One of the first steps needed when setting up a new Configuration Manager (SCCM) Environment is preparing the Active Directory schema to be able to publish service information to allow for the management of the devices in the domain.
To help the SCCM Agent find its way to a Site Server and other SCCM Services we need to extend the AD Schema with new classes and attributes.
The below steps are the preferred method for publishing the services as putting this information into the Active Directory Schema is more secure and easy for agents to access because Active Directory is automatically queried during installation for its service settings.
Extending the Schema is a onetime operation per Active Directory Forrest and is an irreversible action.
What you need before you start
- An account that is a part of the Schema administrators group and has the Create All Child Objects permission on the System Container in Active Directory Domain Services.
- Access to a domain controller with the Schema Master Role.
- Configuration Manager Install media. In particular, the following file: SMSSETUP\BIN\x64\Extadsch.exe
- An additional domain joined server of which will be the home of Configuration Manager.
Step 1 – Determine which Domain Controller contains the Schema Master Role
In an Active Directory Forrest, usually one or more controllers contain Master roles otherwise known as Flexible Single Master Operations (FSMO) roles. Extending the Schema needs to be performed on the Domain Controller that holds the Schema Master role.
If your environment has more than one Domain Controller the below steps can assist you in finding out which controller has the Schema Master Role.
- Open Command Prompt on any Domain Controller as an Administrator and type in the following command.
netdom query fmso
- This command will return a list of FSMO roles and the Domain Controllers responsible for them as shown in the screenshot below.
Step 2 – Extend the Schema
- Login to the Domain Controller that holds the Schema Master role with an Administrator account that is a part of the Schema administrators group. (Usually a Domain Admin account will suffice here)
- Mount the Configuration Manager Source media.
- Open Command Prompt, navigate to the mounted media and change directory to the following location:
- Run extadsch.exe from the command prompt.
- Confirm the results in the command prompt window show “Successfully extended the Active Directory schema.”
- Alternatively, you can confirm or troubleshoot any issues by reviewing the ExtADSch.log file that will be located in the root of the system drive.
Step 2 – Create the “System Management” Container
- Login with an account that has the correct permissions to create child objects in Active Directory.
- Open ADSI Edit from the Windows Administrative Tools folder in the Start Menu.
- If there is no Domain shown in the console, right click on ADSI Edit in the left pane and choose connect to…
- In the Connection Settings window, leave the existing defaults and click OK.
- Expand the FQDN Domain object and then right click on CN=System, click New and then choose
- The Create Object dialog box will appear, select Container and then click the Next
- Type System Management in the Value box and then click Next and then Finish to complete the process.
- Expand CN=System and ensure you can see the CN=System Management Keep the ADSI Edit console open so you can apply permissions in the next step.
Step 3 – Apply Permissions to the System Management Container
- While still in the ADSI Edit console right click on the CN=System Management container and choose Properties.
- On the CN=System Management Properties dialog box click on the Security
- Click Add and then click Object Type. In the Object Types dialog box tick Computers and then OK. Enter the Config Manager Site Server Computer name into the search area and click Check Names.
- Grant the computer account Full control
- Click Advanced, highlight the servers computer account and click Edit.
- In the Applies to drop down box, choose This object and all descendant objects.
- Click OK and then the same for all other dialog boxes to apply the permissions.
Click here to follow the next steps to install the prerequisites for the Primary Site Server.