Secondary Sites
A secondary site has no Configuration Manager 2007 site database. It is attached to and
reports to a primary site. The secondary site is managed by a Configuration Manager
2007 administrator running a Configuration Manager 2007 console that is connected to
the primary site.
The secondary site forwards the information it gathers from Configuration Manager 2007
clients, such as computer inventory data and Configuration Manager 2007 system status
information, to its parent site. The primary site then stores the data of both the primary
and secondary sites in the Configuration Manager 2007 site database.
The advantages of using secondary sites are that they require no additional Configuration
Manager 2007 server license and do not require the overhead of maintaining an
additional database. Secondary sites are managed from the primary site they are connected
to, so they are frequently used in locations with no local administrator present. The disadvantage
of secondary sites is that they must be attached to a primary site and cannot be moved to
a different primary site without deleting and recreating the site. Also, secondary sites
cannot have sites beneath them in the hierarchy.
Parent Sites
A parent site is a primary site that has one or more sites attached to it in the hierarchy.
Only a primary site can have child sites. A secondary site is always a child site. A parent
site contains pertinent information about its lower level sites, such as computer inventory
data and Configuration Manager 2007 system status information, and can control many
operations at the child sites.
Child Sites
A child site is a site that is attached to a site above it in the hierarchy. The site it reports to
is its parent site. A child site can have only one parent site. Configuration Manager 2007
copies all the data that is collected at a child site to its parent site. A child site is either a
primary site or a secondary site.
Central Site
A central site has no parent site. Typically, a central site has child and grandchild sites and
aggregates all of their client information to provide centralized management and
reporting. A site with no parent and no child site is still called a central site although it is
also referred to as a standalone site.
Site Systems
Each site contains one site server and one or more site systems. The site server is the
computer where you install Configuration Manager 2007 and it hosts services required
for Configuration Manager 2007. A site system is any computer running a supported
version of Windows or a shared folder that hosts one or more site system roles. A site
system role is a function required to use Configuration Manager 2007 or to use a feature
of Configuration Manager 2007. Multiple site roles can be combined on a single site
system, including running all site roles on the site server, but this is usually appropriate
only for very small and simple environments.
The following table gives a brief description of each site system role and states
whether the role is required.
Site server
The role assigned to the server on which Configuration Manager 2007 Setup has been
run successfully.
Yes. Every site must have exactly one site server role.
Site database server
The role assigned to the computer running Microsoft SQL Server and hosting the
Configuration Manager 2007 site database. You can use only Microsoft SQL Server 2005,
Standard or Enterprise Edition to host the site database. SQL Server 2005 Express is not a
supported SQL Server 2005 version for hosting the site database.
Every primary site requires a site database server role, but secondary sites do not.
Configuration Manager console
Any computer running the Configuration Manager console.
No. The Configuration Manager console is automatically installed by default on primary
site servers during Setup. You can install additional Configuration Manager consoles on
remote computers, for example the workstation of the Configuration Manager
administrator. However, some organizations write their own user interface using the
Configuration Manager software developer kit (SDK) and never use the Configuration
Manager console.
SMS Provider computer
The Configuration Manager console does not access the database directly but instead
uses Windows Management Instrumentation (WMI) as an intermediary layer. The SMS
Provider is the WMI Provider for Configuration Manager.
Yes, for primary sites. When you install a primary site, you select which computer will
host the SMS Provider, usually the site server or the site database server.
Component server
Any computer hosting a Configuration Manager 2007 site role that requires installing
special Configuration Manager 2007 services.
The only site system role that does not require the installation of a special Configuration
Manager 2007 service is the distribution point.
Distribution point
A site system role that stores packages for clients to install.
Required for the following features: software distribution, software updates, and
advertised task sequences.
Fallback status point
A site system role that gathers state messages from clients that cannot install properly,
cannot assign to a Configuration Manager 2007 site, or cannot communicate securely
with their assigned management point.
Not required, but very helpful to troubleshoot issues with clients.
Management point
The site system role that serves as the primary point of contact between Configuration
Manager 2007 clients and the Configuration Manager 2007 site server.
Every site with intranet clients must have one default management point, though the
default management point might be a cluster of several site systems configured as
management points.
PXE service point
A site system role that has been configured to respond to and initiate operating system
deployments from computers whose network interface card is configured to allow PXE
boot requests.
Required only for operating system deployment using PXE boot requests.
Reporting point
A site system role that hosts the Report Viewer component for Web-based reporting
functionality.
Required only to use the reporting feature. Reports are often helpful when diagnosing
client issues.
Server locator point
A site system role that locates management points for Configuration Manager 2007
clients.
Required for some client deployment scenarios.
Software update point
A site system role assigned to a computer running Microsoft Windows Server Update
Services (WSUS).
Required only for the software update feature.
State migration point
A site system role that stores user state data while a computer is being migrated to a new
operating system.
Required for operating system deployment when migrating user state.
System Health Validator point
The site system role assigned to a computer running Network Policy Server.
Required only for the Configuration Manager 2007 Network Access Protection feature.
Site Communications
Clients communicate with site systems hosting site system roles. Site systems
communicate with the site server and with the site database. If there are multiple sites
connected in a hierarchy, the sites communicate with their parent, child, or sometimes
grandchild sites.
Sites are typically configured so that the clients and site systems have fast connectivity
with each other, usually LAN-speed. However, Configuration Manager 2007 also
supports clients that move between sites, mobile devices that connect over the cellular
network, clients that connect to the organization's network through dial-up or virtual
private networks (VPN), and clients that connect to the Internet but don't connect directly
into the organization's network.
Site Boundaries
Configuration Manager 2007 uses boundaries to determine when clients and site systems
are in the site and outside of the site. Boundaries can be IP subnets, IP address ranges,
IPv6 prefixes, and Active Directory sites. Two sites should never share the same
boundaries. Assigning the same IP subnet, IP address range, IPv6 prefix or Active
Directory site to two different sites makes it difficult to determine which clients should be
managed in the site.
The Configuration Manager 2007 administrator configures each boundary in the site to be
either a fast or slow boundary, depending on the connection speed. If a client computer is
connected to a fast boundary, such as a 10 Mbps local area network (LAN), it might
install software, but if the client computer is connected to a slow boundary, such as a
dial-up network or a wireless network, it might install the software differently, or might
not install the software at all. If the client computer connects to a boundary in a different
site, Configuration Manager 2007 might be able to determine a closer source for installing
the software.
Site-to-Site Communications
When you have separate sites, Configuration Manager 2007 uses senders to connect the
two sites. Senders have sender addresses that help them locate the other site. When
sending data between sites, senders provide fault tolerance and bandwidth management.
For example, if the link between two sites goes down, the sender will attempt to
reestablish the connection and resume sending where it was interrupted. If you want the
sender to use only a certain percentage of the available bandwidth, you can configure the
sender address to restrict how much bandwidth Configuration Manager 2007 uses at
certain times of day. You can also configure the sender address to be available for only
high-priority Configuration Manager 2007 communication at certain times of day, or to
be completely unavailable during specified times.
While there are several business, political, and security reasons you might have more
than one site, you typically install multiple sites when you need to cross a slow link,
because the senders let you manage how you use the slow link.
Intra-site Communications
When Configuration Manager 2007 components that are within the site boundaries
communicate with each other, they use either server message block (SMB), HTTP, or
HTTPS, depending on various site configuration choices you make. Because all of these
communications are unmanaged, that is, they happen at any time with no consideration
for bandwidth consumption, it is beneficial to make sure these site elements have fast
communication channels.
Microsoft supports running an embedded version of Windows on devices that are not
traditional desktop, laptop, or server computers. For example, Windows XP Embedded
can be installed on automated teller machines or medical devices. Configuration Manager
2007 components can be installed by the manufacturer on these devices along with the
embedded operating system. Devices support many but not all of the features supported
by standard clients.
Throughout the documentation, the term client is used to refer to all clients that run the
Configuration Manager 2007 client components, while client computer is used to refer to
servers, desktops, and laptops.
Discovering Clients
Configuration Manager 2007 has the ability to discover resources on the network using
several different discovery mechanisms. The following table describes the available
discovery methods.
Discovery Method Description
Active Directory System Discovery
Retrieves details about the computer, such as computer name, Active Directory container
name, IP address, and Active Directory site.
Active Directory System Group Discovery
Cannot discover a computer that has not already been discovered by another method. If a
resource has been discovered and is assigned to the site, Active Directory System Group
Discovery extends other discovery methods by retrieving details such as organizational
unit, global groups, universal groups, and nested groups.
Active Directory User Discovery
Retrieves information about user accounts created in Active Directory.
Active Directory Security Group Discovery
Retrieves security groups created in Active Directory.
Heartbeat Discovery
Refreshes Configuration Manager client computer discovery data in the site database.
Unlike the other methods, this method works only on computers that already have the
Configuration Manager 2007 client installed.
Network Discovery
Searches the network for resources that meet a specific profile. Network discovery can
discover resources that are:
Listed in a router's ARP cache for a specified network subnet
Running an SNMP agent and configured for a specified community
Configured as Microsoft DHCP clients
Each discovery method creates data discovery records (DDRs) for resources and sends
them to the site database, even if the discovered resource is not capable of being a
Configuration Manager 2007 client. For example, Network Discovery might discover
routers and printers, which could be helpful for tracking purposes, but those devices will
not actually be managed by Configuration Manager 2007. Mobile devices cannot be
discovered until the mobile device client is installed. Computers running ActiveSync (for
Windows XP clients) or Mobile Device Center (for Vista clients) to synchronize with
mobile devices can be discovered and targeted to install the mobile device client on
connected mobile devices.
Note
All resources for which DDRs have been created show up in the Configuration Manager
2007 console under the following part of the tree: Configuration Manager / Site
Database / Computer Management / Collections / All Systems.
While it is possible to discover resources but never install a single client, usually
discovery is related to locating potential clients either prior to or as part of installing the
client software that makes a computer manageable by Configuration Manager 2007.
Active Directory User Discovery and Active Directory Security Group Discovery allow
you to target software distribution packages to users and groups instead of computers.
Installing the Client Components
Configuration Manager 2007 provides several options for installing the client software.
The following table lists the client computer installation methods.
Client Computer Installation Method Description
Software update point installation
Uses the Automatic Update configuration of a client to direct the client computer to a
WSUS computer configured as a Configuration Manager 2007 software update point.
The client computer installs the Configuration Manager 2007 client software as though it
was a software update.
Client push installation
Uses an account with administrative rights to access the client computers and install the
Configuration Manager 2007 client software. This method requires File and Print sharing
and the related ports to be enabled on the client computer.
Manual client installation
A user with administrative rights can install the client software by running CCMSetup on
the client computer. A variety of switches modify the installation options.
Group Policy installation
Uses Group Policy software installation to install CCMSetup.msi.
Imaging
The client software can be added to an image, including images created and deployed
with Configuration Manager 2007 operating system deployment.
Software Distribution
Existing clients can be upgraded or redeployed using Configuration Manager 2007
software distribution.
Mobile devices use different installation methods. A client computer that synchronizes
with a mobile device can be targeted to install the mobile device client the next time the
device is docked. Mobile devices can also install the client software from a memory card.
Client Assignment
Clients must be assigned to a site before they can be managed by that site. Clients can be
assigned to a site during installation or after installation. Assigning a client involves
either telling it a specific site code to use, or configuring the client to automatically assign
to a site based on boundaries. If the client is not assigned to any site during the client
installation phase, the client installation phase completes, but the client cannot be
managed by Configuration Manager 2007.
Clients cannot be assigned to secondary sites; they are always assigned to the parent
primary site, but can reside in the boundaries of the secondary site, taking advantage of
any proxy management points and distribution points at the secondary site. This is
because clients communicate with management points and management points must
communicate with a site database. Secondary sites do not have their own site database;
they use the site database at their parent primary site.
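The boundary rules (no two sites share a boundary; each boundary is fast or slow) and the assignment rule for secondary sites above can be checked mechanically. The following Python script is an added illustration, not code from Microsoft or from Configuration Manager: the site codes CEN, PRI and SEC, the boundary values and the Boundary/Site classes are constructed for the example. It flags boundaries shared by two different sites and resolves a client address to the site it would be auto-assigned to, walking up from a secondary site to its parent primary site.

```python
"""Added illustration of Configuration Manager 2007 boundaries and client site
assignment.  Not Microsoft's code: the site codes, the boundary values and the
Boundary/Site classes below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Site:
    code: str
    kind: str               # "primary" or "secondary"
    parent: Optional[str]   # None for the central site


@dataclass(frozen=True)
class Boundary:
    site_code: str
    kind: str    # "subnet", "range", "ipv6prefix" or "adsite"
    value: str   # e.g. "10.2.0.0/24", "10.1.0.1-10.1.255.254", "2001:db8:2::/48", "HQ-Site"
    speed: str   # "fast" or "slow", as configured by the administrator

    def span(self) -> Optional[Tuple[int, int, int]]:
        """(IP version, first address, last address) as integers; None for AD sites."""
        if self.kind in ("subnet", "ipv6prefix"):
            net = ipaddress.ip_network(self.value, strict=False)
            return net.version, int(net.network_address), int(net.broadcast_address)
        if self.kind == "range":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"malformed address range {self.value!r}")
            return lo.version, int(lo), int(hi)
        return None

    def contains(self, addr) -> bool:
        """True if an IPv4/IPv6 address falls inside this boundary (never for AD sites)."""
        span = self.span()
        if span is None:
            return False
        version, lo, hi = span
        return addr.version == version and lo <= int(addr) <= hi

    def overlaps(self, other: "Boundary") -> bool:
        """True if two boundaries cover a common address or name the same AD site."""
        if self.kind == "adsite" or other.kind == "adsite":
            return (self.kind == other.kind
                    and self.value.casefold() == other.value.casefold())
        a, b = self.span(), other.span()
        return a[0] == b[0] and a[1] <= b[2] and b[1] <= a[2]


# Constructed hierarchy: a central site, one child primary and one secondary under it.
SITES = {
    "CEN": Site("CEN", "primary", None),
    "PRI": Site("PRI", "primary", "CEN"),
    "SEC": Site("SEC", "secondary", "PRI"),
}

# Constructed boundaries.  The last one deliberately overlaps PRI's range to
# show the misconfiguration the text warns about.
BOUNDARIES = [
    Boundary("CEN", "subnet", "10.0.0.0/16", "fast"),
    Boundary("PRI", "range", "10.1.0.1-10.1.255.254", "fast"),
    Boundary("PRI", "adsite", "HQ-Site", "fast"),
    Boundary("SEC", "subnet", "10.2.0.0/24", "slow"),   # branch office behind a slow WAN link
    Boundary("SEC", "ipv6prefix", "2001:db8:2::/48", "fast"),
    Boundary("CEN", "range", "10.1.200.0-10.1.200.255", "fast"),  # clashes with PRI's range
]


def shared_boundaries(boundaries):
    """Pairs of boundaries belonging to different sites that overlap.
    Any pair returned means two sites would compete for the same clients."""
    found = []
    for i, a in enumerate(boundaries):
        for b in boundaries[i + 1:]:
            if a.site_code != b.site_code and a.overlaps(b):
                found.append((a, b))
    return found


def assignment_site(site_code, sites=SITES):
    """Clients are never assigned to a secondary site; walk up to the nearest primary."""
    code = site_code
    while sites[code].kind == "secondary":
        code = sites[code].parent
    return code


def auto_assign(client_address, boundaries=BOUNDARIES, sites=SITES):
    """Resolve a client's address to (assigned site, boundary's site, boundary speed).
    Returns None when the client is outside every boundary: the installation
    completes but the client cannot be managed until it is assigned."""
    addr = ipaddress.ip_address(client_address)
    for b in boundaries:
        if b.contains(addr):
            return assignment_site(b.site_code, sites), b.site_code, b.speed
    return None


if __name__ == "__main__":
    for a, b in shared_boundaries(BOUNDARIES):
        print(f"boundary conflict: {a.site_code} {a.value} overlaps {b.site_code} {b.value}")
    for ip in ("10.0.5.5", "10.2.0.77", "2001:db8:2::10", "192.168.1.1"):
        print(ip, "->", auto_assign(ip))
```

A client inside the secondary site's slow boundary is assigned to PRI but served from SEC, which is the arrangement the paragraph above describes.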
Authenticating Clients
Before Configuration Manager 2007 trusts a client, it requires some manner of
authentication. In mixed mode, clients must be approved, either by manually approving
each client or by automatically approving all clients or all clients in a trusted Windows
domain. In native mode, clients must be issued client authentication certificates prior to
installing the Configuration Manager 2007 client software.
Blocking Clients
If a client computer is no longer trusted, the Configuration Manager administrator can
block the client in the Configuration Manager 2007 console. Blocking applies to both
native mode and mixed mode sites. Blocked clients are ignored by the Configuration
Manager 2007 infrastructure. This is especially useful for laptop computers that are lost
or stolen, to help prevent attackers from using a trusted client to attack the site or the
network.
Client Agents
Client agents are Configuration Manager 2007 components that run on top of the base
client components. If you install only the Configuration Manager Client without enabling
any client agents, Configuration Manager 2007 cannot manage anything about the client.
Every client agent that you enable lets you use a different feature of Configuration
Manager 2007. You can configure the client agents to suit your environment. The
following table describes the client agents in Configuration Manager 2007.
Client Agent Description
Computer Client Agent Properties
Configures how often client computers retrieve the policy that gives them the rest of
their configuration settings. For example, after you configure the other client agent
settings, Configuration Manager puts those settings into policy and sends them to the
management point and client computers poll for them on the schedule you configure.
This agent also controls settings that are common to several Configuration Manager
features like how often users are prompted with reminders and what customized
organization names users see with the reminders.
Device Client Agent Properties
Configures all of the properties specific to mobile device clients. Mobile device clients
have settings for software distribution, software inventory, hardware inventory, and file
collection. This agent also controls the polling interval used by mobile device clients.
Hardware Inventory Client Agent
Enables and configures the agent that collects a wide variety of information about the
client computer. Information about the computer hardware is most commonly collected,
but you can inventory any information stored in the Windows Management
Instrumentation (WMI) repository of the computer, such as registry keys. You can
configure how often the client computer takes inventory.
Software Inventory Client Agent
Enables and configures which files Configuration Manager inventories and collects.
Copies of collected files are stored in the Configuration Manager database.
Advertised Programs Client Agent
Enables and configures the software distribution feature.
Desired Configuration Management Client Agent
Enables the client agent that evaluates whether computers are in compliance with
configuration baselines that are assigned to them. You can also configure the default
compliance evaluation schedule for assigned configuration baselines.
Remote Tools Client Agent
Enables Configuration Manager remote control and configures Configuration Manager
integration with Remote Assistance.
Network Access Protection Client Agent
Enables Configuration Manager Network Access Protection and configures how client
computers are evaluated for compliance by the Windows Network Policy Server. If client
computers are not in compliance with the configured policies, for example if they do not
have specified software updates, NAP can prevent the client computers from accessing
network resources until they complete remediation measures. Configuring this client
agent without proper planning and deployment can prevent your client computers from
accessing the network.
Software Metering Client Agent
Enables the agent that monitors which software is run and how often and configures how
often software metering data is collected.
Software Updates Client Agent
Enables the agent that scans for and installs software updates on client computers. This
agent allows you to configure how often clients are re-evaluated for software updates that
were previously installed. Before you can use the software update feature, you must also
install Windows Server Update Services (WSUS) and configure a software update point.
There is no client agent for operating system deployment.
based. Query based collections are very powerful because they can group any resources
together based on criteria. For example, if you want to deploy Microsoft Office 2007 only
to computers with 1 GB of free disk space and 1 GB of RAM, you can create a collection
that uses a query against the Configuration Manager 2007 inventory information in the
database.
Inventory
You can configure Configuration Manager 2007 to inventory hardware and software on
Configuration Manager 2007 clients. Hardware inventory gives you system information
(such as available disk space, processor type, and operating system) about each computer.
You can configure the information returned in hardware inventory by modifying the
SMS_def.mof file. The software inventory agent gives you information such as inventoried
file types and versions present on client computers. Software inventory alone just returns
lists of file types, but combining software inventory with the information in the Asset
Intelligence knowledge base allows you to create reports on which applications are used
in your environment. Software inventory can also collect copies of files in the database,
but this is recommended only for small files that do not change very often.
Queries
The query feature in Configuration Manager 2007 uses WBEM query language (WQL) to
query the site database. Query results are returned in the Configuration Manager 2007
console, where they can be exported using the MMC export list feature. Queries can also
be used to create collections of resources that meet the query criteria.
Reporting
Reporting is a supporting feature to many other Configuration Manager 2007 features.
Reports are returned in Web pages in the browser. Programming is not required, but
knowledge about creating SQL queries is extremely helpful. With reporting you can
create reports that show the inventory you have collected or the software updates
successfully deployed. You can also create dashboards, which combine several different
views of information. Several pre-created reports are available to support common
reporting scenarios. For more information about the reports provided for each feature, see
the feature documentation.
Software distribution
Software distribution allows you to push just about anything to a client computer.
Packages in software distribution can contain source files to deploy software applications
and commands called programs that tell the client what executable file to run. A single
package can contain multiple programs, each configured to run differently. Packages can
also contain command lines to run files already present on the client, without actually
containing additional source files.
Important
Configuration Manager 2007 can cause any executable file to run on the client, however
it is important to understand that Configuration Manager 2007 does not actually package
the executables or source files. Configuration Manager 2007 is like the delivery man; it
gets the software or the command to the client, but the command must be able to run on
the client independently of Configuration Manager 2007. If the software or command
cannot run without Configuration Manager 2007 software distribution, it will never run
with software distribution.
Configuration Manager 2007 uses advertisements to specify which collections receive the
program and the package.
Software updates
The software updates feature provides a set of tools and resources that can help manage
the complex task of tracking and applying software updates to client computers in the
enterprise. The software updates feature in Configuration Manager 2007 requires a
Windows Server Update Services (WSUS) server to be installed and uses it to scan the
client computers
for applicable software updates. The administrator views which updates are needed in the
environment and creates packages and deployments containing the source files for the
software updates. Clients then install the software updates from distribution points and
report their status back to the site database.
Software metering
Software metering enables you to collect and report software program usage data. The
data provided by these reports can be used by many groups within the organization such
as IT and corporate purchasing.
Software metering in Configuration Manager 2007 supports the following scenarios:
Identify which software applications are being used, and who is using them.
Identify the number of concurrent usages of a specified software application.
Identify actual software license requirements.
Identify redundant software application installations.
Identify unused software applications which could be relocated.
Wake On LAN
The Wake On LAN feature helps achieve a higher success rate for scheduled
Configuration Manager 2007 activities, reduces the associated network traffic during
business hours, and helps organizations conserve power by not requiring computers to
be left on for maintenance outside business hours.
Wake On LAN in Configuration Manager 2007 supports the following scenarios:
Sending a wake-up transmission prior to the configured deadline for a software update
deployment.
Sending a wake-up transmission prior to the configured schedule of a mandatory
advertisement, which can be for software distribution or a task sequence.
Security Modes
There are two security modes in Configuration Manager 2007.
Native mode is the recommended site configuration for new Configuration Manager 2007
sites because it offers a higher level of security by integrating with a public key
infrastructure (PKI) to help protect client-to-server communication. PKIs can help
companies meet their security and business requirements, but they must be carefully
designed and implemented to meet the current and future needs. Installing a PKI solely to
support Configuration Manager 2007 operations could fulfill certain short term goals but
could hamper a more extensive PKI rollout to support other applications at a later time. If
your organization already has a well-designed, industry-standard PKI, Configuration
Manager 2007 should be able to use certificates from the existing PKI.
Important
Native mode requires extensive planning and lab testing prior to implementation. If the
PKI infrastructure is not implemented properly to support Configuration Manager 2007,
the whole site could stop functioning. Do not implement native mode in a production
environment without thoroughly understanding the requirements.
While native mode is the most secure mode available in Configuration Manager 2007,
mixed mode can be considered adequate security for many organizations and requires
less administrative overhead. Mixed mode is the default when upgrading from an existing
Systems Management Server (SMS) 2003 site and provides backwards compatibility for
hierarchies that have both SMS 2003 sites and Configuration Manager 2007 sites. It is
possible to install with mixed mode and then migrate to native mode later. It is also
possible to revert to mixed mode from native mode. Both migrating and reverting require
thorough planning prior to implementation.
Native mode sites cannot report to mixed mode sites. When migrating from mixed mode
to native mode, always convert the central site first and then work down.
Internet-based Clients
Computers that connect to the organization's network using VPN or dial-up technology
can be managed as regular Configuration Manager 2007 clients. Computers that connect
to the Internet but never connect to the organization network can be configured as
Internet-based clients. Internet-based clients can belong only to native mode sites.
Managing Internet-based clients requires carefully planning where site systems will be
located. For example, you could put management points and distribution points in your
perimeter network, or you could allow Internet-based clients to traverse your firewall to
access site systems inside your organization's network, or you could create a separate site
in the perimeter network just to support Internet-based clients.
Privacy
While network management products let you effectively manage large numbers of
clients, you must also be aware of ways that this software affects the privacy of users in
your organization. Configuration Manager 2007 includes many tools to gather data and
monitor client computers, some of which could raise privacy concerns.
For example, when you deploy the Configuration Manager 2007 client, you enable client
agents so you can use Configuration Manager 2007 features. The settings you use to
configure the features apply to all clients in the site, regardless whether they are directly
connected to the corporate network, connected through a remote session, or connected to
the Internet but supported by the site. Client information is stored in the database and is
not sent back to Microsoft. Before implementing Configuration Manager 2007, consider
your privacy requirements.
Configuration Manager Accounts and Groups
Configuration Manager 2007 uses the Local System account for most site operations.
Certain configurations might require creating and maintaining additional accounts.
Several default groups and SQL Server roles are created during Setup, but you might
have to manually add computer or user accounts to these default groups and roles.
Understanding Configuration Manager Operations
Microsoft System Center Configuration Manager 2007 interacts with many servers, client
computers, and client devices, using a variety of files, services, and database operations.
If any of these complex interactions are disrupted, features will not function as expected.
Configuration Manager 2007 includes some mechanisms to monitor site operations and
some tools to troubleshoot problems when they arise.
Maintaining Configuration Manager Site Operations
Most site operations are the result of services, files, and the site database working
together. For example, when you make a change to a site setting, a service called
Hierarchy Manager writes a change to a delta file. The Site Control Manager service
takes the changes from the delta file to the site control file, which contains all of the site
settings. Hierarchy Manager then makes the configuration change in the database. If there
are parent or child sites, Site Control Manager interacts with other services to send the
site settings up or down the hierarchy. Many of these site processes are documented in the
technical flow charts included in the Configuration Manager Documentation Library.
Status Messages
Most of the time, site operations just work and need no intervention. To monitor
operations, most services, including client services, generate status messages.
Informational and success status messages indicate that the site is performing as
expected. Error and Warning status messages indicate that problems exist. The status
messages often contain troubleshooting information like possible causes and solutions.
You can view status messages in the Configuration Manager console using the Status
Message Viewer. You can also run queries for status messages in the database. For more
information about status messages, see Using Status Messages for Configuration
Manager Troubleshooting.
Log Files
In addition to generating status messages, Configuration Manager services write more
detailed information about every action to log files. You can view the log files with any
text editor. Interactive flow charts will be available for many features on the
Configuration Manager TechCenter and provide samples of log file entries.
State Messages
Configuration Manager 2007 also uses state messages, which are different from status
messages, to track the current state of some site operations. Unlike status messages, there
is no viewer for state messages. All state messages are viewed using reports. More
information about using state messages to monitor site operations is included in the
features that use state messages.
Routine Maintenance
Routine monitoring operations for the site consist primarily of checking status messages,
file backlogs, and key log files. Some database tasks are automated and configurable in
the Configuration Manager console. For more information, see Predefined Maintenance
Tasks. To facilitate administration, you can use monitoring software like System Center
Operations Manager to alert you to conditions that could compromise optimal site
operations.
Because Configuration Manager 2007 uses Microsoft SQL Server as the back-end
database, you might also need to perform routine SQL Server maintenance. It is helpful
to have resources in your organization who understand SQL Server administration.
Backup and Recovery
Like any enterprise software, your site should be backed up to provide recoverability in
case of unexpected events. Backing up a Configuration Manager 2007 site involves
backing up the database, the file system, and the registry all at the same point in time -
backing up just one of these elements is not sufficient to restore a working site.
Configuration Manager 2007 uses the Volume Shadow Copy Service (VSS) to take small,
frequent snapshots of the necessary components, making it easier to restore a failed site.
The Site Repair Wizard walks you through the necessary steps to complete the site
recovery.
Example Scenarios for Configuration Manager 2007
This scenario demonstrates how data moves within a Microsoft System Center
Configuration Manager 2007 site for software distribution.
The accounting department has just purchased a new line-of-business application and
wants it installed on all accounting computers as soon as possible. Kim uses the software
distribution feature of Configuration Manager 2007 to send the new software only to
computers in the accounting department based on their membership in an Active
Directory security group.
Kim enables Active Directory Security Group Discovery. Every day, Configuration
Manager 2007 queries Active Directory for all computers that are members of the
Accounting security group.
Kim creates a query in the Configuration Manager 2007 console to find all members of
the Accounting security group.
Kim creates a collection based on the query to find all members of the Accounting
security group. If the Active Directory administrator adds a new computer to the
Accounting security group, the next time Active Directory Security Group Discovery
runs it will add the new computer to the Configuration Manager 2007 database. The next
time the Accounting collection is evaluated, the query will find the new computer in the
database and it will be added to the collection.
Kim enables the Advertised Programs Client Agent, so that all clients in his site will be
able to receive software distribution packages.
Kim creates several distribution points in each site. If he configured only one per site, it
might not be able to service all of the clients in that site.
Kim creates a package for the accounting application. He configures the package to read
the source files from the CD and create a local copy of the package, because disks in his
office sometimes disappear without his permission.
The application has a tool to create a customized Windows Installer file that will install
the software with no user intervention and using all of the accounting department's
preferred defaults. Kim creates one program to run the customized Windows Installer and
he creates a second program to uninstall the accounting application, just in case. Both
programs are configured to run whether or not a user is logged on, and both will run with
administrative rights even if the logged-on user is not an administrator, including when
the client computer is running Windows Vista with User Account Control enabled.
The default package access accounts allow all users to read the package. Because only
accounting members should have access, Kim removes the Users package access account
and adds an account for the accounting group.
Kim copies the package to all distribution points in his site. He also copies the package to
all distribution points in all child sites because there are some members of accounting in
every site.
As soon as Kim completes the distribution point wizard, the site server immediately
begins copying the files to the distribution points in his site. Kim purposefully waited
until the end of the day to run the distribution point wizard so the network would be less
busy. The sender controls the bandwidth utilization to the child sites, so it doesn't matter
when Kim runs the distribution point wizard. The sender from the parent site copies the
package to the child site in small chunks and verifies each chunk before sending the next
one. After the entire package is successfully received at the child site, the child site server
copies the package to all distribution points in that site.
After Kim has verified in the package status that the package has been distributed to all of
his distribution points, he creates an advertisement. He configures the advertisement to
use the accounting package and the program to run the customized Windows Installer
file. He sets the advertisement to send the package and program to the accounting
collection. He configures the advertisement to run next Wednesday at 4 pm in the client's
time zone. He could have configured it to run at 4 pm UTC but some of the sites in other
countries don't have local administrators and Kim doesn't want to get troubleshooting
calls in the middle of the night if 4 pm in his site is midnight in a different site. Even
though the application is rather large, Kim configures the advertisement to run even if the
client computer is connected to a slow network boundary; this means that accounting
users who work from home and connect using a VPN will still have to install the
program. Kim makes a note to send out an e-mail to the home-based workers to let them
know the large package is coming.
After the software is installed, the client sends a status message indicating success.
Kim creates a report to show which clients have successfully installed the accounting
software.
Customizing Configuration Manager
Microsoft System Center Configuration Manager 2007 functionality can be automated
and extended by using the System Center Configuration Manager 2007 Software
Development Kit (SDK). The Configuration Manager SDK provides the necessary
information to administrators who want to automate Configuration Manager 2007
functionality and to developers who want to extend the base Configuration Manager
functionality.
The Configuration Manager SDK contains the documentation, samples and reference
material necessary to write applications that access and modify Configuration Manager
data. In addition, the SDK contains code samples in C# and VBScript to support various
Configuration Manager features.
Support for Configuration Manager Features
The following features of Configuration Manager 2007 are supported by the System
Center Configuration Manager 2007 Software Development Kit (SDK):
Configuration Manager Console Extension
Configuration Manager Asset Intelligence
Manager console. Boundaries can now be defined by IP subnets, Active Directory site
names, IPv6 Prefix, or IP ranges.
In SMS 2003, roaming boundaries were either local or remote roaming boundaries. When
creating Configuration Manager 2007 boundaries, you instead specify whether the boundary
will be used for a Slow or unreliable network connection or a Fast (LAN) network connection.
In SMS 2003, you could not upgrade from the evaluation version of the product to the
full version. Configuration Manager 2007 now supports upgrading from the evaluation
version.
In SMS 2003 the client push installation method properties used when installing clients
have the default site code set to Auto. In Configuration Manager 2007 the default site
code used when installing clients using the client push installation method is set to the
site code of the primary site.
In Configuration Manager 2007, state messages are sent by Configuration Manager 2007
clients, using a new messaging system built into the product that allows clients to send
"checkpoints" of important changes of state. State messages are not the same as status
messages; whereas status messages provide information about component behavior and
data flow, state messages provide a snapshot of the state of a process at a specific time.
Configuration Manager 2007 also includes support for fully qualified domain names
(FQDN) and IPv6.
What's New in Asset Intelligence for Configuration Manager
First introduced in SMS 2003 SP3, Asset Intelligence has been enhanced significantly in
Microsoft System Center Configuration Manager 2007. New reports have been added to
the Asset Intelligence Hardware, Software, and License Management categories.
In addition to tracking installed software, auto-start software, and browser helper objects,
new software reports provide information about recently used executables. As well as the
hardware reports that track USB devices, processor age, and readiness for upgrade, new
reports identify computers that have software or hardware changes since the last
inventory cycle. New Client Access License reports, added to the existing License Ledger
reports, complete the ability to compare license usage with Microsoft License Statements.
License Management Reports
Nine new license management reports have been added, providing the means to track
Client Access Licenses (CAL) in addition to the existing volume license reports. One of
these new reports identifies the number of processors in computers running software that
can be licensed using the per-processor licensing model. The remaining eight new reports
identify User CAL usage and Device CAL usage summaries, details, and history.
For more information, see License Management Reports.
Hardware Reports
Three new hardware reports help identify computers that have changed since the last
inventory cycle. The changes identified in these reports include both hardware and
software changes.
For more information, see Hardware Reports.
Software Reports
Six new software reports extend previous inventory capabilities by adding software
metering. These new reports identify recently used executables, which users ran them,
and the devices on which the executables were run.
For more information, see Software Reports.
What's New in Client Deployment for Configuration Manager
Client deployment in Microsoft System Center Configuration Manager 2007 introduces a
number of changes and new features designed to improve the ease and security of client
deployment, and to improve the identification of any problems using standard reports.
The following section details some of the new or improved features.
Checking for Site Compatibility to Complete Site Assignment
The improved functionality from SMS 2003 means that a Configuration Manager 2007
client will not work if it is assigned to a site running SMS 2003. To prevent this situation,
site assignment in Configuration Manager 2007 now includes a version check to ensure
compatibility between the client and its assigned site.
For site assignment to complete in Configuration Manager 2007, you must either extend
the Active Directory schema for Configuration Manager 2007 or clients must be able to
communicate with a server locator point in the hierarchy. Additionally, if you have
extended Active Directory but have clients from a separate forest, or clients from
workgroups, you will need a server locator point.
For more information, see About Client Assignment and Determine If You Need a Server
Locator Point.
Important
If a Configuration Manager 2007 client cannot complete the check for site compatibility,
site assignment will not succeed.
When CCMSetup installs the Configuration Manager 2007 client, it checks the
destination computer for the correct prerequisites required by your Configuration
Manager 2007 site. If these are not found, CCMSetup will install these before installing
the client.
For more information, see Prerequisites for Client Deployment.
Approval for Clients in Mixed Mode
A new procedure called approval helps to protect the security of a site in mixed mode.
Only clients that are approved will be sent policies that might contain sensitive data. You
should ensure that all client computers that you trust are approved with their assigned
site.
The default site setting for approval in Configuration Manager 2007 is to automatically
approve trusted computers. This means that in most circumstances you will not have to
manually approve many computers, unless they are from a separate Active Directory
forest or a workgroup. However, if your Configuration Manager 2007 spans multiple
domains, ensure that the site's default management point (or NLB management point) is
configured with an intranet fully qualified domain name (FQDN).
For more information, see About Client Approval and Determine If You Will Use FQDN
Server Names.
Client Blocking
If a client computer is no longer trusted, the Configuration Manager administrator can
block the client from the Configuration Manager infrastructure. Blocked clients are
rejected by Configuration Manager so that they cannot communicate with site systems to
download policy, upload inventory data, or send state or status messages to the site. This
action is especially useful for laptop computers or mobile devices that are lost or stolen,
to help prevent attackers from using a trusted client to attack the Configuration Manager
2007 site or the network. However, it does not replace the use of certificate revocation
checking if this is supported in a public key infrastructure (PKI) environment.
Fallback Status Point
The fallback status point is a new site system role in Configuration Manager 2007 that
receives state messages from client computers during the installation process, and if they
cannot connect to a management point. This information is then displayed in reports to
help you more easily identify computers that have failed to install the client software or
that cannot communicate with their site.
The fallback status point is not published to Active Directory Domain Services as a site
setting, so it must be assigned to clients during installation.
For more information, see About the Fallback Status Point and Determine If You Should
Install a Fallback Status Point.
Group Policy Based Installation and Assignment
Configuration Manager 2007 supports using Windows Group Policy to install or assign
the client software to computers in your enterprise. You can use this method to assign
new or existing clients to a Configuration Manager 2007 site. An administrative template
to perform site assignment is included on the Configuration Manager 2007 installation
media.
For more information, see How to Install Clients Using Group Policy and How to Assign
Clients to a Site.
Software Update Point Based Client Installation
Software update point based client installation is a new client deployment method
introduced in Configuration Manager 2007 that allows the administrator to publish the
latest version of the Configuration Manager 2007 client into the WSUS catalog. This
allows the latest client software to be installed using standard software update
deployment methods. One of the advantages of this installation method is that it does not
require local administrative rights on the target computer.
For more information, see Determine the Client Installation Method to Use and How to
Install Clients Using Software Update Point Based Installation.
Default Management Point Published to DNS
The most secure method for a client to find its default management point is through Active
Directory Domain Services. However, if this is not possible, either because Active
Directory is not extended or because clients are from a separate Active Directory forest
or a workgroup, DNS publishing offers a recommended alternative.
This configuration requires an entry in DNS that is added either automatically or
manually, and configuration on the client.
For more information, see Determine If You Need to Publish to DNS and Configuration
Manager and Service Location.
Uninstalling the Configuration Manager Client Software
The ccmclean.exe utility provided with SMS 2003 Toolkit 2 cannot be used to uninstall
the Configuration Manager 2007 client software. To successfully uninstall the
Configuration Manager 2007 client software you must use the CCMSetup.exe executable
together with the /uninstall property.
For more information, see How to Uninstall the Configuration Manager Client.
Client Network Access Account
The SMS 2003 client network access account is no longer used for client push
installations in Configuration Manager 2007.
For more information, see How to Install Clients Using Client Push.
Client Installation Properties Published in Active Directory
If you have extended the Active Directory schema for Configuration Manager 2007 and
the site is configured to publish to Active Directory Domain Services, a number of client
installation properties are published. These settings can remove the need to specify
CCMSetup command line properties under certain circumstances, such as when you
install the Configuration Manager 2007 client using software update point based
installation or use Group Policy installation.
For more information, see About Client Installation Properties Published in Active
Directory.
Provision Client Installation Properties Using Group Policy
You can use Windows Group Policy to provision client installation properties on
computers prior to installing the Configuration Manager 2007 client. When the client is
installed, these properties will be used if no other installation properties have been
specified. An administrative template to provision client computers with installation
properties is included on the Configuration Manager 2007 installation media.
For more information, see How to Provision Client Installation Properties using Group
Policy.
Low Rights Client Installation No Longer Supported
In SMS 2003, users without administrative rights to the computer could manually install
the SMS advanced client. These computers would then submit a CCR to the site server
which would initiate the installation. In Configuration Manager 2007, this feature is no
longer supported. You can install the Configuration Manager 2007 client on computers
logged on with non-administrator rights using the following methods:
Client push installation (if a valid client push installation account has been specified)
Software update point based client installation
Group Policy installation
For more information, see How to Install Clients Using Client Push, How to Install
Clients Using Software Update Point Based Installation and How to Install Clients Using
Group Policy.
CAPINST.EXE is No Longer Supported
Capinst.exe is no longer used in Configuration Manager 2007 for logon script client
installation. For information about how to install Configuration Manager 2007 clients
using a logon script, see How to Install Clients Using Logon Scripts.
Client Installation Files are Downloaded from the Management Point over HTTP
In SMS 2003, client installation files were downloaded from an SMB share on the
management point. In Configuration Manager 2007, the default behavior is to download
these files using an HTTP connection. You can still use an SMB share to download client
installation files, but you must create this share yourself and specify the CCMSetup
installation property /source.
For more information, see About Client Installation Properties.
Managing Client Identity
Configuration Manager 2007 manages client identity to help eliminate duplicate GUIDs.
For each client computer, Configuration Manager 2007 calculates a hardware ID using a
proprietary algorithm to help ensure that each client is uniquely identified. If
Configuration Manager 2007 detects a duplicate hardware ID, Configuration Manager
2007 can automatically create a new client record for the duplicate record. This setting
allows you to easily upgrade or deploy clients that might potentially have duplicate
hardware IDs, without requiring manual intervention. However, with this setting, if you
recover a computer and it maintains the original hardware ID, Configuration Manager
2007 will create a new record and you lose the historical continuity for reporting
purposes. If you want to manually resolve conflicting records, you can change the setting
on the Site Properties Advanced tab so that conflicting records will be displayed in the
Conflicting Records node. If you enable manual conflict resolution for all sites in a
hierarchy branch, then the administrator at the top of the branch can manually resolve
conflicts for all child sites. For more information, see How to Manage Conflicting
Records.
What's New in Mobile Device Management for Configuration Manager
The Mobile Device Management feature in Microsoft System Center Configuration
Manager 2007 introduces a number of changes from the version found in Microsoft
Systems Management Server (SMS) 2003 Device Management Feature Pack.
Mobile device platform support added
Support for the following mobile devices has been added:
Windows Mobile 2003 Smartphone
Windows Mobile for Pocket PC 2003 Second Edition
Windows Mobile for Pocket PC 5.0
Windows Mobile for Pocket PC Phone Edition 5.0
OSD offers a new task sequence editor with many built-in features that provide flexible
operating system deployment options both with operating system deployments and for
use with performing other related tasks.
What's New in Remote Tools for Configuration Manager
The Remote Tools feature in Microsoft System Center Configuration Manager 2007
introduces a number of changes from the version found in Systems Management Server
2003. These changes are designed to provide the following improvements:
Improved security.
Use of the latest communications protocols.
Improved performance.
Compatibility with new operating systems.
New Remote Tools Agent
Configuration Manager 2007 includes a new remote tools agent which uses the Microsoft
RDP protocol. This is a standard protocol used for applications such as Remote Desktop
and Remote Assistance. The RDP protocol is supported on client computers running
Windows XP and Windows Server 2003 and above. The following levels of access are
supported by the new remote tools agent:
No access
View only
Full control
Remote Tools UI
The following options are no longer included in the Configuration Manager 2007 remote
tools:
Reboot
Chat
File transfer
Remote execute
Windows 98 diagnostics
Ping
Authentication, you had to provide a SQL login for SMS to use when accessing the site
database. Configuration Manager 2007 supports only Windows Authentication, meaning
Configuration Manager 2007 uses the site server computer account to access the site
database. Several database roles have been added to better control Configuration
Manager 2007 access to the SQL Server.
Inter-site Communication Security
In SMS 2003, you had the option of whether or not a site could accept unsigned data
from another site. In Configuration Manager 2007, all data must be signed between sites
and there is no option to disable the signing requirement.
Also, in SMS 2003, secure key exchange was not enabled by default between sites. In
Configuration Manager 2007, the requirement for secure key exchange between sites is
enabled by default for fresh installations.
Client Push Installation Can Use Computer$ Account
Even if your SMS 2003 site used advanced security, you had to configure a user account
to perform Client Push Installation. In Configuration Manager 2007, if you do not have a
user account configured, Configuration Manager 2007 will try the site server computer$
account. If no client push installation accounts are defined, and if the computer$ account
does not have administrative rights to the client computer, Client Push Installation will
fail.
Important
Adding the site server computer$ account to the Domain Admins global group is not
recommended because it is excessive privilege. A better alternative is to add the site
server computer$ account to a different global group, then use Group Policy to add the
global group to the local Administrators group as a restricted group. For more
information, see Microsoft KB article 320065, "How to Configure a Global Group to Be
a Member of the Administrators Group on all Workstations."
A new group, the ConfigMgr Remote Control Users group, has been added to contain the
members of the Permitted Viewers list.
packages, downloading might not have been possible at all if the size of the package (or
image) exceeded the size of the cache. With the increased default cache size, however,
this is far less likely to happen, and older packages will remain in the cache and available
longer.
Advertisements Not Replicated to Secondary Sites
In SMS 2003, all advertisement information was sent to both secondary and primary sites
because Legacy Clients could be assigned directly to secondary sites. However,
Configuration Manager 2007 does not use Legacy Clients, and all clients can only be
assigned to a primary site.
Because of this, Configuration Manager no longer replicates advertisement information
to secondary sites, resulting in significant performance improvements and savings in
network bandwidth.
Manager 2007 client computers is not supported. For more information, see Planning the
SMS 2003 Software Updates Upgrade.
Software Update Bundles
SMS 2003 displayed the same software update multiple times in the SMS Administrator
console for each language and product for the update. Configuration Manager 2007 has
introduced the concept of software update bundles, where a software update is displayed
only once in the Configuration Manager console. Software update deployments are
initiated by selecting the bundle update, and when creating the deployment the
administrator can define which language specific update files will be downloaded and
made available to client computers.
Software Updates Supersedence
Supersedence is when a new software update contains the same fixes that were in a
previously released software update. In the past, new and previously released software
updates, which contained the same fix, might have both been marked as required when
the only one that was necessary was the newer software update.
In Configuration Manager 2007, the software updates feature uses the Windows Update Agent,
which partially addresses the issue of supersedence. When new software updates are released
that contain fixes for previously released updates, Microsoft Update is refreshed with
information relating to the new software update and any software updates that it
supersedes. As client computers scan for software update compliance, any required
software updates that supersede previous updates are returned with compliance state but
the previously released software updates are not returned. The exception to this is when a
Service Pack contains a required software update. The Windows Update Agent returns
both the software update and the service pack with a required compliance state. This
provides administrators with the flexibility to deploy individual software updates or full
service packs.
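The supersedence rule above, modelled as a small Python compliance filter over a constructed catalog. This is an added example, not Configuration Manager or Windows Update Agent code; it assumes supersedence is evaluated against the direct relations listed in the catalog, and the update ids are placeholders.

```python
"""Model of the supersedence rule described above.

Added example, not Configuration Manager or Windows Update Agent code. It assumes
that supersedence is evaluated against the direct relations listed in the catalog,
and it uses a constructed catalog with placeholder update ids.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """One catalog entry: its id, the ids it supersedes, and whether it is a service pack."""
    update_id: str
    supersedes: frozenset = frozenset()
    is_service_pack: bool = False


def superseders_of(catalog, update_id):
    """Ids of catalog entries that list update_id as superseded."""
    return {u.update_id for u in catalog if update_id in u.supersedes}


def reported_required(catalog, required):
    """Return the ids a compliance scan would report as required.

    Rule from the text: a required update that is superseded by another required
    update is not returned, unless the superseding update is a service pack, in
    which case both the update and the service pack are returned.
    """
    by_id = {u.update_id: u for u in catalog}
    unknown = set(required) - set(by_id)
    if unknown:
        raise ValueError(f"required ids not in catalog: {sorted(unknown)}")
    reported = set()
    for uid in required:
        hidden_by_newer = any(
            other in required and not by_id[other].is_service_pack
            for other in superseders_of(catalog, uid)
        )
        if not hidden_by_newer:
            reported.add(uid)
    return reported


# Constructed catalog (ids are placeholders, not real KB numbers).
SAMPLE_CATALOG = (
    Update("UPD-A"),                                   # old fix, superseded by UPD-B
    Update("UPD-B", supersedes=frozenset({"UPD-A"})),  # newer fix for the same issue
    Update("UPD-C"),                                   # fix later rolled into SP-1
    Update("SP-1", supersedes=frozenset({"UPD-C"}), is_service_pack=True),
    Update("UPD-D"),                                   # standalone fix
    Update("UPD-E", supersedes=frozenset({"UPD-F"})),  # superseder that is not required
    Update("UPD-F"),
)

# Constructed scan result: everything found applicable before supersedence is applied.
SAMPLE_REQUIRED = frozenset({"UPD-A", "UPD-B", "UPD-C", "SP-1", "UPD-D", "UPD-F"})


def demo():
    """Apply the rule to the constructed sample and return the reported set."""
    return reported_required(SAMPLE_CATALOG, SAMPLE_REQUIRED)


if __name__ == "__main__":
    print(sorted(demo()))
```

UPD-A drops out because the required UPD-B supersedes it, while UPD-C stays because its superseder SP-1 is a service pack; UPD-F stays because its superseder UPD-E is not required on this client.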
Deploying Software Updates
Software updates are deployed to client computers using the Deploy Software Updates
Wizard, much like it is in SMS 2003, but new objects have been introduced and there
have been changes to the deployment process. The following sections briefly describe
these changes.
Deployments
Configuration Manager 2007 no longer uses advertisements for delivering software
updates. Software update deployments are now used as the vehicle that delivers software
updates to client computers. The deployment properties contain the relevant information
about the software updates in the deployment, the target collection, the settings that
impact client behavior when running the deployment, the deployment schedule settings,
and so on. When a deployment is created, client computers receive it as part of the
Configuration Manager policy. For more information, see About Software Update
Deployments.
Deployment Packages
Deployment packages are used to host the files for the software updates in a deployment,
much like that of software distribution packages. The main difference is that the
deployment package is used to get the files to the distribution points, but once that
process completes, client computers will access the software update files from any
package shared folder on any distribution point regardless of whether the package was
defined in the deployment that targeted the client. When the client computer receives a
new deployment, it determines where the software update files are located, independent
of the deployment, and installs from the preferred location. For more information, see
About Deployment Packages in Software Updates.
Selective Download
Configuration Manager 2007 provides selective download technology. This technology
allows a deployment package to contain a large number of files, but client computers will
retrieve only the files that are required. For example, if a client receives a deployment
that contains ten software updates but only two of them are required on the client
computer, the client will connect to the distribution point and download only the files that
it needs.
Deployment Templates
Deployment templates provide the ability to save a set of deployment properties for use
in future software update deployments. When a deployment template is used in creating a
new deployment, it populates the deployment with the preconfigured properties. This
provides consistency among deployments with similar requirements and saves a lot of
administration time. For more information, see About Deployment Templates in Software
Updates.
Update Lists
Update lists provide the ability to initiate a deployment for a set of software updates
contained in the list. Using the update list provides several benefits when deploying and
monitoring software updates and is, therefore, part of the recommended software updates
workflow. Update lists allow administrators to create a deployment from the update list
instead of manually selecting the set of updates every time a new deployment is created.
They allow administrators to use reports for specific update lists to monitor the
compliance for the software updates and help to troubleshoot updates contained in the
list. Update lists also allow administrators to create update lists with approved updates,
and then delegate the responsibility to deploy the update lists. For more information, see
About Update Lists in Software Updates.
Network Access Protection
Network Access Protection (NAP) is a policy enforcement platform built into the
Microsoft Windows Vista and Windows Server 2008 operating systems that allows you to
better protect network assets by enforcing compliance with system health requirements.
Configuration Manager 2007 provides Network Access Protection as a new feature,
which lets you include software updates in your system health requirements.
Configuration Manager NAP policies define which software updates to include, and a
Configuration Manager System Health Validator point passes the client's compliant or
non-compliant health state to the Network Policy Server. The Network Policy Server then
determines whether the client has full or restricted network access, and whether noncompliant clients will be brought into compliance through remediation.
For more information, see Network Access Protection in Configuration Manager.
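The compliance decision described above, written out as an added Python model (this is illustrative code, not part of the Configuration Manager documentation or product): the NAP policy fixes which updates count toward health, the System Health Validator compares that subset against what the client has installed, and the Network Policy Server grants full or restricted access and optionally remediates. The update identifiers, client names and the remediate flag are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data: update IDs are placeholders, not real Microsoft update numbers.
NAP_POLICY_UPDATES = {"UPD-001", "UPD-002"}  # updates the Configuration Manager NAP policy includes


@dataclass
class Client:
    name: str
    required: set                              # updates the scan found applicable to this client
    installed: set = field(default_factory=set)


def health_state(client, policy_updates):
    """System Health Validator logic (modelled): the client is compliant when every update
    that is both required on it and included in the NAP policy is installed. A required
    update outside the policy (for example UPD-003) does not affect the health state."""
    missing = (client.required & policy_updates) - client.installed
    return ("compliant" if not missing else "noncompliant"), missing


def network_policy_decision(client, policy_updates, remediate):
    """Network Policy Server logic (modelled): full access for compliant clients, restricted
    access otherwise. With remediation enabled the missing policy updates are installed on
    the client and the health state is re-evaluated before the final decision."""
    state, missing = health_state(client, policy_updates)
    if state == "compliant":
        return "full", []
    if not remediate:
        return "restricted", sorted(missing)
    client.installed |= missing                # remediation installs the missing policy updates
    state, _ = health_state(client, policy_updates)
    return ("full" if state == "compliant" else "restricted"), sorted(missing)


if __name__ == "__main__":
    ws = Client("ws1", {"UPD-001", "UPD-002", "UPD-003"}, {"UPD-001"})
    print(health_state(ws, NAP_POLICY_UPDATES))
    print(network_policy_decision(ws, NAP_POLICY_UPDATES, remediate=True))
```

The point to take from the model is the second set operation: only updates the NAP policy names can make a client noncompliant, so an update that is required but left out of the policy is invisible to NAP even though a software update deployment would still install it.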
Upgraded Administrators Do Not Have Access to New Software Updates Objects
After upgrading, the user who ran the upgrade has access to all of the objects in the
Configuration Manager 2007 console but existing administrators have access only to
objects that existed prior to upgrade. This is true even for software updates objects. Users
who had full rights to all SMS 2003 software updates objects will have full rights to the
same objects in Configuration Manager 2007 but will not have any rights to new software
updates object types, such as update lists and deployment templates.
Software Updates Reporting
The predefined software updates reports and underlying software updates SQL Server
views have been modified in Configuration Manager 2007 to work with the new software
updates infrastructure. During a site upgrade, the Systems Management Server 2003
reports are migrated, but they might fail to run or retrieve the expected data. Most of the
software updates reports use state messages sent from client computers, not hardware
inventory results, to report on the state for compliance or for a process. Several new
reports have been created to support software updates in Configuration Manager and are
grouped in the following categories:
Software Updates - A. Compliance
Software Updates - B. Deployment Management
Software Updates - C. Deployment States
Software Updates - D. Scan
Software Updates - E. Troubleshooting
Software Updates - F. Distribution Status
For a complete list of the software updates reports, see Software Updates Reports.
After you have exported an XML file from the Transfer Site Settings Wizard, you can use
the command line version of the Transfer Site Settings Wizard, Replstcfg.exe, to import
or transfer settings to a different site. Replstcfg.exe is located in
<ConfigurationManagerInstallDirectory>\AdminUI\bin.
Note
In Configuration Manager 2007, if you need to transfer settings to a site in an untrusted
forest, you must either log on with an account that exists in both forests with the same
user name and password, or you must export the settings from the first site and then
import, but not transfer, the settings on the destination site. The user name and password
options available in the SMS 2003 command line tool have been removed, so it is no
longer possible to transfer the settings to an untrusted forest with Replstcfg.exe.
You can use the Manage Site Accounts tool (MSAC.exe) through the command-line
interface to quickly and easily update, create, verify, delete, and list user-defined
Windows accounts for your Configuration Manager 2007 sites. The Manage Site
Accounts tool is located in <ConfigurationManagerInstallDirectory>\AdminUI\bin.
Folder Replication
When you create a folder in a parent site, it automatically replicates to the child sites.
New Wizards for Object Creation
Several new wizards have been added to facilitate object creation.