System Center Configuration Manager
Last updated Apr 27, 2007.
Under the new Microsoft marketing scheme, which officially takes effect when Longhorn is released, there is a basic set of free management tools for Windows Server, and a commercial set, under the new "System Center" brand, that competes with third-party tools.
So the two words you should pay attention to with respect to SCCM are "Configuration Manager," because you are not actually configuring the system center. Quite the opposite: This will be Microsoft's principal tool for remote deployment of software throughout the network, including both operating systems and applications. It is the center for configuration, not the configuration of the center, that we're concerned with.
System Configuration from a Distance
SCCM is the replacement for Systems Management Server. A replacement was absolutely necessary because of the way Vista is installed. It uses a pre-assembled image of the complete installation, as though it were backed up from the hard drive, although the image's purpose is to be imprinted onto the hard drive. This is the Windows Image (WIM) file, and the Vista tool for deploying it is called System Image Manager. In Longhorn, the deployment of WIM files for operating systems and applications, conceivably for both, can be directed through SCCM.
In what is easily one of the more convenient features of any management tool ever devised for Windows, SCCM enables you to set up a basic configuration of any Windows OS on a test machine, including customizations and certain applications. That image may then be captured as a WIM installation image and distributed to multiple workstations. The SCCM scheme is designed to be able to manage thousands of clients simultaneously (one engineer recently said "hundreds of thousands," although we doubt such a configuration had yet been tested).
If you're thinking, "There's no way SCCM could account for all the personalizations that need to take place during a client installation, if the base image it has captured comes from a generic computer..." Microsoft has already solved this problem. Client installation procedures take account of client names, personal logons, and other necessarily personalized portions during the image distribution phase. In essence, the personalized data writes over the generic data once the image of that data has been imprinted onto local storage.
SCCM Takes a NAP
Another aspect of late versions of SMS that has been carried over into SCCM is network access protection (NAP). Here, clients that request access to the network may be denied access until they're upgraded or tuned up with specific updates or other measures. SCCM can perform this process, effectively tuning the client to the state it needs to be in, before it's allowed to conduct business with other computers on the network.
For this scheme to work, you need to have set up two separate server components: an SCCM management server and an SCCM remediation server. (By way of virtualization, you could conceivably set up both of these on the same hardware, but they do need to be independently addressable.) The management server must be relegated to a zone that's inaccessible from a client that fails to make the grade. But the remediation server must be accessible, because it will be the one that poses the solution.
Here's how NAP works: The management server contacts Windows Update and other online distribution points for updated software. In learning about these updates, the SCCM software on the management server activates a wizard, which will of course require your intervention. Using this wizard, SCCM builds a series of policies whose rules govern whether non-updated systems have full or restricted network access. Those policies are distributed to the remediation server.
When a client seeks a DHCP server, under Longhorn, it provides that server with a kind of signature that represents its "health." In Microsoft parlance, a non-updated client is relatively unhealthy (although in practice, the update can sometimes cause the problem, which is why it's necessary that you know your updates thoroughly as you're using the SCCM wizard).
The DHCP server runs the health certificate by the SCCM policy manager to see whether the client is healthy enough to be granted access. If the certificate fails this test, the DHCP server places the client in a kind of quarantine. It can access the remediation server, but not much else. The remediation server "heals" the client with the updates, then the client requests access again. If the health certificate passes the test the second time around, all is forgiven.
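The request, quarantine, remediation and re-request cycle described above can be modeled in a few lines. This is an added conceptual sketch, not SCCM or NAP code and not from the original article; the update identifiers, host names and function names are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample values: update IDs and host names are placeholders.
REQUIRED_UPDATES = {"UPDATE-A", "UPDATE-B"}      # policy built on the management server
REMEDIATION = "remediation.example.test"
ALL_HOSTS = {REMEDIATION, "management.example.test", "fileserver.example.test"}

@dataclass
class Client:
    name: str
    installed: set = field(default_factory=set)
    access: str = "none"                         # none | restricted | full

    def health_signature(self):
        # The "signature" the client hands the DHCP server with its request.
        return {"client": self.name, "installed": sorted(self.installed)}

def evaluate(signature, required=REQUIRED_UPDATES):
    """Policy check: return the required updates the client lacks."""
    return set(required) - set(signature["installed"])

def dhcp_request(client):
    """Enforcement point: full access only if nothing is missing."""
    missing = evaluate(client.health_signature())
    client.access = "restricted" if missing else "full"
    return missing

def reachable(client):
    """Hosts the client may talk to in its current access state."""
    if client.access == "full":
        return set(ALL_HOSTS)
    return {REMEDIATION} if client.access == "restricted" else set()

def remediate(client, missing):
    """Remediation server installs only what the policy found missing."""
    if REMEDIATION not in reachable(client):
        raise PermissionError("client cannot reach the remediation server")
    client.installed |= missing

def admit(client, max_attempts=2):
    """Request access, remediate if quarantined, request again."""
    log = []
    for _ in range(max_attempts):
        missing = dhcp_request(client)
        log.append((client.access, sorted(missing)))
        if not missing:
            break
        remediate(client, missing)
    return log
```

The model makes the zoning requirement concrete: a quarantined client's reachable set contains the remediation server only, so the management server stays out of its reach until the second request passes.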