Proposed steps for AD Schema Extension for SCCM 2012

Overview

SCCM 2012 implementation requires AD Schema to be extended in the Active Directory

There is a key requirement to have a backup strategy in place before extending the AD schema since the schema update can only be reversed by a forest recovery.

In order to de-risk the AD schema extension, there needs to be a stung back out approach in case anything goes wrong during the AD schema upgrade. Most organizations require a change request to be in place before extending the AD schema and most change requests require a back out strategy. This section will serve the purpose of having a strong back out strategy. The detailed approach is as follows:

Approach

1. Logon to the Domain Controller holding the Schema Master FSMO role using Schema Admins credential
   
2. Perform Backup
   
   1. Back up system state and the system disk on a domain controller using ntdsutil.exe
      
   2. Dump the current schema into a file for comparison.  From a command prompt, run the command:  Ldifde -f Before_Schema_Update.ldf –"cn=schema,cn=configuration,dc=domain,dc=root"
      
3. Isolate the server
   
   1. Disable Outbound Replication on the server
      
   2. At a command prompt, run the command: "repadmin /options +DISABLE_OUTBOUND_REPL" without the quotation marks.
      
   3. Unplug the physical network connection to ensure no communication could occur with other domain controllers.
      
4. Extend the Schema
   
   1. There are 2 options to extend the AD Schema:
      
      1. Using LDIF File:
         
         1. Modify the LDIF file by replacing DC=x with DC=domain1,DC=domain2,DC=com
            
         2. At a command prompt, run the command "ldifde –i –f ConfigMgr_ad_schema.ldf –v –j <location to store log file>"
            
      2. Using extadsch.exe (preferred)
         
         1. Execute extadsch.exe
            
5. Validate the Schema Extension
   
   1. Using LDIF File: - Check for the log file mentioned in the command prompt command
      
   2. Using extadsch.exe – Check for extadsch.log in the root directory
      
   3. Open ADSIEdit and perform a visual check of the schema to validate whether all classes are added into AD
      
   4. Dump the current schema into a file and compare with the one obtained in step 2b. From a command prompt, run the command: Ldifde -f After_Schema_Update.ldf -d "cn=schema,cn=configuration,dc=domain,dc=root"
      
   5. Compare the content in the file Before_Schema_Update.ldf and After_Schema_Update.ldf to ensure proper extension is completed.
      
6. If the Schema Extension is Successful
   
   1. Re-enable Outbound Replication on the server
      
   2. At a command prompt, run the command: "repadmin /options -DISABLE_OUTBOUND_REPL" without the quotation marks.
      
   3. Re-connect the network cable
      
   4. Force replication of Active Directory
      
   5. Allow time for replication to be completed before Installing SCCM
      
7. Backup Strategy (Only to be implemented if the Schema Extension encounters a Catastrophe / Failure)
   
   1. Option 1 - Restore a domain controller through restore from backup
      
      1. Restore AD from backup media (non-authoritative restore).
         
      2. Verify Active Directory restore.
         
   2. Option 2 - Recover a domain controller through reinstallation.
      
      1. Demote the Domain Controller
         
      2. Re-promote the Domain Controller and let in-bound replication fix the Domain Controller
         

Disclaimer

The above mentioned steps must be tested in QA, Pre-prod, or Development environments before trying in Production.