As part of the SCCM integration, extending the AD schema is necessary to bring up machines and users in the database. The extension consists of creating a new container dedicated to SCCM. This step is necessary for the installation of SCCM, but also when adding a new domain.
The user must have the following rights:
- Domain Admins
- Schema administrators
Extending the AD schema: Creating the System Management container
First, we will create the “System Management” container. Connect to the AD server and start ADSI Edit. Right click on “ADSI Edit” and select “Connection“. Leave everything as default and click OK.
Then expand “Default Naming Context“, right click on CN=System, New, Object.
In the list, choose “container” then click on next, name it “System Management” then next and OK. The container is now created.
Delegation of rights
The SCCM server account must now have full control over the container. To do this, launch “Active Directory Users and Computers“, click on “View” and then “Advanced Features“.
Then expand “System“, right-click on “System Management” and select “Delegation of Control“.
In the pop-up window, click on “Add“. Then click on “Object Types” and check “Computers“. Click OK to close the window, add the account name of the primary SCCM site and click Next.
In the selection of tasks to delegate, select “Create a custom task to delegate” and then Next. In the Active Directory object type, leave default and then next.
In the permissions, check “Property specific” and “Create/delete specific child objects“. Underneath, click on “Full control“. Click on “Next” and then “Finish“.
Extending the AD schema
We will use the extadsch.exe tool to extend the AD schema. This tool is available in the SCCM installation iso or in the SCCM installation folder (Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\I386).
Run it from the AD server via CMD. If your account has been correctly assigned rights, you should see the message “Successfully extended the Active Directory Schema“.
A log file is available in the root of the system partition (extadsch.log) to check for a second that everything is OK.