Modify MDM Active Directory Service Connection Points
10/3/2008
The System Center Mobile Device Manager (MDM) Active Directory configuration tool, ADConfig.exe, creates the MDM Active Directory Service Connection Points (SCPs) and performs other Active Directory® configuration. The procedures in this topic show you how to modify or clear the Active Directory SCPs. Follow these steps if, after installation, you have to change ports or fully qualified domain name (FQDN) values.
During this process, you will need a low-level Active Directory Editor, such as Active Directory Service Interfaces (ADSI). For more information about ADSI, see ADSIEdit Overview on this Microsoft TechNet Web site: https://go.microsoft.com/fwlink/?LinkId=105659
Warning
If you change MDM SCPs, it could cause MDM to function incorrectly. If the SCP is changed and the Secure Sockets Layer (SSL) certificates on the servers do not match the changed FQDNs in the SCP, this will cause some MDM components to fail. For example, MDM Administrator Tools will be unable to authenticate with the server correctly because the SCP FQDN does not match the certificate FQDN. We recommend that you do not modify the SCPs unless there is no other option for your configuration.
Members of the SCMDM2008ServerAdministrators group have read/write permission for the Keywords attribute on the SCPs. Therefore, a member of the group should be able to perform the procedures in this section without the intervention of a domain administrator.
MDM Active Directory SCPs
During Active Directory configuration, ADConfig.exe creates the MDM Active Directory SCPs under the \System\SCMDM2008 path, in the default naming context of the domain in which you first ran ADConfig.exe.
ADConfig.exe creates the SCPs and populates them with limited data. During MDM Setup, the SCPs are populated with additional information. The SCPs are an important part of the setup process.
MDM uses the SCPs for the following:
- If this is the first installation for an MDM system component, MDM Setup prompts you to set the location of the database. Database values are stored in the Dependencies SCP and used during later MDM installations.
  MDM Setup sets the database keyword on the Dependencies SCP to the SQL database that MDM will use. It also sets the sqlinstance keyword on the SCP if you specify an instance of SQL Server during MDM Setup.
- MDM Setup references the SCPs to help determine whether this is the first MDM Device Management Server or MDM Enrollment Server in an MDM system configuration.
- Servers use the SCPs to locate other servers, or server load balancers, and also to determine what other types of servers are installed or configured.
- MDM Administrator Tools use the SCPs to locate servers and load balancers, and to communicate with them.
- MDM servers and services use the SCPs to locate databases.
Enrollment Server SCP
When you set up the first computer that is running MDM Enrollment Server, you enter either the FQDN for MDM Enrollment Server, or the FQDN for the MDM Enrollment Server load balancer. MDM uses the FQDN that you provided to configure the MDM Enrollment Server SCP and the MDM Enrollment Server certificates.
Device Management Server SCP
When you set up the first computer that is running MDM Device Management Server, you enter either the FQDN of the MDM Device Management Server, or the FQDN of the MDM Device Management Server load balancer. MDM Setup uses the FQDN that you provided to configure the MDM Device Management Server SCP and the MDM Device Management Server certificates.
Dependencies SCP
MDM configures the Dependencies SCP the first time that you set up either a computer that is running MDM Device Management Server or MDM Enrollment Server, whichever you install first.
MDM SCP Configuration Details
The following shows the keyword attributes of the three MDM SCPs.
MDM Enrollment Server SCP
Keyword | Value |
---|---|
777E4F2E-CAC2-424E-BB71-2ABDA7F58947 | MDM uses the GUID to find the SCP. The GUID does not have a value, but is a keyword of the SCP. Do not modify this property. |
SCMDM2008Enrollment | The name of the SCP. It does not have a value, but is a keyword of the SCP. Do not modify this property. |
url | Path of the MDM Enrollment Web site for the MDM Enrollment Server FQDN or MDM Enrollment Server load balancer FQDN. Example: https://en.contoso.com:443/EnrollmentServer/Service.asmx. Automatic requests for certificates for this FQDN occur during MDM Setup. Note: The MDM Enrollment Server port is fixed at 443. |
adminurl | The FQDN and port of the MDM Administration Web site for the MDM Enrollment Server FQDN, or MDM Enrollment Server load balancer FQDN. Example: es.contoso.com:8445. Note: Contains the port of the MDM Administration Web site. |
instance | For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is SCMDM2008. Do not modify this property. |
version | For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is 1.0.0.0. Do not modify this property. |
MDM Device Management Server SCP
Keyword | Value |
---|---|
777E4F2E-CAC2-424E-BB71-2ABDA7F58947 | MDM uses the GUID to find the SCP. The GUID does not have a value, but is a keyword of the SCP. Do not modify this property. |
SCMDM2008DeviceManagement | The name of the SCP. It does not have a value, but is a keyword of the SCP. Do not modify this property. |
url | The FQDN and port of the MDM Device Management Web site for the MDM Device Management Server FQDN or MDM Device Management Server load balancer FQDN, entered during the first setup of MDM Device Management Server. Example: https://dm.contoso.com:8443/MDM/TEE/Handler.ashx. Automatic requests for certificates for this FQDN occur during MDM Setup. Note: FQDN specifies that you must include a port, unless it is port 443. |
adminurl | The FQDN and port of the Administration Web service for the MDM Device Management Server FQDN or MDM Device Management Server load balancer FQDN. Example: dm.contoso.com:8446. Note: Contains the port of the Enrollment Administration Web site. |
instance | For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is SCMDM2008. Do not modify this property. |
version | For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is 1.0.0.0. Do not modify this property. |
Dependencies SCP
Keyword | Value |
---|---|
777E4F2E-CAC2-424E-BB71-2ABDA7F58947 | MDM uses the GUID to find the SCP. The GUID does not have a value, but is a keyword of the SCP. Do not modify this property. |
SCMDM2008Dependencies | The name of the SCP. It does not have a value, but is a keyword of the SCP. Do not modify this property. |
database | The FQDN of the single database server for all MDM databases. Example: db.contoso.com |
sqlinstance | An SQL instance where MDM databases reside. If you are prompted for the location of the database, you must provide the FQDN of the database server and the SQL instance name. Example: db.contoso.com\SQLInstanceName. If you are using the default SQL instance, you can omit the instance name. Example: db.contoso.com |
caserver | The certification authority server from which MDM Setup requests server certificates during MDM installation (if this option is selected). |
cainstance | The certification authority name from which MDM Setup requests server certificates during MDM installation (if this option is selected). |
instance | For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is SCMDM2008. Do not modify this property. |
version | For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is 1.0.0.0. Do not modify this property. |
Modifying MDM Active Directory SCPs
After you install MDM, or because of a system modification, you might have to change either the port or the FQDN in an MDM Enrollment Server SCP or MDM Device Management Server SCP. Additionally, you might have to change an SQL instance of the Dependencies SCP.
If you modify the SCPs, you must restart all MDM services on all computers that are running MDM. This includes MDM Device Management Server and MDM Enrollment Server, and all administration consoles or any open MDM Shell. The restarts are necessary to detect the new SCPs correctly.
Note
If you change the FQDNs, the change can cause problems with the MDM system if the FQDNs do not match the SSL certificates installed on the Web services or the Gateway Central Management service (GCM). Changing the SCPs might require that you reissue certificates.
Warning
If you modify Active Directory with a low-level editor such as ADSI Edit, it could cause problems with your Active Directory structure or environment. If you modify Active Directory, the changes could cause serious system errors. We cannot guarantee that these errors are solvable. Modify Active Directory at your own risk.
Modify an MDM Server SCP
This section shows you how to change either the port or the FQDN in an MDM Enrollment Server SCP or MDM Device Management Server SCP. As with all system modifications, missteps could make your MDM system unstable.
To Modify an MDM Server SCP
Open ADSI Editor.
Expand the domain in which you first ran the ADConfig tool.
Expand CN=System.
Expand CN=SCMDM2008. The following list of the MDM SCPs is displayed:
- SCMDM2008Dependencies
- SCMDM2008DeviceManagement
- SCMDM2008Enrollment
Right-click the SCP that you want to modify. For example, CN=SCMDM2008DeviceManagement.
Note: To modify the Dependencies SCP, see the procedure in the following section.
Select Properties.
In the CN=SCMDM2008DeviceManagement Properties dialog box, select Show only attributes that have values.
Locate and then select the keywords attribute.
Choose Edit to view the current values for the MDM Device Management Server SCP.
In the Multi-valued String Editor dialog box, select the value that you want to modify and then choose Remove. The value appears in the Value to add box.
Modify the entry, but do not change the adminurl= or url= label in front of the newly modified Value to add entry.
Choose Add. The modified entry appears in the Values list.
Choose OK two times to close the editor.
If you uninstall all computers that are running MDM from your infrastructure and plan to reinstall the MDM system later, make sure that you clear the values of the following keywords in the MDM server SCPs: adminurl= and url=. Clear only the values; do not remove the adminurl= and url= keywords themselves.
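A pre-change check for the edit described above, as an added example that is not part of the original topic or any Microsoft tool: it validates a proposed keywords list for a server SCP against the rules in the tables and against the names on the server's SSL certificate. The function names are hypothetical, the certificate names are supplied by the caller, and storing instance and version as label=value strings is an assumption.

```python
from urllib.parse import urlsplit

GUID = "777E4F2E-CAC2-424E-BB71-2ABDA7F58947"   # "Do not modify" keyword
FIXED = {"instance": "SCMDM2008", "version": "1.0.0.0"}  # assumed label=value
SERVER_SCPS = {"SCMDM2008Enrollment", "SCMDM2008DeviceManagement"}

def parse_keywords(values):
    """Split the multi-valued attribute into bare keywords and label=value pairs."""
    bare, pairs = set(), {}
    for raw in values:
        label, sep, value = raw.partition("=")
        if sep:
            pairs[label.strip().lower()] = value.strip()
        else:
            bare.add(raw.strip())
    return bare, pairs

def endpoint(value):
    """(host, port) from 'https://host:port/path' or 'host:port'; bad port raises."""
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "").lower(), parts.port

def check_server_scp(values, cert_names):
    """Return the problems found in a proposed keyword list (empty list = OK)."""
    bare, pairs = parse_keywords(values)
    certs = {n.lower() for n in cert_names}
    problems = []
    if GUID not in bare:
        problems.append("GUID keyword missing")
    if len(bare & SERVER_SCPS) != 1:
        problems.append("SCP name keyword missing or changed")
    for label, expected in FIXED.items():
        if pairs.get(label) != expected:
            problems.append(f"{label} must stay {expected}")
    for label in ("url", "adminurl"):
        if label not in pairs:
            problems.append(f"{label}= label removed")
        elif pairs[label]:  # an empty value is the cleared, pre-reinstall state
            host, port = endpoint(pairs[label])
            if host not in certs:
                problems.append(f"{label} FQDN {host} not on the certificate")
            if label == "url" and "SCMDM2008Enrollment" in bare and port not in (None, 443):
                problems.append("Enrollment url port is fixed at 443")
    return problems

# Constructed sample: a Device Management SCP using the page's example values.
SAMPLE = [GUID, "SCMDM2008DeviceManagement", "instance=SCMDM2008", "version=1.0.0.0",
          "url=https://dm.contoso.com:8443/MDM/TEE/Handler.ashx",
          "adminurl=dm.contoso.com:8446"]

if __name__ == "__main__":
    print(check_server_scp(SAMPLE, ["dm.contoso.com"]))
```

Run it on the values you intend to enter in the Multi-valued String Editor before choosing OK; a non-empty result means the change would break certificate matching or alter a keyword the tables mark as fixed.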
Modify the Dependencies SCP
This section shows you how to modify the FQDN in the URL of the database server or change the SQL instance. Follow these steps only if your SCP does not point to the correct database, or if you changed the database name. As with all system modifications, missteps could make your MDM system unstable.
To modify the Dependencies SCP
In ADSI Editor, right-click CN=SCMDM2008Dependencies, and then select Properties.
Locate and select the keywords attribute.
Choose Edit to view the current values for the MDM Device Management Server SCP.
In the Multi-valued String Editor dialog box, select the value that you want to modify.
Choose Remove.
The value appears in the Value to add box.
Modify the entry, but do not change the database= or the sqlinstance= label in front of it.
Choose Add to add the modified value to the list, and then choose OK.
If you uninstall all computers that are running MDM from your infrastructure but plan to reinstall the MDM system later, make sure that you clear the values of the following Dependencies SCP keywords: database= and sqlinstance=. Clear only the values; do not remove the database= and sqlinstance= keywords themselves.