The 4 Pillars of System Center Configuration Manager
The new SMS incarnation promises simplicity, comprehensiveness, security, and manageability
June 27, 2007
Microsoft has christened System Center Configuration Manager (SCCM) 2007 as the new incarnation of its vaunted System Management Server (SMS). The System Center moniker acts as an umbrella that covers Microsoft's family of manageability tools. Along with Configuration Manager, the current list of System Center solutions includes Operations Manager, Data Protection Manager, Reporting Manager, Essentials, Virtual Machine Manager, and Capacity Planner. The company also recently announced a new Help desk offering called System Center Service Desk (SCSD). But SCCM is the senior member of the System Center lineup, and it's arguably the anchor component.
Let's take a look at SCCM's architecture and the solid set of tools it provides for managing your entire Windows infrastructure, highlighting some of the new and exciting features of SCCM 2007. Then, let's drill down into what you need to know about putting the new generation of Microsoft systems management software to work in your environment.
Built on 4 Pillars
SCCM is a major retooling of previous SMS technologies and capabilities. In its introduction of the new product, the Microsoft product team uses an analogy of four pillars upon which the new system is built. The pillars are simplicity, deployment, security, and configuration.
Simplicity. The simplicity pillar represents a worthwhile goal for a product with so many capabilities. Toward this end, Microsoft has rolled feature packs and add-ons into the core product so that administrators no longer need to find, download, and integrate such tools individually. A new setup routine tracks and displays setup tasks as they occur and builds a management point so that the SCCM installation is ready to begin client deployment following setup. Microsoft has also introduced the notion of maintenance windows and integrated Wake on LAN (WOL) capabilities, both of which let SCCM administrators more easily control when and how the tool's operations occur on managed systems. The Microsoft Management Console (MMC) 3.0–based UI, which Figure 1 shows, gets some terrific enhancements, including drag-and-drop and search folders. Microsoft has streamlined many administrative tasks with dynamic wizards to reduce the complexity of operations. Another great new feature—Volume Shadow Copy Service (VSS)–enabled backups for SCCM site systems—further simplifies administrators' lives.
Deployment. The deployment pillar focuses on making SCCM a complete solution for deploying both server and desktop OSs throughout the enterprise, in addition to applications and updates. These capabilities have existed in some fashion in SMS 2003, but Microsoft has redesigned them to integrate the latest Windows OS deployment technologies—such as Windows Preinstallation Environment (PE), Windows Imaging Format (WIM), and User State Migration Tool (USMT)—into an unattended OS deployment process. The product uses a task-sequencing engine during the deployment process to ensure that necessary steps (e.g., installing drivers and applications, restoring user documents and settings) occur.
Security. The security pillar is primarily composed of two security initiatives that make SCCM a better tool for managing security updates for your enterprise and make the SCCM infrastructure more secure than previous SMS versions. The first initiative involves enhanced vulnerability assessment and remediation technology, and the second initiative involves seamless, end-to-end, mutual authentication between SCCM systems and managed clients—whether they're connected via the Internet or on the LAN or roaming between the two.
Configuration. The configuration pillar entails giving IT organizations the ability to model and manage a desired configuration for a given system type. SCCM administrators can create management policies to establish a baseline for system-configuration items, including hardware configuration, installed software, system load, and specific settings. The system can report on compliance with the baseline configuration and can take knowledge-driven actions based on particular out-of-compliance conditions.
Core SCCM Features
Total cost of ownership (TCO) was once a huge driver for promoting tools to better manage IT systems, but the term TCO seems to have fallen out of vogue. However, we should never underestimate the necessity of keeping the cost of managing desktop and server systems in check. IT organizations are responsible for maintaining a healthy TCO bottom line.
That's where SCCM comes in. SCCM is geared toward increasing the overall effectiveness of IT organizations, streamlining provisioning, and managing computing resources while minimizing the overhead of doing so. The following core SCCM features all contribute to the effort of accomplishing these lofty goals: software distribution, inventory and reporting, device management, OS deployment, software update management, remote tools, desired configuration management, network access protection, and Internet-based client management.
Software distribution and updates. Software distribution is a huge part of SCCM and has been since the first version of SMS. Software distribution is the ability to remotely deploy software—typically an application—to one or more client systems. That summation sounds simple enough, but modern businesses' software-deployment needs reach far beyond simply installing a given software package onto a group of desktop computers. Attention must be paid to a target system's connection type, system type, and usage pattern, as well as the overall bandwidth of the network you're using for delivery. Furthermore, once you've installed a software package, it will likely need updates over the course of its service life. You can use collection machine variables—which help you categorize computers based on certain parameters (e.g., OS, memory, disk)—to ensure that SCCM targets only appropriate systems for certain software. Background Intelligent Transfer Service (BITS) and maintenance windows ensure that software installation doesn't hamper a user's productivity. If an uncooperative user insists on powering off his or her system each night, you can use WOL to power it on for software maintenance. SCCM uses binary deltas—with DFS replication (DFSR) hashing—to minimize the bandwidth impact of application updates for sites and distribution points across your network. (A binary delta copies only changed bits of an application update. For example, if you have a 700MB Microsoft Office package and you need to change one file, only the differences in that file will need to be transferred for the entire package to be current—as opposed to the entire 700MB package.)
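To make the binary-delta idea concrete, here is an added Python illustration, not SCCM or DFSR code: it hashes fixed-size blocks (DFSR's remote differential compression instead finds variable-size chunks), sends only the blocks whose hashes changed, and rebuilds the file from the receiver's old copy. The package contents and the tiny block size are constructed sample data.

```python
import hashlib

BLOCK_SIZE = 4  # toy block size for the constructed sample; real tools use far larger blocks


def block_hashes(data: bytes, block_size: int) -> list:
    """SHA-256 digest of each fixed-size block of data (the last block may be short)."""
    return [hashlib.sha256(data[i:i + block_size]).digest()
            for i in range(0, len(data), block_size)]


def compute_delta(old: bytes, new: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Return only the blocks of new whose hash differs from the same block of old."""
    old_h = block_hashes(old, block_size)
    new_h = block_hashes(new, block_size)
    changed = {}
    for idx, digest in enumerate(new_h):
        if idx >= len(old_h) or old_h[idx] != digest:
            changed[idx] = new[idx * block_size:(idx + 1) * block_size]
    return {"block_size": block_size, "length": len(new), "blocks": changed}


def apply_delta(old: bytes, delta: dict) -> bytes:
    """Rebuild the new file from the receiver's old copy plus the changed blocks."""
    bs, length = delta["block_size"], delta["length"]
    out = bytearray(old[:length])          # shrink if the new file is shorter
    out.extend(b"\0" * (length - len(out)))  # grow if the new file is longer
    for idx, chunk in delta["blocks"].items():
        out[idx * bs:idx * bs + len(chunk)] = chunk
    return bytes(out)


def package_delta(old_pkg: dict, new_pkg: dict) -> dict:
    """Per-file deltas for a package; files with an identical whole-file hash send nothing."""
    deltas = {}
    for name, new_data in new_pkg.items():
        old_data = old_pkg.get(name, b"")
        if hashlib.sha256(old_data).digest() != hashlib.sha256(new_data).digest():
            deltas[name] = compute_delta(old_data, new_data)
    return deltas


def bytes_to_transfer(deltas: dict) -> int:
    """Total payload bytes that must cross the wire for the whole package."""
    return sum(len(chunk) for d in deltas.values() for chunk in d["blocks"].values())


# Constructed sample package: two larger unchanged files and one small edited file.
OLD_PACKAGE = {
    "setup.exe": b"A" * 64,
    "data.cab": b"B" * 64,
    "readme.txt": b"Version 1.0 release notes",
}
NEW_PACKAGE = dict(OLD_PACKAGE, **{"readme.txt": b"Version 1.1 release notes"})


def demo() -> tuple:
    """Return (bytes sent as a delta, bytes a full re-send would cost, rebuilt readme)."""
    deltas = package_delta(OLD_PACKAGE, NEW_PACKAGE)
    full = sum(len(v) for v in NEW_PACKAGE.values())
    rebuilt = apply_delta(OLD_PACKAGE["readme.txt"], deltas["readme.txt"])
    return bytes_to_transfer(deltas), full, rebuilt
```

Running `demo()` shows that only the one 4-byte block holding the changed version string travels, against 153 bytes for re-sending the whole package.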
Inventory and reporting. Even small IT shops can have trouble getting a clear picture of the hardware and software assets that comprise their fleet. SCCM's inventory and reporting features help with this challenge. You can configure the inventory component to collect hardware and software information from client systems at a prescribed interval. The reporting component then assembles appropriate pieces of the collected data into meaningful reports. These reports can be quite simple (e.g., a breakdown of desktop computer platforms) or quite complex (e.g., HP laptops in the accounting department with a specific BIOS version and video driver version, running Microsoft Internet Explorer—IE—7.0 on Windows XP SP2). Software-inventory and software-metering reports can also help you get a firm grasp on license management.
Device management. Device management—which Microsoft really should call mobile device management—originated as a feature pack add-on to SMS 2003. The company has enhanced the feature and incorporated it into SCCM. Device management lets you perform management functions on mobile devices similar to those available for traditional clients. For example, you can perform hardware and software inventory, file collection, software distribution, settings control, and password management. Current SCCM-manageable devices include those running Windows Mobile software on Pocket PC, or smart phones and devices running Windows CE. The SCCM documentation—accessible from the Learning Path—contains an exhaustive list.
OS deployment. SCCM's OS-deployment capabilities add up to a dramatically enhanced version of the SMS 2003 feature pack add-on and solution accelerator. These new core functions are based on OS deployment technologies in Windows Server 2008 and Windows Vista. Using the OS deployment tools, you can build a reference machine and capture a single image of it for deployment to an entire enterprise. SCCM supports such deployment scenarios as bare-metal installations, in-place upgrades, and machine-to-machine migrations.
Software update management. SCCM leverages Windows Server Update Services (WSUS) as the underlying technology for updates and patches. However, you'll use the SCCM interface to wield enhanced control over the approval and application of updates. Additionally, SCCM's update-management features give you a means with which to deploy updates from third-party and internal software providers and—for the purpose of compliance—allow for tracking and reporting of updates applied throughout your enterprise.
Remote tools. The ability to remotely control managed systems has been a long-standing, useful SMS feature for troubleshooting and providing end-user support. Microsoft has revamped SCCM's remote tools so that, by using Vista's RDP protocol, they realize the benefits of improved performance, security, and richer collaboration technologies. SCCM also still supports Remote Desktop and Remote Assistance.
Desired configuration management. Every IT organization recognizes the benefits of standardizing systems and configurations. SCCM's desired configuration management component—previously an SMS 2003 solution accelerator, now enhanced and integrated into SCCM—lets you define a model for the configuration of a certain class of system. SCCM will then monitor managed systems for compliance according to that definition.
Network access protection. Microsoft's Network Access Protection (NAP) is an entirely new feature in SCCM. In simple terms, NAP is a tool for monitoring your network for noncompliant, potentially vulnerable systems, and proactively correcting any compliance problems before permitting such systems network access. However, NAP implementation requires Windows Server 2008 running Network Policy Server (NPS). NPS policies measure system compliance, and SCCM's NAP integration performs any required remediation.
Internet-based client management. Although SMS has traditionally managed many types of clients—including desktops, laptops, and servers—the ability to manage portions of the client population connected via the Internet has been lacking. SCCM has incorporated secure Internet-based management capabilities into the core feature set. Using public key infrastructure (PKI), clients can securely participate in traditional software deployments, inventory schedules, and other SCCM functions while connected only via the Internet.
What You Need to Know
Now, you're probably wondering what else you need to know before taking the SCCM plunge—either as a new deployment or as an upgrade to an existing SMS installation. For new deployments, the first thing you need to consider is the size and complexity of your environment, and whether you require and can benefit from SCCM's extensive management capabilities. If you read my beta review of System Center Essentials (see the Learning Path), you might remember that tool's limit of 30 servers and 500 client systems. Those numbers also serve as a reasonable point at which implementing SCCM starts to make sense: If you have fewer than 500 systems, you might not benefit from the robust, complex beast that is SCCM. If you have an existing SMS implementation, an upgrade to SCCM should be on your radar at release time. After you make the decision to move to SCCM, you'll want to spend some time on two preparatory steps, involving PKI and site system roles.
PKI. Of primary concern, if you don't have an existing PKI implementation, you'll need to learn about the technology and deploy PKI to support SCCM's advanced security features. PKI is a requirement for native-mode deployments (i.e., full deployments of SCCM clients and required servers) because the system uses a site server signing certificate to sign all SCCM policies. Through this infrastructure, site systems and managed clients establish mutual trust.
Site system roles. Your next area of study is site system roles. SCCM offers numerous new roles and dispenses with or renames a few old ones. Although adding new roles might seem to contradict the goals of the simplicity pillar, Microsoft has designed the roles to help you better manage and maintain your SCCM infrastructure and managed systems.
As you see in Figure 2, the SCCM 2007 system roles are primary site server, site database server, Configuration Manager console, branch office distribution point, fallback status point, management point, PXE service point, reporting point, server locator point, software update point, state migration point, and system health validator. Note that not all roles are necessary, and each role doesn't need to reside on a dedicated server. In fact, for very small implementations, it's feasible—but not recommended—that all required roles reside on one server. Your determination of appropriate roles and supporting hardware will be a factor of your environment's workload and security requirements. You can find many planning aids for SCCM deployment in Microsoft's Configuration Manager Documentation Library (see the Learning Path), which can help you come up with the right mix of roles and hardware.
Two new roles of note are branch office distribution point and fallback status point. A branch office distribution point (which replaces the old secondary site role) can be a Vista or XP system. This system can hold software applications and updates for distribution to a branch office. SCCM utilizes BITS technology to initially populate and apply delta changes to software on branch office distribution points. SCCM uses the fallback status point as a catchall for communications from managed systems that have somehow become orphaned from their intended management point. This system role is instrumental in discovering and fixing client-reporting problems in your fleet.
Installation Considerations
You'll want to become familiar with the various installation options available to you, depending on your current situation. If you're installing a brand-new SCCM 2007 site, you have two options—simple setup and custom setup—although the simple setup isn't very useful unless you're deploying for test purposes. SCCM's Setup Wizard checks for prerequisites (as Figure 3 shows), helps you mitigate any software deficiencies, then walks you through the process of specifying site and managed system parameters. If you already know exactly how you want to deploy SCCM, you can streamline this process by using the scripted installation option.
If you're upgrading an existing SMS 2003 site, you have a number of options, decisions, and prerequisites to consider. First, before you can add SCCM to the mix, your SMS 2003 site must be running SMS 2003 SP2. Second, SCCM doesn't support Windows 2000 servers, so you'll need to upgrade any SMS systems running on that OS. Third, you need to decide whether you'll use a side-by-side or in-place upgrade strategy.
Organizations that aren't heavily invested in their current version of SMS will find the side-by-side upgrade acceptable. This upgrade amounts to bringing up the new SCCM site, then reassigning and upgrading existing managed systems to the new site. More probable, though, is an in-place upgrade. An in-place upgrade migrates your existing data to the new database schema and lets you run in an interoperable mode while you convert to SCCM 2007. One caveat is that the upgrade process removes any unsupported feature packs—particularly those for OS deployment and device management. However, although the upgrade removes the legacy feature packs, their functionality is replaced natively in SCCM 2007, and the new SCCM-native features will use the settings previously configured for the feature packs.
When you upgrade, you should go from the top of your hierarchy down. One helpful tip is to consider placing a central SCCM 2007 site above your existing SMS 2003 primary site, then let your data flow up. Using this scenario, you can familiarize yourself with the new SCCM console while using your own data. From the SCCM 2007 console, you can view—but not edit—SMS 2003 site settings. You can upgrade secondary SMS 2003 sites to SCCM 2007 manually, by pushing them via SMS, or by installing them through remote control. You can assign SMS 2003 clients to SCCM 2007 sites, and SCCM 2007 clients—in mixed mode—can roam back to an SMS 2003 site for interoperability.
Client-Deployment Considerations
You can assign SCCM clients based on AD OUs so that the assignment strategy can be more aligned with the structure of your business than an SMS site structure. In addition to standard push-client installations and software distribution methods, there's a new way to perform client installation. Using the Software Update Point, you can piggyback on your WSUS implementation to overcome client-installation obstacles such as account permissions and unopened ports. When Microsoft releases SCCM to manufacturing, the company will provide an .adm template for distributing SCCM client settings via Group Policy.
Microsoft has also made notable improvements to the SCCM client-installation executable. The tool uses a single binary file—ccmsetup.exe—for all client installations. The new executable has bandwidth awareness through BITS, and it downloads a simple XML manifest first to determine which components are applicable to a given client, then downloads and installs only what is necessary.
Other Caveats
Native mode, and the PKI it depends on, is also required for Internet-based client management. You'll also have to extend your AD schema to use NAP, but that prospect isn't as scary as it might sound. If you're comfortable with it, you can run ExtADSch.exe (from SMSSETUP\BIN\I386 on the SCCM 2007 installation media), or you can use the Microsoft-provided LDF file. The LDF file documents the classes and attributes added by the schema extension, as well as the SCCM features they're associated with. (NAP is one such feature that requires an update to the AD schema.)
Worthwhile Investment
Microsoft's investment in its four-pillar strategy of simplicity, deployment, security, and configuration should pay dividends for IT organizations ranging in size from medium to huge. Existing SMS users will benefit greatly from an upgrade to Microsoft's latest and greatest configuration management tool, and SCCM's new capabilities and usability add up to a compelling argument for deployment in many IT organizations where previous versions of SMS might not have made the cut.