Lesson 2: Designing Application Deployment
A constant challenge for enterprise administrators in large organizations is ensuring that staff members within the organization have access to the specific applications they need to perform their job functions but not to applications they do not need. Just as a missing application costs the organization money in terms of lost productivity, an installed application that is never used costs the organization money in terms of licensing fees. In this lesson, you learn about three application deployment technologies that can simplify the rollout of important productivity software to users in your enterprise environment. You learn the benefits and drawbacks of each method and which of these solutions is appropriate for a given situation or network environment.
Designing Application Deployment using Group Policy
As an enterprise administrator, you are aware that Group Policy enables you to publish software to users, assign software to users, or assign software to computers. You can use a combination of these methods to ensure that applications are available to users on the network, that the software automatically repairs if it becomes corrupted, and that updates and new revisions are installed as appropriate.
Publishing a software installation package to users in a site, domain, or OU enables users to use Programs and Features in Control Panel to install the software. The Auto-Install publishing option deploys the application when the user attempts to open an associated document. This process is known as document invocation.
You can assign software to users on demand, assign software to users on logon, or assign software to computers. If you assign software to deploy on demand, it is advertised on the desktop. The user installs the software by double-clicking the desktop shortcut, by accessing the software through the Start menu, or by document invocation. If Control Panel is available, the user can also install the software through Programs and Features. You can also assign software to users so that it installs the next time a user logs off (or reboots the computer) and logs on again. Even if the user removes the software, it becomes available again at logon. Updates and new versions are automatically installed at logon.
If you assign software to users in an OU and users in different OUs use the same computer, then the software might be available to one user and not to another. If you want the software to be available to all users of a computer or group of computers, you can assign software to computers. The software is installed when the computer powers on, and any updates or revisions are installed on reboot. If you assign software to a computer, the computer user cannot remove it. Only a local or domain administrator can remove the software, although a user can repair it.
When planning the deployment of applications, you might have to consider the automatic removal of the application if the computer or user is reassigned. For example, the computer a manager uses in one department is reassigned to an administrative assistant in another department when the manager receives a newer computer. The set of applications the manager uses might be significantly different from the set of applications the administrative assistant uses. If you have configured Group Policy software deployment just to install applications, the set of applications assigned to the administrative assistant is added to those already assigned to the manager. For example, if the manager is assigned applications A, B, C, and D and the administrative assistant is assigned applications C, D, E, and F, the computer now has applications A, B, C, D, E, and F installed after reassignment. By configuring software to be removed when the policy falls out of scope, as shown in Figure 7-8, applications A, B, C, and D are removed and applications C, D, E, and F are installed when the computer is reassigned to a new user.
Figure 7-8. Ensuring that applications are removed when they fall out of scope
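The reassignment scenario above as a small simulation, added here as an illustration (it is not from the book and is not how Windows implements policy processing). The GPO names Managers-Apps and Assistants-Apps, the Deployment type, and the function names are assumptions. The simulation also reports applications left on the computer that no in-scope policy assigns.

```python
# Added illustration: a simplified model of Group Policy software assignment.
# GPO names and all type/function names are assumptions made for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    gpo: str                   # GPO that assigns the package (hypothetical name)
    app: str                   # application label used in the text (A-F)
    remove_out_of_scope: bool  # the "remove when the policy falls out of scope" setting


def refresh(installed, in_scope_gpos, deployments):
    """Apply one policy refresh; returns (new_installed, removed, added)."""
    in_scope = {d for d in deployments if d.gpo in in_scope_gpos}
    # A deployment is removed only when its GPO no longer applies
    # AND it was configured for removal when out of scope.
    removed = {d for d in installed
               if d.gpo not in in_scope_gpos and d.remove_out_of_scope}
    added = in_scope - installed
    return (installed - removed) | added, removed, added


def apps(deps):
    """Sorted, de-duplicated application labels for a set of deployments."""
    return sorted({d.app for d in deps})


def orphaned_apps(installed, in_scope_gpos):
    """Applications still present that no in-scope GPO assigns."""
    covered = {d.app for d in installed if d.gpo in in_scope_gpos}
    return sorted({d.app for d in installed} - covered)


def reassign(remove_flag):
    """Manager's computer is handed to an administrative assistant."""
    deployments = (
        [Deployment("Managers-Apps", a, remove_flag) for a in "ABCD"]
        + [Deployment("Assistants-Apps", a, remove_flag) for a in "CDEF"]
    )
    # First refresh: the computer is in scope of the manager's policy.
    state, _, _ = refresh(set(), {"Managers-Apps"}, deployments)
    # Second refresh: only the assistant's policy applies.
    state, removed, added = refresh(state, {"Assistants-Apps"}, deployments)
    return {
        "present": apps(state),
        "removed": apps(removed),
        "added": apps(added),
        "orphaned": orphaned_apps(state, {"Assistants-Apps"}),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("remove when out of scope =", flag, reassign(flag))
```

Without the removal setting, applications A and B stay on the computer even though nothing in scope assigns them, which is the leftover software the setting is meant to prevent.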
When planning software deployment using Group Policy, it is important to remember the impact WAN bandwidth limitations will have on deployment. If not configured properly, application files might be pushed to clients across WAN connections, clogging them with traffic and causing the deployment to fail. When planning software deployments, remember that technologies such as distributed file system (DFS) enable you to replicate application packages to branch office locations prior to using Group Policy to publish them. Similarly, use Group Policy filtering to target application deployment precisely when using Group Policy. An excellent tool that assists you with planning application deployment using Group Policy is the Group Policy Modeling node of the Group Policy Management Console. With this tool, you can simulate an application deployment using Group Policy without having to perform the actual deployment to verify its efficacy.
Group Policy is another way to deploy applications configured as a RemoteApp. Applications added as a RemoteApp within the RemoteApp Manager can then be made into an .msi file for distribution using one of the previously discussed methods of application deployment for Group Policy. The user’s desktop or Start menu can be populated with these applications published as RemoteApps. The user does not need to wait for long installation routines because the only options necessary for the deployment as a RemoteApp are where the application will be deployed and whether the application will be configured for document invocation. This allows the RemoteApp to be associated with various extensions of documents that, when selected by the user on the remote client, will open up the associated RemoteApp. The user will feel as if the application was installed locally.
Planning Application Deployment with System Center Essentials
System Center Essentials 2010 is an application deployment solution suitable for organizations that have fewer than 500 clients. Although this number is significantly below what most people would consider an enterprise environment, your particular enterprise might include multiple domains or forests that have fewer than 500 clients, in which case it makes sense to consider System Center Essentials 2010 in your application deployment plans. A migration path to Microsoft System Center Configuration Manager 2007 is also available for organizations that grow beyond the management limits of 50 servers and 500 clients.
System Center Essentials 2010 provides a single-server solution for managing an organization’s servers, clients, hardware, and software. The tool provides an upgrade from Windows Server Update Services (WSUS) 2.0 or 3.0 and requires access to a Microsoft SQL Server database to store configuration and reporting data. If your organization does not have a SQL Server 2008 instance, the System Center Essentials 2010 installation routine installs SQL Server 2008 Express Edition as well as its own instance (not shared) of SQL Server Reporting Services.
An administrator can use the System Center Essentials 2010 console to assess, configure, and deploy software to targeted groups and computers. System Center Essentials 2010 also simplifies the task of deploying operating system upgrades or installing application suites (for example, Office 2010) by providing a wizard that walks you through the process of deploying software by creating a package and targeting installation on clients and servers in your network. You can deploy Microsoft software installation (MSI) and non-MSI applications, drivers, and Microsoft and non-Microsoft hotfix releases. You can target software installations by grouping computers and defining command-line configurations.
Application deployment using System Center Essentials 2010 is configured through a wizard that enables you to deploy .msi or .exe packages to clients and servers within your organization. The wizard asks you to specify the destination of the application to be deployed and the application installation deadline. It then enables you to track installation progress and troubleshoot any problems that arise with the deployment.
Application deployment requires that the computers have an installed agent for management and be configured for Automatic Updates. To deploy the software packages, a computer group consisting of managed computers is required. The installation schedule for the package deployment is dependent on the configuration of Automatic Updates on the managed computers. Application packages can be installed automatically, on approval to download the application package via a notification from Automatic Updates, or any time a notification is given that the download of the package is complete and that the local user is configured to provide a manual installation of any software approved and downloaded through Automatic Updates. All of these options are consistent with the different configuration options for Automatic Updates. Automatic Updates configuration can also be controlled through System Center Essentials 2010.
System Center Essentials 2010 automates software and hardware inventory so you can review assets and optimize configuration and ensure that software deployed within your organization meets compliance requirements. You can perform searches, define filters, and generate reports that include up-to-date lists of all installed software applications and installed hardware. This is useful if you want to generate hardware readiness reports for the deployment of major applications or new operating systems.
From the perspective of planning application deployment for large network environments, System Center Essentials 2010 sits between using the Active Directory software deployment functionality and the greater functionality of System Center Configuration Manager 2007. System Center Essentials 2010 works best for single-domain environments with between 300 and 500 client computers. It is possible to deploy only one System Center Essentials 2010 server per domain, so when planning application deployment for domains with more than 500 clients, you will need to implement System Center Configuration Manager 2007.
System Center Essentials 2010 can be an appropriate application deployment solution for organizations with multiple domains, but only when the domains each have fewer than 500 client computers and software application deployment will be managed at the domain rather than at the organizational level. This is because System Center Essentials 2010 cannot be used in a hierarchy and each System Center Essentials 2010 server is essentially a stand-alone solution.
Planning the Deployment of Applications Using System Center Configuration Manager 2007
The Microsoft top-tier application deployment solution is System Center Configuration Manager 2007. If planned correctly, you can use a System Center Configuration Manager 2007 installation to manage the application deployment needs of thousands of clients across an enterprise network. This is possible because System Center Configuration Manager 2007 can be deployed in a hierarchy, with multiple software distribution points across different sites. System Center Configuration Manager 2007 also enables you to delegate the deployment of applications to administrators in regional offices.
System Center Configuration Manager 2007 is not limited to application deployment; you can also use it to deploy server and client operating systems and software updates. The software update functionality of System Center Configuration Manager 2007 is covered in more detail in Chapter 11, “Designing a Software Update Infrastructure and Managing Compliance.” The extensive reporting functionality of System Center Configuration Manager 2007 enables administrators to meter and evaluate software usage, which is very important when you are attempting to assess which computers in an organization have a specific application already deployed.
System Center Configuration Manager 2007 can be configured to work with the Windows Server 2008 R2 Network Policy Server to restrict network access to computers that do not meet specified requirements, for example, when installing required security updates. System Center Configuration Manager 2007 can also be configured to perform automatic client remediation, removing unapproved software from clients and installing applications to meet the organization’s software configuration policies.
System Center Configuration Manager 2007 is an agent-based solution, and you must install the agent software on client computers before they can be managed. You can do this automatically for client computers that are members of the same Active Directory forest as the System Center Configuration Manager 2007 server.
System Center Configuration Manager 2007 is deployed on a per-site basis. System Center Configuration Manager 2007 sites can be the same as Active Directory sites or can be independent of the Active Directory structure, so it is important to understand that the same term can be used differently, depending on whether it relates to System Center Configuration Manager 2007 or to AD DS. System Center Configuration Manager 2007 sites have the following properties:
Primary site: A primary site always stores the System Center Configuration Manager 2007 data for itself and for all sites below it in a System Center Configuration Manager hierarchy using a SQL Server database. This database is typically located on the same local area network as the initial System Center Configuration Manager 2007 server and is called the Configuration Manager 2007 site database. The first site in which System Center Configuration Manager 2007 is deployed is always a primary site.
Secondary site: A secondary System Center Configuration Manager site has no local SQL Server database because all configuration data is stored in the database at the primary site. The secondary site is attached to the primary site and administered from the primary site. Secondary sites require no additional System Center Configuration Manager 2007 license and cannot have other sites below them in the hierarchy.
Parent sites: Parent sites have other sites attached to them in a hierarchy.
Child sites: Child sites are attached to sites above them in the hierarchy. A child site can be either a primary site or a secondary site.
Central site: Central sites have no parent sites. These sites are sometimes called standalone sites.
System Center Configuration Manager 2007 Client Deployment
Before you can use System Center Configuration Manager 2007 to deploy an application to a computer on your network, the client computer must have the System Center Configuration Manager 2007 agent software installed. You can use a number of methods to deploy this software on computer systems in your network. Table 7-1 lists and briefly describes these methods.
Table 7-1. Methods of Deploying System Center Configuration Manager 2007 Client
Client push installation: Targets the agent to assigned resources
Software update point installation: Installs the agent by using the System Center Configuration Manager 2007 software updates feature
Group Policy installation: Installs the agent by using Group Policy
Logon script installation: Installs the agent by means of a logon script
Installs the agent manually
Installs upgrades to the agent software by using the software distribution feature in System Center Configuration Manager 2007
Prestages the agent installation as part of an operating system image
Deploying Applications with System Center Configuration Manager 2007
You can use the System Center Configuration Manager 2007 software distribution functionality to push applications and updates to client computers. It uses packages (for example, MSI packages) to deploy software applications. Within those packages, commands known as programs tell the client what executable file to run. A single package can contain multiple programs. Packages can also contain command lines to run files already present on the client. Advertisements specify which clients receive the program and the package. The distribution of applications using System Center Configuration Manager 2007 involves creating the software distribution package, creating programs to be included in the package, selecting package distribution points, and then creating an advertisement for a program.
A significant difference between using System Center Configuration Manager 2007 and deploying applications through Group Policy is software metering, by which administrators collect software usage data from System Center Configuration Manager 2007 clients. Software metering will inform you of which applications are actively being used as well as which applications are being installed. This enables organizations to rationalize their software licensing, removing applications that have been deployed but are not used from client computers throughout the organization.
Another advantage of System Center Configuration Manager 2007 over traditional software deployment methods is the ability to use a feature known as Wake On LAN. Wake On LAN can send a wake-up transmission prior to the configured deadline for a software deployment. This enables deployment of applications to computers when their users are not present rather than waiting for installation to proceed when the user first logs on.
Practice: Planning Application Deployment
The Wingtip Toys Active Directory infrastructure consists of three forests, each of which shares a forest trust. As enterprise administrator, you are responsible for planning the software deployment infrastructure for all three forests, although the actual software deployment tasks will be carried out by systems administrators who report directly to you and who have administrative rights only at the forest level.
The wingtiptoys.internal forest consists of 20 Active Directory domains, each of which has between 400 and 1,000 computer accounts. These 20 domains are spread across seven Active Directory sites. No domain spans more than a single site. Because of the large number of clients in this forest, the chief information officer has asked that application usage be strictly monitored to ensure that only applications that are used are deployed to computers within the organization. All application deployment and configuration data should be stored centrally. Application deployment will also be handled by administrators in the wingtiptoys.internal forest root domain and will not be handled by staff at individual sites.
The wingtiptoys.development forest consists of five Active Directory domains, one for the development department in each regional head office. Each domain has between 400 and 450 computer accounts and a maximum of 20 servers. Each domain is deployed at a single Active Directory site.
The wingtiptoys.design forest consists of a single-site Active Directory domain with 150 computer accounts. It is necessary to deploy several custom applications that are not in MSI format to all computers in the wingtiptoys.design domain.
Where possible, the technology with the lowest cost should be used. Assume that it costs the least to use software deployment through Group Policy and the most to use System Center Configuration Manager 2007. Although it will be necessary in some instances to deploy third-party applications, your application deployment plans should avoid tools and deployment mechanisms that use third-party products.
EXERCISE Plan the Appropriate Application Deployment Technology
In this exercise, you review the business and technical requirements as a precursor to planning an application deployment strategy for the various divisions of Wingtip Toys.
Which application deployment method would be most appropriate for use in the wingtiptoys.design forest, and why?
System Center Essentials 2010 is the most appropriate for use in the wingtiptoys.design forest. The forest has a single domain, fewer than 500 client computers, and the necessity to install software packages that are not in MSI format. Software packages that are not in MSI format cannot be deployed using standard Group Policy software deployment tools. Some technologies allow conversion of third-party applications to MSI format, but the business and technical requirements specify that these must be avoided. You can learn more about creating MSI packages for third-party products by accessing the following link: http://support.microsoft.com/default.aspx/kb/257718.
Which application deployment infrastructure plans would you make for the wingtiptoys.internal forest? Include information about the infrastructure that will be deployed at each Active Directory site.
Deploy a System Center Configuration Manager 2007 primary site at the wingtiptoys.internal forest root site. Application deployment will be managed from here. This site will also host the System Center Configuration Manager 2007 configuration database.
Deploy a System Center Configuration Manager 2007 secondary site at the other six Active Directory sites so that application deployment can be managed centrally from the primary site.
Configure System Center Configuration Manager 2007 software metering to monitor application usage.
Under what circumstances would it be necessary to use System Center Configuration Manager 2007 rather than System Center Essentials 2010 as an application deployment solution for the wingtiptoys.development forest?
You would use System Center Configuration Manager 2007 rather than System Center Essentials 2010 when administration needs to be performed in a top-down manner. System Center Essentials 2010 is limited to 500 clients, which means it would be necessary to deploy a System Center Essentials 2010 server in each domain for application deployment, each of which would be managed on an individual basis.
It would be necessary to use System Center Configuration Manager 2007 if the number of clients in each domain grows to more than 500. Each System Center Essentials 2010 instance can be used to deploy applications to a maximum of only 500 client computers.
It would be necessary to use System Center Configuration Manager 2007 if centralized reporting for the entire forest is necessary. System Center Essentials 2010 can perform reports only for the clients it manages. System Center Configuration Manager 2007 reports could be generated for every client in the forest.
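The limits stated in this lesson, applied to the three Wingtip Toys forests as an added example (it is not from the book and is not a Microsoft tool). The Forest fields and flag names are assumptions, server counts the scenario does not state are left unset, and treating software metering as available only in Configuration Manager follows how this lesson describes it.

```python
# Added illustration: encodes the limits this lesson states for each technology.
# All class, field and function names are assumptions made for this example.
from dataclasses import dataclass
from typing import Optional

GROUP_POLICY = "Group Policy software deployment"
SCE = "System Center Essentials 2010"
SCCM = "System Center Configuration Manager 2007"
COST_ORDER = [GROUP_POLICY, SCE, SCCM]  # cheapest first, per the practice scenario

SCE_MAX_CLIENTS = 500  # per Essentials server, and only one server per domain
SCE_MAX_SERVERS = 50


@dataclass
class Forest:
    name: str
    domain_count: int
    max_clients_per_domain: int
    max_servers_per_domain: Optional[int] = None  # None = not stated in the scenario
    non_msi_packages: bool = False   # packages that are not in MSI format
    reporting: bool = False          # any deployment reporting is required
    usage_metering: bool = False     # application usage must be monitored
    forest_wide: bool = False        # management/reporting must span every domain


def blockers(f):
    """Map each technology to the stated limits that rule it out for forest f."""
    out = {tech: [] for tech in COST_ORDER}
    if f.non_msi_packages:
        out[GROUP_POLICY].append("deploys MSI packages only")
    if f.reporting or f.usage_metering:
        out[GROUP_POLICY].append("no reporting functionality")
    if f.max_clients_per_domain > SCE_MAX_CLIENTS:
        out[SCE].append("a domain exceeds %d clients" % SCE_MAX_CLIENTS)
    if (f.max_servers_per_domain is not None
            and f.max_servers_per_domain > SCE_MAX_SERVERS):
        out[SCE].append("a domain exceeds %d servers" % SCE_MAX_SERVERS)
    if f.forest_wide and f.domain_count > 1:
        out[SCE].append("stand-alone server per domain, no hierarchy")
    if f.usage_metering:
        # Assumption: the lesson attributes software metering to Configuration Manager.
        out[SCE].append("software metering described only for Configuration Manager")
    return out


def eligible(f):
    """Technologies with no blockers, cheapest first."""
    b = blockers(f)
    return [tech for tech in COST_ORDER if not b[tech]]


# The three forests from the practice scenario (worst-case counts per domain).
INTERNAL = Forest("wingtiptoys.internal", 20, 1000, reporting=True,
                  usage_metering=True, forest_wide=True)
DEVELOPMENT = Forest("wingtiptoys.development", 5, 450, max_servers_per_domain=20)
DESIGN = Forest("wingtiptoys.design", 1, 150, non_msi_packages=True)

if __name__ == "__main__":
    for forest in (INTERNAL, DEVELOPMENT, DESIGN):
        print(forest.name, "->", eligible(forest))
        for tech, reasons in blockers(forest).items():
            for reason in reasons:
                print("   ", tech, "ruled out:", reason)
```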
Group Policy software deployment enables applications prepared as MSI packages to be distributed to clients by linking GPOs.
Group Policy software deployment provides no reporting functionality.
You can target deployments by using GPO filtering.
System Center Essentials 2010 can be used to perform application deployment and reporting, but it is limited to 500 clients.
System Center Essentials 2010 deployment can be targeted to specific computers or users irrespective of OU membership.
Only one System Center Essentials 2010 server can be installed in an Active Directory domain.
System Center Configuration Manager 2007 can perform sophisticated application deployment and reporting and has no client limitation.
Like System Center Essentials 2010, System Center Configuration Manager 2007 can target specific computers or users for application deployment irrespective of OU membership.
Software metering enables administrators to rationalize application software licensing.
You can use the following questions to test your knowledge of the information in Lesson 2, “Designing Application Deployment.” The questions are also available on the companion CD if you prefer to review them in electronic form.
You are planning an application deployment strategy for a single domain forest that has 600 client computers spread across five Active Directory sites. Which of the following technologies can you use to deploy applications to all client computers in this environment? (Choose two. Each correct answer forms a complete solution.)
Group Policy software deployment
System Center Essentials 2010
System Center Operations Manager 2007
System Center Configuration Manager 2007
System Center Virtual Machine Manager 2007
You are planning to use Group Policy software deployment to deploy several important applications to client computers on your organization’s network. Before performing the actual deployment, you want to verify that the Group Policy configuration will behave in the planned manner. Which of the following tools can you use to verify that the application deployment strategy has been correctly configured prior to application rollout?
Group Policy Results
Group Policy Modeling
Active Directory Users and Computers
Active Directory Sites and Services
You are planning the deployment of an important computer-aided design (CAD) application to a select group of users within your organization. You need to ensure that the application will be removed from the users’ computers if they are transferred to another department and their user accounts are moved to a new OU within the Active Directory structure. Which of the following plans should you make?
Plan to use the Published, rather than Assigned, deployment type.
Plan to use the Ignore Language When Deploying This Package advanced deployment option when configuring the software deployment.
Plan to use the Install This Application At Logon option when configuring software deployment.
Plan to use the Uninstall The Application When It Falls Out Of The Scope Of Management option when configuring software deployment.
As part of your application deployment plans, you want to review application deployment every six months to ensure that your organization is using software licenses efficiently. You want to locate those computers in your organization that have unused applications. Which of the following tools enables you to accomplish this?
System Center Configuration Manager 2007
Windows Server Update Services 3.0 SP1
Group Policy Management Console
Active Directory Users and Computers