Determine Whether to Extend the Active Directory Schema for Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

When you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish site information to Active Directory Domain Services. Extending the Active Directory schema is optional for Configuration Manager. However, by extending the schema you can use all Configuration Manager features and functionality with the least amount of administrative overhead.

If you decide to extend the Active Directory schema, you can do so before or after you run Configuration Manager Setup.

Considerations for Extending the Active Directory Schema for Configuration Manager

The Active Directory schema extensions for System Center 2012 Configuration Manager (and later releases like SP1 or R2) are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not have to extend the schema again for System Center 2012 Configuration Manager.

Similarly, if you extended the schema for one version of System Center 2012 Configuration Manager, you do not have to extend the schema again for a later version of Configuration Manager.

Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after setup.

Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:

  • Extend the Active Directory schema.

  • Create the System Management container.

  • Set security permissions on the System Management container.

  • Enable Active Directory publishing for the Configuration Manager site.

For information about how to extend the schema, create the System Management container, and configure security permissions on the container, see Prepare Active Directory for Configuration Manager in the Prepare the Windows Environment for Configuration Manager topic. For information about how to enable publishing for Configuration Manager sites, see Planning for Publishing of Site Data to Active Directory Domain Services.
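The four actions above can be verified without changing anything. The following PowerShell script is an added example, not part of the original topic or of Configuration Manager itself; it assumes the RSAT ActiveDirectory module on a domain-joined machine with read access to the domain and schema partitions, and the site server computer account name is a constructed placeholder. The permission check looks for Full Control applied to the container and all descendant objects, and also lists every other explicit write-capable ACE so that unexpected principals on the container clients trust are visible to the reviewer.

```powershell
# Added example (not from the TechNet topic): read-only checks for the four
# prerequisites listed above. Requires the RSAT ActiveDirectory module and a
# domain-joined account with read access to the domain and schema partitions.
# Nothing is modified. $SiteServerAccount is a constructed placeholder for the
# site server's computer account (domain\name$), which needs Full Control of
# the System Management container and all descendant objects.
$SiteServerAccount = 'CONTOSO\CM01$'

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainNC = $rootDse.defaultNamingContext
$results  = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Schema extended? The extension adds the class cn=MS-SMS-Site to the schema partition.
$siteClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=MS-SMS-Site)' -Properties lDAPDisplayName
Add-Result 'Schema extended' ([bool]$siteClass) $(
    if ($siteClass) { "cn=MS-SMS-Site present (lDAPDisplayName $($siteClass.lDAPDisplayName))" }
    else            { 'cn=MS-SMS-Site not found in the schema partition' })

# 2. System Management container present under CN=System?
$containerDN = "CN=System Management,CN=System,$domainNC"
$container = Get-ADObject -SearchBase "CN=System,$domainNC" -SearchScope OneLevel `
                          -LDAPFilter '(&(objectClass=container)(cn=System Management))'
Add-Result 'System Management container' ([bool]$container) $containerDN

if ($container) {
    # 3. Permissions: the site server needs Full Control (GenericAll) on the container
    #    and all descendant objects (InheritanceType 'All').
    $acl    = Get-Acl -Path "AD:\$containerDN"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $siteRule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SiteServerAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll) -and
        $_.InheritanceType -eq 'All'
    }
    Add-Result "Full Control for $SiteServerAccount" ([bool]$siteRule) 'Required: Full Control, this object and all descendant objects'

    # Any other principal with explicit write-class rights on the container can alter the
    # site information that clients trust, so list those ACEs for review.
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree, WriteDacl, WriteOwner'
    $writers = $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $writeMask) -ne 0) } |
        ForEach-Object { "$($_.IdentityReference) [$($_.ActiveDirectoryRights)]" }
    Add-Result 'Explicit write ACEs (review)' $true (@($writers) -join '; ')

    # 4. Publishing enabled? Published site objects use the class found in step 1 and carry
    #    the site code in the attribute whose schema object is cn=MS-SMS-Site-Code.
    if ($siteClass) {
        $siteCodeAttr = (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=MS-SMS-Site-Code)' -Properties lDAPDisplayName).lDAPDisplayName
        $sites = Get-ADObject -SearchBase $containerDN -SearchScope Subtree `
                              -LDAPFilter "(objectClass=$($siteClass.lDAPDisplayName))" -Properties $siteCodeAttr
        $codes = @($sites | ForEach-Object { $_.$siteCodeAttr }) -join ', '
        Add-Result 'Site data published' ([bool]$sites) $(
            if ($sites) { "Site codes: $codes" } else { 'No site objects found; enable publishing on the site' })
    }
}

$results | Format-Table -AutoSize
```

The class and attribute names are looked up by their schema cn (the names this topic lists) rather than hard-coded by lDAPDisplayName, so the script only depends on what the page documents. Run it before and after each of the four actions to confirm which one is still outstanding.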

Mobile devices that are managed by the Exchange Server connector and the following clients do not use Active Directory schema extensions for Configuration Manager:

  • The client for Mac computers

  • The client for Linux and UNIX servers

  • Mobile devices that are enrolled by Configuration Manager

  • Mobile devices that are enrolled by Microsoft Intune

  • Mobile device legacy clients

  • Windows clients that are configured for Internet-only client management

  • Windows clients that are detected by Configuration Manager to be on the Internet

The following table identifies Configuration Manager functions that use an Active Directory schema that is extended for Configuration Manager, and whether there are workarounds that you can use if you cannot extend the schema. For each function, the Active Directory entry states whether an extended schema is Optional or Required.

Functionality: Client computer installation and site assignment

Active Directory: Optional

Details: When a new Configuration Manager Windows client installs, the client can search Active Directory Domain Services for installation properties. If you do not extend the schema, you must use one of the following workarounds to provide configuration details that computers require to install:

  • Use client push installation. Before you use this client installation method, make sure that all prerequisites are met. For more information, see the section “Installation Method Dependencies” in Prerequisites for Computer Clients.

  • Install clients manually and provide client installation properties by using CCMSetup installation command-line properties. This must include the following:

    • Specify a management point or source path from which the computer can download the installation files by using the CCMSetup property /mp:<management point computer name> or /source:<path to client source files> on the CCMSetup command line during client installation.

    • Specify a list of initial management points for the client to use so that it can assign to the site and then download client policy and site settings. Use the CCMSetup Client.msi property SMSMP to do this.

  • Publish the management point in DNS or WINS and configure clients to use this service location method.

Functionality: Port configuration for client-to-server communication

Active Directory: Optional

Details: When a client installs, it is configured with port information. If you later change the client-to-server communication port for a site, a client can obtain this new port setting from Active Directory Domain Services. If you do not extend the schema, you must use one of the following workarounds to provide this new port configuration to existing clients:

  • Reinstall clients and configure them to use the new port information.

  • Deploy a script to clients to update the port information. If clients cannot communicate with a site because of the port change, you must deploy this script outside Configuration Manager, for example by using Group Policy.

Functionality: Network Access Protection

Active Directory: Required

Details: Configuration Manager publishes health state references to Active Directory Domain Services so that the System Health Validator point can validate a client’s statement of health.

Functionality: Content deployment scenarios

Active Directory: Optional

Details: When you create content at one site and then deploy that content to another site in the hierarchy, the receiving site must be able to verify the signature of the signed content data. This requires access to the public key of the source site where you create this data.

When you extend the Active Directory schema for Configuration Manager, a site’s public key is made available to all sites in the hierarchy. If you do not extend the Active Directory schema, you can use the hierarchy maintenance tool, preinst.exe, to exchange the secure key information between sites.

For example, if you plan to create content at a primary site and deploy that content to a secondary site below a different primary site, you must either extend the Active Directory schema to enable the secondary site to obtain the source primary site's public key, or use preinst.exe to share keys between the two sites directly.

Attributes and Classes Added by the Configuration Manager Schema Extensions

When you extend the schema for Configuration Manager, several classes and attributes are added that any Configuration Manager site in the Active Directory forest can use. Because the global catalog is replicated throughout the forest, consider the network traffic that might be generated. In Windows 2000 forests, extending the schema causes a full synchronization of the whole global catalog. Beginning with Windows 2003 forests, only the newly added attributes are replicated. Plan to extend the schema during a time when the replication traffic does not adversely affect other network-dependent processes.

When you extend the Active Directory schema for System Center 2012 Configuration Manager, the following attributes and classes are added to Active Directory Domain Services:

  • Attributes:

    • cn=mS-SMS-Assignment-Site-Code

    • cn=mS-SMS-Capabilities

    • cn=MS-SMS-Default-MP

    • cn=mS-SMS-Device-Management-Point

    • cn=mS-SMS-Health-State

    • cn=MS-SMS-MP-Address

    • cn=MS-SMS-MP-Name

    • cn=MS-SMS-Ranged-IP-High

    • cn=MS-SMS-Ranged-IP-Low

    • cn=MS-SMS-Roaming-Boundaries

    • cn=MS-SMS-Site-Boundaries

    • cn=MS-SMS-Site-Code

    • cn=mS-SMS-Source-Forest

    • cn=mS-SMS-Version

  • Classes:

    • cn=MS-SMS-Management-Point

    • cn=MS-SMS-Roaming-Boundary-Range

    • cn=MS-SMS-Server-Locator-Point

    • cn=MS-SMS-Site

Note

The Active Directory schema extensions might include attributes and classes that are carried forward from previous versions of the product but not used by Microsoft System Center 2012 Configuration Manager. For example:

  • Attribute: cn=MS-SMS-Site-Boundaries

  • Class: cn=MS-SMS-Server-Locator-Point

To ensure that these lists are current for your version of System Center 2012 Configuration Manager, review the ConfigMgr_ad_schema.LDF file that is located in the \SMSSETUP\BIN\x64 folder of the System Center 2012 Configuration Manager installation media.
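Reviewing the LDF file and the attribute and class lists above by hand is error-prone, and because the extension is irreversible and forest-wide it is worth knowing beforehand which of its objects already exist. The following PowerShell is an added example, not the product's own code or tooling: it contains a small LDIF reader, reduces each "changetype: add" record to the schema object it would create, and compares those against the live schema partition by cn. The parser runs offline against a constructed sample; the live comparison assumes the RSAT ActiveDirectory module and a path to the LDF on the installation media (placeholder drive letter). The sample LDIF is constructed to show the file's shape and is not the content of ConfigMgr_ad_schema.LDF.

```powershell
# Added example (not from the TechNet topic): parse a schema-extension LDIF file
# and report which of its classes and attributes already exist in the forest schema.
# Assumes the RSAT ActiveDirectory module for the live comparison; the parser itself
# runs offline. The sample LDIF below is constructed and is not the content of
# ConfigMgr_ad_schema.LDF.

function ConvertFrom-Ldif {
    # Minimal LDIF reader (RFC 2849): unfolds continuation lines, decodes "::" base64
    # values, skips "#" comments, and returns one ordered dictionary per record.
    param([Parameter(Mandatory)][string[]]$Lines)

    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($raw in $Lines) {
        # A line beginning with a single space continues the previous line.
        if ($raw.Length -gt 0 -and $raw[0] -eq ' ' -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $raw.Substring(1)
        } else {
            $unfolded.Add($raw)
        }
    }

    $records = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $unfolded) {
        if ($line -match '^#') { continue }
        if ($line.Trim().Length -eq 0) {
            if ($null -ne $current) { $records.Add($current); $current = $null }
            continue
        }
        if ($line -match '^([A-Za-z][\w;-]*)(::?)\s?(.*)$') {
            $key   = $Matches[1].ToLowerInvariant()   # attribute names are case-insensitive
            $value = $Matches[3]
            if ($Matches[2] -eq '::') {
                $value = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($value))
            }
            if ($null -eq $current) { $current = [ordered]@{} }
            if (-not $current.Contains($key)) { $current[$key] = New-Object System.Collections.Generic.List[string] }
            $current[$key].Add($value)
        }
    }
    if ($null -ne $current) { $records.Add($current) }
    return $records
}

function Get-SchemaObjectsFromLdif {
    # Reduce each "changetype: add" record to the schema object it creates.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($rec in ConvertFrom-Ldif -Lines $Lines) {
        if (-not $rec.Contains('dn')) { continue }
        $changeType = if ($rec.Contains('changetype')) { $rec['changetype'][0] } else { 'add' }
        if ($changeType -ne 'add') { continue }
        $cn   = (($rec['dn'][0] -split ',')[0]) -replace '^cn=', ''    # first RDN, e.g. MS-SMS-Site-Code
        $kind = @($rec['objectclass'] | Where-Object { $_ -ne 'top' }) -join ','
        [pscustomobject]@{
            Cn              = $cn
            Kind            = $kind                                    # attributeSchema or classSchema
            LdapDisplayName = $(if ($rec.Contains('ldapdisplayname')) { $rec['ldapdisplayname'][0] } else { '' })
        }
    }
}

function Compare-SchemaExtension {
    # Live check: for each object the LDF would add, look up the same cn in the schema
    # partition. Everything present means the schema is already extended (the topic notes
    # the extensions are unchanged since Configuration Manager 2007).
    param([Parameter(Mandatory)][string]$LdfPath)
    Import-Module ActiveDirectory
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($obj in Get-SchemaObjectsFromLdif -Lines (Get-Content -LiteralPath $LdfPath)) {
        $existing = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(cn=$($obj.Cn))" -Properties lDAPDisplayName
        [pscustomobject]@{
            Cn       = $obj.Cn
            Kind     = $obj.Kind
            InLdf    = $obj.LdapDisplayName
            InSchema = $(if ($existing) { $existing.lDAPDisplayName } else { '(absent)' })
        }
    }
}

# Constructed sample shaped like a schema-extension LDIF (includes a folded line and a base64 value).
$SampleLdf = @'
# constructed sample; the real file is <media>\SMSSETUP\BIN\x64\ConfigMgr_ad_schema.LDF
dn: CN=MS-SMS-Site-Code,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: mSSMSSiteCode
adminDescription:: U2l0ZSBjb2Rl

dn: CN=MS-SMS-Site,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: classSchema
lDAPDisplayName: mSSMSSite
mayContain: mSSMSSiteCode
mayContain: mSSMS
 Version
'@

# Offline: parse the sample; yields MS-SMS-Site-Code (attributeSchema) and MS-SMS-Site (classSchema).
Get-SchemaObjectsFromLdif -Lines ($SampleLdf -split "`r?`n") | Format-Table -AutoSize

# Live: point at the LDF on the installation media (placeholder drive letter).
# Compare-SchemaExtension -LdfPath 'D:\SMSSETUP\BIN\x64\ConfigMgr_ad_schema.LDF' | Format-Table -AutoSize
```

Objects are matched by cn rather than by lDAPDisplayName because the cn is what this topic lists and is independent of the DC= placeholder in the LDF's distinguished names. A row reporting "(absent)" is an object the extension would still add; a fully populated InSchema column means a previous Configuration Manager 2007 or System Center 2012 Configuration Manager extension is already in place and, as the topic states, the schema does not need to be extended again.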