In this post, I will show you how to create the System Management container for SCCM and extend the Active Directory schema (AD schema) for SCCM. We will also go through the steps to delegate permissions on the System Management container and prepare Active Directory for site publishing.
Once Active Directory is in place for SCCM, the first step is to extend the Active Directory schema. The next step is to create the System Management container for SCCM and assign Full Control permissions on the container to the site server's computer account.
Getting Active Directory ready for site publishing is one of the things you need to do before you install SCCM. There are several steps involved, which I will outline in this post. For every domain that has a primary or secondary site, you create the System Management container only once. The site uses this container to publish data to Active Directory.
What is System Management Container in SCCM?
System Management is a container located in the System container of Active Directory. The site server and the management points use it to store published data such as boundaries and certificates.
If the Active Directory schema was already extended for SCCM 2007 or Configuration Manager 2012, you don't need to extend it again. The schema extensions are unchanged and are already in place in AD. In other words, extending the AD schema for SCCM is a one-time action for any forest.
Prepare Active Directory for site publishing
Before you create the System Management container for SCCM and extend the Active Directory schema for ConfigMgr, review these important prerequisites.
- There are no new Active Directory schema extensions for Configuration Manager current branch. If you previously extended the schema during an earlier SCCM installation, you don't have to extend it again.
- Extending the Active Directory schema for Configuration Manager is a forest-wide, one-time, irreversible action.
- To extend the AD schema for SCCM, you must use an account that is a member of the Schema Admins group.
- You can extend the schema before or after you install a Configuration Manager site. However, I recommend you extend the AD schema for SCCM before you start to configure your sites and hierarchy settings.
- After you extend the AD schema for SCCM, the Active Directory global catalog replicates the change throughout the forest.
Create System Management Container for SCCM
Let's look at the steps to create the System Management container for SCCM.
Step 1: Sign in to the schema master domain controller with an account that's a member of the Schema Admins security group. Launch Server Manager, click Tools on the top menu and select ADSI Edit. Right-click ADSI Edit and select Connect to.
Step 2: In the Connection Settings window, leave the naming context as Default naming context and leave the LDAP path unchanged. Click OK.
Step 3: In the ADSI Edit console, expand the Default naming context. Right-click CN=System and select New > Object.
Step 4: You must select a class for the System Management container object you are creating. In the Create Object window, select Container and click Next.
Step 5: Enter the container value as System Management and click Next.
Step 6: Click Finish to close the Create Object wizard. Refresh ADSI Edit and the System Management container should now be visible under CN=System.
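The same container can be created from PowerShell with the ActiveDirectory module. The following is an added example, not code from the original post; it creates the container object under CN=System in the current domain and first checks that it does not already exist, since the container must exist only once per domain.

```powershell
# Added example, not from the original post: creates the System Management
# container under CN=System with the ActiveDirectory PowerShell module, which
# is the same object the ADSI Edit steps above create. Run it once per domain.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$systemDN    = "CN=System," + $domain.DistinguishedName
$containerDN = "CN=System Management," + $systemDN

# The container must exist only once per domain, so check before creating it
$existing = Get-ADObject -Filter 'Name -eq "System Management"' `
                         -SearchBase $systemDN -SearchScope OneLevel

if ($existing) {
    Write-Host "System Management container already exists: $($existing.DistinguishedName)"
}
else {
    # Object class 'container' matches the Container class selected in the Create Object wizard
    New-ADObject -Name "System Management" -Type container -Path $systemDN
    Write-Host "Created container: $containerDN"
}

# Confirm the object and its class, as you would by refreshing ADSI Edit
Get-ADObject -Identity $containerDN -Properties objectClass |
    Select-Object DistinguishedName, ObjectClass
```

Run it on a domain controller or any machine with RSAT installed, using an account that can create objects under CN=System in that domain.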
Assign Permissions to System Management Container
After you create the System Management container for SCCM, the next step is to assign permissions to it. For each container, you must grant permissions to the computer account of every site server that will publish data to that domain. To delegate permissions on the System Management container in SCCM, follow the steps below.
Step 1: Launch the Active Directory Users and Computers console. Click View and select Advanced Features. Right-click the System Management container and select Delegate Control.
Step 2: In the Delegation of Control Wizard, click Add.
Step 3: In the Object Types window, check the Computers box and click OK. If you skip this step, the SCCM computer account will not be found in the ADUC console.
Step 4: In the Select Users, Computers, or Groups window, type the SCCM server name and click Check Names. The computer name should now be resolved. Click OK.
Step 5: We have added the computer account of the Configuration Manager site server in this domain. Click Next.
Step 6: In the Tasks to Delegate window, select Create a custom task to delegate. Click Next.
Step 7: In this step, you indicate the scope of the task you want to delegate. Select the default option This folder, existing objects in this folder, and creation of new objects in this folder. Click Next.
Step 8: In the Permissions window, select the permissions you want to delegate. Select all three checkboxes: General, Property-specific and Creation/deletion of specific child objects. Under Permissions, enable Full Control. This assigns the SCCM computer account full permissions over the System Management container, including its descendant objects. Click Next.
Step 9: We have successfully assigned permissions to the System Management container. Close the Delegation of Control Wizard.
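The wizard steps above add one access control entry to the container: Full Control for the site server's computer account, applied to the container and all descendant objects. The following added example (not the post's own code) does the same with the AD: PowerShell drive and then reads the ACL back so you can verify exactly which rights were granted. The site server name SCCM01 is an assumed placeholder.

```powershell
# Added example, not from the original post: grants the site server's computer
# account Full Control over the System Management container and all descendant
# objects, which is what the Delegation of Control wizard steps above produce.
# "SCCM01" is an assumed site server name; replace it with your own site server.
Import-Module ActiveDirectory

$siteServerName = "SCCM01"
$domain         = Get-ADDomain
$containerDN    = "CN=System Management,CN=System," + $domain.DistinguishedName
$adPath         = "AD:\" + $containerDN

# Resolve the computer account; its sAMAccountName carries a trailing $
$computer = Get-ADComputer -Identity $siteServerName
$sid      = [System.Security.Principal.SecurityIdentifier]$computer.SID

# GenericAll = Full Control; inheritance "All" covers this object and its descendants,
# matching "This folder, existing objects in this folder, and creation of new objects"
$rights      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                   -ArgumentList $sid, $rights, $allow, $inheritance

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Verify: the site server account should now show GenericAll with InheritanceType All
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -like "*\$siteServerName`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

The final query is also a useful periodic check: only the site server computer accounts that publish to this domain should appear with Full Control on this container.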
The following video tutorial explains the creation of system management container for SCCM.
How to Extend Active Directory Schema for SCCM
When you manage on-premises clients, you should extend the Active Directory schema for Configuration Manager. An extended schema can simplify the process of deploying and setting up clients. An extended schema also lets clients efficiently locate resources like content servers. Extending the schema is a one-time action for any forest.
You can perform the steps below either on a domain controller or on any member server. To extend the AD schema, always use an account that is a member of the Schema Admins security group.
The steps to extend the Active Directory schema for SCCM are as follows:
- Mount the SCCM setup media and locate the folder SMSSETUP\BIN\X64.
- Hold the Shift key, right-click the file extadsch.exe and select Copy as path.
- Open a command prompt, paste the copied path and press Enter.
- This extends the Active Directory schema for SCCM.
The output "Successfully extended the Active Directory schema" confirms that the AD schema has been extended successfully for SCCM.
The schema extension log file, extadsch.log, is written to the root of the system drive, for example C:\extadsch.log. Open it with CMTrace or Notepad. The highlighted text shows that the Active Directory schema has been extended successfully.
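The following added example (not code from the post) wraps the procedure above in a script: it confirms the current account is a Schema Admin before running extadsch.exe, runs the tool from the mounted media, and then checks extadsch.log for the success line instead of relying on the exit code alone. The media drive letter D: is an assumption.

```powershell
# Added example, not from the original post: runs extadsch.exe from the mounted
# SCCM setup media and checks extadsch.log for the success line shown above.
# "D:\" is an assumed drive letter for the mounted media; adjust it to yours.
Import-Module ActiveDirectory

$mediaRoot = "D:\"
$extadsch  = Join-Path $mediaRoot "SMSSETUP\BIN\X64\extadsch.exe"
$logPath   = Join-Path $env:SystemDrive "extadsch.log"

# The extension is forest-wide and irreversible, so confirm the prerequisites first
if (-not (Test-Path $extadsch)) { throw "extadsch.exe not found at $extadsch" }

# Schema Admins lives in the forest root domain, so query that domain explicitly
$forest       = Get-ADForest
$schemaAdmins = Get-ADGroupMember -Identity "Schema Admins" -Server $forest.RootDomain -Recursive |
                    Select-Object -ExpandProperty SamAccountName
if ($env:USERNAME -notin $schemaAdmins) {
    throw "Current user $env:USERNAME is not a member of Schema Admins"
}
Write-Host "Schema master: $($forest.SchemaMaster)"

# Run the schema extension; the tool writes its result to extadsch.log
& $extadsch
Write-Host "extadsch.exe exit code: $LASTEXITCODE"

# Confirm success from the log rather than from the exit code alone
$success = "Successfully extended the Active Directory schema"
if (Select-String -Path $logPath -Pattern $success -SimpleMatch -Quiet) {
    Write-Host "AD schema extended successfully (see $logPath)"
}
else {
    Write-Warning "Success line not found in $logPath; review the log for the error code"
    Get-Content $logPath | Select-Object -Last 10
}
```

If the success line is missing, the last lines of the log usually carry the error code, which is where the 8202 and 1355 errors discussed below are reported.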
```
Modifying Active Directory Schema - with SMS extensions.
DS Root:CN=Schema,CN=Configuration,DC=PRAJWAL,DC=LOCAL
Defined attribute cn=MS-SMS-Site-Code.
Defined attribute cn=mS-SMS-Assignment-Site-Code.
Defined attribute cn=MS-SMS-Site-Boundaries.
Defined attribute cn=MS-SMS-Roaming-Boundaries.
Defined attribute cn=MS-SMS-Default-MP.
Defined attribute cn=mS-SMS-Device-Management-Point.
Defined attribute cn=MS-SMS-MP-Name.
Defined attribute cn=MS-SMS-MP-Address.
Defined attribute cn=mS-SMS-Health-State.
Defined attribute cn=mS-SMS-Source-Forest.
Defined attribute cn=MS-SMS-Ranged-IP-Low.
Defined attribute cn=MS-SMS-Ranged-IP-High.
Defined attribute cn=mS-SMS-Version.
Defined attribute cn=mS-SMS-Capabilities.
Defined class cn=MS-SMS-Management-Point.
Defined class cn=MS-SMS-Server-Locator-Point.
Defined class cn=MS-SMS-Site.
Defined class cn=MS-SMS-Roaming-Boundary-Range.
Successfully extended the Active Directory schema.

Please refer to the ConfigMgr documentation for instructions on the manual configuration of access rights in active directory which may still need to be performed. (Although the AD schema has now be extended, AD must be configured to allow each ConfigMgr Site security rights to publish in each of their domains.)
```
Failed to Extend AD Schema for SCCM
In certain environments, you may encounter errors while extending the Active Directory schema for SCCM. Below are two common AD schema errors and the guides that cover their solutions.
- While extending the AD schema for SCCM, you may encounter error 8202. The Active Directory schema error 8202 is logged in ExtADSch.log in the root of the system drive. Read the following guide to fix SCCM Active Directory Schema Error 8202.
- While extending the Active Directory schema for SCCM, you may encounter schema error code 1355. Read the following guide to fix Failed to extend the Active Directory Schema Error Code = 1355.
SCCM: List of Active Directory Attributes and Classes
After you extend the AD schema for Configuration Manager, the following attributes and classes are added to the schema. They are available to all SCCM sites in that Active Directory forest.

| SCCM Active Directory Attributes | Active Directory Classes for SCCM |
|---|---|
| cn=mS-SMS-Assignment-Site-Code | cn=MS-SMS-Management-Point |
| cn=mS-SMS-Capabilities | cn=MS-SMS-Roaming-Boundary-Range |
| cn=MS-SMS-Default-MP | cn=MS-SMS-Server-Locator-Point |
| cn=mS-SMS-Device-Management-Point | cn=MS-SMS-Site |
| cn=mS-SMS-Health-State | |
| cn=MS-SMS-MP-Address | |
| cn=MS-SMS-MP-Name | |
| cn=MS-SMS-Ranged-IP-High | |
| cn=MS-SMS-Ranged-IP-Low | |
| cn=MS-SMS-Roaming-Boundaries | |
| cn=MS-SMS-Site-Boundaries | |
| cn=MS-SMS-Site-Code | |
| cn=mS-SMS-Source-Forest | |
| cn=mS-SMS-Version | |
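Because the extension is a one-time, forest-wide action, it is useful to be able to confirm it from any domain-joined machine without touching extadsch.exe again. The following added example (not code from the post) queries the schema naming context for each attribute and class in the table above and reports which are present.

```powershell
# Added example, not from the original post: checks the schema partition for the
# attributes and classes listed above, so you can confirm the extension from any
# domain-joined machine with RSAT without re-running extadsch.exe.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

$attributes = @(
    "mS-SMS-Assignment-Site-Code", "mS-SMS-Capabilities", "MS-SMS-Default-MP",
    "mS-SMS-Device-Management-Point", "mS-SMS-Health-State", "MS-SMS-MP-Address",
    "MS-SMS-MP-Name", "MS-SMS-Ranged-IP-High", "MS-SMS-Ranged-IP-Low",
    "MS-SMS-Roaming-Boundaries", "MS-SMS-Site-Boundaries", "MS-SMS-Site-Code",
    "mS-SMS-Source-Forest", "mS-SMS-Version"
)
$classes = @(
    "MS-SMS-Management-Point", "MS-SMS-Roaming-Boundary-Range",
    "MS-SMS-Server-Locator-Point", "MS-SMS-Site"
)

function Test-SchemaObject {
    # Category is attributeSchema for attributes and classSchema for classes
    param([string]$Name, [string]$Category)
    $obj = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
                        -LDAPFilter "(&(objectClass=$Category)(cn=$Name))"
    [PSCustomObject]@{ Name = $Name; Type = $Category; Present = [bool]$obj }
}

$results  = $attributes | ForEach-Object { Test-SchemaObject -Name $_ -Category attributeSchema }
$results += $classes    | ForEach-Object { Test-SchemaObject -Name $_ -Category classSchema }

$results | Format-Table -AutoSize

# A partially extended schema (for example after a failed run) shows up here as missing objects
$missing = $results | Where-Object { -not $_.Present }
if ($missing) { Write-Warning "Schema is not fully extended; missing $($missing.Count) object(s)" }
else          { Write-Host "All SCCM schema attributes and classes are present" }
```

Reading the schema requires no special rights, so this check can be run by an ordinary domain account before a site install to decide whether the extension step is still needed.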