System Center Configuration Manager (SCCM) 2007 Unleashed

Foreword xxiIntroduction 1Part I: Configuration Management Overview and Concepts 2Part II: Planning, Design, and Installation 2Part III: Configuration Manager Operations 2Part IV: Administering Configuration Manager 2007 3Part V: Appendixes 3Part I: Configuration Management Overview and ConceptsChapter 1 Configuration Management Basics 7Ten Reasons to Use Configuration Manager 8The Evolution of Systems Management 9Hurdles in the Distributed Enterprise 10The Automation Challenge 10Configuration “Shift and Drift” 11Lack of Security and Control 11Timeliness of Asset Data 12Lack of Automation and Enforcement 12Proliferation of Virtualization 13Lack of Process Consistency 13The Bottom Line 14Systems Management Defined 14Microsoft’s Strategy for Service Management 15Microsoft’s Dynamic Systems Initiative 16IT Infrastructure Library (ITIL) and Microsoft Operations Framework (MOF) 19Service Management Mastery: ISO 20000 24Optimizing Your Infrastructure 25Bridging the Systems Management Gap 29Central Control in the Distributed Enterprise 30Automation and Control 32Securing Systems 34Visibility 35Overview of Microsoft System Center 39Reporting in System Center 39Operations Management 40System Center Essentials 41Service Manager: A Complete Service Desk Solution 41Protecting Data 43Capacity Planning 44Virtual Machine Management 44The Value Proposition of Configuration Manager 2007 45Summary 46Chapter 2 Configuration Manager 2007 Overview 47The History of Configuration Manager 47The Earliest Versions 47Systems Management Server 1.2 48Systems Management Server 2.0 48SMS 2003 50SMS 2003 Service Packs and R2 52Configuration Manager 2007 53Configuration Manager Technology and Terminology 56Site Servers 56Site Systems 58Site Hierarchy 60Configuration Manager Client 60Inventory 61Configuration Manager Console 64Collections 66Discovery 67Software Metering 67Packages 68Advertisements 68Distribution Points 69Senders 69Addresses 69BITS 70Task Sequences 70Status System 71Desired Configuration Management 71Network Access Protection 72Reporting 73Security 74Key Concepts 75Standardization. 75Remote Management 76Software Distribution 76Minimizing Impact on the Network Infrastructure 77What’s New in ConfigMgr 2007 80Branch Distribution Points 80Software Update Point 80Fallback Status Point 82PXE Service Point 82Other Site Systems 82Operating System Deployment 83Asset Intelligence 83Device Management 83Internet-Based Client Management 85DCM and NAP 85SQL Support 85Client Support 86Feature Dependencies 86Summary 88Chapter 3 Looking Inside Configuration Manager 89Design Concepts 90Active Directory Integration 91Schema Extensions 93Benefits of Extending Active Directory 102Configuration Manager and WMI 104WMI Feature Set and Architecture 104Managing WMI 108Inside the WMI Object Model 113Looking Inside the CIMV2 Namespace 116The Root\\CCM Namespace 125Hardware Inventory Through WMI 126The Configuration Manager Client WMI Namespace 129WMI on Configuration Manager Servers 134Components and Communications 139Inside the ConfigMgr Database 149SQL Access to the Database 150Using SQL Server Management Studio 150Status Messages and Logs 156Example: Joining a Site to a New Parent 159Viewing Intersite Replication 168Summary 172Part II: Planning, Design, and InstallationChapter 4 Configuration Manager Solution Design 175MSF Process Phases for Configuration Manager 175Envisioning the Solution. 176Assessing the Current Environment 177Envisioning the Network Infrastructure 177Envisioning the Solution Architecture 178Envisioning Server Architecture 179Envisioning Client Architecture 179Licensing Requirements 179Training Requirements 182Planning for Implementation 183Planning the Proof of Concept 184Planning the Pilot 185Planning for Implementation 186Developing the Solution Architecture 186Developing the Network Infrastructure 189Extending the Schema 191Secondary Site Considerations 192Site Modes 193Configuration Manager 2007 Roles 193Developing the Server Architecture 201Capacity Planning. 