Create System Management Container, Extend AD Schema

In this post, I will show you how to create the System Management container. I will also cover the steps to extend the Active Directory schema (AD schema) for SCCM.

This post can be considered part 2 of deploying SCCM in our lab setup. In the first part, I covered the steps to install Active Directory.

When you want to install SCCM, you have to prepare Active Directory for site publishing. This involves multiple steps which are listed in this post.

Note – If your Active Directory schema was extended for SCCM 2007 or Configuration Manager 2012, then you don’t need to do it again. The schema extensions are unchanged and will already be in place. Extending the schema is a one-time action for any forest.

Prepare Active Directory for site publishing

Before you create the System Management container and extend the Active Directory schema for SCCM, here are some important prerequisites.

  • There are no new Active Directory schema extensions for Configuration Manager current branch. If you previously extended the schema for an earlier version, you don’t have to extend the schema again.
  • When you extend the Active Directory schema for Configuration Manager, it is a forest-wide, one-time, irreversible action.
  • To extend the AD schema, you must use an account that is a member of the Schema Admins group.
  • You can extend the schema before or after you install a Configuration Manager site. However, it’s best to extend the schema before you start to configure your sites and hierarchy settings.
  • After you extend the schema, the Active Directory global catalog replicates throughout the forest.

Create System Management Container

After we have a domain controller in our setup, the next step is to create a container. You create the System Management container once in each domain that has a primary or secondary site. The container is used to publish data to Active Directory.

To Create System Management Container

  • Log in to the domain controller with a domain admin account.
  • Click Start, All Programs, Administrative Tools.
  • Select ADSI Edit.
  • Right-click ADSI Edit and click Connect to.
  • The naming context should be Default naming context. Click OK.
  • In the ADSI Edit console, expand the Default naming context.
  • Right-click CN=System, click New and create an Object.
  • Select Container from the options. Click Next.
  • Provide the object value as System Management.
  • Click Next and refresh ADSI Edit to see the System Management container in the console.

Delegate Permissions on System Management Container

Now that we have created the System Management Container, the next step is to delegate the permissions on System Management Container.

  • Open the Active Directory Users and Computers.
  • Click View and select Advanced Features.
  • Right-click System Management and select Delegate Control.
  • On the next screen click Add.
  • In the Object Types select Computers and click OK.
  • Type the SCCM server name and click Check Names.
  • Select the SCCM computer from the list.
  • In the Tasks to Delegate window, select Create a custom task to delegate.
  • Select the default option This folder, existing objects in this folder and creation of new objects in this folder. Click Next.
  • Select all three permissions and click on Full Control.
  • Click Finish to close the delegation wizard.


Extend Active Directory Schema for SCCM

The last step is to extend the Active Directory schema for Configuration Manager. You can perform the steps below either on the domain controller or on any member server. To extend the AD schema, always use an account that is a member of the Schema Admins security group.

To Extend Active Directory Schema

  • Mount the SCCM ISO file.
  • Locate the folder SMSSETUP\BIN\X64.
  • Find the file named “extadsch”. Hold the Shift key, right-click the file and select Copy as path.
  • Open the command prompt and paste the copied path.
  • That’s how you extend the AD schema.

The log file extadsch.log is located in the root of the drive, i.e. C:\extadsch.log. Open it with the CMTrace log viewer. The highlighted text shows that the Active Directory schema has been extended successfully.

Modifying Active Directory Schema – with SMS extensions.
DS Root:CN=Schema,CN=Configuration,DC=prajwal,DC=local
Defined attribute cn=MS-SMS-Site-Code.
Defined attribute cn=mS-SMS-Assignment-Site-Code.
Defined attribute cn=MS-SMS-Site-Boundaries.
Defined attribute cn=MS-SMS-Roaming-Boundaries.
Defined attribute cn=MS-SMS-Default-MP.
Defined attribute cn=mS-SMS-Device-Management-Point.
Defined attribute cn=MS-SMS-MP-Name.
Defined attribute cn=MS-SMS-MP-Address.
Defined attribute cn=mS-SMS-Health-State.
Defined attribute cn=mS-SMS-Source-Forest.
Defined attribute cn=MS-SMS-Ranged-IP-Low.
Defined attribute cn=MS-SMS-Ranged-IP-High.
Defined attribute cn=mS-SMS-Version.
Defined attribute cn=mS-SMS-Capabilities.
Defined class cn=MS-SMS-Management-Point.
Defined class cn=MS-SMS-Server-Locator-Point.
Defined class cn=MS-SMS-Site.
Defined class cn=MS-SMS-Roaming-Boundary-Range.
Successfully extended the Active Directory schema.

Please refer to the ConfigMgr documentation for instructions on the manual configuration of access rights in active directory which may still need to be performed. (Although the AD schema has now be extended, AD must be configured to allow each ConfigMgr Site security rights to publish in each of their domains.)
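
The log only exists on the machine where extadsch.exe was run, so the directory itself is the better place to confirm the result. The following is an added example, not part of the original post: it checks the schema partition for the 14 attributes and 4 classes named in the log above, checks the log for the success line if it is present, and lists the current members of Schema Admins for review. It assumes the RSAT ActiveDirectory PowerShell module; the function name `Test-SmsSchemaExtension` is hypothetical.

```powershell
# Added example: confirm the schema extension from the directory itself.
# Assumes the RSAT ActiveDirectory module; names come from the log above.
Import-Module ActiveDirectory

$expectedAttributes = @(
    'MS-SMS-Site-Code', 'mS-SMS-Assignment-Site-Code', 'MS-SMS-Site-Boundaries',
    'MS-SMS-Roaming-Boundaries', 'MS-SMS-Default-MP',
    'mS-SMS-Device-Management-Point', 'MS-SMS-MP-Name', 'MS-SMS-MP-Address',
    'mS-SMS-Health-State', 'mS-SMS-Source-Forest', 'MS-SMS-Ranged-IP-Low',
    'MS-SMS-Ranged-IP-High', 'mS-SMS-Version', 'mS-SMS-Capabilities')
$expectedClasses = @(
    'MS-SMS-Management-Point', 'MS-SMS-Server-Locator-Point',
    'MS-SMS-Site', 'MS-SMS-Roaming-Boundary-Range')

function Test-SmsSchemaExtension {   # hypothetical helper name
    param([string]$LogPath = 'C:\extadsch.log')

    # Schema objects live directly under the schema naming context.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $present = @{}   # PowerShell hashtable keys compare case-insensitively
    Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel `
        -LDAPFilter '(cn=MS-SMS-*)' |
        ForEach-Object { $present[$_.Name] = $_.ObjectClass }

    $missing = @()
    foreach ($n in $expectedAttributes) {
        if ($present[$n] -ne 'attributeSchema') { $missing += "attribute $n" }
    }
    foreach ($n in $expectedClasses) {
        if ($present[$n] -ne 'classSchema') { $missing += "class $n" }
    }

    # The log exists only on the machine where extadsch.exe was run.
    $logOk = (Test-Path $LogPath) -and (Select-String -Path $LogPath -Quiet `
        -SimpleMatch 'Successfully extended the Active Directory schema.')

    [pscustomobject]@{
        SchemaExtended = ($missing.Count -eq 0)
        Missing        = $missing
        LogShowsOk     = [bool]$logOk
        # Accounts currently able to modify the schema, for review.
        SchemaAdmins   = (Get-ADGroupMember -Identity 'Schema Admins' `
            -Server (Get-ADForest).RootDomain).SamAccountName
    }
}

Test-SmsSchemaExtension
```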


List of Active Directory Attributes and Classes

After you extend the schema for Configuration Manager, the following classes and attributes are added to the schema. These are available to all SCCM sites in that Active Directory forest.

Active Directory AttributesActive Directory Classes

25 thoughts on “Create System Management Container, Extend AD Schema”

  1. Hi Prajwal

    I have added a Windows system to the same domain as the SCCM server and am trying to search for it in devices inside SCCM. I have run the Active Directory discovery method but am still unable to find that Windows system in devices.
    Could you please suggest the potential fixes?

  2. Hi Prajwal,

    If I need to change the FSMO role of the schema master from one domain controller to another, what do I need to pay attention to on the SCCM part?


  3. Afternoon,

    I am planning to migrate Exchange Server 2013 to Exchange Server 2016. The Exchange 2013 is running from 2 servers and now I have a new server running Server 2016 STD. Can I migrate using only 1 server? I don't have a virtual machine running; do I need 2 servers to successfully migrate to Exchange 2016?

  4. Hello Prajal,
    is it possible to configure the container in another Active Directory folder, other than the System folder? Is it supported by SCCM?

  5. Hello,

    Thank you for the above guidance. My question centers around changing the System Container Object. We currently have a test bed for SCCM, but we are looking to deploy into production. This will be a new server build, with proper (best practice) physical resources provided. What is the recommended practice for pointing our current extended AD infrastructure to this server?

    • An extended schema can simplify the process of deploying and setting up clients. An extended schema also lets clients efficiently locate resources like content servers and additional services that the different Configuration Manager site system roles provide.

  6. Hello Prajwal

    Our company has recently acquired another company. We have a two way trust established between our forests. I plan to deploy a Distribution point to the new forest for software deployments and imaging, but maintain only one Management Point in the original forest.

    How can I tell if the schema in our forest was extended when SCCM 2012 was deployed (before my time?)

    Does the schema need to be extended in the new forest? If so how would that be done without disrupting our current forest, as there is an active two way trust?

  7. Hello Prajwal,
    You only need to put the Site Server inside the container right?
    If you have Site System Server (like Distribution Points) you don’t have to add them inside the container right?

  8. I have been handed the reins of the SCCM project at a school district. We currently have SCCM 2012 SP1 being utilized to the best of its ability from people prior to me. We have had Microsoft Premier out assisting us with a side by side install of SCCM 2012 R2 on a completely different VLAN from the existing. My question is am I able to have 2 site servers with full permissions to the Systems Management Container? The only errors we have in the R2 upgrade are in regards to creating objects in AD which of course isn’t going to work if it doesn’t have permissions. Can I have 2 servers with permissions to the container? They are both in the same Domain.

  9. Thank you.
    I want to ask: if I extended the schema before with SCCM 2007, what happens if I extend the schema with 2012, and can I remove the effect of 2007?

  10. Hi Prajwal,
    I have faced this situation: when I ran extadsch.exe in order to extend the AD, I had the following errors:
    Error Code = 8202, at the Class MS-SMS-Managament-Point creation step and further…

    I just reran the command, and it went through without any problems.. Just wanted to share it with people that may have the same issue..
    I have to mention that I have two DCs in my forests, so I am presuming that is a matter of replication time here.. isn’t it?

  11. Hi there,

    These articles are fantastic. Excellent documentation.

    One quick question though: I have SCCM 2007 running already. For instance, in the System Management container, I see SMS-SITE-ABC (mSSMSSite), and other containers for ManagementPoint and ServerLocatorPoint exist. Should it cause any issue if I deploy SCCM 2012 using a different site name?

    Can both systems run in parallel?



