rrasco

AD Schema Extension: Endpoint Requires it?


I am having problems getting the endpoint protection client to push out to systems. I was curious, since I never extended my AD: does endpoint protection require the extended schema? I would have extended my schema, but I'm still testing, my only DC is in production, and I wasn't sure if I even needed to extend the schema just for endpoint protection. That is all I am evaluating at this point.

 

I have everything set up, Windows Update sees the client, but fails to install it. I just used the client push to install the client, which it says it did, but I still don't see endpoint on the client machine.


No, it does not require it.

If you are using client push to install the Configuration Manager client, have you verified that you are using an account with local admin privileges on that computer to install the client? Has the firewall got the appropriate ports open? What does the ccm.log file on the site server reveal?


I am really trying to do update-based client installations, but I was using the push as a test.

 

After checking the ccm.log file, I could see there were no accounts set up for the client push, so I set one up.

 

Warning: no remote client installation account found SMS_CLIENT_CONFIG_MANAGER 11/20/2012 3:58:22 PM 3380 (0x0D34)

 

I also have this error below. File sharing and remote admin are enabled via GPO.

 

Unable to connect to WMI (root\ccm) on remote machine "HP-Z400-02", error = 0x8004100e. SMS_CLIENT_CONFIG_MANAGER 11/20/2012 3:58:22 PM 3380 (0x0D34)

 

And lastly this one:

 

Execute query exec [sp_CP_SetLastErrorCode] 2097152049, 0 SMS_CLIENT_CONFIG_MANAGER 11/20/2012 3:58:23 PM 3380 (0x0D34)

 

Once I set up the account, I tried an update-based installation, but am receiving this in the client's ccmsetup.log now:

 

Failed to get assigned site from AD. Error 0x80004005 ccmsetup 11/21/2012 9:56:48 AM 8476 (0x211C)

GetADInstallParams failed with 0x80004005 ccmsetup 11/21/2012 9:56:48 AM 8476 (0x211C)

Couldn't find an MP source through AD. Error 0x80004005 ccmsetup 11/21/2012 9:56:48 AM 8476 (0x211C)

Current directory 'C:\Windows\SoftwareDistribution\Download\Install' is not a valid source location. ccmsetup 11/21/2012 9:56:48 AM 8476 (0x211C)

No valid source or MP locations could be identified to download content from. Ccmsetup.exe cannot continue. ccmsetup 11/21/2012 9:56:48 AM 8476 (0x211C)

Invalid ccmsetup command line: ccmsetup 11/21/2012 9:56:48 AM 8476 (0x211C)

 

Reading a few other posts online, I heard some people say to setup boundaries and boundary groups, so I did that as well. I still get the same errors about failing to get assigned site from AD.
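As an added example (not from the original thread or from any Configuration Manager tooling), here is a PowerShell check for the client push prerequisites raised above: name resolution, the SMB and RPC ports the push needs through the firewall, the ADMIN$ share that ccmsetup.exe is copied to, and remote WMI. It is meant to be run on the site server as the client push installation account; the target computer name is a placeholder. The final probe also explains the posted 0x8004100E: that code is WBEM_E_INVALID_NAMESPACE, and root\ccm does not exist until a client is installed.

```powershell
# Added example: probe what client push needs on each target before digging through ccm.log.
# Run on the site server, as the client push installation account (it must be a local
# admin on the targets). The computer names below are placeholders.
$Targets = @('HP-Z400-02')   # assumption: replace with your own machines

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-ClientPushPrereqs {
    param([string]$Computer)
    $r = [ordered]@{ Computer = $Computer }

    # Name resolution: the push connects by name, so a stale DNS record fails before anything else
    try { $r.ResolvesTo = ([System.Net.Dns]::GetHostAddresses($Computer) | Select-Object -First 1).ToString() }
    catch { $r.ResolvesTo = 'unresolved' }

    # Firewall: SMB (TCP 445) for the ADMIN$ copy, RPC endpoint mapper (TCP 135) for WMI/DCOM
    $r.Port445 = Test-TcpPort $Computer 445
    $r.Port135 = Test-TcpPort $Computer 135

    # ADMIN$ share: ccmsetup.exe is copied under \\target\admin$\ccmsetup; needs local admin rights
    $r.AdminShare = Test-Path "\\$Computer\admin`$"

    # Remote WMI in root\cimv2 must work for the push to start the install
    try {
        $os = Get-WmiObject -ComputerName $Computer -Namespace root\cimv2 -Class Win32_OperatingSystem -ErrorAction Stop
        $r.WmiCimv2 = $os.Caption
    } catch { $r.WmiCimv2 = "FAILED: $($_.Exception.Message)" }

    # root\ccm only exists once the client is installed. The posted error 0x8004100E is
    # WBEM_E_INVALID_NAMESPACE, which is expected on a machine that has no client yet.
    try {
        $null = Get-WmiObject -ComputerName $Computer -Namespace root\ccm -Class SMS_Client -ErrorAction Stop
        $r.CcmNamespace = 'present (client installed)'
    } catch { $r.CcmNamespace = 'absent (no client yet)' }

    [pscustomobject]$r
}

$Targets | ForEach-Object { Test-ClientPushPrereqs $_ } | Format-List
```

If Port445 or AdminShare comes back false, the push account or the firewall is the problem and nothing in AD will fix it; if those pass but root\ccm is absent, the push has not managed to install the client yet and ccm.log on the site server is the next place to look.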


Attempting to query AD for assigned site code ccmsetup 11/21/2012 10:03:07 AM 8112 (0x1FB0)

 

Executing query (&(ObjectCategory=MSSMSRoamingBoundaryRange)(|(&(MSSMSRangedIPLow<=3232236043)(MSSMSRangedIPHigh>=3232236043)))) ccmsetup 11/21/2012 10:03:07 AM 8112 (0x1FB0)

 

Executing query (&(ObjectCategory=mSSMSSite)(|(mSSMSRoamingBoundaries=192.168.2.0)(mSSMSRoamingBoundaries=Default-First-Site-Name))) ccmsetup 11/21/2012 10:03:07 AM 8112 (0x1FB0)

 

Failed to get assigned site from AD. Error 0x80004005 ccmsetup 11/21/2012 10:03:07 AM 8112 (0x1FB0)


I've also noticed that my System Management container in AD is empty. I was pretty sure I delegated control to the SCCM computer, but I did it again to make sure. I also verified the site is set to publish to my domain, which it is. Is there any way to invoke SCCM to create the AD entries in the System Management container?


Does this mean I do need to extend the schema? I saw in another post of yours, which was in reference to SCCM 2007, that said four things were required for clients to query AD, which evidently my client install is trying to do.

 

Four actions need to be taken in order to successfully enable Configuration Manager Clients to query Active Directory Domain Services to locate site resources:

 

* Extend the Active Directory schema.

* Create the System Management container.

* Set security permissions on the System Management container.

* Enable Active Directory publishing for the Configuration Manager site.

 

http://www.windows-n...tory/#entry2785
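The following is an added example, not part of the original thread and not Microsoft's tooling: a PowerShell script that checks the four prerequisites listed above from a domain-joined machine (schema extended, container present, site server permissions, objects published), and then runs the same two LDAP queries that the ccmsetup.log excerpt earlier in the thread shows the client running. The site server account (CONTOSO\CM01$), the client IP 192.168.2.11 (which is the integer 3232236043 in the posted query), the 192.168.2.0 subnet and the AD site name are assumptions taken from the logs and should be replaced with your own values.

```powershell
# Added example: verify the four AD prerequisites, then reproduce the client's site lookup.
# Assumptions (placeholders): site server computer account CONTOSO\CM01$, a client at
# 192.168.2.11 (3232236043 in the posted log), subnet 192.168.2.0, AD site Default-First-Site-Name.
$SiteServerAccount = 'CONTOSO\CM01$'
$ClientIP          = '192.168.2.11'
$ClientSubnet      = '192.168.2.0'
$ClientADSite      = 'Default-First-Site-Name'

$rootDse   = [ADSI]'LDAP://RootDSE'
$schemaNC  = [string]$rootDse.schemaNamingContext
$defaultNC = [string]$rootDse.defaultNamingContext

function Search-Ldap {
    param([string]$BaseDN, [string]$Filter, [string[]]$Props)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$BaseDN"
    $s.Filter = $Filter
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# 1. Schema extended? The mSSMSSite class only exists in the schema partition after the extension.
$schemaExtended = @(Search-Ldap $schemaNC '(&(objectClass=classSchema)(lDAPDisplayName=mSSMSSite))' @('cn')).Count -gt 0

# 2. Container present? CN=System Management,CN=System is created by hand, not by Setup.
$containerDN     = "CN=System Management,CN=System,$defaultNC"
$containerExists = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$containerDN")

# 3. Permissions: the site server computer account needs Full Control on the container
#    and on all descendant objects, or it cannot publish anything into it.
$siteServerFullControl = $false
if ($containerExists) {
    $container = [ADSI]"LDAP://$containerDN"
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ace in $container.ObjectSecurity.Access) {
        if ($ace.IdentityReference.Value -eq $SiteServerAccount -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.ActiveDirectoryRights -band $fullControl) -eq $fullControl -and
            $ace.InheritanceType -eq 'All') {
            $siteServerFullControl = $true
        }
    }
}

# 4. Publishing: an empty container means the site has not (or could not) publish yet.
$published = [ordered]@{}
$rangeHits = @(); $siteHits = @()

# ccmsetup searches by IPv4 address expressed as a big-endian unsigned 32-bit integer.
$b     = [System.Net.IPAddress]::Parse($ClientIP).GetAddressBytes()
$ipInt = [uint32]([uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3])

if ($containerExists) {
    foreach ($cls in 'mSSMSSite', 'mSSMSManagementPoint', 'mSSMSRoamingBoundaryRange') {
        $published[$cls] = @(Search-Ldap $containerDN "(objectCategory=$cls)" @('cn')).Count
    }
    # The two queries from ccmsetup.log: IP range boundaries, then subnet / AD site boundaries.
    $rangeHits = @(Search-Ldap $containerDN "(&(objectCategory=mSSMSRoamingBoundaryRange)(mSSMSRangedIPLow<=$ipInt)(mSSMSRangedIPHigh>=$ipInt))" @('mSSMSSiteCode'))
    $siteHits  = @(Search-Ldap $containerDN "(&(objectCategory=mSSMSSite)(|(mSSMSRoamingBoundaries=$ClientSubnet)(mSSMSRoamingBoundaries=$ClientADSite)))" @('mSSMSSiteCode'))
}

[pscustomobject]@{
    SchemaExtended        = $schemaExtended
    ContainerExists       = $containerExists
    SiteServerFullControl = $siteServerFullControl
    PublishedObjects      = $published
    ClientIPAsInteger     = $ipInt
    SitesFromIPRange      = @($rangeHits | ForEach-Object { $_.Properties['mssmssitecode'][0] })
    SitesFromSiteBoundary = @($siteHits  | ForEach-Object { $_.Properties['mssmssitecode'][0] })
}
```

When both of the last two lists are empty, the client has nothing to assign to and logs exactly the "Failed to get assigned site from AD" line quoted above; the first four properties tell you which of the prerequisites is missing. Note that the permission check looks for an explicit Full Control entry for the computer account itself; a group grant would show up under the group's name instead.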


Your original question was:

 

I am having problems getting the endpoint protection client to push out to systems. I was curious, since I never extended my AD, does endpoint protection require the extended schema?

 

To which I replied no. That said, I would recommend you DO extend the schema, as it will make everything you do easier and you won't have to supply workarounds like DNS entries and so on.

 

Here are the requirements for Endpoint Protection:

 

http://technet.micro...y/hh508780.aspx

 

And here's some info about why you should extend the schema:

 

Determine Whether to Extend the Active Directory Schema for Configuration Manager

http://technet.microsoft.com/en-us/library/gg712272.aspx

 

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1

 

When you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish site information to Active Directory Domain Services.

 

Extending the Active Directory schema is optional for Configuration Manager. However, by extending the schema you can use all Configuration Manager features and functionality with the least amount of administrative overhead.

If you decide to extend the Active Directory schema, you can do so before or after you run Configuration Manager Setup.

 

Considerations for Extending the Active Directory Schema for Configuration Manager

The Active Directory schema extensions for System Center 2012 Configuration Manager and System Center 2012 Configuration Manager SP1 are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not have to extend the schema again for System Center 2012 Configuration Manager or System Center 2012 Configuration Manager SP1.

Similarly, if you extended the schema for System Center 2012 Configuration Manager with no service pack, you do not have to extend the schema again for System Center 2012 Configuration Manager SP1.

Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after setup.

Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources:

  • Extend the Active Directory schema.
  • Create the System Management container.
  • Set security permissions on the System Management container.
  • Enable Active Directory publishing for the Configuration Manager site.

For information about how to extend the schema, create the System Management container, and configure setting security permissions on the container, see Prepare Active Directory for Configuration Manager in the Prepare the Windows Environment for Configuration Manager topic. For information about how to enable publishing for Configuration Manager sites, see Planning for Publishing of Site Data to Active Directory Domain Services.

The following clients and mobile devices that are managed by the Exchange Server connector do not use Active Directory schema extensions for Configuration Manager:

  • The client for Mac computers
  • The client for Linux and UNIX servers
  • Mobile devices that are enrolled by Configuration Manager
  • Mobile device legacy clients
  • Windows clients that are configured for Internet-only client management
  • Windows clients that are detected by Configuration Manager to be on the Internet

The following table identifies Configuration Manager functions that use an Active Directory schema that is extended for Configuration Manager, and if there are workarounds that you can use if you cannot extend the schema.

Functionality (Active Directory: Required or Optional), followed by details:

Client computer installation and site assignment: Optional

When a new Configuration Manager Windows client installs, the client can search Active Directory Domain Services for installation properties. If you do not extend the schema, you must use one of the following workarounds to provide configuration details that computers require to install:

  • Use client push installation. Before you use this client installation method, make sure that all prerequisites are met. For more information, see the section “Installation Method Dependencies” in Prerequisites for Computer Clients.

  • Install clients manually and provide client installation properties by using CCMSetup installation command-line properties. This must include the following:
    • Specify a management point or source path from which the computer can download the installation files by using the CCMSetup property /mp:<management point computer name> or /source:<path to client source files> on the CCMSetup command line during client installation.
    • Specify a list of initial management points for the client to use so that it can assign to the site and then download client policy and site settings. Use the CCMSetup Client.msi property SMSMP to do this.

  • Publish the management point in DNS or WINS and configure clients to use this service location method.


Port configuration for client-to-server communication: Optional

When a client installs, it is configured with port information. If you later change the client-to-server communication port for a site, a client can obtain this new port setting from Active Directory Domain Services. If you do not extend the schema, you must use one of the following workarounds to provide this new port configuration to existing clients:

  • Reinstall clients and configure them to use the new port information.

  • Deploy a script to clients to update the port information. If clients cannot communicate with a site because of the port change, you must deploy this script externally to Configuration Manager. For example, you could use Group Policy.


Network Access Protection: Required

Configuration Manager publishes health state references to Active Directory Domain Services so that the System Health Validator point can validate a client’s statement of health.

Content deployment scenarios: Optional

When you create content at one site and then deploy that content to another site in the hierarchy, the receiving site must be able to verify the signature of the signed content data. This requires access to the public key of the source site where you create this data.

When you extend the Active Directory schema for Configuration Manager, a site’s public key is made available to all sites in the hierarchy. If you do not extend the Active Directory schema, you can use the hierarchy maintenance tool, preinst.exe, to exchange the secure key information between sites.

For example, if you plan to create content at a primary site and deploy that content to a secondary site below a different primary site, you must either extend the Active Directory schema to enable the secondary site to obtain the source primary site's public key, or use preinst.exe to share keys between the two sites directly.

 

Attributes and Classes Added by the Configuration Manager Schema Extensions

Planning for Configuration Manager Sites and Hierarchy
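As an added example (not from the original thread and not Microsoft's own script), this PowerShell snippet shows the "install clients manually" workaround from the table above in practice: every value that ccmsetup would otherwise look up in Active Directory is supplied on the command line, so the install works with an empty System Management container or no schema extension at all. The management point CM01.contoso.com, site code P01 and the client source share are placeholders; run it elevated on the target machine.

```powershell
# Added example: install the client with no AD publishing at all by passing what ccmsetup
# would otherwise read from AD. Placeholders: MP CM01.contoso.com, site code P01, client
# source \\CM01.contoso.com\SMS_P01\Client. Run elevated on the target computer.
$MP       = 'CM01.contoso.com'             # assumption: your management point FQDN
$SiteCode = 'P01'                          # assumption: your primary site code
$Source   = "\\$MP\SMS_$SiteCode\Client"   # assumption: client folder shared by the site server

$ccmsetup = Join-Path $Source 'ccmsetup.exe'
if (-not (Test-Path $ccmsetup)) { throw "ccmsetup.exe not found at $ccmsetup" }

# /mp and /source tell ccmsetup where to download the files from; SMSSITECODE and SMSMP are
# client.msi properties that replace the AD site-assignment and management point lookups.
$setupArgs = @(
    "/mp:$MP",
    "/source:$Source",
    "SMSSITECODE=$SiteCode",
    "SMSMP=$MP"
)
Start-Process -FilePath $ccmsetup -ArgumentList $setupArgs -Wait

# The first ccmsetup.exe hands off to the ccmsetup service and exits, so the real result is
# the last "CcmSetup is exiting with return code N" line in ccmsetup.log, not the exit code.
$log      = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
$deadline = (Get-Date).AddMinutes(20)
$exitLine = $null
do {
    Start-Sleep -Seconds 30
    if (Test-Path $log) {
        $exitLine = Select-String -Path $log -Pattern 'CcmSetup is exiting with return code (\d+)' |
                    Select-Object -Last 1
    }
} until ($exitLine -or (Get-Date) -gt $deadline)

if ($exitLine) {
    $code = $exitLine.Matches[0].Groups[1].Value
    "ccmsetup finished with return code $code (0 = success, 7 = reboot required)"
} else {
    "ccmsetup is still running or logged no result after 20 minutes; check $log"
}
```

Because the site code and management point are fixed on the command line, clients installed this way will not pick up later changes from AD either; that is the trade-off the table describes under "Port configuration", and it is why the reply above still recommends extending the schema.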


I know, I wasn't sure how much outside of the endpoint configuration I am actually doing by following your tutorials (thanks for those BTW). However, given your initial response to my question, I was able to work forward a little bit.

 

I went ahead and extended the schema this afternoon, but I am still unable to get it to work. I'm waiting for SCCM to populate the System Management container, I have a feeling that is a major part of it now. Is there a way to do that manually, or do I just need to wait at this point? It's been a few hours. I've also tried rebooting the SCCM machine to kick it off, but to no avail.


If you follow my guides then you won't have to wait. There's obviously something wrong with your setup; check your component status logs in the monitoring workspace, they'll reveal the problem.

 

Part 1 (hierarchy with CAS) describes everything you need to do to get the schema working.
