Published by Mark Sherman. Modified over 9 years ago.
2
Jason Sandys
Senior Lead Consultant
Catapult Systems, Inc.
Session Code: MGT312
3
Native Mode Setup Dialogs
4
Overview
- What Is Native Mode
- Benefits
- Pre-requisites
- PKI Refresher
- Misperceptions
- Certificate Deployment & Demo
- Implications
- Notes from the Field
5
What Is Native Mode?
[Diagram labels: DP*, MP, SUP, SMP]
6
Benefits
- Enables Internet Based Client Management (IBCM)
- Inventory
- Software Distribution
- Software Updates
- Desired Configuration Management
- Compliance
- Security in general
7
Prerequisites
- Certificates (aka Public Key Infrastructure)
- Clients
  - ConfigMgr 2007 only
  - Windows 2000 not supported
[Diagram labels: DP*, MP, SUP, SMP]
8
PKI Refresher Key Distribution
9
PKI Refresher
- Certificate Revocation Lists (CRL)
- Certificate Distribution Points (CDP)
[Diagram labels: CRL, CDP, LDAP, FTP, SMB, HTTP]
10
Misperceptions
- PKI is Easy
- You must use a Microsoft PKI
- AMT takes advantage of Native Mode
11
Misperceptions
- Enterprise Edition = Enterprise CA
12
Misperceptions
- Internet-based clients can roam
- Fallback Status Points (FSP) are only for Native Mode
- An FSP in a Native Mode site can happily co-exist with other site roles
13
Misperceptions
- Mixed mode does not use certificates
- Native mode protects all site communication
- Only domain joined systems can participate in a Native Mode site
14
Certificate Deployment
16
Implications
Agent Deployment
- Certificates on the clients
- By default SLPs are not used
- “Internet only” clients must be installed manually

    CCMSetup.exe /native:CRL SMSSITECODE=ABC SMSMP=mgmtpoint
17
Implications
WSUS/SUP
- Must manually add the Web server cert in IIS
- Must manually configure IIS for SSL
- Require SSL on virtual directories APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService
- \Tools: WSUSUtil.exe configuressl
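The "Require SSL" setting on the five virtual directories listed above can be audited after the manual IIS steps. The following PowerShell is an added example, not part of the presentation; it assumes the WebAdministration module is available on the WSUS server and that WSUS lives in the IIS site named in $SiteName, and the function name Get-WsusSslState is chosen here.

```powershell
Import-Module WebAdministration

# Assumption: the IIS site that hosts WSUS; change if WSUS uses its own site.
$SiteName    = 'Default Web Site'
# Virtual directories named on the slide.
$VirtualDirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
               'ServerSyncWebService', 'SimpleAuthWebService'

function Get-WsusSslState {
    param([string]$Site, [string[]]$Dirs)
    foreach ($dir in $Dirs) {
        $path = "IIS:\Sites\$Site\$dir"
        if (-not (Test-Path $path)) {
            # A missing directory is reported, not silently skipped.
            [pscustomobject]@{ VirtualDirectory = $dir; SslFlags = 'not found'; RequiresSsl = $false }
            continue
        }
        $raw = Get-WebConfigurationProperty -PSPath $path `
                   -Filter 'system.webServer/security/access' -Name 'sslFlags'
        # Depending on the module version the value is a string or wrapped in .Value.
        $flags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
        [pscustomobject]@{
            VirtualDirectory = $dir
            SslFlags         = $flags
            # "Ssl" as a whole flag means Require SSL; SslNegotiateCert alone does not.
            RequiresSsl      = ($flags -split ',\s*') -contains 'Ssl'
        }
    }
}

Get-WsusSslState -Site $SiteName -Dirs $VirtualDirs | Format-Table -AutoSize

# The site also needs an HTTPS binding backed by the web server certificate.
Get-WebBinding -Name $SiteName -Protocol https
```

Any row with RequiresSsl = False, or an empty binding list, means one of the manual steps on this slide is still outstanding.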
18
Implications
OSD
- Boot Images require client certificates and a copy of the Root CA certificate
- Build and Capture reference systems are not on the domain
- CDP must be available
- PXE
19
Notes from the Field
Initial Installation
- Install in mixed mode and migrate
  - Easier to troubleshoot
  - Better when no PKI in place already
  - Better for organizations unfamiliar with ConfigMgr
- Install in native mode
  - Requires PKI
  - Compounding issues
20
Notes from the Field
PKI Decisions
- Some decisions are not reversible without a lot of pain
- Just because it works in the lab does not mean it will work in production
- Certificate Validity Period
- CRL Distribution Points
- Key Length
21
Notes from the Field
Intra-SUP Communication
- SUP to SUP communication is mostly HTTPS in native mode
[Diagram labels: SUP, Active, Internet Based, Update Metadata, Configuration, EULAs]
22
Notes from the Field
PKI Timing
- Certificate deployment is not instantaneous
- Templates are stored in AD
- Clients must be active and have connectivity to request a certificate
- Plan for this delay
23
Other Notables
- Native Mode is not a one-way choice
- Parent sites must be migrated first
- Mixed mode parent sites do not support Native Mode child sites
- Secondary site modes are dictated by their parent site’s mode
- Native Mode Readiness Tool: http://technet.microsoft.com/en-us/library/bb680986.aspx
24
Links
- MS Internet Clients & Native Mode Forum: http://social.technet.microsoft.com/Forums/en/configmgribcm/threads/
- System Center ConfigMgr TechCenter Library: http://technet.microsoft.com/en-us/library/bb735860.aspx
- Configuration Manager Team Blog: http://blogs.technet.com/configmgrteam/
- My Blog: http://myitforum.com/cs2/blogs/jsandys
25
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources
26
Related Content
- MGT304 Deploying Microsoft System Center Configuration Manager 2007, Part 1: Site Deployment
- MGT305 Deploying Microsoft System Center Configuration Manager 2007, Part 2: Client Deployment
- MGT306 Deploying Microsoft System Center Configuration Manager 2007, Part 3: Hierarchy Design and Implementation Best Practices
- MGT02-HOL Microsoft System Center Configuration Manager: Migrating from Mixed Mode to Native Mode
27
Management Track Resources
Key Microsoft Sites
- System Center on Microsoft.com: http://www.microsoft.com/systemcenter
- System Center on TechNet: http://technet.microsoft.com/systemcenter/
- Virtualization on Microsoft.com: http://www.microsoft.com/virtualization
Community Resources
- System Center Team Blog: http://blogs.technet.com/systemcenter
- System Center on TechNet Edge: http://edge.technet.com/systemcenter
- System Center on Twitter: http://twitter.com/system_center
- Virtualization Feed: http://www.virtualizationfeed.com
- System Center Influencers Program: Content, connections, and resources for influencers in the System Center Community. For information, contact scnetsup@microsoft.com
30
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.