In the Install Configuration Manager Database article we started building a fully functional SCCM lab by installing the SQL database. As a second step, I will illustrate how to perform the SCCM Active Directory Schema extension before deploying ConfigMgr.
SCCM Active Directory Schema – Why should I extend?
When I was a full-time teacher, one of the questions I received most often was “Why should I extend the Active Directory Schema with SCCM classes?” The short answer is that ConfigMgr can publish site information to Active Directory, but this is only possible if the Schema has been extended.
A more detailed and appropriate answer is that the SCCM Active Directory Schema extension is necessary for some features to work correctly. Here’s a partial list:
- Global Client Roaming
- Automatic Client Site Assignment via AD
- Network Access Protection
The list is not complete, but suffice it to say that extending the AD schema for ConfigMgr will make your life easier in many respects.
SCCM Active Directory Schema – Process Overview
Having SCCM extend the Active Directory Schema is only part of the equation, as multiple actions are required. Let’s break this down into steps:
- SCCM Active Directory Schema Extension
- Creation of the System Management Container in Active Directory
- Set Security Permissions on the System Management Container
- Enable Active Directory publishing for ConfigMgr Site
Note: The last step is not shown in this article because it is performed within the ConfigMgr console.
SCCM Active Directory Schema – Extension
The SCCM Active Directory Schema extension can be performed either by running the ExtADSch.exe utility contained in the SCCM media or by manually importing the ConfigMgr_ad_schema.ldf file. In this article I will be using the ExtADSch.exe method.
Download and extract the SCCM setup files to a convenient location, navigate to the folder containing the ExtADSch.exe utility, and run it:
    cd D:\SMSSETUP\BIN\X64
    PS D:\SMSSETUP\BIN\X64> .\extadsch.exe
    Microsoft System Center 2012 Configuration Manager v5.00 (Build 7958)
    Copyright (C) 2011 Microsoft Corp.

    Successfully extended the Active Directory schema.

    Please refer to the ConfigMgr documentation for instructions on the manual
    configuration of access rights in active directory which may still
    need to be performed. (Although the AD schema has now be extended,
    AD must be configured to allow each ConfigMgr Site security rights to
    publish in each of their domains.)
The utility creates a log file named ExtADSch.log in the root of the C drive that you can review for errors or simply to check which changes have been made. Here’s the file that was created on my lab server:
    <07-08-2015 17:16:13> Modifying Active Directory Schema - with SMS extensions.
    <07-08-2015 17:16:13> DS Root:CN=Schema,CN=Configuration,DC=mcse,DC=lab
    <07-08-2015 17:16:14> Defined attribute cn=MS-SMS-Site-Code.
    <07-08-2015 17:16:14> Defined attribute cn=mS-SMS-Assignment-Site-Code.
    <07-08-2015 17:16:14> Defined attribute cn=MS-SMS-Site-Boundaries.
    <07-08-2015 17:16:14> Defined attribute cn=MS-SMS-Roaming-Boundaries.
    <07-08-2015 17:16:14> Defined attribute cn=MS-SMS-Default-MP.
    <07-08-2015 17:16:14> Defined attribute cn=mS-SMS-Device-Management-Point.
    <07-08-2015 17:16:14> Defined attribute cn=MS-SMS-MP-Name.
    <07-08-2015 17:16:14> Defined attribute cn=MS-SMS-MP-Address.
    <07-08-2015 17:16:14> Defined attribute cn=mS-SMS-Health-State.
    <07-08-2015 17:16:14> Defined attribute cn=mS-SMS-Source-Forest.
    <07-08-2015 17:16:14> Defined attribute cn=MS-SMS-Ranged-IP-Low.
    <07-08-2015 17:16:14> Defined attribute cn=MS-SMS-Ranged-IP-High.
    <07-08-2015 17:16:15> Defined attribute cn=mS-SMS-Version.
    <07-08-2015 17:16:15> Defined attribute cn=mS-SMS-Capabilities.
    <07-08-2015 17:16:15> Defined class cn=MS-SMS-Management-Point.
    <07-08-2015 17:16:15> Defined class cn=MS-SMS-Server-Locator-Point.
    <07-08-2015 17:16:15> Defined class cn=MS-SMS-Site.
    <07-08-2015 17:16:15> Defined class cn=MS-SMS-Roaming-Boundary-Range.
    <07-08-2015 17:16:16> Successfully extended the Active Directory schema.
    <07-08-2015 17:16:16> Please refer to the ConfigMgr documentation for instructions on the manual
    <07-08-2015 17:16:16> configuration of access rights in active directory which may still
    <07-08-2015 17:16:16> need to be performed. (Although the AD schema has now be extended,
    <07-08-2015 17:16:16> AD must be configured to allow each ConfigMgr Site security rights to
    <07-08-2015 17:16:16> publish in each of their domains.)
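The log only records what the tool reported at run time. The following added example (not part of the original article or the SCCM media) queries the schema partition directly for the attributes and classes listed in the log, which also tells you whether a schema was already extended by an earlier SCCM release. It assumes the ActiveDirectory PowerShell module is installed; `Test-SmsSchemaExtension` is a hypothetical helper name.

```powershell
# Added example, not part of the SCCM media. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Names copied from the ExtADSch.log shown above.
$expected = @{
    attributeSchema = @(
        'MS-SMS-Site-Code', 'mS-SMS-Assignment-Site-Code', 'MS-SMS-Site-Boundaries',
        'MS-SMS-Roaming-Boundaries', 'MS-SMS-Default-MP', 'mS-SMS-Device-Management-Point',
        'MS-SMS-MP-Name', 'MS-SMS-MP-Address', 'mS-SMS-Health-State', 'mS-SMS-Source-Forest',
        'MS-SMS-Ranged-IP-Low', 'MS-SMS-Ranged-IP-High', 'mS-SMS-Version', 'mS-SMS-Capabilities'
    )
    classSchema = @(
        'MS-SMS-Management-Point', 'MS-SMS-Server-Locator-Point',
        'MS-SMS-Site', 'MS-SMS-Roaming-Boundary-Range'
    )
}

# Test-SmsSchemaExtension is a hypothetical helper name.
function Test-SmsSchemaExtension {
    param([Parameter(Mandatory)][hashtable]$Expected)

    # Schema partition DN, e.g. CN=Schema,CN=Configuration,DC=mcse,DC=lab
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # cn matching is case-insensitive, so this also returns the mS-SMS-* objects.
    $found = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=MS-SMS-*)')

    foreach ($type in $Expected.Keys) {
        $present = @($found | Where-Object { $_.ObjectClass -eq $type } |
                     ForEach-Object { $_.Name })
        foreach ($name in $Expected[$type]) {
            [pscustomobject]@{
                Name    = $name
                Type    = $type
                Present = $present -contains $name   # -contains ignores case
            }
        }
    }
}

$report = @(Test-SmsSchemaExtension -Expected $expected)
$report | Sort-Object Type, Name | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -eq 0) { 'Schema already contains all ConfigMgr objects.' }
else { Write-Warning "$($missing.Count) ConfigMgr schema objects are missing." }
```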
SCCM Active Directory Schema – Create System Management Container
Once the AD Schema has been extended, it is necessary to manually create the System Management container that ConfigMgr will use to publish information. To do so, open ADSIEdit and connect to the default naming context, navigate to the System container, right-click it and select New → Object → Container, then enter System Management as the Value.
SCCM Active Directory Schema – Set Permissions
Once the System Management container has been created, it is necessary to manually grant Full Control permissions to the ConfigMgr computer account so that it can write information within the container. To do so, right-click the System Management container → Properties → Security tab → Add.
Once you have added the ConfigMgr computer account and assigned it Full Control permissions, click the Advanced button, select the permission entry for the ConfigMgr account, and click Edit → Applies to → This object and all descendant objects.
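The two manual steps above (container creation and permissions) can also be scripted. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module and uses `CM01` as a placeholder for the ConfigMgr site server's computer name. It ends by listing the explicit permission entries on the container so you can confirm that only the intended account was granted access.

```powershell
# Added example, not from the original article. Needs the ActiveDirectory module
# and rights to create objects and change permissions under CN=System.
Import-Module ActiveDirectory

$siteServer = 'CM01'   # assumption: placeholder for the ConfigMgr site server name

$systemDN    = "CN=System,$((Get-ADDomain).DistinguishedName)"
$containerDN = "CN=System Management,$systemDN"

# Step 1: create the System Management container only if it does not exist yet.
$existing = Get-ADObject -SearchBase $systemDN -SearchScope OneLevel `
                         -LDAPFilter '(&(objectClass=container)(cn=System Management))'
if (-not $existing) {
    New-ADObject -Type container -Name 'System Management' -Path $systemDN
}

# Step 2: Full Control (GenericAll) for the site server computer account.
# Inheritance "All" corresponds to "This object and all descendant objects".
$sid  = (Get-ADComputer -Identity $siteServer).SID
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$acl = Get-Acl -Path "AD:\$containerDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# Check: show the explicit (non-inherited) entries now present on the container.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize
```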
Once permissions have been set accordingly, ConfigMgr will be able to publish information to Active Directory. As I already wrote, this is done directly in the ConfigMgr console and I will illustrate it in another article.
Having the SCCM Active Directory Schema extension in place is not a prerequisite for ConfigMgr installation; as a matter of fact, you can extend the schema at any time after installation if you decide to.
It should also be noted that if the Schema in your environment has already been extended for SCCM 2007 or even SCCM 2012, there is no need to re-extend it, as there have been no updates since the previous releases.