January 18, 2010

Benefits of Extending Active Directory

Once you extend the Active Directory schema and complete the other steps needed to publish site information to AD (creating the System Management container and granting the site server permission to write to it), clients in the same AD forest as your ConfigMgr sites can query AD to locate Configuration Manager services and retrieve important information about your sites. Clients in workgroups, or in domains that have no trust relationship with that forest, cannot take advantage of the schema extensions and must be given this information another way.

The following ConfigMgr features require extending the AD schema and publishing site information to AD:

Global roaming—Roaming in ConfigMgr allows clients such as laptop computers to connect to the network at various locations and receive certain services from the site local to that location. With the schema extensions, a client queries AD for mSSMSRoamingBoundaryRange objects to determine whether any site in the hierarchy has published a boundary that covers its current IP address. This is known as global roaming. Without the schema extensions, clients can only receive services at their assigned site or at the sites below their assigned site in the ConfigMgr hierarchy.

Global roaming can make content available to clients at network locations where it would otherwise not be available. Global roaming can also prevent unnecessary network traffic otherwise caused by those clients at remote locations requiring services from their assigned site.

Network Access Protection—You can use ConfigMgr’s NAP capabilities to keep clients that do not meet the software update requirements you specify from gaining full network access. NAP requires the client to retrieve the health state reference, which is stored in attributes of the mSSMSSite object in AD.

Client site assignment—To receive ConfigMgr services, a client system must first be assigned to a site. The schema extensions give the client the option of retrieving from AD the information it needs to identify and contact its assigned site.

Client installation properties—A number of configurable options, such as the size of the download cache, are available through the extended schema.

Site mode settings—The extended schema supplies the client with the site’s security mode (mixed or native) and, for native mode sites, the certificate information the client requires.

Server locator point and management points—Clients can use Active Directory to locate the server locator point and management points. Without the schema extensions you must supply this information another way, for example by manually creating the special Windows Internet Naming Service (WINS) entries or by passing the server locator point as a client installation property.

Custom Transmission Control Protocol (TCP)/Internet Protocol (IP) port information—If a site has been configured to use nonstandard ports for client communications, the port numbers can be provided to clients through the schema extensions.

In addition, the schema extensions allow sites to exchange public keys automatically, which simplifies site-to-site communication; without them you must exchange the keys manually. If you have clients assigned to your central site and have not extended the schema, recovery from a site failure can require reprovisioning all clients manually with the trusted root key.
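The following script is an added example, not code from the original post or from Microsoft. It checks that the four ConfigMgr classes are present in the schema, reads what the site server published under the System Management container, and reproduces the client’s global roaming lookup from the list above: which site has published a boundary range covering a given IP address, and which default management point serves that site. It uses only System.DirectoryServices, so no RSAT module is needed, but it must run under a domain account with read access to the container. The class and attribute names are the ones ConfigMgr 2007 publishes; the function names, the site codes CEN and PRI, the contoso.local host names and the sample data are this example’s own, and the treatment of the range attributes as signed 32-bit integers that wrap negative for addresses above 127.255.255.255 is an assumption.

```powershell
# Added example; not code from the original post or from Microsoft. It checks
# that the ConfigMgr 2007 schema extension is present, reads what the site
# server published under CN=System Management,CN=System, and reproduces the
# client's global-roaming question: which site has published a boundary range
# covering a given IP address, and which management point serves it.
# Needs only System.DirectoryServices (no RSAT module) and a domain account
# with read access to the container. Class and attribute names are those
# ConfigMgr 2007 publishes; the function names are this example's own.

function Test-SmsSchemaExtension {
    # $true only if all four ConfigMgr classes exist in the schema naming context.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schema   = [ADSI]"LDAP://$($rootDse.schemaNamingContext.Value)"
    $required = @('mSSMSSite', 'mSSMSManagementPoint',
                  'mSSMSServerLocatorPoint', 'mSSMSRoamingBoundaryRange')
    $missing = foreach ($cls in $required) {
        $filter = "(&(objectClass=classSchema)(lDAPDisplayName=$cls))"
        $s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $schema, $filter
        if ($null -eq $s.FindOne()) { $cls }
    }
    if ($missing) { Write-Warning "Schema not extended; missing classes: $($missing -join ', ')" }
    return (-not $missing)
}

function Get-SmsPublishedObjects {
    # Site, management point and roaming boundary range objects, flattened to
    # plain objects so Find-SmsSiteForAddress can also be fed constructed data.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $container = [ADSI]"LDAP://CN=System Management,CN=System,$($rootDse.defaultNamingContext.Value)"
    $filter    = '(|(objectClass=mSSMSSite)(objectClass=mSSMSManagementPoint)(objectClass=mSSMSRoamingBoundaryRange))'
    $s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $container, $filter
    $s.PageSize = 500
    foreach ($r in $s.FindAll()) {
        $p = $r.Properties                        # keys come back lower-cased
        [pscustomobject]@{
            Class     = @($p['objectclass'])[-1]   # most specific class is listed last
            SiteCode  = @($p['mssmssitecode'])[0]
            MPName    = @($p['mssmsmpname'])[0]
            MPAddress = @($p['mssmsmpaddress'])[0]
            DefaultMP = [bool](@($p['mssmsdefaultmp'])[0])
            IPLow     = @($p['mssmsrangediplow'])[0]
            IPHigh    = @($p['mssmsrangediphigh'])[0]
        }
    }
}

function ConvertTo-IPv4Integer {
    # Dotted quad -> unsigned 32-bit value held in a [long].
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertTo-UnsignedRangeValue {
    # Assumption: the range attributes are 32-bit integers, so addresses above
    # 127.255.255.255 come back negative; map them onto 0..2^32-1.
    param([long]$Value)
    if ($Value -lt 0) { $Value + 4294967296 } else { $Value }
}

function Find-SmsSiteForAddress {
    # Site code whose published range covers $Address, with that site's default
    # management point; $null when no range matches, in which case the client
    # only has the sites it already knows (its assigned site and those below it).
    param([string]$Address, [object[]]$Published)
    $ip  = ConvertTo-IPv4Integer $Address
    $hit = $Published | Where-Object {
        $_.Class -eq 'mSSMSRoamingBoundaryRange' -and $null -ne $_.IPLow -and
        $ip -ge (ConvertTo-UnsignedRangeValue $_.IPLow) -and
        $ip -le (ConvertTo-UnsignedRangeValue $_.IPHigh)
    } | Select-Object -First 1
    if (-not $hit) { return $null }
    $mp = $Published | Where-Object {
        $_.Class -eq 'mSSMSManagementPoint' -and $_.SiteCode -eq $hit.SiteCode -and $_.DefaultMP
    } | Select-Object -First 1
    [pscustomobject]@{ SiteCode = $hit.SiteCode; ManagementPoint = $mp.MPName; MPAddress = $mp.MPAddress }
}

# Constructed sample standing in for Get-SmsPublishedObjects output: site CEN
# publishes 10.0.0.0-10.0.0.255 and site PRI publishes 192.168.10.0-192.168.10.255
# (the PRI values are what those addresses look like stored as 32-bit integers).
$sample = @(
    [pscustomobject]@{ Class = 'mSSMSSite'; SiteCode = 'CEN' }
    [pscustomobject]@{ Class = 'mSSMSManagementPoint'; SiteCode = 'CEN'; MPName = 'mp1.contoso.local'; MPAddress = 'http://mp1.contoso.local'; DefaultMP = $true }
    [pscustomobject]@{ Class = 'mSSMSRoamingBoundaryRange'; SiteCode = 'CEN'; IPLow = 167772160; IPHigh = 167772415 }
    [pscustomobject]@{ Class = 'mSSMSManagementPoint'; SiteCode = 'PRI'; MPName = 'mp2.contoso.local'; MPAddress = 'http://mp2.contoso.local'; DefaultMP = $true }
    [pscustomobject]@{ Class = 'mSSMSRoamingBoundaryRange'; SiteCode = 'PRI'; IPLow = -1062729216; IPHigh = -1062728961 }
)
Find-SmsSiteForAddress -Address '192.168.10.42' -Published $sample
Find-SmsSiteForAddress -Address '172.16.0.5'    -Published $sample

# Against the live forest, for this computer's first IPv4 address:
if (Test-SmsSchemaExtension) {
    $local = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
             Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    Find-SmsSiteForAddress -Address $local.IPAddressToString -Published (Get-SmsPublishedObjects)
}
```

With the constructed sample, the first lookup resolves 192.168.10.42 to site PRI and mp2.contoso.local, and the second returns nothing because no published range covers 172.16.0.5, which is exactly the case in which a client is left with only its assigned site. Two points worth keeping in mind when running this against a real forest: the read requires a bind as a forest account, which is why workgroup and untrusted-domain clients get nothing from the schema extensions, and if an attribute comes back empty you should confirm its name against the published objects in ADSI Edit before trusting the result.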
