Prepare Windows Servers to support Configuration Manager

Applies to: Configuration Manager (current branch)

Before you can use a Windows computer as a site system server for Configuration Manager, the computer must meet the prerequisites for its intended use as a site server or site system server.

  • These prerequisites often include one or more Windows features or roles, which are enabled by using the computer's Server Manager.

  • Because the method to enable Windows features and roles differs among OS versions, refer to the documentation for your OS version for detailed information about how to set up the OS that you use.

The information in this article provides an overview of the types of Windows configurations that are required to support Configuration Manager site systems. For configuration details for specific site system roles, see Site and site system prerequisites.

Windows features and roles

When you set up Windows features and roles on a computer, you might be required to reboot the computer to complete that configuration. Therefore, it's a good idea to identify computers that will host specific site system roles before you install a Configuration Manager site or site system server.

Features

The following Windows features are required on certain site system servers and should be set up before you install a site system role on that computer.

  • .NET Framework: Including

    • ASP.NET
    • HTTP Activation
    • Non-HTTP Activation
    • Windows Communication Foundation (WCF) Services

    Different site system roles require different versions of .NET Framework.

    Because .NET Framework 4.0 and later isn't backward compatible to replace 3.5 and earlier versions, when different versions are listed as required, plan to enable each version on the same computer.

  • Background Intelligent Transfer Services (BITS): Management points require BITS (and automatically selected options) to support communication with managed devices.

  • BranchCache: Distribution points can be set up with BranchCache to support clients that use BranchCache.

  • Data Deduplication: Distribution points can be set up with and benefit from data deduplication.

  • Remote Differential Compression (RDC): Each computer that hosts a site server or a distribution point requires RDC. RDC is used to generate package signatures and perform signature comparisons.

Roles

The following Windows roles are required to support specific functionality, like software updates and OS deployments, while IIS is required by the most common site system roles.

  • Network Device Enrollment Service (under Active Directory Certificate Services): This Windows role is a prerequisite to use certificate profiles in Configuration Manager.

  • Web server (IIS): Including:

    • Common HTTP Features
      - HTTP Redirection
    • Application Development
      - .NET Extensibility
      - ASP.NET
      - ISAPI Extensions
      - ISAPI Filters
    • Management Tools
      - IIS 6 Management Compatibility
      - IIS 6 Metabase Compatibility
      - IIS 6 Windows Management Instrumentation (WMI) Compatibility
    • Security
      - Request Filtering
      - Windows Authentication

    The following site system roles use one or more of the listed IIS configurations:

    • Application Catalog web service point
    • Application Catalog website point
    • Distribution point
    • Enrollment point
    • Enrollment proxy point
    • Fallback status point
    • Management point
    • Software update point
    • State migration point

    The minimum version of IIS that's required is the version that's supplied with the OS of the site server.

    In addition to these IIS configurations, you might need to set up IIS Request Filtering for distribution points.

  • Windows Deployment Services: This role is used with OS deployment.

  • Windows Server Update Services: This role is required for software updates.

IIS request filtering for distribution points

By default, IIS uses request filtering to block several file name extensions and folder locations from access by HTTP or HTTPS communication. On a distribution point, this prevents clients from downloading packages that have blocked extensions or folder locations.

When your package source files have extensions that are blocked in IIS by your request filtering configuration, you must set up request filtering to allow them. This is done by editing the request filtering feature in the IIS Manager on your distribution point computers.

Additionally, the following file name extensions are used by Configuration Manager for packages and applications. Make sure that your request filtering configurations don't block these file extensions:

  • .PCK
  • .PKG
  • .STA
  • .TAR

For example, source files for a software deployment might include a folder named bin or have a file that has the .mdb file name extension.

  • By default, IIS request filtering blocks access to these elements (bin is blocked as a Hidden Segment and .mdb is blocked as a file name extension).

  • When you use the default IIS configuration on a distribution point, clients that use BITS fail to download this software deployment from the distribution point and indicate that they're waiting for content.

  • To let the clients download this content, on each applicable distribution point, edit Request Filtering in IIS Manager to allow access to the file extensions and folders that are in the packages and applications that you deploy.

Important

Edits to the request filter can increase the attack surface of the computer.

  • Edits that you make at the server level apply to all websites on the server.
  • Edits that you make to individual websites apply to only that website.

The security best practice is to run Configuration Manager on a dedicated web server. If you must run other applications on the web server, use a custom website for Configuration Manager. For information, see Websites for site system servers.

HTTP verbs

Management points: To ensure that clients can successfully communicate with a management point, on the management point server ensure the following HTTP verbs are allowed:

  • GET
  • POST
  • CCM_POST
  • HEAD
  • PROPFIND

Distribution points: Distribution points require that the following HTTP verbs are allowed:

  • GET
  • HEAD
  • PROPFIND

For more information, see Configure request filtering in IIS.
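The following is an added example, not part of the original article or any Microsoft tooling: a Python audit that reads a `<requestFiltering>` section and reports only the extensions, hidden segments, and verbs that would actually block the content you deploy, so that request filtering edits stay as narrow as possible. The XML sample, the function names, and the case-insensitive matching of extensions and segments are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample of a <requestFiltering> section (not taken from a real server).
SAMPLE = """<requestFiltering>
  <fileExtensions allowUnlisted="true">
    <add fileExtension=".mdb" allowed="false" />
  </fileExtensions>
  <hiddenSegments><add segment="bin" /></hiddenSegments>
  <verbs allowUnlisted="false">
    <add verb="GET" allowed="true" />
    <add verb="HEAD" allowed="true" />
  </verbs>
</requestFiltering>"""

CM_EXTENSIONS = [".pck", ".pkg", ".sta", ".tar"]  # extensions listed in the article
DP_VERBS = ["GET", "HEAD", "PROPFIND"]            # distribution point verbs
MP_VERBS = ["GET", "POST", "CCM_POST", "HEAD", "PROPFIND"]  # management point verbs

def _rules(section, tag, key, norm=str):
    """Return (allow_unlisted, {name: allowed}) for <fileExtensions> or <verbs>."""
    node = section.find(tag)
    if node is None:
        return True, {}  # section absent: nothing is filtered
    unlisted = node.get("allowUnlisted", "true").lower() == "true"
    rules = {norm(a.get(key)): a.get("allowed", "true").lower() == "true"
             for a in node.findall("add")}
    return unlisted, rules

def audit(xml_text, package_paths, verbs):
    """List what the filter would block for these package files and verbs."""
    section = ET.fromstring(xml_text)
    ext_unlisted, ext_rules = _rules(section, "fileExtensions", "fileExtension", str.lower)
    verb_unlisted, verb_rules = _rules(section, "verbs", "verb")
    hidden = {a.get("segment").lower() for a in section.findall("hiddenSegments/add")}
    exts, segs = set(CM_EXTENSIONS), set()
    for path in package_paths:
        parts = PurePosixPath(path.replace("\\", "/")).parts
        if not parts:
            continue
        segs.update(p.lower() for p in parts)  # every path segment is checked
        suffix = PurePosixPath(parts[-1]).suffix.lower()
        if suffix:
            exts.add(suffix)
    return {
        "extensions": sorted(e for e in exts if not ext_rules.get(e, ext_unlisted)),
        "segments": sorted(segs & hidden),
        "verbs": sorted(v for v in verbs if not verb_rules.get(v, verb_unlisted)),
    }
```

An empty result in all three lists means no request filtering edit is needed for that content; anything reported is the minimum to allow, preferably at the site level rather than the server level.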