11/11/2008

You must regularly back up the underlying operating system for the System Center Mobile Device Manager (MDM) system, Windows Server® 2003. You must also regularly back up the MDM system components: MDM Device Management Server, MDM Enrollment Server and MDM Gateway Server; and the supporting components: domain controllers, Microsoft enterprise certification authority and computers that are running Microsoft® SQL Server®, according to the best practices for Windows Server 2003.

This includes, but is not limited to, full system backups, incremental backups and system state. For more information about how to back up the Windows Server 2003 Standard Edition and Enterprise Edition operating systems, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=108410 .

For more information about how to back up and restore keys and certificates in the enterprise certification authority, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=108411 .

For more information about how to back up and restore SQL Server 2005, as well as other administrative tasks, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=108412 .

Backing Up Your SQL Server Databases for MDM

To move MDM databases onto another SQL Server computer, or for general database backup and restore operations, restore the full databases onto a new SQL Server computer:

  1. Stop all 5 of the MDM services:

    • SCMDM ADGP Service

    • SCMDM Enrollment Service

    • SCMDM GCM Service

    • SCMDM Software Distribution Service

    • SCMDM Wipe Service

  2. Start Microsoft SQL Server Management Studio and connect to the local SQL Server.

  3. In SQL Server Management Studio, expand the local server, expand Databases, right-click AdminServices, point to Tasks, and then select Backup.

  4. In the Back Up Database - AdminServices dialog box, make sure that the Backup type is set to Full, note the backup Destination folder, and then select OK.

  5. In the Microsoft SQL Server Management Studio dialog box informing you that the backup completed successfully, select OK.

  6. Repeat steps 3 through 5 for each of the MDM databases.

  7. In SQL Server Management Studio, expand SQL Server Agent, and then select Jobs.

  8. Right-click ExecutionResultProcessingTimeout, point to Script Job as, point to CREATE To, and then select File.

  9. In the Select a file dialog box, select a folder on the local computer to store the SQL Server scripts, and then select Save.

  10. Right-click TEEDB_Cleanup, point to Script Job as, point to CREATE To, and then select File.

  11. In the Select a file dialog box, select a folder on the local computer to store the SQL Server scripts, and then select Save.

Restoring Your SQL Server Databases for MDM

To restore the databases for MDM, follow these steps:

  1. On the new SQL Server computer, start Microsoft SQL Server Management Studio and connect to the local SQL Server.

  2. In SQL Server Management Studio, expand the local server, right-click Databases, and then select Restore Database.

  3. In the Restore Database dialog box, in the Destination for restore section, in the To database box, type the exact name of the database that you want to restore, for example AdminServices.

  4. In the Source for restore section, select From device, and then select the ellipsis button (...).

  5. In the Specify Backup dialog box, select Add.

  6. In the Locate Backup File dialog box, navigate to the backup destination folder that you noted in step 4 of the "Backing Up Your SQL Server Databases for MDM" section above, and then select OK.

  7. In the Specify Backup dialog box, select OK.

  8. In the Restore Database dialog box, select OK.

  9. Repeat steps 2 through 6 for each of the MDM databases.

  10. In SQL Server Management Studio, make sure that the following security logins exist:

    • <domain>\SCMDM2008DeviceManagementServers

    • <domain>\SCMDM2008EnrollmentServers

    • <domain>\SCMDM2008ServerAdministrators

  11. If these logins do not exist, then follow steps 12 through 18. Otherwise, skip to step 19.

  12. In SQL Server Management Studio, expand the local server, expand Security, right-click Logins, and then select New Login.

  13. In the Login - New dialog box, select Search.

  14. In the Select User or Group dialog box, select Object Types.

  15. In the Object Types dialog box, select the Groups check box, and then select OK.

  16. In the Select User or Group dialog box, in the From this location box, make sure that Entire Directory is selected. Otherwise, select Locations to specify the entire directory.

  17. In the Enter the object name to select box, type SCMDM2008DeviceManagementServers, and then select OK.

  18. Repeat steps 12 through 17 to add the SCMDM2008EnrollmentServers and SCMDM2008ServerAdministrators security logins.

  19. In SQL Server Management Studio, right-click the local server, and then select New Query.

  20. Copy the script for the ExecutionResultProcessingTimeout job from the above stored SQL Server script file, and paste it into the query pane.

  21. Select Query, and then select Execute.

  22. Repeat steps 19 through 21 to run the script query for the TEEDB_Cleanup job.
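
Steps 10 through 18 can also be done from a query window. The following T-SQL is an added example, not part of the original Microsoft procedure: it checks for the three Windows group logins and creates any that are missing. YOURDOMAIN is a placeholder for <domain>.

```sql
-- Added example. YOURDOMAIN is a placeholder; replace it with your domain name.
DECLARE @domain sysname, @login sysname, @sql nvarchar(400);
SET @domain = N'YOURDOMAIN';

-- The three security groups named in step 10.
DECLARE @groups TABLE (group_name sysname);
INSERT INTO @groups (group_name)
SELECT N'SCMDM2008DeviceManagementServers' UNION ALL
SELECT N'SCMDM2008EnrollmentServers' UNION ALL
SELECT N'SCMDM2008ServerAdministrators';

-- STATIC: the list of missing logins is fixed before any login is created.
DECLARE missing CURSOR LOCAL STATIC FOR
    SELECT @domain + N'\' + g.group_name
    FROM @groups AS g
    WHERE NOT EXISTS (SELECT 1
                      FROM sys.server_principals AS p
                      WHERE p.type = 'G'   -- Windows group login
                        AND p.name = @domain + N'\' + g.group_name);

OPEN missing;
FETCH NEXT FROM missing INTO @login;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets the name so that it is always treated as an identifier.
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@login) + N' FROM WINDOWS;';
    PRINT @sql;                 -- record what is about to be created
    EXEC sp_executesql @sql;
    FETCH NEXT FROM missing INTO @login;
END
CLOSE missing;
DEALLOCATE missing;

-- Final state: all three logins should now be listed.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_principals AS p
WHERE p.name LIKE N'%\SCMDM2008%';
```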

Verifying Database Restoration

After running the script queries, you should verify that the databases were restored properly by making sure that the accounts and permissions are intact.

Remote Databases

When installed with remote databases, MDM setup configures the following user accounts and roles for each database.

| Database | User account | Database Roles |
| --- | --- | --- |
| AdminServices | <domain>\SCMDM2008DeviceManagementServers | ServiceAdmin, ServiceDriver, VPNAdmin, VPNPowerUser |
| AdminServices | <domain>\SCMDM2008EnrollmentServers | ServiceAdmin, ServiceDriver |
| AdminServices | <domain>\SCMDM2008ServerAdministrators | ServiceAdmin |
| MobileEnrollment | <domain>\SCMDM2008EnrollmentServers | EnrollmentServer |
| MobileEnrollment | NT AUTHORITY\ANONYMOUS LOGON | EnrollmentWebService |
| TEEDB | <domain>\SCMDM2008DeviceManagementServers | PublicAPI, TEE |
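
The remote-database table can be checked with a query instead of by eye. The following T-SQL is an added example, not part of the original Microsoft documentation: it compares the actual role membership in the three restored databases with the table and lists every difference. YOURDOMAIN is a placeholder for <domain>, and the script assumes that each database user has the same name as its Windows account.

```sql
-- Added example. YOURDOMAIN is a placeholder; replace it with your domain name.
DECLARE @domain sysname;
SET @domain = N'YOURDOMAIN';
CREATE TABLE #expected (db sysname, member sysname, role_name sysname);
CREATE TABLE #actual   (db sysname, member sysname, role_name sysname);

-- Expected rows, copied from the remote-database table
-- (SQL Server 2005 has no multi-row VALUES, hence UNION ALL).
INSERT INTO #expected (db, member, role_name)
SELECT N'AdminServices', @domain + N'\SCMDM2008DeviceManagementServers', N'ServiceAdmin' UNION ALL
SELECT N'AdminServices', @domain + N'\SCMDM2008DeviceManagementServers', N'ServiceDriver' UNION ALL
SELECT N'AdminServices', @domain + N'\SCMDM2008DeviceManagementServers', N'VPNAdmin' UNION ALL
SELECT N'AdminServices', @domain + N'\SCMDM2008DeviceManagementServers', N'VPNPowerUser' UNION ALL
SELECT N'AdminServices', @domain + N'\SCMDM2008EnrollmentServers', N'ServiceAdmin' UNION ALL
SELECT N'AdminServices', @domain + N'\SCMDM2008EnrollmentServers', N'ServiceDriver' UNION ALL
SELECT N'AdminServices', @domain + N'\SCMDM2008ServerAdministrators', N'ServiceAdmin' UNION ALL
SELECT N'MobileEnrollment', @domain + N'\SCMDM2008EnrollmentServers', N'EnrollmentServer' UNION ALL
SELECT N'MobileEnrollment', N'NT AUTHORITY\ANONYMOUS LOGON', N'EnrollmentWebService' UNION ALL
SELECT N'TEEDB', @domain + N'\SCMDM2008DeviceManagementServers', N'PublicAPI' UNION ALL
SELECT N'TEEDB', @domain + N'\SCMDM2008DeviceManagementServers', N'TEE';

-- Actual membership of user-defined roles, one INSERT per restored database.
INSERT INTO #actual SELECT N'AdminServices', m.name, r.name
FROM AdminServices.sys.database_role_members AS x
JOIN AdminServices.sys.database_principals AS r ON r.principal_id = x.role_principal_id
JOIN AdminServices.sys.database_principals AS m ON m.principal_id = x.member_principal_id
WHERE r.is_fixed_role = 0;
INSERT INTO #actual SELECT N'MobileEnrollment', m.name, r.name
FROM MobileEnrollment.sys.database_role_members AS x
JOIN MobileEnrollment.sys.database_principals AS r ON r.principal_id = x.role_principal_id
JOIN MobileEnrollment.sys.database_principals AS m ON m.principal_id = x.member_principal_id
WHERE r.is_fixed_role = 0;
INSERT INTO #actual SELECT N'TEEDB', m.name, r.name
FROM TEEDB.sys.database_role_members AS x
JOIN TEEDB.sys.database_principals AS r ON r.principal_id = x.role_principal_id
JOIN TEEDB.sys.database_principals AS m ON m.principal_id = x.member_principal_id
WHERE r.is_fixed_role = 0;

-- An empty result means the restored permissions match the table.
SELECT COALESCE(e.db, a.db) AS db, COALESCE(e.member, a.member) AS member,
       COALESCE(e.role_name, a.role_name) AS role_name,
       CASE WHEN a.db IS NULL THEN 'MISSING' ELSE 'NOT IN TABLE' END AS finding
FROM #expected AS e
FULL OUTER JOIN #actual AS a
  ON a.db = e.db AND a.member = e.member AND a.role_name = e.role_name
WHERE a.db IS NULL OR e.db IS NULL;
DROP TABLE #expected; DROP TABLE #actual;
```

For a local-database installation, replace the rows inserted into #expected with the rows from the Local Databases table.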

Local Databases

When installed with local databases, MDM setup configures the following user accounts and roles for each database.

| Database | User account | Database Roles |
| --- | --- | --- |
| AdminServices | <domain>\SCMDM2008ServerAdministrators | ServiceAdmin |
| AdminServices | NT AUTHORITY\NETWORK SERVICE | ServiceAdmin, ServiceDriver, VPNAdmin, VPNPowerUser |
| MobileEnrollment | NT AUTHORITY\LOCAL SERVICE | EnrollmentWebService |
| MobileEnrollment | NT AUTHORITY\NETWORK SERVICE | EnrollmentServer |
| TEEDB | <domain>\SCMDM2008DeviceManagementServers | PublicAPI, TEE |
| TEEDB | NT AUTHORITY\NETWORK SERVICE | PublicAPI, TEE |

Database Service Connection Points

To verify the database service connection points (SCP), follow these steps.

  1. Download the Active Directory Service Interfaces tool at this Microsoft Web site:

    http://go.microsoft.com/fwlink/?LinkId=109940

  2. Open a Microsoft Management Console (MMC) window.

  3. Add the ADSIEdit snap-in.

  4. Connect to the domain.

  5. Expand the domain, expand DC=domain,DC=company name,DC=com, expand CN=System, expand CN=SCMDM2008, right-click CN=SCMDM2008Dependencies, and then select Properties.

  6. In the CN=SCMDM2008Dependencies Properties dialog box, on the Attribute Editor tab, in the Attributes box, scroll down and select keywords, and then select Edit.

  7. In the Multi-valued String Editor dialog box, in the Values box, select database=<old SQL Server>, and then select Remove. If only the SQL Server instance was changed and SQL Server still runs on the same computer, then select sqlinstance=<old SQL Server instance> instead of database=<old SQL Server>.

  8. In the Value to add box, change the old SQL Server to the new SQL Server, select Add, and then select OK.

  9. In the CN=SCMDM2008Dependencies Properties dialog box, select Apply, and then select OK.

  10. Start all 5 of the MDM services:

    • SCMDM ADGP Service

    • SCMDM Enrollment Service

    • SCMDM GCM Service

    • SCMDM Software Distribution Service

    • SCMDM Wipe Service