MGT 311: SMS 2003 Best Practices and an Outlook on SMS V4. Course outline: the many problems we run into in day-to-day management; the SMS 2003 design structure; problems and solutions when implementing the best deployment process; a glimpse of SMS V4; the future of System Center; question time. Who will help us solve the many problems we run into in the management process? Where do the money and effort go? The world's best desktop management platform, 23,000+ end users. Main features of SMS 2003: security patch management; asset management; application deployment; support for mobile applications; full use of the Windows management services.
No Local Servers
Primary Sites for more than 1000
Secondary Sites for more than 100
1 Server Locator Point per SMS hierarchy
1 Management Point per site (4 NLB nodes)
1 Client Access Point, located close to legacy clients
Distribution Points located close to clients
Inventory 5x/wk Software Distribution 10 pkgs/wk
Dual 1 GHz CPU
512 MB – 1 GB RAM
3 – 11 HDD
Inventory 5x/wk Software Distribution 10+ pkgs/wk
4x 1 GHz+ CPU, 4 GB RAM, 14 HDD recommended
Delta inventories ~1-7k
Important: use Network Monitor
Increasing bandwidth control
SMS V4 Outlook
Supports all kinds of platforms (desktops, laptops, servers, mobile devices and embedded devices)
This animated presentation demonstrates how SMS works with Network Access Protection by stepping through the process by which a non-compliant computer is restricted until it is compliant.

Windows Update site / SMS Site Server: SMS retrieves Windows Update catalog. SMS Software Updates with ITMU (Inventory Tool for Microsoft Update) is used to retrieve the Windows Update catalog, which lists the latest software updates. If you have other scan tools, such as ITDU (Inventory Tool for Dell Updates), you can also retrieve software update catalogs from third-party vendors.

Admin tests software updates, creating SMS software update deployments. Once the catalog is downloaded, the SMS administrator creates software update deployments using the Distribute Software Updates Wizard. During the wizard, software updates can be marked for NAP evaluation, which creates SMS NAP policies. Alternatively, SMS NAP policies can be created afterwards, using the Create New Policies wizard under the Network Access Protection, Policies node.

SMS NAP policies. Publishes SMS health state reference. The creation of SMS NAP policies publishes SMS health state references in Active Directory. Active Directory must be extended and the site server must be configured to publish identity data to Active Directory.

The SMS NAP policies are automatically sent to the management point. Clients that are connected will download these SMS NAP policies as part of their machine policy download. Management point receives SMS NAP policies, which connected clients download with machine policy.

Retrieves SMS health state reference from Active Directory. The SMS System Health Validator point retrieves the SMS health state references from Active Directory on startup and periodically. These are used to identify which site the client belongs to, and whether the client has up-to-date SMS NAP policies when determining its health state.

An SMS client becomes connected to the network, either through a VPN connection or when it starts up and requests an IP address from a DHCP server. Other enforcement technologies include IPsec and 802.1X. The client requests network access and provides a statement of health by evaluating compliance with its existing SMS NAP policies.

What network access should this client be granted based on its health state? The Network Access Device asks the Policy Server what network access the computer should have based on the health state the client provided.

The Network Policy Server is configured with policies that check the SMS health state. The Policy Server asks the SMS System Health Validator point to validate the client and its compliance.

The SMS System Health Validator uses SMS health state references to validate compliance. If the client does not have up-to-date SMS NAP policies or requires software updates, the client is deemed non-compliant and requires remediation.

The Network Policy Server administrator has configured Network Access Protection policies to enforce compliance and restrict non-compliant computers. The Network Policy Server therefore instructs the Network Access Device to restrict the computer's network access and initiate remediation in order to make this client compliant.

The Network Access Device instructs the computer that it is restricted because it is non-compliant and requires remediation. The user is informed with a popup message from the Notification Area that they have restricted access until compliant, but can continue to work locally.

Requesting latest SMS NAP policies or software updates needed for compliance. The SMS client requests the latest SMS NAP policies or the software updates required for compliance. It can connect to the SMS management point to download the SMS NAP policies, and it can connect to distribution points that host the software updates it requires. However, it cannot connect to other computers on the network unless they have also been configured as remediation servers. This helps to protect other computers on the network.

Here are your latest SMS NAP policies or software updates. The client is remediated with the latest SMS NAP policies, or by downloading the software updates it requires for compliance.

The client generates a new statement of health and requests access again, this time with a new health state.

The Network Access Device again asks the Policy Server what network access the computer should have based on its health state.

The Policy Server again asks the SMS System Health Validator point to validate the client and its compliance.

The SMS System Health Validator again validates the client, but this time it confirms that the client is compliant.

Client is granted full network access. The Network Access Device grants the computer full network access, and it can now connect to all computers on the network, which still includes its management point and distribution points.
Diagram callouts from the animated NAP flow (speech bubbles; several are cut off in the source):
Requesting access. Here’s my new health state.
May I have access? Here’s my current
Restrict network access and initiate remediation.
SMS System Health
I can validate client’s health state.
Yes, it’s compliant.
I can validate this client. It’s not compliant.
Can you validate
Is it compliant?
Grant full network access.
You are being given restricted access until
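The compliance loop narrated above, as an added example that is not part of the original presentation and not SMS code: a small Python model in which a System Health Validator compares a client's statement of health with a health state reference (site membership, NAP policy version, required updates), a policy server turns the result into an access decision, the access device confines a restricted client to its remediation servers, and the client is re-evaluated after remediation. The site code, policy version, update identifiers and host names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed health state reference, standing in for what the site server
# publishes to Active Directory (placeholder values, not real SMS data).
HEALTH_STATE_REFERENCE = {
    "site_code": "S01",                            # hypothetical site code
    "nap_policy_version": 3,                       # newest SMS NAP policy version
    "required_updates": {"UPDATE-A", "UPDATE-B"},  # placeholder update ids
}

# Hosts a restricted client may still reach: the management point and a
# distribution point, plus anything else configured as a remediation server.
REMEDIATION_SERVERS = {"mp.example.local", "dp01.example.local"}  # assumed names


@dataclass
class StatementOfHealth:
    """What the client reports when it asks for network access."""
    site_code: str
    nap_policy_version: int
    installed_updates: frozenset


@dataclass
class ValidationResult:
    compliant: bool
    reasons: list


@dataclass
class Client:
    site_code: str
    nap_policy_version: int
    installed_updates: set = field(default_factory=set)

    def statement_of_health(self) -> StatementOfHealth:
        return StatementOfHealth(self.site_code, self.nap_policy_version,
                                 frozenset(self.installed_updates))

    def remediate(self, reference: dict) -> None:
        """Fetch the latest NAP policies (management point) and the missing
        updates (distribution point); modelled here as local state changes."""
        self.nap_policy_version = reference["nap_policy_version"]
        self.installed_updates |= reference["required_updates"]


def shv_validate(soh: StatementOfHealth, reference: dict) -> ValidationResult:
    """SMS System Health Validator: compare the statement of health with the
    health state reference. Any finding makes the client non-compliant."""
    reasons = []
    if soh.site_code != reference["site_code"]:
        reasons.append("client does not belong to a known site")
    if soh.nap_policy_version < reference["nap_policy_version"]:
        reasons.append("SMS NAP policies are out of date")
    missing = reference["required_updates"] - soh.installed_updates
    if missing:
        reasons.append("missing software updates: " + ", ".join(sorted(missing)))
    return ValidationResult(compliant=not reasons, reasons=reasons)


def nps_decide(result: ValidationResult) -> str:
    """Network Policy Server: non-compliant clients are restricted and sent
    to remediation; compliant clients get full access."""
    return "full" if result.compliant else "restricted"


def nad_allows(decision: str, destination: str) -> bool:
    """Network Access Device: enforce the decision per destination host."""
    if decision == "full":
        return True
    return destination in REMEDIATION_SERVERS


def run_nap_cycle(client: Client, reference: dict, max_rounds: int = 3):
    """Request access, validate, and (while restricted) remediate and retry.
    Returns the final decision and a log of (round, decision, reasons)."""
    log = []
    decision = "restricted"
    for round_no in range(1, max_rounds + 1):
        result = shv_validate(client.statement_of_health(), reference)
        decision = nps_decide(result)
        log.append((round_no, decision, list(result.reasons)))
        if decision == "full":
            break
        client.remediate(reference)
    return decision, log


if __name__ == "__main__":
    # Constructed client: stale NAP policy and one of two required updates.
    stale = Client("S01", nap_policy_version=2, installed_updates={"UPDATE-A"})
    final, history = run_nap_cycle(stale, HEALTH_STATE_REFERENCE)
    for round_no, decision, reasons in history:
        print(round_no, decision, reasons)
    print("final decision:", final)
```

The model keeps the defensive property the narration stresses: while the decision is "restricted", `nad_allows` only admits traffic to the remediation servers, so a non-compliant machine cannot reach arbitrary hosts before it has been brought up to date.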
(Breakout Room 6) 18:00-19:15, September 22
(Breakout Room 6) 12:45-14:00, September 23
(Breakout Room 6) 14:15-15:30, September 23