SCCMinfo

Everything about extending Active Directory Schema to publish SCCM Site

Extending the Active Directory schema creates a new container in the Active Directory database with several attributes that Configuration Manager can use to publish information, which SCCM clients can later use for several purposes.

Points to be considered when extending the Active Directory schema:

  1. Benefit of extending Active Directory schema for publishing SCCM Sites
  2. Prerequisites for extending Active Directory schema
  3. Steps to extend Active Directory Schema
  4. Devices and clients which do not use the Active Directory Schema
  5. Active Directory classes and attributes for SCCM

We will look at each of them in brief.

Benefit of extending the Active Directory schema for publishing SCCM sites:

  • Configuration Manager clients can easily find information about SCCM sites using the published attributes, such as the site code, software update server information, or any other information published in Active Directory.
  • It helps clients locate content servers.
  • Clients can find the management point from Active Directory if the schema is extended.
  • Port information that clients should use is stored in Active Directory.
  • The site public key is stored in Active Directory if the schema is extended, which helps communication between two different primary sites.

Prerequisites for extending the Active Directory schema:

  • The account that will be used for the schema extension should be a member of both Schema Admins and Domain Admins.

Steps to extend the Active Directory schema:

The following two steps extend the schema.

Step 1 – Extend the schema

  • Using the extadsch.exe tool
    • Log in with a Schema Admin / Domain Admin account and open an elevated command prompt.
    • Copy the extadsch.exe tool from the Configuration Manager installation media. It is available under SMSsetup\bin\x64 (the executable can also be run directly from the media).
    • Run the executable from the copied location.
    • Verify ExtADSch.log for details.
  • Using the LDIF file
    • Log in with a Schema Admin / Domain Admin account and open an elevated command prompt.
    • Copy "configmgr_ad_schema.ldf" to a local drive from SMSsetup\bin\x64 on the Configuration Manager media.
    • Edit the file to replace every instance of DC=x with "DC=test,DC=SCCMinfo,DC=com" (assuming here that the forest FQDN is "test.sccminfo.com").
    • Then run the command below to import the contents of this LDF file into Active Directory:
      • ldifde -i -f configmgr_ad_schema.ldf -v -j "%temp%"
    • Verify the log to check whether the schema was extended successfully.

Step 2 – Create the System Management container in Active Directory

  • Under the System container, create a container named "System Management", using an account that has permission to create objects there.
  • In the Properties of the "System Management" container, go to Security and give Full Control to the computer account of every site server.
  • Select the option to apply this to This object and all child objects.
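The two steps above, scripted as an added example (this is not code from the original post): it assumes the ActiveDirectory PowerShell module, a Schema Admin / Domain Admin session that can reach the schema master, a copy of configmgr_ad_schema.ldf at a placeholder path, and placeholder site server names.

```powershell
# Added example, not from the original post: scripted version of Step 1 (LDIF
# method) and Step 2. Assumptions: ActiveDirectory module installed, session
# runs as Schema Admin / Domain Admin, ldifde can reach the schema master
# (add -s <schema master> if the default DC is not it), and the LDF file was
# copied from the media to $LdfPath.
#Requires -Modules ActiveDirectory
param(
    [string]$LdfPath = 'C:\Temp\configmgr_ad_schema.ldf',   # placeholder path
    # Site server computer accounts that need Full Control on the container
    # (placeholder names; replace with your own site servers).
    [string[]]$SiteServers = @('CMPRI01', 'CMSEC01')
)
$ErrorActionPreference = 'Stop'

# Derive the forest root DN instead of hard-coding DC=test,DC=SCCMinfo,DC=com.
$rootDn = (Get-ADRootDSE).defaultNamingContext
Write-Host "Root DN: $rootDn"

# --- Step 1: replace every DC=x placeholder in the LDF and import it ----------
$patched = Join-Path (Split-Path $LdfPath -Parent) 'configmgr_ad_schema.patched.ldf'
(Get-Content $LdfPath) -replace 'DC=x', $rootDn | Set-Content $patched

# ldifde writes ldif.log / ldif.err into the -j directory; keep them for review.
$logDir = $env:TEMP
& ldifde.exe -i -f $patched -v -j $logDir
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed (exit code $LASTEXITCODE); see $logDir\ldif.log and ldif.err"
}

# --- Step 2: create CN=System Management under CN=System (idempotent) --------
$systemDn = "CN=System,$rootDn"
$smDn     = "CN=System Management,$systemDn"
$existing = Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase $systemDn -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

# Grant each site server's computer account Full Control on this object and all
# descendant objects (the "This object and all child objects" option in the GUI).
$acl = Get-Acl -Path "AD:\$smDn"
foreach ($server in $SiteServers) {
    $sid  = (Get-ADComputer -Identity $server).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$smDn" -AclObject $acl

# Verify: every site server should now show GenericAll with inheritance on the container.
(Get-Acl -Path "AD:\$smDn").Access |
    Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' } |
    Select-Object IdentityReference, InheritanceType
```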

Devices and clients that do not use the Active Directory schema:

  • macOS client computers
  • Mobile devices managed by the Exchange Server connector
  • Mobile devices enrolled by Configuration Manager
  • Mobile devices enrolled by Microsoft Intune
  • Mobile device legacy clients
  • Windows clients configured for internet-only client management
  • Windows clients that Configuration Manager detects to be on the internet

Active Directory classes and attributes for SCCM:

  • Classes
    • cn=MS-SMS-Management-Point
    • cn=MS-SMS-Roaming-Boundary-Range
    • cn=MS-SMS-Server-Locator-Point
    • cn=MS-SMS-Site
  • Attributes
    • cn=mS-SMS-Assignment-Site-Code
    • cn=mS-SMS-Capabilities
    • cn=MS-SMS-Default-MP
    • cn=mS-SMS-Device-Management-Point
    • cn=mS-SMS-Health-State
    • cn=MS-SMS-MP-Address
    • cn=MS-SMS-MP-Name
    • cn=MS-SMS-Ranged-IP-High
    • cn=MS-SMS-Ranged-IP-Low
    • cn=MS-SMS-Roaming-Boundaries
    • cn=MS-SMS-Site-Boundaries
    • cn=MS-SMS-Site-Code
    • cn=mS-SMS-Source-Forest
    • cn=mS-SMS-Version

Key information to note:

  • The Active Directory schema extension is a one-time activity and, once done, cannot be reversed.
  • Extending the Active Directory schema is not required, but if it is extended, Configuration Manager clients benefit from it.

Please share your feedback in the comment box.

Securing SCCM IIS Configuration and SCCM Management Point Configuration

Key points on securing IIS

Some roles in SCCM require IIS, and configuring IIS is an important task for any SCCM implementer, because enabling IIS components that are not required at all can put the SCCM infrastructure at risk of attack.

Here are the key points to consider while configuring IIS for SCCM roles:

  • Install and enable only the required IIS components.
  • Enable HTTPS for site system roles for their communication.
  • Set up a CTL (Certificate Trust List) in IIS.
  • Add to the CTL only the CAs (Certificate Authorities) that Configuration Manager uses to accept client communications.
  • Do not put IIS on the computer running the site server, because the site server's computer account has local admin rights on all computers that have site system roles installed.
  • Do not put any other web-based application on an IIS server used for Configuration Manager, because a poorly configured application opens a path for attackers to gain access to the Configuration Manager environment.
  • Use a custom website (a site-wide setting) if there is a genuine need to run other web applications on the same server.
  • When using a custom website, delete the default virtual directories.
  • Configure a custom header to disable MIME sniffing.
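As an added example (not from the original post), a read-only PowerShell audit of the IIS points above on a site system, with an optional -Fix for the MIME-sniffing header; it assumes the WebAdministration and ServerManager modules, and its list of components to flag is this example's own assumption.

```powershell
# Added example, not from the original post: read-only audit of the IIS points
# above, with an optional fix for the MIME-sniffing header. Assumptions: run
# elevated on the site system; WebAdministration and ServerManager modules present.
# $unneeded is this example's own choice; adjust it to the documented
# prerequisites of the roles installed on this server.
#Requires -Modules WebAdministration, ServerManager
param([switch]$Fix)
$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Installed IIS components: anything beyond what the role needs is attack surface.
$installed = Get-WindowsFeature -Name 'Web-*' | Where-Object Installed
Write-Host "Installed IIS features: $($installed.Name -join ', ')"
$unneeded = @('Web-Ftp-Server', 'Web-WebDAV-Publishing', 'Web-Mgmt-Service')
foreach ($f in $installed) {
    if ($unneeded -contains $f.Name) { $findings.Add("IIS component to review/remove: $($f.Name)") }
}

# 2. Bindings: every site should have an HTTPS binding; plain HTTP is a finding.
foreach ($site in Get-Website) {
    $protocols = @((Get-WebBinding -Name $site.Name).protocol)
    if ($protocols -notcontains 'https') { $findings.Add("Site '$($site.Name)' has no HTTPS binding") }
    if ($protocols -contains 'http')     { $findings.Add("Site '$($site.Name)' still listens on HTTP") }
}

# 3. Extra web applications: anything that is not a Configuration Manager
#    virtual directory widens the attack surface, so list them for manual review.
foreach ($site in Get-Website) {
    Get-WebApplication -Site $site.Name | ForEach-Object {
        Write-Host "Application under '$($site.Name)': $($_.path) -> $($_.PhysicalPath)"
    }
}

# 4. MIME sniffing: X-Content-Type-Options: nosniff should be set server-wide.
$filter = "system.webServer/httpProtocol/customHeaders/add[@name='X-Content-Type-Options']"
$hdr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter `
    -Name 'value' -ErrorAction SilentlyContinue
$hdrValue = if ($hdr -is [string]) { $hdr } else { $hdr.Value }
if ($hdrValue -ne 'nosniff') {
    $findings.Add('X-Content-Type-Options: nosniff is not configured')
    if ($Fix) {
        Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' `
            -Value @{ name = 'X-Content-Type-Options'; value = 'nosniff' }
        Write-Host 'Added X-Content-Type-Options: nosniff at server level'
    }
}

if ($findings.Count -eq 0) { Write-Host 'No findings' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```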

Key points on securing the management point

Securing the management point is very important, as it is the site system used for communication between clients and site servers.

  • It is a best practice to assign clients to a management point of the same site rather than a management point of another site.
  • When migrating from an earlier site to current branch, migrate the clients on the management point to the new site as soon as possible.

Please leave a comment for any suggestions or corrections.

Securing SCCM Site Server and SQL Server

Points on securing the site server installation

  • It is not required to install any of the Configuration Manager sites directly on a domain controller. Install the site on a member server, as Configuration Manager maintains local accounts in the local SAM (Security Account Manager) database. This helps prevent direct attacks on the domain controller.
  • Do not install a secondary site over the network; instead, run the secondary site installation with the option "Use source files at the following location on the secondary site computer" (most secure). Installing this way prevents the installation source files from being tampered with over the network before the installation starts.
  • Make sure the correct permissions are set on the root drive where the site server will be installed. This prevents normal users from modifying or accessing Configuration Manager content. By default, the site installation inherits permissions from the root drive.

Points on securing the SQL installation

It is very important to secure the SQL database, as all Configuration Manager content is stored in the SQL database on the back end. This helps prevent an attacker from gaining access to Configuration Manager.

  1. Make sure not to use the SQL database for any other application, since widening access to the database puts the Configuration Manager database at risk of attack.
  2. Always use Windows authentication mode for logging in to the database instead of mixed mode, as mixed mode always adds some attack surface.
  3. For a secondary site server, make sure to have the latest version of SQL Server Express, because when a secondary site is installed from the primary site it installs SQL Server Express from the previously downloaded version.

General requirements for the SQL Server installation:

  • The site server's computer account must be a member of the local Administrators group on the site database server.
  • If SQL Server is installed to run under a domain user account, make sure the SPN (Service Principal Name) for the SQL Server service is registered in Active Directory.

Please share your comments in the comment section to help us improve.

Key points to secure SCCM Site Server

Here are the key points to consider for securing Configuration Manager site administration:

  • Make sure to download the source files from a trusted location, and secure the network share where these source files are saved for the site installation.
  • Extending the Active Directory schema is not a requirement, but it provides a more secure environment for the SCCM infrastructure.
  • Communication between site system roles and SQL Server is not secured by default; to secure it, use either IPsec or SMB signing, so that data cannot be tampered with before clients download and use it.
  • At the time of site installation, the following security groups are created; changes to them should be prevented:
    • SMS_SiteSystemToSiteServerConnection_MP_<SiteCode>
    • SMS_SiteSystemToSiteServerConnection_SMSProv_<SiteCode>
    • SMS_SiteSystemToSiteServerConnection_Stat_<SiteCode>
  • In a non-Active Directory environment, the trusted root key must be managed properly by manual configuration, to reduce the risk of clients contacting an untrusted management point.
  • Non-default ports can be used to make it more difficult for an attacker to attack the Configuration Manager environment. If you decide to use non-default ports, plan them properly and apply them throughout the hierarchy.
  • Avoid installing all or most site systems on one computer, as it would become a single point of failure.
  • Configure static IP addresses, as they are easier to protect and more difficult to attack.
  • Do not allow installation of any other application that is not needed, to reduce the risk of attack.
  • Enable the signing and encryption options on the site.
  • Allow only a limited set of users to manage the site, with the required access only, and monitor them periodically.
  • Make sure to secure the Configuration Manager backup files, as they contain sensitive information that an attacker could use to exploit the environment.
  • Secure the network locations where you keep all Configuration Manager data, such as import/export objects, files, and package repositories.
  • Remember to remove certificates manually wherever site system roles are not working properly, need to be uninstalled to fix issues, etc., as this removes the trust that was established. (The affected site system server's certificate should be removed from the Trusted People certificate store on the other site systems.)
  • Do not configure site systems that communicate with both the intranet and the perimeter network, as that removes the boundary between intranet and internet.
  • By default, the site system initiates the connection to the site server; this is very risky when the site system is located on the perimeter network, which is an untrusted network. To avoid this, enable the option "Require the site server to initiate connections to this site system".
  • When supporting internet-based clients through a web proxy server, use SSL bridging to SSL with termination and authentication. Configuring SSL with termination allows packets from the internet to be inspected before they are forwarded to the internal network.

Please share your comments in the comment box.

MPList for Configuration Manager Client

MPList

The MP list is simply a list of management points, ordered by priority, that the Configuration Manager client identified earlier. It is the list the client uses as its preferred source for service location when finding a management point. The list is built based on the network location in which the client resides, and it is stored in WMI on the local computer.

There are two types of MP list, described below.

Building the initial MP list – this list is built in the following order:

  • First, it includes the management point found at the time of client installation.
  • The client then looks in AD DS (Active Directory Domain Services) for published management points.
  • If the client does not find an MP by the above two approaches, it checks DNS and WINS.
  • Information about some other management points might not be in this list.

Organizing the MP list – the list is prioritized in the following order:

  • Proxy – the management point at a secondary site.
  • Local – the management point defined by the boundary group or by the assigned site.
  • Assigned – any management point of a site system in the client's assigned site.

Selecting the management point to use

In general, clients use management points in the following order, according to the current network location they fall into:

  1. Proxy management point
  2. Local management point
  3. Assigned management point

However, for management point registration and certain policy messages the client uses the assigned management point only; other communication is sent to the proxy and local management points.

The client always tries to connect over a secure HTTPS connection if the client is enabled for HTTPS.

Key note:

Once the client has found an MP, it continues to use the same one until:
  • 25 hours have passed.
  • The client is unable to connect to the MP for five tries over a period of 10 minutes.

Please give your feedback on this information in the comment box.

SCCM Management Point

Key information on how the Configuration Manager client looks for a management point (MP)

  • The very first time, the Configuration Manager client selects the default management point when it is assigned to a primary site.
  • The client selects the preferred management point based on the configured boundary group and its current network location.
  • This default management point becomes the preferred management point. At the time of client installation, a command-line option can also be used to set the preferred management point.
  • The client always uses the preferred management point before any other management point if the preferred management point setting is enabled for the hierarchy.
  • Management point affinity can be used to allow clients to use one or more management points over the preferred management point.
  • At the time of installation the client stores the initial MP list in WMI.
  • Whenever the client needs to contact a management point, it first checks the MP list.
  • This MP list is updated periodically.
  • When the client does not find a valid MP, it searches, in order, the management point, AD DS, DNS, and WINS.
  • When the client finds a valid management point through this process, it updates the local MP list.

Let us know in the comment box whether this information was useful.

Understanding service location information in Configuration Manager

Here we are going to see the key points on how clients find their site, resources, and services.

  • Clients use a process called service location to find the site systems with which they communicate.
  • Through this service location process, they find the core and other site systems for the services and resources they will use.
  • A site system could be a management point, software update point, or distribution point.
  • Service location uses the current network location, protocol preference, and assigned site to determine the management point assigned to the client.
  • The client communicates with the management point to get the list of available MPs (the MP list) and to upload inventory and status data.
  • It downloads the policies that contain the deployment schedules of applications and software updates.
  • Clients also request from the management point information about other site systems, such as the distribution point and software update point, for the respective services.
  • Clients make a service location request every 25 hours.
  • If there is any change in the network, the client makes a service location request.
  • When the ccmexec.exe service starts or restarts on the client computer, it also sends a service location request.
  • And whenever the client must find the respective site system for a service.

Please tell us in the comment section whether this information was useful.

How data transfer between sites in SCCM hierarchy

Configuration Manager uses the following types of replication to transfer data between sites in the hierarchy:

  1. File-based replication
  2. Database replication

Let us talk about these two types of replication in brief.

File-based replication

Configuration Manager uses this type of replication to transfer data such as the source content of packages and applications that must be sent to distribution points in other sites. It also transfers unprocessed discovery data to primary sites.

It uses the SMB (Server Message Block) protocol on TCP port 445 and has the following settings to control the transfer process:


  • File replication route
  • File replication account
  • Schedule
  • Rate limits
  • Sender
  • Routes between secondary sites
  • Maximum concurrent sendings
  • Retry settings

Database replication

In this method, database replication uses SQL Server to transfer data from site to site; the data is merged with the data received from other sites so that all sites share the same data set.

Points on this method of replication:

  • Database replication is set up automatically when any site is installed in the hierarchy.
  • After the site installation finishes, replication starts automatically.
  • It uses SSB (SQL Server Service Broker) on TCP port 4022 to replicate changes.

Database replication classifies data into the following two categories:

  1. Global data
  2. Site data

Global data

This data includes objects created by administrators at either the central administration site or a primary site. It includes software updates, software deployments, collection definitions, and role-based security scopes. Secondary sites receive only a subset of this data.

Site data

This data includes information generated by a primary site or its assigned clients, which is then replicated to the CAS. It includes hardware inventory, status messages, alerts, and query-based collection results.

Database replication has the following configuration settings to control replication:

  • Database replication links
  • Distributed views – these can be used to choose replication links
  • Schedule for transfer of data
  • Summarization of traffic
  • Database replication thresholds
  • Site database replication controls

Please leave your comments in the comment box.

Understanding basic fundamentals of content management in SCCM

Managing content and its distribution or replication in Configuration Manager is one of the important factors, as deployments of software such as operating systems, applications, and software updates have content that needs to be distributed or replicated across the LAN and WAN locations in the organization. That content can be large, so its distribution and replication put a burden on network bandwidth and can cause impact during production hours for many organizations. For this reason it is very important to understand the basic concepts and fundamentals of content management.

Here we list the options that help in optimizing content distribution, and then look at some of them in brief:


  • Bandwidth throttling and scheduling
  • Binary differential replication
  • Delta replication
  • Peer cache technology
    • BranchCache
    • Delivery Optimization
    • Configuration Manager peer cache
    • Microsoft Connected Cache
    • Peer cache
    • Windows PE peer cache
  • Windows LEDBAT
  • Client locations
  • Content source priority
  • Content library
  • Distribution points
  • Distribution point groups
  • On-demand content distribution
  • Package transfer manager
  • Prestaged content
  • Fallback
  • Network bandwidth

Bandwidth throttling and scheduling

Both of these built-in options help control network bandwidth when a large amount of content is being transferred over the network. These settings are available on the distribution point, where you can configure when and how content should be transferred.

 

Binary differential replication

This method looks only for changes within a file and transfers only those changes, which saves time and network bandwidth. It works at the block level within the file. It is always enabled for applications but optional for legacy packages. If the file is already available on the distribution point and only the changes need to be transferred, this option should be used.

Delta replication

This works at the file level. If new files are added to a package, only those files are transferred with delta replication. This option is on by default and is not configurable.

BranchCache

This is a built-in Windows feature from Windows Server 2012 onward. With this feature enabled, the first BranchCache-enabled client that gets content from a BranchCache-enabled server downloads the content and caches it. Later, when any other client on the same subnet requests the same content, it contacts that first BranchCache-enabled client and gets the content from it instead of from the distribution point. The content thus gets distributed across multiple clients on that subnet.

 

Delivery Optimization

This is a cloud-based peer-to-peer service for sharing content between Windows 10 devices, and it is recommended for optimizing the delivery of Windows 10 updates.

Microsoft Connected Cache

A distribution point can be enabled as a Microsoft Connected Cache to cache content for Delivery Optimization; instead of clients enabled for Delivery Optimization downloading content from the internet, they download the same content from the local distribution point that has it cached, saving WAN bandwidth.

Peer cache

Enabling peer cache for clients helps clients in remote sites that are connected over low network bandwidth. After Peer Cache is enabled on a collection, clients cache the content and then share it with other clients in the same boundary group or subnet.

 

Windows PE peer cache

This helps clients that are receiving a new operating system via a task sequence to get the required content from a peer cache source instead of downloading it from the distribution point. This helps reduce WAN traffic.

Please share your comments on this topic.

Quick points on Site Database for Configuration Manager

Placing the databases for the sites in a Configuration Manager hierarchy is one of the most important tasks of the planning and design phase.

Below are the quick points to be considered:


  • The site database is a server running a supported version of SQL Server that hosts the database storing Configuration Manager information.
  • The site database can be on the site server, or it can be hosted on a remote server.
  • On the central administration site and primary sites, the full version of SQL Server should be installed.
  • On a secondary site, SQL Server Express can be installed instead of the full version.
  • Make sure there is high bandwidth, high availability, and speed between the site server and the remote server where you decide to host the database, as some site servers and site systems constantly talk to the database server.
  • For a SQL Always On availability database, the recovery model needs to be set to full.
  • For a non-availability database, the recovery model needs to be set to simple.
  • The default instance of SQL Server can be used.
  • The SQL Server must be a member of a domain that has a two-way trust with the domains of all site servers and computers running the SMS Provider.
  • A SQL failover cluster cannot be used when the database is on the site server.
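As an added example (not from the original post), a PowerShell check of the recovery-model points above together with the SQL points from the "Securing SCCM Site Server and SQL Server" post (Windows authentication only, no other applications on the site database); it assumes the SqlServer module, a placeholder instance name, and that the site database name starts with CM_.

```powershell
# Added example, not from the original post. Assumptions: SqlServer module
# installed, Windows authentication works against $Instance (placeholder name),
# and the site database name starts with CM_.
#Requires -Modules SqlServer
param([string]$Instance = 'CMSQL01')   # placeholder; use your site database server
$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Authentication mode: IsIntegratedSecurityOnly = 1 means Windows auth only.
$srv = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WinOnly,
       CAST(SERVERPROPERTY('IsHadrEnabled') AS int)            AS HadrEnabled
"@
Write-Host "Instance $Instance - Always On enabled: $($srv.HadrEnabled -eq 1)"
if ($srv.WinOnly -ne 1) {
    $findings.Add('Mixed-mode authentication is enabled; switch the instance to Windows authentication only.')
}

# 2. Recovery model of each site database versus availability group membership:
#    FULL is required inside an availability group, SIMPLE otherwise.
$dbs = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT name, recovery_model_desc,
       CASE WHEN group_database_id IS NULL THEN 0 ELSE 1 END AS InAvailabilityGroup
FROM sys.databases
WHERE name LIKE 'CM[_]%'
"@
if (-not $dbs) { $findings.Add("No CM_ database found on $Instance") }
foreach ($db in $dbs) {
    $expected = if ($db.InAvailabilityGroup -eq 1) { 'FULL' } else { 'SIMPLE' }
    if ($db.recovery_model_desc -ne $expected) {
        $findings.Add("$($db.name): recovery model is $($db.recovery_model_desc), expected $expected")
    }
}

# 3. Other user databases on the same instance: the site database server should
#    not be shared with unrelated applications, so list each one for review.
$others = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT name FROM sys.databases
WHERE database_id > 4 AND name NOT LIKE 'CM[_]%'
"@
foreach ($o in $others) { $findings.Add("Additional database on the site instance, review: $($o.name)") }

if ($findings.Count -eq 0) { Write-Host "No findings for $Instance" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```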

Please share your valuable comments.