217 30 12MB
English Pages 1040 Year 2010
Chris Amaris, MCSE, CISSP Tyson Kopczynski, CISSF?GCIH Alec Minty, MCSE Rand Morimoto, Ph.D., MCITP Technical Edit by Guy Yardeni
Microsoft"
System Center Enterprise Suite I UNLEASHED
8 0 0 East 96th Street, Indianapolis, Indiana 4 6 2 4 0 USA
Microsoft® System Center Enterprise Suite Copyright © 2 0 1 0 by Pearson Education, Inc.
Editor-in-Chief
Unleashed
Karen Gettman
All rights reserved. No part of t h i s book shall be reproduced, stored In a retrieval system, or t r a n s m i t t e d by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability Is a s s u m e d with respect to the use of the Information contained herein. Although every precaution has been taken In the preparation of this book, the publisher and authors assume no responsibility for errors or omissions. Nor Is any liability a s s u m e d for damages resulting from the use of the Information contained herein. ISBN-13: 9 7 8 - 0 - 6 7 2 - 3 3 3 1 9 - 4 ISBN-10: 0 - 6 7 2 - 3 3 3 1 9 - 8
Executive Editor Neil Rowe D e v e l o p m e n t Editor M a r k Renfrow M a n a g i n g Editor Kristy H a r t
Library of Congress Cataloging-ln-Publlcation Data
Project Editor
Microsoft System Center Enterprise suite unleashed / Chris Amarls ... [et al.]. p. cm. Includes bibliographical references and Index. ISBN-13: 9 7 8 - 0 - 6 7 2 - 3 3 3 1 9 - 4 (alk. paper) ISBN-10: 0 - 6 7 2 - 3 3 3 1 9 - 8 (alk. paper)
B e t s y Harris
1. Integrated software. 2. QA76.76.I57M498 2010 005.5—dc22
Information technology—Management.
I. Amaris, Chris.
Copy Editor Karen Annett Indexer Erika M i l l e n
2010006460 Printed In the United States of America First Printing April 2 0 1 0
Proofreader Williams Woods Publishing
Trademarks
Technical Editor
All t e r m s mentioned In this book that are known to be trademarks or service marks have been appropriately capitalized. Sams Publishing cannot attest to the accuracy of t h i s Information. Use of a term In this book should not be regarded as affecting the validity of any trademark or service mark.
Guy Yardeni
Warning and Disclaimer Every effort has been made to make t h i s book as complete and as accurate as possible, but no warranty or f i t n e s s Is implied. The Information provided Is on an "as is" basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the Information contained In this book or from the use of the programs accompanying It.
Publishing Coordinator Cindy Teeters B o o k Designer Gary Adair Compositor N o n i e Ratclif f
Bulk
Sales
Sams Publishing offers excellent discounts on t h i s book when ordered In quantity for bulk purchases or special sales. For more Information, please contact
Contributing Writer R o b e r t Jue, MCP+I
U.S. Corporate and Government Sales
2 . 0 , MCSE, M C D B A ,
1-800-382-3419
MCTS
[email protected] For sales outside of the U.S., please contact International Sales [email protected]
Contents at a Glance Introduction 1
Introduction to the System Center Suite
2
System Center Configuration Manager 2007 R2 Design
3
System Center Configuration Manager Implementation
and Planning and Administration 4
1 5 51 ff3
Using Configuration Manager to Distribute Software, Updates, and Operating Systems
f 73
5
Configuration Manager Asset Management and Reporting
2f 9
6
Operations Manager Design and Planning
257
7
Operations Manager Implementation and Administration
323
8
Using Operations Manager for Monitoring and Alerting
387
9
Using Operations Manager for Operations and Security Reporting
495
10
Data Protection Manager 2010 Design, Planning, Implementation, and Administration
11
Using Data Protection Manager 2010 to Protect File Systems, Exchange, SQL, and SharePoint
12
583
Virtual Machine Manager 2008 R2 Design, Planning, and Implementation
13
543
627
Managing a Hyper-V Environment with Virtual Machine Manager 2008 R2 ...
665
14
Service Manager 2010 Design, Planning, and Implementation
709
15
Using Service Manager 2010 for Incident Tracking and Help Desk Support
759
16
Using Service Manager 2010 Change-Control Management
809
17
Using System Center Capacity Planner for Predeployment Planning
845
18
Using Mobile Device Manager to Manage Mobile Devices
865
19
Using System Center Essentials for Midsized Organizations
911
Index
987
Table of Contents
1
Introduction
1
Introduction to the System Center Suite
5
What Is System Center? Understanding System Center Understanding System Center Understanding System Center Understanding System Center Understanding System Center Understanding System Center Understanding System Center Understanding System Center Understanding System Center Summary Best Practices 2
3
Configuration Manager Operations Manager Data Protection Manager Virtual Machine Manager Service Manager Capacity Planner Mobile Device Manager Essentials Licensing
System Center Configuration Manager 2007 R2 Design and Planning
5 9 15 22 28 33 37 40 43 46 47 48 51
Explaining How Configuration Manager Works Understanding Content Distribution Understanding Asset Management Reporting from Configuration Manager Configuration Manager Architecture Components Securing Configuration Manager Understanding Fault Tolerance and Disaster Recovery Understanding Component Requirements Configuration Manager Design Considerations Planning for Native Mode Understanding Client Schedules Planning for Internet-Based Client Management Putting It All Together Summary Best Practices
52 57 61 64 65 79 84 86 90 102 104 105 107 109 110
System Center Configuration Manager Implementation and Administration
113
Reviewing ConfigMgr 2007 R2 Architecture Understanding the AD Site Topology
113 116
Contents
4
5
vii
Creating a Public Key Infrastructure Deploying Certificates Preparing the Site Database Server Extending the Active Directory Schema Configuring Active Directory Implementing Internet Information Services (IIS) Implementing the Central Site Deploying the Child Primary Sites Configuring the Hierarchy Implementing Asset Management Implementing Patch Management Implementing OS Deployment Implementing Regional Server Infrastructure Discovering and Managing Clients Summary Best Practices
118 120 129 133 134 135 138 148 148 158 158 160 161 163 167 168
Using Configuration Manager to Distribute Software, Updates, and Operating Systems
173
Understanding the Infrastructure Understanding How Clients Locate Content Understanding How Internet Clients Locate Content Understanding Computer Management Configuring the Computer Client Agent Configuring the Advertised Programs Client Agent Understanding Distribution Points Defining Collections Understanding Software Distribution Publishing Software Deploying Software Automatically Monitoring Software Deployment Understanding Update Distribution Understanding Operating System Deployment Preparing Required Packages Managing Operating System Install Packages Deploying Operating Systems Summary Best Practices
173 174 176 177 178 180 181 182 185 191 193 195 196 203 206 207 210 214 214
Configuration Manager Asset Management and Reporting
219
Understanding the Database Understanding Inventory Collection
219 220
viii
Microsoft System Center Enterprise Suite Unleashed
6
7
8
Using IDMIF and NOIDMIF Files Configuring Client Agents for Inventory Collection Customizing Hardware Inventory Validating Inventory Data Viewing Inventory Data Understanding Reporting Understanding Software Metering Understanding Asset Intelligence Importing Software License Data Customizing the AI Catalog Using System Center Online Services Understanding Asset Intelligence Reporting Understanding Desired Configuration Monitoring the Baselines and Compliance Summary Best Practices
221 221 223 227 228 228 234 235 243 245 246 247 247 252 253 253
Operations Manager Design and Planning
257
Explaining How OpsMgr Works OpsMgr Architecture Components Securing OpsMgr Fault Tolerance and Disaster Recovery Understanding OpsMgr Component Requirements OpsMgr Design Considerations Putting It All Together in a Design Planning an Operations Manager Deployment Summary Best Practices
25 7 262 278 283 289 295 302 312 320 320
Operations Manager Implementation and Administration
323
Installing Operations Manager 2007 R2 Deploying OpsMgr Agents Monitoring DMZ Servers with Certificates Configuring Operations Manager 2007 R2 Administering Operations Manager 2007 R2 Backing Up OpsMgr 2007 R2 Summary Best Practices
324 343 352 358 368 378 385 385
Using Operations Manager for Monitoring and Alerting
387
Using OpsMgr Consoles Administering OpsMgr
388 392
Contents
9
10
11
vii
Working with Management Packs Exploring the Operations Manager Management Pack Exploring the Windows Management Pack Exploring the Active Directory Management Pack Exploring the Exchange 2007 Management Pack Exploring the SQL Server Management Pack Exploring the Cross Platform Management Packs Management Pack Templates Custom Management Packs Distributed Application Monitoring Exploring SNMP Device Monitoring Summary Best Practices
399 408 415 423 438 454 461 468 480 486 489 492 493
Using Operations Manager for Operations and Security Reporting
495
Reporting from OpsMgr Generating and Scheduling Reports OpsMgr 2007 R2 Maintenance Reports Audit Collection Services Reporting Service Level Tracking Service Level Dashboards Summary Best Practices
496 498 513 522 529 534 541 541
Data Protection Manager 2010 Design, Planning, Implementation, and Administration
543
What Is System Center Data Protection Manager? Data Protection Manager Background Data Protection Manager Prerequisites Planning a Data Protection Manager Deployment Deploying Data Protection Manager Administrating Data Protection Manager Summary Best Practices
544 548 552 553 559 575 582 582
Using Data Protection Manager 2010 to Protect File Systems, Exchange, SQL, and SharePoint
583
Protecting Protecting Protecting Protecting Protecting
584 586 588 598 605
File Servers System State Exchange Servers SQL Servers SharePoint Farms
viii
Microsoft System Center Enterprise Suite Unleashed
12
13
14
15
Protecting Virtualized Environments Integrating Data Protection Manager with Operations Manager Summary Best Practices
615 620 625 625
Virtual Machine Manager 2008 R2 Design, Planning, and Implementation
627
What Is Virtual Machine Manager? Virtual Machine Manager Background Virtual Machine Manager Prerequisites Planning a Virtual Machine Manager Deployment Deploying Virtual Machine Manager Summary Best Practices
627 637 640 644 649 661 662
Managing a Hyper-V Environment with Virtual Machine Manager 2008 R2
665
Using the VMM Management Interfaces Understanding Virtual Machine Conversions Managing VMM User Roles Deploying Virtual Machines Migrating Virtual Machines Summary Best Practices
666 671 684 692 699 705 705
Service Manager 2010 Design, Planning, and Implementation
709
Explaining How Service Manager Works Service Manager Design Parameters Putting It All Together in a Service Manager Design Planning a Service Manager Deployment Deploying Service Manager Deploying Service Manager Connectors Backing Up Service Manager 2010 Summary Best Practices
710 714 719 726 735 746 753 756 757
Using Service Manager 2010 for Incident Tracking and Help Desk Support
759
Incidents and Problems Configuring Incident Settings Service Manager Notifications Creating New Incidents
759 761 770 775
Contents
16
17
18
vii
Working with Incidents Configuring Problem Settings Working with Problems Incident and Problem Reports Summary Best Practices
783 793 796 799 806 806
Using Service Manager 2010 Change-Control Management
809
Change Requests and Activities Configuring Change Settings Change Management Templates and Workflows Initiating Change Requests Working with and Approving Change Requests Implementing Change Requests Managing Configuration Items Change, Activity, and Configuration Management Reports Summary Best Practices
810 811 814 817 822 828 835 838 843 844
Using System Center Capacity Planner for Predeployment Planning
845
What Is System Center Capacity Planner? System Center Capacity Planner Features System Center Capacity Planner Background System Center Capacity Planner Prerequisites Installing System Center Capacity Planner Creating a Capacity Model Summary Best Practices
846 847 847 848 849 850 864 864
Using Mobile Device Manager to Manage Mobile Devices
865
Why Mobile Management? Background of Mobile Device Manager Planning and Designing the Implementation of MDM Prerequisites for Mobile Device Manager 2008 SP1 Installing System Center Mobile Device Manager Self-Service Tasks with Mobile Device Manager Device Management Tasks with Mobile Device Manager Policy-Based Tasks with Mobile Device Manager Mobility Access Controls Using Mobile Device Manager Adding Exchange and Configuration Manager to an MDM Rollout Summary Best Practices
865 868 870 875 876 886 889 898 903 904 909 910
X
viii Microsoft System Center Enterprise Suite Unleashed
19
Using System Center Essentials for Midsized Organizations
911
What Is System Center Essentials? Background of the System Center Essentials Product System Center Essentials 2010 Prerequisites Installing System Center Essentials 2010 on a Single Server Installing System Center Essentials 2010 on Separate Servers Getting Familiar with the SCE 2010 Management Console Performing Computer and Device Discovery Checking the Monitored Status of a Server and Application Using Remote Assist and Remote Desktop Using Essentials for Patching and Updating Systems Creating Packages to Push Out New Software Inventorying Systems Using System Center Essentials Authoring an Agent to Monitor a Custom Website Using the Virtualization Management Features of Essentials Generating Reports Out of Essentials Installing Agents on Target Systems Troubleshooting Common Problems in SCE Regular (Every 2-3 Days) Tasks an Administrator Should Perform Weekly Tasks an Administrator Should Perform Monthly Tasks an Administrator Should Perform Summary Best Practices Index
911 913 917 920 929 930 937 941 947 951 95 7 960 961 965 972 973 978 981 982 983 984 984
About the Authors Chris Amaris, MCSE, CISSP/ISSAP, CHS III, is the chief technology officer and cofounder of Convergent Computing. He has more than 20 years experience consulting for Fortune 500 companies, leading companies in the technology selection, design, planning, and implementation of complex information technology projects. Chris has worked with Microsoft System Center products such as Operations Manager and Configuration Manager since their original releases in 2000 and 1994. He specializes in messaging, security, performance tuning, systems management, and migration. A Certified Information Systems Security Professional (CISSP) with an Information System Security Architecture Professional (ISSAP) concentration, Certified Homeland Security (CHS III), Windows 2003 MCSE, Novell CNE, Banyan CBE, and a Certified Project Manager, Chris is also an author and technical editor for a number of IT books, including Network Security for Government and Corporate Executives, Exchange 2010 Unleashed, and Microsoft Windows Server 2008 R2 Unleashed. Chris presents on messaging, systems management, security, and information technology topics worldwide. Tyson Kopczynski, CISSP, GCIH, with more than ten years of experience in IT, has become a specialist in Active Directory, information assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 R2 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson works with and has provided feedback for next generation Microsoft technologies since their inception and has also played a key role in expanding the automation and security practices at Convergent Computing. Tyson also holds such certifications as the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC), SANS Certified Incident Handler (GCIH), and the Application Platform, Active Directory, and Network Infrastructure (MCTS). Alec Minty, MCSE, is a senior engineer for a large Internet company in the San Francisco Bay area. He has more than 10 years' industry experience with extensive knowledge designing and implementing enterprise-class solutions for a diverse array of organizations. Alec has been an early adopter of database technologies, operations management, systems management, and security technologies. He specializes in designing, implementing, migrating, and supporting complex infrastructures for a variety of large utility, telecommunications, and engineering organizations. Alec's experience spans the business and technology areas; he has in-depth experience in the deployment, migration, and integration of key business technologies such as SQL Server, Windows, Exchange Server, Active Directory, ISA, and Identity Management. Alec is coauthor of SQL Server 2005 Management
viii
Microsoft System Center Enterprise Suite Unleashed
and Administration and MOM 200S Unleashed and is a contributing author on Exchange Server 2007 Unleashed and ISA 2004 Unleashed, all published by Sams Publishing. Rand H. Morimoto, Ph.D., MVP, MCITP, CISSP, has been in the computer industry for more than 30 years and has authored, coauthored, or been a contributing writer for dozens of books on Windows, Security Exchange Server, BizTalk, and Remote and Mobile Computing. Rand is the president of Convergent Computing, an IT-consulting firm in the San Francisco Bay area that has been one of the key early adopter program partners with Microsoft, implementing the latest Microsoft technologies including Microsoft Windows Server 2008 R2, System Center Service Manager 2010, Windows 7, Exchange Server 2010, and SharePoint 2010 in production environments more than 18 months before the initial product releases.
Dedication I dedicate this book to my lovely wife, Sophia, whose love and support I cherish. And to my children, Michelle, Megan, Zoe, Zachary, and Ian, for whose sake all the hard work is worthwhile. I also want to dedicate the book to my late father, Jairo Amaris, who taught me to think on many different levels. —Chris Amaris, MCSE, MVP, CISSP/ISSAP, CHS III
I dedicate this book to the world's greatest hiking companion, my golden retriever Madison. Here's to climbing many peaks in the Japanese Alps this summer. Oh, and I can't forget to thank my wife (Maiko). Thanks for putting up with me writing these books. —Tyson Kopczynski, CISSP, GCIH
I dedicate this book to Rand Morimoto, Chris Amaris, Matt Morgensen, Thinh Luu, Vic Chapman, and Rob Fry. Thanks for all your help while writing this book. I also dedicate this book to my beautiful wife Sonia and my father David Minty. Way to beat cancer, Dad! —Alec Minty, MCSE
I dedicate this book to my brother Bruce, as I see the sibling rivalry between Kelly and Chip just as you and I had growing up as kids. You were always there for me, giving me guidance and helping me be who I am today. Thanks, bro! —Rand H. Morimoto, Ph.D., MVP, MCITP, CISSP
I dedicate this book to Elias Hill, a colleague and friend who always reminds me of the value of excellence for its own sake and of the need to find fun and humor at work. —Guy Yardeni, MCSE, MCITP, CISSP
Acknowledgments Chris Amaris, MCSE, MVP, CISSP I want to thank Rand for making it possible to get this book written. You provided guidance over the many years as we developed expertise in the System Center technologies and support with the multitude of clients where we deployed the technologies. Without that, it would have been very difficult to develop the knowledge that we've poured into the book. And I'd also like to thank Rand for agreeing to lead the project, taking on the difficult labor of making sure we got the book out in a very short timeline. Without your steady hand, this book would have never made those deadlines. And on top of all that, you found the time to write key chapters in the book as well. I don't know how you do it! And, finally, I cannot thank my family enough. Sophia, thank you for patiently supporting me through all the long hours of writing and lab work. Michelle, Megan, Zoe, Zachary, and Ian, thank you for putting up with my short temper while writing and still getting those good marks in school when I couldn't be there to help out.
Tyson Kopczynski, CISSP, GCIH Many thanks to Rand, Chris, and Alec for allowing me to be part of the team on this book. As always, it feels great to get another one under the belt. I would also like to thank all those great people out there in technology land. If it weren't for all of you, things would really be boring. Thanks to your hard work and dedication, I'm continuously challenged to learn and understand new and exciting technologies. If I was rich, I would buy you all a cold frosty beer.
Alec Minty, MCSE Thanks, Rand and Chris for the opportunity to work with you both again on another book. I had a tremendous amount of fun writing this one. Also wanted to thank the guys in my department, Matt, Thinh, Vic, Rob; you guys rock! You took on a ton of extra work so I could focus on writing, and I really appreciate it. Finally, a special thanks to my wife Sonia. I'm done for a little while; we can go outside now.
Rand H. Morimoto, Ph.D., MVP, MCITP, CISSP Congratulations to Chris for getting a System Center title out the door, especially one with this much coverage of the suite! I know how much of a passion you have for systems management; it was a pleasure collaborating with you on this title! I want to thank the team at Sams Publishing for turning this book around in record time, from contract to on store shelves in three and a half months, an amazing team effort! Thank you Neil, Mark, Betsy, and all the folks behind the scenes in making this happen! And my thanks to Karen Annett, my favorite copy editor!
Acknowledgments
xv
I also wanted to thank the consultants at Convergent Computing and our early adopter clients who fiddle with these new technologies really early on and then take the leap of faith in putting the products into production to experience (and at times feel the pain) as we work through best practices. The early adopter experiences give us the knowledge, based on the lessons learned, we need to share with all who use this book as their guide to their production environments. To Kelly and Chip: All right, so in my last book acknowledgement, I said that, after two 1300+ page books back to back in seven months, I was "done" with writing for a little while. Blame it on Mr. Chris.... I think "now" you might find me in bed at night instead of at the kitchen table writing at the wee hours of the morning. I just need to stop volunteering to write these books one after another. And thanks, Mom, for all your love and support through the years!
We Want to Hear from You! As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way. You can email or write me directly to let me know what you did or didn't like about this book—as well as what we can do to make our books stronger. Please note that I cannot help you with technical problems related to the topic of this book, and that due to the high volume of mail I receive, I might not be able to reply to every message. When you write, please be sure to include this book's title and author as well as your name and phone or email address. I will carefully review your comments and share them with the author and editors who worked on the book. E-mail:
[email protected]
Mail:
Neil Rowe Executive Editor Sams Publishing 800 East 96th Street Indianapolis, IN 46240 USA
Reader Services Visit our website and register this book at informit.com/register for convenient access to any updates, downloads, or errata that might be available for this book.
Introduction T h e System Center family of products from Microsoft has undergone quite the evolution over the past decade, with some products purchased through acquisitions, to other products evolving from earlier releases that didn't work all that well, to what is now a very broadly deployed management suite of products. In 2009, the System Center products crossed that magical $l-billion mark in revenues for Microsoft that signifies a product line has "made it" among the mass of products churned out of Redmond, Washington, every This book covers real-world experiences with the System Center products, not like a "product guide" simply with step-by-step installation and feature configurations, but with real-world notes, tips, tricks, best practices, and lessons learned in the design, planning, implementation, migration, administration, management, and support of the System Center technologies based on years of early adopter and enterprise production deployments. The 19 chapters of this book are written to highlight the most important aspects of the technologies that make up the System Center family of products. To combine the products into groups of technologies, this book covers the following: • Introduction—The first chapter of this book provides an introduction to the System Center family of products, what they are, what they do, and what business and IT challenges they solve. The introduction paints the picture of what the rest of the book will cover and how you as the reader can jump to those sections of the book most important to you in your day-to-day IT management tasks. • System Center Configuration Manager 2007—The first product covered in this book is the System Center Configuration Manager 2007 (SCCM) product, which is a product that has come a long way in the past decade. The earlier releases of Configuration Manager went by the name SMS, or Systems Management Server, which was known to take full-time personnel to manage the management system. However, now easily three to four generations later, SCCM with its latest R2 and service pack has really helped organizations with the patching, updating, imaging, reporting, and compliance management of their client and server systems. The four chapters in this book that cover SCCM address the planning and design process of implementing SCCM in an enterprise, the implementation of the product, and, more important, how administers use SCCM to image, update, manage, and support the servers and client systems in their environment. • System Center Operations Manager 2007—The second product covered in this book is the System Center Operations Manager 2007 (SCOM) product, which provides monitoring and alerting on servers and client systems. Rather than waiting for users to alert the help desk that a server is down, SCOM proactively monitors systems and provides alerts before systems fail, plus it logs error events and system
viii Microsoft
System
Center
Enterprise
Suite
Unleashed
issues to help organizations address system problems—usually before they occur. The chapters dedicated to SCOM cover the planning and design of SCOM, the rollout and implementation of servers and monitoring agents, and the best practices on how to understand errors and alerts that allow IT administrators to be more proactive in managing their servers and the systems in their environment. • System Center Data Protection Manager 2010—System Center Data Protection Manager 2010 (DPM) is a relatively new addition to the Microsoft management family of products. As traditional tape backups have been replaced by digital snapshots and digital data backups of information, DPM provides organizations the ability to have backup copies of their data. DPM incrementally backs up information from servers so that instead of backing up information once a night, DPM makes backups all day long for faster backup times and more granular recovery windows. This book covers the planning, design, implementation, and general recovery process of file systems, Microsoft Exchange, SharePoint Server, and SQL using DPM 2010. • System Center Virtual Machine Manager 2008—In the past couple of years, visualization has gone from something that was only done in test labs to data centers that are now fully virtualized—enabling organizations to have more than one server session running on a physical server system, and sometimes upward of 10 or 20 server sessions running on a single system. With the huge growth in virtualization in the data center, Microsoft released three major updates to the System Center Virtual Machine Manager (VMM) product in two years to address the needs of the enterprise. The two chapters dedicated to VMM go beyond the installation and setup of VMM 2008, and get into core components of the product that help organizations manage virtual guest sessions running on both Microsoft Hyper-V virtualization as well as VMware, and also how to convert physical servers to virtual servers (P2V), delegate the ability to administer and manage guest sessions, and the ability to share virtual host resources with users and administrators in the enterprise. • System Center Service Manager 2010—After more than five years in development and many many months in production deployment to fine-tune the product, Microsoft now has a help desk/incident management/asset life-cycle management/change management product called System Center Service Manager 2010 (SCSM). Being involved with the development of SCSM from its inception, the authors of this book have shared years of experience, tips, best practices, and lessons learned in the deployment, information tracking, reporting, and support of the SCSM product. SCSM brings together the information gathering, reporting, alerting, and knowledge-base information in the other System Center products into a single product that will help organizations better manage their IT infrastructures. • System Center Capacity Planner—System Center Capacity Planner (SCCP) is not one of the products that organizations hear much about compared with the mainstream products like SCCM, SCOM, DPM, and VMM; however, SCCP adds a lot of value to an organization looking for a comprehensive set of tools to manage their environment. SCCP monitors the state of running systems as well as models the
Introduction
3
planned operations of a future environment and provides IT architects and designers the information they need to properly size, procure, and deploy systems with the appropriate capacity needed to meet the needs of the organization. A single chapter is dedicated to SCCP and is content that is intended to help IT professionals better leverage a tool that is part of the System Center family of products. • System Center Mobile Device Manager—System Center Mobile Device Manager (MDM) was just a simple plug-in tool a few years ago that helped organizations inventory and manage their mobile devices. With the growth in sophistication of the mobile phone—with business applications installed on the mobile devices along with the proliferation of phones where some users use their mobile phone as their primary "client device"—the need to manage the mobile devices becomes ever so important for an organization. The chapter in this book dedicated to MDM covers how to use MDM to asset track, remotely secure, patch and update, and support mobile devices in the enterprise. • System Center Essentials 2010—The final chapter in this book covers the System Center Essentials 2010 (SCE) product, which is an all-in-one version of the product intended for organizations with fewer than 500 users and 50 servers. Rather than buying and implementing SCCM, SCOM, and VMM as separate individual products for a small or medium enterprise, SCE allows an organization to take advantage of the key components of the full-blown System Center products, but with much better ease as SCE leverages wizards, autoconfiguration components, and other features to simplify the management tasks of a smaller enterprise. It is our hope that the real-world experience we have had in working with the entire System Center family of products and our commitment to relaying to you information that will be valuable in your planning, implementation, operation, and administration of System Center in your enterprise will help you more quickly gain and receive benefits from these managements tools from Microsoft!
CHAPTER
1
Introduction to the System Center Suite System Center, which is licensed either individually or as a bundled suite, is a series of tools that help organizations manage their servers, client systems, and applications to be more proactive in responding to the needs of the IT data center. In fact, the name System Center actually didn't come about until just a few years ago; prior to that, the products were all sold separately. Like with many families or suites of products, the first rendition of the suite is nothing more than a bunch of disparate products bundled together under a common brand name, but really have no integration in working together. System Center was no different—with the first couple of years of the product line being nothing more than name and branding. Today however—three to four years and two to three versions later—the System Center products actually do work better together and an IT organization can leverage information in the various System Center components more easily and for a common benefit. This chapter introduces the System Center family of products, what the components are, and how the balance of the chapters in this book provide tips, tricks, best practices, and guidance on how to best leverage System Center in the enterprise.
What Is System Center? As mentioned at the start of this chapter, System Center is a family or suite of management tools from Microsoft; being a family of tools, you don't go out and buy Quantity 1 of
IN T H I S C H A P T E R •
What Is System Center?
•
Understanding System Center Configuration Manager
•
Understanding System Center Operations Manager
•
Understanding System Center Data Protection Manager
•
Understanding System Center Virtual Machine Manager
•
Understanding System Center Service Manager
•
Understanding System Center Capacity Planner
•
Understanding System Center Mobile Device Manager
•
Understanding System Center Essentials
•
Understanding System Center Licensing
6
CHAPTER 1
Introduction to the System Center Suite
System Center. Rather, you choose to buy an individual System Center component like System Center Configuration Manager 2007 for patching and updating systems, or you buy a licensed bundle of the main four products that Microsoft calls the System Center Management Suite and separately download and install additional System Center components that are outside of the licensed bundle for even more functionality. More details on the software licensing of the System Center products can be found in the section "Understanding System Center Licensing" later in this chapter.
Systems Management in the Enterprise For years, IT departments have struggled with managing their servers and client systems, and hundreds of companies have arisen that provide tools for patching computer systems, imaging workstations, pushing out new software, monitoring servers and network devices, and backing up systems. However, over the years, organizations have found that each individual product would require a separate server, a separate set of policies or rules setup, a separate agent to be installed on the computer system, and a separate set of tasks to inventory the systems all doing similar things. With several different products installed on a system and no real sharing of information between the management agents and tools, enterprise systems management has been quite a clumsy process. As an example, an organization would inventory its systems for asset tracking with one product to keep track of corporate assets. With a separate product, the organization would put an image onto its system. Yet another product would be used to patch and update the system. Another product would monitor the system and alert the administrators of a problem; this monitoring program would typically have to inventory the system to know what hardware and software it is monitoring and managing. The organization would have yet a completely different product to track help desk calls and problem tickets, in some cases capturing asset information from one of the other two tools mentioned earlier in this paragraph, but frequently the help desk tool would have its own management components to remotely control and support the user and system. Finally, the organization would have a separate product to back up data on the system, plus yet another separate product to provide security management of the system for security policies and controls. With all this going on for just a single system, there's no wonder why systems management has been a dirty word in the computer industry. Everyone knows they need to do something about it, but when you try to do something about it by going out and getting the best-of-breed product from each vendor in the industry, you have 5 or 10 different products all vying to do some type of management of the system. Naturally, with that many different products doing different but similar things, changes made by one of the 5 or 10 products frequently would cause problems with one of the other components— setting the organization's systems management efforts back a step at a time. Five to eight years ago, Microsoft provided tools for systems to do patching, monitoring, asset inventory, backup, and the like, but no better than the 5 to 10 separate vendor products, Microsoft tools were all separately installed, configured, and managed. Microsoft Systems Management Server (SMS) has a bad name in the industry for old-timers who tried to use the system years ago as even within this tool itself, it installed several separate agents on a computer to try to "help" the system monitor and manage updates, software
What Is System Center?
7
installation, inventory tracking, and remote control, with the SMS components themselves frequently conflicting and causing system problems. Roll forward several years, and Microsoft combined all of their products under a single brand called System Center and has spent the past half of a decade getting the products to work together. Three or four generations later under the System Center brand, Microsoft now has tools that work together so an organization that buys a suite license isn't just buying a bundle of separate products, but a family of products that work together. The whole premise of this book is how organizations can deploy the separate System Center components and then ultimately tie them together so that there is a coordinated effort from cradle to grave on a system that can be imaged, deployed, patched, updated, maintained, supported, and retired under a common management process. It's the full life cycle of a server or client system that is addressed in this book.
System Center Family of Products In looking at the cradle-to-grave life cycle, how the System Center products fit in, and how the various chapters in this book cover the topics, the family of products are as follows: • System Center Configuration Manager—System Center Configuration Manager (SCCM) starts with the ability of imaging or laying down the base operating system on a server or client system based on specific organizational guidelines for configurations. Once the operating system has been installed, SCCM continually patches and updates the system as well as provides the ability to push out new software to the system, also based on specific templates and guideline configurations. SCCM keeps track of system inventory provides remote-control capabilities, and provides IT administrators the ability to ensure the system configuration is maintained in a common configuration. • System Center Operations Manager—Once SCCM lays down the base configuration of the system and keeps it patched and updated, System Center Operations Manager (SCOM) takes over for monitoring the ongoing health of the system as well as the applications installed on the system. Specific rules are created that track the normal operations of the system, and any time the system falls out of the standards, the organization's IT personnel are notified of the changes. • System Center Data Protection Manager—Although SCCM and SCOM deploy and monitor system operations, there are times when data is corrupted or lost or systems fail and having a backup of the data is crucial. This is where Data Protection Manager (DPM) fits in as it backs up client systems, server file systems, Exchange databases, SharePoint data, or SQL databases on a continuous basis, providing an organization the ability to recover a single lost or corrupted file all the way through restoring a completely dead system. • System Center Virtual Machine Manager—As the industry has shifted from one made up of primarily physical server systems to one where servers are now virtualized in the data center, the Virtual Machine Manager (VMM) product from Microsoft helps organizations manage their virtual systems. In the fully managed scenario, in
8
CHAPTER 1
Introduction to the System Center Suite
the event that SCOM identifies a physical or virtual system is about to fail, it can automatically create a new guest session using SCCM to a Hyper-V or VMware virtual host, build out a brand-new system, and use DPM to automatically restore the latest backup of information all as a scripted disaster recovery process. VMM can also transfer fully running physical servers and transfer the operating system, application, and data to a virtual server in an automated physical-to-virtual (P2V) conversion process. • System Center Service Manager—Although all of the previous tools chug along doing IT-related tasks, such as imaging, patching, monitoring, and backing up, organizations also have a need to manage processes and change control. The System Center Service Manager (SCSM) product is an incident management and changecontrol system that tightly integrates with SCOM, SCCM, and VMM to take alerts, automatically log the problems, take inventory information, and track system configurations so that help desk personnel and support individuals have at their fingertips information they need to support users and application owners in the enterprise. SCSM brings together management policies and processes as the umbrella under which the other System Center tools facilitate day-to-day tasks and procedures. • System Center Capacity Planner—As an organization looks to replace servers and systems, or upgrade and deploy new software applications, the System Center Capacity Planner helps the organization test performance demands on current systems and model the future environment relative to the necessary hardware specifications needed to meet the performance demands of the organization. • System Center Mobile Device Manager—Throughout an enterprise, an organization doesn't have just servers and client workstations, but the proliferation of mobile devices make up the IT landscape. System Center Mobile Device Manager (MDM) integrates with SCCM to provide cradle-to-grave management of mobile devices similar to what SCCM does for servers and client systems, including provisioning, updating, securing, monitoring, and wiping devices in the course of a mobile device's life cycle. • System Center Essentials—Finally, not all enterprises have separate IT groups handling servers, client systems, and applications, such as enterprises with fewer than 500 users and fewer than 50 servers. Microsoft has System Center Essentials that provides key management functions around tracking inventory, patching and updating systems, deploying software, monitoring, and managing virtual systems that helps smaller enterprises meet their management needs in an all-in-one integrated tool. Each of the products have had variations over the years (2003, 2007, 2008, R2, SP1, SP2, 2010, and so on) with each successive version adding more functionality and capabilities than the version before it. The balance of this chapter details each of the System Center products and provides a snapshot of what to expect throughout the chapters of this book.
