How to - System Centre Configuration Manager - Part 3 (Initial Configuration)
by, 7th February 2012 at 11:39 AM (72485 Views)
Welcome to Part 3 of my System Centre Configuration Manager (SCCM) series! I know it's taken me a bit longer to get this lot sorted, and I hope that I'm covering the mailbag of questions I've had - but if there is something specific you need, please comment or send me a PM. Alternatively, you can find me on Twitter @TheScarfedOne.
Part 3 is going to deal with your initial configuration. I'm going to take you on a whistle-stop tour to get your basic SCCM system ready to do a Build and Capture in Part 4 (which will be a 3 parter itself I think - 4a: Build and Capture, 4b: Deployment and 4c: Advanced Deployment Options [already published based on questions]).
So... introductions over with, let's get started! First things first, let's get into the SCCM Console. I'm going to assume for the purposes of this guide that you have followed parts 1 and 2 of the guide; and that you are Remote Desktop'd to the SCCM Server.
Clients are assigned to SCCM sites based on the boundaries defined for the site. Even though you are likely to only have one Site in a School Environment - you still need to set this up.
SCCM boundaries are used to identify a roaming client's position in the hierarchy, which in turn facilitates locating the nearest distribution points that host the content requested by clients. When a change in network location results in a client being outside its assigned site's boundaries, it relies on roaming behavior to locate content. More information about Boundaries can be found on technet - http://technet.microsoft.com/en-us/l.../bb632910.aspx.
Boundaries can be defined by IP subnets, Active Directory site names, IPv6 prefixes, IP ranges or a combination of these. We need to configure the Site Boundaries in order for auto-site assignment to succeed (the client's network location must fall within one of the configured boundaries for site assignment to succeed).
To set our Boundary, click on the + beside Site Management. Then, click on your SCCM Site Server name, and underneath that we have the Site Settings node.
Next, click on the Boundaries node, right click the node and select New Boundary from the context menu. We need to change the type to Active Directory Site - which you can select from the drop down list. AD Site is by far the easiest to use here. Click on the Browse option, and select your AD site name. In most cases, this will be Default-First-Site-Name, but you can check this from your Domain Controller (or your machine if it has the Windows Server Administration Toolkit installed) - using the AD Sites and Services tool.
Management and Distribution Points
Technet: How to Configure the Default Management Point for a Site (http://technet.microsoft.com/en-us/l.../bb632897.aspx)
Next up, time to configure the Distribution and Management Points. Hopefully – you’ve still got the console open! Highlight your SCCM server, which should be listed under Site Systems, under Site Settings. In the right pane we'll see the roles we've already installed – as part of the setup.
Now, double click on ConfigMgr distribution point and place a checkmark in Allow clients to transfer content from this distribution point using BITS. That will help speed up your installs, as it enables the “trickle-feed” option; like Windows Update uses. You can leave the rest alone.
Click on ConfigMgr Management Point to bring up its properties. If you are planning on managing mobile devices (phones) put a checkmark in Allow devices to use this management point and click Apply.
The Client Agents settings basically do what they say on the tin: they control the way in which the various components of the SCCM Client work. Select the Client Agents option, under Site Settings.
Let's start with the Hardware Inventory Client Agent – choose it from the list on the right side and verify that it is enabled. Set the inventory schedule to 7 days – unless you really need to gather your hardware specs more often. The more regularly you do this, the more beating you do of your SQL DB and your network. Click OK to close.
Next up is the Software Inventory Agent, again, a schedule set to 7 days will do fine. There are a few more options here though - click on the inventory collection tab, and delete the default scan listed. It’s a bit OTT going through every HDD looking for exe’s! We are going to create one to just look in Program Files – as that’s where you install your Applications….right?!
Click on the yellow star and add files of type *.exe, then click on Set beside location, select Variable or Path name and enter %ProgramFiles%\ as the program path; and make sure you remove the tick from the windows directory as well.
Next you can enable the Advertised programs client agent. This is the one you will want to use to allow users to do “self-installs” of registered safe software – and you also use it to do push installs as well. Enabling it is simple – open up the General tab and check the box for Enable software distribution to clients. Getting the hang of how easy it can be? One other setting you may want to do is change the New Program notification icon opens Add or Remove Programs option. If you are planning to use AppV, then also enable Allow virtual application package advertisement.
From the notification tab – you can choose whether to tell your users about new software. I tend to turn this off or you get popups every time and you generally don’t want this. You will have other ways of letting users know you’ve put new software out – like bulletins?
Next we will configure the Computer Client Agent properties. Health warning here - failure to configure this correctly, or at all, will lead to a failure in Operating System Deployment.
Under Network Access Account we need to enter an account to be used by Configuration Manager 2007 client computers to communicate with network resources. You should be careful about what account you use as the Network Access Account - it only really needs enough to connect to your distribution point shares. It should never have domain admin rights.
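One way to check the account before you enter it, as an added example that is not part of the original guide: the function below looks up every group the account belongs to (nested groups included) and flags it if any are privileged. It assumes the ActiveDirectory PowerShell module is installed and a single-domain forest; `svc-sccm-naa` and `Test-NaaPrivilege` are hypothetical names.

```powershell
# Added example: audit the account you plan to use as the Network Access Account.
# Assumptions: ActiveDirectory module available; single-domain forest;
# 'svc-sccm-naa' is a hypothetical account name - replace it with your own.
Import-Module ActiveDirectory

function Test-NaaPrivilege {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, primaryGroupID

    # Escape characters that are special inside an LDAP filter value.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                  -replace '\)', '\29' -replace '\*', '\2a'

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) returns every group
    # the account is a member of, including membership through nested groups.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")

    # Match on well-known SIDs so renamed groups are still caught.
    $domainSid = $user.SID.AccountDomainSid.Value
    $privileged = @(
        "$domainSid-512",   # Domain Admins
        "$domainSid-518",   # Schema Admins
        "$domainSid-519",   # Enterprise Admins
        'S-1-5-32-544',     # BUILTIN\Administrators
        'S-1-5-32-548',     # Account Operators
        'S-1-5-32-549',     # Server Operators
        'S-1-5-32-551'      # Backup Operators
    )
    $hits = @($groups | Where-Object { $privileged -contains $_.SID.Value })

    # The primary group is not stored in 'member', so check its RID separately.
    $primaryIsPrivileged = $user.primaryGroupID -in 512, 518, 519

    [pscustomobject]@{
        Account             = $user.SamAccountName
        PrivilegedGroups    = $hits.Name
        PrimaryIsPrivileged = $primaryIsPrivileged
        AdminCount          = $user.adminCount   # 1 = protected (admin) account
        Suitable            = ($hits.Count -eq 0) -and (-not $primaryIsPrivileged) -and
                              ($user.adminCount -ne 1)
    }
}

Test-NaaPrivilege -SamAccountName 'svc-sccm-naa'
```

If `Suitable` comes back `False`, remove the account from the groups listed in `PrivilegedGroups` (or pick a different account) before setting it as the Network Access Account.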
You can then also change the text on screens shown to the user, via the Customization tab. On the BITS Settings screen, make sure that it is set to All Clients, and unless you want to get clever with throttling settings and time windows – you can leave the rest alone. Click apply and ok.
For Remote Tools, set your Remote Assistance settings to Full control for both solicited and unsolicited remote assistance and add Domain Admins to the Security page.
Client Installation Methods
From the menu list to the left select Client installation methods. Unless you really need to – don’t enable Push Installations. The best way is to build your machines and include the client there. If you don’t have that luxury, then enable it by double clicking it in the right pane – and selecting Enable Client Push Installation to assigned resources. You will get a warning message. Click OK, and then check the options for Workstations and Enable to Site Systems.
You then need to specify an account to install the client under. To successfully install the Configuration Manager 2007 client, the Windows user account used must have Local Administrative rights on the destination computer. If the install fails with all accounts in the list then the installation will be attempted using the computer account from the Configuration Manager 2007 site server. If the user account does not have Local Administrative permissions on the destination computer then the Client will not install.
Next click on the Advanced client tab and set your Installation Properties string to something like this “SMSSITECODE=SITECODEHERE SMSCACHESIZE=8000”
Configure Discovery methods
Now we need to set up how SCCM will find your machines! This can be in terms of finding agents that are out there; or new "unmanaged" machines which then our Client Push will deal with. So, a bit about it first... taken from Technet (http://technet.microsoft.com/en-us/l.../bb633276.aspx)
Active Directory System Discovery – Discovers computers from the specified locations in Active Directory Domain Services.
Active Directory User Discovery - Discovers user accounts from the specified locations in Active Directory Domain Services.
Active Directory Security Group Discovery - Discovers security groups, including local, global, and universal groups from the specified locations in Active Directory Domain Services.
Active Directory System Group Discovery – Discovers additional information about previously discovered computers from the specified locations in Active Directory Domain Services. This information includes the OU and group membership of the computer. Active Directory System Group Discovery does not discover information about new resources that did not previously exist in the Configuration Manager site database.
Heartbeat Discovery – Used by active Configuration Manager clients to update their discovery records in the database. Because it is initiated by an active client, Heartbeat Discovery does not discover new resources.
Network Discovery – Searches your network infrastructure for network devices that have an IP address. This allows you to discover devices that might not be found by other discovery methods, including printers, routers, and bridges.
In the Discovery Methods section, select Heartbeat Discovery, and set the discovery to something like an hour or 2 hours to start with. This will help ensure all clients get connected quickly. Once you are all up and running – you can then set these to be a bit longer. I usually use 4 hours.
You can use the same setting for the other discovery methods - Active Directory System Discovery, Active Directory User Discovery, Active Directory Security Group Discovery and Active Directory System Group Discovery. I tend not to enable Network Discovery. To give things a kick start - you should also check that the Run discovery as soon as possible option is ticked for all of the above.
For all the “AD” related discoveries – you can target whereabouts in your OU structure you want to look. To do this, open the properties and click on the Yellow star to add an Active Directory container. You can use the Domain, or a custom query if you want to tie down to an OU (or multiple OUs).
That's it you are done. The basic configuration is ready – and if you have enabled Push Client Install, you will start to see your machines “check-in”.
Add the PXE Service Point (PSP) role to SCCM
More Technet Bedtime reading....Planning for PXE Initiated Operating System Deployments (http://technet.microsoft.com/en-us/l.../bb680753.aspx) - no seriously, read this one. It will save you a whole world of trouble later.
Ok – so I'm guessing one of the real reasons you want SCCM is for the uber OS deployment handling that it does. This section will walk you through that – from installing the role down to getting your basic OS Build and Capture image made ready to deploy.
So, first things first – what you need. You need to have the Windows 7 DVD ready, and also Remote Desktop access to your SCCM Server. Open the Console, and go down to Site Database > Site Management > Site Code > Site Settings > Site Systems and highlight your server. You need to then right click on it and choose New Roles.
When the New Site Role Wizard appears, click Next – and then highlight the PXE role and select it. You will be prompted about “incoming PXE requests” which you can accept.
Next up is the PXE - General options page. For testing you might want to remove the password requirement – but in production, definitely set one! Choose a delay for your SCCM to wait before answering a PXE Request. This is useful if you currently have another deployment method in use – such as FOG or another WDS/RIS server.
Now let's continue with configuring SCCM's PXE role – and you will need to accept the PXE-database settings. You will also be setting up a Certificate for the PXE server. Make sure you create this with an expiry way into the future. You don’t want to go around having to redo that in a year's time! The usual summary screen will be shown, then that’s that done.
If you have any problems with getting WDS to start once the PSP role is installed then please take a look at http://blogs.technet.com/b/configura...ager-2007.aspx.
Next up in Part 4A (yes, it's got to be that big an uber topic that I'm now breaking it down a bit more) - we finish off with our boot images, set up the actual Config Manager client installer; and then lastly our OS install. Then, we will build a task sequence - and watch as SCCM sets up Windows, then captures that for us ready to use.