Active Directory Integration

Active Directory is the central information store used by Windows Server to maintain entity and relationship data for a wide variety of objects in a networked environment. AD provides a set of core services, including authentication, authorization, and directory services. ConfigMgr takes advantage of the AD environment to support many of its features. For information about Active Directory in Windows Server 2008 R2, see http://www.microsoft.com/windowsserver2008/en/us/active-directory.aspx.

ConfigMgr can use AD to publish information about its sites and services, making it easily accessible to Active Directory clients. To take advantage of this capability, you must extend the AD schema to create classes of objects specific to ConfigMgr. Although implementing ConfigMgr does not require extending the schema, it is required for certain ConfigMgr features. Extending the schema also greatly simplifies ConfigMgr deployment and operations. The “Schema Extensions” section discusses extending the AD schema. Chapter 4, “Architecture Design Planning,” discusses the benefits and feature dependencies of the extended schema.

Schema Extensions

All objects in AD are instances of classes defined in the AD schema. The schema provides definitions for common objects such as users, computers, and printers. Each object class has a set of attributes that describes members of the class. As an example, an object of the computer class has a name, operating system, and so forth. Additional information about the AD schema is available at http://msdn.microsoft.com/en-us/library/ms675085.aspx.

The schema is extensible, allowing administrators and applications to define new object classes and modify existing classes. Using the schema extensions provided with Configuration Manager eases administration of your ConfigMgr environment. The ConfigMgr schema extensions are relatively low risk, involving only a specific set of classes and attributes that are not likely to conflict with other products. Nevertheless, schema changes are permanent (a class or attribute added to the AD schema can be deactivated but never removed), so you need to test any schema modifications in a lab forest before applying them to your production environment.

After you extend the AD schema and complete the other steps required for publishing (described under "Additional Tasks"), ConfigMgr sites can publish their site and service information to AD.

The next sections describe the process for extending the schema and configuring sites to publish to AD, as well as the AD objects and attributes created by the schema extensions.

Tools for Extending the Schema

You can extend the schema in either of two ways:

  • Running the ExtADSch.exe utility from the ConfigMgr installation media
  • Using the LDIFDE (LDAP Data Interchange Format Directory Exchange) utility to import the ConfigMgr_ad_schema.ldf LDIF file

To use all the features of ConfigMgr 2012, your Active Directory domains must run Windows Server 2003 or later. Windows 2000 domains are supported only with reduced functionality; most notably, Active Directory Forest Discovery does not work with Windows 2000 domains. If you are extending the schema on a Windows 2000 domain controller, you must use the LDIF file.

Using ExtADSch

Using ExtADSch.exe is the simplest way to extend the schema and, until ConfigMgr 2007, was the only way to do so. Run it from a computer in the forest while logged on as a member of Schema Admins; it connects to the schema master for you. ExtADSch.exe creates the log file extadsch.log in the root of the system drive (%systemdrive%), which lists every schema modification it has made and the status of each operation. Following the list of attributes and classes that have been created, the log should contain the entry Successfully extended the Active Directory schema. If it does not, the log shows the step that failed; missing Schema Admins membership and an unreachable schema master are the usual causes.

Using LDIFDE

LDIFDE is a powerful command-line utility for extracting and updating directory service data on Active Directory servers. LDIFDE provides command-line switches, allowing you to specify a number of options, including some you may want to use when updating the schema for ConfigMgr. Table 3.1 includes the options that you are most likely to use.

Table 3.1. LDIFDE Command-Line Switches and Descriptions

  Switch  Description
  -i      Turns on Import Mode. Required for updating the schema.
  -f      Filename. Used to specify the location of the ConfigMgr_ad_schema.ldf file.
  -j      Log file location. This is a directory path, not a file name; LDIFDE writes ldif.log (and ldif.err for any entries that fail) in that directory.
  -v      Turns on Verbose Mode.
  -k      Ignore Constraint Violation and Object Already Exists errors. Use with caution, because it also hides genuine failures; it may be useful if the schema was previously extended for ConfigMgr.

The options vary slightly, depending on the Windows Server version you are running. You can see a complete listing of LDIFDE syntax by entering this command:

ldifde /?

You can also find detailed information about using LDIFDE at http://technet.microsoft.com/en-us/library/cc731033.aspx. Here is an example of a typical command to update the schema for ConfigMgr (run it as a member of Schema Admins; the -j argument is a folder, and LDIFDE writes ldif.log there):

ldifde -i -f ConfigMgr_ad_schema.ldf -v -j C:\SchemaUpdateLogs

The verbose logging available with LDIFDE includes more detail than the log file generated by ExtADSch.exe. The ConfigMgr_ad_schema.ldf file also allows you to review all intended changes before they are applied. Before importing it, replace each DC=x placeholder in the file with the distinguished name of your forest root domain (for example, DC=contoso,DC=com); LDIFDE's -c FromDN ToDN switch can perform the same substitution at import time. You can also modify the LDF file to customize the schema extensions. As an example, you can remove the sections for creating classes and attributes that already exist as an alternative to using the -k switch referred to in Table 3.1.

Extending the Schema

Each AD forest has a single domain controller that holds the schema master role. All schema modifications are made on the schema master. To modify the schema, you must log on using an account in the forest root domain that is a member of the Schema Admins group. Group membership is evaluated at logon, so if you are added to Schema Admins for this task, log off and on again before running the extension (and remove the membership afterward; Schema Admins should normally be empty).

The ConfigMgr schema modifications create four new classes and 14 new attributes used with these classes. Here is what the created classes represent:

  • Management points: Clients can use this information to find a management point.
  • Roaming boundary ranges: Clients can use this information to locate ConfigMgr services based on their network location.
  • Server locator points (SLPs): ConfigMgr 2007 clients can use this information to find an SLP. This class is created but it is not used in System Center 2012 Configuration Manager. SLP functionality is now integrated into the management point and the SLP no longer exists as a separate site system role.
  • ConfigMgr sites: Clients can retrieve important information about the site from this AD object.
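The following PowerShell script is an added example, not code from the book or from the Configuration Manager product; it ties the LDIFDE procedure and the schema master requirements above together in a form you can run. It assumes the RSAT ActiveDirectory module (which also provides ldifde.exe) is installed, that the LDF file sits at the path in $ldfPath, and that the file uses DC=x as its forest root placeholder (check your copy; if it does not, the -c switch simply matches nothing). After the import it counts the ConfigMgr classes and attributes in the schema partition, which should be 4 and 14.

```powershell
# Added example (not from the book): locate the schema master, confirm the current user
# is in Schema Admins in the forest root domain, import the ConfigMgr LDIF against the
# schema master, and verify the four classes and 14 attributes afterwards.
Import-Module ActiveDirectory

$ldfPath = 'D:\SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf'   # assumed path on the ConfigMgr media
$logDir  = 'C:\SchemaUpdateLogs'                           # assumed; -j wants a folder, not a file

$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster
$rootDomainDN = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName

# Schema Admins exists only in the forest root domain; resolve membership there, recursively.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
                Select-Object -ExpandProperty SamAccountName
if ($schemaAdmins -notcontains $env:USERNAME) {
    throw "$env:USERNAME is not a member of Schema Admins in $($forest.RootDomain). Log on with such an account (membership is read at logon)."
}

New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# -s targets the schema master directly; -c rewrites the DC=x placeholder to the real forest root DN.
& ldifde.exe -i -f $ldfPath -s $schemaMaster -c 'DC=x' $rootDomainDN -v -j $logDir
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; see $logDir\ldif.err and $logDir\ldif.log"
}

# Verify: ConfigMgr classes have ldapDisplayName mSSMS*, attributes mS-SMS-*.
$schemaNC = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$classes  = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
                         -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=mSSMS*))'
$attrs    = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
                         -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=mS-SMS-*))'
'{0} ConfigMgr classes, {1} ConfigMgr attributes (expect 4 and 14)' -f @($classes).Count, @($attrs).Count
```

The membership check is deliberately done against the forest root domain rather than the local domain, because a same-named group in a child domain carries no schema rights. If the counts come back short, open ldif.err in the log folder; the -k switch from Table 3.1 would have let the import continue past those entries, which is exactly why this script does not use it.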

Viewing Schema Changes

If you are new to ConfigMgr and curious about the details of the new classes, the Active Directory Schema MMC snap-in lets you view their full schema definitions. Before adding the snap-in to a management console, you must register it by running the following command from an elevated command prompt:

regsvr32 schmmgmt.dll

After installing the snap-in, perform the following steps to add Schema Management to the MMC:

  1. Select Start, choose Run, and then enter MMC.
  2. Choose Add/Remove snap-in from the File menu of the console.
  3. Click the Add button and then choose Active Directory Schema.
  4. Choose Close and then click OK to complete the open dialog boxes.

The left pane of the schema management tool displays a tree control with two main nodes: Classes and Attributes. If you expand the Classes node, you will find the following classes defined by ConfigMgr:

  • mSSMSManagementPoint
  • mSSMSRoamingBoundaryRange
  • mSSMSServerLocatorPoint
  • mSSMSSite

Clicking a class selects it and displays the attributes associated with the class in the right pane. The list of attributes for each class includes many attributes previously defined in AD, in addition to those attributes specifically created for System Center 2012 Configuration Manager. You can right-click a class and choose Properties to display its property page. For example, Figure 3.1 shows the general properties of the mSSMSSite class. For an explanation of these properties, click the Help button on the Properties page.

Figure 3.1. General properties of the schema class representing ConfigMgr sites.

You can see the 14 ConfigMgr attributes under the Attributes node in the schema management console. The names of each of these attributes start with mS-SMS. You can right-click an attribute and choose Properties to display its property page. Figure 3.2 shows the properties of the mS-SMS-Capabilities attribute.

Figure 3.2. General properties of the schema attribute representing site capabilities.

Additional Tasks

After extending the schema, you must complete several tasks before ConfigMgr can publish the objects it will use to Active Directory:

  • Create the System Management container where the ConfigMgr objects will reside in AD: If you previously extended the schema for ConfigMgr 2007, the System Management container will already exist. Each domain publishing ConfigMgr data must have a System Management container.
  • Set permissions on the System Management container: Setting permissions allows your ConfigMgr site servers to publish site information to the container.
  • Configure your sites to publish to AD: You can specify one or more AD forests to which each site will publish. Publishing to a forest other than the site server's local forest requires either a trust with that forest or a forest account with publishing rights, configured for that forest in the Administration workspace under Hierarchy Configuration -> Active Directory Forests.

The next sections describe these tasks.

Creating the System Management Container

You can use the ADSIEdit MMC tool to create the System Management AD container. If you do not already have ADSIEdit installed, you can install the tool yourself.

On Windows Server 2008, add ADSIEdit using Server Manager. Configuring the domain controller server role automatically adds ADSIEdit to the Administrative Tools program group.

To create the System Management container from ADSIEdit, perform the following steps:

  1. Right-click the ADSI Edit root node in the tree pane, select Connect to, and then click OK to connect to the Default naming context.
  2. Expand the Default naming context node in the tree pane. Then expand the node showing the distinguished name of your domain (this will begin with DC=<domain>) and right-click the CN=System node.
  3. Select New and then choose Object.
  4. Select Container in the Create Object dialog box and click Next.
  5. Enter the name System Management and then click Next and Finish, completing the wizard.

Figure 3.3 shows ADSIEdit with the tree control expanded to the CN=System node and the Create Object dialog box displayed.

Figure 3.3. Using ADSIEdit to create the System Management container.

Setting Permissions on the System Management Container

You can view the System Management container and set permissions on it using the Active Directory Users and Computers (ADUC) utility in the Windows Server Administrative Tools menu group. After launching ADUC, enable the Advanced Features option from the View menu. You can then expand the domain partition and the System container to locate System Management.

By default, only certain administrative groups have the rights required to create and modify objects in the System Management container. For security reasons, you should create a new group and add ConfigMgr site servers to it, rather than adding them to the built-in administrative groups. Perform the following steps to grant the required access to the ConfigMgr site server security group:

  1. Right-click the System Management container, choose Properties, and then select the Security tab.
  2. Click the Add button, and select the group used with your ConfigMgr site servers, as shown in Figure 3.4.
    Figure 3.4. Selecting the Site server security group.

  3. Check the box for Full Control, as displayed in Figure 3.5. Then click Advanced, edit the entry you just added, and confirm that it applies to This object and all descendant objects; the site server must be able to create, modify, and delete the objects it publishes beneath the container, not just the container itself. Choose OK to apply the changes.
    Figure 3.5. Assigning permissions to the System Management container.
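The following PowerShell script is an added example, not code from the book, that performs the two tasks just described (creating the System Management container and granting a dedicated site server group Full Control on it and its descendants) without ADSIEdit or ADUC. It assumes the RSAT ActiveDirectory module; the group name ConfigMgr Site Servers and the site server name CM01 are placeholders, and the script must run as an account that can modify CN=System in the target domain.

```powershell
# Added example (not from the book): create the System Management container if missing,
# grant a dedicated site server group Full Control on the container and all descendant
# objects, and place a site server's computer account in that group.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"
$groupName   = 'ConfigMgr Site Servers'   # assumed group name
$siteServer  = 'CM01'                     # assumed site server computer name

# 1. Container: create only if absent (idempotent, unlike the ADSIEdit wizard).
$existing = Get-ADObject -LDAPFilter '(&(objectClass=container)(cn=System Management))' `
                         -SearchBase $systemDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# 2. A dedicated group instead of the built-in administrative groups (least privilege).
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path "CN=Users,$domainDN" -PassThru
}
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $siteServer)

# 3. Full Control on this object and all descendant objects, so the site server can
#    create, update, and delete the mSSMS* objects it publishes beneath the container.
$acl  = Get-Acl -Path "AD:\$containerDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            [System.Security.Principal.SecurityIdentifier]$group.SID,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 4. Check the result: one Allow / GenericAll entry with InheritanceType 'All' for the group.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

ActiveDirectorySecurityInheritance::All is what the ADUC dialog calls This object and all descendant objects; with the default (None) the site server could write the container but not the site and management point objects it creates under it. A computer account picks up new group membership in its Kerberos token only when it next logs on, so restart the site server (or at least the SMS Executive service after purging its tickets) before expecting publishing to succeed.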

Configuring Sites to Publish to Active Directory

Perform the following steps to configure a ConfigMgr site to publish site information to AD:

  1. In the ConfigMgr 2012 console, select the Administration workspace.
  2. Expand Site Configuration -> Sites. In the Sites pane, highlight the desired site, and click Properties on the ribbon bar.
  3. Select the Publishing tab, and then select the check box next to each forest to which the site will publish, as shown in Figure 3.6.

Figure 3.6. Configuring a site to publish to AD.

After extending the schema and taking the other steps necessary to enable your sites to publish to AD, you should see the ConfigMgr objects displayed in the System Management container. Figure 3.7 shows the ConfigMgr objects viewed in Active Directory Users and Computers.

Figure 3.7. The System Management container displayed in Active Directory Users and Computers. You can use ADSIEdit to view object details.
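The following PowerShell script is an added example, not from the book, that reads the published objects back the way a client would and then reviews who can write to the container. It assumes the RSAT ActiveDirectory module and uses the ConfigMgr attribute names mS-SMS-Site-Code, mS-SMS-Capabilities, mS-SMS-MP-Name, and mS-SMS-Default-MP. Note that reading these objects requires nothing more than an authenticated domain account, so the output is also what any domain-joined attacker can enumerate.

```powershell
# Added example (not from the book): read the sites and management points a site has
# published to the System Management container, then list every principal allowed to
# write there.
Import-Module ActiveDirectory

$containerDN = "CN=System Management,CN=System,$((Get-ADDomain).DistinguishedName)"

# Sites (mSSMSSite objects): site code and the capabilities attribute shown in Figure 3.2.
Get-ADObject -SearchBase $containerDN -LDAPFilter '(objectClass=mSSMSSite)' `
             -Properties 'mS-SMS-Site-Code', 'mS-SMS-Capabilities' |
    Select-Object Name, 'mS-SMS-Site-Code', 'mS-SMS-Capabilities'

# Management points (mSSMSManagementPoint objects): which MP serves which site.
Get-ADObject -SearchBase $containerDN -LDAPFilter '(objectClass=mSSMSManagementPoint)' `
             -Properties 'mS-SMS-MP-Name', 'mS-SMS-Site-Code', 'mS-SMS-Default-MP' |
    Select-Object Name, 'mS-SMS-MP-Name', 'mS-SMS-Site-Code', 'mS-SMS-Default-MP'

# Who can write here? Clients use these objects to locate their management point, so any
# Allow entry carrying WriteProperty beyond the site server group and the built-in
# administrative groups deserves a second look.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $writeProp) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
```

If the first two queries return nothing, the usual order of diagnosis is: the site's Publishing tab (Figure 3.6) does not list this forest, the site server's group membership has not taken effect yet, or the container ACL lacks inheritance to descendant objects; the site server's hman.log records the publishing attempt and the error it hit.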

Additional Active Directory Benefits

In an AD environment, all processes run in the security context of a user or in a security context supplied by the operating system. System Center 2012 Configuration Manager uses Active Directory to authenticate administrative users and to authorize user accounts for administrative roles. Each system has a computer account that you can add to groups and grant access to resources. ConfigMgr makes extensive use of system and computer accounts to connect securely to network services and client systems, as well as to provide security contexts for its internal operations. Using system accounts greatly simplifies administration, because there are no passwords to manage or rotate. You can use additional AD accounts to supplement the available system accounts. Chapter 20, "Security and Delegation in Configuration Manager," discusses authentication, access control, and the accounts used in ConfigMgr.

Here are other ways ConfigMgr can take advantage of AD:

  • Discovering information about your environment, including the existence of potential client systems, users, and groups. Chapter 4 discusses how you can use this information to plan user-centric management. Before implementing AD discovery methods, evaluate your AD data to ensure it is reliable and up to date. Importing obsolete records for users and computers that no longer exist or have changed may cause problems with various ConfigMgr operations. Chapter 9, "Configuration Manager Client Management," provides details about configuring the discovery process.
  • Assigning and installing clients using group policy, also described in Chapter 9.
  • Using certificates and certificate settings deployed through AD. For example, if you use the System Center Updates Publisher (SCUP) to deploy custom software updates, you can use AD to deploy the required certificates to the trusted store on client computers.