Understanding System Center Data Protection Manager
9
Understanding System Center Configuration Manager The first product covered in this chapter is the System Center Configuration Manager (SCCM) product shown in Figure 1.1; the current rendition is System Center Configuration Manager 2007 R2 SP2. SCCM is the start of the life cycle that deploys a system's operating system as well as installs the applications onto a server or client system, and then it keeps the system patched and updated all based on common templates the IT department creates to ensure standardization from system to system.
c! Configuration M a n a g e r Contole .J File
Actjwi 0
Vky/
0
Wwvlov* Ö
Hck>
=JjsJ_I
E
¿y System Certer Configuefcion Manager R L j Site Database (STO - SCCM, CwnpanyAOC IIQ) FR 5ilc MaugciiKiiL R L | Computer Mdiiauenieiri. & ^f'ffllffl *X r i « i r i k u « j R « o f t k S • . ^ /l iwirr" Disl nl II il ii a i
Collections
22 Items found
Ig
S
^rfiwrtfff U n t i l r f s
-Í Wl Desktops and Servers
IS
0| iKf ill ii hj Sjrsl Kin FVjili lyiiin il
^ Ail l i m n Systran
**it
i i H frii iij
jj H
Wl mac ( A X Uesfcop xB6-b4 bystems =3? Wl Mac OS X Systems
+ rf". rwilreri r n r i k j r f l t t r i n r>1flnrwj»mprf ®
O
All mac OS X DesVtop PowerPC Systems
S j j j .sppnifing
All Non-Wndows Systems
QiipjIK
Export e j e c t s Update CoBecbo... Import (Jfcjects Distnbute
JV;
I ranker bite be...
^
Advertise Task 5..,
^ All Systems
Network Access Protection
Mew Cclection
-jfr Assign configur...
-i AJI R ml H i ' Fnlnr[ifisn l i u n «¡yslmir.
ffl 0 ' Mobie Device Management [5
4P
-ji' Wl Active C»cct«y Security Groups
S i j J A w l Hi il rJfajn H « r
Collections
r ^ i tissa
Iiifmrt Cxi I i i Fi...
nil User Groups
B L i System Status ffl {jJ? Advertisement Status
^ Wl Users
Instal Non-Wind..,
ffl l i ' j Package status
-i? AJI Windows 2000 Professional Systems
OÍ tribute Non-...
ffl
•jP All Wim kins Tnnn V i w i Sydkiiri.
9te
Status
j i ' btatus Message queries
V1 AJI Windows Motde Devices
becurlty Rights
^ AJI Windows Mofcde Pocket PC 2003 Devices
« Users
^ GvH F hfhfi H L-M k.
Vk5-„ 1 H « t
d l None 1 Ortnef
• 1 CPU-,. 1 -
Q
0-Wlri20Ö3FUxjtfif
Runnrig
hvlCO
Urtra. .
C*
l-Evsnar-K 2C07
Missrg
hvlOO
Unkro. .
0%
| > ) 1-OCS
Running
bvlOO
Urttro. .
0%
l > ; 1-RMS
Runrmg
hv 100
Urtow. .
0%
!.>;:• 1-SP2007
Runnrig
hvlOO
Urfcno. .
0%
(¥)
Stopped
hvlOO
Uriiro .
0%
Running
WINS—
Urtm), .
0%
•
1-VEta Off2D03
3Zn n Items
connected to SCSM2010
FIGURE 1 . 1 2
System Center Service Manager console.
Business Solutions Addressed by System Center Service Manager System Center Service Manager 2010 consolidates reports from client, server, physical, and virtual environments into a single reporting repository. SCSM allows an organization to leverage its investment in one System Center product into other System Center products. With the need to have formalized structure in change management, incident management, and reporting, SCSM leverages ITIL practices and procedures for an organization. Even being ITIL based, organizations that don't have a formal management practice can begin developing one based on the built-in processes in SCSM 2010. Also important to organizations is managing and maintaining change-control processes so that network administrators don't patch or update systems in the middle of the day and
34
CHAPTER 1
Introduction to the System Center Suite
accidentally bring down servers in the process. Or, as updates are needed on servers, rather than doing them one at a time, a maintenance window can be created where all updates are applied to a system at the same time. This managed change-control and maintenance process is something that SCSM 2010 helps to maintain and manage. SCSM 2010 improves the integration between existing investments in System Center products, including inventory information, error reports, reporting details, and the like rolled up to SCSM for centralized information access and report generation.
Major Features of System Center Service Manager System Center Service Manager is a very extensive product covering information reporting and management; some of the major features in the product are as follows: • Incident management—Incident management is probably better known as a "help desk"; however, beyond just taking in problem reports and processing the problem reports from users, SCSM ties into the System Center Operations Manager product so that errors and events coming off servers and workstations automatically trigger incident events in SCSM. Additionally, users can submit problem tickets or incidents whether through a console screen or by submitting the request via email or even text message that enters the incident management system where help desk or IT staff can provide support and assistance. The incident management system in SCSM, as shown in Figure 1.13, provides the ability to have problems or incidents easily submitted to the organization's IT support personnel. • Change control—Built in to SCSM 2010 is a change-control monitoring and management system. Change control leverages a workflow process where a change request is submitted, and a workflow routes the change request to key personnel who need to review and approve the change to be performed. Beyond just a workflow approval process, SCSM 2010 tracks that change control, logs the change, monitors and manages the change, and keeps a running record of the change so that if problems occur in the future on the system, the information about all historical updates and changes are tracked and available for the administrators to see. • Consolidated reporting—SCSM 2010 collects information from other Microsoft System Center products as well as creates connectors and links to the databases in other System Center products for consolidated reporting. Rather than having each individual database store isolated information, data from multiple sources can be viewed and analyzed to help make decisions about the operation, maintenance, and support of the environment. • Self-service access—Rather than simply a help desk submission system, the self-service access feature in SCSM 2010 allows a user to search the knowledge base to see if anyone else in the organization has had the same problem and, if so, what the fix was to the problem. Many users would rather fix a problem themselves if the fix is
Understanding System Center Data Protection Manager
Eg
35
- ¿t>J¡
fila View
Go
Took
lades Worit Items
•
Work Items
»
Inodert Managernsnt
ESSSSBmSm *
( t ) Work Items
*
a AdMty Management
Incident Management
Q Change Management
This folder contains all Incident Management views
Incident Management a CreaieFoifler
Q Al change ReqL«f • Change
Requests;
Create Incident
Folders (1)
¡V] Create v * *
Q Change Requests:
•
Q Change Requests:
jil
"í Incident Support Group This fclder contains all Incident Vanaae
Q Change Requests: Q Change Requests:
0 Incident IR4 • Problem Acccss'mg I n t r a n e t trom Itomr Office
Q Change Requests; en Chns Amans Contact mfo: (415) 555-0105
Ol Change Requests: Q Change Rsjuesa :
Created on: 12/13/20® 7:23:15 PM Resolve Sr-
Time .verted
Sí -ll
"" v j I
f lr t - 5 - i n .í w « r t r .jener«I f?f
üv.'ities
Platea
FesülOisn
Histn,
Administration
Incident Information
El
Alternóte Contact Method: J CEtfc Arnaris
., |
f
• Configuration Items I Problem Accessing Intranet from Home Office Connected ta 5C5N2D1Ü
FIGURE 1 . 1 3
Incident management within SCSM.
known and works, and as such, SCSM tracks the problem tickets and solutions of previous fixes on systems and databases. The problems and solutions can be queried by the IT staff or by end users to share the knowledge and experiences of previous service requests.
Background on System Center Service Manager System Center Service Manager 2010 is the first version of this product released to the public; however, internally, this product has been five years in the making. The product effectively had its version 1.0 release several years ago as a SharePoint-based tool, which was called System Center Service Desk at the time that Microsoft released it in beta to a limited number of organizations. Although the feedback was very positive on the feature sets, because it was based on SharePoint (2003 at the time), the product did not fit into the mold of other System Center products at the time, such as the robust management consoles found in System Center Configuration Manager or Operations Manager. Microsoft went back to the drawing board and released a new version of System Center Service Manager, this time with the same management interface found in other System Center products. This release, probably dubbed v2.0 of the product, was limited to just help desk-type incident management and reporting at a time when all other management
36
CHAPTER 1
Introduction to the System Center Suite
tools in the industry had evolved to support more than just trouble tickets, but to really address fully formed ITIL-based change-control and incident management systems. Not ready yet for release, Microsoft spent another couple of years adding more functions to the Service Manager product to get it at par with what other service management tools on the marketplace included. With the release of System Center Service Manager 2010, the product is probably like a v3.0 or v4.0 of the product, with years of development, redevelopment, and updates before its formal debut.
What to Expect in the System Center Service Manager Chapters In this book, three chapters are dedicated to the System Center Service Manager 2010 product. These chapters are as follows: • Chapter 14, "Service Manager 2010 Design, Planning, and Implementation"— This chapter covers the architectural design, server placement, and planning of the deployment of System Center Service Manager 2010 in the enterprise. The chapter addresses where to place management console servers as well as self-service portals for users to access, submit, and get responses back from the SCSM system. This chapter also covers the integration of SCSM 2010 into other System Center products as well as the integration of SCSM into Active Directory. • Chapter 15, "Using Service Manager 2010 for Incident Tracking and Help Desk Support"—Chapter 15 drills down into incident tracking and help desk support features in SCSM 2010 on how to configure the tracking system as well as how IT personnel and users interact with the tracking and incident management system. This chapter also covers the self-service features and capabilities built in to System Center Service Manager 2010. • Chapter 16, "Using Service Manager 2010 Change-Control Management"— Chapter 16 details the change management control process where information comes in from System Center Operations Manager as well as from users and administrators to be managed and processed. This includes the workflow process, the integration of the workflow into day-to-day systems management, and the scheduled maintenance and update process key to a managed change-control system. System Center Service Manager 2010 brings together the various System Center products into a single tool that helps IT organizations manage problems or incidents in their environment. Jump to Chapters 14 through 16 of this book for specific information and deployment and configuration guidance on how SCSM can be best leveraged in your enterprise.
Understanding System Center Capacity Planner
37
Understanding System Center Capacity Planner Not formally included in the licensing of the System Center suite, System Center Capacity Planner 2007 is a tool that helps organizations run models for determining the size and system requirements for products like Microsoft Exchange and others. By entering the number of users, the amount of messages sent and received, the number of sites, and the workload of communications traffic, SCCP helps IT architects and designers map out a design and plan for servers to host applications in their environment. The System Center Capacity Planner 2007 main screen, shown in Figure 1.14, provides the main console for launching capacity assessments. K
S y s t e m C e n t e r Capacity Planner 2007 - Fxchange S e r v e r 2DO/ Fie O
Go (2
_
ff
x|
Help —/
-iJ
Run simulation -
Microsoft'
System Center Capacity Planner2007
Capacity Models
i 1 Leam Abo
Use t+>e mode! wteard to create a n e w rapsrty model. Use t h e m o d e l editor t o r e v * w o r change a n e x i s t n g caoacity m o d e l | Exchange Server 2 0 0 7
SCCP 2 0 0 7 User SCCP 20117 Re le.
jJ
Q Create a n e w Capacity Model Q
Review or e d i t an existing Capacity Model Online
jJ
Hardware Configurations Use t h e hardware edit o r t o review a n d define configurations f o r c o m p u t e r s and devices. Q
FIGURE 1 . 1 4
Re?
Syst* m Center C
.
S y s t e m Center < View A p p l i c a t o r
Review or e d i t H a r d w a r e Configurations
System Center Capacity Planner main screen.
Business Solutions Addressed by System Center Capacity Planner System Center Capacity Planner is used to proactively (rather than reactively) size and scale servers for applications. Rather than building out servers based on a guess and then having to add more RAM, disk space, or CPU to the configuration to support the number of users or the amount of traffic/system demand of the users, Capacity Planner 2007 generates a model that suggests the type of system configurations and network bandwidth utilization anticipated in a system rollout. Even for organizations that have already rolled out something like Exchange Server 2007 that might be facing sluggish performance or users complaining they are getting responsetime errors, a model can be run based on actual user data to determine what SCCP suggests the servers should have in terms of performance and capacity.
38
CHAPTER 1
Introduction to the System Center Suite
SCCP can be used either proactively during the planning process or reactively after performance problems are experienced to determine what might be appropriate for an environment in terms of system configuration.
Major Features of System Center Capacity Planner The System Center Capacity Planner tool has a number of built-in features and functions for performance and capacity modeling; some of the major features in the product are as follows: • Performance assessment modeling—System Center Capacity Planner 2007 allows for information about an environment to be input into the system with a model simulation to be run to confirm the anticipated performance of the configuration. In the System Center Capacity Planner tool, simulation results are generated and displayed in a report similar to the one shown in Figure 1.15.
j.
SrHlnu f r t i l i T Tii|Mi:ily PLimirr 7 0 0 7 - Fu IMIIIJH S e r v i r Í(H17 go
HeJ|
a
J jJ
-J* Run anulefcon
Simulation Resulta • Results Summary Servers utitration of Utitzatton of Utilization of Utieation of connections U t t a t i o n of rrmnecticwis
Results Summary ^
Bottleneck analysis
Highest storage space utilization
CPU storage I / O storage space LAN
'IIIIII
SAN
Clients Utieation of client connections Latcncy by transaction Latcncy by site SANs Utilization of storage I / O Utilization of storage space utilization of SAN cunrietlicms
WANs Model Editor Simulation Results Haiti wait* Editen
FIGURE 1 . 1 5
Devices and Connections
Storage Devices
iQ Longest transactions (sec)
Q
Highest U ' U utilization
LQH\OWA Create Meeting
1.768
SFO\Maibox 5erver\CPUfs)
L U f f t U W A Send Message
lMl/
LON\Maibox s e r v c r \ U ' U { s )
LON\Outlook Anywhere Send Message
1.510
SF0\Ctent Access Server Z\CPU(
WDC\Otilluok (Cached) Send Meisdye
1.473
SFO\Cieiil A l l b ü Servei 1\CPU
ujinieUed within a stow i_n unreliable rielwurk boundary; ^
Do not r u i program
^
Dunrikidd uinlent fruni distiibuLwri [winlarnj r u i Iwjjfly
f"* R u i | i u / > i i i fmin i l k l i l u l i r n j | Mjiitt
Alllow d e r ts to fa1 back to unprotected cictnbuoon pottts v,hen the content is not available on the protected dratribjbon point
< Previous
FIGURE 2 . 9
||
wext >
|
hnish
)
cancel
Distribution options.
The advertisement allows the administration to specify distribution characteristics depending on the configuration of the site boundaries. For example, if you configure a site boundary as "slow or unreliable" and then configure the package to not run when the
96
CHAPTER 2
System Center Configuration Manager 2 0 0 7 R2 Design and Planning
client is connected to a slow or unreliable network boundary, the software will not run on any system that identifies itself as being within this boundary.
Planning Configuration Manager Client Settings The Configuration Manager client that is installed on managed systems is made up of several subcomponents, called agents. Agents are configured using the Client Agents container under the Site Settings container. Computer Client Agent is always enabled; this agent provides core functionality. Computer Client Agent The Computer Client Agent controls core Configuration Manager client functionality. This includes how often the client checks for new policies, how reminders are shown for mandatory assignments, branding configuration, BITS bandwidth control, and client restart options. Advertised Programs Client Agent The Advertised Programs Client Agent controls the software distribution functionality of the Configuration Manager client. This includes the ability to deploy content to systemand user-based targets. In addition, how newly published software is displayed and the countdown prior to having scheduled content executed can be configured. Desired Configuration Management Client Agent The Desired Configuration Management Client Agent defines how often baseline configuration is validated against target systems. The Desired Configuration Management (DCM) component in Configuration Manager is a powerful feature. DCM allows an administrator to create configuration baselines to validate the settings of managed systems. Hardware Inventory Client Agent The Hardware Inventory Client Agent provides access to enable or disable the ability to collect hardware inventory on managed systems. From within the agent, the inventory schedule can be configured, and IDMIF and NOIDMIF file collection can be enabled if necessary. Unlike the Software Inventory Client Agent, the hardware information collected by this agent cannot be extended through the Configuration Manager console. To customize the hardware inventory, it is recommended to make changes to the Configuration .mof and the sms_def .mof files. An example of this is detailed in Chapter 5, "Configuration Manager Asset Management and Reporting." Mobile Device Client Agent The Mobile Device Client Agent controls all mobile device functionality. This includes software and hardware inventory settings, file collection, software distribution settings, and how often the agent polls the Mobile Device Management Point. Network Access Protection Client Agent The Network Access Protection Client Agent configures how often the client health evaluation occurs. If the client does not pass the health test, communication might be blocked based on the NAP enforcement policy.
Configuration Manager Design Considerations
97
Remote Tools Client Agent The Remote Tools Client Agent provides the ability to configure the different aspects of remote tools in the site. This includes the level of access and the user notifications that can be provided or suppressed based on the business requirements. This agent also has the ability to configure the local Remote Desktop and Remote Assistance settings on the managed system. Software Inventory Client Agent The Software Inventory Client Agent provides access to enable or disable the ability to collect file properties on managed systems. From within the agent, the inventory schedule can be configured and the file extensions to search managed systems can be modified. Software Metering Client Agent The Software Metering Client Agent provides access to enable or disable the ability to collect software metering data on managed systems. From within the agent, the inventory schedule can be configured, which controls how often data is sent to the Configuration Manager hierarchy. Software Update Client Agent The Software Update Client Agent is responsible for the core functionality of the Software Updates Client Agent component on the client system. The default scan schedule and the deployment réévaluation schedule can be changed from within the Software Updates Client Agent. These settings control how often the local scans occur. The software updates scan defines how often the client reports compliance information to the Management Point. The scan done by the deployment réévaluation initiates a reinstallation of the patches that were previously installed but are now missing. NOTE The deployment réévaluation simply reruns existing Software Update deployment against the client. If the deployment doesn't have a deadline, or if the deadline for the updates hasn't passed, the client can schedule the installation of the previously removed updates.
Understanding the Data Flow The site settings for each site in the hierarchy can be managed independently. This includes settings to configure the client, such as how often an inventory is run, how clients are discovered, the networks to which the site provides management functionality, Configuration Manager component roles such as Distribution Points and Management Points, and all of the other configuration options found within the Site Management node in the Configuration Manager Administration Console. NOTE Site-specific settings are not replicated down to lower-level primary sites or up to parent sites. To copy site-specific settings, such as the client agent configuration, use the Transfer Site Settings Wizard.
98
CHAPTER 2
System Center Configuration Manager 2007 R2 Design and Planning
Conversely, all of the computer management settings are replicated to child primary sites in the hierarchy. This includes objects such as collections, software distribution packages, software update packages, and all of the other configuration options found within the Computer Management node of the Configuration Manager Administration Console. NOTE When opening a Configuration Manager Administration Console on a lower-level primary child site, a small padlock icon is shown on objects. This indicates the object was created on a parent site and cannot be modified from the lower-level site.
Only the data, such as hardware and software inventory along with client state and component status messages, are replicated up from lower-level primary sites to the parent site. Status messages provide information about the Configuration Manager components. State messages come from managed systems and provide insight as to what the client is doing, such as downloading content or installing updates.
Disk Subsystem Performance The disk performance is a critical factor in the Configuration Manager overall performance. Because of the volume of data that flows from the components into the various databases, data must make it into the databases quickly. However, for usability, console performance is the single most important factor. The console places a significant load on the server, primarily reading the data from the Configuration Manager database. If this read access is slow, console performance will be impacted and users will be dissatisfied with Configuration Manager.
Choosing Between SAN and DAS One of the common points of contention is what storage systems to use when deploying Configuration Manager. The two main contenders are a storage area network (SAN) disk subsystem and a direct attached storage (DAS) disk subsystem. The SAN is typically a switched-based, fiber-channel fabric and a large array of disks, which is managed by a dedicated storage team. The SAN provides high reliability and high performance, but also high cost. The DAS is a RAID subsystem of disks that are directly attached to the servers. Depending on the RAID configuration, this can have high reliability and high performance, but costs less than a SAN. Choosing between SAN and DAS can be tough, as there are competing claims as to which subsystem actually performs better. Consider the following three important performance measures when deciding on a disk subsystem: • I/Os Per Second (IOps)—This indicates how many I/O requests can be handled in a second. This measure is impacted by the size of the requests, with larger requests reducing the number of requests that the system can handle in a second.
Configuration Manager Design Considerations
99
• I/O Latency (Latency)—This indicates how long it takes to handle a given request. This measure is also impacted by the size of the requests, with larger requests increasing the latency. • Megabytes Per Second (MBps)—This indicates how many megabytes of data can be handled in a second. This measure is also impacted by the size of the requests, but larger requests actually increase the amount of data that can be handled (which is a good thing). For small data transfers, the IOps and Latency are the critical measures. For large data transfers, the MBps is the critical measure. The Site Database accesses are all large data transfers usually put into the database in batches through the SMS Provider, so the MBps measurement is the critical measure for the performance and scalability of the system. SQL uses 8KB pages, leading to random and sequential 8KB I/O on the disks that host the databases, which are relatively large data requests. In general, a SAN provides better performance than a DAS. This is especially true for large, block-level data transfers, which is what the SQL database will be doing. The SAN provides a faster data transfer due to the higher MBps. In general, most Configuration Manager database servers operate appropriately with DAS disk subsystems. NOTE The configuration of the SAN and the DAS can dramatically affect the performance of the two disk subsystems. For example, a DAS subsystem with six controllers, RAID 1+0, and a separate channel and disks for each set of databases and logs outperforms a standard SAN. However, for most implementations, the SAN is going to be the better bet for performance.
If using DAS, the design of the DAS is critical to ensuring the performance of the disk subsystem. Choose the RAID appropriately, as not all RAIDs are created equal in terms of performance. The following list compares the common RAID choices and their performance: • RAID 1—This is a pair of drives that are mirrored. RAID 1 provides no performance benefit, as the read/write performance is that of a single drive. The second drive in the RAID array is used simply for fault tolerance. • RAID 5—This is a set of drives with the data striped across them and with one drive providing parity for fault tolerance. RAID 5 provides mostly read performance benefit, as the parity drive is a write bottleneck in the RAID array. • RAID 10—The data is mirrored across drives and then striped to the other half of the drives in the array. There is both read and write performance benefit, which is a multiple of the number of disks in the RAID array divided by two.
100
CHAPTER 2
System Center Configuration Manager 2007 R2 Design and Planning
Given the read and write performance benefits, RAID 10 is always the preferred method. An important benefit of RAID 10 is that the size of the array can be increased by adding spindles (that is, disks) and this also increases the performance of the array. As the Configuration Manager servers are scaled up and better performance is needed, the disk subsystem needs to be scaled to increase performance. This allows target performance (that is, IOps) to be reached. A 10K RPM SCSI disk will be able to sustain approximately 125 IOps of random read/writes. Using this as a base, a target rate of IOps can be computed in terms of number of disks needed (because RAID-10 performance scales with the number of disks). The computation for the number of disks needed in the RAID-10 array is as follows: T a r g e t IOps
/
( 1 2 5 IOps per d i s k / 2)
= Number of Disk is RAID 10 A r r a y
For example, if a target of 500 IOps is needed, the computation is simply: 5 0 0 IOps
/
( 1 2 5 IOps per d i s k / 2)
= 8 disks
A RAID-10 array of eight disks would be sufficient to meet the 500 IOps goal. This allows designers to compute the sizing of RAID-10 arrays needed to achieve the desired performance in terms of IOps. For RAID 1 and RAID 5, the write performance is limited to that of a single drive, that is, 125 IOps.
Choosing SQL Versions Another issue is the edition of SQL to use. For Configuration Manager, which leverages the power of SQL heavily, there can be serious performance impacts in choosing the wrong edition of SQL. SQL Enterprise Edition is designed to scale to the largest of hardware platforms and handle large workloads, but has an associated high cost. SQL Standard Edition has built-in technology scalability limitations, but a much lower cost. SQL Enterprise Edition supports more parallel operations, allowing multiple databases to coexist. Both Enterprise and Standard Editions support parallel queries, but only Enterprise Edition supports parallel index and consistency check operations. Enterprise Edition has a host of other performance benefits, such as indexed views, table and index partitioning, dynamic memory management, and enhanced read-ahead and scanning. These enhancements allow Enterprise Edition to handle much larger Configuration Manager implementations and to handle multiple components on the same SQL server. SQL Standard Edition has a four-CPU limit, whereas SQL Enterprise Edition is only limited by the operating system. In other words, SQL Standard Edition limits parallel processing of queries to a maximum of four CPUs. This is a good example of when the difference between CPUs (that is, sockets on the motherboard) and cores is important. SQL Standard Edition counts the physical CPUs toward the limitation. NOTE The SQL license that is included in the Configuration Manager Server 2007 R2 with SQL Server Technology is a SQL 2008 Standard Edition license.
Configuration Manager Design Considerations
101
SQL licensing costs can be a complicated topic. In general, SQL can be licensed in three ways from a Configuration Manager perspective, as shown in Table 2.2. TABLE 2.2
SQL Licensing Costs
SQL 2008 License
Standard Edition
Enterprise Edition
Server Plus CAL
$1,849 with 5 CALs
$13,969 with 25 CALs
Per Processor
$5,999 x CPUs
$24,999 x CPUs
Configuration Manager Server 2007 R2 with SQL Server Technology
$ 1 , 3 2 1 x management servers
N/A
The Server Plus CAL option is licensed per SQL server and includes a certain number of CALs, but the number of processors is unlimited. The Per Processor option is licensed by the number of CPU sockets (not cores), but the number of CALs is unlimited. For Configuration Manager implementations, the best option is the Server Plus CAL licensing. Configuration Manager has very low CAL requirements, as the agents do not require CALs. Purchasing Per Processor licensing is not recommended, as a typical Configuration Manager database server will have a lot of CPUs and would not benefit from unlimited CALs. NOTE For comparison, the Configuration Manager license without the SQL technology is $579. All management servers must use the same licensing model to be in compliance.
In general, the best-practice guidance is to use SQL Enterprise Edition when • Multiple Configuration Manager Site Databases will coexist on the same database server, as SQL Enterprise Edition handles parallel processing more effectively and can take advantage of additional resources in a scaled-up server • More than four CPU sockets will be used, as SQL Enterprise Edition can use the additional resources • Clustering more than two SQL nodes is a requirement Given the cost differential, sometimes it is necessary to deploy SQL Standard Edition. Bestpractice guidance when using SQL Standard Edition is to • Keep each Site Server database component on a separate SQL server. • Deploy 64-bit versions. • Create a small two-node active-passive cluster. • Use extra memory in database servers to compensate.
102
CHAPTER 2
System Center Configuration Manager 2 0 0 7 R2 Design and Planning
Planning for Native Mode A Public Key Infrastructure (PKI) is an important aspect of the Configuration Manager 2007 implementation. Native mode allows clients to communicate to the Configuration Manager infrastructure components using HTTPS. It also allows infrastructure components to authenticate clients. If the client doesn't authenticate, either because it doesn't have a client authentication certificate or the current client authentication has been revoked or is otherwise invalid, the client cannot communicate with the Configuration Manager infrastructure. Native mode is a prerequisite to support the management of clients over the Internet.
Understanding Certificate Requirements When a certificate is issued, its usage is governed by an Object Identifier (OID). A certificate can have more than one OID, essentially allowing the certificate to be used for more than one purpose. A certificate with the Client Authentication OID is required on all managed clients, including mobile devices, to communicate with a Native mode Configuration Manager site. Client Authentication certificates are easily deployed through Group Policy Autoenrollment. This method of enrollment is important, especially when managing a large number of clients. A certificate with the Server Authentication OID is required on all Configuration Manager 2007 Site Systems, including Site Servers, Management Points, Distribution Points, Software Update Points, and State Migration Points. The Server Authentication certificate is used on each Site Server to encrypt communication between the managed systems and the Configuration Manager component. A certificate with the Document Signing OID is also required on Configuration Manager Primary Site Servers. The Document Signing certificate is used to sign the policies used to configure and manage clients. These certificates can be created through the Certificate Enrollment website or with the certreq.exe command-line utility. A certificate is also needed for operating system deployment. This is a Client Authentication certificate that is uploaded to the Site Server when the PXE Service Point role is deployed. This certificate is used to allow communication to the Configuration Manager infrastructure during all stages of the deployment process. The root certificate for the CA must also be uploaded into each site in the hierarchy to support OS deployment. If a reverse proxy SSL-gateway, such as Forefront Threat Management Gateway 2010, will be used to publish Configuration Manager components for Internet-based client management, then additional certificates for Server Authentication will be necessary. A certificate with the Subject Alternate Name of each Configuration Manager component should match each component's fully qualified domain name (FQDN).
Planning for Native Mode
103
Planning the Public Key Infrastructure Care should be taken to ensure the Public Key Infrastructure is well maintained. The security for the PKI is critical. If the PKI environment is compromised, the integrity of the Configuration Manager environment can also be compromised.
CAUTION The Windows Server 2008 Enterprise certificate template option is not compatible with System Center Configuration Manager 2007 R2 with Service Pack 2. Choosing the Windows Server 2008 Enterprise option results in a version 3 template. To create a version 2 template, select the Windows Server 2003 Enterprise template version.
You should become familiar with the following Native mode PKI terminology: • Enterprise root CA—This is a Certificate Authority that is integrated with Active Directory. The root certificate is automatically distributed to domain members through Active Directory. All domain members trust an enterprise root CA by default. • Client certificate—This is a unique certificate that is installed in the computer's personal certificate store on each managed system. The Configuration Manager agent uses this certificate to identify the computer when communicating with Site Component Servers. • Server certificate—This certificate is used by the different Configuration Manager components to encrypt the communication between the Configuration Manager server and the managed client. • Document Signing certificate—This certificate is used to sign the policies used to configure managed clients.
Using Certificate Templates Leveraging Active Directory certificate templates, an enterprise CA, along with automatic enrollment, greatly reduces the amount of overhead associated with Native mode site security. An enterprise CA integrates with Active Directory. This provides a way to automatically provision certificates to systems. This can be used for both Client Authentication certificates and Server Authentication certificates. When the server or client is started, it can be configured to automatically request the correct certificate needed to communicate with Configuration Manager in Native mode.
104
CHAPTER 2
System Center Configuration Manager 2007 R2 Design and Planning
NOTE The Enterprise version of Windows is required to support an enterprise CA.
Other certificates should still be created manually because they require specific information. For example, the Document Signing certificate requires a unique subject name; "The Site Code of This Site Server Is ABC" is an example if the site code was ABC. NOTE The certificate enrollment website provides a convenient way to generate the Document Signing and OS Deployment certificates. As an alternative to using the web enrollment site, certificates can be requested with the C e r t r e q . e x e command-line tool. For more information, visit the Certreq TechNet site at http://technet. microsoft. com/en-us/library/cc725793(WS. 10). aspx.
The certificate for mobile devices must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. The Mobile Device certificate must also be placed in the personal store. All other certificates must be placed in the personal store for the computer account, with the exception of the OS Deployment certificate. The OSD certificate is uploaded to the Configuration Manager console when the PXE Service Point is created.
Understanding Client Schedules Several client actions, such as hardware and software inventory, provide the ability to define a simple schedule or a custom schedule. The simple schedule typically improves the overall scalability of the Configuration Manager infrastructure by distributing the load placed on the network, Management Points, and Site Servers. NOTE Use the simple schedule and a throttled agent deployment to distribute load and improve scalability of the infrastructure.
The simple schedule works by configuring the client to execute and schedule the inventory schedule dynamically. The first iteration of the schedule is set as the time of the client installation. Throttling the deployment of the Configuration Manager client keeps a relatively consistent load on the environment. The custom schedule instructs all clients to report inventory at a set time and recurrence pattern. If this configuration is desirable, ensure adequate resources are available for the expected load on the network and Configuration Manager hierarchy.
Planning for Internet-Based Client Management
105
Clients that are not members of the domain can also be supported. For example, if bastion hosts located in the DMZ need to be inventoried and managed, a Configuration Manager agent can be installed. In addition to the client software, the correct certificate configuration is imperative for Native mode communication. You can find additional information in the "Planning for Native Mode" section found earlier in this chapter. The Configuration Manager client can be installed many different ways, including manually on the target system, through Group Policy Objects (GPOs), through a logon script, as part of an OS image, through an existing WSUS infrastructure, and automatically through any of the Configuration Manager discovery methods. The Active Directory discovery method is commonly used to find and install clients. When a discovery method runs, a DDR file is generated and placed in a specific location on the Site Server. The Site Server monitors this folder and kicks off an installation. It's possible to programmatically create DDR files based on a custom discovery and place them in this folder.
Planning for Internet-Based Client Management Internet-based client management (IBCM) requires a Public Key Infrastructure. With the correct certificates and infrastructure components in place, clients can be managed over the Internet. This includes receiving policies, downloading content, and uploading inventory reports, state messages, and compliance results. To support Internet-based client management, the site must be configured for Native mode security. Native mode requires that all clients use an SSL certificate to identify themselves. If the client cannot identify itself with a certificate, or the certificate has been expired or revoked, subsequent communication to the Configuration Manager infrastructure will fail.
