You are on page 1of 19

Brought to you by Windows IT Pro

John Savill
SCCM
sponsored by
Windows IT Pro
Deployment and
Maintenance
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 2
CONTENTS
Microsoft System Center Confguration
Manager 2007
Getting Started 3
Confguring the SCCM Server for OS Deployment 4
Deploying the OS 5
Hands Of 6
Getting Started with System Center Service
Manager 2010
Background 7
Requirements 8
Using Service Manager 9
The Service Manager Console Up Close 9
The Self-Service Portal Up Close 12
More Than Just a Ticketing System 12
Microsoft Releases Free SCCM Dashboard 13
SCCM Deployment and Maintenance FAQs
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 3
Microsoft System Center Confguration Manager 2007
Easy OS deployment
By John Savill
I once had an important client who asked me to install Micro-
soft System Center Confguration Manager 2007 (SCCM) and
confgure it to deploy Windows Server 2008 and Windows Server
2003all within a day. Although I accomplished the task, I hit
some bumps along the way. In this article, I share the process
I followed, the problems I encountered, and the solutions I
employed. Because this is a high-level overview of OS deploy-
ment through SCCM, I dont discuss SCCM installation. The article
assumes that you already have SCCM 2007 installed, as well as a
working knowledge of it.
Getting Started
Before you try to deploy an OS, you need to ensure that your
environment is healthy.
Check for errors in your SCCM site systems. Open

SCCM and navigate to Site Database, System Status,
Site Status. Under the sites name, view the Compo-
nent Status and Site System Status areas, as Figure
1 shows. If you encounter any problems, view the error
messages, then resolve the errors. You can also check
C:\Program Files\Microsoft Configuration Manager\
Logs to see detailed messages about many of the
components.
Make sure you have site boundaries defned. Open SCCM

and navigate to Site Database, Site Management. Under
the sites name, select Site Settings, Boundaries.
Make sure you have a distribution point and management

point enabled. Open SCCM and navigate to Site Database,
Site Management. Under the sites name, select Site Set-
tings, Site Systems.
Install Windows Deployment Services (WDS) on the SCCM

server that will be the Preboot Execution Environment
(PXE) boot point. Dont try to confgure WDS directly;
SCCM does all the confguration work. Install WDS with
zero confguration.
Use the Microsoft Management Console (MMC) DHCP

snap-in to authorize the WDS (SCCM) server in Active
Directory (AD) for DHCP. Most likely, the SCCM server isnt
the DHCP server. However, you shouldnt need to set
scope options on the DHCP server to point to SCCM for
PXE. If you have multiple networks and your routers are
forwarding packets correctly, your clients should be able
to receive responses. Alternatively, you can use DHCP
option 67 to set your boot image to a value of \SMSBoot\
x86\wdsnbp.com and option 66 to your SCCM servers
Fully Qualifed Domain Name (FQDN) to force DHCP to tell
clients the SCCM server.
Create a standard AD user account for the network ac-

