MMS 2007 Day 4 (29 March)

  • Article

Unfortunately I missed the keynote address today because I had some work I had to do.  It was a customer and partner panel discussion with live Q&A: executives from Dell, EDS, Carnival Cruise Lines and Virgin Entertainment talking about their experiences with System Center.  The panel was hosted by David Williams, Research Vice President for Gartner.

My first session was System Center Configuration Manager 2007 SDK Improvements and Changes presented by Lamar Damata, Test Manager, SMS.  He was presenting because the testing team is extremely dependent upon the SDK for the automation that they require for the test scripts, therefore he is very knowledge on the SDK.

The SCCM SDK has lots of new features, one of the largest being the ability to programmatically modify the site control file (fully documented and supported).  All previous SMS 2003 admin UI extensions (e.g., custom right-click menus added through the registry) will break, as these extensions are now done via custom XML files.  There is no PowerShell in this release, but the product is very PowerShell ready.  The next version of the SDK will use PowerShell.

For the admin UI customizations, there are a series of directories under the SCCM program files directory that house custom XML files.  Folders are created named with the GUID of the console object to pin the action (fully documented in the SDK).  There are several types of actions: Executable type (e.g., .exe, URL) that accepts parameters and the same sort of variables (e.g., ##varname##) as used previously, Report type action with the GUID of the target report, Show Dialog type for creating custom dialogs, and AssemblyType for accessing custom DLLs.

Custom nodes can be created in the console, but not at the top level; they must be created as subnodes or below.  Home pages can be fully customized.  All of the XML files that control the built-in console elements are exposed in the SCCM program files directory, but they should never be altered - it's not supported and will break the UI.  The core wizards cannot be modified.  The MMC SDK should not be used.

The MP API is mainly used to support 3rd party clients.  An ISV Proxy must be used with the MP API.  ISV clients talk with the ISV Proxy which acts on their behalf to the MP.  This increases the attack surface so security is a serious consideration in this scenario.

Most of the major components (OSD, DM, SUM, etc.) are accessible programmatically.  All OSD core scenarios are available including task sequences and the driver catalog.  Custom task sequences can be created for a better administration experience instead of repeated using the generic Run Command task sequence.  SUM can be scripted using VBScript to the point that updates can be quickly deployed in two clicks; there are great automation capabilities.

 

The next session was SCCM 2007: Deploying Windows in the Enterprise, Part 2.  Michael Kelley went into greater detail on many of the features and components.  Building and capturing images can be done manually (install windows, configure, install applications, etc.), with an external tool (imagex.exe, WDS) or automated via task sequences thus providing better standardization of the image capture process.  (The task sequence method would use setup.exe installation process instead of an image.) 

The Driver Catalog exists to separate drivers from the image and install them during the deployment process.  With Vista this process will also insert the drivers into the Vista Driver Store.  There are two task sequence actions: Auto Apply Driver (which relies upon plug-and-play detection) and Apply Driver Package (which adds all of the drivers in a package to the system, which is useful for non-PnP devices).  When importing drivers they can be assigned to categories (completely custom) and it can even insert the drivers into WinPE boot images.

With the Computer Association node under OSD you can run the Import Computer Information wizard to create DDRs for systems not yet on the network (e.g., ordered).  This information is imported from a CSV which has custom rows that are mapped at import to computer property fields or computer variables. 

The PXE Service Point provides integration with WDS which allows it to be managed by SCCM as a site role.  WDS hosts multiple providers and ConfigMgr puts itself first.  So when a client PXE boots and checks with WDS, WDS checks with ConfigMgr first.  If the client is known by ConfigMgr, it passes the WinPe boot image for use.  Otherwise WDS falls through to the next provider.

In a system migration scenario (old hardware to new hardware) the State Migration Point (SMP) records the relationship between the old and new systems and uses encryption so that only the new system can restore the saved data.  After a successful restore SMP starts a retention timer (fully configurable).  Each SMP can define multiple directories, each with a maximum number of clients and disk space to use.  An SMP can also be set as read-only (for when retiring a server as an SMP).  It doesn't require the use of USMT; a custom script or third-party tool can be used.

Applications can be installed dynamically during image deployment which does not require advertisements but the package program does have to be authorized for it.

A Longhorn Server role installation task sequence action will be available in SCCM 2007 SP1.  Longhorn Server Core will be supported and there is full support for data centers without DHCP.

In low or no network connection scenarios all of the referenced packages and the task sequence runtime engine can be put on removeable media (multiple CDs, DVD, or USB disk).  However this does not provide any status messages and you can't use any task sequence actions that require the network (e.g., software updates).