Understanding Requirements and Limitations With IBCM, several limitations are presented and should be understood. The following features are not supported for Internet-based clients: •
Automatic site assignment
•
Branch Distribution Points
•
Client deployment
•
Network Access Protection
•
OS deployment
•
Out-of-band management
•
Remote tools
•
User-based software distribution
•
Wake On LAN
106
CHAPTER 2
System Center Configuration Manager 2007 R2 Design and Planning
The primary functionality for IBCM is to be able to deliver software updates, deliver software, and collect inventory data and compliance data without requiring the client to establish a VPN tunnel to the corporate infrastructure. An Internet client is also required to communicate with an Internet-enabled Management Point. This Management Point must reside in the client's assigned site. This is a very good reason to deploy as few Configuration Manager sites as possible. A protected Site System cannot be used for Internet-based client management.
Planning Site System Placement The Management Point, Distribution Point, Fallback Status Point, and Software Update Point can all support Internet clients. Existing roles within the organization can be enabled to support Internet clients or new roles can be established, dedicated to Internet clients. How infrastructure servers are deployed largely centers on the security requirements of the organization. CAUTION Use a certificate with Subject Alternate Name configured to allow the Site Server to support both intranet and Internet clients with two unique FQDNs.
For example, if servers in the DMZ cannot directly communicate with servers on the intranet, additional work must be done to create a SQL replica in the DMZ and configure the Management Point so it doesn't talk directly to the Site Server. Instead, the Site Server reaches out and gets information from the Management Point in the DMZ. A sample IBCM server infrastructure is shown in Figure 2.10.
FIGURE 2 . 1 0
Server infrastructure for Internet-based client management.
Putting It All Together
107
The Internet-based roles can be deployed as non-domain members. In this case, when the role is installed on the remote server, a specific Windows account must be specified to complete the installation. In addition, the Site Server can be configured to only allow Site Server-initiated data transfers. This configuration is provided to allow internal Site Servers to communicate into the DMZ, but prevent DMZ servers from communicating directly with the internal network.
Understanding Client Site Assignment Clients are typically assigned an Internet Management Point and Internet Fallback Status Point during installation. However, these settings can be configured after the client has already been deployed. When a client is deployed, both for mobile and standard clients, the options to enable Internet only and intranet only are available. Standard clients can also support both intranet and Internet management. This allows the client to roam between both management types. During installation, the client must be configured with the name of the Management Point and the Fallback Status Point. Although a FSP is not required, it is a good idea to enable this role to monitor the communication health of Internet clients.
Putting It All Together The primary components that directly affect scalability are the Site Server, Site Database, Management Point, and Distribution Point. It is also important to note that the configuration of various settings within the environment also affect performance. For example, configuring 1,000 clients to poll the Management Point every 1 minute and submit hardware and software inventory data based on a hard-coded hourly schedule will consume a lot of resources and will require very large, expensive servers. CAUTION The proceeding guidance should be validated with the desired Configuration Manager settings, before implementing a production infrastructure.
These high-level design scenarios cover a range of organizations from small to medium to large. The profile of the three enterprises is given in the following list: • Small enterprise—A total of 30 servers and 500 workstations, in 3 locations, a main office with a shared T1 to the branch offices, and 2 5 % bandwidth availability. • Medium enterprise—A total of 500 servers and 2,000 workstations, in 10 locations, a main office with a shared 11Mbps Fractional T3 to the branch offices, and 2 5 % bandwidth availability. • Large enterprise—A total of 2,000 servers and 10,000 workstations, in 50 locations, a main office with a shared 45Mbps T3 to the branch offices, and 2 5 % bandwidth availability.
108
CHAPTER 2
System Center Configuration Manager 2 0 0 7 R2 Design and Planning
Small and Medium Enterprise In a small-sized implementation of Configuration Manager, all major components can be hosted on the same server. For best performance, consider separating the following components onto separate physical drives: • Operating system • Configuration Manager installation • Site Database • Distribution Point content For very small environments, the OS and Configuration Manager installation can potentially reside on the same set of disks. However, the database should almost always be separated from the Configuration Manager installation files. The Distribution Point content should also be moved to a different set of disks, but this is dependent on how much content will be provisioned to target systems. For medium-sized deployments, the Distribution Point and Management Point should be moved to separate hardware if the load on the Site Server becomes heavy. Leverage Perfmon and Operations Manager to monitor load on the disk subsystem, memory usage, and CPU usage. A Branch Distribution Point should be placed in each remote office to allow the efficient provisioning of large software packages. Smaller deployments can be timed during offpeak hours and are capable of going across the WAN from the main office, assuming BITS downloading will be used. If Branch Distribution Points are not applicable, such as when the remote office consists of laptop users who travel, consider using the BITS throttling to manage bandwidth. In this scenario, large packages can be trickled down to clients to prepare for a deployment.
Large Enterprise In a large-sized implementation of Configuration Manager, the Site Database and the Site Server component can likely be hosted on the same server but can be moved to a separate SQL server to improve performance or to meet business requirements. For best performance, consider separating the following components onto separate physical drives: • Operating system • Configuration Manager installation • Backup location • VSS temporary location • Site Database
Summary
109
• Site Database transaction log • SQL Temp DB • Distribution Point content
NOTE Use the VSSAdmin command-line tool to change the VSS storage backup association. For example, to set a 15GB maximum size on the E: drive for the VSS backup association for the D: drive, run the following command: vssadmin Add ShadowStorage /For=D: /On=E: /MaxSize=51360MB.
In this type of environment, it is important to move the Management Point role to a separate server. Also, if the environment has multiple data centers, consider establishing a site in each data center. This spreads the load across data centers and reduces the impact if a single site experiences a problem, so that systems in the other site can still be managed. Don't go overboard with the definition of data center; the closet that holds the file and print server in half of the larger remote locations doesn't count. Performance in a large environment can be improved by implementing a central site that doesn't manage any clients. In this scenario, all boundaries would be placed in one to two child primary sites. The central site wouldn't have any boundaries and would only be used to manage the environment and run reports. The central site won't need to have a Management Point on separate hardware because it won't be actively managing clients. Remote offices with existing server infrastructure can leverage that hardware for a standard BITS-enabled Distribution Point. A standard Distribution Point is recommended when a remote site has more than 100 active workstations. One or more Branch Distribution Points should be placed in each remote office that supports between 50 and 100 workstations and doesn't have existing server infrastructure. Branch Distribution Points can also be installed on server operating systems, but will only support clients with the SMB protocol, which is not as efficient as BITS. Smaller deployments can be timed during off-peak hours and are capable of going across the WAN from the main office, assuming BITS downloading is used.
Summary Configuration Manager 2007 R2 supports a large array of functionality. From deploying and managing new operating systems, to provisioning content to intranet and Internetbased clients, Configuration Manager provides end-to-end management. Before starting a
110
CHAPTER 2
System Center Configuration Manager 2 0 0 7 R2 Design and Planning
Configuration Manager project, it is important to understand the goals and objectives of the business and plan the implementation accordingly. By understanding how the components and roles work, a successful implementation can be achieved.
Best Practices The following are best practices from this chapter: • For organizations with existing configuration management database (CMDB) implementations, use Configuration Manager to supply data for Windows-based managed assets. This can be accomplished several different ways, including through the predefined SQL views and the WMI provider. • Manage the Configuration Manager hierarchy from the central site, as this provides access to the entire infrastructure and all managed systems. Opening a Configuration Manager Administration Console on a lower-level primary child site only provides access to clients assigned to that site and child sites below that site. • By default, the contents of a package are pushed to Distribution Points from the Site Server that created the package. Enable the Send Package from the Nearest Site in the Hierarchy option to make effective use of Senders and Addresses. • To achieve global roaming, the Active Directory schema has to be extended. If the schema hasn't been extended, only regional roaming is available. Regional roaming only allows client roaming to child sites below the client's assigned site. • Use software publishing to provide users with the ability to execute the software when it's convenient for them. This is often beneficial for more savvy technical users, such as IT staff. • Use the Microsoft Deployment Toolkit (MDT) 2010 for additional OS deployment functionality, including full-file scripted-based installation without needing to capture an image. MDT integrates directly into the Configuration Manager console and can be downloaded from http://technet.microsoft.com/en-us/solutionaccelerators/ dd407791.aspx. • Don't use Configuration Manager as an authoritative source for making licensing purchases. The actual counts of licenses should be tracked as systems are provisioned and deprovisioned throughout the enterprise. Configuration Manager should be used to validate those numbers. For example, each SQL component is tracked separately. This artificially increases the count of some of the license reports. • Don't modify existing reports. Always make a copy of the report and make changes to the copy. During Configuration Manager service pack upgrades, the original reports can be updated by Microsoft; if the reports are customized, your changes will be lost.
Best Practices
111
• Use the PolicySpy utility from the Configuration Manager 2007 toolkit to review policies on the client system. The PolicySpy utility simply provides a view into the correct location within the WMI repository where all policies are stored. The Configuration Manager 2007 toolkit can be downloaded from http://www.mi crosoft.com/downloads/details.aspx?displaylang=en&FamilyID=948e4 77e-fd3b-4a09-9015-141683c7ad5f. • The Site Server database cannot be backed up while the SMS Executive service is running. Backing up the database while the SMS Executive service is running might result in inconsistencies between information in the database and the Configuration Manager site control file, which will prevent the site from being successfully restored in a disaster recovery scenario. Use the backup tasks from within the Configuration Manager Administration Console to schedule backups. • Software information that is uploaded and eventually categorized by Microsoft is made available to all Microsoft customers through System Center Online Services. Avoid uploading private software information that could be used to identify your business to other customers. • To override protected boundary behavior, enable the Allow Clients to Fall Back to Unprotected Distribution Points when the Content Is Not Available on the Protected Distribution Point option on the package advertisement. • Avoid customizing the default collections; they can be changed and reverted back to default during subsequent service pack upgrades. • Use the Network Access Account to allow network access from clients who are not in the same forest or workgroup. Normally, communication is done with the computers account; if the computers account fails, communication with the Network Access Account is attempted. • When programmatically executing client actions on a 64-bit system, make sure the 32-bit script interrupter is used. The 32-bit version of c s c r i p t . e x e is located here: %SystemRoot%\SysWow64\cscript.exe.
• Never configure overlapping boundaries. This can cause managed systems to use the wrong Site Server or Distribution Management Point. This often happens when using a combination of IP and Active Directory boundaries. • Site-specific settings are not replicated down to lower-level primary sites or up to parent sites. To copy site-specific settings, such as the client agent configuration, use the Transfer Site Settings Wizard. • The Windows Server 2008 Enterprise certificate template option is not compatible with System Center Configuration Manager 2007 R2 with Service Pack 2. Choosing the Windows Server 2008 Enterprise option results in a version 3 template. To create a version 2 template, select the Windows Server 2003 Enterprise template version.
112
CHAPTER 2
System Center Configuration Manager 2 0 0 7 R2 Design and Planning
• The certificate enrollment website provides a convenient way to generate the Document Signing and OS Deployment certificates. As an alternative to using the web enrollment site, certificates can be requested with the C e r t r e q . e x e commandline tool. For more information, visit the Certreq TechNet site at http://technet. microsoft.com/en-us/library/cc725793(WS.10).aspx. • Use the simple schedule and a throttled agent deployment to distribute load and improve scalability of the infrastructure. • Use a certificate with Subject Alternate Name (SAN) configured to allow the Site Server to support both intranet and Internet clients with two unique FQDNs.
CHAPTER 3
System Center Configuration Manager Implementation and Administration System Center Configuration Manager (ConfigMgr) 2007 R2 helps reduce the cost of managing the Windows infrastructure by providing scalable, secure, end-to-end administration and reporting functionality for the enterprise. It is important to fully understand the architectural design before Configuration Manager 2007 R2 infrastructure servers and roles are deployed. This chapter walks through the steps necessary to deploy, configure, and administer key Configuration Manager 2007 R2 functionality. This functionality includes deploying and administering the roles and features needed to enable operating system deployment, systems configuration management, patch management, software provisioning, asset management, and reporting.
Reviewing ConfigMgr 2007 R2 Architecture Configuration Manager contains many different roles along with several internal and external dependencies. The following list describes each Configuration Manager role. Each role can be installed on a separate server for a very high degree of scalability or colocated on the same server for smaller environments.
IN T H I S C H A P T E R •
Reviewing ConfigMgr 2007 R2 Architecture
•
Understanding the AD Site Topology
•
Creating a Public Key Infrastructure
•
Deploying Certificates
•
Preparing the Site Database Server
•
Extending the Active Directory Schema
•
Configuring Active Directory
•
Implementing Internet Information Services (IIS)
•
Implementing the Central Site
•
Deploying the Child Primary Sites
•
Configuring the Hierarchy
•
Implementing Asset Management
•
Implementing Patch Management
•
Implementing OS Deployment
•
Implementing Regional Server Infrastructure
•
Discovering and Managing Clients
114
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
The roles of Configuration Manager are as follows: • Site System—This is a term used to describe a server or a network share that hosts Configuration Manager functionality. A Site System can host a single role or several roles. • Site Database—The Central Site Server and each Primary Site Server require a Site Database. This database contains configuration data for the site and client data, such as hardware inventory, and patch compliance data. • Central Site Server—The Central Site Server is the highest-level Primary Site Server in the hierarchy. This server has the ability to manage all clients throughout the hierarchy. The Central Site Server provides essentially the same functionality as a Primary Site Server. • Primary Site Server—A Primary Site Server provides core functionality for Configuration Manager. This server manages Site Component Servers, provides an interface to manage systems, and manages data in the Site Database. • SMS Provider—All Configuration Manager Primary Site Servers use a WMI provider to communicate with the Site Database. This includes things like updating the Site Database when a client inventory is submitted. • Secondary Site Server—A Secondary Site Server does not require a database. A Secondary Site Server provides a proxy for client communication within an area and is often used when very specific bandwidth control is needed between two physical network locations. • Component Servers—A Component Server provides additional functionality beyond the basic Site Server. Components include the Management Point, Fallback Status Point, Distribution Point, Reporting Point, and so on. • Server Locator Point—The Server Locator Point (SLP) component provides a way for managed systems to find Site Systems. This is typically used when managing nondomain clients or when Active Directory schema has not been extended. • Management Point—All managed clients communicate with the Management Point (MP) web service. This communication is established by the client to receive management policies and send status. The Management Point receives policies from the Site Database and delivers client data and status messages to the Primary Site Server for processing. • Fallback Status Point—The Fallback Status Point (FSP) provides a safety net for clients. A client system can send status messages to a Fallback Status Point when initial communication has been established, such as when a new agent is installed, or when communication has failed and the client is orphaned or otherwise unable to establish normal communication with the site.
Reviewing ConfigMgr 2 0 0 7 R2 Architecture
115
• Distribution Point—The Distribution Point provides the distributed repository for packages. This repository can contain operating system packages, software packages, and patch packages. Clients query the Management Point for a list of local Distribution Points when asked to execute a package. • Software Update Point—The Software Update Point (SUP) communicates with the WSUS implementation to receive data from Microsoft Update about patches and updates available for clients. The Software Update Point also manages the Software Update Client Agent on systems that are managed by Configuration Manager. • Reporting Point—The Reporting Point (RP) is a legacy component that uses a static ASP web page to run queries against the Site Database. It provides a simple way to execute queries and produce basic reports that contain data from the Site Database. • Reporting Service Point—The Reporting Service Point (RSP) provides an extensible reporting infrastructure based on SQL Reporting Services. This provides a powerful way to access data in the Site Database, and includes the ability to schedule reports through subscriptions. • PXE Service Point—The PXE Service Point (PSP) provides network boot capabilities for managed systems during an OS deployment or refresh. • State Migration Point—The State Migration Point (SMP) provides a secure location to store the user state from a client system during the OS deployment. • Enterprise Root CA—This is a Certificate Authority that is integrated with Active Directory. The root certificate is automatically distributed to domain members through Active Directory. All domain members trust an Enterprise Root CA by default. • Client Certificate—This is a unique certificate that is installed in the computer's personal certificate store on each managed system. The Configuration Manager agent uses this certificate to identify the computer when communicating with Site Component Servers. • Server Certificate—This certificate is used by the different Configuration Manager components to encrypt the communication between the Configuration Manager server and the managed client. • Document Signing Certificate—This certificate is used to sign the policies used to configure managed clients. The Configuration Manager 2007 R2 architecture is shown in Figure 3.1, with all the major components and their data paths.
116
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
«
4J Software Update Point (SUP)
State Migration Point (SMP)
Reporting Services Point (RSP)
o
Ife
CS Server
FIGURE 3 . 1
Configuration Manager 2007 R2 architecture.
Understanding the AD Site Topology This chapter assumes a fully functional Active Directory domain has been configured with at least one domain controller. The Company ABC sample domain in the proceeding tasks and throughout this section consists of two domain controllers called DC1 and DC2. One domain controller is located in each of the primary sites. The first site is called SITE1 and the second site is called SITE2. All servers are running Windows Server 2008 R2 and are configured to communicate with the IPv4 protocol; the IPv6 protocol has been disabled. NOTE This configuration is only for demonstration purposes. Having a single domain controller in each site is not typical and not recommended. For additional information about Active Directory and domain controller planning, please visit the Active Directory Domain Services TechNet site at http://technet.microsoft.com/en-us/library/ cc770946(WS.10).aspx.
Understanding the AD Site Topology
117
Each domain controller is running Active Directory-integrated DNS, WINS, and DHCP to facilitate client communication. Each domain controller is also configured as a global catalog. The domain controller in SITE1 contains all five FSMO roles. The forest functional level and domain functional level are set to Windows Server 2008 R2. An Active Directory-integrated Enterprise Root Certificate Authority is used to issue client and server certificates. The enterprise CA is located in SITE1 on the server called CA1. The Active Directory site topology is shown in Figure 3.2.
FIGURE 3.2
Active Directory site topology.
The server CM1 is located in SITE1 and hosts the Management Point, Fallback Status Point, Distribution Point, Reporting Point, Server Locator Point, and the Software Update Point roles. The server SQL1 is running SQL Server 2008 with Service Pack 1, and hosts the Site Database and Reporting Service Point roles. The local firewall is configured for default settings unless otherwise noted. Typically when a Windows role or feature is added to Windows Server 2008 or Windows Server 2008 R2, the correct ports are automatically opened to allow communication.
NOTE If communication issues are a problem, make sure the setting on the local firewall has been configured correctly. For troubleshooting purposes, disable the local firewall temporarily.
118
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
Creating a Public Key Infrastructure A Public Key Infrastructure (PKI) is an important aspect of the Configuration Manager 2007 implementation. When a certificate is issued, its usage is governed by an Object Identifier (OID). A certificate can have more than one OID, essentially allowing the certificate to be used for more than one purpose. A certificate with the Client Authentication OID is required on all managed clients, including mobile devices, to communicate with a Native mode Configuration Manager site. Native mode is a prerequisite to support the management of clients over the Internet. A certificate with the Server Authentication OID is required on all Configuration Manager 2007 Site Systems, including Site Servers, Management Points, Distribution Points, Software Update Points, and State Migration Points. The Server Authentication certificate is used on each Site Server to encrypt communication between the managed systems and the Configuration Manager component. A certificate with the Document Signing OID is also required on Configuration Manager Primary Site Servers. The Document Signing certificate is used to sign the policies used to configure and manage clients.
Deploying an Active Directory Enterprise Root CA This example details the steps required to deploy an Enterprise Root CA in the Company ABC domain. When an Enterprise Root CA is configured, all clients in the domain automatically trust certificates issued from this CA. All Configuration Manager Site Servers and managed clients must trust the Certificate Authority. Any Configuration Manager Site Servers or managed clients that don't trust this Certificate Authority will not communicate with the infrastructure and might become orphaned. This typically happens when non-domain member servers, such as bastion hosts in the DMZ, are not part of the domain but have a Configuration Manager agent installed. To correct this problem, install the CA certificate into the local computer's Trusted Root Certificate Authorities certificates store. NOTE Status messages will still be sent to the Fallback Status Point, even if the client system has become orphaned due to certificate configuration issues. It is important to deploy the Fallback Status Point before deploying clients.
To deploy an Enterprise Root CA, complete the following steps: 1. Open the Server Manager console on CA1. 2. Select the Roles node. 3. Click the Add Roles action. 4. Client Next to skip the Roles Overview page.
Creating a Public Key Infrastructure
119
5. Enable the Active Directory Certificate Services role, and then click Next. 6. Click Next to skip the AD CS overview page. 7. Enable the Certification Authority role service. 8. Enable the Certification Authority Web Enrollment role service. 9. Click Add Required Role Services when prompted, and then click Next. NOTE Clicking the Add Required Role Services button automatically enables IIS and related features required to host the certificate enrollment website. The certificate enrollment website provides a convenient way to generate the Document Signing and OS Deployment certificates. As an alternative to using the web enrollment site, certificates can be requested with the C e r t r e q . e x e command-line tool. For more information, visit the Certreq TechNet site at http://technet. microsoft. com/en-us/library/cc725793(WS. 10). aspx
10. Select Enterprise and click Next. 11. Select Root CA and click Next. 12. Select Create a New Private Key and click Next. 13. Accept the default Cryptography settings and click Next. 14. Accept the default CA Name settings and click Next. 15. Accept the default Validity Period settings and click Next. 16. Accept the default Certificate Database Location settings and click Next. 17. Client Next to skip the IIS Overview page. 18. Accept the default IIS Role Services and click Next. 19. Confirm the installation selections and click Install. 20. Wait for the installation to complete and click Close. After implementing the CA, the CRL Distribution Point (CDP) settings need to be configured to allow HTTP access to the CRL files. For security reasons, this typically wouldn't be done on the issuing CA; the CRL would be published on a system designated for that role. However, for demonstration purposes, the CRL will be published on the server CA1, allowing Internet-based clients to check the CRL. To publish the CRL, complete the following steps: 1. Open the Server Manager console on CA1. 2. Expand the Roles node. 3. Expand the Active Directory Certificate Services node. 4. Right-click companyabc-CAl-CA and click Properties. 5. Select the Extensions tab. 6. Select http:///CertEnroll/... from the list of CDPs.
120
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
7. Enable Include in CRLs. Clients use this to find Delta CRL locations. 8. Enable Include in the CDP Extension of Issued Certificates. 9. Apply the changes and close the window.
Validating the Enterprise Root CA The newly installed Enterprise Root CA should be validated before certificates are issued to clients. To validate the CA, check the local application event log on the server CA1. This can be accessed through the Diagnostics node of Server Manager. If the application event log is clean and doesn't contain any error or warning messages about Certificate Services or related components, the server should be ready to issue certificates to clients. It is always a good practice to restart the certificate server to ensure the Certificate Services can start and stop without logging any issues. It is also important to resolve all problems before moving to the next section and deploying certificates to managed clients and Site servers.
Deploying Certificates An enterprise Certificate Authority simplifies management of certificates by providing a secure, scalable certificate provisioning process through Active Directory. This task assumes all of the Configuration Manager servers and the Enterprise Root CA server have been moved to an organizational unit (OU) called Servers, and all of the workstations have been moved to an OU called Workstations. The Servers and Workstations OUs are child objects of an OU called Managed. The Managed OU is located in the root of the domain. CAUTION Do not move domain controllers from the default OU. Moving domain controllers out of the default Domain Controllers OU is not supported. When an Enterprise Root CA is deployed, all domain controllers automatically receive a "Domain Controller" certificate. This certificate can be used for both client and server authentication.
Configuring the Auto-Enrollment Group Policy Object A Group Policy Object (GPO) called "Certificate Auto-Enrollment" will be created and linked to the Servers OU and the Workstations OU. This group policy will be used to enable the certificate auto-enrollment function for all managed systems. To create the Certificate Auto-Enrollment GPO, complete the following steps: 1. Open the Group Policy Management Console on DC1. 2. Expand Forest: companyabc.com.
Deploying Certificates
121
3. Expand Domains. 4. Expand companyabc.com. 5. Select the Group Policy Objects container. 6. Right-click the Group Policy Objects container and select New. Enter
7.
C e r t i f i c a t e Auto-Enrollment
in the Name field and click OK.
Once the GPO has been created, the setting that allows Certificate Auto-Enrollment can be enabled. To enable the Certificate Auto-Enrollment setting in the GPO, complete the following steps: 1. Right-click the "Certificate Auto-Enrollment" GPO and select Edit. 2. The Group Policy Management Editor opens. 3. Expand Computer Configuration. 4. Expand Policies. 5. Expand Windows Settings. 6. Expand Security. 7. Select the Public Key Policies container. 8. Double-click Certificate Services Client - Auto-Enrollment. The Certificate Services Client - Auto-Enrollment location is shown in Figure 3.3. I
MJ.IL-IHII.U.U.L.HÜ1WM HT
«ton
v*»
H(to
*. - : •• E •" JenowweHtSiftta . [ I K - Í I Onvc ( i K r ^ t f l d A j l r i k Cei b V i ï Regunl S e i t r v Fnawriw'i'njjt
si ^ A W V t W O H ¡H I iwaiPflto« 30 j E w r i e g > ¿ R ^ b K « CrOnx ij System Í e r n í í i Ö ¿fttCSfr DO i E i - VMrt«Hct*V*(IEEEa&-3] S
¡í,Je«li»T CirBfcjlr î i r « r »
* a. C0Tearyi6;-CA!-C* a ^WcbScrwvOtS) B P(Hm • p CMflrtwti» > Hg Cin'ijiilSön :* g i m p
¡iWPWi^gfitrt^CW
•
^lAuttncflbCflleü Seuwn ÜBwcfW 2C*tatwigr ÜC^&xrypew .«jCûdeSOnnç .•J'üir-ou'j3 Aglhonty ¿1 Cïrcttary Emu Rpffcatön
I VjrBW I M a f t f o
UAnda« MQJfnt... wmcbiw 2 0 »
3 Cv^oai . The default IIS web page should load and the certificate should be trusted.
Implementing Internet Information Services (IIS)
137
The trusted Server Authentication certificate providing SSL is shown in Figure 3.10.
f
^MjsI ~ fi -
I1S7 - Windows I n t e r n e t Explorer httpc
B
: coirpanyabc.com
3
**
x 15 "
W e b s i t e Identification ' ©
'
'
'W1
T
Page »
Safety »
Toots »
OT
coinpaiiyabc-CAt-CA has irtenlilifid this site as cm1 .companyabcco m Bienvenid TtiiE connection to the serv&r is encrypted. D e m - u i n d o S l i u u l d I l u i s l this Kile?
vftejtc-
View certificates
^
CO
^ ^ ^ ^ ^ • 'Knn
Velkommen
r 11J /
Benvenuto W e l k o m
internet
information
sei vices
Vàlkommpn
D'un n
VELkOMEN
M Witamy Lux J-Ü
Hû$ Geld in iz
http://go,fnCTO£oft, com/fvrfnk/Artod-bd 1J3
FIGURE 3 . 1 0
^ internet 1 Protected Mode: U f f
. -
Muu%
-
Trusted SSL encryption.
Configuring WebDAV The WebDAV component is used by the Configuration Manager Site Servers to stage content and create the appropriate folders on BITS enabled distribution points. To configure a WebDAV authoring rule, complete the following steps: 1. Select Default Web Site from within IIS Manager. 2. Double-click the WebDAV Authoring Rules icon. 3. Select Add Authoring Rule. 4. Allow Access to: All Content. 5. Allow Access from: All users. 6. Allow Permissions: Read. 7. Click OK. To configure WebDAV settings, complete the following steps: 1. Select the WebDAV Settings action. 2. Set Allow Anonymous Property Queries: True 3. Set Custom Properties: False
138
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
4. Set Property Queries with Infinite Depth: True 5. Set Allow Hidden Files to Be Listed: True 6. Click Apply and then click the WebDAV Authoring Rules action. 7. Click Enable WebDAV. The WebDAV settings page is shown in Figure 3.Tf.
f*t
«Mci
Vit*
Mifc
+•
njir
E
S
ï>**k> y Sj wtb5t«tr{ns)
^
# » CM:
•
»
J!K « OifWtVrtbS-Se *
ConiwtthhH
- (fi FtAhttS m ji too-i^te Hi ¿¡1 OG E3 Sw»K
i l CMftPfty
\ •> •
ACHM» ^
l i f t
WebDAV Settings
O Authoring Dthavlor HO* Unmiwil MIM. Tvfles
Posfc » &MS
3 larfcBrfwvkvr AbMLada latkSiBfF =L«5jre lode far y/ftmi • Property Behavior
Hon Property into iW! P Request' rice«« Behevwr Msernfl rim fte AlonhMjenScgrviLNiprig B WrhOAY BWIAVHW »Of H&en ftcs to be UMcd CD toietfiMty Opswn Hesjre 5S. Attest
V UWfel jy True
O"* WrtAiV k i t i n g Riin...
Trur »^hAiv ffeaplr lartr Frfsi
Trur (Cofcctkm) True True
To*
AHcm 1 Ihiden f i « to be Luted
ft. •
J
:
4t
X
P •
|b
* t '
I ©NioOToll Acftvr I V ^ t a V CcrtSwbt î p - ^ r .
|
1 Mícrosoír Aclrw Dirvctcfy Curtificalc S*»vm)s
|
^ - •
m -
•
uoinpjiiyjbc CAI CA
Safciv-
T«&» ». -I •
ÜMM
Advanced certificate Request CinlMkalii ÏOinpIntir: [Configurât«« Manager Ooeument Signing Identifying Information For Ofllinn Template: Nam* [The site code of tlvs site serwf is ABC [$vpi?wt@i(imp3ny:tf* Ct>m Company [CompinyA9C Department [information Technology C*y. [OaWand Sias* [CaOAMia CounUyTïegion f j S 1 Key Options: Create n*w key set
C Use existing key set
C$R 1 Microsoft RSA SCharmrt OyptoyaplW Provide' jJ
zi IHxíírOff 1
\UßK
'
1
J
| UïuiBaratrt | Pnmnry partition
FIGURE 3 . 1 2
-
.1
I
r
I
Identifying information for the Document Signing certificate.
Accept the default key options and Additional Options sections, and then submit the request to the CA by clicking the Submit button at the bottom of the web page. This certificate requires approval by the CA administrator before it can be downloaded and installed on the Site Server. To approve the certificate, open the Certificate Authority console on the server CAT. Select the Pending Requests container; the pending Document Signing certificate for the CMT server should be listed. Right-click this pending certificate, select All Tasks, and then select Issue. The Document Signing certificate will move from the Pending Certificates folder to the Issued Certificates folder. The certificate is ready to be installed on the Site Server. To install the Document Signing certificate, complete the following steps: 1. Open Internet Explorer on CMT. 2.
Type
h t t p s : / / c a 1 . companyabc. c o m / c e r t s r v /
in the address bar.
3. Enter domain administrator credentials if prompted. 4. Click View the Status of a Pending Certificate Request.
142
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
5. Click the dated certificate request. 6. When prompted, click Yes to allow the website to perform the operation. 7. Click Install This Certificate. 8. The web page will display the message "Certificate Installed." Export the certificate from the Personal Certificate store of the user account used to request the certificate, and import the certificate to the Personal Certificate store of the local computer. During the export, select the option to Export the Private Key. To export the Document Signing certificate, complete the following steps: 1. Open
MMC.exe
on CM1.
2. Select File, Add/Remove Snap-in. 3. Choose Certificates from the Snap-in list, and then click Add. 4. When prompted, select My User Account, and then click Finish. 5. Choose Certificates from the Snap-in list again, and then click Add. 6. When prompted, select Computer Account and click Next. 7. Choose the Local Computer option, click Finish, and then click OK. 8. Expand the Certificates - Current User node in the MMC. 9. Expand Personal and select Certificates. 10. The Document Signing certificate should be listed. Right-click the certificate, click All Tasks, and then click Export. 11. Click Next to skip the Welcome page. 12. Choose Yes, Export the Private Key. 13. Accept the default file format options and click Next. 14. Enter and confirm a password to protect the certificate and click Next. 15. Set the path to c:
\Temp\CM1 DS. pfx,
click Next, and then click Finish.
The certificate was exported from the user's certificate store. It can now be imported into the Private Certificate store for the local computer. Both the Local Computer and Users certificate store were added to the custom MMC console in the previous step. To import certificates into the Private Certificate store, do the following: 1. Expand the Certificates (Local Computer) node in the MMC. 2. Expand Personal and select Certificates. 3. Both the Client and Server Authentication certificates should be listed. 4. Right-click the Certificates container, click All Tasks, and then click Import. 5. Click Next to skip the Welcome page. 6.
Choose the c :
\Temp\CM1 DS. pf x
file and click Next.
7. Enter the password specified in the previous task and click Next. 8. Accept the default certificate store, click Next, and then click Finish.
Implementing the Central Site
143
The Document Signing certificate is now ready to be used by the Configuration Manager Site System. Close the custom certificates MMC; when prompted, select Yes to save the console. Save the file on the desktop as C e r t s .msc. The console can be used again to manage and view certificates on this server, and in the next section.
Requesting the OS Deployment Certificate The OS Deployment client certificate is used by all systems during the OS deployment. This is essentially a shared certificate that is imported when the PXE Service Point is established. The same procedure used to request the Document Signing certificate can be used to request the OS Deployment certificate. The main differences are instead of selecting the Configuration Manager Document Signing template from the template list, the Configuration Manager OS Deployment template must be selected. In the Name field, enter osd01 .companyabc.com.
NOTE This certificate does not need to be added to the Local Computer certificate store. The PFX file created will be imported during the deployment of the PXE Service Point detailed later.
