SCCM 2007 R3 Deployment – Hurdles and Barriers

We are piloting a deployment of SCCM 2007 R3 as part of our evaluation of Forefront Endpoint Protection 2010.  I thought I would have SCCM up in a day to a day and a half… Ha!  If you are planning to do something similar, schedule a good four+ days for initial configuration (unless you are the Windows equivalent of Bruce Lee).

Troubles:

  • Complex PKI certificate requirements.  You need to create a Windows PKI server template just to deploy one signing cert to the site management server!  These certs cannot use the next-generation crypto (CNG) templates that came with Server 2008… you must use Server 2003 templates (CAPI).
  • Logging shortcomings.  I suppose veteran SCCM folks will think I am daft.  After all, SCCM makes more logs than just about any other MS product.  However, the logs are long on data, short on information.  I wasted over a day troubleshooting client to management point communications that turned out to be related to permissions problems with a cert in the SCCM server system account’s “My” certificates store.  The problem was that I used drag/drop in the cert MMC to install the cert, but that method did not set cert permissions properly.  After exporting/importing the cert, then setting permissions as detailed here:
    http://www.zerohoursleep.com/2010/11/a-fatal-error-occurred-when-attempting-to-access-the-ssl-server-credential-private-key/
    I was able to get IIS to bind reliably to the cert, and clients started to check in.  The SCCM client and server logs were no help with this.
  • Reporting Services – Since I last configured reporting on SQL 2005, things have gotten easier.  However, RTM releases still are not reliable enough.  I discovered we needed SQL 2008 R2 CU4 or later to get SCCM to work reliably with reporting services.
  • Schema Extensions – Never fun.  The process is well documented on TechNet, but it’s still a pain.
  • Server installation prerequisites – There are many prereqs for SCCM.  The documentation lists them reliably.  What is not mentioned is that the server role prereqs need to be installed simultaneously.  If BITS, WebDAV, and ASP.NET are not installed at the same time, SCCM will fail to function after installation.
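The private-key permission problem described in the logging bullet above can be checked from the command line rather than by reading SCCM logs. The script below is an added PowerShell example; it is not from the original post or from the linked article. It assumes the certificate is a CAPI (RSA CSP) key, as the PKI bullet requires, that it is identified by a thumbprint you supply (placeholder), and that the identity which must read the key is NT AUTHORITY\NETWORK SERVICE (the IIS default); pass a different `-Identity` if your IIS or SCCM components run under another account. Without `-Fix` it only reports the current ACL.

```powershell
# Added example (not from the original post): audit and, optionally, repair the
# private-key ACL of a machine certificate so the IIS / SCCM service identity can read it.
# Assumptions (not stated on the page): the cert is identified by thumbprint ($Thumbprint,
# a placeholder), the key is a CAPI (RSA CSP) key as the post requires, and the identity
# that needs Read access is NETWORK SERVICE (IIS default). Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,   # placeholder, e.g. '0123...ABCD'
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE',  # assumed account that must read the key
    [switch]$Fix                                         # without -Fix the script only reports
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key (re-import it with the key)" }

# CAPI keys expose CspKeyContainerInfo; the key file lives under the MachineKeys folder
# and is named after UniqueKeyContainerName. CNG keys (not usable with SCCM 2007) do not.
$csp = $cert.PrivateKey.CspKeyContainerInfo
if (-not $csp) { throw "No CSP key container info; the key may be CNG rather than CAPI" }
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $csp.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

$acl = Get-Acl $keyFile
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Identity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readMask) -eq $readMask)
}

Write-Host "Certificate : $($cert.Subject)"
Write-Host "Key file    : $keyFile"
Write-Host "Current ACL :"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

if ($hasRead) {
    Write-Host "$Identity already has Read on the private key."
}
elseif ($Fix) {
    # Grant Read only; the service needs to use the key, not to export or modify it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on the private key to $Identity."
}
else {
    Write-Warning "$Identity lacks Read on the private key; rerun with -Fix to grant it."
}
```

The same check can be done by hand through the Certificates MMC (right-click the cert, All Tasks, Manage Private Keys), but scripting it makes it easy to confirm the ACL on every site system before trying to bind IIS to the cert, which is the step the logs did not explain.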

All that being said, the product has made great strides since I last looked at it (when it was called SMS 2003).  Integration with WSUS is a plus, as is the “Advanced Client” which uses a simple client pull over HTTPS to fetch configurations and submit status.  Good stuff… less dependency on RPCs and File/Print Sharing.

Update:
