Example Scenarios for Implementing Out of Band Management

Atualizada: Outubro de 2004

Aplica-se a: System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

The following sections in this topic provide example scenarios for implementing out of band management in Configuration Manager 2007 SP1 and later:

noteNota
As informações neste tema aplicam-se apenas ao Configuration Manager 2007 SP1 ou posterior.

In the following scenarios, the company already has an existing public key infrastructure (PKI) infrastructure, using Windows Server 2003 Certificate Services, and has an enterprise certification authority running Windows Server 2003 Enterprise Edition.

AMT Provisioning Out of Band for New Computers

This scenario demonstrates how you can use out of band provisioning for AMT-based computers for new computers that do not have an operating system installed.

A. Datum Corporation receives a batch of new computers that are AMT-based and meet all the prerequisites for out of band management in Configuration Manager 2007. This company has recently updated their central site to Configuration Manager 2007 SP1, but other sites are still running Configuration Manager 2007, and all the Configuration Manager clients are also running Configuration Manager 2007.

Until the clients are upgraded to a version that supports AMT in Configuration Manager 2007 SP1 and later, these computers cannot be provisioned in-band.

Tommy Hartono is the Configuration Manager administrator responsible for provisioning these computers in the central site. The computers will all be joined to the company's single domain, and they meet all the requirements to support out of band management in Configuration Manager 2007 SP1 and later.

The AMT-based computers do not have a customized firmware image, and Tommy has an agreement from his manager to purchase an AMT provisioning certificate from one of the external certification authorities (CAs) that are configured in the firmware of these computers.

To provision these new ATM-based computers out of band, Tommy takes the course of action outlined in the following table.

 

Process Reference

Tommy checks the prerequisites for out of band management and makes the following changes for his Configuration Manager site:

  • He designates a site system server on which he will install the out of band service point. This computer has the fully qualified domain name (FQDN) of server15.adatum.com. This server is running Windows Server 2003 SP2, so he installs the required hotfix 942841.

  • He installs the latest version of Windows Remote Management (WinRM) on the site system server.

For more information about the hotfix, see http://go.microsoft.com/fwlink/?LinkId=106107.

To download the latest version of WinRM and for more information, see http://go.microsoft.com/fwlink/?LinkId=105682.

Tommy then works with his Active Directory service administrators to create an OU in the adatum.com domain for the published AMT-based computer objects and to configure the OU so that the site server has full control for this OU and of all its child objects.

The following Windows security groups are also created in preparation for the PKI certificates:

  • A group named ConfigMgr Out Band Service Points that contains server15.

  • A group named ConfigMgr Primary Site Servers that contains the primary site server in the central site.

For more information, see the following topics:

Tommy also works with his infrastructure services team with the following results:

  • He confirms that routers and firewalls do not need to be reconfigured for out of band communication.

  • He confirms that their DNS servers accept dynamic updates so that the new site system server on which he will install the out of band service point can automatically register an alias record in DNS.

  • He confirms that the DHCP server is already configured appropriately with the following settings:

    1. There is an active scope with available addresses.

    2. The scope is configured with option 006 for domain servers and with option 015 for the domain name.

    3. The DHCP server is automatically updating DNS with computer resource records.

For more information about the ports used with out of band management communication, see the port information as an external dependency in Prerequisites for Out of Band Management.

For more information about the DNS and DHCP settings, see the following topics:

Tommy works with the PKI team with the following results:

  • A custom template is created to request the AMT provisioning certificate from an external CA.

  • The certificate request for the AMT provisioning certificate is issued from server15 and saved to a file so that it can be sent to the external CA.

  • The certificate request file is sent to the external CA with a purchase order, and Tommy receives the certificate response in e-mail the following day. He installs the certificate on server15.

  • The installed AMT provisioning certificate is exported to a .PFX file and stored securely on the server.

  • The Web server certificate template is duplicated and configured so that it is appropriate for out of band management.

For guidance on how to deploy the PKI certificates required for out of band management, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.

For more information about the certificate requirements, see Certificate Requirements for Out of Band Management.

For more information about how the certificates are used in out of band management, see About Certificates for Out of Band Management.

Tommy then configures the central site and makes the following changes in the primary site:

  • He installs a new site system server on server15, configures it with the intranet FQDN of server15.adatum.com, and installs the out of band service point.

  • On the Out of Band Component Properties dialog box, he configures the out of band management component with the following:

    • On the General tab, he specifies the OU created in adatum.com; enables the option Register ProvisionServer as an alias in DNS; configures a strong password for the MEBx Account; browses to the exported AMT certificate file and supplies the password that was used during the export process; selects the issuing CA and the AMT certificate template to use.

    • On the AMT Settings tab, he specifies as an AMT User Account a Windows domain global security group that contains help desk engineers who will be using the out of band management console. He selects all the available AMT features for this AMT User Account. He also selects the option Enable serial over LAN and IDE redirection.