Remember to approve the certificate osdl.companyabc.com from within the Pending Requests container. When exporting the certificate, enter c : \Temp\OSD01 . p f x as the file.
installing the Central Site Server Before running the Configuration Manager setup, run the prerequisite checker to verify the required components have been successfully installed. The prerequisite checker can be launched from a link on the s p l a s h . h t a page. The s p l a s h . h t a page can be found in the root of the Configuration Manager media. WARNING Make sure the Configuration Manager Site Server Computer Account is in the local administrators group on all component servers and other Site Servers; this includes the Site Database server. The computer account of the Site Server is used to access and manage the remote server by default.
Before starting the installation process, create a folder on the D: drive called downloads. This folder will store the latest prerequisite components downloaded during the installation process. This folder can be reused during subsequent Site Server installations.
144
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
To install the Central Site Server, complete the following steps: 1.
Launch s p l a s h . h t a from the Configuration Manager 2007 SP2 media.
2. Click the Configuration Manager 2007 SP2 link. 3. Click Next to skip the Welcome page. 4. Choose Install a Configuration Manager Site Server, and then click Next. 5. Accept the license terms and click Next. 6. Choose Custom Settings and click Next. 7. Choose Primary Site and click Next. 8. Accept the default CEIP options and click Next. 9. Enter the product key, if necessary, and click Next. 10.
Type d : \SCCM\ as the installation path and click Next.
11. Enter ABC as the site code. 12.
Enter C e n t r a l S i t e as the friendly name and click Next.
CAUTION The site code specified during setup must match the site code in the subject name of the Document Signing certificate.
13. Select Configuration Manager Native Mode. 14. The correct certificate should be automatically selected. 15. If the correct certificate is not selected, click Browse to locate it, and then click Next. The Document Signing certificate automatically discovered by the Configuration Manager 2007 SP2 setup wizard is shown in Figure 3.13. 16. Accept the default Client Agent Selections and click Next. 17. Enter SQL1 for the SQL server name. 18. Accept the default database name and click Next. 19. Enter CM1 as the location for the SMS Provider and click Next. 20. Choose Install a Management Point. 21. Accept the default name, CMl.COMPANYABC.COM, and click Next. 22. Accept the default HTTPS port 443 and click Next. 23. Choose Check for Updates and Download Newer Version, and then click Next. 24.
Type d : \Downloads\ as the alternate path and click Next.
25. Wait for the download to complete, and then click OK. 26. Review the Settings Summary, and then click Next. 27. Wait for Setup to evaluate the server.
Implementing the Central Site
145
Mil n m i f l S y s l f i n ( V t i l r r r n i i f i y n r r t l inn M r i t i n y r r 3fl07 SP? Sue M o d e !n| in ify t»* • CiwJîj ÏAjt a i r niciilr Ter Ii m si r
£» fj n iiij. rrtiii n I ,'ii;,iyh N ^ i v r M • 'ü d e d native made it you need the hghesl fevel cH Lenl.gumt on YJnnriJwnEiinta
yvv^'C sc
-1
KCfKHI
Naive made rabies f ooa^-g ptiiltc key iff restructure ;H KJ) to supjKfl cior/a m th o ate and some i! Itir dr L, v LJ . r i : T1 " :• ! m Kfi un •w^n i cj [ : m I ( >: jd r i ; ."J ¿ilirnly he inrdidlrLl i i i l t i s c z i n j i i n
5te server storing certfmite detarb: .OiiD-diEcovered ftrwyly nflmF (uuedtci ty
[ma iNftrwî The ate code rrf this sile servef is ADC ; 1 '.A -T:71 unt/Trmta l î ^ t i r T o i o
; i r i f v
.
Confirmation Morraqer Mwed Made Spied rrJxed rmxie t the '.< e -»' suKxrt SMS 2003 räerts, or heï a parent sue configured for mtted mods. r ; — f c a i e d c f l e f t a cannul berr-anagedi the afie l a c p e n t ^ r mfeed
c Bare
FIGURE 3 . 1 3
.
[
Nmn :
|
Cjinrjd
|
Auto-discovered Document Signing certificate.
28. If the prerequisites pass, click Begin Install. 29. When the installation is finished, click Next, click Finish, and then restart the server.
Validating the Installation and Reviewing Site Status To validate the installation, check the contents of the System Management container in Active Directory. The System Management container can be seen with the advanced view of Active Directory Users and Computers, or with ADSI Edit. The Site Server and Management Point objects should both exist in this container. It is important to validate the installation after each role is deployed; this ensures everything is functioning correctly before moving to the next step. It is also important to monitor site status on a continuous basis to ensure the health of the environment. For additional information on automatically monitoring the Configuration Manager hierarchy with Operations Manager, review Chapter 8, "Using Operations Manager for Monitoring and Alerting." Validating Component Status In addition, open the Configuration Manager console and review the Site Status component in the System Status container. This console is called ConfigMgr Console and is located under the Microsoft System Center folder in the Start menu on the Site Server. To view the Component Status in the ConfigMgr Console, do the following: 1. From within the ConfigMgr Console, expand Site Database. 2. Expand the System Status node. 3. Expand the Site Status node.
146
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
4. Expand the ABC - Central Site node. 5. Select Component Status. The Component Status page shows all of the subprocesses that make up the Configuration Manager infrastructure for this site. The component status is based on status messages that are received from the component. Because the component has to send the Site Server status, and the Site Server has to process the status message, the condition of components can be delayed. This is especially true when looking at the status of child sites within the Central Site console because status messages are sent to parent sites based on the site sender configuration. If a component is marked with a red error or a yellow warning icon, the component has received status messages indicating a problem with the component. Right-click the component, select Show Messages - All from the menu. TIP The status summarizer for the different components is not automatically changed from red or yellow to green if the component that experienced the problem is fixed. The component summarizer simply counts the number of warning and error status messages that have been received. To reset the status of a component, right-click the component and select Reset Counts - All from the menu. The count of status messages will be reset and the icon will change back to green in a few minutes.
The delay in status messages is often a source of frustration for administrators starting out with Configuration Manager. For a better, real-time view into site components, check the log files with T r a c e 3 2 . e x e , a Configuration Manager 2007 Toolkit utility. You can identify the log file for a specific component by right-clicking the component and selecting Start, ConfigMgr Service Manager from the menu. Navigate to the component within the Service Manager, right-click the component from the Actions pane, and then select Logging. The site component Logging option is shown in Figure 3.T4. Validating Site System Status The Site System Status page is also located in the Site Status node. This page shows the status of each Site System in the hierarchy. This includes systems external to the Site Server, such as Distribution Points, which are key to deploying updates and provisioning software. To view status messages associated with each Site System, right-click any of the Site System server nodes and select Show Messages - All. When prompted, select how much historic data is displayed by setting the date values.
Implementing the Central Site
fie
£St
147
CsrCöOirt
•IHllM-l-el «I T
« H
-
I » " - —
¿I CWNPOÍWL»
Wn
I
Cbt+O
SMS „4UT „fftCwv „ O X t X N T SNGJ^JtSSGMCNTJUNdGES
OTS.cowPoríHtjw3Hríc«
oajjATj»i»j«FnFKATWN>iowro«
SMS^fifomve SMS jmuotjsrmjsjcsHr SHS _M B U f t O f f J U f ¡jMS,l)W3XJWWKÍIR
SMSjHi&ncti't j u r A j O A « * 5M5JMiÇNK*YJ*OCESS« SHSJJW_SB«R S^J^JXUfítíXJWMÍA CHi SNS^JUJCSMTOOWUOSl SNS^NFnvofw.wscCÂçair ÎHJJWBCTJtÂTCATÏCHJUNJWBI WJHHJWlML !| 3C.CÍWR_STATUS_SLI*UftLïôl $MS.0yT90ï.Hi«trcft
J
0 4 J Ï E * rCATTÍ*t.HJ«i3P(
]| S M S . ç r r î , C Î * P O Î N Î j u t u O B t SHS^ÎTIf^COHma^HiNA«» S^S.HTt.SfltJJOO.CHl V-a _Wtl J f i UM.ÎT ATUÎ_ÎCWAftiaft í im V« « a n »
FIGURE 3 . 1 4
d L i
Service Manager.
Implementing the Configuration Manager 2007 R2 Upgrade The next step is to apply the Configuration Manager 2007 R2 upgrade. This is important as the R2 upgrade provides enterprise enhancements, such as integration with SQL Reporting Service and the ability to manage Intel vPRO technology. To install the Configuration Manager 2007 R2 upgrade, complete the following steps: 1. Launch
splash. hta
from the Configuration Manager 2007 R2 media.
2. Select the Configuration Manager 2007 R2 link. 3. Click Next to skip the Welcome page. 4. Accept the license agreement and click Next. 5. Accept the default name and organization and click Next. 6. Click Next to start the installation process. 7. Wait for the installation to complete, and then click Finish. When the R2 installation is complete, be sure to validate the installation and the health of the site by reviewing the Component Status and Site System Status pages from within the Configuration Manager console.
148
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
Deploying the Child Primary Sites Deploying child Primary Sites follows the same process as deploying the Central Site Server. When the installation of the Site Server is complete, the correct addresses along with the parent/child relationship can be established. To establish a parent/child relationship within the Configuration Manager hierarchy, the Configuration Manager "addresses" need to be defined on both the source and destination servers. Typically, this is from the Central Site Server to a lower-level child Primary Site Server.
NOTE When configuring the parent/child relationship, be sure to add the parent Site Server computer account to the local administrators group on the child Site Server. In addition, add the child Site Server's computer account to the SMS_SiteToSiteConnection_ ABC group found on the parent Site Server.
To configure the correct addresses, from the parent server, navigate to the Addresses container in the Site Management section, and click New - Standard Sender Address. Configure the destination site code and FQDN server name of the child Primary Site Server. Then from the child server, repeat this process to create the corresponding address, but this time specify the destination site code and FQDN server name of the parent. When the addresses have been configured, the parent/child relationship can be established by going to the properties of the child Primary Site Server in the Site Management section, clicking the Set Parent Site button, and choosing the parent site code from the drop-down list.
Configuring the Hierarchy The Configuration Manager 2007 console is divided into five main nodes. The Site Settings container within the Site Management node can be used to configure the different components and functionality provided by Configuration Manager. Prior to managing clients, the appropriate functionality should be implemented and configured to ensure clients are managed properly following the agent deployment. The Configuration Manager console with the Site Management and the Computer Management nodes expanded is shown in Figure 3.15. Subsequent sections will refer to the Site Settings container. To find the Site Settings container within the Configuration Manager console, do the following: 1. From within the ConfigMgr Console, expand Site Database. 2. Expand Site Management.
Configuring the Hierarchy
149
jStelBlra "jty System G i r t s CwAU'aUofi *Una?*r .. ; ME Database Me - CHI, Cerfrtf Ste] H _ij &ts Maracersnt E ijjfMC-CmtrjISta H é iif itithp Ui .^jCtertAoo-te ¡^ CfcntlnsttlaBm Kettnds . ..I Cuoncrent ConfoLradon 1 j ctftfiniK ^ Acrouin
i
J«-C«f*»IS*
i*, îenderi
S
-a COTOJ» MMaSMWt t* J C i t e t w n ff. £ if !± !*:
B® ioftwan Sahr.aii -i Çper»tnç 5»SÎBT r e p a i e n t i j J All*t lAMpr«* a S a f a m Cfctti «s
IS IS ^'j Syison S u b i M Stûrtt/flj^flï
FIGURE 3 . 1 5
Configuration Manager console.
3. Expand ABC-Central Site. 4. Expand Site Settings. TIP The Trace32.exe log viewer provides a real-time view of the Configuration Manager status logs. This tool is invaluable when troubleshooting problems and understanding the environment. This tool is part of the System Center Configuration Manager 2007 Toolkit. The Toolkit can be downloaded from Microsoft at http://technet.microsoft.com/ en-us/configmgr/bb892848.aspx.
Deploying Site System Roles When deploying Site System roles to either the Site Server or a remote server, it is important to note the component installation wizard doesn't actually do the installation—it simply queues the installation for the site component manager service. Even through the wizard always completes with a successful message, it is important to review the corresponding log files and the System Status container to ensure the component was actually installed correctly. The log files for component installation is typically located on the server the component is being installed on, in a folder called SMS \ Logs. Additional status messages can be viewed in the sitecomp.log file on the Primary Site Server.
150
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
NOTE When a Configuration Manager role is deployed, the setup routine automatically selects the drive with the largest amount of free space. To prevent Configuration Manager from selecting a particular drive, create a file called no_sms_on_drive. sms in the root of the drive on the remote system.
Deploying the Server Locator Point The Server Locator Point (SLP) is important. It provides non-domain member systems, such as standalone servers in a DMZ or clients from an external Active Directory forest, the ability to locate Site Servers.
NOTE A single SLP is needed for the entire Configuration Manager infrastructure; this SLP instance should be installed off the highest-level Primary Site Server, the Central Site.
To install SLP, complete the following steps: 1. From within the Site Settings container, select Site Systems. 2. Right-click CM1 and select New Roles. 3. On the General page, click Next. 4. Enable the Server Locator Point role and click Next. 5. Choose Use the Site Database and click Next. 6. Review the summary and then click Next. 7. Wait for the installation to complete, and then close the wizard. The site role wizard doesn't actually install the site component. It instructs the site component manager server to queue and execute installation of the component. To review the installation progress, open the SLPMSI. l o g and SMSSLPSetup. l o g with T r a c e 3 2 . e x e . In addition, make sure the SMS_SLP virtual directory has been registered in IIS. To complete the configuration of the SLP, you need to manually add the correct record to the WINS environment and enable the site option to enable HTTP communication for roaming. Type the following command to create the SMS_SLP record on the WINS server: n e t s h wins s e r v e r
\\dc1
add name Name=SMS_SLP endchar=1A r e c t y p e = 0 i p = { l 0 . 1 0 . 1 . 1 3 }
The IP address represents where the SLP component is installed, in this case the SLP is colocated on the server CM1, which has the 10.10.1.13 IP address. The WINS feature is running on DC1 and DC2, and the record was created on \\dcl and will replicate to the other server based on the push/pull replication configuration.
Configuring the Hierarchy
151
To enable HTTP communication, right-click ABC - Central Site from within the Configuration Manager console, and select Properties. From the Properties window, select the Site Mode tab and enable the Allow HTTP Communication for Roaming and Site Assignment option.
Deploying the Fallback Status Point The Fallback Status Point (FSP) is very important. It provides a safety net for clients. The Configuration Manager agent should always be able to communicate status messages to the FSP, even if other communication has failed or is being blocked due to certificate issues. To install FSP, complete the following steps: 1. From within the Site Settings container, select Site Systems. 2. Right-click CM1 and select New Roles. 3. On the General page, click Next. 4. Enable the Fallback Status Point role and click Next. 5. Accept the default configuration and click Next. TIP When a client is deployed, it sends several status messages to the FSReven when the deployment is successful. If a large client rollout is planned, increase the number of messages allowed to prevent a backlog.
6. Review the summary and click Next. 7. Wait for the installation to complete, and then close the wizard. Review the fspMSI . l o g and the S M S F S P S e t u p . l o g files for installation status. During normal operation, problems can be identified with the f s p m g r . l o g file.
Deploying the Reporting Point The Reporting Point (RP) provides the ability to view data in the Configuration Manager Site Database through an ASP web page. This is a legacy component that will eventually be phased out for the more robust Reporting Service Point. To install RP, complete the following steps: 1. From within the Site Settings container, select Site Systems. 2. Right-click CM1 and select New Roles. 3. On the General page, click Next. 4. Enable the Reporting Point role and click Next. 5. Select the Use HTTPS option and click Next. 6. Review the summary and click Next. 7. Wait for the installation to complete, and then close the wizard.
152
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
Review the S M S R e p o r t i n g I n s t a l l . l o g and the R s e t u p . l o g files for installation status. To test the Reporting Point, open Internet Explorer and go to the Reporting Point URL. In this case, the URL is https://cml.companyabc.com/smsreporting_abc. In addition, check for the SMSReporting_ABC application in IIS.
Deploying the Reporting Service Point The Reporting Service Point (RSP) provides reporting of Configuration Manager data through SQL Reporting Services (SRS). SRS is a significantly more powerful platform for developing and delivering reports. TIP The Reporting Service Point does not required SSL to operate in a Native mode Configuration Manager hierarchy.
The Reporting Service Point component is installed in three steps. Initially, the role is added to the correct server from the Site Management\Site Systems node. Then the Reporting Point needs to be configured with a data source; this is necessary to establish communication with the database holding the Configuration Manager data. Finally, reports need to be migrated from the legacy Reporting Point to the Reporting Service Point. To install RSP, complete the following steps: 1. From within the Site Settings container, select Site Systems. 2. Right-click SQL1 and select New Roles. 3.
Enter the FQDN
(SQL1 .COMPANYABC.COM) of
the SQL server, and then
click
Next.
4. Enable the Reporting Service Point role and click Next. 5. Accept the default report folder name and click Next. 6. Review the summary and click Next. 7. Wait for the installation to complete, and then close the wizard. Review the S R S R P S e t u p . l o g and the s r s r p . l o g files. These log files are located on the server hosting the Reporting Service Point in a folder called SMS \ Logs in the root of the drive with the largest amount of free space. To check the status of the Reporting Services Point, navigate to https://sqll.companyabc.com/reports from Internet Explorer. To configure the Reporting Service Point, complete the following steps: 1. From within the ConfigMgr Console, expand the Computer Management node. 2. Expand the Reporting node. 3. Expand the Reporting Services node. 4. Select the SQL1 object. 5. Click Properties from the Actions pane.
Configuring the Hierarchy
153
6. Wait for the General tab to populate. 7. Select the Data Source Settings tab. 8. Wait for the console to communicate with the SQL server. 9. Enter SQL1 as the server name. 10. Enter SMS_ABC as the database name and click the Test button. 11. Click Apply and then click OK. If the Test action doesn't show any errors, the test was successful. The next step is to import existing reports from the legacy Reporting Point. This can be done by selecting the SQL1 server from within the Reporting Services node, then clicking the Copy Reports to Reporting Services action. All of the reports can be transferred at the same time and all of the legacy reports should be compatible with Reporting Services. The Reporting Service Point can be accessed through the Configuration Manager console or directly through the SRS site. The Reporting Service Point web page is shown in Figure 3.16.
Ô
i
3
i j
*
' ' •
'
T -
My
faee-
S«foy-
Took-
are Spinas
usb
Search
ConfigMgr ABC
'"-»New Data Source
Ki
HQPVB
S q t S m v i r KJ'polling S«ïviMS Home i
j New f o l d e r ?
*»
I I
^¡..«MrtVjr-w
i
-
Mpload f i l e
¿J Report Guider
l5£fei5a£2^BBfcii
-i ftsictJUltdJiooicj; ! USSifiri-L -1 Desired Configuration M a n a g e m e n t
C o m p t a g e I HEW
CaauaLCgaiiflura t w n Mg!îàflgiaen.L_£ug[i
- i g g f l n r t Pfttrifrutran •
i««
-A S-PflVliJit; M l t l i l l M iw w
J PLVitt; Miinjgi:iTn:nl »mw - i Priver M a n a g e m e n t i w w
-I tiiUtw.irs, ; CP.'BQM - i lito&KaiJLiJîttS
l*w
-i software Updates - D scan 'w
_ i Hardware,- C e n t a l » " f w - i HattfffOT. -
i ww
SOFTWARE W F A T E S : E TRONBTESFRAGTROA INEW
-J HaBÈSJIfi^JafliîSîQ ï^EW
Hardware
SCSI I m w
J S t a t u s Messages FLW^T INE
Hirtfw OT • art art
J L A A I L ^ G G Y E N « • FTFE«LFI«MFINL STATUA LITW
—t H i i i d w i i n : - Y i d t B t u i d J l a i i K Zi-'-auenct; - A d v a U i i e p h i H t e
B J.ask f u g a c e • ,f?.e,fences i«nw | (h i i i fmin i l k l i l u l i r n j | Mjiitt
A l o w d e r ts to fa1 back to unprotected d s u i b u o o n p a n t s v,hen the content is n o t available on the protected dratribjbon point
|
hnish
)
cancel
Distribution options.
client is connected to a slow or unreliable network boundary, the software will not run on any system that identifies itself as being within this boundary.
Deploying Distribution Points In this sample infrastructure, the Central Site Server CM1 will act as a BITS-enabled Distribution Point. Another Distribution Point role will be deployed on the server DP2; this is described in the section "Implementing Regional Server Infrastructure." To enable CM1 as a BITS-enabled DP, complete the following steps: 1. From within the ConfigMgr Console, expand the Site Management node. 2. Expand ABC - Central Site. 3. Expand Site Settings. 4. Expand Site Systems. 5. Select CM1. 6. Double-click the ConfigMgr Distribution Point role. 7. On the General tab, enable the option to Allow Clients to Transfer Content from the Distribution Point Using BITS, HTTP, and HTTPS. Click OK. Because IIS has already been configured, configuring the BITS-enabled Distribution Point functionality was trivial. When a Distribution Point or another component is hosted on a remote server, be sure to enable the correct IIS prerequisites.
156
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
Enabling Internet-Based Client Management Site Servers have to be explicitly configured to enable Internet-Based Client Management (ICBM). This is typically done on one or more systems dedicated to handling Internet traffic, but the actual configuration can depend on specific business and security requirements. For additional information, review Chapter 2. When a client communicates over the Internet, it needs to talk to a Management Point, Distribution Point, Software Update Point, and a Fallback Status Point. All communication is done over HTTPS, with the exception of the Fallback Status Point, which communicates over HTTP. The first step in the process is to enable IBCM on the Site Server. To enable the Site Server to support IBCM, complete the following steps: 1. From within the ConfigMgr console, expand the Site Management node. 2. Expand ABC - Central Site. 3. Expand Site Settings. 4. Expand Site Systems. 5. Select CM1. 6. Select ConfigMgr Site System and click the Properties action. 7. Enable Specify an Internet Based Fully Qualified Domain Name. 8.
Enter
CM1 .COMPANYABC.COM
as the FQDN, and then
click
OK.
After the Site Server has been enabled, the individual roles can be configured to allow communication from Internet-based systems. To enable the required roles to support IBCM, complete the following steps: 1. Select ConfigMgr Distribution Point and then click the Properties action. 2. Choose Allow Both Intranet and Internet Client Connections and click OK. 3. Select ConfigMgr Management Point and click the Properties action. 4. Choose Allow Both Intranet and Internet Client Connections and click OK. The FSP and SUP do not require additional configuration and are automatically enabled with the Site Server. Finally, to support IBCM, the following ports need to be open from the Internet: • CRL Web Site: TCP 80 • Fallback Status Point: TCP 80 • Management Point: TCP 443 • Distribution Point: TCP 443 • Software Update Point: TCP 8531
Configuring the Hierarchy
157
It is not recommended to connect any internal system directly to the Internet; for production deployments, consider using a reverse proxy, such as ISA Server 2006.
Enabling Client Agents The Configuration Manager agent that is installed on managed systems is made up of several subcomponents, also called agents. Agents are configured using the Client Agents container under the Site Settings container. Computer Client Agent is always enabled; this agent provides core functionality. When managing clients that are not members of the domain, the Network Access Account needs to be defined. The Network Access Account can be defined on the General tab of the Computer Client Agent properties page.
NOTE When managing clients that are not members of the domain, the Network Access Account needs to be defined. The Network Access Account only requires Domain User rights.
The Network Access Account is shown in Figure 3.T8.
General | Customization [ Reminder | BITS | Restart |
£
Speafy the accoLnt and interval settings used by the dient.
Access A c c o u n t A c c o u n t (domainViser);
Policy polling i n t e r v a l (minutas):
*j
Spedfy how frequently dients send consolidated state messages to the management point.
S t a t e message r e p o r t i n g c y d e (minutes):
115
¿M»
FIGURE 3 . 1 8
j
Computer Client Agent.
Heb
158
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
Implementing Asset Management The majority of the asset management functionality was configured during the site configuration. This included enabling the hardware and software inventory client agents, which control how often managed systems report and update data as well as enabling the Software Metering client agent that collects and reports software usage data. In addition to collecting the data from the client, asset management functionality includes the Reporting Point and Reporting Service Point features, which allow an extensible way to look at the data collected. An additional component called the Asset Intelligence Synchronization Point is also available. This component provides integration between Configuration Manager and Microsoft System Center Online services provided by Microsoft. The configuration of this role and integration with SC online can be seen in Chapter 5, "Configuration Manager Asset Management and Reporting."
Implementing Patch Management To facilitate Configuration Manager patch management, several key components need to be implemented and configured. This includes the Software Update Point (SUP) role and Distribution Points. The Software Update Point role is typically installed on the Central Site Server. The SUP also requires an installation of WSUS 3.0 with the latest service pack. The SUP role for Configuration Manager 2007 SP2 requires WSUS 3.0 with SP2. To enable the SUP role on CM1, complete the following steps: 1. From within the ConfigMgr console, expand the Site Management node. 2. Expand ABC - Central Site. 3. Expand Site Settings. 4. Expand Site Systems and select CM1. 5. Select the New Roles action. 6. Click Next to skip the General page. 7. Enable the Software Update Point role and click Next. The next part of the New Site Role wizard walks through the configuration of the SUP and how it interacts with the WSUS implementation on the Site Server. 1. Click Next to accept the default proxy settings. 2. Enable Use This Server as the Active Software Update Point. 3. Enter 8530 as the port number. 4. Enter 8531 as the SSL port number and click Next. 5. Choose Synchronize from Microsoft Update. 6. Choose Do Not Create WSUS Reporting Events, and then click Next. 7. Enable the Enable Synchronization on a Schedule option.
Implementing Patch Management
159
8. Accept the default Simple schedule and click Next. 9. Enable All Classifications and click Next. 10. Enable Office, SQL, and Windows in the Products list, and then click Next. 11. Uncheck All Languages, Except Those Required and click Next. 12. Review the summary, click Next, and then close the window when complete. The Software Update component will be installed on the Site Server. To see the SUP setup progress, review the S U P S e t u p . l o g file. For real-time status and to assist with any troubleshooting, review the W S U S C t r l . l o g file. The SUP was configured with the default "simple" schedule. This configures the SUP to synchronize with Microsoft Update every seven days, starting from the time the SUP was installed. This setting is adequate for some environments but can be modified if necessary.
TIP The default list of "Products" supported by the Software Update Point is refreshed and updated during the synchronization process. This adds things like Windows 7 and Windows Server 2008 R2 to the Windows section. Because the entire Windows product was selected, new operating systems will automatically be enabled as they are made available on the Windows Update site and through WSUS.
To configure the proxy settings for the SUP, navigate to the Site Systems container, select CM1, and open the properties of the ConfigMgr Software Update Point. Additional settings for this role can be modified from within the Component Configuration container, located within the Site Settings node. To manage advanced SUP configuration settings, do the following: 1. From within the ConfigMgr console, expand the Site Management node. 2. Expand ABC - Central Site. 3. Expand Site Settings. 4. Select the Component Configuration node. The properties of the Software Update Point component can be opened to change SUP settings, such as the classification and type of updates that are downloaded, and the synchronization schedule. To start the manual SUP synchronization, do the following: 1. From within the ConfigMgr console, expand the Computer Management node. 2. Expand Software Updates. 3. Select the Update Repository node. 4. Click the Run Synchronization action. 5. Click Yes when prompted to execute the synchronization.
160
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
The synchronization progress can be monitored with the wsyncmgr. log file. The initial synchronization can take a considerable amount of time depending on the options selected. The options configured in this environment will take several hours to synchronize.
Implementing OS Deployment To support OS deployment using network boot, the PXE Service Point is required. To also support a complete operating system refresh with the ability to capture the users' existing settings, store them securely on the network, then reapply them to the new operating system; the State Migration Point is required. Both of these components will be installed on the CMT server. The PXE Service Point requires the WDS transport feature. This is available by default on Windows Server 2008, and can be enabled through the Server Manager roles node.
NOTE Deploy the WDS role before continuing with the deployment of the PXE Service Point role on the server.
To enable CMT to support OS deployment for SITET, complete the following steps: 1. From within the ConfigMgr console, expand the Site Management node. 2. Expand ABC - Central Site. 3. Expand Site Settings. 4. Expand Site Systems and select CMT. 5. Select the New Roles action. 6. Click Next to skip the General page. 7. Enable the PXE Service Point role. 8. Enable the State Migration Point role and click Next. 9. When prompted, click Yes. 10. Add the d:\state folder and click Next. 11. Uncheck Require a Password for Computer to Boot Using PXE, and then click Next. 12. Select Import Certificate. 13. Click Browse and select c:\Temp\OSDOT.pfx. 14. Enter the certificate password and click Next. 15. Review the summary and click Next. 16. Close the wizard when the installation is complete.
Implementing Regional Server Infrastructure
161
Implementing Regional Server Infrastructure Because SITE1 and SITE2 are located on different subnets separated by a WAN connection, a regional Distribution Point will be configured on the server DP2. In addition to the DP role, the State Migration Point and PXE Service Point roles will be deployed to support OS deployment for this region. To support the BITS-enabled Distribution Point and State Migration Point roles, first install and configure IIS, as described in the "Implementing Internet Information Services (IIS)" section. Also be sure to configure SSL and the correct WebDAV settings.
Deploying Windows Deployment Services The PXE Server Point also requires the Windows Deployment Service (WDS) role. This role is available natively on Windows Server 2008. To enable WDS on DP2, complete the following steps: 1. From DP2, open Server Manager. 2. Select the Roles node. 3. Click the Add Roles action. 4. Enable Windows Deployment Services and click Next. 5. Only enable the Transport Server role service, and then click Next. 6. Confirm the deployment and click Install. 7. Close the wizard when the installation is complete.
Deploying Regional Site Components Before deploying any regional site component, make sure the CM1 computer account has been added to the local administrators group on the local server. This can be done through the Configuration node of Server Manager on the regional server. To enable Site System roles on DP2, do the following: 1. From within the ConfigMgr console on CM1, expand the Site Management node. 2. Expand ABC - Central Site. 3. Expand Site Settings. 4. Select Site Systems. 5. Select the New - Server action. 6. Type DP2 in the Name field. 7.
Type
DP2.COMPANYABC.COM
in the FQDN field and click Next.
8. Enable Distribution, State Migration, and PXE Service Point, and then click Next. 9. When prompted, click Yes.
162
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
The next section configures each component. 1. Enable Allow Clients to Transfer Content from This Distribution Point Using BITS, HTTP, and HTTPS. Click Next. 2. Do not enable multicast and click Next. 3. Do not enable virtual application streaming and click Next. 4. Add the d:\state folder and click Next. 5. Uncheck Require a Password for Computer to Boot Using PXE, and then click Next. 6. Select Import Certificate. 7. Click Browse and select \\cmf\c$\Temp\OSDOT.pfx. 8. Enter the certificate password and click Next. 9. Review the summary and click Next. 10. Close the wizard when the installation is complete. During deployment, Configuration Manager automatically adds the computer account of the component server to the local SMS_SiteSystemToSiteServerConnection security group located on CMT and the correct SQL role on the SQLT server.
NOTE Branch Distribution Points are deployed in the same way standard Distribution Points are. The primary difference is the selection of the Enable as a Branch Distribution Point option during the configuration. Branch Distribution Points are also supported on client operating systems, such as Windows 7, but are limited to 10 concurrent connections.
The installation of the site components can be monitored with the s i t e c o m p . l o g file on the CMT server. In addition, logs for each service can be located in the SMS\Logs folder on the remote system. These log files can assist with troubleshooting problems with deployment or administration.
Controlling Client Access to Regional Servers A client will attempt to download from a regional Site Server before trying a Site Server in a remote site. When a Site Server is protected, the boundaries that the Site Server is allowed to communicate with are added to the ConfigMgr Site System properties component. If a client is within the boundaries of a protected Site Component Server, the client is required to use that Site Server. Managed systems that fall outside the boundaries of a protected Site Server cannot access that Site Server. This effectively protects the site and is often used to ensure effective bandwidth control.
Discovering and Managing Clients
163
NOTE Software deployments can be configured to override the protected status for the component, allowing clients to download software from a remote Distribution Point even when the client is located within the protected boundaries of a regional Distribution Point.
To protect DP2, do the following: 1. From within the ConfigMgr console, expand the Site Management node. 2. Expand ABC - Central Site and then expand the Site Settings node. 3. Expand Site Systems and select DP2. 4. Select ConfigMgr Site System and click the Properties action. 5. Enable the Enable This Site System as a Protected Site System option. 6. Click Select Boundaries and click the New button. 7. Select SITE2 from the list, and click OK to apply the changes. This Site Server will exclusively manage clients that belong to SITE2. This includes Distribution, PXE Service, and State Migration Points. Clients in this site will continue to use the Management Point on CM1.
NOTE It is reasonable to also protect the Site Server in SITE1. However, having an unprotected Distribution Point is often beneficial in specific scenarios. For example, a critical package deployment might supersede the risk of potential network impact. If this functionality is desired, then plan to have at least one unprotected Distribution Point, typically located in a site with a large amount of bandwidth.
It is important to make sure content is replicated to the appropriate Distribution Points throughout the hierarchy and the setting to override protected Distribution Points is used very carefully.
Discovering and Managing Clients After the Configuration Manager hierarchy has been fully implemented, client systems can be discovered and agents installed. Configuring Client Agents with a "simple" schedule allows the distribution of load placed on the system. Unless the server and environment have been sized to receive and process data from all clients simultaneously, care should be taken to distribute the load over a longer period.
