Prepare the Windows Environment for Configuration Manager


Updated: October 27, 2016

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Use the information in the following sections to help you configure your Windows environment to support System Center 2012 Configuration Manager.

  • Prepare Active Directory for Configuration Manager

    • Extend the Active Directory Schema

    • Create the System Management Container

    • Set Security Permissions on the System Management Container

    • Enable Active Directory publishing for the Configuration Manager site

  • Configure Windows-Based Servers for Configuration Manager Site System Roles

    • Remote Differential Compression

    • Internet Information Services (IIS)

    • IIS Request Filtering for distribution points

    • HTTP verbs

Prepare Active Directory for Configuration Manager

When you extend the Active Directory schema, this action is a forest-wide configuration that you must do one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after Setup. For information to help you decide whether to extend the Active Directory schema, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.

Tip

If the Active Directory schema was extended with the Configuration Manager 2007 schema extensions, you do not have to extend the schema for System Center 2012 Configuration Manager. The Active Directory schema extensions are unchanged from Configuration Manager 2007.

Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:

  • Extend the Active Directory schema.

  • Create the System Management container.

  • Set security permissions on the System Management container.

  • Enable Active Directory publishing for the Configuration Manager site

Extend the Active Directory Schema

Configuration Manager supports two methods to extend the Active Directory schema. The first is to use the extadsch.exe utility. The second is to use the LDIFDE utility to import the schema extension information by using the ConfigMgr_ad_schema.ldf file.

Note

Before you extend your Active Directory schema, test the schema extensions for conflicts with your current Active Directory schema. For information about how to test the Active Directory schema extensions, see Testing for Active Directory Schema Extension Conflicts in the Active Directory Domain Services documentation.

Extend the Active Directory Schema by Using ExtADSch.exe

You can extend the Active Directory schema by running the extadsch.exe file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media. The extadsch.exe file displays no output when it is run directly, but it does provide feedback when you run it from a command prompt. When extadsch.exe runs, it generates a log file in the root of the system drive named extadsch.log, which indicates whether the schema update completed successfully and lists any problems that were encountered while extending the schema.

Tip

In addition to generating a log file, the extadsch.exe program displays results in the console window when it is run from the command line.

The following are limitations to using extadsch.exe:

  • Extadsch.exe is not supported when run on a Windows 2000–based computer. To extend the Active Directory schema from a Windows 2000–based computer, use the ConfigMgr_ad_schema.ldf file.

  • To enable the extadsch.log to be created when you run extadsch.exe on a Windows Vista computer, you must be logged onto the computer with an account that has local administrator permissions.

To extend the Active Directory schema by using Extadsch.exe

  1. Create a backup of the schema master domain controller’s system state.

  2. Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group.

    Important

    You must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running the extadsch.exe file by using the Run As command to attempt to extend the schema using alternate credentials will fail.

  3. Run extadsch.exe, located at \SMSSETUP\BIN\X64 on the installation media, to add the new classes and attributes to the Active Directory schema.

  4. Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive.

  5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.

    Note

    To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.

Extend the Active Directory Schema by Using an LDIF File

You can use the LDIFDE command-line utility to import directory objects into Active Directory Domain Services by using LDAP Data Interchange Format (LDIF) files.

For greater visibility of the changes being made to the Active Directory schema than the extadsch.exe utility provides, you can use the LDIFDE utility to import schema extension information by using the ConfigMgr_ad_schema.ldf file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media.

Note

The ConfigMgr_ad_schema.ldf file is unchanged from the version provided with Configuration Manager 2007.

To extend the Active Directory schema by using the ConfigMgr_ad_schema.ldf file

  1. Create a backup of the schema master domain controller’s system state.

  2. Open the ConfigMgr_ad_schema.ldf file, located in the SMSSETUP\BIN\X64 directory of the Configuration Manager installation media and edit the file to define the Active Directory root domain to extend. All instances of the text DC=x in the file must be replaced with the full name of the domain to extend.

    For example, if the full name of the domain to extend is named widgets.microsoft.com, change all instances of DC=x in the file to DC=widgets, DC=microsoft, DC=com.

  3. Use the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf file into Active Directory Domain Services.

    For example, the following command line will import the schema extensions into Active Directory Domain Services, turn on verbose logging, and create a log file during the import process: ldifde -i -f ConfigMgr_ad_schema.ldf -v -j <location to store log file>

  4. To verify that the schema extension was successful, you can review the log file created by the command line used in step 3.

  5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.

    Note

    To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.
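The LDIF procedure above as a script, added here as an example that is not part of the original page: it replaces DC=x with the forest root domain's distinguished name, refuses to run anywhere other than on the schema master as a Schema Admins member, runs ldifde with logging, and then verifies that every object DN listed in the LDF exists. It assumes the installation media is mounted at the assumed path D:\ and that the RSAT ActiveDirectory module is installed on the schema master.

```powershell
# Added example, not from the original page: script the LDIF procedure above.
# Assumes the media is mounted at $MediaRoot and the RSAT ActiveDirectory
# module is installed on the schema master. Take the system state backup
# (step 1) before running this.
param(
    [string]$MediaRoot = 'D:\',          # assumed media drive
    [string]$WorkDir   = 'C:\SchemaExt'  # edited LDF and ldifde logs go here
)
Import-Module ActiveDirectory

$forest = Get-ADForest
$rootDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
$here   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# The page requires an interactive logon on the schema master as a member of
# Schema Admins (Run As does not work); stop early if either condition fails.
if ($here -ne $forest.SchemaMaster) {
    throw "Run this on the schema master ($($forest.SchemaMaster)), not on $here."
}
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($env:USERNAME -notin $schemaAdmins) {
    throw "$env:USERNAME is not a member of Schema Admins."
}

# Step 2: replace every DC=x with the root domain DN (the page's widgets example
# becomes DC=widgets,DC=microsoft,DC=com) and confirm no placeholder is left.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$src = Join-Path $MediaRoot 'SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf'
$ldf = Join-Path $WorkDir 'ConfigMgr_ad_schema.ldf'
(Get-Content -Path $src) -replace 'DC=x\b', $rootDn | Set-Content -Path $ldf
if (Select-String -Path $ldf -Pattern 'DC=x\b' -Quiet) {
    throw 'DC=x placeholders remain in the edited LDF file; aborting.'
}

# Step 3: import with verbose output; -j puts ldif.log (and ldif.err on
# failure) in $WorkDir.
& ldifde.exe -i -f $ldf -v -j $WorkDir
if ($LASTEXITCODE -ne 0) {
    throw "ldifde exit code $LASTEXITCODE; review $WorkDir\ldif.err, then restore system state (step 5)."
}

# Step 4: verify by reading every object DN from the edited LDF and checking
# that it now exists in the directory.
$expected = Select-String -Path $ldf -Pattern '^dn:\s*(\S.*)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
$missing = foreach ($dn in $expected) {
    try { $null = Get-ADObject -Identity $dn -ErrorAction Stop } catch { $dn }
}
if ($missing) { Write-Warning "Objects not found after import:`n$($missing -join "`n")" }
else { Write-Host "All $(@($expected).Count) objects listed in the LDF exist in the schema." }
```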

Create the System Management Container

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services.

Tip

You can grant the site server's computer account Full Control permission to the System container in Active Directory Domain Services, which results in the site server automatically creating the System Management container when site information is first published to Active Directory Domain Services. However, it is more secure to manually create the System Management container.

Use ADSI Edit to create the System Management container in Active Directory Domain Services. For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc) in the Active Directory Domain Services documentation.

To manually create the System Management container

  1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.

  2. Run ADSI Edit, and connect to the domain in which the site server resides.

  3. Expand Domain <computer fully qualified domain name>, expand <distinguished name>, right-click CN=System, click New, and then click Object.

  4. In the Create Object dialog box, select Container, and then click Next.

  5. In the Value box, type System Management, and then click Next.

  6. Click Finish to complete the procedure.

Set Security Permissions on the System Management Container

After you have created the System Management container in Active Directory Domain Services, you must grant the site server's computer account the permissions that are required to publish site information to the container.

Important

The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects.

You can grant the necessary permissions by using the Active Directory Users and Computers administrative tool or the Active Directory Service Interfaces Editor (ADSI Edit). For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc).

Note

The following procedures are provided as examples of how to configure Windows Server 2008 R2 computers. If you are using a different operating system version, like Windows Server 2012 R2, refer to that operating system’s documentation for information about how to make similar configurations.

To apply permissions to the System Management container by using the Active Directory Users and Computers administrative tool

  1. Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.

  2. Click View, and then click Advanced Features.

  3. Expand the System container, right-click System Management, and then click Properties.

  4. In the System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.

  5. Click Advanced, select the site server’s computer account, and then click Edit.

  6. In the Apply to list, select This object and all descendant objects.

  7. Click OK and then close the Active Directory Users and Computers administrative tool to complete the procedure.

To apply permissions to the System Management container by using the ADSI Edit console

  1. Click Start, click Run, and enter adsiedit.msc to open the ADSIEdit console.

  2. If necessary, connect to the site server's domain.

  3. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, and then expand CN=System. Right-click CN=System Management, and then click Properties.

  4. In the CN=System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.

  5. Click Advanced, select the site server’s computer account, and then click Edit.

  6. In the Apply onto list, select This object and all descendant objects.

  7. Click OK to close the ADSIEdit console and complete the procedure.
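The container creation and permission procedures above as a script, added here as an example that is not part of the original page. It creates CN=System Management under CN=System only if it is missing, grants the site server's computer account Full Control on that container and all descendant objects (the page's scope, rather than Full Control on the whole System container), and then lists every principal that holds Full Control so that nothing broader is left in place. It assumes the RSAT ActiveDirectory module and a site server computer account name passed as $SiteServer (an assumed value).

```powershell
# Added example, not from the original page: create the System Management
# container and grant the site server computer account Full Control on it and
# all descendants, then audit who holds Full Control. $SiteServer is assumed.
param(
    [Parameter(Mandatory)][string]$SiteServer   # e.g. 'CM01' (assumed name)
)
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName
$systemDn    = "CN=System,$domainDn"
$containerDn = "CN=System Management,$systemDn"

# Extending the schema does not create the container; create it once per
# domain instead of granting the site server rights on CN=System itself.
$existing = Get-ADObject -LDAPFilter '(cn=System Management)' `
    -SearchBase $systemDn -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

# GenericAll is Full Control; inheritance All = "This object and all
# descendant objects" in the dialog described on the page.
$computer = Get-ADComputer -Identity $SiteServer
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $computer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl = Get-Acl -Path "AD:\$containerDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# Audit: only site server accounts and the expected built-in admin groups
# should hold Full Control here; anything else widens who can publish site data.
$full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -band $full) -eq $full } |
    Select-Object IdentityReference, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Run it once for each primary and secondary site server account that publishes to this domain.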

Enable Active Directory publishing for the Configuration Manager site

In addition to extending the Active Directory schema, creating the System Management container, and setting permissions for that container, you must enable Configuration Manager to publish site data to Active Directory Domain Services. For information about how to publish site data, see Planning for Publishing of Site Data to Active Directory Domain Services.

Configure Windows-Based Servers for Configuration Manager Site System Roles

Before you can use a Windows Server with System Center 2012 Configuration Manager, you must ensure that the computer is configured to support Configuration Manager operations. Use the information in the following sections to configure Windows servers for Configuration Manager. For more information about site system role prerequisites, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Note

The procedures in the following sections are provided as examples of how to configure Windows Server 2008 or Windows Server 2008 R2 computers. If you are using a different operating system version, like Windows Server 2012 R2, refer to that operating system’s documentation for information about how to make similar configurations.

Remote Differential Compression

Site servers and distribution points require Remote Differential Compression (RDC) to generate package signatures and perform signature comparison. If RDC is not enabled, you must enable it on these site system servers.

Use the following procedure as an example of how to enable Remote Differential Compression on Windows Server 2008 and Windows Server 2008 R2 computers. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.

To configure Remote Differential Compression for Windows Server 2008 or Windows Server 2008 R2

  1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.

  2. On the Select Features page, select Remote Differential Compression, and then click Next.

  3. Complete the wizard and close Server Manager to complete the configuration.

Internet Information Services (IIS)

Several site system roles require Internet Information Services (IIS). If IIS is not already enabled, you must enable it on site system servers before you install a site system role that requires IIS. In addition to the site system server, the following site systems roles require IIS:

  • Application Catalog web service point

  • Application Catalog website point

  • Distribution point

  • Enrollment point

  • Enrollment proxy point

  • Fallback status point

  • Management point

  • Software update point

The minimum version of IIS that Configuration Manager requires is the default version that is supplied with the operating system of the server that runs the site system.

For example, when you enable IIS on a Windows Server 2008 computer that you plan to use as a distribution point, IIS 7.0 is installed. You can also install IIS 7.5. If you enable IIS on a Windows 7 computer for a distribution point, IIS 7.5 is automatically installed. You cannot use IIS version 7.0 for a distribution point that runs Windows 7.

Use the following procedure as an example of how to install IIS on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.

To install Internet Information Services (IIS) on Windows Server 2008 and Windows Server 2008 R2 computers

  1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.

  2. On the Select Features page of the Add Features Wizard, install any additional features that are required to support the site system roles you install on this computer. For example, to add BITS Server Extensions:

    - For Windows Server 2008, select the BITS Server Extensions check box. For Windows Server 2008 R2, select the Background Intelligent Transfer Services (BITS) check box. When prompted, click Add Required Role Services to add the dependent components, including the Web Server (IIS) role, and then click Next.

    Tip

    If you are configuring a computer that will be a site server or distribution point, ensure that the Remote Differential Compression check box is selected.
    
  3. On the Web Server (IIS) page of the Add Features Wizard, click Next.

  4. On the Select Role Services page of the Add Features Wizard install any additional role services that are required to support the site system roles you install on this computer. For example, to add ASP.NET and Windows Authentication:

    - For Application Development, select the ASP.NET check box and, when prompted, click Add Required Role Services to add the dependent components.

    - For Security, select the Windows Authentication check box.
    
  5. In the Management Tools node, for IIS 6 Management Compatibility, ensure that both the IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility check boxes are selected, and then click Next.

  6. On the Confirmation page, click Install, complete the wizard, and close Server Manager to complete the configuration.

IIS Request Filtering for distribution points

By default, IIS blocks several file name extensions and folder locations from access by HTTP or HTTPS communication. If your package source files contain extensions that are blocked in IIS, you must configure the requestFiltering section in the applicationHost.config file on distribution point computers.

The following file name extensions are used by Configuration Manager for packages and applications. Allow the following file name extensions on distribution points:

  • .PCK

  • .PKG

  • .STA

  • .TAR

For example, you might have source files for a software deployment that include a folder named bin, or that contain a file with the .mdb file name extension. By default, IIS request filtering blocks access to these elements. When you use the default IIS configuration on a distribution point, clients that use BITS fail to download this software deployment from the distribution point. In this scenario, the clients indicate that they are waiting for content. To enable the clients to download this content by using BITS, on each applicable distribution point, edit the requestFiltering section of the applicationHost.config file to allow access to the files and folders in the software deployment.

Important

Modifications to the requestFiltering section apply to all websites on that server. This configuration increases the attack surface of the computer. The security best practice is to run Configuration Manager on a dedicated web server. If you must run other applications on the web server, use a custom website for Configuration Manager. For information about custom websites, see the Planning for Custom Websites with Configuration Manager section in Planning for Site Systems in Configuration Manager.

Use the following procedure as an example of how to modify requestFiltering on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure.

To configure request filtering for IIS on distribution points

  1. On the distribution point computer, open the applicationHost.config file located in the %Windir%\System32\Inetsrv\Config\ directory.

  2. Search for the <requestFiltering> section.

  3. Determine the file name extensions and folder names that you will have in the packages on this distribution point. For each extension and folder name that you require, perform the following steps:

    - If it is listed as a fileExtension element, set the value for allowed to true.

      For example, if your content contains a file with an .mdb extension, change the line <add fileExtension=".mdb" allowed="false" /> to <add fileExtension=".mdb" allowed="true" />.

      Allow only the file name extensions required for your content.

    - If it is listed as a <hiddenSegments> element, delete the entry that matches the file name extension or folder name from the file.

      For example, if your content contains a folder with the label of bin, remove the line <add segment="bin" /> from the file.
    
  4. Save and close the applicationHost.config file to complete the configuration.

HTTP verbs

Management points: To ensure that clients can communicate with a management point, ensure that the following HTTP verbs are allowed on the management point server:

  • GET

  • POST

  • CCM_POST

  • HEAD

  • PROPFIND

Distribution points: Distribution points require that the following HTTP verbs are allowed:

  • GET

  • HEAD

  • PROPFIND

For information about configuring request filtering, see Configure Request Filtering in IIS on TechNet, or similar documentation that applies to the version of Windows Server that hosts your management point.
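The request filtering edits above (file name extensions and hidden segments for distribution points, HTTP verbs for management points) as one audit-and-apply script, added here as an example that is not part of the original page. Without -Apply it only reports what would change and which extensions remain blocked, so that nothing beyond the required set is opened; with -Apply it backs up applicationHost.config and writes the minimal change. It assumes a 64-bit elevated PowerShell session (the inetsrv path is redirected for 32-bit processes) and, as the page warns, the change applies to every website on the server.

```powershell
# Added example, not from the original page: audit and minimally adjust the
# requestFiltering section of applicationHost.config. Assumes 64-bit elevated
# PowerShell. The defaults below are the values listed on the page.
param(
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
    [string[]]$AllowExtensions = @('.pck', '.pkg', '.sta', '.tar'),
    [string[]]$UnhideSegments  = @(),   # e.g. 'bin', only if your content has that folder
    [string[]]$AllowVerbs      = @('GET', 'POST', 'CCM_POST', 'HEAD', 'PROPFIND'),  # MP set; DP needs GET, HEAD, PROPFIND
    [switch]$Apply
)
$xml = [xml](Get-Content -Path $ConfigPath -Raw)
$rf  = $xml.SelectSingleNode('/configuration/system.webServer/security/requestFiltering')
if (-not $rf) { throw "No requestFiltering section found in $ConfigPath" }
$changes = New-Object System.Collections.Generic.List[string]

# File name extensions: flip allowed="false" to "true" only for the ones needed.
foreach ($ext in $AllowExtensions) {
    $n = $rf.SelectSingleNode("fileExtensions/add[@fileExtension='$ext']")
    if ($n -and $n.GetAttribute('allowed') -eq 'false') {
        $changes.Add("fileExtension $ext : allowed false -> true")
        if ($Apply) { $n.SetAttribute('allowed', 'true') }
    }
}
# Hidden segments: remove the entry for each folder name that must be served.
foreach ($seg in $UnhideSegments) {
    $n = $rf.SelectSingleNode("hiddenSegments/add[@segment='$seg']")
    if ($n) {
        $changes.Add("hiddenSegment '$seg' : removed")
        if ($Apply) { [void]$n.ParentNode.RemoveChild($n) }
    }
}
# Verbs: blocked if listed with allowed="false", or unlisted while the verbs
# element carries allowUnlisted="false".
$verbs = $rf.SelectSingleNode('verbs')
$allowUnlisted = -not ($verbs -and $verbs.GetAttribute('allowUnlisted') -eq 'false')
foreach ($verb in $AllowVerbs) {
    $n = if ($verbs) { $verbs.SelectSingleNode("add[@verb='$verb']") } else { $null }
    if ($n -and $n.GetAttribute('allowed') -eq 'false') {
        $changes.Add("verb $verb : allowed false -> true")
        if ($Apply) { $n.SetAttribute('allowed', 'true') }
    } elseif (-not $n -and -not $allowUnlisted) {
        $changes.Add("verb $verb : unlisted while allowUnlisted=false -> add allowed entry")
        if ($Apply) {
            $add = $xml.CreateElement('add')
            $add.SetAttribute('verb', $verb); $add.SetAttribute('allowed', 'true')
            [void]$verbs.AppendChild($add)
        }
    }
}

# Report what stays blocked so the change is visibly limited to the required set.
$stillBlocked = $rf.SelectNodes("fileExtensions/add[@allowed='false']") |
    ForEach-Object { $_.GetAttribute('fileExtension') }
Write-Host "Planned/applied changes:`n  $($changes -join "`n  ")"
Write-Host "Extensions still blocked: $($stillBlocked -join ' ')"

if ($Apply -and $changes.Count -gt 0) {
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $xml.Save($ConfigPath)   # re-indents the file; IIS picks the change up automatically
}
```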