Configuration Manager: State of the Union

Configuration Manager... ActuallyJason Sandys Kim OppalfensPrincipal ConsultantCatapult Systems Inovativ

UD-B408

Overview

Five issues, commonly addressed on the forums and mailing lists

Boundaries

Client identity

Business hours and maintenance windows

Deployment type evaluation

Upgrade to SP1

Boundaries

Boundaries: common questionsWhat type of boundary should I being using?Why are my resources not being assigned to my site?Should I use a site assignment boundary group for my secondary site?Why won’t my content download?

Boundary usage

Are

used for

•Content location by clients•Auto-site assignment by clients•Secondary site MP location

Are not used for

•Primary site MP or SUP selection by clients•Internet clients•Any server side processes•Client site re-assignment

Boundary types

Pro Con

IP Subnet

• Fast processing time • Requires knowledge of all client subnet masks

• No aggregation• Requires no aggregation of IP

subnets in AD for site assignment to function correctly

AD Site

• Fast processing time• Easy to setup

• Requires AD sites to be properly defined

• Requires AD sites to be granular• Software Updates during OSD has

issues

IP Range• Easy to implement• No dependencies on AD• Granular

• Slow processing time

Boundary groups

Boundaries must be contained within a boundary group to be used

Site assignment• One per primary site• One per secondary site• Published to AD

Content location• One per DP/SMP

orOne per location

• Not published to AD

Boundary general recommendations

AD Sites•AD subnets are well defined or Auto-site assignment is not needed•A lot of boundaries are needed•Cannot be used by workgroup clients

IP Range•Client subnet masks are unknown•AD subnets are not well defined•Granularity is needed or aggregation is possible•Performance is not an issue

IP Subnets•AD subnets are well defined or Auto-site assignment is not needed•Client subnet masks are known•A lot of boundaries are needed

Mix and match as needed Performance threshold: 100 clients / boundary

DEMO

Boundary and boundary group creation

Scenario 2:System within SS1 content location boundary

groupSystem within SS1 site assignment boundary

group

Secondary sites and site assignmentSite assignment during discovery determines which site initiates client agent installation for auto client push

PrimaryPR1

Secondary(SS1)

SS1DP

Site = PR1

Client Push

Client DL

Scenario 1:System within SS1 content location boundary

groupSystem within PR1 site assignment boundary

group

Client = No

Client Push

Client = YesResource

Site = <empty>Site = SS1

Boundary references• Secondary Sites and Boundary Groups• Known Issue: Supernets

in Active Directory Sites Used as Site Boundaries • Clarification on issues resulting from the use of

supernets in ConfigMgr 2007• When not to use IP Address Ranges as Boundaries in

Configuration Manager

• IP Subnet Boundaries are EVIL

Client Identity

Common questionsWhy am I getting duplicate GUIDs?Why is having duplicate GUIDs bad?When and how can a client’s identity be preserved? Is the Windows SID used to define the ConfigMgr client identity (aka GUID)?

ID overload

Security Identifier (SID)• Used by Windows• Known to AD and local

system but never used by anything except local client*

• Uniquely generated for each Windows system

• Not used by ConfigMgr to generate GUID

Globally Unique Identifier (GUID)• Used by ConfigMgr• Uniquely generated

by the ConfigMgr client agent

• Known to ConfigMgr site and client

• “Secret” generation process

Hardware Identifier (HWID)• Generated by

ConfigMgr client agent to uniquely identify hardware

• Known to ConfigMgr site and client

• Helps identity systems that have been “reimaged”

Resource ID• Sequential ID

known only to the site

• Used for nearly all client centric activity

Client certificate• Used to

generate new client GUID

• The Machine SID Duplication Myth (and Why Sysprep Matters)

• New for SMS 2003 SP1: Client Obsoletion and the Hardware ID

References

Business hours and maintenance windows

Common questionsHow do I set the business hours on all of my systems?Which takes precedence?When do I use one and not the other?Do they work together?

Key factsDeadlines define when a deployment is enforcedThe ConfigMgr client agent enforces deploymentsThe ConfigMgr client agent will not enforce a deployment outside of a maintenance window (if one exists)User initiation of a deployment is not subject to maintenance windows

Comparison

Maintena

nce windows

•Evaluated by the client•Administrator centric•Control when deployments with deadlines can (and can’t) be enforced

Business

hours

•Evaluated by the client•User centric•Can initiate deployments before deadlines

A scenario

Computer is idle at deadline 9:30 PM

Client business hours: 5 AM – 8 PMMaintenance window: 9 PM – 4 AMInstallation deadline: 9:30 PMDeployment start time: 6 PM

User working at 9:30 PM 9:30 PM

Computer off at deadline until the next morning

9:00 PM next evening

User enables installation during non-business hours 8:00 PM

DEMO

Using business hours

• Business Hours vs. Maintenance Windows with System Center 2012 Configuration Manager

• Software Center – Business Hours auslesen / setzen (auf Deutsch)

Business hours references

Deployment type evaluation

Evaluation flow

Requirements met?

New Policy App Install Schedule

Dependencies installed?

Yes

Install dependencies enabled?No

No

Yes

Install Application

Is installed?

No

Yes

Dependencies installed

Next Deployment type Next Deployment

type

No

Common questionsWhen do I use applications/packages & programs?How does the client determine which deployment type to run within an application?Can I use AD security groups as global conditions?Should I use AD security groups as global conditions?

Global conditions vs Collection exclusionsUse collections and collection rules to targetUse global conditions for locally “verifyable” dataUse global conditions to handle exceptions and application requirements

ReferencesSteve Rachui – Application model internals Part 1Steve Rachui – Application model internals Part 2Sample script based requirement rule

Upgrade to SP1

Common questionsShould I upgrade to SP1?What should I do to prepare for SP1?Are there any “gotchas” when upgrading to SP1?Do my clients automatically upgrade also?

Preparations

Pre-downloa

d all requirem

ents

Run the pre-

requisite checker

on all site servers

Check your SQL Server

version and

upgrade to the latest

SP

Backup your DBs, reports,

and source

files

Install KB2734608 for WSUS, upgrade Windows Update Agents

Uninstall WAIK, install ADK

Post upgrade

Update the ConfigMgr client

package

Upgrade your clients to SP1

Recreate and redeploy boot

images

Learn about and explore new features and

functions

Gotchas

Anti-virus• Turn it off for the

upgrade• Exclusions in

place• Offline

servicing/boot image updates

WinPE 4.0• vSphere 4 not

compatible• Requires NX bit

Microsoft Policy Provider signing• Re-download

mediaor

• Use hotfix from KB2801987

• How to upgrade System Center 2012 Configuration Manager to SP1

• Planning to Upgrade System Center 2012 Configuration Manager

• ConfigMgr 2012 SP1 Upgrade Guide• Configuration Manager 2012 RTM to SP1 Upgrade

Overview• DISM.exe generates an Error: 5 or Access Denied whe

n VSE 8.8 Access Protection is enabled

References

SummaryConfigMgr is a many layered, deep and wide productDon’t be a ghost, use BingUse the forums and lists (just don’t be a ghost, search first)TechNet System Center 2012 Configuration Manager forumsTechNet System Center Configuration Manager 2007 forumsmyITForum System Center 2012 Configuration Manager forummyITForum System Center Configuration Manager 2007 forumSystem Center Central System Center Configuration Manager forumWindows-Noob System Center 2012 Configuration Manager forumWindows-Noob System Center Configuration Manager 2007 forum

Evaluation

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com.Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

We want to hear from you!

Resources

http://channel9.msdn.com/Events

Access MMS Online to view session recordings after the event.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.