In my earlier post, we saw how to manage workgroup computers using SCCM ConfigMgr 2007: http://www.windows-noob.com/forums/index.php?/topic/2029-managing-workgroup-computers-in-sccm-sms-environment/
In this blog post, we are going to see how to manage workgroup/DMZ computers using SCCM ConfigMgr 2012. This procedure involves working with the lmhosts and hosts files on workgroup machines.
For some reason, I find that the TechNet library is not so clear on how to manage workgroup computers: http://technet.microsoft.com/en-us/library/bb680962.aspx. The TechNet document illustrates the overall procedure but not in detail.
Before we jump into the details of updating lmhosts and other files, let's have a look at workgroup limitations, site assignment, approval, etc.
There are some limitations when managing workgroup computers, listed below:
Limitations:
Workgroup clients cannot locate management points from AD; instead we must use DNS, WINS or another management point.
Global Roaming is not supported because clients cannot query AD for site information.
AD discovery cannot discover computers in workgroups.
You cannot deploy software to users of Workgroup computers.
You cannot use client push installation method to install client on workgroup computers.
Workgroup clients cannot use Kerberos for authentication, so they might require manual approval.
A workgroup client cannot be configured as a distribution point. SCCM 2012 requires that distribution point computers be members of a domain.
Site Assignment:
After you install the client, it must join a ConfigMgr primary site before it can be managed. The site that a client has joined is referred to as its assigned site.
Clients cannot be assigned to a CAS or a secondary site.
A client is considered to be unmanaged when it is installed but not assigned to a site, or is assigned to a site but cannot communicate with a management point.
Manual vs. auto assignment:
Auto assignment will not work for workgroup clients.
To manually assign workgroup clients, the SMSSITECODE installation property must be used:
Ccmsetup.exe SMSSITECODE=PRI SMSMP=cm12pri.eskonr.com
Use the SMSMP property to specify the management point, or use DNSSUFFIX so that clients automatically locate the MP from DNS:
Ccmsetup.exe SMSSITECODE=PRI DNSSUFFIX=eskonr.com
Client approval:
You can either choose to approve all clients automatically (not recommended) or manually approve each workgroup client, from the site settings properties.
Software/application deployment to workgroup clients:
Set up a Network Access Account.
If boundaries and boundary groups are configured properly, clients can automatically locate distribution points.
If boundaries and boundary groups are not configured, you should set up the deployment option.
Package properties: Deployment option: download content from DP and run locally, which means all these clients will fall under SLOW.
Note: The above information is captured from Taj Mohammed's (Microsoft) session.
Before installing the SCCM client on workgroup machines, we need to do some configuration on the workgroup/DMZ computer.
If you have managed to get a workgroup computer working with SCCM 2007, you may find the steps in this blog post more or less the same.
Do the steps below on the workgroup machine.
Disable the firewall. If you don't want to disable it, allow the required ports: http://technet.microsoft.com/en-us/library/hh427328.aspx (mainly add the ccmhttp and WSUS ports to the inbound rules).
Work with the network team to get the required ports opened for communication between the client and the SCCM servers: the management point (it could be the primary or secondary MP), SUP, DP and FSP (if you are running them on different servers).
Go to Control Panel --> Network Connections --> Local Area Network.
Go to Internet Protocol (TCP/IP). Click Properties ---> click Advanced ---> go to the DNS tab.
Add the DNS suffix as shown below.
Next to the DNS tab, on the WINS tab, select 'Enable NetBIOS over TCP/IP'.
Next, go to C:\Windows\System32\drivers\etc.
Open the lmhosts file with admin rights using Notepad.
Copy the lines below into the lmhosts file:
192.168.1.10 SGCMCEN #PRE
192.168.1.10 "MP_PRI         \0x1A" #PRE
Where SGCMCEN is the SCCM primary site name and PRI is the site code.
Make sure you have 20 characters (including blank spaces) between the quotes.
Note: I am not adding SLP entries to the lmhosts file since SLP is integrated into the management point in CM12.
Save as "lmhosts" in C:\Windows\System32\drivers\etc.
Note: If you have name resolution issues, you need to add the management point and distribution point information to the hosts file. The entries look like this:
10.64.152.53 sgcmcen sgcmcen.cm12lab.com
10.64.144.146 sgcmdp1 sgcmdp1.cm12lab.com
Next, purge and preload the remote cache table. To do this, open cmd with admin rights again and run the commands below:
nbtstat -R
nbtstat -c
You can see that the changes are loaded into the cache.
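The lmhosts steps above, as an added example that is not part of the original post: the PowerShell below builds the two entries with the quoted name padded to the required 20 characters and flags entries whose padding has been lost. The function names and the $apply switch are hypothetical; the address, server name and site code are the ones used on this page.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function New-MpLmhostsEntries {
    param(
        [Parameter(Mandatory = $true)] [string] $IPAddress,
        [Parameter(Mandatory = $true)] [string] $SiteServer,  # NetBIOS name
        [Parameter(Mandatory = $true)] [string] $SiteCode
    )
    if ($SiteServer.Length -gt 15) { throw "NetBIOS name too long: $SiteServer" }
    # A NetBIOS name is 15 characters (space padded) plus one type byte.
    # In lmhosts that is written as 15 characters + '\0x1A' = 20 in quotes.
    $quoted = ("MP_$SiteCode").PadRight(15) + '\0x1A'
    '{0}    {1}    #PRE' -f $IPAddress, $SiteServer
    '{0}    "{1}"    #PRE' -f $IPAddress, $quoted
}

function Test-LmhostsQuotedNames {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match '"([^"]*)"') {
            $name = $Matches[1]
            New-Object PSObject -Property @{
                Name   = $name
                Length = $name.Length
                Valid  = ($name.Length -eq 20 -and $name -match '\\0x[0-9A-Fa-f]{2}$')
            }
        }
    }
}

$entries   = New-MpLmhostsEntries -IPAddress '192.168.1.10' -SiteServer 'SGCMCEN' -SiteCode 'PRI'
$collapsed = '192.168.1.10 "MP_PRI \0x1A" #PRE'   # constructed: padding lost in copy/paste
Test-LmhostsQuotedNames -Lines (@($entries) + $collapsed) |
    Select-Object Name, Length, Valid | Format-Table -AutoSize

$apply = $false   # set to $true in an elevated prompt on the workgroup machine
if ($apply) {
    $lmhosts = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'
    Add-Content -Path $lmhosts -Value $entries -Encoding Ascii
    nbtstat -R    # purge and reload the remote cache name table
    nbtstat -c    # list the cache; both names should now be present
}
```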
Next, you need a local administrator account for remote control using SCCM 2012. If you do not have this account, remote control will not work.
Now we are done with the required changes for the client installation.
Copy the SCCM client installation files to a local drive on the workgroup machine.
Run the command prompt with local admin rights.
Use the command below to install the SCCM client on your workgroup computer:
ccmsetup.exe /source:C:\client SMSSITECODE=PRI SMSMP=sgcmcen.cm12lab.com DNSSUFFIX=cm12lab.com
Monitor ccmsetup.log in C:\Windows\ccmsetup\Logs.
Notice from ccmsetup.log that the installation has completed.
Let's look at the Configuration Manager applet in Control Panel.
Go to the Site tab and try to discover the site to see whether it works or not.
Look at the Actions tab to see whether all the agents are loaded or not.
From the above screen, only 2 actions are loaded, and this is because the client is not approved in SCCM yet. (By default, the site is set to approve clients in trusted domains.)
Go back to the Configuration Manager console, Assets and Compliance, Devices, search for the computer, and approve it.
Right-click the computer and approve.
Go back to the client and see whether you now have more than 2 actions.
If the client does not appear in the console, you will have to check ClientIDManagerStartup.log, ClientLocation.log and LocationServices.log.
So far we have seen that the workgroup SCCM client is able to communicate with the MP, get policies, etc.
Now let's see whether application deployment, remote tools and other functions work or not.
Try to create a simple application or, if you already have one, deploy it to the workgroup computer.
Note: Make sure you have configured the Network Access Account so that the workgroup computer can access resources from the domain.
I deployed the 7zip application and it appears in Software Center.
Run the installation.
You see it ran successfully.
In the same way, you can also deploy software updates, packages and whatever else you can.
What next, remote control?
For this to happen, you need to add the workgroup computer's IP address and hostname to the hosts file on your SCCM server (C:\windows\system32\drivers\etc\hosts).
After you do this, try to remote control the workgroup computer from the SCCM console. You get a prompt for authentication, since domain credentials won't work.
Use workgroup hostname\administrator and its password.
Note: If your local administrator account is disabled for other reasons, use an account which has local admin rights on the workgroup computer.
Note: By default, on Windows 7 and later operating systems, the GPO setting is set to Classic - local users authenticate as themselves.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options --> Network access: Sharing and security model for local accounts
On the workgroup computer, you see something like this. You can change the client agent settings so that the user is not asked for permission.
Update: If you are trying to manage Windows XP workgroup computers, the GPO setting is not set to Classic by default and you need to change it manually or via scripting; otherwise you keep getting prompted for a password that never works.
Thanks to Niall for finding the GPO setting on WinXP computers.
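The Update above says the Windows XP setting has to be changed manually or via scripting. One way to script it, as an added example that is not part of the original post: the policy "Network access: Sharing and security model for local accounts" is stored in the ForceGuest registry value under the Lsa key (0 = Classic, 1 = Guest only). The function names are hypothetical.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# ForceGuest backs "Network access: Sharing and security model for local
# accounts": 0 = Classic, 1 = Guest only.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LocalAccountSharingModel {
    $prop = Get-ItemProperty -Path $LsaKey -Name ForceGuest -ErrorAction SilentlyContinue
    if ($null -eq $prop)        { return 'NotSet' }
    if ($prop.ForceGuest -eq 0) { return 'Classic' }
    if ($prop.ForceGuest -eq 1) { return 'GuestOnly' }
    return "Unknown ($($prop.ForceGuest))"
}

function Set-ClassicSharingModel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Nothing to do when the machine already uses the Classic model.
    if ((Get-LocalAccountSharingModel) -eq 'Classic') { return $false }
    if ($PSCmdlet.ShouldProcess("$LsaKey\ForceGuest", 'Set to 0 (Classic)')) {
        Set-ItemProperty -Path $LsaKey -Name ForceGuest -Value 0 -Type DWord
        return $true
    }
    return $false
}

"Current model: $(Get-LocalAccountSharingModel)"
# -WhatIf only reports the change; remove it in an elevated prompt to apply.
Set-ClassicSharingModel -WhatIf
```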
Hope it helps!
Reposted from: http://eskonr.com/2013/08/sccm-configmgr-2012-manage-workgroup-computers-for-deploymentremote-tools-etc/