For more information, see the following topics:

Tommy then makes the final steps required to provision the computers out of band for AMT by performing the following actions:

  • He creates a new collection that will contain the AMT-based computers.

  • He prepares a comma-separated values (CSV) file with the computer details, including their FQDN and UUID.

  • He runs the Import Computer for Out of Band Management Wizard and specifies the CSV file and the collection he created.

  • He updates the collection to view and confirm the computers that he has just imported.

For more information, see the following topics:

Tommy provides instructions stating that, when the computers are delivered, the power cable and network adapter be connected but that there is no requirement to turn them on.

He monitors the provisioning process.

For more information, see How to Identify Computers That Are Provisioned for AMT.

As a result of this course of action, the new computers are provisioned for AMT. When the operating system is installed on each computer, the same FQDN is used that was specified in the CSV file and these computers can now be managed out of band.

AMT Provisioning In-Band for Configuration Manager Client Computers

This scenario demonstrates how you can use in-band provisioning for AMT-based computers that are running the Configuration Manager 2007 SP1 client.

Trey Research has a Configuration Manager 2007 SP1 hierarchy and is interested in using out of band management to manage computers that are located in remote offices. The company purchases all their computers from the same supplier. Because these computers are delivered directly to the remote offices, they are installed with a build image specific to Trey Research that includes the Windows operating system, standard applications and settings, and the Configuration Manager 2007 SP1 client.

In addition to this custom computer build, Trey Research requests a customized firmware image that includes the certificate thumbprint of their internal root CA so that they do not need to purchase an AMT provisioning certificate from an external CA. The certificate thumbprint is referred to as the root CA hash by the supplier, and this value is located by using the following procedure: How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.

Terry Adams is the Configuration Manager administrator responsible for provisioning these computers in the Configuration Manager site. The computers will all be joined to the company's child domain of testnet.treyresearch.net, and the site system servers reside in treyresearch.net. When the Configuration Manager client installs with auto-site assignment, they will reside within the boundaries of multiple secondary sites that all belong to the central site.

To provision these new ATM-based computers in-band, Terry takes the course of action outlined in the following table.

 

Process Reference

Terry checks the prerequisites for out of band management and makes the following changes for his Configuration Manager site:

  • He designates a site system server on which he will install the out of band service point. This computer has the fully qualified domain name (FQDN) of server15.treyresearch.net. This server is running Windows Server 2003 SP2, so he installs the required hotfix 942841.

  • He installs the latest version of Windows Remote Management (WinRM) on the site system server.

For more information about the hotfix, see http://go.microsoft.com/fwlink/?LinkId=106107.

To download the latest version of WinRM and for more information, see http://go.microsoft.com/fwlink/?LinkId=105682.

Terry then works with his Active Directory service administrators to create an OU in the testnet.treyresearch.net domain for the published AMT-based computer objects and to configure the site server to have full control for this OU and of all its child objects.

The following Windows security groups are also created in preparation for the PKI certificates:

  • A group named ConfigMgr Out Band Service Points that contains server15.

  • A group named ConfigMgr Primary Site Servers that contains the primary site server in the central site.

For more information, see the following topics:

Terry knows that there is a firewall between his site and the remote offices, so he identifies the ports that will need to be open to allow out of band communication between the site systems and the AMT-based computers. He submits a change request for the required firewall changes.

For more information about the ports used with out of band management communication, see the port information as an external dependency in Prerequisites for Out of Band Management.

Terry works with the PKI team with the following results:

  • A custom template is created to request the AMT provisioning certificate for their internal CA.

  • The certificate request for the AMT provisioning certificate is issued from server15 and is automatically approved and installed.

  • The installed AMT provisioning certificate is exported to a .PFX file and stored securely on the server.

  • The Web server certificate template is duplicated and configured so that it is appropriate for out of band management.

For guidance on how to deploy the PKI certificates required for out of band management, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.

For more information about the certificate requirements, see Certificate Requirements for Out of Band Management.

For more information about how the certificates are used in out of band management, see About Certificates for Out of Band Management.

Terry then configures the Configuration Manager primary site and makes the following changes:

  • He installs a new site system server on server15, configures it with the intranet FQDN of server15.treyresearch.net, and then installs the out of band service point.

  • On the Out of Band Management Properties dialog box, he configures the out of band management component with the following:

    • On the General tab, he specifies the OU created in testnet.treyresearch.net; configures a strong password for the MEBx Account; browses to the exported AMT certificate file and supplies the password that was used during the export process; selects the issuing CA and the AMT certificate template to use.

    • On the AMT Settings tab, he specifies as an AMT User Account a Windows global domain security group that contains help desk engineers who will use the out of band management console. He selects all the available AMT features for this AMT User Account. He also selects the options Enable serial over LAN and IDE redirection, Allow ping responses, and Enable BIOS password bypass for power on and restart commands.

For more information, see the following topics:

Terry wants to use Wake on LAN to install critical software updates on computers. He has tried this feature in the past and discovered that subnet-directed broadcasts consumed too much network bandwidth over the remote links and that few of their network adapters worked with unicast transmissions.

He enables Wake on LAN and decides to keep the default option of Use power on commands if the computer supports this technology; otherwise, use wake-up packets.

For more information, see the following topics:

To enable automatic in-band provisioning for AMT, Terry then performs the final steps:

  • Enables discovery for management controllers.

  • Creates a query-based collection that dynamically adds computers that have management controllers that can be provisioned for AMT by Configuration Manager.

  • Configures the collection with the collection setting to enable automatic out of band management controller provisioning.

For more information, see the following topics:

Terry monitors the collection and the provisioning process of the new computers when they are installed and join the site.

For more information, see How to Identify Computers That Are Provisioned for AMT.

As a result of this course of action, the computers running the Configuration Manager 2007 SP1 client are provisioned for AMT and can then be managed out of band, even if they later fail to boot, the operating system stops responding, they require powering on for routine maintenance, or their BIOS settings need reconfiguration.

For example scenarios of using of band management, see Example Scenarios for Using Out of Band Management.

AMT Provisioning for a Wireless Network with Configuration Manager 2007 SP2

This scenario demonstrates how you can provision AMT-based computers to be managed on a wireless network with Configuration Manager 2007 SP2 after they were originally provisioned by using Configuration Manager 2007 SP1.

Trey Research has recently upgraded its Configuration Manager 2007 SP1 hierarchy and clients to Configuration Manager 2007 SP2 and wants to extend their out of band management support for their laptop computers to their wireless network. Their wireless network uses a Windows Server 2008-based server that is running Network Policy Server (NPS) and requires a client certificate for authentication.

Terry Adams is the Configuration Manager administrator responsible for making sure these laptops can continue to be managed out of band on the wireless network. He takes the course of action outlined in the following table.

 

Process Reference

Terry checks the wireless support prerequisites for out of band management and confirms that the versions of AMT on the laptops will support wireless profiles. He notes the wireless configuration settings that are required by the Network Policy Server as WPA2 security, AES encryption, and EAP-TLS authentication.

To check whether there is anything additional to configure to support this environment, Terry also checks the planning documentation for additional information related to supporting wireless networks.

For more information about the prerequisites, see Prerequisites for Out of Band Management.

To confirm the decision to configure out of band management support for wireless networks, see Determine Whether You Should Configure Support for 802.1X and Wireless Networks.

Terry works with the PKI team to create an additional certificate template that the AMT-based computers will use to authenticate with the Network Policy Server.

For more information about creating the client certificate template, see the section “Preparing the Client Authentication Certificates for 802.1X AMT-Based Computers” in Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.

For more information about the certificate requirements, see About Certificates for Out of Band Management.

Terry configures the Out of Band Management Properties: 802.1X and Wireless tab in the Component Configuration node of the Configuration Manager primary site:

  • He creates a wireless profile that contains the wireless network name, the security type of WPA2-Enterprise, and the encryption method of AES. He then selects the trusted root certificate for the Network Policy Server, and the client certificate template that was created earlier.

  • He does not select the Automatically add AMT-based computers to security group option because for greater security, the computer accounts for the AMT-based laptops that will be manually added to a security group for authentication to the Network Policy Server.

For more information, see How to Configure AMT-Based Computers for 802.1X Authenticated Wired and Wireless Networks.

Using a custom collection for laptops, Terry identifies the computer names that are already provisioned for AMT by using the AMT Status of Provisioned. He exports the list of computer names from the console and gives these to the administrator for the Network Policy Server, so that they can be added to a security group that is used to provide network access.

For more information about the AMT Status, see About the AMT Status and Out of Band Management.

For more information about exporting list views from the Configuration Manager console, see How to Export List Views to a File.

To update the provisioning information so that these laptop computers can be managed out of band on the wireless network, Terry right-clicks the computers in the collection, clicks Out of Band Management, and then clicks Update Provisioning Data in Management Controller Memory.

For more information, see How to Update AMT Settings in Provisioned Computers Using Out of Band Management.

Terry uses the log file, Amtopmgr.log, to verify that the wireless profile is successfully configured for these AMT-based computers.

For more information, see the “To verify whether AMT-based computers are configured for authenticated wired and wireless connections” procedure in How to Configure AMT-Based Computers for 802.1X Authenticated Wired and Wireless Networks.

As a result of this course of action, the out of band management support for these AMT-based computers is extended to the wireless network. For example, if they fail to boot, the operating system stops responding, they require powering on for routine maintenance, or their BIOS settings need reconfiguration, they can be managed even when they are connected to the wireless network.

For more information and example scenarios about how to use out of band management, see Example Scenarios for Using Out of Band Management.

Consulte Também

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.

Conteúdo da Comunidade

Mostrar: