Use the information in the following sections to help you
configure your Windows environment to support
System Center 2012 Configuration Manager.
Extending the Active Directory schema is a forest-wide configuration that you must do one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after Setup. For information to help you decide whether to extend the Active Directory schema, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.
Tip: If the Active Directory schema was extended with the Configuration Manager 2007 schema extensions, you do not have to extend the schema for System Center 2012 Configuration Manager. The Active Directory schema extensions are unchanged from Configuration Manager 2007.
Three actions are required to successfully enable
Configuration Manager clients to query Active Directory Domain
Services to locate site resources:
- Extend the Active Directory schema.
- Create the System Management container.
- Set security permissions on the System
Management container.
Extend the Active Directory Schema
Configuration Manager supports two methods to extend
the Active Directory schema. The first is to use the extadsch.exe
utility. The second is to use the LDIFDE utility to import the
schema extension information by using the
ConfigMgr_ad_schema.ldf file.
Note: Before you extend your Active Directory schema, test the schema extensions for conflicts with your current Active Directory schema. For information about how to test the Active Directory schema extensions, see Testing for Active Directory Schema Extension Conflicts in the Active Directory Domain Services documentation.
Extend the Active Directory Schema by Using ExtADSch.exe
You can extend the Active Directory schema by running the extadsch.exe file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media. The extadsch.exe file displays no output of its own when it runs, but it does provide feedback when you run it from a command console. When extadsch.exe runs, it generates a log file in the root of the system drive named extadsch.log, which indicates whether the schema update completed successfully and lists any problems that were encountered while extending the schema.
Tip: In addition to generating a log file, the extadsch.exe program displays results in the console window when it is run from the command line.
The following are limitations to using extadsch.exe:
- Extadsch.exe is not supported when run on a Windows 2000-based computer. To extend the Active Directory schema from a Windows 2000-based computer, use the ConfigMgr_ad_schema.ldf file.
- To enable the extadsch.log file to be created when you run extadsch.exe on a Windows Vista computer, you must be logged on to the computer with an account that has local administrator permissions.
To extend the Active Directory schema by using Extadsch.exe
1. Create a backup of the schema master domain controller's system state.
2. Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group.
Important: You must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running the extadsch.exe file by using the Run As command to attempt to extend the schema using alternate credentials will fail.
3. Run extadsch.exe, located at \SMSSETUP\BIN\X64 on the installation media, to add the new classes and attributes to the Active Directory schema.
4. Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive.
5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.
Extend the Active Directory Schema by Using an LDIF File
You can use the LDIFDE command-line utility to import
directory objects into Active Directory Domain Services by using
LDAP Data Interchange Format (LDIF) files.
For greater visibility of the changes being made to the
Active Directory schema than the extadsch.exe utility provides, you
can use the LDIFDE utility to import schema extension information
by using the ConfigMgr_ad_schema.ldf file located in the
SMSSETUP\BIN\X64 folder on the Configuration Manager
installation media.
Note: The ConfigMgr_ad_schema.ldf file is unchanged from the version provided with Configuration Manager 2007.
To extend the Active Directory schema by using the ConfigMgr_ad_schema.ldf file
1. Create a backup of the schema master domain controller's system state.
2. Open the ConfigMgr_ad_schema.ldf file, located in the SMSSETUP\BIN\X64 directory of the Configuration Manager installation media, and edit the file to define the Active Directory root domain to extend. All instances of the text DC=x in the file must be replaced with the full name of the domain to extend.
For example, if the full name of the domain to extend is widgets.microsoft.com, change all instances of DC=x in the file to DC=widgets, DC=microsoft, DC=com.
3. Use the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf file into Active Directory Domain Services.
For example, the following command line will import the schema extensions into Active Directory Domain Services, turn on verbose logging, and create a log file during the import process:
ldifde -i -f ConfigMgr_ad_schema.ldf -v -j <location to store log file>
4. To verify that the schema extension was successful, you can review the log file created by the command line used in step 3.
5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.
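As an added example that is not part of the original documentation, the following PowerShell script carries out steps 2 through 4 of this procedure: it builds the domain's distinguished name from its fully qualified name, replaces every DC=x in a copy of ConfigMgr_ad_schema.ldf, confirms that the interactive logon is a Schema Admins member, and runs ldifde with verbose logging. The media drive letter D:, the domain name widgets.microsoft.com and the working folder C:\SchemaExtension are assumptions.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumptions: media mounted as D:, domain widgets.microsoft.com, working folder
# C:\SchemaExtension, run on the schema master by a Schema Admins member.
$MediaLdf   = 'D:\SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf'
$DomainFqdn = 'widgets.microsoft.com'
$WorkDir    = 'C:\SchemaExtension'
$LogDir     = Join-Path $WorkDir 'logs'
$LocalLdf   = Join-Path $WorkDir 'ConfigMgr_ad_schema.ldf'

# Build the distinguished name the same way step 2 describes by hand:
# widgets.microsoft.com -> DC=widgets,DC=microsoft,DC=com
$DomainDn = ($DomainFqdn.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# Step 2: edit a copy so the file on the installation media stays untouched.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Original  = [System.IO.File]::ReadAllText($MediaLdf)
$HitCount  = [regex]::Matches($Original, 'DC=x\b').Count
if ($HitCount -eq 0) {
    throw "No DC=x placeholder found in $MediaLdf; is this the shipped file? Aborting."
}
$Localized = [regex]::Replace($Original, 'DC=x\b', $DomainDn)
# ldifde reads ANSI by default and the shipped file is plain ASCII, so write it the same way.
[System.IO.File]::WriteAllText($LocalLdf, $Localized, [System.Text.Encoding]::ASCII)
Write-Host "Replaced $HitCount occurrences of DC=x with $DomainDn in $LocalLdf"

# Alternate credentials (Run As) do not work for schema changes, so check the interactive
# logon's group membership before touching the schema. English group name assumed.
$Groups = whoami /groups
if (-not ($Groups | Select-String -SimpleMatch 'Schema Admins')) {
    throw 'Current logon is not a member of Schema Admins; log on with such an account and rerun.'
}

# Step 3: import with verbose logging. ldifde writes ldif.log and ldif.err into the -j folder.
& ldifde.exe -i -f $LocalLdf -v -j $LogDir
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ldifde exited with $LASTEXITCODE. Review $LogDir\ldif.err and restore the step 1 system state backup."
} else {
    # Step 4: the log is the record of what was added to the schema.
    Write-Host "Import finished. Review $LogDir\ldif.log to verify the schema extension."
}
```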
Create the System Management Container
Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services.
Tip: You can grant the site server's computer account Full Control permission to the System container in Active Directory Domain Services, which results in the site server automatically creating the System Management container when site information is first published to Active Directory Domain Services. However, it is more secure to manually create the System Management container.
Use ADSI Edit to create the System Management container
in Active Directory Domain Services. For more information about how
to install and use ADSI Edit, see ADSI Edit (adsiedit.msc) in the Active
Directory Domain Services documentation.
To manually create the System Management container
1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.
2. Run ADSI Edit, and connect to the domain in which the site server resides.
3. Expand Domain <computer fully qualified domain name>, expand <distinguished name>, right-click CN=System, click New, and then click Object.
4. In the Create Object dialog box, select Container, and then click Next.
5. In the Value box, type System Management, and then click Next.
6. Click Finish to complete the procedure.
Set Security Permissions on the System Management Container
After you have created the System Management container
in Active Directory Domain Services, you must grant the site
server's computer account the permissions that are required to
publish site information to the container.
Important: The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects.
You can grant the necessary permissions by using the
Active Directory Users and Computers administrative tool or the
Active Directory Service Interfaces Editor (ADSI Edit). For more
information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc).
Note: The following procedures are provided as examples of how to configure Windows Server 2008 R2 computers. If you are using a different operating system version, refer to that operating system's documentation for information on how to make similar configurations.
To apply permissions to the System Management container by using the Active Directory Users and Computers administrative tool
1. Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool.
2. Click View, and then click Advanced Features.
3. Expand the System container, right-click System Management, and then click Properties.
4. In the System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.
5. Click Advanced, select the site server's computer account, and then click Edit.
6. In the Apply to list, select This object and all descendant objects.
7. Click OK and then close the Active Directory Users and Computers administrative tool to complete the procedure.
To apply permissions to the System Management container by using the ADSI Edit console
1. Click Start, click Run, and enter adsiedit.msc to open the ADSI Edit console.
2. If necessary, connect to the site server's domain.
3. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, and then expand CN=System. Right-click CN=System Management, and then click Properties.
4. In the CN=System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions.
5. Click Advanced, select the site server's computer account, and then click Edit.
6. In the Apply onto list, select This object and all descendant objects.
7. Click OK to close the ADSI Edit console and complete the procedure.
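Both procedures above grant the same permission by hand. As an added example that is not part of the original documentation, the following PowerShell script grants Full Control on the System Management container, applied to the object and all descendant objects, to each listed site server computer account, and then lists every account that holds Full Control on the container so that any unexpected grant stands out. The domain widgets.microsoft.com and the server names SITESRV01 and SITESRV02 are assumptions; the script needs the ActiveDirectory module from the Remote Server Administration Tools.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumptions: domain widgets.microsoft.com, primary site server SITESRV01, secondary
# site server SITESRV02, and an account allowed to modify the container's security descriptor.
Import-Module ActiveDirectory

$ContainerDn = 'CN=System Management,CN=System,DC=widgets,DC=microsoft,DC=com'
$SiteServers = @('SITESRV01', 'SITESRV02')
$AdPath      = "AD:\$ContainerDn"   # the ActiveDirectory module exposes the directory as the AD: drive

$FullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll   # "Full Control" in the dialogs
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
# "This object and all descendant objects" in the dialogs is inheritance type All.
$Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$Acl = Get-Acl -Path $AdPath
foreach ($Name in $SiteServers) {
    $Sid  = (Get-ADComputer -Identity $Name).SID
    $Rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                       -ArgumentList $Sid, $FullControl, $Allow, $Inheritance
    $Acl.AddAccessRule($Rule)
    Write-Host "Granting Full Control on $ContainerDn to computer account $Name"
}
Set-Acl -Path $AdPath -AclObject $Acl

# Audit: every identity allowed Full Control on the container. Anything other than the
# expected site server accounts (and the built-in administrative groups) needs a reason.
(Get-Acl -Path $AdPath).Access |
    Where-Object {
        $_.AccessControlType -eq $Allow -and
        ($_.ActiveDirectoryRights -band $FullControl) -eq $FullControl
    } |
    Select-Object IdentityReference, InheritanceType, IsInherited |
    Format-Table -AutoSize
```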
Before you can use a Windows Server with
System Center 2012 Configuration Manager, you must
ensure the computer is configured to support Configuration Manager
operations. Use the information in the following sections to
configure Windows servers for Configuration Manager. For more
information about site system role prerequisites, see the
Prerequisites for Site System Roles section in the Supported Configurations
for Configuration Manager topic.
Note: The procedures in the following sections are provided as examples of how to configure Windows Server 2008 or Windows Server 2008 R2 computers. If you are using a different operating system version, refer to that operating system's documentation for information on how to make similar configurations.
Remote Differential Compression
Site servers and distribution points require Remote
Differential Compression (RDC) to generate package signatures and
perform signature comparison. If RDC is not enabled, you must
enable it on these site system servers.
Use the following procedure as an example of how to
enable Remote Differential Compression on Windows Server 2008
and Windows Server 2008 R2 computers. If you have a
different operating system version, refer to your operating system
documentation for the equivalent procedure.
To configure Remote Differential Compression for Windows Server 2008 or Windows Server 2008 R2
1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.
2. On the Select Features page, select Remote Differential Compression, and then click Next.
3. Complete the wizard and close Server Manager to complete the configuration.
Internet Information Services (IIS)
Several site system roles require Internet Information Services (IIS). If IIS is not already enabled, you must enable it on site system servers before you install a site system role that requires IIS. In addition to the site system server, the following site system roles require IIS:
- Application Catalog web service point
- Application Catalog website point
- Distribution point
- Enrollment point
- Enrollment proxy point
- Fallback status point
- Management point
- Software update point
The minimum version of IIS that Configuration Manager requires is the default version that is supplied with the operating system of the server that runs the site system.
For example, when you enable IIS on a Windows Server 2008 computer that you plan to use as a distribution point, IIS 7.0 is installed. You can also install IIS 7.5. If you enable IIS on a Windows 7 computer for a distribution point, IIS 7.5 is automatically installed. You cannot use IIS version 7.0 for a distribution point that runs Windows 7.
Use the following procedure as an example of how to
install IIS on a Windows Server 2008 or Windows Server
2008 R2 computer. If you have a different operating system
version, refer to your operating system documentation for the
equivalent procedure.
To install Internet Information Services (IIS) on Windows Server 2008 and Windows Server 2008 R2 computers
1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.
2. On the Select Features page of the Add Features Wizard, install any additional features that are required to support the site system roles you install on this computer. For example, to add BITS Server Extensions:
   - For Windows Server 2008, select the BITS Server Extensions check box. For Windows Server 2008 R2, select the Background Intelligent Transfer Services (BITS) check box. When prompted, click Add Required Role Services to add the dependent components, including the Web Server (IIS) role, and then click Next.
Tip: If you are configuring a computer that will be a site server or distribution point, ensure that the check box for Remote Differential Compression is selected.
3. On the Web Server (IIS) page of the Add Features Wizard, click Next.
4. On the Select Role Services page of the Add Features Wizard, install any additional role services that are required to support the site system roles you install on this computer. For example, to add ASP.NET and Windows Authentication:
   - For Application Development, select the ASP.NET check box and, when prompted, click Add Required Role Services to add the dependent components.
   - For Security, select the Windows Authentication check box.
5. In the Management Tools node, for IIS 6 Management Compatibility, ensure that both the IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility check boxes are selected, and then click Next.
6. On the Confirmation page, click Install, complete the wizard, and close Server Manager to complete the configuration.
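The Remote Differential Compression and IIS procedures above click through Server Manager. As an added example that is not part of the original documentation, the following PowerShell script installs the same set of features on Windows Server 2008 R2 with the ServerManager module, installing only what is missing and then reporting the final state. The feature list is the one the two procedures select for a site server that will also host a distribution point; the names are the Windows Server 2008 R2 feature names behind the wizard's check boxes.

```powershell
# Added example, not from the Configuration Manager documentation. Assumes Windows
# Server 2008 R2 (the ServerManager module does not exist on Windows Server 2008),
# run from an elevated PowerShell session.
Import-Module ServerManager

# Feature names for the check boxes the two procedures select.
$Required = @(
    'RDC',              # Remote Differential Compression (site servers and distribution points)
    'BITS-IIS-Ext',     # Background Intelligent Transfer Service (BITS) server extensions
    'Web-Server',       # Web Server (IIS) role, otherwise pulled in as a dependency of the BITS extensions
    'Web-Asp-Net',      # Application Development: ASP.NET
    'Web-Windows-Auth', # Security: Windows Authentication
    'Web-Metabase',     # Management Tools: IIS 6 Metabase Compatibility
    'Web-WMI'           # Management Tools: IIS 6 WMI Compatibility
)

$Missing = @(Get-WindowsFeature -Name $Required |
             Where-Object { -not $_.Installed } |
             ForEach-Object { $_.Name })
if ($Missing.Count -eq 0) {
    Write-Host 'All required features are already installed.'
} else {
    Write-Host "Installing: $($Missing -join ', ')"
    # Add-WindowsFeature resolves required dependencies, which is what the wizard's
    # "Add Required Role Services" prompt does interactively.
    $Result = Add-WindowsFeature -Name $Missing
    if (-not $Result.Success) {
        throw 'Feature installation failed; review the Server Manager log before continuing.'
    }
    if ($Result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required to finish installing the features.'
    }
}

# Report the final state so it can be recorded with the prerequisite checklist.
Get-WindowsFeature -Name $Required | Format-Table -Property Name, DisplayName, Installed -AutoSize
```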
Request Filtering for IIS
By default, IIS blocks several file name extensions and
folder locations from access by HTTP or HTTPS communication. If
your package source files contain extensions that are blocked in
IIS, you must configure the requestFiltering section in the
applicationHost.config file on distribution point computers.
The following file name extensions are used by
Configuration Manager for packages and applications. Allow the
following file name extensions on distribution points:
For example, you might have source files for a software deployment that include a folder named bin, or that contain a file with the .mdb file name extension. By default, IIS request filtering blocks access to these elements. When you use the default IIS configuration on a distribution point, clients that use BITS fail to download this software deployment from the distribution point. In this scenario, the clients indicate that they are waiting for content. To enable the clients to download this content by using BITS, on each applicable distribution point, edit the requestFiltering section of the applicationHost.config file to allow access to the files and folders in the software deployment.
Use the following procedure as an example of how to
modify requestFiltering on a Windows Server 2008 or
Windows Server 2008 R2 computer. If you have a different
operating system version, refer to your operating system
documentation for the equivalent procedure.
To configure request filtering for IIS on distribution points
1. On the distribution point computer, open the applicationHost.config file located in the %Windir%\System32\Inetsrv\Config\ directory.
2. Search for the <requestFiltering> section.
3. Determine the file name extensions and folder names that you will have in the packages on this distribution point. For each extension and folder name that you require, perform the following steps:
   - If it is listed as a fileExtension element, set the value for allowed to true. For example, if your content contains a file with an .mdb extension, change the line <add fileExtension=".mdb" allowed="false" /> to <add fileExtension=".mdb" allowed="true" />. Allow only the file name extensions required for your content.
   - If it is listed as a <hiddenSegments> element, delete the entry that matches the file name extension or folder name from the file. For example, if your content contains a folder with the label of bin, remove the line <add segment="bin" /> from the file.
4. Save and close the applicationHost.config file to complete the configuration.
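As an added example that is not part of the original documentation, the following PowerShell script performs the edit described above on a distribution point: it backs up applicationHost.config, sets allowed to true only for the extensions your content needs, removes only the listed hidden segments, and reports what changed. The extension .mdb and folder name bin are the text's own example; anything else in $RequiredExtensions and $RequiredSegments is yours to supply.

```powershell
# Added example, not from the Configuration Manager documentation. Run elevated on the
# distribution point. Only the listed extensions and folder names are unblocked, so these
# two lists are the allow list for this server's package content.
$ConfigPath         = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$RequiredExtensions = @('.mdb')   # from the text's example; add what your packages contain
$RequiredSegments   = @('bin')    # folder names your packages contain

# Keep a timestamped copy so the edit can be reverted.
$Backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $Backup
Write-Host "Backup written to $Backup"

$Config = New-Object System.Xml.XmlDocument
$Config.PreserveWhitespace = $true   # keep the file's layout readable for later manual review
$Config.Load($ConfigPath)
$RequestFiltering = $Config.SelectSingleNode('/configuration/system.webServer/security/requestFiltering')
if (-not $RequestFiltering) { throw 'No server-level <requestFiltering> section found.' }

$Changed = $false
foreach ($Ext in $RequiredExtensions) {
    # Only entries that exist with allowed="false" are touched; extensions that are not
    # listed at all are governed by allowUnlisted and left alone.
    $Entry = $RequestFiltering.SelectSingleNode("fileExtensions/add[@fileExtension='$Ext']")
    if ($Entry -and $Entry.GetAttribute('allowed') -eq 'false') {
        $Entry.SetAttribute('allowed', 'true')
        Write-Host "fileExtension $Ext : allowed=false -> allowed=true"
        $Changed = $true
    }
}
foreach ($Segment in $RequiredSegments) {
    # Hidden segments have no allowed attribute; as in step 3, the entry is removed instead.
    $Entry = $RequestFiltering.SelectSingleNode("hiddenSegments/add[@segment='$Segment']")
    if ($Entry) {
        [void]$Entry.ParentNode.RemoveChild($Entry)
        Write-Host "hiddenSegments: removed <add segment=`"$Segment`" />"
        $Changed = $true
    }
}

if ($Changed) {
    $Config.Save($ConfigPath)   # IIS picks up applicationHost.config changes without a restart
    Write-Host 'applicationHost.config updated.'
} else {
    Write-Host 'Nothing to change: the listed extensions and folders are already reachable.'
}
```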