SCCM Basics & FAQ
A Short notes on ' SCCM 2007 Basics'
I've been looking for short notes that facilitate quick understanding knowledge on SCCM 2007. I finally put my efforts to bring a short notes on SCCM 2007 to help those who are already familiar with Systems Management Server (SMS) 2003 and who wish to quickly develop understanding knowledge on 'Microsoft System Center Configuration Manager 2007'.
SCCM 2007 Features
NAP Works with Windows Server 2008 operating system Network Policy Server to restrict computers from accessing the network if they do not meet specified requirements The System Center Family, The products included under the System Center umbrella address the challenges of managing information technology in organizations of different sizes.
What's New
For more information about Microsoft System Center,
SCCM Sites
Primary Sites-A primary site stores SCCM 2007 data for itself and all the sites beneath it in a SQL Server database.
Child Sites-A child site is a site that is attached to a site above it in the hierarchy. The site it reports to is its parent site. A child site can have only one parent site. SCCM 2007 copies all the data that is collected at a child site to its parent site. A child site is either a primary site or a secondary site.
Site Systems
Site System Roles
How Site communicates?
Blocking Clients- If a client computer is no longer trusted, the Configuration Manager administrator can block the client in the SCCM 2007 console.
Client Agents
Client agents are SCCM 2007 components that run on top of the base client components.
Computer Client Agent Properties-Configures how often client computers retrieve the policy that gives them the rest of their configuration settings.
Device Client Agent Properties-Configures all of the properties specific to mobile device clients. Hardware Inventory Client Agent-Enables and configures the agent that collects a wide variety of information about the client computer.
Software Inventory Client Agent-Enables and configures which files Configuration Manager inventories and collects.
Advertised Programs Client Agent-Enables and configures the software distribution feature.
Desired Configuration Management Client Agent-Enables the client agent that evaluates whether computers are in compliance with configuration baselines that are assigned to them
Remote Tools Client Agent-Enables Configuration Manager remote control
Network Access Protection Client Agent-Enables Configuration Manager Network Access Protection
Software Updates Client Agent-Enables the agent that scans for and installs software updates on client computers.
Administrator Console
Collections
Inventory
Reporting
Software Distribution
Software updates
Software Metering
Operating System Deployment
Desired Configuration Management
Mobile Device Management
Mobile devices are supported as SCCM 2007 clients. For documentation purposes, mobile clients are treated as a separate feature. Mobile clients can run a subset of SCCM 2007 features such as inventory and software distribution, but cannot be managed by remote control and cannot receive operating system deployments like desktop clients.
Remote Tools
Network Access Protection
Asset Intelligence
Tracking IT asset & reporting -Is an inventory monitoring capability of SCCM 2007
Wake On LAN
Sending a wake-up transmission prior to the configured deadline for a software update deployment. Sending a wake-up transmission prior to the configured schedule of a mandatory advertisement, which can be for software distribution or a task sequence.
Security Modes
Backup and Recovery
Ports Used by SCCM-2007
I've been looking for short notes that facilitate quick understanding knowledge on SCCM 2007. I finally put my efforts to bring a short notes on SCCM 2007 to help those who are already familiar with Systems Management Server (SMS) 2003 and who wish to quickly develop understanding knowledge on 'Microsoft System Center Configuration Manager 2007'.
Microsoft SCCM -2007 (ConfigMgr) provides a comprehensive solution for change and configuration management for the Microsoft platform, enabling organizations to provide relevant software and updates to users quickly and cost-effectively, Allows IT staff to monitor and manage the hardware & software in a modern distributed environment.
SCCM 2007 Features
- HW/SW Inventory
- Software Distribution
- Software Update
- Software Metering
- Operating System Deployment (Image capture/deployment, User State Migration, Task sequence)
- Manage site accounts tool (MSAC)
- Asset Intelligence Remote tools
NAP Works with Windows Server 2008 operating system Network Policy Server to restrict computers from accessing the network if they do not meet specified requirements The System Center Family, The products included under the System Center umbrella address the challenges of managing information technology in organizations of different sizes.
What's New
- Branch distribution point
- Desired configuration management
- Wake On LAN
- Network Access Protection (NAP)
In addition to SCCM 2007, the System Center products include: System Center Operations Manager 2007 -Allows IT staff to monitor and manage the hardware and software in a modern software distributed environment. System Center code name “Service Desk” When it released, “Service Desk” is expected to provide implementations of fundamental IT Service Management processes, including incident management, problem management, and change management.
