MGT 311: SMS 2003 Best Practices and SMS V4 Outlook



Presentation Transcript


  1. MGT 311: SMS 2003 Best Practices and SMS V4 Outlook

  2. Session overview • The many problems we run into in day-to-day management • SMS 2003 design structure • Problems and solutions on the way to the best deployment • A glimpse of SMS V4 • The future of System Center • Q&A

  3. Who will help us solve the many problems we run into in day-to-day management?

  4. Where do the money and the effort go?

  5. The world's best desktop management platform: 23,000+ end users

  6. Main functions of SMS 2003 • Security patch management • Asset management • Application deployment • Support for mobile applications • Full use of Windows management services

  7. SMS 2003 design structure

  8. SMS 2003 site design choices • Base hierarchy • Active Directory extension • Client version • Security mode

  9. SMS 2003 site design: example environment (diagram) • Headquarters/data center • WAN • Remote office (no local servers) • Branch • Geographic location

  10. SMS 2003 site design: typical design #1 (diagram) • Headquarters/data center • WAN • Remote office • Branch office • Geographic location • SMS

  11. SMS 2003 site design: typical design #2 (diagram) • Headquarters/data center • WAN • Remote office • Branch office • Geographic location • SMS

  12. SMS 2003 site design: typical design #3 (diagram) • Headquarters/data center • WAN • Remote office (no local servers) • Branch office • Geographic location • SMS

  13. SMS 2003 site component placement • SMS and SQL on the same server, or on separate servers • Primary sites for more than 1000 clients • Secondary sites for more than 100 clients • 1 Server Locator Point per SMS hierarchy • 1 Management Point per site (up to 4 NLB nodes) • 1 Client Access Point, placed close to Legacy Clients • Distribution Points placed close to clients

  14. SMS hardware sizing, medium primary site: 1,000-5,000 clients • Memory grows steadily with the number of clients • Disk I/O starts to become a potential bottleneck • Processing demand grows with inventory and package frequency • Load: inventory 5x/wk, software distribution 10 pkgs/wk • Recommended hardware: dual 1 GHz CPU, 512 MB – 1 GB RAM, 3 – 11 HDD

  15. SMS hardware sizing, large primary site: 20,000-50,000+ clients • Memory grows steadily with the number of clients • Disk I/O may become the bottleneck • For better performance, use separate disk volumes and channels • Load: inventory 5x/wk, software distribution 10+ pkgs/wk • Recommended hardware: 4 x 1 GHz+ CPU, 4 GB RAM recommended, 14 HDD

  16. SMS 2003 site design: bandwidth estimates • Policy assignment request ~6k • Policy: • Advertisement: ~20k • Software metering: ~10-20k • SMS_DEF.MOF: ~40k • Content location request ~8k • Delta inventories ~1-7k • Important: measure with Network Monitor

  17. Network bandwidth considerations: SMS 2003 site design components (diagram: increasing size, increasing bandwidth control)

  18. Problems and solutions on the way to the best deployment

  19. How deployment problems show up • Installation problems • Communication problems • Management point and database access problems • Miscellaneous other problems

  20. Resolving management point installation problems • Confirm the system requirements • Microsoft Windows 2000 Server SP3 or later • NTFS partition • Internet Information Services (IIS) • Background Intelligent Transfer Service (BITS) Server Extensions • MDAC 2.8 or later • Confirm that SMS has the rights to access the management point

  21. Resolving management point installation problems (2) • Confirm these services are running • DTC • Task Scheduler • Windows Management Instrumentation • World Wide Web Publishing Service (the default Web site is available and listening on port 80) • If running in standard security mode, confirm that the SMS path contains no spaces

  22. Advanced Client installation problems • The problem may be caused by the client being unable to reach the management point • No management point configured • No site assigned • Other management point problems that leave the management point unhealthy

  23. Advanced Client installation problems (2) • If the Advanced Client installation itself fails, possible causes are: • No management point set up for the site • No administrative rights on the target computer • The client push installation account or the enumerated logged-on user account • Admin$ share unavailable

  24. Advanced Client installation problems (3) • Other causes of Advanced Client installation failure (WMI problems) • Error code 0x800400xx in the installation log • Rebuild WMI • Both the Advanced Client and the management point depend heavily on WMI

  25. Management point communication • Advanced Clients access the management point anonymously • Anonymous access cannot be restricted • Advanced Client communication uses the following accounts: • IWAM_mpcomputername • IUSR_mpcomputername • Do not change the ACLs on that computer

  26. Resolving management point access problems: confirm management point access • SMS Agent Host (Ccmexec.exe) must be running on the management point • World Wide Web Publishing Service (W3svc.exe or W3wp.exe) • The default Web site is available • The default Web site must support port 80 • SMS 2003 SP1 and later allow the Advanced Client communication port to be configured

  27. Resolving management point access problems from the Advanced Client • Check ClientLocation.log to confirm the client's site assignment • Check LocationServices.log to confirm the client has identified its default management point • Check Ccmexec.log for management point communication problems • Typically these show as HTTP Error: 12xxx and WINHTTP errors

  28. Resolving management point access problems from the Advanced Client (2) • Confirm connectivity: • http://mpname/sms_mp/.sms_aut?mplist • should return a blank page • http://mpname/sms_mp/.sms_aut?mpcert • should return a long string of characters
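As an added example that is not part of the presentation, the following PowerShell script runs the read-only checks from slides 21, 26, 28 and 29 against a management point from an administrator's workstation; the management point name, port, SQL server and site database name are placeholders to be replaced with your own.

```powershell
# Added example (not from the presentation): read-only health checks for an
# SMS 2003 management point. $MpName, $Port, $SqlServer and $SiteDb are
# assumptions/placeholders; substitute the values for your own site.
param(
    [string]$MpName    = "mpname",
    [int]   $Port      = 80,    # SP1+ may use a non-default client port (slide 26)
    [string]$SqlServer = "",    # optional: also run the osql check from slide 29
    [string]$SiteDb    = ""     # site database name, e.g. SMS_<sitecode>
)

function Get-MpUrlBody([string]$Url) {
    # WebClient sends no credentials, matching the Advanced Client's anonymous access.
    try { (New-Object System.Net.WebClient).DownloadString($Url) }
    catch { Write-Warning ("{0}: {1}" -f $Url, $_.Exception.Message); $null }
}

$base = "http://{0}:{1}/sms_mp/.sms_aut" -f $MpName, $Port

# Slide 28: ?mplist should return an empty page, ?mpcert a long character string.
$mplist = Get-MpUrlBody "${base}?mplist"
if ($null -ne $mplist) {
    $ok = [string]::IsNullOrEmpty($mplist.Trim())
    "mplist : {0} (body length {1})" -f $(if ($ok) { "OK" } else { "UNEXPECTED BODY" }), $mplist.Length
}
$mpcert = Get-MpUrlBody "${base}?mpcert"
if ($null -ne $mpcert) {
    $ok = $mpcert.Trim().Length -gt 100
    "mpcert : {0} (body length {1})" -f $(if ($ok) { "OK" } else { "TOO SHORT" }), $mpcert.Length
}

# Slides 21 and 26: services the management point depends on.
# Get-Service -ComputerName requires Windows PowerShell (not PowerShell 6+).
$services = @{
    CcmExec  = "SMS Agent Host"
    W3SVC    = "World Wide Web Publishing Service"
    Winmgmt  = "Windows Management Instrumentation"
    Schedule = "Task Scheduler"
    MSDTC    = "Distributed Transaction Coordinator"
}
foreach ($name in $services.Keys) {
    $svc   = Get-Service -ComputerName $MpName -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { "NOT FOUND" }
    "{0,-9} {1,-40} {2}" -f $name, $services[$name], $state
}

# Slide 29: SQL Server access with Windows authentication (-E), if parameters were given.
if ($SqlServer -and $SiteDb) {
    & osql -S $SqlServer -d $SiteDb -E -Q "SELECT @@SERVERNAME"
    "osql exit code: $LASTEXITCODE (0 = connection succeeded)"
}
```

Run it from a workstation that can reach the management point over HTTP and, for the service check, has remote service-control rights on it.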

  29. Resolving SQL access problems: confirm SQL Server access • Confirm the management point can reach SQL Server • Member of SMS_SiteSystemToSQLConnection_sitecode • Can connect successfully: • osql -S sqlserver -d sitecode -E

  30. Resolving SQL access problems: confirm SQL Server access (2) • If using advanced security mode, confirm SQL Server SP3 or later • Confirm SQL Server uses named pipes • Used for management point access • Use MP Spy • Confirm the connection to SQL and view the policies

  31. Management point failover • Only one form of failover is offered for management points (NLB) • Up to 4 nodes • All must be on the same network segment • If a proxy management point is used and becomes unavailable, clients will not fail over to the assigned site's management point • Clients keep waiting for the proxy management point to become available again

  32. Site boundaries vs. roaming boundaries • General rule: site boundaries are used exclusively by Legacy Clients • Except for site assignment and discovery data • The SMS Discovery Data Manager uses site boundaries to assign resources and to decide whether to create a CCR • Roaming boundaries are used exclusively by Advanced Clients • Automatic site assignment • Distribution point selection

  33. Local boundaries vs. remote boundaries • General rule: you do not have to add any local roaming boundaries • When site boundaries are used • The default configuration includes all site boundaries as local roaming boundaries • Additional subnets not covered by the local site boundaries can be added • Remote roaming boundaries are only needed when slow links are involved

  34. WMI problems • WMI is critical to SMS • Clients and servers use WMI in many places • If permissions are wrong, settings are incorrect or the WMI repository is damaged, SMS loses functionality • Identify WMI permissions and settings • Rebuild the WMI repository if necessary

  35. SMS V4 outlook

  36. System Center Configuration Manager 2007 helps IT staff drive business value • IT efficiency: reduce manual tasks, free up scarce IT resources, increase end-user productivity, lower infrastructure costs • Easy operation: upgrade to or deploy new operating systems, update applications easily and quickly, manage systems without interruption, keep an accurate asset inventory • Scalability: supports all kinds of platforms (desktops, laptops, servers, mobile and embedded devices), scales to 200k+ managed nodes, manages remote branch offices like internal company resources • Security and compliance: discover system weaknesses and gaps against corporate standards, confirm systems meet the standards, manage insecure systems, determine the latest security state of system software and hardware

  37. SMS with Network Access Protection (animated slide). This animated presentation demonstrates how SMS works with Network Access Protection by stepping through how a non-compliant computer is restricted until it is compliant. Components: Client; Network Access Device (DHCP, VPN); Policy Server (Windows Server "Longhorn" with Network Policy Server, NPS); SMS System Health Validator point; SMS Site Server; Management point; Distribution points; Active Directory; Microsoft Windows Update site; SMS Remediation Servers.
  • SMS Software Updates with ITMU (Inventory Tool for Microsoft Update) is used to retrieve the Windows Update catalog, which lists the latest software updates. If you have other scan tools, such as ITDU (Inventory Tool for Dell Updates), you can also retrieve software update catalogs from third-party vendors. (Callout: "SMS retrieves Windows Update catalog.")
  • Once the catalog is downloaded, the SMS administrator creates software update deployments using the Distribute Software Updates Wizard. During the wizard, software updates can be marked for NAP evaluation, which creates SMS NAP policies. Alternatively, SMS NAP policies can be created afterwards using the Create New Policies wizard under the Network Access Protection, Policies node. (Callouts: "ITMU Admin tests software updates, creating SMS software update deployments." "Admin creates SMS NAP policies.")
  • The creation of SMS NAP policies publishes SMS health state references in Active Directory. Active Directory must be extended and the site server must be configured to publish identity data to Active Directory. (Callout: "Publishes SMS health state reference.")
  • The SMS NAP policies are automatically sent to the management point. Clients that are connected download these SMS NAP policies as part of their machine policy download. (Callout: "Management point receives SMS NAP policies which connected clients download with machine policy.")
  • The SMS System Health Validator point retrieves the SMS health state references from Active Directory on startup and periodically. These are used to identify which site the client belongs to, and whether the client has up-to-date SMS NAP policies, when determining its health state. (Callout: "Retrieves SMS health state reference from Active Directory.")
  • The Network Policy Server administrator has configured Network Access Protection policies to enforce compliance and restrict non-compliant computers. The Network Policy Server is configured with policies that check the SMS health state.
  • An SMS client connects to the network, either through a VPN connection or by starting up and requesting an IP address from a DHCP server. Other enforcement technologies include IPsec and 802.1x.
  • The client requests network access and provides a statement of health by evaluating compliance with its existing SMS NAP policies. (Client: "Requesting access. Here's my current health state.")
  • The Network Access Device asks the Policy Server what network access the computer should have based on the health state the client provided. (Network Access Device: "What network access should this client be granted based on its health state?")
  • The Policy Server asks the SMS System Health Validator point to validate the client and its compliance. (Policy Server: "Can you validate this client? Is it compliant?")
  • The SMS System Health Validator uses the SMS health state references to validate compliance. If the client does not have up-to-date SMS NAP policies or requires software updates, the client is deemed non-compliant and requires remediation. (SMS System Health Validator point: "I can validate this client. It's not compliant. Initiate remediation.")
  • The Network Policy Server therefore instructs the Network Access Device to restrict the computer's network access and initiate remediation in order to make this client compliant. (Policy Server: "Restrict network access and initiate remediation.")
  • The Network Access Device instructs the computer that it is restricted because it is non-compliant and requires remediation. The user is informed with a popup message from the Notification Area that they have restricted access until compliant, but can continue to work locally. (Network Access Device: "You are being given restricted access until compliant.")
  • The SMS client requests the latest SMS NAP policies or the software updates required for compliance. It can connect to the SMS management point to download the SMS NAP policies, and it can connect to the distribution points that host the software updates it requires. However, it cannot connect to other computers on the network unless they have also been configured as remediation servers. This helps to protect the other computers on the network. (Client: "Requesting latest SMS NAP policies or software updates needed for compliance.")
  • The client is remediated with the latest SMS NAP policies, or by downloading the software updates it requires for compliance. (SMS Remediation Servers: "Here are your latest SMS NAP policies or software updates.")
  • The client generates a new statement of health and requests access again, this time with a new health state. (Client: "Here's my new health state. May I have access?")
  • The Network Access Device again asks the Policy Server what network access the computer should have based on its health state.
  • The Policy Server again asks the SMS System Health Validator point to validate the client and its compliance.
  • The SMS System Health Validator again validates the client, but this time it confirms that the client is compliant. (SMS System Health Validator point: "I can validate client's health state. Yes, it's compliant.")
  • The client is granted full network access. The Network Access Device grants the computer full network access, and it can now connect to all computers on the network, which still includes its management point and distribution points. (Policy Server: "Grant full network access.")

  38. DEMO: a tour of SMS V4

  39. The future of System Center

  40. Technical resources

  41. Please fill in the feedback form

  42. Sessions and activities related to this topic • MGT 312 SMS R2 (breakout room 6) 18:00-19:15, 22 September • MGT 320 MOM enterprise application and outlook (breakout room 6) 12:45-14:00, 23 September • MGT 321 MOM best practices (breakout room 6) 14:15-15:30, 23 September
