Decide If You Should Extend the Active Directory Schema
Extending the Active Directory schema for Configuration Manager 2007 allows clients to retrieve many types of information related to Configuration Manager from a trusted source. In some cases, there are workarounds for retrieving the necessary information if the Active Directory schema is not extended, but they are all less secure than querying Active Directory.
The Active Directory schema can be extended before or after running Configuration Manager 2007 Setup. Because SMS 2003 sites will continue to function properly using Configuration Manager 2007 Active Directory schema extensions, the best practice for configuring a secure site is to always extend the Active Directory schema before installing Configuration Manager 2007 sites.
Additionally, not extending the schema for features where extending it is recommended might incur significant workload on other administrators, who will need to create and maintain the workaround solutions, such as logon scripts and Group Policy objects (GPOs), for systems and users in your organization.
Note: Extending the schema for Configuration Manager does not automatically publish site information to Active Directory Domain Services.
Using SMS 2003 Active Directory Schema Extensions for Configuration Manager Sites
Deploying Configuration Manager 2007 sites using the SMS 2003 Active Directory schema extensions is supported. There are important considerations when deciding whether to extend the Active Directory schema for Configuration Manager 2007. Even if the Configuration Manager 2007 site is publishing site data to Active Directory Domain Services, in some cases the Active Directory schema attributes required to store the published data will not exist if the Active Directory schema has only been extended for SMS 2003.
If the Active Directory schema has been extended for SMS 2003, but not for Configuration Manager, the following limitations apply:
- A Configuration Manager 2007 server locator point must be used to allow clients to verify assigned site compatibility to complete client assignment. Clients can automatically locate a server locator point through Active Directory Domain Services if the schema is extended for SMS 2003.
- Because Network Access Protection for Configuration Manager requires Configuration Manager 2007 Active Directory schema extensions, this feature is unsupported for sites using SMS 2003 Active Directory schema extensions.
- Site mode changes require manual workarounds on clients.
- Client communication port changes require manual workarounds.
- The management point dNSHostName attribute is no longer published to Active Directory Domain Services.
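To tell which extension level a forest actually has before deciding on the workarounds above, the PowerShell below (an added example, not code from the original article or from the product) queries the schema naming context for the classes and attributes each extension introduces and maps the result to the limitations just listed. The object names (mSSMSSite, mSSMSManagementPoint, mSSMSServerLocatorPoint, mSSMSHealthState, mSSMSCapabilities, mSSMSVersion, mSSMSSourceForest) are assumptions taken from the product's schema extension LDIF, not from this page; verify them against the LDIF on your installation media before relying on the check.

```powershell
# Added example, not from the original article. Reports whether the forest schema
# carries the SMS 2003 extensions, the Configuration Manager 2007 extensions, or neither.
# Schema object names are assumptions from the product's schema extension LDIF;
# confirm them against your installation media.

function Test-SchemaObject {
    # Returns $true when an object with this lDAPDisplayName exists directly under
    # the schema naming context (where all class and attribute definitions live).
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$schemaNc"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add('lDAPDisplayName')
    return ($null -ne $searcher.FindOne())
}

function Get-CMSchemaExtensionLevel {
    # Classes introduced by the SMS 2003 extension (assumed names).
    $sms2003 = 'mSSMSSite', 'mSSMSManagementPoint', 'mSSMSServerLocatorPoint'
    # Attributes that only the Configuration Manager 2007 extension adds (assumed names):
    # mSSMSHealthState holds NAP health state references, mSSMSCapabilities the site
    # mode and port information that the article says cannot be published otherwise.
    $cm2007 = 'mSSMSHealthState', 'mSSMSCapabilities', 'mSSMSVersion', 'mSSMSSourceForest'

    $missing2003 = $sms2003 | Where-Object { -not (Test-SchemaObject $_) }
    $missing2007 = $cm2007  | Where-Object { -not (Test-SchemaObject $_) }

    $level = if ($missing2003)     { 'NotExtended' }
             elseif ($missing2007) { 'SMS2003Only' }
             else                  { 'ConfigMgr2007' }

    # Map the level to the limitations described in the article.
    $impact = switch ($level) {
        'ConfigMgr2007' { 'Features that use the schema can publish to AD DS.' }
        'SMS2003Only'   { 'NAP unsupported; site mode and client port changes need manual workarounds; a server locator point is required for site assignment.' }
        'NotExtended'   { 'No site information in AD DS; global roaming and NAP unavailable; clients need command-line installation properties.' }
    }

    [pscustomobject]@{
        Level                = $level
        MissingSms2003       = @($missing2003)
        MissingConfigMgr2007 = @($missing2007)
        Impact               = $impact
    }
}

Get-CMSchemaExtensionLevel | Format-List
```

Run it from any domain-joined machine that can reach a domain controller over LDAP; by default the schema partition is readable by authenticated users, so no elevated rights are needed. A result of SMS2003Only is the situation the limitations above describe: the site may appear to publish, but the 2007-only attributes it needs are absent.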
Feature and Function Considerations for Extending the Active Directory Schema for Configuration Manager
The following table lists the specific Configuration Manager 2007 features or functions that use Active Directory schema extensions, and any related workarounds if the schema is not extended for Configuration Manager 2007.
| Feature or function | Schema extension requirement | Requirement details |
|---|---|---|
| Client installation and site assignment | Recommended | Requirement: If the Active Directory schema has not been extended for Configuration Manager, client installation using Ccmsetup.exe will not be able to automatically retrieve client deployment parameters from Active Directory Domain Services.<br>Workaround: Provide client installation properties using CCMSetup installation command line options. For more information, see About Configuration Manager Client Installation Properties.<br>Workaround: A Configuration Manager 2007 server locator point that is published to Active Directory Domain Services using SMS 2003 schema extensions can be automatically located by Configuration Manager 2007 clients if they belong to the same Active Directory forest.<br>Workaround: Provide server locator point information using the client.msi property SMSSLP=<server locator point name> on the CCMSetup command line during client installation. For more information, see About Configuration Manager Client Installation Properties.<br>Workaround: Publish the management point in DNS, and publish the server locator point in WINS. For more information, see Configuration Manager and Service Location (Site Information and Management Points). |
| Site mode setting, and related settings such as client certificate selection and CRL checking | Recommended | Requirement: If the Active Directory schema has not been extended for Configuration Manager, site mode information and client settings related to native mode configuration cannot be published to Active Directory Domain Services.<br>Workaround: Use CCMSetup.exe client installation command line properties, or client push installation. |
| Port configuration for client-to-server communication | Recommended | Requirement: If the Active Directory schema has not been extended for Configuration Manager, clients will not be able to communicate with site systems if the default communication port is changed after client installation.<br>Workaround: Reinstall all affected clients, or deploy a script to manually change the ports used by clients to communicate with site systems within the site. |
| Global roaming | Required | Requirement: If the Active Directory schema has not been extended for Configuration Manager or SMS 2003, a roaming client cannot request content for advertisements and software updates from resident management points. This scenario produces additional network traffic to request content location from the client's default management point, and the client will not be able to locate content from sibling sites in the hierarchy, or from sites that are higher in the hierarchy than the client's assigned site. For more information about client behavior when roaming, see About Client Roaming in Configuration Manager.<br>Workaround: None. |
| Network Access Protection (NAP) for Configuration Manager | Required | Requirement: If the Active Directory schema has not been extended for Configuration Manager, sites enabled for Network Access Protection will be unable to publish Configuration Manager health state references to Active Directory Domain Services. If health state references are not published to Active Directory Domain Services, the System Health Validator point is unable to validate client statements of health.<br>Workaround: None. |
| Secure key exchange between sites (1) | Recommended | Requirement: If the Active Directory schema has not been extended for Configuration Manager, sites configured to require secure key exchange will be unable to automatically exchange public keys to enable site-to-site communication.<br>Note: Secure key exchange between Configuration Manager sites is enabled by default. (1)<br>Workaround: Manually exchange the parent and child site's public keys before attaching a child site, using the hierarchy maintenance tool (Preinst.exe). For more information about the hierarchy maintenance tool, see Hierarchy Maintenance Tool (Preinst.exe). |
| Verifying a trusted management point | Recommended | Requirement: If the Active Directory schema has not been extended for Configuration Manager, clients must use the trusted root key to establish trust with a site. Unless clients have been pre-provisioned with the trusted root key, they will trust the first management point they communicate with.<br>Workaround: Pre-provision the clients with the trusted root key. For more information, see How to Manage the Trusted Root Key in Configuration Manager.<br>Workaround: Use native mode. In native mode, the management point certificate must still be signed by the trusted root key at the central site, but the management point uses a PKI-issued certificate. As long as the PKI has not been compromised, the client can trust the first management point it contacts that has a valid server authentication certificate. For more information about the PKI certificate requirements for native mode, see Certificate Requirements for Native Mode. |
| Recovering from the failure of a central site server hosting the management point role | Recommended | Requirement: If the Active Directory schema has not been extended for Configuration Manager, and if clients report to a central site server that also functions as the management point for the site, clients have no way to automatically establish trust with the site after a new central site server and management point is restored.<br>Workaround: Remove the trusted root key from every client in the site and re-provision it. For more information, see How to Manage the Trusted Root Key in Configuration Manager.<br>Workaround: Move the management point role to a different server. As long as the clients in the central site lose only the management point or only the central site server, they can re-establish the trust relationship. For more information, see About the Trusted Root Key. |

(1) By default, Configuration Manager primary sites will not accept child site connections unless the public key of the child site is known to the parent site or published in Active Directory Domain Services. However, in an upgrade scenario, Configuration Manager Setup will not change the site's original secure key exchange settings. Another method to allow child sites to attach without requiring schema extensions is to not require secure key exchange between sites, but this is not recommended because it would allow any rogue child site to attach to that site and start passing up untrusted data.
See Also
Concepts
About Configuration Manager Client Installation Properties Published to Active Directory Domain Services
About the Secure Key Exchange Parameters
Configuration Manager and Service Location (Site Information and Management Points)
Other Resources
How to Extend the Active Directory Schema for Configuration Manager