Monday, May 9, 2011

How to Configure Windows Server 2008 for Site Systems (SCCM)

How to Configure Windows Server 2008 for Site Systems
Updated: July 1, 2010
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Use the procedures in this topic to help you configure Windows Server 2008 and Windows Server 2008 R2 to support Configuration Manager 2007 SP1 or later site systems.
Note
Configuration Manager 2007 SP1 or later supports installing primary and secondary site systems on Windows Server 2008 and Windows Server 2008 R2 read-only domain controller (RODC) computers. During a site installation, the Configuration Manager 2007 Setup Wizard identifies that the site is being installed on an RODC and searches for a writable domain controller to create the necessary groups required by the type of site installation. However, when installing secondary sites by using the Install Secondary Site Installation Wizard from a Configuration Manager console, you must create the required groups in Active Directory Domain Services before you run the secondary site installation.

Use the following information to configure Windows Server 2008 and Windows Server 2008 R2 site systems for Configuration Manager:

Remote Differential Compression for site server and branch distribution point computers

Site servers and branch distribution points require Remote Differential Compression (RDC) to generate package signatures and perform signature comparison. By default, RDC is not installed on Windows Server 2008 or Windows Server 2008 R2 and must be enabled manually.
Use the following procedure to enable Remote Differential Compression for Windows Server 2008 and Windows Server 2008 R2.
  1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard.
  2. On the Select Features page, select Remote Differential Compression, and then click Next.
  3. Complete the rest of the wizard.
  4. Close Server Manager.

Internet Information Services (IIS)

You must install Internet Information Services (IIS) for Windows Server 2008 and Windows Server 2008 R2 computers when they will be used to hold any of the following site system roles:
  • Management point
  • Distribution points that are enabled for Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS
  • Reporting point
  • Software update point
  • Server locator point
  • Fallback status point

Configure WebDAV to support management points and distribution points that are enabled for "Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS"

In addition to IIS, you must configure WebDAV extensions for management points and distribution points that are enabled for Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS.
  • Windows Server 2008 with IIS 7.0: Manually install and configure WebDAV extensions after installing IIS 7.0.
  • Windows Server 2008 R2 with IIS 7.5: WebDAV extensions are included with IIS, and you do not have to download them manually, but you must enable WebDAV extensions during IIS installation.

Install Internet Information Services (IIS) on Windows Server 2008 and Windows Server 2008 R2 Computers

Use the following procedure that applies to Windows Server 2008 and Windows Server 2008 R2:
  1. On the Windows Server computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node, and then click Add Features to start the Add Features Wizard.
  2. On the Select Features page of the Add Features Wizard:

    • For Windows Server 2008, select the BITS Server Extensions check box. For Windows Server 2008 R2, select the Background Intelligent Transfer Services (BITS) check box. When prompted, click Add Required Role Services to add the dependent components, including the Web Server (IIS) role.
    • Select the Remote Differential Compression check box, and then click Next.
  3. On the Web Server (IIS) page of the Add Features Wizard, click Next.
  4. On the Select Role Services page of the Add Features Wizard:

    • Windows Server 2008 R2 only: For Common HTTP Features, select the WebDAV Publishing check box.
    • For Application Development, select the ASP.NET check box and, when prompted, click Add Required Role Services to add the dependent components.

      Note
      The ASP check box must also be selected if the site system will be configured as a reporting point.
    • For Security, select the Windows Authentication check box.
    • In the Management Tools node, for IIS 6 Management Compatibility, ensure that both the IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility check boxes are selected, and then click Next.
  5. On the Confirmation page, click Install, and then complete the rest of the wizard.
  6. Click Close to exit the Add Features Wizard, and then close Server Manager.

Install WebDAV for IIS 7.0

You must install WebDAV manually on Windows Server 2008 computers with IIS 7.0. The following procedure applies to Windows Server 2008 with IIS 7.0 installed:
  1. Depending on your server operating system architecture, download either the x86 or x64 version of WebDAV from: http://go.microsoft.com/fwlink/?LinkId=108052.
  2. Depending on the version you downloaded, run either the webdav_x86_rtw.msi or the webdav_x64_rtw.msi file to install WebDAV IIS 7.0 extensions.

Enable WebDAV and create an Authoring Rule

Use the following procedure to enable WebDAV and create an Authoring Rule for Windows Server 2008 and Windows Server 2008 R2:
  1. Navigate to Start / All Programs / Administrative Tools / Internet Information Services (IIS) Manager to start Internet Information Services 7 Application Server Manager.
  2. In the Connections pane, expand the Sites node, and then click Default Web Site if you are using the default Web site for the site system or SMSWEB if you are using a custom Web site for the site system.
  3. In the Features View, double-click WebDAV Authoring Rules.
  4. With the WebDAV Authoring Rules page displayed, in the Actions pane, click Enable WebDAV.
  5. In the Actions pane, click Add Authoring Rule.
  6. In the Add Authoring Rule dialog box, for Allow access to, select All content.
  7. For Allow access to this content to, select All users.
  8. For Permissions, select Read, and then click OK.
Use the following procedure to change the property behavior of WebDAV on Windows Server 2008 and Windows Server 2008 R2:
  1. In the WebDAV Authoring Rules page, in the Actions pane, click WebDAV Settings.
  2. In the WebDAV Settings page, for Property Behavior, set Allow anonymous property queries to True.
  3. Set Allow Custom Properties to False.
  4. Set Allow property queries with infinite depth to True.
  5. For a distribution point that is enabled for Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS, for WebDAV Behavior, set Allow hidden files to be listed to True.
  6. In the Actions pane, click Apply.
  7. Close Internet Information Services (IIS) Manager.

Configure the requestFiltering section on distribution points

The following information applies when you use distribution points that are enabled for Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS.
If package source files contain extensions that, by default, are blocked in IIS, you must configure the requestFiltering section in the applicationHost.config file on a distribution point that is enabled for Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS.
Important
When you enable WebDAV and modify the requestFiltering section of the applicationHost.config file for the Web site, this increases the attack surface of the computer. Enable WebDAV only when required for management points and distribution points that are enabled for Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS. If you enable WebDAV on the default Web site, it is enabled for all applications that use the default Web site. If you modify the requestFiltering section, it is modified for all Web sites on that server. The security best practice is to run Configuration Manager 2007 on a dedicated Web server. If you must run other applications on the Web server, use a custom Web site for Configuration Manager 2007. For more information, see Best Practices for Securing Site Systems.

Use the following procedure to modify requestFiltering for Windows Server 2008 and Windows Server 2008 R2.
  1. Open the applicationHost.config file located in the %Windir%\System32\Inetsrv\Config\ directory on distribution points that are enabled for Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS.
  2. Search for the requestFiltering section.
  3. Determine the file name extensions that you will have in the packages on that distribution point. For each file name extension that you require, change allowed to true.

    For example, if your package will contain a file with an .mdb extension, change allowed to true on the line for the .mdb file name extension.

    Allow only the file name extensions required for your packages.
  4. Save and close the applicationHost.config file.
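To check the result of this procedure, the following added example (not part of the original article or of Configuration Manager) parses the requestFiltering section and reports every file name extension set to allowed="true" that is not on your required list. The XML is a constructed sample, and the function name and the required list are assumptions.

```powershell
# Added example: find extensions that were re-allowed but are not needed.
# The XML below is a constructed sample, not copied from a real server.
[xml]$sample = @'
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".asax" allowed="false" />
          <add fileExtension=".config" allowed="true" />
          <add fileExtension=".mdb" allowed="true" />
          <add fileExtension=".cs" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@

# Get-ReallowedExtension is a hypothetical helper name, not a built-in cmdlet.
function Get-ReallowedExtension {
    param(
        [xml]$Config,         # parsed applicationHost.config
        [string[]]$Required   # extensions your packages actually contain
    )
    # '//' also matches requestFiltering sections inside <location> elements.
    $xpath = '//requestFiltering/fileExtensions/add'
    foreach ($node in $Config.SelectNodes($xpath)) {
        if ($node.GetAttribute('allowed') -ne 'true') { continue }
        $ext = $node.GetAttribute('fileExtension').ToLower()
        if ($Required -contains $ext) {
            $status = 'required by packages'
        } else {
            $status = 'not required: set allowed back to false'
        }
        New-Object PSObject -Property @{ Extension = $ext; Status = $status }
    }
}

# The sample allows .mdb (needed) and .config (not needed, so it is flagged).
Get-ReallowedExtension -Config $sample -Required '.mdb' |
    Format-Table Extension, Status -AutoSize

# On a distribution point, load the real file instead of the sample:
# [xml]$live = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
# Get-ReallowedExtension -Config $live -Required '.mdb'
```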

Monday, May 2, 2011

PFX Export/Import Explained IIS7

PFX Export/Import Explained

How to Import and Export your SSL Certificate in IIS 7

PFX Backup Tutorial for Microsoft IIS 7 Servers
The PFX extension is used on Windows servers for files containing both the public key files (your SSL certificate files, provided by DigiCert) and the associated private key (generated by your server at the time the CSR was generated).
Since both the public and private keys are needed for an SSL certificate to function, a PFX backup is always needed to transfer an SSL server security certificate from one server to another.
This tutorial explains how to back up your certificate from a working server, import the certificate to a second server, and then enable the certificate for use on the new server. If you have not yet installed the certificate files you received from DigiCert to the server that generated your CSR, please see our IIS 7 installation instructions.
Exporting/Backing up your certificate/Private Key (to .pfx file format)
  1. Start > Run
  2. Type in MMC and click OK
  3. Go into the File Tab > select Add/Remove Snap-in
  4. Click on Certificates and click on Add.
  5. Select Computer Account > Click Next
  6. Select Local Computer > Click Finish
  7. Click OK to close the Add/Remove Snap-in window.
  8. Double click on Certificates (Local Computer) in the center window.
  9. Double click on the Personal folder, and then on Certificates.
  10. Right-click the certificate you would like to back up and choose > ALL TASKS > Export
  11. Follow the Certificate Export Wizard to back up your certificate to a .pfx file.
  12. Choose 'Yes, export the private key'
  13. Choose to "Include all certificates in certificate path if possible." (do NOT select the delete Private Key option)
  14. Enter a password you will remember
  15. Choose to save the file in a set location
  16. Finish
  17. You will receive a message > "The export was successful." > Click OK
  18. The .pfx file backup is now saved in the location you selected.
Importing your Certificate/Private Key (from .pfx file format)
  1. Start > Run
  2. Type in MMC and click OK
  3. Go into the File Tab > select Add/Remove Snap-in
  4. Click on Certificates and click on Add.
  5. Select Computer Account > Click Next
  6. Select Local Computer > Click Finish
  7. Click OK to close the Add/Remove Snap-in window.
  8. Double click on Certificates (Local Computer) in the center window.
  9. Right click on the Personal Certificates Store (folder)
  10. Choose > ALL TASKS > Import
  11. Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. You will need to browse for .pfx files.
  12. Enter the password that was used when exporting the certificate to a .pfx file.
  13. If desired, check the box to "Mark this key as exportable."
  14. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
  15. Click Finish to close the certificate wizard.
  16. Close the MMC console. In the case that you are prompted, it is not necessary to save the changes made to the MMC console.
Configuring Your Site - IIS 7
  1. Click on Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
  2. Click on the server name.
  3. Expand the Sites folder.
  4. Select the site to be secured (usually the default web site).
  5. From the "Actions" menu (on the right), click on "Bindings..." under Edit Site.
  6. In the "Site Bindings" window, click "Add..." This will open the "Add Site Binding" window.
  7. Under "Type" choose https. The IP address should be the IP address of the site or All Unassigned, and the port over which traffic will be secured by SSL is usually 443. The "SSL Certificate" field should specify the certificate that was installed during the import process described above.
  8. Click "OK."
  9. Your SSL certificate is now installed, and the website configured to accept secure connections.
Occasionally a server or IIS restart is required before your server will recognize the new certificate.
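Before adding the https binding, it is worth confirming that the import placed the certificate in the Local Computer Personal store together with its private key. The following added example (not from the original tutorial; the function name is an assumption) reads that store through the .NET X509Store class and flags certificates that lack a private key, are outside their validity period, or carry an Enhanced Key Usage extension without Server Authentication.

```powershell
# Added example: inspect the Local Computer "Personal" store after a PFX import.
# Get-ImportedCertStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-ImportedCertStatus {
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            $problems = @()
            # The page's point: without the private key the certificate cannot be used.
            if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
            if ($cert.NotAfter  -lt $now) { $problems += 'expired' }
            if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
            # A certificate with no EKU extension is not restricted to specific uses.
            $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
            if ($eku) {
                $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
                if ($oids -notcontains $serverAuthOid) {
                    $problems += 'no Server Authentication EKU'
                }
            }
            if ($problems.Count -eq 0) { $problems += 'ok' }
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Status     = ($problems -join ', ')
            }
        }
    }
    finally {
        $store.Close()
    }
}

Get-ImportedCertStatus | Format-Table Subject, NotAfter, Status, Thumbprint -AutoSize
```

Pick the certificate for the "SSL Certificate" field of the binding from the rows whose Status is ok.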
