Determine Whether to Extend the Active Directory Schema for Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
When you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish site information to Active Directory Domain Services. Extending the Active Directory schema is optional for Configuration Manager. However, by extending the schema you can use all Configuration Manager features and functionality with the least amount of administrative overhead.
If you decide to extend the Active Directory schema, you can do so before or after you run Configuration Manager Setup.
The Active Directory schema extensions for System Center 2012 Configuration Manager (and later releases like SP1 or R2) are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not have to extend the schema again for System Center 2012 Configuration Manager.
Similarly, if you extended the schema for one version of System Center 2012 Configuration Manager, you do not have to extend the schema again for a later version of Configuration Manager.
Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after setup.
Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
Extend the Active Directory schema.
Create the System Management container.
Set security permissions on the System Management container.
Enable Active Directory publishing for the Configuration Manager site.
For information about how to extend the schema, create the System Management container, and configure setting security permissions on the container, see Prepare Active Directory for Configuration Manager in the Prepare the Windows Environment for Configuration Manager topic. For information about how to enable publishing for Configuration Manager sites, see Planning for Publishing of Site Data to Active Directory Domain Services.
Mobile devices that are managed by the Exchange Server connector and the following clients do not use Active Directory schema extensions for Configuration Manager:
The client for Mac computers
The client for Linux and UNIX servers
Mobile devices that are enrolled by Configuration Manager
Mobile devices that are enrolled by Microsoft Intune
Mobile device legacy clients
Windows clients that are configured for Internet-only client management
Windows clients that are detected by Configuration Manager to be on the Internet
The following table identifies Configuration Manager functions that use an Active Directory schema that is extended for Configuration Manager, and if there are workarounds that you can use if you cannot extend the schema.
Client computer installation and site assignment
When a new Configuration Manager Windows client installs, the client can search Active Directory Domain Services for installation properties. If you do not extend the schema, you must use one of the following workarounds to provide configuration details that computers require to install:
Port configuration for client-to-server communication
When a client installs, it is configured with port information. If you later change the client-to-server communication port for a site, a client can obtain this new port setting from Active Directory Domain Services. If you do not extend the schema, you must use one of the following workarounds to provide this new port configuration to existing clients:
Network Access Protection
Configuration Manager publishes health state references to Active Directory Domain Services so that the System Health Validator point can validate a client’s statement of health.
Content deployment scenarios
When you create content at one site and then deploy that content to another site in the hierarchy, the receiving site must be able to verify the signature of the signed content data. This requires access to the public key of the source site where you create this data.
When you extend the Active Directory schema for Configuration Manager, a site’s public key is made available to all sites in the hierarchy. If you do not extend the Active Directory schema, you can use the hierarchy maintenance tool, preinst.exe, to exchange the secure key information between sites.
For example, if you plan to create content at a primary site and deploy that content to a secondary site below a different primary site, you must either extend the Active Directory schema to enable the secondary site to obtain the source primary sites public key, or use preinst.exe to share keys between the two sites directly.
When you extend the schema for Configuration Manager, several classes and attributes are added that any Configuration Manager site in the Active Directory forest can use. Because the global catalog is replicated throughout the forest, consider the network traffic that might be generated. In Windows 2000 forests, extending the schema causes a full synchronization of the whole global catalog. Beginning with Windows 2003 forests, only the newly added attributes are replicated. Plan to extend the schema during a time when the replication traffic does not adversely affect other network-dependent processes.
When you extend the Active Directory schema for System Center 2012 Configuration Manager, the following attributes and classes are added to Active Directory Domain Services:
The Active Directory schema extensions might include attributes and classes that are carried forward from previous versions of the product but not used by Microsoft System Center 2012 Configuration Manager. For example:
To ensure that these lists are current for your version of System Center 2012 Configuration Manager, review the ConfigMgr_ad_schema.LDF file that is located in the\SMSSETUP\BIN\x64 folder of the System Center 2012 Configuration Manager installation media.