
Infrastructure Planning
and Design

Microsoft® System Center Configuration Manager 2007 R3 and Forefront® Endpoint Protection

Version 2.0

Published: October 2008

Updated: July 2011

For the latest information, please see www.microsoft.com/ipd

Solution Accelerators microsoft.com/technet/SolutionAccelerators



Copyright © 2011 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Active Directory, Forefront, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries and regions.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.



Microsoft System Center Configuration Manager 2007 R3 and FEP 45

Contents

The Planning and Design Series Approach 1

Introduction to the Microsoft System Center Configuration Manager 2007 R3 and Forefront Endpoint Protection Guide 3

Step 1: Define the Project Scope 8

Step 2: Determine Which Roles Will Be Deployed 14

Step 3: Determine the Number of Sites Required 18

Step 4: Design the Sites 20

Step 5: Determine the Number of Hierarchies Required 31

Step 6: Design Each Hierarchy 32

Step 7: Design the Forefront Endpoint Protection Integration 33

Conclusion 37

Appendix A: Client Population Job Aid 38

Appendix B: Number of Configuration Manager Sites and Hierarchies Requirements Job Aid 40

Appendix C: Forefront Endpoint Protection Integration Job Aid 41

Appendix D: Forefront Endpoint Protection Fringe Scenarios 42

Appendix E: IPD in Microsoft Operations Framework 4.0 43

Appendix F: System Center Configuration Manager and Forefront Endpoint Protection in Microsoft Infrastructure Optimization 44

Version History 45

Acknowledgments 46




The Planning and Design Series Approach

This guide is one in a series of planning and design guides that clarify and streamline the planning and design process for Microsoft® infrastructure technologies.

Each guide in the series addresses a unique infrastructure technology or scenario. These guides include the following topics:

· Defining the technical decision flow (flow chart) through the planning process.

· Describing the decisions to be made and the commonly available options to consider in making the decisions.

· Relating the decisions and options to the business in terms of cost, complexity, and other characteristics.

· Framing the decision in terms of additional questions to the business to ensure a comprehensive understanding of the appropriate business landscape.

The guides in this series are intended to complement and augment the product documentation. It is assumed that the reader has a basic understanding of the technologies discussed in these guides. It is the intent of these guides to define business requirements, then align those business requirements to product capabilities, and design the appropriate infrastructure.

Benefits of Using This Guide

Using this guide will help an organization to plan the best architecture for the business and to deliver the most cost-effective Microsoft System Center Configuration Manager 2007 R3 and Forefront® Endpoint Protection (FEP) infrastructure.

Benefits for Business Stakeholders/Decision Makers:

· Most cost-effective design solution for an implementation. Infrastructure Planning and Design (IPD) eliminates over-architecting and overspending by precisely matching the technology solution to the business needs.

· Alignment between the business and IT from the beginning of the design process to the end.

Benefits for Infrastructure Stakeholders/Decision Makers:

· Authoritative guidance. Microsoft is the best source for guidance about the design of Microsoft products.

· Business validation questions to ensure the solution meets the requirements of both business and infrastructure stakeholders.

· High-integrity design criteria that include product limitations.

· Fault-tolerant infrastructure, where necessary.

· Proportionate system and network availability to meet business requirements.

· Infrastructure that is sized appropriately to meet business requirements.

Benefits for Consultants or Partners:

· Rapid readiness for consulting engagements.

· Planning and design template to standardize design and peer reviews.

· A “leave-behind” for pre- and post-sales visits to customer sites.

· General classroom instruction/preparation.


Benefits for the Entire Organization:

Using this guide should result in a design that will be sized, configured, and appropriately placed to deliver a solution for achieving stated business requirements, while considering the performance, capacity, manageability, and fault tolerance of the system.


Introduction to the Microsoft System Center Configuration Manager 2007 R3 and Forefront Endpoint Protection Guide

This guide leads the reader through the process of planning a System Center Configuration Manager infrastructure and, optionally, a Forefront Endpoint Protection (FEP) infrastructure. The guide presents both products together because FEP requires an operational Configuration Manager infrastructure as its foundation. The guide addresses the following fundamental decisions and tasks:

· Identifying which Configuration Manager and FEP capabilities will be needed.

· Designing the components, layout, security, and connectivity of the Configuration Manager infrastructure.

· Designing the components and the dependencies that FEP requires.

Business objectives should be prioritized at the start of the project so that they are clearly understood and agreed on by IT and business managers.

Following this guide should result in a design that is sized, configured, and appropriately placed to deliver the stated business benefits, while considering the user experience, security, manageability, performance, capacity, and fault tolerance of the system.

The guide addresses the scenarios most likely to be encountered by someone designing a Configuration Manager infrastructure, with or without FEP functionality. An existing Configuration Manager infrastructure may be used in lieu of designing one specifically for FEP, as long as it supports the FEP design outlined in this guide.

Customers should consider having their architecture reviewed by Microsoft Customer Service and Support prior to implementation because that organization is best able to comment on the supportability of a particular design.

What’s New in System Center Configuration Manager 2007 R3 and Forefront Endpoint Protection

This guide has been revised to include these new enhancements in Configuration Manager 2007 R3 that may affect the infrastructure choices and design:

· Enhanced scalability and performance. Increased number of supported clients to 100,000 per primary site and 300,000 per entire hierarchy.

· Power management. Provides a set of tools that enable the site administrator to configure standard Windows® power settings across computers.

· Operating system deployment improvements. Provides prestaging of boot images and Windows Imaging Format (.wim) files on new computers, enabling the administrator to apply a task sequence to the device that can use the prestaged media.

· Dynamic collection evaluation. Enables rapid evaluation of a collection membership by adding only newly discovered resources.

· Active Directory Delta Discovery. Performs an intermediate discovery cycle that adds only new resources to the Configuration Manager 2007 database.

· Simplified resource management. Enables searching for and adding resources to a specified collection.

· Desired configuration management. Enables creation of a collection of compliant or noncompliant computers in desired configuration management.

In addition, this guide contains new material about designing a Forefront Endpoint Protection infrastructure. FEP uses Configuration Manager’s capabilities to perform tasks such as deploying antimalware clients, enforcing security policies on endpoints, managing devices, and alerting administrators to events related to FEP.

Assumptions

To limit the scope of material in this guide, the following assumptions have been made:

· The design being created is for Configuration Manager 2007 R3 and/or Forefront Endpoint Protection.

· Active Directory® Domain Services (AD DS) is already designed. For assistance in designing AD DS, see the Infrastructure Planning and Design Guide for Windows Server 2008 and Windows Server 2008 R2 Active Directory Domain Services at http://go.microsoft.com/fwlink/?LinkId=157704.

System Center Configuration Manager 2007 R3 and Forefront Endpoint Protection Design Process

This guide addresses the following decisions and activities that must occur in planning the design for a functional infrastructure. The seven steps that follow represent the most critical design elements in a well-planned Configuration Manager and Forefront Endpoint Protection design:

· Step 1: Define the Project Scope

· Step 2: Determine Which Roles Will Be Deployed

· Step 3: Determine the Number of Sites Required

· Step 4: Design the Sites

· Step 5: Determine the Number of Hierarchies Required

· Step 6: Design Each Hierarchy

· Step 7: Design the Forefront Endpoint Protection Integration


Figure 1 provides a graphic overview of the steps involved in designing a Configuration Manager infrastructure.

Figure 1. The Configuration Manager and Forefront Endpoint Protection infrastructure decision flow

Figure 2 is a graphical representation of one Configuration Manager and FEP implementation. Note that the figure does not provide a comprehensive view of all possible options; rather, it is a single representation that shows the architectural items that must be considered for each Configuration Manager and FEP design.

Figure 2. Example Configuration Manager and FEP architecture

The components can be designed in many ways. Figure 2 shows the components in one implementation for illustrative purposes only.

A Configuration Manager instance can include three types of sites:

· Central site. There is one central site, which is the top of the site hierarchy. If there is only one site in the hierarchy, that site is both a central site and a primary site. This site requires a site server and a site database.

· Primary sites. These sites report up to either the central site or another primary site; there can be an unlimited number of tiers of primary sites. Each primary site requires a site server and a site database.

· Secondary sites. Each secondary site reports up to one primary site. A secondary site requires a site server but not a database.
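The site-type rules above, together with the client limits stated under "What's New" (100,000 clients per primary site, 300,000 per hierarchy), can be checked mechanically before a design review. The following checker is an added example and is not part of the IPD guide or the product; the `Site` class, the site codes and the client counts are constructed for illustration, and the assumption that clients are assigned only to central and primary sites is the author's, not a statement from the guide.

```python
# Added example (not from the IPD guide): validate a proposed Configuration Manager
# 2007 R3 site layout against the guide's site-type rules and stated client limits.
from dataclasses import dataclass
from typing import Optional

MAX_CLIENTS_PER_PRIMARY = 100_000    # limit per primary site stated in the guide
MAX_CLIENTS_PER_HIERARCHY = 300_000  # limit per hierarchy stated in the guide

@dataclass
class Site:
    code: str                     # site code, e.g. "CEN" (constructed values)
    kind: str                     # "central", "primary" or "secondary"
    parent: Optional[str] = None  # site code this site reports to
    clients: int = 0              # assigned clients (assumed 0 for secondary sites)

def validate_hierarchy(sites: list) -> list:
    """Return the rule violations found; an empty list means the layout passes."""
    by_code = {s.code: s for s in sites}
    problems = []
    centrals = [s for s in sites if s.kind == "central"]
    if len(centrals) != 1:
        problems.append(f"expected exactly one central site, found {len(centrals)}")
    for s in sites:
        parent = by_code.get(s.parent) if s.parent else None
        if s.parent and parent is None:
            problems.append(f"{s.code}: parent site {s.parent} does not exist")
        if s.kind == "central":
            if s.parent:
                problems.append(f"{s.code}: the central site is the top of the hierarchy")
        elif s.kind in ("primary", "secondary"):
            # primary sites report to the central site or another primary site;
            # a secondary site reports to exactly one primary (or central) site
            if parent is None or parent.kind not in ("central", "primary"):
                problems.append(f"{s.code}: a {s.kind} site must report to a primary site")
        else:
            problems.append(f"{s.code}: unknown site kind {s.kind!r}")
        if s.kind == "secondary" and s.clients:
            problems.append(f"{s.code}: secondary sites have no database or assigned clients")
        if s.kind in ("central", "primary") and s.clients > MAX_CLIENTS_PER_PRIMARY:
            problems.append(f"{s.code}: {s.clients} clients exceeds the per-site limit")
    total = sum(s.clients for s in sites)
    if total > MAX_CLIENTS_PER_HIERARCHY:
        problems.append(f"hierarchy: {total} clients exceeds the per-hierarchy limit")
    return problems

# Constructed sample layouts; site codes and client counts are made up.
VALID_LAYOUT = [Site("CEN", "central", clients=20_000), Site("PR1", "primary", "CEN", 90_000),
                Site("PR2", "primary", "PR1", 60_000), Site("SC1", "secondary", "PR2")]
OVERSIZED_LAYOUT = [Site("CEN", "central", clients=150_000), Site("PR1", "primary", "CEN", 100_000),
                    Site("PR2", "primary", "CEN", 100_000), Site("SC1", "secondary", "SC1")]
```

`validate_hierarchy(OVERSIZED_LAYOUT)` reports the oversized central site, the secondary site that reports to itself, and the hierarchy total of 350,000 clients.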

A FEP instance can be integrated into Configuration Manager in the following ways:

· Centralization of services. All FEP services exist in a single location: the central primary site. This allows for management of all FEP resources in a single place.

· Decentralization of services. FEP services exist in each individual child primary site. This provides distributed management that is delegated at the child primary site level. FEP reporting is also done at the child primary site level, with only that subset of devices available to reports.

· A combination of both. FEP services are distributed across central primary and child sites. This provides a finer level of manageability while also providing a roll-up reporting view of all FEP resources.


Applicable Scenarios

This guide addresses the planning and design decisions involved in creating a successful infrastructure. It is written to address the needs of the following groups:

· Organizations with no configuration management solution that want to use Configuration Manager.

· Organizations that presently use another configuration management solution and are planning to move to Configuration Manager.

· Organizations with multiforest environments in which Configuration Manager will be employed to manage systems that span AD DS forest boundaries.

· Organizations that have distributed environments with systems separated by wide area network (WAN) links.

· Organizations with mobile devices, such as smart phones, that operate beyond firewalls but must be managed centrally.

· Organizations upgrading from Microsoft Systems Management Server 2003 to System Center Configuration Manager.

· Organizations that want to use Forefront Endpoint Protection.

The design of Forefront Endpoint Protection scenarios that are not integrated with Microsoft System Center is described in Appendix C: “Forefront Endpoint Protection Integration Job Aid.” These scenarios include:

· The use of Microsoft System Center Operations Manager for event alerting.

· Implementing FEP without client update distribution servers.

· Client-only implementations of FEP (no monitoring or management servers).

Out of Scope

This guide does not address the following topics:

· Multi-tenancy. Configuration Manager can be delivered as a hosted service for shared use by more than one organization.

· System Center Essentials. Microsoft System Center Essentials 2007 is a separate product that includes both software update and operations management functions. It is specifically designed for midsized businesses (up to 500 client computers and 30 servers).

· Configuration Pack development. The standard Configuration Packs provided for use with desired configuration management (DCM) on Microsoft server applications, such as Microsoft Exchange Server, can be extended. New Configuration Packs can be created for other applications, as well.

· In-place upgrade. If an organization is planning an in-place upgrade, the architectural choices will likely be significantly constrained by limitations of the existing system and its specific implementation. This guide does not attempt to address these permutations.