SCCM FAQ

How do I extend the AD schema for SCCM?
Each AD forest has a single domain controller that has the role of schema master. All schema modifications are made on the schema master. To modify the schema, you must log on using an account in the forest root domain that is a member of the Schema Admins group.
--------------------------------------------------------------------------------
About the Schema Admins Group - The built-in Schema Admins group exists in the root domain of your forest. Normally there should not be any user accounts in the Schema Admins group. You should only add accounts to the Schema Admins temporarily when you need to modify the schema. Exercising this level of caution will protect the schema from any accidental modifications.
--------------------------------------------------------------------------------
The ConfigMgr 2007 schema modifications create four new classes and 14 new attributes used with these classes. The classes created represent the following:
Management points—Clients can use this information to find a management point.
Roaming boundary ranges—Clients can use this information to locate ConfigMgr services when they connect to the network at a location not within the boundaries of their assigned site.
Server locator points (SLPs)—Clients can use this information to find an SLP.
ConfigMgr sites—Clients can retrieve important information about the site from this AD object.
--------------------------------------------------------------------------------
When you modify the schema, you should take the schema master offline temporarily while you apply the changes. Regardless of the method you use to extend the schema, you should review the logs to verify that the schema extensions were successful before bringing the schema master back online. This way, if there is a problem with the schema modifications, you can seize the schema master role on another domain controller and retain your original schema!
Before actually extending the schema for ConfigMgr 2007, run the dcdiag and netdiag command-line tools, part of the Windows Support Tools. These tools validate that all domain controllers (DCs) are replicating and healthy. Because it may be difficult to validate the output of these tools, you can output the results to a text file using the following syntax:
dcdiag >c:\dcdiag.txt
Search the output text file for failures and see if any domain controllers are having problems replicating. If any failures are present, do not update the schema. Upgrading the schema when domain controllers are not healthy or replicating correctly will cause them to be orphaned as AD is revved to a higher version. The machine will then need to be manually and painfully cleaned out of AD.
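The checks described above (find the schema master, confirm Schema Admins is empty until the change window, run dcdiag to a file and search it for failures) can be scripted. The PowerShell below is an added example written for this FAQ, not a Microsoft tool and not part of the original text. It assumes the ActiveDirectory PowerShell module (RSAT) plus dcdiag.exe and repadmin.exe are available on the machine you run it from; the report path is an assumed default.

```powershell
# Added example (not from the original page): pre-flight checks before extending the
# Active Directory schema for ConfigMgr. Assumes the ActiveDirectory module (RSAT),
# dcdiag.exe and repadmin.exe. $ReportPath is an assumed default location.
param(
    [string]$ReportPath = "C:\dcdiag.txt"
)

Import-Module ActiveDirectory

# 1. Identify the forest root and the schema master. All schema writes land on this
#    single DC, so it is the one to isolate and the one whose logs must be reviewed
#    before it is returned to service.
$forest = Get-ADForest
Write-Host "Forest root domain : $($forest.RootDomain)"
Write-Host "Schema master      : $($forest.SchemaMaster)"
Write-Host "Forest mode        : $($forest.ForestMode)"   # Windows2003Forest or higher is needed for a full forest trust

# 2. Audit Schema Admins. The group lives in the forest root domain and should be
#    empty in steady state; add an account only for the duration of the change.
$schemaAdmins = @(Get-ADGroupMember -Identity "Schema Admins" -Server $forest.RootDomain -Recursive)
if ($schemaAdmins.Count -gt 0) {
    Write-Warning "Schema Admins currently has $($schemaAdmins.Count) member(s):"
    $schemaAdmins | Select-Object Name, objectClass, distinguishedName | Format-Table -AutoSize
} else {
    Write-Host "Schema Admins is empty (expected steady state)."
}

# 3. Run dcdiag against every DC in the forest, keep the full output on disk for the
#    record, then search it for failed tests. /e = all DCs in the enterprise,
#    /c = comprehensive test set.
& dcdiag.exe /e /c | Out-File -FilePath $ReportPath -Encoding ASCII
$failures = @(Select-String -Path $ReportPath -Pattern 'failed test' -SimpleMatch)

if ($failures.Count -gt 0) {
    Write-Warning "dcdiag reported $($failures.Count) failed test(s). Do NOT extend the schema yet:"
    $failures | ForEach-Object { Write-Warning ("  " + $_.Line.Trim()) }
} else {
    Write-Host "dcdiag reported no failed tests in $ReportPath; DCs look healthy for a schema change."
}

# 4. Replication summary as a second opinion: every DC must be replicating before
#    the schema version is raised, or lagging DCs end up orphaned.
& repadmin.exe /replsummary
```

Treat any member of Schema Admins outside a planned change window as a finding in its own right, not just a prerequisite failure; the script prints the member list so it can be reviewed and emptied before the change.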
--------------------------------------------------------------------------------
Schema Extensions and ConfigMgr 2007 Updates - There are no changes to the schema extensions from the RTM (Release to Manufacturing, or initial release) version of Configuration Manager 2007 in either Service Pack (SP) 1 or Release 2 (R2) (it is unknown at the time of writing this chapter whether SP 2 will incorporate schema changes). The ConfigMgr schema extensions include previous changes from the SMS 2003 version of the schema extensions.
Although you can deploy ConfigMgr with only the SMS 2003 schema extensions applied to AD, you will not have all the functionality provided by the ConfigMgr schema extensions. Configuration Manager features not supported by the SMS 2003 schema extensions include Network Access Protection and native mode security. The “Benefits of Extending Active Directory” section of this chapter discusses these features.
--------------------------------------------------------------------------------
Viewing Schema Changes
If you are curious about the details of the new classes, you can use the Schema Management Microsoft Management Console (MMC) snap-in to view their full schema definitions. Before adding the snap-in to the management console, you must install it by running the following command from the command prompt:
regsvr32 schmmgmt.dll
After installing the snap-in, perform the following steps to add Schema Management to the MMC:
1. Select Start, choose Run, and then enter MMC.
2. Choose Add/Remove snap-in from the File menu of the Microsoft Management Console.
3. Click the Add button and then choose Active Directory Schema.
4. Choose Close and then click OK to complete the open dialog boxes.
The left pane of the schema management tool displays a tree control with two main nodes—classes and attributes. If you expand out the classes node, you will find the following classes defined by ConfigMgr:
mSSMSManagementPoint
mSSMSRoamingBoundaryRange
mSSMSServerLocatorPoint
mSSMSSite
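The same four classes can be verified from the schema naming context with PowerShell instead of the MMC snap-in. The script below is an added example for this FAQ, not Microsoft's code and not part of the original text. It goes slightly beyond the text: besides confirming the four classes it counts the mSSMS-prefixed attributes and checks whether mSSMSSite objects have been published to the System Management container of the current domain. It assumes the ActiveDirectory module; the attribute name mSSMSSiteCode comes from the ConfigMgr schema and is not listed on this page.

```powershell
# Added example (not from the original page): verify the ConfigMgr schema extensions
# and site publication. Assumes the ActiveDirectory module (RSAT). The expected class
# list and counts (4 classes, 14 attributes) are the ones stated in the text above.
Import-Module ActiveDirectory

$expectedClasses = @(
    'mSSMSManagementPoint',
    'mSSMSRoamingBoundaryRange',
    'mSSMSServerLocatorPoint',
    'mSSMSSite'
)

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Every class and attribute added by the extension carries the mSSMS prefix.
$classes = @(Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=mSSMS*))' `
    -Properties lDAPDisplayName, mayContain)
$attributes = @(Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=mSSMS*))' `
    -Properties lDAPDisplayName, attributeSyntax)

$found = @($classes | ForEach-Object { $_.lDAPDisplayName })
foreach ($name in $expectedClasses) {
    $status = if ($found -contains $name) { 'present' } else { 'MISSING' }
    "{0,-28} {1}" -f $name, $status
}
"Classes with mSSMS prefix   : $($classes.Count)  (text above expects 4)"
"Attributes with mSSMS prefix: $($attributes.Count) (text above expects 14)"

# Detail: which attributes each class may carry (the same information the MMC shows
# on the class's Attributes tab).
foreach ($c in $classes) {
    "$($c.lDAPDisplayName): $(($c.mayContain | Sort-Object) -join ', ')"
}

# Publication check. Once the schema is extended and the site server has Full Control
# on the System Management container, mSSMSSite objects appear there. No objects means
# the site is not publishing (missing permissions, publishing disabled, or the
# extension has not replicated to this DC yet).
$domainDN  = (Get-ADDomain).DistinguishedName
$sysMgmt   = Get-ADObject -SearchBase "CN=System,$domainDN" -SearchScope OneLevel `
    -LDAPFilter '(cn=System Management)'
if ($sysMgmt) {
    # mSSMSSiteCode: attribute name from the ConfigMgr schema, not from this page.
    $sites = @(Get-ADObject -SearchBase $sysMgmt.DistinguishedName `
        -LDAPFilter '(objectClass=mSSMSSite)' -Properties mSSMSSiteCode)
    if ($sites.Count -gt 0) {
        $sites | ForEach-Object { "Published site: $($_.Name) (site code $($_.mSSMSSiteCode))" }
    } else {
        Write-Warning "System Management container exists but holds no mSSMSSite objects."
    }
} else {
    Write-Warning "No System Management container under CN=System,$domainDN; create it and grant the site server Full Control before publishing."
}
```

Run it against the schema master first (use the -Server parameter on the Get-AD* calls if you need to target a specific DC), then against a DC in another site; a class that is present on the schema master but MISSING elsewhere points at replication rather than at the extension itself.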
 
 
by Carol Bailey (Microsoft)

I've been seeing a steady increase in the number of questions that customers ask about Active Directory Domain Services in relation to Configuration Manager.  Tech-Ed North America was no exception, which prompted me to write up some of these frequently asked questions. 

Although this information is in the product documentation, I can understand why it's sometimes difficult to find the exact answer to a specific scenario, simply because there are so many possible variations.  One documentation topic that holds a lot of this information is Configuration Manager in Multiple Active Directory Forests.

If you have an Active Directory-related question about Configuration Manager, see if it's addressed in this blog post. If you don't see the question listed, email SMSDocs@Microsoft.com with your question or suggestion.

 Question:  Can Configuration Manager manage clients when they are in a different domain to the site system servers?

Answer:  Yes.  The only potential gotcha is that when the site is in mixed mode, you must configure the management point with an FQDN for automatic approval to work.  Tip: Check that name resolution (NetBIOS and FQDN) is working between the two domains.

 Question:  Do all my site system servers in a site have to be in the same domain?

Answer: No, site systems within the same site can be from different domains within the same forest, with the exception of the following:

  • SMS Provider
  • reporting point
  • site database server

 Question:  Do all my site system servers in a site have to be from the same forest?

Answer: Most of the time, yes.  There are a few exceptions:

  • The System Health Validator point
  • Internet-based site systems
  • Server locator point (security best practice is to install this in the same forest)
  • PXE service point (security best practice is to install this in the same forest)

 Question: Can Configuration Manager manage clients when they are in a different forest from the site server?

Answer: Yes, and this configuration does not require any PKI certificates or that you install any site system servers into this other forest.  The most important thing to remember here is that these clients cannot access site information that is published by the site server to Active Directory Domain Services - even if there is a trust in place between the two forests.  This means that when you install these clients, they require a server locator point to complete site assignment.  Make sure that the server locator point is installed and that these clients can access it - and the easiest way to do this is to use the SMSSLP property when you install the client.  For more information, see How to Create a Server Locator Point in Configuration Manager and How to Specify the Server Locator Point for Configuration Manager Client Computers.

Additionally:

  • Make sure that you have name resolution between the two forests - that the client can resolve the names of site system servers in the Configuration Manager site, and that the site system servers can resolve the name of the client computers.
  • If there is no trust between the client domain and the site server's domain, you will need a network access account for these clients to access distribution points. For more information, see How to Configure the Network Access Account.
  • If the site is in mixed mode and there is no trust between the client domain and the site server's domain, these clients will not be approved if the site is configured for the default option Automatically approve computers in trusted domains, and you must manually approve these clients.
  • If the site is in native mode and the client will use intranet communication, the clients must be installed with the option that allows HTTP communication for roaming and site assignment. The easiest way to do this is to use the /native:fallback or /native:crlandfallback property when you install the client. For more information, see How to Configure HTTP Communication for Roaming and Site Assignment. Also ensure that your PKI solution is designed to span the two forests.
  • If you want to discover these clients by using Active Directory discovery methods, there must be a full forest trust in place. However, only client push installation requires computers to be discovered. For more information about the other client installation methods and their dependencies, see Prerequisites for Configuration Manager Client Deployment.
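The name-resolution and firewall prerequisites in the answer above can be checked from a prospective client in the other forest before CCMSetup is run. The PowerShell below is an added example written for this FAQ, not part of the original post and not Microsoft's code. The server names are placeholders, and port 80 is an assumption (the default for HTTP site systems in mixed mode); replace them with your management point, server locator point and port. It checks forward, reverse and short-name resolution of each site system, then confirms the HTTP port is reachable, which is what an unauthenticated server locator point connection needs through a firewall.

```powershell
# Added example (not from the original page): client-side prerequisite checks for a
# ConfigMgr client in a different forest from the site server. Server names and the
# port are placeholders/assumptions; replace with your own site systems.
param(
    [string[]]$SiteSystems = @('MP01.siteforest.example', 'SLP01.siteforest.example'),
    [int]$HttpPort  = 80,     # assumed default HTTP port for the MP/SLP
    [int]$TimeoutMs = 3000
)

function Test-NameResolution {
    param([string]$Name)
    $result = [ordered]@{ Name = $Name; Forward = $null; Reverse = $null; ShortName = $null }
    try {
        $entry = [System.Net.Dns]::GetHostEntry($Name)
        $ip = $entry.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        $result.Forward = $ip.IPAddressToString
        # Reverse lookup of the resolved address: a quick sanity check of the zone the
        # site systems live in (they in turn must be able to resolve this client).
        try { $result.Reverse = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $result.Reverse = 'FAILED' }
    } catch {
        $result.Forward = 'FAILED'
    }
    # Short (NetBIOS-style) name: mixed-mode sites without an FQDN on the MP still
    # depend on this form resolving.
    $short = $Name.Split('.')[0]
    try { $null = [System.Net.Dns]::GetHostEntry($short); $result.ShortName = 'OK' } catch { $result.ShortName = 'FAILED' }
    return [pscustomobject]$result
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

"== Name resolution from this client =="
$SiteSystems | ForEach-Object { Test-NameResolution -Name $_ } | Format-Table -AutoSize

"== HTTP reachability (the SLP needs unauthenticated HTTP through any firewall) =="
foreach ($s in $SiteSystems) {
    $ok = Test-TcpPort -ComputerName $s -Port $HttpPort -Timeout $TimeoutMs
    "{0,-30} TCP/{1}: {2}" -f $s, $HttpPort, $(if ($ok) { 'open' } else { 'BLOCKED or unreachable' })
}

# Reverse direction: the site systems must resolve this client. Print the FQDN this
# client believes it has so the lookup can be repeated from a site system.
$myFqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
"This client's FQDN as seen by its own resolver: $myFqdn"
"Repeat from a site system: nslookup $myFqdn"
```

Only when both directions resolve and the HTTP port is open is it worth installing the client with the SMSSLP property (and, for a native mode site, the /native:fallback or /native:crlandfallback switch) that the answer above describes; a FAILED or BLOCKED row points at DNS or firewall work that no client property can substitute for.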

 Question: I need to support clients from another forest, so do I install the server locator point in the same forest as these clients or in the site server's forest?

Answer:  Technically, you can install the server locator point in either forest. However, as a security best practice, install it in the site server's forest. If you have a firewall between the two forests, note that the server locator point requires unauthenticated client connections over HTTP.  If this is against your security policies, an alternative configuration is to configure these clients for Internet-only client management, which does require PKI certificates and that the site is in native mode.  This configuration does not require that these clients contact a server locator point.  For more information, see the question "Is it possible to manage clients from another forest by using HTTPS connections only?"

 Question: Can I install clients in another forest without downloading the client installation source files from the management point?

Answer:  Yes.  Copy the client installation source files from the management point or site server onto a file server in the clients' forest.  Then use the CCMSetup property /source:<path> when you install the clients.  The client installation source files are located in the <InstallationPath>\Client folder on the Configuration Manager 2007 site server and management points.

 Question: What ports need to be open on a firewall between my two forests for client communication?

Answer:  To install the clients, see Ports Used During Configuration Manager Client Deployment.  Note that client push installation is the least firewall-friendly installation method, because it requires SMB and RPC.  The ports that might be used after client installation will depend on the Configuration Manager features that you are using. For a list of operational ports, see Ports Used by Configuration Manager.

 Question: Is it possible to manage clients from another forest by using HTTPS connections only?

Answer:  Yes, if your site is in native mode, configure the native mode site systems for Internet connections and install these clients for Internet-only client management. For more information about this configuration, see Tips and Tricks: Using Internet-Only Client Management on the Intranet.

 Question:  Can I install a secondary site in another forest?

Answer:  No. When your primary site is in forest A, Configuration Manager does not support installing a secondary site in forest B.  In this scenario, you must install a primary site in forest B or use the primary site in forest A to manage clients in forest B.

 Question: What additional configuration is required if I install a site in another forest?

Answer:  If you are using secure key exchange between the sites, use the hierarchy maintenance tool (Preinst.exe) to configure manual key exchange.  For more information, see How to Manually Exchange Public Keys Between Sites.

If there is no trust between the two forests, you must configure domain user accounts as site address accounts in the sender address properties of each site. If there is a full forest trust between the two forests, you can use the site server computer accounts.

 Question:  Can I install site systems on domain controllers?

Answer:  Yes.  There is no technical restriction that prevents you from installing any of the site system roles on domain controllers.  However, for security best practices, this is not recommended in a production environment.

 Question:  Can I install site systems on stand-alone servers (not in an Active Directory forest)?

Answer:  No.  All site systems must belong to an Active Directory forest.  This includes branch distribution points and Internet-based site systems.

 Question:  Does any Configuration Manager feature or operation require a specific domain or forest functional level?

Answer:  No.  The only exception is when a full forest trust is required, which itself requires a minimum forest functional level of Windows Server 2003.  A full forest trust is needed for the following:

  • To discover computers in another forest
  • The option Allow only site server initiated data transfers from this site system, which is a configuration option for Internet-based site systems that are installed in the perimeter network to ensure that connections are only initiated from the intranet.

 Question:  Does Configuration Manager support all versions of Active Directory Domain Services, including Windows Server 2008 R2?

Answer:  Yes.  However, for supported versions of the operating systems on clients and site systems, always check the Supported Configurations documentation for the version of Configuration Manager that you are running.

 Question:  Do I need to extend the schema again if I create new Configuration Manager sites or add computers from new domains?

Answer:  No.  Active Directory schema extensions are for the entire forest, so you need to extend the schema for Configuration Manager only once if your Configuration Manager hierarchy is contained within the forest. The only exception is if you create a new primary site in another forest, and you want this new site to publish to Active Directory Domain Services.  In this scenario, extend the schema in the new forest (and configure the security permissions for the System Management container).

 Question:  Do I need to extend the schema again for Configuration Manager after upgrading to a later version of Configuration Manager (for example, Configuration Manager SP2) or after raising my Active Directory domain or forest functional level?

Answer:  No.  If you have extended the Active Directory schema for Configuration Manager, you do not need to extend it again for these scenarios.  However, if you're upgrading from SMS 2003 to Configuration Manager, then you should extend the schema for Configuration Manager to benefit from the new site changes that are published to Active Directory Domain Services. 


Configuration Manager in Multiple Active Directory Forests - http://technet.microsoft.com/en-us/library/bb694003.aspx

Configuring Internet-Based Client Management - http://technet.microsoft.com/en-us/library/bb633166(TechNet.10).aspx

Administrator Workflow: Configuring a Site for Internet-Based Client Management - http://technet.microsoft.com/en-us/library/bb632368(TechNet.10).aspx

Administrator Checklist: Configuring a Site for Internet-Based Client Management - http://technet.microsoft.com/en-us/library/bb632535(TechNet.10).aspx

Administrator Checklist: Configuring the Software Update Point in a Native Mode Site - http://technet.microsoft.com/en-us/library/bb632381(TechNet.10).aspx

Administrator Checklist: Configuring Client Computers for a Site that Supports Internet-Based Client Management - http://technet.microsoft.com/en-us/library/bb694139(TechNet.10).aspx

Supported Scenarios for Internet-Based Client Management - http://technet.microsoft.com/en-us/library/bb693824(TechNet.10).aspx

Determine Site Placement for Internet-based Client Management - http://technet.microsoft.com/en-us/library/bb680352(TechNet.10).aspx

Deploying the PKI Certificates Required for Native Mode - http://technet.microsoft.com/en-us/library/bb680312(TechNet.10).aspx

Step-By-Step Example Deployment of the PKI Certificates Required for Configuration Manager Native Mode - http://technet.microsoft.com/en-us/library/bb694035(TechNet.10).aspx

Administrator Workflow: Deploying the PKI Requirements for Native Mode - http://technet.microsoft.com/en-us/library/bb680742(TechNet.10).aspx

Administrator Checklist: Deploying the PKI Requirements for Native Mode - http://technet.microsoft.com/en-us/library/bb680844(TechNet.10).aspx

How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management - http://technet.microsoft.com/en-us/library/bb632609(TechNet.10).aspx

How to Configure Internet-Based Site Systems to Allow Only Site Server Initiated Data Transfers - http://technet.microsoft.com/en-us/library/bb693576.aspx

How to Configure the Site Server with its Site Server Signing Certificate - http://technet.microsoft.com/en-us/library/bb680769(TechNet.10).aspx

How to Specify the Client Certificate Store - http://technet.microsoft.com/en-us/library/bb632622(TechNet.10).aspx

How to Specify the Client Certificate Selection Criteria - http://technet.microsoft.com/en-us/library/bb632376(TechNet.10).aspx

How to Determine Whether Client Computers Are Ready for Native Mode - http://technet.microsoft.com/en-us/library/bb680986(TechNet.10).aspx

How to Export the Site Server Signing Certificate for Configuration Manager Client Installation - http://technet.microsoft.com/en-us/library/bb932126(TechNet.10).aspx

How to Configure the Site System Installation Account - http://technet.microsoft.com/en-us/library/bb680552.aspx

How to Configure a Distribution Point to Transfer Content Using BITS, HTTP, and HTTPS - http://technet.microsoft.com/en-us/library/bb680763(TechNet.10).aspx

How to Configure a Distribution Point for Internet-Based Client Connections - http://technet.microsoft.com/en-us/library/bb632488(TechNet.10).aspx

How to Configure a Fallback Status Point for Internet-Based Client Connections - http://technet.microsoft.com/en-us/library/bb680746.aspx

How to Configure a Management Point for Internet-Based Client Connections - http://technet.microsoft.com/en-us/library/bb693517(TechNet.10).aspx

How to Configure a Software Update Point for Internet-Based Client Connections - http://technet.microsoft.com/en-us/library/bb694265(TechNet.10).aspx

How to Configure the Internet FQDN of an Internet-based NLB Management Point - http://technet.microsoft.com/en-us/library/bb680960(TechNet.10).aspx