
System Center Configuration Manager 2007

Microsoft System Center Configuration Manager 2007 (formerly known as Microsoft
Systems Management Server)
Configuration Manager 2007 provides the following features:
Distributing and installing software applications.
Distributing and installing updates to software, for example security fixes.
Collecting hardware and software inventory.
Restricting computers from accessing the network if they do not meet specified
requirements, for example having certain security updates installed.
Deploying operating systems.
Specifying what a desired configuration would be for one or more computers and then
monitoring adherence to that configuration.
Metering software usage.
Remotely controlling computers to provide troubleshooting support.
Understanding Configuration Manager Sites
A System Center Configuration Manager 2007 site defines the scope of administrative
control. A site consists of a site server, site system roles, clients, and resources. A site
always requires access to a Microsoft SQL Server database. There are several types of
Configuration Manager 2007 sites. A Configuration Manager 2007 site uses boundaries
to determine the clients belonging to the site. Multiple sites can be configured into site
hierarchies and connected such that you can manage bandwidth utilization between sites.
A Configuration Manager 2007 site is identified by the three-character code and the
friendly site name configured during Setup.
Types of Sites
When you install a site, you decide whether it will be a primary site or a secondary site.
Then, as you install additional sites, you have the option to arrange them in hierarchical
relationships so that there are parent sites that manage child sites, and a central site to
collect all of the site information for centralized management. Or, if you prefer, you can
leave the sites without any connections and manage them separately, according to your
business and administrative needs. For example, if your organization consists of
independent business units, each unit might resist having centralized management.
Primary Sites
The first Configuration Manager 2007 site you install must be a primary site. A primary
site stores Configuration Manager 2007 data for itself and all the sites beneath it in a SQL
Server database. This is called the Configuration Manager 2007 site database. Primary
sites have an administrative tool called the Configuration Manager 2007 console that
enables the Configuration Manager 2007 administrator to directly manage the site.

Secondary Sites
A secondary site has no Configuration Manager 2007 site database. It is attached to and
reports to a primary site. The secondary site is managed by a Configuration Manager
2007 administrator running a Configuration Manager 2007 console that is connected to
the primary site.
The secondary site forwards the information it gathers from Configuration Manager 2007
clients, such as computer inventory data and Configuration Manager 2007 system status
information, to its parent site. The primary site then stores the data of both the primary
and secondary sites in the Configuration Manager 2007 site database.
The advantages of using secondary sites are that they require no additional Configuration
Manager 2007 server license and do not require the overhead of maintaining an
additional database. Secondary sites are managed from the primary site they are connected to,
so they are frequently used in sites with no local administrator present. The disadvantage
of secondary sites is that they must be attached to a primary site and cannot be moved to
a different primary site without deleting and recreating the site. Also, secondary sites
cannot have sites beneath them in the hierarchy.
Parent Sites
A parent site is a primary site that has one or more sites attached to it in the hierarchy.
Only a primary site can have child sites. A secondary site is always a child site. A parent
site contains pertinent information about its lower level sites, such as computer inventory
data and Configuration Manager 2007 system status information, and can control many
operations at the child sites.
Child Sites
A child site is a site that is attached to a site above it in the hierarchy. The site it reports to
is its parent site. A child site can have only one parent site. Configuration Manager 2007
copies all the data that is collected at a child site to its parent site. A child site is either a
primary site or a secondary site.
Central Site
A central site has no parent site. Typically, a central site has child and grandchild sites and
aggregates all of their client information to provide centralized management and
reporting. A site with no parent and no child site is still called a central site although it is
also referred to as a standalone site.
Site Systems
Each site contains one site server and one or more site systems. The site server is the
computer where you install Configuration Manager 2007 and it hosts services required
for Configuration Manager 2007. A site system is any computer running a supported
version of Windows or a shared folder that hosts one or more site system roles. A site
system role is a function required to use Configuration Manager 2007 or to use a feature
of Configuration Manager 2007. Multiple site roles can be combined on a single site
system, including running all site roles on the site server, but this is usually appropriate
only for very small and simple environments.
The following table provides a brief description of each site system role and indicates
whether the role is required.
Site server
Description: The role assigned to the server on which Configuration Manager 2007 Setup
has been run successfully.
Required: Yes. Every site must have exactly one site server role.
Site database server
Description: The role assigned to the computer running Microsoft SQL Server and hosting
the Configuration Manager 2007 site database. You can use only Microsoft SQL Server 2005,
Standard or Enterprise Edition to host the site database. SQL Server 2005 Express is not a
supported SQL Server 2005 version for hosting the site database.
Required: Every primary site requires a site database server role but secondary sites do
not require them.
Configuration Manager console
Description: Any computer running the Configuration Manager console.
Required: No. The Configuration Manager console is automatically installed by default on
primary site servers during Setup. You can install additional Configuration Manager
consoles on remote computers, for example the workstation of the Configuration Manager
administrator. However, some organizations write their own user interface using the
Configuration Manager software developer kit (SDK) and never use the Configuration
Manager console.
SMS Provider computer
Description: The Configuration Manager console does not access the database directly but
instead uses Windows Management Instrumentation (WMI) as an intermediary layer. The SMS
Provider is the WMI Provider for Configuration Manager.
Required: Yes, for primary sites. When you install a primary site, you select which
computer will host the SMS Provider, usually the site server or the site database server.
Component server
Description: Any computer hosting a Configuration Manager 2007 site role that requires
installing special Configuration Manager 2007 services.
Required: The only site system role that does not require the installation of a special
Configuration Manager 2007 service is the distribution point.
Distribution point
Description: A site system role that stores packages for clients to install.
Required: Required for the following features: software distribution, software updates,
and advertised task sequences.
Fallback status point
Description: A site system role that gathers state messages from clients that cannot
install properly, cannot assign to a Configuration Manager 2007 site, or cannot communicate
securely with their assigned management point.
Required: Not required, but very helpful to troubleshoot issues with clients.
Management point
Description: The site system role that serves as the primary point of contact between
Configuration Manager 2007 clients and the Configuration Manager 2007 site server.
Required: Every site with intranet clients must have one default management point, though
the default management point might be a cluster of several site systems configured as
management points.
PXE service point
Description: A site system role that has been configured to respond to and initiate
operating system deployments from computers whose network interface card is configured to
allow PXE boot requests.
Required: Required only for operating system deployment using PXE boot requests.
Reporting point
Description: A site system role that hosts the Report Viewer component for Web-based
reporting functionality.
Required: Required only to use the reporting feature. Reports are often helpful when
diagnosing client issues.
Server locator point
Description: A site system role that locates management points for Configuration Manager
2007 clients.
Required: Required for some client deployment scenarios.
Software update point
Description: A site system role assigned to a computer running Microsoft Windows Server
Update Services (WSUS).
Required: Required only for the software update feature.
State migration point
Description: A site system role that stores user state data while a computer is being
migrated to a new operating system.
Required: Required for operating system deployment when migrating user state.
System Health Validator point
Description: The site system role assigned to a computer running Network Policy Service.
Required: Required only for the Configuration Manager 2007 Network Access Protection
feature.
Site Communications

Clients communicate with site systems hosting site system roles. Site systems
communicate with the site server and with the site database. If there are multiple sites
connected in a hierarchy, the sites communicate with their parent, child, or sometimes
grandchild sites.
Sites are typically configured so that the clients and site systems have fast connectivity
with each other, usually LAN-speed. However, Configuration Manager 2007 also
supports clients that move between sites, mobile devices that connect over the cellular
network, clients that connect to the organization's network through dial-up or virtual
private networks (VPN), and clients that connect to the Internet but don't connect directly
into the organization's network.
Site Boundaries
Configuration Manager 2007 uses boundaries to determine when clients and site systems
are in the site and outside of the site. Boundaries can be IP subnets, IP address ranges,
IPv6 prefixes, and Active Directory sites. Two sites should never share the same
boundaries. Assigning the same IP subnet, IP address range, IPv6 prefix or Active
Directory site to two different sites makes it difficult to determine which clients should be
managed in the site.
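The rule that two sites should never share boundaries can be checked mechanically. The following is an added example, not code from Configuration Manager or from the original page: it takes a constructed list of boundaries in a hypothetical (site code, type, value) form, reports every overlap between different sites, and shows which sites would claim a given client address.

```python
# Added example: not Configuration Manager code. The boundary records below
# are constructed sample data in a hypothetical (site_code, type, value) form.
import ipaddress
from itertools import combinations

# Constructed boundaries for three sites identified by three-character codes.
BOUNDARIES = [
    ("HQ1", "ip_subnet", "10.10.0.0/16"),
    ("HQ1", "ad_site", "Headquarters"),
    ("BR1", "ip_range", "10.10.20.1-10.10.20.254"),  # inside HQ1's subnet
    ("BR1", "ipv6_prefix", "2001:db8:a::/48"),
    ("BR2", "ipv6_prefix", "2001:db8:a:1::/64"),      # nested in BR1's prefix
    ("BR2", "ad_site", "headquarters"),               # same AD site as HQ1
    ("BR2", "ip_subnet", "192.168.50.0/24"),
]


def to_interval(kind, value):
    """Return (ip_version, first, last) as integers for an IP-based boundary."""
    if kind == "ip_range":
        start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if start.version != end.version or int(start) > int(end):
            raise ValueError(f"invalid range: {value}")
        return start.version, int(start), int(end)
    if kind in ("ip_subnet", "ipv6_prefix"):
        net = ipaddress.ip_network(value, strict=True)
        return net.version, int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"not an IP boundary: {kind}")


def boundaries_overlap(a, b):
    """True if two boundary records cover at least one common client."""
    (_, kind_a, val_a), (_, kind_b, val_b) = a, b
    if kind_a == "ad_site" or kind_b == "ad_site":
        # Active Directory sites only collide with the same AD site name.
        return kind_a == kind_b and val_a.strip().lower() == val_b.strip().lower()
    ver_a, lo_a, hi_a = to_interval(kind_a, val_a)
    ver_b, lo_b, hi_b = to_interval(kind_b, val_b)
    return ver_a == ver_b and lo_a <= hi_b and lo_b <= hi_a


def find_conflicts(boundaries):
    """Return pairs of boundaries that overlap and belong to different sites."""
    return [
        (a, b)
        for a, b in combinations(boundaries, 2)
        if a[0] != b[0] and boundaries_overlap(a, b)
    ]


def sites_claiming(address, boundaries):
    """Return the sorted site codes whose IP boundaries contain the address."""
    ip = ipaddress.ip_address(address)
    claimed = set()
    for site, kind, value in boundaries:
        if kind == "ad_site":
            continue
        version, lo, hi = to_interval(kind, value)
        if version == ip.version and lo <= int(ip) <= hi:
            claimed.add(site)
    return sorted(claimed)


if __name__ == "__main__":
    for a, b in find_conflicts(BOUNDARIES):
        print(f"{a[0]} {a[1]}={a[2]}  overlaps  {b[0]} {b[1]}={b[2]}")
    # A client at this address falls inside the boundaries of two sites.
    print(sites_claiming("10.10.20.15", BOUNDARIES))
```

An address that more than one site claims is exactly the ambiguous case the paragraph above describes.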
The Configuration Manager 2007 administrator configures each boundary in the site to be
either a fast or slow boundary, depending on the connection speed. If a client computer is
connected to a fast boundary, such as a 10 Mbps local area network (LAN), it might
install software, but if the client computer is connected to a slow boundary, such as a
dial-up network or a wireless network, it might install the software differently, or might not
install the software at all. If the client computer connects to a boundary in a different site,
Configuration Manager 2007 might be able to determine a closer source for installing the
software.
Site-to-Site Communications
When you have separate sites, Configuration Manager 2007 uses senders to connect the
two sites. Senders have sender addresses that help them locate the other site. When
sending data between sites, senders provide fault tolerance and bandwidth management.
For example, if the link between two sites goes down, the sender will attempt to reestablish the connection and resume sending where it was interrupted. If you want the
sender to use only a certain percentage of the available bandwidth, you can configure the
sender address to restrict how much bandwidth Configuration Manager 2007 uses at
certain times of day. You can also configure the sender address to be available for only
high-priority Configuration Manager 2007 communication at certain times of day, or to
be completely unavailable during specified times.
While there are several business, political, and security reasons you might have more
than one site, you typically install multiple sites when you need to cross a slow link because
the senders let you manage how you use the slow link.
Intra-site Communications

When Configuration Manager 2007 components that are within the site boundaries
communicate with each other, they use either server message block (SMB), HTTP, or
HTTPS, depending on various site configuration choices you make. Because all of these
communications are unmanaged, that is, they happen at any time with no consideration
for bandwidth consumption, it is beneficial to make sure these site elements have fast
communication channels.

Understanding Configuration Manager Clients


Microsoft System Center Configuration Manager 2007 supports many Windows-based
platforms as clients. You must install Configuration Manager 2007 client software on the
clients you want to manage.
Note
Configuration Manager 2007 supports only Windows-based platforms. Support for
non-Windows platforms like Macintosh and Unix platforms might be provided by other
software vendors as add-on products to Configuration Manager.
Types of Clients
You can install Configuration Manager 2007 client software on desktop and laptop
computers, which are typically thought of as "client computers". In addition, you can
install Configuration Manager 2007 client software on server computers and manage
them as clients of Configuration Manager 2007. While servers often have specific
operational requirements, for example the times you are allowed to reboot server
computers might be more limited than desktop computers, Configuration Manager 2007
makes no functional distinction between server or client computers. Throughout the
documentation, the term client computer can mean either a server in a server room or a
computer on a user's desktop.
Client computers typically connect into the organization network directly, either by being
attached directly to the network or by using VPN or dial-up access. In Configuration
Manager 2007, client computers can also be managed by Configuration Manager 2007
sites if they have a connection to the Internet but never connect directly to the
organization network. For example, a home-based worker could be managed by
Configuration Manager 2007 without ever dialing into the corporate network. These
clients are called Internet-based clients, and they require additional infrastructure support.
For more information, see Deploying Configuration Manager Sites to Support
Internet-Based Clients.
Configuration Manager 2007 also supports installing the client components on mobile
devices, such as devices running Windows Mobile or Windows CE. Mobile device clients
support many but not all of the features supported by standard clients. For example, you
can deploy software to a client cell phone, but you cannot use remote control to provide
troubleshooting assistance to the cell phone user. For more information, see Mobile
Device Management in Configuration Manager.

Microsoft supports running an embedded version of Windows on devices that are not
traditional desktop, laptop, or server computers. For example, Windows XP Embedded
can be installed on automated teller machines or medical devices. Configuration Manager
2007 components can be installed by the manufacturer on these devices along with the
embedded operating system. Devices support many but not all of the features supported
by standard clients.
Throughout the documentation, the term client is used to refer to all clients that run the
Configuration Manager 2007 client components, while client computer is used to refer to
servers, desktops, and laptops.
Discovering Clients
Configuration Manager 2007 has the ability to discover resources on the network using
several different discovery mechanisms. The following table describes the available
discovery methods.
Discovery Method Description
Active Directory System Discovery
Retrieves details about the computer, such as computer name, Active Directory container
name, IP address, and Active Directory site.
Active Directory System Group Discovery
Cannot discover a computer that has not already been discovered by another method. If a
resource has been discovered and is assigned to the site, Active Directory System Group
Discovery extends other discovery methods by retrieving details such as organizational
unit, global groups, universal groups, and nested groups.
Active Directory User Discovery
Retrieves information about user accounts created in Active Directory.
Active Directory Security Group Discovery
Retrieves security groups created in Active Directory.
Heartbeat Discovery
Refreshes Configuration Manager client computer discovery data in the site database.
Unlike the other methods, this method works only on computers that already have the
Configuration Manager 2007 client installed.
Network Discovery
Searches the network for resources that meet a specific profile. Network discovery can
discover resources that are:
Listed in a router's ARP cache for a specified network subnet
Running an SNMP agent and configured for a specified community
Configured as Microsoft DHCP clients

Each discovery method creates data discovery records (DDRs) for resources and sends
them to the site database, even if the discovered resource is not capable of being a
Configuration Manager 2007 client. For example, Network Discovery might discover
routers and printers, which could be helpful for tracking purposes, but those devices will
not actually be managed by Configuration Manager 2007. Mobile devices cannot be
discovered until the mobile device client is installed. Computers running ActiveSync (for
Windows XP clients) or Mobile Device Center (for Vista clients) to synchronize with
mobile devices can be discovered and targeted to install the mobile device client on
connected mobile devices.
Note
All resources for which DDRs have been created show up in the Configuration Manager
2007 console under the following part of the tree: Configuration Manager / Site
Database / Computer Management / Collections / All Systems.

While it is possible to discover resources but never install a single client, usually
discovery is related to locating potential clients either prior to or as part of installing the
client software that makes a computer manageable by Configuration Manager 2007.
Active Directory User Discovery and Active Directory Security Group Discovery allow
you to target software distribution packages to users and groups instead of computers.
Installing the Client Components
Configuration Manager 2007 provides several options for installing the client software.
The following table lists the client computer installation methods.
Client Computer Installation Method Description
Software update point installation
Uses the Automatic Update configuration of a client to direct the client computer to a
WSUS computer configured as a Configuration Manager 2007 software update point.
The client computer installs the Configuration Manager 2007 client software as though it
was a software update.
Client push installation
Uses an account with administrative rights to access the client computers and install the
Configuration Manager 2007 client software. This method requires File and Print sharing
and the related ports to be enabled on the client computer.
Manual client installation
A user with administrative rights can install the client software by running CCMSetup on
the client computer. A variety of switches modify the installation options.
Group Policy installation
Uses Group Policy software installation to install CCMSetup.msi.

Imaging
The client software can be added to an image, including images created and deployed
with Configuration Manager 2007 operating system deployment.
Software Distribution
Existing clients can be upgraded or redeployed using Configuration Manager 2007
software distribution.
Mobile devices use different installation methods. A client computer that synchronizes
with a mobile device can be targeted to install the mobile device client the next time the
device is docked. Mobile devices can also install the client software from a memory card.
Client Assignment
Clients must be assigned to a site before they can be managed by that site. Clients can be
assigned to a site during installation or after installation. Assigning a client involves
either telling it a specific site code to use, or configuring the client to automatically assign
to a site based on boundaries. If the client is not assigned to any site during the client
installation phase, the client installation phase completes, but the client cannot be
managed by Configuration Manager 2007.
Clients cannot be assigned to secondary sites; they are always assigned to the parent
primary site, but can reside in the boundaries of the secondary site, taking advantage of
any proxy management points and distribution points at the secondary site. This is
because clients communicate with management points and management points must
communicate with a site database. Secondary sites do not have their own site database;
they use the site database at their parent primary site.
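The hierarchy rules from "Types of Sites" and the assignment rule above can be expressed as checks over a site list. This is an added example, not code from Configuration Manager or from the original page; the site codes and the {site_code: (site_type, parent_code)} layout are constructed and hypothetical.

```python
# Added example: not Configuration Manager code. SITES is a constructed
# hierarchy in a hypothetical {site_code: (site_type, parent_code)} form.
SITES = {
    "CEN": ("primary", None),     # central site: no parent
    "EUR": ("primary", "CEN"),    # child primary site
    "PAR": ("secondary", "EUR"),  # secondary site attached to a primary site
    "LAB": ("secondary", "PAR"),  # invalid: its parent is a secondary site
    "OLD": ("secondary", None),   # invalid: secondary site with no parent
}


def validate_hierarchy(sites):
    """Return a sorted list of (site_code, problem) for rule violations."""
    problems = []
    for code, (site_type, parent) in sites.items():
        if len(code) != 3:
            problems.append((code, "site code is not three characters"))
        if site_type not in ("primary", "secondary"):
            problems.append((code, "unknown site type"))
        if parent is None:
            # Only a primary site can sit at the top of a hierarchy.
            if site_type == "secondary":
                problems.append((code, "secondary site has no parent"))
            continue
        if parent not in sites:
            problems.append((code, "parent site is not defined"))
        elif sites[parent][0] != "primary":
            # Only a primary site can have child sites.
            problems.append((code, "parent is not a primary site"))
    return sorted(problems)


def assigned_site(residing_site, sites):
    """Site a client is assigned to when it resides in residing_site's boundaries."""
    site_type, parent = sites[residing_site]
    if site_type == "primary":
        return residing_site
    # Clients in a secondary site's boundaries are assigned to the parent primary.
    if parent is None or sites.get(parent, ("", None))[0] != "primary":
        raise ValueError(f"{residing_site} has no parent primary site")
    return parent


def reporting_path(code, sites):
    """Chain of sites that data collected at `code` is copied to, up to the top."""
    path, seen = [code], {code}
    while sites[path[-1]][1] is not None:
        parent = sites[path[-1]][1]
        if parent in seen or parent not in sites:
            raise ValueError(f"broken parent chain at {parent}")
        path.append(parent)
        seen.add(parent)
    return path


if __name__ == "__main__":
    for code, problem in validate_hierarchy(SITES):
        print(f"{code}: {problem}")
    print("client in PAR is assigned to", assigned_site("PAR", SITES))
    print("PAR data flows through", " -> ".join(reporting_path("PAR", SITES)))
```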
Authenticating Clients
Before Configuration Manager 2007 trusts a client, it requires some manner of
authentication. In mixed mode, clients must be approved, either by manually approving
each client or by automatically approving all clients or all clients in a trusted Windows
domain. In native mode, clients must be issued client authentication certificates prior to
installing the Configuration Manager 2007 client software.
Blocking Clients
If a client computer is no longer trusted, the Configuration Manager administrator can
block the client in the Configuration Manager 2007 console. Blocking applies to both
native mode and mixed mode sites. Blocked clients are ignored by the Configuration
Manager 2007 infrastructure. This is especially useful for laptop computers that are lost
or stolen, to help prevent attackers from using a trusted client to attack the site or the
network.
Client Agents

Client agents are Configuration Manager 2007 components that run on top of the base
client components. If you install only the Configuration Manager Client without enabling
any client agents, Configuration Manager 2007 cannot manage anything about the client.
Every client agent that you enable lets you use a different feature of Configuration
Manager 2007. You can configure the client agents to suit your environment. The
following table describes the client agents in Configuration Manager 2007.
Client Agent Description
Computer Client Agent Properties
Configures how often client computers retrieve the policy that gives them the rest of
their configuration settings. For example, after you configure the other client agent
settings, Configuration Manager puts those settings into policy and sends them to the
management point and client computers poll for them on the schedule you configure.
This agent also controls settings that are common to several Configuration Manager
features like how often users are prompted with reminders and what customized
organization names users see with the reminders.
Device Client Agent Properties
Configures all of the properties specific to mobile device clients. Mobile device clients
have settings for software distribution, software inventory, hardware inventory, and file
collection. This agent also controls the polling interval used by mobile device clients.
Hardware Inventory Client Agent
Enables and configures the agent that collects a wide variety of information about the
client computer. Information about the computer hardware is most commonly collected,
but you can inventory any information stored in the Windows Management
Instrumentation (WMI) repository of the computer, such as registry keys. You can
configure how often the client computer takes inventory.
Software Inventory Client Agent
Enables and configures which files Configuration Manager inventories and collects.
Copies of collected files are stored in the Configuration Manager database.
Advertised Programs Client Agent
Enables and configures the software distribution feature.
Desired Configuration Management Client Agent
Enables the client agent that evaluates whether computers are in compliance with
configuration baselines that are assigned to them. You can also configure the default
compliance evaluation schedule for assigned configuration baselines.
Remote Tools Client Agent
Enables Configuration Manager remote control and configures Configuration Manager
integration with Remote Assistance.
Network Access Protection Client Agent
Enables Configuration Manager Network Access Protection and configures how client
computers are evaluated for compliance by the Windows Network Policy Server. If client
computers are not in compliance with the configured policies, for example if they do not
have specified software updates, NAP can prevent the client computers from accessing
network resources until they complete remediation measures. Configuring this client
agent without proper planning and deployment can prevent your client computers from
accessing the network.
Software Metering Client Agent
Enables the agent that monitors which software is run and how often and configures how
often software metering data is collected.
Software Updates Client Agent
Enables the agent that scans for and installs software updates on client computers. This
agent allows you to configure how often clients are re-evaluated for software updates that
were previously installed. Before you can use the software update feature, you must also
install Windows Server Update Services (WSUS) and configure a software update point.
There is no client agent for operating system deployment.

Understanding Configuration Manager Features


If you install a Microsoft System Center Configuration Manager 2007 site but do not
configure any of the features, the site is essentially useless. Features provide the actual
functionality of Configuration Manager 2007. You can install just one feature or several
features. Some features have dependencies on other features, for example Network
Access Protection requires the software updates feature be operational first.
The following features are provided in Configuration Manager 2007:
The administrator console
Collections
Inventory
Queries
Reporting
Software distribution
Software updates
Software metering
Mobile Device management
Operating system deployment
Desired configuration management
Remote tools
Network Access Protection
Wake On LAN
The Administrator Console
The Configuration Manager 2007 console is the most common way that Configuration
Manager administrators use Configuration Manager 2007, although some organizations
use the Software Development Kit (SDK) to build custom user interfaces and many
administrators use scripting to manage repetitive tasks more efficiently.
You can run the console from the site server or install additional consoles on your
desktop or help desk computers to facilitate management. One console can manage many
sites or many consoles can manage a single site. The Configuration Manager 2007
console runs as a Microsoft Management Console (MMC) snap-in, although you must
run Configuration Manager 2007 Setup on the computer so that the snap-in is available.
Collections
Collections represent groups of resources and can consist not only of computers, but also
of Microsoft Windows users and user groups as well as other discovered resources.
Collections provide you with the means to organize resources into easily manageable
units, enabling you to create an organized structure that logically represents the kinds of
tasks that you want to perform. Collections also serve as targets for performing
Configuration Manager operations on multiple resources at one time (such as software
distribution or software updates). Collection membership can be either direct or
query-based. Query-based collections are very powerful because they can group any resources
together based on criteria. For example, if you want to deploy Microsoft Office 2007 only
to computers with 1 GB of free disk space and 1 GB of RAM, you can create a collection
that uses a query against the Configuration Manager 2007 inventory information in the
database.
Inventory
You can configure Configuration Manager 2007 to inventory hardware and software on
Configuration Manager 2007 clients. Hardware inventory gives you system information
(such as available disk space, processor type, and operating system) about each computer.
You can configure the information returned in hardware inventory by modifying the
SMS_def.mof file. The software inventory agent gives you information such as inventoried
file types and versions present on client computers. Software inventory alone just returns
lists of file types, but combining software inventory with the information in the Asset
Intelligence knowledge base allows you to create reports on which applications are used
in your environment. Software inventory can also collect copies of files in the database,
but this is recommended only for small files that do not change very often.
Queries
The query feature in Configuration Manager 2007 uses WBEM query language (WQL) to
query the site database. Query results are returned in the Configuration Manager 2007
console, where they can be exported using the MMC export list feature. Queries can also
be used to create collections of resources that meet the query criteria.
Reporting
Reporting is a supporting feature to many other Configuration Manager 2007 features.
Reports are returned in Web pages in the browser. Programming is not required, but
knowledge about creating SQL queries is extremely helpful. With reporting you can
create reports that show the inventory you have collected or the software updates
successfully deployed. You can also create dashboards, which combine several different
views of information. Several pre-created reports are available to support common
reporting scenarios. For more information about the reports provided for each feature, see
the feature documentation.
Software distribution
Software distribution allows you to push just about anything to a client computer.
Packages in software distribution can contain source files to deploy software applications
and commands called programs that tell the client what executable file to run. A single
package can contain multiple programs, each configured to run differently. Packages can
also contain command lines to run files already present on the client, without actually
containing additional source files.
Important
Configuration Manager 2007 can cause any executable file to run on the client; however,
it is important to understand that Configuration Manager 2007 does not actually package
the executables or source files. Configuration Manager 2007 is like the delivery man; it
gets the software or the command to the client, but the command must be able to run on
the client independently of Configuration Manager 2007. If the software or command
cannot run without Configuration Manager 2007 software distribution, it will never run
with software distribution.

Configuration Manager 2007 uses advertisements to specify which collections receive the
program and the package.
Software updates
The software updates feature provides a set of tools and resources that can help manage
the complex task of tracking and applying software updates to client computers in the
enterprise. Software updates in Configuration Manager 2007 requires a Windows Server
Update Services (WSUS) server to be installed and uses that to scan the client computers
for applicable software updates. The administrator views which updates are needed in the
environment and creates packages and deployments containing the source files for the
software updates. Clients then install the software updates from distribution points and
report their status back to the site database.
Software metering
Software metering enables you to collect and report software program usage data. The
data provided by these reports can be used by many groups within the organization such
as IT and corporate purchasing.
Software metering in Configuration Manager 2007 supports the following scenarios:
Identify which software applications are being used, and who is using them.
Identify the number of concurrent usages of a specified software application.
Identify actual software license requirements.
Identify redundant software application installations.
Identify unused software applications which could be relocated.

Mobile Device management


Mobile devices are supported as Configuration Manager 2007 clients. For documentation
purposes, mobile clients are treated as a separate feature. Mobile clients can run a subset
of Configuration Manager 2007 features such as inventory and software distribution, but
cannot be managed by remote control and cannot receive operating system deployments
like desktop clients.
Operating system deployment


Operating system deployment enables you to install new operating systems and software
onto a computer. You can use operating system deployment to install operating system
images to new or existing computers as well as to computers with no connection to your
Configuration Manager 2007 site. By using task sequences and the driver catalog,
operating system deployment streamlines new computer installations by allowing you to
install software using one dynamic image that can be installed on different types of
computers and configurations.
Operating system deployment provides the following solutions for deploying operating
system images to computers:
Provide a secure operating system deployment environment.
Assist with managing the cost of deploying images by allowing one image to work with
different computer hardware configurations.
Assist with unifying deployment strategies to help provide a solid deployment foundation
for future operating system deployment methods.

Desired configuration management


Desired configuration management enables you to define configuration standards and
policies, and audit compliance throughout the enterprise against those defined
configurations. Best-practice configurations from Microsoft and vendors can be used in
the form of Microsoft System Center Configuration Manager 2007 Configuration
Packs. These Configuration Packs can then be refined to meet customized business
requirements. Additionally, desired configuration management supports an authoring
environment for customized configurations.
This feature is designed to provide data for use by many groups within the organization,
including IT and corporate security. Desired configuration management supports the
following scenarios:
Detect production server configuration drift and confirm provisioned servers meet
expected build requirements.
Provide the help desk with probable cause information, reducing the time-to-resolve
(TTR) of incidents and provide probable cause analysis for problems
Report compliance with regulatory policies, and in-house security policies
Provide change verification and tracking


Note
If you are familiar with the Business Solution Add-on, Desired Configuration Monitoring
with Systems Management 2003 Service Pack 1, see the following reference for a
comparison between the two features: Comparison of SMS 2003 Desired Configuration
Monitoring and Configuration Manager 2007 Desired Configuration Management.
Remote tools
Remote tools in Configuration Manager 2007 includes the remote control feature, which
allows an operator with sufficient access rights to remotely administer client
computers in the Configuration Manager 2007 site hierarchy.
You can use remote control to troubleshoot problems on client computers and to provide
remote help desk support where access to the user's computer is necessary.
Network Access Protection
Network Access Protection (NAP) is a policy enforcement platform built into the
Microsoft Windows Vista and Windows Server 2008 operating systems that helps you
to better protect network assets by enforcing compliance with system health
requirements. You can configure DHCP Enforcement, VPN Enforcement, 802.1X
Enforcement, IPSec Enforcement, or all four, depending on your network needs.
Note
For an overview of how Network Access Protection works in Windows, see the Webcast
"Introduction to Network Access Protection"
(http://go.microsoft.com/fwlink/?LinkId=68775).

Network Access Protection in Configuration Manager 2007 works with Windows
Network Policy Server (NPS) on Windows Server 2008 to enforce software update
compliance through client remediation. Network policies allow you to limit network
access for clients until they have the software updates that you designate as required.
Important
Network Access Protection is not designed to secure a network from malicious users. It is
designed to help administrators maintain the health of the computers on the network,
which in turn helps maintain the network's overall integrity. Network Access Protection
does not prevent an authorized user with a compliant computer from uploading a
malicious program to the network or engaging in other inappropriate behavior.
Wake On LAN
The Wake On LAN feature helps to achieve a higher success rate for scheduled
Configuration Manager 2007 activities, reducing associated network traffic during
business hours, and helps organizations to conserve power by not requiring computers to
be left on for maintenance outside business hours.
Wake On LAN in Configuration Manager 2007 supports the following scenarios:
Sending a wake-up transmission prior to the configured deadline for a software update
deployment.
Sending a wake-up transmission prior to the configured schedule of a mandatory
advertisement, which can be for software distribution or a task sequence.
Security Modes
There are two security modes in Configuration Manager 2007.
Native mode is the recommended site configuration for new Configuration Manager 2007
sites because it offers a higher level of security by integrating with a public key
infrastructure (PKI) to help protect client-to-server communication. PKIs can help
companies meet their security and business requirements, but they must be carefully
designed and implemented to meet the current and future needs. Installing a PKI solely to
support Configuration Manager 2007 operations could fulfill certain short term goals but
could hamper a more extensive PKI rollout to support other applications at a later time. If
your organization already has a well-designed, industry-standard PKI, Configuration
Manager 2007 should be able to use certificates from the existing PKI.
Important
Native mode requires extensive planning and lab testing prior to implementation. If the
PKI infrastructure is not implemented properly to support Configuration Manager 2007,
the whole site could stop functioning. Do not implement native mode in a production
environment without thoroughly understanding the requirements.

While native mode is the most secure mode available in Configuration Manager 2007,
mixed mode can be considered adequate security for many organizations and requires
less administrative overhead. Mixed mode is the default when upgrading from an existing
Systems Management Server (SMS) 2003 site and provides backwards compatibility for
hierarchies that have both SMS 2003 sites and Configuration Manager 2007 sites. It is
possible to install with mixed mode and then migrate to native mode later. It is also
possible to revert to mixed mode from native mode. Both migrating and reverting require
thorough planning prior to implementation.
Native mode sites cannot report to mixed mode sites. When migrating from mixed mode
to native mode, always convert the central site first and then work down.
Internet-based Clients
Computers that connect to the organization's network using VPN or dial-up technology
can be managed as regular Configuration Manager 2007 clients. Computers that connect
to the Internet but never connect to the organization network can be configured as
Internet-based clients. Internet-based clients can belong only to native mode sites.
Managing Internet-based clients requires carefully planning where site systems will be
located. For example, you could put management points and distribution points in your
perimeter network, or you could allow Internet-based clients to traverse your firewall to
access site systems inside your organization's network, or you could create a separate site
in the perimeter network just to support Internet-based clients.
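The two site-mode rules stated above (native mode sites cannot report to mixed mode sites, and Internet-based clients can belong only to native mode sites) can be checked against a planned hierarchy before any site is converted. The following Python code is an added example, not part of Configuration Manager or its SDK; the `Site` model, the function names and the site codes are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

NATIVE, MIXED = "native", "mixed"


@dataclass(frozen=True)
class Site:
    """Hypothetical model of one site; not a Configuration Manager SDK type."""
    code: str                        # three-character site code
    mode: str                        # NATIVE or MIXED
    parent: Optional[str] = None     # parent site code; None marks the central site
    internet_clients: bool = False   # site is expected to manage Internet-based clients


def reporting_violations(sites: Dict[str, Site]) -> List[str]:
    """Native mode sites that report to a mixed mode parent."""
    found = []
    for site in sites.values():
        parent = sites.get(site.parent) if site.parent else None
        if parent and site.mode == NATIVE and parent.mode == MIXED:
            found.append(f"{site.code}: native mode site reports to "
                         f"mixed mode site {parent.code}")
    return found


def internet_client_violations(sites: Dict[str, Site]) -> List[str]:
    """Sites that must serve Internet-based clients but are not in native mode."""
    return [f"{s.code}: Internet-based clients need a native mode site"
            for s in sites.values()
            if s.internet_clients and s.mode != NATIVE]


def migration_order(sites: Dict[str, Site]) -> List[str]:
    """Mixed mode sites in a safe conversion order: central site first, then down."""
    children: Dict[Optional[str], List[str]] = {}
    for site in sites.values():
        children.setdefault(site.parent, []).append(site.code)
    order: List[str] = []
    queue = deque(sorted(children.get(None, [])))
    while queue:                      # breadth-first walk from the central site
        code = queue.popleft()
        if sites[code].mode == MIXED:
            order.append(code)
        queue.extend(sorted(children.get(code, [])))
    return order


def check_plan(sites: Dict[str, Site], plan: List[str]) -> List[str]:
    """Replay a proposed conversion order and report the first unsafe step."""
    state = dict(sites)
    for step, code in enumerate(plan, start=1):
        if code not in state:
            return [f"step {step} ({code}): unknown site code"]
        state[code] = replace(state[code], mode=NATIVE)
        broken = reporting_violations(state)
        if broken:
            return [f"step {step} ({code}): {msg}" for msg in broken]
    return []


# Constructed sample hierarchy; the site codes are made up for this example.
SAMPLE = {s.code: s for s in [
    Site("CEN", MIXED),
    Site("EUR", MIXED, parent="CEN", internet_clients=True),
    Site("USA", MIXED, parent="CEN"),
    Site("PAR", MIXED, parent="EUR"),
]}

if __name__ == "__main__":
    print("Blocking Internet-based clients:", internet_client_violations(SAMPLE))
    print("Safe conversion order:", migration_order(SAMPLE))
    print("Converting EUR before CEN:", check_plan(SAMPLE, ["EUR", "CEN"]))
```

Converting `EUR` before the central site is reported at the first step, because for that moment a native mode site would report to a mixed mode parent.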
Privacy
While network management products let you effectively manage large numbers of
clients, you must also be aware of ways that this software affects the privacy of users in
your organization. Configuration Manager 2007 includes many tools to gather data and
monitor client computers, some of which could raise privacy concerns.
For example, when you deploy the Configuration Manager 2007 client, you enable client
agents so you can use Configuration Manager 2007 features. The settings you use to
configure the features apply to all clients in the site, regardless of whether they are directly
connected to the corporate network, connected through a remote session, or connected to
the Internet but supported by the site. Client information is stored in the database and is
not sent back to Microsoft. Before implementing Configuration Manager 2007, consider
your privacy requirements.
Configuration Manager Accounts and Groups
Configuration Manager 2007 uses the Local System account for most site operations.
Certain configurations might require creating and maintaining additional accounts.
Several default groups and SQL Server roles are created during Setup, but you might
have to manually add computer or user accounts to these default groups and roles.
Understanding Configuration Manager Operations
Microsoft System Center Configuration Manager 2007 interacts with many servers, client
computers, and client devices, using a variety of files, services, and database operations.
If any of these complex interactions are disrupted, features will not function as expected.
Configuration Manager 2007 includes some mechanisms to monitor site operations and
some tools to troubleshoot problems when they arise.
Maintaining Configuration Manager Site Operations
Most site operations are the result of services, files, and the site database working
together. For example, when you make a change to a site setting, a service called
Hierarchy Manager writes a change to a delta file. The Site Control Manager service
takes the changes from the delta file to the site control file, which contains all of the site
settings. Hierarchy Manager then makes the configuration change in the database. If there
are parent or child sites, Site Control Manager interacts with other services to send the
site settings up or down the hierarchy. Many of these site processes are documented in the
technical flow charts included in the Configuration Manager Documentation Library.
Status Messages
Most of the time, site operations just work and need no intervention. To monitor
operations, most services, including client services, generate status messages.
Informational and success status messages indicate that the site is performing as
expected. Error and Warning status messages indicate that problems exist. The status
messages often contain troubleshooting information like possible causes and solutions.
You can view status messages in the Configuration Manager console using the Status
Message Viewer. You can also run queries for status messages in the database. For more
information about status messages, see Using Status Messages for Configuration
Manager Troubleshooting.
Log Files
In addition to generating status messages, Configuration Manager services write more
detailed information about every action to log files. You can view the log files with any
text editor. Interactive flow charts will be available for many features on the
Configuration Manager TechCenter and provide samples of log file entries.
State Messages
Configuration Manager 2007 also uses state messages, which are different than status
messages, to track the current state of some site operations. Unlike status messages, there
is no viewer for state messages. All state messages are viewed using reports. More
information about using state messages to monitor site operations is included in the
features that use state messages.
Routine Maintenance
Routine monitoring operations for the site consist primarily of checking status messages,
file backlogs, and key log files. Some database tasks are automated and configurable in
the Configuration Manager console. For more information, see Predefined Maintenance
Tasks. To facilitate administration, you can use monitoring software like System Center
Operations Manager to alert you to conditions that could compromise optimal site
operations.
Because Configuration Manager 2007 uses Microsoft SQL Server as the back end
database, you might also need to perform routine SQL Server maintenance. It is helpful
to have people in your organization who understand SQL Server administration.
Backup and Recovery
Like any enterprise software, your site should be backed up to provide recoverability in
case of unexpected events. Backing up a Configuration Manager 2007 site involves
backing up the database, the file system, and the registry all at the same point in time -
backing up just one of these elements is not sufficient to restore a working site.
Configuration Manager 2007 uses the Volume Shadow Copy Service (VSS) to take small,
frequent snapshots of the necessary components, making it easier to restore a failed site.
The Site Repair Wizard walks you through the necessary steps to complete the site
recovery.
Example Scenarios for Configuration Manager 2007
This scenario demonstrates how data moves within a Microsoft System Center
Configuration Manager 2007 site for software distribution.
The accounting department has just purchased a new line-of-business application and
wants it installed on all accounting computers as soon as possible. Kim uses the software
distribution feature of Configuration Manager 2007 to send the new software only to
computers in the accounting department based on their membership in an Active
Directory security group.
Kim enables Active Directory Security Group Discovery. Every day, Configuration
Manager 2007 queries Active Directory for all computers that are members of the
Accounting security group.
Kim creates a query in the Configuration Manager 2007 console to find all members of
the Accounting security group.
Kim creates a collection based on the query to find all members of the Accounting
security group. If the Active Directory administrator adds a new computer to the
Accounting security group, the next time Active Directory Security Group Discovery
runs it will add the new computer to the Configuration Manager 2007 database. The next
time the Accounting collection is evaluated, the query will find the new computer in the
database and it will be added to the collection.
Kim enables the Advertised Programs Client Agent, so that all clients in his site will be
able to receive software distribution packages.
Kim creates several distribution points in each site. If he configured only one per site, it
might not be able to service all of the clients in that site.
Kim creates a package for the accounting application. He configures the package to read
the source files from the CD and create a local copy of the package, because disks in his
office sometimes disappear without his permission.
The application has a tool to create a customized Windows Installer file that will install
the software with no user intervention and using all of the accounting department's
preferred defaults. Kim creates one program to run the customized Windows Installer and
he creates a second program to uninstall the accounting application, just in case. Both
programs are configured to run whether or not a user is logged on, and both will run with
administrative rights even if the logged on user is not currently an administrator, even if
the client computer is running Windows Vista with User Account Control enabled.
The default package access accounts allow all users to read the package. Because only
accounting members should have access, Kim removes the Users package access account
and adds an account for the accounting group.
Kim copies the package to all distribution points in his site. He also copies the package to
all distribution points in all child sites because there are some members of accounting in
every site.
As soon as Kim completes the distribution point wizard, the site server immediately
begins copying the files to the distribution points in his site. Kim purposefully waited
until the end of the day to run the distribution point wizard so the network would be less
busy. The sender controls the bandwidth utilization to the child sites, so it doesn't matter
when Kim runs the distribution point wizard. The sender from the parent site copies the
package to the child site in small chunks and verifies each chunk before sending the next
one. After the entire package is successfully received at the child site, the child site server
copies the package to all distribution points in that site.
After Kim has verified in the package status that the package has been distributed to all of
his distribution points, he creates an advertisement. He configures the advertisement to
use the accounting package and the program to run the customized Windows Installer
file. He sets the advertisement to send the package and program to the accounting
collection. He configures the advertisement to run next Wednesday at 4 pm in the client's
time zone. He could have configured it to run at 4 pm UTC but some of the sites in other
countries don't have local administrators and Kim doesn't want to get troubleshooting
calls in the middle of the night if 4 pm in his site is midnight in a different site. Even
though the application is rather large, Kim configures the advertisement to run even if the
client computer is connected to a slow network boundary; this means that accounting
users who work from home and connect using a VPN will still have to install the
program. Kim makes a note to send out an e-mail to the home-based workers to let them
know the large package is coming.
As soon as Kim completes the advertisement wizard, Configuration Manager 2007
creates a policy and sends it to the management points for all the sites. For the
management points at the child sites, the sender at the parent site copies the policy to the
site server at the child site and the child site server sends it to the site management point.
The clients in all the sites have been configured to poll for new policy every two hours
because it provides a nice balance between getting software out quickly enough but not
saturating the network with policy requests.
The next time a client in the Accounting collection polls the management point, it is told
that it has software advertised to it. It asks for the location of the content and is given a
list of distribution points in the site. The client sorts the list and finds three distribution
points on the same subnet, so it picks one at random. The client connects to the selected
distribution point and downloads the content into a local cache and then runs the program
from the cache to install the accounting software.

After the software is installed, the client sends a status message indicating success.
Kim creates a report to show which clients have successfully installed the accounting
software.
Customizing Configuration Manager
Microsoft System Center Configuration Manager 2007 functionality can be automated
and extended by using the System Center Configuration Manager 2007 Software
Development Kit (SDK). The Configuration Manager SDK provides the necessary
information to administrators who want to automate Configuration Manager 2007
functionality and to developers who want to extend the base Configuration Manager
functionality.
The Configuration Manager SDK contains the documentation, samples and reference
material necessary to write applications that access and modify Configuration Manager
data. In addition, the SDK contains code samples in C# and VBScript to support various
Configuration Manager features.
Support for Configuration Manager Features
The following features of Configuration Manager 2007 are supported by the System
Center Configuration Manager 2007 Software Development Kit (SDK):
Configuration Manager Console Extension
Configuration Manager Asset Intelligence
Configuration Manager Desired Configuration Management
Configuration Manager Device Management
Configuration Manager Discovery
Configuration Manager Inventory
Configuration Manager Management Point Interface
Configuration Manager Network Access Protection Integration
Configuration Manager Operating System Deployment
Configuration Manager Remote Tools
Configuration Manager Server and Client Infrastructure
Configuration Manager Software Distribution
Configuration Manager Software Metering
Configuration Manager Software Updates Management
Configuration Manager System Status
Configuration Manager Wake On LAN

What's New in Configuration Manager 2007


Some aspects of Microsoft System Center Configuration Manager 2007 have changed
very little from Systems Management Server (SMS) 2003, while some have changed a
lot. Also, several new features have been added and some features have been removed.
The following features are new to Configuration Manager 2007:
Desired configuration management
Network Access Protection for Configuration Manager
Wake On LAN
The following features used to be available only in Feature Packs but are now
incorporated into the core product:
Mobile device management
Operating system deployment
Transfer site settings wizard
Manage site accounts tool (MSAC)
Asset Intelligence
The following features have changed significantly from SMS 2003:
Backup and recovery
Software updates
The following features have been improved but still function very much like they did in
SMS 2003:
The administrator console
Collections
Software distribution
Software metering
Remote tools
The following features either have not changed or have only very minor changes:
Discovery
Inventory
Queries
Reporting
The basic site infrastructure has not changed. You still have primary sites and secondary
sites, though the new feature for software distribution called the branch distribution point
might remove the need to create some child sites in your hierarchy. Site to site
communication is still configured using senders and addresses; however, in Configuration
Manager 2007, senders can only be installed on primary or secondary site server systems.
Configuration Manager 2007 now supports hosting the site database on a clustered SQL
Server virtual instance as well as SQL Server 2005 named instances. Several new server
roles have been added to support new features.
In SMS 2003 you had two types of clients, but in Configuration Manager 2007 you have
only one client type, which is similar to the SMS 2003 Advanced Client. Some of the
client deployment methods have changed and some methods have been removed. A new
method, software update point client installation, allows you to leverage your software
update infrastructure to deploy Configuration Manager 2007 clients.
In SMS 2003 you had two security modes, but in Configuration Manager 2007 you have
the equivalent of SMS 2003 advanced security. However, you now have two site modes,
Configuration Manager 2007 native mode and Configuration Manager 2007 mixed mode.
Although site modes are not at all related to the SMS 2003 security modes, they do
involve the security of your Configuration Manager 2007 environment. Native mode is a
requirement to support Internet-based client management, a new feature that allows you
to manage clients that do not have a direct connection to your site.
In SMS 2003 the site server's local subnet is automatically used as the site boundary for
the site during setup. In Configuration Manager 2007, there is no default boundary
created during setup and you must manually create the boundary for a site when setup has
completed. In SMS 2003 there are site boundaries and roaming boundaries, but in
Configuration Manager 2007 there is only one type of boundary and it is equivalent to
SMS 2003 roaming boundaries. Computers are assigned as clients to Configuration
Manager 2007 sites according to the site boundaries you configure in the Configuration
Manager console. Boundaries can now be defined by IP subnets, Active Directory site
names, IPv6 Prefix, or IP ranges.
In SMS 2003, roaming boundaries were either local or remote roaming boundaries. When
creating Configuration Manager 2007 boundaries, you instead decide if the boundary will
be used for either a Slow or unreliable or Fast (LAN) network connection.
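To make the boundary types concrete, the following Python code matches a client against boundaries defined by IP subnet, IPv6 prefix, IP range or Active Directory site name, and reports the site and the Fast (LAN) or Slow or unreliable setting that applies. It is an added example, not Configuration Manager code; the `Boundary` and `Assignment` types, the CIDR and `first-last` notations, and the choice to report overlapping or conflicting boundaries instead of picking one are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Boundary:
    """Hypothetical model of one site boundary."""
    site_code: str
    kind: str     # "subnet", "ipv6_prefix", "ip_range" or "ad_site"
    value: str    # CIDR network, "first-last" range, or Active Directory site name
    fast: bool    # True = Fast (LAN), False = Slow or unreliable

    def matches(self, address: str, ad_site: Optional[str]) -> bool:
        if self.kind == "ad_site":
            return ad_site is not None and ad_site.lower() == self.value.lower()
        ip = ipaddress.ip_address(address)
        if self.kind in ("subnet", "ipv6_prefix"):
            net = ipaddress.ip_network(self.value, strict=False)
            return ip.version == net.version and ip in net
        if self.kind == "ip_range":
            first, last = (ipaddress.ip_address(p.strip())
                           for p in self.value.split("-"))
            # Addresses of different IP versions cannot be ordered, so test that first.
            return ip.version == first.version and first <= ip <= last
        raise ValueError(f"unknown boundary type: {self.kind}")


@dataclass(frozen=True)
class Assignment:
    site_code: Optional[str]          # None when no single site can be named
    fast: Optional[bool]              # None when the connection type is undecided
    warnings: Tuple[str, ...] = ()


def assign(boundaries: List[Boundary], address: str,
           ad_site: Optional[str] = None) -> Assignment:
    """Find the site and connection type for a client, or explain why not."""
    hits = [b for b in boundaries if b.matches(address, ad_site)]
    if not hits:
        # No default boundary exists after setup, so this is the starting state.
        return Assignment(None, None,
                          (f"{address} is outside every configured boundary",))
    sites = sorted({b.site_code for b in hits})
    if len(sites) > 1:
        # How the product treats overlaps is not covered by the text above;
        # this example reports the overlap instead of choosing a site.
        return Assignment(None, None,
                          (f"{address} matches boundaries of several sites: "
                           f"{', '.join(sites)}",))
    speeds = {b.fast for b in hits}
    if len(speeds) > 1:
        return Assignment(sites[0], None,
                          (f"{address} matches both fast and slow boundaries "
                           f"of {sites[0]}",))
    return Assignment(sites[0], speeds.pop(), ())


# Constructed sample boundaries; site codes and addresses are made up.
SAMPLE_BOUNDARIES = [
    Boundary("HQ1", "subnet", "10.10.0.0/16", fast=True),
    Boundary("HQ1", "ip_range", "172.16.5.10-172.16.5.200", fast=False),  # VPN pool
    Boundary("HQ1", "ipv6_prefix", "2001:db8:10::/64", fast=True),
    Boundary("BR2", "ad_site", "Branch-Office", fast=False),
    Boundary("BR2", "subnet", "10.10.40.0/24", fast=True),  # overlaps the HQ1 /16
]

if __name__ == "__main__":
    for addr, ad in [("10.10.3.7", None), ("172.16.5.50", None),
                     ("2001:db8:10::25", None), ("192.168.1.9", "branch-office"),
                     ("10.10.40.12", None), ("192.168.1.9", None)]:
        print(addr, ad, assign(SAMPLE_BOUNDARIES, addr, ad))
```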
In SMS 2003, you could not upgrade from the evaluation version of the product to the
full version. Configuration Manager 2007 now supports upgrading from the evaluation
version.
In SMS 2003 the client push installation method properties used when installing clients
have the default site code set to Auto. In Configuration Manager 2007 the default site
code used when installing clients using the client push installation method is set to the
site code of the primary site.
In Configuration Manager 2007, state messages are sent by Configuration Manager 2007
clients, using a new messaging system built into the product that allows clients to send
"checkpoints" of important changes of state. State messages are not the same as status
messages; whereas status messages provide information about component behavior and
data flow, state messages provide a snapshot of the state of a process at a specific time.
Configuration Manager 2007 also includes support for fully qualified domain names
(FQDN) and IPv6.
What's New in Asset Intelligence for Configuration Manager
First introduced in SMS 2003 SP3, Asset Intelligence has been enhanced significantly in
Microsoft System Center Configuration Manager 2007. New reports have been added to
the Asset Intelligence Hardware, Software, and License Management categories.
In addition to tracking installed software, auto-start software, and browser helper objects,
new software reports provide information about recently used executables. As well as the
hardware reports that track USB devices, processor age, and readiness for upgrade, new
reports identify computers that have software or hardware changes since the last
inventory cycle. New Client Access License reports, added to the existing License Ledger
reports, complete the ability to compare license usage with Microsoft License Statements.
License Management Reports
Nine new license management reports have been added, providing the means to track
Client Access Licenses (CAL) in addition to the existing volume license reports. One of
these new reports identifies the number of processors in computers running software that
can be licensed using the per-processor licensing model. The remaining 8 new reports
identify User CAL usage and Device CAL usage summaries, details, and history.
For more information, see License Management Reports.
Hardware Reports
Three new hardware reports help identify computers that have changed since the last
inventory cycle. The changes identified in these reports include both hardware and
software changes.
For more information, see Hardware Reports.
Software Reports
Six new software reports extend previous inventory capabilities by adding software
metering. These new reports identify recently used executables, which users ran them,
and the devices on which the executables were run.
For more information, see Software Reports.
What's New in Client Deployment for Configuration Manager
Client deployment in Microsoft System Center Configuration Manager 2007 introduces a
number of changes and new features designed to improve the ease and security of client
deployment, and to improve the identification of any problems using standard reports.
The following section details some of the new or improved features.
Checking for Site Compatibility to Complete Site Assignment
The improved functionality from SMS 2003 means that a Configuration Manager 2007
client will not work if it is assigned to a site running SMS 2003. To prevent this situation,
site assignment in Configuration Manager 2007 now includes a version check to ensure
compatibility between the client and its assigned site.
For site assignment to complete in Configuration Manager 2007, you must either extend
the Active Directory schema for Configuration Manager 2007 or clients must be able to
communicate with a server locator point in the hierarchy. Additionally, if you have
extended Active Directory but have clients from a separate forest, or clients from
workgroups, you will need a server locator point.
For more information, see About Client Assignment and Determine If You Need a Server
Locator Point.
Important
If a Configuration Manager 2007 client cannot complete the check for site compatibility,
site assignment will not succeed.

Client Prerequisite Checks
When CCMSetup installs the Configuration Manager 2007 client, it checks the
destination computer for the correct prerequisites required by your Configuration
Manager 2007 site. If these are not found, CCMSetup will install these before installing
the client.
For more information, see Prerequisites for Client Deployment.
Approval for Clients in Mixed Mode
A new procedure called approval helps to protect the security of a site in mixed mode.
Only clients that are approved will be sent policies that might contain sensitive data. You
should ensure that all client computers that you trust are approved with their assigned
site.
The default site setting for approval in Configuration Manager 2007 is to automatically
approve trusted computers. This means that in most circumstances you will not have to
manually approve many computers, unless they are from a separate Active Directory
forest or a workgroup. However, if your Configuration Manager 2007 spans multiple
domains, ensure that the site's default management point (or NLB management point) is
configured with an intranet fully qualified domain name (FQDN).
For more information, see About Client Approval and Determine If You Will Use FQDN
Server Names.
Client Blocking
If a client computer is no longer trusted, the Configuration Manager administrator can
block the client from the Configuration Manager infrastructure. Blocked clients are
rejected by Configuration Manager so that they cannot communicate with site systems to
download policy, upload inventory data, or send state or status messages to the site. This
action is especially useful for laptop computers or mobile devices that are lost or stolen,
to help prevent attackers from using a trusted client to attack the Configuration Manager
2007 site or the network. However, it does not replace the use of certificate revocation
checking if this is supported in a public key infrastructure (PKI) environment.
Fallback Status Point
The fallback status point is a new site system role in Configuration Manager 2007 that
receives state messages from client computers during the installation process, and if they
cannot connect to a management point. This information is then displayed in reports to
help you more easily identify computers that have failed to install the client software or
that cannot communicate with their site.
The fallback status point is not published to Active Directory Domain Services as a site
setting, so it must be assigned to clients during installation.
For more information, see About the Fallback Status Point and Determine If You Should
Install a Fallback Status Point.
Group Policy Based Installation and Assignment

Configuration Manager 2007 supports using Windows Group Policy to install or assign
the client software to computers in your enterprise. You can use this method to assign
new or existing clients to a Configuration Manager 2007 site. An administrative template
to perform site assignment is included on the Configuration Manager 2007 installation
media.
For more information, see How to Install Clients Using Group Policy and How to Assign
Clients to a Site.
Software Update Point Based Client Installation
Software update point based client installation is a new client deployment method
introduced in Configuration Manager 2007 that allows the administrator to publish the
latest version of the Configuration Manager 2007 client into the WSUS catalog. This
allows the latest client software to be installed using standard software update
deployment methods. One of the advantages of this installation method is that it does not
require local administrative rights on the target computer.
For more information, see Determine the Client Installation Method to Use and How to
Install Clients Using Software Update Point Based Installation.
Default Management Point Published to DNS
The most secure method for a client to find its default management point is through Active
Directory Domain Services. However, if this is not possible either because Active
Directory is not extended, or because clients are from a separate Active Directory forest
or a workgroup, DNS publishing offers a recommended alternative.
This configuration requires an entry in DNS that is added either automatically or
manually, and configuration on the client.
For more information, see Determine If You Need to Publish to DNS and Configuration
Manager and Service Location.
Uninstalling the Configuration Manager Client Software
The ccmclean.exe utility provided with SMS 2003 Toolkit 2 cannot be used to uninstall
the Configuration Manager 2007 client software. To successfully uninstall the
Configuration Manager 2007 client software you must use the CCMSetup.exe executable
together with the /uninstall property.
For more information, see How to Uninstall the Configuration Manager Client.
Client Network Access Account
The SMS 2003 client network access account is no longer used for client push
installations in Configuration Manager 2007.
For more information, see How to Install Clients Using Client Push.
Client Installation Properties Published in Active Directory

If you have extended the Active Directory schema for Configuration Manager 2007 and
the site is configured to publish to Active Directory Domain Services, a number of client
installation properties are published. These settings can remove the need to specify
CCMSetup command line properties under certain circumstances, such as when you
install the Configuration Manager 2007 client using software update point based
installation or use Group Policy installation.
For more information, see About Client Installation Properties Published in Active
Directory.
Provision Client Installation Properties Using Group Policy
You can use Windows Group Policy to provision client installation properties on
computers prior to installing the Configuration Manager 2007 client. When the client is
installed, these properties will be used if no other installation properties have been
specified. An administrative template to provision client computers with installation
properties is included on the Configuration Manager 2007 installation media.
For more information, see How to Provision Client Installation Properties using Group
Policy.
Low Rights Client Installation No Longer Supported
In SMS 2003, users without administrative rights to the computer could manually install
the SMS advanced client. These computers would then submit a CCR to the site server
which would initiate the installation. In Configuration Manager 2007, this feature is no
longer supported. You can install the Configuration Manager 2007 client on computers
logged on with non-administrator rights using the following methods:
Client push installation (if a valid client push installation account has been specified)
Software update point based client installation
Group Policy installation
For more information, see How to Install Clients Using Client Push, How to Install
Clients Using Software Update Point Based Installation and How to Install Clients Using
Group Policy.
CAPINST.EXE is No Longer Supported
Capinst.exe is no longer used in Configuration Manager 2007 for logon script client
installation. For information about how to install Configuration Manager 2007 clients
using a logon script, see How to Install Clients Using Logon Scripts.
Client Installation Files are Downloaded from the Management Point over HTTP

In SMS 2003, client installation files were downloaded from an SMB share on the
management point. In Configuration Manager 2007, the default behavior is to download
these files using an HTTP connection. You can still use an SMB share to download client
installation files, but you must create this share yourself and specify the CCMSetup
installation property /source.
For more information, see About Client Installation Properties.
Managing Client Identity
Configuration Manager 2007 manages client identity to help eliminate duplicate GUIDs.
For each client computer, Configuration Manager 2007 calculates a hardware ID using a
proprietary algorithm to help ensure that each client is uniquely identified. If
Configuration Manager 2007 detects a duplicate hardware ID, Configuration Manager
2007 can automatically create a new client record for the duplicate record. This setting
allows you to easily upgrade or deploy clients that might potentially have duplicate
hardware IDs, without requiring manual intervention. However, with this setting, if you
recover a computer and it maintains the original hardware ID, Configuration Manager
2007 will create a new record and you lose the historical continuity for reporting
purposes. If you want to manually resolve conflicting records, you can change the setting
on the Site Properties Advanced tab so that conflicting records will be displayed in the
Conflicting Records node. If you enable manual conflict resolution for all sites in a
hierarchy branch, then the administrator at the top of the branch can manually resolve
conflicts for all child sites. For more information, see How to Manage Conflicting
Records.
What's New in Mobile Device Management for Configuration Manager
The Mobile Device Management feature in Microsoft System Center Configuration
Manager 2007 introduces a number of changes from the version found in Microsoft
Systems Management Server (SMS) 2003 Device Management Feature Pack.
Mobile device platform support added
Support for the following mobile devices has been added:
Windows Mobile 2003 Smartphone
Windows Mobile for Pocket PC 2003 Second Edition
Windows Mobile for Pocket PC 5.0
Windows Mobile for Pocket PC Phone Edition 5.0
Windows Mobile 6 Standard
Windows Mobile 6 Professional
Windows Mobile 6 Classic
For a complete list of supported mobile devices, see Supported Mobile Devices.
Internet-based Client Management Support for Mobile Device Clients
Internet-based client management allows you to manage Microsoft System Center
Configuration Manager 2007 mobile device clients when they are not connected to your
company network but have a standard Internet connection. For more information about
configuring Internet-based mobile device clients, see Administrator Checklist:
Configuring Mobile Devices for a Site that Supports Internet-Based Client Management.
DMConsole removed
The Device Management Console for the mobile device client has been removed. Mobile
device clients retain a Device Management view under Start / Settings.
SMS_Def.mof for hardware inventory extension now in a defined package
Microsoft System Center Configuration Manager 2007 administrators no longer have to
deploy SMS_Def.mof to extend the hardware inventory. A defined Device Management
Inventory Extension package now contains everything needed to target and deploy
mobile devices. For more information about extending the inventory to desktop
computers for mobile device management, see How to Distribute Inventory Extension to
Client Desktop Computers for Mobile Device Management.
DMScript removed
Device Management Scripts have been removed from Configuration Manager. Device
Management Scripts will not function on a Configuration Manager client because the
DMScript engine has been removed. Administrators that need this functionality are
encouraged to use the .NET Compact Framework and any of the .NET languages to
create command applets to perform these functions.
New Mobile Device Management Reports
The following new reports have been added to the mobile device management feature:
New Client Status Reports:
Client Agent Deployment Success
Client Agent Deployment Failure
Client Agents Healthy
Client Agents Unhealthy
Client Agent Health Summary
Client Agent Unhealthy Local
For more information about reports for mobile devices, see How to Use Reports for
Mobile Devices.
What's New in Operating System Deployment for Configuration Manager
Operating System Deployment (OSD) provides the Configuration Manager 2007
administrator with a tool for creating images that can be deployed to computers managed
by Configuration Manager 2007, and to unmanaged computers using bootable media
such as CD or DVD. The image, a Windows Image (WIM) format file, contains the
desired version of a Microsoft Windows operating system and can also include any
line-of-business applications that need to be installed on the computer. Operating System
Deployment provides the following functionality:
Image capture
User state migration using the User State Migration Tool
Image deployment
Task sequences
Disconnected and Remote Deployment
You can deploy Windows via CD set or DVD with or without network connectivity.
Windows PE, boot image, and applications can all be stored on removable media.
Advanced Task Sequencing

OSD offers a new task sequence editor with many built-in features that provide
flexibility both for operating system deployments and for performing other related
tasks.
What's New in Remote Tools for Configuration Manager
The Remote Tools feature in Microsoft System Center Configuration Manager 2007
introduces a number of changes from the version found in Systems Management Server
2003. These changes are designed to provide the following improvements:
Improved security.
Use of the latest communications protocols.
Improved performance.
Compatibility with new operating systems.
New Remote Tools Agent
Configuration Manager 2007 includes a new remote tools agent which uses the Microsoft
RDP protocol. This is a standard protocol used for applications such as Remote Desktop
and Remote Assistance. The RDP protocol is supported on client computers running
Windows XP and Windows 2003 Server and above. The following levels of access are
supported by the new remote tools agent:
No access
View only
Full control

Windows 2000 Remote Tools Agent
The Microsoft RDP protocol is currently not supported on computers running Windows
2000. To support Configuration Manager 2007 client computers running Windows 2000,
a modified version of the SMS 2003 remote tools agent is included. The following levels
of access are supported by the Windows 2000 remote tools agent:
No access
Full control

Remote Tools UI
The following options are no longer included in the Configuration Manager 2007 remote
tools:
Reboot
Chat
File transfer
Remote execute
Windows 98 diagnostics
Ping

What's New in Security for Configuration Manager
Microsoft System Center Configuration Manager 2007 introduces some significant
security changes from Systems Management Server (SMS) 2003.
Configuration Manager 2007 Has One Security Mode
In SMS 2003 you had the option of standard security or advanced security and advanced
security was recommended. In Configuration Manager 2007, you have only one security
mode and that mode is equivalent to SMS 2003 advanced security mode. In SMS 2003
some sites could not comply with the advanced security requirement that all site
systems belong to an Active Directory domain, but this is now a requirement to run
Configuration Manager 2007.
If you are installing a new site, you will not be prompted to choose a security mode. If
you are upgrading from SMS 2003, you must convert your site to advanced security prior
to running Setup. After converting, you should delete any accounts that will not be required.
For more information, see Accounts to Delete after Upgrading from SMS 2003. You
should also verify that you have the proper accounts in place for Configuration Manager
2007 to function. For more information, see Checklist for Configuration Manager
Account Security.
Configuration Manager 2007 Has Two Site Modes
Configuration Manager 2007 gives you a choice between Configuration Manager 2007
native mode and Configuration Manager 2007 mixed mode. Native mode requires an
existing Public Key Infrastructure (PKI) implementation, but provides mutual
authentication between Configuration Manager 2007 clients and servers. It is the most
secure choice. Mixed mode is provided for backward compatibility with hierarchies that
must support SMS 2003 sites and for organizations without the resources to deploy a
PKI. If you deploy in mixed mode, you have the option to manually approve all clients
before they can join the site or you can allow all domain-joined clients to be
automatically approved. It is possible to allow all clients to be automatically approved,
whether or not they belong to a trusted domain, but that increases your security risk by
allowing unknown clients to join your site.
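The approval and blocking rules described under Client Approval, Client Blocking and the two site modes above, modelled as an added example (not Microsoft's code and not part of the original document). The class, function and client names and the access labels are hypothetical, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class ApprovalSetting(Enum):
    """Mixed-mode approval choices described in the text."""
    MANUAL = "manually approve every client"
    AUTO_TRUSTED = "automatically approve trusted computers"  # the default
    AUTO_ALL = "automatically approve all clients"


@dataclass
class Client:
    name: str
    trusted_domain: bool             # False for a workgroup or separate forest
    manually_approved: bool = False
    blocked: bool = False            # for example a lost or stolen laptop


def is_approved(client, setting):
    """Apply the site's approval setting to one client."""
    if client.manually_approved or setting is ApprovalSetting.AUTO_ALL:
        return True
    if setting is ApprovalSetting.AUTO_TRUSTED:
        return client.trusted_domain
    return False


def policy_access(client, setting):
    """Return what the site will send the client.

    'rejected'      blocked: cannot download policy, upload inventory
                    or send state or status messages
    'full'          approved: may receive policy containing sensitive data
    'non-sensitive' not approved: sensitive policy is withheld
    """
    if client.blocked:               # blocking wins over any approval
        return "rejected"
    return "full" if is_approved(client, setting) else "non-sensitive"


def audit(clients, setting):
    """List (client name, finding) pairs an administrator should review."""
    findings = []
    for c in clients:
        access = policy_access(c, setting)
        if access == "rejected":
            findings.append((c.name, "BLOCKED"))
        elif access == "non-sensitive":
            # Trusted machines outside the auto-approval rule need a
            # manual approval before they receive sensitive policy.
            findings.append((c.name, "NEEDS_MANUAL_APPROVAL"))
        elif not c.trusted_domain and not c.manually_approved:
            # Only reachable with AUTO_ALL: an unknown client joined the site.
            findings.append((c.name, "AUTO_APPROVED_UNTRUSTED"))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_CLIENTS = [
    Client("WKS-01", trusted_domain=True),
    Client("WG-07", trusted_domain=False),                  # workgroup machine
    Client("PARTNER-03", trusted_domain=False, manually_approved=True),
    Client("LAPTOP-22", trusted_domain=True, blocked=True),  # reported stolen
]

if __name__ == "__main__":
    for setting in ApprovalSetting:
        print(setting.name)
        for name, finding in audit(SAMPLE_CLIENTS, setting):
            print(f"  {name}: {finding}")
```

Running it shows the trade-off the text describes: the default setting leaves only the workgroup client waiting for manual approval, while approving all clients removes that step and reports the same client as an untrusted machine that joined automatically.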
Configuration Manager 2007 Supports Only One Client Type
In SMS 2003, you had a choice between the Legacy Client and the Advanced Client.
Starting with SMS 2003 SP1, you could install the Legacy Client only on Windows 98 or
Windows NT 4.0 clients. In Configuration Manager 2007, there is just one client called
simply the Configuration Manager 2007 client and it is similar to the SMS 2003
Advanced Client. Before upgrading to System Center Configuration Manager 2007, you
must remove all Legacy Clients in the site hierarchy.
Configuration Manager 2007 Supports Only SQL Server Windows Authentication
In SMS 2003 you configured SMS to access the site database server using either SQL
Server Authentication, previously known as standard security, or Windows
Authentication, previously called integrated security. If you used SQL Server
Authentication, you had to provide a SQL login for SMS to use when accessing the site
database. Configuration Manager 2007 supports only Windows Authentication, meaning
Configuration Manager 2007 uses the site server computer account to access the site
database. Several database roles have been added to better control Configuration
Manager 2007 access to the SQL Server.
Inter-site Communication Security
In SMS 2003, you had the option of whether or not a site could accept unsigned data
from another site. In Configuration Manager 2007, all data must be signed between sites
and there is no option to disable the signing requirement.
Also, in SMS 2003, secure key exchange was not enabled by default between sites. In
Configuration Manager 2007, the requirement for secure key exchange between sites is
enabled by default for fresh installations.
Client Push Installation Can Use Computer$ Account
Even if your SMS 2003 site used advanced security, you had to configure a user account
to perform Client Push Installation. In Configuration Manager 2007, if you do not have a
user account configured, Configuration Manager 2007 will try the site server computer$
account. If no client push installation accounts are defined, and if the computer$ account
does not have administrative rights to the client computer, Client Push Installation will
fail.
Important
Adding the site server computer$ account to the Domain Admins global group is not
recommended because it is excessive privilege. A better alternative is to add the site
server computer$ account to a different global group, then use Group Policy to add the
global group to the local Administrators group as a restricted group. For more
information, see Microsoft KB article 320065, "How to Configure a Global Group to Be
a Member of the Administrators Group on all Workstations."

Security Configuration Wizard Helps Secure Site Roles
With the release of Windows Server 2003 SP1, the Security Configuration Wizard (SCW)
provides server hardening based on the roles performed by the server. Configuration
Manager 2007 templates can be added to SCW to provide the recommended security
configuration for Configuration Manager 2007 site system roles. Running the SCW
replaces the previous security recommendations to run IIS Lockdown and URLScan on
Configuration Manager 2007 roles that require IIS. Because the SCW provides an
automated way to help secure servers, the manual hardening checklists for IIS and SQL
provided in "Scenarios and Procedures for SMS 2003: Security" are no longer provided.
Before you can run the SCW on your site server and site systems, you must complete
some manual steps. For more information, see How to Configure Windows SCW for
Configuration Manager.

Upgraded Administrators Do Not Have Access to All Objects
After upgrading, the user who ran the upgrade has access to all of the objects in the
Configuration Manager 2007 console but existing administrators have access only to
objects that existed prior to upgrade. This is true even for software updates objects. Users
who had full rights to all SMS 2003 software updates objects will have full rights to the
same objects in Configuration Manager 2007 but will not have any rights to new object
types such as templates.
Account Changes
Because standard security and the Legacy Client are not used in Configuration Manager
2007, any accounts related to those configurations are no longer needed. Configuration
Manager 2007 does not create any user accounts during Setup or client installation.
Several new accounts are introduced in Configuration Manager 2007.
Account Name: Used for
Site System Installation account: Installing and configuring site systems
Health State Reference Publishing account: Network Access Protection publishing to Active Directory Domain Services
Health State Reference Querying account: Network Access Protection querying from Active Directory Domain Services
Capture Operating System Image account: Capturing images for operating system deployments
Software update point proxy server account: Synchronizing the software update catalog, if your proxy server requires authentication
Task Sequence Editor Domain Joining account: Task sequences in operating system deployment that require a security context to join a domain
Proxy Account for Internet-based clients: Internet-based clients that need to authenticate to a proxy server when accessing the Internet
The SMS_SiteSystemToSQLConnection group is no longer needed because database
access is controlled by SQL Server roles that are automatically created during
Configuration Manager 2007 Setup. For more information, see About the Database Roles
for Configuration Manager.

A new group, the ConfigMgr Remote Control Users group, has been added to contain the
members of the Permitted Viewers list.

What's New in Software Distribution for Configuration Manager
With this release, Microsoft System Center Configuration Manager 2007 expands the
abilities of system administrators to centrally manage computers effectively. Building on
the capabilities provided by Systems Management Server (SMS) 2003, Configuration
Manager provides a refined tool set for software distribution that includes the following
new characteristics:
Branch Distribution Points
A new Configuration Manager server role, the branch distribution point, allows small
office locations to host packages on workstation computers without requiring a secondary
site to be hosted. This is particularly useful for offices with fewer than ten workstations,
where maintaining a separate server for a secondary site might not be practical.
Branch distribution points function in much the same fashion as standard distribution
points, but have the advantage of providing greater control over network traffic,
necessary for branch offices that may have limited network bandwidth availability.
Branch distribution points not only allow for manual content provisioning, but also
provide configurable settings for scheduling and throttling network traffic and for
enabling BITS (Background Intelligent Transfer Service), to help minimize network impact.
Additionally, on-demand package distribution is allowed, in which packages are only
downloaded to the branch distribution point when specifically requested by a client
computer.
For more information, see About Branch Distribution Points.
Maximum Allowed Run Time Program Attribute
A program attribute that existed in previous versions of Configuration Manager,
Maximum Allowed Run Time has taken on greater significance in Configuration
Manager 2007. If a program is advertised to a collection that is utilizing maintenance
windows, the value of the Maximum Allowed Run Time attribute is used to determine
when and if the program can be run within the allotted window. For instance, if the run
time is set to 90 minutes, but the collection it is advertised to only has a maintenance
window of 60 minutes, that program will not run. Exceptions to this can be set, in the
form of options to disregard existing maintenance windows, but care should be taken to
ensure that this attribute is accurate.
This value can be set when creating a program in the New Program Wizard, or on the
Requirements tab of the Program Property page for existing programs. By default, this
value is automatically set to 120 minutes.
For more information on maintenance windows and their interaction with the maximum
allowed run time attribute, see About Maintenance Windows and Program Run Scenario
using Maintenance Windows.
Improved Program re-run behavior

Software distribution now exposes program re-run behavior options to administrators to a
greater degree than previously. The number of available behavior options has also
increased. These can be seen when configuring a new or existing advertisement and allow
administrators greater flexibility in determining what rerun behavior is most appropriate
for each specific advertisement. Additionally, Configuration Manager prevents
administrators from selecting an incompatible program re-run option.
For more information on program re-run behavior, see Advertisement Name Properties:
Schedule Tab.
Greater control over program run and restart notifications
With Configuration Manager 2007, users now have greater control over many program
run and notification settings. Administrators can now set bandwidth throttling, system
restart countdown and restart notifications on the Computer Client Agent, advertised
program notification and program run countdown settings on the Advertised Programs
Client Agent, and collection-specific restart and policy polling settings on the collections
themselves.
Branding support for client agent
Software distribution now provides support for customized branding through the
Computer Client Agent. This allows administrators to display customized,
organization-specific text on the client computer, such as in the Run Advertised
Programs dialog box. Additional custom branding can be used for the software
distribution, software updates, and operating system deployment features.
For more information, see Computer Client Agent Properties: Customization Tab.
Binary Delta replication
Although delta replication has existed in previous versions of Systems Management
Server, this has previously been available only on the file level. For instance, if a file
within a package or program changed, file-based delta replication would copy the
changed file to distribution points (and other destinations) instead of copying the entire
package. With binary delta replication, only those specific changes within a file are
copied to the destination, thereby greatly reducing the network traffic involved. This can
be used on a site-to-site, site-to-distribution point, or standard distribution point-to-branch
distribution point basis.
For more information about binary delta replication, see About Binary Differential
Replication.
Increased Default Cache Size
With the release of Configuration Manager 2007, the size of the cache for storing
packages when they're downloaded has increased dramatically, from 250 Mb in size to
5120 Mb. When a package must be downloaded, it competes with other, often
older packages for the available space in the cache. In the past, these older packages
might be deleted to free enough space to place the new package in the cache. For very large
packages, downloading might not have been possible at all if the size of the package (or
image) exceeded the size of the cache. With the increased default cache size, however,
this is far less likely to happen, and older packages will remain in the cache and available
longer.
Advertisements Not Replicated to Secondary Sites
In SMS 2003, all advertisement information was sent to both secondary and primary sites
because Legacy Clients could be assigned directly to secondary sites. However,
Configuration Manager 2007 does not use Legacy Clients, and all clients can only be
assigned to a primary site.
Because of this, Configuration Manager no longer replicates advertisement information
to secondary sites, resulting in significant performance improvements and savings in
network bandwidth.

What's New in Software Updates for Configuration Manager
The software updates feature was introduced with Systems Management Server (SMS)
2003 and provides a set of tools and resources that can help manage the complex task of
tracking and applying software updates to client computers in the enterprise. The same
basic objectives are achieved, but software updates in Configuration Manager 2007
provides more advanced configuration options and utilizes new components and
improved technology to achieve these objectives.
Software Update Point Site System Role
The software update point is installed as a site system role in the Configuration Manager
console. Each site must have an active software update point before the software updates
feature is enabled. A second software update point can be installed to handle the
communications from Internet-based client computers. The software update point site
system role must be created on a server that has Windows Server Update Services
(WSUS) 3.0 already installed and configured. The software update point provides the
communication with WSUS and synchronizes with the WSUS database to retrieve the
latest software update metadata from Microsoft Update, as well as locally published
software updates. For more information, see About the Software Update Point.
Software Updates Client Agent
The Software Updates Client Agent in Configuration Manager 2007 is enabled by
default, and client agent components are installed on client computers with the other
Configuration Manager client components. The Software Updates Client Agent handles
scan requests for software updates compliance, software update evaluation requests,
deployment policies for the client, and content download requests. For more information,
see About the Software Updates Client Agent.
Software Updates Compliance Data on Clients
Configuration Manager 2007 no longer uses hardware inventory to report the compliance
for software updates on Configuration Manager 2007 client computers. Client computers
now create state messages that contain the compliance assessment data and send these
messages to the management point, which in turn sends the data to the site server. The
compliance assessment data is displayed in the Configuration Manager console and in
Software Updates compliance reports.
Inventory Scan Tools
Configuration Manager client computers no longer use a variety of inventory scan tools
to scan for software update compliance, but instead use the Windows Update Agent (WUA)
on client computers. There are several inventory scan tools in SMS 2003 that scan client
computers for software update compliance. When a site is upgraded to Configuration
Manager 2007 and the Inventory Tool for Microsoft Updates is found on the site server,
most likely the central site, the tool is automatically upgraded. After the upgrade, the
Inventory Tool for Microsoft Updates is fully operational for SMS 2003 client computers
at the site, the Inventory Tool for Custom Updates is supported, but with conditions, and
the other scan tools have very limited support. Using the scan tools on Configuration
Manager 2007 client computers is not supported. For more information, see Planning the
SMS 2003 Software Updates Upgrade.
Software Update Bundles
SMS 2003 displayed the same software update multiple times in the SMS Administrator
console for each language and product for the update. Configuration Manager 2007 has
introduced the concept of software update bundles, where a software update is displayed
only once in the Configuration Manager console. Software update deployments are
initiated by selecting the bundle update, and when creating the deployment the
administrator can define which language specific update files will be downloaded and
made available to client computers.
Software Updates Supersedence
Supersedence is when a new software update contains the same fixes that were in a
previously released software update. In the past, new and previously released software
updates, which contained the same fix, might have both been marked as required when
the only one that was necessary was the newer software update.
In Configuration Manager 2007, software updates uses the Windows Update Agent which
partially addresses the issue of supersedence. When new software updates are released
that contain fixes for previously released updates, Microsoft Update is refreshed with
information relating to the new software update and any software updates that it
supersedes. As client computers scan for software update compliance, any required
software updates that supersede previous updates are returned with compliance state but
the previously released software updates are not returned. The exception to this is when a
Service Pack contains a required software update. The Windows Update Agent returns
both the software update and the service pack with a required compliance state. This
provides administrators with the flexibility to deploy individual software updates or full
service packs.
Deploying Software Updates
Software updates are deployed to client computers using the Deploy Software Updates
Wizard, much as they are in SMS 2003, but new objects have been introduced and there
have been changes to the deployment process. The following sections briefly describe
these changes.
Deployments
Configuration Manager 2007 no longer uses advertisements for delivering software
updates. Software update deployments are now used as the vehicle that delivers software
updates to client computers. The deployment properties contain the relevant information
about the software updates in the deployment, the target collection, the settings that
impact client behavior when running the deployment, the deployment schedule settings,
and so on. When a deployment is created, client computers receive it as part of the
Configuration Manager policy. For more information, see About Software Update
Deployments.


Deployment Packages
Deployment packages are used to host the files for the software updates in a deployment,
much like software distribution packages. The main difference is that the
deployment package is used to get the files to the distribution points, but once that
process completes, client computers will access the software update files from any
package shared folder on any distribution point regardless of whether the package was
defined in the deployment that targeted the client. When the client computer receives a
new deployment, it determines where the software update files are located, independent
of the deployment, and installs from the preferred location. For more information, see
About Deployment Packages in Software Updates.
Selective Download
Configuration Manager 2007 provides selective download technology. This technology
allows a deployment package to contain a large number of files, but client computers will
retrieve only the files that are required. For example, if a client receives a deployment
that contains ten software updates but only two of them are required on the client
computer, the client will connect to the distribution point and download only the files that
it needs.
Deployment Templates
Deployment templates provide the ability to save a set of deployment properties for use
in future software update deployments. When a deployment template is used in creating a
new deployment, it populates the deployment with the preconfigured properties. This
provides consistency among deployments with similar requirements and saves a lot of
administration time. For more information, see About Deployment Templates in Software
Updates.
Update Lists
Update lists provide the ability to initiate a deployment for a set of software updates
contained in the list. Using the update list provides several benefits when deploying and
monitoring software updates and is, therefore, part of the recommended software updates
workflow. Update lists allow administrators to create a deployment from the update list
instead of manually selecting the set of updates every time a new deployment is created.
They allow administrators to use reports for specific update lists to monitor the
compliance for the software updates and help to troubleshoot updates contained in the
list. Update lists also allow administrators to create update lists with approved updates,
and then delegate the responsibility to deploy the update lists. For more information, see
About Update Lists in Software Updates.
Network Access Protection
Network Access Protection (NAP) is a policy enforcement platform built into the
Microsoft Windows Vista and Windows Server 2008 operating system that allows you to
better protect network assets by enforcing compliance with system health requirements.
Configuration Manager 2007 provides Network Access Protection as a new feature,
which lets you include software updates in your system health requirements.
Configuration Manager NAP policies define which software updates to include, and a
Configuration Manager System Health Validator point passes the client's compliant or
non-compliant health state to the Network Policy Server. The Network Policy Server then
determines whether the client has full or restricted network access, and whether
non-compliant clients will be brought into compliance through remediation.
For more information, see Network Access Protection in Configuration Manager.
Upgraded Administrators Do Not Have Access to New Software Updates Objects
After upgrading, the user who ran the upgrade has access to all of the objects in the
Configuration Manager 2007 console but existing administrators have access only to
objects that existed prior to upgrade. This is true even for software updates objects. Users
who had full rights to all SMS 2003 software updates objects will have full rights to the
same objects in Configuration Manager 2007 but will not have any rights to new software
updates object types, such as update lists and deployment templates.
Software Updates Reporting
The predefined software updates reports and underlying software updates SQL Server
views have been modified in Configuration Manager 2007 to work with the new software
updates infrastructure. During a site upgrade, the Systems Management Server 2003
reports are migrated, but they might fail to run or retrieve the expected data. Most of the
software updates reports use state messages sent from client computers, not hardware
inventory results, to report on the state for compliance or for a process. Several new
reports have been created to support software updates in Configuration Manager and are
grouped in the following categories:
Software Updates - A. Compliance
Software Updates - B. Deployment Management
Software Updates - C. Deployment States
Software Updates - D. Scan
Software Updates - E. Troubleshooting
Software Updates - F. Distribution Status
For a complete list of the software updates reports, see Software Updates Reports.


What's New in Software Metering for Configuration Manager


The software metering feature in Configuration Manager 2007 introduces a number of
changes from the version found in Systems Management Server 2003.
The following section lists some new features found in Configuration Manager 2007
software metering:
Automatic Software Metering Rule Generation
Configuration Manager 2007 allows you to configure software metering to automatically
generate disabled software metering rules from recent usage inventory data held in the
Configuration Manager 2007 database. This feature can be configured so that only
applications used on a specified percentage of computers will have metering rules
created. You can also specify the maximum number of automatically generated software
metering rules allowed on the site.
What's New in the Configuration Manager Console
The administrator console has been updated for Microsoft System Center Configuration
Manager 2007. Several key features now have home pages that summarize information
about that feature, including graphs and reports that you can access from the home page.
The following section lists some new features in the Configuration Manager 2007
console.
Multithreaded Console Operation
In SMS 2003, the SMS Administrator console was single threaded and you could be
blocked from completing actions in one snap-in while an action completed, so it was
useful to connect multiple times to the same site in one MMC window and then switch
between them as needed.
In Configuration Manager 2007 you can connect only one time to the same site in an
MMC window, but because the Configuration Manager 2007 console is multi-threaded, it
can perform several actions simultaneously, eliminating the need to switch when an
action is running.
Drag and Drop
It is now possible in Configuration Manager 2007 to drag some objects to other objects.
For example, you can drop a program onto a collection to create an advertisement.
Administration Feature Pack Integration
The Transfer Site Settings Wizard and Manage Site Accounts tool were available as part
of the Administration Feature Pack for SMS 2003 but in Configuration Manager 2007
they are installed by default.
To run the Transfer Site Settings Wizard

In the Configuration Manager console navigate to System Center Configuration
Manager / Site Database / Site Management / <site code> - <site name>.
Right-click <site code> - <site name> and then click Transfer Site Settings.
Note
You can also start the wizard by right-clicking the Collections or Packages nodes.

After you have exported an XML file from the Transfer Site Settings Wizard, you can use
the command line version of the Transfer Site Settings Wizard, Replstcfg.exe, to import
or transfer settings to a different site. Replstcfg.exe is located in
<ConfigurationManagerInstallDirectory>\AdminUI\bin.
Note
In Configuration Manager 2007 if you need to transfer settings to a site in an untrusted
forest, you must either log on with an account that exists in both forests with the same
user name and password, or you must export the settings from the first site and then
import, but not transfer, the settings on the destination site. The user name and password
options available in the SMS 2003 command line tool have been removed so it is no
longer possible to transfer the settings to an untrusted forest with Replstcfg.exe.
You can use the Manage Site Accounts tool (MSAC.exe) through the command-line
interface to quickly and easily update, create, verify, delete, and list user-defined
Windows accounts for your Configuration Manager 2007 sites. The Manage Site
Accounts tool is located in <ConfigurationManagerInstallDirectory>\AdminUI\bin.
Folder Replication
When you create a folder in a parent site, it automatically replicates to the child sites.
New Wizards for Object Creation
Several new wizards have been added to facilitate object creation.