164
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
Configuring the Client Installation Methods The Client Installation Methods container holds the two installation options. The Client Push Installation option is typically used to perform client deployment. The settings within the Client Push Installation configure the command-line options used when the client is pushed, the account used to access the remote computer, and if one of the Configuration Manager discovery methods triggers an installation of the client on remote systems. A client can be pushed manually from the Configuration Manager console or executed automatically when a Discovery Method is executed. It is important to disable the Automatic Push Installation option until the client is tested and the correct options set. To configure the Client Installation account, complete the following steps: 1. Open the properties of the Client Push Installation. 2. Select the Accounts tab. 3. Add an account with local administrative rights to the systems. 4. Select the Client tab. 5. Add CCMHOSTNAME="cmf .companyabc.com" to the Installation properties. 6. Apply the changes. This account will be used to push the Configuration Manager agent to client systems. The command-line option CCMH0STNAME="cm1 . c o m p a n y a b c . c o m " is used to configure the Internet-Based Management Point. This is the Management Point the agent will communicate with when outside the local network. The SMSSITECODE=ABC command is configured by default to set the agent's assigned site. If the agent is being pushed from a Central Site Server, but will be managed by a lower-level Site Server, this value should be changed to SMSSITECODE=AUTO, allowing the client to choose the correct site code based off of the configured boundaries. Verifying the agent installation and configuring the correct options is the first step. Deploying agents in phases is the second step, before finally enabling the automatic client deployment.
Configuring Discovery Methods The Active Directory System Discovery option is the most common method used to find potential systems to manage. The main advantage to the AD System Discovery option is its efficiency in a well-maintained domain. Ensure that computer accounts that are no longer used have been disabled or removed from the Active Directory domain. To enable the Active Directory Discovery method, do the following: 1. From the ConfigMgr console, expand the Site Settings node. 2. Select the Discovery Methods node. 3. Open the properties of the Active Directory System Discovery method. 4. Enable Active Directory System Discovery. 5. Click the New button to add an AD container.
Discovering and Managing Clients
165
6. Accept the default options and click OK. 7. When prompted, select companyabc.com, and click OK. 8. Select the Polling Schedule tab and enable Run Discovery as Soon as Possible. 9. Click OK to execute the discovery now and then reoccur every day. The status of the AD server discovery can be viewed in the the results of the discovery, do the following:
a d s y s d i s . log
file. To review
1. From the ConfigMgr console, expand the Computer Management node. 2. Expand Collections and select the All Systems collection. 3. Click the Update Collection Membership task. 4. Click OK when prompted. 5. Click the Refresh action. The collection should show all the clients in the domain. It is important to make sure the Assigned column is set to "yes" for all clients. If clients are not assigned, the boundaries for the client have not been added to the Site Server. Unassigned clients will not be automatically installed. To monitor the client deployment, watch the c c m . l o g and f s p m g r . l o g files.
Configuring Collections Many client attributes are collected when an Active Directory System Discovery takes place. One of the useful properties is the AD Site Name. Collections can be configured to dynamically group systems from the different sites around the network together. This can assist in the phased client deployment approach. To configure a collection, do the following: 1. Select Collections. 2. Click the New Collection action. 3.
Enter
SITE1
in the Name field and click Next.
4. Click the Query Rule button. 5.
Enter
SITE1
in the Name field.
6. Click Edit Query Statement. 7. Click the Criteria tab. 8. Click the New button. 9. Click the Select button. 10. Select System Resource from the Attribute Class menu. TIP All of the attributes found in the System Resource class are available through the system discovery and do not require an agent.
166
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
11. Select AD Site Name as the Attribute and click OK. 12.
Type SITE1 in the Value field.
13. Click OK to close all windows and save the query. 14. Click Next to accept the remaining default collection settings. Repeat this process for SITE2. Now all the servers located in SITET are part of the SITET collection, whereas systems that are physically in SITE2 are in the SITE2 collection. In a real-world scenario, the reliability of this type of collection is governed by how much the clients "roam" between sites, how often the discovery is executed, and how often the collection is updated. Running the discovery more often doesn't typically put any additional load on Active Directory, even for very large environments with adequate domain controller hardware. Increasing the rate of collection updates should be done carefully to reduce the overhead on the Configuration Manager Site Server.
Installing the Agent After systems have been discovered and the appropriate collections have been created, the Configuration Manager agent can be pushed. To manually push the agent to remote systems, complete the following steps: 1. Select the SITET collection from the Collections node. 2. Select one of the servers and click Install Client action. 3. Click Next on the Welcome page. 4. Enable Include Domain Controller, if a domain controller was selected. 5. Click Next and then click Finish to start the installation. The client installation progress can be monitored from the c c m . l o g file and f s p m g r . l o g file. When the installation is successful, run the Update Collection Membership action and then refresh the collection to show the client status within the Configuration Manager console. NOTE Updating the membership of a collection is a two-part process: First execute the Update the Collection Membership action and then refresh the collection to show changes.
The agent deployment can be monitored from the client computer when troubleshooting issues. During installation, the agent creates a folder called ccmsetup in the Windows folder. Review the log files in this folder to examine the installation. CAUTION The ADMIN$ share must be available on the client for push installation to work.
Summary
167
If a client agent is not installed correctly, a service is left behind called ccmsestup. Restart the service to try the installation again without needing to redeploy the agent. The service attempts to restart the deployment every hour on its own.
Enabling and Monitoring Automatic Client Installation After the client deployment options have been tested and the Configuration Manager agent can communicate with the correct Management Point from both inside the network and across the Internet, the automatic client push settings can be enabled. This option is located on the General tab of the Client Push Installation properties. When enabled, both Servers and Workstations will have the agent automatically installed. Additional options are available to include domain controllers and Configuration Manager Site Systems. The automatic client push is triggered by one of the Discovery Methods. When a client push is executed, either manually or automatically with a Discovery Method, a Client Configuration Request (CCR) file is generated for each system. These CCR files are placed in a folder called c c r . b o x , this folder is a subfolder within Inboxes, which is located in the Configuration Manager Installation folder. If the client push fails, the CCR is copied to a folder called c c r r e t r y . box, which is also located in the Inboxes folder. Configuration Manager will attempt to install the agent once an hour for a week. A system that is continuously discovered but cannot install the agent will result in a perpetual deployment loop. This can place an unnecessary load on the Site Server, and should be addressed. To correct this problem, remove the CCR files from the c c r r e t r y . b o x to a temp directory. The CCR file can be opened with Notepad and the name of the systems that are failing to install the client can be identified. The CCR files can be safely deleted after analysis.
NOTE If the name of the computer exceeds 15 characters, the agent push might fail. This is because the name is truncated inside the CCR to 15 characters, which is the NetBIOS limit. To correct this problem, locate the CCR file for the failed installation. Set the Machine Name option to the FQDN and then copy the CCR file in the ccr.box to trigger the push installation.
Summary System Center Configuration Manager 2007 R2 provides a scalable, secure, end-to-end administration and reporting functionality. The deployment can be scaled out over many servers to support hundreds of thousands of managed clients, or installed on a single server for small enterprise deployments. In both cases, it is important to understand how each of the Configuration Manager roles works and the required dependencies for each role so the implementation is successful.
168
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
Best Practices The following are best practices from this chapter: • It is important to fully understand the architectural design before Configuration Manager 2007 R2 server infrastructure servers and roles are deployed. • If communication issues are a problem, make sure the settings on the local firewall have been configured correctly. For troubleshooting purposes, disable the local firewall temporarily. • Status messages will still be sent to the Fallback Status Point, even if the client system has become orphaned due to certificate configuration issues. It is important to deploy the Fallback Status Point before deploying clients. • Do not move domain controllers from the default OU. Moving domain controllers out of the default Domain Controllers OU is not supported. When an Enterprise Root CA is deployed, all domain controllers automatically receive a Domain Controller certificate. This certificate can be used for both client and server authentication. • Provisioning certificates with unnecessary OIDs is not recommended. Only provision the minimum requirements needed by the client to communicate with Configuration Manager. • The Windows Server 2008 Enterprise certificate option is not compatible with System Center Configuration Manager 2007 R2 with Service Pack 2. Choosing Windows Server 2008 Enterprise results in a version 3 template. To create a version 2 template, select Windows Server 2003 Enterprise. • When a computer object is added to a group, it can take a long time for the setting to take effect. This is because the Kerberos ticket takes seven days to renew. The renewal time is governed by the Maximum Lifetime for User Ticket Renewal setting located in the Default Domain Policy GPO. It is not recommended to change this setting. Instead, restart the computer to refresh the Kerberos ticket. • Make sure the subject name of the Site Servers' Document Signing certificate is set to: The site code of this site server is . The represents the site code that will be entered during the Configuration Manager implementation. • Until the Windows Server 2008 R2 managed service accounts are supported, use domain user accounts with limited access to run SQL Server services. • The RTM version of SQL server 2008 is not compatible with Windows Server 2008 R2 until the latest service pack is applied. Download and install the latest service pack to ensure compatibility. • Make sure the SPN on the SQL service account is configured correctly; otherwise, the installation of the Configuration Manager database will fail. The failed installation needs to be removed and then tried again. This is time consuming, so it's beneficial to get it right the first time.
Best Practices
169
• Make sure the correct SQL server ports are opened in the local Windows firewall. For additional information and a script to open SQL ports, see the following Microsoft Knowledge Base article at http://support.microsoft.com/kb/968872. • Review the E x t A D S c h . l o g file for any errors after the AD schema has been extended. This log file is located in the root of drive C on the server used to execute the schema extensions. The log file should show 14 attributes and four classes have been defined. • The WebDAV service is available natively on Windows Server 2003 and Windows Server 2008 R2 editions. For Windows Server 2008 RTM, the WebDAV component must be downloaded from Microsoft and installed separately, prior to configuring IIS. • Do not bother with the WSUS Configuration Wizard. When the wizard opens after WSUS is successfully installed, click the Cancel button. The Configuration Manager console provides the interface to configure synchronization with Microsoft. • Do not require all virtual directories within the WSUS Administration site to use SSL. Only the APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService should require SSL. • Make sure the W S U S U t i l . e x e c o n f i g u r e s s l is run after the WSUS website is configured to use SSL or the SUP communication to WSUS will fail. • Make sure the domain name has been added to the trusted Internet Explorer zone. This will be helpful when requesting certificates and working with Configuration Manager web pages. • Make sure the Configuration Manager Site Server Computer Account is in the local administrators group on all component servers and other Site Servers; this includes the Site Database server. The computer account of the Site Server is used to access and manage the remote server by default. • The status summarizer for the different components is not automatically changed from red or yellow to green if the component that experienced the problem is fixed. The component summarizer simply counts the number of warning and error status messages that have been received. Manually reset the counts of status messages to clear the error or warning status. • When configuring the parent/child relationship, be sure to add the parent Site Server computer account to the local administrators group on the child Site Server. In addition, add the child Site Servers computer account to the SMS_SiteToSiteConnection group found on the parent Site Server. • The T r a c e 3 2 . e x e log viewer provides a real-time view of the Configuration Manager status logs. This tool is invaluable when troubleshooting problems and understanding the environment.
170
CHAPTER 3
System Center Configuration Manager Implementation
and Administration
• When deploying Site System roles to either the Site Server or a remote server, it is important to note the component installation wizard doesn't actually do the installation. Check the Site Status container from within the console along with the local installation logs for details on role installation. • A single SLP is needed for the entire Configuration Manager infrastructure; this SLP instance should be installed off the highest-level Primary Site Server, the Central Site. • To complete the configuration of the SLP, the correct record needs to be manually added to the WINS environment. Use the NETSH command-line tool to add this record to WINS. • Increase the number of messages allowed per hour by the FSP to support large client deployments. This prevents a backlog of status messages from occurring. • When a Configuration Manager role is deployed, the setup routine automatically selects the drive with the largest amount of free space. To prevent Configuration Manager from selecting a particular drive, create a file called n o _ s m s _ o n _ d r i v e . sms in the root of the drive on the remote system. • Never configure overlapping boundaries. This can cause managed systems to use the wrong Site Server or Distribution Point. This often happens when using a combination of IP and Active Directory boundaries. • Define the Network Access Account on the Computer Client Agent when managing non-domain members. This account is provided as a way for non-domain members to authenticate to Configuration Manager. This account should be a Domain User without additional permissions. • The default list of "Products" supported by the Software Update Point is refreshed and updated during the synchronization process. This adds things like Windows 7 and Windows Server 2008 R2 to the Windows section. Because the entire Windows product was selected, new operating systems will automatically be enabled as they are made available on the Windows Update site and through WSUS. • Use protected Site Servers to control access to a site. This is helpful to protect the bandwidth of a Configuration Manager managed site. • Having an unprotected Distribution Point is often beneficial in specific scenarios. For example, a critical package deployment might supersede the risk of potential network impact. If this functionality is desired, plan to have at least one unprotected Distribution Point, typically located in a site with a large amount of bandwidth. • It is important to make sure content is replicated to the appropriate Distribution Points throughout the hierarchy and the setting to override protected Distribution Points is used very carefully. • Configuring Client Agents with a "simple" schedule allows the distribution of load placed on the system. Unless the server and environment have been sized to receive and process data from all clients simultaneously, care should be taken to distribute the load over a longer period.
Best Practices
171
• A client can be pushed manually from the Configuration Manager console or executed automatically when a Discovery Method is executed. It is important to disable the Automatic Push Installation option until the client is tested and the correct options set. • All of the attributes found in the System Resource class are available through the system discovery and do not require an agent. This class can be used to create collections for systems that don't yet have an agent. • Review the \\client\admin$\ccmsetup\ folder on remote systems for information about the client deployment. • Updating the membership of a collection is a two-part process: First execute the Update the Collection Membership action and then refresh the collection to show changes.
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and Operating Systems System Center Configuration Manager (ConfigMgr) 2007 R2 provides a highly scalable, bandwidth-aware distribution and execution system. Several Configuration Manager key roles have been designed specifically to facilitate the provisioning of Windows software, updates, and operating systems throughout the Microsoft infrastructure. This chapter helps the administrator understand how each role within the Configuration Manager hierarchy is used and how to create an effective way for managed systems to locate and receive content. This includes how to provision content based on an array of complex business deployment scenarios. In addition, this chapter explains how to monitor distribution of content to ensure accuracy and compliance.
Understanding the Infrastructure Several key roles within the Configuration Manager hierarchy work collectively to provide the rich deployment infrastructure. The following list describes each Configuration Manager role as it relates to the distribution of software, updates, and operating systems. Each role can be installed on a separate server for a very high degree of scalability or colocated on the same server for smaller environments. Additional information on planning the Configuration Manager infrastructure can be found in Chapter 2, "System Center Configuration Manager 2007 R2 Design and Planning."
IN THIS CHAPTER •
Understanding the Infrastructure
•
Understanding How Clients Locate Content
•
Understanding How Internet Clients Locate Content
•
Understanding Computer Management
•
Configuring the Computer Client Agent
•
Configuring the Advertised Programs Client Agent
•
Understanding Distribution Points
•
Defining Collections
•
Understanding Software Distribution
•
Publishing Software
•
Deploying Software Automatically
•
Monitoring Software Deployment
•
Understanding Update Distribution
•
Understanding Operating System Deployment
•
Preparing Required Packages
•
Managing Operating System Install Packages
•
Deploying Operating Systems
174
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
Distribution roles of Configuration Manager are as follows: • Computer Client Agent—This agent controls core Configuration Manager client functionality. This includes how often the client checks for new policies, how reminders are shown for mandatory assignments, branding configuration, BITS bandwidth control, and client restart options. • Advertised Programs Client Agent—This agent controls the software distribution functionality of the Configuration Manager client. This includes the ability to deploy content to system- and user-based targets. In addition, how newly published software is displayed and the countdown prior to having scheduled content executed can be configured. • Distribution Points—The Distribution Point site role hosts content for clients in a specific location. Content includes software, updates, and images used for OS deployment. Strategically placed Distribution Points are key to effectively deploying content. • Default Management Point—This is the Management Point located in the client's assigned site. The client will use this Management Point when the client is within the boundaries of the assigned site, or when a Regional or Proxy Management Point is unavailable. • Resident Management Point—This is a Management Point located in a different site other than the client's assigned site. When global roaming is configured, the client will use this Management Point to locate Resident Distribution Points with the content. • Internet Management Point—This is a Management Point that handles Internet clients. When a client is managed over the Internet, it is configured with the FQDN of the Management Point designated to handle this type of traffic.
Understanding How Clients Locate Content The Configuration Manager infrastructure along with Active Directory integration provides clients with the ability to roam the entire Configuration Manager infrastructure and find the closest Distribution Point (DP) to receive content. A client will attempt to get content from a Resident Distribution Point before a remote Distribution Point.
NOTE Global roaming can be achieved when the Active Directory schema has been extended. If the schema hasn't been extended, then only regional roaming is available. Regional roaming only allows client roaming to sites lower in the hierarchy. If the client roams to a peer site, or parent site, content cannot be downloaded from Resident Distribution Points.
When a client is started, or changes networks, a local discovery is triggered to identify the closest Management Point. The closest Management Point then provides the client with a
Understanding How Clients Locate Content
175
list of Distribution Points for content. The agent evaluates the list of DPs and chooses the most appropriate DP to obtain content based on several factors. For example, the client will choose a BITS-enabled Distribution Point over a non-BITS Distribution Point. A client will also choose a standard Distribution Point before choosing a Branch Distribution Point, How a client locates content is shown in Figure 4.1. PC1 (10.10.1.x)
(172.16.1.x) FIGURE 4 . 1
How clients locate content.
An agent locates content in the following way: 1. The client queries Active Directory to identify the closest Management Point in the hierarchy. The client will choose the Management Point based on the network boundaries in which the client currently resides. 2. If a Resident Management Point is unavailable, the client will default to the Management Point in the site the client was originally assigned. The client communicates with the selected Management Point to locate content. The Management
176
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
Point provides the list of Distribution Points that contain the appropriate content. Only applicable DPs are provided. 3. If the client is within the boundaries of a protected site, the Management Point only provides a list of DPs for the protected site, even if an unprotected Distribution Point with the content is available.
NOTE To override protected boundary behavior, enable the Allow Clients to Fall Back to
Unprotected Distribution Points when the Content Is Not Available on the Protected Distribution Point option on the package advertisement.
If the Distribution Point chosen by the client is not available, the client will attempt to download content from that Distribution Point for 8 hours. If after 8 hours the client's default Distribution Point is unavailable, the client system will locate the content on a different Distribution Point and begin the download process. It is important to monitor the health of Distribution Points and make sure they are available. If necessary, remove the Distribution Point role from unhealthy servers to prevent clients from selecting the server for content. The same rule doesn't apply to Branch Distribution Points. If a Branch Distribution Point is not available, the client only retries the connection once before moving to the next Distribution Point.
Understanding How Internet Clients Locate Content A client configured for Internet-based client management is configured with the FQDN of a Management Point accessible from the Internet. This is typically done with specific command-line options during installation, but can also be done after the agent is installed.
NOTE It is important to only assign an Internet Management Point from the client's assigned site. Assigning an Internet Management Point from a different site than the client's assigned site is not supported.
If multiple Configuration Manager sites have been implemented and they support clients on the Internet, multiple Internet-facing Management Points are needed. When a client on the Internet contacts the assigned Internet Management Point, the Management Point provides the list of Distribution Points that are also accessible from the Internet. The client chooses from one of these Distribution Points to locate content.
Understanding Computer Management
177
Understanding Computer Management It is important to ensure the infrastructure has been configured correctly to support effective content distribution. To deploy content, the Configuration Manager client should be installed on the target, Management Points need to be configured and working correctly, Distribution Points should be strategically placed, and the overall health of the environment should be validated. For additional information on implementing these roles and validating the health of the infrastructure, review Chapter 3, "System Center Configuration Manager Implementation and Administration." The Computer Management node in the Configuration Manager console provides access to all of the functionality needed to distribute software. Subsequent sections and examples refer to the Computer Management node. To locate the Computer Management container within the Configuration Manager console, do the following: 1. Open the ConfigMgr console. 2. Expand Site Database (ABC - CMf, Central Site). 3. Expand Computer Management. The Computer Management node is shown in Figure 4.2. Configuration Manager Console -¿I F i e
Action
" » I '
-if J
View F I :
a
I B
ITH
•¡¿y System Center CanfiojratwnManager
Computer Management
I
Action»
S -3 5 t e Database (ABC - C M l , Central s t e ) f f i i j j Ste Management ^ *
Colections Conflicting Records
dP Colertons Conflicting Records
Software Qsb button Software Updates
¡ E ¡ r Saftware updates
'£
•i Operatng Sysîcrn DecioyT^nt . i J A s e t i n teft pence
O,
50 L- Asset Inteligente
« S o f t w a r e Metering
I if
*
Software Hetenrg
¿ j j Reporting
Reporting
• ^ D e s r e d Configjmöon Management
f
S
Í Qperatng System Deployment
B
± . ^ j Dçsred Configurata", Management
Quenes
S LA Quenes
MoWe D e v r a Management
*
Metale Device Management
T¿¡ Metwort A c c è s Protection
'£ f j j NetÄdric ACCESS Protecmn ffl I J i System States ffl Mj Security PtÇhts f f l S f Tools
FIGURE 4 . 2
Computer Management container.
Refresh &OOrt Lut..,
178
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
The Software Distribution node, the Software Updates node, and the Operating System Deployment node are detailed throughout this chapter. In addition, several Site Settings that facilitate content distribution are also identified.
Configuring the Computer Client Agent The ability to effectively distribute software with Configuration Manager requires an understanding of how the Configuration Manager hierarchy has been configured and which of the Site Settings affect the software distribution functionality.
NOTE In a multisite Configuration Manager hierarchy, the client agents are independent and can be uniquely configured for each site depending on business requirements. Use the Site Setting Transfer Wizard to copy settings from one site to another.
The Computer Client Agent is located in the Site Settings \ Client Agents container within the Site Management container. This agent is responsible for the core functionality of Configuration Manager and can be used to manage several key Configuration Manager aspects.
Configuring Network Access and Policy Retrieval On the General tab of the Computer Client Agent, several important configuration options are available. It is important to configure the Network Access Account when deploying to managed systems that are not part of the domain or otherwise don't have a way to authenticate and receive content from Distribution Points. The Network Access Account is also used during operating system deployments. The policy polling interval configures how often the client asks the Management Point for new policies. A policy can contain many different things, such as a schedule to run software or updates or a change to the client settings.
NOTE The polling interval for specific groups of computers can be controlled through the collection settings. This is typically used to increase the polling cycle of Branch Distribution Points to improve how quickly they become aware of new content.
The state messages reporting cycle controls how often client state is reported back to the Management Point. State messages provide information about client actions and are helpful when monitoring the progress of content distribution. Be cautious if lowering the default polling cycle for either policies or state messages because this directly increases the load on the Management Point and the underlying network infrastructure.
Configuring the Computer Client Agent
179
Customizing the User Experience The Customization tab provides the ability to brand messages to improve the user experience when provisioning content. At a minimum, the Organization Name field should be changed from the default "IT Organization" to the actual name of the company. In this case, the name was changed to Company ABC. It could be helpful to put support and contact information in the Software Updates, Software Distribution, and Operating System Deployment fields. The Reminders tab contains customization options for how often the user is reminded about a mandatory assignment. This means content is scheduled to be executed on the system and might impact the users' productivity. This setting can be overridden during software deployment, specifically when no user impact will occur or the deployment contains custom notifications, such as with update distribution. The option to override reminders and notifications is shown in Figure 4.3. Office Enterprise (Hidden) Properties Windows lr*îtâ*r General
|
I
Requirements
MOM MaintenanceMod« |
Ênvrorment
Advanced
You can specify additional criteria for installing and rursnintj the program. You can also temporarily disable the program.
Run another program first:
r I
3
Ar,vnyn u i th'~ prcigrnm f i r : "
When this program is assigned to a computer:
h
-—
3
Supsress program notifications A disabled program is not displayed cm run on clients. Disable this program on computers where it s advertised.
P Allow ths program to be installed from the Instail Software task sequence without beng adverteed OK
FIGURE 4 . 3
I
Cared
|
11
Help
Suppress Program Notifications option.
The Restart tab simply provides the global settings to control how much time is given before the Configuration Manager agent restarts the target system. This is only used when the program is set to ConfigMgr Restart Computer after the program is run.
NOTE The restart settings for specific groups of computers can be controlled through the collection settings. This is typically used when a department has different business requirements for computer restarts.
180
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
Controlling Bandwidth The BITS tab is very important. This provides the ability to control bandwidth utilization for all systems managed by the site. The default setting is to only apply bandwidth control to Branch Distribution Points; however, BITS bandwidth control can also be applied to all clients in the site. BITS can be set up to throttle downloads within a specific time frame. This is typically used to limit bandwidth during peak hours. The Allow BITS Download Outside of Throttling Window setting is used to set a bandwidth usage limit that falls outside the defined start and end times. If this configuration is not enabled, BITS downloads will occur at full speed when outside the defined window.
NOTE For more granular BITS configuration, consider using a group policy to control BITS communication for specific sites and/or groups of systems. Domain-level group policies override the settings configured through the Configuration Manager console.
The BITS settings found on this tab are actually used to configure the local computer policy on the client system. To verify the settings have been applied correctly, open gpedit.msc on the local computer, expand Computer Configuration, Administrative Templates, Network, and then select the Background Intelligent Transfer Server (BITS) container. The Limit the Maximum Network Bandwidth for BITS Background Transfers setting will be enabled if the settings have been correctly applied to the client. The resulting GPO after configuring the BITS to 20Kbps between 8:00 a.m. and 5:00 p.m. is shown in Figure 4.4.
Configuring the Advertised Programs Client Agent The Advertised Programs Client Agent is located in the Site Settings \ Client Agents node within the Site Management container for the site. This agent is responsible for content distribution functionality on managed systems. The General tab can be used to enable and disable the ability to distribute software to managed systems. When software distribution to clients is enabled, managed computers can receive advertisements. In addition, several additional settings are available, including the ability to target users and integrate with Add or Remove Programs.
NOTE The Integration with Add or Remove Programs setting provides the same type of OSlevel integration as Active Directory software publishing.
Understanding Distribution Points
-JSl-ii
L i m i t t h e m a x i m u m n e t w o r k b a n d w i d t h f o r BITS b a c k g r o u n d t r a n s f e r s f**]
Limit tire m a x i m u m n e t w u t k b a n d w i d t h fm BIT5 bai.kyruurid transferí
181
Previous Setting
Next Setting
C Neil CtjrifTyurrrî f
Enabled
r
Uisabied
Options:
Help:
Limit b a c k g r o u n d transfer rate I Kbps) to:
[3
3
Tram to
|s AM
fiPM
I his policy settinq limits t h e n e t w o r k b a n d w i d t h t h a t B ac k gr oun d Intelligent Transfer Service (BITS) uses f o r b a c k g r o u n d transfers. (This policy setting does n o t affect f o r e g r o u n d transfers.) V o u con specify a l i m i t to use d u r i n g a specific t i m e interval a n d at ell other t i m e s . For example, l i m i t t h e use of n e t w o r k b a n d w i d t h to 1U Kbps f r o m B:tK) A . M . to P.M., a n d use all available unus e d b a n d w i d t h t h e rest of t h e day's hours.
^
At all o t h e r times ^
Use all available u n u s e d b a n d w i d t h
OR I iiuil Ihu k y n i u n r l l i r t i i v f n riili* I Klips) lu:
E
'
If y r m Mirth lr I Ins piiIn y s r l l i n y , RFTS w i l l limit it% t M n d w i d t h usage lu t l i e specified values. Y u u (.an u p c t i f y t h e l i m i t in fcilubits per second (Kbps). If y o u specify a value less t h a n 2 kilobits, DHS will c o n t i n u e to use approximately J kilobits, I o prevent B l l b transfers f r o m occurring, s p e c i f y a l i m i t o f 0 . If Yiin d t u i h l r EM tin riul c rinficfiiir llus policy s r t l i n i j , BITS u i t j all available u n u s e d b a n d w i d l h . N o t e Y o u s h o u l d base t h e l i m i t o n t h e speed o f t h e n e t w o r k link, n o t t h e c o m p u t e r ' s n e t w o r k interface card (NIC). This policy setting does not affect Peercaching transfers b e t w e e n peer
I
FIGURE 4 . 4
Cancel
|
Apply
j
BITS local Group Policy setting.
Understanding Distribution Points Client computers request policies from Management Points. When the client receives a policy for content, the content for the target can be executed interactively or automatically. In either scenario, the client asks the Management Point for a list of potential Distribution Points, and the Management Point returns a list of Distribution Points based on the current location of the client. This includes Resident Distribution Points when the client roams throughout the hierarchy and Internet Distribution Points when the client roams outside the hierarchy. It is imperative that Distribution Points are strategically placed and assigned the correct protected boundaries to ensure cost-effective deployment. When content is assigned to a standard Distribution Point, it's pushed to the Distribution Point from the Site Server. When using a Branch Distribution Point, the Configuration Manager client on the branch system is used to download the content from a Distribution Point configured to support BITS transfers. It is important to make sure the Branch Distribution Point has access to a standard Distribution Point and isn't completely isolated due to protected boundaries.
182
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
NOTE When using a Branch Distribution Point, it is important to ensure this system is relatively static. For example, assigning a Branch Distribution Point to a laptop that roams to different sites is not recommended.
After the Management Point provides the list of available Distribution Points to the client, the client chooses the best-suited Distribution Point to receive content. Distribution Points that are located on the same IP subnet are chosen first, followed by Distribution Points in the same Active Directory site, before falling back to a Distribution Point in the client's assigned site. For additional information on Distribution Point design, review Chapter 2. By default, the contents of a package are pushed to Distribution Points from the Site Server that created the package. This behavior can be changed by enabling the Send Package from the Nearest Site in the Hierarchy option, located on the Distribution Point tab of the Software Distribution properties. To locate the Software Distribution properties, expand Site Settings and select Component Configuration. Select the Software Distribution item, and click the Properties action. The options to control content distribution are shown in Figure 4.5.
Gineal
Distribution P o l l * ]
Packages can b e d i s t n b i r t f f d c o n n * r e r i t J y t o m L i t j p i e ctstrtwjtton p o i i t s . Specify f c n i t a für r o n o j r r e n ï d i s t r i t w t a n a n d r e t r y s e t t n g s .
Concurrent distribution settings Maximum nt/nber or'packages:
|{3
Maximum threads per package:
Is
-d
Retry settings Number of retries:
1100
d
M a y before refryrig (minutes):
I30
=d
Number of retries:
|3
-d
• d a y before retryng (minutes):
Ji
id
Multicast retry se tings
I?
Send package from T i e near e s t site m I h e hierarchy
OK
FIGURE 4 . 5
I
CanoH
I
I-UI-.I.:
I
Htlp
Software Distribution Properties.
Defining Collections Collections are an important aspect of successfully delivering content. A collection defines a group of systems based on many different attributes. For example, all the systems in a specific area can be part of a site-specific collection or all the systems that share a
Defining Collections
183
common piece of software can be part of a software-specific collection. A system can be part of more than one collection. It is important to define collections based on your requirements. Collections can be used for content distribution, and many reports can filter results based on collection membership. A collection can be based on many different attributes. For example, it is common to create collections for each location, which allows region-specific content provisioning and reporting. Even if content is provisioned to the entire organization, region-specific collections can be used to report compliance and status for each area. Collections can be created with static, manually added members. However, this type of management is not very scalable and should only be used when necessary. Designing collections based on queries is recommended for a much more scalable infrastructure. The query that defines a collection can be based on any hardware or software inventory data, along with information collected during the client discovery cycles.
NOTE The collection query language is based on WMI Query Language (WQL), which is similar to T-SQL. For example, the % character is used for wildcard matching. For additional information, see the following Microsoft TechNet site: http://msdn.microsoft.com/en-us/library/aa394552.aspx
To create this custom collection that only contains workstations from the SITEf Active Directory site, complete the following steps: 1. Expand Computer Management and select Collections. 2. Click the New Collection action. 3. Type SITE1 -Workstations as the name, and then click Next. 4. Click the New Query button. 5. Enter SITE1 -Workstations as the name, and then click Edit Query Statement. 6. Select the Criteria tab and click the New button. 7. Click the Select button and then choose the System Resource attribute class. 8. Choose the AD Site Name attribute, and click OK. 9. Click the Value button, select SITEf from the list, and then click OK twice. 10. Click the New button again. 11. Click the Select button, and then choose the System Resource attribute class. 12. Choose the Operating System Name and Version attribute, and then click OK. 13. Choose the Is Like operator, and then type %Workstation% in the Value field. 14. Click OK, and then click OK again to save the query statement. 15. Click OK again to save the query.
184
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
Create another collection called SITE2-Workstations that only contains workstations from the SITE2 Active Directory site. The software distribution and update distribution tasks will use these new collections for software deployments.
NOTE If the scope of a collection is limited based on another collection, be sure to set the appropriate collection update schedule. The source collection should update before the target collection, or the results of the collection could be almost a complete update cycle behind. By default, a collection is updated every 24 hours, starting from when it was created.
Maintenance windows on collections (select the Modify Collection Settings action) control when a system can run an advertisement. This is important because it can affect how content is provisioned. For example, if the sum of the package program Run Time and the countdown delay time are greater than the maintenance window, the scheduled advertisement won't run.
NOTE It is important to understand how maintenance windows work. When more than one maintenance window affects a system, the maintenance windows are effectively combined.
The maintenance window on the SITE2-Servers collection is shown in Figure 4.6. J U . U , I . . , L L J J J . , „ B
X]
UTE 2 Server Maintenance
Effective date:
1 1/ 2/2010
Start:
1 1:00:00 AM
Duration:
|3Hour{s)0Miriute(s)
Bid:
1 4:00:00 AM
r UTC Recurrence pattern C* None
Rpn ir pvpry
(• Weeldy
ijqAjpi^ltfc.
O
197
ÂftrtJïrtjnfP~
^ Ht#l Home Pa$e 1... I Wn
Dstfay »fTnare I Í ) I ' ( «nctonce 'v » spe-=-*í ven^f, uodéls { j u s ^ i t r 1 , «*J r«¡c«e dale.
