Microsoft claims it has the tool for deploying Vista: System Center Configuration Manager 2007. eWEEK Labs tests show that it's indeed a tool for deploying Vista, but not the only one that should be considered.
Now in its second beta, SCCM 2007 is the successor to Microsoft's Systems Management Server and is slated to be released at the end of this summer.
Most of SCCM 2007's competitors, including Symantec (now with Ghost and Altiris imaging, deployment and inventory components) and LANDesk, have been offering integrated Vista deployment options for several months. To keep pace when Vista shipped late last year, Microsoft added a feature pack to SMS 2003.
Make no mistake: SCCM 2007 is a significant face lift, and in no areas is the platform more improved than in OS image creation, deployment workflow and inventory assessment. That said, we couldn't shake the feeling that with SCCM 2007—as well as with versions of SMS going back to the late 1990s—Microsoft is just dabbling in IT management, taking only those steps necessary to keep up with the competition.
For example, many of the new features in SCCM 2007 are simply echoes of services that competitors have offered for some time. These include SCCM 2007's Task Sequence and integrated OS deployment features, along with many of the platform's new server roles. In addition, SCCM 2007's improved image handling has more to do with changes in Vista than with fundamental changes in the Microsoft management platform.
While the SCCM 2007 installation process may take several hours to complete, depending on the installation settings, planning for SCCM 2007 will likely take several weeks. Select Microsoft beta users currently get between two and three weeks of special assistance to ensure that they install and configure SCCM 2007 correctly. That's good, because the SCCM 2007 code base is twice as big as SMS 2003's.
Indeed, in addition to OS deployment and desired state configuration management capabilities, SCCM 2007 offers software update (patching), application distribution and asset management tools. Our tests show that Microsoft has a shot at expanding the role of SCCM 2007 beyond the more modest tasks performed by its predecessors, but until IT managers—and Microsoft—get OS deployment fully worked out, those other jobs will have to wait.
For organizations that can't wait for SCCM 2007, Microsoft is planning to release SMS 2003 Service Pack 3 at the end of April. SP3 will include many improvements for handling Vista's image-based deployment—again, as an add-on.
Major Face Lift
SCCM 2007 requires Microsoft's Active Directory, SQL Server (and version) and extensions to the AD schema.
We had some initial trouble installing the management point correctly because we tested SCCM 2007 Beta 2 on a system running Windows Server 2003 with SP2. Only SP1 with a few new patches passes the prerequisite checker. After starting our installation over with the penultimate version of Windows Server 2003, we were able to get the management point working.
Although SCCM 2007 code was substantially rewritten to include many capabilities that were add-ons in SMS, it is possible to upgrade from SMS 2003 to SCCM 2007 to preserve collection groups and much of the inventory information that organizations may have already captured in SMS.
Microsoft's acquisition in 2006 of inventory specialist AssetMetrix has substantially improved software identification over previous versions of SMS. IT managers who upgrade to SCCM 2007 should re-run most software and hardware inventory jobs so that SCCM 2007 can take advantage of the plethora of new data for determining which machines are Vista-capable and what software applications are in use throughout the organization.
SCCM 2007 uses its revamped inventory collection capability to enable greater license compliance. For example, during our tests, SCCM 2007 was able to distinguish between OEM and MSDN (Microsoft Developer Network) versions of Office.
Much of what was error-prone and tedious in SMS 2003 is now automated or wizard-driven, especially the task sequences in the now-integrated OSD (Operating System Deployment) module. With extensive advice from Microsoft support, we used the Task Sequencer to install Vista, configure network settings, migrate user state information and install updates and application software.
Once mastered, Task Sequencing will save IT staff significant time when it comes to deploying systems. However, expect considerable upfront learning and tuning time to get the most out of the feature.
SCCM 2007 preserves much of the look and architecture of SMS, including primary and secondary sites. However, a big change in this iteration of Microsoft's management tool is the addition of six new server roles that improve the scalability of the product. All these server roles—which include management, server locator, reporting and distribution points—can run as services on a single Windows server. However, for performance and scalability, many of the services, including those used for distributing applications and OS and collecting inventory information, should be installed on separate servers.
