Extending the Active Directory schema is a forest-wide action and must only be done once per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or by someone who has been delegated sufficient permissions to modify the schema. If you choose to extend the Active Directory schema, it may be done before or after setup.
While some Configuration Manager features are dependent on extending the schema, such as Network Access Protection in Configuration Manager and global roaming, there may be workarounds for not extending the schema to enable other Configuration Manager features. For more information about the affected features, and the workarounds for not extending the Active Directory schema for Configuration Manager 2007, see Decide If You Should Extend the Active Directory Schema.
Four actions need to be taken in order to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
- Extend the Active Directory schema.
- Create the System Management container.
- Set security permissions on the System Management container.
- Enable Active Directory publishing for the Configuration Manager site.
When extending the schema for Configuration Manager, several classes and attributes are added that any Configuration Manager site in the Active Directory forest can use. Because the global catalog is replicated throughout the forest, you must consider the network traffic that might be generated as a result. In Windows 2000 forests, extending the schema causes a full synchronization of the entire global catalog. For Windows 2003 forests, only the newly added attributes are replicated. You should plan to extend the schema during a time when the replication traffic will not adversely affect other network-dependent processes.
The Active Directory schema can be extended for Configuration Manager 2007 by running the ExtADSch.exe utility or by using the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf LDIF file. Both the utility and the LDIF file are located in the SMSSETUP\BIN\i386 directory of the Configuration Manager 2007 installation files. Regardless of the method used to extend the schema, two conditions must be met:
- The Active Directory schema must allow updates. On domains running Windows Server 2003, the schema is enabled for updates by default. For domains running Windows 2000 Server, you must manually enable updates on the schema master for the Active Directory forest.
- The account used to update the schema must either be a member of the Schema Admins group or have been delegated sufficient permissions to modify the schema.
Note: It is recommended to use the ConfigMgr_ad_schema.ldf LDIF file to extend the Active Directory schema for Configuration Manager 2007. Using an LDIF file to extend the Active Directory schema instead of the ExtADSch.exe utility provides greater transparency about the changes being made to the Active Directory schema and also makes it easier to diagnose any problems encountered during the schema extension process.
See the following tasks for more information about extending the schema:
How to Extend the Active Directory Schema Using an LDIF File
How to Extend the Active Directory Schema Using ExtADSch.exe
How to Enable Schema Modifications for a Windows 2000 Server Domain
After the schema has been extended with the classes and attributes required for Configuration Manager, you must create the System Management container within the System container in the site server's domain partition in Active Directory Domain Services.
Because domain controllers do not replicate their System Management container to other domains in the forest, a System Management container must be created for each domain that hosts a Configuration Manager site.
Although each domain maintains its own System Management container in the domain partition, the Configuration Manager information is published to the global catalog for the forest. This makes the information for each site publishing to Active Directory available to every client in the forest regardless of domain membership. This is another reason that overlapping site boundaries are not recommended. See the following task for creating the System Management container:
How to Create the System Management Container in Active Directory Domain Services
After creating the System Management container, the primary site server’s computer account must be granted full control to the System Management container, and all of its child objects, in order to successfully publish information. See the following task for more information about setting security on the System Management container:
How to Set Security on the System Management Container in Active Directory Domain Services
When Configuration Manager site information is published to Active Directory Domain Services, Configuration Manager clients can automatically detect server locator points and management points without generating Windows Internet Name Service (WINS) traffic. If Configuration Manager site information is not published to Active Directory Domain Services, you must manually add Configuration Manager site role information in WINS. For more information about publishing Configuration Manager information to Active Directory Domain Services, see the following tasks:
How to Publish Configuration Manager Site Information to Active Directory Domain Services
How to Verify Site Information is Published to Active Directory Domain Services
How to Stop Publishing Site Information to Active Directory Domain Services
How to Manually Add Configuration Manager Site Information to WINS
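The four actions above, as an added PowerShell example that is not part of this page or of the Configuration Manager product: it checks whether the forest schema is already extended before importing the LDIF (the extension is irreversible), creates the System Management container in the current domain, grants the site server's computer account Full Control on the container and its descendants, and queries the published site objects. It assumes the RSAT ActiveDirectory module, an account in Schema Admins and Domain Admins, and constructed placeholder values for the site server name, media path and log directory.

```powershell
# Added example, not code from the page: idempotent PowerShell for the first three steps
# plus a check for step four. Assumes the RSAT ActiveDirectory module, an account in
# Schema Admins (for ldifde) and Domain Admins, and constructed placeholder names.
Import-Module ActiveDirectory
$SiteServer = 'CM07SITE01'                                    # constructed: primary site server name
$LdfPath    = 'D:\SMSSETUP\BIN\i386\ConfigMgr_ad_schema.ldf'  # assumed drive for the installation files
$LogDir     = 'C:\Temp\SchemaExt'                             # ldifde writes ldif.log / ldif.err here

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainNC = $rootDse.defaultNamingContext

# 1. Extend the schema, once per forest. Look for a class the LDIF adds (MS-SMS-Site)
#    before importing, because the change is forest-wide and cannot be undone.
if (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=MS-SMS-Site)') {
    Write-Host 'Schema already extended; skipping ldifde import.'
} else {
    $forest   = Get-ADForest
    $forestDN = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    # Target the schema master; -c rewrites the file's DC=x placeholder to the forest root DN.
    ldifde -i -f $LdfPath -s $forest.SchemaMaster -c 'DC=x' $forestDN -v -j $LogDir
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed; see $LogDir\ldif.err" }
}

# 2. Create the System Management container in this domain (one per domain that hosts a site).
$systemDN = "CN=System,$domainNC"
$smDN     = "CN=System Management,$systemDN"
if (-not (Get-ADObject -SearchBase $systemDN -SearchScope OneLevel -LDAPFilter '(cn=System Management)')) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# 3. Grant the site server's computer account (only that account, not a group) Full Control
#    on the container and all descendant objects (ActiveDirectorySecurityInheritance::All).
$sid  = (Get-ADComputer -Identity $SiteServer).SID
$acl  = Get-Acl -Path "AD:\$smDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$smDN" -AclObject $acl

# 4. Publishing is switched on in the site console; verify afterwards that site objects appeared.
#    mSSMSSite and mSSMSSiteCode are names defined by the schema extension.
Get-ADObject -SearchBase $smDN -LDAPFilter '(objectClass=mSSMSSite)' -Properties mSSMSSiteCode |
    Select-Object Name, mSSMSSiteCode
```

Run the script on each domain that hosts a site; only the schema import step is skipped on the second and later runs, the container and ACL steps are safe to repeat.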