I recently worked with a client to migrate their SCCM 2007 SP2 R2 enterprise to Native Mode. Performing this migration allowed me to focus my attention on PKI, as there were 4 certificates that were created for this process to complete securely. Here are the steps I took and the links for instructions. There are many different scenarios to choose from, and as a cost-saving measure we decided to allow communication through both firewalls. In this case, we allowed HTTP and HTTPS traffic to the MP and DP but were able to create an SSL bridge using their ISA box, so not only do you need to have the correct cert installed on your client, you also need to be a domain computer. Great learning experience, and I’d like to thank the folks on the Microsoft forums, especially Carol Bailey.
Native Mode Migration
1. Prereqs for Native Mode
http://technet.microsoft.com/en-us/library/bb680464.aspx
2. Certificate requirements
http://technet.microsoft.com/en-us/library/bb680733.aspx
3. Supported Scenarios for Native Mode
http://technet.microsoft.com/en-us/library/bb693824.aspx
4. Determine Admin roles for each department
http://technet.microsoft.com/en-us/library/bb694253.aspx
5. Create certificates
http://technet.microsoft.com/en-us/library/bb694035.aspx (Server 2003 CA)
http://technet.microsoft.com/en-us/library/cc872789.aspx (Server 2008 CA)
Don’t forget to add Web Site cert to WSUS Custom Website.
If client has ISA, a 4th cert will be used on ISA box for client authentication for SSL bridging. (add cert to Microsoft Firewall service store.) http://technet.microsoft.com/en-us/library/cc707697.aspx
6. Verify Clients are ready for Native Mode
http://technet.microsoft.com/en-us/library/bb680986.aspx
7. Ensure migration to Native mode checklist has been followed
http://technet.microsoft.com/en-us/library/bb632727.aspx
8. Change mode to Native (reboot required)
http://technet.microsoft.com/en-us/library/bb680769.aspx
9. Import root CA for OSD
http://technet.microsoft.com/en-us/library/bb632596.aspx
10. Enable/disable CRL
http://technet.microsoft.com/en-us/library/bb680540.aspx
11. Configure HTTP for roaming and client assignment
http://technet.microsoft.com/en-us/library/bb694220.aspx
12. If your client cert is not in the personal store, follow this procedure
http://technet.microsoft.com/en-us/library/bb632622.aspx
13. If you are using multiple client certificates, configure SCCM to use the correct one
http://technet.microsoft.com/en-us/library/bb632376.aspx
14. Ensure Native Mode migration completed successfully
http://technet.microsoft.com/en-us/library/bb694287.aspx
15. Configure MP for IBC
http://technet.microsoft.com/en-us/library/bb693517.aspx
16. Configure DP for IBC
http://technet.microsoft.com/en-us/library/bb632488.aspx
17. Configure FBSP for IBC
http://technet.microsoft.com/en-us/library/bb680746.aspx
18. Prepare SUP for SSL
http://technet.microsoft.com/en-us/library/bb633246.aspx
19. Configure SUP for IBC
http://technet.microsoft.com/en-us/library/bb694182.aspx
20. Test MP communication through the firewall(s)
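As an added example (not part of the original post or of any Microsoft documentation), the following PowerShell script checks steps 12, 13, 16 and 20 from a client's point of view: it looks for a Client Authentication certificate with a private key in the computer's Personal store, warns when more than one is present (step 13), builds the chain with online CRL checking (step 10) and confirms the chain ends at the expected root, then requests the MP's well-known mplist page over HTTPS with that certificate and over plain HTTP. The MP name, the root CA subject and the thresholds are hypothetical placeholders; replace them with your own values and run it in an elevated PowerShell on a domain-joined client.

```powershell
# Added example, not from the original post. Hypothetical values below:
$MpFqdn     = 'sccm-mp.corp.example'   # placeholder management point FQDN
$RootCaSubj = 'CN=Corp Root CA'        # placeholder subject of the enterprise root CA

Add-Type -AssemblyName System.Security   # X509 classes live here on older PowerShell

# --- Step 12/13/16: find a usable client authentication certificate -------------
$clientAuthOid = '1.3.6.1.5.5.7.3.2'     # Enhanced Key Usage OID for Client Authentication
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$candidates = @($store.Certificates | Where-Object {
    $cert = $_
    $eku  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $cert.HasPrivateKey -and
    $cert.NotAfter -gt (Get-Date) -and
    $eku -ne $null -and
    (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0)
})
$store.Close()

if ($candidates.Count -eq 0) {
    Write-Host 'FAIL: no Client Authentication certificate with a private key in LocalMachine\My (see step 12).'
    return
}
if ($candidates.Count -gt 1) {
    # More than one candidate: SCCM needs a selection rule (step 13), otherwise it may pick the wrong one.
    Write-Host ("WARN: {0} client certificates found; configure certificate selection (step 13)." -f $candidates.Count)
    $candidates | ForEach-Object { Write-Host ('   ' + $_.Subject + '  thumbprint ' + $_.Thumbprint) }
}
$cert = $candidates[0]
Write-Host ('Using certificate: ' + $cert.Subject + ' (expires ' + $cert.NotAfter + ')')

# --- Step 10: chain build with online CRL checking, must end at the expected root ---
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $chainOk) {
    Write-Host 'FAIL: chain did not validate (CRL reachable? root trusted?):'
    $chain.ChainStatus | ForEach-Object { Write-Host ('   ' + $_.Status + ': ' + $_.StatusInformation.Trim()) }
} elseif ($root.Subject -ne $RootCaSubj) {
    Write-Host ('FAIL: chain ends at "' + $root.Subject + '", expected "' + $RootCaSubj + '".')
} else {
    Write-Host 'OK: certificate chains to the expected root with revocation checked.'
}

# --- Step 20: talk to the MP through the firewall(s) over HTTPS and HTTP -------
# /sms_mp/.sms_aut?mplist is the MP's own list page, used here only as a reachability probe.
function Test-MpUrl([string]$Url, $ClientCert) {
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Timeout = 15000
        if ($ClientCert -ne $null) { [void]$req.ClientCertificates.Add($ClientCert) }
        $resp = $req.GetResponse()
        Write-Host ('OK:   ' + $Url + ' -> ' + [int]$resp.StatusCode)
        $resp.Close()
    } catch {
        # A 403 over HTTPS typically means the cert was presented but rejected (wrong CA, no domain membership for SSL bridging).
        Write-Host ('FAIL: ' + $Url + ' -> ' + $_.Exception.Message)
    }
}
Test-MpUrl ('https://' + $MpFqdn + '/sms_mp/.sms_aut?mplist') $cert
Test-MpUrl ('http://'  + $MpFqdn + '/sms_mp/.sms_aut?mplist') $null
```

If the HTTPS probe fails while the HTTP one succeeds, the problem is on the certificate side (client cert, the MP's web server cert, or the ISA SSL bridge rejecting a non-domain computer) rather than basic firewall reachability, which narrows step 20 considerably.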
