Use the information in the following sections to help you
configure your Windows environment to support
System Center 2012 Configuration Manager.
When you extend the Active Directory schema, this
action is a forest-wide configuration that you must do one time per
forest. Extending the schema is an irreversible action and must be
done by a user who is a member of the Schema Admins Group or who
has been delegated sufficient permissions to modify the schema. If
you decide to extend the Active Directory schema, you can extend it
before or after Setup. For information to help you decide whether
to extend the Active Directory schema, see Determine Whether to
Extend the Active Directory Schema for Configuration
Manager.
 Tip |
| If the Active Directory schema was extended with the
Configuration Manager 2007 schema extensions, you do not have to
extend the schema for System Center 2012
Configuration Manager. The Active Directory schema extensions
are unchanged from Configuration Manager 2007. |
Four actions are required to successfully enable
Configuration Manager clients to query Active Directory Domain
Services to locate site resources:
- Extend the Active Directory schema.
- Create the System Management container.
- Set security permissions on the System
Management container.
- Enable Active Directory publishing for the
Configuration Manager site
Extend the Active Directory
Schema
Configuration Manager supports two methods to extend
the Active Directory schema. The first is to use the extadsch.exe
utility. The second is to use the LDIFDE utility to import the
schema extension information by using the
ConfigMgr_ad_schema.ldf file.
 Note |
| Before you extend your Active Directory schema, test the schema
extensions for conflicts with your current Active Directory schema.
For information about how to test the Active Directory schema
extensions, see Testing for Active Directory Schema
Extension Conflicts in the Active Directory Domain Services
documentation. |
Extend the Active Directory Schema by
Using ExtADSch.exe
You can extend the Active Directory schema by running
the extadsch.exe file located in the SMSSETUP\BIN\X64
folder on the Configuration Manager installation media. The
extadsch.exe file does not display output when it runs but does
provide feedback when you run it from a command console as a
command line. When extadsch.exe runs, it generates a log file in
the root of the system drive named extadsch.log, which
indicates whether the schema update completed successfully or any
problems that were encountered while extending the schema.
| Tip |
| In addition to generating a log file, the extadsch.exe
program displays results in the console window when it is run from
the command line. |
The following are limitations to using
extadsch.exe:
- Extadsch.exe is not supported when run
on a Windows 2000–based computers. To extend the Active Directory
schema from a Windows 2000–based computer, use the
ConfigMgr_ad_schema.ldf.
- To enable the extadsch.log to be
created when you run extadsch.exe on a Windows Vista
computer, you must be logged onto the computer with an account that
has local administrator permissions.
To extend the Active Directory
schema by using Extadsch.exe
-
Create a backup of the schema master domain
controller’s system state.
-
Ensure that you are logged on to the schema master
domain controller with an account that is a member of the Schema
Admins security group.
 Important |
| You must be logged on as a member of the Schema Admins security
group in order to successfully extend the schema. Running the
extadsch.exe file by using the Run As command to
attempt to extend the schema using alternate credentials will
fail. |
-
Run extadsch.exe, located at
\SMSSETUP\BIN\X64 on the installation media, to add the new
classes and attributes to the Active Directory schema.
-
Verify that the schema extension was successful by
reviewing the extadsch.log located in the root of the system
drive.
-
If the schema extension procedure was unsuccessful,
restore the schema master's previous system state from the backup
created in step 1.
Extend the Active Directory Schema by
Using an LDIF File
You can use the LDIFDE command-line utility to import
directory objects into Active Directory Domain Services by using
LDAP Data Interchange Format (LDIF) files.
For greater visibility of the changes being made to the
Active Directory schema than the extadsch.exe utility provides, you
can use the LDIFDE utility to import schema extension information
by using the ConfigMgr_ad_schema.ldf file located in the
SMSSETUP\BIN\X64 folder on the Configuration Manager
installation media.
| Note |
| The ConfigMgr_ad_schema.ldf file is unchanged from the version
provided with Configuration Manager 2007. |
To extend the Active Directory
schema by using the ConfigMgr_ad_schema.ldf file
-
Create a backup of the schema master domain
controller’s system state.
-
Open the ConfigMgr_ad_schema.ldf file, located
in the SMSSETUP\BIN\X64 directory of the Configuration
Manager installation media and edit the file to define the Active
Directory root domain to extend. All instances of the text
DC=x in the file must be replaced with the full name of the
domain to extend.
For example, if the full name of the domain to extend
is named widgets.microsoft.com, change all instances of DC=x
in the file to DC=widgets, DC=microsoft, DC=com.
-
Use the LDIFDE command-line utility to import the
contents of the ConfigMgr_ad_schema.ldf file into Active
Directory Domain Services.
For example, the following command line will import the
schema extensions into Active Directory Domain Services, turn on
verbose logging, and create a log file during the import
process:
ldifde –i –f ConfigMgr_ad_schema.ldf –v –j <location to store
log file>
-
To verify that the schema extension was successful, you
can review the log file created by the command line used in step
3.
