Take Control With System Center Configuration Manager
It's well documented that a managed infrastructure can bring significant savings. System Center Configuration Manager (SCCM) 2007 is Microsoft's answer for managing medium and large enterprises.
While SCCM is a popular management solution, one major drawback is the lack of support for non-Windows devices. Despite the complexities of SCCM, it offers some compelling benefits over standard Active Directory (AD) management tools and can considerably reduce the costs of managing large distributed networks.
Integrating SCCM into your existing infrastructure can be a mammoth undertaking and will be further complicated if the hierarchy includes multiple sites. SCCM is likely to require an experienced engineer, so small companies should consider System Center Essentials or using the native AD tools.
What Can SCCM Do For You?
Software distribution is the No. 1 feature that comes to mind when discussing SCCM. The ability to schedule the distribution of both physical and virtual (APP-V) applications with granular targeting across the enterprise — and outside the boundaries of the corporate network using Internet-based client management — makes SCCM more flexible than Group Policy software deployment. Integration with Windows Server Update Services (WSUS) provides software updating and patching.
The ability to perform software and hardware inventories is known as asset intelligence in SCCM, with comprehensive reporting capabilities that allow enterprises to track licences and determine how often users run programs.
Desired configuration management is now a native SCCM component and lets organizations set configuration baselines, generate compliance reports and take action on devices that don’t comply with a given policy.
SCCM can be used to deploy Windows client and server operating systems and has many advantages compared with native Windows Deployment Services, such as:
- automatic generation of unattended files
- image pre-staging
- automatic build and capture of reference images
- automatic driver deployment and reporting based on hardware IDs
- ability to deploy multiple disk partitions
- Wake-On-LAN integration
Other noteworthy SCCM features include remote control, out-of-band management using Intel Active Management Technology (AMT) and integration with Network Access Protection.
Planning for SCCM
The two most important technical decisions to make before installing SCCM regard the hierarchy of SCCM sites and their mode (native or mixed).
An SCCM hierarchy can consist of three types of sites: central, primary and secondary. In a simple scenario with only one site, the central and primary site roles are combined. Multiple sites might be required because of network bandwidth restrictions or for scalability.
The central site should be placed in a location with the best network connections, and if the hierarchy will support more than 100,000 nodes, the central site should be dedicated for administration and not include any clients.
Secondary sites don’t require an SQL server and support fewer roles than primary sites. The branch distribution point (BDP) role can be hosted on low-powered hardware with a server or client operating system and uses Background Intelligent Transfer Service (BITS) for bandwidth throttling to download software packages from a distribution point, which may be preferable to deploying a secondary site.
There’s a long list of SCCM roles, but the most important are:
- Managements Point (MP): Client-to-SCCM-site server communication
- Server Locator Point (SLP): Not required if you extend the AD schema to support SCCM, and all sites and clients are members of the same forest
- Software Update Point (SUP): For integration with Windows Server Update Services (WSUS)
- Distribution Point (DP): Stores software for distribution to clients
- Branch Distribution Point (BDP): Uses BITS to download software packages from a distribution point. Can be enabled on any machine with the SCCM client agent installed.
SCCM requires a public key infrastructure (PKI) to support secure management of Internet-connected devices in native mode and removes the need for remote users to establish a virtual private network (VPN) connection to the corporate intranet to receive updates from SCCM. Mixed mode allows integration with System Management Server 2003.
SCCM can be installed on Windows Server 2003 Service Pack 1 or later (note that Server Core is not supported); the recommended minimum requirements from Microsoft are a 2 gigahertz processor, 1 megabyte of RAM and 15 gigabytes of free disk space. Sizing your server will depend on the roles it hosts and the number of clients supported.
The steps below assume you have a single Windows Server 2008 AD forest and domain, and one Windows Server 2008 server that will host a primary SCCM site with SQL 2005 SP2, WSUS 3.0 SP1 and Internet Information Services (IIS). In a production environment, it’s best practice to deploy SQL, WSUS and SCCM on separate physical servers.
The SCCM server must be a member of an AD domain. In most cases, IIS should be installed with web-based Distributed Authoring and Versioning (WebDAV) and BITS server extensions. Detailed prerequisites for the various SCCM roles are available online at Microsoft TechNet. The SCCM installation DVD includes a prerequisite check tool, but don’t expect it to verify everything.
Make sure that the server on which you choose to install SCCM is joined to your domain and begin by setting up the prerequisite components:
- Log on to the member server with domain administration privileges.
- Save answer.xml to the root directory of your C: drive.
- Open a command prompt and run the servermanagercmd to install IIS prerequisites for SCCM, WSUS 3.0 SP1 and IIS Manager:
servermanagercmd.exe -inputPath c:\answer.xml -logPath c:\IISinstall.log
- Download and install WebDAV 7.5.
- Run webdav.bat to configure WebDAV for IIS 7.
- Install SQL Server 2005 SP2.
- Make sure that the server has all Windows updates applied and then install WSUS 3.0 SP1 as follows: Open Server Manager from the Start menu. Right click Roles in the left pane and select Add Roles.
- Skip the Before You Begin screen, check Windows Server Update Services on the Select Server Roles screen and click Next.
- Use the existing SQL database and create a Windows Server Update Services 3.0 SP1 website during the install. Don’t use Server Manager to configure WSUS options. WSUS configuration should be managed by SCCM.
