It's well documented that a managed infrastructure can bring significant savings. System Center Configuration Manager (SCCM) 2007 is Microsoft's answer for managing medium and large enterprises.
While SCCM is a popular management solution, one major drawback is the lack of support for non-Windows devices. Despite the complexities of SCCM, it offers some compelling benefits over standard Active Directory (AD) management tools and can considerably reduce the costs of managing large distributed networks.
Integrating SCCM into your existing infrastructure can be a mammoth undertaking and will be further complicated if the hierarchy includes multiple sites. SCCM is likely to require an experienced engineer, so small companies should consider System Center Essentials or using the native AD tools.
Software distribution is the No. 1 feature that comes to mind when discussing SCCM. The ability to schedule the distribution of both physical and virtual (APP-V) applications with granular targeting across the enterprise — and outside the boundaries of the corporate network using Internet-based client management — makes SCCM more flexible than Group Policy software deployment. Integration with Windows Server Update Services (WSUS) provides software updating and patching.
The ability to perform software and hardware inventories is known as asset intelligence in SCCM, with comprehensive reporting capabilities that allow enterprises to track licences and determine how often users run programs.
Desired configuration management is now a native SCCM component and lets organizations set configuration baselines, generate compliance reports and take action on devices that don’t comply with a given policy.
SCCM can be used to deploy Windows client and server operating systems and has many advantages compared with native Windows Deployment Services, such as:
Other noteworthy SCCM features include remote control, out-of-band management using Intel Active Management Technology (AMT) and integration with Network Access Protection.
The two most important technical decisions to make before installing SCCM regard the hierarchy of SCCM sites and their mode (native or mixed).
An SCCM hierarchy can consist of three types of sites: central, primary and secondary. In a simple scenario with only one site, the central and primary site roles are combined. Multiple sites might be required because of network bandwidth restrictions or for scalability.
The central site should be placed in a location with the best network connections, and if the hierarchy will support more than 100,000 nodes, the central site should be dedicated for administration and not include any clients.
Secondary sites don’t require a SQL Server and support fewer roles than primary sites. The branch distribution point (BDP) role can be hosted on low-powered hardware running either a server or a client operating system; it uses Background Intelligent Transfer Service (BITS) to throttle bandwidth while downloading software packages from a standard distribution point, which can make a BDP preferable to deploying a secondary site.
There’s a long list of SCCM roles, but the most important are:
In native mode, SCCM requires a public key infrastructure (PKI) to manage Internet-connected devices securely; this removes the need for remote users to establish a virtual private network (VPN) connection to the corporate intranet to receive updates from SCCM. Mixed mode allows integration with Systems Management Server 2003.
SCCM can be installed on Windows Server 2003 Service Pack 1 or later (note that Server Core is not supported); the recommended minimum requirements from Microsoft are a 2 gigahertz processor, 1 megabyte of RAM and 15 gigabytes of free disk space. Sizing your server will depend on the roles it hosts and the number of clients supported.
The steps below assume you have a single Windows Server 2008 AD forest and domain, and one Windows Server 2008 server that will host a primary SCCM site with SQL 2005 SP2, WSUS 3.0 SP1 and Internet Information Services (IIS). In a production environment, it’s best practice to deploy SQL, WSUS and SCCM on separate physical servers.
The SCCM server must be a member of an AD domain. In most cases, IIS should be installed with the Web-based Distributed Authoring and Versioning (WebDAV) and BITS server extensions. Detailed prerequisites for the various SCCM roles are available online at Microsoft TechNet. The SCCM installation DVD includes a prerequisite check tool, but don’t expect it to verify everything.
Make sure that the server on which you choose to install SCCM is joined to your domain and begin by setting up the prerequisite components:
Note that SCCM’s software update point role is not enabled by default even if WSUS is installed on the same box as SCCM.
You should run the following command on the domain controller that holds the schema master role, using an account that is a member of the Schema Admins group. The file configmgr_ad_schema.ldf can be found on the SCCM installation media. ADSI Edit can be run on any Windows Server 2008 member server with an account that is a member of the Domain Admins group.
Note here that the prerequisite tool doesn’t check for successful implementation of the system management container.
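Because the prerequisite checker does not confirm the System Management container, it is worth scripting the schema import together with a check for that container. The batch script below is an added example, not from the article or from Microsoft's media: it assumes D:\ is the installation DVD, that the .ldf sits under SMSSETUP\BIN\I386 on that DVD, a domain of DC=contoso,DC=com and a site server computer account CONTOSO\SCCM01$ (all placeholders). The final dsacls step grants the site server Full Control on the container, which is part of Microsoft's documented container setup rather than something the article describes.

```batch
@echo off
rem Added example (not from the article): extend the AD schema for SCCM 2007 and
rem verify the System Management container that the prerequisite checker skips.
rem Run on the domain controller holding the schema master role, as a Schema Admin
rem who is also a Domain Admin (needed for the dsacls step).
rem Placeholders (assumptions): DVD drive D:, domain DC=contoso,DC=com,
rem site server computer account CONTOSO\SCCM01$.
setlocal
set SCHEMA_LDF=D:\SMSSETUP\BIN\I386\configmgr_ad_schema.ldf
set DOMAIN_DN=DC=contoso,DC=com
set SITE_SERVER=CONTOSO\SCCM01$
set CONTAINER_DN=CN=System Management,CN=System,%DOMAIN_DN%

rem 1. Import the schema extensions: -i import, -f file, -v verbose,
rem    -j directory for ldif.log / ldif.err.
ldifde -i -f "%SCHEMA_LDF%" -v -j "%TEMP%"
if errorlevel 1 (
  echo Schema import failed. See %TEMP%\ldif.log and %TEMP%\ldif.err
  exit /b 1
)

rem 2. Confirm the System Management container exists. dsquery returns a
rem    non-zero exit code when the object is not found.
dsquery * "%CONTAINER_DN%" -scope base -attr distinguishedName >nul 2>&1
if errorlevel 1 (
  echo "%CONTAINER_DN%" is missing. Create it with ADSI Edit before installing SCCM.
  exit /b 1
)

rem 3. Grant the site server's computer account Full Control (GA = generic all)
rem    on the container and everything beneath it (/I:T) so the site can
rem    publish its information to AD.
dsacls "%CONTAINER_DN%" /G "%SITE_SERVER%:GA" /I:T
if errorlevel 1 (
  echo Failed to grant %SITE_SERVER% rights on the container.
  exit /b 1
)
echo Schema extended and System Management container verified.
endlocal
```

Run the script once from an elevated command prompt on the schema master; re-running the ldifde import is harmless because attributes that already exist are reported and skipped.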
Before installing SCCM, if you’ve decided to go with native mode, you’ll need to issue a site server signing certificate to the SCCM server, a web server certificate to the default website in IIS and client certificates to managed devices, including the SCCM server itself. Detailed instructions can be found at Microsoft TechNet.
Once SCCM has installed, configure an SCCM site boundary:
Let’s configure the distribution and management points to support Internet-based clients (native mode only):
Before you configure and push out clients to your workstations, you need to set a discovery method:
Here’s a tip: Before the SCCM agent can be pushed out to clients, you must allow inbound access on Windows Firewall for file and printer sharing and Windows Management Instrumentation (WMI). For Windows XP clients, WMI inbound access can be enabled from the command line (netsh firewall set service remoteadmin enable) or using Group Policy. More information on firewall settings for SCCM clients can be found at Microsoft TechNet. If you’re running in native mode, clients must have an SCCM client certificate installed.
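The two firewall exceptions the tip calls for can be opened with a narrower scope than "everyone", which is what the bare netsh command in the tip does. The batch script below is an added example (not from the article) for Windows XP SP2/SP3 clients; it assumes 10.0.0.0/255.255.255.0 is the management subnet containing the SCCM site server (a placeholder) and limits both exceptions to that subnet and to the domain profile only.

```batch
@echo off
rem Added example (not from the article): open only the inbound services the SCCM
rem client push needs on the Windows XP firewall, limited to the site server's
rem subnet and to the domain profile. Run as a local administrator on the client,
rem or deploy as a computer startup script.
rem Placeholder (assumption): 10.0.0.0/255.255.255.0 is the management subnet.
setlocal
set MGMT_SCOPE=10.0.0.0/255.255.255.0

rem File and Printer Sharing, which the client push uses to copy the agent
rem installer to the workstation.
netsh firewall set service type=fileandprint mode=enable scope=custom addresses=%MGMT_SCOPE% profile=domain
if errorlevel 1 goto :fail

rem Remote Administration (WMI over DCOM): the article's
rem "netsh firewall set service remoteadmin enable" with a custom scope added.
netsh firewall set service type=remoteadmin mode=enable scope=custom addresses=%MGMT_SCOPE% profile=domain
if errorlevel 1 goto :fail

rem Verification: show the configured services so the restricted scope is visible.
netsh firewall show service
endlocal
exit /b 0

:fail
echo Failed to configure the Windows Firewall exception.
endlocal
exit /b 1
```

If the same settings are delivered through Group Policy instead, the equivalent controls are the "Allow inbound file and printer sharing exception" and "Allow inbound remote administration exception" policies, each of which takes the same address list in its scope field.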
Now you need to set up some agents and properties for the computer client agent:
The All Systems collection should be populated with computer accounts from your AD domain. Check one of your workstations: within a few minutes the client software should be deployed and its Control Panel applets should appear (Figure 7).
Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.