Menu

How to Check the Active Directory Schema Version - Unpublished

Aug 19, 2024

How to Check the Active Directory Schema Version - Unpublished

Introduction

Certificate Automation Manager constantly interacts with Active Directory (AD) objects during the Certificate enrollment process. The AD Schema version is a description of all directory objects and attributes of the Windows domain. The AD Schema reflects the basic structure of the catalog and is critical for its proper functioning. Usually, the Schema version requires an update when you add a new Domain Controller (DC) with a new version of Windows Server.

  • Certificate Automation Manager requires an AD Schema version of Windows Server 2008 R2 (objectVersion 47) or higher.

The Schema version is associated with the objectVersion property, which is expressed as a number. Below, we provide the list of Windows Server versions and their corresponding objectVersion (Schema version) value.

Windows Server version objectVersion value
Windows Server 2000 13
Windows Server 2003 30
Windows Server 2003 R2 31
Windows Server 2008 44
Windows Server 2008 R2 47
Windows Server 2012 56
Windows Server 2012 R2 69
Windows Server 2016 87
Windows Server 2019 88

Guidelines

There are three ways to find your current AD Schema version. You can use the Server Manager, the PowerShell, or the Command Prompt. In this article, we show you the steps to use any of those tools.

Using the Server Manager

  1. Log in to your Active Directory Domain Controller. Note: If you have more than one domain controller, you should log in to the forest root domain controller.

  2. Open the Server Manager, click Tools, and click ADSI Edit.

  3. Right-click the ADSI Edit and click Connect to…

  4. Click the radio button next to Select a well known Naming Context, select Schema from the drop-down menu, and click OK.

  5. Expand the container that starts with Schema [FQDN_of_your_DC].

  6. Right-click on the first folder on the list and click Properties.

  7. On the Attribute Editor tab, scroll down until you find the objectVersion property.

  8. Compare the value that is shown there against the ones provided in the table above. In this case, the objectVersion value is 87, which corresponds to an AD Schema version of Windows Server 2016.

Using the PowerShell

  1. Log in to your Active Directory Domain Controller. Note: If you have more than one domain controller, you should log in to the forest root domain controller.

  2. Click the Start Menu, right-click Windows PowerShell, hover over More, and click Run as administrator.

  3. If there is a pop-up screen from the User Account Control, or UAC, asking if you want to allow the app to make changes, click Yes.

  4. Run the command Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion.

  5. Compare the objectVersion value from the results against the table above. In this case, the objectVersion value is 87, which corresponds to an AD Schema version of Windows Server 2016.

Using the Command Prompt

  1. Log in to your Active Directory Domain Controller. Note: If you have more than one domain controller, you should log in to the forest root domain controller.

  2. Click Start Menu, right-click Command Prompt, hover over More, and click Run as administrator.

  3. Run the command dsquery * cn=schema,cn=configuration,dc=<your_domain_name>,dc=<your_domain_suffix> -scope base -attr objectVersion.

  4. Compare the objectVersion value from the results against the table above. In this case, the objectVersion value is 87, which corresponds to an AD Schema version of Windows Server 2016.

After you have checked the AD Schema version, you should know your objectVersion value. If the objectVersion value is lower than 47, which corresponds to an AD Schema version of Windows Server 2008 R2, you will need to modify the value prior to deploying Certificate Automation Manager.

Related Articles

How to Enable Advanced Logging for Certificate Automation Manager Server

Feb 29, 2020, 5:07 AM

This article will guide you through enabling Certificate Automation Manager advanced logging feature. If this is not the solution you are looking for, please search for the solution in the search bar above. Note: This support article applies to Certificate Automation Manager version 5.x and below. Also, when facing issues to enroll for Certificates, our support staff may require more information to determine the root cause of the problem.

Read More

How to Create Custom Certificate Templates

Mar 2, 2020, 1:56 AM

This article will go over how to create templates from duplicates of default templates for both User and Machine Authentication. Depending on the use case that you implement, you will need to duplicate one of the default Certificate templates. Duplication is not required but is strongly recommended to avoid changing the properties of default templates and to better control the changes applied to templates that work with the Certificate Automation Manager.

Read More

How to Create and Link a GPO in Active Directory

Mar 2, 2020, 2:58 AM

This article will walk you through on how to create and link a Group Policy in Active Directory. Creating a GPO is a fairly simple task, so long as you know what settings you need to change, and how to apply it to the endpoints you are trying to affect.

Read More

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support