Running ADConfig to Upgrade Active Directory

2/9/2009

Before you upgrade the MDM 2008 server components, you must configure the domain by running the Active Directory Configuration Tool (ADConfig) from the Setup menu on the MDM 2008 SP1 installation disc. You must run three commands to upgrade the Active Directory objects and certificate templates. You must also perform the manual steps that are listed in this section. The required commands are as follows.

  • ADConfig.exe /upgradeInstance:SCMDM2008
    This required parameter upgrades the Active Directory objects in the same domain as the existing MDM 2008 installation. You must have domain administrator privileges to run this command. This command performs the following:

    • Automatically detects the MDM 2008 domain and creates an instance named SCMDM2008 for the upgraded objects. This instance name cannot be changed.
    • Creates upgrade objects for MDM 2008 SP1 in the same domain.
    • Copies users, computers, and other objects to the new groups as necessary.
    • Moves devices from the default MDM 2008 organizational unit (OU) to the default MDM 2008 SP1 instance OU.
    • Detects the Group Policy objects (GPOs) set for the default MDM 2008 OU and applies them to the MDM 2008 SP1 OU.
    • Detects the Group Policy objects (GPOs) in this domain that have permissions set for the MDM 2008 instance. Also attempts to set permissions for the MDM 2008 SP1 instance on those GPOs that have permissions set for MDM 2008.
    • Enables the newly created SCMDM2008 instance for the domain.
  • ADConfig.exe /upgradeTemplates:SCMDM2008
    This required parameter upgrades the certificate templates. This command requires enterprise administrator permissions and performs the following:

    • Creates MDM 2008 SP1 certificate templates.
    • Places the certificate object identifiers (also known as OIDs) from the MDM 2008 certificate templates into the object identifiers list so that devices from the MDM 2008 instance can still connect to the new MDM 2008 SP1 instance.
    • Creates new certificate templates. The old certificate templates will remain intact.
  • ADConfig.exe /enableTemplates:SCMDM2008 /ca:<ca server>\<ca name>
    This required parameter enables MDM 2008 SP1 certificate templates on the certification authority. You must run this command on any certification authority where MDM certificate templates are installed.

    This command requires:

    • Administrator permissions on the certification authority for setting certification authority permissions.
    • Permissions for adding the templates to the certification authority object in Active Directory. You will need enterprise administrator permissions for this action.

You must run ADConfig.exe /enableinstance to enable the instance for all domains where you have devices. This is required. You must also run ADConfig.exe /enablegpsecurity for GPOs that you want to have enabled for the new SCMDM2008 instance.

It is strongly recommended that you run ADConfig.exe /validateinstance to ensure the integrity of your newly upgraded instance before continuing with further steps. For a description of these parameters and usage instructions, see ADConfig Tool.

The following procedures will upgrade your Active Directory environment and create certificate templates for MDM 2008 SP1. You must perform the steps in the provided order.

To upgrade Active Directory objects

  1. Run Setup.exe on the System Center Mobile Device Manager installation CD.

  2. On the Start menu, choose Configure Active Directory for MDM. A Command Prompt window appears that displays Active Directory Configuration Help.

  3. At the command prompt, type the command ADConfig.exe /upgradeInstance:SCMDM2008, where SCMDM2008 will be the new instance name for the MDM 2008 installation. For the upgrade you must use the SCMDM2008 instance name, and you cannot modify this instance name.

  4. Press ENTER.

  5. When you are prompted by the message Do you want to proceed?, press Y, and then press ENTER.

  6. After you have upgraded the SCMDM2008 instance, you must enable it for any domains where you have devices or will have devices. When you run the ADConfig /upgradeInstance:SCMDM2008 command, the SCMDM2008 instance is automatically enabled in the domain where it was run.

    1. If you want to enable the upgraded instance in any other domains, at the command prompt, type the command ADConfig.exe /enableInstance:SCMDM2008 /domain:<domain>, where SCMDM2008 is the MDM instance name and <domain> is the name of the domain where you want to enable the instance.
    2. Press ENTER. A message appears to confirm that the SCMDM2008 instance is enabled in the domain.

To upgrade and enable MDM 2008 certificate templates

  1. Create the MDM certificate templates.

    1. Type the command ADConfig.exe /upgradeTemplates:SCMDM2008 where SCMDM2008 is the MDM instance name.
    2. Press ENTER. A prompt appears that explains that the certificate templates will be upgraded. The upgrade process creates new certificate templates; however, the old certificate templates will remain intact.
    3. When you are prompted Do you want to proceed?, press Y, and then press ENTER.
  2. After Active Directory creates the templates, you must enable them on each certification authority where you want to have the certificate templates and permissions issued.

    1. At the command prompt, type the command ADConfig.exe /enableTemplates:SCMDM2008 /ca:<ca_server_fqdn>\<ca_instance_name>, where SCMDM2008 is the MDM instance name, <ca_server_fqdn> is the fully qualified domain name of the specified certification authority server, and <ca_instance_name> is the instance name of the certification authority.
      You must use quotation marks for this command if there are spaces in your certification authority name or instance. An example would be ADConfig.exe /enabletemplates:SCMDM2008 /ca:"server.contoso.com\ca name". If you do not have spaces in the certification authority instance and server names, you must not use quotation marks, or the process will fail.
    2. Press ENTER. A message appears to confirm that the templates will be enabled.
    3. When you are prompted Do you want to proceed?, press Y, and then press ENTER.
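
The following PowerShell sketch is an added example, not part of the MDM documentation. It checks the current logon token for the Domain Admins (RID 512) and Enterprise Admins (RID 519) group SIDs that the commands above require, then prints the ADConfig command lines in the required order, quoting the /ca: value only when it contains a space. The domain and certification authority names are constructed sample values.

```powershell
# Added example: build the ADConfig command lines for the upgrade in page order.
$Instance     = 'SCMDM2008'   # fixed by the upgrade; the page says it cannot be changed
# Constructed sample values (assumptions): replace with your own domains and CAs.
$OtherDomains = @('emea.contoso.com')
$CAs          = @(
    @{ Server = 'server.contoso.com'; Name = 'ca name' },    # contains a space
    @{ Server = 'ca2.contoso.com';    Name = 'IssuingCA' }   # no spaces
)

function Test-TokenGroupRid {
    # True when the current logon token holds an enabled domain group SID ending
    # in -<Rid> (512 = Domain Admins, 519 = Enterprise Admins).
    param([int]$Rid)
    $sids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups
    [bool]($sids | Where-Object { $_.Value -match "^S-1-5-21-.+-$Rid`$" })
}

function Format-CaArgument {
    # Quote the /ca: value only when it contains a space. The page states that
    # quotation marks without spaces make the command fail.
    param([string]$Server, [string]$Name)
    $value = $Server + '\' + $Name
    if ($value.Contains(' ')) { '/ca:"' + $value + '"' } else { '/ca:' + $value }
}

function Get-UpgradePlan {
    # Emit the command lines in the order given by the two procedures above.
    "ADConfig.exe /upgradeInstance:$Instance"
    foreach ($d in $OtherDomains) { "ADConfig.exe /enableInstance:$Instance /domain:$d" }
    "ADConfig.exe /upgradeTemplates:$Instance"
    foreach ($ca in $CAs) {
        "ADConfig.exe /enableTemplates:$Instance " + (Format-CaArgument $ca.Server $ca.Name)
    }
}

if (-not (Test-TokenGroupRid 512)) {
    Write-Warning 'Domain Admins SID not in current token; /upgradeInstance requires domain administrator privileges.'
}
if (-not (Test-TokenGroupRid 519)) {
    Write-Warning 'Enterprise Admins SID not in current token; /upgradeTemplates and /enableTemplates require enterprise administrator permissions.'
}
Get-UpgradePlan
```

The /enableinstance step for the home domain is omitted because /upgradeInstance enables it automatically; /enablegpsecurity and /validateinstance are omitted because their arguments are described under ADConfig Tool rather than on this page.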