System Center Essentials 2007 Offers SMBs Enterprise-Level Management

System Center Essentials (SCE) 2007 offers midsize businesses management and monitoring technology usually available only to large companies. Besides offering an integrated console for all your management needs, SCE 2007 has several important advantages over Active Directory and Windows Server Update Services (WSUS). Several important features in SCE 2007 can help your IT department improve its service.

Designed for Windows shops with between 50 and 500 clients and no more than 30 servers, SCE 2007 offers a subset of features from Microsoft’s System Center series of products. With technology based on WSUS and System Center Operations Manager (SCOM), SCE provides a unified management console for patch management, application deployment, software and hardware inventory, error collection, monitoring, alerting and reporting for Windows clients, and servers and Simple Network Management Protocol (SNMP) network devices.

Windows operating systems and Active Directory have never included strong enterprise reporting or monitoring capabilities, and although software can be deployed using Group Policy, it is typically limited to Microsoft Installer (MSI) packages over reliable network links, with minimal reporting. SCE 2007 is designed to fill the void for SMBs, between the vanilla functionality provided with Windows and full enterprise monitoring and deployment solutions.

Installing System Center Essentials 2007

SCE can manage Windows systems in a single forest and up to 50 SNMP-enabled network devices. At press time, SCE Service Pack 1 could not be installed on Windows Server 2008, but support has been promised within 90 days of SP1’s release. SCE requires Windows Server 2003 SP1 and should be a domain member. Despite the fact that 1 gigabyte of RAM is specified as a minimum requirement, if you’re going to install SCE 2007 and SQL on the same system, I’d recommend 2GB. Between 12GB and 20GB of free disk space is required, depending on whether you store Windows updates on the disk. Other prerequisites for SCE 2007 are SQL Server 2005 (Express/Full edition), Microsoft’s .Net Framework 2.0 and Internet Information Services (IIS).

During the setup process, you can choose to install SQL Server 2005 Express edition or use an existing local or remote SQL Server. Which option you select will largely depend on how many devices you want to manage with SCE 2007. Microsoft also warns that due to limitations with SQL Server 2005 Express edition, some SCE reports do not display properly; be sure to check this out in a lab environment before you commit to the Express edition.

If the .Net Framework is installed before IIS, you will need to reregister Asp.Net 2.0; otherwise the setup fails. This can be remedied by running the command line below in the following directory:

%WINDIR%\Microsoft.net\framework\V2.0.50727\aspnet_regiis.exe –i

Configuration Wizards

Configuration is a breeze using the SCE 2007 console, which can be started from Start > All Programs > System Center Essentials 2007. Group Policy Objects (GPOs) for creating Windows Firewall exceptions on managed clients, forwarding of health reports by e-mail and scheduled discovery of new managed computers are all set up with the Features Configuration Wizard (Figure 1).

Figure 1

The Computer and Device Management Wizard handles discovering computers in Active Directory and installing SCE 2007 agents. Before running the wizard, you should make sure that any clients on which you want to install the agent have had a Group Policy refresh to ensure that settings configured by the Features Configuration Wizard have taken effect. Group Policy can be refreshed on a client by running the following command:

gpupdate /force

Finally, the Update Management Configuration Wizard sets up WSUS patch management.

The Computers Space

SCE 2007’s management console is divided into five spaces: Computers, Monitoring, Updates, Software and Reporting. The Computers space is the default view when you first open the console, which offers a summary of all managed computers (Figure 2). Devices can be divided into groups for ease of management. Three groups are provided as standard: All Clients, All Computers and All Servers.

Figure 2

Selecting a managed device in the central pane of the Computers space gives you a more detailed view of the device’s status. As shown in Figure 2, the Actions pane gives you access to various reports, troubleshooting tools and actions. From the Computers space you can also create new groups and launch the Computer and Device Management Wizard to add new managed devices.

