11/11/2008

Before you deploy System Center Mobile Device Manager (MDM), you must run the Active Directory® Configuration Tool, AdConfig.exe, from the Setup menu on the System Center Mobile Device Manager (MDM) installation disc to configure the domain. ADConfig creates the required Active Directory groups, adds the MDM Service Connection Points (SCPs), and creates the certificate templates on the designated certification authority. Additionally, Active Directory user accounts, containers, and SCPs receive the permissions needed to support the MDM installation process. The ADConfig tool can also help administrators give MDM the appropriate access to Group Policy objects so that it can calculate policy for managed Windows Mobile devices. Make sure that you secure Active Directory behind the company firewall before you run ADConfig. The ADConfig tool does not modify or remove inherited permissions. For more information about the ADConfig tool, see ADConfig Tool in the technical reference section.

ADConfig.exe creates and installs the following certificate templates on the specified domain certification authority:

During Mobile Device Manager (MDM) Enrollment Server and Mobile Device Manager (MDM) Device Management Server installation, Setup retrieves certificates from the specified certification authority that has MDM templates enabled and binds them to IIS 6.0 on every MDM server role, except for MDM Gateway Server. On MDM Gateway Server, you must manually import the certificate into the certificate store. For more information about how to import the certificate on MDM Gateway Server, see Step 5: Installing MDM Gateway Server. Additionally, MDM Device Management Server Setup requests and gives permission to the Gateway Central Management (GCM) certificate.

In a typical installation, the certificate installation process for MDM is automatic. However, you can also create the certificates manually; for more information, see Creating Manual Certificates.

The Adconfig.exe tool lets administrators use the following parameters to configure the MDM system. For more information about MDM parameters, see ADConfig Tool.

Parameters and their descriptions:

/domain:<domain name>

  • Creates universal groups, SCPs, organizational units, and domain containers for MDM installation.

  • The /domain parameter requires Domain Administrator credentials. Domain Administrator credentials are also required to run /createtemplates.

/createtemplates

  • Creates the MDM certificate templates in Active Directory and gives them the appropriate permissions.

  • This parameter requires Enterprise Administrator permissions.

/enabletemplates /ca:<ca_server_name>\<ca_instance_name>

  • Enables the MDM certificate templates on the specified certification authority. The certification authority server and certification authority name are required for this switch. To avoid installation problems, you must make sure that the certification authority server is online.

  • This parameter requires Enterprise Administrator permissions.

/gpsecurity:all /gpdomain:<domain>

  • Grants the minimum required permissions to all existing Group Policy objects (GPOs) in the specified domain. This switch is optional.

  • Enables targeting of individual Group Policy objects.

  • Modifies Group Policy object permissions to allow MDM servers to calculate policies for mobile devices.

  • The only schema changes that the ADConfig tool makes are those made by the /gpsecurity parameter.

  • This parameter requires Domain Administrator permissions.

After the tool finishes, allow time for replication between domain controllers before you install MDM. For more information about how to use these parameters, additional parameters, groups, folders, and other Active Directory configuration changes, see ADConfig Tool in the technical reference section.

Important:
Do not move or rename the system-level containers or SCPs that the ADConfig tool creates. Additionally, do not rename the pre-Windows 2000 SAM-Account-Name of any of the universal security groups that MDM created; modifying the pre-Windows 2000 name will interfere with MDM system operation. To view these groups, folders, and SCPs in Active Directory Users and Computers, on the View menu, select the Advanced Features option.

For more information about how to install and uninstall MDM system components by using command-line options, see Command-Line Options.

Before you can install MDM and complete the MDM deployment by following the deployment procedures in this guide, you must plan your deployment and configure your IT environment by following the steps and guidelines in the MDM Planning Guide. MDM Planning and Deployment Checklists in the MDM Planning Guide specifies the permissions and roles required to complete the steps in this procedure.

To configure the Active Directory domain for MDM

  1. Run Setup.exe on the System Center Mobile Device Manager (MDM) installation CD.

  2. On the Start menu, choose Configure Active Directory for MDM. A Command Prompt window appears that displays the Active Directory Configuration Help.

  3. Move to the ADConfig directory.

    Important:
    The ADConfig directory will contain the ADConfig tool that is required for domain configuration. To run the command at the command prompt, you must be in the ADConfig directory.
  4. Type the command AdConfig.exe /domain:<domain name>, where <domain name> is the domain in which you want to install MDM, and then press ENTER. When you are prompted, Do you want to proceed?, press Y, and then press ENTER. A confirmation message appears to inform you that the configuration was successful.

  5. Type the command Adconfig.exe /createtemplates, and then press ENTER. A prompt appears that explains that the certificate templates will be created. When you are prompted, Do you want to proceed?, press Y, and then press ENTER. A summary of the templates that were created in Active Directory appears.

  6. After Active Directory creates the templates, you must enable them. At the command prompt, type the command ADConfig.exe /enabletemplates /ca:<ca_server_name>\<ca_instance_name>, where <ca_server_name> is the name of the certification authority server and <ca_instance_name> is the instance name of the certification authority. If the certification authority server name or instance name contains spaces, you must enclose the value in quotation marks, for example: ADConfig.exe /enabletemplates /ca:"server.contoso.com\ca name". If there are no spaces in the certification authority server and instance names, you must not use quotation marks or the process will fail. Press ENTER. A message appears to confirm that the templates will be enabled. When you are prompted, Do you want to proceed?, press Y, and then press ENTER.

  7. After you run each ADConfig parameter at the command prompt, the ADConfig output is displayed. This includes information such as the Active Directory objects that were created, the certificate templates that were installed, and other useful details. We recommend that you copy and paste the output into a text file for future reference.

  8. At the end of the configuration process, close the Command Prompt window.
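As an added example (not from the MDM documentation or the product itself), the following PowerShell script runs the commands from steps 4 through 6 in order, applies the quoting rule for the /ca value from step 6, optionally runs the /gpsecurity step from the parameter list, and keeps the tool output in a text file as step 7 recommends. It assumes that it is started in the ADConfig directory, that AdConfig.exe reads its Do you want to proceed? answer from standard input and returns a non-zero exit code on failure; the parameter and function names are the script's own.

```powershell
# Added example, not part of the MDM documentation: wraps the ADConfig steps
# from this procedure. Assumptions (not stated on the page): the script is run
# from the ADConfig directory, AdConfig.exe reads the "Do you want to proceed?"
# answer from standard input, and it returns a non-zero exit code on failure.

param(
    [Parameter(Mandatory)] [string] $DomainName,       # domain to install MDM in
    [Parameter(Mandatory)] [string] $CaServerName,     # certification authority server
    [Parameter(Mandatory)] [string] $CaInstanceName,   # certification authority instance
    [string] $LogPath = (Join-Path $PWD 'ADConfig-output.txt'),
    [switch] $GrantGpoPermissions                      # also run the optional /gpsecurity step
)

# Page rule: quote the /ca value only if the server or instance name contains
# a space; quoting names without spaces makes the step fail.
function Get-CaArgument {
    param([string] $Server, [string] $Instance)
    $value = "$Server\$Instance"
    if ($value -match '\s') { return "/ca:`"$value`"" }
    return "/ca:$value"
}

function Invoke-AdConfig {
    param([string] $Arguments)   # exactly what you would type after AdConfig.exe
    $answer = New-TemporaryFile; Set-Content -Path $answer.FullName -Value 'Y'  # Y + ENTER
    $stdout = New-TemporaryFile
    $stderr = New-TemporaryFile
    Add-Content -Path $LogPath -Value "`r`n>> AdConfig.exe $Arguments"
    # A single -ArgumentList string is passed to the tool verbatim, so the
    # quoting produced by Get-CaArgument reaches AdConfig.exe unchanged.
    $p = Start-Process -FilePath '.\AdConfig.exe' -ArgumentList $Arguments `
        -NoNewWindow -Wait -PassThru -RedirectStandardInput $answer.FullName `
        -RedirectStandardOutput $stdout.FullName -RedirectStandardError $stderr.FullName
    # Keep everything the tool printed (step 7) and show it on screen as well.
    Get-Content -Path $stdout.FullName, $stderr.FullName | Tee-Object -FilePath $LogPath -Append
    Remove-Item -Path $answer.FullName, $stdout.FullName, $stderr.FullName
    if ($p.ExitCode -ne 0) {
        throw "AdConfig.exe $Arguments failed with exit code $($p.ExitCode); see $LogPath"
    }
}

Invoke-AdConfig "/domain:$DomainName"                                          # step 4
Invoke-AdConfig '/createtemplates'                                            # step 5
Invoke-AdConfig "/enabletemplates $(Get-CaArgument $CaServerName $CaInstanceName)"  # step 6
if ($GrantGpoPermissions) {
    Invoke-AdConfig "/gpsecurity:all /gpdomain:$DomainName"                   # optional GPO step
}
Write-Host "Done. Keep $LogPath for reference and allow replication to finish before running MDM Setup."
```

Run each step with an account that holds the permissions the parameter list requires (Domain Administrator for /domain and /gpsecurity, Enterprise Administrator for /createtemplates and /enabletemplates).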