[SMS & SCCM] -
- Application Virtualization Management support
- Forefront Client Security Integration
- SQL REporting Services Reporting - Allows you to report on ConfigMan activity using Reporting Services
- Client Status Reporting that provides a set of tool and ConfigMan reports to assess status of client computers (Client health)
- OS deployment enhancements like:
- Unknown computer support without adding computer infomation to the SCCM database
- Multicast Support
- Running command lines in Task Sequences with credentials other than the Local System account
[SMS & SCCM] -
Sometimes the easiest way to install the client may be running it with psexec. That's especially true if the machine hasn't been discovered by some mechanism. The options for doing this often cause confusion, because there are two files involved - ccmsetup.exe and client.msi. CCMSETUP looks for client.msi in whatever folder ccmsetup is run from. If you use the -c switch that's normal with psexec, to copy the file being executed, it only copies the exe. That then hangs when it can't locate the msi, and the ccmsetup.log file is filled with messages reporting that it can't find client.msi in C:\Windows\System32 and will retry in 20 minutes.
The solution is to run ccmsetup from a location containing both files. The easiest is usually on an SMS site server. The proper command line is:
psexec -s \\computer \\SMSserver\client\i386\ccmsetup.exe [ccmsetup switches]
The -s command says to run using the system account. Do not use -c, as that will cause the errors described above. Using -d is optional; ccmsetup terminates pretty quickly. I generally leave it off so I can see the zero return code.
【个人引申】个人觉得 psexec 的最大一个用处是,可以写一个在远程机器上执行的批处理或者其他脚本,然后用 psexec –c 参数将这个脚本拷贝到远程机器上执行。例如本文中的例子可以这样写:
需要拷贝到远程机器的批处理文件,假设名称为 ClientInstall.bat,内容为:
\\SMSserver\client\i386\ccmsetup.exe [ccmsetup switches]然后可以在机器上执行:
Psexec \\computer –c ClientInstall.bat这样就达到了相同的目的。之后如需修改参数,只需要修改 ClientInstall.bat 中的参数即可。
[SMS & SCCM] -
11月15日,微软发布了 SCCM 2007 Toolkit,具体内容如下:
Client Spy - A tool to help troubleshoot issues related to software distribution, inventory, and software metering on Configuration Manager 2007 clients.
Policy Spy - A policy viewer to help review and troubleshoot the policy system on Configuration Manager 2007 clients.
Trace32 - A log viewer that provides a way to easily view and monitor log files created and updated by Configuration Manager 2007 clients and servers.
Security Configuration Wizard Template for Configuration Manager 2007 - An attack-surface reduction tool for the Microsoft Windows Server 2003 operating system with Service Pack 1 and Service Pack 2 (SP1 and SP2) that determines the minimum functionality required for a server's role or roles, and disables functionality that is not required.
DCM Model Verification - A tool used by desired configuration management content administrators for the validation and testing of configuration items and baselines authored externally from the Configuration Manager console.
DCM Digest Conversion - A tool used by desired configuration management content administrators to convert existing SMS 2003 Desired Configuration Management Solution templates to Desired Configuration Management 2007 configuration items.
DCM Substitution Variables - A tool used by desired configuration management content administrators for authoring desired configuration management configuration items that use chained setting and object discovery.
[SMS & SCCM] -
Content Location 是指Client 如何定位 advertisement 和Software update 发布的 Package Source Files。
当一个 Client 需要进行 content location 的时候,会发送 content location 的请求到 MP:
1. 当 Client 位于其 assigned site 的边界内,client 会发送 content location 请求到 default MP;
2. 当 client 位于和其 assigned site 有联系的 secondary site 的边界内的时候,如果 secondary site 有 proxy MP,client 会向 proxy MP 发送 contend location 请求;如果没有 proxy MP,client 会向 default MP 发送请求。
3. 当 client 不在其 assigned site 或和其 assigned site 有联系的 secondary site 的边界内的时候,client 可以通过 AD Domain Services (global roaming capability)获取 site 信息,然后向其目前当前roamed site 中的 resident MP 进行 content location;如果 resident MP 不能进行 content location(当前 site 中没有相应的 content 存在),client 会发送请求到其 default MP。
4. When a client is located within the boundaries of a primary site lower in the hierarchy than its assigned site or a secondary site attached to its assigned site, a client that cannot access site information from Active Directory Domain Services (regional roaming capability), will continue to request content location from its default management point in its assigned site.
