The Site Mode tab defines whether the Configuration Manager 2007 site will operate in native mode or mixed mode, together with the settings that depend on the site mode. Site modes specify how clients communicate with the site. To select the mode that the site will operate in, select either Native or Mixed from the Site mode drop-down list.
This tab is not visible when viewing the properties of a secondary site. Secondary sites inherit the settings contained on the site mode tab from their parent site.
Important: To ensure clients do not become unmanaged as a result of changing the site mode from mixed to native, see Administrator Checklist: Migrating a Site to Native Mode.
After selecting the site mode, the options displayed depend on whether you have selected native mode or mixed mode.
Note: If you change the site mode from mixed mode to native mode and you have a network load balancing (NLB) management point that is specified with an IP address, you must reconfigure the NLB management point to use a fully qualified domain name (FQDN) instead. Until you reconfigure the NLB management point with an FQDN, clients will be unable to contact their default management point and will be unmanaged. For more information, see How to Configure the Intranet FQDN of an NLB Management Point.
Native Mode Settings Properties
If you select native mode site operation, the following native mode properties are displayed.
- Site server signing certificate
- Specifies the site server signing certificate, which is a requirement to configure the site to use native mode operation. This certificate must already be deployed to the site server externally to Configuration Manager 2007. You cannot configure native mode without specifying this certificate.
Note: The site server signing certificate must be configured directly on each primary site database. You cannot configure the site mode for a child primary site from a parent primary site because the certificate cannot be validated correctly in this scenario.
- Certificate
- Specifies the site server signing certificate for the site. If the certificate has been selected, this displays either the friendly name of the certificate if the certificate has a friendly name, or <No friendly name> if the selected certificate does not have a friendly name. If the certificate is not yet specified, click Browse to select it, or type the thumbprint in the Thumbprint text box. This certificate is used by the site server to sign client policies. To accept policies signed by this certificate, clients must also have a copy of the site server signing certificate. For more information, see Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode).
- Browse
- Browses to the certificate store on the site server so that you can select the site server signing certificate from the list of certificates displayed. Specifying the wrong certificate could result in the site being unmanaged, so the certificate you select will be validated for the following:
- The certificate is within its validity period and has not expired.
- The certificate has the correct certificate subject name, which includes the site code of the site.
- The certificate purpose includes document signing.
- Thumbprint
- If you cannot browse to the site server's certificate store (for example, you do not have appropriate permissions), but you have the certificate's thumbprint, you can enter it here. The thumbprint must be entered as a sequential string of hexadecimal characters. To eliminate typing errors, copy and paste the string from the certificate itself.
Note: You can copy the thumbprint using the Microsoft Certificates MMC snap-in. On the computer where it is stored, navigate to the Local Computer, Personal store, and expand Certificates. Double-click the certificate, and then click the Details tab. Scroll through the fields and click Thumbprint. Copy the string of hexadecimal numbers that is displayed in the text box.
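As an added example that is not part of this documentation, the following Python models the three checks listed under Browse and turns a thumbprint copied from the Certificates MMC snap-in into the sequential hexadecimal string the Thumbprint text box expects. The certificate record, the sample values and the subject wording are constructed assumptions, not Configuration Manager code or data.

```python
# Added example, not from the Configuration Manager 2007 documentation: models the
# three checks the Browse button applies to a site server signing certificate and
# normalises a thumbprint copied from the Certificates MMC snap-in.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
import re

@dataclass(frozen=True)
class SigningCertificate:
    """Constructed stand-in for the certificate fields the tab inspects."""
    subject: str               # certificate subject name
    not_before: datetime
    not_after: datetime
    purposes: tuple[str, ...]  # enhanced key usage friendly names

def normalize_thumbprint(raw: str) -> str:
    """Drop the spaces/colons the MMC display inserts between byte pairs and
    lowercase; raise ValueError unless 40 hex digits (one SHA-1 hash) remain."""
    cleaned = re.sub(r"[\s:]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError(f"not a sequential SHA-1 thumbprint: {raw!r}")
    return cleaned

def validate_signing_certificate(cert: SigningCertificate, site_code: str,
                                 now: datetime) -> list[str]:
    """Return the checks that failed; an empty list means the certificate
    passes validity period, site code in subject, and document signing purpose."""
    problems = []
    if not cert.not_before <= now <= cert.not_after:
        problems.append("outside validity period")
    if site_code.upper() not in cert.subject.upper():
        problems.append(f"subject does not contain site code {site_code}")
    if not any(p.lower() == "document signing" for p in cert.purposes):
        problems.append("purpose does not include document signing")
    return problems

# Constructed sample data (not real certificates); the subject wording is an
# assumption so that the site code check has something to find.
NOW = datetime(2009, 6, 1)
GOOD = SigningCertificate("CN=The site code of this site is ABC",
                          datetime(2008, 1, 1), datetime(2010, 1, 1),
                          ("Document Signing",))
WRONG = SigningCertificate("CN=sccm01.contoso.com", datetime(2006, 1, 1),
                           datetime(2008, 1, 1), ("Server Authentication",))
MMC_THUMBPRINT = "a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 01 12 23 34"  # constructed
```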
- Operating system deployment settings
- Specifies settings related to operating system deployment when the site is operating in native mode. These settings are inherited by secondary sites, but not child primary sites.
- Specify Root CA Certificates
- Opens the Specify Root CA Certificates dialog box, which allows you to import exported root certification authority certificates for clients that are assigned to the site. These might be required for operating system deployment clients to complete installation. For information about preparing the root certification authority certificates, see How to Prepare the Root Certification Authority Certificates for Operating System Deployment Clients.
- Client settings published to Active Directory
- Specifies the native mode site settings that are published to Active Directory Domain Services for client computers and are automatically used with client push installations. Client computers that can access these settings in Active Directory Domain Services are configured with these values periodically, including when site assignment succeeds, on startup, and every 25 hours. If client computers do not use the default settings, specify these options with CCMSetup installation properties if any of the following scenarios apply:
- The Active Directory schema is not extended for Configuration Manager 2007.
- The Active Directory schema is extended for Configuration Manager 2007 but you have clients that cannot access these settings because they are workgroup clients or are from another Active Directory forest.
- You want to specify different client settings for installation only.
- Enable CRL checking on clients
- Specifies whether Configuration Manager client computers check a certificate revocation list (CRL) before using the PKI certificates required for native mode. The default for this setting is to enable CRL checking when the site is installed in native mode. When the site is installed in mixed mode and then migrated to native mode, the default for this setting is to disable CRL checking for clients. For more information, see Determine Whether You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode).
- Allow HTTP communication for roaming and site assignment
- Specifies whether native mode client computers can use HTTP if they roam to a mixed mode site, so that they can communicate with the resident management point for content location and download content from that site's distribution points. Additionally, HTTP is required for communication with a server locator point, which is required for site assignment if the Active Directory schema is not extended for Configuration Manager 2007, and also if native mode client computers use a network load balancing management point on the intranet and cannot locate it from Active Directory Domain Services. The default for this option is not to allow HTTP communication for roaming and site assignment. For more information about this option, see Decide If You Need to Configure HTTP Communication for Roaming and Site Assignment (Native Mode).
- Certificate store
- Specifies the location of the client certificate to use in native mode. The default location is the Personal store in the Computer certificate store. If the client certificate has been deployed to an alternate location in the Computer store, specify it here.
- Certificate selection criteria
- Specifies the selection criteria to use if more than one valid certificate is found in the specified certificate store. The default setting is to check only the certificate purpose. To specify the certificate selection criteria, select one of the following options, and then specify any associated value:
- Check only certificate purpose: This option does not use the subject name or the subject alternative name when selecting certificates. Instead, certificates are selected only on the intended purpose of the certificate, which must include client authentication. This is the default certificate selection criterion.
- Subject contains string: The string match on the subject name in the certificate is a case-insensitive match. This selection criterion is appropriate if you are using the fully qualified domain name of a computer and you want the certificate selection to be based on the domain suffix, for example contoso.com. However, you can use this selection method to identify any string of sequential characters that differentiates the certificate from others in the client certificate store.
- Subject or alt includes attributes: The attribute identification is a case-sensitive match on the subject name or subject alternative name field in the certificate. This selection criterion is appropriate if you are using X.500 distinguished names or equivalent object identifiers, in accordance with RFC 3280, and you want the certificate selection to be based on the attribute values. Specify only the attributes and their values that you require to uniquely identify or validate the certificate and differentiate it from others in the client certificate store. The order in which the attributes are entered has no significance. For a list of attribute values that are supported for certificate selection criteria, refer to the table in Determine If You Need to Specify Client Certificate Settings (Native Mode). The following examples define certificate selection criteria by using object identifier attributes and by using distinguished name attributes:
- Example 1: 2.5.4.8=Maryland, 2.5.4.6=US, 2.5.4.10=Contoso, 2.5.4.11=Sales
- Example 2: ST=Maryland, C=US, O=Contoso, OU=Workstations
- If multiple certificates match criteria
- Specifies the action to take if Configuration Manager finds more than one valid certificate based on the settings specified:
- Select any certificate that matches: Of the certificates found that matched the selection, one will be chosen at random. If the client is running Configuration Manager 2007 SP1 or later, the certificate with the longest validity period is selected. If a connection is not successfully made with this certificate, the other certificates found will not be tried and the client will send an error message to its assigned fallback status point.
- Fail selection and send error message: None of the certificates will be used to attempt a connection. Instead, the client will not attempt communication with its management point and will send an error message to its assigned fallback status point. This is the default configuration.
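The following Python is an added example, not Configuration Manager code, that models the certificate selection criteria and the multiple-match handling described in the two preceding settings, run over a constructed certificate store. The certificate record, the OID table, the mode names and the sample certificates are assumptions made for the example; it also assumes that only unexpired certificates carrying the Client Authentication purpose are candidates under every criterion.

```python
# Added example, not from the Configuration Manager 2007 documentation: models the
# native mode client certificate selection rules above over a constructed store.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
# X.520 attribute OIDs to their DN abbreviations (covers both page examples)
OID_TO_ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.8": "ST",
               "2.5.4.10": "O", "2.5.4.11": "OU"}

@dataclass(frozen=True)
class ClientCert:
    subject: str               # DN such as "CN=pc1.contoso.com, O=Contoso"
    san: str                   # subject alternative name attributes, same syntax
    purposes: tuple[str, ...]  # enhanced key usage friendly names
    not_after: datetime

def parse_attributes(dn: str) -> set[tuple[str, str]]:
    """'k=v, k=v' -> {(ATTR, value)}; OIDs mapped, spacing ignored, values case-sensitive."""
    pairs = set()
    for part in filter(None, (p.strip() for p in dn.split(","))):
        key, _, value = part.partition("=")
        pairs.add((OID_TO_ATTR.get(key.strip(), key.strip().upper()), value.strip()))
    return pairs

def matches(cert: ClientCert, mode: str, value: str) -> bool:
    if mode == "subject_contains":   # case-insensitive substring on the subject
        return value.lower() in cert.subject.lower()
    if mode == "attributes":         # case-sensitive pairs, any order, subject or SAN
        have = parse_attributes(cert.subject) | parse_attributes(cert.san)
        return parse_attributes(value) <= have
    return mode == "purpose"         # purpose: subject and SAN are not inspected

def select_client_cert(store, mode, value, on_multiple, now):
    """Certificate the client would use, or None when it must instead send an error
    to its fallback status point. Assumes candidates are unexpired client-auth certs."""
    found = [c for c in store if c.not_after > now
             and "Client Authentication" in c.purposes and matches(c, mode, value)]
    if len(found) <= 1:
        return found[0] if found else None
    if on_multiple == "select_any":  # SP1 and later: longest validity period wins
        return max(found, key=lambda c: c.not_after)
    return None                      # "Fail selection and send error message"

NOW = datetime(2009, 6, 1)
STORE = [  # constructed sample store, not real certificates
    ClientCert("CN=pc1.contoso.com, O=Contoso, OU=Workstations, ST=Maryland, C=US",
               "", ("Client Authentication",), datetime(2010, 1, 1)),
    ClientCert("CN=pc1.contoso.com", "O=Contoso, OU=Sales, ST=Maryland, C=US",
               ("Client Authentication",), datetime(2011, 1, 1)),
]
```

With the default criterion both sample certificates qualify, so the outcome is decided entirely by the multiple-match setting.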
- OK
- Saves the changes and exits the dialog box.
- Cancel
- Exits the dialog box without saving any changes.
- Apply
- Saves the changes and remains in the dialog box.
- Help
- Opens the Site Properties: Site Mode Tab help documentation.
Mixed Mode Settings Properties
If you select mixed mode site operation, the following mixed mode properties are displayed.
- Approval Settings
- Specifies the client approval settings to use when authorizing computers to be fully managed in a mixed mode site. Approve clients in a mixed mode site to verify client identity. Ensure that you select a client approval method that fits your risk profile. For more information about securing clients, see Best Practices for Securing Clients, and for more information about approval, see About Client Approval in Configuration Manager.
Note: Changing the site approval method will not automatically reset the approval status of clients already assigned to the site. The new setting will take effect for newly assigned clients only.
- Manually approve each computer
- Manually approving every computer in the site introduces the least risk, but the largest administrative overhead. Clients must be manually approved from within the Configuration Manager console. Reference the procedure "To approve clients manually" in How to Approve Configuration Manager Clients.
- Automatically approve computers in trusted domains (recommended)
- Automatically approving computers in trusted domains automatically authorizes client computers joined to domains trusted by the site server's domain.
Important: If your Configuration Manager 2007 hierarchy spans multiple domains, the management point must be configured with an intranet FQDN to approve clients that are in a different domain to the site server's domain. For more information, see How to Configure the Intranet FQDN of Site Systems and Determine If You Will Use FQDN Server Names.
- Automatically approve all computers (not recommended)
- Automatically approving all computers will authorize any computer that requests assignment with the site. This setting is never recommended because it allows any computer to receive potentially sensitive data without verifying trustworthiness.
- This site contains only ConfigMgr 2007 clients.
- Regardless of the client approval method selected, this setting enables stronger client communication security settings available for Configuration Manager clients that are incompatible with SMS 2003 client communication settings. Before enabling this setting, ensure that you have no SMS 2003 clients in the site.
- Client Settings
- Specifies client data encryption settings for client information sent to management points.
- Encrypt data before sending to management point.
- Select this setting to encrypt inventory data and state messages sent from clients to their management point. The encryption method uses the client’s self-signed certificate that does not require a PKI, and it uses the 3DES algorithm rather than the more secure encryption method in native mode that uses a PKI certificate with SSL encryption. For more information about the differences in securing client data in mixed mode and native mode, see the table “Comparison of Mixed Mode and Native Mode” in the topic Benefits of Using Native Mode.
- OK
- Saves the changes and exits the dialog box.
- Cancel
- Exits the dialog box without saving any changes.
- Apply
- Saves the changes and remains in the dialog box.
- Help
- Opens the Site Properties: Site Mode Tab help documentation.
See Also
Tasks
How to Prepare the Root Certification Authority Certificates for Operating System Deployment Clients
Concepts
Configuration Manager Site Modes
Choose between Native Mode and Mixed Mode
About Client Approval in Configuration Manager
Determine Whether You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode)
Determine If You Need to Specify Client Certificate Settings (Native Mode)
Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode)
Renewing or Changing the Site Server Signing Certificate
About Configuration Manager Client Installation Properties