Step by Step Guide for Extending Active Directory Schema for System Center Configuration Manager

Account Permissions

The account used to run extadsch.exe needs appropriate access and must be a member of the “Schema Admins” group. You cannot run extadsch.exe with alternate credentials using Run As.


Locating ExtADSch.exe

The exe used to extend the AD Schema can be located in the default installation directory under the bin\i386 folder.


If you have installed ConfigMgr to an alternate location, then it will be located in that installation path (installation path\bin\i386).

Running ExtADSch.exe

You can run the file by either opening a command prompt and running the extadsch.exe, or by double-clicking the file.


Once it has run, look for the “Successfully extended the Active Directory schema” output. You can also check the results in the ExtADSch.log file that is created on the C: drive.

This log file will detail the changes made to the schema and also show the success of the schema extensions.


Creating the System Management Container

After the schema is extended successfully, the System Management container needs to be created in Active Directory.

Open ADSI Edit and expand to the “System” container.


Right-click on the System container and select “new” then “object”.


Select “container” from the object list, and then select “Next”.


Next, enter in “System Management” and then click “Next”.


Click “Finish”.


Once you click Finish, you should see the new container listed.


Setting Security on the System Management container

Once the System Management container has been successfully created in Active Directory, the appropriate permissions need to be set on the object.

With ADSI Edit still open, right-click on the System Management container object and select properties.


Go to the Security tab of the Properties dialog box and then select “Add”. Once the next dialog box opens, add the computer account of the primary site server(s) or the Active Directory group containing the servers. It’s recommended to use an Active Directory group so that you are not required to make this change again. Once you have entered the required information, select “OK”.


Select “Full Control” for the site server or group you just added.


Next select Advanced, and then configure the server or AD group permissions to apply to “this object and all descendant objects”.


Click “OK” 3 times to save your changes.
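
The container creation and permission steps above can also be scripted and then checked. The following PowerShell is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is available and that a hypothetical group named SCCM-SiteServers holds the site server computer accounts.

```powershell
# Added example: scripted equivalent of the ADSI Edit steps above.
# Assumption: 'SCCM-SiteServers' is a hypothetical AD group containing
# the primary site server computer account(s).
Import-Module ActiveDirectory

$GroupName   = 'SCCM-SiteServers'
$DomainDN    = (Get-ADDomain).DistinguishedName
$SystemDN    = "CN=System,$DomainDN"
$ContainerDN = "CN=System Management,$SystemDN"

# Create the container only if it does not already exist under CN=System.
$existing = Get-ADObject -LDAPFilter '(&(objectClass=container)(cn=System Management))' `
                         -SearchBase $SystemDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Type container -Name 'System Management' -Path $SystemDN
}

# Allow / Full Control, applied to this object and all descendant objects.
$sid  = (Get-ADGroup -Identity $GroupName).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$ContainerDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl

# Verify: list the explicit (non-inherited) entries on the container so the
# new grant, and any unexpected principals, are visible for review.
(Get-Acl -Path "AD:\$ContainerDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize
```

The verification output should show the group with GenericAll, Allow, and an inheritance type of All; re-running the last pipeline later is a quick way to audit who holds rights on the container.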


I am a Microsoft MVP for System Center Configuration Manager and owner of Nackers Consulting Services, LLC. I focus primarily on System Center Configuration Manager and the Microsoft Deployment Toolkit. In addition to helping clients leverage the technologies they use, I enjoy spending a lot of time on the forums and email lists helping answer questions and just seeing what people are doing with the deployment technologies available to them. I have spoken at Microsoft Management Summit on ConfigMgr/MDT integration and I have spoken at user groups around the country. If you have any questions, please feel free to contact me, I am always willing to help.
