In the first two articles of this series I discussed the preparation for setup and the installation process. In this third installment I go over the configuration of SCCM. To set the scenario, I am running a single site on Virtual PC 2007 (VPC); the guest OS is Windows Server 2003 SP1 with IIS (including BITS), SQL Server 2005 SP2, .NET Framework 2.0, MMC 3.0, and several hotfixes already installed. During the installation I installed all the client components except NAP, since without Longhorn (the Windows Server 2008 beta) I cannot install NAP. I also installed the System Center Updates Publisher (SCUP). My VPC is running on an external hard drive and has three virtual disks: one for the OS, the second for SMS and SCUP, and the third for SQL. It is also configured with 1GB of RAM.
On to the configuration tasks. Configuration is not that different from SMS 2003, so I will not go into great detail or depth in certain areas to avoid covering well-known information, but I will include screen shots for those who have not seen SCCM 2007 yet.
NOTE: The vast majority of the information found here can also be found on the TechNet site.
Here is what we will cover:
· Configure site boundaries
· Configure client agent components
· Configure site server components
NOTE: Microsoft has provided a post-install worksheet for the configuration tasks; it is located here.
This is not meant to be exhaustive; it is more for those who are familiar with SMS and those who want to get an idea of what they may be getting into if they are planning an SCCM installation.
Here is a screen shot of the SCCM admin console after installation. This is the default view, and most of you will be happy to learn that when you close the console and reopen it, it opens where you were last instead of collapsed, as it does in SMS 2003.
I will start with the most important setting to configure first, which is setting the site boundaries. Some may disagree with me on this, but I feel you can’t do anything without first setting the boundaries. I have seen people forget this and then wonder why their site does not work; it is easy to overlook if you get involved in other, more complicated, tasks.
Expand Site Management until you can see the Boundaries node, right-click the node and select New Boundary from the context menu.
This looks different from SMS 2003: you can input a description and choose the type of network connection, either Slow or unreliable or Fast (LAN). The boundary types are also different from SMS 2003; you can choose from IP subnet, Active Directory site name, IPv6 prefix, or IP address range. Whatever type you pick, make sure no location falls inside boundaries belonging to more than one site: overlapping boundaries between sites are not supported in SCCM 2007, and a client sitting in an overlap can end up assigned to, and pulling policy from, whichever site answers first.
I am going to choose Active Directory site name and use the Browse button to select the domain I set up for my lab.
Now you can see I have the boundary listed in the console.
Moving to the next configuration task: setting up and configuring the site system roles.
These are also located under the Site Settings node, at the bottom, under Site Systems. You can see I have the Component server, Distribution point (DP), Management point (MP), Site server, Site system, and Site database server roles installed. On the left of the middle pane you will notice the new link for New Roles; you can use this to start the process, or right-click the server and select New Roles from the context menu.
Selecting New Roles starts a wizard that follows the theme of task sequences: you fill out a series of questions, review a summary, and then the tasks you selected are executed.
On the first page, General, you will see the option to specify an FQDN for the site system on the intranet. You must use this if you are running in native mode, because clients match that name against the site system’s certificate. The second option is the FQDN for Internet-connected clients; this is going to be different from your intranet FQDN and is required if you are going to manage Internet-based clients, so they can reach the server from outside your firewall. If you need to specify a different account to install the server roles you would provide it here as well; I am going to use the server’s computer account. The last two options are to make this a protected site system, which means that only clients located within the boundaries you mark as protected for this site system will be directed to it (clients outside those boundaries are sent to other site systems), and Retrieve all data from this site server, which configures all communication to be initiated by the site server toward the site system, the setting you want when the site system sits in a less trusted network such as a perimeter network. I am not going to specify an FQDN for Internet-connected systems since I am not running in native mode, but I will specify the FQDN for intranet-connected systems, so I input “dclab.lab.local”, leave the protected site system and retrieve data checkboxes blank and click the Next button.
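The two settings that trip people up here are the ones just described: boundaries that overlap between sites, and protected site systems that only answer clients inside their protected boundaries. The following is an added example, not code from the original post or from SCCM itself; it models the four SCCM 2007 boundary types with Python’s ipaddress module, reports which site(s) a client location falls in, flags IP-based boundaries that overlap across sites, and applies the protected-DP rule. The site codes, boundary values, server names and client addresses are all constructed for the illustration.

```python
"""Boundary matching, overlap detection and protected site systems.

Added example (not SCCM code): models SCCM 2007 boundary types and the
protected site system rule. All site codes, addresses and names are constructed.
"""
import ipaddress
from dataclasses import dataclass

BOUNDARY_KINDS = ("subnet", "adsite", "ipv6prefix", "iprange")


@dataclass(frozen=True)
class Boundary:
    site: str          # site code that owns the boundary
    kind: str          # one of BOUNDARY_KINDS
    value: str         # "10.10.0.0/16", "Default-First-Site-Name", "a.b.c.d-e.f.g.h", ...
    fast: bool = True  # Fast (LAN) versus Slow or unreliable

    def __post_init__(self):
        if self.kind not in BOUNDARY_KINDS:
            raise ValueError("unknown boundary type: %s" % self.kind)

    def networks(self):
        """IP-based boundaries as a list of networks; an AD site boundary has none."""
        if self.kind in ("subnet", "ipv6prefix"):
            return [ipaddress.ip_network(self.value, strict=False)]
        if self.kind == "iprange":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return list(ipaddress.summarize_address_range(lo, hi))
        return []

    def contains(self, ip=None, ad_site=None):
        """True if a client at this IP / in this AD site falls inside the boundary."""
        if self.kind == "adsite":
            return ad_site is not None and ad_site.lower() == self.value.lower()
        if ip is None:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr.version == n.version and addr in n for n in self.networks())


@dataclass(frozen=True)
class DistributionPoint:
    name: str
    site: str
    protected: tuple = ()  # boundaries the DP is protected to; empty means unprotected


def matching_sites(boundaries, ip=None, ad_site=None):
    """Site codes whose boundaries contain the client. More than one result
    means overlapping boundaries and unpredictable site assignment."""
    return {b.site for b in boundaries if b.contains(ip, ad_site)}


def overlapping_boundaries(boundaries):
    """Pairs of IP-based boundaries from different sites that overlap.
    AD site boundaries cannot be checked statically against IP ones."""
    found = []
    blist = list(boundaries)
    for i, a in enumerate(blist):
        for b in blist[i + 1:]:
            if a.site == b.site:
                continue
            if any(x.version == y.version and x.overlaps(y)
                   for x in a.networks() for y in b.networks()):
                found.append((a, b))
    return found


def eligible_dps(dps, ip=None, ad_site=None):
    """Protected site system rule: a protected DP only serves clients inside
    its protected boundaries; an unprotected DP serves anyone."""
    return [dp.name for dp in dps
            if not dp.protected or any(b.contains(ip, ad_site) for b in dp.protected)]


# Constructed lab data: central site LAB and branch site BR1, whose IP range
# was (wrongly) carved out of LAB's subnet, so the two overlap.
BOUNDARIES = (
    Boundary("LAB", "adsite", "Default-First-Site-Name"),
    Boundary("LAB", "subnet", "10.10.0.0/16"),
    Boundary("LAB", "ipv6prefix", "2001:db8:10::/48"),
    Boundary("BR1", "iprange", "10.10.5.1-10.10.5.254", fast=False),
)
DPS = (
    DistributionPoint("DCLAB", "LAB"),
    DistributionPoint("BR1DP", "BR1", protected=(BOUNDARIES[3],)),
)

if __name__ == "__main__":
    for ip in ("10.10.1.5", "10.10.5.20", "192.168.1.1"):
        print(ip, "sites:", sorted(matching_sites(BOUNDARIES, ip=ip)),
              "DPs:", eligible_dps(DPS, ip=ip))
    for a, b in overlapping_boundaries(BOUNDARIES):
        print("OVERLAP:", a.site, a.value, "<->", b.site, b.value)
```

Run it and the client at 10.10.5.20 matches both LAB and BR1, which is exactly the ambiguity the console will not warn you about; the overlap check is the kind of thing to run against an exported boundary list before adding a child site.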
Now on to the selection of the roles to add to your system. As you can see from the list, there are some new roles as well as some classic roles. The new roles include the System health validator point, which is part of NAP; the State migration point, which is part of USMT/OSD; the PXE service point; the Fallback status point; and the Software update point. The others you should recognize: the Server locator point and the Reporting point.
Choose the SLP, RP, SUP, and State migration point and click the Next button to continue.
This takes you into another sequence of pages to configure each role individually:
· SLP: leave the defaults.
· State migration point: leave the defaults, but click the starburst button and input d:\SMP for the folder. This is where user state is stored during the OSD process if it has to be kept on the network, so this folder will hold users’ profile data; click Next after specifying it.
· RP: leave the defaults and click Next.
· SUP settings: you may need to specify proxy server settings in order to get out to the Internet; click Next to continue. On the next page check the box Use this server as the active software update point, and leave the port set to 80 unless you changed it when WSUS was installed. The active SUP should only be set on the server where you want all the patch metadata downloaded, typically your central site, where you create the packages and then distribute them. The topmost site syncs with Microsoft Update and the sites below it sync from it. The next page lets you set the schedule for syncing your updates; leave it at the default and click Next.
The Classifications page lets you choose which classes of updates to download: Critical Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, and Updates. Note that if you are syncing from an existing WSUS server (which I would not recommend), the settings here do not override what is configured on that WSUS server, so you may end up with updates outside of what you configure here.
Choose Critical Updates, Definition Updates, Security Updates, Service Packs, Update Rollups, and Updates, then click Next.
The next page is the products you want to download updates for; choose Office, SQL Server, and Windows and then click Next.
The last page before the Summary is the languages to download updates for. Since this is a lab I am going to specify only English, because I don’t want to take more space than I need; if other languages are something you need to test, leave the defaults. Click Next.
Now we are at the Summary page, where you can review the settings and go back if you need to make changes; once you click Next the install process begins.
And we are done… with this portion of the configuration. Click Close.
Now you can see the new roles are listed in the console.
Next up: client agents. The client agents you selected were installed with their default settings, so we only need to configure the agents where we want to change the defaults. Below are the default settings for each agent we installed.
· Hardware Inventory – Simple schedule, run every 7 days; does not collect NOIDMIFs or IDMIFs.
· Software Inventory – Simple schedule, run every 7 days. Inventory collected: all .exe files that are not compressed or encrypted, on all drives including the Windows directory; file and product details are collected. No files collected.
· Advertised Programs – Allow user targeted advertisement requests is enabled, a countdown is provided (countdown length five minutes), and Show advertised program notification icon is enabled.
· Computer Client Agent Properties – NEW – You specify the Network Access Account in this window, in old-school NT4-style domain\user format; you can also modify the client polling interval for policy updates here. The default is 60 minutes; the maximum is 1440 minutes. Clients use this account to reach distribution points whenever their computer account cannot (from WinPE during OSD, or from a workgroup machine), so make it a dedicated account with read access to the package shares and nothing more; its password is held on every client that needs it, so it must never be an administrator anywhere.
And for all those who requested this over the years, it has finally arrived: you can customize the message displayed to users when they are notified of a new advertisement. While it is not a great leap forward, allowing you to input only the organization name and a short message for each type of notification, it is better than nothing. I altered these just to make sure it will display what I want, and it looks like you are limited to 120 characters.
And that is not all! On the Reminders tab you can now specify how often the client gets that balloon popup. The defaults are: deadline more than 24 hours away, remind every 8 hours; less than 24 hours, every 1 hour; less than 1 hour, every 15 minutes.
Oh, but wait, there’s more! If you call in the next 10 minutes we’ll throw in BITS throttling for free! That’s right, folks: if you call now you can configure all your BITS needs from this magnificent window, how, when, and how much, all at your fingertips, but you must call now! Included are Apply to branch distribution points only, a throttling window of 9AM to 5PM, and a max transfer rate of 20 Kbps during that time.
· Desired Configuration Management – NEW – Simple schedule, every 7 days.
· Device Client Agent – Newish – Polling is set to 30 minutes, retry interval 3 minutes, number of retries 3. Software inventory is not enabled, but hardware inventory is and is set to every 1 day; file collection is also not enabled. I am not going to modify these settings at this point; if this is something you want to test in your lab then you should enable software inventory at least.
· Remote Tools – There are still quite a few companies that use this tool. Ask for permission is checked; clients running Windows 2000 get Full control, XP or later View only; you should be using RDP. You will need to populate the Permitted Viewers list with the group of accounts allowed to use this tool, as it is blank by default. That empty default is the right one: everyone on the list can take control of any client’s desktop, so keep it to one group of named administrators rather than a broad group. On Notifications, Display visual indicator and Show status icon in taskbar are selected, as well as Play sound – repeatedly during the session. You can configure Remote Assistance, but these settings are all unchecked by default. I have selected Configure unsolicited and solicited Remote Assistance settings and set the level of control to Full control.
· Software Metering – Schedule is set to every 7 days.
· Software Updates Client – NEW – The defaults for this agent are to scan every 1 week. For Updates Installation nothing is configured by default; the only options are Enforce all mandated deployments and the schedule. Deployment Re-evaluation is set to a simple schedule of 1 week; this re-evaluates the approved and deployed updates and reinstalls them on clients found to be missing the patch, which removes the need for a recurring advertisement to manage this. We can leave these settings as they are for now.
NOTE: I skipped the NAP configuration because we are not using it without Longhorn. I do have a copy of it around here that I was sent for my suggestion during one of the webcasts, so I may get to that later.
Let’s move on to the next section, Component Configuration, which contains Management Point, Software Distribution, Software Update Point (SUP), Status Reporting, and System Health Validator Point.
Starting with the Management Point configuration: your server should be listed as the default MP; the other selections are None and Network Load Balancing (NLB) cluster virtual server. If you have MPs you want to cluster you can select this option and then specify the virtual IP address as IPv4 or IPv6, or use an FQDN, for both intranet and Internet-based clients. In our setup there is no need to make any changes here.
Software Distribution configuration is next. This looks the same as it does in SMS 2003: you specify the drive where packages are stored, the D drive in our case, and the Advanced Client Network Access Account. You may think to yourself, didn’t we already do this in the Computer Client Agent? You would be correct; in the next build the Advanced Client Network Access Account will be gone, this is just leftover legacy UI.
Software Update Point Component Properties – NEW – This is where you configure the SUP. On the General tab you can leave the defaults. The possible settings are to point to a SUP on a different server, or to use an NLB cluster. You can specify the port number if you need to change it later, including the SSL port, and choose between allowing only intranet clients to use the SUP or both intranet and Internet clients, with or without SSL (nice feature!).
On the Sync Source tab you can leave the defaults as well. The options here are where your server syncs from to get the patches. In our case we grab them from the Microsoft Update site, since we are the top-level site. If we had child sites, this is where you would tell them not to go out to MU but to get the patches from the upstream server instead. Alternatively, you can sync with neither and use the import/export function if your SMS servers are not Internet-facing.
The other four tabs are Classifications, Products, Sync Schedule, and Languages. Since we defined these during the installation we do not need to configure them now, but if you want to change any of them later for further testing, this is where you would modify them. They are straightforward, so I am not going to cover them again; if you are an SMS admin you certainly have the brain power to manage these settings without explanation.
Status Reporting is an often overlooked configuration in my experience. This is just as it was in SMS 2003. I will leave these settings up to you, but I typically modify them to report more details.
System Health Validator Point – NEW – This is part of NAP, so we will not configure it, but I will briefly explain its role. This is the component that validates the statement of health the client reports before the result is passed on to the Network Policy Server (NPS), which is what actually determines whether a client is marked unrestricted or restricted and in need of remediation. The SHVP never communicates directly with SCCM; instead it gets its policy from AD, where SCCM wrote it, compares what the client sends against that policy, and then passes the result along to NPS. You can get much more detailed information from the SMS Docs team on the TechNet site regarding this component here.
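To make the flow just described concrete, here is an added example that is not code from the original post, from SCCM or from NPS: a small model in which the validator compares a client’s statement of health with the versioned reference SCCM published to AD, and NPS turns that verdict into a network access decision. The message fields, the freshness window (max_soh_age), the update labels and the enforce switch standing in for an NPS reporting-only mode are assumptions made for the illustration; the client names are constructed.

```python
"""Model of the SCCM 2007 NAP health check: SHV point versus NPS.

Added example (not SCCM or NPS code). Fields, the freshness window and the
'enforce' switch are assumptions; clients and update labels are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class HealthStateReference:
    """Policy written to AD by SCCM: a versioned set of required updates."""
    version: int
    required_updates: frozenset
    max_soh_age: timedelta = timedelta(hours=24)  # assumed freshness window


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client reports (constructed fields)."""
    client: str
    reference_version: int       # policy version the client evaluated itself against
    evaluated_at: datetime
    installed_updates: frozenset


@dataclass(frozen=True)
class SoHResponse:
    client: str
    compliant: bool
    reasons: tuple


def validate_soh(soh, reference, now):
    """SHV point: compare the SoH with the AD reference; it never talks to the site server."""
    reasons = []
    if soh.reference_version != reference.version:
        reasons.append("evaluated against policy version %d, current is %d"
                       % (soh.reference_version, reference.version))
    if now - soh.evaluated_at > reference.max_soh_age:
        reasons.append("statement of health older than %s" % reference.max_soh_age)
    missing = reference.required_updates - soh.installed_updates
    if missing:
        reasons.append("missing required updates: " + ", ".join(sorted(missing)))
    return SoHResponse(soh.client, not reasons, tuple(reasons))


def nps_decision(response, enforce=True):
    """NPS: a non-compliant client goes to the restricted (remediation) network
    when enforcement is on; with enforce=False (assumed reporting mode) the
    verdict is only logged and the client stays unrestricted."""
    if response.compliant or not enforce:
        return "unrestricted"
    return "restricted"


# Constructed sample: the reference SCCM published, and three clients' SoHs.
NOW = datetime(2007, 6, 1, 12, 0, tzinfo=timezone.utc)
REFERENCE = HealthStateReference(
    version=3, required_updates=frozenset({"SEC-UPDATE-1", "SEC-UPDATE-2"}))
SAMPLE_SOHS = (
    StatementOfHealth("ws-healthy", 3, NOW - timedelta(hours=1),
                      frozenset({"SEC-UPDATE-1", "SEC-UPDATE-2"})),
    StatementOfHealth("ws-missing", 3, NOW - timedelta(hours=1),
                      frozenset({"SEC-UPDATE-1"})),
    StatementOfHealth("ws-stale", 2, NOW - timedelta(hours=30),
                      frozenset({"SEC-UPDATE-1", "SEC-UPDATE-2"})),
)


def evaluate_all(sohs=SAMPLE_SOHS, reference=REFERENCE, now=NOW, enforce=True):
    """Run every SoH through the SHV point and NPS; returns client -> (decision, reasons)."""
    result = {}
    for soh in sohs:
        resp = validate_soh(soh, reference, now)
        result[soh.client] = (nps_decision(resp, enforce), resp.reasons)
    return result


if __name__ == "__main__":
    for client, (decision, reasons) in evaluate_all().items():
        print(client, decision, "; ".join(reasons) or "compliant")
```

The stale client is the case worth noticing: it has every required update installed, yet it is still restricted because its statement was produced against an old policy version and outside the freshness window, which is why the validator checks the reference version and age before it looks at the update list.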
Moving on now to Discovery Methods. These remain the same as in SMS 2003 SP2: AD System, AD User, AD System Group, and AD Security Group; what is missing are the NT4 discovery types you had in SMS 2003. There is also an additional option in Network Discovery: you can now sync with a DHCP server. You specify which server(s) you want to query and it gets client information from the DHCP leases. For our testing, enable all the AD discovery methods along with their groups.
This is not a complete reference for the configuration, but it is enough to get you started, and it turned out to be much more work than I anticipated. The next article will cover OSD in SCCM, which should be more interesting!
Regards,
Anthony
Anthony Clendenen | Senior Technical Consultant | Microsoft Practices | Dimension Data
“Dimension Data is Microsoft’s 2006 Global Advanced Infrastructure Technology Innovation
Partner of the Year… for the Dynamic Desktop Deployment Solution”