Business background
A business application needed an extra attribute on domain user objects to store a specific path identifier. Searching the web for "custom attribute" turned up nothing very concrete, so I went through the official documentation. The attribute added in this test is named userPdictionary.
System environment
- Windows Server 2016 Standard
- AD
- DNS
Procedure
The AD setup steps are omitted.
Enabling the Active Directory Schema snap-in in MMC
Run regsvr32 schmmgmt.dll from cmd (the snap-in is not registered by default):
regsvr32 schmmgmt.dll
Adding Active Directory Schema in mmc
Type mmc in Run to launch the console, then choose File - Add/Remove Snap-in,
select Active Directory Schema - Add - OK.
The left pane now shows the classes and attributes of the current AD schema. The snap-in must be connected to the schema master, and the account used must be a member of Schema Admins, or the changes below will fail.
Adding the custom attribute
Right-click Attributes in the left pane, choose New - Attribute, and click Continue at the warning. The warning is worth reading: a schema change replicates to every DC in the forest, and an attribute, once created, cannot be deleted, only deactivated (made defunct).
The Create New Attribute dialog appears; the main parameters are:
- Common Name
- LDAP Display Name
- Unique X500 Object ID
- Description
plus the attribute Syntax (Unicode String for a path identifier). The field that needs explanation is the Unique X500 Object ID.
Obtaining an object identifier
According to the official documentation:
Object identifiers (OIDs) are unique numeric values issued by various issuing authorities to uniquely identify data elements, syntaxes, and other parts of distributed applications. OIDs are found in OSI applications, X.500 directories, SNMP, and other applications where uniqueness is important. OIDs are based on a tree structure in which a superior issuing authority, such as ISO, allocates a branch of the tree to a subauthority, which in turn can allocate sub-branches.
The LDAP protocol (RFC 2251) requires directory services to identify object classes, attributes, and syntaxes using OIDs. This is part of LDAP's X.500 heritage.
OIDs in Active Directory Domain Services include some issued by ISO for X.500 classes and attributes, and some issued by Microsoft and other issuing authorities. OID notation is a dotted string of numbers, for example "1.2.840.113556.1.5.9", which the following table explains.
Value | Meaning | Description
---|---|---
1 | ISO | Identifies the root authority.
2 | ANSI | Group designation assigned by ISO.
840 | USA | Country/region designation assigned by the group.
113556 | Microsoft | Organization designation assigned by the country/region.
1 | Active Directory | Assigned by the organization.
5 | Class | Assigned by the organization.
9 | User class | Assigned by the organization.
The Unique X500 Object ID above is what the official documentation calls the object identifier. When extending the local domain schema you need an object identifier of your own; following the documentation, I used the "Obtaining an object identifier from Microsoft" method.
To extend the Active Directory schema successfully, you can obtain a root OID from the script shown below. OIDs produced by the script are unique: they are mapped from a freshly generated GUID. Read the best practices carefully, because mishandled OIDs can lead to data loss.
The script for obtaining a root OID is as follows:
' oidgen.vbs
'
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
' OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR
' FITNESS FOR A PARTICULAR PURPOSE.
'
' Copyright (c) Microsoft Corporation. All rights reserved
' Improvements made by Ryein C. Goddard
'
' This script is not supported under any Microsoft standard support program or service.
' The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
' implied warranties including, without limitation, any implied warranties of merchantability
' or of fitness for a particular purpose. The entire risk arising out of the use or performance
' of the scripts and documentation remains with you. In no event shall Microsoft, its authors,
' or anyone else involved in the creation, production, or delivery of the script be liable for
' any damages whatsoever (including, without limitation, damages for loss of business profits,
' business interruption, loss of business information, or other pecuniary loss) arising out of
' the use of or inability to use the script or documentation, even if Microsoft has been advised
' of the possibility of such damages.
' ----------------------------------------------------------------------
Function GenerateOID()
'Initializing Variables
Dim guidString, oidPrefix
Dim guidPart0, guidPart1, guidPart2, guidPart3, guidPart4, guidPart5, guidPart6
Dim oidPart0, oidPart1, oidPart2, oidPart3, oidPart4, oidPart5, oidPart6
On Error Resume Next
'Generate GUID
Set TypeLib = CreateObject("Scriptlet.TypeLib")
guidString = TypeLib.Guid
'If no network card is available on the machine then generating GUID can result with an error.
If Err.Number <> 0 Then
Wscript.Echo "ERROR: Guid could not be generated, please ensure machine has a network card."
Err.Clear
WScript.Quit
End If
'Stop Error Resume Next
On Error GoTo 0
'The Microsoft OID Prefix used for the automated OID Generator
oidPrefix = "1.2.840.113556.1.8000.2554"
'Split GUID into 6 hexadecimal numbers
guidPart0 = Trim(Mid(guidString, 2, 4))
guidPart1 = Trim(Mid(guidString, 6, 4))
guidPart2 = Trim(Mid(guidString, 11, 4))
guidPart3 = Trim(Mid(guidString, 16, 4))
guidPart4 = Trim(Mid(guidString, 21, 4))
guidPart5 = Trim(Mid(guidString, 26, 6))
guidPart6 = Trim(Mid(guidString, 32, 6))
'Convert the hexadecimal to decimal
oidPart0 = CLng("&H" & guidPart0)
oidPart1 = CLng("&H" & guidPart1)
oidPart2 = CLng("&H" & guidPart2)
oidPart3 = CLng("&H" & guidPart3)
oidPart4 = CLng("&H" & guidPart4)
oidPart5 = CLng("&H" & guidPart5)
oidPart6 = CLng("&H" & guidPart6)
'Concatenate all the generated OIDs together with the assigned Microsoft prefix and return
GenerateOID = oidPrefix & "." & oidPart0 & "." & oidPart1 & "." & oidPart2 & "." & oidPart3 & _
"." & oidPart4 & "." & oidPart5 & "." & oidPart6
End Function
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "cmd /c Regsvr32 Schmmgmt.dll"
Set objFSO=CreateObject("Scripting.FileSystemObject")
outFile="C:\Users\Administrator\Desktop\oidInfo.txt"
Set objFile = objFSO.CreateTextFile(outFile,True)
'Output the resulted OID with best practice info
oidText = "Your root OID is: " & VBCRLF & GenerateOID & VBCRLF & VBCRLF & VBCRLF & _
"This prefix should be used to name your schema attributes and classes. For example: " & _
"if your prefix is ""Microsoft"", you should name schema elements like ""microsoft-Employee-ShoeSize"". " & _
"For more information on the prefix, view the Schema Naming Rules in the server " & _
"Application Specification (http://www.microsoft.com/windowsserver2003/partners/isvs/appspec.mspx)." & _
VBCRLF & VBCRLF & _
"You can create subsequent OIDs for new schema classes and attributes by appending a .X to the OID where X may " & _
"be any number that you choose. A common schema extension scheme generally uses the following structure:" & VBCRLF & _
"If your assigned OID was: 1.2.840.113556.1.8000.2554.999999" & VBCRLF & VBCRLF & _
"then classes could be under: 1.2.840.113556.1.8000.2554.999999.1 " & VBCRLF & _
"which makes the first class OID: 1.2.840.113556.1.8000.2554.999999.1.1" & VBCRLF & _
"the second class OID: 1.2.840.113556.1.8000.2554.999999.1.2 etc..." & VBCRLF & VBCRLF & _
"Using this example attributes could be under: 1.2.840.113556.1.8000.2554.999999.2 " & VBCRLF & _
"which makes the first attribute OID: 1.2.840.113556.1.8000.2554.999999.2.1 " & VBCRLF & _
"the second attribute OID: 1.2.840.113556.1.8000.2554.999999.2.2 etc..." & VBCRLF & VBCRLF & _
"Here are some other useful links regarding AD schema:" & VBCRLF & _
"Understanding AD Schema" & VBCRLF & _
"http://technet2.microsoft.com/WindowsServer/en/Library/b7b5b74f-e6df-42f6-a928-e52979a512011033.mspx " & _
VBCRLF & VBCRLF & _
"Developer documentation on AD Schema:" & VBCRLF & _
"http://msdn2.microsoft.com/en-us/library/ms675085.aspx " & VBCRLF & VBCRLF & _
"Extending the Schema" & VBCRLF & _
"http://msdn2.microsoft.com/en-us/library/ms676900.aspx " & VBCRLF & VBCRLF & _
"Step-by-Step Guide to Using Active Directory Schema and Display Specifiers " & VBCRLF & _
"http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/adschema.mspx " & _
VBCRLF & VBCRLF & _
"Troubleshooting AD Schema " & VBCRLF & _
"http://technet2.microsoft.com/WindowsServer/en/Library/6008f7bf-80de-4fc0-ae3e-51eda0d7ab651033.mspx " & _
VBCRLF & VBCRLF
objFile.Write oidText
objFile.Close
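The following is an added example, not part of the original post or of Microsoft's oidgen.vbs: a PowerShell port of GenerateOID for hosts where cscript/VBScript is unavailable or blocked. It applies the same seven-part GUID-to-decimal mapping under the same Microsoft prefix 1.2.840.113556.1.8000.2554, so the output has the same shape as the oidInfo.txt shown below, and adds a shape check for a root OID you are about to use. The function names are my own.

```powershell
# Added example (not from the original post): PowerShell port of oidgen.vbs's GenerateOID
# plus a sanity check on the resulting root OID.
function New-SchemaRootOid {
    param([guid]$Guid = [guid]::NewGuid())   # pass a GUID only to reproduce a known result
    $prefix = '1.2.840.113556.1.8000.2554'   # Microsoft's prefix for the automated generator
    $hex = $Guid.ToString('N')               # 32 hex digits, no braces or dashes

    # Same slices the VBScript takes with Mid(): 4,4,4,4,4,6,6 hex digits
    $starts  = 0, 4, 8, 12, 16, 20, 26
    $lengths = 4, 4, 4, 4, 4, 6, 6
    $arcs = for ($i = 0; $i -lt 7; $i++) {
        # hex -> decimal, the same conversion as CLng("&H" & part)
        [Convert]::ToInt64($hex.Substring($starts[$i], $lengths[$i]), 16)
    }
    return "$prefix." + ($arcs -join '.')
}

function Test-SchemaRootOid {
    param([Parameter(Mandatory)][string]$Oid)
    # Must be the generator prefix followed by exactly seven numeric arcs; the 4-digit
    # slices fit in 16 bits and the 6-digit slices in 24 bits.
    if ($Oid -notmatch '^1\.2\.840\.113556\.1\.8000\.2554(\.\d+){7}$') { return $false }
    $arcs   = [int64[]]($Oid.Split('.') | Select-Object -Last 7)
    $limits = 65535, 65535, 65535, 65535, 65535, 16777215, 16777215
    for ($i = 0; $i -lt 7; $i++) {
        if ($arcs[$i] -gt $limits[$i]) { return $false }
    }
    return $true
}

# Generate the root OID once per organisation and record it; every later class or
# attribute OID is derived from it (<root>.1.n for classes, <root>.2.n for attributes).
$root = New-SchemaRootOid
if (-not (Test-SchemaRootOid $root)) { throw "unexpected OID shape: $root" }
$root
```

Running Test-SchemaRootOid against the root OID printed in the oidInfo.txt below returns $true. Generate the root OID once and keep it in your change records: every root OID you use ends up in the forest's prefix table, which is replicated to every DC, so generating a fresh one per attribute is the wrong pattern.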
Run the script from cmd (for example cscript oidgen.vbs) to obtain a root OID for this forest; note that the OID is derived from a newly generated GUID, not from anything in the existing directory. The oidInfo.txt produced in this test reads:
Your root OID is:
1.2.840.113556.1.8000.2554.55786.31829.55335.19299.48276.12206014.6177421
This prefix should be used to name your schema attributes and classes. For example: if your prefix is "Microsoft", you should name schema elements like "microsoft-Employee-ShoeSize". For more information on the prefix, view the Schema Naming Rules in the server Application Specification (http://www.microsoft.com/windowsserver2003/partners/isvs/appspec.mspx).
You can create subsequent OIDs for new schema classes and attributes by appending a .X to the OID where X may be any number that you choose. A common schema extension scheme generally uses the following structure:
If your assigned OID was: 1.2.840.113556.1.8000.2554.999999
then classes could be under: 1.2.840.113556.1.8000.2554.999999.1
which makes the first class OID: 1.2.840.113556.1.8000.2554.999999.1.1
the second class OID: 1.2.840.113556.1.8000.2554.999999.1.2 etc...
Using this example attributes could be under: 1.2.840.113556.1.8000.2554.999999.2
which makes the first attribute OID: 1.2.840.113556.1.8000.2554.999999.2.1
the second attribute OID: 1.2.840.113556.1.8000.2554.999999.2.2 etc...
Here are some other useful links regarding AD schema:
Understanding AD Schema
http://technet2.microsoft.com/WindowsServer/en/Library/b7b5b74f-e6df-42f6-a928-e52979a512011033.mspx
Developer documentation on AD Schema:
http://msdn2.microsoft.com/en-us/library/ms675085.aspx
Extending the Schema
http://msdn2.microsoft.com/en-us/library/ms676900.aspx
Step-by-Step Guide to Using Active Directory Schema and Display Specifiers
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/adschema.mspx
Troubleshooting AD Schema
http://technet2.microsoft.com/WindowsServer/en/Library/6008f7bf-80de-4fc0-ae3e-51eda0d7ab651033.mspx
After obtaining the base OID
Once you have a base OID, be careful in deciding how to divide OIDs into categories, because these OIDs are included in the prefix table and are part of the data replicated between DCs. It is recommended not to create more than two OID categories.
You can create subsequent OIDs for new schema classes and attributes by appending .X to the OID, where X can be any number you choose. A common schema extension scheme generally uses the following structure:
If the assigned base OID is 1.2.840.113556.1.8000.999999, categories can be created as follows.
Base OID | Description
---|---
1.2.840.113556.1.8000.999999.1 | Application classes: the first class has OID 1.2.840.113556.1.8000.999999.1.1, the second class 1.2.840.113556.1.8000.999999.1.2, and so on.
1.2.840.113556.1.8000.999999.2 | Application attributes: the first attribute has OID 1.2.840.113556.1.8000.999999.2.1, the second attribute 1.2.840.113556.1.8000.999999.2.2, and so on.
Following this convention, the ID set for the attribute in this test is the root OID plus .2.1 (attribute category, first attribute):
1.2.840.113556.1.8000.2554.55786.31829.55335.19299.48276.12206014.6177421.2.1
Final configuration: [screenshot of the completed Create New Attribute dialog]
Associating the attribute with a class
Under Classes select user, right-click and choose Properties, as shown in the figure.
On the Attributes tab, click Add under the optional attributes list, add the custom attribute, then click OK. The attribute is now in the user class's mayContain list, so it can be set on any user object but is not required.
Actions an installer must perform
An application that extends the schema must apply its updates in the order described below. When extending the schema:
- Add the new attributes.
- Add the new classes.
- Add the new attributes to the classes.
- Trigger a cache reload.
Because the new attribute names do not yet exist in the schema cache, the new attributes referenced in step 3 must be referenced by their OIDs.
Step 4 is not needed if the extension is not used immediately; the extension appears in the schema cache after about five minutes, depending on system load. For details on the schema cache and how to trigger a reload, see Updating the Schema Cache.
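The same four steps, scripted with the ActiveDirectory module instead of the Schema snap-in, as an added example that is not part of the original post or of Microsoft's documentation. It assumes you run it as a member of Schema Admins on a DC or an RSAT host, that the attribute is the single-valued Unicode string userPdictionary from this post, that the root OID is the one printed in oidInfo.txt above, and that the target class is user; the -Confidential switch, the adminDescription text and the script name are my own additions.

```powershell
# Added example (not from the original post): create a custom attribute, attach it to a
# class and reload the schema cache, following the documented step order.
#Requires -Modules ActiveDirectory
param(
    [string]$AttributeName = 'userPdictionary',
    [string]$RootOid = '1.2.840.113556.1.8000.2554.55786.31829.55335.19299.48276.12206014.6177421',
    [string]$TargetClass = 'user',
    # Sets searchFlags bit 7 (0x80, confidential) so the stored path is readable only by
    # principals with CONTROL_ACCESS on the user object, not by every authenticated user.
    [switch]$Confidential
)

$ErrorActionPreference = 'Stop'
$schemaMaster = (Get-ADForest).SchemaMaster      # schema writes must go to the FSMO holder
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$attrOid      = "$RootOid.2.1"                   # .2 = attribute category, .1 = first attribute

# Pre-check: neither the OID nor the LDAP display name may already exist in the schema.
$clash = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(|(attributeID=$attrOid)(lDAPDisplayName=$AttributeName))" `
    -Properties attributeID, lDAPDisplayName
if ($clash) {
    throw "Schema already contains $($clash.lDAPDisplayName) ($($clash.attributeID)); choose another OID or name."
}

# Step 1: add the new attribute. attributeSyntax 2.5.5.12 with oMSyntax 64 = Unicode String.
$searchFlags = 0
if ($Confidential) { $searchFlags = 0x80 }
$attrProps = @{
    lDAPDisplayName  = $AttributeName
    attributeID      = $attrOid
    attributeSyntax  = '2.5.5.12'
    oMSyntax         = 64
    isSingleValued   = $true
    adminDescription = 'Path identifier for the business application'   # assumed text
    searchFlags      = $searchFlags
}
New-ADObject -Server $schemaMaster -Path $schemaNC -Type attributeSchema `
    -Name $AttributeName -OtherAttributes $attrProps

# Step 2 (add new classes) is not needed: the attribute goes on the existing user class.

# Step 3: add the attribute to the class's optional (mayContain) list. The schema cache
# does not know the new lDAPDisplayName yet, so the attribute is referenced by OID.
$classObj = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$TargetClass))"
Set-ADObject -Server $schemaMaster -Identity $classObj -Add @{ mayContain = $attrOid }

# Step 4: trigger a schema cache reload on the schema master instead of waiting ~5 min.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Verify: after the reload the class lists the attribute by display name, not by OID.
$mayContain = (Get-ADObject -Server $schemaMaster -Identity $classObj -Properties mayContain).mayContain
if ($mayContain -notcontains $AttributeName) {
    throw "$AttributeName is not in mayContain of $TargetClass; cache may not have reloaded yet"
}
"Added $AttributeName ($attrOid) to class $TargetClass on $schemaMaster"
```

Run it as, for example, .\Add-UserPdictionary.ps1 -Confidential (file name assumed). Because a schema change replicates forest-wide and cannot be rolled back, run it against a lab forest first and keep the OID, name and syntax in your change records; the pre-check catches a re-run, but it cannot undo a mistyped syntax. Make the attribute confidential only if the path really must be hidden from ordinary users: the bit also hides it from any application that reads it with a plain user account.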
Editing the attribute's content
In Active Directory Users and Computers, edit the attribute on the user object. Custom attributes do not appear on the standard tabs; enable View - Advanced Features and use the Attribute Editor tab.
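Setting and reading the new attribute from PowerShell, as an added example that is not part of the original post. The user alice, the path value and the accepted path format are constructed for the example; the function names are my own, and the ActiveDirectory module is assumed.

```powershell
# Added example (not from the original post): write, read back and audit the custom
# attribute on user objects. Sample user and path are constructed values.
function Set-UserPdictionary {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Path
    )
    # Assumed format for the identifier: an absolute local or UNC path with no control
    # characters. Validating here keeps garbage out of an attribute every user can write
    # to if delegated, and that the application will later trust as a path.
    if ($Path -notmatch '^(?:[A-Za-z]:\\|\\\\)[^\x00-\x1F]+$') {
        throw "Refusing to store '$Path': not an absolute local or UNC path"
    }
    # -Replace creates the value if unset and overwrites it otherwise (single-valued attribute).
    Set-ADUser -Identity $SamAccountName -Replace @{ userPdictionary = $Path }
}

function Get-UserPdictionary {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # -Properties is required: custom attributes are not in the default property set.
    $u = Get-ADUser -Identity $SamAccountName -Properties userPdictionary
    return $u.userPdictionary   # $null when the attribute has never been set
}

# Usage with constructed values:
Set-UserPdictionary -SamAccountName 'alice' -Path '\\fs01\profiles\alice'
Get-UserPdictionary -SamAccountName 'alice'

# Audit: every user with the attribute populated. The attribute is not indexed (searchFlags
# bit 0 unset), so this is a scan of the user objects; fine for audits, not for hot paths.
Get-ADUser -LDAPFilter '(userPdictionary=*)' -Properties userPdictionary |
    Select-Object SamAccountName, userPdictionary

# Remove the value again:
Set-ADUser -Identity 'alice' -Clear userPdictionary
```

If the attribute was created with the confidential bit, Get-UserPdictionary returns $null for callers without CONTROL_ACCESS on the object even when a value is present, so a missing value and a denied read look the same to the application; test the read path with the account the application actually uses.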