"Failed to extend the Active Directory schema. Your Active Directory does not allow schema updates"

 

When I run EXTADSCH.EXE and then look in the EXTADSCH.LOG file I get the following:

<12-05-2003 08:36:58> Modifying Active Directory Schema - with SMS extensions.
<12-05-2003 08:37:00> DSRoot:CN=Schema,CN=Configuration,DC=fernlea,DC=com
<12-05-2003 08:37:00> Failed to create attribute cn=MS-SMS-Site-Code. Error code = 8245.
<12-05-2003 08:37:00> Failed to create attribute cn=mS-SMS-Assignment-Site-Code.  Error code = 8245.
<12-05-2003 08:37:00> Failed to create attribute cn=MS-SMS-Site-Boundaries.  Error code = 8245.
<12-05-2003 08:37:00> Failed to create attribute cn=MS-SMS-Roaming-Boundaries.  Error code = 8245.
<12-05-2003 08:37:00> Failed to create attribute cn=MS-SMS-Default-MP.  Error code = 8245.
<12-05-2003 08:37:00> Failed to create attribute cn=mS-SMS-Device-Management-Point.  Error code = 8245.
<12-05-2003 08:37:00> Failed to create attribute cn=MS-SMS-MP-Name.  Error code = 8245.
<12-05-2003 08:37:00> Failed to create attribute cn=MS-SMS-MP-Address.  Error code = 8245.
<12-05-2003 08:37:00> Failed to create attribute cn=MS-SMS-Ranged-IP-Low.  Error code = 8245.
<12-05-2003 08:37:00> Failed to create attribute cn=MS-SMS-Ranged-IP-High.  Error code = 8245.
<12-05-2003 08:37:00> Failed to create class cn=MS-SMS-Management-Point.  Error code = 8202.
<12-05-2003 08:37:00> Failed to create class cn=MS-SMS-Server-Locator-Point.  Error code = 8202.
<12-05-2003 08:37:00> Failed to create class cn=MS-SMS-Site.  Error code = 8202.
<12-05-2003 08:37:00> Failed to create class cn=MS-SMS-Roaming-Boundary-Range.  Error code = 8202.
<12-05-2003 08:37:00> Failed to extend the Active Directory schema.  Your Active Directory does not allow schema updates

In SMS under Site Status and under my first and only site, and under Component Status I get an exclamation mark, and an error of "4913 Milestone SMS_Hierarchy_Manager", and in the Status Message Details I get "Systems Management Server cannot create the object "SMS-Site-001" in Active Directory."

Contributed By: Atif Gul [MS]
Check out the following link:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sms/sms2003/plan/techfaq/tfaq01.asp

Also, some more info as follows:

There are two distinct processes that occur here, and they tend to get confused.

First, there is the process of EXTENDing the Active Directory schema.

  • This does not put any SITE specific information into Active Directory, rather just adds several classes and attributes that any SMS site in the SMS hierarchy can use at a later point in time.
     
  • The information is only added to Active Directory. No existing information in Active Directory is modified.
     
  • The changes are minor. They include four (4) classes and ten (10) attributes.
     
  • This information is part of the Global Catalog, so a full replication will occur across all global catalog servers.
     
  • The specific information that is added to the schema is documented in the Online Library available in the Admin Console. Search for "Extending the Active Directory Schema".

Second, there is the process of PUBLISHing SMS information into Active Directory.

  • This occurs when each SMS site publishes its site-specific information into Active Directory.
     
  • There are several SMS components responsible for publishing the information.
     
  • Each site server attempts to publish its data in Active Directory by default.

So, we'll break these two tasks up and call them EXTEND and PUBLISH.

EXTEND SCHEMA
In order to EXTEND, two conditions must be met:

a. the Active Directory Schema must allow schema updates to be performed

b. the specific account performing the extension must have permissions to do so.

After the conditions are met, the EXTADSCH.EXE tool can be run from a command prompt (no parameters required), or the SMS Setup Wizard can be used to extend the Active Directory schema.

The procedure to accomplish the EXTEND process varies depending on whether Windows 2000 or Windows 2003 is controlling the domain.

In the case of Windows 2000, the schema must first be configured to allow schema updates. Search in the Online Library for "Extending the Active Directory Schema" for the specific step by step instructions.

In the case of Windows 2003, the schema is already enabled for updates.

After schema updates are allowed, permissions must be set properly to have the extensions added to Active Directory. These permissions are normally controlled by membership in the Schema Admins universal security group. Whoever will be running the EXTADSCH.EXE tool or running SMS Setup Wizard must be a member of this group, or have equivalent permissions.

When the EXTADSCH.EXE is run, there is no dependency on SMS being installed. It can be run by someone with sufficient permissions (such as a Server team member or Active Directory administrative group). Note that the attributes which are added to the schema will cause a full replication of the Global Catalog. It may be appropriate to schedule the schema extension process at a time when global catalog replication will not impact normal business traffic.

Assuming all has completed successfully with the EXTADSCH tool (log file located in the root directory of the drive the EXTADSCH tool was run from), the next step is to allow SMS to PUBLISH its site-specific information. Review the log file and, if necessary, use the ADSIEdit MMC snap-in to view the schema classes and attributes.

PUBLISH DATA
In order to PUBLISH, two conditions must be met:

a. The Active Directory schema must have already been successfully EXTENDED.

b. The specific account performing the PUBLISHING must have permissions to do so.

The procedure to accomplish the PUBLISH procedure is the same for Windows 2000 or Windows 2003 domains.

  • By default, SMS is installed with the site property enabled to allow PUBLISHing.
     
  • This is visible in the Advanced Tab in the Site Properties page for each SMS site. It is the "Publish Identity data to Active Directory" checkbox.

Permissions must be set properly for the SMS account responsible for updating the schema extensions. The steps to apply permissions are available in the Online Library from the Admin Console or the Concepts, Planning, and Deployment Guide. Search for "Creating SMS Containers in Active Directory". The set of instructions is applicable to both the System Container object as well as the System Management container object.

To set permissions:

  1. Launch the Active Directory Users and Computers MMC snap-in.
     
  2. Under the View menu, enable/choose "Advanced Features".
     
  3. You will now see a "System" folder. Select the folder, right-click and choose "Properties".
     
  4. Select the Security tab.
     
  5. Select the Advanced button.
     
  6. Select the Add button.
     
  7. Select the Object Types button. Enable Computers (if your site is in advanced security). Choose OK.
     
  8. Type in the name of the site server or SMS service account that needs permissions.
     
  9. In the "Apply to" list box, choose "This object and all child objects."
     
  10. Enable Full Control. Choose OK and save all dialogs.

After permissions are set properly, SMS will:

  • Create the System Management Container after the next hierarchy manager and/or site component manager cycle.
     
  • Add the SMS site-specific information under the System Management container.
     
  • The process of creating the System Management container object can be done manually if necessary. It must be named "System Management" and be a container object.

Once the System Management container is created under the System folder, the SMS site server's machine account or the SMS service account no longer needs permissions to the System folder. If permissions are removed for the System folder, the Full Control permissions must be set for all SMS service accounts or SMS Site Server machine accounts (could be done through the use of a group) and be enabled for "This object and all child objects." This will allow SMS to PUBLISH its data successfully.

As a matter of reference, there are two separate processes on the SMS Site server that publish information into Active Directory. They are Hierarchy Manager (a thread of SMS_EXECUTIVE process) and Site Component Manager. If the publishing process appears to have failed, review hman.log or sitecomp.log file located in \sms\logs\ folder.
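
The log review described above can be scripted. The following Python script is an added example, not part of the FAQ or of SMS: it triages an EXTADSCH.LOG in the failure format quoted in the question and compares the failures with the ten attributes and four classes the answer says the extension adds. Assumptions: the Win32 error names are taken from winerror.h, and only failure lines are parsed because the page does not show what a success line looks like.

```python
import re
from collections import Counter

# Win32 names (winerror.h) for the two error codes that appear in the log.
DS_ERRORS = {8245: "ERROR_DS_UNWILLING_TO_PERFORM",
             8202: "ERROR_DS_NO_ATTRIBUTE_OR_VALUE"}
# Object counts the answer gives for the SMS 2003 schema extension.
EXPECTED = {"attribute": 10, "class": 4}

FAIL_RE = re.compile(r"^<[^>]+>\s+Failed to create (attribute|class) "
                     r"cn=([\w-]+)\.\s+Error code = (\d+)\.")
ABORT_RE = re.compile(r"Failed to extend the Active Directory schema")

def summarize(log_text):
    """Count failures per (kind, code) and classify the run."""
    by_code, by_kind, aborted = Counter(), Counter(), False
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            kind, code = m.group(1), int(m.group(3))
            by_code[(kind, code)] += 1
            by_kind[kind] += 1
        elif ABORT_RE.search(line):
            aborted = True
    if not by_code:
        verdict = "aborted with no per-object errors" if aborted else "no failures logged"
    elif all(by_kind[k] == n for k, n in EXPECTED.items()):
        verdict = "all objects rejected: check schema-update setting and Schema Admins membership"
    else:
        verdict = "partial failure: compare the schema in ADSIEdit with the log"
    return {"by_code": dict(by_code), "aborted": aborted, "verdict": verdict}

# Sample input rebuilt from the log quoted in the question (names and codes as posted).
ATTRS = ("MS-SMS-Site-Code mS-SMS-Assignment-Site-Code MS-SMS-Site-Boundaries "
         "MS-SMS-Roaming-Boundaries MS-SMS-Default-MP mS-SMS-Device-Management-Point "
         "MS-SMS-MP-Name MS-SMS-MP-Address MS-SMS-Ranged-IP-Low MS-SMS-Ranged-IP-High").split()
CLASSES = ("MS-SMS-Management-Point MS-SMS-Server-Locator-Point MS-SMS-Site "
           "MS-SMS-Roaming-Boundary-Range").split()
TS = "<12-05-2003 08:37:00> "
SAMPLE = "\n".join(
    [TS + "Failed to create attribute cn=%s.  Error code = 8245." % a for a in ATTRS]
    + [TS + "Failed to create class cn=%s.  Error code = 8202." % c for c in CLASSES]
    + [TS + "Failed to extend the Active Directory schema.  Your Active Directory does not allow schema updates"])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for (kind, code), n in sorted(result["by_code"].items()):
        print("%d x %s -> %d %s" % (n, kind, code, DS_ERRORS.get(code, "unknown")))
    print(result["verdict"])
```
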

Contributed By: Charles Clarke [MVP SMS]
You need to enable updates to your Active Directory schema. This can be done by registering the schema management snap-in (regsvr32 schmmgmt.dll), opening a blank MMC and adding the schema snap-in, then right-clicking the top node in the left-hand pane and clicking “Properties”. Check the box that allows schema extension. Job done (that's for Windows 2000 AD).
 


© FAQShop.com 2003 - 2007
