Modify an MDM Active Directory Service Connection Point

2/9/2009

System Center Mobile Device Manager Active Directory Configuration Tool (ADConfig) creates the MDM Active Directory service connection point (SCP) for an MDM instance and implements other Active Directory configurations. If, after installation, you have to clear or modify the Active Directory SCPs—for example, to change ports or fully qualified domain name (FQDN) values—the best approach is to use the MDM Set-MDMInstance Cmdlet available in the MDM Server Tools. If you do not have access to the tools, then you can make the updates by following the manual processes described later in this topic.

Modify the SCP by using an MDM Shell Cmdlet

The MDM Set-MDMInstance Cmdlet allows you to change the port or the FQDN in an SCP. You might need to update an SCP if you modify your MDM installation—for example, to expand your MDM topology by adding more servers or to troubleshoot issues in MDM. Additionally, you might need to change a SQL Server instance in the SCP.

The MDM Set-MDMInstance Cmdlet provides a better alternative for updating SCPs than using a tool such as Active Directory Service Interfaces (ADSI) to manually modify the SCP. Performing manual modifications is a potentially error-prone process that can lead to instability in your MDM system.

For more information about installing and using the MDM Set-MDMInstance Cmdlet, see the guide included with the cmdlet when you download it.

Note

The MDM Set-MDMInstance Cmdlet is included in the MDM Server Tools, part of the MDM Resource Kit Tools. To download the MDM Set-MDMInstance Cmdlet, see MDM Server Tools at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=127030.

Modify the SCP by Manually Editing the SCP

To manually change information in an SCP, you will need a low-level Active Directory editor, such as ADSI Edit (ADSIEdit). For more information about ADSIEdit, see "Adsiedit Overview" on this Microsoft TechNet Web site: https://go.microsoft.com/fwlink/?LinkId=105659.

Warning

If you change the MDM SCP for an instance, it could cause MDM to function incorrectly. If the SCP is changed and the Secure Sockets Layer (SSL) certificates on the servers do not match the changed FQDNs in the SCP, this will cause some MDM components to fail. For example, MDM Administrator Tools will be unable to authenticate with the server correctly because the SCP FQDN does not match the certificate FQDN. We recommend that you do not modify an SCP unless there is no other option for your configuration.

Members of the SCMDMServerAdmins group have read/write permission for the Keywords attribute on SCPs. Therefore, a member of the group should be able to perform the procedures in this section without the intervention of a domain administrator.

The MDM Active Directory SCP

ADConfig creates the MDM Active Directory SCP for an MDM instance. The SCP is created in the default naming context of the domain in which you first ran ADConfig in the \System\SCMDM path during Active Directory configuration. The name of the SCP is the name of the instance concatenated with the phrase SCMDM.

ADConfig creates the SCP and populates it with limited data. During MDM Setup, the SCP is populated with additional information. The SCP is an important part of the setup process.

MDM uses the SCP for the following:

  • If this is the first installation of an MDM system component, MDM Setup prompts you to set the location of the database. Database values are stored in the SCP and used during later MDM installations.
  • MDM Setup sets the database keyword on the SCP to the SQL database that MDM will use. It also sets the sqlinstance keyword on the SCP if you specify an instance of SQL Server during MDM Setup.
  • MDM Setup references the SCP to help determine whether this is the first MDM Device Management Server or MDM Enrollment Server in an MDM instance.
  • Servers use the SCP to locate other MDM servers or server load balancers, as well as to determine what other types of servers are installed or configured for MDM.
  • MDM Administrator Tools use the SCP to locate MDM servers and load balancers, and to communicate with them.
  • MDM servers and services use the SCP to locate databases MDM uses.
  • MDM servers and services use the SCP to determine trusted certificates for MDM device certificates, Mobile Device Manager Gateway Central Management certificates, and MDM Web server certificates based on the object identifiers—also known as OIDs—in the certificate template.

MDM SCP Configuration Details

The following list describes the keyword attributes of an MDM SCP. Each keyword is followed by its meaning and, where applicable, an example value.

777E4F2E-CAC2-424E-BB71-2ABDA7F58947

MDM uses the globally unique identifier (GUID) to find the SCP. The GUID does not have a value but is a keyword of the SCP. Do not modify this property.

<InstanceName>SCMDM

The name of the SCP, where <InstanceName> is replaced with the name of the MDM instance. It does not have a value, but is a keyword of the SCP. Do not modify this property.

ENurl

Path of the MDM Enrollment Web site for the MDM Enrollment Server FQDN or MDM Enrollment Server load balancer FQDN.

Example: https://en.contoso.com:443/EnrollmentServer/Service.asmx

Automatic requests for certificates for this FQDN occur during MDM Setup.

Note   The MDM Enrollment Server port is fixed at 443.

ENAdminURL

The FQDN and port of the MDM Administration Web site for the MDM Enrollment Server FQDN, or MDM Enrollment Server load balancer FQDN.

Example: es.contoso.com:8445

Note   Contains the port of the MDM Administration Web site.

DMurl

The FQDN and port of the MDM Device Management Web site for the MDM Device Management Server FQDN or MDM Device Management Server load balancer FQDN, entered during the first setup of MDM Device Management Server.

Example: https://dm.contoso.com:8443/MDM/TEE/Handler.ashx

Automatic requests for certificates for this FQDN occur during MDM Setup.

Note   The FQDN format requires that you include the port, unless the port is 443.

DMAdminURL

The FQDN and port of the Administration Web service for the MDM Device Management Server FQDN or MDM Device Management Server load balancer FQDN.

Example: dm.contoso.com:8446

Note   Contains the port of the Enrollment Administration Web site.

database

The FQDN of the single database server for all MDM databases.

Example: db.contoso.com

sqlInstance

The SQL instance in which the MDM databases reside.

If you are prompted for the location of the database, you must provide the FQDN of the database server and the SQL instance name.

Example: db.contoso.com\SQLInstanceName

If you are using the default SQL instance, you can omit the instance name.

Example: db.contoso.com

serverCA

The certification authority server from which MDM Setup requests server certificates during MDM installation (if this option is selected).

serverCAName

The certification authority name from which MDM Setup requests server certificates during MDM installation (if this option is selected).

instance

The name of the MDM instance. Do not modify this property.

instanceFriendly

The friendly name of the MDM instance to be displayed in user interfaces, cmdlets, and so on.

deviceOID

The certificate template object identifiers for trusted managed device certificate templates that are associated with the instance. Do not modify this property except by using the Grant- or Revoke-MDMCertificateTemplate cmdlets, or if you are following steps that are provided in a troubleshooting topic.

GCMOID

The certificate template object identifiers for the Gateway Central Management certificate templates that are associated with the instance. Do not modify this property except by using the Grant- or Revoke-MDMCertificateTemplate cmdlets, or if you are following steps that are provided in a troubleshooting topic.

webServerOID

The certificate template object identifiers for trusted Web server certificate templates for MDM Gateway Server, MDM Enrollment Server, and MDM Device Management Server that are associated with the instance. Do not modify this property except by using the Grant- or Revoke-MDMCertificateTemplate cmdlets, or if you are following steps that are provided in a troubleshooting topic.

upgradeDeviceOID

The certificate template object identifiers for trusted managed device certificate templates that are associated with the instance when the instance is upgraded from System Center Mobile Device Manager. These are earlier object identifiers for current devices. Do not modify this property except by using the Grant- or Revoke-MDMCertificateTemplate cmdlets, or if you are following steps that are provided in a troubleshooting topic.

upgradeGCMOID

The certificate template object identifiers for the Gateway Central Management certificate templates that are associated with an upgraded System Center Mobile Device Manager instance. These are earlier GCM templates. Do not modify this property except by using the Grant- or Revoke-MDMCertificateTemplate cmdlets, or if you are following steps that are provided in a troubleshooting topic.

upgradeWebServerOID

The certificate template object identifiers for trusted Web server certificate templates for MDM Gateway Server, MDM Enrollment Server, and MDM Device Management Server that are associated with the instance. These are earlier Web server object identifiers. Do not modify this property except by using the Grant- or Revoke-MDMCertificateTemplate cmdlets, or if you are following steps that are provided in a troubleshooting topic.

version

For MDM 2008 SP1, the value is 2.0.0.0. Do not modify this property.

Modifying an MDM Active Directory SCP

After you install MDM or make a system modification, you might need to change either the port or the FQDN in an MDM SCP. Additionally, you might need to change a SQL instance in an SCP.

If you modify the SCP for an MDM instance, you must restart all MDM services on all computers that are running the MDM instance. This includes computers that are running MDM Device Management Server and MDM Enrollment Server, and all administration consoles or any open MDM Shell. The restarts are necessary to detect the updated SCP correctly.

Note

If you change the FQDNs, the change can cause problems with the MDM system if the FQDNs do not match the SSL certificates installed on the Web services or the Gateway Central Management (GCM) service. Changing the SCP might require that you reissue certificates.

Warning

If you modify Active Directory with a low-level editor such as ADSIEdit, it could cause problems with your Active Directory structure or environment. If you modify Active Directory, the changes could cause serious system errors. We cannot guarantee that these errors are solvable. Modify Active Directory at your own risk.

Modify an MDM SCP

This section shows you how to change information in an MDM SCP. As with all system modifications, missteps could make your MDM system unstable.

To Modify an MDM SCP

  1. Open ADSI Edit (ADSIEdit).

  2. Expand the domain in which you first ran ADConfig.

  3. Expand CN=System.

  4. Expand CN=SCMDM. A list of the MDM SCPs is displayed. For example, if your MDM instance is named Contoso, you will see an SCP called CN=Contoso listed. Right-click the SCP that you want to modify.

  5. Select Properties.

  6. In the Properties dialog box, select Show only attributes that have values.

  7. Locate and then select the keywords attribute.

  8. Choose Edit to view the current values for the SCP.

  9. In the Multi-valued String Editor dialog box, select the value that you want to modify and then choose Remove. The value appears in the Value to add box.

  10. Modify the entry, but do not change the adminurl= or url= label in front of the newly modified Value to add entry.

  11. Choose Add. The modified entry appears in the Values list.

  12. Choose OK two times to close the editor.

If you uninstall MDM from all computers in the MDM instance and plan to reinstall MDM later, make sure that you clear the values of the following keywords in the MDM server SCP: ENadminurl=, DMadminurl=, ENurl= and DMurl=. Do not, however, remove the keywords themselves; leave each label in place with an empty value.
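To make the keyword format and the cautions in this topic concrete, here is an added Python example (not part of this documentation and not one of the MDM tools). It parses a keywords attribute as ADSIEdit displays it, reports the conditions this topic warns about (a missing GUID keyword, an ENurl port other than 443, and URL FQDNs that have no matching SSL certificate), and replaces or clears a value without touching its label, as step 10 and the paragraph above require. The keyword strings and certificate host names are constructed from the contoso.com examples in the keyword list above.

```python
from urllib.parse import urlsplit

# Added example, not MDM's own tooling. Keyword strings are constructed from
# the contoso.com examples in the keyword list; real values come from the SCP.
MDM_SCP_GUID = "777E4F2E-CAC2-424E-BB71-2ABDA7F58947"
SAMPLE_KEYWORDS = [
    MDM_SCP_GUID,                       # keyword with no value; never modify
    "ContosoSCMDM",                     # <InstanceName>SCMDM; never modify
    "ENurl=https://en.contoso.com:443/EnrollmentServer/Service.asmx",
    "ENAdminURL=es.contoso.com:8445",
    "DMurl=https://dm.contoso.com:8443/MDM/TEE/Handler.ashx",
    "DMAdminURL=dm.contoso.com:8446",
]

def parse_keywords(values):
    # 'label=value' -> {lower-cased label: value}; entries with no '=' are flags.
    split = [v.partition("=") for v in values]
    pairs = {lbl.lower(): val for lbl, sep, val in split if sep}
    flags = [lbl for lbl, sep, _ in split if not sep]
    return pairs, flags

def check_scp(values, cert_hosts):
    # Problems a changed SCP would cause; cert_hosts = FQDNs on the installed
    # SSL certificates (a mismatch breaks MDM, per the Warning above).
    pairs, flags = parse_keywords(values)
    problems = []
    if MDM_SCP_GUID not in flags:
        problems.append("GUID keyword missing; MDM cannot find this SCP")
    for label in ("enurl", "dmurl"):
        parts = urlsplit(pairs.get(label, ""))
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{label} is not an https URL")
        elif label == "enurl" and (parts.port or 443) != 443:
            problems.append("ENurl port is fixed at 443")
        elif parts.hostname not in cert_hosts:
            problems.append(f"{label}: no certificate for {parts.hostname}")
    for label in ("enadminurl", "dmadminurl"):
        host, _, port = pairs.get(label, "").rpartition(":")
        if host not in cert_hosts or not port.isdigit():
            problems.append(f"{label} must be FQDN:port with a certificate")
    return problems

def set_keyword(values, label, new_value):
    # Replace one value but keep its label (procedure step 10); new_value ""
    # clears a keyword without removing it, as the paragraph above requires.
    if label.lower() not in parse_keywords(values)[0]:
        raise KeyError(f"keyword {label} is not present in this SCP")
    return [f"{lbl}={new_value}" if sep and lbl.lower() == label.lower() else v
            for v in values for lbl, sep, _ in [v.partition("=")]]
```

Run check_scp against the host names on your servers' certificates before and after any SCP change; a non-empty result is the mismatch that makes MDM Administrator Tools fail to authenticate.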