09 August 2008

SCCM 2007 Intelligently about the product

Welcome to an era of technology where a single application can manage your entire organizations infrastructure. Whether your organization is based on a single campus or distributed throughout the world, System Center Configuration Manager (SCCM) 2007 has the mechanics to provide your company with the tools needed to distribute software, operating systems, security updates, collect hardware and software inventory, has reporting and an array of other tools to effectively manage your organizations assets. Based on the current version of Systems Management Server (SMS) 2003, SCCM 2007 is an upgraded version which leverages newer technologies such as Windows Vista and Windows Longhorn Server to provide greater security throughout the organization. While SCCM 2007 is currently in its Beta 1 release, code named SMS V4, understanding the new features now will provide the foundation needed to either acquire or upgrade to SCCM 2007 when it is scheduled for release in mid 2007.


Windows Vista will soon become the industry standard for corporate workstation operating Systems. SCCM 2007 is designed to deploy Windows Vista from its built-in Operating System Deployment (OSD) feature. SMS 2003 currently does not support the deployment of Windows Vista because of differences in the WMI file format. Furthermore, the SCCM OSD is based on the Business Desktop Deployment 2007 (BDD) technology not found in SMS 2003. The BDD technology will allow for easier deployments based on wizards which will help streamline the process. The OSD will allow an organization to create an operating system image and deploy such image across the environment without the need for local support staff. Imagine a remote building with 500 windows XP workstations and being able to upgrade every system to Vista in a few hours. The potential for SCCM 2007 is staggering when one considers the possibilities. The OSD allows the administrator to create custom task sequences during the upgrade process and leverages on the User State Migration Tool (USMT) 3.0 to save current user files and profiles. Some of the changes in the USMT include new ScanState changes, LoadState command line options and the migration behavior is controlled by .xml files rather than .ini files. Deploying operation system images in SCCM 2007 will not only become an industry standard, but will allow for greater protection from security threats.


Many organizations deploy images with a baseline of security updates to thwart common threats. One task for administrators is to devise a patch strategy to update systems on a monthly basis. Once the baseline is deployed, a systematic approach of validating and testing new updates is required on a monthly basis. SCCM 2007 has been completely redesigned from the ground up. For those who have utilized the Inventory Tool for Microsoft Updates (ITMU) in SMS 2003, you are aware that patching operating systems is a time consuming project every month. The newly designed Software Updates section of the SCCM administrator console is a welcomed improvement. Software updates are now divided by operating system and applications such as Exchange and ISA server. Software updates are also easier to read and one can simply drill down on each update to find the information related to the update. SMS 2003 software updates had a few columns in the administrator console that told the number of compliant and requesting systems for each patch. SCCM 2007 not only tells the administrator the number of systems that are installed and required, but also how many systems that are not required. Further improvements to the console are columns for percentage of compliance, EULA, NAP Evaluation, date released and a revision date if applicable. With the constant threat of operating system viruses and bugs, it becomes increasingly important to patch computer systems. Network Access Protection (NAP) will also become an industry standard by which administrators will be able to deny access to organizational resources if not patched to a baseline deemed by a network administrator.


NAP gives an IT administrator the ability to create a policy(s) for security updates. Once a policy is created and enabled, systems will be required to apply such patch(s) before being able to access the corporate network resources. NAP is a new feature embedded into SCCM 2007 and leverages the NAP technology provided by Windows Server "Longhorn" which is also currently in the Beta stage of development. The integration of Longhorn and SCCM 2007 will provide the security administrators have long been waiting for. Network restriction and remediation is dependent on how the NAP policies are configured on the Windows Network Policy Server (WNPS). Once a NAP policy has been created, a simple view in the SCCM 2007 administrator console shows the number of systems that meet the policy. The introduction of WNPS is also considered a role in SCCM 2007. Roles are responsibilities of specific servers to provide a specific function in the SCCM hierarchy.


SCCM 2007 has two new roles which were not available in SMS 2003 called System Health Validator Points and State Migration Points. The System Health Validator point is the SMS site system role that runs on a Windows Network Policy Server (NPS). When using Network Access Protection in SCCM, it is needed to validate the statement of health from NAP-capable SCCM clients to produce a client health state of healthy or unhealthy, or an error condition that prevented the health state from being determined. This server role is tightly integrated with NAP and is required for policies to be received by clients. The state migration point (SMP) is used by Operating System Deployment when migrating user state and settings from one computer to another as part of the operating system image deployment. Just as one would capacity plan for traditional server roles, one must also plan when using SMP as a role and can be calculated in the same fashion a distribution point. New features are abundant with SCCM 2007 and roles are just the beginning.


