You are currently viewing Extending the AD scheme

Extending the AD scheme

  • Post category:SCCM
  • Post comments:0 Comments

As part of the SCCM integration, extending the AD schema is necessary to bring up machines and users in the database. The extension consists of creating a new container dedicated to SCCM. This step is necessary for the installation of SCCM, but also when adding a new domain.

Prerequisites

The user must have the following rights:

  • Domain Admins
  • Schema administrators

Extending the AD schema: Creating the System Management container

First, we will create the “System Management” container. Connect to the AD server and start ADSI Edit. Right click on “ADSI Edit” and select “Connection“. Leave everything as default and click OK.

Étendre le schema AD : création du container

Then expand “Default Naming Context“, right click on CN=System, New, Object.

In the list, choose “container” then click on next, name it “System Management” then next and OK. The container is now created.

Delegation of rights

The SCCM server account must now have full control over the container. To do this, launch “Active Directory Users and Computers“, click on “View” and then “Advanced Features“.

Then expand “System“, right-click on “System Management” and select “Delegation of Control“.

Étendre le schema AD : Délégation de contrôle

In the pop-up window, click on “Add“. Then click on “Object Types” and check “Computers“. Click OK to close the window, add the account name of the primary SCCM site and click Next.

In the selection of tasks to delegate, select “Create a custom task to delegate” and then Next. In the Active Directory object type, leave default and then next.

In the permissions, check “Property specific” and “Create/delete specific child objects“. Underneath, click on “Full control“. Click on “Next” and then “Finish“.

Étendre le schema AD : Contrôle total

Extending the AD schema

We will use the extadsch.exe tool to extend the AD schema. This tool is available in the SCCM installation iso or in the SCCM installation folder (Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\I386).

Étendre le schema AD : extadsch.exe

Run it from the AD server via CMD. If your account has been correctly assigned rights, you should see the message “Successfully extended the Active Directory Schema“.

A log file is available in the root of the system partition (extadsch.log) to check for a second that everything is OK.

Leave a Reply