- Extend the AD schema with the following command:
ldifde –i –f c:\configmgr_ad_schema.ldf –v –j c:\ldifde.log
- Type ADSI edit in the search box on the Start menu and press ENTER.
- Right click ADSI Edit in the left pane and select Connect to... Click OK on the Connection Settings screen.
- Expand Default naming context in the left pane until you find CN=System.
- Right click CN=System and select New > Object. Select container from the list and click Next.
- Type System Management as the value, click Next and then Finish.
- Right click the System Management container in the central window and select Properties. Switch to the Security tab, add the SCCM server’s computer account, give it full control permissions and click OK to continue. Close ADSI Edit.
- On the Windows Server 2008 member server, insert the SCCM DVD installation media and run the prerequisite tool from the splash screen.
- If all prerequisites are verified, install SCCM.
Note that SCCM’s software update point role is not enabled by default even if WSUS is installed on the same box as SCCM.
You should run the following command on a machine designated as a schema master and using an account that is a member of the Schema Admins group. configmgr_ad_schema.ldf can be found on the SCCM installation media. ADSI Edit can be run on any Windows Server 2008 member server with an account that is a member of the Domain Admins group.
Note here that the prerequisite tool doesn’t check for successful implementation of the system management container.
Before installing SCCM, if you’ve decided to go with native mode, you’ll need to issue a site server signing certificate to the SCCM server, a web server certificate to the default website in IIS and client certificates to managed devices, including the SCCM server itself. Detailed instructions can be found at Microsoft TechNet.
Once SCCM has installed, configure a SCCM site boundary:
- Open the Configuration Manager (ConfigMgr) Console from Start > All Programs > Microsoft System Center > Configuration Manager 2007.
- In the left pane expand Site Database until you reach the Site Settings node, where you’ll find Boundaries.
- Right click Boundaries and select New Boundary from the menu.
- Give the new boundary a description and then select Active Directory site from the Type menu (Figure 1). Click Browse, select your AD site and click OK.
- Select the Network Connection speed as appropriate and click OK.
Let’s configure the distribution and management points to support Internet-based clients (native mode only):
- In the left pane, expand Site Systems under Site Settings and click your SCCM server.
- In the central window, right click ConfigMgr site system and select Properties.
- Check Specify an Internet-based fully qualified domain name for the site system, enter the Internet FQDN for your SCCM server (Figure 2) and click OK.
- Right click ConfigMgr distribution point and select Properties.
- Check Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS, select Allow both intranet and Internet client connections from the menu (Figure 3) and click OK.
- Repeat steps 4 and 5 for ConfigMgr management point.
Before you configure and push out clients to our workstations, you need to set a discovery method:
- In the left pane under Site Settings click Discovery Methods.
- In the central window double click Active Directory System Discovery.
- On the General tab check Enable Active Directory System Discovery and then click the yellow star. Leave the default settings of Local domain and Recursive checked and click OK.
- Select the top level of your AD hierarchy to include all systems for discovery and click OK. The Lightweight Directory Access Protocol path will be added as shown in Figure 4.
- Switch to the Polling Schedule tab and set the schedule to hourly. Check Run discovery as soon as possible and click OK.
- In the left pane under Site Database expand Computer Management, right click All Systems and select Update Collection Membership. If discovery has run, you should see all workstations joined to your domain appear in the central window.
Here’s a tip: Before the SCCM agent can be pushed out to clients, you must allow inbound access on Windows Firewall for file and printer sharing and Windows Management Instrumentation (WMI). For Windows XP clients, WMI inbound access can be enabled from the command line (netsh firewall set service remoteadmin enable) or using Group Policy. More information on firewall settings for SCCM clients can be found at Microsoft TechNet. If you’re running in native mode, clients must have an SCCM client certificate installed.
Now you need to set up some agents and properties for the computer client agent:
- Click Client Agents under Site Settings and double click Advertised Programs Client Agent in the central pane.
- On the General tab, check all three settings and click OK.
- Double click Computer Client Agent, click Set under Network Access Account on the General tab and specify an AD user account with domain user privileges.
- Move to the BITS tab and make sure that Apply to branch distribution points and all clients is selected and Allow BITS downloads outside of throttling window is checked (Figure 5). Click OK to continue.
- In the left pane, click Client Installation Methods and then double click Client Push Installation in the central window. On the General tab, check Enable Client Push Installation to assigned resources and Workstations.
- On the Accounts tab, click the yellow star and select an AD user account that has local administrator privileges on workstations where the SCCM client will be installed.
- On the Client tab, you’ll add two additional parameters: SMSCACHESIZE=16000 and CCMHOSTNAME=sccm.contoso.com (Figure 6). Click OK to continue. CCMHOSTNAME sets the FQDN on the client for contacting SCCM across the Internet (native mode only). SMSCACHESIZE allows the local cache to grow to 16GB.
- In the left pane under Site Database, expand Computer Management, right click All Systems and select Install Client.
- Click Next on the welcome screen. Check Include only clients in the site’s boundaries, click Next and then Finish on the summary screen.
The All Systems collection should be populated with computer accounts from your AD domain. Check one of your workstations and you should find that within a few minutes the client software control panel applets will be deployed (Figure 7).
Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.