[SMS & SCCM] -
今天在邮件列表中看到关于 site database 和 site server 不在同一台机器情况的讨论,结论是:如果两者不在同
一台机器上,必须先在 site database server 上先建一个空的库实例(不要做任何设置),然后在安装是连接到
database server 的实例即可。
原文节选:
If ConfigMgr and SQL were on the same server, ConfigMgr would automatically create the database for
you. Since SQL is running on a remote server, you do indeed have to create the database on the remote
SQL server first.
Just create it with the defaults…don’t make any edits/changes; the install will do the rest for you.
讨论的延伸:
如果 site server 和 site database server 不在一台机器上,SMS Provider 最好和 site database server 在同
一台机器上,这样做的效率更高。除非 site database server 是 SQL Server Virtual Cluster Instance 形式的
时候( Provider 不能安装在 SQL Server Virtual Cluster 上),才需要安装在非这两者的机器上。
[SMS & SCCM] -
关于 Site Maintenance 中预定义的 Tasks
在 Site Maintenance 下存在两个节点,一个是 SQL Commands 【 默认为空,需要自定义 SQL 语句 】,一个是预定义的 Tasks 【不能新增,只能在已经的存在的 Task 上做配置】。
Backup ConfigMgr Site Server (默认关闭)
作用:可以设置对 Site Database 的备份时间和备份路径。
默认每周日零点开始。
Clear Install Flag (默认关闭)
作用:如果在设定的“Client Rediscovery Period”这个时间内,没有收到 Client 发送的 Heartbeat Discovery 信息则将清除掉 Client 客户机已经安装 SCCM Client的标识,这样就可以再次安装 client。
注意:如果开启这个 Task,
1. 要确保开启 Heartbeat Discovery;
2. 要设置“Client Rediscovery Period”的时间比 Heartbeat Discovery 时间要长,根据公司情况设置一个合理的倍数。(起码1.5倍,3倍以上是比较保险的)
默认21天。
Delete Aged Client Access License Data (默认关闭)
Client Access License:Many Microsoft server products utilize the Client Access License (CAL) model, including Exchange Server, SQL Server, and Systems Management Server. For a list of Microsoft products for which CALs are required, see the Microsoft CAL Guide (http://go.microsoft.com/fwlink/?LinkId=91230).
At this time, Configuration Manager 2007 only tracks CALs for Windows Server and Exchange Server.
默认180天。
Delete Aged Collected Files (默认开启)
Collected Files 是指从 site database 和 site server folder structure 中收集的 files data.
The Delete Aged Collected Files task is used to delete aged collected files data from the Configuration Manager 2007 site database and from the site server folder structure at the selected site only. Databases at other sites are not affected.
Once collected, files specified to be collected will only be collected during subsequent inventories if they have changed since the previous inventory. By default, the five most recent copies of collected files are stored on the site server in the inboxes\sinv.box\FileCol directory.
默认90天。
Delete Aged Computer Association Data (默认开启)
Computer Association Data 是指通过 OSD 方式完成系统按照并还原用户状态之后删除的计算机关联记录信息。
默认30天。
Delete Aged Configuration Management Data (默认开启)
Configuration Management Data:在修改 DCM、SUM、OSD 配置后,site database 会相应更新到最新的配置,而原有的配置信息仍然保存在 database 中。当 Client 都接收到新的配置 policy 之后(即不再根据老的 policy 报告其状态),和老的 policy 相关的信息将会根据配置的周期进行清除。
默认90天。
When changes are made to configuration items created when using desired configuration management, software updates management, or operating system deployment, the site database is updated with the new configuration item definition. The original configuration item definition is also stored in the site database. When clients have stopped reporting the original configuration item definition, the definition and any configuration item compliance history associated with that version is removed from the database according to the schedule you have specified.
