Active Directory Integration
Active Directory is the central information store used by Windows Server to maintain entity and relationship data for a wide variety of objects in a networked environment. AD provides a set of core services, including authentication, authorization, and directory services. ConfigMgr takes advantage of the AD environment to support many of its features. For information about Active Directory in Windows Server 2008 R2, see http://www.microsoft.com/windowsserver2008/en/us/active-directory.aspx.
ConfigMgr can use AD to publish information about its sites and services, making it easily accessible to Active Directory clients. To take advantage of this capability, you must extend the AD schema to create classes of objects specific to ConfigMgr. Although implementing ConfigMgr does not require extending the schema, it is required for certain ConfigMgr features. Extending the schema also greatly simplifies ConfigMgr deployment and operations. The “Schema Extensions” section discusses extending the AD schema. Chapter 4, “Architecture Design Planning,” discusses the benefits and feature dependencies of the extended schema.
All objects in AD are instances of classes defined in the AD schema. The schema provides definitions for common objects such as users, computers, and printers. Each object class has a set of attributes that describes members of the class. As an example, an object of the computer class has a name, operating system, and so forth. Additional information about the AD schema is available at http://msdn.microsoft.com/en-us/library/ms675085.aspx.
The schema is extensible, allowing administrators and applications to define new object classes and modify existing classes. Using the schema extensions provided with Configuration Manager eases administration of your ConfigMgr environment. The ConfigMgr schema extensions are relatively low risk, involving only a specific set of classes not likely to cause conflicts. Nevertheless, you need to test any schema modifications before applying them to your production environment.
After you extend the AD schema and perform the other steps necessary to publish site information to AD, ConfigMgr sites can publish information to AD.
The next sections describe the process for extending the schema and configuring sites to publish to AD, as well as the AD objects and attributes created by the schema extensions.
Tools for Extending the Schema
You can extend the schema in either of two ways:
- Running the ExtADSch.exe utility from the ConfigMgr installation media
- Using the LDIFDE (Lightweight Data Interchange Format Data Exchange) utility to import the ConfigMgr_ad_schema.ldf LDIF file
To use all the features of ConfigMgr 2012, you must use Active Directory with Windows Server 2003 or later. Windows 2000 domains are supported with reduced functionality; most notably, Active Directory Forest Discovery does not work with Windows 2000 domains. If you are extending the schema on a Windows 2000 domain controller, you must use the LDIF file.
Using ExtADSch.exe is the simplest way to extend the schema, and until ConfigMgr 2007 it was the only way. ExtADSch.exe creates the log file extadsch.log in the root of the system drive (%systemdrive%), which lists all schema modifications it has made and the status of the operation. Following the list of attributes and classes that have been created, the log should contain the entry Successfully extended the Active Directory schema.
LDIFDE is a powerful command-line utility for extracting and updating directory service data on Active Directory servers. LDIFDE provides command-line switches, allowing you to specify a number of options, including some you may want to use when updating the schema for ConfigMgr. Table 3.1 includes the options that you are most likely to use.
Table 3.1. LDIFDE Command-Line Switches and Descriptions

Switch   Description
-i       Turns on Import Mode. Required for updating the schema.
-f       Filename. (Used to specify the location of the ConfigMgr_ad_schema.ldf file.)
-j       Log file location.
-v       Turns on Verbose Mode.
-k       Ignore Constraint Violation and Object Already Exists errors. (Use with caution. May be useful if the schema is previously extended for ConfigMgr.)
The options vary slightly, depending on the Windows Server version you are running. You can see a complete listing of LDIFDE syntax by entering this command:
You can also find detailed information about using LDIFDE at http://technet.microsoft.com/en-us/library/cc731033.aspx. Here is an example of a typical command to update the schema for ConfigMgr:
ldifde -i -f ConfigMgr_ad_schema.ldf -v -j SchemaUpdate.log
The verbose logging available with LDIFDE includes more detail than the log file generated by ExtADSch.exe. The ConfigMgr_ad_schema.ldf file allows you to review all intended changes before they are applied. You can also modify the LDF file to customize the schema extensions. As an example, you can remove the sections for creating classes and attributes that already exist as an alternative to using the -k switch referred to in Table 3.1.
Extending the Schema
Each AD forest has a single domain controller with the role of schema master. All schema modifications are made on the schema master. To modify the schema, you must log on using an account in the forest root domain that is a member of the Schema Admins group.
The ConfigMgr schema modifications create four new classes and 14 new attributes used with these classes. Here is what the created classes represent:
- Management points: Clients can use this information to find a management point.
- Roaming boundary ranges: Clients can use this information to locate ConfigMgr services based on their network location.
- Server locator points (SLPs): ConfigMgr 2007 clients can use this information to find an SLP. This class is created but not used in System Center 2012 Configuration Manager. SLP functionality is now integrated into the management point, and the SLP no longer exists as a separate site system role.
- ConfigMgr sites: Clients can retrieve important information about the site from this AD object.
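Whichever tool you used, you can confirm the result of the extension from PowerShell rather than by reading the log or opening the Schema Management snap-in. The following function is an added example, not code from the book or from the ConfigMgr product; it assumes the ActiveDirectory module (RSAT) is installed, queries the schema naming context for the classes and attributes described above, and, if the ExtADSch.exe log exists, checks it for the success entry.

```powershell
# Added example (not from the book): confirm the ConfigMgr schema extension.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can
# read the schema naming context of the forest.
Import-Module ActiveDirectory

function Test-ConfigMgrSchemaExtension {
    [CmdletBinding()]
    param(
        # ExtADSch.exe writes its log to the root of the system drive.
        [string]$LogPath = (Join-Path $env:SystemDrive 'extadsch.log')
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # Classes created by ConfigMgr have lDAPDisplayName values such as mSSMSSite;
    # the attributes it creates start with mS-SMS- (for example mS-SMS-Capabilities).
    $classes = @(Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=mSSMS*))')
    $attribs = @(Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=mS-SMS-*))')

    # Only ExtADSch.exe writes this log; LDIFDE runs leave it absent.
    $logOk = $null
    if (Test-Path -Path $LogPath) {
        $logOk = [bool](Select-String -Path $LogPath -Quiet -SimpleMatch `
            -Pattern 'Successfully extended the Active Directory schema')
    }

    # The text describes four new classes and 14 new attributes.
    [pscustomobject]@{
        SchemaMaster   = (Get-ADForest).SchemaMaster   # where schema changes are made
        ClassCount     = $classes.Count
        AttributeCount = $attribs.Count
        Classes        = $classes.lDAPDisplayName
        Attributes     = $attribs.lDAPDisplayName
        Complete       = ($classes.Count -eq 4) -and ($attribs.Count -eq 14)
        LogReportsOK   = $logOk
    }
}

Test-ConfigMgrSchemaExtension | Format-List
```

A Complete value of False with a nonzero count usually means a partial earlier run, which is the situation in which the -k switch or a trimmed LDF file from Table 3.1 comes into play.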
Viewing Schema Changes
If you are new to ConfigMgr and are curious about the details of the new classes you are adding when you extend the schema, the Schema Management MMC snap-in enables you to view their full schema definitions. Before adding the snap-in to the management console, you must install it by running the following command from the command prompt:
After installing the snap-in, perform the following steps to add Schema Management to the MMC:
- Select Start, choose Run, and then enter MMC.
- Choose Add/Remove snap-in from the File menu of the console.
- Click the Add button and then choose Active Directory Schema.
- Choose Close and then click OK to complete the open dialog boxes.
The left pane of the schema management tool displays a tree control with two main nodes—classes and attributes. If you expand out the classes node, you will find the following classes defined by ConfigMgr:
Clicking a class selects it and displays the attributes associated with the class in the right pane. The list of attributes for each class includes many attributes previously defined in AD, in addition to those attributes specifically created for System Center 2012 Configuration Manager. You can right-click a class and choose Properties to display its property page. For example, Figure 3.1 shows the general properties of the mSSMSSite class. For an explanation of these properties, click the Help button on the Properties page.
Figure 3.1. General properties of the schema class representing ConfigMgr sites.
You can see the 14 ConfigMgr attributes under the Attributes node in the schema management console. The names of each of these attributes start with mS-SMS. You can right-click an attribute and choose Properties to display its property page. Figure 3.2 shows the properties of the mS-SMS-Capabilities attribute.
Figure 3.2. General properties of the schema attribute representing site capabilities.
After extending the schema, you must complete several tasks before ConfigMgr can publish the objects it will use to Active Directory:
- Create the System Management container where the ConfigMgr objects will reside in AD: If you previously extended the schema for ConfigMgr 2007, the System Management container will already exist. Each domain publishing ConfigMgr data must have a System Management container.
- Set permissions on the System Management container: Setting permissions allows your ConfigMgr site servers to publish site information to the container.
- Configure your sites to publish to AD: You can specify one or more AD forests to which each site will publish. Publishing to a forest other than the site server’s local forest requires a cross-forest trust.
The next sections describe these tasks.
Creating the System Management Container
You can use the ADSIEdit MMC tool to create the System Management AD container. If you do not already have ADSIEdit installed, you can install the tool yourself.
On Windows Server 2008, add ADSIEdit using Server Manager. Configuring the domain controller server role automatically adds ADSIEdit to the Administrative Tools program group.
To create the System Management container from ADSIEdit, perform the following steps:
- Right-click the Root ADSI Edit node in the tree pane, select Connect to, and then click OK to connect to the default name context.
- Expand the default name context node in the tree pane. Then expand the node showing the distinguished name of your domain (this will begin with DC=<domain>) and right-click the CN=System node.
- Select New and then choose Object.
- Select Container in the Create Object dialog box and click Next.
- Enter the name System Management and then click Next and Finish, completing the wizard.
Figure 3.3 shows ADSIEdit with the tree control expanded to the CN=System node and the Create Object dialog box displayed.
Figure 3.3. Using ADSIEdit to create the System Management container.
Setting Permissions on the System Management Container
You can view the System Management container and set permissions on it using the Active Directory Users and Computers (ADUC) utility in the Windows Server Administrative Tools menu group. After launching ADUC, enable the Advanced Features option from the View menu. You can then expand out the domain partition and System container to locate System Management.
By default, only certain administrative groups have the rights required to create and modify objects in the System Management container. For security reasons, you should create a new group and add ConfigMgr site servers to it, rather than adding them to the built-in administrative groups. Perform the following steps to grant the required access to the ConfigMgr site server security group:
- Right-click the System Management container, choose Properties, and then select the Security tab.
- Click the Add button, and select the group used with your ConfigMgr site servers, as shown in Figure 3.4.
Figure 3.4. Selecting the Site server security group.
- Check the box for Full Control, as displayed in Figure 3.5, and choose OK to apply the changes.
Figure 3.5. Assigning permissions to the System Management container.
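The container creation and permission steps from the two sections above can also be scripted, which is useful when several domains must publish ConfigMgr data. The following PowerShell function is an added example, not the book's or Microsoft's code; it assumes the ActiveDirectory module is available, that it runs under an account allowed to create objects under CN=System and change the container's ACL, and that a dedicated site server group already exists (the group name 'ConfigMgr Site Servers' is a placeholder). It creates the container only if it is missing, grants the group Full Control over the container and all descendant objects, and reads the ACL back so you can verify the result.

```powershell
# Added example (not from the book): create the System Management container
# and grant a dedicated site server group Full Control over it. Assumes the
# ActiveDirectory module and a sufficiently privileged account; the group name
# passed in is a placeholder for your own group.
Import-Module ActiveDirectory

function Initialize-SystemManagementContainer {
    param(
        [Parameter(Mandatory)] [string]$SiteServerGroup
    )
    $domainDN    = (Get-ADDomain).DistinguishedName
    $parentDN    = "CN=System,$domainDN"
    $containerDN = "CN=System Management,$parentDN"

    # Step 1: create the container only if it does not already exist
    # (it is already present if the schema was extended for ConfigMgr 2007).
    $existing = Get-ADObject -SearchBase $parentDN -SearchScope OneLevel `
        -LDAPFilter '(cn=System Management)'
    if (-not $existing) {
        New-ADObject -Name 'System Management' -Type container -Path $parentDN
    }

    # Step 2: grant Full Control (GenericAll) to the dedicated group, applied to
    # this object and all descendant objects, instead of adding site servers to
    # a built-in administrative group.
    $group   = Get-ADGroup -Identity $SiteServerGroup
    $aclPath = "AD:\$containerDN"
    $acl     = Get-Acl -Path $aclPath
    $rule    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $aclPath -AclObject $acl

    # Return the ACEs that now apply to the group so the change can be verified.
    (Get-Acl -Path $aclPath).Access |
        Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

Initialize-SystemManagementContainer -SiteServerGroup 'ConfigMgr Site Servers'
```

Run it once per domain that will publish ConfigMgr data, as each such domain needs its own System Management container.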
Configuring Sites to Publish to Active Directory
Perform the following steps to configure a ConfigMgr site to publish site information to AD:
- In the ConfigMgr 2012 console, select the Administration workspace.
- Expand Site Configuration -> Sites. In the Sites pane, highlight the desired site, and click Properties on the ribbon bar.
- Select the Publishing tab, and then select the check box next to each forest to which the site will publish, as shown in Figure 3.6.
Figure 3.6. Configuring a site to publish to AD.
After extending the schema and taking the other steps necessary to enable your sites to publish to AD, you should see the ConfigMgr objects displayed in the System Management container. Figure 3.7 shows the ConfigMgr objects viewed in Active Directory Users and Computers.
Figure 3.7. The System Management container displayed in Active Directory Users and Computers. You can use ADSIEdit to view object details.
Additional Active Directory Benefits
In an AD environment, all processes run in the security context of a user or a security context supplied by the operating system. System Center 2012 Configuration Manager uses Active Directory to authenticate administrative users and to authorize user accounts for administrative roles. Each system has a computer account that you can add to user groups and grant access to resources. ConfigMgr makes extensive use of system and computer accounts to connect securely to network services and client systems, as well as to provide security contexts for its internal operations. Using system accounts greatly simplifies administration. You can use additional AD accounts to supplement the available system accounts. Chapter 20, “Security and Delegation in Configuration Manager,” discusses authentication, access control, and accounts used in ConfigMgr.
Here are other ways ConfigMgr can take advantage of AD:
- Discovering information about your environment, including the existence of potential client systems, users, and groups. Chapter 4 discusses how you can use this information to plan user-centric management. Before implementing AD discovery methods, evaluate your AD data to ensure it is reliable and up to date. Importing obsolete records for users and computers that no longer exist or have changed may cause problems with various ConfigMgr operations. Chapter 9, “Configuration Manager Client Management,” provides details about configuring the discovery process.
- Assigning and installing clients using group policy, also described in Chapter 9.
- Using certificates and certificate settings deployed through AD. For example, if you use the System Center Updates Publisher (SCUP) to deploy custom software updates, you can use AD to deploy the required certificates to the trusted store on client computers.