cess account. Open SCCM and navigate to Site Database,
Site Management. Under the sites name, select Site Set-
tings, Client Agents, Computer Client Agent. Confgure
the account in the Computer Client Agent Properties
dialog box, as Figure 2 shows. Make sure the account
is a local administrator account on the SCCM server, or
at least give the account rights to the smspxeimages$
share and make it a member of the SMSAdmins group.
Otherwise, when clients boot from PXE they wont have
permission to read the Windows Preinstallation Environ-
ment (WinPE) fles from the share. For more information
about best practices for the network access account,
see the Microsoft article About the Network Access
Account.
For more OS deployment tips, see the Microsoft Operating Sys-
tem Deployment Checklists website.
Figure 1: Checking for errors in SCCM site systems
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 4
Figure 2: Creating an AD user account for the network access
account
Confguring the SCCM Server for OS
Deployment
The frst step in OS deployment is to prepare the server for the OS
images.
1. Create a folder and share to store the Windows Imaging
Format ( WIM) files. Copy the files into this folder, giving
them useful names (e.g., vistasp1x86.wim rather than install.
wim).
2. Import the WIM fles from the share into the Operating Sys-
tem Deployment portion of the SCCM management console.
Note that by default, if you import a WIM fle that has multiple
images in it, SCCM uses the name of the frst image (e.g.,
Windows Vista Business) to name the entire group of imported
images. A better alternative is to use a more meaningful name,
such as Windows Vista SP1 x86.
3. Add a distribution share for the new images.
4. Add a PXE distribution point for each of the boot images. (By
default, SCCM already has the boot images for x86 and x64 that
contain the WinPE environment; however, no distribution points
are assigned to these images.)
5. Enable PXE boot capability on the SCCM server. Open SCCM
and navigate to Site Database, Site Management. Under the
sites name, select Site Settings, Site Systems, PXE Service Point.
Then, enable the PXE site role to open various ports in your
frewall.
Although SCCM 2007 R2 can deploy OSs to unknown computers,
I recommend deploying only to computers for which you have
the MAC address. Deploying to an unknown computer can result
in SCCM wiping and reinstalling the computer.
In my case, I was deploying to a new computer that didnt have
an AD account and wasnt known to SCCM. Therefore, I needed to
create an SCCM record and add the computer to a collection.
Open SCCM and navigate to Site Database, Computer Manage-
ment, Operating System Deployment, Computer Associations,
Import Computer. Select Manual and enter the computer name
and MAC address. Force an update of the All Systems collection
(by frst selecting the Rebuild action, then the Refresh action) to
display the new computer.
Next, you need to create a collection where you can target your OS
deployments. Create a collection called OSDeployment, and use a
static rule to add to the collection any computers that need the OS.
(If youre just doing initial testing and need a controlled environ-
ment, add only your test machines.) Another option for bulk
deployments is to create dynamic collections with membership
based on attributes such as existing OS and computer locations.
Finally, create an application package as follows, so you can actu-
ally deploy the SCCM client to new installations.
1. Navigate to Site Database, Computer Management, Soft-
ware Distribution, Packages, New Package.
2. Confgure the package so that it has source fles. The
source should be \\sccm server\sms_site code\Client.
3. Select the options Always obtain fles from a source direc-
tory and Access distribution folder through common ConfgMgr
package share. Accept all the other default settings.
4. Create a program under the package. Set the value for the
command line as ccmsetup.exe.
5. Under Requirements, select Run on any platform.
6. Under Environment, set the Program can run option
to Whether or not a user is logged on, and set the Drive
mode option to Runs with UNC name.
7. Make sure all the advanced options are unchecked.
8. Add a distribution point.
Next, you need to create a task sequence to deploy the OS and
SCCM client package. (For more information about deploying
images, see the Microsoft TechNet article How to Deploy Operat-
ing System Images to a Computer; for more information about
creating a task sequence, see How to Create a Task Sequence to
Install an Existing Operating System Image Package.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 5
1. Navigate to Site Database, Computer Management, Oper-
ating System Deployment, Task Sequences.
2. Select Install an existing image package.
3. Enter a name for the task sequence and select the option Boot
image matching OS deploy type. (Alternatively, you can select the
x86 option, which covers both x86 and and 64 architectures.)
4. Specify the OS image, partitioning, product key, licensing,
and administrator password action, as Figure 3 shows.
5. Continue through the options for confguring the work-
group and domain to join.
6. Under Install ConfgMgr, select the package you created for
the SCCM client.
7. Click through the rest of the screens. Note that you can
confgure patch and application deployments and can later
change these settings through Task Sequences.
Figure 3: Confguring task sequence options
By default, the disk formatting portion of the OS deployment is
quite slow. To improve the speed, you can change the disk parti-
tion to the format and partition option, which has a fast format
option. Add the rule to prevent formatting of the disk if a cache
exists that SCCM created by default, as Figure 4 shows.
Figure 4: Preventing disk formatting
Next, advertise the task sequence to the collection you created,
by adding a mandatory advertisement. In my case, I wanted
the advertisement take place immediately because I had a
controlled test collection. In a live environment, you might
want to set a certain time to start the advertisement. You could
advertise to the unknown computers collection, to allow OS
deployment on unknown computers. However, you should be
careful doing this, as I discussed previously. In fact, you should
be careful with this advertisement in general, because if you
create the advertisement to the wrong collection of comput-
ers, you could end up rebuilding all the computers in your
company.
Deploying the OS
If you confgured everything correctly, your test machine will
boot over the network and install the OS when you turn it on.
Although I used a Vista image for illustration purposes, you can
use any OS for which you have a WIM. I later prepared a Windows
Server 2003 WIM for the client by installing Server 2003 on a
virtual machine (VM). I patched the Server 2003 installation, mak-
ing sure not to install virtual additions. I downloaded the correct
version of Sysprep, ran Sysprep with the /generalize, /oobe, /
shutdown, and /reseal switches, then booted into WinPE and
captured a WIM fle. I then imported the WIM fle in SCCM and
followed the steps I outline in this article.
If you encounter problems, view SCCMs message and log fles for
help. Additional troubleshooting tips include the following:
Figure 5: Clearing the PXE advertisement
If you have a problem with PXE, open the collection and

clear the last PXE advertisement, as Figure 5 shows. You
can then retest the computer with the full advertise-
ment.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 6
If you have a problem with WinPE, try enabling the

command prompt in the boot images. Navigate to Site
Database, Computer Management, Operating System
Deployment, Boot Images, then right-click the boot im-
age and select Properties. On the Windows PE tab, select
the Enable command support option. After you update
the boot images, be sure to refresh their distribution
points.
If WinPE fails to partition or format the disk, use the Disk-