System Center Data Protection Manager 2006 Provides data backup and restore for Windows file servers. System Center Essentials 2007 Provides tools for less-specialized IT staff in smaller organizations to manage their environments more effectively with the three most important management functions: monitoring distributed systems, automating software updates and installing applications. System Center Virtual Machine Manager Helps management staff with the process of consolidating applications onto virtualized servers. System Center Capacity Planner 2006 Capacity Planner is a tool for determining what hardware resources will be required to run an application, such as Exchange Server 2003, to meet specific performance and availability goals.
For more information about Microsoft System Center,
SCCM Sites
A site consists of a site server, site system roles, clients, and resources. A site always requires access to a Microsoft SQL Server database. There are several types of SCCM 2007 sites. A SCCM 2007 site uses boundaries to determine the clients belonging to the site. Multiple sites can be configured into site hierarchies and connected such that you can manage bandwidth utilization between sites. A SCCM 2007 site is identified by the three-character code and the friendly site name configured during Setup and types of sites as follows.
Primary Sites-A primary site stores SCCM 2007 data for itself and all the sites beneath it in a SQL Server database.
Secondary Site-A secondary site has no SCCM 2007 site database. It is attached to and reports to a primary site. The secondary site is managed by a SCCM 2007 administrator running a Configuration Manager 2007 console that is connected to the primary site. The secondary site forwards the information it gathers from Configuration Manager 2007 clients, such as computer inventory data and Configuration Manager 2007 system status information, to its parent site. The primary site then stores the data of both the primary and secondary sites in the SCCM 2007 site database. The advantages of using secondary sites are that they require no additional SCCM 2007 server license and do not require the overhead of maintaining an additional database. Secondary sites are managed from the primary site it is connected to, so they are frequently used in sites with no local administrator present. The disadvantage of secondary sites is that they must be attached to a primary site and cannot be moved to a different primary site without deleting and recreating the site. Also, secondary sites cannot have sites beneath them in the hierarchy.
Parent Site-A parent site is a primary site that has one ore more sites attached to it in the hierarchy. Only a primary site can have child sites. A secondary site is always a child site. A parent site contains pertinent information about its lower level sites, such as computer inventory data and SCCM 2007 system status information, and can control many operations at the child sites.
Central Site -A central site has no parent site. Typically, a central site has child and grandchild sites and aggregates all of their client information to provide centralized management and reporting. A site with no parent and no child site is still called a central site although it is also referred to as a standalone site. A central site to collect all of the site information for centralized management.
Site Systems
Each site contains one site server and one or more site systems. The site server is the computer where you install SCCM 2007 and it hosts services required for SCCM 2007. A site system is any computer running a supported version of Windows® or a shared folder that hosts one or more site system roles. A site system role is a function required to use SCCM 2007 or to use a feature of SCCM 2007. Multiple site roles can be combined on a single site system, including running all site roles on the site server, but this is usually appropriate only for very small and simple environments.
Site System Roles
- Management Point- The site system role that serves as the primary point of contact between SCCM 2007 clients and the Configuration Manager 2007 site server.
- Server locator Point -A site system role that locates management points for SCCM 2007 clients.
- Distribution Point-A site system role that stores packages for clients to install. Software Update Point-A site system role assigned to a computer running Microsoft Windows Server Update Services (WSUS).
- Reporting Point-A site system role hosts the Report Viewer component for Web-based reporting functionality.
- Fallback Status Point - A site system role that gathers state messages from clients that cannot install properly, cannot assign to a Configuration Manager 2007 site, or cannot communicate securely with their assigned management point.
- PXE Service Point-A site system role that has been configured to respond to and initiate operating system deployments from computers whose network interface card is configured to allow PXE boot requests. User
- State Migration Point-A site system role that stores user state data while a computer is being migrated to a new operating system.
How Site communicates?
Clients communicate with site systems hosting site system roles. Site systems communicate with the site server and with the site database. If there are multiple sites connected in a hierarchy, the sites communicate with their parent, child, or sometimes grandchild sites. Site Boundaries, SCCM 2007 uses boundaries to determine when clients and site systems are in the site and outside of the site. Boundaries can be IP subnets, IP address ranges, IPv6 prefixes, and Active Directory sites. Two sites should never share the same boundaries. Assigning the same IP subnet, IP address range, IPv6 prefix or Active Directory site to two different sites makes it difficult to determine which clients should be managed in the site.
Inter-Site Communication When you have a separate sites, SCCM 2007 uses senders to connect the two sites. Senders have sender addresses that help them locate the other site. When sending data between sites, senders provide fault tolerance and bandwidth management.
Discovery Methods
Client Installation
SCCM 2007 provides several options for installing the client software.
