Collaboration. The idea that we are better when we work together. Isn't that something we often hear about, especially in IT? Well kids, I'm here to say it AGAIN! Within Microsoft, 'collaboration' and working with others across boundaries is critical given the breadth and depth of our technologies. In fact, management has made collaboration one of the key criteria of our annual reviews within the PFE org.
In this post, I've lined out how to collaborate the use of one of the features of System Center Configuration Manager (SCCM) to keep tabs on your settings and configurations across your Windows systems while you sleep.
Now, I'm a Platforms guy and this is a Platforms blog but OH! how I love thee, Desired Configuration Management (a super-cool facet of SCCM). To keep me honest, I collaborated w/ a peer PFE whose focus is Configuration Manager, aka ConfigMan. He promised to make sure I'm not tellin' tales outside of school.
I'll walk you through using System Center Configuration Manager's Desired Configuration Management (DCM) to keep tabs on the critical configurations set on your server fleet:
First, a quick bit about Desired Configuration Management – DCM (http://technet.microsoft.com/library/gg681958.aspx)
DCM is designed around the idea of individual settings (called Configuration Items or CIs) combined into sets of settings (called Configuration Baselines or CBs) which are then 'deployed' to members of a 'Collection' within SCCM. Configuration Items in DCM have built-in versioning so if you change a setting, there is a whole UI dedicated to reviewing/comparing past and current values of settings, including export, restore, etc. This is known as 'Revision History' and is just one more of the really cool and powerful pieces of this DCM business.
You might create a common collection of settings that are universal to all your Windows Server systems, then layer on top of that common base, OS-specific settings and lastly, app-/role-/feature- specific settings. This is but one way of doing it - you might have a different idea for how you'd design the solution.
Step One – define the target settings and values.
\NTDS\Parameters\Global Catalog Promotion Complete
NTDS – GC Ready?
\NTDS\Parameters\DSA Working Directory
NTDS - AD DIT path
\NTDS\Parameters\Database log files path
NTDS - AD Log path
NTDS - SYSVOL path
\NTDS\Diagnostics\15 Field Engineering
4 or 5
NTDS - LDAP search logging
\NTDS\Diagnostics\6 Garbage Collection
NTDS - Whitespace logging
NTDS - Netlogon logging
NTDS - SYSVOL status
Step Two – Setup your DCM folder hierarchy and storage view/structure
Step Three – Create your CIs
Step Four – Create your Configuration Baseline(s)
Step Five – Deploy your Configuration Baseline(s)
Step Six – Pick-up sticks. Then, after your ConfigMan infrastructure and Agents have refreshed, you can check the individual systems and get a nice local Compliance Report and/or use the CM Console/Reporting
I really love the DCM piece of Config Manager and the 2012 UI and Wizards make it soooo easy even I can do it.
What settings do you watch? How do you watch them today? Do you have experience using DCM?
Happy trails and I'll see you out there on the march towards a 'well-managed infrastructure.'