Part utility (diskpart.exe) to partition and format the disk
from the command line, then try deploying the OS again.
This action will create the log fle smsts.log, which will
store failure information. I initially had problems accessing
the SMSPXEIMAGES$ share, because the network access
account lacked permission. When I tried to use the Net
Use command on the \\sccm server\SMSPXEIMAGES$
share, the command failed.
Hands Of
Now that you have an environment capable of deploying an OS
contained in a WIM fle, you can build on it to perform more au-
tomated OS confguration, services and application deployment,
patch deployment, and driver deployment. Once SCCM is fully
confgured, you have a complete zero-touch deployment solution.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 7
System Center Service Manager 2010 is a mystery to most peo-
ple. Is it a ticketing system? Is it a change management system? Is
it a workfow engine? Its all of these and more.
In most organizations, IT operations are trying to reduce costs,
improve the end-user experience, deliver services faster, and
achieve better reporting and data sharing to meet internal and
regulatory compliance requirements. To help meet these goals,
Service Manager drives the implementation of four key concepts:
standardization, compliance, automation, and self-service. These
concepts complement each other. If you want to have compli-
ant systems, you need to standardize the environment and the
easiest way to standardize is through automating processes.
Automation is the key to enabling self-service for end users and
facilitates users triggering a certain workfow, which is completed
without further human intervention unless desired.
Before looking at Service Manager in detail, its important to under-
stand that its built around key IT Infrastructure Library (ITIL) concepts.
Although not required, I recommend gaining a basic understanding
of the ITIL fundamentals before implementing Service Manager.
Right now, Ill just focus on a few key ITIL terms youll need to know:
Incident management: An incident is an event that isnt

part of standard operations and might impact service
delivery. The incident management process returns service
to normal as quickly as possible, minimizing the incidents
impact. A user or system reports (i.e., raises) incidents. The
incident might lead to a change request or problem ticket.
Change management: The change management process

ensures standard methods and procedures are used
for any change activity. Change requests are managed
through the change management process.
Problem management: The problem management

process identifes the causes of incidents and prevents
recurrences of the issue.
Confguration items: A confguration item is ITILs term for

an object, such as a computer or user.
Work items: A work item is ITILs term for something that

needs some work performed, such as an incident, change
request, or problem.
Now that youre familiar with the terms used in Service Manager,
lets look at what it is, what you need to deploy it, and how to use it.
Background
Service Managers power comes from its confguration manage-
ment database (CMDB) and its integration with other IT systems.
CMDB links to IT systems and stores information about them.
Service Manager provides various portals and workfows to ac-
cess the information in CMDB.
Out of the box, Service Manager integrates with Active Directory
(AD), System Center Operations Manager, and System Center
Confguration Manager (SCCM), which gives Service Manager
knowledge about your systems, people, hardware, and software.
You can also integrate Service Manager with other products in the
System Center family (e.g., Opalis) and Microsoft Exchange. Plus,
you can use PowerShell to connect to third-party systems. Figure
1 shows Service Managers complete architecture and integration.
Figure 1: Service Managers main component
Getting Started with System Center Service Manager 2010
Drive the implementation of four complementary concepts: standardization,
compliance, automation, and self-service
By John Savill
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 8
Integrating with other systems is great for collecting information
and reportingand a whole lot more. A powerful workfow en-
gine lets Service Manager initiate complex sequences of actions
on connected systems across multiple platforms. The actions can
be initiated by users through web-based portals or in response to
alerts generated by connected systems. Here are some examples:
If Operations Manager triggers an alert, Service Manager

can automatically generate an incident, then follow a
predefned workfow. The workfow might entail a num-
ber of steps, such as notifying groups by email about the
alert, requesting input from an analyst, and using SCCM to
perform an action. You can automate as little or as much
as you want. More automation means better standardiza-
tion, less administrator overhead, and better compliance
with requirements. Even if automation isnt used, you can
use the Service Manager console to manage Opera-
tions Manager alerts and see information related to the
incident. Being able to obtain information from all the
management systems (e.g., AD, SCCM) rather than just
the information from Operations Manager might expose
details that will aid in the resolution of the incident.
When Service Manager is integrated with SCCM, all of

the inventory and packaged application information is
available to Service Manager. Thus, you can implement
workfows that allow users to access the Service Manager
self-service portal to request a software installation. Users
are presented with a software list thats automatically
populated using the inventory and packaged applica-
tion information in SCCM. If a user selects software that re-
quires a license, Service Manager can send an email to the
users manager, asking him or her approve the software
installation. Once approved, the Service Manager work-
fow adds the user or the users primary computer (which
is known based on SCCM asset intelligence) to a SCCM
collection (i.e., a group of defned computers in SCCM that
are used as the targets of deployments) to facilitate the
installation of the software.
SCCM has a great feature named Desired Confguration

