ZENworks/ZCM:ZENworks Configuration Management 11
- 1 What Is ZCM?
- 2 Overview
- 3 Basic Concepts
- 4 BASIC INSTALLATION
- 5 INFORMATION and NOTES
- 5.1 User Sources
- 5.2 Database Information
- 5.3 Imaging
- 5.4 File Locations of Useful Programs
- 5.5 Inventory
- 5.6 Server-Backend Configuration Options
- 6 LOGS and TROUBLESHOOTING
- 7 FAQ and Technical Documents
What Is ZCM?
ZCM is the "third" generation of ZENworks management. The first generation encompassed versions 1.x and 2, the second generation covered 3.0, 4.0, 6, 6.5 and 7, and the third generation starts with ZCM10 and now ZCM11.
ZCM is a full solution for the full lifecycle management of a Windows workstation, from initial imaging to deploying applications (bundles), policies (Group Policies, Dynamic Local User etc.), asset inventory and management/reconciliation of licencing and more.
ZCM supports Windows and Linux server platforms, and all currently supported Windows desktop environments (XP, Vista and Windows 7), some Linux Desktops and Macintosh (10.5 and higher). Note: Macintosh is supported in ZCM 11 SP2.
ZCM consists of a zone. There is usually only one zone per organisation, as each zone is a discrete security boundary and cannot be linked to another. For a zone, think an eDirectory tree, GroupWise System, Active Directory forest or DNS domain - it's a similar concept. The zone is managed via the ZENworks Control Center (ZCC), which is a web based management tool to manage bundles, policies, devices, inventory etc. ZCM brings Asset Management and Patch Management into the main database and console, to provide a single point of administration for organisations.
ConsoleOne is not a management tool for ZENworks Configuration Management (ZCM).
ZENworks Primary Server
ZCM also consists of one or more Primary servers. The first Primary server into the zone also acts as the Certificate Authority (CA) for the zone, which is very important when considering how managed devices contact Primaries for information. The Primary Server may run on Windows Server 2003 and 2008, or SUSE Linux Enterprise Server 10 or 11, each with the latest support pack. When deciding which server platform to use for Primary servers, performance is about the same. You should think about which platform you are more comfortable with in terms of day-to-day management, backups and disaster recovery. Licencing issues may also play a part in the decision. There is also a ZCM Appliance for the version being installed, which is supplied in .ova format for virtual machines. It is built in SUSE Studio and creates a ZCM Primary Server Appliance that is easy to install and ready within minutes of installation.
The Primary server also hosts a compressed and encrypted file store known as the content repository. This repository is used to store such things as bundle content, Windows group policies, inventory scans and patch bundles for ZENworks Patch Management.
Each Primary server manages its own content repository, and repositories cannot be shared between Primaries. It is possible however to re-locate the content repository to remote storage such as a SAN, NAS or other location. Also, repository content is automatically mirrored (or replicated) between Primary servers for performance and fault tolerance.
ZENworks Database Server
The database server is generally a stand alone server running Windows or Linux and a choice of database from MS-SQL 2008, Oracle 11g or the supplied Sybase ASA database. The database server does not generally run any ZENworks services, unless the embedded Sybase option was selected with the initial Primary server for the zone.
In general terms, for large zones of over 500 managed devices, Oracle or MS-SQL 2008 is the preferred solution as it will scale much better. For deployments of under 500 workstations, the embedded Sybase option can be used (this can scale further by moving the database off the initial Primary server onto a dedicated server running no ZCM services).
Satellite servers are managed devices that are "promoted" to provide support for authentication, inventory rollup and imaging. Generally, Satellites are used at remote sites or branch offices where a slow link back to the data centre is in play. Satellites can help by keeping content local to the users who consume it, and prevent the slow link being saturated with bundle replication and authentication requests. Inventory rollups may also be scheduled to run at a prescribed time interval, thus further alleviating strain on the link to the data centre.
Managed Devices are Macintosh, Linux (supported) or Windows workstations running the ZCM Adaptive Agent (ZAA), which is a modular agent on the client with in-built functionality for policy management, patch management, asset management and others. It communicates back to Primary servers using the HTTP and HTTPS protocols, over standard ports 80 and 443 (by default).
ZCM may also optionally use LDAP directories as user sources, meaning that user accounts for ZCM do not have to be created and managed separately. Current supported user sources include eDirectory and Active Directory. The zone links to the user source by way of secure LDAP.
ZCM 11 brought in the capability to detect the location from which the device is connected. This allows different bundles/policies to be presented depending on the location, to protect the device (i.e. within the corporate network, VPN'd into the corporate network, or outside on shared Wi-Fi).
ZENworks Reporting Server
ZCM also ships with an optional Reporting Server, which is a BusinessObjects Enterprise reporting engine, customised for use with ZCM. ZRS sits on top of a ZCM Primary server, and allows the organisation to report on any facet of their ZCM environment, from bundle deployment and usage to the number of devices in the zone, devices retired etc. Additional Reports can be found here on the ZRSLibrary Site on Cool Solutions.
In ZCM 11 application objects (known in ZDM 7 and before) have been replaced with the term "Bundles". For those of us that are new to ZENworks, Bundles are a compilation of files, scripts, or actions that should be performed. These actions could be performed when a user authenticates to a workstation, when a workstation boots, or when a user clicks an icon.
Depending on the bundle type, "Action Sets" may also be configured to copy files to a location, run an installer and delete the files again. Different action sets may also be configured for Distribute, Launch, Deploy, Verify, Uninstall and Terminate, making bundle management highly flexible and very powerful.
Troubleshooting information can be found at ZCM Bundle Troubleshooting
For ZCM customers coming from a legacy ZDM background, policy management is very much the same as it was previously. Dynamic Local User, Bookmarks, Windows Group, Power Management Policies, etc. all form part of ZCM policy management and are managed from ZCC. ZCM 11 introduced EndPoint Security Policies. These are further policies controlled at the endpoint, such as Application Control, Firewall, Communication Hardware, Data Encryption, Location Assignment, Scripting, Security, USB Management, VPN and WiFi Policies.
As mentioned previously, ZCM can manage its own database of users, but in an enterprise scale deployment, it's more likely you would utilise an existing directory such as eDirectory or Active Directory. ZCM has no requirement for existing Novell solutions, and can (and does) work very well in a pure Microsoft environment.
As well as leveraging existing directory users, groups may also be harnessed to target bundles and policies, thus reducing administrative overhead still further.
Previously, ZPM was a standalone product that was not part of the core ZDM suite and was managed as its own silo. In ZCM, Patch Management is brought into the content repository and patch bundle information is stored in the ZCM database. This again reduces administrative overhead and means that each managed device no longer needs a separate ZPM agent, as patch management is a core part of the ZAA.
It is also important to keep in mind that ZPM does not only deploy Windows and Office suite patches, but also patches for products such as QuickTime, Flash and Adobe Reader, etc. So it isn't simply a replacement for WSUS; it's a lot more powerful.
Previous versions of ZENworks relied on administrators updating all software pieces by hand. In ZCM, this is no longer required. From ZCC, an administrator may now download a patch from Novell and apply it to any and all devices in the zone by means of "push". This means that managed devices will be updated automatically, as soon as the administrator approves the update.
When Primary servers are built from the latest full version update (for example 11.2) and the zone is baselined at version 11.2, the Primary joins the zone at 11.2 and automatically detects the newer software and updates itself accordingly.
Installation and deployment of Brimstone are two separate, distinct administrative activities.
Typically installation is only required once within any Management Zone to establish the first Primary Server. Once this activity is completed the process of expanding the Management Zone is done using deployment tasks accessed from the ZENworks Control Center (ZCC).
Installation results in the creation of the first Primary Server in a particular Management Zone. This is done by executing an installation process available on DVD or download.
The installation process performs the following operations:
* Copies all programs and files to the local server for that server to function as a Primary Server.
* Starts all processes found on a Primary Server.
* Copies all programs and files to the local server for that server to become a Managed Device.
* Starts all processes for the server to become a Managed Device.
* Copies all files required for future installation of any other Zone Server and/or Managed Device.
After the installation process is complete the media used to perform the installation is no longer required for that Management Zone.
On the installation server, insert the Novell ZENworks 11 Configuration Management with Service Pack 1a installation DVD.
For Windows, the installation page where you can select the language is displayed. If it is not automatically displayed after inserting the DVD, run setup.exe from the root of the DVD.
For Linux, mount the DVD, then run sh /media/cdrom/setup.sh. Using the sh command resolves rights issues.
INFORMATION and NOTES
Multiple LDAP servers can be configured for a single Directory. The directory would be Active Directory or eDirectory. Multiple LDAP servers allow for load balance and fault tolerance.
Novell has included a sample configuration file. Please see ZCM User Sources for more information and troubleshooting information.
Database authentication information can be found in the following places. This is the information that ZCM uses to authenticate to the external database.
Additional information, troubleshooting, moving databases, etc. can be found in the ZCM 11 Administration Guide.
How to modify, split, and interact with OS images created by ZCM can be found at ZCM Image Explorer
As in previous versions of ZENworks, utilities are provided both for the command line and the Windows GUI to clear or edit the Image Safe Data. Some of you may not know, so I will explain the Image Safe Data. Image Safe Data, sometimes referred to as ZENworks Image Safe Data (ZISD), stores information about the device and its location in eDirectory (ZFD7x and older) or the ZCM management system. The information contains device name, IP address information, and GUID information.
See more information about Image Safe Data Here
File Locations of Useful Programs
Image Boot CD
This CD Image can be used to boot into imaging instead of using PXE Boot.
ZEN Cache, Bundle Cache
The ZEN Cache holds information about bundles and settings. In the ZDM days, this was known as the NALCACHE. This directory exists on every managed device.
I suppose I should say something about it then, if it's so great.
Collecting Information for Local Products
ZCM Inventory contains functionality to collect information about files and programs that Novell does not know about. With this information products can be created to better manage this information. These Local Products become inventory information like "Microsoft Office", "Microsoft Excel".
Server-Backend Configuration Options
You can control the address that the ZCM server listens on
By default, the ZCM server listens on all IP addresses bound to the server host. By modifying the server.xml configuration file and adding an address="IP_address" option, the ZCM server will listen only on this address.
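The following check is an added example, not part of the original page or of Novell's tooling: it reports which listeners in a server.xml still accept connections on every interface. It assumes the file uses Tomcat-style `<Connector>` elements carrying `port` and `address` attributes; the sample XML and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not a real ZCM file): one connector left at the
# default (no address attribute) and one pinned to a single address.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               address="192.0.2.10"/>
  </Service>
</Server>
"""

# A missing/empty address, or an explicit wildcard, means "all interfaces".
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_connectors(xml_text):
    """Return one finding per <Connector>: port, address, wildcard flag."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        address = (conn.get("address") or "").strip()
        findings.append({
            "port": conn.get("port", "?"),
            "address": address or None,
            "all_interfaces": address in ALL_INTERFACES,
        })
    return findings


def unrestricted_ports(xml_text):
    """Ports whose connector is not bound to one specific address."""
    return [f["port"] for f in audit_connectors(xml_text) if f["all_interfaces"]]


if __name__ == "__main__":
    # Pass a path to a real server.xml, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    for f in audit_connectors(text):
        state = "ALL INTERFACES" if f["all_interfaces"] else f["address"]
        print(f"port {f['port']}: listens on {state}")
```

Run it against a copy of server.xml before and after adding the address option; a port that still shows ALL INTERFACES after the loader restart was not covered by the change.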
LOGS and TROUBLESHOOTING
Server-Side Logs Loader Logs
The loader handles almost all messages and acts as the primary service for most all functions.
On Linux, the loader-messages.log is located here
/var/opt/novell/log/zenworks/loader-messages.log
/var/opt/novell/log/zenworks/services-messages.log
/var/opt/novell/log/zenworks/zcc.log
A lot of useful information is stored in this log
On Windows, the loader-messages.log is located here
%ZENWORKS_HOME%\Novell\Zenworks\logs\loader-messages.log
%ZENWORKS_HOME%\Novell\ZENworks\logs\services-messages.log
%ZENWORKS_HOME%\Novell\ZENworks\logs\zcc.log
A lot of useful information is stored in this log
I thought I would compile a page with log entries and the resolution associated. Hopefully it would help with tracking issues and understanding what's being logged.
Discovery and Deployment Tasks
In conf\loader there's a discovery xml file - in there, change INFO to FINEST, then restart the loader process. You should get messages in the loader log...
Controls all communication between the workstation and server. In ZFD days, the agent was called zfdagent, or ZENworks NAL Agent.
List all bundles first, so we can see the path to the bundle and the bundle name
zman bl --host ZCM_host -U admin_user -P admin_password -r
Export the Bundle to an XML file
zman bundle-export-to-file /Bundles/BUNDLE_NAME bundle_name.xml --host ZCM_host -U admin_user -P admin_password
Additional information can be found at ZCM Bundle Troubleshooting
FAQ and Technical Documents
I usually hate these types of sections; FAQs are usually worthless, but I thought I would list TIDs in this section for a lot of common things. It will probably become long and useless also.