[This is prerelease documentation and is subject to change in future releases. Blank topics are included as placeholders.]

For System Center Essentials 2010 to correctly interoperate with other components running on Microsoft Windows operating systems, some changes must be made to the Essentials management server, all managed computers, and any remote computer running an Essentials component, such as a remote console or remote database. How these changes are made is determined by whether you can log on to these computers using either Domain Administrator or Group Policy Administrator credentials.

Group Policy

If you can log on with Domain Administrator or Group Policy Administrator credentials when configuring Essentials, any computers running Essentials components or agents are configured automatically.

Selecting the Group Policy option directs Essentials 2007 to make the following changes to the domain:

  • An Active Directory group is created.

  • The Essentials management server is added to the Active Directory group.

  • Two Group Policy objects (GPOs) are created.

    • One GPO is targeted at the All Computers Active Directory group and contains both the Secure Sockets Layer (SSL) and Windows Server Update Services (WSUS) certificates and Windows Firewall settings.

    • The other GPO is specifically targeted at Essentials managed computers. This GPO is applied to the Active Directory group created by Essentials and contains settings related to WSUS, Agentless Exception Monitoring (AEM), and Remote Assistance.

  • A domain-level object, System Center Essentials Managed Computers (Active Directory computer group), is created.

  • A domain-level object, System Center Essentials Managed Computers Group Policy, is created and added to the Access Control List (ACL) of the System Center Essentials Managed Computers group.

  • A domain-level object, System Center Essentials All Computers Policy, is created. This object's Group Policy applies to computers in the domain.

In addition, selecting the Group Policy option directs Essentials to make the changes described in the following table.

On the management server:

  • Essentials 2007 checks whether the SSL certificate has been configured on the WSUS Web site. Essentials creates and configures a new certificate if it is not present.

  • Essentials checks whether the WSUS certificate is already configured on the Management Server. Essentials creates and configures a new certificate if it is not present.

  • For Agentless Exception Monitoring, a file share is created and an ACL is created to give write access to the Domain and to Domain Users.

  • For Agentless Exception Monitoring, the HttpListener port for AEM (port 51906) is configured with the same SSL certificate that is used for the WSUS Web site. Further, SSL and WindowsAuth are enabled for the port.

  • Proxy information is set on both the WSUS server and the Essentials management server.

On managed computers:

  • None (managed computers receive all the required settings through Group Policy)

Note
When a computer is added to the Active Directory group, a task is performed automatically that refreshes the computer's group membership.

Local Policy

If you cannot log on with Domain Administrator or Group Policy Administrator credentials when configuring Essentials, use local policy. If Windows Firewall or another vendor's firewall product is used on computers in your environment, you must create firewall exceptions on the Essentials management server and on managed computers. Also, you must import two certificates on any computer on which you installed a remote Essentials console. For more information, see How to Install a Remote System Center Essentials Console.

Selecting the Local Policy option directs Essentials to make the changes described in the following table.

On the management server:

  • Essentials checks whether the SSL certificate has been configured on the WSUS Web site. Essentials creates and configures a new certificate if it is not present.

  • Essentials checks whether the WSUS certificate is already configured on the Management Server. Essentials creates and configures a new certificate if it is not present.

  • For Agentless Exception Monitoring, a file share is created and an ACL is created to give write access to the Domain and to Domain Users.

  • For Agentless Exception Monitoring, the HttpListener port for AEM (port 51906) is configured with the same SSL certificate that is used for the WSUS Web site. Further, SSL and WindowsAuth are enabled for the port.

  • Proxy information is set on both the WSUS server and the Essentials management server.

  • The following certificates are exported to the <EssentialsFolder>\Certificates folder:

    • WSUSCodeSigning.cer

    • WSUSSSL.cer

  • The SCE_ConfigureAgentCertPolicy rule in the System Center Essentials Management Pack is enabled.

  • The Essentials management server name and AEM file share property values are set for the LocalPolicyConfig rule.

On managed computers:

  • When the agent is installed, the SCE_ConfigureAgentCertPolicy rule in the System Center Essentials Management Pack runs and configures the machine.
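
One way to check, on the management server, that the AEM port (51906) is bound to the same certificate that was exported as WSUSSSL.cer. This is an added example, not part of the Essentials documentation or product. It assumes English netsh output and that WSUSSSL.cer is the WSUS Web site SSL certificate; the function names, the sample hash, and the port 443 entry are constructed for illustration.

```powershell
# Added example; not part of the Essentials documentation or product.
# Assumes English netsh output and that WSUSSSL.cer is the WSUS Web site certificate.
param([string]$CertFolder)   # <EssentialsFolder>\Certificates; omit to run on the sample

function Get-SslBindingHash {
    param([string[]]$Lines, [int]$Port)
    $inBlock = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            # Start of a binding record: remember whether it is for our port.
            $inBlock = $Matches[1] -match (':{0}$' -f $Port)
        } elseif ($inBlock -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            return $Matches[1].ToUpperInvariant()
        }
    }
    return $null   # no SSL binding found for that port
}

function Test-AemBinding {
    param([string[]]$NetshLines, [string]$ExpectedThumbprint, [int]$Port = 51906)
    $bound = Get-SslBindingHash -Lines $NetshLines -Port $Port
    if (-not $bound) { return "NO-BINDING: no SSL certificate is bound to port $Port" }
    if ($bound -ne $ExpectedThumbprint.ToUpperInvariant()) {
        return "MISMATCH: port $Port uses $bound, expected $ExpectedThumbprint"
    }
    return "OK: port $Port uses the expected certificate"
}

# Constructed sample of "netsh http show sslcert" output (hash and port 443 are made up).
$sampleHash = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'
$sample = @"
    IP:port                 : 0.0.0.0:443
    Certificate Hash        : $($sampleHash.ToLower())
    IP:port                 : 0.0.0.0:51906
    Certificate Hash        : $($sampleHash.ToLower())
"@ -split "`r?`n"

if ($CertFolder) {
    # Live check: thumbprint of the exported certificate vs. the real HTTP.sys binding.
    $cer  = Join-Path $CertFolder 'WSUSSSL.cer'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    Test-AemBinding -NetshLines (netsh http show sslcert) -ExpectedThumbprint $cert.Thumbprint
} else {
    # Offline demonstration against the constructed sample.
    Test-AemBinding -NetshLines $sample -ExpectedThumbprint $sampleHash
}
```

A MISMATCH or NO-BINDING result means the AEM listener is not using the certificate the documentation describes.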

See Also

How to Change Windows Firewall Exceptions for System Center Essentials
How to Install a Remote System Center Essentials Console

Concepts

Administration Account
Selecting Database Locations
Storing Updates
Supported Deployment Topologies
System Requirements and Supported Platforms