Management. It allows a baseline to be created on how a
system should look, which can be defned in terms of fles,
registry settings, software packages, and confgurations.
The baseline enables standardization and compliance on
applied systems. If a system deviates from the baseline,
SCCM reports on this deviation. However, it doesnt take
action to make the system compliant with the desired
state. Service Manager flls this gap. For instance, when
a machine falls out of the desired confguration, Service
Manager can create an incident, which triggers workfows
that will make the machine complaint again. Making the
machine compliant is typically achieved by interacting
with SCCM to re-install software or reset confgurations.
Requirements
Before I go any further, I want to talk about the servers and
software youll need to implement Service Manager. To begin,
youll need at least two Service Manager servers, which can be
physical or virtual. The Service Manager servers take on diferent
roles: One becomes the Service Manager management server,
and the other becomes the data warehouse management server.
Both servers require the 64-bit version of Windows Server 2008
SP1 or later.
The Service Manager management server is Service Managers
brain. It manages connections, manages the integration with
other systems, executes workfows, and performs any other ac-
tion thats required. This server has its own database, which must
be hosted on the 64-bit version of SQL Server 2008 SP1 or later.
Typically, a Service Manager management server can handle
around 80 concurrent active console sessions. To handle more
active console sessions, you can add additional servers to form a
Service Manager management group. The servers in the group
can share the same database.
The data warehouse management server houses and manages
the data warehouse, which consists of three databases hosted
on the 64-bit version of SQL Server 2008 SP1 or later. The data
warehouse is used for the long-term archival of the information
that Service Manager generates or gathers. In addition, all reports
are run against the data warehouse. After you create the data
warehouse management server, you connect it to the Service
Manager management server to enable the transfer of data into
the data warehouse and establish the link to the Service Manager
console.
Service Manager uses SQL Server Reporting Services (SSRS) for
reports. SSRS typically runs on the data warehouse management
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 9
server, but this doesnt have to be the case. Reports can be run
from the Service Manager console or through the browser-acces-
sible SSRS interface.
In test environments, the data warehouse management server
doesnt have to be running all the time. You can run it once a day
to trigger the jobs that pull data from the Service Manager data-
base into the data warehouse and when you want to run reports.
When data is pulled into the data warehouse, it isnt deleted from
the Service Manager database because that data is needed for
other Service Manager operations. Grooming processes run pe-
riodically on the Service Manager database, deleting data based
on the status of the work items and the date and time of the last
modifcation.
You can fnd detailed instructions for installing Service Manager
in the System Center Service Manager 2010 SP1 Deployment
Guide (http://technet.microsoft.com/en-us/library/f460909.aspx).
Using Service Manager
There are three main types of Service Manager users:


Service Manager architects and administrators. They
design and implement the Service Manager installation,
customize workfows and forms, and manage Service
Managers integration with other systems in the IT infra-
structure.


Analysts. They use Service Manager to manage and work
on incidents and change requests. They often work in
the IT department or man Help desks. Sometimes theyre
managers or HR staf members who need to authorize
certain types of actions.


End users. They use Service Manager to request software,
change their passwords, search the knowledge base (i.e., a
collection of articles that can aid in the resolution of inci-
dents and problems), log new incidents, look at announce-
ments, and perform other actions.
Coincidentally, Service Manager provides three UIs out of the box:
Service Manager console. Like the consoles for the other

System Center products, the Service Manager console is
built on the common Service Manager UI framework and
not the Microsoft Management Console (MMC). The big
advantages with the Service Manager UI framework are
its fexibility and its ability to only show items that a user
has permission to access, which gives a much cleaner in-
terface to users who have been granted specifc rights to
specifc groups of objects. The Service Manager console
is primarily used by administrators, analysts, and people
who run reports.
IIS-based self-service portal. This self-service portal

provides two separate websites. The frst website is for
end users. On this website, end users can search the
knowledge base, check the status of change requests,
raise new incidents, and more. The second website is for
analysts. On it, analysts can approve change requests,
view work items assigned to them, and more.
SharePoint-based self-service portal. This portal provides

