
Step by Step Guide for Extending Active Directory Schema for System Center Configuration Manager

Account Permissions

The account used to run extadsch.exe needs appropriate access and must be a member of the “Schema Admins” group. You cannot run extadsch.exe with alternate credentials using Run As.


Locating ExtADSch.exe

The exe used to extend the AD Schema can be located in the default installation directory under the bin\i386 folder.


If you have installed ConfigMgr to an alternate location, then it will be located in that installation path (installation path\bin\i386).

Running ExtADSch.exe

You can run the file either by opening a command prompt and running extadsch.exe, or by double-clicking the file.


Once it has run, look for the “Successfully extended the Active Directory schema” output. You can also check the results in the ExtADSch.log file that is created on the C: drive.

This log file will detail the changes made to the schema and also show the success of the schema extensions.


Creating the System Management Container

After the schema is extended successfully, the System Management container needs to be created in Active Directory.

Open ADSI Edit and expand to the “System” container.


Right-click on the System container and select “new” then “object”.


Select “container” from the object list, and then select “Next”.


Next, enter in “System Management” and then click “Next”.


Click “Finish”.


Once you click Finish, you should see the new container listed.


Setting Security on the System Management container

Once the System Management container has been successfully created in Active Directory, the appropriate permissions need to be set on the object.

With ADSI Edit still open, right-click on the System Management container object and select properties.


Go to the Security tab of the Properties dialog box and then select “Add”. Once the next dialog box opens, add the computer account of the primary site server(s) or the Active Directory group containing the servers. It’s recommended to use an Active Directory group so that you are not required to make this change again. Once you have entered the required information, select “OK”.


Select “Full Control” for the site server or group you just added.


Next select Advanced, and then configure the server or AD group permissions to apply to “this object and all descendant objects”.


Click “OK” 3 times to save your changes.
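
The container creation and permission steps above can also be scripted, which makes the resulting ACL easy to review afterwards. The following PowerShell is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed and uses a hypothetical group name, `SCCM-SiteServers`, for the Active Directory group containing the site servers.

```powershell
# Added example: scripted equivalent of the ADSI Edit steps in this guide.
# Assumptions: ActiveDirectory module (RSAT) is available, and
# 'SCCM-SiteServers' is a hypothetical group holding the site server accounts.
Import-Module ActiveDirectory

$groupName   = 'SCCM-SiteServers'   # hypothetical; replace with your own group
$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"

# Create the container under CN=System only if it is not already there.
$existing = Get-ADObject -LDAPFilter '(&(objectClass=container)(cn=System Management))' `
    -SearchBase $systemDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# Build an ACE: Allow, Full Control, "This object and all descendant objects".
$sid     = (Get-ADGroup -Identity $groupName).SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$type    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $rights, $type, $inherit

# Append the ACE to the container's existing ACL and write it back.
$acl = Get-Acl -Path "AD:\$containerDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# Review: list every explicit (non-inherited) Full Control ACE on the container.
# Only the site server group and the expected administrative principals
# should appear here.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { -not $_.IsInherited -and $_.ActiveDirectoryRights -eq 'GenericAll' } |
    Select-Object IdentityReference, AccessControlType, InheritanceType
```

The final pipeline can be rerun on its own at any time to confirm that the Full Control entries on the container still match what was granted here.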


I am a Microsoft MVP for System Center Configuration Manager and owner of Nackers Consulting Services, LLC. I focus primarily on System Center Configuration Manager and the Microsoft Deployment Toolkit. In addition to helping clients leverage the technologies they use, I enjoy spending a lot of time on the forums and email lists helping answer questions and just seeing what people are doing with the deployment technologies available to them. I have spoken at Microsoft Management Summit on ConfigMgr/MDT integration and I have spoken at user groups around the country. If you have any questions, please feel free to contact me, I am always willing to help.