The Modify Collection Settings right grants the ability to set/change collection variables and maintenance windows.  The Modify Resource right grants the ability to set/change computer variables.  There are twelve new reports for Vista/Longhorn requirements.  There is an Upgrade Assessment SCCM add-on to add a new node to interface with the Application Compatibility Toolkit v5.

When upgrading from SMS 2003, OSD must first be uninstalled.  Existing packages are preserved in the OSD FP Packages node; but they can't be used and must be recaptured.  SMS 2003 clients will reject task sequence advertisements.

So what's the difference between SCCM 2007 OSD and BDD 2007?  BDD has lots of good methodology and best practices that are technology independent.  BDD LTI was originally created to fill a void before SMS 2003 OSD.  SMS 2003 OSD built upon that and then BDD ZTI filled in some of the gaps.  SCCM 2007 OSD bridges most of that gap, but BDD 2007 still provides some additional functionality.  The Standalone Task Sequencer was derived from ConfigMgr and used in BDD 2007 so they have the same variables and interfaces.  A whitepaper is in progress on how to migrate from BDD to SCCM.

 

The next session was IT Asset Management Using Microsoft System Center Technologies hosted by Michael Nappi and Nigel Cain, Program Manager, SCCM.  Michael presented again some of his slides from the SMS 2003 SP3 session.  He did make a comparison of System Center to a Swiss Army knife, and said it's like the Office Suite for IT Professionals.  There is an ITIL concept of a "custodian" of an asset as the primary user, rather than referring to them as the "owner" which implies too much.

Assets are defined as hardware, software, licenses, contracts, etc.; anything with value to the business.

System Center Service Manager can record standard system configurations for purchasing.  They can include all hardware and software components.  In the SCSM catalog you can specify the environment for the asset (production, testing, DR, etc.).  Then if an instance of that asset shows in an unapproved environment you can create a custom event, e.g., log an incident.  (For example, if you define that Vista is not ready for the production environment.)

The SCSM change management process is customizable to add multiple levels of approval including asset owner approval.

In the future Windows will be a core platform for license management.

 

The final session of the day (and perhaps the week for me?) was SCCM 2007 Security Architecture and Internet Client Management presented by Prabhu Padhi.  The official name is Internet-Based Client Management (IBCM, not be confused with ICBM).  Managing clients via VPN is too hard, too complex and iin many environments is blocked.

The client must be deployed manually (e.g., from CD or secure extranet) or over VPN and then released.  The client must be stamped with the Internet-based MP and FSP because a system on a foreign network cannot dynamically lookup the MP, thus needs to be hardcoded.

A proxy can be specified in the client.  If that doesn't work the client attempts to discover the proxy under the system context.  If that fails the client attempts to use the user settings.  If that fails the client attempts to connect the MP with no proxy.

Clients hash the data to be sent (e.g., using SHA1), signs it and then sends it to the MP.  The MP decrypts it, calculates the hash and compares to the client's hash.  If ok the client is authorized and the policy is issued.  If a client roams from the Internet to intranet it will dynamically detect the local MP and DP and resume operation.

There are four supported topologies:

  1. The site server and database are in the core, the MP, DP, and FSP are in the DMZ and all clients are remote.
  2. The site server and database are in the core with MP/DP/FSP and internal clients, plus MP/DP/FSP in the DMZ for remote clients.
  3. The site server and database in the core, MP/DP/FSP in the DMZ with clients internal and remote.
  4. A primary site with all roles in the DMZ for remote clients plus a parent primary site in the core for internal clients

Currently unsupported features: OSD, client deployment, NAP, remote tools, and BDP cannot be an IBC.

Mode (native vs mixed) is site-wide not hierarchy.  Modes can be switched at any time (to avoid any possible administrator errors).  In native mode SCCM 2007 automatically configures IIS with security.  When switching clients to native mode, it will contact the MP on HTTP which sends an HTTP 403 error.  The client checks with AD (with schema extended, or GPO or registry) for instruction, switches to native mode and communicates securely with the MP.

CRL - Certificate Revocation List is used, but because of possible infrastructure latency when revoking a certificate, you also need to "block" the revoked client in the SCCM console.  There is an option to allow clients to fallback to mixed mode (HTTP) when roaming to a mixed mode site.  The client's default certificate store is "Personal" but it can be configured in the site settings.  The MP, DP, FSP and SUP roles can all be marked Internet-only, intranet-only or both.

The site server option "Retrieve all data from this site system" (push/pull option) is for when the MP is in the DMZ and you don't want it writing data into the site server.  Enable this option and the site server will get data from the MP.  (This is off by default.)

Three whitepapers are in progress: SCCM 2007 IBCM Overview, SCCM 2007 IBCM FAQ, and SCCM 2007 Certificate Services.