Step 1a: Configuring the Active Directory Domain for MDM

2/9/2009

Before you deploy System Center Mobile Device Manager, you must run the Active Directory Configuration Tool (ADConfig) from the Setup menu on the System Center Mobile Device Manager installation disc to configure the domain. ADConfig creates the required Active Directory groups, adds the MDM service connection point (SCP), creates the certificate templates in Active Directory, and enables the certificate templates on the designated certification authority. Also, the tool allows you to create multiple instances of MDM within an Active Directory forest, and multiple instances of MDM within an Active Directory domain. For more information about ADConfig, see Configure Active Directory for MDM in the MDM Planning Guide and ADConfig Tool.

Before you install and deploy MDM by following the steps in this guide, you must first plan your deployment and configure your IT environment. To do this, follow the steps and guidelines in Planning for Mobile Device Manager.

Important

MDM Planning and Deployment Checklists specifies the permissions and roles required to run the following parameters.

To configure the Active Directory domain for MDM

  1. Run Setup.exe on the System Center Mobile Device Manager installation CD.

  2. On the Start menu, choose Configure Active Directory for MDM. A Command Prompt window appears that displays the Active Directory Configuration Tool (ADConfig) Help.

  3. You must create an instance for your MDM deployment.

    1. At the command prompt, type the command ADConfig.exe /createInstance:<instance name> /domain:<domain>, where <instance name> is the MDM instance name and <domain> is the domain in which you want to install MDM. MDM supports only the characters A-Z, a-z, 0-9, dash (-), and underscore (_) for the instance name. The instance name must not be longer than 30 characters.

      Note

      You cannot change the immutable name (underlying instance name) once it is set. However, you may change the friendly instance name at a later time. Both are used extensively throughout the MDM system. The instance name chosen here becomes both the immutable name and the friendly name by default. To change the friendly name, see Modifying the MDM Instance Friendly Name in ADConfig Tool.

    2. Press ENTER.

    3. When you are prompted, Do you want to proceed?, press Y, and then press ENTER.

    4. Another message will appear asking you to enable the instance for the domain. When you are prompted, Do you want to proceed?, press Y, and then press ENTER.

      Important

      If you plan to use Windows Mobile 6.1 devices from other domains with this new instance, you must enable the instance in those domains. To do this, type the command ADConfig.exe /enableinstance:<instance name> /domain:<domain name>, where <instance name> is the MDM instance name and <domain name> is the name of the domain that contains the mobile devices. You must run this parameter once for every domain where you have Windows Mobile 6.1 devices. Also, after creating an MDM 2008 SP1 instance, you must allow sufficient time for Active Directory replication to occur between all domain controllers in your organization. If the /enableinstance parameter is run in any parent or child domain before replication is complete, the parameter will fail with an error message stating that there is no such object on the server.

  4. You must create the MDM certificate templates.

    1. Type the command, ADConfig.exe /createTemplates:<instance name> where <instance name> is the MDM instance name.
    2. Press ENTER. A prompt appears that explains that the certificate templates will be created.
    3. When you are prompted, Do you want to proceed?, press Y, and then press ENTER. A summary lists the templates created in Active Directory by this command.
  5. After Active Directory creates the templates, you must enable them.

    1. At the command prompt, type the command ADConfig.exe /enableTemplates:<instance name> /ca:<ca_server_fqdn>\<ca_instance_name>, where <instance name> is the MDM instance name, <ca_server_fqdn> is the fully qualified domain name of the specified certification authority server, and <ca_instance_name> is the instance name of the certification authority. For a list of the required permissions to run this parameter, see Primary Parameters in ADConfig Tool.
      You must use quotation marks for this command if there are spaces in your certification authority name or instance. An example would be ADConfig.exe /enabletemplates:NWTRADERS /ca:"server.contoso.com\ca name". If you do not have spaces in the certification authority instance and server names, you must not use quotation marks, or the process will fail.
    2. Press ENTER. A message appears to confirm that the templates will be enabled.
    3. When you are prompted, Do you want to proceed?, press Y, and press ENTER.
  6. Although optional, you may run a Group Policy security parameter (/enablegpsecurity) to do the following:

    • Modify Group Policy object permissions to allow MDM servers to calculate policies for mobile devices.

    For usage and to read more on /enablegpsecurity, see ADConfig Tool.

  7. After you run each ADConfig parameter at a command prompt, ADConfig output is visible. This includes information such as created Active Directory objects, installed certificate templates, and other useful information. This output is saved to a log file in your current directory. If ADConfig does not have permission to write to the current directory, the log file is written to the %temp% directory; if it cannot write to the %temp% directory either, the output goes to the console only. After running each parameter, you will be given the path where the file is being written. The log file name is in the format ADConfigYYYYMMDDHHMMSS.log.

    Note

    If parameters are run multiple times, the log files accumulate on disk and should be removed manually.

  8. It is also strongly recommended that you run the ADConfig.exe /ValidateInstance:<instance name> command and copy the contents to a text file. The /ValidateInstance parameter checks whether the configuration process was completed properly, including checking an MDM instance to make sure that it is set up properly. This parameter validates the templates, the Active Directory structure, and the organizational units (OUs).

    Note

    The /validateinstance parameter produces output that may appear to be creating instances or objects. It does not in fact create instances or objects, or modify SCPs. The parameter only verifies their existence in your MDM environment.

  9. At the end of the configuration process, close the Command Prompt window.
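The procedure above, as an added PowerShell helper that is not part of the MDM documentation or of the ADConfig tool itself: it enforces the instance-name rule from step 3, builds the exact ADConfig command lines for steps 3 to 5 and 8 with the /ca value quoted only when it contains a space (step 5 says an unneeded quote makes the step fail), captures /ValidateInstance output to a text file, locates the newest ADConfigYYYYMMDDHHMMSS.log in the current directory or %temp%, and trims the logs that accumulate across repeated runs. The function names, the ADConfig.exe path you pass in, and the sample values NWTRADERS, contoso.com and emea.contoso.com are this example's own assumptions.

```powershell
# Added example (not from the MDM documentation). Function names and the
# ADConfig.exe location are assumptions; ADConfig is run only where noted.

function Test-MdmInstanceName {
    param([Parameter(Mandatory)][string]$Name)
    # Step 3 rule: only A-Z, a-z, 0-9, dash and underscore, at most 30 characters.
    if ($Name.Length -gt 30) { return $false }
    return $Name -match '^[A-Za-z0-9_-]+$'
}

function Format-MdmCaArgument {
    param(
        [Parameter(Mandatory)][string]$CaServerFqdn,
        [Parameter(Mandatory)][string]$CaInstanceName
    )
    # Step 5 rule: quote the value only if it contains a space; never otherwise.
    $value = "$CaServerFqdn\$CaInstanceName"
    if ($value -match ' ') { return "/ca:`"$value`"" }
    return "/ca:$value"
}

function Get-MdmAdConfigCommands {
    param(
        [Parameter(Mandatory)][string]$InstanceName,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$CaServerFqdn,
        [Parameter(Mandatory)][string]$CaInstanceName,
        [string[]]$DeviceDomains = @()   # other domains holding Windows Mobile 6.1 devices
    )
    if (-not (Test-MdmInstanceName $InstanceName)) {
        throw "Instance name '$InstanceName' violates the ADConfig naming rule (A-Z, a-z, 0-9, -, _; max 30)."
    }
    $ca = Format-MdmCaArgument -CaServerFqdn $CaServerFqdn -CaInstanceName $CaInstanceName
    $commands = @("ADConfig.exe /createInstance:$InstanceName /domain:$Domain")
    foreach ($d in $DeviceDomains) {
        # Step 3 Important: run these only after AD replication has completed,
        # otherwise ADConfig reports that there is no such object on the server.
        $commands += "ADConfig.exe /enableinstance:$InstanceName /domain:$d"
    }
    $commands += "ADConfig.exe /createTemplates:$InstanceName"
    $commands += "ADConfig.exe /enableTemplates:$InstanceName $ca"
    $commands += "ADConfig.exe /ValidateInstance:$InstanceName"
    return $commands
}

function Save-MdmValidateInstanceOutput {
    # Step 8: run /ValidateInstance and keep a copy of its output in a text file.
    param(
        [Parameter(Mandatory)][string]$AdConfigPath,   # path to ADConfig.exe on the installation disc (assumed)
        [Parameter(Mandatory)][string]$InstanceName,
        [string]$OutFile = "ValidateInstance-$InstanceName.txt"
    )
    & $AdConfigPath "/ValidateInstance:$InstanceName" 2>&1 | Tee-Object -FilePath $OutFile
}

function Get-MdmLatestAdConfigLog {
    # Step 7: the log is ADConfigYYYYMMDDHHMMSS.log in the current directory,
    # or in %temp% when the current directory is not writable. Return the newest.
    $logs = @((Get-Location).Path, $env:TEMP) | ForEach-Object {
        Get-ChildItem -Path $_ -Filter 'ADConfig*.log' -File -ErrorAction SilentlyContinue
    } | Where-Object { $_.Name -match '^ADConfig\d{14}\.log$' }
    return $logs | Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

function Remove-MdmOldAdConfigLogs {
    # Step 7 note: repeated runs accumulate logs that must be removed manually.
    # Keeps the newest $Keep logs; -WhatIf shows what would be deleted without deleting.
    param([int]$Keep = 5, [string]$Path = (Get-Location).Path)
    Get-ChildItem -Path $Path -Filter 'ADConfig*.log' -File |
        Where-Object { $_.Name -match '^ADConfig\d{14}\.log$' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $Keep |
        Remove-Item -WhatIf
}

# Usage with constructed values: list the commands to type at the MDM setup prompt.
Get-MdmAdConfigCommands -InstanceName 'NWTRADERS' -Domain 'contoso.com' `
    -CaServerFqdn 'server.contoso.com' -CaInstanceName 'ca name' `
    -DeviceDomains @('emea.contoso.com')
```

Get-MdmAdConfigCommands does not execute anything; it only returns the command lines so you can review them, then type each one at the Command Prompt window from step 2 and answer the Do you want to proceed? prompts yourself. Only Save-MdmValidateInstanceOutput invokes ADConfig, and Remove-MdmOldAdConfigLogs is left in -WhatIf mode until you have checked its output.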