207Site Boundaries 210Roaming. 211Site Design 213Client Architecture 216Multilanguage Scenarios 218Testing 221Stabilizing During the Pilot 223Deploying 225Summary 226Chapter 5 Network Design 227Configuration Manager Network Communications 228Intrasite Server Communications 228Client-to-Server Communications 234Site-to-Site Communications 251Fast Networks and Slow Networks 262Use of BITS 263BITS Versions for Configuration Manager Clients 265Modifying BITS Functionality Through Group Policy 266Modifying BITS Functionality Within Configuration Manager 267Comparative Advantages of Group Policy and ConfigMgr Settings for BITS. 267Other BITS Features 269Enabling a Distribution Point for BITS 269Server Placement 269Disconnected Users and Sometimes-Connected Users 271Network Discovery 272Discovering Network Topology 274Topology and Client Discovery 275Discovering Topology, Client, and Client Operating Systems 276Using Subnets in Configuration Manager 277Troubleshooting Configuration Manager Network Issues 277Network Configuration Issues 278Basic Connectivity Problems 279Name Resolution Issues 279Blocked or Unresponsive Ports 280Timeout Issues 282Identifying Network Issues Affecting Configuration Manager 282Summary 290Chapter 6 Architecture Design Planning 291Hierarchy Planning 293About Sites 293Primary Sites Versus Secondary Sites 295Planning Your Hierarchy Structure 296Site Planning 299Site Servers and Site Systems Planning 299Planning Site Boundaries 306Planning for Site Security Modes 306Software Update Planning 307Software Updates Solution Planning 307Software Updates Architecture 309Device Management Planning 312Windows CE Operating Systems 313Communicating with Site Systems 314Installing Client Software 315Configuring Client Agent Settings 317Planning for Internet-Based Clients 318Choosing a Solution for Internet-Based Clients 318IBCM Features and Requirements 319Deploying Servers to Support Internet-Based Clients 320Certificate Requirements Planning 323About PKI 324Planning to Use PKI with Configuration Manager 324Windows Server 2008 Planning 326Operating System Deployment Planning 328Planning for Wake On LAN 330Out of Band (OOB) Management Planning 331Summary 333Chapter 7 Testing and Stabilizing 335Proving the Concepts 337Building the Proof of Concept Environment 338Testing in the POC Phase 347POC Exit Criteria and Deliverables 350Pilot Phase 355Results and Adjustments 357Customizing the Solution 357Summary 358Chapter 8 Installing Configuration Manager 2007 359Pre-Installation 360Windows Components 361SQL Server 362Windows Server Update Services 363The Prerequisite Checker 363Site Installation 363Installing ConfigMgr 364Installing a ConfigMgr Service Pack 374Installing ConfigMgr 2007 R2 378Configuring Site Properties 380Installing Site Systems 390New Site System Server Wizard 401New Site System Server Share Wizard 401Using Replicas and Offloading Site Roles 403Configuring Site Boundaries 415Multisite Configuration 417Configuring Addresses 417Configuring Senders 420Attaching to Parent 421Installing Child Primary Sites 422Installing Secondary Sites 422Troubleshooting Secondary Site Installation 424Transfer Site Settings Wizard 426Copy Packages Wizard 428Preload Package Tool 429Troubleshooting Site Installation 429ConfigMgr Service Manager 429Summary 431Chapter 9 Migrating to Configuration Manager 2007 433Planning Your Migration from SMS 2003 433Planning Hierarchy Changes During Migration 435Conducting an In-place Upgrade 435Feature Packs 436Upgrade Prerequisites 436Running the Prerequisite Checker 437Upgrading SQL Server 442Database Upgrade Tips and Tricks 445Upgrading a Primary Site 447Upgrading Secondary Sites 453Upgrading SMS 2003 Clients 455Post-Upgrade Considerations 457Migrating WSUS to Configuration Manager 458Side-by-Side Migrations 459Migrating Site Boundaries 460Migrating Clients 460Migrating SMS Database Objects 462Migrating Hardware Inventory Customizations 462Interoperability Considerations 463Troubleshooting Upgrade Issues 463Summary 464Part III: Configuration Manager OperationsChapter 10 The Configuration Manager Console 467Using Microsoft Management Console 3.0 467Touring the Console 468New Console Features 469Console Nodes 473Console Keystrokes 477Launching Reports 478Console Deployment 482Supported Platforms 482Prerequisites 483Installation Using the Configuration Manager Setup Wizard 483Unattended Console Installation 490Customizing the Console 491Security Considerations 497Configuring Required DCOM Permissions for the ConfigMgr Console 497Verifying and Configuring WMI Permissions 498Configuration Manager Service Manager 500Starting the Configuration Manager Service Manager 500Using the Configuration Manager Service Manager 500Troubleshooting Console Issues 501Enable Verbose Logging 501Common Issues 502Summary 505Chapter 11 Related Technologies and References 507PKI Management References 508Cryptography Basics 508How SSL Works 511Establishing a PKI 512Certificate Templates 516Certificate Validation 517Deploying Certificates 517Certificate and PKI References 519Network Access Protection in Windows Server 2008 519NPS Overview in Windows Server 2008 520ConfigMgr NAP Policies 521ConfigMgr NAP Evaluation 522NAP Health State 523Windows Imaging and Image Management 524New PC Scenario 525Refresh PC Scenario 525Replace PC Scenario 526ImageX 527File Versus Sector Imaging 528Boot Images 529Driver Injection 530Image Capture 531Windows Deployment Integration 533AMT and vPro 534Summary 537Chapter 12 Client Management 539Configuring the Management Point 540Configuring Client Agents 541Hardware Inventory 542Modifying the SMS_Def.mof File 545Software Inventory 546Advertised Programs 549Computer Client 550Desired Configuration Management 553Mobile Devices 553Remote Tools 554Network Access Protection 556Software Metering 557Software Updates 559Client Discovery 560Active Directory System Group Discovery 561Active Directory Security Group Discovery 562Active Directory System Discovery 562Active Directory User Discovery 562Heartbeat Discovery 564Network Discovery 564Client Deployment 567Command-Line Properties 567Manual Installation 569Client Push Installation 570Client Push Installation Wizard 572Client Installation in Image Deployment 574Software Update Point Client Installation 574Client Uninstall 575Client Upgrade 575Client Patches 576Client Troubleshooting 576General Scenarios 576Online Assistance 577Conflicting Hardware IDs 579ConfigMgr Toolkit 579General Troubleshooting Information 581The ConfigMgr Client Agent 582Out of Band Management 584Fallback Status Point 584Client Approval 585Summary 585Chapter 13 Creating Packages 587The Case for ConfigMgr Software Packaging 588Automated Deployment 589Consistency 589Targeted Deployment 589Software Removal 590Software Package Reuse 590Comparing GPO-based Software Distributionto ConfigMgr Software Distribution 590About Packages, Programs, Collections,Distribution Points, and Advertisements 592Packages 593Programs 593Collections 594Distribution Points 594Advertisements 595How These Combine 595Creating a Package 596OpsMgr Client 597Forefront Client 620Custom Packages 626Integrating Virtual Applications 627What Is SoftGrid? 