Delete Aged Discovery Data (默认开启)
Discovery Data:包括通过 heartbeat discovery、network discovery、and Active Directory Domain Services discovery methods (System, User, and System Group) 获得的记录。
默认90天。
Delete Aged Inventory History (默认开启)
【似乎只和 hardware inventory 有关】
If the hardware inventory client agent is enabled at a site, or at any of its child sites, the Delete Aged Inventory History task deletes all client hardware inventory history data older than the number of days specified. The inventory history data is deleted from the Configuration Manager 2007 site database at the selected site only. After this task runs, only the current inventory data is left in the Configuration Manager 2007 site database. Site databases at other sites are not affected.
Defaults: Delete hardware inventory data older than 90 days; runs on Saturday between midnight and 5:00 A.M.
Delete Aged Software Metering Data (默认开启)
The minimum number of days that you can set to delete all software usage data is two. The maximum number is 255.
Defaults: Deletes software usage data older than five days; runs daily.
Delete Aged Software Metering Summary Data (默认开启)
【不清楚这里的 summary 到底是干了什么】
Delete Aged Status Messages (默认开启)
Defaults: Deletes status messages older than seven days; runs daily between midnight and 5:00 A.M.
Delete Inactive Client Discovery Data (默认关闭)
Clients 会被标识为 inactive 的两种情况:
1. When a client is flagged as obsolete it is also marked as inactive.
2. Clients can be marked inactive by the client health tool if the tool is configured to mark clients as inactive.
注意:The client health tool is not included in Configuration Manager Setup and must be downloaded and installed separately.
Delete Inactive Client Discovery Data 和 Delete Aged Discovery Data 比较相似,但是前者只针对 SCCM 2007 Client 操作,后者可以针对所有 discovered 的资源。
如果启用,其时间必须长于 Heartbeat 时间。This allows active clients to send a Heartbeat Discovery record to mark their client record as active so that this task does not delete them.
Defaults: Delete inactive client discovery data older than 90 days; Runs on Saturday between midnight and 5:00 A.M.. Not enabled by default.
Delete Obsolete Client Discovery Data (默认关闭)
一个新的记录会造成这个 Client 原有记录的obsolete。The newer record becomes the client's current record, and the older record becomes obsolete.
如果开启这个任务,要保证其时间长于 heartbeat 时间。This allows clients to send Discovery Data Records (DDRs) so that the obsolete bit is set correctly.
Defaults:Deletes obsolete client discovery data older than seven days; runs on Saturday. This task is not enabled by default.
Monitor Keys (默认开启)
这个任务的作用是监视 database primary keys 的完整性。A primary key is a column or combination of columns that uniquely identify one row and distinguish it from any other row in a Microsoft SQL Server database table.
Defaults:Runs every Sunday, between midnight and 5:00 A.M.
Rebuild Indexes (默认开启)
作用:重建 SCCM 2007 site database 使用的 indexes。An index is a database structure created on a database table to speed up data retrieval. For example, searching an indexed column is often much faster than searching a column that is not indexed.
To improve performance, the Configuration Manager 2007 site database indexes are frequently updated to remain synchronized with the constantly changing data stored in the database. This task creates indexes on database columns that are at least 50 percent unique, drops indexes on columns that are less than 50 percent unique, and rebuilds all existing indexes that meet the data uniqueness criteria.
Defaults:Runs every Sunday, between midnight and 5:00 A.M.
Summarize Client Access License Weekly Usage Data (默认关闭)
Defaults:Not enabled. Runs on Saturday between midnight and 5:00 A.M.
