Topic last updated—November 2007
Use the following best practices for desired configuration management in Configuration Manager 2007.
For best practices relating to security and desired configuration management, see Desired Configuration Management Security Best Practices and Privacy Information.
- Author configuration items that combine multiple objects and settings when these define compliance at the level of independent change.
Combining logically related objects and settings in a single configuration item rather than defining a single configuration item for each individual object or setting provides better client-side performance when evaluating compliance. It also greatly reduces the number of configuration items for an administrator to manage and for the site to replicate down the Configuration Manager hierarchy.
Additionally, combining related objects and settings into a single configuration item greatly simplifies the administrative tasks related to a configuration item, including remediation of non-compliant settings. Managing individual settings for an application or component presents an unwieldy approach to configuration management.
For example, define compliance for server roles, such as Microsoft Exchange mailbox server, rather than through individual Windows or application settings, even if these individual settings are used by more than one server role. An administrator without specialized knowledge of the individual settings that make up compliance for a server role can then use it in his or her configuration baseline.
- Provide meaningful display names and descriptions for configuration data (and configuration categories) so that they can be used by other administrators without the need to check and interpret their properties.
Desired configuration management is designed to abstract the complexity of defining computer compliance so that configuration data can be used by administrators who do not have detailed knowledge of the compliance information but want to make use of it. The display names and descriptions should be sufficient for another administrator to successfully identify the purpose of the configuration data without having to understand its contents.
Additionally, using a standard naming format will help administrators efficiently search and find configuration data.
- Minimize the number of configuration items, dependent configuration baselines, and configuration baselines that are targeted to computers to define desired
Having an unnecessarily high number of configuration items and configuration baselines evaluated on a computer will have a negative impact on client performance. Aim to define desired compliance in as few configuration items and configuration baselines as possible.
- Use child configuration items where possible, rather than duplicating configuration items.
Child configuration items provide reuse and a layered administration approach that provides an efficient method of refining the required compliance for different roles. For example, a parent configuration item can identify basic settings and objects once, with multiple child configuration items adding their own compliance requirements that are suitable for different server roles. If the compliance requirements for the basic settings and objects change, they need be changed only once, and this change is automatically inherited by all the child configuration items.
Similarly, when child configuration items are created from imported configuration data, such as Microsoft System Center Configuration Packs, an administrator can import a later version (for example, when Microsoft or a vendor releases an upgrade to one of their Configuration Packs), and the child configuration item will automatically use the updated parent configuration item.
For more information about whether you should create a child configuration item or a duplicate configuration item, see Determine If You Need to Create Child Configuration Items for Desired Configuration Management and Determine If You Need To Create Duplicate Configuration Baselines or Duplicate Configuration Items for Desired Configuration Management.
- Schedule compliance evaluations according to business requirements and available computing resources.
Each configuration baseline assignment has its own evaluation schedule. Configure the schedule such that up-to-date compliance information is available when it is most likely to be required. For example, this might be before the beginning of an administrative work shift so that staff has current configuration information, or immediately after a scheduled maintenance window to confirm the changes that were made.
Also, allow sufficient time for computers to evaluate their compliance and send their compliance information to their site. The client does not initiate evaluation immediately at the scheduled time, but within a two-hour window. For more information, see About Compliance Evaluation Schedules in Desired Configuration Management.
Because compliance evaluation consumes computer resources, do not schedule compliance evaluations too frequently without first assessing the impact on users. For this reason, you will probably want to evaluate workstations less frequently than servers.
- Use wildcards and searches with
It is possible and sometimes justified to create configuration items that use wildcards and extensive searches. Be mindful of their impact on both the computer undergoing evaluation and related activity. For example, searching for files with wildcards will have a negative impact on the computer's CPU usage as well as disk activity, and searching multiple locations in Active Directory Domain Services will have an impact on domain controllers and network bandwidth.