the same functionality as the IIS-based self-service portal.
However, it uses SharePoint Web Parts, which enable the
Service Manager web interface to integrate with the exist-
ing SharePoint infrastructure.
Other interfaces are available, but theyre primarily used for
custom forms and workfows. You can create custom forms,
workfows, and other components with the Service Manager
Authoring Tool. To use this tool, you dont need a huge amount
of training because it uses drag-and-drop functionality. You can
download the Authoring Tool here. For more information about
customizing Service Manager, see the System Center Service
Manager 2010 SP1 Authoring Guide
The Service Manager Console Up Close
The easiest way to get a feel for the use and capability of
Service Manager is to look at the Service Manager console. As
Figure 2 shows, there are six workspaces in the console, which
reflect Service Managers six main functionality areas: Admin-
istration, Library, Work Items, Configuration Items, Data Ware-
house, and Reporting. Before I highlight the key points in each
workspace, I want to point out that in Figure 2 Im logged on
as a full administrator so all the workspaces and options are
displayed. If I were running the console as an end user, I would
only see the workspaces and options I have permission to
access. Role-based access control is a big feature of Service
Manager and the rest of the System Center products.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 10
Figure 2: The Service Manager console
Administration. The Administration workspace will be the start-
ing point for any new Service Manager deployment. In it, you can
confgure Service Managers integration with other systems, such
as AD, SCCM, and Operations Manager. Youll defnitely want to
connect Service Manager to AD, as this will allow you to import
your user, group, printer, and computer objects, along with any
attributes youve set for them.
Note that the connector to AD is one-way. Thus, if you modify
the attributes of confguration items (aka objects) in Service
Manager, you also need to change the attributes in AD. Oth-
erwise, the next time AD synchronizes with Service Manager,
AD will overwrite the changes you made. You can have Service
Manager synchronize with the entire AD namespace or a subset
of it (in which case, you specify the types of objects that should
be synchronized).
Besides confguring integration, youll need to assign user roles
to users in the Security area of the Administration workspace.
By default, there are 11 roles: Activity Implementers, Admin-
istrators, Advanced Operators, Change Initiators, End Users,
Read-Only Operators, Authors, Problem Analysts, Workfows,
Incident Resolvers, and Change Managers. If these roles dont
meet your organizations needs, you can create custom user
roles.
Another confguration youll probably want to make is set-
ting the retention times for the data in the Service Manager
database. You do this in the Settings area of the Administration
workspace. This is also where you confgure incident settings.
For example, you can attach a prefx to the incident IDs that
will be generated, specify how the priority should be calcu-
lated for an incident, and set limits for fles that users can afx
to incidents they raise (e.g., allow only two attachments up to
512KB each).
Making confgurations isnt the only thing you can do in the
Administration workspace. You can perform a variety of other
tasks, such as creating announcements and importing man-
agement packs. The Announcement area is where you create
announcements that will appear on the self-service portal. You
have the option of setting an expiration date, so you dont have
to worry about removing announcements once theyre no
longer valid.
Management packs are .xml fles that defne forms, workfows,
classes, views, and reports in Service Manager. When you create
a new workfow, for example, youre creating a new manage-
ment pack. To import that management pack into Service
Manager, you use the import functionality in the Administration
workspace.
Library. The Library workspace exposes the various confgura-
tion data elements of the Service Manager system, which are
used throughout the product. For example, all the options shown
when creating an incident can be easily changed by modify-
ing the relevant list item, which Ill elaborate on shortly. You can
defne groups of confguration items, much like you can create
containers for objects in AD.
The Library workspaces Knowledge area is where you can
create and maintain the knowledge base. The knowledge base
articles are the primary vehicle for sharing knowledge. When
users access the self-service portal, a list of the top knowledge
base articles is automatically generated and shown on the start
page.
Another key part of the Library workspace is the Lists area. When
users create and modify work items, there are often drop-down
lists they can use to select the type of problem theyre hav-
ing and what system its afecting. If you want to change what
options are displayed in the drop-down list, you go into the ap-
propriate list and add or remove items, as Figure 3 shows. Figure
4 shows this drop-down list in a form.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 11
Figure 3: The Incident Classifcation list
Figure 4: The Incident Classifcation list in a form
Templates are another great feature in the Library workspace. Be-
sides using the self-service portal, users can submit incidents and
changes by email or phone. Rather than have the analyst waste
time repeatedly typing in the same information and settings, they
can quickly apply a template that populates most of the com-
mon felds for various types of common requests. Templates can
also be automatically applied by workfows to route and classify
work items based on certain conditions.
Work items. Analysts often use the Work Items workspace, as it
contains the incident, problem, change, and activity items they
work on. In each workspace area (e.g., Change Management area,
Incident Management area), there are a number of default views.
For example, Figure 5 shows the default views for Incident Man-
agement (e.g., All Incidents, All Open Incidents, All Open Portal
Incidents). On the right, note the tasks pane. Each view includes
the tasks that are available for that type of work item. In this case,
there are many available tasks for incidents. For example, analysts
can change an incidents status, create a change request based
on an incident, escalate an incident, and even perform certain
tasks to help resolve an incident, such as perform a ping. Any task
performed is automatically logged in the incidents history, giving
a full account of the actions taken and progress made. By default,
end users can see the history for the incidents they create. How-
ever, analysts have the option to mark certain items in the history
(e.g., comments) as private so they wont be visible to end users.
Analysts also have the ability to create custom views.
Figure 5: The Incident Management default views
Conguration items. The Confguration Items workspace gives
you access to the computers, printers, users, software, software
updates, business services, and any other type of defned or
imported confguration item within your organization. In most
environments, there isnt a lot of manual management of con-
fguration items in Service Manager. Instead, the confguration
items are managed through their respective connected systems
(e.g., AD, SCCM, Operations Manager).
The Confguration Items workspace doesnt provide a dumb
view of the confguration items replicated from diferent
sources. Because the confguration items from the con-
nected systems are consolidated in CMDB, relationships are
ascertained. So, when you examine a confguration item in
the workspace, youll see AD, SCCM, and Operations Manager
information about that item as a single entity, which helps with
analyses. For example, if youre examining a software package,
youll see any related change requests or incidents that involved
that piece of software.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 12
Data warehouse. In the Data Warehouse workspace, you per-
form the tasks that relate to populating, managing, and securing
the data warehouse management server.
Reporting. The Reporting workspace exposes all the available
reports, which actually run on the SSRS instance. You can also
run the reports directly on the SSRS instance, as Figure 6 shows.
You can create your own custom reports and display them in
the Reporting workspace by following the instructions in the
SCSM Engineering Team blog, How to create a custom report and
display it in the console.
Figure 6: Service Manager reporting on the SSRS instance
The Self-Service Portal Up Close
End users and analysts interact with Service Manager through the
self-service portal. On the end user website, end users can easily
raise an incident, request new software, and request other types
of changes. Once submitted, they can use the portal to easily see
the state of all their open and resolved incidents and requests.
The ability for end users to self-resolve problems by searching for
known issues in the knowledge base can cut down on the number
of incidents the users actually raise, reducing the overhead for the
Help desk team.
On the analyst website, analysts can view and manage the
incidents and change requests assigned to them. This site could
also be used by managers who need to approve a change for an
employee or sign-of on a document.
Figure 7 shows the IIS-based portal out of the box, with no
changes made to it. The source code for the self-service portal is
available, so you can customize the look, feel, and functionality of
it. For more information on the customizations possible, see
Service Manager Portal Source Code Released!
Figure 7: I IS-based self-service portal
As I previously mentioned, if you use SharePoint, you dont need
to use the IIS-hosted portal. Instead, you can use the SharePoint-
based portal. You can even place Service Manager Web Parts
on users My Sites to give them easy access to Service Manager
information.
More Than Just a Ticketing System
Its important not to think of Service Manager as a ticketing
system. Yes, it has great ticket-management features, but its true
power lies in its integration with the rest of the IT infrastructure
and in the CMDB, which enables workfows to get separate
systems working together. Although Service Manager is in its frst
released version, it already has a rich partner network, including
a key partnership with Provance, which adds asset-management
capabilities to Service Manager.
Ive spoken to a number of Service Manager adopters, and the
common message from all of them is just how quickly they
were able to achieve great results. The SCSM Engineering Team
Blog has been instrumental in a number of successful Service
Manager rollouts and has a lot of great content about imple-
menting Service Manager.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 13
Microsoft Releases Free SCCM Dashboard
If you use System Center Confguration Manager, it might be worth your time to check out the Microsoft System Center Confgu-
ration Manager 2007 Dashboard, now available as a free download. From Microsofts site, the key benefts of the dashboard are:
Actionable information out of the box.

