We are now ready to do the fun part which is installing SCMDM. There are a few main areas covered in this part:
- Configuring Active Directory for MDM
- Installing the Enrollment Server
- Installing the Device Management Server
- Running a Post-Deployment scan with SCMDM BPA to make sure everything went smoothly.
There are plenty of screenshots, and maybe that’s not your cup of tea, but I believe a picture’s worth a thousand words.
Configuring Active Directory
Active Directory needs to be configured before mobile devices can be included in your domain. This includes creating groups/OUs, preparing the CA, etc.
Log on to “md-scmdm” as the domain admin. (You need Domain Admin and Schema Admin rights to perform these actions.) I’m not detailing everything in this section; it can be found in the reference material from Microsoft (TechNet Library).
Fire up a command line and execute the commands as shown below:
adconfig /domain:mobilitydojo.net
adconfig /enabletemplates /ca:"md-dc-ca.mobilitydojo.net\MobilityDojo Root CA"
Ok, it’s been smooth sailing so far. On to the actual SCMDM components. We’ll start installing the enrollment server, followed by the device management server.
Installing the Enrollment Server
After prepping AD, you need to log off and log on again. This is because some new security groups have been created, and group membership is only applied when you log on to the domain. (And you need to be a member of one of these new groups to be able to install.)
First we have to provide the SQL Server location. Type in the full FQDN. Do not type localhost even when SQL Server is on the local machine, as it is in our lab. (This will give errors later on in the process.)
For some reason I could not get it working when I provided the instance name (as above), even though BPA reported everything as OK. I don’t know why, but it worked when I provided just the FQDN (see below). (Maybe because it’s running on the local host with only the one default instance?)
Next you provide the DNS addresses for external and internal access. The external one has to be mobileenroll.yourdomain.com, but the internal one can be different. The internal DNS name does not have to match the host name, but SSL requires a match between the certificate common name and the address DNS provides. In our lab environment the two addresses are the same. DNS resolution will also be verified (unless you check “Skip Enrollment FQDN validation”). I logged on to the Domain Controller and created an A record for mobileenroll.mobilitydojo.net. If you’ve already tried pressing “Next” and got an error, you probably have to run “ipconfig /flushdns” on the command line before trying again.
You can accept the default port for the administration web site.
We use the same CA for both devices and servers.
And then we are ready to hit the install button.
Hopefully it will end like this:
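The wizard only tells you that validation failed once you press “Next”. The following pre-flight check is an added example (not part of the original post or of SCMDM) that encodes the rules stated above for the Enrollment Server inputs: SQL Server as a full FQDN rather than localhost, the external address being mobileenroll.&lt;domain&gt;, both addresses resolving in DNS, and the certificate common name matching an enrollment address. The `resolver` callback and the lab values are assumptions so it runs offline.

```python
from dataclasses import dataclass

@dataclass
class EnrollmentSettings:
    domain: str            # AD domain, e.g. "mobilitydojo.net"
    sql_server: str        # SQL Server location typed into the wizard
    external_fqdn: str     # name devices use from the Internet
    internal_fqdn: str     # name used on the LAN (may differ from the host name)
    cert_common_name: str  # CN of the SSL certificate bound to the enrollment site

def check_enrollment_settings(s, resolver):
    """Return a list of problems; an empty list means the inputs follow the post's rules.

    resolver(name) -> bool says whether DNS resolves `name`; it is injected so the
    check can run offline (as here) or against the lab DNS."""
    problems = []
    dom = s.domain.lower().rstrip(".")
    sql = s.sql_server.lower()
    if sql in ("localhost", "127.0.0.1", ".") or "." not in sql:
        problems.append("SQL Server location must be the full FQDN, not localhost or a short name")
    if s.external_fqdn.lower() != "mobileenroll." + dom:
        problems.append("External enrollment address must be mobileenroll." + dom)
    for label, name in (("External", s.external_fqdn), ("Internal", s.internal_fqdn)):
        if not resolver(name):
            problems.append("%s address %s does not resolve; create an A record, then ipconfig /flushdns"
                            % (label, name))
    if s.cert_common_name.lower() not in (s.external_fqdn.lower(), s.internal_fqdn.lower()):
        problems.append("Certificate CN %s matches neither enrollment address" % s.cert_common_name)
    return problems

# Constructed lab DNS mirroring the post's mobilitydojo.net environment (assumption).
LAB_DNS = {"mobileenroll.mobilitydojo.net", "md-scmdm.mobilitydojo.net"}
lab_resolver = lambda name: name.lower() in LAB_DNS

GOOD = EnrollmentSettings("mobilitydojo.net", "md-scmdm.mobilitydojo.net",
                          "mobileenroll.mobilitydojo.net", "mobileenroll.mobilitydojo.net",
                          "mobileenroll.mobilitydojo.net")
# Typical mistakes: localhost for SQL, a non-standard external name, a short CN.
BAD = EnrollmentSettings("mobilitydojo.net", "localhost",
                         "enroll.mobilitydojo.net", "md-scmdm.mobilitydojo.net", "md-scmdm")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_enrollment_settings(cfg, lab_resolver) or "OK")
```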
No point in waiting, so we’ll just move right along to installing the Device Management Server.
Installing the Device Management Server
The SQL Server location has already been filled in for us this time (and you can’t change it).
With the DM server we can choose the actual FQDN of the server. (It will not be exposed externally.)
Accept the default ports suggested.
Same CA.
Also ending with the “Install” button.
And hopefully you’ll get this screen here as well.
Maybe it’s just me, but I like a fresh reboot after installing servers, so while it’s probably not necessary it is nonetheless my next action.
Next item on the menu is running SCMDM BPA again, this time choosing the Post-Deployment Scan. What we are looking for here are errors, and hints on how to correct them. If you get an error on the DM server saying something about .NET Framework Language, ignore it; it’s a bug in the BPA. You’ll probably get a number of warnings as well, but this is expected since we haven’t configured our servers yet. (BPA will give you helpful hints on what you should do; after all, that is why it’s called “Best Practices”.)
All of this will be covered in the next part, but before moving on to the configuration part you should install the last SCMDM component for now: the “Administrator Tools”. Don’t check the “Group Policy Extensions” item; we’ll install these on our Domain Controller later on. (GPMC, which is required for using these extensions, only runs on 32-bit, so it will not install on the SCMDM server.)
You may find it very tempting to boot up a device at this point and start pressing its buttons. Please resist the urge; it is better to make sure the server is correctly configured than to pull your hair out afterwards when you can’t get the device to work.
Ok, on to the part where we smooth out the edges of our installation, and try to test with a device.


Hi, thanks for the great post. I was wondering if I have to do anything else other than creating the host (A) record for mobileenroll on the domain controller. Do I have to enable anything else?
It depends. I connected my device through ActiveSync so my device was able to look up mobileenroll through the domain controller. If you’re using the emulator remember to cradle it to get network connectivity.
If the BPA doesn’t flag any errors indicating connectivity errors things should be ok on the server side, but you might have a client side issue.
I have included all the steps I have performed server side to get it to work, so it is a verified scenario.
Great post.
I am unfortunately having problems with the enabletemplate command
I keep getting the “The <> certification authority was not found” error message.
Any ideas on how to ensure the CA is found ??
Just figured out my syntax was incorrect
I was omitting the ca instance at the end
/enabletemplates /ca:\
Francob
Good thing that it was a simple syntax error.
SCMDM is not very forgiving with incorrect syntax; you need it to be correct down to the letter.
I’m getting this error when running /enabletemplates /ca:\
Error: Failed to add security on the caserver\caname certification authority using trustee security identifier ….
. Error: This function is not supported on this system.
Help!
And this is against a Windows Server 2003 or Windows Server 2008 Enterprise CA?
Have you checked that the user you are logged on with has the proper credentials? Domain Admin rights are probably not sufficient, as it usually requires Enterprise Admin to do things related to a CA.
My CA is on my domain controller running Windows 2008. I log in as Domain Administrator with all the necessary permissions. Here is the log.
[06/04/2009-14:34:26] DEBUG : Executing assembly directory C:\Temp\adconfig
[06/04/2009-14:34:26] DEBUG : Invoking RunDll with arguments “C:\Temp\adconfig\CertificateAuthorityPermissions_x64.dll”,IsCASecurityEnabled TIETON.lychee.comlychee-TIETON-CAS-1-5-21-1119451185-429848030-2992905492-1219
[06/04/2009-14:34:26] DEBUG : Rundll invocation was successful. Process returned with exit code 0
[06/04/2009-14:34:26] DEBUG : Call to exported native method IsCASecurityEnabled in DLL CertificateAuthorityPermissions_x64.dll was successful
[06/04/2009-14:34:26] DEBUG : Calling exported native method IsCARestrictionEnabled in DLL CertificateAuthorityPermissions_x64.dll with args TIETON.lychee.comlychee-TIETON-CAS-1-5-21-1119451185-429848030-2992905492-1219S-1-5-21-1119451185-429848030-2992905492-1220
[06/04/2009-14:34:26] DEBUG : Executing assembly directory C:\Temp\adconfig
[06/04/2009-14:34:26] DEBUG : Invoking RunDll with arguments “C:\Temp\adconfig\CertificateAuthorityPermissions_x64.dll”,IsCARestrictionEnabled TIETON.lychee.comlychee-TIETON-CAS-1-5-21-1119451185-429848030-2992905492-1219S-1-5-21-1119451185-429848030-2992905492-1220
[06/04/2009-14:34:27] DEBUG : Rundll exited with error code -2147024776
[06/04/2009-14:34:27] DEBUG : Failed to verify CA security restrictions on TIETON.lychee.com\lychee-TIETON-CA with trusteeSid S-1-5-21-1119451185-429848030-2992905492-1219, subjectSid S-1-5-21-1119451185-429848030-2992905492-1220. Error: System.ComponentModel.Win32Exception: This function is not supported on this system
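The ADConfig DEBUG log above (and the same error reported further down the thread) buries the useful facts in one long line. The triage helper below is an added example, not part of the original post or of the SCMDM tooling: it pulls the Rundll exit code and the failing CA and SIDs out of the log and decodes the exit code as an HRESULT, which ties “This function is not supported on this system” to Win32 error 120 (ERROR_CALL_NOT_IMPLEMENTED). The sample log is constructed in the quoted format with placeholder SIDs.

```python
import re

RUNDLL_RE = re.compile(r"Rundll exited with error code (-?\d+)")
FAIL_RE = re.compile(r"Failed to verify CA security restrictions on (?P<ca>\S+) "
                     r"with trusteeSid (?P<trustee>S-[\d-]+), subjectSid (?P<subject>S-[\d-]+)")

# Win32 error numbers this log can surface; 120 (0x78) is ERROR_CALL_NOT_IMPLEMENTED,
# the code behind the text "This function is not supported on this system".
WIN32_NAMES = {120: "ERROR_CALL_NOT_IMPLEMENTED"}

def decode_exit_code(code):
    """Turn a signed 32-bit Rundll exit code into (hresult_hex, win32_code, name).

    HRESULTs of the form 0x8007xxxx wrap a Win32 error (FACILITY_WIN32) in the low 16 bits."""
    hresult = code & 0xFFFFFFFF
    win32 = hresult & 0xFFFF if (hresult >> 16) == 0x8007 else None
    return "0x%08X" % hresult, win32, WIN32_NAMES.get(win32, "unknown")

def triage_adconfig_log(text):
    """Summarise the CA permission failure in an ADConfig log, or return None if none is found."""
    result = {}
    for line in text.splitlines():
        m = RUNDLL_RE.search(line)
        if m:
            result["hresult"], result["win32"], result["win32_name"] = decode_exit_code(int(m.group(1)))
        m = FAIL_RE.search(line)
        if m:
            result.update(m.groupdict())   # ca, trustee, subject
    return result or None

# Constructed sample in the format quoted above; CA name and SIDs are placeholders.
SAMPLE_LOG = """\
[06/04/2009-14:34:26] DEBUG : Rundll invocation was successful. Process returned with exit code 0
[06/04/2009-14:34:27] DEBUG : Rundll exited with error code -2147024776
[06/04/2009-14:34:27] DEBUG : Failed to verify CA security restrictions on caserver.example.com\\example-CA with trusteeSid S-1-5-21-1-2-3-1219, subjectSid S-1-5-21-1-2-3-1220. Error: System.ComponentModel.Win32Exception: This function is not supported on this system
"""

if __name__ == "__main__":
    print(triage_adconfig_log(SAMPLE_LOG))
```

The trustee SID is the SCMDM enrollment servers group and the subject SID the enrolled devices group, so a decoded ERROR_CALL_NOT_IMPLEMENTED points at the CA itself refusing the operation rather than at the account running ADConfig.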
The “/enabletemplates” requires Enterprise Admin, so make sure your domain admin is also a member of that group as a double-check. And you’ve already run the other required parameters? (Createinstance, enableinstance, createtemplates, in that order.) If you have multiple domains enabletemplates must be run on the root domain controller. Although not recommended for production, it should work fine to have the CA running on the DC.
Have you tried running adconfig /validateinstance to make sure AD is ok for SCMDM?
I downloaded the Best Practice Tools for MDM and ran the pre-deployment scan. I was able to figure out what was wrong from the scan results. I got my Windows Mobile phone successfully enrolled. Sweet.
In your first screenshot of ADConfig you have:
adconfig /domain:mobilitydojo.net
When I execute that same command line using my domain, what you’re showing doesn’t happen — the setting up of AD and the OUs, etc.
The ADConfig menu of options comes back up but does not progress any further. Should I be putting /createinstance: in there?
::: Confused::
If you are installing SCMDM Service Pack 1 (and there really is no reason you shouldn’t be going for SP1) you should follow the ADConfig steps listed in the following article:
http://mobilitydojo.net/2008/12/30/scmdm-multiple-instance-deployment-part-1/
Also, if I remember correctly, you might see strange behaviour if you are running ADConfig from a read-only location, (like a cd or mounted iso), so to be sure you should copy the directory to a writable folder.
You Sir, are amazing! Appreciate the quick response and all your effort into documenting these setups. I’ll drink a beer in your honor tonight!
Hello, I have the same “Failed to add security on the caserver\caname certification authority using trustee security identifier” error but the BPA doesn’t give me any clue about the problem…
This is the result of BPA.
Pre-deploy tests were all OK but this other test failed
http://img243.imageshack.us/img243/6949/mdmcaerror.jpg
I have searched but I don’t find this error happening to other people… Any help is welcome.
This is an extended version of the previous message:
Hello, I have the same “Failed to add security on the caserver\caname certification authority using trustee security identifier” error but the BPA doesn’t give me any clue about the problem…
The error I get is:
ERROR : Failed to add security on the caserver1.domainName\serverName certification authority using trustee security identifier [S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-23959], and subject security identifier [S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-23960]. Error: This function is not supported on this system.
ERROR : Errors occurred while configuring security on caserver1.domainName\serverName certification authority for MDM instance instanceName.
The 23959 account is SCMDMEnrollmentServers and the 23960 is SCMDMEnrolledDevices
This is the result of BPA.
Pre-deploy tests were all OK but this other test failed
http://img243.imageshack.us/img243/6949/mdmcaerror.jpg
I have searched but I don’t find this error happening to other people… Any help is welcome.
BPA seems to indicate that you haven’t created an instance. With Service Pack 1 it is an additional step that needs to be performed when preparing AD.
The steps are documented here:
http://mobilitydojo.net/2008/12/30/scmdm-multiple-instance-deployment-part-1/
If you have already been through that it seems that for some reason the BPA isn’t catching it and I’m not sure why that would be.
Yes, I did follow the instructions of that link. The only difference may be that I didn’t do it in the root DC but on a member server. I’ll try to remove the instance following:
http://technet.microsoft.com/en-us/library/dd252819.aspx
“This requires that you run /disablegpsecurity; /disabletemplates; /removetemplates; /disableinstance and finally, /removeinstance”
and I’ll create it again from the root DC. I’ll tell you the result…
Thanks
The same error after doing the step:
ADConfig /enableTemplates:instanceName /ca:caserver1.domainName\serverName
from the DC
The problem was that the CA was on a W2003 Standard instead of W2003 Enterprise.
Regards,
Jordi
Ah, yes, the Standard Edition will not let you create custom templates which is a bit of a showstopper with SCMDM.
It’s a really easy thing to miss while checking the pre-reqs though, so I can’t blame you for running into this error.
But at least the fix is “easy” once you locate this as the source (not that the error gives you many clues).
Yes, these are the requirements and it’s explicit enough. That happens when you do things in a rush…
http://technet.microsoft.com/en-us/library/dd261866.aspx
By the way… It’s also funny that MDM 2008 does not support Windows 2008…