Collaboration. The idea that we are better when we work together. Isn't that something we often hear about, especially in IT? Well kids, I'm here to say it AGAIN! Within Microsoft, 'collaboration' and working with others across boundaries is critical given the breadth and depth of our technologies. In fact, management has made collaboration one of the key criteria of our annual reviews within the PFE org.
In this post, I've laid out how to use one of the features of System Center Configuration Manager (SCCM) to keep tabs on your settings and configurations across your Windows systems while you sleep.
Now, I'm a Platforms guy and this is a Platforms blog but OH! how I love thee, Desired Configuration Management (a super-cool facet of SCCM). To keep me honest, I collaborated with a peer PFE whose focus is Configuration Manager, aka ConfigMan. He promised to make sure I'm not tellin' tales outside of school.
I'll walk you through using System Center Configuration Manager's Desired Configuration Management (DCM) to keep tabs on the critical configurations set on your server fleet:
First, a quick bit about Desired Configuration Management – DCM (http://technet.microsoft.com/library/gg681958.aspx)
DCM is designed around the idea of individual settings (called Configuration Items or CIs) combined into sets of settings (called Configuration Baselines or CBs) which are then 'deployed' to members of a 'Collection' within SCCM. Configuration Items in DCM have built-in versioning so if you change a setting, there is a whole UI dedicated to reviewing/comparing past and current values of settings, including export, restore, etc. This is known as 'Revision History' and is just one more of the really cool and powerful pieces of this DCM business.
You might create a common collection of settings that are universal to all your Windows Server systems, then layer OS-specific settings on top of that common base, and lastly app-, role-, or feature-specific settings. This is but one way of doing it - you might have a different idea for how you'd design the solution.
Step One – define the target settings and values.
Registry setting (under the NTDS service key)       | Target value | CI name
\NTDS\Parameters\Global Catalog Promotion Complete  |              | NTDS – GC Ready?
\NTDS\Parameters\DSA Working Directory              |              | NTDS - AD DIT path
\NTDS\Parameters\Database log files path            |              | NTDS - AD Log path
                                                    |              | NTDS - SYSVOL path
\NTDS\Diagnostics\15 Field Engineering              | 4 or 5       | NTDS - LDAP search logging
\NTDS\Diagnostics\6 Garbage Collection              |              | NTDS - Whitespace logging
                                                    |              | NTDS - Netlogon logging
                                                    |              | NTDS - SYSVOL status
Step Two – Set up your DCM folder hierarchy and storage view/structure
Step Three – Create your CIs
Step Four – Create your Configuration Baseline(s)
Step Five – Deploy your Configuration Baseline(s)
Step Six – Pick-up sticks. Then, after your ConfigMan infrastructure and agents have refreshed, you can check the individual systems and get a nice local Compliance Report, and/or use the CM Console/Reporting.
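As an added example (not code from the original post, from the PFE team, or from Configuration Manager itself), here is a PowerShell script that does locally what the registry-based CIs from Step One do once deployed in a baseline: it reads each target value on a domain controller and reports compliant/non-compliant per CI, read-only, the same "monitor, don't remediate" posture DCM uses by default. It is handy for sanity-checking your target values on one DC before you build the CIs and the baseline in Steps Three through Five. Assumptions not stated in the post: the keys live under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS, only the rows that the Step One list gives a registry path for are included, and every Expected value other than the post's "4 or 5" is a constructed sample target that you would replace with your own standard.

```powershell
# Added example, not part of the original post or of ConfigMgr.
# Reads the registry values behind the Step One CIs on the local DC and
# reports compliance per CI. Read-only: nothing is remediated.
#
# Assumptions (not stated in the post):
#  - the keys live under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS
#  - every Expected value except '4 or 5' is a constructed sample target

$NtdsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# One entry per CI. Expected may be a scalar or an array meaning "any of these".
$DesiredSettings = @(
    @{ Name = 'NTDS - GC Ready?';           Key = "$NtdsRoot\Parameters";  ValueName = 'Global Catalog Promotion Complete'; Expected = 1 }             # constructed
    @{ Name = 'NTDS - AD DIT path';         Key = "$NtdsRoot\Parameters";  ValueName = 'DSA Working Directory';            Expected = 'D:\NTDS' }     # constructed
    @{ Name = 'NTDS - AD Log path';         Key = "$NtdsRoot\Parameters";  ValueName = 'Database log files path';          Expected = 'E:\NTDSLogs' }  # constructed
    @{ Name = 'NTDS - LDAP search logging'; Key = "$NtdsRoot\Diagnostics"; ValueName = '15 Field Engineering';             Expected = @(4, 5) }       # from the post
    @{ Name = 'NTDS - Whitespace logging';  Key = "$NtdsRoot\Diagnostics"; ValueName = '6 Garbage Collection';             Expected = 1 }             # constructed
)

function Test-DesiredSetting {
    # Evaluates one CI definition and returns a single result object.
    param([Parameter(Mandatory=$true)][hashtable]$Setting)

    $exists = $false
    $actual = $null
    try {
        # -ErrorAction Stop turns a missing key or value name into a catchable error
        $item   = Get-ItemProperty -Path $Setting.Key -Name $Setting.ValueName -ErrorAction Stop
        $actual = $item.($Setting.ValueName)
        $exists = $true
    } catch {
        # leave $exists = $false; a missing value is reported as non-compliant
    }

    $allowed   = @($Setting.Expected)
    $compliant = $exists -and ($allowed -contains $actual)

    [pscustomobject]@{
        CI        = $Setting.Name
        Value     = '{0}\{1}' -f $Setting.Key, $Setting.ValueName
        Expected  = $allowed -join ' or '
        Actual    = $(if ($exists) { $actual } else { '<missing>' })
        Compliant = $compliant
    }
}

function Get-DcmStyleComplianceReport {
    # Evaluates every CI, like the per-CI rows of the local compliance report.
    param([hashtable[]]$Settings = $DesiredSettings)
    foreach ($s in $Settings) { Test-DesiredSetting -Setting $s }
}

$results = Get-DcmStyleComplianceReport
$results | Format-Table CI, Expected, Actual, Compliant -AutoSize

# Single summary value, usable as the output of a script-based CI's discovery
# script: set that CI's compliance rule to "value equals Compliant".
if (@($results | Where-Object { -not $_.Compliant }).Count -gt 0) { 'NonCompliant' } else { 'Compliant' }
```

Run it in an elevated PowerShell on the DC you intend to target. Each row maps one-to-one to a registry-type CI (key, value name, expected value), so once the Actual column matches what you expect, you can transcribe the same key/value/expected triples into the CI wizard. The trailing summary line is the shape a script-type CI expects: the discovery script emits one value and the compliance rule compares it, which is a useful way to bundle several related checks into one CI when the built-in registry setting type is not flexible enough (for example, the "4 or 5" case, which the script expresses as an allowed set).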
I really love the DCM piece of Config Manager and the 2012 UI and Wizards make it soooo easy even I can do it.
What settings do you watch? How do you watch them today? Do you have experience using DCM?
Happy trails and I'll see you out there on the march towards a 'well-managed infrastructure.'
Awesome article mate! Such a vast array of possibilities using DCM..... :-)
Adrian - glad you liked it. DCM is one of my favorite aspects of SCCM.
Nice post. Check this post that I wrote on DCM - prajwaldesai.com/sccm-2012-compliance-settings
Prajwal - thanks for the link to your post.
I'd like to call out two points from your post. First, there are some SCCM infrastructure pieces that need to be enabled/set up on the back end. For one, the SCCM Agent on the target systems must have the DCM "pieces" turned on - known as 'Compliance Evaluation'.
You also present an example of downloading and importing a Configuration Pack with pre-defined rules, reports, etc. This is a great example of how to use a pre-canned ConfigPack.
Great post Michael.
I love this new DCM, but never really played with it before now. Does anyone know if it's possible to set up a Baseline that prevents the installation of a certain hotfix? I want to be able to easily exclude hotfixes that cause issues with software without having to manually track them and exclude them in Windows Update, or if there is another easy way to do this then please suggest.
Gareth - thanks for the comment. Unfortunately, I'm not an expert in DCM (or SCCM for that matter) so I am not much help here. I'd bet there's a way to prevent folks from using SCCM to deploy a certain patch but that wouldn't prevent an Admin from manually downloading and installing a given patch.
For that, you could likely use AppLocker to 'block' the specific EXE/MSU for a given patch?
Michael, Great post. Thanks a Lot.
Can the locally-rendered HTML report that is generated as a result of the evaluation be modified to include additional columns of information, such as the total number of rules and not just those that fail? If so, how?