Summarize Software Metering File Usage Data (默认开启)
作用:summarizes software metering file usage data from multiple records into one general record. This record provides summarized information about the application name, version, language, number of concurrent users, and hourly usage over a specified length of time. Data summarization helps compress the amount of data stored in the Configuration Manager 2007 site database.
This task can be used with the Summarize Software Metering Monthly Usage Data task to summarize software metering data, and to conserve space in the Configuration Manager 2007 site database.
Defaults:Runs daily, between midnight and 5:00 A.M.
Summarize Software Metering Monthly Usage Data (默认开启)
Defaults:Summarizes messages older than one month; runs daily, between midnight and 5:00 A.M.
[SMS & SCCM] -
SCCM 2007 于 2007 年 8 月下旬发布 RTM 版,现阶段其资料可说是非常匮乏,能够利用的只有微软的在线 Library 和联机文档了。当然,SCCM 2007 不是一蹴而就的,我们仍然可以利用 SMS 2003 现有的丰富文档资源。在查看 SMS 2003 资料的时候,应该注意一下 SCCM 2007 和 SMS 2003 在哪些地方做了更新,哪些地方没有变化。原文地址: http://www.faqshop.com/configmgr2007/configmgr2007whatsnew.htm
#####
# SCCM 2007 特有的功能
#########################
ConfigMgr 包含了以下一些新功能:
- Desired Configuration Management (DCM)
- Network Access Protection (NAP)
- Wake-On-LAN (WOL)
- Site Modes (either Native or Mixed Mode with Native being used to facilitate management of Internet-based Clients or those that do not have a direct connection to your ConfigMgr infrastructure)
- Full support for Fully Qualified Domain Names (FQDNs) and IPv6
- Clients send new State Messages based on the state of a process at a given time of changes to their state (compared to Status Messages which provide information relating to data flow and component behaviour)
- A new improved version of the SMS Administrator Console
- Introduction of several new Site System Roles:
Branch Distribution Point (BDP)
Fallback Status Point (FSP)
Pre-boot Execution Environment (PXE) Service Point
Software Update Point (SUP)
State Migration Point (SMP)
System Health Validator Point (SHVP)
NOTE: These are explained in the "What are the ConfigMgr 2007 Site System roles?" article - Support for hosting the Site Database on a clustered SQL Server virtual instance or SQL Server 2005 named instances
- New Software Update Point Client installation method
- Boundaries can be defined based on IPv6 Prefix (as well as AD Site, IP subnet, and IP range as in SMS 2003)
- Support for upgrading from the Evaluation Version to the Full Version of the product without having to re-install/ reconfigure everything
#####
# SCCM 2007 相比 SMS 2003 做了改变的地方
#########################
- Feature Packs that used to be separate add-ons in SMS 2003 are now incorporated into the core ConfigMgr product (for example the Administration Feature Pack, Device Management Feature Pack, Operating System Deployment Feature Pack Update)
- Asset Intelligence introduced as an optional component in SMS 2003 SP3 is now included in the core product
NOTE: As a result of the above two changes the core product requires a greater amount of server resources. - Major changes to the way Backup and Recovery, and Software Updates work compared to SMS 2003
- Minor improvements to Collections, Remote Tools, Software Distribution and Software Metering compared to SMS 2003
- Senders can only now be installed on Primary or Secondary Site Servers
- Only one Client type (basically the SMS 2003 Advanced Client so no Legacy Clients)
- Only a single Security mode (similar to SMS 2003 Advanced Security mode)
- The Site Server's local boundary is no longer automatically configured as a Site Boundary - you need to define this post installation
- Site Boundaries are no longer supported - only Roaming Boundaries are with a choice of "Slow or unreliable" or "Fast (LAN)"
- Client Push uses the Site Code of the Primary rather than being set to "Auto" as in SMS 2003
#####
# SCCM 2007 相比 SMS 2003 没有变化的地方
#########################
Some things have remained the same or have changed very little in ConfigMgr compared to SMS 2003:
- Discovery, Inventory, Queries and Reporting
- Key terminology such as Sites, Primary Sites, Secondary Sites remains the same
- Services, file names, share names and ConfigMgr-related groups retain the SMS prefix
- Many Status Messages still mention SMS as these could potentially refer to a Child SMS SMS 2003 Site
- Some programmatic elements have not been renamed such as the SMS Provider to avoid potential backwards compatibility issues for those people using WMI scripting
[SMS & SCCM] -
SCCM 2007 中的术语
2007年8月24日,微软 System Center Configuration Manager 2007 (SCCM 2007) 已经正式发布了。详情见: http://www.myitforum.com/absolutenm/templates/IndustryNews.aspx?articleid=3845&zoneid=71
本文根据个人理解编写,欢迎大家指出我的错误,我会努力不断将其完善。谢谢!