The following table lists the client computer installation methods.
Intra-site Communications They use either server message block (SMB), HTTP, or HTTPS, depending on various site configuration choices you make. Because all of these communications are unmanaged, that is, they happen at any time with no consideration for bandwidth consumption, it is beneficial to make sure these site elements have fast communication channels.
Discovery Methods
- Active Directory System Discovery -Discovers details about the computer
- Active Directory System Group Discovery - Discovers details such as organizational unit, global groups, universal groups, and nested groups.
- Active Directory User Discovery-Retrieves Active Directory User Discovery
- Active Directory Security Group Discovery-Discovers security groups created in Active Directory.
- Heartbeat Discovery-Refresh Configuration Manager client computer discovery data in the site database.
- Network Discovery-Searches the network for resources that meet a specific profile, From router's ARP cache, SNMP agent and DHCP Each discovery method creates data discovery records (DDRs) for resources and sends them to the site database, even if the discovered resource is not capable of being a SCCM 2007 client.
Client Installation
SCCM 2007 provides several options for installing the client software.
The following table lists the client computer installation methods.
- Software update point installation -Uses the Automatic Update configuration of a client to direct the client computer to a WSUS computer configured as a SCCM 2007 software update point.
- Client push installation -Uses an account with administrative rights to access the client computers and install the SCCM 2007 client software.
- Manual client installation -A user with administrative rights can install the client software by running CCMSetup on the client computer. A variety of switches modify the installation options.
- Group Policy installation -Uses Group Policy software installation to install CCMSetup.msi.
- Imaging -The client software can be added to an image, including images created and deployed with SCCM 2007 operating system deployment.
- Software Distribution -Existing clients can be upgraded or redeployed using SCCM 2007 software distribution.
Mobile devices use different installation methods Client Assignment Clients must be assigned to a site before they can be managed by that site. Clients can be assigned to a site during installation or after installation. Assigning a client involves either telling it a specific site code to use, or configuring the client to automatically assign to a site based on boundaries. If the client is not assigned to any site during the client installation phase, the client installation phase completes, but the client cannot be managed by SCCM 2007.
Clients cannot be assigned to secondary sites; they are always assigned to the parent primary site, but can reside in the boundaries of the secondary site, taking advantage of any proxy management points and distribution points at the secondary site. This is because clients communicate with management points and management points must communicate with a site database. Secondary sites do not have their own site database, They use the site database at their parent primary site. Authenticating Clients Before SCCM 2007 trusts a client, it requires some manner of authentication. In mixed mode, clients must be approved, either by manually approving each client or by automatically approving all clients or all clients in a trusted Windows domain. In native mode, clients must be issued client authentication certificates prior to installing the SCCM 2007 client software.
Client Agents
Client agents are SCCM 2007 components that run on top of the base client components.
Computer Client Agent Properties-Configures how often client computers retrieve the policy that gives them the rest of their configuration settings.
Device Client Agent Properties-Configures all of the properties specific to mobile device clients. Hardware Inventory Client Agent-Enables and configures the agent that collects a wide variety of information about the client computer.
Software Inventory Client Agent-Enables and configures which files Configuration Manager inventories and collects.
Advertised Programs Client Agent-Enables and configures the software distribution feature.
Desired Configuration Management Client Agent-Enables the client agent that evaluates whether computers are in compliance with configuration baselines that are assigned to them
Remote Tools Client Agent-Enables Configuration Manager remote control
Network Access Protection Client Agent-Enables Configuration Manager Network Access Protection
Software Updates Client Agent-Enables the agent that scans for and installs software updates on client computers.
Administrator Console
You can run the console from the site server or install additional consoles on your desktop or help desk computers to facilitate management. One console can manage many sites or many consoles can manage a single site. The SCCM 2007 console runs as a Microsoft Management Console (MMC) snap-in, although you must run SCCM 2007 Setup on the computer so that the snap-in is available.
Collections
Collections represent groups of resources and can consist not only of computers, but also of Microsoft Windows users and user groups as well as other discovered resources. Collections provide you with the means to organize resources into easily manageable units, enabling you to create an organized structure that logically represents the kinds of tasks that you want to perform.
Inventory
Hardware inventory gives you system information Software inventoried file types and versions present on client computers Queries It uses WBEM query language (WQL) to query the site database. Query results are returned in the SCCM 2007 console, where they can be exported using the MMC export list feature.
Reporting
Reporting is a supporting feature to many other SCCM 2007 features. Reports are returned in Web pages in the browser. With reporting you can create reports that show the inventory you have collected or the software updates successfully deployed. You can also create dashboards, which combine several different views of information. Several pre-created reports are available to support common reporting scenarios. For more information about the reports provided for each feature, see the feature documentation.