Nr™ kVryfe». fro... A
BS53£B*S1
í&3a KHJ9-0/Ï
* Q4 MúbfcOtvtteMviaQcmcr S Ntfwrfc *C«SÍ íWeCtO ffl J^SrttpnSwajj S Uí S«Lrtyfcshfc» « 13 T e *
A £ sa»
««-o«
*
HS09-OÏ*
»1052
3
Síarvty UOdtft ftr mstrrHtOstOrtr 9 fir Wrtí Síftíltí MWíte fir MírOSOftOffí*
£ 9Í136
XS09-030
Seftnty update ftrmuw Svi(r 3506 ' M ü t i r Wsí
MSOS-OJq
Sífcrty u>í*to fir w r t W Swcf aw 09971W)
*
MS09-0« J
SífcntyW>í4tc
fir
SoÄv.« ...
3009 0*t Str*tr mi K B ' l W )
, B
fraserB« >
»Software UOdaies fiuid.
UM 01« Me*r>Q irii, rejero, and rtswcei 10 nwijfle »finare it-ijífcj Inürni« f-Ttatr
Web Reports tj Confore Software Update; Offit
4 Conptonce
«orage Sofanre '.Çdates
# Sotes 1
^ Contare Software Update Poril
^ Scan 1
Software Updates Chetttm Ô Software update TïoutMw... ^
4 Maragener^ .
FIGURE 4 . 1 2
HcriKQftUpdateCaíatoganH...
IWfeprMtct «M ïrttF" njt^ng n i H*Uitr frwi Mtrawftyou retal ihs lien, you may t*ve tú restart Ar
Ccifltf-V TediCoiter on Mn„.
Software Updates home page.
The default scan schedule and the deployment reevaluation schedule can be changed from within the Software Updates Client Agent. These settings control how often the local scans occur. The software updates scan defines how often the client reports compliance information to the Management Point. The scan done by the deployment reevaluation initiates a reinstallation of the patches that were previously installed but are now missing.
NOTE The deployment reevaluation simply reruns the existing software update deployment against the client. If the deployment doesn't have a deadline, or if the deadline for the updates hasn't passed, the client can schedule the installation of the previously removed updates.
Understanding Deployment Templates A deployment template is a set of rules for deploying updates to a collection. The update template contains information such as the name of the collection, if updates should restart the target system, custom notification options, update deadlines, and if the system should be restarted outside of the predefined maintenance windows.
198
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
NOTE A deployment template is only used to préconfiguré part of the update deployment with collection-specific settings. Changes to the template do not affect existing software update deployments.
A deployment template is typically created for each type of deployment and for each collection that will receive updates. This can often result in multiple templates for each collection. For example, a well-planned software update deployment strategy usually requires a template to assist with routine deployments and a different template to facilitate emergency deployments. The emergency template can be configured to restart systems outside of maintenance windows, whereas the template used for routine deployments would not allow this type of restart. To create the Workstations template, complete the following steps: 1. Expand Software Updates and select the Deployment Templates container. 2. Click the New Deployment Template action. 3. Enter SITE1 -Workstations as the name and click Next. 4. Select the SITEl-Workstations collection and click Next. 5. Click Next to accept the defaults; close the wizard when you are finished. This template points to the SITEl-Workstations collection and allows the deployment to restart the computer if necessary. Restarts are not permitted outside of the maintenance window for the collection. Another template can be created called SITEl-Workstations Emergency; during creation, enable the Allow System Restart Outside of Maintenance Windows option, found on the Restart Setting page of the wizard.
Identifying Updates and Creating Update Lists The appropriate updates for the environment need to be identified and added to an update list. An update list provides a simple method to add patches to a new or existing software update deployment and a way to report on the compliance for the patches on the update list. It is common to create as many update lists as necessary to meet the deployment and reporting requirements for the organization. For example, an administrator might create a new update list each month to assist with the deployment and reporting for a specific group of patches. An update list can be as broad or granular as necessary. For example, all patches for all workstations can be added to a list, or individual lists can be created for each workstation operating system for more granular deployment and reporting. Static update lists can be created to list all patches, with new patches added each month. A static update list is a good candidate to schedule the Overall Compliance report through email delivery. This shows the ongoing compliance for specific collections.
Understanding Software Distribution
199
NOTE Use the Overall Compliance report located in the Software Updates - A Compliance folder to show the compliance of a specific collection against a specific update list.
The updates are identified with a search folder, which includes the Security Updates, Critical Updates, and Updates patch classifications for Windows 7 workstations. To create the Windows 7 - Updates search folder, complete the following steps: 1. Expand Software Updates and then expand the Update Repository container. 2. Select the Search Folders container, and then click the New Search Folder action. 3. Enable the Product option, and then add "Windows 7" to the Product search criteria. 4. Enable the Update Classification option, and then add Security Updates, Critical Updates, and Updates to the Classification search criteria, and then click OK. 5. Enable the Search All Folders Under This Feature option. 6. Enter Windows 7 - A l l Updates as t h e n a m e , a n d click OK.
Select the Windows 7 - All Updates search folder. All of the Windows 7 updates will be listed. This is a combined list from the Security Updates, Critical Updates, and Updates classification. From this folder, all of the missing patches for Windows 7 can be identified and added to a Windows 7 - All Updates list.
NOTE Establish baseline update lists and update deployments to get the environment current.
To create the Windows 7 - All Updates update list, complete the following steps: 1. Select the Windows 7 - Updates search folder. 2. Sort the list by the requested column. 3. Hold Ctrl and select each requested update, and then click the Update List action. 4. Choose Create a New Update List. 5. Enter Windows 7 - All Updates in the Name field, and then click Next. 6. Accept the default values to complete and then close the wizard. When new Windows 7 updates are released by Microsoft, they can be added to the Windows 7 - All Updates list for overall compliance reporting and a new update list for controlled deployment.
200
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
Deploying Software Updates The deployment package is a combination of the the patch list and the deployment templates along with some unique information specific to the deployment, such as the package name. The process of deploying patches essentially creates both the package and the deployment for a collection.
NOTE The package is used to get the updates to Distribution Points, whereas the "deployment" is simply the Software Updates version of an advertisement.
When software update deadlines are used, it's common to create a new software deployment each time patches are released. The Software Update Deployment package defines the deadline for the patches added to the package; by default, this is two weeks from the date the package was created. If patches were added to an existing Software Update Deployment package and the deadline has expired, the patches would be installed immediately and the system restarted. If deadlines are not used, the patches can be added to an existing software update deployment without causing the patches to be installed immediately.
NOTE Leverage nested collections and the ability to include members of subcollections to potentially reduce the number of software update deployments needed.
Software update deployments target a single collection, so it is often necessary to have several software update deployments, essentially a deployment for each collection. To create the deployment package, complete the following steps: 1. Select the Windows 7 - All Updates list. 2. Click the Deploy Software Updates action. 3. Type Windows 7 - Baseline in the Name field, and click Next. 4. Select the SITE1 - Workstations template, and click Next. 5. Enter Windows 7
- Baseline in t h e N a m e field.
6. Enter \\companyabc\library\source\updates\windows 7
-
baseline in t h e
Package Source field, and click Next. 7. Click Browse and select the Distribution Points, and click Next. 8. Accept the remaining default settings, and then finish and close the wizard.
Understanding Software Distribution
201
The wizard downloads the requested patches from Microsoft Update and places them in the source folder on the network. The individual patches are taken from the source folder on the network and placed on the selected Distribution Points for target systems. The package is advertised to the target systems, and based on policy polling cycles, the targets will receive the update package.
NOTE Keeping the source folder name and the Software Update Deployment package name the same makes it easier to identify and clean up old patches and reclaim space on the file server.
The Software Update Installation notification reminder is shown in Figure 4.13.
•ir T
&
FIGURE 4 . 1 3
E Software Update Installation notification.
Managing the Update Deployment The software update deployment consists of two parts. This is similar to a package/advertisement configuration of a standard software distribution. The first part of the package is located under the Deployment Packages node. This contains a list of updates and is primarily used to get the updates to Distribution Points. The second part of the deployment is located in the Deployment Management node. This part is responsible for advertising the software updates on managed systems and controls the deadline to install updates.
202
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
Both the package and deployment contain a list of software updates. When creating a new deployment, updates can be added to an existing package or added to a new package. If updates need to be added to an existing deployment, select the updates from the update list, then drag and drop the update from the list onto the software update deployment located in the Deployment Management node. The Software Update Deployment Wizard opens and the update can be added to an existing package or a new package can be created. The software update package and deployment relationship is shown in Figure 4.14.
Patches:
Patches:
MS09-072 8 MS09-061
MS09-072 & MS09-061
Distribution Points: CM1
Distribution Points: CM1
Package
Package Patches: Patches:
MS09-072
MS09-072 8 MS09-061
Deadline: 1/15/2010
Deadline: 1/15/2010
Deployment
W\J Deployment
Patches: MS09-061 Deadline: 12/15/2009
Deployment
I Collection of Systems FIGURE 4 . 1 4
Collection of Systems
Software update deployment scenarios.
The deployment package has several options that allow granular control of the package. When used together, these options along with Maintenance mode windows on the collection allow for simple and effective patch deployment capable of addressing a wide range of potential deployment scenarios. The date and time to make the patches available controls when the user is initially given the notification stating that patches are available for installation. The deadline for the package forces the patches to be installed by a specific time. By default, target systems are given 2 weeks from the time the package was created to install the patches and, if necessary, restart the computer.
Monitoring Software Update Deployment The distribution of updates can be monitored with the different reports provided with Configuration Manager. All reports are located in the Software Updates folder on the Reporting Services Point and in the Software Updates category on the legacy Reporting Point. There are five main classifications, plus a folder to host legacy SMS 2003 update deployment reports. It is important to explore and understand each report.
Understanding Operating System Deployment
203
The Software Updates - A Compliance folder contains reports that detail the deployment of updates throughout the enterprise. The Overall Compliance report shows the compliance versus noncompliance percentage for a collection. The person running the report needs to select the collection and the update list to evaluate compliance. From this report, an administrator can view the percentage of systems that are compliant versus noncompliant. By clicking the collection ID in the Compliance or Noncompliance row, a subreport opens showing the names of the systems in each category.
NOTE Use the ability to drill through reports to quickly analyze a large amount of data. The Back and Forward buttons in the Reporting Services window can assist with quick navigation. When using the Reporting Services web interface, the navigational bread crumb trail can be used to assist with navigation.
The reports in other folders facilitate administration and troubleshooting of deployment updates. It is important to understand each report and the information that is provided.
Understanding Operating System Deployment The OS deployment functionality in Configuration Manager is highly modular. Each component is layered together to create a simple, effective system for distributing Windows operating systems. For example, the drivers, updates, and software are all managed independently outside of the base OS image. Each component is dynamically installed during the deployment process. Software packages and Software Update Deployment packages can be maintained as necessary without having to change the base OS image. New operating systems automatically get the latest software and updates during deployment. Device drivers are managed the same way; during the OS deployment, the PnP IDs are enumerated and the best drivers are automatically selected from the list of available drivers. The list of available drivers is maintained within the Configuration Manager console. Updating the drivers can be done at any time; subsequent OS deployments automatically install the latest driver. Common OS deployment technologies are as follows: • WinPE—The Windows Preinstallation Environment runs a small version of Windows used to initiate the OS deployment. The WinPE environment is typically initiated over the network with the PXE Service Point. • Operating system source—This is the location of the OS files. The OS media images are typically downloaded from Microsoft. The files are extracted and placed in the Operating System Source folder on the network.
204
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
• Operating system install package—This is the operating system package inside the Configuration Manager console that points to the Operating System Source folder on the network. • Task sequence—This set of tasks is used to execute the complete deployment. This includes everything from configuring the hardware, installing the OS, and deploying the correct software packages. • Drivers—These are the drivers that have been uploaded to the Configuration Manager driver repository. These drivers can be installed dynamically during the deployment process. • Driver packages—Specific drivers are grouped together for easier management. For example, all the drivers for a specific make and model of a server can be grouped together in a Driver package. The operating system deployment functionality is powerful and provides the ability to fully automate all or part of the OS provisioning throughout the Windows environment. Common OS deployment scenarios are as follows: • OS deployment—When a new system is procured, Configuration Manager is used to deploy a fully functional operating system either through a scripted installation or an image-based installation to a system that doesn't have an operating system. This is commonly used for both client and server systems. • OS refresh—A new operating system or an updated version of the existing operating system is deployed to an existing system. Existing profile and user data can be saved to an encrypted network location and applied to the new OS. The workstation is fully patched with all required software when the deployment is complete. This is typically scheduled by an administrator to run automatically or can be initiated by the end user. This is generally only done for user systems. • Hardware migration—When a new system is procured for an end user, existing profile and user data can be copied from the original system to an encrypted network location and then applied to the new OS on the new system. The new system is fully patched with all required software when the deployment is complete. This is typically scheduled by an administrator to run automatically or can be initiated by the end user. This is generally only done for user systems. Each scenario can be initiated several different ways. The most effective way to achieve an automated deployment is with the PXE Service Point and DHCP. If these protocols have not been made available on the network, deployments can be done with removable media, but this always requires additional administrative effort and should be avoided when possible. The deployment of server operating systems to enterprise server hardware can be greatly simplified by leveraging vendor-specific Configuration Manager add-ons. HP, Dell, and IBM have all published add-ons and whitepapers for Configuration Manager 2007 available at no additional cost. These publications contain detailed guidance for deploying
Understanding Operating System Deployment
205
server operating systems to their hardware and include things like configuring the RAID controller and performing hardware firmware updates from within the WinPE environment.
Operating System Deployment Requirements The Network Access Account is used during stages of the OS deployment when the system is not a member of the domain and cannot authenticate the Configuration Manager infrastructure. It is important to configure the network access account. The Network Access account can be configured within the Computer Client Agent properties. The correct client authentication certificates need to be installed on each PXE Service Point role. The required tasks to generate and import the PXE Service Point certificate are detailed in Chapter 3. In addition to the PXE Service Point certificate, the CA certificate needs to be downloaded and added to the Configuration Manager site.
NOTE If CRL checking is enabled, ensure the PXE Service Point certificates contain the HTTP path to the CRL. If only the default LDAP CRL path was specified on the OS deployment certificates, the deployment process will fail because the WinPE environment cannot authenticate to Active Directory to access the LDAP path to check the CRL.
To download the CA certificate, complete the following steps: 1. Open Internet Explorer and browse to https://cal.companyabc.com/certsrv. 2. Select Download a CA Certificate, Certificate Chain, or CRL. 3. If prompted, select Yes to allow the website to perform the operation. 4. Click the Download CA Certificate link. 5. Save the certificate to c : \Temp and close the website. Now the CA certificate needs to be imported into the Configuration Manager console. To import the CA certificate, complete the following steps: 1. Expand Site Database. 2. Expand Site Management. 3. Select ABC - Central Site and click the Properties action. 4. Select the Site Mode tab. 5. Click the Specify Root CA Certificates button. 6. Click the New button, browse and select the certificate, and then click Open. 7. Click OK and then apply the changes. During OS deployment, the certificates generated by the CA certificate will be trusted now that the CA certificate has been installed on the Site Server. If the server authentication certificates on the Site Servers were not trusted, the OS deployment would fail.
206
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
Preparing Software Distribution Packages Software distribution packages can be installed as part of the OS deployment on a target system. To prepare for OS deployment, an additional program should be added to the existing package or an existing program can be modified with the correct settings to support OS deployment. The OS Deployment Wizard does not allow selection of packages unless these options are configured correctly. In the "Understanding Software Distribution" section found earlier in this chapter, a package was created for Microsoft Office 2007. The package contains a program called Office Enterprise. To support deploying Microsoft Office 2007 during an OS deployment, create another program called "Office Enterprise (Hidden)" with the correct program settings. When adding a new program to support OS deployment, on the Environment page of the Program Creation Wizard, disable the Allow Users to Interact with This Program option. On the Advanced page of the Program Creation Wizard, enable the Allow This Program to Be Installed from the Install Software Task Sequence Without Being Advertised option.
NOTE The command line used to install the package during OS deployment should never initiate a reboot. Instead, the return code 3 0 1 0 should be used to tell the Configuration Manager client to restart the system and continue the deployment after the reboot. With Microsoft Installer (MSI)-based packages, reboots can be suppressed with the REB00T=ReallySuppress command.
Preparing Required Packages Dependent software deployment packages need to be created to support OS deployment. At a minimum, a package that contains the Configuration Manager client needs to be defined. The package doesn't need any programs created, but the contents need to be available on Distribution Points. If the user state needs to be captured, a package that contains the User State Migration Tools is also required.
Creating the Configuration Manager Client Package The Configuration Manager client is located in the Client folder within the Configuration Manager installation folder. The client package doesn't require a program; the OS deployment task sequence locates the correct executable and runs it with the appropriate command-line arguments. To create the Configuration Manager Agent package, complete the following steps: 1. Expand the Software Distribution container. 2. Select Packages. 3. Click the New - Package action.
Managing Operating System Install Packages
207
4. Type Configuration Manager Client in t h e N a m e field.
5. Type 2007 in the Version field. 6. Type Microsoft in the Manufacturer field and click Next. 7. Set t h e source to d:\SCCM\Client.
8. Complete and close the wizard. Add the required Distribution Points to the package. All areas for which OS deployment will be used need access to this content from a Distribution Point.
Creating the User State Migration Package The User State Migration Tool needed for Windows 7 deployments is already installed on the Configuration Manager Site Server as part of the Windows Automated Installation Kit (AIK) setup. The source files are located in the Windows AIK\Tools\USMT folder found within the Program Files folder. To create the USMT package, complete the following steps: 1. Expand the Software Distribution container. 2. Select Packages. 3. Click the New - Package action. 4. Type User State Migration Tool in t h e N a m e field.
5. Type 4.0 in the Version field. 6. Type Microsoft in the Manufacturer field, and click Next. 7. Set t h e source to c:\Program Files\Windows AIK\Tools\USMT.
8. Complete and close the wizard. Add the required Distribution Points to the package. All areas for which OS deployment will be used need access to this content from a Distribution Point.
NOTE A user state can only be captured from within a full operating system, before the new operating system is deployed. The user state cannot be captured from the WinPE environment.
Managing Operating System Install Packages Operating system install packages are managed the same way packages are managed for software distribution. It is important to establish a clean source on the network to host the operating system media. A Distributed File System (DFS) share is commonly used to facilitate moving the source content to different back-end servers without having to update the image source path in Configuration Manager.
208
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
The next tasks assume the operating system media for Windows 7 is located in the Windows 7 Enterprise 64-bit folder source in the DFS share called \\companyabc\library\source\0perating
Systems\.
The Windows 7 Enterprise 64-bit folder contains a copy of the Windows 7 DVD media. This is typically downloaded from Microsoft. To add the Windows 7 OS install package, complete the following steps: 1. Expand the Computer Management container. 2. Expand Operating System Deployment. 3. Select Operating System Install Packages. 4. Click the Add Operating System Install Package action. 5. Type the UNC of Windows 7 Enterprise 64-bit folder in the field and click Next. 6. Type Windows 7 64-bit in the Name field and click Next. 7. Complete and close the wizard. Expand the newly added operating system and select the Distribution Points tab. Click the New Distribution Points action and add this package to each Distribution Point that will support OS deployment functionality. In this example, both CM1 and DP2 Distribution Points should be added. The same process can be used to add the Windows Server 2008 R2 operating system to the environment. The original operating system image file provides a starting point for the OS deployment upon which drivers, software, and updates are layered.
Managing Drivers The required drivers can be downloaded from vendor websites and extracted to a network source location, similar to the source location for the software distribution and OS images. It is important to categorize the drivers by manufacturer, name, and version to ensure the correct drivers are imported into the console. When a driver is downloaded, it is often compressed inside an EXE file. The contents of the EXE need to be extracted. When drivers are imported, the INF, SYS, and CAT files are identified by Configuration Manager. Drivers can be imported by selecting the Drivers container and clicking the Import action. During the import process, the drivers are identified and can be added to a Driver package. The task sequence for a specific installation can be configured to look for all matching drivers or only drivers in a specific Driver package. It is common for all the drivers for a specific make and model to be grouped within a Driver package. If the driver being imported provides network or storage functionality, it is important to include the driver in the boot images. This ensures the WinPE environment can access the network and storage devices during deployment. During the import process, the drivers can be automatically added to the appropriate boot images. Make sure to update the Distribution Points after the boot images have been updated.
Managing Operating System Install Packages
209
Managing Boot Images Before deploying an operating system, make sure the boot images have been distributed to the correct Distribution Points. This can be done from the Boot Images node of the Configuration Manager console. To configure the boot images, complete the following steps: 1. Expand the Computer Management container. 2. Expand the Operating System Deployment container. 3. Expand the Boot Images container. 4. Expand Boot Image (x64) and select the Distribution Points container. 5. Click the New Distribution Point action. 6. Add the image to the SMSPXEIMAGES$ share on each PXE Service Point.
Managing Task Sequences A task sequence is responsible for initiating the set of tasks on the target system. This can include capturing the user state; deploying the operating system, drivers, and software packages; and then reapplying the user state. If the deployment is to a server, the user state capture and reapplication process is not typically used.
NOTE Capturing an existing user state is only necessary when performing a user migration. It is not required for new deployments or when the existing profile configuration and data is not required, for example, when roaming profiles are used.
The next tasks assume the image capture folder for Windows 7 is located in a share on the Site Server called \\cm1 \capture\. To create the Windows 7 deployment task sequence, complete the following steps: 1. Expand the Computer Management container. 2. Expand the Operating System Deployment container. 3. Select Task Sequences and click the New Task Sequence action. 4. Select Build and Install a Reference Operating System Image and click Next. 5. Type Windows 7 64-bit in t h e N a m e field.
6. Click Browse, select the 64-bit boot image, click OK, and then click Next. 7. Click Browse, select the Windows 7 64-bit OS install package, and then click OK. 8. Select Windows 7 ENTERPRISE from the image list, and then click Next.
210
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
CAUTION Be aware that not entering the product key might stop the Windows 7 installation during deployment, and an administrator needs to click Next to continue when prompted for a Windows 7 product key.
9. Select Join a Domain. 10. Click the Browse Domain button, choose companyabc.com, and then click OK. 11. Click the Browse Domain OU button, choose the Workstations OU, and then click OK. 12. Click the Set button, enter the domain join account, and then click Next.
NOTE As a best practice, use a limited user account that has been delegated the ability to join systems to the domain as the domain join account for OS deployments.
13. Browse and locate the Microsoft Configuration Manager Client 2007 package. 14. Accept the default installation properties and click Next. 15. Choose All Software Updates and click Next. 16. Add Microsoft Office 2007 - Enterprise Suite (Hidden) package and click Next. 17. Click Next twice to skip the System Preparation and Properties pages. 18. Enter the UNC location and name of the WIM file in the path. 19. Enter the username and password needed to access the share and click Next. 20. Complete and close the wizard. The deployment task sequence installs the Windows 7 64-bit operating system; the computer joins the domain and installs Microsoft Office and all applicable updates, and then captures the custom image to the capture share.
Deploying Operating Systems Importing the computer is not necessary in Configuration Manager 2007 R2 with the introduction of the Enable Unknown Computer Support option on the PXE Service Point role. This option allows a PXE-booted system to deploy an operating system without having to be imported into the console first. The option to enable unknown computer support is shown in Figure 4.15.
NOTE If the unknown computer support option is used for OS deployments, make sure to advertise the OS deployment task sequence to the All Unknown Computers collection.
Deploying Operating Systems
211
r o n f i r j M r j r PXF w r v i r p p n r n t P r n p e r t i K
General j Database | The PXE service point hosts boot rnsoes and responds to PXE requests from Configuration Manager dents to download those images.
& Alow this PXE service point to respond to incoming PXE requests W Enatëe unknown computer support I- Reqiire a password for computers to boot using PXE Password:
Confirm password: Interfaces — R e s p o n d to PXE r e q u e s t s on oil n e t w o r k i n t e r f a c e s
C Respord to PXE requests on soedfic network interfaces
Ulxl Spedty tile PXE ser;er response delay Delay
fceconifs): OK
FIGURE 4 . 1 5
jo |
Cancel
|
App'y
|
Helo
Support for unknown computers.
For additional control around which systems can PXE boot and deploy an operating system, use the traditional method to import the computer information first. To import computer information, complete the following steps: 1. Expand the Operating System Deployment container. 2. Select Computer Association. 3. Click the Import Computer Information action. 4. Select Import a Single Computer and click Next. 5. Enter PC2 as the Computer Name. 6. Enter the MAC or SMSBIOS GUID number and click Next. 7. Review the data and click Next. 8. Choose Add Computer to the Following Collection. 9. Click Browse, select the SITE2-Prerelease collection, and then click Finish. Select the SITE2-Prerelease collection. Choose the Update Collection Membership action, and then refresh the collection. The new computer PC2 should be listed. To assign the task sequence, complete the following steps: 1. Expand the Collections container. 2. Select SITE2-Prerelease collection. 3. Click the Advertise Task Sequence action. 4. Type Windows 7 64-bit in t h e N a m e field.
5. Click Browse, select the Windows 7 64-bit task sequence, and then click OK.
212
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
6. Enable the Make This Task Sequence Available to Boot Media and PXE option and then click Next. 7. Accept the default schedule and click Next. 8. Click Next to accept the default Distribution Point options. 9. Accept the default settings on the remaining pages, and close the wizard. If, after a network (PXE) boot, the computer doesn't boot into WinPE and deploy the operating system, check the MAC address or SMSBIOS GUID. The PXE Service Point only responds to computers that exist in the Configuration Manager console unless the option to enable unknown computers has been configured. The task sequence selection option on a target system is shown in Figure 4.16.
_x|
Trtxk S*f | i i f n r r Wt/«irrl Sclcct a Task Scqucnce Se'ect the t K k sequerce to execute
Nome
Desdipbw
< Previa«
FIGURE 4 . 1 6
I
Next > .
Ii
1
C*Kd
1
Task Sequence Wizard from within WinPE.
NOTE If a computer has been recently removed from the Configuration Manager database, it is not automatically considered "unknown" for about an hour. To speed up this process, restart the Windows Deployment Services Server service on the PXE Service Point.
A task sequence with a mandatory assignment will run automatically when the new system is PXE booted. A task sequence that does not have a mandatory assignment requires user interaction, specifically to press the F12 key to boot into the WinPE environment and to manually select the desired task sequence from the list of available task sequences.
Troubleshooting Operating System Deployments To assist with troubleshooting the OS deployment process, a command-prompt option is available. Opening the command prompt during an installation prevents the WinPE session from canceling the installation and restarting the computer if a problem occurs.
Deploying Operating Systems
213
To enable the command prompt inside WinPE, complete the following steps: 1. Expand the Operating System Deployment container. 2. Expand Boot Images and select Boot Image (x64) from the list. 3. Click the Properties action. 4. Select the Windows PE tab. 5. Enable the Command Support option and click Apply. 6. Update the Distribution Points when prompted. When the WinPE environment starts on the target system, press the F8 key to launch the command prompt. If a problem is encountered, the system will not restart until the Command Prompt window is closed. From the command prompt, many Windows tools are available, such as ipconfig, ping, and Notepad. It is very important to check the network configuration and make sure the correct IP address has been received and the target system can access the Configuration Manager infrastructure over the network. Use Notepad to review the smsts.log file; this is either located on the C: drive or the RAM disk in a folder called SMSTSLog.
Monitoring the Operating System Deployment Process The distribution of operating systems can be monitored with the different reports provided with Configuration Manager. All reports are located in the Task Sequence folder on the Reporting Services Point and in the Task Sequence category on the legacy Reporting Point. There are four main classifications of reports; each classification provides details on a different aspect of the OS deployment. It is important to understand each report. For example, the Status Summary of a Specific Task Sequence Advertised for a Specific Computer report shows if any task sequences are running and provides drill-down functionality to subreports used to identify what step of the task sequence the computer is currently performing.
Deploying Custom Operating System Images It is now possible to deploy the captured operating system. In this scenario, a fully functional Windows 7 operating system was captured as a WIM file and added to the Operating System Images container just like the original Microsoft OS images were added to the Operating System Install Packages container.
NOTE When possible, it is highly recommended to establish a scripted installation to automatically create the baseline. This allows new base images to be created very quickly through a controlled and reproducible method. This is key to eliminating human error when manually installing and configuring the operating system and software packages
Deploying a custom image is preferred or necessary in some scenarios, such as when many different software packages are required for installation and these don't provide a way to
214
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
silently deploy them with a script. These nonstandard software applications can be manually installed and configured; the fully configured OS can be captured as a WIM file and deployed through Configuration Manager.
Summary Configuration Manager 2007 R2 provides an incredible array of technology to distribute content to managed systems and manage the end-to-end system configuration and life cycle. From the initial operating system deployment, to software deployment and software update deployment, Configuration Manager facilitates management of any size infrastructure.
Best Practices The following are best practices from this chapter: • Extend the Active Directory schema to support global roaming. Global roaming can be achieved when the Active Directory schema has been extended. If the schema hasn't been extended, only regional roaming is available. Regional roaming only allows client roaming to sites lower in the hierarchy. If the client roams to a peer site, or parent site, content cannot be downloaded from Resident Distribution Points. • To override protected boundary behavior, enable the Allow Clients to Fall Back to Unprotected Distribution Points when the Content Is Not Available on the Protected Distribution Point on the Package Advertisement option. • It is important to only assign an Internet Management Point from the client's assigned site. Assigning an Internet Management Point from a different site than the client's assigned site is not supported. • In a multisite Configuration Manager hierarchy, the client agents are independent and can be uniquely configured for each site depending on business requirements. Use the Site Setting Transfer Wizard to copy settings from one site to another. • Be cautious if lowering the default polling cycle for either policies or state messages because this directly increases the load on the Management Point and the underlying network infrastructure. • Customize the collection settings to control the polling interval for specific groups of computers. This is typically used to increase the polling cycle of Branch Distribution Points to improve how quickly they become aware of new content. • For more granular BITS configuration, consider using a group policy to control BITS communication for specific sites and/or groups of systems. Domain-level group policies override the settings configured through the Configuration Manager console. • It is important to make sure the Branch Distribution Point has access to a standard Distribution Point and isn't completely isolated due to protected boundaries.
Best Practices
215
• When using a Branch Distribution Point, it is important to ensure this system is relatively static. For example, assigning a Branch Distribution Point to a laptop that roams to different sites is not recommended. • If the scope of a collection is limited based on another collection, be sure to set the appropriate collection update schedule. The source collection should update before the target collection, or the results of the collection could be a complete update cycle behind. By default, a collection is updated every 24 hours, starting from when it was created. • It is important to understand how maintenance windows work. When more than one maintenance window affects a system, the maintenance windows are effectively combined. • Review the Status report of a specific advertisement to monitor software and operating system deployments. Look for status message ID 10073 to indicate an advertisement has been received but not run because no maintenance window is currently available. • It is beneficial to leverage a DFS namespace for the Configuration Manager content source folders. This allows the back-end server hosting the content to be moved or replaced without needing to update all of the software distribution packages. • Only MSP files can be placed in the Office Updates folder. Copying the downloaded Microsoft Office 2007 EXEs to the Updates folder directly is not supported. The EXE needs to be extracted first, and then the extracted MSP files need to be placed in the Updates folder within the source directory. • Do not include Microsoft Office 2007 service packs or hotfixes in the Additional Content section of the Office Customization Tool. Updates need to be placed in the Updates folder; adding them as part of the installation is not supported. • It is recommended to set the estimated disk space requirements for the program high enough to ensure enough space for both the installation and continued normal operation after the software package has been deployed. • It is important to take advantage of the ability to support multiple programs with the same software package. This prevents the same application from being stored multiple times on the Site Server, Distribution Points, and in the clients' local cache. • With large software packages, downloading software with BITS and running it locally is considered a safe option because network interruptions do not affect the installation process. However, downloading the package locally requires a potentially large amount of disk space, and on older computers, can place heavy I/O on the disk subsystem as the software is decompressed and installed. If the network is very reliable, consider installing the software from the Distribution Point for local intranet clients.
216
CHAPTER 4
Using Configuration Manager to Distribute Software, Updates, and
Operating Systems
• A large software package deployment can negatively impact performance of the target system. A user might restart the system to address the perception of sluggish performance, possibly causing a corrupt installation. Establish an effective changecontrol and communication process prior to silently deploying software and making changes to systems in the environment. • Select the Schedule Home Page Summarization action to change how often the page is refreshed. Select the Run Home Page Summarization action to execute the summary process manually. The status of the summarization process can be seen in the statesys. log file on the Site Server. • Use the Overall Compliance report located in the Software Updates - A Compliance folder to show the compliance of a specific collection against a specific update list. • Keeping the source folder name and the software update deployment package name the same makes it easier to identify and clean up old patches and reclaim space on the file server. • Establish baseline update lists and update deployments to get the environment current. • The deployment of server operating systems to enterprise server hardware can be greatly simplified by leveraging vendor-specific Configuration Manager add-ons. HP, Dell, and IBM have all published add-ons and whitepapers for Configuration Manager 2007 available at no additional cost. These publications contain detailed guidance for deploying server operating systems to their hardware and include things like configuring the RAID controller and performing hardware firmware updates from within the WinPE environment. • If CRL checking is enabled, ensure the PXE Service Point certificates contain the HTTP path to the CRL. If only the default LDAP CRL path was specified on the OS deployment certificates, the deployment process will fail because the WinPE environment cannot authenticate to Active Directory to access the LDAP path to check the CRL. • The command line used to install the package during OS deployment should never initiate a reboot. Instead, the return code 3010 should be used to tell the Configuration Manager client to restart the system and continue the deployment after the reboot. With Microsoft Installer (MSI)-based packages, reboots can be suppressed with the REBOOT=ReallySuppress command. • As a best practice, use a limited user account that has been delegated the ability to join systems to the domain as the domain join account for OS deployments. • If the unknown computer support is used for OS deployments, make sure to advertise the OS deployment task sequence to the All Unknown Computers collection. • If a computer has been recently removed from the Configuration Manager database, it is not automatically considered "unknown" for about an hour. To speed up this process, restart the Windows Deployment Services Server service on the PXE Service Point.
