Yesterday afternoon I attended a meeting of MSII – the Melbourne Security and Infrastructure Interchange – at Microsoft’s Melbourne offices in Freshwater Place.
The topic was using Desired Configuration Management (DCM) in System Center Configuration Manager 2007, and was presented by Andrew McMurray, who is a Presales Technician with the System Center Group.
Coming from a Novell environment, I don’t have much experience with Microsoft’s range of system management tools (OK, make that NO experience beyond WSUS), but we are in the process of implementing a fairly comprehensive set of systems to support our migration away from Windows XP, and SCCM 2007 is destined to be part of the management array (while the Novell apps slowly wither and die). So it was particularly interesting for me to hear some of the things you can make SCCM do for you.
DCM is something particularly close to any sysadmin’s heart – how can you track changes to your systems, either done by you or by other people? If you have an idea of best practice, how can you tell whether you’re adhering to it? If you don’t have a clue what best practice is, where do you start? DCM in SCCM 2007 is one of those features which sounds like a silver bullet to all those problems, and it is, while at the same time being anything but.
The problem with workflow-based management systems is that the workflows you’re interested in are almost always going to be specific to your environment, so you can’t look at DCM with its ability to create a myriad array of configuration items and baselines and compliance reports and say “Aha, I shall install this then swan off to the beach, as my work here is done.” No, it’s like setting up SharePoint or any other application for which iceberg imagery applies; the vast bulk of the work lies with the organisation (i.e. you) to supply DCM with the necessary information and guidelines which turn it into a rich and powerful compliance and reporting system.
Some of the topics Andrew covered which I particularly liked were:
- using DCM to track changes on servers – essentially tracking their “drift” from the initial setup and configuration. It’s so easy to make changes and not keep proper track of them, especially when you’re under the pump – this gives you the peace of mind that at least SOMETHING is paying attention
- keeping track of changes on users’ workstations – it might be company policy to allow users to change their systems, but at least when they ring claiming that it’s “just stopped working and I haven’t changed anything honestly really and truly”, your helpdesk can let the waffle vanish into the ether while scanning the list of inventoried changes. Heh heh heh…
- creating baselines for operating systems and core applications. The heart of a good SOE is consistency and while it’s tempting to make small changes to circumvent minor issues so that you can get on with more important tasks, you can end up creating a cascade of problems which come back to bite you. Create intelligent yet flexible baselines which force you to think about and properly consider any proposed changes, and you’ll save yourself and your users a lot of heartache and frustration
Of course there’s plenty more which DCM can do, so if you don’t have it already installed you can get a free trial from the SCCM 2007 homepage. There’s also a publicly-available VHD of SCCM 2007 R2.
One of the very nice things about DCM is that in spite of the large amount of work required to get it up and running, Microsoft and various partners are on hand to give you a kick-start with Configuration Packs. Configuration Packs contain configuration baselines and settings for all sorts of systems – server and client operating systems, server applications, backup applications and so on. They’re signed, which means you can’t edit them, but you can use them as a parent configuration baseline to which custom child configuration items are bound, or you can simply duplicate them and go nuts customising them for your own environment. Some or all of the configuration packs developed by Microsoft are free, depending on your license agreement. Third-party packs come at a cost. If you’re really dedicated you can even develop your own.
Grab the slide deck of the presentation here.
Oh, and if you’re a Windows admin based in Melbourne, come along to the next MSII meeting. The talks are always good and there’s pizza…
