AWS Directory Service
Administration Guide (Version 1.0)

Step 2: Import Your LDIF File

You can extend your schema by importing an LDIF file from either the AWS Directory Service console or the API. For more information about how to do this with the schema extension APIs, see the AWS Directory Service API Reference. At this time, AWS does not support external applications, such as Microsoft Exchange, performing schema updates directly.

Important

When you make an update to your Microsoft AD directory schema, the operation is not reversible. In other words, once you create a new class or attribute, Active Directory doesn’t allow you to remove it. However, you can disable it.

If you must delete the schema changes, one option is to restore the directory from a previous snapshot. Restoring a snapshot rolls both the schema and the directory data back to a previous point, not just the schema.

Before the update process begins, Microsoft AD takes a snapshot to preserve the current state of your directory.

To import your LDIF file

  1. In the AWS Directory Service console navigation pane, select Directories.

  2. In the Directory ID column, choose the link for your directory.

  3. Under the Schema extensions tab, choose Upload and update schema.

  4. In the dialog box, click Browse, select a valid LDIF file, type a description, and then choose Update Schema.

    Important

    Extending the schema is a critical operation. Don't apply any schema update in a production environment without first testing it with your application in a development or test environment.

How the LDIF File Is Applied

After your LDIF file has been uploaded, Microsoft AD takes steps to protect your directory against errors as it applies the changes in the following order.

  1. Validates the LDIF file. Since LDIF scripts can manipulate any object in the domain, Microsoft AD runs checks right after you upload to help ensure that the import operation will not fail. These include checks to ensure the following:

    • The objects to be updated are only held in the schema container

    • The DC (domain controllers) part matches the name of the domain where the LDIF script is running

  2. Takes a snapshot of your directory. You can use the snapshot to restore your directory in case you encounter any problems with your application after updating the schema.

  3. Applies the changes to a single DC. Microsoft AD selects one of your DCs to be the schema master, removes that DC from directory replication, and applies the updates in your LDIF file to the isolated DC using Ldifde.exe.

  4. Replication occurs to all DCs. Microsoft AD adds the isolated DC back into replication to complete the update. While this is all happening, your directory continues to provide the Active Directory service to your applications without disruption.
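The two validation checks from step 1 can be rehearsed locally before an upload, which is useful given that a schema update cannot be rolled back except by snapshot restore. The following is an added example, not AWS code: it parses the DN of each LDIF record and flags any record that is outside the schema container or whose DC components do not match the directory's domain. The domain name and the LDIF content are constructed for illustration.

```python
# Added example (not AWS code): pre-flight checks mirroring the validations
# Microsoft AD performs on an uploaded LDIF file. Assumes the directory's
# domain is "corp.example.com"; the LDIF below is constructed sample input.
import re

SAMPLE_LDIF = """\
dn: CN=shoeSize,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.999999.1
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE
lDAPDisplayName: shoeSize

dn: CN=Users,DC=corp,DC=example,DC=com
changetype: modify
add: description
description: constructed record that should be rejected (not in the schema container)
"""

def parse_dns(ldif_text):
    """Return the plain 'dn:' value of every record (records are blank-line separated).
    Base64-encoded 'dn::' lines are not handled by this simple parser."""
    dns = []
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        for line in record.splitlines():
            if line.lower().startswith("dn:") and not line.startswith("dn::"):
                dns.append(line[3:].strip())
                break
    return dns

def schema_container_dn(domain):
    """Build the DN of the schema container for a DNS-style domain name."""
    dc_part = ",".join(f"DC={label}" for label in domain.split("."))
    return f"CN=Schema,CN=Configuration,{dc_part}"

def check_ldif(ldif_text, domain):
    """Return (dn, reason) for each record that would fail the upload checks."""
    schema_suffix = schema_container_dn(domain).lower()
    dc_suffix = schema_suffix.split("cn=configuration,")[1]
    problems = []
    for dn in parse_dns(ldif_text):
        dn_l = dn.lower().replace(", ", ",")
        if not dn_l.endswith("," + dc_suffix):          # check 2: DC part matches the domain
            problems.append((dn, "DC part does not match domain"))
        elif not dn_l.endswith("," + schema_suffix):    # check 1: object lives in the schema container
            problems.append((dn, "object is not in the schema container"))
    return problems
```

Run `check_ldif(open("ext.ldif").read(), "your.domain")` against a real file; an empty list means both checks pass, and each tuple otherwise names the offending DN.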

Next Step

Step 3: Verify If The Schema Extension Was Successful