Best Practices
217
• When possible, it is highly recommended to establish a scripted installation to automatically create the baseline. This allows new base images to be created very quickly through a controlled and reproducible method. This is key to eliminating human error when manually installing and configuring the operating system and software packages.
CHAPTER 5
Configuration Manager Asset Management and Reporting System Center Configuration Manager (ConfigMgr) 2007 R2 provides exceptional functionality for managing and reporting on Microsoft Windows assets. The asset management functionality includes things like hardware inventory software inventory software metering, software and license management through Asset Intelligence, and Desired Configuration Management. All of the data collected is located in the Configuration Manager database, and can be reported on through the built-in reporting features. This data can also be accessed with external applications and programmatically through a variety of methods, including Windows Management Instrumentation (WMI) and with the predefined database views. This chapter helps the administrator understand how each role within the Configuration Manager hierarchy is used to support the management and reporting of assets. This includes how to customize the hardware and software inventory, implement and manage software metering and Asset Intelligence features, monitor configuration through Desired Configuration Management, and develop custom reports to present the data from both an administrative and management viewpoint.
Understanding the Database Configuration Manager data primarily flows up the hierarchy, which means the database server at the top of the hierarchy holds all of the asset data from lower-level sites. The site database at lower-level sites only contains asset data from clients directly assigned to the site. This is an important aspect to consider when managing assets.
IN THIS CHAPTER •
Understanding the Database
•
Understanding Inventory Collection
•
Using IDMIF and NOIDMF Files
•
Configuring Client Agents for Inventory Collection
•
Customizing Hardware Inventory
•
Validating Inventory Data
•
Viewing Inventory Data
•
Understanding Reporting
•
Understanding Software Metering
•
Understanding Asset Intelligence
•
Importing Software License Data
•
Customizing the Al Catalog
•
Using System Center Online Services
•
Understanding Asset Intelligence Reporting
•
Understanding Desired Configuration
•
Monitoring the Baselines and Compliance
220
CHAPTER 5
Configuration Manager Asset Management and Reporting
NOTE Create and run reports from the central site to ensure data from the entire infrastructure can be seen. Site-specific reports can be created by filtering out data that isn't needed.
Understanding Inventory Collection Inventory collection is the process of scanning for hardware configuration and file data on the managed system and reporting the results back to Configuration Manager. Both the Hardware and Software Inventory Client Agents use WMI to perform the actual scan of the managed system. The Configuration Manager client is told what to include in the inventory with rules sent to the client as signed, encrypted policies. The results of the inventory are temporarily stored in an XML file on the managed system before being sent to the Management Point. The inventory process can be monitored on the client system with the InventoryAgent.log file, which is located in the Logs folder within the Configuration Manager client installation folder. The inventory collection process is shown in Figure 5.1.
SITE1 (10.10.1.0/24)
FIGURE 5 . 1
Inventory collection process.
The Management Point converts the files from XML to MIF and places the file in the \inboxes\auth\dataldr.box folder on the Site Server, which is located in the Configuration Manager installation folder. This process can be monitored through the MP_Hinv.log located in the Logs folder on the Management Point. After the MIF file is copied to the correct folder on the Site Server, it's parsed, and the data is uploaded into the Site Database. This process can be monitored with the Dataldr. log file on the Site Server. If new hardware has been inventoried, the database is dynamically extended with custom tables, views, and other database objects necessary to allow Configuration Manager to manage and report the data.
Configuring Client Agents for Inventory Collection
221
Using IDMIF and NOIDMIF Files Configuration Manager can also collect hardware inventory through custom Management Information Format (MIF) files. Both IDMIF and NOIDMIF files can be programmatically created and placed on the client. During inventory collection cycles, NOIDMIF files are parsed by the client and added to the hardware inventory report before being sent to the Management Point. Conversely, IDFMIF files are sent to the Management Point, parsed by the Site Server, and added to the database as a separate record, not directly related to the actual managed system. IDFMIF files would typically be used to identify and manage assets that cannot support a traditional client, such as a non-Windows system. For additional information on MIF files, review the Configuration Manager 2007 R2 software development kit (SDK), available at http://msdn.microsoft.com/en-us/library/ccl45334.aspx.
CAUTION Avoid using IDMIF or NOIDMIF files to extend the hardware inventory. These files reside on the client computer and can dynamically modify the Configuration Manager database with custom data during the hardware inventory cycle. If this type of collection is necessary, ensure the risks are fully understood and the appropriate security has been implemented.
Configuring Client Agents for Inventory Collection To enable inventory collection, the Hardware Inventory Client Agent and the Software Inventory Client Agent need to be configured and enabled. Both client agents can be accessed from the Client Agents node within the Configuration Manager console. The steps to access the Client Agents node are as follows: 1. Open the ConfigMrg 2007 console. 2. Expand Site Management and the site itself. 3. Expand Site Settings. 4. Select the Client Agents node. Both the Hardware Inventory Client Agent and the Software Inventory Client Agent provide the ability to define a simple schedule or a custom schedule. The simple schedule typically improves the overall scalability of the Configuration Manager infrastructure by distributing the load placed on the network, Management Points, and Site Servers.
NOTE Each Configuration Manager site can be configured with unique settings. Leverage the Transfer Site Settings option to copy configuration settings and other objects to different sites in the hierarchy.
222
CHAPTER 5
Configuration Manager Asset Management and Reporting
The simple schedule works by configuring the client to execute and schedule the inventory schedule dynamically. The first iteration of the schedule is set as the time of the client installation. Throttling the deployment of the Configuration Manager client keeps a relatively consistent load on the environment. The custom schedule instructs all clients to report inventory at a set time and recurrence pattern. If this configuration is desirable, ensure adequate resources are available for the expected load on the network and Configuration Manager hierarchy.
Configuring the Software Inventory Client Agent The Software Inventory Client Agent provides access to enable or disable the ability to collect file properties on managed systems. From within the agent configuration, the inventory schedule can be configured and the file extensions to search on managed systems can be modified. The software inventory cycle uses WMI queries to scan for files. If the agent is enabled, the default configuration searches all local drives for files with the EXE extension. Depending on the number of files, the software inventory cycle can take several hours. The inventory scan process has a timeout value assigned to each unique query; the default timeout is 14,400 seconds (4 hours).
NOTE Similar queries are grouped together to improve performance. This is important to avoid searching the entire system multiple times when scanning for files. For example, searching all hard drives for EXEs and DLLs using the same options for the path, subdirectories, and exclusions results in a single query to find both types. If any of the options are different, multiple queries are used, which can significantly increase the time needed to complete the inventory.
To exclude a drive or folders from being inventoried, create a hidden file called skpswi.dat. This file can be placed in any folder to prevent that folder from being inventoried, or at the root of a drive to prevent the entire drive from being inventoried. Use Desired Configuration Management to locate rogue skpswi.dat files that could be used to hide file data.
Configuring the Hardware Inventory Client Agent The Hardware Inventory Client Agent provides access to enable or disable the ability to collect hardware inventory on managed systems. From within the agent, the inventory schedule can be configured, and IDMIF and NOIDMIF file collection can be enabled if necessary. Unlike the Software Inventory Client Agent, the hardware information collected by this agent cannot be extended through the Configuration Manager console.
Customizing Hardware Inventory
223
To customize the hardware inventory, it is recommended to make changes to the configuration .mof and the sms_def .mof files. An example of this is detailed in the section "Customizing Hardware Inventory." The complete hardware inventory cycle typically completes in a few minutes, with the actual scanning process typically placing a light load on managed systems. The initial inventory for hardware is relatively small, normally less than 1MB, and subsequent inventories are substantially smaller, as only changes are collected.
Customizing Hardware Inventory The hardware inventory collection process can be customized by modifying the configuration .mof a n d sms_def .mof files. T h e configuration .mof file is a u t o m a t i c a l l y
sent to the client and the information within the file is added to the local WMI repository. This file essentially shows the client how to collect the correct data. The sms_def .mof file defines the policy that tells the client what WMI classes to report during the inventory cycle.
NOTE When editing the Configuration Manager MOF files, a backup is automatically created in the \data\hinvarchive folder located in the Configuration Manager installation directory. However, it's still recommended to make a copy of the MOF file before performing manual edits. Also, test hardware inventory extensions in a development environment before making changes to the production environment.
It is common to add additional custom data in the hardware inventory as this allows unique management of assets based on custom attributes, such as the hardware warranty and contract information for an asset.
Creating Registry Keys on the Client The Registry on the local system contains a significant amount of information and is commonly used to hold custom data for the organization. For example, during the deployment of servers, the department responsible for the server along with extended functionality such as warranty data can be added to the Registry automatically with a custom OS deployment package. For testing, the Registry can be manually populated on a test system with the appropriate data. In this example, several string values located in a custom Registry key are added to the hardware inventory. To create the Registry entries on the client, do the following: 1. Open regedit.exe on a test Configuration Manager client system. 2. Expand HKEY_LOCAL_MACHINE, and then select the SOFTWARE key. 3. Right-click SOFTWARE, select New, and then click Key.
224
CHAPTER 5
Configuration Manager Asset Management and Reporting
4. Type CompanyABC as the key name. 5. Right-click the CompanyABC key select New, and then click Key. 6. Type Warranty as the key name. 7. Right-click the Warranty key, select New, and then click Key. 8. Type Hardware as the key name. 9. Right-click the Hardware key, select New, and then click String Value. 10. Type Contract as the string value name. 11. Repeat steps 9 and 10 to add the remaining attributes from Table 5.1.
TABLE 5 . 1
Sample List of CompanyABC Attributes
Name
Description
Sample Value
Contract
Warranty contract terms
24x7x365, 4-hour response
Expiration
Warranty end date
6/5/2012
Owner
Server owner
IT Operations
Organization-specific data is commonly stored in one or more locations external to Configuration Manager. It is common to query for information during the deployment of the operating system and dynamically add it to the Registry of the local system. For example, a custom package can match key values, such as the MAC address from the local system, to the external database to retrieve organization-specific values. These values can be used to dynamically update the Registry of the local system. The CompanyABC Registry customizations are shown in Figure 5.2.
Fir Ed] V*«
- ~ ••' rirti
HK^SJ • Om* J e j ? if.
* Si SB McnWY SE • MsBwtBowî 1
FIGURE 5 . 4
-» böj- röKTM
tT Ooefi'Jrv mtfC+ar*
g
Hardware inventory with custom data.
Understanding Reporting The reporting functionality in Configuration Manager exposes the data collected from the different components in the hierarchy. Configuration Manager has more than 300 reports predefined, including several for each of the Configuration Manager computer management areas. All reports can be accessed through the Reporting node of the Configuration Manager console. The Reporting Services node, located under the Reporting node, provides access to the Configuration Manager Reporting Services instance.
Understanding Reporting
229
NOTE Don't modify existing reports. Always make a copy of the report and make changes to the copy. During Configuration Manager service pack upgrades, the original reports can be updated by Microsoft, and if they're customized, the changes are lost.
Knowledge of the various reports is imperative to effectively manage assets. Understanding where the data is located is important to developing custom reports. Microsoft has created an extensive set of documentation detailing the Configuration Manager views needed to create custom reports. This can be obtained from the following URL: http://www. microsoft, com/downloads/details. aspx?FamilyId=8 7BBE64E-5439-4FC8-BECCDEB372A40F4A&displaylang=en. The CreatingCustomReportsByUsingSQLViews. msi download contains a CHM Help file, an Excel spreadsheet, and a Visio diagram detailing the extensive number of views available to create reports and providing numerous samples to help get started. Several options are available when creating custom reports. The legacy reports and the new Reporting Services reports both use SQL Server views to access the data. To establish a custom report, the extended hardware inventory will be used to identify hardware warranty compliance for servers owned by the IT Operations team. The custom hardware inventory data was added in the previous section, "Customizing Hardware Inventory." The SQL query shown in Listing 5.3 can be used to show this data. LISTING 5 . 3
Querying Custom Inventory Data
select sys.Netbios_NameO as 'Server 1 , sup.TypeO as 'Type', sup.OwnerO as 'Owner 1 , sup.Expiration© as
'Expiration',
sup.Contracto as 'Terms' from v_R_System_Valid sys inner join v_GS_Company_ABC_WarrantyO sup on sys.ResourcelD = sup.ResourcelD
When the query in Listing 5.3 is executed with the SQL Server Management Studio against the SMS_ABC database, the rows shown in Table 5.2 are returned. This information was added to the Registry of each managed system and inventoried during the hardware inventory collection cycle.
230
CHAPTER 5
TABLE 5 . 2
Configuration Manager Asset Management and Reporting
Sample List of CompanyABC Attributes
Name
Type
Owner
Expiration
Terms
CM1
Hardware
IT Operations
6/10/2009
24x7x365, 4-hour response
SQL1
Hardware
IT Operations
6/10/2009
24x7x365, 8-hour repair
DC1
Hardware
IT Operations
7/15/2011
24x7x365, 4-hour response
CAI
Hardware
IT Operations
6/5/2012
24x7x365, 4-hour response
The v_R_System_Valid view contains information about all discovered resources, including the name of the system and a unique identifier called the ResourcelD. The ResourcelD column is frequently used to join other views. The v_GS_Company_ABC_WarrantyO view was created dynamically when the hardware inventory was extended and managed systems started reporting custom data. The name of the view is based on the WMI class with a unique number appended. To identify the correct view, use the SQL Server Management Studio. To locate Configuration Manager views with SQL Server Management Studio, complete the following steps: 1. Open the SQL Server Management Studio on SQL1. 2. When prompted, enter SQL1 as the server name. 3. Click Connect. 4. Expand Databases. 5. Expand the SMS_ABC database. 6. Expand Views. 7. Locate the v_GS_Company_ABC_WarrantyO view. 8. Locate the v_HS_Company_ABC_WarrantyO view. 9. Locate the v_R_System view and the v_R_System_Valid view. Right-click any of the views and choose Select Top 1000 rows to see the data the view provides access to. The GS view contains current data, whereas the HS view contains historical data. The v_R_System and v_R_System_Valid views provide access to several key columns, including information obtained through system discoveries, such as the system name, operating system, and AD site code.
NOTE Use the v_R_System_Valid view when obsolete and decommissioned systems need to be excluded from the report. This view contains a subset of information that can be obtained from the v_R_System view.
Understanding Reporting
231
The v_GS_Company_ABC_WarrantyO view provides access to the custom hardware information collected from the Registry of each managed system. The ResourcelD column can be used to join the v_R_System_Valid and the v_GS_Company_ABC_WarrantyO views.
Creating Custom Reports Both legacy and Reporting Services custom reports can be created directly from within the Configuration Manager console. Reporting Services reports can also be created directly from within SQL Server Business Intelligence Development Studio for advanced customization.
NOTE Make sure the correct view is queried for hardware data. Most current hardware inventory data can be accessed with the v_GS_ views. Historical hardware inventory data can be accessed with the v_HS_ views.
Creating a Legacy Report The legacy Reporting Point provides simple, but limited reporting functionality. To create a legacy report from the ConfigMgr console, complete the following steps: 1. From within the ConfigMgr console, expand Computer Management. 2. Expand Reporting. 3. Select the Reports node. 4. Click the New - Report action. 5. Type CompanyABC Warranty in t h e N a m e field.
6. Type CompanyABC in the Category field. 7. Click the Edit SQL Statement button. 8. Type the SQL statement from Listing 5.3 into the field and click OK. 9. Click Next and complete and close the wizard. Run the report from the Configuration Manager console to view the data. The data can be exported to a CSV file from the menu located at the top of the report.
Creating a Reporting Services Report The Reporting Services Point also provides a simple method to create custom reports. Unlike the legacy reports, these reports provide a lot of customizability and the delivery can be scheduled. To create a custom report folder to hold Reporting Services reports, complete the following steps: 1. From within the ConfigMgr console, expand Computer Management. 2. Expand Reporting.
232
CHAPTER 5
Configuration Manager Asset Management and Reporting
3. Expand the Reporting Services node. 4. Expand SQL1 and select the Report Folders node. 5. Click the New Folder action. 6. Type CompanyABC in the Folder Name field, and then click OK. After the custom report folder has been created, reports can be created and added to the folder. To create a Reporting Services report to show custom warranty information, complete the following steps: 1. Select the CompanyABC folder. 2. Select the Create Report action. 3. Choose SQL-based Report. 4. Type CompanyABC Warranty in the Name field, and then click Next. 5. Click the Properties button for DataSetl. 6. Type the SQL statement from Listing 5.3 into the field, and then click OK. 7. Click Finish and complete the wizard. The newly created report will be published to the SQL Reporting Services site. Run the report from the Configuration Manager console or the SQL Reporting Services web portal to view the data. A Reporting Services report detailing warranty is shown in Figure 5.5.
^
f|p
{anpjnyubf.cam
| ut r * * * * * * H
^
H
îî] ^
| jii»
ijwesird 3 t d -
-iSJ^f p •
* Mi WtbSkiiirfery »
W
ft * •
'
m *
P»Qf
SaA-ty -
«fa - »)
M ï - S u t i s i s l s » ^ ; SAï.Siîlt-ii IV i Hv!p J
Haroi
SQL Server Repwtmg Services Iksps > C«i!iaMai ADC > Cen?jîflnï«JK ? Cttinpiiiiy ABC W a r r a n t y
search
ror: f -
c]
vi«-* î i.
j r
e* j
•
¡Haver "
i
iico*.
[ypv •
»j
1 ,
i
| s * i « t a fwmat
V
«1
Owner •
txpirdliuri •
fera» "
CHI
Hardware
IT Operations
6/10/2004
24x?x3«, 4 hour respcise
SOLI
Hardware
ET Operator«
6/10/2009
24x7x3«, 8 tiWr rep«
OCt
HxJwire
IT Opfdtwns
7/15/3011
2-ix7x3«5. 4 how rwportsp
«1 h Lb ; /ML. ConoorTrMlCam iftepCr ts *
FIGURE 5 . 5
f fJ
iutJ •ft «net 1 PrgtKled M9dc: Of!
- r urn -
1
CompanyABC Warranty report.
Scheduling Reporting Services Reports Reporting Services provides extensive customizability. From within the Configuration Manager console, subscriptions to reports can be established. A subscription will run the report automatically and deliver the report to a file share or an email address.
Understanding Reporting
233
To configure email subscriptions for reports, complete the following steps: 1. To configure email report delivery, you must have an SMTP server the email can be sent through. It is common to use an existing email infrastructure for this purpose, such as an Exchange Hub Transport or Edge server. 2. Reporting Services must be configured with the SMTP server. This can be done with the Reporting Services Configuration Manager console on the server SQL1. Open the console and connect to the Reporting Services instance. Select the E-mail Settings page, and type the sender email address and the FQDN of the SMTP server. 3. The SQL Agent service for the SQL instance must be configured to automatically start. This can be done through the SQL Server Configuration Manager on the SQL1 server. Open the SQL Server Configuration Manager and select the SQL Server Service node. Right-click the SQL Server Agent service and select Properties. Select the Service tab, and set the Start mode to Automatic. Apply the settings, select the Log On tab, and click the Start button. Once the prerequisites have been configured, the permissions can be set up. The following tasks use the account svcCMlReport to automatically run the scheduled email reports. This account is a normal Active Directory user. To configure the permissions on the svcCMlReport account, complete the following steps: 1. Open SQL Server Management Studio on SQL1. 2. Select the Database Engine component on SQL1, and then click Connect. 3. Expand Security. 4. Right-click Logins and select New Login. 5.
Type
C0MPANYABC\svcCM1 R e p o r t
in the Login Name field.
6. Select the User Mapping page. 7. Enable SMS_ABC in the Users Mapped to This Login list. 8. Enable the smsschm_users database role, and then click OK. To configure the Data Source Authentication credentials, complete the following steps: 1. From within the Configuration Manager console, expand the Reporting node. 2. Expand the Reporting Services node. 3. Select SQL1 and click the Properties action. 4. Select the Data Source Authentication tab. 5. Choose Credentials Stored Securely in the Report Server. 6. Enter credentials for the svcCMlReport user. 7. Enable the Use as Windows Credentials when Connecting to the Data Source option. To set up an email subscription, select the Reporting Services Point report that will be included in the subscription, and then click the New Subscription action. On the Subscription Delivery page, select E-mail as the Report Delivery By option. Type the To email address, the Reply email address, and the subject of the message. Other settings can be configured as necessary, such as the CC and BCC email addresses. Enable the Include
234
CHAPTER 5
Configuration Manager Asset Management and Reporting
Report option, and select the render format. Render formats include XML, CSV, TIFF, PDF, Web archive, and Excel. To modify an existing report subscription, select the report and click the Properties action. Select the Subscriptions tab to modify or delete the subscription. Reports can also be modified in the SQL Server Business Intelligence Development Studio. The Business Intelligence Development Studio is a custom version of Visual Studio that comes with SQL Server and has specific functionality for working with SQL Server-related projects.
Understanding Software Metering The software metering functionality provided with Configuration Manager simply tracks software usage on managed systems. The creation of software metering rules can be automated through the properties of the Software Metering node. To enable autocreation of software metering rules, do the following: 1. From within the ConfigMgr console, expand Computer Management. 2. Select the Software Metering node, and click the Properties action. 3. The autocreation of software metering rules can be enabled or disabled. Automatically creating the software metering rules simplifies management by determining what is actually being used in the environment and creating a "disabled" rule to automatically meter this software. To enable one of the automatically created rules, select the rule, then click the Enable action. The software metering rules must be enabled before any of the metering reports will show data. The software metering process can be monitored on the client system with the and the SWMTRReportGen. l o g log files.
Mtrmgr.log
Configuring the Software Metering Client Agent The Software Metering Client Agent provides access to enable or disable the ability to collect software metering data on managed systems. From within the agent, the inventory schedule can be configured to control how often data is sent to the Configuration Manager hierarchy.
Reporting on Software Metering Data All the software metering reports are located in the Software Metering folder on the Reporting Services Point and the Software Metering category on the legacy Reporting Point. To effectively use software metering, familiarity with the reports is necessary. As data is collected and summarized, the reports become more effective. For example, the Concurrent Usage Trend Analysis of a Specific Metered Software Program report shows the maximum and average number of users who concurrently ran the software each month for the previous year. This report requires a years' worth of metering summary data to be effective.
Understanding Asset Intelligence
235
Another useful report is called Computers That Have a Metered Program Installed but Have Not Run the Program Since a Specified Date. This report can be used to target systems to uninstall the unused software, which can free up licenses for other users. Computers that have never run the TextPad software are shown in Figure 5.6.
_-J *T x P I
Ô -
rrtrrtrt
rf.
p
P -
- p I
I
& • Q -
T«*. « j»
SQL StrvL-i Repotting Siivices Ho-mii J CMlfiOHOT ABC > SoflHJrti MvtL'fMW >
"J
C o m p u t e r s t h a t h a v e a m e t e r e d p r o g r a m instaHed b u t h a v e n o t r u n t h e p r o g r a m since a s p e d lie d d a t e
LMt
| t/J/WIO lï:OOtW AM
UHf Date
H
«
ft
aFi >
M
Ri"|nirt holder:
S:uk |T
U* fcr Hkmrolrti, mat*, mi r i w r n to r.v.yy drvrd reMprum.
J
fsnfij/f
J J
UrwrrperCi
i»..
ibniH
v 0 O Q 0
FIGURE 5 . 1 0
Default DCM page.
Similar to the Hardware and Software Inventory Client Agents, the simple schedule will begin the evaluation cycle based on the time the Configuration Manager client was installed. However, unlike the Hardware and Software Inventory Client Agents, if a custom schedule is selected, the actual time the DCM agent triggers the evaluation is delayed by up to 2 hours to improve scalability.
Defining Configuration Items to Monitor The configuration settings that will eventually constitute a baseline need to be defined. DCM provides many options for monitoring the state of both objects and settings on the managed system. DCM can monitor several objects, including Registry keys, files, and managed code assemblies. DCM can also be configured to validate settings. Setting data can be obtained through AD-, IIS-, Registry-, Script-, SQL-, WQL-, and XML-based queries. Based on the "Customizing Hardware Inventory" section, several Registry keys were added to the Registry of managed systems. These settings contained a string value showing when the warranty of a specific system would expire. The DCM configuration item in the proceeding tasks verifies the hardware warranty key is present on the system and checks the expiration value to determine if the warranty has expired. The PowerShell script in Listing 5.4 can be used to query the string value, convert the string to a date, and then check if the date is older than the current date. If the date stored in the Registry has already passed, the script doesn't return anything. Conversely, if the warranty expiration date is in the future, the script returns the text "ok."
Understanding Desired Configuration
LISTING 5 . 4 $string
if {
=
249
PowerShell Script to Check the Hardware Warranty Status
get -ItemProperty
((Get-Date)
-It
"hklm:\SOFTWARE\CompanyABC\Warranty\Hardware\"
[datetime]: :ParseExact($string.Expiration,
"M/d/yyyy",
$null))
"ok"
NOTE Digitally sign PowerShell scripts. This allows the PowerShell execution policy to be configured for AllSigned. The AllSigned policy ensures that only authorized, signed scripts can be run in the environment. For additional information on script signing, type g e t - h e l p a b o u t _ s i g n i n g in a PowerShell console.
By default, the PowerShell execution policy is set to Restricted. This essentially prevents scripts from being executed. The execution policy should be set to AllSigned if the script can be digitally signed or RemoteSigned if PowerShell scripts will not be signed. This can be done with the command S e t - E x e c u t i o n P o l i c y R e m o t e S i g n e d . If PowerShell is not an applicable option, the VBScript in Listing 5.5 does essentially the same thing. LISTING 5 . 5 option
explicit
dim o S h e l l , sKey = set
VBScript Script to Check the Hardware Warranty Status
sValue,
sKey
"HKEY_LOCAL_MACHINE\SOFTWARE\CompanyABC\Warranty\Hardware\Expiration"
oShell = CreateObject("WScript.Shell")
sValue = oShell.RegRead(sKey) if
(Now()
< CDate(sValue))
wscript.echo end
then
"ok"
If
To create a Configuration Item to monitor, follow these steps: 1. From within the ConfigMrg console, expand Computer Management. 2. Expand the Desired Configuration Management node. 3. Select the Configuration Items node.
250
CHAPTER 5
Configuration Manager Asset Management and Reporting
4. Select the New - General Configuration Item. 5.
Type
Check W a r r a n t y
in the Name field, and click Next.
The Registry configuration object is shown in Figure 5.Tf.
FIGURE 5 . 1 1
Properties of the Registry object.
The Object section of the Configuration Items Wizard provides the ability to monitor for the existence of specific objects on the local system. This includes .NET assemblies, files, folders, and Registry keys. This section is configured to look for the existence of the SOFTWARE\CompanyABC\Warranty\Hardware key located within the HKEY_LOCAL_MACHINE Registry hive. To configure the Registry key validation object, follow these steps: 1. Click New - Registry Key. 2. Select the HKEY_LOCAL_MACHINE hive. 3.
Type
SOFTWARE\CompanyABC\Warranty\Hardware
in the Key field.
4. Set the Instance count operator to Equals. 5. Set the Values field to f and the Severity to Warning. 6. Click OK and then click Next. When DCM checks for the Registry key, it must find one instance. If exactly one instance is not found, the system is not compliant and a warning is generated. The Settings section of the Configuration Items Wizard provides the ability to check the value of configuration items on the local system by querying for the setting and checking the return value.
Understanding Desired Configuration
251
To implement a script to monitor the configuration, complete the following steps: 1. Click New - Script. 2.
Type
Check W a r r a n t y
in the Name field.
3. Set the Script language to either PowerShell or VBScript. 4. Type the script into the Script field. 5. Select the Validation tab. 6. Set the Data Type to String. 7. Click the New button. 8. Type ok in the Value field. 9. Set the Severity to Error, and click OK. 10. Click OK to save the new script. 11. Click Next, and then complete and close the wizard. If the script doesn't return the text "ok," the system is considered noncompliant and an error is generated. If the correct Registry key isn't found, a warning is generated. Defining the object and configuration item is not totally necessary and is only provided as an example. If the script fails because the Registry key is missing, the system is considered noncompliant.
Defining a Configuration Baseline After the configuration items have been established, and the appropriate rules to monitor them have been created, the baseline can be set up. To create a configuration baseline, do the following: 1. Select the Configuration Baselines node. 2. Click the New Configuration Baseline option. 3.
Enter
System Warranty S t a t u s
in the Name field, and click Next.
4. Click the Applications and General link. 5. Enable the Check Warranty configuration item, and click OK. 6. Click Finish and complete and close the wizard. Many different configuration items can be added to a baseline. How the baselines are used depends on how the configuration items are related. For example, if one of the configuration items in a baseline is not compliant, then the system is not compliant for this baseline.
Applying a Baseline to a Collection The baseline configuration is applied to a collection. This can be done from within the Desired Configuration Management node or the Collections node.
252
CHAPTER 5
Configuration Manager Asset Management and Reporting
To add the baseline to a collection, complete the following steps: 1. Select the Configuration Baselines node. 2. Select the System Warranty Status baseline. 3. Click the Assign to a Collection action. 4. Click Next as the correct baseline is already listed. 5. Click Browse, locate the All Systems collection, and click OK. 6. Click Next, and then set the Simple schedule to run every 1 day. 7. Complete and close the wizard. To update, change, or remove the baseline to a collection, complete the following steps: 1. Select the Configuration Baselines node. 2. Select the baseline that should be removed. 3. Click the Properties action for the baseline. 4. Select the Assignments tab. 5. Click the Properties button to view and change the properties. 6. Click the Delete button to remove the collection.
Monitoring the Baselines and Compliance The Desired Configuration Management home page provides a summary of the different baselines. Select each baseline to view how many systems are compliant, how many systems are not compliant, and if any systems reported errors.
NOTE Schedule the home page summary to ensure the information displayed is accurate. To speed up the process when testing, run the Run Home Page Summarization action.
The name of each baseline is linked to the legacy report that details the status for the baseline. The report provides drill-through functionality to find details for each system the baseline was executed against. When testing and troubleshooting issues, the DCM baselines can be viewed from the client. To view the baseline report from a managed system, do the following: 1. Log on to a managed system. 2. Open Control Panel. 3. Select the System and Security category. 4. Open the Configuration Manager control panel applet.
Best Practices
253
5. Select the Configurations tab. 6. Select a baseline, and then click the View Report button. The DCM Compliance Report from CAT is shown in Figure 5.T2.
If L
ifcii.L::.:,.
-
+r
A
pj
—
!
-
• PS«« » Safetr * Took • H •» BASELIKE NAME: System Woraitfy 5uiu> CONFIGURATION iTtU VfRSKKf; Î .00 CONTEXT \tBSIO\: 1 ACTUAL C O M P L L W C I S T A T I
Non-COMILMXCS SFATRITY: DESCRIPTION:
None
Summary: Cùuifm Valida Veriion Failm Cimünuraüon Baseline
System Warranty Stata^ „
FIGURE 5 . 1 2
»o
I ¡»"(HMeiJ Motte Off
DCM Compliance report.
Summary System Center Configuration Manager 2007 R2 provides a powerful set of features to facilitate end-to-end asset management. From the moment the system is born onto the network, it can be managed, tracked, and audited to ensure the hardware and software is monitored and managed correctly and effectively. With the highly customizable reporting infrastructure, both Configuration Manager administrators and IT managers can stay informed about assets and the overall compliance of the infrastructure.
Best Practices The following are best practices from this chapter: • Create and run reports from the central site to ensure data from the entire infrastructure can be seen. Site-specific reports can be created by filtering out data that isn't needed. • Avoid using IDMIF or NOIDMIF files to extend the hardware inventory. These files reside on the client computer and can dynamically modify the Configuration Manager database with custom data during the hardware inventory cycle. If this type of collection is necessary, ensure the risks are fully understood and the appropriate security has been implemented. • Each Configuration Manager site can be configured with unique settings. Leverage the Transfer Site Settings option to copy configuration settings and other objects to different sites in the hierarchy.
254
CHAPTER 5
Configuration Manager Asset Management and Reporting
• Similar queries are grouped together to improve performance. This is important to avoid searching the entire system multiple times when scanning for files. For example, searching all hard drives for EXEs and DLLs using the same options for the path, subdirectories, and exclusions results in a single query to find both types. If any of the options are different, multiple queries are used, which can significantly increase the time needed to complete the inventory. • To exclude a drive or folders from being inventoried, create a hidden file called s k p s w i . d a t . This file can be placed in any folder to prevent that folder from being inventoried, or at the root of a drive to prevent the entire drive from being inventoried. • Use Desired Configuration Management to locate rouge be used to conceal file data.
skpswi.dat
files that could
• When editing the Configuration Manager MOF files, a backup is automatically created in the \ data\hinvarchive folder located in the Configuration Manager installation directory. However, it's still recommended to make a copy of the MOF file before performing manual edits. Also, test hardware inventory extensions in a development environment before making changes to the production environment. • Use the m o f c o m p . e x e utility to compile and test custom hardware inventory classes before adding the information to the c o n f i g u r a t i o n .mof file. • Don't modify existing reports. Always make a copy of the report and make changes to the copy. During Configuration Manager service pack upgrades, the original reports can be updated by Microsoft, and if they're customized, the changes are lost. • Microsoft has created an extensive set of documentation detailing the Configuration Manager views needed to create custom reports. Use this information when creating custom reports. • Use the v_R_System_Valid view when obsolete and decommissioned systems need to be excluded from the report. This view contains a subset of information that can be obtained from the v_R_System view. • Make sure the correct view is queried for hardware data. Most current hardware inventory data can be accessed with the v_GS_ views. Historical hardware inventory data can be accessed with the v_HS_ views. • Don't use Configuration Manager as an authoritative source for making licensing purchases. The actual counts of licenses should be tracked as systems are provisioned and deprovisioned throughout the enterprise. Configuration Manager should be used to validate those numbers. • Each time licensing data is uploaded, the previous license data is overwritten. To avoid accuracy problems, make sure the complete list of licensing information is uploaded every time.