Software distribution allows you to push just about anything to a client computer. Packages in software distribution can contain source files to deploy software applications and commands called programs that tell the client what executable file to run. A single package can contain multiple programs, each configured to run differently. Packages can also contain command lines to run files already present on the client, without actually containing additional source files.
The software updates feature provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise. Software updates in SCCM 2007 requires a Windows Server Update Services (WSUS) server to be installed and uses that to scan the client computers for applicable software updates. The administrator views which updates are needed in the environment and creates packages and deployments containing the source files for the software updates. Clients then install the software updates from distribution points and report their status back to the site database.
Software Metering
Software metering enables you to collect and report software program usage data. The data provided by these reports can be used by many groups within the organization such as IT and corporate purchasing. Software metering in SCCM 2007 supports the following scenarios: Identify which software applications are being used, and who is using them. Identify the number of concurrent usages of a specified software application. Identify actual software license requirements. Identify redundant software application installations. Identify unused software applications which could be relocated.
Operating System Deployment
Operating system deployment enables you to install new operating systems and software onto a computer. You can use operating system deployment to install operating system images to new or existing computers as well as to computers with no connection your SCCM 2007 site. By using task sequences and the driver catalog operating system deployment streamlines new computer installations by allowing you to install software using one dynamic image that can be installed on different types of computers and configurations. Operating system deployment provides the following solutions for deploying operating system images to computers: Provide a secure operating system deployment environment. Assist with managing the cost of deploying images by allowing one image to work with different computer hardware configurations. Assist with unifying deployment strategies to help provide a solid deployment foundation for future operating system deployment methods.
Desired Configuration Management
Desired configuration management enables you to define configuration standards and policies, and audit compliance throughout the enterprise against those defined configurations. Best practices configurations can be used from Microsoft and vendors in the form of Microsoft System Center SCCM 2007 Configuration Packs. These Configuration Packs can then be refined to meet customized business requirements. Additionally, desired configuration management supports an authoring environment for customized configurations. This feature is designed to provide data for use by many groups within the organization, including IT and corporate security.
Mobile devices are supported as SCCM 2007 clients. For documentation purposes, mobile clients are treated as a separate feature. Mobile clients can run a subset of SCCM 2007 features such as inventory and software distribution, but cannot be managed by remote control and cannot receive operating system deployments like desktop clients.
Remote Tools
Remote tools in SCCM 2007 includes the remote control feature which allows an operator with sufficient access rights the ability to remotely administer client computers in the SCCM 2007 site hierarchy.
Network Access Protection
Network Access Protection (NAP) is a policy enforcement platform built into the Windows Vista and Windows Server® 2008 operating systems that helps you to better protect network assets by enforcing compliance with system health requirements. You can configure DHCP Enforcement, VPN Enforcement, 802.1X Enforcement, IPSec Enforcement, or all four, depending on your network needs.
Asset Intelligence
Tracking IT asset & reporting -Is an inventory monitoring capability of SCCM 2007
Wake On LAN
The Wake On LAN feature helps to achieve a higher success rate for scheduled SCCM 2007 activities, reducing associated network traffic during business hours, and helps organizations to conserve power by not requiring computers to be left on for maintenance outside business hours. Wake On LAN in SCCM 2007 supports the following scenarios:
Security Modes
There are two security modes in SCCM 2007.Native mode is the recommended site configuration for new SCCM 2007 sites because it offers a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. PKIs can help companies meet their security and business requirements, but they must be carefully designed and implemented to meet the current and future needs. Installing a PKI solely to support SCCM 2007 operations could fulfill certain short term goals but could hamper a more extensive PKI rollout to support other applications at a later time. If your organization already has a well-designed, industry-standard PKI, SCCM 2007 should be able to use certificates from the existing PKI.
Backup and Recovery
Like any enterprise software, your site should be backed up to provide recoverability in case of unexpected events. Backing up a SCCM 2007 site involves backing up the database, the file system, and the registry all at the same point in time - backing up just one of these elements is not sufficient to restore a working site. SCCM 2007 uses the Volume Shadow Copy Service (VSS) to take small, frequent snapshots of the necessary components, making it easier to restore a failed site. The Site Repair Wizard walks you through the necessary steps to complete the site recovery.
Ports Used by SCCM-2007
- Port used for client to site system communication -port 80 (HTTP) and default HTTPS port 443
- Port used for Site Server to Site Server -SMB 445(Server Message Block) and its bi-directional