Getting Started with System Center Essentials 2007
At a Glance:
- Installing and upgrading
- Configuring Essentials 2007
- Troubleshooting steps
System Center Essentials 2007 is a new IT management solution specifically designed for midsize businesses with 50 to 500 PCs and 5 to 30 servers. Essentials 2007 came about in response to extensive feedback from IT professionals regarding their specific needs for a unified management solution. Essentials 2007 addresses those needs and enables you to get up and running quickly with a single install and easy configuration.
More specifically, Essentials 2007 delivers monitoring, troubleshooting, and asset tracking functionality to help keep your IT environment secure and up-to-date. Essentials 2007 also provides a unified management console, where you manage your servers, clients, hardware, software, and IT services (see Figure 1). In addition, Essentials can make complex management tasks like troubleshooting end-user issues, monitoring, and server and client software deployment simpler and more efficient.
Figure 1 The Essentials 2007 management console
Essentials 2007 Requirements
Before you start your Essentials 2007 installation and configuration, check to see that your systems meet the minimum software and hardware requirements. Your server operating system should be Windows Server® 2003 SP1 or R2 or Windows® Small Business Server 2003 SP1 or later. You will also need Active Directory®, IIS 6.0, the Microsoft® .NET Framework 2.0 and 3.0 or later, and SQL Server™ 2005 SP1. The server itself requires at least 1GB RAM, 12GB of free disk space, and a 1.8 GHz processor. A computer with 2GB RAM, 20GB of free disk space, and a 2.8 GHz or faster processor is recommended.
Managed client computers need to be running Windows 2000 Professional SP4, Windows XP SP2, or Windows Vista®. Both x86 and x64 operating systems are supported.
Managed server computers need to be running a Windows 2000 Professional SP4 or newer operating system. Both x86 and x64 operating systems are supported. Since many of you will probably want to monitor and manage your IT environment from your own desktop or laptop computer, you'll want to run the Essentials 2007 console-only installation on your machine. Before starting, just make sure it's running Windows XP SP2, Windows Vista, or Windows Server 2003 SP1.
Also, when you're planning your Essentials 2007 server configuration, allow enough disk space for handling update downloads and your reporting database. For updates, your update database can grow beyond 2GB and your update content can grow beyond 6GB. The Essentials operational and reporting databases can grow to 4GB. Plan accordingly so you don't run out of storage space.
Installing Essentials 2007
Setting up Essentials 2007 is straightforward because of its effective use of wizards that quickly guide you through critical tasks like installation and configuration, computer discovery, and update configuration. When you run the setup wizard, Essentials 2007 automatically checks for these prerequisites and lets you know if you're missing anything (see Figure 2).
Figure 2 Checking setup prerequisites
If a required item isn't on the Essentials 2007 disk, there's a link from the setup screen to the missing software for you to install. As you move through the setup wizard, you'll need to enter a path for the installation location of Essentials 2007 and information for an account with administrative privileges. Managing computers using Essentials 2007 can be a much simpler task if this account has administrator rights on the management server and all the managed computers. Essentials supports using a single account to perform tasks such as installing agents on managed computers.
If you don't currently have SQL Server 2005 installed and available to use with Essentials 2007, either locally or remotely, you can choose to have Essentials 2007 install SQL Server 2005 Express with Advanced Services locally during setup. This version of SQL Server is included on the Essentials 2007 disk. You can also purchase a version of Essentials 2007 with SQL Server 2005 Standard that's licensed specifically for use with Essentials 2007.
The only other major decision you need to make during installation is where you want Essentials 2007 to store your updates. You can store updates locally and they'll be delivered to the managed computers over the network from your Essentials 2007 server. This is probably the best choice, especially if Internet access tends to be a bottleneck for your network. Updates can also be downloaded directly from Microsoft Update each time a computer needs to be updated. Selecting this option means one update for 50 computers is downloaded 50 times, once to each computer. This can be cumbersome, but the advantage is that you use less disk space on your management server.
The baseline deployment topology supported by Essentials 2007 is to install all management components on a single server (see Figure 3). However, you can also choose to install the Essentials 2007 management console on the desktop or laptop computer in your office and remotely control the management server. Before you install the remote console, you must run the Feature Configuration Wizard on the Essentials 2007 server. This process establishes whether domain Group Policy or local Group Policy is used to configure the remote console. If you select domain Group Policy, make sure that enough time has passed for it to update on the computer on which you are installing the remote console. You can install multiple remote consoles if necessary.
Figure 3 Baseline Essentials 2007 configuration
If you manage an IT environment with more than 200 computers, you'll need to install SQL Server 2005 on a remote server (not on the Essentials 2007 management server) and use this remote instance as your Essentials 2007 database (see Figure 4). This will give you increased performance as you scale up. Just remember that this remote server must be in the same domain as the Essentials 2007 management server.
Figure 4 Using a remote SQL Server database
If you choose to use an existing SQL database instance during Essentials 2007 installation, you must make sure that SQL Server 2005 SP1 Reporting Services is installed and configured on the Essentials 2007 management server.
Upgrading to Essentials 2007
It's likely that you are already running Windows Server Update Services (WSUS) 2.0 or 3.0 to handle your Microsoft updates. If so, and you want to upgrade to Essentials 2007 for a more comprehensive management solution, Essentials allows you to upgrade during the setup process. This in-place upgrade preserves existing update information including binaries, groups, and approvals.
If you are using Microsoft Operations Manager (MOM) 2005 or MOM 2005 Workgroup Edition to monitor critical servers, but you want the added Essentials 2007 features for asset inventory, software distribution, and updating, you can easily migrate your management packs by exporting, converting, then importing them directly into Essentials 2007. Just like MOM 2005, Essentials 2007 makes use of management packs for monitoring computers and devices. The management packs also contain the information you need to successfully diagnose and resolve IT problems. If you don't want to completely migrate to Essentials 2007, you can maintain side-by-side operation to preserve mission-critical monitoring and migrate at your convenience.
Be forewarned that some WSUS settings are not preserved during the upgrade to Essentials 2007. You will lose information about computers, automatic approvals and settings, and any existing approvals for groups named All Clients or All Servers. So, delete All Clients and All Servers groups from WSUS before upgrading. Next, you'll have to re-create these approvals after Essentials 2007 setup completes.
Please note that you can't perform this upgrade from WSUS if the existing server has active downstream servers. Essentials 2007 does not support WSUS Upstream Server (USS) mode. Because this cannot be reliably detected, you will be warned if the WSUS server has downstream servers. Also, do not proceed with an upgrade if you are using WSUS 2.0 or 2.0 SP1 with a remote database server that is not running SQL Server 2005 SP1 to store WSUS data.
A backup copy of the current database is created automatically during the upgrade process. If the upgrade is not successful, you can restore the previous environment using the backup copy. Make sure you have sufficient space to back up the current WSUS database by checking the current database file size and confirming that enough space exists to make a copy.
Configuring Essentials 2007
Essentials 2007 provides many wizards that help you with configuration and management tasks. The Feature Configuration Wizard takes you for a quick walk through some configuration steps that would be difficult if you had to perform them manually, such as configuring Group Policy. Figure 5 shows the first page of the wizard.
Figure 5 Starting the Feature Configuration Wizard
If you want to use a proxy server when connecting to the Internet, one of the first steps is to enter the server name and port number. Next, you can choose a Group Policy type to configure managed computers—either local or domain Group Policy. You can also create a Windows Firewall Exception if you've chosen to use domain Group Policy to configure managed computers.
Next up is the optional step of enabling remote assistance of computers. This applies if you chose to use domain Group Policy to configure clients. Note that this creates a firewall exception on all managed computers to allow DCOM over TCP port 135.
You can choose whether to collect Agentless Error Monitoring from managed computers. If you select Yes and pick a location for storing the errors, then managed computers will send error reports to the Essentials 2007 server and you can view reports to see which applications are having problems.
There are options specifying whether to forward your error report to Microsoft, and whether to configure and send a Daily Health Report, which contains information about alerts, updates, software, and inventory. If you configure the Daily Health Report to be sent to you via e-mail, you can quickly determine what is going on in your IT environment when your workday begins.
Finally, you can choose to set daily scheduled discovery of new computers. I would recommend selecting this option as it tells Essentials 2007 to run a daily scan of Active Directory for new computers and configure them to be managed automatically.
Running the Computer and Device Management Wizard configured for automatic computer discovery prompts the Essentials 2007 server to query Active Directory and discover all listed computers in the domain to be managed (see Figure 6). If you select the Advanced discovery option, you can filter discovered devices by types such as clients only or network devices, search within an IP address range, or create advanced queries. I would recommend selecting Automatic computer discovery and running that first to discover all clients and all servers. Since Essentials 2007 also monitors Simple Network Management Protocol (SNMP)-enabled network devices, you can then run the wizard again in the advanced mode and discover network devices.
Figure 6 Starting the Computer and Device Management Wizard
If your network is larger than approximately 300 computers, you should probably choose Advanced discovery and provide more specific criteria to locate your computers. When specifying an Administrator account, ensure the account has administrative privileges on the computers you want to discover and on which you want to install agents. Once discovery is complete, choose the computers you want to manage and click Finish.
If you've used WSUS, some of the settings in the Update Management Configuration Wizard will be familiar to you. If a proxy server is required when connecting your server to the Internet, enter the Proxy server settings. Select the products for which you want to download and deploy updates, then select the languages you need for updates (the language of the server is the default). Select the categories of updates you want to download and deploy (Critical Updates, Security Updates, and Service Packs are the default). Select which, if any, categories of updates you want to automatically approve and for which groups (Critical and Security Updates for the All Computers group is the default). Finally, set the schedule for synchronizing updates (daily is the default).
If you can log on with Domain Administrator or Group Policy Administrator credentials when configuring Essentials 2007, you should select domain Group Policy to configure managed computers; this makes configuration much easier. If you select domain Group Policy, you can automate configuration of Windows Firewall and Remote Assistance settings on all managed computers. This option directs Essentials 2007 to create the policy configurations for you. If you select local policy, you'll have to perform quite a bit of manual configuration.
There are several things to consider when troubleshooting problems with computer discovery, agent deployment, and communication. First, here's a quick look at how the computer discovery process works. Essentials 2007 takes your search input parameters and creates a Lightweight Directory Access Protocol (LDAP) query (LDAP is the query language used to search for objects in Active Directory). The LDAP query is then passed to the local domain controller as a search task, and Active Directory returns the results to the management server. The management server then tries to connect to each computer in the returned list to confirm that it can communicate with the discovered computers so management agents can be installed. Once a computer is verified, it is added to the list of discovered computers for you to manage.
Be aware, however, that the Essentials 2007 server may not be able to discover computers if there are issues with Active Directory, the network and DNS, or verification.
Open the Active Directory Users and Computers management console to see if the computer is listed. This tool is installed by default on Windows Server 2003 and can be installed on Windows XP Professional from the Windows Server 2003 Administration Pack. Select the Saved Queries folder, right-click on it, point at New, then click Query. Enter a name for the query, then click the Define Query button. Click the dropdown list marked Find and select Computers. Enter the name or search prefix and click OK a few times to generate the query.
Now verify that the computer appears in the list of results. If not, add the computer to Active Directory. Make sure the DNSHostname property is set correctly for the computer; this property can be found on the General tab of the computer's property dialog in the Active Directory Users and Computers management console.
If you need to contact a computer through the network, use the ping command to try reaching the computer using the same name provided to the discovery wizard. If the machine responds to a ping command, run ping with the -a switch and the IP address:
ping -a <IP address>
This command will display the DNS name of the machine; it should match what was used in the original ping command. Use this command to see the registered NetBIOS name and domain for the computer:
nbtstat -a <computer name>
This will accomplish the same task with the IP address of the machine:
nbtstat -A <IP address>
The nbtstat switch is case-sensitive: use -a with the computer name and -A with the IP address. If the machine does not respond to a ping request or fails a remote agent install with the message "RPC Service Unavailable," then Windows Firewall is turned on. In the event that a firewall is enabled in the Essentials 2007 deployment environment, exceptions must be created so that the Essentials 2007 management server can successfully install agents on managed computers and so that managed computers can communicate with the management server. (When using a managed computer, you do not need to create any firewall exceptions manually if you are using domain Group Policy rather than local Group Policy.)
If the agent installation fails, navigate to the Administration space (the gold cog in the lower-left corner of the main Essentials 2007 management console next to the Reporting navigation button), then click Pending Management. This view will provide troubleshooting steps, as well as offering you the ability to re-push the agent to computers that failed to install on first try.
Make sure you allow up to several hours for the firewall policy to be applied to all of the computers to be managed. If you run the Feature Configuration Wizard, select domain Group Policy, and then run the Computer and Device Management Wizard, all in quick succession, the firewall policy may not have had a chance to be applied to the computers you are discovering, and discovery will fail if the firewall is still enabled.
One way to see whether an agent can be successfully pushed to a computer is to try to telnet to that computer from the management server. If you can telnet via port 135 from the management server to the computer, you are ready to go. If not, the firewall on that computer may be blocking TCP port 135. To run telnet, just launch a command window and type:
telnet <computer_name> 135
This will connect you to the computer name you specify with telnet via port 135. Port 135 is important because that's the port you use when installing the agent remotely.
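The manual checks above (the computer is listed in Active Directory with a DNSHostname, the name from ping -a matches, and TCP port 135 answers) can be run for many computers at once. The following PowerShell script is an added example, not part of the original article or of Essentials 2007; the name prefix, the LDAP filter and the function names are assumptions, and it reproduces the article's troubleshooting steps rather than the product's internal verification.

```powershell
# Added example: pre-flight check for discovery and agent push.
# Run on the management server with an account that can read Active Directory.
param(
    [ValidatePattern('^[A-Za-z0-9-]*$')]   # keeps the prefix safe to embed in an LDAP filter
    [string]$NamePrefix = 'WKS',           # constructed sample prefix, replace with your own
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)       # throws if the connection was refused
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Test-DiscoveryTarget {
    param([string]$Name, [string]$DnsHostName, [int]$TimeoutMs)
    $r = New-Object PSObject -Property @{
        Name = $Name; DnsHostName = $DnsHostName; Address = ''; ReverseName = ''; Finding = 'OK'
    }
    if (-not $DnsHostName) { $r.Finding = 'dNSHostName is empty in Active Directory'; return $r }
    try {
        # Forward lookup of the name that discovery would use
        $ip = [System.Net.Dns]::GetHostAddresses($DnsHostName) | Select-Object -First 1
        $r.Address = $ip.ToString()
    } catch { $r.Finding = 'Name does not resolve in DNS'; return $r }
    try {
        # Reverse lookup, the same name "ping -a <IP address>" reports
        $r.ReverseName = [System.Net.Dns]::GetHostEntry($ip).HostName
    } catch { $r.Finding = 'No reverse name for the address'; return $r }
    if ($r.ReverseName -ne $DnsHostName) {
        $r.Finding = 'Reverse DNS name differs from dNSHostName'
    } elseif (-not (Test-TcpPort $DnsHostName 135 $TimeoutMs)) {
        $r.Finding = 'TCP 135 unreachable, check the Windows Firewall exception'
    }
    return $r
}

# LDAP search for computer objects by name prefix (assumed filter; the
# wizard's exact query is not shown in the article)
$searcher = [adsisearcher]"(&(objectCategory=computer)(name=$NamePrefix*))"
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]('name', 'dnshostname'))
$searcher.FindAll() | ForEach-Object {
    $name = [string]($_.Properties['name'] | Select-Object -First 1)
    $dns  = [string]($_.Properties['dnshostname'] | Select-Object -First 1)
    Test-DiscoveryTarget -Name $name -DnsHostName $dns -TimeoutMs $TimeoutMs
} | Format-Table Name, DnsHostName, Address, ReverseName, Finding -AutoSize
```

Each row reports the first check that failed, in the same order as the troubleshooting steps; a row marked OK is listed in Active Directory, resolves consistently in both directions and accepts a connection on port 135.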
If this doesn't work, make sure that the proper Windows Firewall exceptions have been created to allow agent deployment and communication with the management server. If not, you need to create the port exceptions shown in Figure 7. For all these exceptions, limit scope to the Essentials 2007 management server's IP address using the Custom list option.
Figure 7 Port exceptions
If your computers use firewall software from a third-party manufacturer, you should refer to the documentation for that product on how to create exceptions. However, the port exceptions listed in Figure 7 still apply.
If the NetBIOS name and fully qualified domain name (FQDN) do not match, then the DNS records for the machine must be corrected. If the agent installs, but fails to contact the management server, connect via Terminal Services or Remote Desktop to the agent computer and use the ping and nbtstat commands to verify that the agent can resolve the NetBIOS and FQDN names of the management server.
If the IP address of the Essentials 2007 management server is dynamically assigned, you must update firewall policies on managed computers when the IP address changes. To update firewall exceptions for a new management server IP address, enable the following two policy settings in Group Policy Object Editor, and configure them as I describe here. For "Windows Firewall: Allow remote administration exception," set "Allow unsolicited incoming messages from" to the new IP address of the Management Server. For "Windows Firewall: Allow file and printer sharing exception," set "Allow unsolicited incoming messages from" to the new IP address of the Management Server.
I hope you find the information in this article helpful in getting started with System Center Essentials 2007. For more information about this new System Center product, go to microsoft.com/sce.
Just remember that there's no substitute for careful planning before deployment. In this case, you'll be deploying a brand new solution to manage your IT environment, so you need to take some time to think about your current network configuration, the way your users work, and the way you want to manage your IT resources. Considering these things first will help you successfully configure Essentials 2007 for your needs.
David Mills has been with Microsoft for seven years and is the Senior Technical Product Manager for System Center Essentials 2007. Before joining the System Center Marketing team, David led User Assistance teams in the Windows Server division shipping IT professional technical documentation for Core Networking and Management technologies.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited