
# 04th SCCM Planning-Active Directory Integration

2025-01-20 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

SCCM Planning-Active Directory Integration

This article focuses on Active Directory integration.

## Benefits of integration

In a ConfigMgr deployment, you can integrate ConfigMgr with an existing Active Directory, but integration is not mandatory. The benefits of integrating with Active Directory are:

When the ConfigMgr client is installed, computers in the domain can read all the parameters needed for installation directly from Active Directory, so the parameters do not have to be specified manually.

A target computer can take part in the normal operation of the SCCM hierarchy only after the ConfigMgr client is installed and successfully assigned to a ConfigMgr site. With AD integration, the client obtains the information needed for site assignment from AD and assigns itself to a site automatically.

When the client needs management point (MP) information, it can retrieve it from Active Directory first, without having to obtain it through DNS or WINS.

The client can read the port information used for site communication and retrieve the client certificate selection criteria of the PKI architecture directly from AD.

## Limitations of integration

Client deployment scenarios supported by ConfigMgr:

The ConfigMgr client is a domain member, and the site server and ConfigMgr client belong to the same Active Directory forest: this scenario is supported by Active Directory integration.

The ConfigMgr client is a domain member, and the site server and ConfigMgr client are not in the same Active Directory forest: this scenario is supported by Active Directory integration, but ConfigMgr must be published to the Active Directory forest where the ConfigMgr client resides.

The ConfigMgr client is a member of a workgroup: this scenario is not supported by Active Directory integration.

Non-Windows client environment: this scenario is not supported by Active Directory integration.

## Active Directory integration prerequisites

For integration with Active Directory, the target Active Directory must meet the following two conditions:

The domain functional level of the site server's domain must be at least Windows Server 2000, a condition that most current Active Directory environments already meet. If yours does not, first raise the Active Directory forest/domain functional level.

This level does not support all integration features, such as Active Directory forest discovery; to support all features, the domain functional level must be Windows Server 2003 or above.

The target Active Directory schema must be extended.

## Permissions required to integrate Active Directory

As with other schema extension operations, ConfigMgr requires that the account used to extend the schema be a schema administrator (a member of the "Schema Admins" group).

## New Active Directory class description

In the process of extending the Active Directory schema, ConfigMgr creates the following 4 new LDAP classes (Class) and 14 new properties (Attribute):

| Class | Description |
| --- | --- |
| Management points | The ConfigMgr client finds the management point through this type. |
| Roaming boundary | ConfigMgr uses this type to locate the ConfigMgr service at the local network location. |
| Server locator points (SLPs) | ConfigMgr 2007 uses this type to find the SLP. Although this type is created in the Active Directory schema, it is not actually used in ConfigMgr 2012: SLP-related functions have been integrated into the management point, and the SLP is no longer a separate site system role. |
| ConfigMgr sites | The ConfigMgr client can retrieve other important information about the site through this type. |

The Active Directory attribute names of all ConfigMgr extensions start with "mS-SMS".
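To confirm that a forest's schema has actually been extended, you can count the "mS-SMS" objects in the schema partition against the figures above. This is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module is installed and that you have read access to the schema partition.

```powershell
# Added example (not from the article): verify the ConfigMgr schema extension.
Import-Module ActiveDirectory

# Counts the article gives for the extension: 4 classes, 14 attributes.
$expected = [ordered]@{ classSchema = 4; attributeSchema = 14 }

# The schema partition is forest-wide; read its DN from the RootDSE.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# ConfigMgr schema objects carry the "mS-SMS" name prefix. LDAP matching on cn
# is case-insensitive, so one filter covers both classes and attributes.
$found = @(Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(cn=mS-SMS-*)' -Properties lDAPDisplayName, whenCreated)

if ($found.Count -eq 0) {
    Write-Warning "No mS-SMS schema objects in ${schemaNC}: the schema has not been extended."
    return
}

# Compare what is present with the expected counts, per schema object type.
$summary = foreach ($kind in $expected.Keys) {
    $items = @($found | Where-Object { $_.ObjectClass -eq $kind })
    [pscustomobject]@{
        SchemaObjectType = $kind
        Expected         = $expected[$kind]
        Found            = $items.Count
        Complete         = ($items.Count -ge $expected[$kind])
    }
}
$summary | Format-Table -AutoSize

# List each object with its creation time, which shows when the extension ran.
$found | Sort-Object ObjectClass, Name |
    Select-Object ObjectClass, Name, lDAPDisplayName, whenCreated |
    Format-Table -AutoSize
```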

## Publish ConfigMgr

Once Active Directory is integrated, ConfigMgr can publish its site definition, boundary group, management point and other information to the Active Directory domain where the site server is located.

The location of the publication is in the "container" object "CN=System Management,CN=System" under the Domain Partition.

## Permissions required to publish ConfigMgr

To publish ConfigMgr to Active Directory, you can use:

"Active Directory Forest Discovery" account

Site server computer account

No matter which one you use, you must have "full control" permission on the CN=System Management,CN=System object.
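Because full control on this container decides who can publish site data that clients trust, it is worth auditing which principals actually hold it. The script below is an added example, not code from the original article; the account names in `$expected` are placeholders, and it assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example (not from the article): audit full control on the publishing container.
Import-Module ActiveDirectory                      # also provides the AD: drive for Get-Acl
Add-Type -AssemblyName System.DirectoryServices    # ActiveDirectoryRights enum

# Assumption: placeholder names. Replace with the site server computer account
# and/or the Active Directory Forest Discovery account your site publishes with.
$expected = @('CONTOSO\SCCM01$', 'CONTOSO\svc-adforestdisc')

$domainDN  = (Get-ADDomain).DistinguishedName
$container = "CN=System Management,CN=System,$domainDN"

try {
    Get-ADObject -Identity $container -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "$container was not found or is not readable."
    return
}

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Every Allow ACE that grants full control, marked as a publishing account or not.
$aces = @((Get-Acl -Path "AD:\$container").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($fullControl)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal         = $_.IdentityReference.Value
            Scope             = $_.InheritanceType   # None = this object only
            Inherited         = $_.IsInherited
            PublishingAccount = ($expected -contains $_.IdentityReference.Value)
        }
    })

$aces | Sort-Object PublishingAccount -Descending | Format-Table -AutoSize

# Publishing accounts that do not hold full control will fail to publish.
$expected | Where-Object { $aces.Principal -notcontains $_ } |
    ForEach-Object { Write-Warning "$_ has no full-control ACE on $container" }
```

Rows with `PublishingAccount` set to False are the ones to review: built-in administrative groups are normal there, anything else should be explained.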

The aim of this series is to distill the basic knowledge, precautions, operating mechanisms and troubleshooting methods involved in SCCM for readers. Many articles online already cover the components of SCCM and the steps for deploying its functions, so this series does not focus on providing step-by-step deployment guides.
