11/11/2008

The following describes some best practices to deploy System Center Mobile Device Manager (MDM) infrastructure.

Do not run MDM Setup installations as a domain administrator or by using elevated credentials

For security reasons, we strongly recommend that you do not run any MDM installation by using domain administrator, or other elevated credentials. We recommend that you run Setup with an account that is a member of the SCMDM2008ServerAdministrators group only, instead of elevated credentials.

Putting objects, users, and containers into MDM organizational units or groups is not supported

We strongly recommend that users do not add objects, users, or containers to the following groups:

Organizational Units:

  • SCMDM2008 Infrastructure Groups

Groups:

  • SCMDM2008DeviceManagementServers

  • SCMDM2008EnrollmentServers

  • SCMDM2008EnrolledDevices

  • SCMDM2008SelfService

Renaming and Moving Universal Security Groups (USGs), Containers, SCPs, and Certificate Templates
  • You may move USGs to another location in Active Directory within the same forest.

  • You may take USGs out of the SCMDM2008 Infrastructure Groups OU and place them in another OU.

  • You can rename the friendly name of USGs, but you cannot change the SAM account name (Pre-Windows 2000 name).

  • Do not move or rename the SCMDM2008 container in the system container or the SCPs.

  • Do not move or rename the SCMDM2008 Managed Device OU.

  • Do not rename certificate templates.

Use filtering to block unauthorized access to the Alerter service

For added security, you can add filtering rules to the internal and external firewall to block unauthorized traffic to the Alerter service port (UDP port 5359) in the managed device.

MDM database log

If you perform a new MDM installation over a preexisting installation and do not intend to upgrade the server, you must completely uninstall all server components and delete the SQL database (.mdf) and transaction log (.ldf) files from the previous installation. A remaining database or log file may produce Setup errors while reinstalling MDM after uninstalling the previous version. The reason is that the SQL scripts cannot create a new database and transaction log files if they already exist. If you do not remove the SQL database and transaction log files from the original installation, a data corruption error will occur and Setup will fail.

Make sure that the domain controller is online and that you can access it

Make sure that all domains in the forest are functioning correctly, and that all domain controllers are online and that you can access them through DNS. Check the DNS configuration for suitable network routing.

Reinstalling Windows Server Update Services (WSUS) 3.0 SP1

Also if you need to install and reinstall WSUS 3.0 SP1 for any reason, you must restart the SCMDM Software Distribution Service when finished. This is necessary for the WSUS and MDM Software Distribution components to remain in sync. For procedures on how to restart the SCMDM Software Distribution Service, see Stopping and Restarting MDM Device Management Serverin the MDM Operations Guide.