My colleague Chris Nackers recently posted an excellent Step by Step Guide for Extending Active Directory Schema for System Center Configuration Manager.
Here’s some additional information about preparing for the process.
The AD schema can be extended before ConfigMgr is installed, at the same time as the first site server is installed, or even later (although this causes more work and is not recommended). The actual changes should take less than 30 minutes and can be done during business hours. Even though problems are rare, you should schedule the work so that you have a window of time for troubleshooting before any critical business processes need to begin. Don’t schedule this for the busiest day of the month or quarter, just in case.
Here are the steps involved:
- Submit the request for the change management process, get approval.
- Verify that all domain controllers in all domains are online; check event logs for any warnings or errors related to AD, DNS or network connectivity.
- Verify AD replication is functioning; resolve any warnings or errors (using tools like dcdiag, netdiag, repadmin, replmon).
- Verify the schema has never been extended for SMS 2003. If there is doubt, use ADSIEdit.msc to look for the ‘mSSMSVersion’ attribute (if it has, some additional minor steps might be necessary).
- Locate the ConfigMgr 2007 install source (I recommend the latest version, which includes Service Pack 2 integrated, but the latest version is not required; any version should work fine).
- Log on to the domain controller that holds the schema master role for the forest, using an account that is a member of the Schema Admins group.
- Extend the Active Directory schema using one of two options:
  - A) Use the ldifde.exe tool to import the "ConfigMgr_ad_schema.ldf" file (this method requires more steps, but gives more transparency into the process).
  - B) Use the included utility ExtADSch.exe (recommended):
    - Create a backup of the schema master domain controller’s system state using a backup utility that is Active Directory aware.
    - Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group (do not use Run As).
    - Disconnect the schema master domain controller from the network.
    - Run extadsch.exe, located at \SMSSETUP\BIN\I386 on the ConfigMgr installation media or ISO. This will add the new classes and attributes to the Active Directory schema. (see Chris Nackers’ blog for a step-by-step guide)
    - Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive.
    - If the schema extension procedure was successful, reconnect the schema master domain controller to the network and allow it to replicate the schema extensions to the global catalog servers throughout the Active Directory forest.
    - If the schema extension procedure was unsuccessful, restore the schema master’s previous system state from the backup created in step 1. This will reverse the schema extension actions before reconnecting the schema master domain controller to the network.
- Create the System Management container in AD:
  - Log on as a domain admin for the domain that will hold the ConfigMgr site.
  - Launch the AD Users & Computers snap-in and connect to the domain that will hold the ConfigMgr site server.
  - From the View menu, enable the Advanced Features and then locate the ‘System’ container in the root.
  - Under the ‘System’ container, create a new container named ‘System Management’ (note the name is not plural – System not Systems – and don’t include the quotes).
- Set security permissions on the System Management container:
  - If the ConfigMgr site server has been joined to the domain, you can set permissions on this new container. If the server has not been joined to the domain, these steps can be done later.
  - If you plan to have more than one site server, those servers can be added to a global group and the group can be used in place of the computer accounts.
  - Edit the Properties of the new System Management container, open the Security tab.
  - Add the ConfigMgr site server computer account(s) (or a group that the site servers are members of) and grant the account Full Control permissions.
  - Under Advanced, select the site server’s computer account (or a group that the servers are members of), and then click Edit.
  - In the Apply onto list, select ‘This object and all child objects’.
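
The container and permission steps above can also be scripted. The following is an added example, not part of the original post or of the ConfigMgr media: it uses ADSI from Windows PowerShell, assumes it is run as a domain admin on a domain-joined machine, and takes a hypothetical `$SiteServerAccount` parameter (the site server computer account or a group of site servers). It finishes by reading the ACL back so the delegation can be reviewed.

```powershell
# Added example: create CN=System Management and delegate it to the site server.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteServerAccount   # assumption, e.g. 'CONTOSO\CM01$' (constructed sample value)
)

$ErrorActionPreference = 'Stop'

# Locate CN=System in the current domain via RootDSE.
$domainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$system   = [ADSI]"LDAP://CN=System,$domainDN"
$path     = "LDAP://CN=System Management,CN=System,$domainDN"

# Create the container only if it is missing (the name is singular: System Management).
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    $new = $system.Create('container', 'CN=System Management')
    $new.SetInfo()
}
$container = [ADSI]$path

# Resolve the account name to a SID; this fails early if the name is wrong.
$account = New-Object System.Security.Principal.NTAccount($SiteServerAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Full Control, applied onto "This object and all child objects".
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$container.psbase.ObjectSecurity.AddAccessRule($rule)
$container.psbase.CommitChanges()

# Read the ACL back: list the explicit (non-inherited) allow ACEs for review.
$container.psbase.RefreshCache()
$container.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

In the output, the site server entry should show `GenericAll` with `InheritanceType` `All`; any other explicit Full Control entries on this container are worth questioning.
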
Related documentation:
- How to Extend the Active Directory Schema for Configuration Manager (Overview)
- How to Extend the Active Directory Schema Using an LDIF File
- How to Extend the Active Directory Schema Using ExtADSch.exe

The Configuration Manager 2007 R3 feature release does not introduce changes to Active Directory schema extension requirements. You do not have to re-extend the Active Directory schema for Configuration Manager 2007 R3 if it has already been extended for Configuration Manager 2007.