我的MSN: xnming21@hotmail.com
SCCM 中服务器的角色有:
Branch Distribution Point
Component Server
Distribution Point
Fallback Status Point
Management Point
PXE Service Point
Reporting Point
Server Locator Point
Site Database Sever
Site Server
Software Update Point
State Migration Point
System health Validation Point
Advanced Client: 运行 Win2000 及其之后的操作系统的 Client。Advanced Client 可以被委派到 Mixed 模式的 Site。
Asset Intelligence: 智能资产管理。是 SCCM 2007 的一个功能,可以生成一个关于 Client 上安装的软件硬件清单的报告。
binary delta replication: SCCM 2007 一个功能,与 delta replication 不同,delta replication 是文件级的差别比较后复制,binary delta replication 是二进制级的差别比较复制。这个应用在管理远程分支机构比较有用。比如下发一个200M的软件,过了不久当这个软件升级(不可能 200M 都重写吧)后再次下发时,BDP 会将它现有的文件和 DP 上的新文件进行二进制级别的比较,然后只更新下载变化的部分。这样就大大节省了带宽。当然,同时这也增加了 CPU 的负责,对 CPU 要求比较高。这就叫以 CPU 换带宽嘛!^_^
BitLocker: 这是 Windows Vista 之后的操作系统才具有的功能,提供了对硬盘卷分区的底层加密,实现保护硬盘数据的目的。具体怎么回事偶也不清楚。
BITS: Background Intelligent Transfer Service. 提供了断点续传功能已经低带宽占用。
boundary: 管理边界,可以是一个 IP 子网,一个 IP 网段,一个 Ipv6 Prefix 以及一个 AD 站点等,用于定义一个 Configuration Manager site 的管理边界。Client 端可以利用边界确定被委派到哪个 Site 以及距离自己最近的一个 DP。这应该和 AD 中的关于站点的作用类似。Boundry 分两种网络连接类型:Lan 和 Slow or unreliable。
BDP: branch distribution point
client component: 在客户端上运行的 Configuration Manager 线程、服务或者程序,从而为 Client 提供 Configuration Manager 功能。
Configuration Manager client:任何运行着 Configuration Manager client 组件的计算机、Smart Phone、PPC等设备。一句话,可被 Configuration Manager 管理的设备。
Configuration Manager Site:位于多个子网下或同在一个域中的许多 Client 和 Site System 的集合。
Site Server: 成功安装了 Configuration Manager 的计算机,每个 Configuration Manager Site 只有一个 Site Server。
Site System: 具有配置管理功能的一台服务器,也就是被赋予了特定角色的服务器。一个 Site System 可以被赋予一个或多个角色。
[SMS & SCCM] -
一、Client Setup Log Files
位置:%windir%\system32\CCMSetup
| Log file name | Description |
| CCMSetup.log | Records setup tasks performed by CCMSetup. Can be used to troubleshoot client installation problems. |
| Client.msi.LOG | Records setup tasks performed by client.msi. Can be used to troubleshoot client installation problems. |
二、Client Computer Log Files
位置:
1. 在充当 management points 的 client 上,log 位置为 SMS_CCM\Logs
2. 在其他 client 上, log 位置为 %Windir%\System32\CCM\Logs folder
| Log file name | Description |
| CcmExec.log | Records activities of the client and the SMS Agent Host service. Can help to troubleshoot scenarios where the client is corrupted or not functioning. For example, this log file applies to a scenario where the client cannot communicate with a management point. |
| CertificateMaintenance.log | Records certificate maintenance for Active Directory and management points. Can help to troubleshoot scenarios where the client cannot communicate with a management point or with Active Directory. |
| ClientIDManagerStartup.log | Records the creation and maintenance of client GUIDS. Can help to troubleshoot scenarios where the client changes its GUID after a hardware change or after Windows activation. |
| ClientLocation.log | Records site assignment tasks. Can help to troubleshoot scenarios where the client is not assigned to a Configuration Manager 2007 site. |
| LocationServices.log | Records attempts to find management points and distribution points. Can help to troubleshoot scenarios where the client cannot find a management point or distribution point. |