-
If the schema extension procedure was unsuccessful,
restore the schema master's previous system state from the backup
created in step 1.
Create the System Management
Container
Configuration Manager does not automatically create the
System Management container in Active Directory Domain Services
when the schema is extended. The container must be created one time
for each domain that includes a Configuration Manager primary site
server or secondary site server that publishes site information to
Active Directory Domain Services
| Tip |
| You can grant the site servers computer account Full
Control permission to the System container in Active Directory
Domain Services, which results in the site server automatically
creating the System Management container when site information is
first published to Active Directory Domain Services. However, it is
more secure to manually create the System Management
container. |
Use ADSI Edit to create the System Management container
in Active Directory Domain Services. For more information about how
to install and use ADSI Edit, see ADSI Edit (adsiedit.msc) in the Active
Directory Domain Services documentation.
To manually create the System
Management container
-
Log on as an account that has the Create All Child
Objects permission on the System container in Active
Directory Domain Services.
-
Run ADSI Edit, and connect to the domain in
which the site server resides.
-
Expand Domain <computer fully qualified
domain name>, expand <distinguished name>, right-click
CN=System, click New, and then click
Object.
-
In the Create Object dialog box, select
Container, and then click Next.
-
In the Value box, type System Management,
and then click Next.
-
Click Finish to complete the procedure.
Set Security Permissions on the
System Management Container
After you have created the System Management container
in Active Directory Domain Services, you must grant the site
server's computer account the permissions that are required to
publish site information to the container.
| Important |
| The primary site server computer account must be granted
Full Control permissions to the System Management container
and all its child objects. If you have secondary sites, the
secondary site server computer account must also be granted Full
Control permissions to the System Management container and all
its child objects. |
You can grant the necessary permissions by using the
Active Directory Users and Computers administrative tool or the
Active Directory Service Interfaces Editor (ADSI Edit). For more
information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc).
| Note |
| The following procedures are provided as examples of how to
configure Windows Server 2008 R2 computers. If you are
using a different operating system version, refer to that operating
system’s documentation for information about how to make similar
configurations. |
To apply permissions to the System
Management container by using the Active Directory Users and
Computers administrative tool
-
Click Start, click Run, and then enter
dsa.msc to open the Active Directory Users and Computers
administrative tool.
-
Click View, and then click Advanced
Features.
-
Expand the System container, right-click
System Management, and then click Properties.
-
In the System Management Properties dialog box,
click the Security tab, and then click Add to add the
site server computer account. Grant the account Full Control
permissions.
-
Click Advanced, select the site server’s
computer account, and then click Edit.
-
In the Apply to list, select This object and
all descendant objects.
-
Click OK and then close the Active Directory
Users and Computers administrative tool to complete the
procedure.
To apply permissions to the System
Management container by using the ADSI Edit console
-
Click Start, click Run, and enter
adsiedit.msc to open the ADSIEdit console.
-
If necessary, connect to the site server's domain.
-
In the console pane, expand the site server's domain,
expand DC=<server distinguished name>, and then expand
CN=System. Right-click CN=System Management, and then
click Properties.
-
In the CN=System Management Properties dialog
box, click the Security tab, and then click Add to
add the site server computer account. Grant the account Full
Control permissions.
-
Click Advanced, select the site server’s
computer account, and then click Edit.
-
In the Apply onto list, select This object
and all descendant objects.
-
Click OK to close the ADSIEdit console and
complete the procedure.
Enable Active Directory publishing
for the Configuration Manager site
In addition to extending the Active Directory schema,
creating the System Management container, and setting permissions
for that container, you must enable Configuration Manager to
publish site data to Active Directory Domain Services.
For information about how to publish site data, see Planning for Publishing
of Site Data to Active Directory Domain Services.
Before you can use a Windows Server with
System Center 2012 Configuration Manager, you must
ensure that the computer is configured to support Configuration
Manager operations. Use the information in the following sections
to configure Windows servers for Configuration Manager. For more
information about site system role prerequisites, see the
Prerequisites for Site System Roles section in the Supported Configurations
for Configuration Manager topic.
| Note |
| The procedures in the following sections are provided as
examples of how to configure Windows Server 2008 or
Windows Server 2008 R2 computers. If you are using a
different operating system version, refer to that operating
system’s documentation for information about how to make similar
configurations. |
Remote Differential Compression
Site servers and distribution points require Remote
Differential Compression (RDC) to generate package signatures and
perform signature comparison. If RDC is not enabled, you must
enable it on these site system servers.
Use the following procedure as an example of how to
enable Remote Differential Compression on Windows Server 2008
and Windows Server 2008 R2 computers. If you have a
different operating system version, refer to your operating system
documentation for the equivalent procedure.