The introduction of Wake on LAN (WOL) technology will reduce the need for third party WOL solutions. However, the WOL technology included with SCCM 2007 will only support direct broadcast. Direct broadcast will use the "magic packet" technology used by other vendors. Organizations that do not allow direct broadcast over routers will not be able to use the new technology. However, there are several third party vendors such as 1E that provide proxy solutions which will solve the problems associated with organizations that do not support direct broadcast. Network security is always a concern for any organization. SCCM 2007's new security model will be another welcomed feature.


SCCM will provide two types of security modes. The first mode will be an SMS 2003 compatibility security mode and the second will be a SCCM 2007 security mode which will enable functionality to manage clients over the Internet. In order to use the "internet facing" functionality of SCCM security mode, certificates will be required on all SMS server infrastructure and all SMS managed clients. To utilize SCCM security mode, you will need trusted certificates to be available on all server and managed nodes. You will need a PKI to do this. The "auto enrollment" capabilities provided by Active Directory and Certificate Services are a great way to do this. Despite the fact that there is not a true VPN solution developed into SCCM, Internet facing clients will still need to be able to validate themselves. Servers in the perimeter will need a method to validate "trust" of certificates from clients requesting access, and should be implemented in concert with a firewall like ISA server. Management Point and Distribution Point roles will need to be available to external clients. A great way to do this would be to have ISA server in the front end as an SSL termination point with the MP and DP server roles behind ISA server. As for internal support and functionality for the SCCM security mode, the certificate based security will work in a cross forest or workgroup scenario, but a PKI will be required and the certificate issuer will need to be trusted by the client. Microsoft has spent a great deal of time working on the security enhancements in SCCM and shows that trusts are beginning to become a standard in network security.


Desired Configuration Management (DCM) is the ability to define a configuration model and be notified of any drift or deviation from that desired configuration. DCM is intended to be an all-up settings compliance solution for the IT environment. DCM will utilize the Systems Definition Model to allow administrators to define "as desired" policy views of their environment from an Operating System, Application, or Business Policy perspective. It is designed to scale its focus from single settings on single nodes to broad policies across the entire IT organization.


The improvements to the SCCM 2007 administrator console are seen in every part of the tree. SCCM 2007 is required to run in the new MMC console, version 3.0. The introduction of the Action pane allows an administrator to execute functions quicker. The ability to drag and drop objects in packages, advertisements, reports and queries will make administration simpler. The update collection membership option has also been moved to a more appropriate location rather than having to traverse the menu. One frustration when working with collections in SMS 2003 is that only one resource can be selected at a time. In SCCM, multiple resources can be selected to quickly mange those resources. Despite the new features in the console, there are some upgrades to your current software that will have to be acknowledged if you use SMS 2003.


The Beta 1 refresh release of SCCM 2007 will co-exist in your current SMS hierarchy. Microsoft currently supports the use of SQL 2000 with both SMS 2003 and SCCM 2007; however, the Beta 2 release of SCCM 2007 will not support SQL 2000. Organizations will have to upgrade to SQL 2005 or create a new hierarchy using SQL 2005. For organizations that currently use SMS 2003, Microsoft recommends that SCCM 2007 sites that are a part of an existing SMS 2003 hierarchy be disjoined to start a new hierarchy independent of SMS 2003. When SCCM 2007 Beta 2 is released we expect more information on this subject.


Based on my initial experiences with SCCM, I believe this technology will become a standard in almost any organization. I do feel some of the console items could have been better developed and there should have been more development with the WOL technology, but based on what we have today in SMS 2003, I welcome the changes and improvements. Documentation on SCCM is lacking in the Beta version, but I would expect a lot more when the final release is shipped in 2007. Whether you are a seasoned SMS 2003 administrator or an early adopter of SCCM 2007, there is much to learn with the emerging technology. Deploying security updates and restricting access to network resources with NAP will surely become an industry standard. Deploying Windows Vista to sites will standardize your environment which will lead to more successful deployments of applications and security updates. We must continue to research SCCM 2007 as new betas are released and strive to understand how to best deploy this application in each unique environment.
 
Enjoy,
Paddy
 
Source of this Artical

 

No comments: