Active Directory Schema Details for a Trusted Forest
I am trying to export AD schema details for a trusted forest. I don't have access to a domain computer of the trusted forest. I don't have an account of a trusted forest.
I use the following command to extract attributes of my own forest.
$schema = Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) `
    -SearchScope OneLevel -Filter * `
    -Properties objectClass, name, whenChanged, whenCreated, description, attributeID, isDefunct |
    Select-Object objectClass, name, whenCreated, whenChanged, isDefunct, `
        @{name = "event"; expression = { ($_.whenCreated).Date.ToShortDateString() }} |
    Sort-Object whenCreated
However, Get-ADObject does not work when I provide the schema partition context of the trusted domain. It gives an error like this:
Get-ADObject : The supplied distinguishedName must belong to one of the following partition(s)... listing the schema, configuration, and domain partitions of my current forest.
I tried to use the directory services methods, but this doesn't provide details like whenmodified, which we need to understand the timeline of schema changes in the directory. Can anyone provide a comprehensive way to query the schema of a trusted forest?
$Forest = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest", $ForestFQDN)
$Schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetSchema($Forest)
$AllProperties = $Schema.FindAllProperties()
Solution 1:
Info re the two-way trust would have been helpful, since a permissions issue is the first thing that comes to mind.
With your [System.DirectoryServices] query, you're listing the properties listed inside the Schema, not the Schema LDAP object properties. You've gone one level too far.
$Forest = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest", "$forestFQDN")
$Schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetSchema($Forest)
$s = $Schema.GetDirectoryEntry()
$s | Format-List whenCreated, whenChanged
whenCreated : {2002-02-06 11:40:41}
whenchanged : {2021-05-17 21:10:06}
If the $Schema.GetDirectoryEntry() method fails, it may still be a perms thing, of course. But if you can locate the object with GetSchema, that's encouraging.
Slightly tweaked version:
$Forest = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Forest", "$forestFQDN")
# Pass the context in; GetForest() with no argument returns the current user's forest, not the trusted one.
$ForestObj = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($Forest)
$Schema = $ForestObj.Schema.GetDirectoryEntry()
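The question asked for per-attribute timestamps, not just those of the schema container. As an added example (not code from the answer above), this walks the trusted forest's attributeSchema objects with one paged LDAP search from the same DirectoryContext, assuming the trust grants read access to the schema partition; $forestFQDN is a placeholder for the trusted forest's DNS name.

```powershell
# Added example, not from the original post. Assumes the trust allows reading the
# trusted forest's schema partition; $forestFQDN is a placeholder value.
$forestFQDN = 'trusted.example.com'

$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $forestFQDN)
$schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetSchema($ctx)

# GetDirectoryEntry() on the schema container (one level up from FindAllProperties)
# is the search base for the trusted forest's schema naming context.
$base  = $schema.GetDirectoryEntry()
$attrs = [string[]]('lDAPDisplayName', 'attributeID', 'whenCreated', 'whenChanged', 'isDefunct')
$searcher = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=attributeSchema)', $attrs)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$searcher.PageSize    = 1000   # a base schema has more than 1000 attributes; paging avoids the server size limit

$timeline = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties           # property names are lower-case in a SearchResult
    # isDefunct is absent on most objects, so treat "not present" as $false
    $defunct = $p.Contains('isdefunct') -and [bool]$p['isdefunct'][0]
    [pscustomobject]@{
        Name        = [string]$p['ldapdisplayname'][0]
        AttributeID = [string]$p['attributeid'][0]
        IsDefunct   = $defunct
        WhenCreated = [datetime]$p['whencreated'][0]
        WhenChanged = [datetime]$p['whenchanged'][0]
    }
}

# Newest modifications first: schema writes require Schema Admins rights, so an
# unexplained recent whenChanged is worth correlating with your change records.
$timeline | Sort-Object WhenChanged -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Swap the filter for (objectClass=classSchema) to build the same timeline for class definitions.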