In a production environment, implementing out of band management in Configuration Manager 2007 SP1 and later involves various processes that might require interaction and collaboration with a number of different groups across the enterprise.
|The information in this topic applies only to Configuration Manager 2007 SP1 and later.|
These groups might include the following:
- Procurement for new desktop computers that support out of band management.
- Security advisors and infrastructure administrators to help determine appropriate options and values in the computer BIOS extensions. For more information, see Decide Whether You Need a Customized Firmware Image From Your Computer
- Security auditors to help determine which AMT features to audit and how to process the audit logs when you use auditing in Configuration Manager 2007 SP2 and later.
- Active Directory Domain Services service administrators to create and configure the Active Directory container or organizational unit (OU) into which the AMT-based computers are published.
- Public key infrastructure (PKI) specialists to create, deploy, and manage the PKI certificates required for out of band management.
- Active Directory Domain Services data administrators to create the AMT user accounts that are used when running the out of band management console.
- DNS and DHCP administrators so that AMT is updated with the FQDN of the AMT-based computer during provisioning and so that host records are created in DNS for each IP address that the AMT-based computer might need for out of band communication. Additionally, if you use out of band provisioning, you might need an alias record in DNS so that AMT-based computers can find a provisioning server.
- Infrastructure and network architects to ensure that firewalls, routers, and switches are configured to allow the network traffic associated with out of band activity, and to ascertain the impact of network traffic when sending power-on commands to multiple computers and across WAN links.
- Administrators who configure RADIUS solutions for 802.1X authenticated wired and wireless networks, if you will manage AMT-based computers on these networks with Configuration Manager 2007 SP2 and later.
- Configuration Manager administrators responsible for configuring software distribution, software updates, and task sequences to identify which advertisements and software update deployments should be enabled for Wake On LAN and whether to configure the site for wake-up packets only, power-on commands only, or both of these configurations.
- Help desk engineers who might require training in using the out of band management console for
- End users who might require training and notification about turning off their computers at the end of the day if this is not their normal working practice.
Because an out of band management solution can involve a number of different roles and processes, a successful implementation will depend on identifying who is responsible for the various roles and ensuring collaboration between groups when necessary. A successful ongoing implementation will depend on identifying and adhering to processes that coordinate the various functions between the roles.
Some of the consequences of not having and following defined processes when out of band management in Configuration Manager is implemented in a production environment are as follows:
- Computers fail to provision or configure as expected, which impacts the success rate of computer management. This in turn can negatively affect service level agreements (SLAs) and business continuity.
- A critical component, such as DNS configuration or firewall configuration, prevents AMT provisioning and delays out of band management operation because these infrastructure changes were not requested in a timely manner.
- Computers are not woken up for scheduled activities as expected, which impacts the success rate of software distribution, software updates, and task sequences. In the case of software updates, this can mean that computers are vulnerable to
- Not enough time is allowed to power on multiple computers that need to install security updates by a defined date to achieve required compliance levels.
- If nonfunctioning computers cannot be successfully remediated without a visit to the computer, productivity will be negatively impacted if users have to wait for a help desk engineer to arrive.
Use a methodology such as ITIL or Microsoft Operations Framework (http://go.microsoft.com/fwlink/?LinkId=88047) to help you implement out of band management within a framework of defined processes. Make sure you document your design, testing procedures, the areas of responsibility, and the processes to follow for configuring, monitoring, and troubleshooting. Then disseminate this information, making sure that it is centrally available and updated.
|Review existing company security policies, and if necessary, modify them to include the implementation of out of band management.|