627Activating Application Virtualization in ConfigMgr 2007 R2 629Creating Adobe Reader as a Virtual Application in ConfigMgr R2 631Avoiding Common ConfigMgr Software Packaging Issues 636Program and Package Properties 637Testing, Testing, Testing 637Summary 638Chapter 14 Distributing Packages 639About Queries 639Creating Collections 641Static Collections 642Dynamic Collections 649Subcollections 657Using Distribution Points 666Standard Distribution Points 667Protected Distribution Points 672Branch Distribution Points 674Advertised Programs Client Agent 677Creating Advertisements 678Forefront Advertisement 679OpsMgr Advertisement 686Distributing Adobe Reader as a Virtual Application in ConfigMgr R2 692Troubleshooting ConfigMgr Software Distribution Issues 702Start Simple 702Checking Status 702Summary 703Chapter 15 Patch Management 705Planning Your Software Updates Strategy 706Software Update Options in Microsoft Products 708The Windows Update Agent 708The SMS Inventory Tool for Microsoft Updates 708Standalone WSUS 709Configuration Manager 2007 709Preparing for Software Updates 710Software Updates Prerequisites 710Creating Software Update Points 712Synchronization Process 718Agent Configuration 719Group Policy Settings 721Software Updates Process 722Putting It All Together–A Quick-Start Example 727Update Repository 728Update Lists 731Deployment Templates 733Update Deployments 736Deployment Packages 738Creating and Managing Deployments 740A Recommended Approach 740A Few Best Practices 743Maintenance Windows 744SMS 2003 Clients 747Native Mode and Software Updates 749Using Wake On LAN Capability 751WOL Prerequisites 751Two Types of WOL 752Configuring WOL 753Using WOL 754Using NAP to Protect Your Network 754NAP Prerequisites 755Agent Settings 755System Health 756Client Compliance 758Remediation 760Troubleshooting Software Updates 760Monitoring Software Updates 761WSUS and SUP 762Downloading Updates 762Client Update Scanning and Deployment 763Summary 764Chapter 16 Desired Configuration Management 765Configuring Desired Configuration Management 767Configurations 769Configuration Items 769Configuration Baselines 772Creating and Modifying Configurations 777Console Authoring 777External Authoring 797Authoring with CP Studio 798DCM Strategies 800Reporting 801On-demand Results 802Alerting 802Remediation 803Troubleshooting 805Summary 808Chapter 17 Configuration Manager Queries 809Viewing Queries and Query Results 809Creating Queries 811The Query Language 811Objects, Classes, and Attributes 812ConfigMgr Query Builder 814Criterion Type, Operators, and Values 819Advanced Queries 821Example: Querying for Systems with a HardwareScan in the Last 30 Days 823Example: Querying for Systems Discovered Since Midnight 823Relationships, Operations, and Joins 824Querying Discovery Data 824Querying Inventory Data 825Using Query Results 826Exporting Query Results to a Text File 826Importing and Exporting Queries Between Sites 827Creating a Collection Based on Query Results 827Status Message Queries 828Summary 830Chapter 18 Reporting 831ConfigMgr Classic Reports Versus SQL Reporting Services 832Reporting Configuration 834Configuring the Reporting Point for Classic Reporting 835Configuring the Reporting Services Point for SRS Reporting 837Copying ConfigMgr Classic Reports to SQL Reporting Services 839Report Categories 842Console Reporting Links 844Relational Database Concepts 844Available Reports and Use Cases 847Reporting on Inventory and Discovery Data 848Reporting on Sites 856Reporting on Configuration Manager Operations 857Client Status Reporting 865Asset Intelligence 868Reporting on Application Compatibility 873Dashboards 875Customizing Configuration Manager Reports 876Customizing Report Layout and Display 878Customizing Report Data Selection 879Reporting on Custom Data 884Creating New Reports 894Creating Classic Reports 894Creating SQL Reporting Services Reports 896Creating SQL Reporting Services Subscriptions 898Troubleshooting 900Summary 902Chapter 19 Operating System Deployment 903Tools Overview 904Sysprep 904User State Migration Tool 905Microsoft Deployment Toolkit 905Windows Automated Installation Kit 906ImageX 906System Image Manager 907Windows PE 907What Works Best for You 908OSD Scenarios 908Imaging Goals 909Hardware Considerations 913Site Systems 915Distribution Points 916PXE Service Point 918State Migration Point 921Boot Images 922PXE Booting 922Removable Media 922Using a Distribution Point 924Incorporating Windows PE 925Computer Associations 925Recovery 926Unknown Computer Support 928Operating System Install Packages and Image Packages 930Automated Image Creation and Capture 931Manual Image Creation 935Image Deployment 937User State Migration 940Task Sequences 942Variables 943Task Conditions and Grouping 944Tasks 947Custom Commands 960Task Sequence Targeting 960Change Control and Portability 962Customizing Task Sequences 963Tips and Techniques 963Confirm Packages Are Available 964Control PXE Network Boots 964Don’t Add Unnecessary Windows XP Drivers 964Conflicting Hardware IDs 965Test Task Sequences 965Beware the Überbug 965Test Thoroughly 966Drivers 966Drivers in the Image 969Drivers After the Image 970Post Deployment Tasks 971ConfigMgr Software Deployment 971Group Policy 971Troubleshooting 972Operating System Deployment Home Page 972Check Advertisement Status 972The Smsts.log File 972Status Reports 973Command Line Support 974Native Mode 974Upgrading from SMS 2003 976Summary 977Part IV: Administering Configuration Manager 2007Chapter 20 Security and Delegation in Configuration Manager 2007 981Basic Security Concepts 983Securing Administrative Access to Configuration Manager 987Administrative Access at the Operating System Level 989Administrative Access Within Configuration Manager 996Security for Remote Administration 1003Auditing Configuration Manager Administration 1003SQL Server Administrative Security 1003Securing the Configuration Manager Infrastructure 1004Building Security into Your Hierarchy 1004Securing Site Systems 1007Securing Configuration Manager Communications 1015Securing Configuration Manager Accounts 1019Securing Service Dependencies for Configuration Manager 1026Securing Configuration Manager Reporting 1027Securing Configuration Manager Operations 1029Best Practices for Configuration Manager Administration 1029Operational Security for Software Distribution 1030Operational Security for Operating System Deployment 1032Operational Security for Remote Tools Administration 1032Operational Security for Configuration Manager Inventory 1033Operational Security for Mobile Device Management 1034Summary 1035Chapter 21 Backup, Recovery, and Maintenance 1037Site and SQL Server Backups 1037Backing Up ConfigMgr 1037Restoring ConfigMgr Backups 1041Using Back Up and Restore to Migrateto New Environments 1048Site Maintenance 1049Site Maintenance Tasks 1049Data Discovery Record (DDR) Retention 1055Obsolete Records 1060Database Maintenance 1062Making the Status Message System Work for You 1065Maintaining Status Data 1070Status Filter Rules 1070Monitoring Configuration Manager with Operations Manager 1073Services and Descriptions 1073Summary 1075Part V: AppendixesAppendix A Configuration Manager Log Files 1079Related Documentation 1079Enabling Logging 1080Debug and Verbose Logging 1080Using ConfigMgr Service Manager 1080SQL Logging 1081NAL Logging 1081Reporting Point Logging 1081ConfigMgr Setup Logs 1082Client Log Files 1082Site Server Log Files 1084Backup Log Files 1086Management Point Log Files 1086Admin User Interface Log Files 1087Mobile Device Log Files 1087Mobile Device Management Log Files 1087Mobile Device Management Client Logs 1088OSD Log Files 1089Multicast for OSD Log Files 1091Network Access Protection Log Files 1092Desired Configuration Management Log Files 1093Wake On LAN Log Files 1094Software Updates Log Files 1094Software Updates Site Server Log Files 1094Software Updates Client Computer Log Files 1095WSUS Server Log Files 1096Windows Update Agent Log File 1097Out of Band Management Log Files 1097Out of Band Service Point Log Files 1097Out of Band Management Console Log File 1098Out of Band Management Computer Log File 1098Appendix B Reference URLs 1099General Resources 1099More Specific Information 1103Blogs 1107The System Center Family 1109Public Forums 1110Free Utilities 1111Other Utilities 1113Index 1115