Update AD schema to address CVE-2021-34470 vulnerability

This vulnerability is a remote code execution flaw in the Active Directory (AD) schema parser. It was discovered by the Microsoft Security Response Center (MSRC) and has been assigned CVE-2021-34470.

The cve-2021-31206 is a vulnerability that has been addressed by Microsoft. This vulnerability was found in Active Directory and could allow an attacker to overwrite files, delete files, or create new users.

Have you previously used Exchange Server but subsequently removed all Exchange Servers in your organization? Is there an Exchange Server in your company that is older than Exchange Server 2013? You must change your AD schema to solve the CVE-2021-34470 issue, and you must read this post.

CVE-2021-34470 is a vulnerability.

You may be susceptible to CVE-2021-34470 without intentional action by a schema admin in your company if:

  • You used to run Exchange Server, but you’ve subsequently removed all Exchange servers.
  • You’re using an Exchange Server version prior to Exchange 2013. (Exchange 2003, Exchange 2007, or Exchange 2010).

If your business falls into one of these categories, we suggest that you update your Active Directory schema to resolve the CVE-2021-34470 issue. There’s more on it later.

If your company uses Exchange Server, you’ve already resolved the CVE-2021-34470 issue. Because the patch is included in the July 2021 Exchange Server Security Updates, this is the case.

Important: Keep the latest Cumulative Update / Security Update installed on the Exchange Servers. When you have an Exchange Hybrid Server for administration reasons, this is also true.

Extensions to schemas will continue to exist.

The schema extensions created by Exchange to your Active Directory are not erased even if your company has decommissioned all of its Exchange servers. Your Active Directory schema was expanded as part of the Exchange Server installation, and any Exchange schema extensions are still present in your organization if you previously used Exchange Server (unless you completely rebuilt your Active Directory forest). As a result, you may be susceptible to CVE-2021-34470, and you should use the script to mitigate the risk.

Exchange Server is designed to work with the Active Directory structure. The Exchange schema extensions will stay in your schema even if Exchange Server is removed.

The script solely performs the modification required to fix CVE-2021-34470; no further changes to the schema are done. To check whether your Active Directory schema is susceptible to CVE-2021-34470, execute the script in Test mode. If you have already changed your schema, the script will verify that CVE-2021-34470 has been resolved.

Download the PowerShell script Test-CVE-2021-34470.

From the official Microsoft GitHub website, get the Test-CVE-2021-34470.ps1 PowerShell script.


On your Domain Controller or Management Server, save the script to the C:scripts folder. Make a scripts folder if you don’t already have one. To avoid any problems while executing the script, make sure the file is unblocked. The article Not digitally signed error while executing PowerShell script has additional information.


Examine the CVE-2021-34470 flaw.

PowerShell should be run as an administrator. Change to the C:scripts directory and execute the script to check for the CVE-2021-34470 flaw.

cd C:scripts PS C:> .Test-CVE-2021-34470.ps1 PS C:scripts

In the output, you’ll see one of the following messages:

  • WARNING: The CVE-2021-34470 vulnerability has been discovered.
  • There is no CVE-2021-34470 vulnerability.

You’re OK to go if the vulnerability isn’t present. If you receive a warning about the CVE-2021-34470 vulnerability, go on to the next step and apply the patch.

Apply the vulnerability patch for CVE-2021-34470.

The user account must be added to the Schema Admins group before using the -ApplyFix switch.

Note: If you’ve recently joined the Schema Admins group, you’ll need to log out and back in again for your new membership to take effect.


Run the script using the -ApplyFix switch this time.

.Test-CVE-2021-34470.ps1 -ApplyFix PS C:scripts>

When the fix is implemented correctly, the output will look like this.

.Test-CVE-2021-34470.ps1 -ApplyFix PS C:scripts> WARNING: The vulnerability CVE-2021-34470 exists. Attempting to apply the fix… The fix was successfully applied.

That concludes our discussion. Is this information useful in addressing the CVE-2021-34470 vulnerability?


We demonstrated how to fix the CVE-2021-34470 issue by updating the AD schema. If you previously had an Exchange Server, you must download and execute the Test-CVE-2021-34470.ps1 PowerShell script to deploy the patch. If your business uses Exchange Server, you’ve already fixed the issue by installing the most recent Cumulative Update and Security Update.

Did you find this article to be interesting? You may also be interested in checking the vulnerability of Microsoft Exchange Server. Don’t forget to subscribe to our newsletter and share this post.

Related Tags

  • kb5004778
  • domain controller