Microsoft System Center Configuration Manager 2012: What's New and What's Different
Abstract
The new upgrade to Microsoft System Center Configuration Manager 2012 provides substantial opportunities for organizations to gain better control over their hardware and software resources. It is a huge step forward that will require time and patience to fully learn and understand, but in the long run should prove to be a required system in all organizations that use Microsoft servers and workstations. This white paper outlines some of the components that have changed as well as features that have been added.
Sample
Revamped Hierarchy
Experienced SMS and SCCM administrators will be surprised by the core structural revamp of the new version. Large enterprises were encouraged in SCCM 2007 to create parent and child relationships between their sites. This resulted in the propagation of child primary sites to centralize management and reporting. That is no longer possible in SCCM 2012.
Substituting for the parent-child topology is a new top-level site system called the Central Administration Server (CAS). The role of the CAS is to allow for the consolidation of all reporting and management in one location. What makes the CAS different from the previous ad-hoc central site is that it can host no clients. Essentially, Microsoft has created a flat topology.
Also changed in SCCM 2012 is the structure of the secondary site. In earlier versions, secondaries were used to provide some functions in locations where bandwidth was limited. Prior-version secondary servers had no database and could be installed locally using the setup executable or remotely from the console of their primary. Now the secondary has its own database (SQL Express is an option) and remote install is the only way to go. Personally, I prefer distribution points over secondaries, but that is for another discussion.
Note that the Active Directory Schema extensions are unchanged from SCCM 2007. That should make the Directory Services folks much happier for organizations that have already performed the integration of SCCM to AD.
The Console and the Ribbon
First introduced with the Office 2007 Suite, the now familiar "ribbon" graces the top of the SCCM console and as such, the console has been completely revamped. For experienced SCCM administrators, the new interface will present an initial obstacle in locating the nodes that they are accustomed to using for their day-to-day management tasks. Over time, with training, practice, and repetition, the console will become the admin's friend, providing all of the flexibility and granularity that is needed. By abandoning the Microsoft Management Console, we are told, we will see better performance. Let's hope so.
Site Security
In SCCM 2007, an enterprise was required to designate that a site be in either mixed or native mode, the latter requiring a secure connection between the client and the server. While we are all concerned with the security of our data, the overhead in creating a native mode environment was not necessarily worth the added peace of mind provided by an encrypted connection on the physically secure local area network. Remedying this concern, SCCM 2012 allows for different settings to be applied on the site systems within a site.
The site system that "talks" to the clients is called the management point (MP). If an organization wanted to configure one of its MPs to require a secure HTTPS connection and another to permit HTTP, it could do so, satisfying an internal/external structure and avoiding encryption where it is frequently unnecessary.
Hardware Inventory Controls
Experienced SMS and SCCM admins have probably spent some time altering the files that were used to granularly control the specificity of the hardware inventory that the product collected. For those of you who never had to modify the sms_def.mof file, you missed your chance. We will now customize hardware inventory collection using the console. For the hardcore geeks, we still have our MIF files, and if you are not sure what those are, well, never mind. Another plus is the ability to apply different hardware inventory at the collection level by using client settings.
Role-Based Access Control (RBAC)
Most of the servers in the Microsoft portfolio have moved to a role-based approach to allow for a careful tailoring of the permissions that will be provided to individual administrators. Having worked with many approaches to RBAC from Exchange to SharePoint to Lync Server, I can easily say that SCCM has the most flexible and user-friendly approach to RBAC that I have seen. The built-in RBAC roles should satisfy many enterprise deployments.
The true power of SCCM RBAC is the ease of creating new roles and applying them to administrators. The mechanism for role creation and assignment is entirely GUI-based and allows for the cloning of an existing role and then modification either by adding or limiting its capabilities or the scope of its effectiveness.
Improved management capability is obtained through a fundamental change in the administrative boundaries that SCCM 2012 employs. In previous versions, most management tasks were delimited by the site. For large organizations, this sometimes created the need for more sites than would be required by the bandwidth and number of users. In 2012, we now use the collection as our primary administrative border, giving us many choices in how we assign capabilities to our IT workers.