The dashboard comes with valuable, built-in datasets that IT managers can access
without using the Confguration Manager console.
Centralized, near-real-time access to key information.

The graphical dashboard lets customers view any Confguration
Manager data set in near-real timewithout leaving their desk.
Easy to build and confgure.

The dashboards wizard-based tools let customers easily create new dashboards in minutes.
Easy to customize.

The dashboard can easily be customized to meet the needs of diferent departments and other groups.
Any data set in the Confguration Manager database can be presented on the dashboard, in chart, gauge, and table formats.
Flexible & interactive.

Users can easily flter data and create ad hoc, custom views. Filters allow users to quickly drill down
from high-level to more specifc data.
Check the announcement in Microsoft IT Pro Evangelist Kevin Remdes blog for more information, or just go to the dashboards
site to read more or download it.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 14
SCCM Deployment and Maintenance FAQs
You can now deploy applications using Computer Management,
Software Distribution, Packages, New, Virtual Application Package.
Select the XML manifest from the generated virtual application
package.
Q. How can I check the value of Microsoft System
Center Confguration Manager 2007 (SCCM) task
sequence variables during a deployment?
A. Assuming the boot image has enabled command line sup-
port during the Windows Preinstallation Environment (WinPE)
boot, you can press F8 then run commands to view variables.
I created the following script to view the _SMSTSInWinPE and
_SMSTSLaunchMode variables in a test environment.
Dim env : set env = CreateObject-
(Microsoft.SMS.TSEnvironment)
wscript.echo env(_SMSTSInWinPE)
wscript.echo env(_SMSTSLaunchMode)
Q. How do I allow System Center Confguration
Manager (SCCM) to deploy Microsoft Application
Virtualization (App-V) virtualized applications?
A. SCCM 2007 R2 adds support for delivering App-V virtualized
applications. To enable this deployment, you need to make the
following changes:
Launch the Confguration Manager Console.

Navigate to Site Database, Site Management, <Site>, Site

Settings, Client Agents.
Right-click Advertised Programs Client Agent and select

Properties.
Under the General tab, select

Allow virtual application
package advertisement and click OK.
Navigate to Site Database, Site Management, <Site>, Site

Settings, Site Systems, <Site Server>.
Right-click

ConfgMgr distribution point and select Proper-
ties.
Make sure

Allow clients to transfer content from this distribu-
tion point using BITS, HTTP, and HTTPS is enabled on the
General tab.
Select the Virtual Applications tab in the same dialog and

select Enable virtual application streaming. Click OK.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 15
I then ran the above script with the command cscript showvar.
vbs
If you want to list all TS environment variables, use the following
script instead.
Dim env : set env = CreateObject
(Microsoft.SMS.TSEnvironment)
For Each envVar In env.GetVariables
WScript.Echo envVar & = & env(envVar)
Next
Q: I was using System Center Confguration Manager
(SCCM) 2007 for software updates, but Ive disabled
it. How do I reset the clients to the Windows Update
defaults?
A: When a client is confgured to use SCCM 2007 for software
updates, the policy of the machine is confgured with the SCCM
software update point as an intranet Microsoft update service
location. To undo this, just use Group Policy to set that policy to
Not Confgured.
Navigate to Computer Confguration, Administrative Templates,
Windows Components, Windows Update and set Specify
intranet Microsoft update service location to Not Confgured, as
shown below. Windows Update will use the Microsoft servers
again.
Q. Im trying to use remote tools from System Center
Confguration Manager (SCCM) 2007 but I get an er-
ror when I try to connect. Whats wrong?
A. You need several ports open on the clients for SCCM to be
able to remotely connect from the SCCM Management Console.
The ports and exception rules needed are:
Remote Assistance

Remote Desktop

TCP Port 135 (RPC)

