Configure Active Directory for MDM

2/9/2009

Before you deploy System Center Mobile Device Manager, you must run the Active Directory Configuration Tool (ADConfig) from the Setup menu on the System Center Mobile Device Manager installation disc to configure the domain. ADConfig creates the required Active Directory groups, adds the MDM service connection point (SCP), creates the MDM certificate templates, and enables those templates on the designated certification authority. It also grants the Active Directory user and server groups the permissions that the MDM installation process requires. Finally, ADConfig can grant MDM the access to Group Policy objects that it needs to calculate policy for managed Windows Mobile devices.

Note

Do not grant Group Policy object permissions to an MDM instance that you do not want to calculate policy on behalf of devices. Any instance that holds those permissions can read the Group Policy objects and apply the resulting policy to the devices it manages.

Make sure that Active Directory is secured behind the company firewall before you run ADConfig. ADConfig adds explicit permissions only; it does not modify or remove inherited permissions, so any inherited permissions that are already in place remain in effect after it runs. For the steps to run ADConfig, see Step 1: Configuring Active Directory for MDM in the MDM Deployment Guide.

ADConfig creates and installs the following certificate templates on the specified domain certification authority:

  • General MDM Web Server Template (SCMDMWebServer)
  • Mobile Devices Template (SCMDMMobileDevice)
  • MDM Gateway Central Management Template (SCMDMGCM)

During MDM Enrollment Server and MDM Device Management Server installation, Setup requests certificates from the specified certification authority on which the MDM templates are enabled, and binds them to IIS 6.0 on every MDM server role except MDM Gateway Server. On MDM Gateway Server, you must import the certificate into the certificate store manually. For more information about how to import the certificate on MDM Gateway Server, see Step 5: Installing MDM Gateway Server in the MDM Deployment Guide. Additionally, MDM Device Management Server Setup requests the Gateway Central Management (GCM) certificate and sets the permissions that MDM requires on it.

In a typical installation, the certificate installation process for MDM is automatic. If you need to create the certificates manually instead, see Manual Certificate Procedures in the Technical Reference section of the MDM Deployment Guide.

For information about the parameters that you can use with ADConfig, see ADConfig Tool.

After ADConfig finishes, allow time for the objects it created to replicate between all domain controllers. Do not install MDM until replication is complete; otherwise, Setup may contact a domain controller that does not yet have the groups, templates, or SCP.

Important

Do not move or rename the system-level containers or the SCP that ADConfig creates. Additionally, do not rename the pre-Windows 2000 SAM-Account-Name of any of the universal security groups that ADConfig created; MDM locates these groups by that name, and changing it will interfere with MDM system operation. To view the groups, containers, and SCP in Active Directory Users and Computers, on the View menu, click Advanced Features.
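The following script is an added example, not part of the MDM Deployment Guide or the ADConfig tool, that checks the objects described on this page before you run MDM Setup: the three certificate templates exist and are enabled on the designated CA, the universal security groups are present with their pre-Windows 2000 names intact, an SCP is present, and every domain controller already has the replicated objects. It assumes the RSAT Active Directory module is available, that you run it as a domain administrator, that the groups and SCP created by ADConfig carry the same SCMDM prefix as the templates listed above, and that ADConfig sets each group's sAMAccountName equal to its name. The CA name Contoso-Issuing-CA is a placeholder; substitute your own.

```powershell
# Added post-ADConfig verification for MDM (example code; not from the MDM Deployment Guide).
# Assumptions: RSAT ActiveDirectory module; run as a domain admin; ADConfig objects use the
# SCMDM prefix (as the template names do); ADConfig sets sAMAccountName equal to the group name.
param(
    [string]$CaName      = "Contoso-Issuing-CA",  # assumption: placeholder CA common name
    [string]$ObjectPrefix = "SCMDM"               # assumption: prefix of groups and SCP that ADConfig creates
)

Import-Module ActiveDirectory -ErrorAction Stop

$rootDse     = Get-ADRootDSE
$configNC    = $rootDse.configurationNamingContext
$domainNC    = $rootDse.defaultNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caDN        = "CN=$CaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$expectedTemplates = 'SCMDMWebServer', 'SCMDMMobileDevice', 'SCMDMGCM'   # the three templates on this page
$problems = @()

# 1. The templates must exist in the Configuration partition (forest-wide, replicated to every DC).
foreach ($t in $expectedTemplates) {
    $obj = Get-ADObject -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$t))" -SearchBase $templatesDN
    if (-not $obj) { $problems += "Template $t not found under $templatesDN" }
}

# 2. The templates must be enabled on the designated CA. A CA's pKIEnrollmentService object
#    lists its enabled templates in the certificateTemplates attribute.
try {
    $ca = Get-ADObject -Identity $caDN -Properties certificateTemplates
    foreach ($t in $expectedTemplates) {
        if ($ca.certificateTemplates -notcontains $t) { $problems += "Template $t is not enabled on CA $CaName" }
    }
} catch {
    $problems += "CA object $caDN not found; check the CA name ($_)"
}

# 3. Universal security groups: present, universal scope, pre-Windows 2000 name untouched.
$groups = @(Get-ADGroup -LDAPFilter "(cn=$ObjectPrefix*)" -SearchBase $domainNC)
if ($groups.Count -eq 0) { $problems += "No groups with prefix $ObjectPrefix found in $domainNC" }
foreach ($g in $groups) {
    if ($g.GroupScope -ne 'Universal') { $problems += "$($g.Name) has scope $($g.GroupScope); expected Universal" }
    if ($g.SamAccountName -ne $g.Name) {
        $problems += "$($g.Name): pre-Windows 2000 name '$($g.SamAccountName)' differs from the group name (renamed?)"
    }
}

# 4. The service connection point that ADConfig added (assumed to carry the same prefix).
$scp = Get-ADObject -LDAPFilter "(&(objectClass=serviceConnectionPoint)(cn=$ObjectPrefix*))" -SearchBase $domainNC
if (-not $scp) { $problems += "No serviceConnectionPoint named $ObjectPrefix* found in $domainNC" }

# 5. Replication: every domain controller must already return the groups and templates.
#    MDM Setup can bind to any DC, so a lagging DC means a failed or inconsistent install.
foreach ($dc in Get-ADDomainController -Filter *) {
    $dcGroups = @(Get-ADGroup -LDAPFilter "(cn=$ObjectPrefix*)" -SearchBase $domainNC -Server $dc.HostName).Count
    $dcTemplates = @(Get-ADObject -LDAPFilter "(&(objectClass=pKICertificateTemplate)(|(cn=SCMDMWebServer)(cn=SCMDMMobileDevice)(cn=SCMDMGCM)))" `
                                  -SearchBase $templatesDN -Server $dc.HostName).Count
    if ($dcGroups -ne $groups.Count) {
        $problems += "$($dc.HostName) returns $dcGroups of $($groups.Count) groups; replication not complete"
    }
    if ($dcTemplates -ne $expectedTemplates.Count) {
        $problems += "$($dc.HostName) returns $dcTemplates of $($expectedTemplates.Count) templates; replication not complete"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "ADConfig objects are present and replicated to all domain controllers; MDM Setup can proceed."
```

Run the script from any domain-joined machine with the RSAT tools, for example `.\Test-MdmAdConfig.ps1 -CaName "YourCA"`. A non-zero exit code means something on this page's checklist is missing: rerun ADConfig, wait for replication, or restore a renamed pre-Windows 2000 name before you start MDM Setup. The per-DC query in step 5 is the practical form of the replication wait described above: rather than guessing an interval, it confirms that each domain controller returns the same objects.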

For more information about how to install and uninstall MDM system components by using command-line options, see Setup Command-Line Options in the Technical Reference section of the MDM Deployment Guide.