Design Concepts
Active Directory Integration
Configuration Manager and WMI
Components and Communications
Inside the ConfigMgr Database
Status Messages and Logs
Microsoft’s System Center Configuration Manager (ConfigMgr) 2007 delivers a variety of configuration management and system support services via a flexible and distributed architecture. ConfigMgr 2007 takes advantage of standards-based network protocols and security for its internal workings and for its interaction with client systems. Configuration Manager components store and use data about the ConfigMgr infrastructure and its activity, the environment, and managed site systems in the site database. Microsoft provides an extensive set of queries and reports based on this data, as well as facilities for extracting data for your own queries and reports.
This chapter examines the inner workings of Configuration Manager. It describes the design concepts and working principles of ConfigMgr 2007, along with the ways that ConfigMgr utilizes core Windows technologies, specifically Active Directory (AD) and Windows Management Instrumentation (WMI). It also discusses the various components of Configuration Manager, how they communicate with each other, and how they work together to implement ConfigMgr features. The chapter looks inside the site database, which is the heart of Configuration Manager. It shows how you can view the inner workings of ConfigMgr through its status messages and logs, as well as through other tools for viewing database and process activity. The emphasis of this chapter is on depth rather than breadth. The authors have chosen some of the most important feature sets and data structures to use as examples throughout the chapter, rather than try to provide a comprehensive exposition of all ConfigMgr functionality.
For those readers who are simply looking to get Configuration Manager up and running, some of the material in this chapter may not be essential. These readers may still find a quick review of the “Schema Extensions” section helpful for planning purposes. They may also find some of the methods used in the “Status Messages and Logs” section useful for troubleshooting purposes. The “Managing WMI” section provides some additional guidance on troubleshooting WMI issues. For those who desire a deeper understanding of what is going on behind the scenes with ConfigMgr, the material in this chapter will help you grasp the architectural principles of the product and guide you into exploring the inner workings of Configuration Manager.
Design Concepts
Microsoft designed Configuration Manager 2007 to deliver enhanced management services to a wide variety of Windows-based systems. Its predecessor, Systems Management Server (SMS), made it easier to manage desktop and laptop computers in an enterprise network environment. (For information regarding the different versions of SMS, see Chapter 2, “Configuration Manager 2007 Overview.”) Configuration Manager builds on the core functionality of SMS and adds an enhanced feature set that includes advanced operating system (OS) deployment capabilities and asset management features, as well as support for new Out of Band (OOB) Management technologies. ConfigMgr also extends management capabilities to managed computers accessible through the Internet.
In this latest release of its systems management software, Microsoft emphasizes security and compliance, scalability and operational simplicity. To help customers meet security and compliance goals, Configuration Manager 2007 implements the following features:
Patch Management—One of the most important features of SMS 2003, the predecessor of ConfigMgr 2007, was its capability for deploying patches to Windows clients and reporting on system patch compliance status. Configuration Manager improves and extends this capability by integrating with Microsoft’s Windows Software Update Service (WSUS) and implementing Network Access Protection (NAP) to prevent noncompliant systems from joining the network. Chapter 15, “Patch Management,” discusses patch deployment and NAP.
Configuration Management—ConfigMgr’s Desired Configuration Management (DCM) allows you to ensure compliance with defined standards to prevent misconfigurations and reduce the attack surface of your systems. You will find a discussion of DCM in Chapter 16, “Desired Configuration Management.”
Active Directory Integration—Configuration Manager 2007’s integration with Active Directory provides authentication and access control. The “Active Directory Integration” section of this chapter discusses these features.
Security—Configuration Manager uses certificate-based authentication, encryption, and data integrity controls to secure communications between the site systems and clients. Configuration Manager provides a new security mode, called native mode, which is required for some but not all certificate-based functionality. Chapter 6, “Architecture Design Planning,” discusses certificates and native mode.
Microsoft has also made ConfigMgr 2007 more scalable. Some scalability enhancements include the following:
Distributed processing—SMS 2003 includes the ability to distribute functional roles to other systems in the environment. ConfigMgr 2007 introduces additional roles that can be distributed, helping to balance the processing load required by any single server.
Scale out—Network Load Balancing (NLB) clusters enable scaling out certain roles.
Flexible hierarchy—ConfigMgr’s flexible hierarchy model enables deploying its services to remote locations with limited network connectivity. This includes the branch distribution point capability, new with Configuration Manager 2007.
Manageability—Configuration Manager uses Internet-standard protocols to extend management capabilities to Windows mobile devices and managed systems accessible through the Internet.
Chapter 6 includes a discussion on configuring site system roles, hierarchy design, and management of mobile devices and Internet clients.
Configuration Manager’s capabilities can help simplify your operations in the following areas:
Planning—Inventory and discovery data provide a central information store you can use in intelligently planning your operations. The “Inside the ConfigMgr Database” section of this chapter introduces the database and some of its potential uses.
Deployment—Features for capturing, managing, and distributing system images and migrating user state information make it easier to provision new systems and upgrade existing ones. Chapter 19, “Operating System Deployment,” presents ConfigMgr’s Operating System Deployment (OSD) capabilities.
Enhancing—Configuration Manager provides capabilities to easily deploy and maintain software applications on large numbers of client systems. Chapter 14, “Distributing Packages,” discusses ConfigMgr software distribution in detail.
Life cycle management—ConfigMgr 2007’s improved Asset Intelligence capabilities help you track and manage hardware and software assets throughout their life cycle. Chapter 18, “Reporting,” discusses the use of Asset Intelligence.
To implement these capabilities, Configuration Manager leverages key elements of the Windows platform. The two most important Windows components are AD and WMI. The next sections look in depth at how ConfigMgr uses these technologies.
Active Directory Integration
Active Directory is the central information store that Windows Server uses to maintain entity and relationship data for a wide variety of objects in a networked environment. AD provides a set of core services, including authentication, authorization, and directory services. Configuration Manager requires an Active Directory environment and takes advantage of AD to support many of its features. For more information about Active Directory in Windows Server 2003 and Windows Server 2008, see the following references:
http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx for information regarding Windows Server 2003 and Active Directory
http://www.microsoft.com/windowsserver2008/en/us/active-directory.aspx for details on Active Directory in Windows Server 2008
In an Active Directory environment, all processes run in the security context of a user or a security context supplied by the operating system. System accounts are special accounts included on each Windows system used to run processes in a context supplied by the operating system. Prior to AD, the only built-in system account context was the Local System account. The Windows NT Local System account provided unlimited access to system resources, but you could not use it for network requests.
Using Active Directory, each system has a computer account that you can add to user groups and grant access to resources anywhere on the network. Windows Server 2003 and later operating systems add two other built-in accounts with limited access:
The Local Service account has essentially the same rights on the local system as a nonprivileged user and no access to the network.
The Network Service account has rights and network access similar to a nonprivileged user account.
ConfigMgr 2007 makes extensive use of system and computer accounts to run processes. Using system accounts greatly simplifies administration, eliminating the need to create and manage the large number of service accounts required using early versions of SMS.
In addition to authentication and access control services, Configuration Manager 2007 can use AD to publish information about its sites and services, making ConfigMgr easily accessible to Active Directory clients. To take advantage of this capability, you must extend the AD schema to create classes of objects specific to Configuration Manager. Although extending the schema is not required for ConfigMgr to work, it is required for certain Configuration Manager features. Extending the schema also greatly simplifies ConfigMgr deployment and operations. The “Schema Extensions” section of this chapter discusses extending the AD schema, and the “Benefits of Extending Active Directory” section covers the feature dependencies and administrative advantages provided by the schema extensions.
Configuration Manager can also take advantage of Active Directory in the following ways:
Discovering information about your environment, including the existence of potential client systems. Chapter 12, “Client Management,” discusses the discovery process.
Assigning and installing clients through group policy, also described in Chapter 12. In addition, you can use group policy to configure basic services used by ConfigMgr.
Using certificates and certificate settings deployed through AD to enhance its own security, as discussed in Chapter 6.
Schema Extensions
All objects in Active Directory are instances of classes defined in the AD schema. The schema provides definitions for common objects such as users, computers, and printers. Each object class has a set of attributes that describes members of the class. As an example, an object of the computer class has a name, operating system, and so forth. Additional information about the AD schema is available at http://msdn.microsoft.com/en-us/library/ms675085(VS.85).aspx.
The schema is extensible, allowing administrators and applications to define new object classes and modify existing classes. Using the schema extensions provided with Configuration Manager eases administering your ConfigMgr environment. The ConfigMgr schema extensions are relatively low risk and involve only a specific set of classes not likely to cause conflicts. Extending the schema is a recommended best practice for Configuration Manager because it allows you to avoid additional configuration tasks and implement stronger security. Nevertheless, you will want to test any schema modifications before applying them to your production environment.
Tools for Extending the Schema
You can extend the schema in either of two ways:
Running the ExtADSch.exe utility from the ConfigMgr installation media
Using the LDIFDE (Lightweight Data Interchange Format Data Exchange) utility to import the ConfigMgr_ad_schema.ldf LDIF file
If you are extending the schema on a Windows 2000 domain controller, you must use the LDIF file.
Using ExtADSch
Using ExtADSch.exe is the simplest way to extend the schema, and in SMS 2003, it was the only way to extend the schema. ExtADSch.exe creates the log file extadsch.log, located in the root of the system drive (%systemdrive%), which lists all schema modifications it has made and the status of the operation. After the list of attributes and classes that have been created, the log should contain the entry “Successfully extended the Active Directory schema.”
Using LDIFDE
LDIFDE is a powerful command-line utility for extracting and updating directory service data on Active Directory servers, beginning with Windows 2000. LDIFDE provides command-line switches, allowing you to specify a number of options, including some you may want to use when updating the schema for ConfigMgr. Table 3.1 includes the options that you are most likely to use.
Table 3.1 LDIFDE Command-Line Switches and Descriptions

| Switch | Description |
| --- | --- |
| -i | Turns on Import Mode. (Required for updating the schema.) |
| -f | Filename. (Used to specify the location of the ConfigMgr_ad_schema.ldf file.) |
| -j | Log file location. |
| -v | Turns on Verbose Mode. |
| -k | Ignore Constraint Violation and Object Already Exists errors. (Use with caution. May be useful if the schema was previously extended for SMS.) |
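The following PowerShell script works through the LDIFDE procedure above using the switches from Table 3.1, and then verifies the outcome the way the “Using ExtADSch” and “Using LDIFDE” sections suggest: by reading the tools’ log files and by confirming that the ConfigMgr classes now exist in the schema naming context. It is an added example, not code from this book or from Microsoft. It assumes a media path for ConfigMgr_ad_schema.ldf and a log directory (both placeholders), that the LDF file on the media carries Microsoft’s DC=x placeholder for the domain distinguished name (Microsoft’s documented edit step, which you should confirm against your own copy), and that the four class names checked at the end (mSSMSSite, mSSMSManagementPoint, mSSMSServerLocatorPoint, mSSMSRoamingBoundaryRange) are the LDAP display names the extension creates; none of those values appear on this page. Run it on the schema master with a Schema Admins account.

```powershell
# Added example (not the book's or Microsoft's code): extend the AD schema for
# ConfigMgr 2007 with LDIFDE using the Table 3.1 switches, then verify from the
# logs and from the schema itself. Run on the schema master as a Schema Admin.

param(
    # Assumed locations: adjust to your installation media and log directory.
    [string]$LdfSource = 'D:\SMSSETUP\BIN\I386\ConfigMgr_ad_schema.ldf',
    [string]$LogDir    = 'C:\SchemaExt',
    # Adds -k (ignore "already exists" errors); only for a domain previously
    # extended for SMS, as the table's caution notes.
    [switch]$PreviouslyExtended
)

function Invoke-ConfigMgrSchemaImport {
    param([string]$Source, [string]$LogDir, [switch]$IgnoreExisting)

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

    # Assumption: the media copy uses Microsoft's DC=x placeholder for the domain
    # DN. Rewrite a working copy so the file on the media is left untouched.
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $work = Join-Path $LogDir 'ConfigMgr_ad_schema.ldf'
    (Get-Content $Source) -replace 'DC=x', $domainDn | Set-Content $work

    # -i import, -f file, -v verbose, -j log directory (all from Table 3.1)
    $ldifArgs = @('-i', '-f', $work, '-v', '-j', $LogDir)
    if ($IgnoreExisting) { $ldifArgs += '-k' }
    & ldifde.exe @ldifArgs | Out-Null
    return $LASTEXITCODE
}

function Test-LdifdeLog {
    param([string]$LogDir)
    # ldifde -j writes ldif.log into the directory given; on success the log
    # ends with the sentence matched below.
    $log = Join-Path $LogDir 'ldif.log'
    if (-not (Test-Path $log)) { return $false }
    return [bool](Select-String -Path $log -SimpleMatch -Quiet `
        -Pattern 'The command has completed successfully')
}

function Test-ExtAdSchLog {
    # For the ExtADSch.exe route: its log sits in the root of the system drive
    # and should contain the success line quoted in the chapter.
    $log = Join-Path $env:SystemDrive 'extadsch.log'
    if (-not (Test-Path $log)) { return $false }
    return [bool](Select-String -Path $log -SimpleMatch -Quiet `
        -Pattern 'Successfully extended the Active Directory schema')
}

function Test-ConfigMgrSchemaClasses {
    # Assumed LDAP display names of the classes the extension adds; not on the page.
    param([string[]]$ClassNames = @('mSSMSSite', 'mSSMSManagementPoint',
                                    'mSSMSServerLocatorPoint', 'mSSMSRoamingBoundaryRange'))
    $schemaNc = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $found = @{}
    foreach ($name in $ClassNames) {
        $searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$name))"
        $found[$name] = ($null -ne $searcher.FindOne())
    }
    return $found
}

$rc = Invoke-ConfigMgrSchemaImport -Source $LdfSource -LogDir $LogDir `
        -IgnoreExisting:$PreviouslyExtended
Write-Host "ldifde exit code: $rc; ldif.log reports success: $(Test-LdifdeLog $LogDir)"
Write-Host "extadsch.log (if ExtADSch.exe was used) reports success: $(Test-ExtAdSchLog)"
(Test-ConfigMgrSchemaClasses).GetEnumerator() | Sort-Object Name | Format-Table Name, Value
```

The class query at the end is the check worth keeping regardless of which tool you used: both ExtADSch.exe and LDIFDE report success in their own logs, but a classSchema lookup against the schema naming context confirms the objects actually replicated to the domain controller you are talking to. Test it in a lab forest first, as the chapter recommends for any schema modification.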