Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after setup.
While some Configuration Manager features depend on extending the schema, such as Network Access Protection in Configuration Manager and global roaming, there are workarounds for not extending the schema to enable other Configuration Manager features. For more information about the affected features, and the workarounds for not extending the Active Directory schema for Configuration Manager 2007, see Decide If You Should Extend the Active Directory Schema.
Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
- Extend the Active Directory schema.
- Create the System Management container.
- Set security permissions on the System Management container.
- Enable Active Directory publishing for the Configuration Manager site.
When extending the schema for Configuration Manager, several classes and attributes are added that any Configuration Manager site in the Active Directory forest can use. Because the global catalog is replicated throughout the forest, you must consider the network traffic that might be generated. In Windows 2000 forests, extending the schema causes a full synchronization of the whole global catalog. For Windows Server 2003 forests, only the newly added attributes are replicated. You should plan to extend the schema during a time when the replication traffic does not adversely affect other network-dependent processes.
You can extend the Active Directory schema for Configuration Manager 2007 by running the ExtADSch.exe tool or by using the LDIFDE command-line tool to import the contents of the ConfigMgr_ad_schema.ldf LDIF file. Both the tool and the LDIF file are located in the SMSSETUP\BIN\i386 directory of the Configuration Manager 2007 installation files. Regardless of the method that you use to extend the schema, two conditions must be met:
- The Active Directory schema must allow updates. On domains that are running Windows Server 2003, by default, the schema is enabled for updates. For domains that are running Windows 2000 Server, you must manually enable updates on the schema master for the Active Directory forest.
- The account that is used to update the schema must be either a member of the Schema Admins group or have been delegated sufficient permissions to modify the schema.
We recommend that you use the ConfigMgr_ad_schema.ldf LDIF file to extend the Active Directory schema for Configuration Manager 2007. Using an LDIF file to extend the Active Directory schema instead of the ExtADSch.exe tool provides greater transparency about the changes being made to the Active Directory schema and also makes it easier to diagnose any problems encountered during the schema extension process.
See the following tasks for more information about extending the schema:
After the schema has been extended with the classes and attributes that are required for Configuration Manager, create a System Management container in the System container in each site server's domain partition in Active Directory Domain Services.
Because domain controllers do not replicate their System Management container to other domains in the forest, you must create a System Management container for each domain that hosts a Configuration Manager site.
Although each domain maintains its own System Management container in the domain partition, the Configuration Manager information is published to the global catalog for the forest. This makes the information for each site publishing to Active Directory Domain Services available to every client in the forest regardless of domain membership. See the following task for creating a System Management container:
After creating a System Management container, the primary site server’s computer account must be granted Full Control to the System Management container, and all its child objects to successfully publish its site information. If you have secondary sites, the secondary site server’s computer account must also be granted Full Control to the System Management container, and all its child objects. See the following task for more information about how to set security on the System Management container:
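The following PowerShell script is an added example, not part of the original documentation or of the Configuration Manager installation media. It walks the first three actions described above: it confirms the schema master and the Schema Admins membership of the current account, imports ConfigMgr_ad_schema.ldf with LDIFDE while keeping a log for diagnosis, creates the System Management container in the site server's domain, and grants the primary site server's computer account Full Control over the container and all its child objects. It assumes the RSAT ActiveDirectory module is available, that the account running it is a Schema Admin, and that the `$LdfPath` and `$SiteServer` values are placeholders you replace; the substitution of `DC=x` in the LDIF file reflects the placeholder that ships in that file, which you should confirm against your copy before running.

```powershell
# Added example (not from the original page or from Microsoft): extend the ConfigMgr 2007
# schema via LDIFDE, create the System Management container, and delegate Full Control
# to the primary site server's computer account.
# Assumptions: RSAT ActiveDirectory module; run as a Schema Admin; placeholders below are set by you.

Import-Module ActiveDirectory

$LdfPath    = 'C:\ConfigMgrSetup\SMSSETUP\BIN\i386\ConfigMgr_ad_schema.ldf'   # placeholder: path to the LDIF file
$SiteServer = 'SITESERVER01'                                                   # placeholder: primary site server name
$LogDir     = 'C:\Temp\SchemaExt'                                              # ldifde writes ldif.log / ldif.err here

$rootDse      = Get-ADRootDSE
$schemaNC     = $rootDse.schemaNamingContext                    # CN=Schema,CN=Configuration,DC=...
$forest       = Get-ADForest
$rootDomainDN = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
$domainDN     = (Get-ADDomain).DistinguishedName                # domain of the site server (current domain)

# --- Pre-checks: which DC holds the schema master role, and is this account a Schema Admin? ---
Write-Host "Schema master: $($forest.SchemaMaster)"
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive -Server $forest.RootDomain
if (-not ($schemaAdmins | Where-Object { $_.SID.Value -eq $me.User.Value })) {
    throw "Current account is not a member of Schema Admins; the import would be rejected."
}

# --- Step 1: extend the schema with LDIFDE, logging to $LogDir ---
# Work on a copy of the LDIF file so the installation media stays untouched.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$ldfWork = Join-Path $LogDir 'ConfigMgr_ad_schema.ldf'
# The shipped file uses DC=x as a placeholder for the forest root DN (assumption: verify in your copy).
(Get-Content -Path $LdfPath) -replace 'DC=x', $rootDomainDN | Set-Content -Path $ldfWork -Encoding ASCII

& ldifde.exe -i -f $ldfWork -v -j $LogDir
if ($LASTEXITCODE -ne 0) {
    throw "ldifde returned exit code $LASTEXITCODE; review $LogDir\ldif.log and ldif.err before retrying."
}

# Post-check: the site class defined by the extension must now exist in the schema partition.
$siteClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=mSSMSSite)'
if (-not $siteClass) { throw "Schema class mSSMSSite not found after import; extension did not apply." }

# --- Step 2: create the System Management container in the site server's domain partition ---
$systemDN = "CN=System,$domainDN"
$smDN     = "CN=System Management,$systemDN"
if (-not (Get-ADObject -SearchBase $systemDN -SearchScope OneLevel -LDAPFilter '(cn=System Management)')) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# --- Step 3: grant the site server's computer account Full Control, this object and all descendants ---
$computer = Get-ADComputer -Identity $SiteServer
$acl = Get-Acl -Path "AD:\$smDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $computer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$smDN" -AclObject $acl

# Verification: list the ACEs that apply to the site server so the delegation can be reviewed.
(Get-Acl -Path "AD:\$smDN").Access |
    Where-Object { $_.IdentityReference -like "*\$SiteServer`$" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```

Repeat the Step 2 and Step 3 portions in every domain that hosts a site, and add the secondary site servers' computer accounts with the same rule where they exist. Keeping the ldifde log directory is what gives the LDIF method its diagnostic advantage over ExtADSch.exe: a failed import records the exact entry that was rejected.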
When Configuration Manager site information is published to Active Directory Domain Services, Configuration Manager clients can automatically detect server locator points and management points without generating Windows Internet Name Service (WINS) traffic. If Configuration Manager site information is not published to Active Directory Domain Services, you might have to add Configuration Manager site role information in WINS manually. For more information about publishing Configuration Manager information to Active Directory Domain Services, see the following tasks:
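As an added example (not from the original page), the following query checks from a client's point of view that site information has actually reached the global catalog. It binds to the GC port (3268) of a domain controller and lists the site and management point objects published under any System Management container in the forest. It assumes the RSAT ActiveDirectory module and a reachable GC named in the `$GcServer` placeholder; the class and attribute names are those defined by the Configuration Manager 2007 schema extension.

```powershell
# Added example (not from the original page): verify that Configuration Manager site
# and management point objects are visible in the global catalog, as clients would see them.
# Assumptions: RSAT ActiveDirectory module; $GcServer is a placeholder for a global catalog server.

Import-Module ActiveDirectory

$GcServer = 'DC01.contoso.com'                             # placeholder: any GC in the forest
$forestRootDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# Port 3268 selects the global catalog, so results span every domain's System Management container.
$published = Get-ADObject -Server "$GcServer`:3268" -SearchBase $forestRootDN -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=mSSMSSite)(objectClass=mSSMSManagementPoint))' `
    -Properties objectClass, mSSMSSiteCode, mSSMSMPName

if (-not $published) {
    Write-Warning "No published site objects found; check publishing on the site and the container ACL."
}

$published | Select-Object Name, ObjectClass, mSSMSSiteCode, mSSMSMPName, DistinguishedName | Format-Table -AutoSize
```

An empty result with the schema already extended points at one of the two earlier actions: the site is not configured to publish, or its computer account lacks Full Control on the System Management container in its own domain.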