If you are provisioning computers for AMT in Configuration Manager 2007 SP1 and later without the corresponding client installed (out of band provisioning), you need to decide whether you should register an alias for the out of band service point in DNS.
The information in this topic applies only to Configuration Manager 2007 SP1 and later.
AMT-based computers contact a provisioning server for out of band provisioning using the value specified in the BIOS extensions for the provisioning server. The value can be a short name, a fully qualified domain name (FQDN), or an IP address. Typically, the value is the short name of ProvisionServer. You can change this value on each computer by configuring the BIOS extensions, or you can request the value you want to use as part of a customized firmware image. For more information about customizing the firmware image, see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer.
Using the default name of ProvisionServer could present a security risk if a record with this name is configured to resolve to the IP address of a wrong or rogue computer. If an incorrect IP address is given to AMT-based computers, provisioning will not succeed and the AMT-based computers cannot be managed. Configuring the provisioning server value with an alternative name or IP address is more secure than using a well-known name. If you are using the default name of ProvisionServer, ensure that you have configured the entry in DNS before turning on the AMT-based computers. Additionally, ensure that you secure the DNS record (for example, using DNS secure dynamic updates so that only the owner can modify this record) to safeguard against the record being modified such that it no longer resolves to the out of band service point site system computer.
When a name is used rather than an IP address, the AMT-based computer must be configured with an FQDN and at least one DNS server. This is typically achieved using DHCP configuration options, but these values can also be specified in the BIOS extensions. When an AMT-based computer first starts up, it uses DNS to resolve the name of the provisioning server using one of the following methods:
- If the short name of ProvisionServer is specified in the BIOS extensions, DNS attempts to resolve this name in the AMT-based computer's domain to the IP address that belongs to the out of band service point in the computer's Configuration Manager site. The computer then contacts this server to begin the provisioning process. Unless the site system server is actually configured with the name of ProvisionServer, this solution requires an alias (CNAME) record in DNS for the out of band service point site system server. You can configure Configuration Manager to automatically register this alias in the out of band service point's configured DNS domain, or you can manually create the alias record. For more information, see How to Register an Alias in DNS for the Out of Band Service Point.
- If an alternative short name is specified for the provisioning server and this name is not the same as the configured name of the out of band service point site system server, you must manually create the alias record in DNS. For more information, see the second procedure in How to Register an Alias in DNS for the Out of Band Service Point. With the alternative name resolved to the IP address of the out of band service point site system server, the AMT-based computer then contacts this server to begin the provisioning process.
- If an FQDN is specified for the provisioning server and this value matches the FQDN of the out of band service point site system server in the Configuration Manager site that will manage the AMT-based computer, there is no need for an alias in DNS. DNS resolves the FQDN to the IP address of the out of band service point site system server, and the AMT-based computer then contacts this server to begin the provisioning process.
If an IP address is specified as the provisioning server in the BIOS extensions, there is no need for an alias in DNS. This IP address must be owned by the out of band service point site system server in the Configuration Manager site that will manage the AMT-based computer.
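The following check is an added example, not part of the original topic or of Configuration Manager: it applies the resolution rules above to confirm that the provisioning server value leads only to the out of band service point in every DNS domain the AMT-based computers use. The function names, status labels, and the `resolver` parameter are assumptions made for this illustration.

```python
import ipaddress
import socket


def system_resolver(fqdn):
    """IPv4 addresses the local DNS configuration returns for fqdn (empty set if none)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit_provisioning_value(server_value, client_domains, oob_ips, resolver=system_resolver):
    """Report where the BIOS-extension provisioning server value leads in each domain.

    server_value   -- short name, FQDN, or IP address set in the BIOS extensions
    client_domains -- DNS domains given to the AMT-based computers (for example by DHCP)
    oob_ips        -- addresses owned by the out of band service point
    Returns a list of (queried_value, status, addresses) tuples.
    """
    allowed = set(oob_ips)
    try:
        ipaddress.ip_address(server_value)
    except ValueError:
        pass
    else:
        # An IP address needs no DNS record; it only has to belong to the service point.
        status = "OK" if server_value in allowed else "WRONG_TARGET"
        return [(server_value, status, [server_value])]

    # A short name is resolved in the AMT-based computer's own domain; an FQDN is used as is.
    if "." in server_value:
        candidates = [server_value]
    else:
        candidates = [f"{server_value}.{domain}" for domain in client_domains]

    results = []
    for fqdn in candidates:
        addresses = resolver(fqdn)
        if not addresses:
            status = "MISSING"        # no record: provisioning cannot start
        elif addresses <= allowed:
            status = "OK"             # resolves only to the out of band service point
        else:
            status = "WRONG_TARGET"   # at least one address is some other computer
        results.append((fqdn, status, sorted(addresses)))
    return results
```

Run it against the same DNS servers the AMT-based computers are given, before those computers are first turned on, and treat any `MISSING` or `WRONG_TARGET` result as a record to fix or investigate.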
Register an alias for the out of band service point in DNS if both of the following conditions apply:
- You will provision computers for AMT out of band (without the client for Configuration Manager 2007 SP1 or later installed).
- The AMT-based computers are configured with either the value of ProvisionServer or an alternative server name (short name or FQDN) that is not already registered in DNS as a host name (an A record).
Do not register an alias for the out of band service point in DNS if any of the following conditions apply:
- You will provision computers for AMT in-band only. (The client for Configuration Manager 2007 SP1 or later is installed.)
- The AMT-based computers are configured with the IP address of the out of band service point rather than a name for the provisioning server.
- The DNS domain for the out of band service point contains out of band service points from other Configuration Manager sites, and all AMT-based computers are configured with the same name for the provisioning server.