System Center

SMS Evolved: A Powerful New Solution to Manage Your Systems

John Orefice


At a Glance:

  • Operating system deployment
  • Software update management
  • Desired configuration management

Systems Management Server (SMS) 2003 has become an important configuration management and software delivery tool for administrators around the world. Now Microsoft is preparing to introduce a new version of its enterprise management solution, and the new version brings both new capabilities and a new name: System Center Configuration Manager 2007.

System Center is a family of Microsoft products designed to work together in making the day-to-day management of your complex IT infrastructure both easier and more cost-effective. System Center solutions are based on automation and best practices derived from the Microsoft® Operations Framework (MOF) and Information Technology Infrastructure Library (ITIL), and can be used at all levels of an organization.

Configuration Manager 2007 is just one part of the System Center family. System Center Data Protection Manager provides enterprise system backup and recovery. System Center Operations Manager gives you proactive system monitoring and automation. System Center Capacity Planner can be used for capacity planning and what-if analysis of infrastructure deployments. And the list continues to grow (have a look at www.microsoft.com/systemcenter for more information).

In this article I will walk you through several of the new and enhanced features planned for Configuration Manager 2007, based on the most recent beta release. I'll give you a broad look at what you can expect in this exciting release and I hope to get you thinking about how Configuration Manager will be able to save your organization time and money.

New Administrative User Interface

Since SMS 1.0, one of the most frequently requested new features in SMS has been a new and improved UI. Microsoft is answering that request by making several improvements to the System Center Configuration Manager 2007 administrative UI. To enable these new features, the new console in Configuration Manager 2007 is built with C# and the Microsoft .NET Framework, and it runs on top of Microsoft Management Console (MMC) 3.0 technology. In addition, like SMS 2003, the UI is extensible via an SDK so that users of the console can create their own add-ons to meet their individual needs.

Figure 1 shows the new console with the Computer Management node expanded, depicting all of the new management functions available. In addition, take note of the new appearance of the SMS Site Configuration section, which outlines common tasks that need to be completed before Configuration Manager will be operational after installation. The Links and Resources section contains relevant tasks that reduce the time it takes to navigate throughout the console for common functions.

Figure 1 Configuration Manager administration interface

Some of the benefits and features enabled by this new console are multiple item selection and drag and drop (great for collection management), search folders for organizing items in the console virtually rather than physically, the Actions pane for performing tasks appropriate to the current section, the Preview pane for viewing summary information on a specific item (for example, an operating system image), homepages for summarizing information on a particular topic such as software deployment, and an improved organizational structure to greatly simplify navigation.

As noted, the Actions pane is one of the major enhancements inside the newly revamped console. It provides a way to see the actions that are contextually appropriate for the section of the console you are currently using. For example, if you are viewing the All Systems collection, the Actions pane will have actions such as Update Collection Membership and Install Agent (see Figure 2).

Figure 2 Available actions are specific to the current view

In addition, Configuration Manager 2007 introduces a new concept called homepages, which give you the ability to very quickly review the status of a specific function such as Software Updates, Software Distribution, or Desired Configuration Management. You can do this within the console without running reports or looking elsewhere for the data. Look for more examples of homepages throughout this article as I outline the different features of the product.

Server Roles and Distribution Points

Configuration Manager 2007 introduces several new server roles to enable some of the new features I'll discuss here. These include the Fallback Status Point (FSP), the PXE Service Point (PSP), the Branch Office Distribution Point (DP), the State Migration Point (SMP), the Software Update Point (SUP), and the System Health Validator (SHV). As with all SMS and Configuration Manager server roles, these roles can be hosted on the same server as long as appropriate capacity planning exercises are performed.

The Branch Office DP is important and differs from the traditional DP for two reasons. First, it doesn't have to be installed on a server operating system—it can be installed on Windows Vista® or Windows® XP. It is the only Configuration Manager role that can be installed on a client operating system. This is great for a branch office without a local server or in cases where an IT department wants to remove servers from smaller branch offices to save money and reduce administrative overhead. In these cases where there are only machines running Windows XP or Windows Vista, the Branch Office DP can be used to reduce WAN traffic by ensuring that clients are not pulling packages from across the WAN when they are made available locally.

The second way that the Branch Office DP differs from a standard DP is in how it receives content from other DPs. Replication of package data to traditional distribution points is neither throttled nor scheduled unless it is going from a primary site to a secondary site. Because of this, many organizations only replicate packages to branch offices at night, delaying software distribution until those packages are available locally.

The Branch Office DP uses the Background Intelligent Transfer Service (BITS) to download content from other DPs. This is ideal for throttling bandwidth over a WAN link between a branch office and a DP sitting in the central datacenter, especially when there is no Configuration Manager secondary site located at the branch office. Figure 3 shows the new DP Properties dialog box used to make a standard DP into a Branch Office DP.

Figure 3 Configuring a Branch Office DP

SMS 2003 introduced a replication technology that allowed for file delta replication of packages from a site server to a distribution point. This technology worked well for SMS packages that were composed of several smaller files. If, for example, an SMS administrator needed to make a change to just one file, or to several smaller files in a larger SMS package, only those changed files in the package were replicated rather than the whole package.

As operating system deployment becomes more mainstream in Configuration Manager 2007, you'll want to make sure that replicating operating system image packages and other larger packages throughout your infrastructure and over WAN links happens as efficiently as possible. With that goal in mind, Configuration Manager 2007 introduces binary delta replication from site server to site server, from site servers to DPs, and from DPs to Branch Office DPs.

For example, start with a new Windows Vista deployment image that has several applications preinstalled. This package may be 6GB in size and, because it's a Windows Imaging Format (WIM) image, it is also a single 6GB file. In SMS 2003, if that WIM image was opened to change a setting or to add a newly released 2MB patch, the entire 6GB package had to be replicated to the DPs, because the file delta replication described above only helps when a package is made of many files and the image is one file. With binary delta replication in Configuration Manager 2007, changing a setting or adding a single patch to the WIM image package sends only the changed bytes (roughly the 2MB of the patch) throughout the infrastructure rather than the entire 6GB.
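To make the delta idea concrete, here is an added illustration; it is not Configuration Manager code and not the product's actual algorithm, which the article does not describe. It compares a package against the receiving DP's copy in fixed-size blocks, ships only the blocks whose hash changed, and has the receiver verify the reassembled file against a whole-file hash before accepting it. The block size, the stand-in image bytes and the patch are constructed for the example. Fixed offsets are enough to show the saving when bytes change in place; an insertion that shifts the rest of the file would need content-defined chunking (the rsync approach) to get the same benefit.

```python
import hashlib
import random

BLOCK_SIZE = 4096  # assumption for the illustration; the product's real granularity is not stated


def block_hashes(data: bytes, block: int = BLOCK_SIZE) -> list:
    """SHA-256 of each fixed-size block, as the receiving DP would report for its current copy."""
    return [hashlib.sha256(data[i:i + block]).hexdigest() for i in range(0, len(data), block)]


def build_delta(old: bytes, new: bytes, block: int = BLOCK_SIZE) -> dict:
    """Sender side: keep only the blocks of `new` whose hash differs from the receiver's copy."""
    old_hashes = block_hashes(old, block)
    changed = {}
    for offset in range(0, len(new), block):
        chunk = new[offset:offset + block]
        index = offset // block
        if index >= len(old_hashes) or hashlib.sha256(chunk).hexdigest() != old_hashes[index]:
            changed[index] = chunk
    return {
        "length": len(new),
        "block": block,
        "blocks": changed,                              # block index -> bytes to write
        "sha256": hashlib.sha256(new).hexdigest(),     # whole-file check for the receiver
    }


def apply_delta(old: bytes, delta: dict) -> bytes:
    """Receiver side: patch the local copy, then refuse the result unless the whole-file hash matches."""
    block = delta["block"]
    out = bytearray(old[:delta["length"]])              # truncate if the new file shrank
    out.extend(b"\x00" * (delta["length"] - len(out)))  # grow if it got longer
    for index, chunk in delta["blocks"].items():
        out[index * block:index * block + len(chunk)] = chunk
    result = bytes(out)
    # The hash only catches corruption or a mismatched base copy; authenticity of the
    # delta itself needs a signature from the sender, which this example does not show.
    if hashlib.sha256(result).hexdigest() != delta["sha256"]:
        raise ValueError("reassembled package does not match the sender's hash; discard it")
    return result


def delta_size(delta: dict) -> int:
    """Bytes that actually cross the WAN (payload only; framing is ignored)."""
    return sum(len(chunk) for chunk in delta["blocks"].values())


def make_sample() -> tuple:
    """Constructed data: a 256 KiB stand-in for a WIM image and a copy with 8 KiB patched in the middle."""
    rng = random.Random(2007)
    image = bytes(rng.getrandbits(8) for _ in range(256 * 1024))
    patch = bytes(rng.getrandbits(8) for _ in range(8 * 1024))
    start = 100 * 1024
    patched = image[:start] + patch + image[start + len(patch):]
    return image, patched


if __name__ == "__main__":
    old_image, new_image = make_sample()
    delta = build_delta(old_image, new_image)
    print(f"full package: {len(new_image)} bytes, delta: {delta_size(delta)} bytes "
          f"({len(delta['blocks'])} of {len(new_image) // BLOCK_SIZE} blocks)")
    assert apply_delta(old_image, delta) == new_image
```

With the constructed sample, two of sixty-four blocks change, so 8 KiB crosses the link instead of 256 KiB; the same ratio is what turns a 6GB image refresh into a few megabytes of replication traffic.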

Common Processes for Mobile Devices

Shortly after the release of SMS 2003, Microsoft released the Device Management Feature Pack (DMFP) for managing Windows CE and Pocket PC mobile devices. As mobile devices become more pervasive within enterprise organizations, the need to manage them becomes a higher priority. Given this trend, Configuration Manager 2007 improves upon the SMS 2003 DMFP and delivers a great new integrated solution for managing mobile devices including Windows Mobile® smartphones and Pocket PC phones, much as you would manage servers, laptops, and desktop computers.

Basic management of mobile devices includes hardware and software inventory, file collection capabilities, software distribution, and settings for password and security policy management. Using Configuration Manager 2007 Internet-Based Client Management, all devices can now be managed on your intranet as well as over the Internet. This is great for smartphones or other devices that are very rarely, if ever, on the corporate LAN.

The process for deployment of the agent has been enhanced as well. Over-the-air client upgrades are now supported and client distribution can be automated via the Configuration Manager console.

Maintenance Windows

Many of the enterprise customers I work with have predefined maintenance windows for both servers and certain mission-critical desktops. In addition, they regularly ask for advice on how to deploy larger applications such as the 2007 Microsoft Office system, without interrupting the end user during typical business hours.

Configuration Manager 2007 introduces a new feature called maintenance windows. This allows you to define windows of time during which installations can occur for a particular collection. This gives you the freedom to make an advertisement mandatory without worrying about the repercussions of the package being installed during normal business hours or during times that are inconvenient for the users.

As an example, consider a 2007 Office system package deployment. You want to push this application out to your end users as quickly as possible, but you do not want the push to interfere with work during the day. You set the maintenance window to the timeframe during which the system may perform the installation, perhaps 8:00 P.M. to 6:00 A.M. If, for whatever reason, the system is not available during this window on a particular day, Configuration Manager waits until the next occurrence of the window so that business is not interrupted unexpectedly. You also have the option to ignore maintenance windows at the advertisement level, allowing you to deploy a critical update as soon as possible despite any restrictions that may be in place.
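The scheduling decision the paragraph describes, as an added example that is not part of the original article and not the product's own scheduler: daily recurring windows (including ones that cross midnight), a program that must fit entirely inside one occurrence of a window (an assumption made here so that a long install is never started just before the window closes), the advertisement-level override, and a client that was switched off during its first eligible window. Dates and the 90-minute run time are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass(frozen=True)
class MaintenanceWindow:
    """A daily recurring window; `end <= start` means it runs past midnight (20:00 to 06:00)."""
    start: time
    end: time

    def occurrence_on(self, day: datetime) -> tuple:
        opens = datetime.combine(day.date(), self.start)
        closes = datetime.combine(day.date(), self.end)
        if closes <= opens:
            closes += timedelta(days=1)
        return opens, closes


def next_install_time(now: datetime, windows: list, run_minutes: int,
                      ignore_windows: bool = False, horizon_days: int = 7) -> Optional[datetime]:
    """Earliest moment at or after `now` when the program may start.

    The install must fit inside one window occurrence (assumption for this illustration);
    an advertisement flagged to ignore maintenance windows runs immediately.
    Returns None when no occurrence within `horizon_days` is long enough.
    """
    if ignore_windows or not windows:
        return now
    run = timedelta(minutes=run_minutes)
    candidates = []
    # start one day back: a window that crossed midnight yesterday may still be open now
    for day_offset in range(-1, horizon_days + 1):
        day = now + timedelta(days=day_offset)
        for window in windows:
            opens, closes = window.occurrence_on(day)
            start = max(opens, now)
            if start + run <= closes:
                candidates.append(start)
    return min(candidates) if candidates else None


def schedule_rollout(first_attempt: datetime, windows: list, run_minutes: int,
                     offline_until: Optional[datetime] = None) -> Optional[datetime]:
    """Simulate a client that was off during its planned slot and came back at `offline_until`."""
    planned = next_install_time(first_attempt, windows, run_minutes)
    if offline_until is not None and planned is not None and planned < offline_until:
        # the client missed that occurrence; re-evaluate from the moment it came back
        planned = next_install_time(offline_until, windows, run_minutes)
    return planned


if __name__ == "__main__":
    # Constructed scenario: a 90-minute Office install, window 8:00 P.M. to 6:00 A.M.
    night = [MaintenanceWindow(time(20, 0), time(6, 0))]
    policy_arrives = datetime(2008, 3, 4, 14, 0)
    print("planned:", next_install_time(policy_arrives, night, 90))
    print("client off overnight:", schedule_rollout(policy_arrives, night, 90,
                                                    offline_until=datetime(2008, 3, 5, 9, 0)))
    print("critical, windows ignored:", next_install_time(policy_arrives, night, 90, ignore_windows=True))
    print("11-hour job never fits:", next_install_time(policy_arrives, night, 11 * 60))
```

The last line is the caveat worth remembering when sizing windows: a program whose maximum run time exceeds every window never starts, and nothing in the client will tell the user why.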

Operating System Deployment

Operating system deployment functionality is the single largest focus area for Configuration Manager 2007. Microsoft has designed Configuration Manager to be the primary means to deploy operating systems for both server and workstation platforms. The best features from the SMS 2003 Operating System Deployment (OSD) Feature Pack were integrated into Configuration Manager 2007 to fundamentally change the way that OS deployments are managed.

As you may know, Windows Vista introduced a new Windows Imaging (WIM) format for operating system deployment. There are several benefits to using this format, starting with the fact that Configuration Manager 2007 imports the WIM image format natively so that administrators can work on the images and deploy them directly from the console.

Another important new deployment feature in Configuration Manager is the integrated Task Sequencer. If you're familiar with the Microsoft Solution Accelerator for Business Desktop Deployment (BDD), you'll find many similarities with the features and options available to you in Configuration Manager, but with one major difference: no longer will you need to write scripts for deploying or capturing operating system images. And by taking advantage of the Task Sequencer, the operating system deployment process becomes completely hands-off.

The Task Sequencer can help lay out all of the steps that you need to execute throughout your OS deployment, including steps executed in the older OS prior to deployment (user state migration and application settings transfer), steps to deploy the new operating system (formatting, disk partitioning, product key, user name, company, licensing settings, drivers installation), and steps required after the new system is deployed (additional application installation, update installation, user state migration). As an example of this functionality, Figure 4 shows the Task Sequence Editor highlighting some of the features you can take advantage of in a Windows Vista deployment.

Figure 4 Editing steps for an operating system deployment

In addition to the Task Sequencer, there are several other enhancements to operating system deployment in Configuration Manager 2007, as outlined in Figure 5. For example, Configuration Manager supports bare-metal deployment with Pre-Boot Execution Environment (PXE) for x86 and x64 platforms with device driver management. The device driver management option allows your organization to significantly reduce the number of images that need to be maintained for different kinds of hardware. Combined with the single-image support introduced with the Windows Vista WIM image format, you are almost guaranteed to save time and money when you are doing operating system deployments.

Figure 5 Operating system deployment features

Scenario                        | SMS 2003                                                   | Configuration Manager 2007
End-to-end deployment           | Yes                                                        | Yes
Fully automated                 | Yes                                                        | Yes
Wipe-and-load upgrade           | Yes                                                        | Yes
Bare-metal deployment with PXE  | Loose integration with Remote Installation Services (RIS)  | Built-in integration with Windows Deployment Services (WDS)
Side-by-side                    | BDD scripts                                                | Yes, via built-in State Migration Point
Full offline deployment         | No                                                         | Yes
Windows Vista upgrade planning  | No                                                         | Yes
Full server deployment          | No                                                         | Yes
Device driver management        | No                                                         | Yes

Software Update Management

Like many other features in Configuration Manager 2007, software update management has been dramatically revamped. Configuration Manager separates the way that updates and regular packages are pushed to a managed agent by creating a new state-based high-priority channel for all software updates and desired configuration management information. No longer will pushing another software package interfere with pushing software updates or receiving patch status from managed workstations, laptops, or servers.

The state-based method for software update management also means that patch and update status is no longer tied to hardware inventory scans and, as a result, the current Inventory Tool for Microsoft Updates (ITMU) and scan catalog will no longer be needed. Instead, Configuration Manager uses the new Software Update Point (SUP) server role running Windows Server Update Services (WSUS) on the back end as its software update engine and database.

WSUS enables you to have one central location for all update management in Configuration Manager. This gives you the ability to download all content available on Microsoft Update including non-critical updates, drivers, and other software packages for the Microsoft platform. In addition, Microsoft is also encouraging its partners to release software updates via this method. Adobe and Citrix are just two of the companies that are currently publishing manifests for the Inventory Tool for Custom Updates (ITCU) in SMS 2003 R2 and plan to do so for Configuration Manager moving forward.

This new software update engine also provides near real-time update status to enable better reporting and enhanced homepage views. These customized views can show you quick graphical charts of patch status throughout an IT infrastructure or for a specific collection of computers. Figure 6 shows how easy it is to view patch compliance data for a specific bulletin via one of the new homepage views customized for software update management.

Figure 6 Viewing software update status

Finally, software update deployment templates dramatically reduce the number of steps required to push new updates to a system or collection. By using software update deployment templates to store common configuration information such as whether to force a restart or whether the client should download patches from the DP locally before executing the installation, this feature reduces the number of steps from the 18 required with the ITMU in SMS 2003 down to just 6 in Configuration Manager 2007.

Desired Configuration Management

Configuration management is another terrific feature that has been greatly improved in Configuration Manager 2007. SMS 2003 Desired Configuration Monitoring was released in the fall of 2006 and provided many of the key features that are included in Configuration Manager 2007 Desired Configuration Management. For background on Desired Configuration Monitoring, see the TechNet Magazine article at microsoft.com/technet/technetmag/issues/2006/09/HighStandards. Figure 7 depicts the Desired Configuration Management homepage showing compliance for two specific configuration baselines.

Figure 7 Reporting desired configuration baseline compliance

The key driver for Desired Configuration Management in Configuration Manager comes from a significant amount of research with Microsoft customers showing that most service outages are caused by operating system or application misconfiguration on mission-critical servers and desktops. By using the Desired Configuration Management functionality in Configuration Manager, administrators can quickly catch configuration drift by running periodic baseline scans on systems. These baselines are created using configuration items (CIs) and provide compliance information for a collection of computers in your organization.

In addition to catching configuration drift, Desired Configuration Management can help with both regulatory compliance reporting and change verification. In most organizations, chances are good that you have a need for regulatory compliance reporting such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). Configuration Manager 2007 can help provide you with the reports you need through Desired Configuration Management.

Here's how Desired Configuration Management works. An administrator will define CIs—units of configuration that can be detected, applied, and removed from computers. Once these CIs are defined, you can create a configuration baseline that is made up of one or more of these CIs. These baselines are then assigned to Configuration Manager collections for compliance monitoring and regulatory reporting.

The CIs can look at several different aspects of a computer to gather information, including Active Directory®, file metadata, script results, data stored in SQL Server™, software update data, WMI, XML, registry values, IIS metadata, and Microsoft Installer presence and configuration. The information gathered from these different locations is stored in the Configuration Manager database and used to verify whether a system is in compliance.
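The CI-to-baseline-to-collection model just described, as an added example that is not part of the original article and not the product's own engine: each configuration item is a detection rule over a host snapshot, a baseline is an ordered list of items, and evaluating a baseline over a collection yields per-host failures plus the compliance percentage the homepage would chart. The two registry settings (SMB signing under LanmanServer, and LmCompatibilityLevel under Lsa) are real Windows values chosen because drift in them is security-relevant; the host snapshots, the agent file path and version, and the service states are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ConfigurationItem:
    name: str
    severity: str                      # carried into the report; "error" or "warning" here
    check: Callable[[dict], bool]      # True when the host snapshot satisfies the item


# --- detection rules over a host snapshot (a constructed dict standing in for registry/WMI/file data)

def registry_value_equals(key: str, value_name: str, expected) -> Callable[[dict], bool]:
    return lambda host: host.get("registry", {}).get((key, value_name)) == expected


def registry_value_at_least(key: str, value_name: str, minimum: int) -> Callable[[dict], bool]:
    def check(host: dict) -> bool:
        value = host.get("registry", {}).get((key, value_name))
        return isinstance(value, int) and value >= minimum   # a missing value is drift, not a pass
    return check


def file_version_at_least(path: str, minimum: str) -> Callable[[dict], bool]:
    def parse(version: str) -> tuple:
        return tuple(int(part) for part in version.split("."))
    def check(host: dict) -> bool:
        version = host.get("files", {}).get(path)
        return version is not None and parse(version) >= parse(minimum)
    return check


def service_start_mode_is(service: str, expected: str) -> Callable[[dict], bool]:
    return lambda host: host.get("services", {}).get(service) == expected


LANMAN = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
AGENT = r"C:\Program Files\Contoso\agent.exe"   # constructed path for the example

SERVER_BASELINE: List[ConfigurationItem] = [
    ConfigurationItem("SMB signing required", "error",
                      registry_value_equals(LANMAN, "RequireSecuritySignature", 1)),
    ConfigurationItem("NTLMv2 only (LmCompatibilityLevel >= 3)", "error",
                      registry_value_at_least(LSA, "LmCompatibilityLevel", 3)),
    ConfigurationItem("Agent binary at or above approved build", "warning",
                      file_version_at_least(AGENT, "4.2.0.0")),
    ConfigurationItem("Telnet service disabled", "error",
                      service_start_mode_is("TlntSvr", "Disabled")),
]


def evaluate_host(baseline: List[ConfigurationItem], host: dict) -> dict:
    failed = [(ci.name, ci.severity) for ci in baseline if not ci.check(host)]
    return {"compliant": not failed, "failed": failed}


def collection_report(baseline: List[ConfigurationItem], hosts: Dict[str, dict]) -> dict:
    per_host = {name: evaluate_host(baseline, snapshot) for name, snapshot in hosts.items()}
    compliant = sum(1 for result in per_host.values() if result["compliant"])
    total = len(per_host)
    failures_by_ci: Dict[str, int] = {}          # which item drifts most tells you what to fix first
    for result in per_host.values():
        for ci_name, _ in result["failed"]:
            failures_by_ci[ci_name] = failures_by_ci.get(ci_name, 0) + 1
    return {"total": total, "compliant": compliant,
            "percent": round(100.0 * compliant / total, 1) if total else 0.0,
            "per_host": per_host, "failures_by_ci": failures_by_ci}


# Constructed collection: one compliant host, one with a security setting rolled back, one stale build.
SAMPLE_COLLECTION: Dict[str, dict] = {
    "SRV01": {"registry": {(LANMAN, "RequireSecuritySignature"): 1, (LSA, "LmCompatibilityLevel"): 5},
              "files": {AGENT: "4.2.1.0"}, "services": {"TlntSvr": "Disabled"}},
    "SRV02": {"registry": {(LANMAN, "RequireSecuritySignature"): 0, (LSA, "LmCompatibilityLevel"): 5},
              "files": {AGENT: "4.2.1.0"}, "services": {"TlntSvr": "Disabled"}},
    "SRV03": {"registry": {(LANMAN, "RequireSecuritySignature"): 1, (LSA, "LmCompatibilityLevel"): 3},
              "files": {AGENT: "4.1.9.0"}, "services": {"TlntSvr": "Manual"}},
}

if __name__ == "__main__":
    report = collection_report(SERVER_BASELINE, SAMPLE_COLLECTION)
    print(f"{report['compliant']}/{report['total']} compliant ({report['percent']}%)")
    for host, result in report["per_host"].items():
        print(host, "OK" if result["compliant"] else result["failed"])
```

Note the design choice in every rule: a value that cannot be read counts as non-compliant. A baseline that treats "no data" as a pass will report a host as compliant precisely when its agent or inventory is broken, which is the case you most want to see.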

As an interesting note, the Desired Configuration Management process and the process for pushing new updates through Configuration Manager 2007 are now fully integrated. As with the new software update engine, all Desired Configuration Management data is using the state-based high-priority channel. The integration of these two mission-critical features allows an administrator to define a new Desired Configuration Management baseline or update an existing one with new updates as part of the update deployment process.

Internet-Based Client Management

Have you ever had a computer disconnected from the network for so long that the computer object inside SMS became obsolete? Based on conversations with my customers, this seems to happen far too often. Fortunately, Configuration Manager 2007 introduces new Internet-based client management. This feature works much like the way Microsoft Office Outlook® communicates with Exchange Server over HTTPS without a virtual private network (VPN). If you're not familiar with that scenario, it simply means you get authenticated, encrypted communication with client machines without requiring the complication of a VPN connection.

Internet-based client management enables you to manage computers on the Internet with the same level of control as computers on the intranet. In fact, all features discussed in this article will work with Internet-based client management except for operating system deployment, wake-on-LAN, and remote tools since they use different ports for communication and cannot be tunneled over SSL or TLS. Some great examples of situations where Internet-based client management comes into play are point-of-sales devices for restaurants, retail stores, and gas stations; employees' home computers; and road warriors such as a distributed sales force or team of consultants.

There are some requirements you'll need to put in place before enabling Internet-based client management in your Configuration Manager 2007 infrastructure. First, you'll need a Public Key Infrastructure (PKI) to issue digital certificates to all agents managed by Configuration Manager. This enables mutual authentication between the Configuration Manager servers and all management agents, so that the data you receive is both encrypted in transit and known to come from a trusted client. Plan the certificate lifecycle (renewal and, where your PKI supports it, revocation) as part of this work; an expired client certificate is one of the failures the fallback status point described next exists to report. You will also need an SSL terminator to work as the connection point between the Configuration Manager servers and all Internet-based clients. Microsoft Internet Security and Acceleration (ISA) Server 2006 is a software-based solution that meets these requirements.

Internet-based client management is where the new Fallback Status Point (FSP) server role is used. Should any of your Internet-based agents fail to communicate correctly, or should a certificate expire, the agent reports the problem to the fallback status point in your organization's perimeter network, so a client that can no longer talk to its management point still shows up in your reports instead of silently going dark. Because the fallback status point must accept reports from clients whose certificates are broken, it listens over plain HTTP and accepts unauthenticated state messages; treat it as an untrusted-input service, keep it off the site server, and expose only the port it needs. In addition, clients can roam automatically between Internet-based management and intranet-based management to use the appropriate resources at the appropriate times.

Other New Features

Although not seen as a mission-critical feature, wake-on-LAN is an extremely valuable one to have in an administrator's arsenal of tools to get a software distribution, software update, or OS deployment accomplished quickly and quietly. Configuration Manager 2007 enables wake-on-LAN functionality for all intranet-based managed agents that have a compatible network card. Figure 8 shows an example of how you can use wake-on-LAN for an advertisement in the newly designed New Advertisement Wizard. In this case, I am deploying a new package to a group of computers. With this setting enabled in the wizard, if a wake-on-LAN-compatible computer is turned off when the advertisement is due, Configuration Manager starts the system and deploys the package defined by the advertisement.

Figure 8 Wake-on-LAN in a software distribution advertisement

Remote Control was completely rewritten in Configuration Manager to deliver a more secure and reliable solution with significantly faster performance. Rather than the old tools that have been in place since SMS 1.0, Configuration Manager now uses the Windows Vista native collaboration technology built on the Remote Desktop Protocol (RDP). The basic functionality is the same as with SMS 2003 in that there is no need for end user acceptance of new sessions. However, three new levels of access are being introduced: full control, view only, and none. In addition to this new technology, Configuration Manager 2007 is still integrated with Remote Assistance for times when that functionality is needed.

Wrap-Up

I've walked you through several of the new features and enhancements in System Center Configuration Manager 2007. These features were designed to help ease administrative effort, enable new workloads, and lower costs within your IT environment. With Configuration Manager 2007, as well as the other products in the System Center family, you will be equipped to handle the most demanding IT infrastructures while giving your business a competitive edge.

In addition to the features outlined in this article, there are many more enhancements in the product, such as Windows Server® 2008 Network Access Protection (NAP) integration and enhanced software asset management (SAM) capabilities based on the same Asset Intelligence technology included in SMS 2003 SP3. I encourage you to download the Configuration Manager 2007 release candidate or RTM trial version to see these features at work in your infrastructure.

For more information and an overview of all of the products in the System Center family please visit microsoft.com/systemcenter. From here you can navigate to any solution in the System Center family, including Configuration Manager.

John Orefice is a Technology Solution Professional in the Microsoft mid-Atlantic states district. He has worked with Microsoft management solutions for several years first as a consultant with Microsoft Consulting Services (MCS) and now in his current role. He can be reached at john.orefice@microsoft.com.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.