ConfigMgr and Active Directory Integration (Extending the Schema)


I got some questions that why Active directory integration is required in Configuration Manager, so thought just put theoretical information which will help to understand the concept. (Ref. Book : System Center 2012 Configuration Manager (SCCM) Unleashed)
Active Directory is the central information store used by Windows Server to maintain entity and relationship data for a wide variety of objects in a networked environment. AD provides a set of core services, including authentication, authorization, and directory services. ConfigMgr takes advantage of the AD environment to support many of its features.
ConfigMgr can use AD to publish information about its sites and services, making it easily accessible to Active Directory clients. To take advantage of this capability, you must extend the AD schema to create classes of objects specific to ConfigMgr. Although implementing ConfigMgr does not require extending the schema, it is required for certain ConfigMgr features. Extending the schema also greatly simplifies ConfigMgr deployment and operations.
Schema Extensions
All objects in AD are instances of classes defined in the AD schema. The schema provides definitions for common objects such as users, computers, and printers. Each object class has a set of attributes that describes members of the class. As an example, an object of the computer class has a name, operating system, and so forth.
The schema is extensible, allowing administrators and applications to define new object classes and modify existing classes. Using the schema extensions provided with Configuration Manager eases administration of your ConfigMgr environment. The ConfigMgr schema extensions are relatively low risk, involving only a specific set of classes not likely to cause conflicts. Nevertheless, you need to test any schema modifications before applying them to your production environment.
The Active Directory schema extensions for ConfigMgr 2012 are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not have to extend the schema again for ConfigMgr 2012.  The Active Directory schema can be extended before or after running ConfigMgr 2012 Setup, however as a best practice, it’s best to extend the schema before you run Configuration Manager 2012 Setup. You have to extend the Active Directory schema only once for the forest that contains site servers; you do not have to extend the schema again if you upgrade the operating systems on the domain controllers or after you raise the domain or forest functional levels.
After you extend the AD schema and perform the other steps necessary to publish site information to AD, ConfigMgr sites can publish information to AD.
Tools for Extending the Schema
You can extend the schema in either of two ways:
  • Running the ExtADSch.exe utility from the ConfigMgr installation media
  • Using the LDIFDE (Lightweight Data Interchange Format Data Exchange) utility to import the ConfigMgr_ad_schema.ldf LDIF file
The ConfigMgr schema modifications create four new classes and 14 new attributes used with these classes. Here is what the created classes represent:
  • Management points: Clients can use this information to find a management point.
  • Roaming boundary ranges: Clients can use this information to locate ConfigMgr services based on their network location.
  • Server locator points (SLPs): ConfigMgr 2007 clients can use this information to find a SLP. This class is created but it is not used in System Center 2012 Configuration Manager. SLP functionality is now integrated into the management point and the SLP no longer exists as a separate site system role.
  • ConfigMgr sites: Clients can retrieve important information about the site from this AD object.
Additional Active Directory Benefits
In an AD environment, all processes run in the security context of a user or a security context supplied by the operating system. System Center 2012 Configuration Manager uses Active Directory to authenticate administrative users and authorize user account for administrative roles. Each system has a computer account that you can add to user groups and grant access to resources. ConfigMgr makes extensive use of system and computer accounts to connect securely to network services and client systems, as well as providing security contexts for its internal operations. Using system accounts greatly simplifies administration. You can use additional AD accounts to supplement the available system accounts.
Here are other ways ConfigMgr can take advantage of AD:
  • Discovering information about your environment; including the existence of potential client systems, users, and groups.  Before implementing AD discovery methods, evaluate your AD data to ensure it is reliable and up to date. Importing obsolete records for users and computers that no longer exist or have changed may cause problems with various ConfigMgr operations.
  • Assigning and installing clients using group policy
  • Using certificates and certificate settings deployed through AD. For example, if you use the System Center Updates Publisher (SCUP) to deploy custom software updates, you can use AD to deploy the required certificates to the trusted store on client computers.

Comments

Post a Comment

Popular posts from this blog

Setup failed to install SMS Provider (Setup cannot compile MOF file \bin\i386\NetDisc.mof)

I had uninstalled the SCCM 2007 secondary site & again was trying to install it on the same hardware without formatting the OS. In the setup installation, while installing the SMS provider component it gave the error  'Setup failed to install SMS provider' When I checked it in ConfigMgrSetup.log CompileMOFFile:Failed to compile MOF E:\SMS\bin\i386\NetDisc.mof, error -2147217407 Setup cannot compile MOF file E:\SMS\bin\i386\NetDisc.mof. Do you want to continue? Setup failed to install SMS Provider. For more information about this error, see Microsoft Knowledge Base at http://microsoft.com or contact Microsoft Technical Support for further assistance. This type of error can also occur when the namespace 'NetworkModel' is not removed from WMI, while uninstallation of SCCM, on the same machine and then an SCCM 2007 RTM install is attempted. In my case  I had uninstalled the secondary site from the same hardware machine & was tryi...
Read more

Description = "User \"Domain\\SCCMAdmin2\" does not have permissions to grant rights on this instance."; ErrorCode = 1112017920;

The domain user account which had full Security rights in SCCM console, if got disabled & your new domain account is not having equivalent full rights. Then how will you access SCCM objects or delgate access to other user accounts? Security rights provide the capability to define and refine the level of access that users have when working with configuration manager objects. This gives you the ability to delegate specific tasks to specific groups of users. In my environment SCCM 2007 was installed by domain admin account "domain\SCCMAdmin1" on Primary site server. Domain\SCCMAdmin1 account has full access on all instances. As employee left the organization, this user account got disabled. Then we created another domain admin account "domain\SCCMAdmin2", Now if anyone will try to copy permissions of "domain\SCCMAdmin1" to "domain\SCCMAdmin2", definately it will give following error Errors ConfigMgr Error Object: ...
Read more

SMS Advanced Client Push Installation process

The article describes the SMS Advanced Client Push Installation process Pre-installation stage  1. During the pre-installation stage, When the Client Push Installation wizard starts, Client Configuration Request (CCR) is created for each targeted computer. Each CCR is placed into the Inboxes\CCR.box folder on the site server. Client Configuration Manager (CCM) selects a CCR from the Inboxes\CCR.box folder on the site server (CCM tasks are logged in ccm.log on the site server) The CCR file contains the client computer name and additional information.  2. The SMS Client Configuration Manager connects to the ADMIN$ share on the client. This is based on the information in the CCR file.  3. The Client Configuration Manager attempts to connect to the computer using the Client Push Installation Account (if the connection was not successful it attempts to connect to the computer by using the site server computer account). The Client Configuration Manager connects to the clie...
Read more