The Monitoring Space

Perhaps the most complex aspect of SCE 2007, monitoring and alerting is based on SCOM management packs, which contain predefined models of an object’s health. The models-based management provides more immediate and useful information for troubleshooting than standard Windows event logs. In addition to management packs for Windows 2000 and later, SCE 2007 also contains packs for Exchange Server 2003, SQL Server 2005 and Active Directory (Windows Server 2000 and 2003). Third-party management packs can also be added to SCE 2007.

Selecting the Monitoring space in the SCE 2007 console shows an overview of states and alerts for managed devices. Under Actions you can select all active alerts or computer states, delivering immediate insight into any problems in your environment. Figure 3 shows active alerts for managed devices in my domain. Once a problem in an alert has been resolved, you can mark it as complete by closing the alert from the Actions pane. If the level of monitoring is excessive for your needs, you can configure overrides to suppress the amount of information collected. SCE 2007 also contains a tool called Health Explorer, which allows you to browse an object’s health model and view alerts and changes.

Figure 3

Deploying Software with SCE 2007

SCE 2007’s biggest advantage over Group Policy software deployment is that there’s no prerequisite for using an MSI package, potentially saving considerable effort if no MSI file is supplied. Anyone who’s ever tried to repackage a product will know how much testing is involved in creating a reliable installer.

SCE 2007 transforms installer files, usually something like setup.exe, into CAB (Cabinet) files, and installs them via WSUS. This means that you can distribute software over slow or unreliable networks with the help of the Background Intelligent Transfer Service (BITS). If it’s not possible to specify a silent install for a program using a command-line switch, SCE 2007 can still deploy the application, although user interaction will be required on the client.

In this example, let’s install Microsoft Silverlight, which comes supplied as a standard executable file:

1. Open the System Center Essentials 2007 Console from Start > All Programs > System Center Essentials 2007.
2. In the lower half of the left-hand pane, click Software. This part of the console is known as the Software space.
3. In the main window, under Actions, click Create and deploy a new software package.
4. In the New Software Package Wizard, click Browse and select the Silverlight.1.0.exe file.
5. Complete the Package Name and Package Description fields and click Next.
6. In the Installation Parameter(s) field, type /q for a silent install and click Next (Figure 4).
7. On the Ready to Create Package screen, click Create and then Finish once the process has completed.
8. In the Approve Groups for Deployment dialog, click All Clients and then OK. Click Close on the Approval Progress dialog.

Figure 4

The new Silverlight package should appear in the central pane of the SCE 2007 console under All Software Packages. The software will be installed on managed computers in the All Clients group the next time the Automatic Updates (AU) client is scheduled to detect changes. You can easily check to see on which computers the software package has been installed (Figure 5), by highlighting the package under All Software Packages and clicking Deployment Status in the Actions pane.

Figure 5

You can force AU clients to detect changes on the server and perform an (almost) immediate install:

1. Navigate to the Computers space in the SCE 2007 console.
2. Select a group such as All Clients.
3. Select either an individual device or group of devices in the central pane, and click Detect Software and Updates Now under Windows Computer Tasks in the Actions pane.

A report will be displayed notifying you if the action was successful and at what time it’s scheduled to start. Once the new software package has been detected by the AU client on the managed devices, Windows Update will notify users that the software is available for installation.

The Reporting and Updating Spaces

SCE 2007 contains a comprehensive set of predefined reports based on information from software and hardware inventories and other data collected by SCE 2007, such as performance, availability and capacity information. Figure 6 shows a simple hardware inventory report. Unlike System Center Configuration Manager however, reports cannot be customized.

Figure 6

The Updating space in SCE 2007 is essentially a front end for WSUS, although there are some WSUS functions that cannot be performed from the SCE 2007 console. However, this isn’t too much of a problem because WSUS is installed in its entirety, including its management console. SCE 2007 can’t be incorporated into a distributed WSUS network as an upstream or downstream server, which may be a disadvantage if WSUS is already deployed in your organization. The principle benefit of hooking into WSUS through SCE is the ability to distribute third-party drivers and software updates.