Best Practices
255
• Use the Installed Software node within the Hardware section of Resource Explorer to identify the correct values for the non-Microsoft software licensing CSV file. • Use custom labels to categorize AI inventoried software. This allows customization and grouping of software based on specific business requirements. • Software information that is uploaded and eventually categorized by Microsoft is made available to all Microsoft customers through System Center Online Services. Avoid uploading private software information that could be used to identify your business to other customers. • Digitally sign PowerShell scripts. This allows the PowerShell execution policy to be configured for AllSigned. The AllSigned policy ensures that only authorized, signed scripts can be run in the environment. For additional information on script signing, type g e t - h e l p a b o u t _ s i g n i n g in a PowerShell console.
CHAPTER 6
Operations Manager Design and Planning System Center Operations Manager (OpsMgr) 2007 R2 provides the best-of-breed approach to end-to-end monitoring and managing IT services. This includes servers, applications, and devices. OpsMgr helps to identify specific environmental conditions before they evolve into problems through the use of monitoring and alerting components. OpsMgr provides a timely view of important server and application conditions and intelligently links problems to knowledge provided within the monitoring rules. Critical events and known issues are identified and matched to technical reference articles in the Microsoft Knowledge Base for troubleshooting and quick problem resolution. For Operations Manager to accomplish all this effectively, the infrastructure must be designed and implemented properly. This ensures that the systems have the resources and capacity to handle the anticipated data flows and storage requirements. To be able to create an effective design, a good understanding of the Operations Manager components, requirements, and constraints is important. This chapter provides specific analysis of the way OpsMgr operates, presents OpsMgr design best practices, and presents three sample designs. In addition, planning is discussed.
Explaining How OpsMgr Works OpsMgr is a sophisticated monitoring system that effectively allows for large-scale management of mission-critical servers. Organizations with a medium to large investment in Microsoft technologies will find that OpsMgr allows for an unprecedented ability to keep on top of the tens of
IN T H I S C H A P T E R •
Explaining How OpsMgr Works
•
OpsMgr Architecture Components
•
Securing OpsMgr
•
Fault Tolerance and Disaster Recovery
•
Understanding OpsMgr Component Requirements
•
OpsMgr Design Considerations
•
Putting It All Together in a Design
•
Planning an Operations Manager Deployment
258
CHAPTER 6
Operations Manager Design and Planning
thousands of event log messages that occur on a daily basis. In its simplest form, OpsMgr performs two functions: processing monitored data and issuing alerts and automatic responses based on that data. The monitoring is accomplished using standard operating system components such as Windows Management Instrumentation (WMI) and WS-Management, Windows and UNIX event logs, and Windows and UNIX performance counters, along with API calls and scripts. OpsMgr-specific components are also designed to perform synthetic transactions and track the health and availability of network services. In addition, OpsMgr provides a reporting feature that allows administrators to track problems and trends occurring on the network. Reports can be generated automatically, providing network administrators, managers, and decision makers with a current and long-term historical view of environmental trends. These reports can be delivered via email or stored on file shares for archiving or to power web pages. The model-based architecture of OpsMgr presents a fundamental shift in the way a network is monitored. The entire environment can be monitored as groups of hierarchical services with interdependent components. Microsoft, in addition to third-party vendors and a large development community, can leverage the functionality of OpsMgr components through customizable monitoring rules. OpsMgr provides for several major pieces of functionality, as follows: • Management packs—Application-specific monitoring rules are provided within individual files called management packs. For example, Microsoft provides management packs for Windows Server systems, Exchange Server, SQL Server, SharePoint, DNS, and DHCP, along with many other Microsoft technologies. Management packs are loaded with the intelligence and information necessary to properly troubleshoot and identify problems. The rules are dynamically applied to agents based on a custom discovery process provided within the management pack. Only applicable rules are applied to each managed server. • Monitors—Management packs contain monitors, which allow for advanced statebased monitoring and aggregated health rollup of services. There are monitors for events, performance, logs, services, and even processes. Monitors also provide self-tuning performance threshold monitoring based on a two- or three-state configuration. • Rules—Management pack rules can monitor for specific event log data, collect performance data, or even run scripts on a timed basis. This is one of the key methods of responding to conditions within the environment. Management pack rules can monitor for specific performance counters. This data is used for alerting based on thresholds or archived for trending and capacity planning. A performance graph shown in Figure 6.1 shows DC Response Time data for the DC1 domain controller. There was a brief spike in latency at about 6:00 p.m., but the latency is normally less than 0.2 seconds.
Explaining How OpsMgr Works
r -
259
Active PrVCtOy 2000 Active Diedtty Seivei 2003 _JÎ DC Sewer 2003 Active Afci j j j DC £ttv«f 2003 £v«rtS DC$#v* 20035«** B tfj PftOHMfKi l^JlPnlorowcrOai« ¿¡J O ^ A w m d l e f l O w e — DC OS Mrtits Overi»* ag DC Rfrrpcoîe Tift* ^DO^CRe:«™
1Î.3MC« Î Î W
FIGURE 6 . 1
:
uanon
. :O* IMMCÙSJCOP
Operations Manager 2007 R2 performance charts.
• Alerting and notification—OpsMgr provides advanced alerting functionality such as alert notifications via email, paging, short message service (SMS), and instant messaging (IM). Alerts are highly customizable, with the ability to define alert rules for all monitored components. • End-to-end service monitoring—OpsMgr provides service-oriented monitoring based on System Definition Model (SDM) technologies. This includes advanced object discovery and hierarchical monitoring of systems, as well as synthetic transactions that confirm the health of the system from a client perspective. This includes URLs, ports, Active Directory, LDAP, database access, and Exchange services. Operations Manager 2007 R2 can present the collected information in a variety of ways. The OpsMgr monitoring environment can be accessed through three sets of consoles: an Operations Console, a Web console, and a command shell. The Operations Console provides full monitoring of agent systems and administration of the OpsMgr environment, whereas the Web console provides access only to the monitoring functionality. The command shell provides command-line access to administer the OpsMgr environment. Major OpsMgr components are as follows: • Consoles—The main method for presenting information is the Operations Console and the Web console. The Operations Console is the full console and presents alert, event, and performance data in a highly scalable fashion. This allows an operator to drill into the information needed very quickly and effectively.
260
CHAPTER 6
Operations Manager Design and Planning
• Notifications—Notifications are generated from alerts and can be sent as email, SMS, or IM messages. There is also a generic command notification, which allows any command line or script to execute. • Reports—Monitoring rules can be configured to send monitored data to both the operations database for alerting and the reporting database for archiving. • Dashboards—The Service Level Dashboards Solution Accelerator leverages the new Service Level Tracking feature of OpsMgr 2007 R2 and the ubiquitous SharePoint to present a flexible view of how objects and applications are meeting defined Service Level Objectives such as 99.9% uptime or other metrics.
NOTE Service Level Dashboards are a Solution Accelerator and require Microsoft SharePoint. This is an add-on developed by Microsoft to leverage the functionality of Operations Manager, but is not really a part of the product. Interestingly, the Service Level Tracking (SLT) feature of Operations Manager was developed expressly to enable Service Level Dashboards, though SLTs can be used completely independently using the Operations Manager reporting feature.
These consoles, management packs, monitors, and rules are covered in detail in Chapter 8, "Using Operations Manager for Monitoring and Alerting." Reports are covered in Chapter 9, "Using Operations Manager for Operations and Security Reporting."
Processing Operational Data OpsMgr manages Windows Server 2008 R2 infrastructures through monitoring rules used for object discovery, Windows event log monitoring, performance data gathering, and application-specific synthetic transactions. Monitoring rules define how OpsMgr collects, handles, and responds to the information gathered. OpsMgr monitoring rules handle incoming event data and allow OpsMgr to react automatically, either to respond to a predetermined problem scenario, such as a failed hard drive, with predefined corrective and diagnostics actions (for example, trigger an alert, execute a command or script), or to provide the operator with additional details based on what was happening at the time the condition occurred. Another key feature of OpsMgr is the capability to monitor and track service-level performance. OpsMgr can be configured to monitor key performance thresholds through rules that are set to collect predefined performance data, such as memory and CPU usage over time. Rules can be configured to trigger alerts and actions when specified performance thresholds have been met or exceeded, allowing network administrators to act on potential performance issues. Performance data can be viewed from the OpsMgr Operations Console. In addition, performance monitors can establish baselines for the environment and then alert the administrator when the counter subsequently falls outside the defined baseline envelope.
Explaining How OpsMgr Works
261
Generating Alerts and Responses OpsMgr monitoring rules can generate alerts based on critical events, synthetic transactions, or performance thresholds and variances found through self-tuning performance trending. An alert can be generated by a single event or by a combination of events or performance thresholds. Alerts can also be configured to trigger responses such as email, pages, Simple Network Management Protocol (SNMP) traps, and scripts to notify you of potential problems. In brief, OpsMgr is completely customizable in this respect and can be modified to fit most alert requirements. A sample alert is shown in Figure 6.2. The alert indicates that the domain controller's DNS is incorrectly configured. Also note that there are two information alerts shown, indicating that the domain controller stopped and started. ^ Syrern Center OperaUum Manager 2007 R2 - CCO Ffa
Eilt
VBTT
GO
Allkra
Tttfc
HQ O
Hsfc 1f íhCwWltMt 1 taMfcflf daté » ; iT Ovirrtd« '
III g ^ U ' f l l l lull 1 1 1 '| Monitoring
Ji $0t 5m • - J Hurmdl Syriern C«fa UriwidtaiK • - J HKimil Wntom KCi C'ittfajed fi
IJMttd
HiirWCft WiVk*K Ac Irrt Diettoy
«omilyirrilh.it ( I )
OC Active 4M: l i l oes«**
^ 4ttaAMCO.COM
ATWNA
OHS it he^iMUy < o V " l
1:33:1 ow
- Severity: Information
iJOCSWe
athervs.íío.corri
.J Ac irre (li«f-ay •>«A f n h d m MUCO W&tiOW IIsffleM PH
At* DNF. CwilvaurntKin in
ar. Thin monitor prrfermi variant chcekf On í^e ONS ïoftip. rniiviriual olorVf for 4 number
.1 of DNS lor ditailt-
FIGURE 6 . 2
Operations Manager 2007 R2 alert.
Reporting from OpsMgr OpsMgr management packs commonly include a variety of preconfigured reports to show information about the operating system or the specific application they were designed to work with. These reports are run in SQL Reporting Services. The reports provide an effective view of systems and services on the network over a custom period, such as weekly, monthly, or quarterly. They can also help you monitor your networks based on performance data, which can include critical pattern analysis, trend analysis, capacity planning, and security auditing. Reports also provide availability statistics for distributed applications, servers, and specific components within a server.
262
CHAPTER 6
Operations Manager Design and Planning
Availability reports are particularly useful for executives, managers, and application owners. These reports can show the availability of any object within OpsMgr, including a server (shown in Figure 6.3), a database, or even a service such as Windows Server 2008 R2 that includes a multitude of servers and components. The Availability report shown in Figure 6.3 indicates that the SP server was down on 9/29/2009 for about 4.17% of the time or just slightly over 1 hour. The rest of the time it had been up. W^yj8ab*ty Time - Sy» em Center DperdUiim Mmav1er 21)07 R2 - Rppwl - CCD
ÏW
1 »
8 OA
ti&fl Tun
n
m->-
#
EV
HHE3
C ^ ^ ^ B
» M -ÍMíneta* Ííf '•(«»! i i t ß & m IÎIHPH !
htlA^ltlMA 'WCtl Cuitan
1 Fro« t&tôo» Iii» PH II»
-
lafi/ttM sïiïî w
MO 1 Avriat-ttr
••mm W2M*
V2I/3H*
t/WMH
(WW
•MtD^mdHMMK i) -"'i V OQWfí (Uf«l*M*i
FIGURE 6 . 3
Availability report.
iWlfîM*
W/MH
It^XH
• uP(H«nu> diiaife!}
IWV2M*
U»(UMMte
|
J
Canoel
Database component install.
8. Type the management group name in the Management Group text box and click Next. 9. Select the instance of SQL Server on which to install the Operations Manager 2007 R2 database, and then click Next. 10. Leave the default database size of 1,000MB. Change the data and log file locations, if needed, and then click Next. 11. On the Error Report page, check the box to send reports to Microsoft and click Next. 12. On the Microsoft Update page, select Use Microsoft Update and click Next. 13. Click Install to start the installation. 14. Click Finish to exit the install wizard.
NOTE The default SQL installation does not open any firewall ports. This needs to be done before the Operations Manager server can be installed. More details on firewall requirements are in the Microsoft KB article at http://support.microsoft.com/kb/968872.
Installing Operations Manager 2 0 0 7 R2
335
The second part of the install is to install the Server, Console, and Web Console components on the RMS server. Once the RMS server meets all the prerequisites and is ready for installation, complete the following steps to run the install: 1. Log on to the RMS server (OM1 in this example) with the OpsMgr service account. 2. Launch SetupOM.exe from the OpsMgr installation media. 3. Click Install Operations Manager 2007 R2. 4. Click Next. 5. Accept the license agreement and click Next. 6. Enter the User Name, Organization, and CD Key, if required, and then click Next. 7. When the Custom Setup page opens, change the components to only have the Management Server, User Interfaces, Command Shell, and Web Console components selected (as shown in Figure 7.6), and then click Next. ISyslfin Crnl t*r 0|i»-rrt tiling Miniayrr Î007 R7 Sri up Custom Setup
*J
Select the components that you want ta install C k k an icon in t h e 1st bdow to d w x j e how that contrarient wfl be instated,
J- [ User Interfaces _J - j Command shell -1 web consoe l
CuniLvient d e s u uLw i Thft rnmponwit Insftte Mrrasnfr Operations Manager Management Sri v n .
T» lv in it rrtjárs ÍTQNRai ynu hard drive. I ALLIEN
I orator: C : 'program F ü e s ^ y s t e m Cen ter Operations Manager 2007\
U *
FIGURE 7 . 6
Dis* Usage
< Dad:
Browse
text >
I
Caned
RMS and Console components install.
8. Enter the name of the database server and instance (if not default) in the System Center Database Server text box and click Next. 9. Select Domain or Local Computer Account, type the Management Server Action Account and password, select the domain or local computer from the list, and then click Next. 10. On the SDK and Config Service Account page, select Domain or Local Account, type the user account and password, select the domain or local computer from the list, and then click Next. 11. On the Web Console Authentication Configuration page, select Use Windows Authentication and click Next. 12. On the Customer Experience Improvement Program page, leave the default option of I Don't Want to Join the Program selected, and then click Next. 13. On the Microsoft Update page, select Use Microsoft Update and click Next.
336
CHAPTER 7
Operations Manager Implementation and Administration
14. On the Ready to Install page, click Install. 15. When the Completing the System Center Operations Manager 2007 R2 Setup Wizard page opens, leave the Backup Encryption Key check box selected to back up the encryption key.
NOTE A copy of the encryption key is needed to promote a management server to the role of the Root Management Server in the event of a failure of the RMS. It is recommended to go through the tool when it launches and to save a backup of the encryption key.
16. Leave Start the Console selected to open the Operations Console. 17. Click Finish. The third part is to install the Reporting and Data Warehouse components on the database server. Complete the following steps to run the install: 1. Log on to the database server (OM2 in this example) with the OpsMgr service account. 2. Launch SetupOM.exe from the OpsMgr installation media. 3. Click Install Operations Manager 2007 R2 Reporting. 4. Click Next. 5. Accept the license agreement and click Next. 6. Enter the User Name, Organization, and CD Key, if required, and then click Next. 7. The Data Warehouse and the Reporting Server components will be selected. Change the directories, if needed, and then click Next. 8. Enter the name of the Root Management Server and click Next. 9. Select the instance of SQL Server on which to install the Operations Manager 2007 R2 Data Warehouse database, and then click Next. 10. Leave the default database size of 1,000MB. Change the data and log file locations, if needed, and then click Next. 11. Select the SQL Server Reporting Services server and click Next.
WARNING The warning is indicating that the Windows security module for the Reporting Services instance will be replaced with the custom OpsMgr security module to provide integrated security with the OpsMgr console. This causes problems with any other preexisting applications that are using the Reporting Services instance.
12. Enter the Data Warehouse Write Account username and password, and then click Next.
Installing Operations Manager 2 0 0 7 R2
337
13. Enter the Data Reader Account username and password, and then click Next. 14. On the Operational Data Reports page, select whether to send reports to Microsoft and click Next. 15. On the Microsoft Update page, select Use Microsoft Update and click Next. 16. Click Install to start the installation. 17. Click Finish to exit the install wizard. Operations Manager 2007 R2 is now installed in a multiserver configuration. This configuration can manage up to 500 servers.
OpsMgr 2007 R2 Audit Collection Services Install Audit Collection Services (ACS) collects security events from the security log of agents configured as alert forwarders. This can be quite a heavy load, so the ACS functionality is typically installed on separate servers to avoid impacting the operational data collection and alerting. There will be two servers in this example, with the audit collection server named ACS1 and the audit database server named ACS2. Figure 7.7 shows the architecture for the ACS build. ACS1
Ü
Audit Collector Server
ACS2 / " " " " I Audit Database Server 1 «
8
FIGURE 7 . 7
Operations Manager 2007 R2 ACS architecture.
NOTE The ACS architecture and build are essentially the same for small, medium, and even large organizations. The differences are only in the size and configuration of the audit database server disk subsystem.
The hardware specification for the ACS1 audit collection server configuration is as follows: • 2 cores • 4GB of RAM • 2-disk RAID 1
338
CHAPTER 7
Operations Manager Implementation and Administration
The steps in this section assume that the audit collection server ACS1 has been prepared with the following: • Windows Server 2008 R2 operating system installed • .NET Framework 3.5.1 features installed • WS-MAN v l . l (for UNIX/Linux audit collection) • An OpsMgr service account with local administrator rights to the server and system administrator rights to SQL Server 2008 The hardware specification for the ACS2 audit database server configuration is as follows: • 4 cores • 4GB of RAM • 6-disk RAID 10 for data and 2-disk RAID 1 for logs These hardware requirements ensure that the system can perform to specification. The steps in this section assume that the database server ACS2 has been prepared with the following: • Windows Server 2008 R2 operating system installed • Web role with the appropriate role services installed • .NET Framework 3.5.1 features installed • SQL Server 2008 with Reporting Services installed • An OpsMgr service account with local administrator rights to the server and system administrator rights to SQL Server 2008
NOTE Although the configuration will work with either SQL Enterprise or SQL Standard Edition, SQL Enterprise Edition is the preferred choice due to the performance improvements. See Chapter 6 for details.
For the audit collection database server ACS2, the following Web Server roles services are needed: • Static Content • Default Document • Directory Browsing • HTTP Errors • Request Filtering • ASP.NET
Installing Operations Manager 2 0 0 7 R2
339
• .NET Extensibility • ISAPI Extensions • ISAPI Filters • Windows Authentication • IIS 6 Metabase Compatibility • IIS 6 WMI Compatibility The first five are selected by default when adding the Web Server role to Windows Server 2008; the other services must be added. There are three parts to the installation of the ACS functionality. These parts are as follows: 1. Management Server component install 2. Audit collection server install 3. ACS report model install The first part is to install the Management Server component on the audit collection server ACS1, which is needed for the ACS collector to function. All ACS collectors are also management servers.
NOTE There is no prerequisite checker for ACS specifically, but the prerequisite checker can be used to verify the management server install readiness, which is a requirement for the Audit Collection Server installation.
To use the Prerequisite Viewer for the ACS management server, complete the following steps: 1. Log on to the audit collection server (ACS1) with an account that has administrator rights. 2. Insert the Operations Manager 2007 R2 installation media. 3.
The setup starts automatically or you can launch
Setup0M.exe.
4. Click Check Prerequisites to start the Prerequisite Viewer. 5. Select Server and then click Check. 6. When you are finished with the Prerequisite Viewer, click Close.
NOTE The prerequisite checker findings can be updated without having to relaunch the application after remediating findings by clicking the Check button.
340
CHAPTER 7
Operations Manager Implementation and Administration
Follow the corrections in the prerequisite checker to resolve any problems before proceeding to the installation. Some of the guidance will be warnings, particularly with some of the hotfixes. Leaving out hotfixes might allow the installation to proceed, but might make the OpsMgr application less stable. It is highly recommended that all the recommendations be applied to ensure the most stable platform possible. If any of the installations require a reboot, it is recommended to run the prerequisite checker again. Once the audit collection server meets all the prerequisites and is ready for installation, complete the following steps to run the install: 1. Log on to the audit collection server (ACS1 in this example) with the OpsMgr service account. Launch
2.
SetupOM.exe
from the OpsMgr installation media.
3. Click Install Operations Manager 2007 R2. 4. Click Next. 5. Accept the license agreement and click Next. 6. Enter the User Name, Organization, and CD Key, if required, and then click Next. 7. When the Custom Setup page opens, change the components to only have the Management Server component selected (as shown in Figure 7.8), and then click Next. »
[(y S y s t e m Center Operations Manager 2007 U Setup C u t t o m Setup Select the components that yoj want to ins at O c k e r «n m tfceistbeiow to d e n g e hew that component wil be instated. Component descriptor
X - J X - User Interfaces X Command She! X -I 'ActaConsole
Ths component instáis Microsoft Operations Manöver Management Server.
ttis component reojires 32QM5 on your hard drive.
Location: C; "program "les\5ystem Center Cperabons Man*£« 200A
Disfc ¡ ¿ » p e
FIGURE 7 . 8
I
< Back
|
!*e*t >
[
Cancel
Management Server component install for ACS.
8. Enter the name of the database server and instance (if not default) in the System Center Database Server text box and click Next. 9. Select Domain or Local Computer Account, type the Management Server Action Account and password, select the domain or local computer from the list, and then click Next. 10. On the SDK and Config Service Account page, select Domain or Local Account, type the user account and password, select the domain or local computer from the list, and then click Next.
Installing Operations Manager 2 0 0 7 R2
341
11. On the Microsoft Update page, select Use Microsoft Update and click Next. 12. On the Ready to Install page, click Install. 13. Click Finish. The second part of the ACS installation is the audit collection server install on ACS1, which also creates the audit collection database.
NOTE Before installing the audit collection database, firewall ports need to be opened per the Microsoft KB article at http://support.microsoft.com/kb/968872.
Once the appropriate firewall ports have been opened, complete the following steps to install ACS: 1. Log on to the audit collection server (ACS1) with the OpsMgr service account. 2. Launch SetupOM.exe from the OpsMgr installation media. 3. Click Install Audit Collection Server. 4. Click Next. 5. Accept the license agreement and click Next. 6. Select Create a New Database and click Next. 7. Leave the data source name at the default (OpsMgrAC) and click Next. 8. Enter the audit database server name (ACS2 in this example) and click Next. 9. Select Windows Authentication and click Next. 10. Specify the database and log file locations. These need to be created beforehand. Then click Next. 11. On the Event Retention Schedule page, note that the daily database maintenance will take place at 2:00 a.m. and that the default number of days to retain data is 14. Accept the defaults by clicking Next.
WARNING Changing the default retention can have a large impact on the size of the audit database. ACS collects large quantities of events, so increasing the retention window can create very large databases. Only change after careful review. See Chapter 6 for details on sizing the databases.
12. Leave the Time Stamp Format at Local and click Next. 13. Click Next to start the install. 14. At the SQL Server Login pop-up, click OK to use the existing credentials or enter credentials to use.
342
CHAPTER 7
Operations Manager Implementation and Administration
NOTE These credentials are used to connect to the remote database server and set up the OperationsManagerAC database. They need appropriate rights to the remote database server.
15. Click Finish to exit the wizard. The third part of the installation is the ACS Report Model install, which provides access to the database via reports. This is done on the Operations Manager Reporting Server (OM2 in this example) to allow for full integration into the Operations Manager console. The model install is done via command line, rather than a wizard. The command line takes the format: UploadAuditReports.cmd
{DatabaseServer\Instance}
{ReportingServicellRL}
{ReportFolder}
In this example, the database server is the ACS2 audit database server, the Reporting Service URL is https://om2.companyabc.com/ReportServer, and the report folder is d : \ R e p o r t M o d e l s \ a c s . To install the reports, use the following steps: 1. Log on to the database server (OM2 in this example) with the OpsMgr service account. 2. Insert the OpsMgr installation media. 3. Open a command prompt, using Start, Run, cmd. 4. Change to the installation media drive letter, D: in this example. 5.
Enter the command directory.
6.
EnterthecommandUploadAuditReports.cmd
cd
\ReportModels\acs
to change to the
A CS
report models
ACS2
h t t p s : / /om2. companyabc. com/ReportServer d: \ReportModels\acs and press Enter
to execute the command. The results will be as follows: C:\>d: D:\>cd
\ Re p ort M od e l s \ a c s
D:\ReportModels\acs>UploadAuditReports.cmd
ACS2
h t t p s : / / o m 2 . c o m p a n y a b c . c o m / R e p o r t S e r v e r d:\ReportModels\acs Warning(s)
Loading
file
d:\ReportModels\asc\Models\Audit.smdl:
Warning(s)
Loading
file
d:\ReportModels\asc\Models\Audit5.smdl:
D: \ReportModels\acs>
The warnings are normal and do not indicate a problem. After executing the command, in the Operations Manager console in the Reporting space there will be a new folder named "Audit Reports" with 25 reports. The ASC infrastructure is now deployed and ready for use.
Deploying OpsMgr Agents
343
NOTE Although the ACS infrastructure has been deployed, no audit forwarders have been configured and, thus, no security data will be collected. In the next section, agents are configured as audit forwarders to enable the collection of security events.
Deploying OpsMgr Agents OpsMgr agents are deployed to all managed servers through the OpsMgr Discovery Wizard, or by using software distribution mechanisms such as Active Directory GPOs or System Center Configuration Manager 2007. Installation through the Operations Console uses the fully qualified domain name (FQDN) of the computer. When searching for systems through the Operations Console, you can use wildcards to locate a broad range of computers for agent installation. Certain situations, such as monitoring across firewalls, can require the manual installation of these components. The Discovery Wizard can discover and configure monitoring for Windows computers, UNIX/Linux computers, and for network devices. It will push agents to Windows and UNIX/Linux computers, as long as the proper rights are provided, such as an account with local administrator rights or a root account.
Installing Windows Agents To install domain member agents using the Discovery Wizard, complete the following steps: 1. Launch the Operations Console and select the Administration section. 2. Right-click the top-level Administration folder and select Discovery Wizard. 3. Select Windows computers and click Next. 4. Select Automatic Computer Discovery and click Next. This scans the entire Active Directory domain for computers. 5. Leave the Use Selected Management Server Action Account selected and click Discover. This starts the discovery process. 6. After the discovery process runs (this might take a few minutes), the list of discovered computers is displayed. Select the devices that should have agents deployed to them, as shown in Figure 7.9.
NOTE The list only includes systems that do not already have agents installed. If a computer has an agent installed, the wizard excludes it from the list of devices.
344
CHAPTER 7
Operations Manager Implementation and Administration
Computer and Device H i M B c m e n f Wizard
~
^
Select Objects to Manage
Î ^ H B c Ë J
_
—- -
Discovery Type Auto or .Advanced?
Discovery Results
Discovery Method The dis co very process found the folio wing un-managed devices. Administrator Account Select t h e devices you w a n t to m a n a g e :
Ssfect OfcfBctE to Manage
Select All
|
Deselect AH
|
PI ACS2.conipanyabc.com
Summary
l~l DAl.companyabc.cEm 0
DCl.njmpanyabccom
0 DC2. company a c t com El QM2,companyabc.com • SERVER Lcompenyabc.com 0 SM 1. coripanyabc. can |~| 'iVSLcornparvfabccarn • '»VSLconipartyabc.com Q WIS 2. componrfibc. com
N o « : Tf you do rot s e e ail of the computers you ewpeci to see r you car, obtain i nf ormati on on troubles hooting disco v ery i ss ues a: tap ://ao .nucros oftcorn/fv^rfrp LlnkID= 126940. Menflgemcnt Server |0M 1-companyabc-com Management Mode; | Agent
jJ
< Previous 11
FIGURE 7 . 9
Next >
|
|
Cancel
|
Discovered computers.
7. Click Next. 8. Leave the Agent Installation Directory and the Agent Action Account at the defaults, and then click Finish. 9. The Agent Management Task Status window opens, listing all the computers selected and the progress of each installation. As shown in Figure 7.10, the agent installation task started for the selected computers. The ACS2 and OM2 agents have been installed successfully and the others are in progress. 10. Click Close when the installation completes. Even if the window is closed before the installs complete, the results of the installs can be viewed in Task Status view in the Monitoring section of the Operations Console. The agent deployment is very efficient and a large number of computers can be selected for deployment without any issues. The agents start automatically and begin to be monitored as they are discovered. After installation, it might be necessary to wait a few minutes before the information from the agents is sent to the management server.
Deploying OpsMgr Agents
A g e n t M a n a g e m e n t Task Status
345
j a l ^ i"
Task target
| status
¿íjDC 1.compon'íobc.cwn
Started
'¿i>DC2.LLKtipai iwfat.tuni @f)M?.rampanifahr.fniti
Started SllíTPSS
j£jj5M l-companyabc.com
Started
Task Output
Copy Tpit -ïà Cupy HTM
T h e tack completed successfully.
Yuu riui cliisr Ihis [lining rit riiiy limp. DJIÍIHJ su Î ill nut iiilpjiupl pipculiiig lask-s. YIIU 4 di eck the status of tasks in a task status vi ew.
FIGURE 7 . 1 0
Agent installation progress.
During the next few minutes after installation, the agent contacts the management server and establishes a mutually authenticated, encrypted communication channel with the assigned management server. If the agent was pushed through a software delivery system such as System Center Configuration Manager 2007 R2, the agent determines the management server through Active Directory-integrated discovery. Figure 7.11 shows the state of the agents after deployment. The computers show the Agent or Management Server state as healthy. However, the Windows Operating System state shows as Not Monitored. This is because there have been no additional management packs imported on this newly installed Operations Manager infrastructure. Management packs must be imported and configured for OpsMgr to monitor additional objects like the Windows operating systems. See Chapter 8, "Using Operations Manager for Monitoring and Alerting," for detailed instructions on importing, configuring, and using management packs. Once management packs are imported, the agent downloads rules to discover the various applications and components it's hosting, allowing the correct application-specific management packs to be applied. This discovery process runs periodically to ensure the correct rules are always applied to the server.
346
CHAPTER 7
FIGURE 7 . 1 1
Operations Manager Implementation and Administration
Agent state in a new infrastructure.
Configuring Alert Forwarders The Audit Collection Services does not start collecting security event data after installation of the audit collection server. The audit collection server install creates the following ACS components: • Audit collection • Audit collection database It does not enable the third ACS component, which is the: • Audit forwarder The audit forwarder is installed with each agent and the service is the Operations Manager Audit Forwarding Service, but is disabled by default, as shown in Figure 7.12. The service must be enabled through the console, which configures the audit forwarder to send security events to the correct audit collector and enables the service. The steps to enable the Audit Forwarder component and, thus, enable audit collection are done on an agent-by-agent basis. To enable audit collection, complete the following steps: 1. Launch the Operations Manager console. 2. Select the Monitoring space. 3. Expand the Operations Manager folder. 4. Expand the Agent folder. 5. Select the Agent Health State view.
Deploying OpsMgr Agents
347
-JAI X F*
Airar
I #
7
V»l «nd M«$R t. rVflvdet iMIy t ^ í I t f w S s. Ihr NtlnOk J«Ct» ftfllttBçrt ffUP) agent « . « W
EiTOip C M k v S m * n denote ProttAre Cal (BtC) & Kernet* Tœedire Cal (RK) Lauto Ù- fteroie leffilj f Ai ÎH t í Wv« Oetn,*« nebwK noîSteta* (je.g. nlcfaíeadSSonJÍ,.. « . t í » ¿ « i r f w . Enafcm remet* WPS «nde*ttrpr«essrj ta gjery p r t a n w w e». Pffferain«lH6P«nd AlffBCíí«W9rfenM«rd«»fre"il««l0...
•.V.,Prrtnmianfe CiUW OU Mo« • T.1- fyrfamtrvr loci & iîçrts i^WjÇ ond P\n & PnM-J. IP Bui I f u w i m ä f t r u t i e Oevte trunerit» sei tice
\Su*a SWrted Sorted Staled
Értf»teíSrPWi**e»£r lomjitemattttoiapefeues. inanes ... Hirmín p o f r fdUy tnS pOmn pntcy rtaMeatlärt A l m .audi Kri Ig Bfmtty fer lacrf ¡ f i ü n j Thf «mtecBwidcf acefftfar \**nç,«ndngandd«»eWflf»-.ÍYíwsSeS sroceowí SÖST«* ftr SM01 « C*S5»0riíí. Creetet í « e n e e s « ¡A»reettCenetwsdi rfienever » Bre$rímréf.,, Hanaçet AaKtf **d t*iud ¿rrrate n e t m t CiPN] cumr;ta* fröre.,.
IU>t*d Start«!
l«al$idttn Local Servtce WtwikStrwce AJÜHTJSÍ CHjbW Maruií M|««t fatoraftc Odabied MiruJt Jhutomtb« Aalonaof mhm# M»iW Minuit Mtnrif
LwalSyítra l«al îyïte*
dlo*i u*rs M « n x o «t*r#csvrtf » • < the » G S SBvee s ï»e 5erwíe Control HMfle'fbr COM *a DC... In VWdWts ¡MJ «nd eerier m i m * of Wildem, Vie fttmsie rr«,,, rlttftfmHBBOCan ttü cemrier. L..
Started Started
mm*
Started
Oflr« rnuHrc v r o r n » bgsnps»« n öcal area and vud? «rea ft»... a*wke*^«iterfew
Co
Mw
Took
Http
— • « H ü H f l