A constant challenge for
enterprise administrators in large organizations is ensuring that staff
members within the organization have access to the specific applications
they need to perform their job functions but not to applications they
do not need. Just as a missing application costs the organization money
in terms of lost productivity, an installed application that is never
used costs the organization money in terms of licensing fees. In this
lesson, you will learn about three application deployment technologies
that can simplify the rollout of important productivity software to
users in your enterprise environment. You will learn the benefits and
drawbacks of each method and learn which of these solutions is
appropriate for a given situation or network environment.
Planning the Deployment of Applications by Using Group Policy
As an enterprise administrator, you are aware
that Group Policy enables you to publish software to users, assign
software to users, or assign software to computers. You can use a
combination of these methods to ensure that applications are available
to users on the network, that the software automatically repairs if it
becomes corrupted, and that updates and new revisions are installed as
appropriate.
Publishing a software installation package to
users in a site, domain, or OU enables users to use Add Or Remove
Programs in Control Panel to install the software. The Auto-Install
publishing option deploys the application when the user attempts to open
an associated document. This process is known as document invocation.
You can assign software to users on demand,
assign software to users on logon, or assign software to computers. If
you assign software to deploy on demand, it is advertised on the
desktop. The user installs the software by double-clicking the desktop
shortcut, by accessing the software through the Start menu, or by
document invocation. If Control Panel is available, the user can also
install the software through Add Or Remove Programs. You can also assign
software to users so that it installs the next time a user logs off (or
reboots the computer) and logs on again. Even if the user removes the
software, it becomes available again at logon. Updates and new versions
are automatically installed on logon.
If
you assign software to users in an OU and users in different OUs use
the same computer, then the software might be available to one user and
not to another. If you want the software to be available to all users of
a computer or group of computers, you can assign software to computers.
The software is installed when the computer powers on, and any updates
or revisions are installed on reboot. If you assign software to a
computer, the computer user cannot remove it. Only a local or domain
administrator can remove the software, although a user can repair it.
When planning the deployment of applications, you
might have to consider the automatic removal of the application if the
computer or user is reassigned. For example, the computer a manager uses
in one department is reassigned to an administrative assistant in
another department when the manager receives a newer computer. The set
of applications the manager uses might be significantly different from
the set of applications the administrative assistant uses. If you have
configured Group Policy software deployment only to install
applications, the set of applications assigned to the administrative
assistant is added to those already assigned to the manager. For
example, if the manager is assigned applications A, B, C, and D and the
administrative assistant applications C, D, E, and F, the computer now
has applications A, B, C, D, E, and F installed after reassignment. By
configuring software to be removed when the policy falls out of scope,
as shown in Figure 1,
applications A, B, C, and D are removed and applications C, D, E and F
are installed when the computer is reassigned to a new user.
When planning software deployment by using Group
Policy, it is important to remember the impact WAN bandwidth limitations
will have on deployment. If not configured properly, application
files might be pushed to clients across WAN connections, clogging them
with traffic and causing the deployment to fail. When planning software
deployments, remember that technologies such as Distributed File System
(DFS) enable you to replicate application packages to branch office
locations prior to using Group Policy to publish them. Similarly, use
Group Policy filtering to target application deployment
precisely. An excellent tool that assists you with planning
application deployment using Group Policy is the Group Policy Modeling
node of Group Policy Management Console. With this tool, you can
simulate an application deployment using Group Policy without having to
perform the actual deployment to verify its efficacy.
Planning Application Deployment with System Center Essentials
System Center Essentials (SCE) 2007 is an
application deployment solution suitable for organizations that have
fewer than 500 clients. Although this number is significantly below what
most people would consider an enterprise environment, your particular
enterprise might comprise multiple domains or forests that have fewer
than 500 clients, in which case, it makes sense to consider SCE 2007 in
your application deployment plans.
SCE 2007 provides a single solution for managing
an organization’s servers, clients, hardware, and software. The tool is
built on Windows Server Update Services (WSUS) 3.0 and requires access
to a Microsoft SQL Server database to store configuration and reporting
data. If your organization does not have a SQL Server 2005 SP2 or SQL
Server 2008 instance, the SCE 2007 installation routine installs SQL
Server Express.
An administrator can use the SCE 2007 console to
assess, configure, and deploy software to targeted groups and computers.
SCE 2007 also simplifies the task of deploying operating system
upgrades or installing application suites (for example, Office 2007) by
providing a wizard that walks you through the process of deploying
software by creating a package and targeting installation on clients and
servers in your network. You can deploy Microsoft software installation
(MSI) and non-MSI applications, drivers, and Microsoft and
non-Microsoft hotfix releases. You can target software installations by
grouping computers and defining command-line configurations.
Application deployment using SCE 2007 is
configured through a wizard that enables you to deploy .msi or .exe
packages to clients and servers within your organization. The wizard
asks you to specify the destination of the application to be deployed
and the application installation deadline. It then enables you to track installation progress and troubleshoot any problems that arise with the deployment.
SCE 2007 automates software and hardware
inventory so you can review assets, optimize configuration, and ensure
that software configurations within your organization meet compliance
requirements. You can perform searches, define filters, and generate
reports that include up-to-date lists of all installed software
applications and installed hardware. This is useful if you want to
generate hardware readiness reports for the deployment of major
applications or new operating systems.
From the perspective of planning application
deployment for large network environments, SCE 2007 sits between using
the Active Directory software deployment functionality and the greater
functionality of System Center Configuration Manager (SCCM) 2007. SCE
2007 works best for single domain environments with between 300 and 500
client computers. It is possible to deploy only one SCE 2007 server per
domain, so when planning application deployment for domains with more
than 500 clients, you will need to implement System Center Configuration
Manager 2007.
SCE 2007 can be an appropriate application
deployment solution for organizations with multiple domains but only
when the domains each have fewer than 500 client computers and software
application deployment will be managed on the domain rather than at the
organizational level. This is because SCE 2007 cannot be used in a
hierarchy, and each SCE 2007 server is essentially a standalone
solution.
Planning the Deployment of Applications by Using SCCM 2007
The Microsoft top-tier application deployment
solution is SCCM 2007. If planned correctly, you can use an SCCM 2007
installation to manage the application deployment needs of thousands of
clients across an enterprise network. This is possible because SCCM 2007
can be deployed in a hierarchy, with multiple software distribution
points across different sites. SCCM 2007 also enables you to delegate
the deployment of applications to administrators in regional offices.
SCCM 2007 is not limited to application
deployment; you can also use it to deploy server and client operating
systems and software updates. The
extensive reporting functionality of SCCM 2007 enables administrators
to meter and evaluate software usage, which is very important when you are attempting to assess which computers in an organization have a specific application already deployed.
SCCM 2007 can be configured to work with the
Windows Server 2008 Network Policy Server (NPS) to restrict network
access to computers that do not meet specified requirements, for
example, having required security updates installed. SCCM 2007 can also
be configured to perform automatic client remediation, removing
unapproved software from clients and installing any applications needed to meet
the organization’s software configuration policies.
SCCM 2007 is an agent-based solution, and you
must install the agent software on client computers before they can be
managed. You can do this automatically for client computers that are
members of the same Active Directory forest as the SCCM 2007 server.
SCCM 2007 is deployed on a per-site basis. SCCM
2007 sites can be the same as Active Directory sites or can be
independent of the Active Directory structure, so it is important to
understand that the same term can be used differently, depending on
whether it relates to SCCM 2007 or to AD DS. SCCM 2007 sites have the
following properties:
Primary site
A primary site always stores the SCCM 2007 data for itself and for all
sites below it in an SCCM hierarchy using a SQL Server database. This
database is typically located on the same local area network as the
initial SCCM 2007 server and is called the Configuration Manager 2007
site database. The first site in which SCCM 2007 is deployed is always a
primary site.
Secondary site
A secondary SCCM site has no local SQL Server database because all
configuration data is stored in the database at the primary site. The
secondary site is attached to the primary site and administered from
there. Secondary sites require no additional SCCM 2007 license and
cannot have other sites below them in the hierarchy.
Parent sites
Parent sites have other sites attached to them in a hierarchy.
Child sites
Child sites are attached to sites above them in the hierarchy. A child site can be either a primary site or a secondary site.
Central site
Central sites have no parent sites. These sites are sometimes called standalone sites.
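The site rules above can be checked mechanically before a hierarchy is built. The following is an added example, not code from the lesson or from Microsoft: it validates a planned hierarchy against the primary, secondary, parent, child and central site definitions just listed. The site names, the `Site` record and the function names are hypothetical, and both plans are constructed sample data.

```python
# Added example: validate a planned SCCM 2007 site hierarchy against the
# site rules listed above. All names and both plans are constructed.
from typing import List, NamedTuple, Optional


class Site(NamedTuple):
    name: str
    kind: str                     # "primary" or "secondary"
    parent: Optional[str] = None  # None marks a central site (no parent)


def validate_hierarchy(sites: List[Site]) -> List[str]:
    """Return rule violations; an empty list means the plan is consistent."""
    by_name = {s.name: s for s in sites}
    errors = []
    for s in sites:
        if s.kind not in ("primary", "secondary"):
            errors.append(f"{s.name}: unknown site type {s.kind!r}")
        if s.parent is None:
            # A secondary site is always attached to a primary site,
            # so it can never sit at the top of a hierarchy.
            if s.kind == "secondary":
                errors.append(f"{s.name}: secondary site has no primary site to attach to")
            continue
        parent = by_name.get(s.parent)
        if parent is None:
            errors.append(f"{s.name}: parent {s.parent!r} is not in the plan")
        elif parent.kind == "secondary":
            # Secondary sites cannot have other sites below them.
            errors.append(f"{s.name}: parent {parent.name} is a secondary site")
    return errors


def database_sites(sites: List[Site]) -> List[str]:
    """Sites that hold a site database: primary sites only."""
    return sorted(s.name for s in sites if s.kind == "primary")


def child_sites(sites: List[Site], parent_name: str) -> List[str]:
    """Sites attached directly below the named parent site."""
    return sorted(s.name for s in sites if s.parent == parent_name)


# Constructed plan: one central primary site with six secondary sites.
GOOD_PLAN = [Site("HQ", "primary")] + [
    Site(f"BRANCH{i}", "secondary", "HQ") for i in range(1, 7)
]
# Constructed plan with two mistakes: a secondary site below another
# secondary site, and a secondary site with no parent.
BAD_PLAN = [
    Site("HQ", "primary"),
    Site("BRANCH1", "secondary", "HQ"),
    Site("BRANCH2", "secondary", "BRANCH1"),
    Site("LAB", "secondary"),
]

if __name__ == "__main__":
    print(validate_hierarchy(GOOD_PLAN))
    for problem in validate_hierarchy(BAD_PLAN):
        print(problem)
```

The check does not look for cycles in the parent links; it covers only the rules stated in the list above.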
System Center Configuration Manager 2007 Client Deployment
Before you can use SCCM 2007 to deploy an
application to a computer on your network, the client computer must have
the SCCM 2007 agent software installed. You can use a number of methods to deploy this software on computer systems in your network. Table 1 lists and briefly describes these methods.
Table 1. Methods of Deploying SCCM 2007 Client
Installation Method | Description |
---|---|
Client push installation | Targets the agent to assigned resources |
Software update point installation | Installs the agent by using the SCCM 2007 software updates feature |
Group Policy installation | Installs the agent by using Group Policy |
Logon script installation | Installs the agent by means of a logon script |
Manual installation | Installs the agent manually |
Upgrade installation | Installs upgrades to the agent software by using the software distribution feature in SCCM 2007 |
Client imaging | Pre-stages the agent installation as part of an operating system image |
Deploying Applications with SCCM 2007
You can use the SCCM 2007 software distribution
functionality to push applications and updates to client computers. It
uses packages (for example, MSI packages) to deploy software
applications. Within those packages, commands known as programs tell the
client what executable file to run. A single package can contain
multiple programs. Packages can also contain command lines to run files
already present on the client. Advertisements specify which clients
receive the program and the package. The distribution of applications by
using SCCM 2007 involves creating the software distribution package,
creating programs to be included in the package, selecting package
distribution points, and then creating an advertisement for a program.
A significant difference between using SCCM 2007
and deploying applications through Group Policy is software metering,
by which administrators collect software usage data from SCCM 2007
clients. Software metering will inform you of which applications are
actively being used as well as of which applications are being
installed. This enables organizations to rationalize their software
licensing, removing applications that have been deployed but are not
used from client computers throughout the organization.
Another advantage of SCCM 2007 over traditional
software deployment methods is the ability to use a feature known as
Wake On LAN. Wake On LAN can send a wake-up transmission prior to the
configured deadline for a software deployment. This enables deployment
of applications to computers when their users are not present rather
than waiting for installation to proceed when the user first logs on in
the morning.
Practice: Planning Application Deployment
The Wingtip Toys Active Directory infrastructure
consists of three forests, each of which shares a forest trust. As
enterprise administrator, you are responsible for planning the software
deployment infrastructure for all three forests, although the actual
software deployment tasks will be carried out by systems administrators
who report directly to you and who have administrative rights only at
the forest level.
The wingtiptoys.internal
forest consists of 20 Active Directory domains, each of which has
between 400 and 1,000 computer accounts. These 20 domains are spread
across seven Active Directory sites. No domain spans more than a single
site. Because of the large number of clients in this forest, the Chief
Information Officer (CIO) has asked that application usage be strictly
monitored to ensure that only applications that are used are deployed to
computers within the organization. All application deployment and
configuration data should be stored centrally. Application deployment
will also be handled by administrators in the wingtiptoys.internal forest root domain and will not be handled by staff at individual sites.
The wingtiptoys.development
forest consists of five Active Directory domains, one for the
development department in each regional head office. Each domain has
between 400 and 450 computer accounts and a maximum of 20 servers. Each
domain is deployed at a single Active Directory site.
The wingtiptoys.design
forest consists of a single-site Active Directory domain with 150
computer accounts. It is necessary to deploy several custom applications
that are not in Microsoft Installer format to all computers in the wingtiptoys.design domain.
Where possible, the technology with the lowest
cost should be used. Assume that it costs the least to use software
deployment through Group Policy and the most to use SCCM 2007. Although
it will be necessary in some instances to deploy third-party
applications, your application deployment plans should avoid tools and
deployment mechanisms that use third-party products.
▸ Exercise Plan the Appropriate Application Deployment Technology
In this exercise, you will review the business
and technical requirements as a precursor to planning an application
deployment strategy for the various divisions of Wingtip Toys.
1. Which application deployment method would be most appropriate for use in the wingtiptoys.design forest and why?
SCE 2007 is the most appropriate to use in the wingtiptoys.design
forest. The forest has a single domain, fewer than 500 client
computers, and a requirement to install software packages that are not
in MSI format. Software packages that are not in MSI format cannot be
deployed using standard Group Policy software deployment tools. Some
technologies allow conversion of third-party applications to MSI format,
but the business and technical requirements specify that these must be
avoided. You can learn more about creating MSI packages for third-party
products by accessing the following link: http://support.microsoft.com/default.aspx/kb/257718.
2. Which application deployment infrastructure plans would you make for the wingtiptoys.internal forest? Include information about the infrastructure that will be deployed at each Active Directory site.
Deploy an SCCM 2007 primary site at the wingtiptoys.internal forest root site. Application deployment will be managed from here. This site will also host the SCCM configuration database.
Deploy an SCCM 2007 secondary site at the other six Active Directory sites so
that application deployment can be managed centrally from the primary
site.
Configure SCCM 2007 software metering to monitor application usage.
3. Under what circumstances would it be necessary to use SCCM 2007 rather than
SCE 2007 as an application deployment solution for the wingtiptoys.development forest?
You would use SCCM 2007 rather than
SCE 2007 when administration needs to be performed in a top-down manner.
SCE 2007 is limited to 500 clients, which means it would be necessary
to deploy an SCE 2007 server in each domain for application deployment,
each of which would be managed on an individual basis.
It would be necessary to use SCCM 2007 if the number of clients in each
domain grows to more than 500. Each SCE 2007 instance can be used to
deploy applications to a maximum of only 500 client computers.
It would be necessary to use SCCM 2007 if centralized reporting for the
entire forest was necessary. SCE 2007 can perform reports only for the
clients it manages. SCCM 2007 reports could be generated for every client in the
forest.