About AMT Provisioning for Out of Band Management

Before AMT-based computers can be managed out of band in Configuration Manager 2007 SP1, they must be provisioned for AMT (set up and configured).

Note

The information in this topic applies only to Configuration Manager 2007 SP1.

AMT provisioning results in the following external interactions between Configuration Manager and the networking infrastructure:

  • The site server checks the Configuration Manager database to ensure that a public key infrastructure (PKI) certificate is not already issued to the AMT-based computer. If a certificate is found, it is revoked.

  • The site server requests a PKI certificate from an internal issuing certification authority on behalf of AMT-based computers. This certificate request contains the FQDN of the computer that will be managed out of band and uses a certificate template that is configured with server authentication capability. The issuing certification authority (CA) server approves the request, and the certificate is granted to the site server computer.

  • The AMT-based computers are published as a computer object to Active Directory Domain Services, with a link to the Windows computer object in Active Directory Domain Services.

  • A service principal name (SPN) for the AMT-based computers is registered in Active Directory Domain Services so that administrators can connect to them using the out of band management console.

Additionally, the following internal interactions occur between Configuration Manager and the nonvolatile random access memory (NVRAM) of the management controller in the AMT-based computer, after the out of band management component on the site server connects to the AMT-based computer by using a specified AMT provisioning account and port number:

  • The PKI certificate retrieved by the site server is installed on the AMT-based computer, including the certificate chain up to the root CA certificate.

  • The fully qualified domain name (FQDN) of the AMT-based computer is retrieved from the Configuration Manager database and is configured on the AMT-based computer. The Windows computer time is used to configure the system time.

  • The AMT settings configured in Configuration Manager, such as whether to use IDE redirection and serial over LAN, respond to a network ping, and support a Web interface, are configured on the AMT-based computers. Additionally, the AMT remote password is reset to a random and strong password, any AMT user accounts are deleted, and support for Kerberos authentication is enabled on the AMT-based computer.

Note

In the log file, Amtopmgr.log, you will see references to first-stage provisioning and second-stage provisioning. The first two points in the preceding list occur during the first-stage provisioning. The last point in the preceding list occurs during second-stage provisioning. For more information about the log files used with out of band management, see Log Files for Out of Band Management.

For more information about how to provision a computer, see How to Provision Computers for AMT.

For more information about the certificates used for AMT provisioning, see About Certificates for Out of Band Management.

Updating the Data in the Management Controller Memory

Computers that are already provisioned for AMT do not dynamically reconfigure with new AMT settings that are configured in Configuration Manager. If you change the Configuration Manager AMT settings after AMT-based computers are provisioned for AMT, you must initiate an action on these computer resources to update the data in the management controller memory. Updating the data in the management controller memory for an AMT-based computer gives it the latest AMT settings. Additionally, the AMT-based computer's SPN is reregistered, and its Active Directory object is refreshed (or published if it does not exist). Updating the data in the management controller memory does not revoke the AMT certificate.

Removing AMT Provisioning Information

There might be occasions when you want to remove the provisioning information for an AMT-based computer, such as when you no longer want the computer to be managed out of band by Configuration Manager 2007 SP1 but want to use another out of band solution. The following options are available for removing provisioning information from the computer:

  • You can remove the configuration data from the management controller but keep identification information about the computer, such as its name, IP address, and DNS suffix. Configuration data includes whether IDE redirection and serial over LAN are enabled, network pings are supported, and the Web interface is enabled.

  • You can remove both configuration data and identification information from the management controller.

In both cases, the AMT certificate is revoked, the SPN is deleted, and the Active Directory object is deleted.

After the AMT provisioning information is removed, by default, an AMT-based computer will automatically provision again if it is in a collection that is configured for automatic AMT provisioning. However, you can disable automatic provisioning and re-enable it later.

For more information about removing provisioning information for an AMT-based computer and using automatic provisioning again, see How to Remove Provisioning Information for AMT-Based Computers.

Renaming AMT-Based Computers and Domain Changes

If you rename a computer that is already provisioned for AMT by Configuration Manager or move the computer to another domain, you must remove all the provisioning information from the AMT-based computer and then reprovision it. You can remove the provisioning information either before or after you rename or move the computer. However, do not reprovision the computer until the name change or domain move is complete. If you do not perform these procedures, the AMT-based computer cannot be managed out of band after the name change or domain move.

When you remove the provisioning information, select the option to remove both configuration data and identification information from the management controller and, if applicable, select the option to disable automatic provisioning and re-enable it after the name change or domain move has taken place.
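The following PowerShell script is an added example and is not part of this documentation. It reads the Active Directory artifacts that provisioning leaves behind (the computer object and its SPN, described earlier in this topic) and, when given the computer's previous FQDN, reports whether an SPN for the old name still exists, which is the state left by renaming or moving a computer without removing the provisioning information first. The ActiveDirectory module, the `AMT/` SPN prefix and the function name `Test-AmtProvisioningState` are assumptions; confirm the prefix your site registers against Amtopmgr.log.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumptions: the ActiveDirectory PowerShell module is available, and the SPN that
# out of band management registers starts with "AMT/" (verify this in Amtopmgr.log).
Import-Module ActiveDirectory

function Test-AmtProvisioningState {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$PreviousFqdn,           # optional: the FQDN before a rename or domain move
        [string]$SpnPrefix = 'AMT/'      # assumed prefix; adjust to what your site registers
    )

    # The Windows computer object supplies the current FQDN that provisioning uses.
    $windowsObject = Get-ADComputer -Identity $ComputerName -Properties dNSHostName
    $fqdn = $windowsObject.dNSHostName

    # Any computer object in the domain that carries an AMT SPN for the current FQDN.
    $current = @(Get-ADComputer -LDAPFilter "(servicePrincipalName=$SpnPrefix$fqdn*)" `
                               -Properties servicePrincipalName)

    # After a rename or domain move, an SPN for the old FQDN means the provisioning
    # information was not removed; the computer must be cleaned up and reprovisioned.
    $stale = @()
    if ($PreviousFqdn) {
        $stale = @(Get-ADComputer -LDAPFilter "(servicePrincipalName=$SpnPrefix$PreviousFqdn*)" `
                                 -Properties servicePrincipalName)
    }

    $state = if ($stale.Count -gt 0) { 'StaleProvisioningInformation' }
             elseif ($current.Count -eq 0) { 'NotProvisioned' }
             else { 'Provisioned' }

    [pscustomobject]@{
        ComputerName = $windowsObject.Name
        Fqdn         = $fqdn
        State        = $state
        CurrentSpns  = @($current | ForEach-Object { $_.servicePrincipalName })
        StaleSpns    = @($stale   | ForEach-Object { $_.servicePrincipalName })
    }
}

# Usage (hypothetical names): run before reprovisioning a renamed computer.
Test-AmtProvisioningState -ComputerName 'WS01' -PreviousFqdn 'oldname.contoso.com' | Format-List
```

A result of StaleProvisioningInformation means the old SPN survived the rename or domain move, so remove the provisioning information (both configuration data and identification information) before reprovisioning the computer.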

See Also

Tasks

How to Run the Out of Band Management Console

Concepts

About Certificates for Out of Band Management
Certificate Requirements for Out of Band Management
Configuration Manager AMT Provisioning Process for Out of Band Management
Decide How to Migrate from an AMT-Based Management Solution to Out of Band Management in Configuration Manager
Overview of Out of Band Management