify -H /var/lib/samba/private/sam.ldb user.ldif
Modified 1 records successfully
--------------

11. List all attributes of the user:
--------------
root@addc-01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=u4
# record 1
dn: CN=u4,CN=Users,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: u4
instanceType: 4
whenCreated: 20161005151014.0Z
uSNCreated: 3830
name: u4
objectGUID: 4dd53b1f-8378-442a-b2c2-3cf641856ffd
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3254471717-23904020-1408941044-1106
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: u4
sAMAccountType: 805306368
userPrincipalName: u4@example.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
pwdLastSet: 131201538144805200
userAccountControl: 512
StkaTextAttribute: What is the answer to all questions
StkaBoolAttribute: TRUE
whenChanged: 20161030182528.0Z
uSNChanged: 3996
distinguishedName: CN=u4,CN=Users,DC=example,DC=net
--------------

Now you can add your attributes to all new and all existing users. You can also use ADUC from the RSAT to add the attributes. To do so, activate the extended options and then use the "attribute editor" to edit your attributes.
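Steps 4 and 5 above build the two ldif files by hand. The following is an added example, not part of the original howto, that generates attrib.ldif and class.ldif from a PEN and a list of attribute definitions and checks the result for duplicate or foreign attributeIDs and unprefixed names before it is fed to ldbmodify; it assumes the IANA PEN arc 1.3.6.1.4.1 as the OID base (the howto writes its OIDs under 1.3.1.5.1.4.1) and reuses the howto's placeholder PEN 987654 and prefix "Stka".

```python
# Added example, not code from the original howto: build attrib.ldif and
# class.ldif from a PEN and a list of attribute definitions, then check them
# before they go into ldbmodify. Assumes the IANA PEN arc 1.3.6.1.4.1 as OID
# base (the howto writes 1.3.1.5.1.4.1); PEN 987654 and prefix "Stka" are
# the howto's placeholder values.
SCHEMA_DN = "CN=Schema,CN=Configuration,DC=example,DC=net"
PEN_ARC = "1.3.6.1.4.1"
# attributeSyntax / oMSyntax pairs used in the howto (full table: Samba's
# source4/dsdb/schema/schema_syntax.c).
SYNTAXES = {"String(Unicode)": ("2.5.5.12", 64), "Boolean": ("2.5.5.8", 1)}

def attribute_ldif(pen, prefix, attrs):
    """attrs: list of (name, syntax). Attribute n gets OID <PEN_ARC>.<pen>.n."""
    records = []
    for n, (name, syntax) in enumerate(attrs, start=1):
        attribute_syntax, om_syntax = SYNTAXES[syntax]
        ldap_name = prefix + name
        records.append(
            f'# {ldap_name} = "{syntax}"\n'
            f"dn: CN={ldap_name},{SCHEMA_DN}\n"
            "changetype: add\nobjectClass: attributeSchema\n"
            f"attributeSyntax: {attribute_syntax}\noMSyntax: {om_syntax}\n"
            f"attributeID: {PEN_ARC}.{pen}.{n}\n"
            f"lDAPDisplayName: {ldap_name}\nadminDisplayName: {ldap_name}\n"
        )
    return "\n".join(records)  # a blank line separates LDIF records

def class_ldif(prefix, attrs, object_class="User"):
    """mayContain entries for object_class plus the rootDSE schemaUpdateNow record."""
    may = "".join(f"mayContain: {prefix}{name}\n" for name, _ in attrs)
    return (
        f"dn: CN={object_class},{SCHEMA_DN}\nchangetype: modify\n"
        f"add: mayContain\n{may}\n"
        "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n"
    )

def check_ldif(text, pen, prefix):
    """Problems found: IDs outside our arc, duplicate IDs, names without prefix."""
    problems, seen = [], set()
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "attributeID":
            if not value.startswith(f"{PEN_ARC}.{pen}."):
                problems.append(f"attributeID outside own arc: {value}")
            if value in seen:
                problems.append(f"duplicate attributeID: {value}")
            seen.add(value)
        elif key == "lDAPDisplayName" and not value.startswith(prefix):
            problems.append(f"unprefixed attribute name: {value}")
    return problems
```

Write the two return values to attrib.ldif and class.ldif and apply them exactly as in steps 6 and 7; an empty list from check_ldif means the attribute file is internally consistent, not that the names are free in your schema.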