How to Set Security on the System Container in Active Directory and Extend the Schema Using ExtADSch.exe

How to Set Security on the System Management Container in Active Directory Domain Services

To apply permissions to the System Management container using the Active Directory Users and Computers administrative tool

1.  Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.

2.  Click View, and then click Advanced Features.

3.  Expand the System container. On the context menu, click Properties.

4.  In the System Properties dialog box, click the Security tab.

5.  Click Add to add the site server computer account and grant the account Full Control permissions.

6.  Click Advanced, select the site server’s computer account, and click Edit.

7.  In the Apply onto list, select This object and all child objects.

8.  Click OK.

How to Extend the Active Directory Schema Using ExtADSch.exe

You can extend the Active Directory schema by running the ExtADSch.exe file located in the SMSSETUP\BIN\I386 folder on the Configuration Manager 2007 installation media. The ExtADSch.exe file does not display output when it runs; however, it does generate a log file in the root of the system drive called extadsch.log, which will indicate whether the schema update completed successfully or any problems were encountered while extending the schema.

To extend the Active Directory schema using ExtADSch.exe

1.  Create a backup of the schema master domain controller’s system state using the NTBACKUP utility. To start the NTBACKUP utility, click Start, click Run, and then enter ntbackup.

2.  Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group.

Note: You must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running the ExtADSch.exe file using the Run As command to attempt to extend the schema using alternate credentials will fail.

3.  Disconnect the schema master domain controller from the network.

4.  Run extadsch.exe, located at \SMSSETUP\BIN\I386 on the installation media, to add the new classes and attributes to the Active Directory schema.

5.  Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive.

6.  If the schema extension procedure was successful, reconnect the schema master domain controller to the network and allow it to replicate the schema extensions to the global catalog servers throughout the Active Directory forest.

7.  If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1 to reverse the schema extension actions before reconnecting the schema master domain controller to the network.
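
The checks in steps 2 and 5 can be scripted. The following PowerShell is an added example, not part of the original procedure or of Configuration Manager: the function names are hypothetical, and the log phrases it matches ("Failed", "Successfully extended") are assumed wording that should be confirmed against a real extadsch.log.

```powershell
# Added example: pre-flight and post-run checks for ExtADSch.exe (hypothetical function names).

function Test-SchemaAdminToken {
    # Schema Admins is the well-known RID 518 in the forest root domain.
    # Inspecting the current logon token reflects the note in step 2: the
    # membership has to be in the session that launches ExtADSch.exe.
    $groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups
    [bool]($groups | Where-Object { $_.Value -match '^S-1-5-21(-\d+){3}-518$' })
}

function Test-IsSchemaMaster {
    # Compares the schema role owner's host name with this computer's name.
    Add-Type -AssemblyName System.DirectoryServices
    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
    $schema.SchemaRoleOwner.Name.Split('.')[0] -ieq $env:COMPUTERNAME
}

function Get-ExtADSchResult {
    param([string[]]$LogLines)
    # ASSUMPTION: failure lines contain "Failed" and a clean run ends with a
    # "Successfully extended" line. Confirm both against a real extadsch.log.
    $failed = @($LogLines | Where-Object { $_ -match 'Failed' })
    $done   = @($LogLines | Where-Object { $_ -match 'Successfully extended' })
    if ($failed.Count -gt 0) { return "FAILED: $($failed.Count) error line(s); restore system state (step 7)" }
    if ($done.Count -eq 0)   { return 'INCOMPLETE: no success line found; do not reconnect yet' }
    'OK: schema extended; reconnect and allow replication (step 6)'
}

# Constructed sample log lines (wording assumed, not copied from a real log).
$sampleOk = @(
    'Defined attribute cn=EXAMPLE-Attribute.',
    'Defined class cn=EXAMPLE-Class.',
    'Successfully extended the Active Directory schema.'
)
$sampleBad = @(
    'Failed to create attribute cn=EXAMPLE-Attribute.',
    'Failed to extend the Active Directory schema.'
)
Get-ExtADSchResult -LogLines $sampleOk    # OK: ...
Get-ExtADSchResult -LogLines $sampleBad   # FAILED: 2 error line(s); ...

# On the schema master itself (steps 2 and 5):
#   Test-SchemaAdminToken; Test-IsSchemaMaster
#   Get-ExtADSchResult -LogLines (Get-Content "$env:SystemDrive\extadsch.log")
```

An empty or missing success line is reported as INCOMPLETE rather than OK, so a run that was interrupted is not mistaken for a clean schema extension before the domain controller is reconnected.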