In some cases the Windows Active Directory schema needs to be extended to accommodate a new application that is being integrated with AD. In summary, to ensure a successful implementation of extending the Windows Active Directory schema on the schema master, the following steps should be taken:

  1. Reset the Directory Services Restore Mode (DSRM) administrator password (if the password is not known)
  2. Back up the system state, including system-protected files
  3. Disable replication between your domain controller and the other domain controllers
  4. Extend the AD schema for the SCCM 2012 server
  5. Review the logs to ensure successful execution of the schema extension
  6. If the extension is successful, enable replication
  7. Complete the additional steps needed in AD to prepare for the SCCM 2012 installation
  8. If the extension is unsuccessful, try to resolve the errors
  9. If the extension is unsuccessful and the errors cannot be resolved, restore the system state of the AD schema master

The following exercise demonstrates in detail how to extend the Windows Active Directory schema on the schema master so that the implementation succeeds:

  1. Reset the Directory Services Restore Mode (DSRM) administrator password (Windows Server 2003)
    1. Log on to dcserver.yourdomain.com.
    2. Click Start, click Run, type ntdsutil, and then click OK.
    3. At the Ntdsutil command prompt, type set dsrm password.
    4. At the DSRM command prompt, type the following line:
      • reset password on server null
      The null argument means that the DSRM password is being reset on the local computer. Type the new password when you are prompted; no characters appear while you type the password.
    5. At the DSRM command prompt, type q.
    6. At the Ntdsutil command prompt, type q to exit.

  2. Back up the system state, including system-protected files
    1. Log on to dcserver.yourdomain.com.
    2. Click Start, click Run, type ntbackup, and then click OK.

This procedure provides steps for backing up in Wizard Mode. By default, the Always Start in Wizard Mode check box is selected in the Backup or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page appears, click Wizard Mode to open the Backup or Restore Wizard.

    1. On the Welcome to the Backup or Restore Wizard page, click Next.
    2. Select Back up files and settings, and then click Next.
    3. Select Let me choose what to back up, and then click Next.
    4. In the Items to Back Up window, double-click My Computer.
    5. In the expanded list below My Computer, check System State, and then click Next.
    6. Select a location to store the backup:
      • We are backing up to a file, so we type the path and file name for the backup (.bkf) file (or click Browse to find a folder or file).
    7. Type a name for this backup, for example dcsystemstate_yymmdd, where yymmdd is the year, month and day of the backup, and then click Next.
    8. On the last page of the wizard, click Advanced.
    9. Do not change the default options for Type of Backup. Normal should be selected, and the check box for Backup migrated remote storage data should remain cleared. Click Next.
    10. Select Verify data after backup, and then click Next.
    11. In the Backup Options dialog box, select a backup option, and then click Next.
    12. If you are replacing the existing backups, select the option to allow only the owner and administrator access to the backup data and to any backups that are appended to this medium, and then click Next.
    13. In the When to back up box, select the appropriate option for your needs, and then click Next.
    14. If you are satisfied with all of the options that are selected, click Finish to perform the backup operation according to your selected schedule.

  3. Disable replication
    1. Log on to dcserver.yourdomain.com.
    2. Disable AD outbound replication:
      • repadmin /options dcserver.yourdomain.com +disable_outbound_repl

OR

    1. Disconnect the network cable from the NIC so that any modifications cannot replicate.

  4. Extend the AD schema for the SCCM 2012 server
    1. Log on to dcserver.yourdomain.com.
    2. Use the Schema Master login and password. This ensures that we are logged on to the domain controller with an account that is a member of the Schema Admins security group.

Important
We must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running extadsch.exe with the Run As command to attempt to extend the schema using alternate credentials will fail.

    3. Run extadsch.exe, located at \SMSSETUP\BIN\X64 on the installation media, to add the new classes and attributes to the Active Directory schema. We can run the file either by opening a command prompt and running extadsch.exe, or by double-clicking the file.

Once you run the command, look for the “Successfully extended the Active Directory schema” output.

  5. Review the logs to ensure successful execution of the schema extension

View the results of the schema extension in C:\ExtADSch.log. This log file details the changes made to the schema and also shows whether the schema extension succeeded.

  6. Schema master extension is successful: enable AD outbound replication
    1. Log on to dcserver.yourdomain.com.
    2. Enable AD outbound replication:
      • repadmin /options dcserver.yourdomain.com -disable_outbound_repl

OR

    1. Reconnect the network cable to the NIC so that modifications start replicating.
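As an added example that is not part of the original article, the following PowerShell script ties steps 2 to 6 together in one run: it confirms that the current logon is a member of Schema Admins (extadsch.exe fails otherwise), takes the system state backup with the ntbackup command line instead of the wizard, disables outbound replication on the schema master and verifies that it is really off, runs extadsch.exe from the media, decides from C:\ExtADSch.log whether the extension succeeded, and re-enables outbound replication only on success so that a failed extension cannot propagate. The media drive letter, the backup folder and the script's parameter names are assumptions; it expects PowerShell 2.0 or later on the domain controller itself.

```powershell
# Added example, not code from the original article.
# Assumptions: runs locally on the schema master as a Schema Admins member,
# PowerShell 2.0+, ntbackup/repadmin present, and the SCCM 2012 media at $MediaRoot.
param(
    [string]$Dc        = 'dcserver.yourdomain.com',
    [string]$MediaRoot = 'D:',          # assumed drive letter of the SCCM 2012 media
    [string]$BackupDir = 'C:\Backups'   # assumed folder for the .bkf file
)

$ErrorActionPreference = 'Stop'

# Pre-flight: the schema extension only works for a Schema Admins member (no Run As).
$groups = whoami /groups /fo csv | ConvertFrom-Csv
if (-not ($groups | Where-Object { $_.'Group Name' -like '*\Schema Admins' })) {
    throw 'Current logon is not a member of Schema Admins; log on with the schema master account.'
}

# Step 2: system state backup (command-line equivalent of the ntbackup wizard), verified.
$stamp = Get-Date -Format 'yyMMdd'
$bkf   = Join-Path $BackupDir "dcsystemstate_$stamp.bkf"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& ntbackup backup systemstate /j "dcsystemstate_$stamp" /f "$bkf" /v:yes
if (-not (Test-Path $bkf)) { throw "System state backup was not written to $bkf" }

# Step 3: stop outbound replication and confirm the option took effect before touching the schema.
& repadmin /options $Dc +DISABLE_OUTBOUND_REPL
if (-not ((& repadmin /options $Dc) -match 'DISABLE_OUTBOUND_REPL')) {
    throw "Outbound replication is still enabled on $Dc; aborting."
}

# Step 4: extend the schema. extadsch.exe writes its log to C:\ExtADSch.log.
& (Join-Path $MediaRoot 'SMSSETUP\BIN\X64\extadsch.exe')
$log = 'C:\ExtADSch.log'

# Step 5: judge success from the log, not from the console, using the line the article quotes.
$ok = (Test-Path $log) -and
      (Select-String -Path $log -Pattern 'Successfully extended the Active Directory schema' -Quiet)

if ($ok) {
    # Step 6: only a confirmed success re-enables outbound replication.
    & repadmin /options $Dc -DISABLE_OUTBOUND_REPL
    Write-Host "Schema extended; outbound replication re-enabled on $Dc."
} else {
    Write-Warning "Schema extension did not report success; outbound replication stays disabled on $Dc."
    Write-Warning "Review $log. If the errors cannot be resolved, restore system state from $bkf."
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'error|fail' | ForEach-Object { $_.Line }
    }
}
```

Leaving replication disabled on the failure path is deliberate: it keeps the window described under Disaster Recovery open, so the system state can still be restored before any partial schema change reaches the other domain controllers.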

  7. Additional steps needed in AD to prepare for the SCCM 2012 installation

After the schema is extended successfully, the System Management container needs to be created in Active Directory.

    1. Open ADSI Edit and expand to the “System” container.
    2. Right-click the System container and select “New”, then “Object”.
    3. Select “container” from the object list, and then click “Next”.
    4. Enter “System Management” and then click “Next”.
    5. Click “Finish”.

Once you click Finish, you should see the new container listed.

Setting security on the System Management container

Once the System Management container has been successfully created in Active Directory, the appropriate permissions need to be set on the object. With ADSI Edit still open, right-click the System Management container object and select Properties.

    1. Go to the Security tab of the Properties dialog box and then click “Add”.
    2. In the dialog box that opens, add the computer account of the primary site server(s) or the Active Directory group containing those servers. It is recommended to use an Active Directory group so that you are not required to make this change again. Once you have entered the required information, click “OK”.
    3. Select “Full Control” for the site server or group you just added.
    4. Click Advanced, and then configure the server or AD group permissions to apply to “This object and all descendant objects”.
    5. Click “OK” three times to save your changes.
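The ADSI Edit steps above, as an added PowerShell example that is not part of the original article: it creates the System Management container under CN=System, grants the site server group Full Control with inheritance set to this object and all descendant objects, and then reads the ACL back to confirm the entry landed. It goes slightly beyond the click-through by being safe to re-run (the container is only created if it is missing). The group name is an assumed placeholder; the domain naming context is read from RootDSE rather than hard-coded, and the script needs an account allowed to create objects under CN=System.

```powershell
# Added example, not code from the original article.
# Assumptions: PowerShell with access to the domain, and $SiteServerGroup is an existing
# AD group that holds the primary site server computer accounts (placeholder name).
param(
    [string]$SiteServerGroup = 'YOURDOMAIN\SCCM Site Servers'   # assumed group name
)

$ErrorActionPreference = 'Stop'

# Resolve the domain DN (e.g. DC=yourdomain,DC=com) from RootDSE.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value
$systemDn = "CN=System,$domainDn"
$smDn     = "CN=System Management,$systemDn"

# Container steps 1-5: create CN=System Management only if it does not already exist.
if (-not [ADSI]::Exists("LDAP://$smDn")) {
    $system = [ADSI]"LDAP://$systemDn"
    $new = $system.Create('container', 'CN=System Management')
    $new.SetInfo()
}
$sm = [ADSI]"LDAP://$smDn"

# Security steps 1-4: Full Control (GenericAll) for the group,
# inheritance 'All' = "This object and all descendant objects".
$identity = New-Object System.Security.Principal.NTAccount($SiteServerGroup)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$sm.ObjectSecurity.AddAccessRule($rule)
$sm.CommitChanges()   # step 5: write the ACL back to the directory

# Verification: re-read the ACL and make sure the inheriting Full Control entry is present.
$sm.RefreshCache()
$applied = $sm.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $SiteServerGroup -and $_.InheritanceType -eq 'All' }
if (-not $applied) { throw "ACE for $SiteServerGroup was not applied to $smDn" }
$applied | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Granting the site servers' group rather than individual computer accounts matches the article's recommendation: adding a new site server later only requires a group membership change, not another edit of this ACL.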

Disaster Recovery

  8. Schema master extension is not successful: restore the system state

Restart the dcserver.yourdomain.com domain controller in Directory Services Restore Mode locally. Restarting in Directory Services Restore Mode takes the domain controller offline; in this mode, the server is not functioning as a domain controller. When Windows Server 2003 starts in Directory Services Restore Mode, the local Administrator account is authenticated by the local Security Accounts Manager (SAM) database. Therefore, logging on requires the local administrator password, not an Active Directory domain password. This password was reset in step one of this document, or it was set during Active Directory installation when the Directory Services Restore Mode password was provided.

Administrative credentials: to perform this procedure, we must provide the Administrator password for Directory Services Restore Mode.

  • To restart the domain controller in Directory Services Restore Mode locally
    1. Restart the domain controller.
    2. When the screen for selecting an operating system appears, press F8.
    3. On the Windows Advanced Options menu, select Directory Services Restore Mode.
    4. When you are prompted, log on as the local administrator (with the DSRM account password).
  • To restore the Active Directory system state from backup
    1. Start the computer dcserver.comdacalendars.com in Directory Services Restore Mode.
    2. To start the Windows Server 2003 backup utility, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

This procedure provides steps for restoring from backup in Wizard Mode. By default, the Always Start in Wizard Mode check box is selected in the Backup or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page appears, click Wizard Mode to open the Backup or Restore Wizard.

  1. On the Welcome to the Backup or Restore Wizard page, click Next.
  2. Click Restore files and settings, and then click Next.
  3. Select System State, and then click Next.
  4. On the Completing the Backup or Restore Wizard page, click Advanced.
  5. In Restore files to, click Original Location, and then click Next.
  6. Click Leave existing files (Recommended), and then click Next.
  7. In Advanced Restore Options, select the following check boxes, and then click Next:
    • Restore security settings
    • Restore junction points, but not the folders and file data they reference
    • Preserve existing volume mount points
  8. For a primary restore of SYSVOL, also select the following check box: When restoring replicated data sets, mark the restored data as the primary data for all replicas.

A primary restore is required only if the domain controller that you are restoring is the only domain controller in the domain. A primary restore is required on the first domain controller that is being restored in a domain if you are restoring the entire domain or forest.

  1. Click Finish.
  2. When the restore process is complete, click Close, and then do one of the following:
    • If you do not want to authoritatively restore any objects, click Yes to restart the computer. The system restarts and replicates with its replication partners any new information that has been received since the last backup.
    • If the restored domain controller was a global catalog server before the failure, clear the Global catalog check box in the NTDS Settings properties to remove the global catalog from the domain controller.