| PolicyAgent.log | Records policy requests using the Data Transfer service. Can help to troubleshoot policy request problems. |
| PolicyAgentProvider.log | Records policy changes. Can help to troubleshoot policy request problems or WMI errors. |
| PolicyEvaluator.log | Records new policy settings. Can help to troubleshoot policy override issues. |
| StatusAgent.log | Records status messages that are created by the client components. Can help to troubleshoot scenarios where the client cannot send status to the management point. |
三、Configuration Manager Site Server Log Files
位置:SMS\Logs
| Log file name | Description |
| Ccm.log | Records client configuration manager tasks. Can help to troubleshoot scenarios where the site cannot connect to computers because of permissions or name resolution. |
| Fspmgr.log | Records fallback status point activities. Can help to troubleshoot problems with the fallback status point. |
| Hman.log | Records site configuration changes and publishes site information in Active Directory. Can help to troubleshoot site control serial number or delta serial number issues, or scenarios where the site cannot publish site information to Active Directory. |
| Mpcontrol.log | Records the registration of the management point with WINS. Records the availability of the management point every ten minutes. Can help to troubleshoot possible IIS issues if the management point is unavailable. |
| Policypv.log | Records updates to the Advanced Client policies to reflect changes to client settings or advertisements. Can help to troubleshoot scenarios where policy updates do not occur after you make changes to advertisements or to client settings. |
| Sitecomp.log | Records maintenance of the installed site components. Can help to troubleshoot upgrade issues, registry or file system permission issues, or scenarios where the site cannot publish site information to Active Directory. |
[SMS & SCCM] -
Clients Fail to Assign to a Site Because the Site Compatibility Check Fails
当 SCCM 2007 的客户端被成功安装,但是不能委派到站点中时,一个可能的原因是在委派的过程中 site compatibility 失败。
解决方法:
- 首先确定 client 具有检查 site compatibility 的机制,用如下两种方法:
- Active Directory Domain Services is extended for Configuration Manager 2007, and clients belong to this forest.
- Clients can find a server locator point that's published in WINS, or they are reinstalled and assigned to a server locator point during installation.
延伸知识
- What's New in Client Deployment for Configuration Manager
- About Client Assignment
- Determine If You Need a Server Locator Point
- How to Specify the Server Locator Point for Client Computers
Clients Cannot be Managed Because they Cannot Locate their Default Management Point
如果 client 以及被成功安装,并且被委派到一个站点中,但是不能下载 policy,一个可能原因是站点中没有 management point,或者 client 找不到 management point。
解决方法:确认站点中存在 management point。
client 通过以下方法中的一种找到 management point: 1. AD Domain service(if the schema is extended for Configuration Manager 2007) 2. DNS (if Configuration Manager 2007 is configured for DNS publishing) 3. WINS 4. Server locator point.