TCP Ports 2701-2702

The best way to enable these exceptions is using Group Policy for
the domain-joined machines.
Q. Where can I get the SCCM Toolkit?
A. The address for the SCCM Toolkit will change over time as
newer versions are released. As of this writing, the latest version
for SCCM 2007 (version 2) is available here . The easiest way to
fnd it is to use Bing to search for SCCM 2007 Toolkit.
If you use SCCM, its highly recommended that you use this
toolkit. One tool youll use a lot is Trace32, which makes the SCCM
logs easy to read. The frst time you launch Trace32, it will prompt
if it should be used as the default viewer for SCCM logs. I suggest
you say Yes, as shown here.
Q. Does SCCM 2007 have to use the default SQL
Server instance?
A. Unlike previous versions of SMS, SCCM 2007 lets you specify
a named instance during the SCCM 2007 installation. Therefore,
SCCM 2007 can use a clustered SQL Server instance without it
needing to be the default
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 16
Q. Is System Center Confguration Manager 2007
(SCCM) 64-bit compatible?
A. Yes, System Center Confguration Manager 2007 is 32-bit
code, but it runs on a 64-bit platform. A native 64-bit version isnt
expected until the next major release (not a service pack or R2
release).
Q. Will the next version of System Center Confgura-
tion Manger (SCCM) be 32 bit?
A. No. The next version of SCCM will be 64-bit only, except for
distribution points, which can still be 32-bit.
Q. How do I update the AD schema with the SCCM
2007 updates?
A. Previously, you had to perform schema changes with SMS
from within the SMS installation wizard. Microsoft has changed
this procedure in SCCM 2007, based on customer feedback. Now,
you perform the AD schema update via the extadsch.exe tool,
which youll fnd in the SCCM 2007 medias \SMSSETUP\BIN\I386
folder. The only fle you need is extadsch.exe, which you can copy
to the schema master domain controller (DC).
To get the detail about the schema-update process, navigate to
the root of the drive where the tool was executed and open the
extadsch.log fle, which should look like the following:
Modifying Active Directory Schema - with SMS extensions.
DS Root:CN=Schema,CN=Confguration,DC=lab,DC=savilltech,D
C=net
Defned attribute cn=MS-SMS-Site-Code.
Defned attribute cn=mS-SMS-Assignment-Site-Code.
Defned attribute cn=MS-SMS-Site-Boundaries.
Defned attribute cn=MS-SMS-Roaming-Boundaries.
Defned attribute cn=MS-SMS-Default-MP.
Defned attribute cn=mS-SMS-Device-Management-Point.
Defned attribute cn=MS-SMS-MP-Name.
Defned attribute cn=MS-SMS-MP-Address.
Defned attribute cn=mS-SMS-Health-State.
Defned attribute cn=mS-SMS-Source-Forest.
Defned attribute cn=MS-SMS-Ranged-IP-Low.
Defned attribute cn=MS-SMS-Ranged-IP-High.
Defned attribute cn=mS-SMS-Version.
Defned attribute cn=mS-SMS-Capabilities.
Defned class cn=MS-SMS-Management-Point.
Defned class cn=MS-SMS-Server-Locator-Point.
Defned class cn=MS-SMS-Site.
Defned class cn=MS-SMS-Roaming-Boundary-Range.
Successfully extended the Active Directory schema.Please refer to
the SMS documentation for instructions on the manual confgu-
ration of access rights in active directory which may still need to
be performed. (Although the AD schema has now be extended,
AD must be confgured to allow each SMS Site security rights to
publish in each of their domains.)
Q. How can I move a secondary Systems Manage-
ment Server (SMS)/ Microsoft System Center Confg-
uration Manager (SCCM) site to a new primary site?
A. You cannot move a secondary site to a new parent; you can
only uninstall, then reinstall the secondary sites. If you do not de-
lete the SMSPKG and SMSPKGx$ folders, you can use the preload-
pkgonsite.exe tool that is part of the SMS toolkit to avoid having
to resend packages down the network for SMS sites. SCCM has
the population capability built-in for packages.
Q. How can I change the organization name thats
displayed in OS deployments, software updates, and
other places within System Center Confguration
Manger (SCCM) 2007?
A. When deployments are performed from SCCM 2007, the orga-
nization name is displayed, as shown in this OS deployment.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 17
To set this name, use the Confguration Manager Console and
navigate to Site Database (site), Site Management, <site>, Site
Settings, Client Agents and select properties of the Computer
Client Agent. Select the Customization tab and change the orga-
nization name, as shown here.
Q. Does System Center Confguration Manager
(SCCM) have to be in native mode to provide zero-
touch deployment of OSs?
A. No. Native mode predominantly relates to security, more spe-
cifcally to the use of certifcates. Native mode isnt a requirement
for zero-touch OS installation using SCCM.
Q. Can I deploy updates to non-Microsoft applications
using System Center Confguration Manager (SCCM)?
A. Microsoft has released System Center Updates Publisher 2011,
which lets you deploy and track third party and in-house application
updatesusing SCCM 2007, 2012 Beta 2, or System Center Essentials
2007. Now you can use SCCM to manage updates for all applications
within your organization, the same technologies that have enabled
rich update management for Microsoft OSs and applications.
Q. How can I enable the frewall exceptions for de-
ploying the System Center Confguration Manager
(SCCM) 2007 client using Group Policy?
A. To deploy the SCCM 2007 client by pushing the client from
SCCM, you need the File and Printer Sharing and Windows
Management Instrumentation (WMI) frewall exceptions on
the clients. Additionally, clients need HTTP/HTTPS exceptions
for communication to the SCCM site systems and TCP ports
2701, 2702, and 135 for remote control.Microsoft has a full list
available.
The easiest way to create these exceptions is to defne a Group
Policy Object (GPO), as Ill describe here.
Create a new GPO.

