

how can I extend the Active Directory schema for ConfigMgr in Windows Server 2008


Active Directory Schema Extensions


Configuration Manager Active Directory schema extensions provide many benefits for Configuration Manager sites, but they are not required. If you have extended your Active Directory schema for SMS 2003, you should update your schema extensions for Configuration Manager 2007. If you have already extended your schema for Configuration Manager 2007, no additional schema extensions are required for Configuration Manager 2007 SP1. For more information about extending the Active Directory schema for Configuration Manager 2007, see How to Extend the Active Directory Schema for Configuration Manager.


This guide was prepared to help you set up SCCM in a lab environment. Before extending your Active Directory schema, make sure you have considered the implications of doing so: schema changes cannot be undone, so if something goes wrong during the procedure you will want a backup (including a System State backup of the schema master) already in place.


SCCM needs the Active Directory schema to be extended, so to do so we'll need to copy the EXTADSCH.EXE file from the SCCM DVD. This guide assumes you have installed Windows Server 2008 and configured it for Active Directory and DHCP. This guide also assumes you have access to your SCCM 2007 DVD (or ISO).


The Active Directory schema can be extended for Configuration Manager 2007 before or after running Configuration Manager 2007 Setup. However, to take advantage of publishing information to Active Directory Domain Services from the outset, extend the schema before beginning Configuration Manager 2007 Setup and allow sufficient time for the schema changes to replicate through the Active Directory forest.


Extending the schema is a little more involved than it looks. Updating the schema requires your account to be a member of the Schema Admins security group; even an Enterprise Administrator is not a Schema Admin by default. As Microsoft say:

The Active Directory schema can be extended for Configuration Manager 2007 by running the ExtADSch.exe utility or by using the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf LDIF file. Both the utility and the LDIF file are located in the SMSSETUP\BIN\i386 directory of the Configuration Manager 2007 installation files. Regardless of the method used to extend the schema, two conditions must be met:


* The Active Directory schema must allow updates. On domains running Windows Server 2003, the schema is enabled for updates by default. For domains running Windows 2000 Server, you must manually enable updates on the schema master for the Active Directory forest.


* The account used to update the schema must either be a member of the Schema Admins group or have been delegated sufficient permissions to modify the schema.


I decided to use the extADSch.exe method and located it on the SCCM 2007 DVD (F:\SMSSETUP\BIN\I386), but before doing so I wanted to make my Enterprise Administrator a member of the Schema Admins Group.


Adding the Enterprise Administrator Group account to the Schema Admins Group


To do this, start up Active Directory Users and Computers and select the Enterprise Admins group.




Double-click the group and select the Member Of tab.


[screenshot: member of.png]


Click Add, type Schema, press Check Names and then click OK.




Notice that the Schema Admins group is now listed in the Member Of tab.


[screenshot: schema admins.png]


Click OK when done. Now we can try running the extadsch.exe tool; we will run it from an elevated command prompt and redirect its output to a file so we can see whether there were any problems during the process. To open an elevated command prompt do as follows:-


Click on Start, right-click on the Command Prompt icon at the top of the Start menu and choose Run As Administrator.





Now we can run our command:


extadsch.exe > c:\output.txt



If everything went OK the output file will be pretty empty; otherwise it may contain errors. In addition you should see another log file in C:\ called ExtADSch.log.


Here is a sample of a successful schema extension:-


<08-22-2008 11:21:33> Modifying Active Directory Schema - with SMS extensions.
<08-22-2008 11:21:34> DS Root:CN=Schema,CN=Configuration,DC=w2k8,DC=windows-noob,DC=local
<08-22-2008 11:21:35> Defined attribute cn=MS-SMS-Site-Code.
<08-22-2008 11:21:35> Defined attribute cn=mS-SMS-Assignment-Site-Code.
<08-22-2008 11:21:35> Defined attribute cn=MS-SMS-Site-Boundaries.
<08-22-2008 11:21:35> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<08-22-2008 11:21:35> Defined attribute cn=MS-SMS-Default-MP.
<08-22-2008 11:21:35> Defined attribute cn=mS-SMS-Device-Management-Point.
<08-22-2008 11:21:35> Defined attribute cn=MS-SMS-MP-Name.
<08-22-2008 11:21:35> Defined attribute cn=MS-SMS-MP-Address.
<08-22-2008 11:21:35> Defined attribute cn=mS-SMS-Health-State.
<08-22-2008 11:21:35> Defined attribute cn=mS-SMS-Source-Forest.
<08-22-2008 11:21:35> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<08-22-2008 11:21:35> Defined attribute cn=MS-SMS-Ranged-IP-High.
<08-22-2008 11:21:35> Defined attribute cn=mS-SMS-Version.
<08-22-2008 11:21:35> Defined attribute cn=mS-SMS-Capabilities.
<08-22-2008 11:21:37> Defined class cn=MS-SMS-Management-Point.
<08-22-2008 11:21:37> Defined class cn=MS-SMS-Server-Locator-Point.
<08-22-2008 11:21:38> Defined class cn=MS-SMS-Site.
<08-22-2008 11:21:38> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<08-22-2008 11:21:38> Successfully extended the Active Directory schema.

<08-22-2008 11:21:38> Please refer to the SMS documentation for instructions on the manual
<08-22-2008 11:21:38> configuration of access rights in active directory which may still
<08-22-2008 11:21:38> need to be performed. (Although the AD schema has now be extended,
<08-22-2008 11:21:38> AD must be configured to allow each SMS Site security rights to
<08-22-2008 11:21:38> publish in each of their domains.)



That's it, you have now extended the Active Directory schema in Windows Server 2008.
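As an added example (not from the original post and not part of Microsoft's tooling), the PowerShell below checks the two conditions quoted above before you run extadsch.exe, and afterwards confirms that every attribute and class the log reports as "Defined" really exists on the schema master, cross-checked against the "Successfully extended" line in C:\ExtADSch.log. It assumes the ActiveDirectory PowerShell module (RSAT, Server 2008 R2 or later) is available and that the log was written to C:\ as described.

```powershell
# Added example: prerequisite check and post-run verification for the
# ConfigMgr 2007 schema extension. Not from the original post.
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$schemaNc     = $rootDse.schemaNamingContext      # CN=Schema,CN=Configuration,...
$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster              # only this DC accepts schema writes
Write-Host "Schema naming context : $schemaNc"
Write-Host "Schema master FSMO    : $schemaMaster"

# Condition: the account must be in Schema Admins. Membership is read from the
# logon token, so a user added to the group must log off and on again before
# this check (and extadsch.exe itself) will see it.
$schemaAdminsSid = (Get-ADGroup -Identity 'Schema Admins' -Server $forest.RootDomain).SID
$token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inGroup = [bool]($token.Groups | Where-Object { $_.Value -eq $schemaAdminsSid.Value })
Write-Host "Logon token contains Schema Admins: $inGroup"

# Result check: query the schema master directly (no replication lag) for each
# object the log shows as "Defined". LDAP cn matching is case-insensitive, so
# the mS-SMS-... spellings in the log match these names.
$expected = @(
  'MS-SMS-Site-Code','MS-SMS-Assignment-Site-Code','MS-SMS-Site-Boundaries',
  'MS-SMS-Roaming-Boundaries','MS-SMS-Default-MP','MS-SMS-Device-Management-Point',
  'MS-SMS-MP-Name','MS-SMS-MP-Address','MS-SMS-Health-State','MS-SMS-Source-Forest',
  'MS-SMS-Ranged-IP-Low','MS-SMS-Ranged-IP-High','MS-SMS-Version','MS-SMS-Capabilities',
  'MS-SMS-Management-Point','MS-SMS-Server-Locator-Point','MS-SMS-Site',
  'MS-SMS-Roaming-Boundary-Range'
)
$missing = @()
foreach ($cn in $expected) {
  $obj = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc -LDAPFilter "(cn=$cn)"
  if ($obj) { Write-Host ("  OK      {0,-16} {1}" -f $obj.ObjectClass, $cn) }
  else      { Write-Host "  MISSING $cn"; $missing += $cn }
}

# Cross-check with the success line the post's sample log ends with.
$logOk = $false
if (Test-Path 'C:\ExtADSch.log') {
  $logOk = [bool](Select-String -Path 'C:\ExtADSch.log' -Pattern 'Successfully extended' -Quiet)
}
if ($logOk -and $missing.Count -eq 0) { Write-Host 'Schema extension verified.' }
else { Write-Warning ("Check ExtADSch.log; missing objects: {0}" -f ($missing -join ', ')) }
```

Run the first half before extadsch.exe (it only reads) and the whole script afterwards; a MISSING line on another DC but not on the schema master simply means replication has not completed yet.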


Now that you have extended the schema you should give the Primary SCCM server (and Management Point) permissions on the System Management container in AD.
