Modify MDM Active Directory Service Connection Points

10/3/2008

System Center Mobile Device Manager (MDM) Active Directory configuration tool, ADConfig.exe, creates the MDM Active Directory Service Connection Points (SCPs) and implements other Active Directory® configuration. The processes in this topic show you how to modify or clear the Active Directory SCPs. If, after installation, you have to change ports or fully qualified domain name (FQDN) values, follow these steps.

During this process, you will need a low-level Active Directory Editor, such as Active Directory Service Interfaces (ADSI). For more information about ADSI, see ADSIEdit Overview on this Microsoft TechNet Web site: https://go.microsoft.com/fwlink/?LinkId=105659

Warning

If you change MDM SCPs, it could cause MDM to function incorrectly. If the SCP is changed and the Secure Sockets Layer (SSL) certificates on the servers do not match the changed FQDNs in the SCP, this will cause some MDM components to fail. For example, MDM Administrator Tools will be unable to authenticate with the server correctly because the SCP FQDN does not match the certificate FQDN. We recommend that you do not modify the SCPs unless there is no other option for your configuration.

Members of the SCMDM2008ServerAdministrators group have read/write permission for the Keywords attribute on the SCPs. Therefore, a member of the group should be able to perform the procedures in this section without the intervention of a domain administrator.

MDM Active Directory SCPs

During Active Directory configuration, ADConfig.exe creates the MDM Active Directory SCPs under the \System\SCMDM2008 path, in the default naming context of the domain in which you first ran ADConfig.exe.

ADConfig.exe creates the SCPs and populates them with limited data. During MDM Setup, the SCPs are populated with additional information. The SCPs are an important part of the setup process.

MDM uses the SCPs for the following:

  • If this is the first installation for a MDM system component, MDM Setup prompts you to set the location of the database. Database values are stored in the Dependencies SCP and used during later MDM installations.
    MDM Setup sets the database keyword on the Dependencies SCP to the SQL database that MDM will use. It also sets the sqlinstance keyword on the SCP if you specify an instance of SQL Server during MDM Setup.
  • MDM Setup references the SCPs to help determine whether this is the first MDM Device Management Server or MDM Enrollment Server in an MDM system configuration.
  • Servers use the SCPs to locate other servers, or server load balancers, and also to determine what other types of servers are installed or configured.
  • MDM Administrator Tools use the SCPs to locate servers and load balancers, and to communicate with them.
  • MDM servers and services use the SCPs to locate databases.

Enrollment Server SCP

When you set up the first computer that is running MDM Enrollment Server, you enter either the FQDN for MDM Enrollment Server, or the FQDN for the MDM Enrollment Server load balancer. MDM uses the FQDN that you provided to configure the MDM Enrollment Server SCP and the MDM Enrollment Server certificates.

Device Management Server SCP

When you set up the first computer that is running MDM Device Management Server, you enter either the FQDN of the MDM Device Management Server, or the FQDN of the MDM Device Management Server load balancer. MDM Setup uses the FQDN that you provided to configure the MDM Device Management Server SCP and the MDM Device Management Server certificates.

Dependencies SCP

MDM configures the Dependencies SCP the first time that you set up either a computer that is running MDM Device Management Server or MDM Enrollment Server, whichever you install first.

MDM SCP Configuration Details

The following shows the keyword attributes of the three MDM SCPs.

MDM Enrollment Server SCP

Keywords and their values:

  • 777E4F2E-CAC2-424E-BB71-2ABDA7F58947
    MDM uses the GUID to find the SCP. The GUID does not have a value, but is a keyword of the SCP. Do not modify this property.
  • SCMDM2008Enrollment
    The name of the SCP. It does not have a value, but is a keyword of the SCP. Do not modify this property.
  • url
    Path of the MDM Enrollment Web site for the MDM Enrollment Server FQDN or MDM Enrollment Server load balancer FQDN.
    Example: https://en.contoso.com:443/EnrollmentServer/Service.asmx
    Automatic requests for certificates for this FQDN occur during MDM Setup.
    Note   The MDM Enrollment Server port is fixed at 443.
  • adminurl
    The FQDN and port of the MDM Administration Web site for the MDM Enrollment Server FQDN, or MDM Enrollment Server load balancer FQDN.
    Example: es.contoso.com:8445
    Note   Contains the port of the MDM Administration Web site.
  • instance
    For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is SCMDM2008. Do not modify this property.
  • version
    For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is 1.0.0.0. Do not modify this property.

MDM Device Management Server SCP

Keywords and their values:

  • 777E4F2E-CAC2-424E-BB71-2ABDA7F58947
    MDM uses the GUID to find the SCP. The GUID does not have a value, but is a keyword of the SCP. Do not modify this property.
  • SCMDM2008DeviceManagement
    The name of the SCP. It does not have a value, but is a keyword of the SCP. Do not modify this property.
  • url
    The FQDN and port of the MDM Device Management Web site for the MDM Device Management Server FQDN or MDM Device Management Server load balancer FQDN, entered during the first setup of MDM Device Management Server.
    Example: https://dm.contoso.com:8443/MDM/TEE/Handler.ashx
    Automatic requests for certificates for this FQDN occur during MDM Setup.
    Note   FQDN specifies that you must include a port, unless it is port 443.
  • adminurl
    The FQDN and port of the Administration Web service for the MDM Device Management Server FQDN or MDM Device Management Server load balancer FQDN.
    Example: dm.contoso.com:8446
    Note   Contains the port of the Enrollment Administration Web site.
  • instance
    For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is SCMDM2008. Do not modify this property.
  • version
    For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is 1.0.0.0. Do not modify this property.

Dependencies SCP

Keywords and their values:

  • 777E4F2E-CAC2-424E-BB71-2ABDA7F58947
    MDM uses the GUID to find the SCP. The GUID does not have a value, but is a keyword of the SCP. Do not modify this property.
  • SCMDM2008Dependencies
    The name of the SCP. It does not have a value, but is a keyword of the SCP. Do not modify this property.
  • database
    The FQDN of the single database server for all MDM databases.
    Example: db.contoso.com
  • sqlinstance
    An SQL instance where MDM databases reside.
    If you are prompted for the location of the database, you must provide the FQDN of the database server and the SQL instance name.
    Example: db.contoso.com\SQLInstanceName
    If you are using the default SQL instance, you can omit the instance name.
    Example: db.contoso.com
  • caserver
    The certification authority server from which MDM Setup requests server certificates during MDM installation (if this option is selected).
  • cainstance
    The certification authority name from which MDM Setup requests server certificates during MDM installation (if this option is selected).
  • instance
    For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is SCMDM2008. Do not modify this property.
  • version
    For Microsoft System Center Mobile Device Manager (MDM) 2008, the value is 1.0.0.0. Do not modify this property.

Modifying MDM Active Directory SCPs

After you install MDM, or because of a system modification, you might have to change either the port or the FQDN in an MDM Enrollment Server SCP or MDM Device Management Server SCP. Additionally, you might have to change an SQL instance of the Dependencies SCP.

If you modify the SCPs, you must restart all MDM services on all computers that are running MDM. This includes MDM Device Management Server and MDM Enrollment Server, and all administration consoles or any open MDM Shell. The restarts are necessary to detect the new SCPs correctly.

Note

If you change the FQDNs, the change can cause problems with the MDM system if the FQDNs do not match the SSL certificates installed on the Web services or the Gateway Central Management service (GCM). Changing the SCPs might require that you reissue certificates.

Warning

If you modify Active Directory with a low-level editor such as ADSI Edit, it could cause problems with your Active Directory structure or environment. If you modify Active Directory, the changes could cause serious system errors. We cannot guarantee that these errors are solvable. Modify Active Directory at your own risk.

Modify an MDM Server SCP

This section shows you how to change either the port or the FQDN in an MDM Enrollment Server SCP or MDM Device Management Server SCP. As with all system modifications, missteps could make your MDM system unstable.

To Modify an MDM Server SCP

  1. Open ADSI Editor.

  2. Expand the domain in which you first ran the ADConfig tool.

  3. Expand CN=System.

  4. Expand CN=SCMDM2008. The following list of the MDM SCPs is displayed:

    • SCMDM2008Dependencies
    • SCMDM2008DeviceManagement
    • SCMDM2008Enrollment

  5. Right-click the SCP that you want to modify. For example, CN=SCMDM2008DeviceManagement.

    Note   To modify the Dependencies SCP, see the procedure in the following section.

  6. Select Properties.

  7. In the CN=SCMDM2008DeviceManagement Properties dialog box, select Show only attributes that have values.

  8. Locate and then select the keywords attribute.

  9. Choose Edit to view the current values for the MDM Device Management Server SCP.

  10. In the Multi-valued String Editor dialog box, select the value that you want to modify and then choose Remove. The value appears in the Value to add box.

  11. Modify the entry, but do not change the adminurl= or url= label in front of the newly modified Value to add entry.

  12. Choose Add. The modified entry appears in the Values list.

  13. Choose OK two times to close the editor.
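The keyword constraints and the certificate-matching requirement described in the warning can be checked on the edited values before you commit them in ADSI Edit. The following PowerShell is an added example, not part of the original documentation; the function name Test-MdmScpKeywords, the sample values, and the assumption that instance and version are stored as instance= and version= entries are illustrative.

```powershell
# Added example (not from the original page): validate an edited keywords list
# before typing it into ADSI Edit. Assumes instance and version are stored as
# "instance=..." and "version=..." entries, like url= and adminurl=.
$MdmGuid = '777E4F2E-CAC2-424E-BB71-2ABDA7F58947'

function Test-MdmScpKeywords {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$Keywords,     # values of the keywords attribute
        [Parameter(Mandatory)][string]$ScpName,        # SCMDM2008Enrollment or SCMDM2008DeviceManagement
        [Parameter(Mandatory)][string[]]$CertDnsNames  # DNS names on the installed SSL certificates
    )
    $problems = @()
    # Keywords the page says must not be modified.
    foreach ($fixed in $MdmGuid, $ScpName, 'instance=SCMDM2008', 'version=1.0.0.0') {
        if ($Keywords -notcontains $fixed) { $problems += "fixed keyword missing or changed: $fixed" }
    }
    # Split "label=value" entries; bare keywords (GUID, SCP name) have no "=".
    $map = @{}
    foreach ($k in $Keywords) {
        $i = $k.IndexOf('=')
        if ($i -gt 0) { $map[$k.Substring(0, $i)] = $k.Substring($i + 1) }
    }
    foreach ($label in 'url', 'adminurl') {
        if (-not $map.ContainsKey($label)) { $problems += "label removed: $label="; continue }
        # adminurl is stored as host:port, so give it a scheme before parsing.
        $text = if ($label -eq 'url') { $map[$label] } else { 'https://' + $map[$label] }
        $uri = $null
        if (-not [uri]::TryCreate($text, [UriKind]::Absolute, [ref]$uri)) {
            $problems += "$label= is not parseable: $($map[$label])"; continue
        }
        if ($label -eq 'url' -and $ScpName -eq 'SCMDM2008Enrollment' -and $uri.Port -ne 443) {
            $problems += "Enrollment url= port must be 443, found $($uri.Port)"
        }
        # Exact-name comparison only; wildcard certificate names are not expanded.
        if ($CertDnsNames -notcontains $uri.Host) {
            $problems += "$label= host $($uri.Host) is not on the certificate"
        }
    }
    $problems
}

# Constructed sample: Device Management SCP after url= was pointed at a new FQDN.
$edited = $MdmGuid, 'SCMDM2008DeviceManagement', 'instance=SCMDM2008', 'version=1.0.0.0',
    'url=https://mdm2.contoso.com:8443/MDM/TEE/Handler.ashx', 'adminurl=dm.contoso.com:8446'
$issues = @(Test-MdmScpKeywords -Keywords $edited -ScpName 'SCMDM2008DeviceManagement' -CertDnsNames 'dm.contoso.com')
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Keywords are consistent.' }
```

To check live values, pass the contents of the keywords attribute read from the SCP object under CN=SCMDM2008,CN=System in place of $edited.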

If you uninstall all computers that are running MDM from your infrastructure and plan to reinstall the MDM system later, make sure that you clear the values of the following keywords in the MDM server SCPs: adminurl= and url=. Do not remove the adminurl= and url= keywords themselves.

Modify the Dependencies SCP

This section shows you how to modify the FQDN in the URL of the database server or change the SQL instance. Follow these steps only if your SCP does not point to the correct database, or if you changed the database name. As with all system modifications, missteps could make your MDM system unstable.

To modify the Dependencies SCP

  1. In ADSI Editor, right-click CN=SCMDM2008Dependencies, and then select Properties.

  2. Locate and select the keywords attribute.

  3. Choose Edit to view the current values for the MDM Device Management Server SCP.

  4. In the Multi-valued String Editor dialog box, select the value that you want to modify.

  5. Choose Remove.

  6. The value appears in the Value to add box.

  7. Modify the entry, but do not change the database= or the sqlinstance= label in front of it.

  8. Choose Add to add the modified value to the list, and then choose OK.

If you uninstall all computers that are running MDM from your infrastructure but plan to reinstall the MDM system later, make sure that you clear the values of the following Dependencies SCP keywords: database= and sqlinstance=. Do not remove the database= and sqlinstance= keywords themselves.