Navigate to Computer Confguration, Policies, Win-

dows Settings, Security Settings, Windows Firewall with
Advanced Security, Windows Firewall with Advanced
Security <LDAP>, Inbound Rules.
Select New Rule.

Select Predefned then File and Printer Sharing and then

click Next.
Select all the rules and click Next.

Select Allow the connection then click Finish

Repeat the above steps for WMI, World Wide Web Services

(HTTP Trafc-In), and World Wide Web Services (HTTPS
Trafc-In).
For remote control, you need to create a Port rule specify-

ing protocol type TCP and ports 2701, 2702, and 135.
Apply this GPO to your SCCM client computers. Once group
policy has refreshed, you should be able to push the SCCM client
(providing youve correctly confgured SCCM).
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 18
Q. I have some general System Center Confguration
Manager (SCCM) 2007 R2 OS deployment pains. Any
hints?
A. This weekend I confgured SCCM 2007 R2 from scratch to
deploy a Windows 7 image that would automatically join the
domain. I hit a number of fun issues that I wanted to share, and
how to resolve them.
1. First, I wanted to change the organization name thats
displayed during the OS deployment from IT Organization to
something custom. You wont fnd it under the preinstallation
environment, the task sequence or anywhere else. To change
the organization name, you have to change the Computer Ac-
cess Account properties, which you fnd at Site Database, Site
Management, <Site>, Client Agents. Select the Computer Client
Agent and the Customization tab to change the name shown.
2. My next problem was that I had to press F12 on the machine
where I was installing Windows 7 to select to boot over the net-
work. This is an easy fxjust make sure to set SCCM so that the
advertisement of the new OS is mandatory and you wont have
to hit F12. You could also rename pxeboot.n12 to pxeboot.com
under architecture in the RemoteInstall folder, but this isnt recom-
mended, because if you rename the fle it will make the user boot
from the network every time the computer turns on. You only
want to boot over the network if the user has toif its mandatory.
3. I tried to set a custom background, but the image I set was
ignored. The problem was that I used a JPG. You have to pass a
BMP and it will work fne, as shown here.
Make sure your images are published to the PXE distribution
points and not the standard distribution points. Deploy to
the \\<PXE Service Point>\SMSPXEIMAGES$ distribution
point.
4. Intermittently, clients couldnt boot to the preinstallation
environment. I had checked that the previous advertisement
had been cleared, but it still didnt work. The SMSPXE.log fle
showed the following:
ProcessDatabaseReply: No Advertisement
found in Db for device
After some investigation, I found that it was a problem with
Windows Deployment Services (WDS). Restarting the WDS Server
service from Server Manager solved this problem.
5. My domain join task sequence action was failing. I had
specifed the default Computers container as the target for the
object, but this isnt supported. If you want the object created
in the default container, leave the target feld blank. You can
only specifc OUs as valid data.
Q. How do I enable pushing the System Center Con-
fguration Manager (SCCM) 2007 client to discovered
systems?
A. By default, SCCM will try to use its own computer account to
deploy the SCCM client to systems. However, its unlikely that
this account will be a member of the clients local administra-
tors group, so its best to confgure the account to use for client
deployment. Do the following:
Navigate to Site Database, Site Management, <site>, Site

Settings, Client Installation Methods.
Right-click Client Push Installation and select Properties.

Do

NOT check Enable Client Push Installation to assigned
resources. This would automatically deploy the agent to
any system discovered that meets the selected system
types, such as servers and workstations. (Obviously, if
you do want this automatic deployment, then check the
option.)
Select the Accounts tab.

Click New and enter the domain account that has admin-

istrative rights on the client, and then its password twice.
Brought to you by Windows IT Pro
Tech Advisor Windows IT Pro | p. 19
Note that you can specify multiple accounts and set the
order in which they should be used. SCCM will go down
the list in order until it fnds an account with administra-
tive rights on the client. If no accounts are listed or none
of them work, the SCCM computer account will be used.
Take care which account you use, because you dont really
want to use the main domain administrator account. You
just need an account that has administrator rights on
the target systems, which you could do by adding the
account to the local administrators group through Group
Policy Restricted Groups settings.
Note that the Client tab allows you to confgure the site

code to use for the deployed clients. However, the site
code is normally automatically discovered, so make sure
your clients are within the boundary of your SCCM sites.
Click OK.

You can now deploy clients using the Install Client action for
discovered systems
If you have problems deploying the client, look at the ccm.log
fle on the SCCM server, found in the C:\Program Files [(x86)]\
Microsoft Confguration Manager\Logs folder. Use the SMS Trace
utility, which is part of the SCCM 2007 Toolkit, to view the log
fles for easier reading (you could use Notepad). In the example
below, you can see an attempt that failed because no account
was specifed. It tried to use the SCCM computer account, which
didnt have the necessary permissions.
If you need to troubleshoot at the client level based on informa-
tion on the server, look at ccmsetup.log on the client (found in
the C:\Windows\ccmsetup folder). It will give more detail if the
problem is client-side. You can also check the event log.