[Today's post is contributed by Carol Bailey]
The ISA documentation How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management has been updated with the following information:
Note: HTTP methods for the Internet-based software update point are not included because the HTTP verbs used by WSUS are not documented for the latest WSUS versions. However, previous versions document these as GET, HEAD, and POST and our preliminary testing confirms that these verbs are still used. If you want to increase security for the Internet-based software update point by restricting the HTTP verbs that are allowed, test this configuration yourself by using the instructions "To Modify the Web Publishing Rule to Enable the required HTTP Methods" and for the HTTP methods, substitute the following HTTP verbs: GET, HEAD and POST.
If you need to manually request certificates with a version of a Certification Authority (CA) that does not support Web enrollment for the computer store, see How to Request a Certificate With a Custom Subject Alternative Name for alternative certificate request methods.
This updated documentation has been published with the Community Content footer, so that you can share additional information about this scenario configuration with other customers.
Our thanks to Jim Harrison (Program Manager for Forefront TMG), Jason Jones (Forefront MVP), and Rachel Aldam (Technical Writer, Identity and Security Division) for their help in updating this documentation for our customers.
- Carol Bailey
This posting is provided "AS IS" with no warranties, and confers no rights.
[Today's post is from the Configuration Manager Writing Team]
The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web, and the latest content on the Web shows "Updated: July 1, 2010" at the top of the topic.
This month's revisions incorporate customer feedback to include instructions that are specific to Windows Server 2008 R2 in How to Configure Windows Server 2008 for Site Systems and How to Configure Network Load Balancing for Configuration Manager Site Systems.
We've also updated several of the supported configurations topics to include the following:
Additionally, the Application Compatibility Toolkit Connector in Configuration Manager is updated to reflect the changes implemented to support operating systems other than Vista. These changes were made to Application Compatibility Toolkit 5.5 and require Application Compatibility Toolkit Connector 2. The toolkit now supports Windows XP, Windows Vista, and Windows 7.
With the help of our publishing partners, we've been able to correct a publishing problem that some customers reported to us about links not working in some topics and the "Note" icons not displaying correctly. If you find other instances like this, let us know so that we can republish the topic and correct the problem.
Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com.
What's New in the Configuration Manager Documentation Library for July 2010
The following information lists the topics that contain significant changes since the June 2010 update.
Configuration Manager 2007 General Supported Configurations
Configuration Manager 2007 Supported Configurations
Configuration Manager 2007 SP1 Supported Configurations
Configuration Manager 2007 SP2 Supported Configurations
Configuration Manager 2007 R2 Supported Configurations
- Updated with the latest support statements and clarifications.
How to Configure Windows Server 2008 for Site Systems
- Updated to include information specific to Windows Server 2008 R2 and reformatted for easier reading.
How to Configure Network Load Balancing for Configuration Manager Site Systems
Decide If You Should Extend the Active Directory Schema
- Updated with the clarification that you do not need to extend the schema again for Configuration Manager if you upgrade the operating system on domain controllers or raise the functional level of the domain or forest.
Known Limitations in Configuration Manager Support for Windows Embedded
- Updated to clarify that operating system deployment for Windows Embedded is supported for stand-alone media only and that task sequences are supported for actions other than operating system deployment.
Setup Windows and ConfigMgr
- This task sequence image step documentation is updated to correct the explanation about when the alternate graphical identification and authentication (GINA) library is applied during the setup of deployed operating systems for computers running Windows XP and Windows Server 2003.
-- The Configuration Manager Writing Team
[Today's post is provided by Carol Bailey]
I've been seeing a steady increase in the number of questions that customers ask about Active Directory Domain Services in relation to Configuration Manager. Tech-Ed North America was no exception, which prompted me to write up some of these frequently asked questions.
Although this information is in the product documentation, I can understand why it's sometimes difficult to find the exact answer to a specific scenario, simply because there are so many possible variations. One documentation topic that holds a lot of this information is Configuration Manager in Multiple Active Directory Forests.
If you have an Active Directory-related question about Configuration Manager, see if it's addressed in this blog post. If you don't see the question listed, email SMSDocs@Microsoft.com with your question or suggestion.
Question: Can Configuration Manager manage clients when they are in a different domain to the site system servers?
Answer: Yes. The only potential gotcha is that when the site is in mixed mode, you must configure the management point with an FQDN for automatic approval to work. Tip: Check that name resolution (NetBIOS and FQDN) is working between the two domains.
Question: Do all my site system servers in a site have to be in the same domain?
Answer: No, site systems within the same site can be from different domains within the same forest, with the exception of the following:
Question: Do all my site system servers in a site have to be from the same forest?
Answer: Most of the time, yes. There are a few exceptions:
Question: Can Configuration Manager manage clients when they are in a different forest from the site server?
Answer: Yes, and this configuration does not require any PKI certificates or that you install any site system servers into this other forest. The most important thing to remember here is that these clients cannot access site information that is published by the site server to Active Directory Domain Services - even if there is a trust in place between the two forests. This means that when you install these clients, they require a server locator point to complete site assignment. Make sure that the server locator point is installed and that these clients can access it - and the easiest way to do this is to use the SMSSLP property when you install the client. For more information, see How to Create a Server Locator Point in Configuration Manager and How to Specify the Server Locator Point for Configuration Manager Client Computers.
Additionally:
Question: I need to support clients from another forest, so do I install the server locator point in the same forest as these clients or in the site server's forest?
Answer: Technically, you can install the server locator point in either forest. However, as a security best practice, install it in the site server's forest. If you have a firewall between the two forests, note that the server locator point requires unauthenticated client connections over HTTP. If this is against your security policies, an alternative configuration is to configure these clients for Internet-only client management, which does require PKI certificates and that the site is in native mode. This configuration does not require that these clients contact a server locator point. For more information, see the question "Is it possible to manage clients from another forest by using HTTPS connections only?"
Question: Can I install clients in another forest without downloading the client installation source files from the management point?
Answer: Yes. Copy the client installation source files from the management point or site server onto a file server in the clients' forest. Then use the CCMSetup property /source:<path> when you install the clients. The client installation source files are located in the <InstallationPath>\Client folder on the Configuration Manager 2007 site server and management points.
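The cross-forest client install described in the last few answers (FQDN and NetBIOS name resolution, an SLP reachable over unauthenticated HTTP, and a local copy of the client source files) can be pre-checked before running CCMSetup. The following PowerShell script is an added example, not part of the original post or the product; the site code, server names, share path and the SLP URL path /sms_slp/slp.dll are assumptions to verify against your own environment.

```powershell
# Added example: pre-flight checks before installing Configuration Manager 2007 clients
# that live in a forest other than the site server's. All names below are placeholders.
$SiteCode           = 'XYZ'                                   # placeholder site code
$ManagementPoint    = 'mp01.siteforest.example.com'           # FQDN (needed in mixed mode for auto-approval)
$ServerLocatorPoint = 'slp01.siteforest.example.com'          # SLP installed in the site server's forest
$SourceShare        = '\\fs01.clientforest.example.com\ConfigMgrClient'  # copy of <InstallationPath>\Client

function Test-NameResolution {
    param([string]$HostName)
    # Clients in the other forest must resolve both the FQDN and the short (NetBIOS-style) name.
    $short = $HostName.Split('.')[0]
    foreach ($name in @($HostName, $short)) {
        try {
            $entry = [System.Net.Dns]::GetHostEntry($name)
            Write-Host ("OK   {0} -> {1}" -f $name, ($entry.AddressList -join ', '))
        } catch {
            Write-Warning ("FAIL {0}: {1}" -f $name, $_.Exception.Message)
        }
    }
}

function Test-SlpReachable {
    param([string]$Slp)
    # The SLP accepts unauthenticated HTTP, so an anonymous GET is the right probe; a 401/403
    # here usually means a firewall or IIS setting is blocking anonymous access.
    # /sms_slp/slp.dll and the ir= client IP query are assumptions; 192.0.2.10 is a constructed address.
    $url = "http://$Slp/sms_slp/slp.dll?site&ir=192.0.2.10"
    try {
        $response = (New-Object System.Net.WebClient).DownloadString($url)
        Write-Host "OK   SLP responded over HTTP ($($response.Length) bytes)"
        return $true
    } catch {
        Write-Warning "FAIL SLP not reachable: $($_.Exception.Message)"
        return $false
    }
}

Test-NameResolution $ManagementPoint
Test-NameResolution $ServerLocatorPoint
$slpOk = Test-SlpReachable $ServerLocatorPoint

if ((Test-Path $SourceShare) -and $slpOk) {
    # SMSSLP points the client at the SLP for site assignment; /source keeps the installation
    # files from being pulled across the forest boundary from the management point.
    $cmd = "$SourceShare\ccmsetup.exe /source:$SourceShare SMSSLP=$ServerLocatorPoint SMSSITECODE=$SiteCode"
    Write-Host "Ready to run:`n  $cmd"
} else {
    Write-Warning "Fix the failed checks above before running ccmsetup.exe."
}
```

Run it on a test computer in the clients' forest; a failed short-name lookup points at WINS or DNS suffix search order between the domains, and a failed SLP probe usually points at the firewall between the forests.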
Question: What ports need to be open on a firewall between my two forests for client communication?
Answer: To install the clients, see Ports Used During Configuration Manager Client Deployment. Note that client push installation is the least firewall-friendly installation method, because it requires SMB and RPC. The ports that might be used after client installation will depend on the Configuration Manager features that you are using. For a list of operational ports, see Ports Used by Configuration Manager.
Question: Is it possible to manage clients from another forest by using HTTPS connections only?
Answer: Yes, if your site is in native mode, configure the native mode site systems for Internet connections and install these clients for Internet-only client management. For more information about this configuration, see Tips and Tricks: Using Internet-Only Client Management on the Intranet.
Question: Can I install a secondary site in another forest?
Answer: No. When your primary site is in forest A, Configuration Manager does not support installing a secondary site in forest B. In this scenario, you must install a primary site in forest B or use the primary site in forest A to manage clients in forest B.
Question: What additional configuration is required if I install a site in another forest?
Answer: If you are using secure key exchange between the sites, use the hierarchy maintenance tool (Preinst.exe) to configure manual key exchange. For more information, see How to Manually Exchange Public Keys Between Sites.
If there is no trust between the two forests, you must configure domain user accounts as site address accounts in the sender address properties of each site. If there is a full forest trust between the sites, you can use the site server computer accounts.
Question: Can I install site systems on domain controllers?
Answer: Yes. There is no technical restriction that prevents you from installing any of the site system roles on domain controllers. However, for security best practices, this is not recommended in a production environment.
Question: Can I install site systems on stand-alone servers (not in an Active Directory forest)?
Answer: No. All site systems must belong to an Active Directory forest. This includes branch distribution points and Internet-based site systems.
Question: Does any Configuration Manager feature or operation require a specific domain or forest functional level?
Answer: No. The only exception is when a full forest trust is required, which itself requires a minimum forest level of Windows Server 2003. A full forest trust is needed for the following:
Question: Does Configuration Manager support all versions of Active Directory Domain Services, including Windows Server 2008 R2?
Answer: Yes. However, for supported versions of the operating systems on clients and site systems, always check the Supported Configurations documentation for the version of Configuration Manager that you are running.
Question: Do I need to extend the schema again if I create new Configuration Manager sites or add computers from new domains?
Answer: No. Active Directory schema extensions are for the entire forest, so you need to extend the schema for Configuration Manager only once if your Configuration Manager hierarchy is contained within the forest. The only exception is if you create a new primary site in another forest, and you want this new site to publish to Active Directory Domain Services. In this scenario, extend the schema in the new forest (and configure the security permissions for the System Management container).
Question: Do I need to extend the schema again for Configuration Manager after upgrading to a later version of Configuration Manager (for example, Configuration Manager SP2) or after raising my Active Directory domain or forest functional level?
Answer: No. If you have extended the Active Directory schema for Configuration Manager, you do not need to extend it again for these scenarios. However, if you're upgrading from SMS 2003 to Configuration Manager, then you should extend the schema for Configuration Manager to benefit from the new site changes that are published to Active Directory Domain Services.
--Carol Bailey
Our team member Jason Lewis has recently finished his screencast series that covers desired configuration management (DCM) with Configuration Manager 2007. The series on his blog consists of 12 screencasts that begin with an introduction of DCM and take you through the authoring experience for the different objects and setting types.
You can see the screencast series here: http://blogs.technet.com/b/jasonlewis/archive/tags/screencasts/dcm/
You can also visit Jason's blog here: http://blogs.technet.com/b/jasonlewis/
--Yvette O'Meally