Running Configuration Manager 2007 in native mode creates both external dependencies and dependencies within the product.

Dependencies External to Configuration Manager 2007

Dependency More Information

You must have a supporting public key infrastructure (PKI) that can deploy and manage the certificates required for native mode.

The site server, specific site systems, computers, and devices in the Configuration Manager site must have a certificate that is managed independently from Configuration Manager.

For more information, see Certificate Requirements for Native Mode.

If you are using fully qualified domain names (FQDNs) for Configuration Manager site systems (required for Internet-based client management and recommended on the intranet), all clients and servers must have access to Domain Name System (DNS) to resolve the computer names of servers.

DNS can also be used by clients to locate their default management point if Configuration Manager is configured for DNS publishing. DNS publishing is appropriate for the following scenarios:

  • Active Directory Domain Services is not extended for Configuration Manager.

  • Clients are from an untrusted domain or a workgroup.

Note
Network load balancing (NLB) management points cannot be published to DNS.

Windows Internet Name Service (WINS) is not supported in native mode as the means by which clients locate management points.

WINS is supported in native mode for clients that need to find a server locator point.

For more information, see Configuration Manager and Name Resolution and Configuration Manager and Service Location (Site Information and Management Points).

Configuration Manager 2007 Dependencies

Note
Extending the Active Directory schema for Configuration Manager is not a requirement for native mode. However, it is much easier to configure clients for native mode when Configuration Manager is publishing to Active Directory Domain Services, which requires that the schema is extended for Configuration Manager 2007.

Dependency More Information

The site must be running Configuration Manager 2007, and the primary site server must be configured with the site server signing certificate.

Native mode is the default for all new sites when running Configuration Manager 2007 Setup. You can also migrate the site to native mode after installation.

How to Configure the Site Server with its Site Server Signing Certificate

How to Migrate the Site Mode from Mixed Mode to Native Mode

If the site is a child site, the parent site must be in native mode.

When upgrading a Configuration Manager hierarchy, upgrade primary sites from top to bottom, and ensure that a parent site is successfully running in native mode before migrating a child primary site to native mode.

Note
When a primary site is in native mode, running a child primary site in mixed mode for a sustained period of time is a supported scenario. There is no requirement that all primary sites in the hierarchy are configured for the same site mode.

If the native mode primary site has secondary sites, the secondary sites will automatically be configured for native mode.

Secondary sites inherit the following site settings from their primary site:

  • Site mode

  • Port configuration for client requests

  • Custom Web site

If your site system servers have PKI certificates with their fully qualified domain names (FQDNs) in the certificate subject name, you must configure the same fully qualified domain names of site systems in Configuration Manager 2007.

How to Configure the Intranet FQDN of Site Systems

How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management

Configuring DNS for Configuration Manager Site System Roles

If your PKI deployment uses a certificate revocation list (CRL), ensure that Configuration Manager clients and native mode site systems can locate it. This requirement has the following considerations:

  • The CRL is published where computers have network connectivity to it. (For example, you might need additional CRL distribution points in the perimeter network for Internet-based clients, which clients contact by using an HTTP connection.)

  • Intervening network devices, such as firewalls, are configured to allow connectivity to the CRL distribution point.

  • Computers can successfully resolve the name of the CRL distribution points.

Certificate revocation checking is enabled by default for client computers in native mode when the site is installed in native mode but is disabled by default when the site is installed in mixed mode and then migrated to native mode. For more information, see Determine Whether You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode).

Certificate revocation checking is enabled by default with IIS and cannot be disabled with Configuration Manager. Ensure that native mode site systems can connect to a CRL distribution point that is listed in their site system certificate.

Note
For more information about CRL distribution points (CDPs), see the following Windows PKI information about configuring CDP and AIA extensions: http://go.microsoft.com/fwlink/?LinkId=103608.
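The following PowerShell script is an added example, not part of the original documentation or of Configuration Manager. It reads the CRL distribution points from an exported certificate and reports, for each HTTP location, whether the name resolves and whether the CRL can be downloaded from the computer where the script runs. The certificate path is an assumption; replace it with your own file.

```powershell
# Added example: verify that the CRL distribution points (CDPs) listed in a
# certificate can be located from this computer (name resolution + download).
param(
    [string]$CertPath = 'C:\Temp\sitesystem.cer'   # assumed path to an exported certificate
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 identifies the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning "No CRL distribution point extension in $($cert.Subject)"
    return
}

# On Windows, Format($true) renders each location as a "URL=..." line.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique

foreach ($url in $urls) {
    $row = [pscustomobject]@{ Url = $url; NameResolves = $null; Downloaded = $null; Detail = '' }

    if ($url -notmatch '^https?://') {
        # For example an ldap:// location, which this script does not test.
        $row.Detail = 'Not HTTP: check from a computer that can reach this location'
        $row; continue
    }

    $uri = [Uri]$url
    try {
        [System.Net.Dns]::GetHostAddresses($uri.Host) | Out-Null
        $row.NameResolves = $true
    } catch {
        $row.NameResolves = $false
        $row.Detail = "DNS: $($_.Exception.Message)"
        $row; continue
    }

    $client = New-Object System.Net.WebClient
    try {
        $bytes = $client.DownloadData($uri)      # blocked firewalls surface here
        $row.Downloaded = $true
        $row.Detail = "$($bytes.Length) bytes"
    } catch {
        $row.Downloaded = $false
        $row.Detail = "HTTP: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
    $row
}
```

Run it from each network location that matters (intranet client, perimeter network site system, Internet-based client), because the result reflects only the name resolution and firewall path of the computer and account that run it. The built-in `certutil -verify -urlfetch` command performs Windows' own retrieval for the same certificate file.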

Clients must be running the Configuration Manager 2007 client.

Clients running Systems Management Server (SMS) 2003 are not supported.

Important
Client computers running Windows 2000 Professional or Windows 2000 Server cannot support native mode and will be unmanaged if they are assigned to a site that is configured for native mode.