We ran some of the new server roles on machines in the DMZ in our test network. For example, System Health Validation is a new Internet-facing function that checks the status of endpoint devices, including installed software and firewall settings.
Other new server roles, such as the fallback status point that we used in user state migration tests, can be distributed throughout the organization to improve new system deployment efficiency. Even though the services can be spread across organizations, they are managed from a primary site server for centralized reporting.
In our tests, the primary site server stored data for itself and all the sites beneath it in a SQL Server database. A primary site server has administrative tools that enable direct administration of the site.
In particular, the ability to perform bare-metal installations, such as those likely to occur in a centralized depot setting, is much improved in SCCM 2007. Using WDS (Windows Deployment Services) and a PXE (Preboot Execution Environment) server, we were able to advertise OS deployments for almost hands-free provisioning. Not surprisingly, because SCCM 2007 is in beta, we weren't able to achieve the fully hands-off deployment that is promised in the final product.
But, even when the final version ships, SCCM 2007 will require the full-time attention of at least several IT staffers: Between building reference systems to create model images and testing deployments in either bare-metal deployments or in much more difficult side-by-side machine swaps, there are still many opportunities for errors to occur in an “automated” deployment.
Improved Security
SCCM 2007 has two security modes.
SCCM 2007 Native Mode is for organizations that need the highest level of SCCM 2007 security. Native Mode requires an existing PKI (public-key infrastructure) and site server signing certificate. Internet-based clients can be managed only in SCCM 2007 Native Mode.
We used the other, less-stringent security mode, SCCM 2007 Mixed Mode, to support SMS 2003 sites in our test hierarchy. Mixed Mode security does not require a PKI, but don't think you can get away from PKI that easily: Microsoft's NAP (Network Access Protection) scheme, for which SCCM 2007 includes an agent, requires PKI. Indeed, it seems as though PKI is going to be a prerequisite for a secure Windows environment moving forward.
Agents of Change
SCCM 2007 agents are enabled after the initial SCCM 2007 setup process. At installation of SCCM 2007, default settings for client agents are selected. Agents can currently perform eight functions, including software and hardware inventory, advertisement of programs, network access control (via NAP), software updates, software metering, desired configuration management and remote management.
NAP is currently deselected by default because the functionality requires components that won't be available until the next version of Windows Server, code-named Longhorn, is released.
However, the presence of the NAP agent ties directly to the new Desired Configuration Management capability in SCCM 2007. Desired Configuration Management enables IT managers to check the compliance of computers against a baseline. During tests, we configured the Desired Configuration Management agent to check for the operating system version, as well as the presence of applications such as Word and various software updates.
For IT managers in the midst of NAC (network access control) projects, these checks will sound quite familiar. The main difference between Desired Configuration State and NAC applications on the market is that Desired Configuration State doesn't check for the presence of malware. However, we would be surprised if the agent, especially after Longhorn is released and NAP becomes more widespread, starts to take on these tasks, too.
Evaluation Shortlist
Almost every desktop management tool that can deploy Microsoft's Windows XP is either already equipped to distribute Windows Vista or soon will be. In addition, new virtualization tools are being made available to IT managers that could significantly ease deployment issues. The drawback? These tools require heavy-duty computing power in the data center and can introduce some application latency. However, the benefits and risks are well worth weighing. Following are some platforms to put on your evaluation shortlist when weighing the SCCM 2007 decision.
- CA's BDD (Business Desktop Deployment) Plus: The CA-ification of Microsoft's BDD tool
- Citrix's Desktop Server: A new offering that deploys a Vista desktop to a thin client or PC
- LANDesk's Management Suite: Effectively combines inventory, OS and application deployment, and user state migration; new virtual capabilities are on the way
- ManageSoft's Vista Management: A bundle that combines three separate products into one: Compliance Manager, Deployment Manager and Windows Deployment
- Symantec's (Altiris) combo: Multiple products provide Vista deployment along with so-called application virtualization tools akin to Citrix's
- Tivoli's Provisioning Manager for OS Deployment: A traditional image deployment system that can also use inventory information provided by other Tivoli components