To configure Remote Differential
Compression for Windows Server 2008 or Windows Server
2008 R2
-
On the Windows Server 2008 or Windows Server
2008 R2 computer, navigate to Start / All Programs /
Administrative Tools / Server Manager to start Server
Manager. In Server Manager, select the Features node and
click Add Features to start the Add Features
Wizard.
-
On the Select Features page, select Remote
Differential Compression, and then click Next.
-
Complete the wizard and close Server Manager to
complete the configuration.
Internet Information Services (IIS)
Several site system roles require Internet Information
Services (IIS). If IIS is not already enabled, you must enable it
on site system servers before you install a site system role that
requires IIS. In addition to the site system server, the following
site systems roles require IIS:
- Application Catalog web service point
- Application Catalog website point
- Distribution point
- Enrollment point
- Enrollment proxy point
- Fallback status point
- Management point
- Software update point
The minimum version of IIS that Configuration Manager
requires is the default version that is supplied with the operating
system of the server that runs the site system.
For example, when you enable IIS on a
Windows Server 2008 computer that you plan to use as a
distribution point, IIS 7.0 is installed. You can also install IIS
7.5. If you enable IIS on a Windows 7 computer for a
distribution point, IIS 7.5 is automatically installed. You cannot
use IIS version 7.0 for distribution point that runs
Windows 7.
Use the following procedure as an example of how to
install IIS on a Windows Server 2008 or Windows Server
2008 R2 computer. If you have a different operating system
version, refer to your operating system documentation for the
equivalent procedure.
To install Internet Information
Services (IIS) on Windows Server 2008 and Windows Server 2008 R2
computers
-
On the Windows Server 2008 or Windows Server
2008 R2 computer, navigate to Start / All Programs /
Administrative Tools / Server Manager to start Server
Manager. In Server Manager, select the Features node and
click Add Features to start the Add Features
Wizard.
-
On the Select Features page of the Add Features
Wizard, install any additional features that are required to
support the site system roles you install on this computer. For
example, to add BITS Server Extensions:
- For Windows Server 2008, select the
BITS Server Extensions check box. For Windows Server
2008 R2, select the Background Intelligent Transfer
Services (BITS) check box. When prompted, click Add Required
Role Services to add the dependent components, including the
Web Server (IIS) role, and then click Next.
| Tip |
| If you are configuring computer that will be a site server or
distribution point, ensure the check box for Remote Differential
Compression is selected. |
-
On the Web Server (IIS) page of the Add Features
Wizard, click Next.
-
On the Select Role Services page of the Add
Features Wizard install any additional role services that are
required to support the site system roles you install on this
computer. For example, to add ASP.NET and Windows
Authentication:
- For Application Development, select
the ASP.NET check box and, when prompted, click Add Required
Role Services to add the dependent components.
- For Security, select the Windows
Authentication check box.
-
In the Management Tools node, for IIS 6
Management Compatibility, ensure that both the IIS 6
Metabase Compatibility and IIS 6 WMI Compatibility
check boxes are selected, and then click Next.
-
On the Confirmation page, click Install,
complete the wizard, and close Server Manager to complete the
configuration.
Request Filtering for IIS
By default, IIS blocks several file name extensions and
folder locations from access by HTTP or HTTPS communication. If
your package source files contain extensions that are blocked in
IIS, you must configure the requestFiltering section in the
applicationHost.config file on distribution point computers.
The following file name extensions are used by
Configuration Manager for packages and applications. Allow the
following file name extensions on distribution points:
For example, you might have source files for a software
deployment that include a folder named bin, or that contain
a file with the . mdb file name extension. By default, IIS
request filtering blocks access to these elements. When you use the
default IIS configuration on a distribution point, clients that use
BITS fail to download this software deployment from the
distribution point. In this scenario, the clients indicate that
they are waiting for content. To enable the clients to download
this content by using BITS, on each applicable distribution point,
edit the requestFiltering section of the
applicationHost.config file to allow access to the files and
folders in the software deployment.
Use the following procedure as an example of how to
modify requestFiltering on a Windows Server 2008 or
Windows Server 2008 R2 computer. If you have a different
operating system version, refer to your operating system
documentation for the equivalent procedure.
To configure request filtering
for IIS on distribution points
-
On the distribution point computer, open the
applicationHost.config file located in the
%Windir%\System32\Inetsrv\Config\ directory.
-
Search for the <requestFiltering>
section.
-
Determine the file name extensions and folder names
that you will have in the packages on this distribution point. For
each extension and folder name that you require, perform the
following steps:
- If it is listed as a fileExtension
element, set the value for allowed to true.
For example, if your content contains a file with an .mdb
extension, change the line <add fileExtension=".mdb"
allowed="false" /> to <add fileExtension=".mdb"
allowed="true" />.
Allow only the file name extensions required for your content.
- If it is listed as a
<hiddenSegments> element, delete the entry that
matches the file name extension or folder name from the file.
For example, if your content contains a folder with the label of
bin, remove the line <add segment=”bin” /> from
the file.
-
Save and close the applicationHost.config file to
complete the configuration.