Clients Fail to Install Using Client Push Because Windows Firewall Blocks Installation
需要在防火墙设置例外规则,如下:
1. File and Printer Sharing 2. Windows Management Instrumentation (WMI)For more information, see Firewall Settings for Configuration Manager 2007 Clients.
Missing Data in Client Deployment and Assignment Reports
- If you view the following reports and they do not contain client data, ensure that clients are assigned to a fallback status point:
- Client Assignment Detailed Status Report
- Client Assignment Failure Details
- Client Assignment Status Details
- Client Assignment Success Details
- Client Deployment Failure Report
- Client Deployment Status Details
- Client Deployment Success Report
解决方法:
Assign a fallback status point to Configuration Manager 2007 clients and view the reports from the site in which the fallback status point is installed.
Attention!!!
1. SMS 2003 clients do not use these reports.
2. 在同时布署许多台 client 的时候,client 反馈到 Fallback status point 的消息会有延迟的问题。一个变通的方法是在 fallback status point 上设置 throttling settings。
延伸知识:
1. How to Assign the Fallback Status Point to Client Computers
2. Determine If You Need to Configure Throttle Settings for the Fallback Status Point
Clients Fail to Install Because the Management Point is Not Operational
当一个站点的所有 client 都不能被管理时,这只能是 mangagement poing 的问题了。
解决方法:
Ensure that the management point has the required dependencies in the section "General Site Server Prerequisites" in the following topic: Prerequisites for Installing Configuration Manager.
Also reference Configuration Manager Supported Configurations to verify that you running in a supported environment.
Consider manually running the Configuration Manager 2007 Setup Prerequisite Checker to identify any missing dependencies for the management point.
Clients Fail to Assign to Correct Site Using Auto-Site Assignment
If you install clients using auto-site assignment which either fails or the client is assigned to the wrong site, the most likely reason for this failure is that boundaries are not configured correctly for the Configuration Manager 2007 sites, or that the client roamed into another site during the upgrade process.
解决方法:
Check that boundaries are configured correctly for each site in the Configuration Manager 2007 hierarchy.
- For more information about boundaries, see the following topics:
- Planning Configuration Manager Boundaries
- Choose Configuration Manager Boundaries
- How to Configure Configuration Manager Boundaries
If clients are likely to roam during the upgrade process, do not use auto-site assignment.
[SMS & SCCM] -
site mode 被用来配置 client-to-server 的通信。SCCM 2007 中存在两种模式:native mode and mixed mode。
Native mode was introduced in Configuration Manager 2007 to provide a higher level of security between clients and servers than mixed mode provides.
Mixed mode exists to provide a supported site mode for networking environments without an existing PKI infrastructure and backward compatibility with SMS 2003 clients and sites.
在对安全性要求较高,以及需要支持 Internet-based clients 时,只能选择 native 模式。配置 native mode 的前提条件如下:
- An existing public key infrastructure (PKI)
- A site server signing certificate installed on the site server
- Web certificates on certain site system roles
- Client authentication certificates on all Configuration Manager clients, and the management point.
Attention!!!
Native mode secures client-to-server communications only.
To protect server-to-server communication, implement IPSec.
To protect site-to-site communication, use secure key exchange between sites.
当存在如下任一种情况时,必须设置为 mixed mode:
- The site will support SMS 2003 clients
- The site has a parent site configured for mixed mode
- You have an existing PKI but have not yet installed the site server signing certificate on the site server.
Attention!!!
Mixed mode sites cannot use client certificates to authorize clients and so uses a configurable approval setting.
[SMS & SCCM] -
Fallback status point 是 SCCM 2007 系统中的一个 site system role,帮助管理员监控 client 的布署情况以及用来确定 client 安装和委派情况,还可以用来确认 client 是否处于可管理状态。总之,和 client 相关的问题大多可以通过 fallback status point 来排错。
+---------+ send +--------------+ relay +--------+ + SCCM + ---------> + Fallback + ---------> + Site + + client + message + status point + + server + +---------+ +--------------+ +--------+
Attention!!!
