Configuration Manager 2012 R2 basic knowledge

Source: Internet
Author: User
Tags: temporary file storage, account security


1. Site:

When you first install System Center 2012 R2 Configuration Manager, you create a Configuration Manager site, which is the foundation for managing devices and users in the enterprise. This site is either a central administration site or a primary site. The central administration site is suitable for large-scale deployments and provides centralized administration and flexible support for devices distributed across a global network infrastructure. A primary site is suitable for smaller deployments and has fewer options for accommodating future growth of the enterprise.

When you install a central administration site, you must also install at least one primary site to manage users and devices. With this design, you can install additional primary sites to manage more devices and to control network bandwidth when devices are located in different geographic locations. You can also install another type of site called a secondary site. A secondary site extends a primary site to manage devices that connect to the primary site over a slow network.

If you do not install a central administration site, the first site you install is a stand-alone primary site. By default, you cannot then install additional primary sites that communicate with each other. However, if you have to manage devices that connect to the primary site over a slow network, you can still install one or more secondary sites to extend the primary site.

[Figure: System Center 2012 R2 Configuration Manager site topology]

2. Publish the site information to the Active Directory domain service:

Extending the Active Directory schema for System Center 2012 R2 Configuration Manager lets you publish System Center 2012 R2 Configuration Manager sites to Active Directory Domain Services, so that Active Directory computers can securely retrieve information about System Center 2012 R2 Configuration Manager sites from a trusted source. Although publishing site information to Active Directory Domain Services is not required for basic Configuration Manager functionality, this configuration improves the security of the System Center 2012 R2 Configuration Manager hierarchy and reduces administrative overhead.

The Active Directory schema can be extended before or after System Center 2012 R2 Configuration Manager is installed. You must also create a container named System Management in each domain that contains a System Center 2012 Configuration Manager site, so that site information can be published there. Active Directory permissions must be configured so that the site can publish its information to this Active Directory container. As with all schema extensions, you can extend the schema for System Center 2012 Configuration Manager only once per forest.

3. Site system servers and site system roles:

Configuration Manager uses site system roles to support the management operations at each site. When you install a Configuration Manager site, some site system roles are installed automatically and assigned to the server on which the Configuration Manager setup program ran successfully. One of these site system roles is the site server; it cannot be moved to another server or removed without uninstalling the site. Other site system roles can run on other servers: you install and configure a Configuration Manager site system server to move some site system roles off the site server.
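As an added defender's check (not code from the original article), the following PowerShell lists the explicit access control entries on the System Management container in the current domain, so you can verify that only the site server computer accounts and the expected administrators hold Full Control; it assumes the ActiveDirectory RSAT module is installed and that the caller can read the container.

```powershell
# Added example: audit who can write to the System Management container.
# Assumes the ActiveDirectory module (RSAT) is available and the AD: drive
# it provides; queries the domain of the current user.
Import-Module ActiveDirectory

function Get-SystemManagementContainerAcl {
    # CN=System,DC=... of the current domain, then the publishing container.
    $systemDn = (Get-ADDomain).SystemsContainer
    $dn = "CN=System Management,$systemDn"

    $acl = Get-Acl -Path "AD:\$dn"
    # Only explicit (non-inherited) ACEs are interesting: these are the
    # grants made for site servers when publishing was set up.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType          # Allow / Deny
            Inheritance = $ace.InheritanceType            # All = container + children
            # GenericAll is what a site server needs to publish; anyone else
            # holding it should be an expected administrative principal.
            FullControl = $ace.ActiveDirectoryRights.HasFlag(
                [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        }
    }
}

Get-SystemManagementContainerAcl | Sort-Object FullControl -Descending |
    Format-Table -AutoSize
```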

Each site system role supports different management functions. The core site system roles are:

  • Site server: the computer on which the Configuration Manager setup program runs and that provides the core functionality of the site.

  • Site database server: the server that hosts the SQL Server database that stores information about Configuration Manager assets and site data.

  • Component server: a server that runs Configuration Manager services. Configuration Manager installs the component server automatically whenever it installs any site system role other than the distribution point role.

  • Management point: a site system role that provides policy and service location information to clients and receives configuration data from clients.

  • Distribution point: a site system role that contains the source files that clients download, such as application content, software packages, software updates, operating system images, and boot images.

  • Reporting services point: a site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager.

When a company first deploys Configuration Manager in a production environment, it usually runs several site system roles on the site server and uses additional site system servers for distribution points. Further site system servers and site system roles are then added as business requirements and the network infrastructure dictate. The additional site system roles that specific features may require are listed below.

  • Application Catalog web service point: a site system role that provides software information from the Software Library to the Application Catalog website.

  • Application Catalog website point: a site system role that provides users with a list of available software from the Application Catalog.

  • Asset Intelligence synchronization point: a site system role that connects to Microsoft to download Asset Intelligence catalog information and to upload uncategorized titles so that they can be considered for future inclusion in the catalog.

  • Endpoint Protection point: a site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for the Microsoft Active Protection Service.

  • Certificate registration point: a site system role that communicates with a server running the Network Device Enrollment Service to manage device certificate requests that use the Simple Certificate Enrollment Protocol (SCEP).

  • Enrollment point: a site system role that uses PKI certificates for Configuration Manager to enroll mobile devices and Mac computers, and to provision Intel AMT-based computers.

  • Enrollment proxy point: a site system role that manages Configuration Manager enrollment requests from mobile devices and Mac computers.

  • Fallback status point: a site system role that helps you monitor client installation and identify clients that are unmanaged because they cannot communicate with their management point.

  • Out of band service point: a site system role that provisions and configures Intel AMT-based computers for out-of-band management.

  • Software update point: a site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.

  • State migration point: a site system role that stores user state data when a computer is migrated to a new operating system.

  • System Health Validator point: a site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.

  • Windows Intune connector: a site system role, available from Configuration Manager SP1, that uses Windows Intune to manage mobile devices from the Configuration Manager console.

[Figure: the core site system roles, and the additional roles that can be added to the site server computer or distributed across additional site system servers]

4. Client:

A System Center 2012 R2 Configuration Manager client is a device on which the Configuration Manager client software is installed so that you can manage it, such as a workstation, laptop, server, or mobile device. Management includes operations such as reporting hardware and software inventory information, installing software, and applying the settings required for configuration compliance. Configuration Manager provides several discovery methods that you can use to find devices on the network, which helps you install the client software on those devices.

Configuration Manager provides several options for installing the client software on a device, including client push installation, software update-based installation, Group Policy, and manual installation. You can also include the client when you deploy an operating system image.

Configuration Manager uses collections to group devices so that you can perform management tasks on multiple devices that share a common set of conditions. For example, to install a mobile device application on all mobile devices enrolled through Configuration Manager, you can use the All Mobile Devices collection, which automatically excludes computers. You can create your own collections based on your business needs to logically group the devices you manage.

5. User-centered management:

In addition to device collections, there are user collections, which contain users from Active Directory Domain Services. By using user collections you can install software on every computer that a user logs on to, or configure user device affinity so that software is installed only on the main devices the user works from. These are called primary devices, and a user can have one or more of them. One way users control their own software deployment experience is through the new client interface for computers, Software Center. Software Center is installed automatically on client computers and is opened from the user's Start menu. This client interface lets users manage their own software and perform the following operations:

  • Install software

  • Schedule software installations outside working hours

  • Configure the times when Configuration Manager may install software on the device

  • Configure access settings for remote control (if remote control is enabled in Configuration Manager)

  • Configure power management options (if the administrator has enabled this option)

A link in Software Center opens the Application Catalog, where users can browse, install, and request software. The Application Catalog also lets users configure certain preference settings and wipe their mobile devices. Because the Application Catalog is a website hosted in IIS, users can also open it directly in a browser from the intranet or the Internet. Users can also specify their primary devices from the Application Catalog (if you allow this configuration). Other methods for configuring user device affinity include importing the information from a file and generating it automatically based on usage.

6. Client settings:

When System Center 2012 R2 Configuration Manager is first installed, all clients in the hierarchy are configured with the default client settings, which you can change. These client settings include options such as how often devices communicate with the site, whether the client is enabled for software updates and other management operations, and whether users can enroll their mobile devices for management by Configuration Manager. If you need different client settings for groups of users or devices, you can create custom client settings and assign them to collections; the users or devices in those collections are then configured with the custom settings. You can create multiple custom client settings and apply them in the order you specify. When several custom client settings apply, they are resolved by their order number, and where settings conflict, the setting with the lowest order number takes precedence.

[Figure: creating and applying custom client settings]
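The precedence rule above is easy to get wrong when a device sits in several collections, so here is an added PowerShell example (not from the original article) that queries the SMS Provider over WMI and lists, for one device, every client settings object that applies to it in the order Configuration Manager resolves conflicts. It assumes the caller is in the SMS Admins group, that the provider exposes the SMS_ClientSettings, SMS_ClientSettingsAssignment and SMS_FullCollectionMembership classes with the properties used below, and that the site server name, site code and ResourceID are placeholders.

```powershell
# Added example: show the effective precedence of client settings for a
# device. Lowest Priority number wins on conflict; Default Client Settings
# (Priority 10000) always applies and always comes last.
function Get-EffectiveClientSettingsOrder {
    param(
        [Parameter(Mandatory)][string]$SiteServer,  # SMS Provider host (placeholder)
        [Parameter(Mandatory)][string]$SiteCode,    # e.g. 'PS1' (placeholder)
        [Parameter(Mandatory)][uint32]$ResourceID   # device ResourceID from the console
    )
    $cim = @{ ComputerName = $SiteServer; Namespace = "root\sms\site_$SiteCode" }

    # Collections the device belongs to.
    $memberOf = Get-CimInstance @cim -ClassName SMS_FullCollectionMembership `
        -Filter "ResourceID = $ResourceID" |
        Select-Object -ExpandProperty CollectionID -Unique

    # Custom client settings deployed to any of those collections.
    $assigned = Get-CimInstance @cim -ClassName SMS_ClientSettingsAssignment |
        Where-Object { $memberOf -contains $_.CollectionID }
    $ids = $assigned | Select-Object -ExpandProperty ClientSettingsID -Unique

    $all     = Get-CimInstance @cim -ClassName SMS_ClientSettings
    $custom  = $all | Where-Object { $ids -contains $_.SettingsID }
    $default = $all | Where-Object { $_.Priority -eq 10000 }   # default object

    # Resolution order: ascending Priority, then the default settings.
    $ordered = @($custom | Sort-Object Priority) + @($default)
    $rank = 0
    foreach ($s in $ordered) {
        $rank++
        $via = if ($s.Priority -eq 10000) { 'default (all clients)' } else {
            ($assigned | Where-Object { $_.ClientSettingsID -eq $s.SettingsID } |
                Select-Object -ExpandProperty CollectionID) -join ','
        }
        [pscustomobject]@{
            Rank       = $rank        # 1 = overrides everything below it
            Priority   = $s.Priority
            Name       = $s.Name
            SettingsID = $s.SettingsID
            AppliesVia = $via         # collection(s) that deliver this object
        }
    }
}

# Usage with placeholder values:
# Get-EffectiveClientSettingsOrder -SiteServer 'cm01' -SiteCode 'PS1' `
#     -ResourceID 16777220 | Format-Table -AutoSize
```

A security-relevant setting (for example, whether users may enroll mobile devices) is taken from the first object in this list that defines it, so check that no low-numbered custom object unintentionally loosens what the default settings enforce.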

7. Limited management without clients:

The System Center 2012 R2 Configuration Manager client provides full management functionality for users and devices. However, in either of the following situations you can manage devices without the client software: out-of-band management of computers that have Intel Active Management Technology (AMT), and mobile devices that connect to an Exchange service (such as an on-premises Exchange Server or Exchange Online in Office 365).

Configuration Manager uses the client software to provision and configure computers for AMT, but the client software is not used when you perform AMT management operations; in that case Configuration Manager connects directly to the AMT management controller. This means you keep a degree of control over computers that are powered off or unresponsive at the operating system level. For example, you can restart these computers, re-image them, or run diagnostic utilities to help troubleshoot them.

If you cannot install the Configuration Manager client software on a mobile device, you can still manage it by using the Exchange Server connector. This connector lets you configure the settings in the default Exchange ActiveSync mailbox policies; Configuration Manager can configure any setting defined in those policies, and the connector also supports remote wipe and Exchange access rules for blocking and quarantine. Mobile devices that you manage with the Exchange Server connector appear in the All Mobile Devices collection even though the System Center 2012 R2 Configuration Manager client is not installed on them. Because no client is installed, you cannot deploy software to these devices.

8. Client management tasks:

After the Configuration Manager client is installed, you can perform a range of client management tasks, including:

  • Deploy applications, software updates, maintenance scripts, and operating systems. You can configure them to install by a specified date and time, or make them available for users to install on request. You can also configure applications to be uninstalled.

  • Help protect computers from malware and security threats, and be notified when problems are detected.

  • Define client configuration settings that you want to monitor and remediate when they are out of compliance.

  • Collect hardware and software inventory information, including monitoring and reconciling license information from Microsoft.

  • Troubleshoot computers by using remote control, or by performing AMT operations on AMT-provisioned computers that are not responding.

  • Implement power management settings to manage and monitor the power consumption of computers.

By using alerts and status information, you can monitor these operations in near real time from the Configuration Manager console. The integrated SQL Server Reporting Services reporting function lets you capture data and analyze historical trends.

9. Configuration Manager (Windows Control Panel):

When the Configuration Manager client is installed, a Configuration Manager application is added to Control Panel. Unlike Software Center, this application is designed for help desk staff rather than end users. Some of its configuration options require local administrative permissions, and most require technical knowledge of how Configuration Manager works. You can use this application to perform the following tasks on the client:

  • View client properties, such as the build number, the site it is assigned to, the management point it communicates with, and whether the client uses a PKI certificate or a self-signed certificate.

  • Confirm that the client successfully downloaded client policy after it was first installed, and that the client settings are enabled or disabled as expected according to the client settings configured in the Configuration Manager console.

  • Start client actions. For example, if you have recently changed a configuration in the Configuration Manager console and do not want to wait for the next scheduled run, you can start the action that downloads client policy.

  • Manually assign the client to a Configuration Manager site, or try to locate a site, and specify the DNS suffix for management points that are published to DNS.

  • Configure the client cache used for temporary file storage, and delete files from the cache when more disk space is needed to install software.

  • Configure the settings used for Internet-based client management.

  • View the configuration baselines deployed to the client, start a compliance evaluation, and view the compliance report.
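The Control Panel applet reads these facts from the client's own WMI namespaces, and an administrator can do the same from PowerShell; the following is an added example (not code from the original article) that reports the client version, assigned site, current management point and cache configuration, and triggers the machine policy retrieval cycle on demand. It assumes it is run elevated on a client with Windows PowerShell 5.1, and the use of SMS_ActiveMPCandidate.Capabilities to spot HTTPS-capable management points is an assumption about that class, not documented behaviour.

```powershell
# Added example: what the Configuration Manager Control Panel shows, read
# from root\ccm, plus an on-demand client action.
function Get-CMClientStatus {
    # SMS_Client (root\ccm) carries the client version; its static method
    # GetAssignedSite returns the site code as sSiteCode.
    $client = Get-CimInstance -Namespace root\ccm -ClassName SMS_Client
    $site   = Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client `
                  -MethodName GetAssignedSite
    # SMS_Authority holds the management point the client talks to.
    $auth   = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority
    # CacheConfig is the "Cache" tab: folder used for temporary file storage
    # and its size in MB.
    $cache  = Get-CimInstance -Namespace root\ccm\SoftMgmtAgent -ClassName CacheConfig
    # Assumption: SMS_ActiveMPCandidate.Capabilities is an XML fragment that
    # contains <Property Name="SSL" .../> for MPs that accept HTTPS.
    $mps    = Get-CimInstance -Namespace root\ccm\LocationServices `
                  -ClassName SMS_ActiveMPCandidate -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ClientVersion   = $client.ClientVersion
        AssignedSite    = $site.sSiteCode
        CurrentMP       = $auth.CurrentManagementPoint
        CacheLocation   = $cache.Location
        CacheSizeMB     = $cache.Size
        HttpsCapableMPs = @($mps | Where-Object { $_.Capabilities -match 'Name="SSL"' } |
                            ForEach-Object { $_.MP })
    }
}

# Well-known schedule IDs behind the "Actions" tab; the numeric tail selects
# the cycle (…0021 = Machine Policy Retrieval & Evaluation Cycle).
$CMSchedule = @{
    MachinePolicy      = '{00000000-0000-0000-0000-000000000021}'
    HardwareInventory  = '{00000000-0000-0000-0000-000000000001}'
    SoftwareUpdateScan = '{00000000-0000-0000-0000-000000000113}'
}

function Invoke-CMClientAction {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MachinePolicy', 'HardwareInventory', 'SoftwareUpdateScan')]
        [string]$Action
    )
    # TriggerSchedule is a static method with one string parameter, sScheduleID.
    Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = $CMSchedule[$Action] } | Out-Null
    "Triggered $Action ($($CMSchedule[$Action]))"
}

Get-CMClientStatus | Format-List
# After changing client settings in the console, pull policy immediately:
# Invoke-CMClientAction -Action MachinePolicy
```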

10. Security:

The security of System Center 2012 R2 Configuration Manager consists of multiple layers. First, Windows provides many security features for the operating system and the network, such as:

  • File transfer between System Center 2012 R2 Configuration Manager components

  • Access control lists (ACLs) that help protect files and registry entries

  • IPsec to help protect communications

  • Group Policy to set security policies

  • DCOM permissions for distributed applications, such as the Configuration Manager console

  • Active Directory Domain Services to store security principals

  • Windows account security, including the groups created during System Center 2012 Configuration Manager installation

Additional security components, such as firewalls and intrusion detection, help provide defense in depth for the whole environment. Certificates issued by industry-standard PKI implementations help provide authentication, signing, and encryption.

System Center 2012 R2 Configuration Manager controls access to the Configuration Manager console in several ways. By default, only local administrators have the rights to the files and registry keys required to run the console on the computer where it is installed.

The next security layer is built on access through Windows Management Instrumentation (WMI), specifically the SMS Provider. By default, only members of the local SMS Admins group can access the SMS Provider. This group initially contains only the user who installed System Center 2012 R2 Configuration Manager. To grant other accounts permissions to the Common Information Model (CIM) repository and the SMS Provider, add those accounts to the SMS Admins group.

The last security layer is based on permissions on the objects in the site database. By default, the Local System account and the user account you used to install System Center 2012 Configuration Manager can administer all objects in the site database. You can use role-based administration in the Configuration Manager console to grant and restrict permissions for additional administrative users.

11. Role-based management:

System Center 2012 R2 Configuration Manager uses role-based administration to help secure objects such as collections, deployments, and sites. This administration model centrally defines and manages the security access settings for all sites and site settings in the hierarchy. Security roles are assigned to administrative users and group permissions for different Configuration Manager object types, such as the permission to create or change client settings. Security scopes group specific object instances that an administrative user is responsible for, such as an application that installs Microsoft Office 2010. The combination of security roles, security scopes, and collections defines which objects an administrative user can view and manage. System Center 2012 R2 Configuration Manager installs some default security roles for common administrative tasks, but you can also create your own security roles to meet specific business needs.
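Sections 10 and 11 describe three access layers on the way to the site database: the local SMS Admins group, the DACL on the SMS Provider's WMI namespace, and role-based administration. The following PowerShell is an added example (not code from the original article) that audits all three on the server hosting the SMS Provider and flags Full Administrators; it assumes it runs elevated on that server, that the SMS_Admin class exposes LogonName, RoleNames, CategoryNames and CollectionNames, and that the site code is a placeholder.

```powershell
# Added example: audit who can reach and administer the site through the
# SMS Provider. Run elevated on the SMS Provider host.
function Get-CMAccessAudit {
    param([Parameter(Mandatory)][string]$SiteCode)   # e.g. 'PS1' (placeholder)

    # Layer 1 of the provider gate: local SMS Admins group membership.
    $smsAdmins = Get-LocalGroupMember -Group 'SMS Admins' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name }

    # Layer 2: explicit ACEs on the root\sms WMI namespace. __SystemSecurity
    # is a singleton; GetSecurityDescriptor returns a Win32_SecurityDescriptor.
    $sec = Get-CimInstance -Namespace root\sms -ClassName __SystemSecurity
    $sd  = (Invoke-CimMethod -InputObject $sec -MethodName GetSecurityDescriptor).Descriptor
    $aces = foreach ($ace in $sd.DACL) {
        [pscustomobject]@{
            Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            AccessMask = '0x{0:X}' -f $ace.AccessMask
            Allow      = ($ace.AceType -eq 0)    # 0 = ACCESS_ALLOWED, 1 = DENIED
        }
    }

    # Layer 3: role-based administration. SMS_Admin lists each administrative
    # user with the security roles, security scopes and collections granted.
    $rba = Get-CimInstance -Namespace "root\sms\site_$SiteCode" -ClassName SMS_Admin |
        ForEach-Object {
            [pscustomobject]@{
                LogonName   = $_.LogonName
                Roles       = ($_.RoleNames     -join '; ')
                Scopes      = ($_.CategoryNames -join '; ')
                Collections = ($_.CollectionNames -join '; ')
            }
        }

    # Highest-impact grant: Full Administrator. Compare this list with the
    # people who are expected to hold it, and with the SMS Admins members
    # (a member of the group with no role can connect but administers nothing).
    $fullAdmins = $rba | Where-Object { $_.Roles -match 'Full Administrator' }

    [pscustomobject]@{
        SmsAdminsGroup      = $smsAdmins
        NamespaceACEs       = $aces
        AdministrativeUsers = $rba
        FullAdministrators  = @($fullAdmins | ForEach-Object { $_.LogonName })
    }
}

# Usage with a placeholder site code:
# Get-CMAccessAudit -SiteCode 'PS1' | Format-List
```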

12. Securing communication between clients and site system roles:

You can secure the communication between clients and site system roles by using self-signed certificates or public key infrastructure (PKI) certificates. Configuration Manager requires PKI certificates for computer clients and mobile device clients on the Internet, so that HTTPS protects the client endpoints. You can configure the site system roles that clients connect to for HTTPS or HTTP client communication. Client computers always use the most secure communication method available, and fall back to the less secure HTTP method only on the intranet and only for site system roles that allow HTTP communication.

13. Configuration Manager accounts and groups:

System Center 2012 R2 Configuration Manager uses the Local System account for most site operations. Some management tasks, however, may require you to create and maintain additional accounts. Several default groups and SQL Server roles are created during installation, but you may need to add computer or user accounts to these default groups and roles manually.

This chapter was written with reference to the official Microsoft TechNet website. For details, see:


This article is from "Xu Ting's blog"; please be sure to keep this source.

