How to Extend the Active Directory Schema for SCCM 2007

This post covers how to prepare the Active Directory 2008 schema for the installation of System Center Configuration Manager 2007.

Extending the Active Directory schema is a forest-wide action and needs to be done only once per forest. The change is irreversible: classes and attributes added to the schema can later be deactivated, but never removed. It must be performed by a member of the Schema Admins group, or by an account that has been delegated permission to modify the schema, and the domain controller holding the Schema Master role must be reachable when you run it. If you choose to extend the schema, you can do it before or after Configuration Manager setup.

Some Configuration Manager 2007 features depend on the schema extension, for example Network Access Protection in Configuration Manager and global roaming. For other features that normally rely on Active Directory publishing, such as clients locating their site and management point, there are documented workarounds (publishing to WINS or using a server locator point), so extending the schema is recommended but not strictly required.

Note: Before you proceed any further, make sure that:

1. The account you are using for this part is a member of the Schema Admins group in Active Directory (group membership only takes effect at the next logon).
2. You have a recent, verified system state backup of your domain controllers. Because the schema extension cannot be undone, this backup is the only way back.

Four actions need to be taken in order to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
Step 1: Extend the Active Directory schema.
Step 2: Create the System Management container.
Step 3: Set security permissions on the System Management container.
Step 4: Add the Site Server to the Administrators Security Group.

The Active Directory schema can be extended for Configuration Manager 2007 by running the ExtADSch.exe utility or by using the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf LDIF file. Both the utility and the LDIF file are located in the SMSSETUP\BIN\i386 directory of the Configuration Manager 2007 installation files.

Step 1: Extend the Active Directory schema.

Note: There is no x64 build of extadsch.exe. Use the 32-bit version in SMSSETUP\BIN\I386 shown below; it also runs on 64-bit Windows.

The screenshot below shows the contents of the SCCM 2007 installation media copied to disk.


Run extadsch.exe, located at \SMSSETUP\BIN\I386 on the installation media, to add the new classes and attributes to the Active Directory schema.

The console window appears for a few seconds and closes automatically; nothing is shown on screen. The details are written to a log file, described next.

Verify that the schema extension was successful by reviewing ExtADSch.log, which is written to the root of the system drive (for example C:\ExtADSch.log). A successful run ends with "Successfully extended the Active Directory schema.", as in the output below.

====== ExtADSch.log output ======
<12-27-2009 13:32:00> Modifying Active Directory Schema - with SMS extensions.
<12-27-2009 13:32:01> DS Root:CN=Schema,CN=Configuration,DC=pilot,DC=local
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Site-Code.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Assignment-Site-Code.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Site-Boundaries.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Default-MP.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Device-Management-Point.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-MP-Name.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-MP-Address.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Health-State.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Source-Forest.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Ranged-IP-High.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Version.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Capabilities.
<12-27-2009 13:32:03> Defined class cn=MS-SMS-Management-Point.
<12-27-2009 13:32:03> Defined class cn=MS-SMS-Server-Locator-Point.
<12-27-2009 13:32:03> Defined class cn=MS-SMS-Site.
<12-27-2009 13:32:03> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<12-27-2009 13:32:03> Successfully extended the Active Directory schema.

<12-27-2009 13:32:03> Please refer to the SMS documentation for instructions on the manual
<12-27-2009 13:32:03> configuration of access rights in active directory which may still
<12-27-2009 13:32:03> need to be performed. (Although the AD schema has now be extended,
<12-27-2009 13:32:03> AD must be configured to allow each SMS Site security rights to
<12-27-2009 13:32:03> publish in each of their domains.)
====== End of ExtADSch.log output ======
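As an added example (not part of the original post or of the Configuration Manager media), the PowerShell below does the pre-flight checks from the note above (Schema Master location, Schema Admins membership) and then verifies the result by looking up every attribute and class that ExtADSch.log reports as "Defined". It also prepares the LDIF file for the ldifde alternative mentioned earlier: the shipped ConfigMgr_ad_schema.ldf uses the placeholder DC=x, which has to be replaced with the forest root DN before import. The media path D:\SMSSETUP\BIN\I386 is an assumption; everything else is read from RootDSE. It uses only ADSI/.NET, so it runs on Windows Server 2008 without the ActiveDirectory module.

```powershell
# Added example, not from the original post or the Configuration Manager media.
# Pre-flight checks and post-run verification for the SCCM 2007 schema extension.
# Assumption: the installation media is copied to D:\ (see $mediaBin below).

$rootDse   = [ADSI]"LDAP://RootDSE"
$schemaNc  = $rootDse.schemaNamingContext.Value       # CN=Schema,CN=Configuration,DC=pilot,DC=local
$rootDomNc = $rootDse.rootDomainNamingContext.Value   # DC=pilot,DC=local

# --- 1. Which DC holds the Schema Master role? The extension is written there,
#        so that DC must be online and reachable from where ExtADSch.exe runs.
$schema = [ADSI]"LDAP://$schemaNc"
Write-Host "Schema master (NTDS Settings DN): $($schema.fSMORoleOwner.Value)"

# --- 2. Does the current logon token contain Schema Admins? Membership granted
#        after logon is not in the token, so log off and on again if this warns.
$groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}
if (-not ($groups -like '*\Schema Admins')) {
    Write-Warning 'Current token does not include Schema Admins; the extension will fail.'
}

# --- 3. Alternative to ExtADSch.exe: ldifde with ConfigMgr_ad_schema.ldf. The
#        shipped file uses the placeholder DC=x, which must be replaced with the
#        forest root DN before import. $mediaBin is an assumed path.
$mediaBin = 'D:\SMSSETUP\BIN\I386'
$ldf      = Join-Path $mediaBin 'ConfigMgr_ad_schema.ldf'
$prepared = Join-Path $env:TEMP 'ConfigMgr_ad_schema.ldf'
if (Test-Path $ldf) {
    (Get-Content $ldf) -replace 'DC=x\b', $rootDomNc | Set-Content $prepared
    Write-Host "Prepared LDIF written to $prepared"
    Write-Host "Import with: ldifde -i -f `"$prepared`" -v -j `"$env:TEMP`""
}

# --- 4. Verify: every attribute and class that ExtADSch.log reports as "Defined"
#        must now exist as an attributeSchema / classSchema object in the schema NC.
$expectedAttributes = @(
    'MS-SMS-Site-Code', 'mS-SMS-Assignment-Site-Code', 'MS-SMS-Site-Boundaries',
    'MS-SMS-Roaming-Boundaries', 'MS-SMS-Default-MP', 'mS-SMS-Device-Management-Point',
    'MS-SMS-MP-Name', 'MS-SMS-MP-Address', 'mS-SMS-Health-State', 'mS-SMS-Source-Forest',
    'MS-SMS-Ranged-IP-Low', 'MS-SMS-Ranged-IP-High', 'mS-SMS-Version', 'mS-SMS-Capabilities'
)
$expectedClasses = @(
    'MS-SMS-Management-Point', 'MS-SMS-Server-Locator-Point', 'MS-SMS-Site',
    'MS-SMS-Roaming-Boundary-Range'
)

function Test-SchemaObject([string]$Cn, [string]$ObjectClass) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$schemaNc"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = "(&(objectClass=$ObjectClass)(cn=$Cn))"   # cn matching is case-insensitive
    return ($searcher.FindOne() -ne $null)
}

$missing = @()
foreach ($a in $expectedAttributes) {
    if (-not (Test-SchemaObject $a 'attributeSchema')) { $missing += "attribute $a" }
}
foreach ($c in $expectedClasses) {
    if (-not (Test-SchemaObject $c 'classSchema')) { $missing += "class $c" }
}
if ($missing.Count -gt 0) {
    Write-Warning ("Schema extension incomplete or not yet replicated: " + ($missing -join ', '))
} else {
    Write-Host "All 14 SMS attributes and 4 SMS classes are present in $schemaNc"
}
```

The verification binds serverlessly, so it talks to whichever domain controller the locator returns. Immediately after the extension only the Schema Master has the new objects; if the script warns about missing entries right away, either wait for replication or run it on the Schema Master itself. Run the prepared LDIF import only if you did not already run extadsch.exe; both apply the same definitions and the second attempt simply reports that the objects already exist.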

Step 2: Create the System Management container.

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container needs to be created once for each domain that includes a Configuration Manager site server that will publish site information to Active Directory Domain Services.

NOTE: The System container belongs to each domain's own naming context and is not replicated to other domains in the forest, so a System Management container must be created in every domain that hosts a Configuration Manager site server.

1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.
2. Open the ADSIEdit MMC console, and connect to the domain in which the site server resides.
3. In the console pane, expand Domain [computer fully qualified domain name], expand the domain's distinguished name node (DC=pilot,DC=local in this lab), and right-click CN=System. On the context menu, click New and then click Object.


4. In the Create Object dialog box, select Container and click Next.


5. In the Value field, type System Management and click Next.

6. Click Finish.

7. The System Management container has now been created under CN=System.

Step 3: Set security permissions on the System Management container.

1. Open the Active Directory Users and Computers administrative tool.

2. Click View, and then click Advanced Features. Expand the System container, right-click System Management, and on the context menu click Properties.

3. In the System Management Properties dialog box, click the Security tab.

4. Click Add. Click Object Types and select Computers so that a computer account can be resolved, then enter the site server's computer account (PILOT-SCCM-01 in this lab) and grant it Full Control permissions.

5. Click Advanced, select the site server's computer account, and click Edit.

6. In the Apply onto list, select This object and all descendant objects, and click OK.

7. Confirm that the settings are displayed as configured in the previous steps.

Full Control on System Management is what Configuration Manager requires in order to create and update its site objects; the permission is scoped to this container and its descendants and does not extend to the parent System container. Do not grant it to any additional accounts: anything that can write here can alter the site information that clients use to find their management point and site assignment.
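As an added example (not part of the original post), the PowerShell below performs Steps 2 and 3 together: it creates the System Management container if it does not already exist and adds one access rule for the site server's computer account, Full Control (GenericAll) applied to this object and all descendant objects, then reads the DACL back so the result can be checked against the screenshots. The NetBIOS domain name PILOT is an assumption (the post only shows pilot.local); the site server name PILOT-SCCM-01 is the one used in the post. It needs a logon with Create All Child Objects on CN=System and uses only ADSI/.NET.

```powershell
# Added example, not from the original post: create CN=System Management and
# grant the site server computer account Full Control on it and its descendants.
# Assumptions: NetBIOS domain 'PILOT' (not shown in the post), site server
# 'PILOT-SCCM-01' (from the post), current logon can create children of CN=System.

$netbiosDomain = 'PILOT'           # assumed
$siteServer    = 'PILOT-SCCM-01'   # from the post; the computer account is PILOT-SCCM-01$

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = $rootDse.defaultNamingContext.Value        # DC=pilot,DC=local
$systemDn = "CN=System,$domainNc"
$smDn     = "CN=System Management,$systemDn"

# --- Step 2: create the container only if it is not already there (idempotent).
if ([ADSI]::Exists("LDAP://$smDn")) {
    Write-Host "$smDn already exists; leaving it in place."
    $container = [ADSI]"LDAP://$smDn"
} else {
    $system    = [ADSI]"LDAP://$systemDn"
    $container = $system.psbase.Children.Add('CN=System Management', 'container')
    $container.psbase.CommitChanges()
    Write-Host "Created $smDn"
}

# --- Step 3: resolve the computer account to a SID and add a single ACE:
#     GenericAll (Full Control), Allow, inheritance 'All', which is the
#     "This object and all descendant objects" choice in the ADUC dialog.
#     The ACE lives on System Management only; CN=System is not modified.
$account = New-Object System.Security.Principal.NTAccount -ArgumentList "$netbiosDomain\$siteServer`$"
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl = $container.psbase.ObjectSecurity
$acl.AddAccessRule($rule)          # merges with an existing identical ACE rather than duplicating it
$container.psbase.CommitChanges()

# --- Verify: show the ACEs on the container that apply to this SID. Expect one
#     Allow / GenericAll / All entry. Review the rest of the DACL as well: any
#     other principal with GenericAll here can tamper with published site data.
$container.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Using the SID rather than the account name in the rule means the ACE keeps working if the site server is ever renamed, and the read-back at the end is the scripted equivalent of step 7 above. If the site server is later decommissioned, remove the ACE; it is not cleaned up automatically.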

Step 4: Add the Site Server to the Administrators Security Group.

The site server's computer account needs local administrative rights on every computer that will host a site system role, because it installs and services the site system components over the network. When all computers are in the same forest, add the site server computer account to the local Administrators group on each site system computer before you configure that computer as a site system.

The steps below, as performed in the lab screenshots, add the account to the domain's Builtin\Administrators group instead. Be clear about what that grants: Builtin\Administrators is the Administrators group of every domain controller in the domain, so the site server becomes an administrator of your domain controllers, which is far more than Configuration Manager requires. In production, grant membership in the local Administrators group of each site system (through Computer Management or Group Policy Restricted Groups) and keep the procedure below for a lab such as pilot.local.

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, go to pilot.local/Builtin.
3. In the details pane, right-click Administrators, and then click Properties.
4. In the Administrators Properties dialog box, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, in Object types, select Computers, and then click OK.
7. In the Select Users, Contacts, Computers, or Groups dialog box, in Enter the object names to select, type PILOT-SCCM-01. Click Check Names, and then click OK.
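As an added example (not part of the original post), the PowerShell below grants the site server computer account membership in the local Administrators group of each site system, which is the right that Step 4 actually calls for, rather than in the domain's Builtin\Administrators group. It uses the ADSI WinNT provider, so it works against Windows Server 2003/2008 members without remoting and is idempotent. The NetBIOS domain PILOT and the two site system names are assumptions (the site systems are constructed for the example); PILOT-SCCM-01 is the site server from the post.

```powershell
# Added example, not from the original post: add the site server computer account
# to the local Administrators group on each site system and verify membership.
# Assumptions: NetBIOS domain 'PILOT', site server 'PILOT-SCCM-01' (from the post),
# and a constructed list of site system hostnames. Run as a local admin of each target.

$netbiosDomain = 'PILOT'                          # assumed
$siteServer    = 'PILOT-SCCM-01'                  # from the post
$siteSystems   = @('PILOT-DP-01', 'PILOT-MP-01')  # constructed example hostnames

# WinNT ADsPath of the domain computer account; the WinNT provider needs the
# NetBIOS domain, not the DNS name, and the trailing '$' of the computer account.
$memberPath = "WinNT://$netbiosDomain/$siteServer`$"

foreach ($computer in $siteSystems) {
    $group = [ADSI]"WinNT://$computer/Administrators,group"

    # Enumerate current members by ADsPath so the change can be skipped if done.
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })

    if ($members -contains $memberPath) {
        Write-Host "$computer : $siteServer`$ is already a local Administrator"
        continue
    }

    try {
        $group.Add($memberPath)
        Write-Host "$computer : added $siteServer`$ to local Administrators"
    } catch {
        Write-Warning "$computer : failed to add $siteServer`$ - $($_.Exception.Message)"
    }
}
```

Because the grant is per machine, the site server's reach is limited to the computers that actually host site system roles, and removing a role later is a matter of removing one local group member on that machine. Run the script before you add each computer as a site system in the Configuration Manager console, as the original step requires.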
