Jason Sandys Senior Lead Consultant Catapult Systems, Inc. Session Code: MGT312
Native Mode Setup Dialogs
Overview
- What Is Native Mode
- Benefits
- Pre-requisites
- PKI Refresher
- Misperceptions
- Certificate Deployment & Demo
- Implications
- Notes from the Field
What Is Native Mode? [Diagram: site system roles DP*, MP, SUP, SMP]
Benefits
- Enables Internet Based Client Management (IBCM)
- Inventory
- Software Distribution
- Software Updates
- Desired Configuration Management
- Compliance
- Security in general
Prerequisites
- Certificates (aka Public Key Infrastructure)
- Clients
  - ConfigMgr 2007 only
  - Windows 2000 not supported
[Diagram: site system roles DP*, MP, SUP, SMP]
PKI Refresher Key Distribution
PKI Refresher
- Certificate Revocation Lists (CRL)
- Certificate Distribution Points (CDP)
[Diagram: CRL, CDP; LDAP, FTP, SMB, HTTP]
Misperceptions
- PKI is Easy
- You must use a Microsoft PKI
- AMT takes advantage of Native Mode
Misperceptions Enterprise Edition = Enterprise CA
Misperceptions
- Internet-based clients can roam
- Fallback Status Points (FSP) are only for Native Mode
- An FSP in a Native Mode site can happily co-exist with other site roles
Misperceptions
- Mixed mode does not use certificates
- Native mode protects all site communication
- Only domain joined systems can participate in a Native Mode site
Certificate Deployment
Implications: Agent Deployment
- Certificates on the clients
- By default SLPs are not used
- “Internet only” clients must be installed manually
  CCMSetup.exe /native:CRL SMSSITECODE=ABC SMSMP=mgmtpoint
Implications: WSUS/SUP
- Must manually add the Web server cert in IIS
- Must manually configure IIS for SSL
  - Require SSL on virtual directories: APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService
  - \Tools: WSUSUtil.exe configuressl
Implications: OSD
- Boot Images require client certificates and a copy of the Root CA certificate
- Build and Capture reference systems are not on the domain
- CDP must be available
- PXE
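The OSD slide notes that build-and-capture systems are not on the domain and that the CDP must be available. The PowerShell below is an added example, not part of the presentation: it lists the CDP URLs a certificate carries and flags the ones a non-domain client is unlikely to reach. The function names Get-CdpUrl and Test-CdpReach, the sample extension text and the rule that only HTTP(S) locations count as reachable are assumptions made for the illustration.

```powershell
# Added example: extract CRL distribution point (CDP) URLs from the text
# form of a certificate's CDP extension and classify them by scheme.

function Get-CdpUrl {
    param([Parameter(Mandatory)][string]$FormattedExtension)
    # X509Extension.Format() renders each location as "URL=<uri>"
    [regex]::Matches($FormattedExtension, 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value.TrimEnd(',') }
}

function Test-CdpReach {
    param([Parameter(Mandatory)][string[]]$Url)
    foreach ($u in $Url) {
        $scheme = ($u -split ':', 2)[0].ToLowerInvariant()
        [pscustomobject]@{
            Scheme             = $scheme
            # Assumption: LDAP and SMB locations need domain access,
            # so only HTTP(S) is treated as usable by workgroup, OSD
            # or Internet-based clients.
            NonDomainReachable = $scheme -in 'http', 'https'
            Url                = $u
        }
    }
}

# Constructed sample of what $ext.Format($true) returns for a CDP extension
$sample = @'
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=Example%20CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=test?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://pki.example.test/crl/ExampleCA.crl
'@

$results = Test-CdpReach -Url (Get-CdpUrl -FormattedExtension $sample)
$results | Format-Table -AutoSize

if (-not ($results | Where-Object NonDomainReachable)) {
    Write-Warning 'No HTTP(S) CDP found: non-domain clients may fail CRL checks.'
}

# Against a real certificate (OID 2.5.29.31 is cRLDistributionPoints):
# $cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
# $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
# if ($ext) { Test-CdpReach -Url (Get-CdpUrl -FormattedExtension $ext.Format($true)) }
```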
Notes from the Field: Initial Installation
- Install in mixed mode and migrate
  - Easier to troubleshoot
  - Better when no PKI in place already
  - Better for organizations unfamiliar with ConfigMgr
- Install in native mode
  - Requires PKI
  - Compounding issues
Notes from the Field: PKI Decisions
- Some decisions are not reversible without a lot of pain
- Just because it works in the lab, does not mean it will work in production
- Certificate Validity Period
- CRL Distribution Points
- Key Length
Notes from the Field: Intra-SUP Communication
- SUP to SUP communication is mostly HTTPS in native mode
- SUP: Active, Active Internet Based
- Update Metadata
- Configuration
- EULAs
Notes from the Field: PKI Timing
- Certificate deployment is not instantaneous
- Templates are stored in AD
- Clients must be active and have connectivity to request a certificate
- Plan for this delay
Other Notables
- Native Mode is not a one-way choice
- Parent sites must be migrated first
- Mixed mode parent sites do not support Native Mode child sites
- Secondary site modes are dictated by their parent site’s mode
- Native Mode Readiness Tool
Links
- MS Internet Clients & Native Mode Forum
- System Center ConfigMgr TechCenter Library
- Configuration Manager Team Blog
- My Blog
Related Content
- MGT304 Deploying Microsoft System Center Configuration Manager 2007, Part 1: Site Deployment
- MGT305 Deploying Microsoft System Center Configuration Manager 2007, Part 2: Client Deployment
- MGT306 Deploying Microsoft System Center Configuration Manager 2007, Part 3: Hierarchy Design and Implementation Best Practices
- MGT02-HOL Microsoft System Center Configuration Manager: Migrating from Mixed Mode to Native Mode
© 2009 Microsoft Corporation. All rights reserved.