Step by step guide installing SCCM 2007 Part 10 I will cover how to prepare Active Directory 2008 Schema in preparation for installaing System Center Configuration Manager 2007.

Extending the Active Directory schema is a forest-wide action and must only be done once per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or by someone who has been delegated sufficient permissions to modify the schema. If you choose to extend the Active Directory schema, it may be done before or after setup.

While some Configuration Manager features are dependent on extending the schema, such as Network Access Protection in Configuration Manager and global roaming, there may be workarounds for not extending the schema to enable other Configuration Manager features.

Note: Before you proceed any further please ensure:

1. The account you are using for this part has Schema Admin rights in Active Directory. i.e. Schema Admins Group.
2. The Domain controller has verified backups.

Four actions need to be taken in order to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:
Step 1: Extend the Active Directory schema.
Step 2: Create the System Management container.
Step 3: Set security permissions on the System Management container.
Step 4: Add the Site Server to the Administrators Security Group.

The Active Directory schema can be extended for Configuration Manager 2007 by running the ExtADSch.exe utility or by using the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf LDIF file. Both the utility and the LDIF file are located in the SMSSETUP\BIN\i386 directory of the Configuration Manager 2007 installation files.

Step 1: Extend the Active Directory schema.

Note: For extending schema there is no x64 BIT version of extadsch.exe you need to use x386 version indicated below.

As indicated below this is a dump of the entire SCCM 2007 media CD.




Run extadsch.exe, located at \SMSSETUP\BIN\I386 on the installation media, to add the new classes and attributes to the Active Directory schema.




This screen will flash for a few seconds and close automatically. If you would like to look at the details please read further.



Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive.




======ExtADSch.log log Output=======
<12-27-2009 13:32:00> Modifying Active Directory Schema - with SMS extensions.
<12-27-2009 13:32:01> DS Root:CN=Schema,CN=Configuration,DC=pilot,DC=local
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Site-Code.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Assignment-Site-Code.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Site-Boundaries.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Default-MP.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Device-Management-Point.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-MP-Name.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-MP-Address.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Health-State.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Source-Forest.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<12-27-2009 13:32:02> Defined attribute cn=MS-SMS-Ranged-IP-High.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Version.
<12-27-2009 13:32:02> Defined attribute cn=mS-SMS-Capabilities.
<12-27-2009 13:32:03> Defined class cn=MS-SMS-Management-Point.
<12-27-2009 13:32:03> Defined class cn=MS-SMS-Server-Locator-Point.
<12-27-2009 13:32:03> Defined class cn=MS-SMS-Site.
<12-27-2009 13:32:03> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<12-27-2009 13:32:03> Successfully extended the Active Directory schema.

<12-27-2009 13:32:03> Please refer to the SMS documentation for instructions on the manual
<12-27-2009 13:32:03> configuration of access rights in active directory which may still
<12-27-2009 13:32:03> need to be performed.  (Although the AD schema has now be extended,
<12-27-2009 13:32:03> AD must be configured to allow each SMS Site security rights to
<12-27-2009 13:32:03> publish in each of their domains.)
======ExtADSch.log log Output=======

Step 2: Create the System Management container. 


Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container needs to be created once for each domain that includes a Configuration Manager site server that will publish site information to Active Directory Domain Services.

NOTE: Because domains controllers do not replicate their System Management container to other domains in the forest, a System Management container must be created for each domain that hosts a Configuration Manager Site


1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.
2. Open the ADSIEdit MMC console, and connect to the domain in which the site server resides.
3. In the console pane, expand Domain [computer fully qualified domain name], expand <distinguished name>, and right-click CN=System. On the context menu, click New and then click Object




4. In the Create Object dialog box, select Container and click Next.



5. In the Value field, type System Management and click Next.



6. Click Finish.



7.  System Management object has successfully been created.




Step 3: Set security permissions on the System Management container.

1. Open the Active Directory Users and Computers administrative tool.



2. Click View, and then click Advanced Features  > Expand the System container > Right-click System Management. On the context menu, click Properties



3. In the System Management Properties dialog box, click the Security tab.
4. Click Add to add the site server computer account and grant the account Full Control permissions





5. Click Advanced, select the site server’s computer account, and click Edit



6. In the Apply onto list, select This object and all descendant objects, click OK




7. Confirm the settings are displayed as configured earlier.









Step 4: Add the Site Server to the Administrators Security Group.

When all computers are in the same forest, manually add the site server computer account to the local Administrators group on each computer. Complete this step before configuring the computer as a site system.

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers console tree, go to pilot.local/Builtin.
In the details pane, right-click Administrators, and then click Properties.
In the Administrators Properties dialog box, click the Members tab, and then click Add.
In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types.
In the Object Types dialog box, in Object types, select Computers, and then click OK.
In the Select Users, Contacts, Computers, or Groups dialog box, in Enter the object names to select, type PILOT-SCCM-01. Click Check Names, and then click OK.