Security personnel are usually required to design for the confidentiality, integrity, and availability of computer systems. In order to keep the Configuration Manager 2007 hierarchy available, it is important to have a plan to provide service continuity and test it often.
Best Practices
Design a fault tolerant site An offline site is usually low risk unless there is an urgent need to deploy a critical update or a need to create Configuration Manager 2007 Network Access Protection policies to restrict network access. If the Configuration Manager 2007 site server is offline, it does not necessarily stop all Configuration Manager 2007 operations. For example, clients can still process existing advertisements if content is available on distribution points. Configuration Manager 2007 supports clustering the site database. You can also replicate the site database information, which is usually done for performance reasons, but would also allow a site system to access replicated data, even if the site database is offline.
Create a backup and recovery plan Recovering a failed Configuration Manager 2007 site is a complex task. For more information, see Maintaining Configuration Manager 2007.
Test your backup and recovery procedures Backup procedures are worthless unless they are periodically tested. Configuration Manager 2007 backup and recovery are complex procedures and should be routinely tested to ensure service continuity in the event of site failure.
Secure your backup media The Configuration Manager 2007 backup task makes copies of the registry, the file structure, and the Configuration Manager 2007 site database. Attackers who gain access to the backup media could gain valuable information about the network, such as IP addresses, Active Directory site names, and the state of all client computers. Attacks involving backup media are potentially as serious as physical attacks against servers. As with all backups, store Configuration Manager 2007 backup media in a secure location, consider encrypting the backup files, and institute a controlled procedure to check out and restore the media.
Use role separation to increase recoverability It is common in small sites for all roles to be installed on the site server. This increases the risk that if the site server is unavailable, all Configuration Manager 2007 functionality is disabled. If possible, configure a management point that is not on the site server to increase availability to the clients. Configure multiple reporting points and distribution points. You cannot create more than one default management point for the site, but you can use a computer with RAID, or other fault tolerant features. Alternately, you can keep a spare management point running, and configure it as the default if the first management point goes offline.
The following table describes the effect of various site systems being offline.
| Site Server | Site Database | Management Point | Distribution Point | Result | |
|---|---|---|---|---|---|
|
Off |
Online |
Online |
Online |
No site administration will be possible, including creation of new advertisements. The management point will collect client information and cache it until the site server is back online. Existing advertisements will run and clients can find distribution points. |
|
|
Online |
Off |
Online |
Online |
No site administration will be possible, including creation of new advertisements. If the client already has a policy assignment with new policies and if the management point has cached the policy body, the client can make a policy body request and receive the policy body reply. No new policy assignment requests can be serviced. Clients will be able to run programs only if they have already been detected and the associated source files are already cached locally at the client. |
|
|
Online |
Online |
Off |
Online |
Although new advertisements can be created, the clients will not receive them until a management point is online again. Clients will still collect inventory, software metering, and status information and store them locally until the management point is available. Clients will be able to run programs only if they have already been detected and the associated source files are already cached locally at the client. |
|
|
Online |
Online |
Online |
Off |
Clients will be able to run advertisements only if the associated source files have already been downloaded locally. |
|