Big Efficiencies for Big Environments
SCCM 2007's new maintenance, configuration-tracking and updated reporting features make it a must-have for large Windows sites.
The Wake Forest University Baptist Medical Center is a major teaching hospital. It can't just roll out software and patches to its 664 servers and more than 10,000 clients anytime it wants. With many critical applications running 24 hours a day, the window for making changes is extremely tight.
"We generally push our patches in the middle of the night, but the OR [operating room] is up and running 24/7, the sleep lab runs seven nights a week and it's completely booked, and the epilepsy-monitoring unit is another area that's constantly monitoring patients," explains Mary Whited, core client services technical lead at the Winston-Salem, N.C.-based hospital. "We can't just push updates out and reboot computers in those areas."
Instead, Whited used to dispatch technicians to these sensitive areas to do manual updates and patches as necessary.
It wasn't just patches that caused headaches at the hospital. Any software update was difficult. "Any kind of software update required a technician to go touch those computers," says Vicki Williams, one of the hospital's senior network systems analysts. "And that gets to be pretty expensive."
All that changed when the hospital installed Microsoft's System Center Configuration Manager (SCCM) 2007, the latest upgrade of the well-known Microsoft Systems Management Server (SMS) 2003 management tool. SCCM sports a new feature called Maintenance Windows that lets administrators schedule the best day and time for patches and updates for specific sets of computers and servers.
"We negotiated times with each area so that on certain days or evenings they won't use a particular OR for about three hours, or use a particular sleep room for three hours," Williams says. "It's very granular. You can specify any possible combination you can think of."
That level of scheduling granularity is a key factor, agrees Redmond columnist Greg Shields, cofounder and IT guru with Concentrated Technology LLC, a consulting group in Denver. He says he had been using SMS since the 2.0 version, but sees SCCM as a big step forward.
"SMS had a scheduling component, but it was limited," he says. "You really just had one schedule. But with SCCM, you can create multiple schedules."
Not only is it easier, but the Wake Forest IT staff estimates it's saving at least 20 to 30 technician hours a month, as they no longer need to send technicians out to perform manual updates.
Another feature Shields says is a big improvement is the Desired Configuration Manager (DCM). This lets you track a client's desired configuration. Once you set a baseline for an individual computer or set of computers, SCCM reports against that baseline to alert you when the configuration changes.
It's also effective for troubleshooting. "We all have applications where we know that if we click a certain box it breaks the entire application, so we tell people to never check the box," Shields says. "With SCCM, you can drill down to that level, where if you know what that checkbox is and how it manifests itself into the registry or file system, you can send that as a report. And you can give that report to your help desk, so they can tell why the app is breaking."
The Wake Forest IT department also uses DCM to ease software rollouts.
Roll Out the OS
Like SMS, SCCM can handle OS rollouts, but a new feature called Operating System Distribution (OSD) makes it far easier. This is significant if your company is looking to roll out Windows Vista and Windows Server 2008.
"OSD is substantially easier to use," Shields says. "But the way it goes about setting up your reference image is kind of wacky. It takes a second or two to get your brain wrapped around it, but once you do, it makes complete sense as to why it was done that way."
Products like Symantec's Ghost require you to first build a computer with the proper configuration and then make an image of that machine for distribution. SCCM lets you deploy standard images directly to bare-bones hardware.
"It actually takes a computer and it creates your scripts, installs the operating system, configures it with the applications you want, makes the configuration changes, snaps the image and then you're done," Shields says.
|Lessons Learned with SCCM
There are a few
tricks to getting the most out of System Center Configuration
Manager (SCCM) 2007, according to readers. While SCCM is easy
to install and deploy for the most part, pay attention to
these three key items.
1. Clean up AD: Because SCCM relies on Active Directory
to gather most of its information, enterprises need to first
ensure AD is as clean as possible before rolling out SCCM.
"If you have a bunch of machines that are no longer on the
network, but are still in Active Directory, Configuration
Manager will see those and put them in its database," says
Vicki Williams, a senior network systems analyst at Wake Forest
University Baptist Medical Center. "So if you have a lot of
old clients in your AD structure, they'll come into Configuration
Manager, but you'll end up with some that Configuration Manager
can't install on because they're not on the network. Then
you'll be stuck tracking them down."
2. Clean up duplicate GUIDs: Microsoft recommends
that you first clear up any conflicts with client IDs prior
to install. "I didn't pay attention to that and it kind of
bit me," Williams says. "You want to make sure that any duplicate
GUIDs -- computers having the same kind of SMS client ID --
have been cleared up. Because if you don't, SCCM will lose
track of which client it's really talking to because you have
10 machines that all have the same ID number. We had to stop
and fix all of those, and it really slowed down our upgrade."
3. Don't expect magic: Redmond columnist Greg
Shields, cofounder and IT guru with Concentrated Technology
LLC, a consulting group in Denver, says that although SCCM
will save you untold amounts of time and energy in performing
rote, mundane tasks, it doesn't just work by magic and requires
a good degree of knowledge up front. "You actually need a
comfort level with the registry and application packaging,
and automated scripted activities," he says.
SCCM also has improved patching capabilities. Now based on Windows Server Update Services (WSUS), users say patching is easier and more robust. "With SMS 2003, and especially the earlier versions of SMS, the patch management was somewhat challenging," Shields says. "Configuration Manager integrates its patch management with WSUS, and that makes the process of patch management really easy."
Wake Forest's Williams agrees. "With SMS, we didn't use WSUS, and I knew nothing about WSUS," she says. "But it's such an easy product that I was able to bring up the WSUS server, and I get the new Configuration Manager server to start doing the patching right away."
The only downside, Whited says, is that SCCM's patching doesn't include a delay feature like SMS 2003. "We have students who use laptops, but the laptops aren't here at night when we push out patches or software updates," she says. "When they come in the next day, they join the network, and boom, they start getting the patch or software update."
SMS had what she calls "a snooze feature" that would let students delay reboots up to three hours. "That functionality is gone with patching, which is a definite downside," she says.
Whited and Williams are looking forward to using SCCM's Asset Intelligence, which helps enterprises better track their hardware and software assets. "We're comprised of two separate entities, North Carolina Baptist Hospital and Wake Forest University health sciences, and we use different licensing," Whited says. "We have health-care licensing for the hospital and educational licensing for the school, so when we go to buy licenses for Microsoft products or anybody else's, we have to be able to say 6,000 are hospital and 5,000 are educational. That's not as easy as you'd think."
Although she hasn't yet entered her licensing information into SCCM, she's looking forward to the improved management it promises.
Perhaps the most improved part of SCCM is its reporting, users agree. "The reports are really good. You can drill down into very detailed reports as to why you're compliant or not," Shields says.
Williams agrees. "Before, with the software updates, SMS gave you a couple of reports, but a lot of times, you had to go out and write your own queries and reports to see which machines weren't compliant and what patches were out there," she says.
Overall, readers say they're pleased with the updates made to SCCM. "Microsoft did a really good job with this," Williams says.