When you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish site information to Active Directory Domain Services. Extending the Active Directory schema is optional for Configuration Manager. However, by extending the schema you can use all Configuration Manager features and functionality with the least amount of administrative overhead.
If you decide to extend the Active Directory schema, you can do so before or after you run Configuration Manager Setup.
Considerations for Extending the Active Directory Schema for Configuration Manager
The Active Directory schema extensions for System Center 2012 Configuration Manager and System Center 2012 Configuration Manager SP1 are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not have to extend the schema again for System Center 2012 Configuration Manager or System Center 2012 Configuration Manager SP1.
Similarly, if you extended the schema for System Center 2012 Configuration Manager with no service pack, you do not have to extend the schema again for System Center 2012 Configuration Manager SP1.
Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after setup.
Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
- Extend the Active Directory schema.
- Create the System Management container.
- Set security permissions on the System Management container.
- Enable Active Directory publishing for the Configuration Manager site.
For information about how to extend the schema, create the System Management container, and set security permissions on the container, see Prepare Active Directory for Configuration Manager in the Prepare the Windows Environment for Configuration Manager topic. For information about how to enable publishing for Configuration Manager sites, see Planning for Publishing of Site Data to Active Directory Domain Services.
Mobile devices that are managed by the Exchange Server connector and the following clients do not use Active Directory schema extensions for Configuration Manager:
- The client for Mac computers
- The client for Linux and UNIX servers
- Mobile devices that are enrolled by Configuration Manager
- Mobile devices that are enrolled by Windows Intune
- Mobile device legacy clients
- Windows clients that are configured for Internet-only client management
- Windows clients that are detected by Configuration Manager to be on the Internet
The following table identifies Configuration Manager functions that use an Active Directory schema that is extended for Configuration Manager, and whether there are workarounds that you can use if you cannot extend the schema.
Functionality | Active Directory | Details |
---|---|---|
Client computer installation and site assignment | Optional | When a new Configuration Manager Windows client installs, the client can search Active Directory Domain Services for installation properties. If you do not extend the schema, you must use one of the following workarounds to provide configuration details that computers require to install: |
Port configuration for client-to-server communication | Optional | When a client installs, it is configured with port information. If you later change the client-to-server communication port for a site, a client can obtain this new port setting from Active Directory Domain Services. If you do not extend the schema, you must use one of the following workarounds to provide this new port configuration to existing clients: |
Network Access Protection | Required | Configuration Manager publishes health state references to Active Directory Domain Services so that the System Health Validator point can validate a client’s statement of health. |
Content deployment scenarios | Optional | When you create content at one site and then deploy that content to another site in the hierarchy, the receiving site must be able to verify the signature of the signed content data. This requires access to the public key of the source site where you create this data. When you extend the Active Directory schema for Configuration Manager, a site’s public key is made available to all sites in the hierarchy. If you do not extend the Active Directory schema, you can use the hierarchy maintenance tool, preinst.exe, to exchange the secure key information between sites. For example, if you plan to create content at a primary site and deploy that content to a secondary site below a different primary site, you must either extend the Active Directory schema to enable the secondary site to obtain the source primary site’s public key, or use preinst.exe to share keys between the two sites directly. |
Attributes and Classes Added by the Configuration Manager Schema Extensions
When you extend the schema for Configuration Manager, several classes and attributes are added that any Configuration Manager site in the Active Directory forest can use. Because the global catalog is replicated throughout the forest, consider the network traffic that might be generated. In Windows 2000 forests, extending the schema causes a full synchronization of the whole global catalog. For Windows 2003 forests, Windows 2008 forests, and Windows 2008 R2 forests, only the newly added attributes are replicated. Plan to extend the schema during a time when the replication traffic does not adversely affect other network-dependent processes.
When you extend the Active Directory schema for System Center 2012 Configuration Manager, the following attributes and classes are added to Active Directory Domain Services:
- Attributes:
  - cn=mS-SMS-Assignment-Site-Code
  - cn=mS-SMS-Capabilities
  - cn=MS-SMS-Default-MP
  - cn=mS-SMS-Device-Management-Point
  - cn=mS-SMS-Health-State
  - cn=MS-SMS-MP-Address
  - cn=MS-SMS-MP-Name
  - cn=MS-SMS-Ranged-IP-High
  - cn=MS-SMS-Ranged-IP-Low
  - cn=MS-SMS-Roaming-Boundaries
  - cn=MS-SMS-Site-Boundaries
  - cn=MS-SMS-Site-Code
  - cn=mS-SMS-Source-Forest
  - cn=mS-SMS-Version
- Classes:
  - cn=MS-SMS-Management-Point
  - cn=MS-SMS-Roaming-Boundary-Range
  - cn=MS-SMS-Server-Locator-Point
  - cn=MS-SMS-Site
Note |
---|
The Active Directory schema extensions might include attributes and classes that are carried forward from previous versions of the product but not used by Microsoft System Center 2012 Configuration Manager. For example: |
To ensure that these lists are current for your version of System Center 2012 Configuration Manager, review the ConfigMgr_ad_schema.LDF file that is located in the \SMSSETUP\BIN\x64 folder of the System Center 2012 Configuration Manager installation media.
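Because the schema extension is forest-wide and irreversible, it is worth confirming what a forest already contains before and after extending it. The following read-only check is an added example, not part of the original documentation; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses only the attribute and class names listed above.

```powershell
# Added example: read-only comparison of the forest schema with the lists on this page.
# Assumes the ActiveDirectory module (RSAT) and an account that can read the schema partition.
Import-Module ActiveDirectory

# Names copied from the attribute and class lists above.
$expected = @{
    attributeSchema = @(
        'mS-SMS-Assignment-Site-Code', 'mS-SMS-Capabilities', 'MS-SMS-Default-MP',
        'mS-SMS-Device-Management-Point', 'mS-SMS-Health-State', 'MS-SMS-MP-Address',
        'MS-SMS-MP-Name', 'MS-SMS-Ranged-IP-High', 'MS-SMS-Ranged-IP-Low',
        'MS-SMS-Roaming-Boundaries', 'MS-SMS-Site-Boundaries', 'MS-SMS-Site-Code',
        'mS-SMS-Source-Forest', 'mS-SMS-Version'
    )
    classSchema = @(
        'MS-SMS-Management-Point', 'MS-SMS-Roaming-Boundary-Range',
        'MS-SMS-Server-Locator-Point', 'MS-SMS-Site'
    )
}

# Schema objects sit directly under the schema naming context; LDAP matching on cn ignores case.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$found = @(Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(cn=MS-SMS-*)' -Properties whenCreated)

# One row per expected object: is it there, is it the right kind, and when was it added.
$report = foreach ($type in $expected.Keys) {
    foreach ($name in $expected[$type]) {
        $hit = $found | Where-Object { $_.Name -eq $name -and $_.ObjectClass -eq $type }
        [pscustomobject]@{
            Name        = $name
            Type        = $type
            Present     = [bool]$hit
            WhenCreated = $hit.whenCreated
        }
    }
}
$report | Sort-Object Type, Name | Format-Table -AutoSize

# MS-SMS-* objects present in the schema but absent from the lists above, such as
# items carried forward from earlier product versions.
$known = $expected.Values | ForEach-Object { $_ }
$found | Where-Object { $_.Name -notin $known } | Select-Object Name, ObjectClass

if ($report.Present -contains $false) { Write-Warning 'Schema extension is missing or incomplete.' }
```

The WhenCreated column shows when each object was added to the schema, which helps confirm whether an earlier extension, such as one made for Configuration Manager 2007, is already in place.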
See Also
For additional information, see Information and Support for Configuration Manager.