1. SMS 2003 client computers cannot use a fallback status point.
2. There is no equivalent of the status message viewer for state messages.
如果决定使用 fallback status point,那就在布署 client 之前就添加好这个 role。另外,虽然可以在一个站点中布署多个 fallback status point,但是每个客户端只能制定一个 fallback status point。
Using the Fallback Status Point for Client Deployment
- 在安装 client 遇到问题的时候,client 会发送到 fallback status point 的消息有如下几种:
- The client failed to install properly (for example, because of incorrect setup options or syntax errors, or because it failed to locate the required files).
- The client failed to be assigned to a site.
- The client failed to register with its assigned site.
- The client failed to locate its management point.
- There was a network connectivity problem between the client and the management point.
- The management point is not configured correctly (for example, Internet Information Services (IIS) is not configured correctly for a Configuration Manager management point).
Attention!!!
在 client 在成功安装之后,也会向 fallback status point 发送一个消息。当需要重启才能完成安装时,也会向 fallback status point 发送一个消息。
Using the Fallback Status Point to Identify Native Mode Communication Problems
因为 fallback status point 能够接收 unauthenticated 的通信,可以从处于 native 模式的客户端接收到由于 PKI 验证问题造成客户端和管理节点之间的通信问题的消息。Examples of state messages a client might send to a fallback status point to identify problems with native mode communication include the following:
- There is no valid client certificate.
- There is more than one possible valid client certificate without an appropriate certificate selection configuration specified.
- A server certificate needed for native mode communication fails to chain successfully to the trusted root certification.
- A server certificate needed for native mode communication is expired.
- A server certificate needed for native mode communication is revoked.
[SMS & SCCM] -
SCCM 2007 Beta 对 Site Servers 和 SMS clients 的软硬件要求不同。
Site Server 的硬件要求:
CPU: 750 MHz processor (2.0 GHz or faster recommended)
RAM: 256 MB minimum (1024 MB recommended)
硬盘空间: 2 GB minimum (5 GB free recommended if using operating system deployment)
Site Server 的软件要求:
Win2003 SP1 or later
Win2003 R2Vista is required for the system health validator point site role
SMS site Server 的一些其他方面的软件要求:
必须安装 IIS 6.0 or later,如果 Site Server 需要执行以下角色:
1. Background Intelligent Transfer Service (BITS)-enabled distribution point (requires BITS server and Web Distributed Authoring and Versioning [WebDAV] extensions)
2. Management point (requires BITS server and WebDAV extensions)
3. State migration point (requires BITS server and WebDAV extensions)
4. Reporting point (requires Active Server pages)
5. Server locator point
6. All SMS distribution point systems using BITS bandwidth throttling require BITS 2.0 or later.
7. System health validator points require that the Network Policy Server service is enabled.
8. The SMS site database server requires Microsoft SQL Server 2005 or SQL Server 2000 SP3a or later.
9. All site systems require Internet Explorer 5.0 or later.
10. All site servers must be a member of a Windows 2000 or Windows 2003 Active Directory domain.
11. SMS primary site servers, secondary site servers, and any computers running the SMS Administrator console require Microsoft Management Console (MMC) 3.0, which is available at Microsoft Management Console 3.0.
12. All computers running the SMS Administrator console require the .NET Framework 2.0
SMS Client 硬件要求:
CPU: 233 MHz or faster processor
RAM: 128 MB minimum, 256 MB or more recommended, 384 MB RAM required if using operating system deployment
硬盘空间: 80 MB
SMS Client 软件要求:
Win2000 SP4 or later
WinXP SP1 or later
Win2003 SP1 or later
Win2003 R2
所有系统上的 Internet Explorer 都必须在 5.0 版以上