SMS 2003 Administrator’s Reference Systems Management Server 2003
Ron D. Crumbaker
SMS 2003 Administrator’s Reference: Systems Management Server 2003 Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com
I dedicate this book to my lovely wife, Martha, who has stuck with me throughout this endeavor. I also want to dedicate the book to my three wonderful children, Nate, Abby Dale, and Cole Thomas. I know during this project you heard “In a second” or “After a while I will,” so I owe you some serious play time with Daddy. I love you guys so much!
About the Author Ron Crumbaker has an Electrical Engineering degree but found himself in the Information Technology field. Ron is a huge Chevrolet Camaro fan and was greatly disappointed when GM decided to “pull the plug” on the Camaro. Ron currently owns two Camaros, a 1967 SS350 and a 1994 Z28. Ron has three children — Nate, Abby, and Cole — and a wife, Martha. Ron is very active in his church and community and is an ordained deacon in a Southern Baptist Church. Ron is also the CTO for myITforum.com, Inc., and is a two-time Microsoft MVP in the Windows Server System, SMS.
Credits
Senior Acquisitions Editor: Jim Minatel
Development Editor: Kelly Dobbs Henthorne
Technical Editor: Todd Meister
Copy Editors: Kathy Carlyle, Nancy Rapoport
Editorial Manager: Mary Beth Wakefield
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Joseph B. Wikert
Compositor: Maureen Forys, Happenstance Type-O-Rama
Proofreaders: Ian Golder, Jen Larsen
Indexer: Johnna VanHoose Dinse
Anniversary Logo Design: Richard Pacifico
Acknowledgments This being my first book, I want to express my sincere thanks to Jim Minatel for sticking with me on this project and allowing me to get the book published after all the ups and downs throughout the writing process. I want to thank my development editor, Kelly Henthorne, for all her hard work bringing the writer out of me. It has been a true pleasure working with her. She is purely professional, very dedicated, and extremely hard working. I also want to thank Randy Hammer for his hard work helping me out of a jam and his contributions in a few chapters. I appreciate his hard work and dedication in assisting me on such short notice and in an extremely short time frame. Randy Hammer currently manages a team responsible for SMS administration and software packaging at VeriSign Inc. He has administered and implemented small to medium SMS sites since 2001. I also want to thank Brian Rogers and April Cook for their work assisting me with some additional thoughts and directions, and Rod Trent for getting me started writing this book and helping me find a clear direction on where to take it. You are truly a great person, and I’m honored to be able to call you a friend. I would also like to thank the many people that are active on myITforum.com. Without you, SMS would not be the great product it is today. Microsoft has listened and continues to listen to what we say. We all benefit from the dedication each of you shows by posting, emailing, and simply being active on the forum. I also want to thank Jesus, my Lord and Savior. Without You, I am nothing.
Contents
Acknowledgments
Introduction

Chapter 1: Setting Up Your Site Hierarchy
  Overview
  Site Hierarchy
  SMS Server Roles
  Connecting Child Sites to Parent Sites
    Installing a Secondary Site
    Attaching a Child Site to a Parent Site
  Site Boundary Management
  Roaming Boundaries
  Active Directory
  Summary

Chapter 2: Specifying and Managing Site System Roles
  Management Point
  Client Access Point
  Distribution Point
    Distribution Point Groups
    Protected Distribution Points
  Configuring Connection Accounts
    Client Connection Accounts
    Site System Connection Accounts
  Managing Object/Class Level Security Rights
  Summary

Chapter 4: Configuring Site Settings
  Addresses
  Senders
  Component Configuration
    Software Distribution
    Status Reporting
    Management Point
  Site Maintenance
    SQL Commands
  Summary

Chapter 5: Specifying Discovery Methods
  Windows User Account Discovery
  Windows User Group Discovery Method
  Heartbeat Discovery Method
  Network Discovery Method
  Active Directory System Discovery
  Active Directory User Discovery
  Active Directory System Group Discovery
  Third-Party Discovery Tools
    Enhanced System Discovery
    Enhanced AD User Discovery
  Summary

Chapter 6: Enabling Client Agent Settings
  What Is an Agent?
  The Hardware Inventory Agent
  The Software Inventory Agent
  The Remote Tools Client Agent
  Advertised Programs Client Agent
  Software Metering Client Agent
    Site Maintenance Software Metering tasks
  Summary

Chapter 7: Client Installation Methods
  Client Push Installation
  Client Installation through Group Policy
  Manually Installing the Client Using CCMSetup.exe
    Command-Line Switches
    Installation Properties
  Prestaging the SMS Client on a Desktop Image
  Additional Client Deployment
    Using ORCA to Customize client.msi
  Summary

Chapter 8: Managing Collections
  Creating a New Collection
  Creating a Direct Membership Rule
  Query-Based Membership Rules
    Query-Based Membership Rule Criteria
    Limiting Queries
  Updating Collections
  Replicating Collections Between Hierarchies
  Moving a Collection
  Deleting Objects from a Collection
  Viewing Advertisements Targeted to a Collection
  SMS Collection Structure and Management
  Summary

Chapter 9: Creating and Distributing Packages
  Creating a New Package from a Definition File or an MSI
  General Package Information
  Specifying a Data Source
  Configuring Programs
  Tricks
  Summary

Chapter 10: Creating Advertisements
  Stop! Consider Change Management
  Creating a Basic Advertisement
  The Include Members of Subcollections Checkbox
  Scheduling Advertisements
  Expiring an Advertisement
  Setting the Priority of an Advertisement

Chapter 13: Managing Software Updates
  Installing the ITMU
  Synchronizing the WSUSScan.cab
  Distribute Software Updates Wizard
  Verifying the Results of the ITMU
    Reports
    Status Messages
  Summary

Chapter 14: Troubleshooting
  Preventing Problems
  Do I Really Need to Do All That?
  Understand the Structure of the SMS Client and Server
    The SMS Client Folder Structure
    The Folder Structure for the SMS Site Server
    Other Site System Folders
  SMS Status Messages
    Drilling into a Problem in the Site Status View
    Viewing Status Messages with SMS 2003 Web Reports
    Client Status Messages
  SMS 2003 Logs, Where Troubleshooting Begins
    SMS Site Server Logs
    Management Point Logs
    The Legacy Client Logs
    The Advanced Client Logs
    Monitoring Client Health
  Repairing Client Issues
  Intersite Communication Issues
  Summary

Chapter 15: Using Third-Party Solutions
  www.myITforum.com
  www.FAQshop.com
  www.sms-alliance.com
  1E
  Macrovision Corporation
  Intrinsic Technologies
  PS’SOFT
  Vintela
  iAnywhere
  SMSView
  SMS 2003 Monster MOF
  SMS 2003 Web Remote Tools
  Corey Becht’s Right Click Tools
  myITforum Code Repository
  Microsoft SMS Toolkit 2
    The IIS Lockdown 2.1 Template
    URLScan 2.5 Template
    Policy Spy
    SMS Trace
    Advanced Client and Management Point Cleaner
    Advanced Client Spy
    Policy Verifier
    Send Schedule
    Management Point Spy
    Set Preferred Distribution Point and CAP
    Delete Certificate
    Patch Management Evaluation
    Delete Group Class
    Transfer SMS ID
    Package Loader
    Management Point Troubleshooter
    Client Site Assignment Verifier
    Site Boundary Tool
    Create Secondary Site Tool
    Create SMS Address Tool
  Microsoft SMS SDK
  Summary

Chapter 16: Scripting SMS 2003
  Tools Needed to Script SMS 2003
  Where to Start Scripting
  Creating Collections
  Creating Sub-Collections
  Adding a System to a Collection
  Removing a System from a Collection
  AddColl Code
  Updating the Distribution Points
  Refreshing Distribution Points
  Advanced Client Scripting
    Software Inventory
    Hardware Inventory
    Finding the Assigned Site
    Setting the Assigned Site
    Refreshing Machine Policies
  1E Client Health Script
  Building Right-Click Tools
  Summary

Chapter 17: Where Is SMS Going?
  SMS 2003 R2
    SMS 2003 R2 Features
    SMS 2003 R2 Setup
    Inventory Tool For Custom Updates
    Custom Updates Publishing Tool
    Scan Tool For Vulnerability Assessment
  Device Management Feature Pack
  OS Deployment Feature Pack
  Systems Center Configuration Manager 2007
    Operating System Deployment
    Network Access Protection
    Software Distribution
    Software Update Management
    Desired Configuration Management
    Device Management
    Software Inventory and Metering
    Hardware Inventory
    Remote Control
    Wake on LAN
    Vulnerability Assessment
    Software Development Kit
    Backup and Recovery
    Other Key SCCM 2007 Points
Introduction
Microsoft has come a long way with the management of systems within the corporate world. Microsoft Systems Management Server 2003 delivers a centralized management tool to support all of your computers, workstations, servers, and, with the help of third-party solutions, other devices. This book is designed to help the average SMS administrator manage the ever-increasing demands for operational excellence at the desktop and server levels by leveraging the highly extensible nature of the SMS product.
Whom This Book Is For This book is intended for any SMS administrator and will provide information that is relevant and timely for administrators of nearly all levels. In the book, I assume you have a planned or pre-existing SMS environment and will not cover common architecture and design concepts that are found in many other titles and from Microsoft.
What This Book Covers This book is based on Systems Management Server 2003 with Service Pack 1 installed. Microsoft has since released Service Pack 2 for SMS 2003, and these new changes are discussed within this book.
How This Book Is Structured The approach for this title is simple: Features and tasks are broken down into 17 separate chapters, and each chapter includes an outline of what is to be accomplished. Each item is covered with information about the tasks or functionality required, the tools and scripts needed to accomplish the task, and the results. A common programming and testing environment is used throughout the text and examples so that readers can familiarize themselves more quickly as they advance through the chapters.
What You Need to Use This Book You will need a Windows 2000 Server or greater with SMS 2003 SP1 installed. Everything else needed is discussed in the book. It is recommended that you have all the latest security patches installed on the server operating system.
Conventions
To help you get the most from the text and keep track of what’s happening, I’ve used a number of conventions throughout the book.
Tips, hints, tricks, and asides to the current discussion are offset and placed in italics like this.
As for styles in the text:
❑ I italicize new terms and important words when I introduce them.
❑ I show keyboard strokes like this: Ctrl+A.
❑ I show filenames, URLs, and code within the text like so: persistence.properties.
❑ I present code in two different ways:
In code examples I highlight new and important code with a gray background. The gray highlighting is not used for code that’s less important in the present context, or has been shown before.
Source Code
As you work through the examples in this book, you may choose either to type in all the code manually or to use the source code files that accompany the book. All of the source code used in this book is available for download at http://www.wrox.com. Once at the site, simply locate the book’s title (either by using the Search box or by using one of the title lists) and click the Download Code link on the book’s detail page to obtain all the source code for the book. Because many books have similar titles, you may find it easiest to search by ISBN; this book’s ISBN is 0471749508. Once you download the code, just decompress it with your favorite compression tool. Alternately, you can go to the main Wrox code download page at http://www.wrox.com/dynamic/books/download.aspx to see the code available for this book and all other Wrox books.
Errata
We make every effort to ensure that there are no errors in the text or in the code. However, no one is perfect, and mistakes do occur. If you find an error in one of our books, like a spelling mistake or faulty piece of code, we would be very grateful for your feedback. By sending in errata you may save another reader hours of frustration and at the same time you will be helping us provide even higher quality information. To find the errata page for this book, go to http://www.wrox.com and locate the title using the Search box or one of the title lists. Then, on the book details page, click the Book Errata link. On this page you can view all errata that has been submitted for this book and posted by Wrox editors. A complete book list including links to each book’s errata is also available at www.wrox.com/misc-pages/booklist.shtml. If you don’t spot “your” error on the Book Errata page, go to www.wrox.com/contact/techsupport.shtml and complete the form there to send us the error you have found. We’ll check the information and, if appropriate, post a message to the book’s errata page and fix the problem in subsequent editions of the book.
p2p.wrox.com
For author and peer discussion, join the P2P forums at p2p.wrox.com. The forums are a Web-based system for you to post messages relating to Wrox books and related technologies and interact with other readers and technology users. The forums offer a subscription feature to e-mail you topics of interest of your choosing when new posts are made to the forums. Wrox authors, editors, other industry experts, and your fellow readers are present on these forums. At http://p2p.wrox.com you will find a number of different forums that will help you not only as you read this book, but also as you develop your own applications. To join the forums, just follow these steps:
1. Go to p2p.wrox.com and click the Register link.
2. Read the terms of use and click Agree.
3. Complete the required information to join as well as any optional information you wish to provide and click Submit.
4. You will receive an e-mail with information describing how to verify your account and complete the joining process.
You can read messages in the forums without joining P2P but in order to post your own messages, you must join. Once you join, you can post new messages and respond to messages other users post. You can read messages at any time on the Web. If you would like to have new messages from a particular forum e-mailed to you, click the Subscribe to this Forum icon by the forum name in the forum listing. For more information about how to use the Wrox P2P, be sure to read the P2P FAQs for answers to questions about how the forum software works as well as many common questions specific to P2P and Wrox books. To read the FAQs, click the FAQ link on any P2P page.
Chapter 1: Setting Up Your Site Hierarchy
In this book, I’ll discuss the steps you need to take to ensure that Systems Management Server (SMS) 2003 is administered successfully to provide powerful management across the enterprise. My main focus will be SMS 2003 with Service Pack 1, but I will cover SP2 features as well. I’ll guide you through the inner workings of SMS 2003 and help you gain control of all aspects of systems management. This book organizes SMS 2003 into sections that are paired with each SMS feature and administrative task. Each section includes a brief description of the feature or the reason for the administrative task and explains where SMS 2003 can be used to fill the void. I will discuss ways to improve SMS 2003 through site reconfiguration, the use of scripts, SMS Administrator console extensions, and third-party tools that extend SMS 2003 and enhance your ability to administer an SMS 2003 site hierarchy.
Desktop management has improved considerably over the past few years, and with SMS 2003 Microsoft has risen to the challenge. Although SMS 2003 has many features that help it deliver an end-to-end solution for desktop management, some standard practices are required to ensure that it is used to its fullest potential. This book will help you discover these techniques so you can successfully administer an SMS 2003 environment.
SMS 2003 Administrator’s Reference is designed to provide a comprehensive introduction to and overview of administering SMS 2003. By using real-world examples, this book will help you become more competent in the basic skills necessary for administering SMS 2003, and it will show you how to use advanced SMS functions to administer your SMS environment. SMS 2003 offers solutions for key issues in management throughout the enterprise, including:
❑ Hardware/software inventory
❑ Software distribution
❑ Software metering
❑ Remote tools
❑ Microsoft update management
Overview
SMS 2003 is a packaged solution that offers powerful desktop administration tools for managing computer hardware and software, distributing software, and troubleshooting remotely. In this chapter, I briefly introduce you to the key features of SMS 2003 and describe the components that make up an SMS 2003 hierarchy.
SMS 2003 provides various components and tools to help organizations manage assets, distribute software to clients within the network, track hardware and software changes, conduct remote administration, and create reports and queries based on the information collected within the SMS environment. Software distribution, remote tools, software metering, security update distribution, hardware inventory, and software inventory are key features of SMS 2003. SMS 2003 can generate reports quickly and easily so you can monitor your environment, perform software updates, ensure licensing compliance, and schedule hardware replacement.
SMS 2003 gives administrators the ability to quickly distribute software to every client within the SMS hierarchy or to a single client. Software can be distributed on a schedule, or it can be set to install at logon. SMS 2003 has software metering that actually works. It allows administrators to track when a program was last used and how long it was open. By tracking software usage, administrators can make sure they have only the software packages that are actually needed, so they won’t overbudget.
With SMS Remote Tools, the SMS 2003 administrator or help desk personnel can troubleshoot and remotely support clients across the SMS hierarchy. With remote support, the administrator can provide assistance without physically going to the client’s location, just as if he were sitting at the client’s machine. The latest viruses and software flaws have made the ability to administer updates easily extremely important.
With SMS 2003, you can use the built-in tools to install software updates so that your clients’ Microsoft software stays current on security fixes, and with vendor add-ons you can keep selected third-party software current as well. With the release of the Inventory Tool for Microsoft Updates (ITMU), you can quickly manage critical updates for Microsoft Windows, Microsoft Office, Microsoft SQL Server, Microsoft Exchange Server, Microsoft Internet Information Services, and many other Microsoft software packages. Dell provides a tool that allows administrators of Dell systems to keep drivers and BIOSs up-to-date, and other computer manufacturers are working with Microsoft to provide tools for their systems as well.
SMS 2003 provides rich reporting through default queries and reports or through customized queries and reports. Many reports and queries are built into SMS 2003 by default, and SMS 2003 provides a simple way to add customized ones.
SMS 2003 can deploy Microsoft operating system upgrades using the OS Deployment Feature Pack, which is provided as an add-on to SMS 2003. It allows you to upgrade a client’s OS quickly without losing the customizations the user had on the workstation. These and many other SMS 2003 features are discussed in the following chapters.
Site Hierarchy
When you install SMS 2003, you create an SMS site. An SMS site is identified by its three-character site code. This site code, which must be unique within your organization, identifies the site to which SMS clients are assigned. The site code can be numeric, alphabetic, or alphanumeric. The SMS site defines the resources that will be managed, including computers, users, groups, and other resources. An SMS site consists of an SMS site server, SMS clients, and site systems. Throughout this book, I will use 000 as the site code and SRV-Z28 as the SMS server. With any luck, someone at General Motors will see the publicity I’m giving their Camaro and give me a new 2008 Camaro. If you aren’t a Chevy Camaro fan, you are really missing out. If you don’t appreciate the power and beauty of the Chevrolet Camaro, you will have to feign an interest in American muscle cars or imagine a Ferrari instead.
SMS has two types of sites — primary sites and secondary sites. The first site you install is a primary site. A primary site stores SMS information in the SMS site database, which is a SQL Server database. SMS stores client data, client configuration, and status information about the enterprise within the site database. A secondary site has no site database; it sends all the information it collects to its parent primary site, which processes the data and stores it in its own site database. For an overview of the steps required to install an SMS primary site server, refer to Appendix A.
When your organization has multiple sites, you must decide which site will be the parent and which sites will be the child sites in the organization’s hierarchy. An SMS hierarchy has a central site that acts as the top-level parent, with no other sites above it. A secondary site attaches to and reports to a primary site and is always a child site. A primary site can be a child site, a parent site, or both.
The central site is the highest-level primary site within an organization, and all the SMS sites within the organization report to the central site.
SMS Server Roles
The functionality an SMS server provides defines its role as a site system. SMS 2003 provides five site system roles that can be installed in any combination on a Windows 2000 Server or Windows Server 2003 computer. A site system can be a management point, a client access point (CAP), a server locator point (SLP), a reporting point, and/or a distribution point. These site systems do not require a separate SMS server license.
A management point is the primary point of contact for Advanced Clients. Advanced Clients use the management point to obtain information about advertisements and distribution points, and they send their data to the management point, which in turn forwards it to the SMS site server.
A client access point (CAP) is very similar to a management point, except that a CAP is used specifically by Legacy Clients. The CAP receives all the data collected from Legacy Clients.
The server locator point (SLP) provides Legacy Clients with the location of a CAP and provides Advanced Clients with their assigned site details.
The reporting point is the server that hosts the code used for web-based reporting. The reporting point also provides web-based querying of the site database. Distribution points hold the package source files for the advertisements within the site.
Whenever you install SMS on a system, you create an SMS site; any server that performs one of the SMS roles is a site system. The central site server can manage all the sites within the hierarchy. Configuration changes made at the central site flow down the hierarchy to the sites below it, and the central site collects information from every client within your organization. I’ll discuss the various roles in Chapter 2. For now, I’ll concentrate on connecting a child site to a parent site.
Connecting Child Sites to Parent Sites
Any site that reports to a parent site is a child site. A child site can be another primary site or a secondary site, and attaching a child site to a parent site works the same way in either case. What differs is where the data lives: a secondary child site has no site database of its own and relies on its parent’s, whereas a primary child site keeps its own SQL Server site database and still forwards its data up the hierarchy. Child sites send all the data they collect to their assigned parent site. This data includes inventory data, software and hardware information, discovery data, and site status messages. A child site can receive collections, packages, and advertisements from any of the primary sites above it in the hierarchy, but it sends data up only to its immediate parent site.
You can install a secondary site using the SMS Administrator console or using the SMS 2003 CD. There are reasons to prefer one setup option over the other, and I’ll explain them so you can use the one that best fits your hierarchy’s requirements.
In an SMS environment with a parent site and a connected child site, information is passed between the sites based on their roles. Parent sites send management instructions down to the child sites, and child sites send resource and client data up to the parent. In short, management and configuration data flows from the top to the bottom, and the child sites report their data up to the parent. As I stated earlier, the steps for installing a primary site server are covered in Appendix A.
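The Site Hierarchy, SMS Server Roles, and Connecting Child Sites sections above describe rules that the setup wizards do not check for you: every site code is three alphanumeric characters and unique, only one site has no parent (the central site), a secondary site can never be a parent, and each site system holds one or more of the five roles. The following script is an added example, not code from this book or from Microsoft; it queries the SMS Provider on the central site over WMI, prints the hierarchy top down (the direction configuration data flows), flags violations of those rules, and lists which server holds which role. It assumes the book’s lab names (central site 000 on SRV-Z28), that the SMS_Site and SMS_SystemResourceList classes and their property names are those documented in the SMS 2003 SDK (Type 1 = secondary, 2 = primary; an empty ReportingSiteCode marks the central site), and that the account running it has SMS administrator rights.

```powershell
# Added example (not from the book): map the SMS 2003 hierarchy and site roles
# by querying the SMS Provider on the central site server over WMI.
# Assumptions: central site 000 on SRV-Z28 (the book's lab names); SMS_Site and
# SMS_SystemResourceList class/property names as in the SMS 2003 SDK.
param(
    [string]$CentralServer   = 'SRV-Z28',
    [string]$CentralSiteCode = '000'
)

$ns = "root\sms\site_$CentralSiteCode"

# Every site that reports, directly or indirectly, to the central site.
$sites = Get-WmiObject -ComputerName $CentralServer -Namespace $ns -Class SMS_Site

$byCode = @{}
foreach ($s in $sites) { $byCode[$s.SiteCode] = $s }

# Checks the setup wizards do not perform for you.
foreach ($s in $sites) {
    if ($s.SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        Write-Warning ("Site code '{0}' is not three alphanumeric characters" -f $s.SiteCode)
    }
    # Type 1 = secondary, 2 = primary. A secondary site cannot be a parent.
    if ($s.Type -eq 1) {
        $children = $sites | Where-Object { $_.ReportingSiteCode -eq $s.SiteCode }
        if ($children) {
            $codes = ($children | ForEach-Object { $_.SiteCode }) -join ', '
            Write-Warning ("Secondary site {0} is listed as parent of: {1}" -f $s.SiteCode, $codes)
        }
    }
    # A child must point at a site the central site knows about.
    if ($s.ReportingSiteCode -and -not $byCode.ContainsKey($s.ReportingSiteCode)) {
        Write-Warning ("Site {0} reports to unknown site {1}" -f $s.SiteCode, $s.ReportingSiteCode)
    }
}

# Exactly one site has no parent: the central site.
$roots = @($sites | Where-Object { -not $_.ReportingSiteCode })
if ($roots.Count -ne 1) {
    Write-Warning ("Expected exactly one central site, found {0}" -f $roots.Count)
}

# Print the tree top down, the same direction configuration data flows.
function Show-SiteTree {
    param($Code, $Depth)
    $s = $byCode[$Code]
    $kind = if ($s.Type -eq 1) { 'secondary' } else { 'primary' }
    Write-Output ("{0}{1}  {2}  ({3}, {4})" -f (' ' * (2 * $Depth)), $s.SiteCode, $s.SiteName, $kind, $s.ServerName)
    $sites | Where-Object { $_.ReportingSiteCode -eq $Code } | Sort-Object SiteCode | ForEach-Object {
        Show-SiteTree -Code $_.SiteCode -Depth ($Depth + 1)
    }
}
foreach ($r in $roots) { Show-SiteTree -Code $r.SiteCode -Depth 0 }

# Which server holds which role, per site. RoleName values are the strings the
# SMS Provider uses, e.g. 'SMS Management Point', 'SMS Client Access Point',
# 'SMS Server Locator Point', 'SMS Reporting Point', 'SMS Distribution Point'.
Get-WmiObject -ComputerName $CentralServer -Namespace $ns -Class SMS_SystemResourceList |
    Where-Object { $_.RoleName -ne 'SMS Component Server' } |
    Sort-Object SiteCode, ServerName, RoleName |
    Format-Table SiteCode, ServerName, RoleName -AutoSize
```

Run it from the central site (or any machine that can reach the SMS Provider over DCOM) after you add or attach a site; a secondary site that shows up with children, or a second site with no parent, means the hierarchy is not what the console appears to show and should be corrected before you start distributing packages through it.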
Installing a Secondary Site
Installing a secondary site from a CD is very similar to installing a primary site. To do so, follow these steps:
1. Run Setup.exe. The Systems Management Server Setup Wizard Welcome page, as shown in Figure 1-1, will appear.
2. Click Next. The Setup Options page will appear. (This is the same screen that appears when you install a primary site.) Choose Install An SMS Secondary Site and click Next. This will take you to the Systems Management Server License Agreement page, as shown in Figure 1-2.
Figure 1-1
Figure 1-2
3. Read the agreement. If you agree to the terms, click the I Agree radio button and then click Next.
4. The Product Registration page will appear. Enter the appropriate information for your environment and click Next.
5. The Systems Management Site Information page, as shown in Figure 1-3, allows you to configure the Site Code, Site Name, and Site Domain. Carefully enter the information and then choose Next.
6. You will be asked which type of security mode you want to use to run SMS 2003 within your environment. For now, use the Advanced Mode. (I discuss the various security modes in Chapter 3.)
Figure 1-3
7. The Installation Options page, as shown in Figure 1-4, will appear. You can use these options to customize the server environment you install on your SMS secondary site. Configure these setup parameters and then click Next.
Figure 1-4
8. Configure the Parent Site Identification when you are prompted. On the Parent Site Information/Identification page, you will need to set up the Parent Site Code, the Parent Site Server name, and the initial Network Connection Type of LAN Sender. Click Finish to finish installing your secondary site.
9. To install a secondary site from within the SMS Administrator console, expand the site hierarchy, right-click the site code, and choose New, as shown in Figure 1-5.
Figure 1-5
The Welcome To The Create Secondary Site Wizard, as shown in Figure 1-6, will appear.
Figure 1-6
10. Click Next to create a new secondary site; this will bring up the Secondary Site Creation Wizard, as shown in Figure 1-7. The wizard will ask for the Site Code and Site Name. Use the Comment section to document any comments you might have.
Figure 1-7
11. After you complete this page, click Next. The next page of the Secondary Site Wizard will appear. Enter the necessary information for your environment and choose Next. You’ll be prompted with the Installation Source Files page, as shown in Figure 1-8.
Figure 1-8
12. There are two options for getting the installation files to the secondary site: transferring the installation files to the secondary site or using installation files already at the secondary site. Using the installation files at the secondary site can help reduce network traffic during the installation phase. Select the appropriate option to indicate where the installation files are located, and then click Next. The SMS Security Information page will appear, as shown in Figure 1-9.
Figure 1-9
13. Select the Advanced Security Mode if your environment can use it. If the environment is not capable of using the Advanced Security Mode, select the Standard Security Mode and fill in the Service Account Name and Password. Click Next. In Chapter 3, I discuss the two security modes you can use to run your SMS 2003 environment.
14. The Addresses To Secondary Site page, as shown in Figure 1-10, appears. Use this window to configure the type of address you’ll use to connect the secondary site to the parent site. Choose the address type based on the connection between the secondary site and the parent site. If there is a LAN or WAN connection, choose the Standard Sender as the address type. However, if there is a dial-up connection between the two sites, then you might need to choose the Asynchronous RAS Sender.
Figure 1-10
15. If you choose Yes to create a new address, the New Address To Secondary Site page will appear, as shown in Figure 1-11. You will be prompted for the Address Type, Destination Site Server, and the Account on the secondary site server. If you are using the Advanced Security Mode, you will not have the option to change these settings. Enter the appropriate data in the fields. I will discuss the various addresses available within SMS 2003 in Chapter 4.
Figure 1-11
16. The New Address To Parent Site page will appear. The information for this part of the Secondary Site Creation Wizard is basically the same information as in Figure 1-10. After you enter this information, a list of your selections will appear in the New Secondary Site Characteristics box (see Figure 1-12). Verify your settings by selecting New Secondary Site from the Primary Site in the drop-down list and click Finish to begin the installation process. See Figure 1-13.
Figure 1-12
Figure 1-13
Attaching a Child Site to a Parent Site
To attach a child site to a parent site, you will need to open the SMS Administrator console, navigate to the site, right-click the site code, and choose Properties. In the Site Properties dialog box, on the General tab, click Set Parent Site, as shown in Figure 1-14.
Figure 1-14
On the Set Parent Site dialog box, specify the parent site information and click OK to close it. After your child site is attached, data will flow from the parent site to the child site and vice versa. The child will report information about its clients before the parent site sends any site-specific information down to the child site. Collections, advertisements, and packages at the parent sites replicate down to the child sites, and collected data from the child sites flows up to the parent sites.
Site Boundary Management
Site boundaries and roaming boundaries are key components to consider when you design and plan your SMS hierarchy. An SMS site is defined by its site boundary: a site is a collection of clients based on boundaries defined by IP subnets, Active Directory sites, or both. When you plan your SMS hierarchy, you will need to decide which type of boundary you will use; IP subnets, Active Directory sites, or a combination of both make up the SMS site boundaries. Plan these options carefully before installing your SMS site, although you can modify them at any time after the initial site has been set up. Site boundaries cannot overlap those of any other SMS site; they must be unique.
An advanced client can move across site boundaries and from one organization to the next while the client is still installed. In SMS 2.0, legacy clients uninstalled on their own. The ability to move across boundaries is called roaming. Because of the way an advanced client handles site boundaries, roaming is available only with an advanced client. Advanced clients are assigned only to primary sites, and this feature gives them the ability to roam from primary sites to secondary sites while still being managed by SMS. Legacy clients can be installed only to a primary site or a secondary site, but not both; if a legacy client roams out of its site, the client will be uninstalled. With the advanced client, you can set up roaming boundaries so the SMS site can still distribute software to the advanced client no matter where the client is within the SMS hierarchy.
To manage your site boundaries, use the Site Boundaries tab on the Site Properties dialog box, as shown in Figure 1-14. Add the IP subnet or Active Directory site in the New Site Boundary dialog box. The site boundaries must be defined accurately according to the IP subnets and/or the AD sites that this site will manage.
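The requirement that site boundaries never overlap is easy to violate on paper when several administrators plan subnets for different sites. The following script is an added example, not from the book; it takes a constructed plan (hypothetical site codes CEN, RM1 and RM2, with made-up subnets and AD site names) and reports every pair of boundaries that would claim the same clients for two sites, then shows which site(s) a given client would fall into. IP boundaries conflict when the subnets overlap at all, including a small subnet nested inside a larger one; AD boundaries conflict when the same AD site name is reused.

```python
"""Check that planned SMS 2003 site boundaries are unique across sites.

Added example, not from the book. The site codes, IP subnets and Active
Directory site names below are constructed for illustration only.
"""
from ipaddress import ip_address, ip_network

# Constructed planning data: site code -> the boundaries that would be
# entered on each site's Site Boundaries tab (IP subnets, AD sites or both).
PLANNED_SITES = {
    "CEN": {"subnets": ["10.1.0.0/16"], "ad_sites": ["HQ"]},
    "RM1": {"subnets": ["10.2.0.0/24"], "ad_sites": ["Branch-East"]},
    # RM2 is deliberately misconfigured: 10.1.5.0/24 lies inside CEN's
    # 10.1.0.0/16, 10.2.0.0/24 duplicates RM1's subnet, and the HQ AD site
    # is already claimed by CEN.
    "RM2": {"subnets": ["10.1.5.0/24", "10.2.0.0/24"], "ad_sites": ["HQ"]},
}


def find_boundary_conflicts(sites):
    """Return (site_a, site_b, boundary_a, boundary_b) for every pair of
    boundaries that would place the same clients in two SMS sites.

    IP boundaries conflict when the subnets overlap (identical, or one
    contained in the other); AD boundaries conflict when the site name is
    reused. Site codes are compared in sorted order so each conflict is
    reported once.
    """
    conflicts = []
    codes = sorted(sites)
    for i, a in enumerate(codes):
        for b in codes[i + 1:]:
            for net_a in sites[a]["subnets"]:
                for net_b in sites[b]["subnets"]:
                    if ip_network(net_a).overlaps(ip_network(net_b)):
                        conflicts.append((a, b, net_a, net_b))
            shared = set(sites[a]["ad_sites"]) & set(sites[b]["ad_sites"])
            for ad_site in sorted(shared):
                conflicts.append((a, b, ad_site, ad_site))
    return conflicts


def sites_claiming_client(sites, client_ip=None, ad_site=None):
    """Return the sorted site codes whose boundaries cover a client.

    A correctly planned hierarchy returns at most one code; more than one
    means the client's site assignment is ambiguous, and an empty list means
    the client falls outside every site boundary.
    """
    claimed = set()
    for code, bounds in sites.items():
        if client_ip is not None and any(
            ip_address(client_ip) in ip_network(net) for net in bounds["subnets"]
        ):
            claimed.add(code)
        if ad_site is not None and ad_site in bounds["ad_sites"]:
            claimed.add(code)
    return sorted(claimed)


if __name__ == "__main__":
    for a, b, x, y in find_boundary_conflicts(PLANNED_SITES):
        print(f"conflict: site {a} boundary {x} overlaps site {b} boundary {y}")
    print("10.1.5.7 is claimed by:",
          sites_claiming_client(PLANNED_SITES, client_ip="10.1.5.7"))
```

Run it against your own plan by replacing PLANNED_SITES with the boundaries you intend to enter; an empty conflict list is the condition to satisfy before the Site Boundaries tab is touched, because a client sitting in two sites' boundaries has no unambiguous site assignment.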
Roaming Boundaries
Roaming boundaries are a little different from site boundaries. They allow you to specify which sites an advanced client can use to obtain information from a distribution point. These roaming boundary settings tell the advanced client which sites it is allowed to connect to for site configuration data and software distribution while it is roaming. Roaming boundaries enable advanced clients to move from their original, installed IP subnet or Active Directory site to another site or subnet; they allow clients to travel between sites within the hierarchy without uninstalling the client, so the client remains managed from within the SMS hierarchy.
Roaming boundaries also ensure that the client can still communicate with a distribution point. Advanced clients use their roaming boundaries to access any distribution point within the site hierarchy; they will connect to a distribution point within the site and can use it either as a local distribution point or as a remote distribution point. Roaming boundaries thus define how an advanced client locates and interacts with distribution points. If an advanced client is set to use a remote distribution point, it uses those settings when no local distribution point is available. The settings for the various distribution points are discussed in Chapter 2.
When a distribution point is set up as a local distribution point, the advanced client has two options when it runs advertisements: it can run the advertisement directly from the distribution point, or it can download the program from the distribution point. However, if the distribution point is set up as a remote distribution point, the advanced client has three options when it runs advertisements: it can be forced to download the program from the remote distribution point, run the program from the remote distribution point, or not run the program. These settings are shown in Figure 1-15.
Figure 1-15
Active Directory
Extending the Active Directory schema improves the client’s ability to locate site systems and roaming boundaries. SMS 2003 does not require Active Directory; however, its use is highly recommended. Extending the Active Directory schema allows SMS objects to be published into Active Directory, which enables Global Client Roaming. This feature lets an advanced client roam to sites that are above its installed site within the hierarchy, and the client does not need to be uninstalled and reinstalled each time it roams to a different site. Extending the Active Directory schema requires a domain account that specifically has rights to extend the schema as a member of the Schema Admins group. As such, you’ll need to work with your Active Directory administrator in order to extend the schema, and most Active Directory administrators will want to know why you want to extend it. When the schema is extended, SMS 2003 does not require WINS and computer browsing services, which are huge bandwidth hogs. To extend the schema, you can either use the SMS Setup Wizard or use the EXTADSCH.EXE command-line tool, which is included on the SMS 2003 CD. You can extend the schema when you install SMS 2003, as shown in Figure 1-16, or after you have already set up SMS 2003.
Figure 1-16
Integration with Active Directory (AD) allows you to identify users and computers within your network that you can manage from within SMS 2003. If you use organizational units within your Active Directory, you will be able to manage SMS clients based on those organizational units in your AD structure. Active Directory allows SMS site boundaries to be defined based on AD sites rather than IP subnets, which provides more control over your environment. SMS clients can use AD to discover resources specific to SMS. SMS will poll the Active Directory server to identify computer accounts, security groups, or users within the Active Directory. You can specify the Active Directory containers from which SMS will gather information and set up polling intervals so you can adjust the amount of time that SMS spends gathering information from AD.
Three methods are used for Active Directory Discovery. The Active Directory User Discovery method queries an Active Directory server to determine users and the user groups to which they belong within Active Directory. The Active Directory System Discovery method queries Active Directory to retrieve Active Directory container information, such as computers and servers; it gathers information such as the computer name, IP address, and Active Directory container name. The Active Directory System Group Discovery method gathers information about organizational units, global groups, universal groups, and other groups from Active Directory. I will discuss the Active Directory Discovery methods in more detail in Chapter 5.
Summary
SMS 2003 includes many systems management advances, and it has many features to help administrators manage systems within an organization. This chapter covered how to set up site hierarchies and the steps needed to set up secondary sites. Now that you’ve been introduced to the terminology and learned how to set up a secondary site within SMS 2003, it’s time to turn to roles. In Chapter 2, I’ll focus on site system roles and how to manage them. You’ll learn about the various roles that SMS 2003 offers and how SMS 2003 installations use these roles. I will discuss each of the system roles and give examples of how to assign them to various servers within the organization.
Specifying and Managing Site System Roles
In this chapter, I discuss the various site system roles that make up your Systems Management Server infrastructure. Almost every SMS 2003 installation will utilize all of these roles in one way or another, making the information in this chapter vital to a successful implementation. In the previous chapter, I discussed how to set up an SMS 2003 hierarchy, the steps needed to configure a parent site server and site boundaries, and how to install secondary sites. In this chapter, I explain how to specify and manage site system roles and discuss the various roles on an SMS 2003 site system. The following pages cover how to identify, implement, configure, and manage each of the following five roles:
❑ Management point
❑ Client access point
❑ Distribution point
❑ Server locator point
❑ Reporting point
I discuss the system requirements for each site system, how to identify existing site systems, and how to implement, configure, and manage new site systems. Consider this chapter your crash course in Microsoft SMS 2003 site systems.
Chapter 2: Specifying and Managing Site System Roles
Management Point
The success (or failure) of any SMS 2003 environment begins and ends with the Management Point (MP) role. It is the communication gateway for each and every advanced client in your site — and you get only one of them! The Management Point role can, however, be configured to utilize multiple systems via Network Load Balanced clustering. Yes, you read that right. Each and every advanced client in your site will use this role for any and all communication with the site server, including retrieving new client policies (client agent settings, advertisements, package locations, and so on) and uploading all inventory and discovery records. This role automatically publishes itself within Active Directory (provided the AD schema has been successfully extended) and the WINS database. For those of you familiar with SMS 2.0, each of these tasks was originally handled by the Client Access Point (CAP) role, and in order to “spread the load” you could specify as many servers for it as you wanted.
Because you can have only one management point per SMS 2003 site, you might be thinking the same thing I did when I first learned of this particular limitation: “How is a single system going to act as a gateway for each one of my advanced clients?” Lucky for us, this particular role is very efficient at its job. Although there is no physical limitation to the number of clients, reports indicate that a single management point is capable of supporting nearly 25,000 advanced clients, provided the AD schema has been successfully extended. It can scale so effectively because this role, for all intents and purposes, is merely a website maintained by the site server that all the clients use to obtain information about the SMS site in which they currently reside.
Now that I have briefly described the function of the Management Point role, I will describe the system prerequisites and the process of configuring this role in your existing SMS 2003 environment.
Requirement: Windows 2000 Server SP3 and above, or Windows 2003 Server
    Note: Windows 2003 Web Edition is not supported.
Requirement: NTFS partition
Requirement: IIS installed
    Note: Default installation of IIS is recommended. You may use the IISLockdown or URLScan tools if the appropriate SMS template is applied.
Requirement: BITS extensions
    Note: Subcomponent of the IIS installation, required for the management point to install successfully. Used for hardware/software inventory uploads from clients.
Requirement: Task Scheduler and Distributed Transaction Coordinator (DTC) services running
    Note: Task Scheduler is disabled by default on Win2k3 Domain Controllers.
Requirement: SMS 2003 client not installed
    Note: Although not a requirement, I recommend that the Management Point role be installed prior to installing the SMS client on the same server. MP and client files will be located in the \SMS_CCM folder if the MP is installed first.
Microsoft offers a tool in the SMS 2003 Toolkit 2 package that allows you to check the health of your management point and ensure that all the requirements are met before you designate a site system as a management point. The MPTroubleshooter, which is discussed in Chapter 15, is a great tool to ensure that your server is ready to become a management point. After you identify the system you want to configure as a management point and verify that it meets all the requirements listed previously, you can proceed with the installation. Because this Site System role is not configured or enabled by default, you must do so within the SMS 2003 Administrator console, in the Site Systems container located in the Site Settings folder of your SMS site (Figure 2-1).
Figure 2-1
By default, the site server itself will be the only server in this container. To identify the existing Site System roles held by a server, right-click the server in the Administrator console and choose Properties (Figure 2-2).
Figure 2-2
After you click Properties, a dialog box will display an individual tab for each Site System role that can be held by the server you chose. Choose the Management Point tab to display the screen shown in Figure 2-3. From here, enabling this role is a very simple task; simply check the box and choose Apply to trigger the site server to configure the server (itself in this example) as a management point. In most instances, you should leave the default setting (Use The Site Database) selected. However, you might choose Use A Different Database if you have configured a replicated copy of your existing site database. I have also found that choosing Use A Different Database, specifying the original site database, and supplying the appropriate credentials is an excellent workaround when I’ve encountered MP to SQL communication issues.
Figure 2-3
After you configure this tab accordingly and click OK, the dialog box shown in Figure 2-4 will appear.
Figure 2-4
In almost all cases, you should choose Yes; doing so will automatically configure the SMS site to use this system as the default management point for all advanced clients in the site. Choosing Yes on this tab automatically configures the tab within the Component Configuration container shown in Figure 2-5, which is also accessible under Site Settings.
Figure 2-5
If you choose No, you will have to manually select one of the bottom two radio buttons so that the management point will function properly in the site. When the configuration is complete, you can follow the installation of the management point using the following log files on the SMS site server:
❑ MPSetup.log
❑ MPMSI.log
❑ MPControl.log
❑ Sitecomp.log
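Reading these logs by eye is slow, and an installation failure is usually one error line buried among hundreds of informational ones. The following script is an added example, not from the book; it parses the entry format SMS component logs use (a message block followed by a metadata block whose type attribute is 1 for information, 2 for a warning, and 3 for an error) and pulls out only the warnings and errors. The sample entries are constructed for the example and are not real MPSetup.log output; their messages, thread IDs and source-file references are made up.

```python
"""Pull warnings and errors out of SMS 2003 component logs such as
MPSetup.log, MPMSI.log, MPControl.log and Sitecomp.log.

Added example, not from the book. SMS component logs store one entry per
line in the form <![LOG[message]LOG]!><time=... date=... component=...
type=N ...>, where type 1 is informational, 2 a warning and 3 an error.
The sample entries below are constructed for this example and are not
real output from a site server.
"""
import re

SEVERITY = {"1": "info", "2": "warning", "3": "error"}

# One log entry: the message block followed by its metadata block.
LOG_ENTRY = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+'
    r'component="(?P<component>[^"]*)"\s+context="[^"]*"\s+'
    r'type="(?P<type>[123])"\s+thread="(?P<thread>\d+)"\s+file="[^"]*">',
    re.DOTALL,
)

# Constructed sample of what MPSetup.log might look like on a server whose
# IIS installation is missing the BITS server extensions.
SAMPLE_MPSETUP_LOG = (
    '<![LOG[MPSetup starting]LOG]!><time="12:38:01.000+300" date="10-04-2006" '
    'component="MPSetup" context="" type="1" thread="2140" file="mpsetup.cpp:40">\n'
    '<![LOG[IIS is installed]LOG]!><time="12:38:01.200+300" date="10-04-2006" '
    'component="MPSetup" context="" type="1" thread="2140" file="mpsetup.cpp:88">\n'
    '<![LOG[BITS server extensions were not found]LOG]!><time="12:38:01.300+300" '
    'date="10-04-2006" component="MPSetup" context="" type="2" thread="2140" '
    'file="mpsetup.cpp:96">\n'
    '<![LOG[Installation of the management point failed, return code 1603]LOG]!>'
    '<time="12:38:04.900+300" date="10-04-2006" component="MPSetup" context="" '
    'type="3" thread="2140" file="mpsetup.cpp:210">\n'
)


def parse_log(text):
    """Return a dict (date, time, component, severity, message) per entry."""
    entries = []
    for m in LOG_ENTRY.finditer(text):
        entries.append({
            "date": m.group("date"),
            "time": m.group("time"),
            "component": m.group("component"),
            "severity": SEVERITY[m.group("type")],
            "message": m.group("message"),
        })
    return entries


def problems(text):
    """Return only the warning and error entries, in log order."""
    return [e for e in parse_log(text) if e["severity"] != "info"]


def severity_counts(text):
    """Count entries per severity; a quick health summary for one log file."""
    counts = {"info": 0, "warning": 0, "error": 0}
    for e in parse_log(text):
        counts[e["severity"]] += 1
    return counts


def problems_in_file(path):
    """Read a log from disk (tolerating odd bytes) and return its problems."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return problems(fh.read())


if __name__ == "__main__":
    print(severity_counts(SAMPLE_MPSETUP_LOG))
    for e in problems(SAMPLE_MPSETUP_LOG):
        print(f'{e["date"]} {e["time"]} {e["component"]} '
              f'{e["severity"].upper()}: {e["message"]}')
```

Point problems_in_file at MPSetup.log, MPMSI.log, MPControl.log and Sitecomp.log in turn after enabling the role; a clean install shows no error entries, and the first error that does appear is the one to act on, since later ones are usually consequences of it.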
Client Access Point
The Client Access Point (CAP) role is a leftover from the SMS 2.0 days. It serves the same function in SMS 2003 as it did back in 2.0: it acts as a communications gateway between SMS clients and the SMS site server itself. Although this may sound exactly like the description of the management point, there is one large difference. Only SMS 2003 legacy clients are aware of the CAP; advanced clients are not aware of it, nor do they reference the CAP in any way. So, technically, if you have no SMS 2003 legacy clients, you can skip this section. However, the following information should be useful to you if you do continue reading. As mentioned, the CAP role acts as a proxy between legacy clients and the site server; it is installed by default on the site server itself and cannot be removed unless at least one other CAP is configured within the SMS site. Best practice is to offload the CAP role onto a separate server and remove the default role from the site server itself. However, this applies only if you have a significant number of legacy clients.
The CAP performs exactly the same functions as the management point; it just does them in a much different way. It uses shared directories to provide the following to legacy clients:
❑ Installation source files
❑ All of the client agent settings
❑ Advertisement information
❑ Distribution point locations
The CAP role share is always installed on the NTFS partition that has the most available space in a folder of the same name: CAP_XXX (where xxx is the site code). In Figure 2-6, you can see the folder structure within the CAP share.
Figure 2-6
These folders act as source files used during client installation (cli*.box) and as repositories for copying inventory (hinv/sinv.box) and discovery (ddr.box) records from clients. The Inbox Manager and the Inbox Manager Assistant are the two components that relate to all CAP activity. The Inbox Manager is a thread of the SMS Executive service running on the site server itself; it is responsible for populating each of the folders in the CAP_XXX share with information that clients will read (that is, package and advertisement information and client agent settings). The Inbox Manager Assistant is a thread of the SMS Executive service running on the CAP itself (if it is on a separate box) and is responsible for copying data from the CAP to the appropriate site server inboxes to be processed accordingly. As a simple example of the process, after SMSclient1 completes a hardware inventory cycle, it copies the inventory data file to the CAP_XXX\inventry.box folder, where the Inbox Manager Assistant then copies the file to the site server’s SMS\inboxes\inventry.box folder to be further processed by the site server and eventually written to the site database. Even if a single server hosts multiple Site System roles, they are all treated as individual components and are completely independent of each other.
As for sizing and CAP utilization numbers, again there is no default or specified number of clients that each CAP can manage. The number is largely determined by the hardware and network environment, as well as the number of legacy clients. You can use the built-in performance monitoring functionality of the Windows operating system to determine the need for additional CAPs in your environment. The interaction between a client and a CAP is far more process-intensive than the same interaction between a client and an MP. Most CAP utilization estimates are in the hundreds of clients versus the thousands for an MP. Now that I’ve briefly described the function of the Client Access Point role, I’ll describe the system prerequisites and the process of configuring this role in your existing SMS 2003 environment. I mentioned earlier that the site server is already configured as a CAP upon installation; however, if you want to use additional servers as CAPs, you can check the requirements in the following table.
Requirement: Windows 2000 Server SP3 and above, or Windows 2003 Server
Requirement: NTFS partition
The Client Access Point role is configured in the same Properties window described earlier in the management point discussion. Figure 2-7 displays the CAP tab. As you can see, only a little configuration is required to install or remove a CAP.
Figure 2-7
After you check the box to enable a system as a CAP, you can view the following logs to verify that the CAP is installed and functioning properly:
❑ Inboxmgr.log (site server)
❑ Inboxast.log (CAP)
In SMS 2003 Toolkit 2, Microsoft offers another tool that allows you to set the preferred distribution point and CAP. This command-line tool, prefserv.exe, allows you to set the preferred distribution and/or CAP for a legacy client. I’ll discuss it in more detail in Chapter 15.
Distribution Point
The Distribution Point (DP) role acts as a repository for any and all source files used during software distribution. The Distribution Point role allows clients to access these source files using two methods. The first of these methods, which utilizes the default Distribution Point configuration, operates via regular Windows file sharing using a hidden share on the NTFS partition with the most available space. This share is always called SMSPKGX$ (where X is the drive letter). The second method, which utilizes a BITS-enabled distribution point (DP), operates via an Internet Information Services (IIS) website using HTTP. Although the default Distribution Point configuration is available to either SMS 2003 client version, the BITS-enabled distribution point can be accessed only by advanced clients. When you first install an SMS 2003 site server, it is configured automatically with the Distribution Point role. However, I usually recommend that you configure additional systems to run this role and remove it from the site server itself, as you did with the CAP role mentioned earlier. As with the CAP role, the number of clients that determines the need for additional distribution points is not hard coded; the number is completely dependent on network speed, hardware specifications, and the software you plan to distribute. For example, you might have no problem using a single distribution point to run a simple batch file on a specific set of systems, and that same set of systems could choke a single DP when you try to simultaneously install Office 2003 on them. Monitoring your distribution points during software distribution will be critical in determining the need for additional DPs in your environment. Now that I’ve briefly described the function of the Distribution Point role, I’ll describe the system prerequisites and the process of configuring this role in your existing SMS 2003 environment.
The site server was configured as a distribution point during installation; however, you might want to use additional servers as DPs. The following table lists the requirements.
Requirement: Windows 2000 Server SP3 and above, or Windows 2003 Server
Requirement: NTFS partition
Requirement: IIS installed
    Note: Default configuration recommended.
Requirement: BITS extensions (Win2k3 only)
    Note: Required only if the DP is going to be configured as BITS-enabled.
Requirement: WebDAV extensions (Win2k3 only)
    Note: Required only if the DP is going to be configured as BITS-enabled.
The Distribution Point role is configured using the same Properties window (see Figure 2-8) you used for the previous roles.
Figure 2-8
To configure a server as a distribution point for a site server, simply check the Use This Site System As A Distribution Point box. To remove the role, clear the box. When the box is checked to configure the specified server as a DP, the Enable Background Intelligent Transfer Service (BITS) check box will be available. When the server in question meets the requirements listed, it will be ready to use as a distribution point in the SMS site.
Distribution Point Groups
Some very large sites have a lot of distribution points. Keeping track of all of them during software distribution can be difficult and even nerve-wracking. Using the Group Membership window (see Figure 2-8), you can create as many groups as you like to organize your many DPs into more manageable categories. The process is similar to creating organizational units (OUs) or security groups within Active Directory. This functionality does not impact the DP in any way. The DP won’t even realize that it is in a Distribution Point group. Grouping the points merely allows you to better organize a large number of distribution points for easier administration during software distribution. To create a Distribution Point group, simply click the Starburst (see Figure 2-8) and specify the name of the new group, as shown in Figure 2-9. You also have the option (checked by default) to make the current distribution point a member of this new group. You can change its status at any time. When you’re done, you can see your list of Distribution Point groups in the window, as shown in Figure 2-10.
Figure 2-9
Figure 2-10
A distribution point can be a member of as many Distribution Point groups as you choose. The number of groups it belongs to will not impact software distribution or the way the client chooses a DP.
Protected Distribution Points
When it comes down to properly configuring your SMS 2003 infrastructure, no single component can impact your environment more than poorly managed distribution points. Understanding how a client chooses which distribution point to access during software distribution when more than one is available is extremely important. The default order in which advanced clients choose a distribution point is as follows:
1. A distribution point hosting the package in the client’s same Active Directory site
2. A distribution point hosting the package in the client’s same IP subnet
3. A distribution point hosting the package in the client’s same SMS site
When more than one DP is hosting the package in the same SMS site, legacy clients choose distribution points at random. As you can see, the default selection criteria can be limiting in some environments where a single AD site spans multiple locations. In these instances, you can configure various distribution points as protected distribution points (PDPs). When you configure a PDP, you are basically linking that distribution point to a particular AD site(s) and/or IP subnet(s) that you want it to serve exclusively. The limiting factor is that you can add only an AD site or IP subnet that is currently an existing site, local, or roaming boundary for the SMS site. As an example, say you want a distribution point in a remote field office to service only the clients in that particular field office. More importantly, you don’t want clients in other offices utilizing that DP across the wide area network (WAN). If that remote field office has its own AD site, the default DP selection process will correctly choose that DP each and every time it makes a selection (provided it has a copy of the package). However, if that is not the case, you might be surprised to discover unnecessary WAN utilization from clients selecting other DPs in the same AD site. In this case, you should specify the particular IP subnet covering that remote field office as a protected boundary for the local distribution point. You do this by checking the bottom box in the Distribution Point Properties tab and choosing the Configure Boundaries button, as seen in Figure 2-11.
Figure 2-11
The next window shows the currently configured protected boundaries for the distribution point in question (none are selected by default). From there, you must click the Starburst and select the appropriate site/local/roaming boundaries (Figure 2-12).
Figure 2-12
The distribution point itself is not aware of the configuration you choose here. This setting impacts which distribution points are provided to the clients by the management point during the software distribution process. In this example, any client in the IP subnet 192.168.1.0 will utilize this distribution point to access packages — and more importantly, this distribution point will not be available for software distribution to any system outside that subnet. After the distribution point is configured via the SMS Administrator console, the distribution point itself will not be impacted until you make at least one SMS package available on that DP. To view the process of creating the DP and package replication to the DP, you can view the distmgr.log file on the site server itself. See Chapter 15 for more on prefserv.exe, the command-line tool that allows you to set the preferred distribution and/or CAP for a legacy client.
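The selection order (same AD site, then same IP subnet, then same SMS site) and the effect of protecting a DP are easier to reason about when you can run the scenario. The following model is an added example, not from the book and not Microsoft’s code; the DP names, site code, subnets, package IDs and client names are constructed. It reproduces the field-office case from the text: one AD site spans headquarters and a WAN-connected field office, so without protection the field-office DP is offered to headquarters clients and vice versa, while protecting it to the field office’s subnet confines it to that subnet. Modelling assumption: a protected DP that covers the client and hosts the package is offered on its own, which is what the text states; fallback to unprotected DPs when the protected one lacks the package, and the random choice legacy clients make, are not modelled.

```python
"""Model of how the management point narrows the distribution point (DP)
list it hands an advanced client: same AD site, then same IP subnet, then
same SMS site, with protected DPs offered only inside their boundaries.

Added example, not from the book or from Microsoft. All DP, client, site
and package identifiers are constructed. Assumption: a protected DP that
covers the client and hosts the package is offered on its own.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DistributionPoint:
    name: str
    ad_site: str
    subnet: str                 # subnet the DP itself sits in
    sms_site: str
    packages: set
    # AD site names or IP subnets chosen in the Configure Boundaries dialog;
    # an empty list means the DP is not protected.
    protected_boundaries: list = field(default_factory=list)


@dataclass
class Client:
    name: str
    ip: str
    ad_site: str
    sms_site: str


def in_boundary(client, boundary):
    """True when an AD-site name or an IP-subnet boundary covers the client."""
    if "/" in boundary:
        return ip_address(client.ip) in ip_network(boundary)
    return client.ad_site == boundary


def eligible(dp, client, package_id):
    """A DP is offered only if it hosts the package and, when protected,
    only to clients inside one of its protected boundaries."""
    if package_id not in dp.packages:
        return False
    if dp.protected_boundaries:
        return any(in_boundary(client, b) for b in dp.protected_boundaries)
    return True


def select_distribution_points(dps, client, package_id):
    """Return DP names in the order an advanced client would be offered them."""
    candidates = [dp for dp in dps if eligible(dp, client, package_id)]
    protected = [dp.name for dp in candidates if dp.protected_boundaries]
    if protected:                       # modelling assumption, see docstring
        return protected
    tiers = (
        lambda dp: dp.ad_site == client.ad_site,                    # 1. same AD site
        lambda dp: ip_address(client.ip) in ip_network(dp.subnet),  # 2. same IP subnet
        lambda dp: dp.sms_site == client.sms_site,                  # 3. same SMS site
    )
    ordered = []
    for matches in tiers:
        for dp in candidates:
            if matches(dp) and dp.name not in ordered:
                ordered.append(dp.name)
    return ordered


def build_dps(protect_field_office):
    """Constructed DPs: AD site HQ spans headquarters (10.1.1.0/24) and a
    field office (192.168.1.0/24) reached over the WAN; DP-EAST has its own
    AD site. All three are in the hypothetical SMS site C01."""
    field_dp = DistributionPoint("DP-FIELD", "HQ", "192.168.1.0/24", "C01", {"PKG00001"})
    if protect_field_office:
        field_dp.protected_boundaries = ["192.168.1.0/24"]
    return [
        DistributionPoint("DP-HQ", "HQ", "10.1.1.0/24", "C01", {"PKG00001", "PKG00002"}),
        field_dp,
        DistributionPoint("DP-EAST", "East", "10.5.0.0/16", "C01", {"PKG00001"}),
    ]


FIELD_CLIENT = Client("FIELD-PC1", "192.168.1.25", "HQ", "C01")
HQ_CLIENT = Client("HQ-PC1", "10.1.1.50", "HQ", "C01")
EAST_CLIENT = Client("EAST-PC1", "10.5.2.3", "East", "C01")

if __name__ == "__main__":
    for protect in (False, True):
        dps = build_dps(protect)
        print(f"DP-FIELD protected: {protect}")
        for c in (FIELD_CLIENT, HQ_CLIENT, EAST_CLIENT):
            print(f"  {c.name}: {select_distribution_points(dps, c, 'PKG00001')}")
```

Running it shows the WAN problem directly: unprotected, DP-HQ and DP-FIELD both sit in the first tier for every HQ-site client, so a headquarters client can be offered DP-FIELD and a field-office client DP-HQ; once DP-FIELD is protected to 192.168.1.0/24, field-office clients get DP-FIELD and no client outside that subnet is offered it at all.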
Server Locator Point
The server locator point (SLP) is used during SMS client installations (both advanced and legacy). The SLP’s main job is to locate an appropriate management point (advanced client) or CAP (legacy client) during logon script or low-rights client installations initiated via capinst.exe. The other important function of the SLP is to locate the appropriate management point for advanced clients configured for automatic site assignment. Only one SLP is required per hierarchy, and it should always be implemented at the central site, thereby allowing it to provide the location of any and all MPs and CAPs in the environment, including those of all the child sites. This role will automatically publish itself into Active Directory if available; however, if AD is not available, the role must be manually registered within the WINS database in order to function properly. Let’s look at the system prerequisites and the process of configuring this role in your existing SMS 2003 environment. By default, no SLP role is configured. The system requirements are listed in the following table.
Requirement: Windows 2000 Server SP3 and above, or Windows 2003 Server
Requirement: NTFS partition
Requirement: IIS installed
    Note: Default configuration recommended.
To enable a server as an SLP, browse to the Server Locator Point tab of the site system you want to use, as seen in Figure 2-13.
Figure 2-13
This tab is identical to the one for the Management Point role, and you should configure it the same way in your site. After the SLP is enabled, you can verify the installation of the SLP by viewing the following log files on the site server:
❑ Slpsetup.log
❑ Sitecomp.log
Reporting Point

Because the reporting point does not affect the functionality of the site, this role is by far the simplest of all the roles. The reporting point merely provides easy access to the more than 160 built-in reports, and to any custom reports, available within SMS. The Reporting Point (RP) role uses IIS to host the built-in web-based reporting, so the generated reports are accessed with a web browser. Once configured, anyone can be given access to any number of SMS reports without loading the SMS Administrator console on their workstation. Although this role can exist on any server, it can only be configured to point to the local site database, and it queries the SQL server directly. You might find it useful to configure a reporting point for each primary site in the hierarchy to allow more granular access to reporting on a site-by-site basis. Now that I've described the function of the Reporting Point role, I'll discuss the system prerequisites and the process of configuring this role in your existing SMS 2003 environment. By default, no Reporting Point roles are configured, and the built-in reports are not accessible. The system requirements are listed in the following table.

Requirement | Note
Windows 2000 Server SP3 or later, or Windows Server 2003 |
NTFS partition |
IIS installed | Default configuration recommended.
Active Server Pages subcomponent |
Office Web Components | Needed to display charts/graphs.
IE 5.01 SP2 or above | Required to view reports.
To configure the Reporting Point role, navigate to the Reporting Point tab and check the Use This Site System As A Reporting Point box (Figure 2-14). When the role is first enabled, you use this window to set the folder, the URL, and the port for the reporting point. Once they are set, you cannot change these options without uninstalling and reinstalling the Reporting Point role. When you install the reporting point, the SMSReporting_<sitecode> folder is created under the default website on the server being configured with this role (you can give the folder any custom name you choose). There is no supported way to use any website other than the default. Access to this URL is limited to the users and groups that are members of the SMS Reporting Users local group on the primary site server, and class or instance rights on each report, granted in the SMS Administrator console, are also required; a user needs both to see a report. Reporting points are uninstalled using the same procedure as any other role: uncheck the Use This System As A Reporting Point box and click Apply. Uninstalling and reinstalling the role is also a common troubleshooting step.
Figure 2-14
To validate the installation of the Reporting Point role, view the Smsreporting.log file on the site server. The reporting point is also used in conjunction with the Web Remote Tools, discussed in Chapter 15, as a lookup for the programs listed under Add/Remove Programs on the SMS client.
Summary

In this chapter, I defined each of the five SMS site system roles and their requirements, and I explained how to enable or disable them in your environment. In many sites, most if not all of these roles will reside on the site server itself; however, the roles are completely independent of each other regardless of the physical hardware on which they run. Several of them (the CAP and the DP in particular) were designed to be spread across multiple systems, distributing the load to provide a much more efficient SMS 2003 infrastructure. Design your environment carefully; a properly configured environment will make your experience with Microsoft Systems Management Server 2003 a more pleasant one. In Chapter 3, we continue our journey deep into SMS 2003. I discuss how to manage security within SMS 2003 and the advantages of Advanced Security Mode compared with Standard Security Mode, along with some best practices to ensure that your environment is secure.
Chapter 3: Managing SMS Security

In this chapter, I discuss basic security fundamentals in relation to SMS 2003: ways to secure SMS 2003 and how to maintain a secure SMS infrastructure. I focus on some of the accounts that SMS 2003 uses, how to ensure that they are secure, and how to maintain them, and I cover securing the SMS 2003 hierarchy and the communication among the various sites and site servers. Security is a major concern today in every environment. Administrators need to define security principles and practices that make the environment as secure as possible without halting or interrupting day-to-day business operations. Security has to be looked at as a whole puzzle, not just a single piece, so consider every level of your environment, from the server as a whole down to the individual files. Each hierarchy has its own security requirements; evaluate the risks carefully and plan accordingly. If the environment requires the highest level of security possible with SMS 2003, make sure that all the site servers and all the SMS 2003 clients are running at least SMS 2003 SP1, set the security mode to Advanced Security, run the advanced client rather than the legacy client on every machine, extend the Active Directory schema, and enable publishing of SMS objects to Active Directory. In the previous chapters, I discussed the security modes available in SMS 2003. In this chapter, I dive into the reasons you should consider using the Advanced Security Mode over the Standard Security Mode. Both modes should be considered, however, and your evaluation should be based on how your domain controllers are set up and configured.
If you do not have Active Directory in Native Mode, or if you are upgrading an existing SMS 2.0 site to SMS 2003, you might not be able to use the Advanced Security Mode right away. Most of the security aspects found within SMS 2003 Standard Security Mode are carried over from SMS 2.0. However, SMS 2003 has another level of security you can choose by running SMS 2003 in the Advanced Security Mode. This mode does not need all of the user accounts required in SMS 2.0, so it has many security-related advantages and it is more manageable. In Advanced Security Mode SMS 2003 uses only two accounts: the Local System account on the SMS server and the server's Computer account. These are easier to manage because there are no passwords for you to set, store or rotate, and no additional domain user accounts have to be created for SMS and granted rights. The computer account password is generated and changed automatically by the operating system, so it can never be weak, shared or forgotten.
Security Modes As I stated previously, SMS 2003 offers two security modes to run SMS environments. The Advanced Security Mode and the Standard Security Mode each have their own requirements, which will help determine which mode to use in your SMS environment.
Advanced Security Mode

In the Advanced Security Mode, the SMS services run under the Local System account and use the site server's computer account when they connect to other systems; there is no SMS Service account, so you will not see an option to change its password or reset it in the SMS Administrator console. You can, however, reset the computer account with the Active Directory Users and Computers snap-in: open the snap-in, find the site server's computer object, right-click it, and choose Reset Account. Be aware that resetting a computer account breaks that computer's secure channel to the domain until it is rejoined, so treat it as a last resort rather than routine maintenance. This is a very nice security feature: because you never set the password yourself, it is long, random and rotated automatically, which makes it very hard to crack. Before you run SMS 2003 in Advanced Security Mode, consider its requirements. Advanced Security Mode uses Active Directory heavily, so AD is required, and all site systems and site servers must run Windows 2000 or later. You will have to create the Client Connection accounts for legacy clients manually, and you must create the Client Push Installation account manually.
Standard Security Mode

To change the SMS Service account or its password in Standard Security Mode, you have two options. You can open the SMS Administrator console, browse to the site in question, right-click the site name to open the Site Properties dialog box, and on the Accounts tab specify the new account and/or password. Alternatively, you can run Setup from the SMS 2003 CD and choose to modify or reset the current installation. Standard Security Mode is a direct migration path from SMS 2.0, which gives you time to plan and implement both Active Directory and Advanced Security Mode. A Standard Security Mode site can be upgraded to Advanced Security Mode at any time after installation, as long as the site meets all the requirements for Advanced Security Mode. When you are deciding which security mode to use, weigh these factors. If your site does not meet the requirements for Advanced Security Mode, you must run in Standard Security Mode. Standard Security Mode leaves you with many internal accounts to manage: by default the SMS Service account is a domain administrator, and remote service accounts are created as local accounts on all the site systems. Remember also that a site reset changes the passwords of the server and client connection accounts, which can cause widespread lockouts of SMS accounts.
Some of the following security issues are merely common sense, and I'll just briefly discuss them. Others are less obvious, and you should seriously consider them to ensure that your environment is as secure as possible. For example, having security on the server boxes themselves is a common-sense practice that is often overlooked when an infrastructure is designed.
Security Levels SMS 2003 has many levels of security: SQL security, WMI security, OS security, IIS security, object and instances security, and, of course, the physical security of the servers themselves. As I stated earlier, SMS 2003 offers two security modes to run your SMS environments. You can choose between the Advanced Security Mode and the Standard Security Mode. Each has its own requirements, and those requirements will help determine which mode you should use within your SMS environment.
SQL Security

SQL Server supports two authentication methods:

❑ Windows Authentication
❑ SQL Server Authentication

Windows Authentication is the most commonly used type of SQL authentication in SMS, and it is the easiest to use: access to the SMS database is granted or denied on the basis of Windows accounts and groups, so there are no separate SQL logins or passwords to create, distribute and maintain.
WMI Security

Windows Management Instrumentation (WMI) security is used by SMS for hardware inventory, and WMI permissions also govern connections to the SMS site. For the most part, adding users to the SMS Admins group is all that is required to grant them WMI permissions on the site server, because that group carries the WMI namespace permissions for the SMS Provider.
IIS Security Internet Information Services (IIS) security is used to grant access to the reporting point in SMS 2003.
Standard Security Mode

As we have discussed, the Standard Security Mode is very similar to the security found in SMS 2.0. This mode requires numerous user accounts that you will have to deal with at some point during your administration of SMS 2003. Standard Security Mode is the only mode available if you still have NT 4.0 domain controllers. If some site servers are still managing NT 4.0 sites while you have started your migration to Active Directory and implemented SMS 2003 in other sites running Windows 2000 Active Directory or later, the Standard Security Mode sites can still report up to Advanced Security Mode sites. In other words, a Standard Security Mode site can be the child of either a Standard or an Advanced Security Mode site, but an Advanced Security Mode site can never report to a Standard Security Mode parent.
Advanced Security Mode

The Advanced Security Mode relies on only two accounts: the Local System account and the Computer account. Active Directory is required to run SMS 2003 with the Advanced Security Mode. As I will explain later in the chapter, SMS 2003 does not have to be installed with the Advanced Security Mode activated; the site can be upgraded at any time after the installation if all the requirements for Advanced Security Mode are met. Advanced Security Mode sites can report only to other Advanced Security Mode sites.
SMS Accounts SMS 2003 creates several accounts that are common to both the Standard Security Mode and the Advanced Security Mode, as well as accounts that are mode specific.
Common Accounts for Both Modes The Local System, the Client Push Installation, the Site Address accounts, and six groups are common to both the Standard Security Mode and the Advanced Security Modes. These accounts have various functions within the SMS environment.
Local System The Local System account is used to run SMS server and client services and processes.
Client Push Installation The Client Push Installation account is an optional account that is used to install SMS components on legacy clients when the SMS Service account doesn’t have the required rights on the client computer.
Site Address The Site Address account is another optional account. It is used for site-to-site communications.
Common Groups for Both Modes Like the common accounts that are available for both security modes, SMS has common groups that are created independently of the security mode in which you have chosen to run SMS.
SMS Administrator The SMS Admins group is used to provide access to the SMS Provider through WMI to connect to the SMS site server or via the SMS Administrator console.
Internal Client Group The SMSInternalCliGrp contains the client token and Client Service accounts on the domain controller.
Reporting Users The SMS Reporting Users group is used to delegate access to the SMS reporting point.
Site System to Site Server Connection The SMS_SiteSystemToSiteServerConnection_sitecode group gives site systems access to site server resources.
Site System to SQL Server Connection The SMS_SiteSystemToSQLConnection_sitecode group gives management points, server locator points, and reporting points access to the SMS site database.
Site to Site Connection The SMS_SiteToSiteConnection_sitecode group provides communications among the sites in an SMS hierarchy.
Accounts Specific to Standard Security As I stated earlier, SMS 2003 running under standard security is a lot like SMS 2.0 in that SMS uses many accounts to perform various SMS tasks.
SMS Service The SMS Service account is used to run SMS site server processes and services.
Server Connection The SMSServer_sitecode account is used to provide access for the CAPs to the site server.
Site System Connection The Site System Connection account is an optional account used to provide access for site servers to site systems.
Remote Service The SMSSvc_sitecode_xxx account is used to run the SMS Executive service on remote CAPs and the SQL monitor service on an SMS database server that isn’t the site server.
Accounts Specific to Advanced Security As I stated earlier, two accounts are used for the Advanced Security Mode.
Local System The Local System account runs SMS client and server services. It processes and runs SMS advanced client and server processes under the Advanced Security Mode.
Computer Account SMS systems use the Computername$ account to communicate with other SMS systems.
SMS 2003 Service Account

There are many reasons why you might need to change the SMS Service account or its password, and the procedure depends on which security mode your SMS environment is running in. The SMS Service account is the primary account created under Standard Security Mode; site server services use it to create shares and directories on the site systems, to set permissions, and to copy files and installation components. Many services use this account, and by default it is a domain administrator under the Standard Security Mode, which is why it deserves a strong password and careful monitoring.

SQL Server Account

If you are running Advanced Security Mode, SMS uses the site server's computer account, via Windows Authentication, to connect to the site database; you can, however, create a SQL Server login for SMS to connect with instead. SQL Server offers two authentication modes: Windows Authentication only, or Windows and SQL Server Authentication (Mixed Mode). Because all the SMS data is stored in the site database, evaluate carefully which mode you use. In Mixed Mode the built-in sa login can be used, and this is extremely insecure if it still has the blank password that SQL Server 2000 setup allowed by default: anyone who can reach the SQL port can log in as system administrator and read or change every record. If you decide to use Mixed Mode, set a strong password for sa and for every other SQL login. Functionally, Mixed Mode gives SMS nothing that Windows Authentication alone does not.
Setting Advanced Security Mode

One of the major new features of SMS 2003 is that you can run it in the Advanced Security Mode. This mode allows all of the SMS services to run under the context of the Local System account, using the host computer account for network-related requests. This removes the need to maintain multiple accounts at every site. Advanced Security Mode is the recommended mode; however, to use it your system must meet the requirements shown in the following table.

Network Type | Security Mode
Active Directory | Advanced/Standard
NT Domain | Standard
SMS Advanced Client | Advanced/Standard
Instead of using the user accounts to run the SMS services, the Advanced Security Mode uses the Local System account to run the SMS services. This makes the Advanced Security Mode much easier to manage and more secure. The Advanced Security Mode uses Local Computer accounts to connect to other computers on the domain.
You can set the security mode during the installation of your site server or after the site has been configured and set up. To upgrade an existing site, open the SMS Administrator console, right-click the site code, select Properties, and on the General tab click Set Security. After your site is set to Advanced Security Mode, the site must be reinstalled in order to return to Standard Security Mode, so make the change deliberately. If your Windows network contains any NT 4.0 domain controllers, or if you have not implemented Active Directory, your SMS 2003 environment must use the Standard Security Mode. When an SMS 2003 site is installed in Standard Security Mode, SMS creates many user accounts that perform SMS functions and tasks on the servers and on the clients. If you are running Active Directory, you can choose which security mode to implement. The Advanced Security Mode is much more secure than the Standard Security Mode, and it does not require all the user accounts that the Standard Security Mode does. The Standard Security Mode creates four site accounts for use by SMS: the SMS Service account, the SMSServer_sitecode (Server Connection) account, the Site System Connection account, and the SMSSvc_sitecode_xxx (Remote Service) account. The Advanced Security Mode uses only two: the Local System account, which runs SMS tasks on the site servers, and the Computer account, which SMS uses to connect to other systems. As I said earlier, Advanced Security Mode can be selected during the installation of SMS 2003, or you can upgrade after SMS 2003 is installed.
Although the Advanced Security Mode is the recommended security mode, you must use the Standard Security Mode if you are not running Active Directory, and any SMS 2.0 site upgraded to SMS 2003 is initially set up in the Standard Security Mode. When such a site is later upgraded from Standard Security Mode to Advanced Security Mode, SMS does not remove the accounts the Standard Security Mode used; you must delete them manually. Some of the standard security accounts should always be deleted, some only under certain conditions, and some never. Before you delete any of these accounts, make sure they are not being used by any other site or by old clients. The Standard Security SMS accounts and what to do with each are shown in the following table.

Account Name: Action
SMS Service account: Always delete.
CCM Boot Loader (DC) (SMS#_DC): Always delete.
CCM Boot Loader (non-DC) (SMSCCMBOOTAcct&): Always delete.
Client Services (DC) (SMSM&_dc): Always delete.
Client Services (non-DC) (SMSCliSvcAcct&): Always delete.
Client User Token (DC) (SMSCliSvcAcc&): Always delete.
Client User Token (non-DC) (SMSCliToknLocalAcct&): Always delete.
Client Connection (SMSClient_SiteCode): Always delete.
Legacy Client Software Installation: Always delete.
Internal Client Group (SMSInternalCliGrp): Always delete.
Site System Database (SMS_SQL_RX_SiteCode): Do not delete this account if all of the following are true: a secondary site is still running in Standard Security Mode; that secondary site uses a proxy MP; and no alternate account is set up to access the parent site's SMS site database. Otherwise delete it.
Server Connection (SMSServer_SiteCode): Delete this only if the SMS site database is running on the site server.
SMS Administrator Group (SMS Admins): Do not delete.
Reporting Users Group (SMS Reporting Users): Do not delete.
Site System to Site Server Connection Group (SMS_SiteSystemToSiteServerConnection_SiteCode): Do not delete.
Site System to SQL Server Connection Group (SMS_SiteSystemToSQLConnection_SiteCode): Do not delete.
Site to Site Connection Group (SMS_SiteToSiteConnection_SiteCode): Do not delete.
Client Push Installation account: Do not delete.
Advanced Client Network Access account: Do not delete.
Any Site Address accounts you have added: Do not delete these accounts unless you have replaced them with computer accounts.

Courtesy of the SMS Operational and Deployment Guide on Microsoft.com.
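The cleanup table above is easy to get wrong by hand across several site systems, so here is the same decision logic written out as a check you can run against a list of account names collected from each server (for example the output of net user, or an export from the domain). This is an added example, not code from the book or from Microsoft. The fixed account and group names are taken from the table; names the administrator chooses (the SMS Service, Client Push Installation, Advanced Client Network Access and Site Address accounts) have no fixed value and are passed in as facts. The site code PR1, the SiteFacts values and the sample account list are constructed for the demonstration.

```python
"""Post-upgrade cleanup check for Standard Security Mode accounts (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteFacts:
    """Facts the cleanup decisions depend on; the values used below are assumptions."""
    site_code: str
    db_on_site_server: bool                 # SMS site database runs on the site server
    secondary_in_standard_mode: bool        # a child secondary is still in Standard mode
    secondary_uses_proxy_mp: bool           # ... and it uses a proxy management point
    alternate_db_account_configured: bool   # ... and an alternate account reaches the parent DB
    site_addresses_replaced: bool = False   # Site Address accounts replaced by computer accounts
    service_account: str = ""               # admin-chosen SMS Service account name
    push_account: str = ""                  # Client Push Installation account
    network_access_account: str = ""        # Advanced Client Network Access account
    site_address_accounts: frozenset = frozenset()


# Fixed names from the cleanup table; {sc} stands for the site code.
ALWAYS_DELETE = (
    "SMS#_DC", "SMSCCMBOOTAcct&",            # CCM Boot Loader (DC / non-DC)
    "SMSM&_dc", "SMSCliSvcAcct&",            # Client Services (DC / non-DC)
    "SMSCliSvcAcc&", "SMSCliToknLocalAcct&", # Client User Token (DC / non-DC)
    "SMSClient_{sc}", "SMSInternalCliGrp",   # Client Connection, Internal Client Group
)
NEVER_DELETE = (
    "SMS Admins", "SMS Reporting Users",
    "SMS_SiteSystemToSiteServerConnection_{sc}",
    "SMS_SiteSystemToSQLConnection_{sc}",
    "SMS_SiteToSiteConnection_{sc}",
)


def _same(name: str, pattern: str, sc: str) -> bool:
    """Windows account names are case-insensitive, so compare case-folded."""
    return name.casefold() == pattern.replace("{sc}", sc).casefold()


def classify(name: str, facts: SiteFacts) -> tuple:
    """Return (action, reason) for one account: 'delete', 'keep' or 'ignore'."""
    sc = facts.site_code
    if facts.service_account and _same(name, facts.service_account, sc):
        return "delete", "SMS Service account: always delete after the switch"
    if any(_same(name, p, sc) for p in ALWAYS_DELETE):
        return "delete", "legacy client or Standard-mode connection account: always delete"
    if _same(name, "SMS_SQL_RX_{sc}", sc):
        still_needed = (facts.secondary_in_standard_mode and facts.secondary_uses_proxy_mp
                        and not facts.alternate_db_account_configured)
        if still_needed:
            return "keep", "a Standard-mode secondary with a proxy MP still uses it"
        return "delete", "no Standard-mode secondary depends on it"
    if _same(name, "SMSServer_{sc}", sc):
        if facts.db_on_site_server:
            return "delete", "site DB is on the site server, so CAPs no longer need it"
        return "keep", "site DB is remote; the Server Connection account is still used"
    if any(_same(name, p, sc) for p in NEVER_DELETE):
        return "keep", "group is used in both security modes"
    for keeper in (facts.push_account, facts.network_access_account):
        if keeper and _same(name, keeper, sc):
            return "keep", "Client Push / Network Access account is used in both modes"
    if any(_same(name, a, sc) for a in facts.site_address_accounts):
        if facts.site_addresses_replaced:
            return "delete", "Site Address account replaced by a computer account"
        return "keep", "Site Address account still used for site-to-site communication"
    return "ignore", "not an SMS account listed in the cleanup table"


def plan_cleanup(accounts, facts: SiteFacts) -> dict:
    """Classify every account; the result is the review list for the change record."""
    return {name: classify(name, facts) for name in accounts}


def to_delete(accounts, facts: SiteFacts) -> list:
    """Only the names the table says to remove, sorted for a deterministic report."""
    return sorted(n for n, (action, _) in plan_cleanup(accounts, facts).items()
                  if action == "delete")


# Constructed sample: what 'net user' on a freshly upgraded site server might list.
SAMPLE_ACCOUNTS = [
    "Administrator", "SMSService", "SMSServer_PR1", "SMSClient_PR1",
    "SMS_SQL_RX_PR1", "SMSCliToknLocalAcct&", "smsclientpush",
    "SMS Admins", "SMS_SiteToSiteConnection_PR1",
]
SAMPLE_FACTS = SiteFacts(
    site_code="PR1", db_on_site_server=True,
    secondary_in_standard_mode=True, secondary_uses_proxy_mp=True,
    alternate_db_account_configured=False,
    service_account="SMSService", push_account="smsclientpush",
)

if __name__ == "__main__":
    for name, (action, reason) in plan_cleanup(SAMPLE_ACCOUNTS, SAMPLE_FACTS).items():
        print(f"{action:6}  {name:32}  {reason}")
```

Run the check once per site system, with the facts filled in for that site, and keep the printed plan with the change record; the two conditional rows are the ones that bite, because deleting SMS_SQL_RX_SiteCode too early silently breaks a Standard-mode secondary's proxy MP.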
Your hierarchy's security mode is determined by the mode each site is running. If any site within the hierarchy runs Advanced Security Mode, the central site must run Advanced Security Mode, because an Advanced Security Mode site can report only to another Advanced Security Mode site. As discussed previously, you should use Advanced Security Mode whenever possible: not only is it more secure, it also does away with the additional accounts, which means less security maintenance work. The site must, however, meet the requirements before moving to Advanced Security Mode. If you stay with Standard Security Mode, you will have more user accounts and groups to maintain whenever a security maintenance need arises. An SMS hierarchy can mix advanced security sites and standard security sites, as long as every advanced security site reports to an advanced security site.
Providing a Secure Infrastructure

To secure an infrastructure, start with careful planning. Ideally, you should begin securing the infrastructure when you install the SMS sites, or as early in the SMS 2003 deployment as possible. If for some reason you cannot implement Advanced Security Mode during SMS 2003 installation, you can upgrade to it after you meet all of its requirements. There is an old saying that your team is only as good as its weakest player; this is also true of security measures. Your infrastructure is only as secure as the least-secure device on the network. Use Windows 2000 or later for your client operating systems because of the security improvements they offer over older systems; SMS 2003 does still support Windows 98 and Windows NT 4.0 clients, but those clients cannot be locked down to the same standard. Use NTFS on all of your SMS client systems that run Windows 2000 and later; NTFS provides file-level access control that FAT lacks, and SMS 2003 depends heavily on the Windows security features built on NTFS. All site systems should run Windows Server 2003, which at the time of writing is the most secure Windows Server release and was designed with security as one of its major focuses, although Windows Server 2003 is not required.
Configuring Connection Accounts SMS 2003 uses Connection accounts to communicate between the systems and the site system. Site system servers use these accounts to connect to the systems to perform SMS-related tasks. Also, the clients will use an account to connect to site systems to transfer client inventory and data discovery records. These accounts vary based on the security mode you are running.
Client Connection Accounts Client Connection accounts are used by legacy clients to connect to client access points (CAPs). If you are using the Standard Security Mode, the Client Connection accounts are automatically created as local accounts on the CAP.
If you are running Advanced Security Mode and legacy clients report to the site, the Client Connection accounts must be manually created.
Site System Connection Accounts The Site System Connection account allows site systems to read and write resources on the site server. No matter which security mode you are running, SMS 2003 uses accounts to communicate amongst the site servers and the site systems to collect hardware inventory, software inventory, and other data the site systems have collected.
Managing Object/Class Level Security Rights

You don't have to rely only on security modes, SQL accounts, and the Windows operating system to improve your site security. SMS 2003 offers rich object-level and class-level security rights. With SMS 2003, you can customize security on all the SMS objects, including collections, packages, advertisements, reports, queries, sites, software metering rules, and status messages. SMS 2003 security is very similar to the NTFS security model, in which both folders and individual files carry their own access control. SMS 2003 offers class-level security, similar to folder security in NTFS, and instance-level security, similar to file security. Class-level rights apply to every member of that class as well as to the class itself; for example, any permission applied to the Query class is granted on every query, including queries created later. Instance security is extremely helpful when individuals or groups need to access only certain reports or queries. For example, if the Chief Information Officer needs to see one particular report about computer equipment but no other reports, grant her rights on that report instance only: she can open that report and nothing else, and users without class-level rights on reports or instance rights on that report cannot open it. SMS 2003 offers the 16 permissions outlined in the following table, which you can combine to meet your security requirements.
Permission (Object Type): Description
Administrator (All objects): Ability to assign rights and administer all objects.
Advertise (Collections): Ability to create advertisements.
Create (All objects): Ability to create an instance.
Delegate (All objects except Status messages): Ability to grant rights on any object that was created by that user.
Delete (All objects except Status messages): Ability to delete objects.
Delete Resource (Collections): Ability to delete a resource from a collection.
Distribute (Packages): Ability to send out packages.
Manage SQL Commands (Sites): Ability to create and modify SQL commands.
Manage Status Filters (Sites): Ability to create and manage status filters.
Meter (Sites): Ability to create software metering rules.
Modify (All objects except Status messages): Ability to make changes to an object.
Modify Resource (Collections): Ability to make changes to a resource in a collection.
Read (All objects except Status messages): Ability to view the object and its properties.
Read Resource (Collections): Ability to view the resources in a collection.
Use Remote Tools (Collections): Ability to run a Remote Tools session against members of the collection.
View Collected Files (Collections): Ability to view files collected from SMS 2003 clients.
To view all the Security rights assignments within SMS 2003, open your SMS Administrator console, go to the Security Rights folder. You will see all the Security Rights assigned within your organization; your screen should be similar to Figure 3-1. To view a filtered list of the object classes, right-click the Security Rights folder. You can specify which object classes to view by selecting the appropriate properties, as shown in Figure 3-2.
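The class-versus-instance model described above, together with the two-layer check the reporting point applies (membership in the SMS Reporting Users local group plus class or instance rights on the report, as noted in Chapter 2), can be made concrete in a small model. The following Python is an added example; it is not code from the book or from the SMS SDK, and the real rights live in the site database and are read through the SMS Provider rather than from these structures. The permission names are the ones in the table; the Grant and RightsModel types, the CORP principals and groups, and the report titles are constructed for the demonstration. It assumes that viewing a report requires the Read permission on the Report class or on that report instance, and that the reporting point additionally requires membership, direct or through a nested group, in SMS Reporting Users.

```python
"""Class-level versus instance-level rights plus the reporting-point gate (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# The 16 SMS 2003 permissions from the table above.
PERMISSIONS = frozenset({
    "Administrator", "Advertise", "Create", "Delegate", "Delete", "Delete Resource",
    "Distribute", "Manage SQL Commands", "Manage Status Filters", "Meter", "Modify",
    "Modify Resource", "Read", "Read Resource", "Use Remote Tools", "View Collected Files",
})


@dataclass(frozen=True)
class Grant:
    principal: str                  # "DOMAIN\\user" or "DOMAIN\\group"
    object_class: str               # "Report", "Collection", "Package", ...
    permissions: FrozenSet[str]
    instance: Optional[str] = None  # None = class-level grant, applies to every instance

    def __post_init__(self):
        unknown = self.permissions - PERMISSIONS
        if unknown:
            raise ValueError(f"not an SMS 2003 permission: {sorted(unknown)}")


class RightsModel:
    def __init__(self, grants: List[Grant], group_members: Dict[str, Set[str]],
                 reporting_users: Set[str]):
        self.grants = grants
        self.group_members = group_members      # group -> direct members (users or groups)
        self.reporting_users = reporting_users  # members of the SMS Reporting Users local group

    def principals_for(self, user: str) -> Set[str]:
        """The user plus every group containing it, directly or through nesting."""
        found = {user}
        changed = True
        while changed:
            changed = False
            for group, members in self.group_members.items():
                if group not in found and members & found:
                    found.add(group)
                    changed = True
        return found

    def effective_rights(self, user: str, object_class: str, instance: str) -> FrozenSet[str]:
        """Union of class-level grants and grants on this particular instance."""
        who = self.principals_for(user)
        rights: Set[str] = set()
        for g in self.grants:
            if (g.principal in who and g.object_class == object_class
                    and (g.instance is None or g.instance == instance)):
                rights |= g.permissions
        return frozenset(rights)

    def can_view_report(self, user: str, report: str) -> bool:
        """Both gates must pass: the local group at the reporting point, then the SMS right."""
        if not self.principals_for(user) & self.reporting_users:
            return False
        return "Read" in self.effective_rights(user, "Report", report)


# Constructed sample. Report titles are placeholders, not the built-in report names.
READ = frozenset({"Read"})
CIO_REPORT = "Computer equipment by manufacturer"
OTHER_REPORT = "Installed software by product"
MODEL = RightsModel(
    grants=[
        Grant("CORP\\cio", "Report", READ, instance=CIO_REPORT),  # one report only
        Grant("CORP\\HelpDesk", "Report", READ),                  # class-level: all reports
        Grant("CORP\\auditor", "Report", READ),                   # has the right, not the group
    ],
    group_members={"CORP\\HelpDesk": {"CORP\\alice", "CORP\\Tier1"},
                   "CORP\\Tier1": {"CORP\\bob"}},                 # bob is nested two levels deep
    reporting_users={"CORP\\cio", "CORP\\HelpDesk"},
)

if __name__ == "__main__":
    for user in ("CORP\\cio", "CORP\\alice", "CORP\\bob", "CORP\\auditor"):
        print(user, MODEL.can_view_report(user, CIO_REPORT),
              MODEL.can_view_report(user, OTHER_REPORT))
```

The auditor case is the one worth remembering when a report "does not work" for someone: an SMS right without the local group membership yields an IIS access denied at the reporting point, and the group membership without the right yields an empty report list, so check both layers.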
Figure 3-1
Figure 3-2
After you select the items you want to filter, click OK. You will see a list of the filtered items. In Figure 3-3, I selected to view only Metered Software security rights.
Figure 3-3
You can assign and modify permissions through the Security Rights node, or you can assign or modify rights at the individual object class or instance level. To assign rights at the class or instance level, navigate to the object or instance to which you want to grant rights, right-click it, and choose Properties. For the following example, use the Collections object; you will be prompted with the Collection Properties screen, as shown in Figure 3-4.

1. Select the Security tab, which is displayed in Figure 3-5.
2. Click the New button to add a new user or group. The Object Class Security Right Properties dialog box will appear, as shown in Figure 3-6.
3. Check the boxes for the permissions you want to enable, and click OK.
Figure 3-4
Figure 3-5
Figure 3-6
SMS 2003 offers three other ways to add or modify security rights. SMS has a Security Rights node you can use to assign rights to any of the object class or instances. You can use the SMS User Wizard to modify rights or you can clone any existing account. To clone an existing user, in the Security Rights folder find the user you want to clone and right-click that user. Under the All Tasks menu, click Clone SMS User. The Clone SMS User dialog box will appear, as shown in Figure 3-7.
Figure 3-7
Enter the New User information using the syntax Domain\Username, check the security rights you want to clone, and then click OK.
To use the SMS User Wizard, right-click the Security Rights folder, click All Tasks, and then click Manage SMS Users. This will open the SMS User Wizard dialog box, as shown in Figure 3-8.
Figure 3-8
Click Next to continue. Now you have three choices to make: you can Modify an existing user, Add a new user, or Remove an existing user, as shown in Figure 3-9.
Figure 3-9
If you want to modify an existing user, click the Modify An Existing User radio button and select the username you want to modify. Click Next. This will bring up the Rights dialog box, as shown in Figure 3-10.
Figure 3-10
From this dialog box, you have three options: The Listed Rights Are Sufficient, Add Another Right Or Modify An Existing One, and Copy Rights From An Existing SMS User Or User Group. If you select the Copy Rights From An Existing SMS User Or User Group radio button and select Next, the Copy Rights dialog box will appear, as shown in Figure 3-11.
Figure 3-11
In this dialog box, you can select the source user whose rights you want to copy. If you select the Add Another Right Or Modify An Existing One radio button from the dialog box, you will have the option to grant a new right to this user, as shown in Figure 3-12.
Figure 3-12
Select the Class to which you want to add the right, select the instance, select the permissions you want to assign to this user, and then click Next. After you click Next on the Add A Right dialog box, you will be taken back to the SMS User Wizard Rights dialog box, as shown in Figure 3-10. You can select another option or you can click The Listed Rights Are Sufficient radio button if you are finished. Then click Next. You will be given a summary list of the proposed user modifications you are about to make, as shown in Figure 3-13. If you are satisfied with the new rights, click Finish to implement the new security rights for those users.

SMS 2003 offers a lot when it comes to security. However, rogue SMS administrators can still pose security risks, and having a security initiative is one of the easiest ways to keep from compromising the SMS hierarchy. Creating a security plan based on your environment and testing this plan on a routine basis will help ensure a safe environment.
Figure 3-13
As I discuss in Chapter 15, free third-party tools, such as the SMS 2003 Web Remote Tools, are available to customize user functions based on the security permissions assigned to each user. Using them will help ensure that the environment is secure and customized to fit within the security level of the hierarchy for which SMS 2003 is administered.
Summary

You can customize the security of your SMS environment. You have many choices and options that need to be carefully configured based on the hierarchy and network security policies. Security is a critical part of any business, and you want to ensure your SMS 2003 environment is as secure as possible. SMS 2003 security is very granular. You can grant or deny access to virtually any part of SMS 2003, from the whole class down to the single instance. In the next chapter, I discuss the options to configure the site settings. I cover address configuration, senders, individual component configuration, site maintenance, and status summarizing. I will explain the importance of site maintenance and the various tasks to ensure that you can recover from a disaster, if the need arises.
Chapter 4: Configuring Site Settings

In this chapter, I discuss how to configure the site settings. I discuss address configurations and how they help configure senders. I discuss how to configure other components, such as software distribution, status reporting, and management points. I also discuss various SQL commands and tasks that can aid site maintenance. Communication between the sites within a hierarchy is a necessity. Each parent site must communicate with the child sites beneath it, and it must communicate with any other sites in the organization.
Addresses

Addresses by definition indicate the location of destination sites. They provide the location of site servers to other site servers, and they provide the parent and the child sites with each other’s location. As I discussed in the previous chapters, the parent site has to communicate to each of the child sites so the child sites are aware of packages, collections, advertisements, and other information. The parent site uses addresses to send information to and receive information from other sites within the hierarchy. Six different types of addresses are available in SMS 2003. They correspond to the type of sender: Standard Sender address, Asynchronous RAS Sender address, ISDN RAS Sender address, X25 RAS Sender address, SNA RAS Sender address, and Courier Sender address. These addresses are mechanisms that allow connected sites to communicate to the various SMS 2003 sites within the hierarchy. The addresses you choose should be determined by the type of connections you have between sites and senders. When you create the appropriate address from a new secondary site to the parent site, a corresponding sender is also created on the new secondary site.
The connections between the sites determine the address options you have for communication between the senders. If you have a high-speed connection between sites, you will need to use a Standard Sender address. By default, when an SMS site is created, it installs a Standard Sender and a Courier Sender at the primary sites and it creates either a Standard Sender or an Asynchronous RAS Sender and a Courier Sender at the secondary sites. If you are using a Remote Access Server (RAS) connection between sites, you will have to choose an Asynchronous RAS Sender address, an ISDN RAS Sender address, an X25 RAS Sender address, or a RAS over SNA Sender address. An Asynchronous RAS Sender address is used for RAS communication over an asynchronous line, and an ISDN RAS Sender address is used for communication over an ISDN line. An X25 RAS Sender address is used if you have an X.25 line between your sites. If you are using a System Network Architecture (SNA) link, you will want to choose the SNA RAS Sender address. I haven’t discussed the Courier Sender address yet. It allows communication between sites to be sent via removable media instead of network bandwidth. You can think of a Courier Sender address as one that uses a third-party courier to deliver CDs from one place to another.

To create an address, you will need to open the SMS Administrator console. Under Site Hierarchy, the site code from which you want to create an address, and the Site Settings folder, you will find the Address folder. From there, you can right-click an address and choose New from the menu. A list of sender address types will display, as shown in Figure 4-1.
Figure 4-1
Depending on which type of Sender address you choose, a Sender Address Properties dialog box will appear. The Standard Sender Address Properties dialog box, as shown in Figure 4-2, allows you to specify the Destination Site Code and the Site Server Name. There is also the option to enter a specific account if you do not want to use the default computer account.
Figure 4-2
The Schedule tab and Rate Limits tab are the same for all types of sender addresses in SMS 2003. Figures 4-3 and 4-4 show the settings available. These settings will help you ensure that network traffic between senders occurs only during the hours you specify so that it does not impact your environment during peak hours.
Figure 4-3
Figure 4-4
In the Asynchronous RAS Sender Address Properties dialog box, which is shown in Figure 4-5, you will need to choose the Destination Site Code from the drop-down list. You also have to fill in the Phone Book Entry number, along with the Server Name and Domain of the SMS Destination server. If you are not running Advanced Security Mode, then you will have to specify an account name. This account will need to have at least change permission for the SMS_Sitecode share on the target site. If you are running in Advanced Security Mode, then you will not be able to change the account, which will be Local System.
Figure 4-5
In the ISDN RAS Sender Address Properties dialog box, which is shown in Figure 4-6, you will need to choose the Destination Site Code from the drop-down list. You also have to enter the Phone Book Entry number, along with the Server Name and Domain of the SMS Destination server. If you are not running Advanced Security Mode, you will have to specify an account name. This account will need to have at least Change permission for the SMS_Sitecode share on the target site. If you are running in Advanced Security Mode, you will not be able to change the account, which will be Local System.
Figure 4-6
In the SNA RAS Sender Address Properties dialog box, which is shown in Figure 4-7, you will need to choose the Destination Site Code from the drop-down list. You also have to fill in the Phone Book Entry number, along with the Server Name and Domain of the SMS destination server. If you are not running Advanced Security Mode, you will have to specify an account name. This account will need to have at least Change permission for the SMS_Sitecode share on the target site. If you are running in Advanced Security Mode, you will not be able to change the account, which will be Local System. In the X25 RAS Sender Address Properties dialog box, which is shown in Figure 4-8, you will need to choose the Destination Site Code from the drop-down list. You also have to fill in the Phone Book Entry number, along with the Server Name and Domain of the SMS destination server. If you are not running Advanced Security Mode, you will have to specify an account name. This account will need to have at least Change permission for the SMS_Sitecode share on the target site. If you are running in Advanced Security Mode, you will not be able to change the account, which will be Local System.
Figure 4-7
Figure 4-8
In the Courier Sender Address Properties dialog box, which is shown in Figure 4-9, you will need to choose the Destination Site Code from the drop-down list.
Figure 4-9
Microsoft offers another tool in the SMS 2003 Toolkit 2 package that will allow you to create or modify addresses. This tool, which is discussed in Chapter 15, is a command-line tool called CrAddr.exe. It allows you to create or modify addresses in SMS 2003.
Senders

Senders are the instruments that sites use to transmit information to and from other sites. They communicate using the available addresses that were set up between the sites, as I discussed earlier. These addresses are the Standard Sender address, Asynchronous RAS Sender address, ISDN RAS Sender address, X25 RAS Sender address, SNA RAS Sender address, and the Courier Sender address. During an SMS 2003 installation, both a standard sender and courier sender are created; however, you can choose to install other senders as required. To add senders, you will need to go through the SMS 2003 Administrator console. You can find the senders under Site Hierarchy, under the site code from which you want to create an address, and finally under the Site Settings folder. A list of the available senders, similar to the one shown in Figure 4-10, will appear. As with the available addresses, the sender you should choose depends on the type of connection that exists between the sites. The settings are relatively the same for each of the senders. You will need to enter the name of the server on which you want to create a sender and the maximum number of simultaneous transmissions and retries that can occur. The courier sender is somewhat different. Using it allows you to send large amounts of data that cannot be transmitted on any of the other addresses available in SMS 2003.
Figure 4-10
Component Configuration

Within SMS 2003, there are a few components that need to be configured so that SMS administrators can manage their systems and hierarchy. Typically, these settings don’t require much customization, but some administrators might choose to tweak these settings to fit their specific environments. These components are Software Distribution, Status Reporting, Data Processing and Storage, and Management Point. I’ll discuss them in more detail after we start to use the individual components.
Software Distribution

To configure Software Distribution, you will need to go through the SMS 2003 Administrator console. Under the Site Hierarchy, under the site code, and finally under Component Configuration, you will see Software Distribution. To access the Software Distribution Properties dialog box (see Figure 4-11), right-click on Software Distribution and click Properties.
Figure 4-11
In the Software Distribution Properties dialog box, you can configure the number of threads SMS uses to process packages. The higher the number, the more packages SMS can process at one time. By default, this is set to three threads. The Software Distribution dialog box also allows you to specify the location where SMS will store the compressed package files for software distribution. As I discuss in Chapter 9, SMS will create a compressed version of the software package if during the creation of the package you select to create a compressed package. Also, SMS will create a compressed package if you are creating a package for another site. This will better utilize network transfer of information amongst sites.
Status Reporting

SMS 2003 events create numerous status messages to help you diagnose errors and resolve issues you might encounter on your SMS 2003 site. However, just as with everything else in life, too much of a good thing can be bad. Having the ability to choose the type of status messages that are reported can prevent you from being bombarded with alerts. To configure Status Reporting in SMS 2003, you need to open the SMS Administrator console and go to Site Settings. Then select the Component Configuration node. Double-click Status Reporting. The Status Reporting Properties dialog box, as shown in Figure 4-12, will appear. Server Component Status Reporting and Client Component Status Reporting are enabled by default when All Milestones is selected.
Figure 4-12
Four types of messages are available in the drop-down list for Status Reporting:
❑ All Milestones
❑ All Milestones and All Details
❑ Error and Warning Milestones
❑ Error Milestones
You can control the amount of status reporting you want by selecting the choice that best fits your needs. Two sources of status reporting are offered: server and client. You can set these items based on the logging requirements in your organization. I prefer to have All Milestones set on both the server and the client. These settings seem to help when I troubleshoot.
Management Point

As I discussed in Chapter 2, you must configure the management point to a site system, but you also need to specify the Default Management Point under Component Configuration. Figure 4-13 shows the Management Point Properties dialog box. To open this dialog box, right-click Management Point, which can be found under Component Configuration, and click Properties. As you can see, everything is pretty self-explanatory. However, if there is no Default Management Point and you don’t want one, select None. If you want to specify a default server to be your management point, select it from the drop-down list. If you want the server to be a virtual Network Load Balancing (NLB) cluster, enter the cluster’s IP address.
Figure 4-13
Site Maintenance

Site Maintenance allows you to assign tasks to run operations such as backing up, deleting old information, rebuilding SQL indexes, and many other SQL functions. Site Maintenance is where you will go to configure your site backup, which is the most important routine you will need to configure.

No one wants to have to recover from a disaster, but everyone should be prepared for one — just in case. The single most important step in any disaster recovery is planning. Your plan should include backup procedures to ensure your data is protected. There are many theories about how often you should run a backup on your SMS database. Some experts believe nightly backups are best, and others say that a weekly full backup is enough. I advise you to back up only as frequently as you need to — just make sure you do back up. The decision for how often basically boils down to a simple question: How important is this data and how important is your time needed to perform a restore? To configure a backup of an SMS site server, follow these steps:

1. Under the SMS Administrator console, go to Site Databases, then to Site Hierarchy, then to the site code, and then to Site Settings. Finally, you will see Site Maintenance.
2. Select Backup SMS Site Server.
3. Right-click on the Backup SMS Site Server and choose Properties, as shown in Figure 4-14.
Figure 4-14
4. Check Enable This Task.
5. Select the destination for the files, so they will be backed up.
6. Select the schedule you want; I recommend daily.
7. Click OK to save your settings.
If you ever need to remove an old SMS backup without using the SMS Administrator console, you can use a VBScript to remove the old SMS or SQL backups. The following script is available on www.myITforum.com as an article by Don Hite. This script will delete all files older than seven days (or whatever you configure it to be) from your SMS or SQL backup directory.

    ' Delete every file in the backup folder that is more than 7 days old
    Dim FSO
    Dim Directory
    Dim Modified
    Dim Files
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set Directory = FSO.GetFolder("C:\SMSBackup")   ' backup directory to clean up
    Set Files = Directory.Files
    For Each Modified In Files
        ' DateDiff("d", ...) gives the age of the file in whole days
        If DateDiff("d", Modified.DateLastModified, Now) > 7 Then Modified.Delete
    Next
Be careful when you use this script. You could accidentally delete valid backups.
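A safer variant of the cleanup, added here as an example and not taken from the book or from Don Hite's article: it never deletes below a minimum number of retained backups, and it runs in report-only mode until you switch DRY_RUN off. The folder path, retention values and DRY_RUN switch are placeholders for your own site.

```vbscript
' Added example (not the book's or Don Hite's script): prune old SMS backups
' while always keeping the newest MIN_KEEP files, so a stalled backup schedule
' cannot leave you with an empty backup folder.
' Assumptions (placeholders, not from the page): BACKUP_DIR, MAX_AGE_DAYS,
' MIN_KEEP and DRY_RUN are adjusted to your environment before use.
Option Explicit

Const BACKUP_DIR   = "C:\SMSBackup"   ' assumed path; same folder the book uses
Const MAX_AGE_DAYS = 7                ' files older than this are candidates
Const MIN_KEEP     = 3                ' but never keep fewer than this many
Const DRY_RUN      = True             ' True = report only; False = delete

Dim FSO, Folder, File, Names(), Dates(), Count, i, j, tmpN, tmpD

Set FSO = CreateObject("Scripting.FileSystemObject")
If Not FSO.FolderExists(BACKUP_DIR) Then
    WScript.Echo "Backup folder not found: " & BACKUP_DIR
    WScript.Quit 1
End If
Set Folder = FSO.GetFolder(BACKUP_DIR)

' Collect every file into two parallel arrays: full path and last-modified date.
Count = Folder.Files.Count
If Count = 0 Then
    WScript.Echo "No backup files present; nothing to do."
    WScript.Quit 0
End If
ReDim Names(Count - 1)
ReDim Dates(Count - 1)
i = 0
For Each File In Folder.Files
    Names(i) = File.Path
    Dates(i) = File.DateLastModified
    i = i + 1
Next

' Sort newest first (insertion sort; a backup folder holds few files).
For i = 1 To Count - 1
    tmpN = Names(i) : tmpD = Dates(i)
    j = i - 1
    Do While j >= 0
        If Dates(j) >= tmpD Then Exit Do
        Names(j + 1) = Names(j) : Dates(j + 1) = Dates(j)
        j = j - 1
    Loop
    Names(j + 1) = tmpN : Dates(j + 1) = tmpD
Next

' Indexes 0 .. MIN_KEEP-1 are the newest files and are never touched.
' Everything older is removed only if it is also past the age limit.
For i = Count - 1 To MIN_KEEP Step -1
    If DateDiff("d", Dates(i), Now) > MAX_AGE_DAYS Then
        If DRY_RUN Then
            WScript.Echo "Would delete: " & Names(i) & " (" & Dates(i) & ")"
        Else
            FSO.DeleteFile Names(i), True
            WScript.Echo "Deleted: " & Names(i)
        End If
    Else
        WScript.Echo "Keeping (within age limit): " & Names(i)
    End If
Next
```

Run it once with DRY_RUN left at True and read the "Would delete" lines before scheduling it with DRY_RUN set to False.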
SQL Commands

SMS 2003 does not come with any default or canned SQL commands. However, that doesn’t mean that Microsoft believes they are unimportant. SMS 2003 allows you to create custom SQL commands to fit your organizational needs and plans. To add SQL commands, follow these steps:

1. Under the SMS Administrator console, go to Site Databases, then to Site Hierarchy, then to the site code, and then to Site Settings.
2. Under Site Maintenance, you will see SQL Commands.
3. Right-click on SQL Commands and choose New.
4. Select SQL Command.
5. In the SQL Command Properties dialog box, as shown in Figure 4-15, enter a descriptive name for your command.
6. Specify the command and log filename.
7. Choose the schedule you want the command to follow.
8. Click OK.
Figure 4-15
Here are some of the basic commands I have found to be very helpful, especially when I’m troubleshooting a SQL database:
❑ sp_who: Determines the number of connections in use by SMS
❑ sp_spaceused: Displays the number of rows and disk space used by a table
❑ sp_monitor: Displays SQL Server statistics
Summary

In this chapter, I discussed configuring the site settings for SMS 2003. I talked about addresses and senders and how they work together to ensure that data is transmitted amongst sites. I talked about configuring the various components, distributing software, reporting status, and using the management point. Then I briefly discussed the site maintenance steps needed to ensure that your data is protected. In Chapter 5, I discuss the various discovery methods in SMS 2003. Microsoft provides seven discovery methods to help us discover potential clients. I will discuss these methods in detail, with the pros and cons of each. I will also discuss why and when you should consider using one method over another.
Chapter 5: Specifying Discovery Methods

In this chapter, I discuss the numerous methods for resource discovery offered in SMS 2003. I briefly describe these discovery methods and discuss the pros and cons of each. As I said in earlier chapters, SMS 2003 has features that are built for the advanced client and features that are enabled for the legacy client. The various methods for discovery are based on how your site hierarchy is set up. In this chapter, I also discuss the data that is unique for each type of discovery and the guidelines associated with each of the seven discovery methods. I discuss when to use each method and explain the rules for using these methods. As I discussed in Chapter 4, “Configuring Site Settings,” the site settings you choose are dependent on your system hierarchy. In that chapter, I discussed the various types of addresses SMS 2003 offers, along with ways to configure and optimize the standard sender. I briefly discussed the various options for site management through the SQL commands and task plug-ins for the SMS Administrator console.

SMS 2003 has seven discovery methods to help administrators detect and inventory information across their networks. These discovery methods can be used alone or in any combination because Microsoft realizes how complex and unique each environment can be and how diverse the environments are within different organizations.

System Discovery is the first step in deploying the client for SMS 2003. Depending on your environment, you might need to meet specific requirements in order to deploy clients throughout your organization. Make sure that you notify your Active Directory team, your network team, and of course your manager before you begin your deployment. They need to be aware of what you are doing. SMS 2003 gathers information about the systems, but the computer does not become a client through System Discovery. Only information about the resources on the network is collected and stored within SMS 2003.
You can install the client during the System Discovery phase, but doing so is not required.
SMS 2003 System Discovery can be used to gather limited information such as the name of the discovered resource, the operating system (OS), and the IP address — just to name a few. However, the data collected during the System Discovery phase is not as rich as the data that the Inventory Agents collect. The information collected during the discovery phase merely helps you determine the best SMS 2003 hierarchy plan. SMS 2003 offers the following System Discovery methods:
❑ Windows User Account Discovery
❑ Windows User Group Discovery
❑ Heartbeat Discovery
❑ Network Discovery
❑ Active Directory System Discovery
❑ Active Directory User Discovery
❑ Active Directory System Group Discovery
Microsoft introduced a new discovery mechanism with Service Pack 2 for SMS 2003. This new method is called Active Directory Security Group Discovery. SMS offers several discovery methods that can be chosen based primarily on your schedule and the resources within your hierarchy. Each discovery method creates a Discovery Data Record (DDR), which is the collected information about each resource that is sent to the SMS site database. The type of discovery method you choose depends highly on what type of resources you want to find within your environment and whether or not Active Directory has been implemented.
Windows User Account Discovery

The Windows User Account Discovery method discovers domain user accounts within the domain you specify. The corresponding DDR is sent to the SMS site database. This method should be used on any NT 4.0 domain or whenever your environment does not have an available Active Directory. To enable Windows User Account Discovery, you will need to perform these steps:
1. Navigate to the Site Settings folder under the SMS Administrator console.
2. Open the Discovery Methods folder.
3. Right-click Windows User Account Discovery.
4. Choose Properties from the menu.
5. The Windows User Account Discovery Properties dialog box will appear, as shown in Figure 5-1.
6. Check the Enable Windows User Account Discovery box.
7. Click the Starburst to create a new Windows domain and list the available domains.
Figure 5-1
8. In the New Domain dialog box, enter the name for the domain about which you want to discover user information. Click OK.
9. In the Windows User Account Discovery Properties dialog box, click the Polling Schedule tab, as shown in Figure 5-2. You can use this tab to configure the SMS 2003 polling schedule.
10. Click the Schedule button and specify a specific time to run Windows User Account Discovery. You can run Windows User Account Discovery as soon as possible by clicking the Run Discovery As Soon As Possible checkbox.
Figure 5-2
11. Use the drop-down lists to select the Time and Recurrence Pattern, as shown in Figure 5-3. Click OK.
Figure 5-3
Windows User Group Discovery Method

The Windows User Group Discovery method is very similar to the Windows User Account Discovery method except that it finds Windows Domain User groups in the specified domains and creates a DDR for each group discovered. The Windows User Group Discovery method is best utilized to create user group–based collections and queries. Enabling Windows User Group Discovery is basically the same as enabling Windows User Account Discovery. To enable it, you will need to perform the following steps:
1. Navigate to the Site Settings folder under the SMS Administrator Console.
2. Open the Discovery Methods folder.
3. Right-click on Windows User Group Discovery.
4. Choose Properties from the menu.
5. The Windows User Group Discovery Properties dialog box will appear, as shown in Figure 5-4.
6. Check the Enable Windows User Group Discovery box.
7. Click the Starburst to create a new Windows domain and to list the available domains.
8. In the New Domain dialog box, enter the name of the domain about which you want to discover user information. Click OK.
9. To configure the SMS 2003 polling schedule for this domain, click the Polling Schedule tab on the Windows User Group Discovery Properties dialog box, as shown in Figure 5-5.
Figure 5-4
Figure 5-5
10. You can specify a polling time to run Windows User Group Discovery by clicking the Schedule button on the Polling Schedule tab. You can run Windows User Group Discovery as soon as possible by clicking the Run Discovery As Soon As Possible checkbox.
11. Select the Time and Recurrence Pattern, as shown in Figure 5-6. Click OK.
Figure 5-6
With the information you’ve discovered, you can organize domain users and groups into SMS collections. With these SMS collections, SMS can send software packages to users or groups of users. Windows User Account Discovery and Windows User Group Discovery can be used with Windows NT domains or mixed-mode domains. However, if you are running Active Directory Native Mode, I highly recommend that you use one of the Active Directory Discovery methods because SMS will gather more information.
Heartbeat Discovery Method

The Heartbeat Discovery method is not just for discovery. It can also refresh the SMS client computer discovery data in the SMS site database. Heartbeat Discovery is used to keep up-to-date discovery data about clients that are not maintained by any other discovery method, such as systems that are not logged on to very often. The Heartbeat Discovery method is used to maintain current discovery data on SMS clients. This discovery method is different from the ones I discussed earlier because by default the Heartbeat Discovery method is enabled. It is set to run once a week by default; however, the settings are configurable. To configure Heartbeat Discovery, you need to perform these steps:
1. Navigate to the Site Settings folder under the SMS Administrator console.
2. Open the Discovery Methods folder.
3. Right-click Heartbeat Discovery and choose Properties. There is no Polling Schedule tab, as you can see in Figure 5-7.
4. Use the drop-down lists to specify how often you want Heartbeat Discovery to refresh DDRs on SMS clients.
5. Click OK.
Figure 5-7
Heartbeat Discovery is active only on installed SMS clients, and it runs a refresh according to the schedule you specify in the Heartbeat Discovery Properties dialog box. You should avoid setting up a full schedule for Heartbeat Discovery on large sites because all of the clients will report their data at a specific time on a routine basis. You should not disable Heartbeat Discovery because it continually refreshes the clients and keeps them from being deleted from the SMS site database.
Network Discovery Method

The Network Discovery method will find any device on the network that has an IP address. Network Discovery gathers information about the network you specify. This information can be used to determine clients, their operating systems, and their network topology. In addition to finding computers, Network Discovery can also be used to find printers, routers, and other network devices. Network Discovery is the most customizable discovery method that SMS 2003 offers. You can specify specific subnets, domains, Dynamic Host Configuration Protocol (DHCP) servers, and Simple Network Management Protocol (SNMP) servers. In order to generate a DDR, Network Discovery needs to find both an IP address and a subnet. Network Discovery, as well as all the other discovery methods, creates a DDR for any resource that it discovers. Because Network Discovery is highly customizable, you can specify the discovery type, schedule, subnets, domains, SNMP devices, and SNMP communities. Doing so allows you to customize your settings so you can gather the environmental information you want to include in your SMS hierarchy.
The steps to enable Network Discovery are similar to the ones for the other discovery methods. To do so, just follow these steps:
1. Navigate to the Site Settings folder under the SMS Administrator console.
2. Open the Discovery Methods folder.
3. Right-click Network Discovery.
4. Choose Properties. You will be prompted with the Network Discovery Properties dialog box, as shown in Figure 5-8.

Figure 5-8

5. Check the Enable Network Discovery box.
6. Specify Type Of Discovery. As shown in Figure 5-8, you have three choices for the type of discovery. Select the options you need in order to collect the information you want. To enable SMS 2003 to discover network devices, subnets, and any other devices that use SNMP, select Topology. Select the Topology And Client option to allow discovery of computers, printers, and other devices that use DHCP, SNMP, or a Windows browser. Specify Topology, Client, And Client Operating System to gather the operating system name and version of any device that uses DHCP, SNMP, or a Windows browser. This option is the most comprehensive type of network discovery.
7. In the Network Discovery Properties dialog box, you can determine whether or not the SMS site will use a slow network connection. I recommend the Slow Network option if the network speed is less than 64Kbps.
8. You can enable and configure a combination of discovery options by using the other tabs on the Network Discovery Properties dialog box. Click the Subnets tab, which is shown in Figure 5-9, to add or enable subnets for which you want Network Discovery to discover resources. This tab can also be used to disable the various subnets. The local subnet, by default, will be searched. If you want to remove the local subnet from discovery, uncheck the Search Local Subnets checkbox. Click the Starburst to add a new subnet, then add the new subnet information, and click OK.
Figure 5-9
9.
The Domains tab, which is shown in Figure 5-10, enables you search the domains you add to the list. This option tab will not appear when you select the Topology discovery type on the General tab. The local Windows domain to which the site server belongs is enabled by default, just as the local subnet was. To remove the local domain from discovery, uncheck the Search Local Domain checkbox. Click the Starburst to add a new domain, enter the new domain name, and click OK.
Figure 5-10
75
49508c05.qxd:WroxPro
10/4/06
12:39 AM
Page 76
Chapter 5: Specifying Discovery Methods 10.
To configure the SNMP settings, click the SNMP tab, which is shown in Figure 5-11. This tab allows you to specify the SNMP settings for which Network Discovery will search. To add SNMP communities, click the Starburst. Enter the name of the SNMP community, and click OK.
Figure 5-11
11.
To identify specific SNMP devices, click the SNMP Devices tab, which is shown in Figure 5-12. This tab allows you to specify specific devices, such as routers, hubs, and other SNMP devices.
Figure 5-12
76
49508c05.qxd:WroxPro
10/4/06
12:39 AM
Page 77
Chapter 5: Specifying Discovery Methods 12.
To specify the schedule on which Network Discovery will run, click the Schedule tab, as shown in Figure 5-13. To add a new schedule, click the Starburst. Specify the start time, recurrence pattern, and the duration.
Figure 5-13
Network Discovery runs on a schedule you define, and the amount of data that Network Discovery discovers is based on how you configured Network Discovery. Be very careful when you enable Network Discovery; the amount of traffic generated through Network Discovery can be tremendous. Network Discovery can find many devices on your network, and network traffic will increase during discovery time.
Active Directory System Discovery

The Active Directory System Discovery method queries the local Active Directory domain controller to discover systems. Active Directory System Discovery collects computer names, Active Directory container names, IP addresses, and Active Directory site information from the local Active Directory. To enable Active Directory System Discovery, follow these steps:

1. Navigate to the Site Settings folder under the SMS Administrator console.
2. Open the Discovery Methods folder.
3. Right-click Active Directory System Discovery and choose Properties. The Active Directory System Discovery Properties dialog box, as shown in Figure 5-14, will appear.

Figure 5-14

4. Check the Enable Active Directory System Discovery checkbox.
5. Click the Starburst to add a new Active Directory container, as shown in Figure 5-15.

Figure 5-15

6. To specify the Active Directory System Discovery schedule you want to run, click the Polling Schedule tab, as shown in Figure 5-16. You can run Active Directory System Discovery as soon as possible by checking the Run Discovery As Soon As Possible box.

Figure 5-16

7. Specify the schedule to run the discovery.
8. Click OK.
You do not want to use the Active Directory System Discovery method to discover the operating system of clients. There are better discovery methods, such as Network Discovery, that can gather OS information and generate less network traffic.
Active Directory User Discovery

The Active Directory User Discovery method queries the local Active Directory domain controller to discover computer users. Active Directory User Discovery collects information such as usernames, domain names, Active Directory container names, user group memberships, and Active Directory site information from the local Active Directory. To enable Active Directory User Discovery, follow these steps:

1. Navigate to the Site Settings folder under the SMS Administrator console.
2. Open the Discovery Methods folder.
3. Right-click Active Directory User Discovery and choose Properties. The Active Directory User Discovery Properties dialog box will appear, as shown in Figure 5-17.

Figure 5-17

4. Check the Enable Active Directory User Discovery checkbox.
5. Click the Starburst to add a new Active Directory container, as shown in Figure 5-18.

Figure 5-18

6. To specify the schedule to run Active Directory User Discovery, click the Polling Schedule tab, as shown in Figure 5-19. You can run Active Directory User Discovery as soon as possible by checking the Run Discovery As Soon As Possible checkbox.
7. Specify the schedule to run the discovery.
8. Click OK.

Figure 5-19
Active Directory System Group Discovery

The Active Directory System Group Discovery method queries the local Active Directory domain controller to discover computer system groups. It collects information about organizational units, global and universal groups, nested groups, and Windows distribution groups. To enable Active Directory System Group Discovery, follow these steps:

1. Navigate to the Site Settings folder under the SMS Administrator console.
2. Open the Discovery Methods folder.
3. Right-click Active Directory System Group Discovery and select Properties. The Active Directory System Group Discovery Properties dialog box will appear, as shown in Figure 5-20.

Figure 5-20

4. Check the Enable Active Directory System Group Discovery checkbox.
5. Click the Starburst to add a new Active Directory container, as shown in Figure 5-21.

Figure 5-21

6. To specify the schedule to run Active Directory System Group Discovery, click the Polling Schedule tab, as shown in Figure 5-22. You can run Active Directory System Group Discovery as soon as possible by checking the Run Discovery As Soon As Possible checkbox.
7. Specify the schedule to run the discovery.
8. Click OK.

Figure 5-22
Third-Party Discovery Tools

Steve Bobosky wrote the Enhanced AD System Discovery and Enhanced AD User Discovery tools. These tools are available as extensions for SMS 2003, and they should be used in addition to the out-of-the-box tools provided with SMS 2003.
Enhanced System Discovery

The Enhanced System Discovery tool can be downloaded from http://www.centerlogic.com/sms/tools.asp. It fills the gaps left by the built-in System Discovery tools. It doesn’t just discover machines that match specified criteria (such as machines that are not pingable); this tool queries your Active Directory using an LDAP query to find the data that you specify. It uses an XML file that you edit to specify the options you want to discover. The XML file is extremely granular, in that you can change the values to ensure that the systems added to your SMS database are valid. For example, you can specify that the tool return only computers that have accessed AD in the last 30 days or less. This will help you to determine which machine names in AD are valid machines.
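As an added example, not part of the book and not the Centerlogic tool's own XML-driven query, the following Python builds the kind of LDAP filter that "computers that accessed AD in the last 30 days" implies and applies the same test to constructed directory entries, so you can preview which accounts an import would keep before they reach the SMS database. The lastLogonTimestamp cutoff and the disabled-account exclusion are my own choices; the attribute names and the bit-AND matching rule are standard Active Directory.

```python
"""Preview an 'accessed AD in the last N days' computer discovery filter.

Added example; the directory entries below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Active Directory stores lastLogonTimestamp as a Windows FILETIME: the number
# of 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts
# LDAP_MATCHING_RULE_BIT_AND lets a filter test one bit of an integer attribute.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def to_filetime(dt):
    """Convert an aware datetime to a FILETIME integer."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """Convert a FILETIME integer back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def discovery_filter(max_age_days, now):
    """LDAP filter for enabled computer accounts seen within max_age_days.

    lastLogonTimestamp is only written back when it is more than 14 days stale
    (default msDS-LogonTimeSyncInterval), so a window much shorter than that
    will drop machines that are actually active.
    """
    cutoff = to_filetime(now - timedelta(days=max_age_days))
    return (
        "(&(objectCategory=computer)"
        f"(lastLogonTimestamp>={cutoff})"
        f"(!(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE})))"
    )


def select_valid(entries, max_age_days, now):
    """Apply the same test locally to entries shaped like LDAP search results.

    Returns the cn of each entry that would pass discovery_filter().
    """
    cutoff = to_filetime(now - timedelta(days=max_age_days))
    keep = []
    for entry in entries:
        if entry.get("userAccountControl", 0) & UF_ACCOUNTDISABLE:
            continue
        # A never-replicated lastLogonTimestamp is absent; treat it as 0 (1601).
        if entry.get("lastLogonTimestamp", 0) < cutoff:
            continue
        keep.append(entry["cn"])
    return keep


# Constructed sample entries (hypothetical machine names, not real hosts).
# 0x1000 is WORKSTATION_TRUST_ACCOUNT, the usual flag on a computer account.
NOW = datetime(2006, 10, 4, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"cn": "WS-ACCT-01", "userAccountControl": 0x1000,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=5))},
    {"cn": "WS-ACCT-02", "userAccountControl": 0x1000,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=45))},
    {"cn": "WS-RETIRED", "userAccountControl": 0x1000 | UF_ACCOUNTDISABLE,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=2))},
    {"cn": "WS-PRESTAGED", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    print(discovery_filter(30, NOW))
    print(select_valid(SAMPLE_ENTRIES, 30, NOW))
```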
Enhanced AD User Discovery

The Enhanced AD User Discovery tool can also be downloaded at http://www.centerlogic.com/sms/tools.asp. It works basically the same as the Enhanced System Discovery tool, except it deals with Active Directory users instead of systems. It has the same type of granular functions as the Enhanced System Discovery tool. The aduserattribs.xml file is very easy to customize so you can discover the information you want to return to your SMS database. This data will allow you to build collections, reports, and queries based on the criteria you specify. One of this tool’s really nice features is its ability to copy the user email addresses into the SMS database, so you can view them from a web report or query. Both of these tools are very easy to implement: Just run the respective MSI files for them, modify the Config files to match your environment, run the EXE file for each program, and then watch the log files as your data is retrieved.
Summary

All of the SMS 2003 discovery methods can be used independently or run in any combination. They can be used to help gather information about your site so you can plan client rollout, site boundaries, and collection setup for software distribution. You should employ discovery methods as your first steps toward deploying clients within an SMS 2003 hierarchy. System discoveries can be used at the same time as client distribution, or they can be enabled prior to client distribution. The information obtained from these discovery methods can be used to plan any SMS 2003 hierarchy. For the most part, the client computer does not need to be turned on. However, the Heartbeat Discovery and Active Directory System Discovery methods are exceptions.
Enabling Client Agent Settings

In this chapter, I emphasize how to create policies for client configuration. These policies are used to enable or disable “agents” on assigned SMS 2003 clients. Administrators can change agent properties with policies configurable on a site-by-site basis. In this chapter I will explain how to define, enable, and configure agents. In later chapters, I examine the products of agents, such as inventory and status messages.

What Is an Agent?

SMS 2003 clients use agents to perform tasks. The core client provides universal capabilities such as scheduling and communication. Agents take advantage of these technologies to communicate and perform their assigned jobs. SMS 2003 clients have five different agents that can be enabled by administrators:

❑ Hardware Inventory: Something of a misnomer, this agent actually can report on any value in the Windows Management Instrumentation (WMI) repository.
❑ Software Inventory: Searches system drives for details on specified files. The agent can also collect specific files from client file systems.
❑ Remote Tools: Allows remote control, reboot, and file transfer.
❑ Advertised Programs: Allows administrators to execute applications on clients. Although their primary purpose is for software installs, advertised programs can perform other actions such as script execution or package uninstall.
❑ Software Metering: Watches application start and stop events. Administrators can set rules to inventory the starting and stopping of specific executables through the Software Metering agent.
Client agents are configured on a site-by-site basis. It is possible for administrators to have different client agent settings for clients assigned to each site in the hierarchy. However, it is typically a best practice to standardize client agent settings. Administrators will have fewer problems troubleshooting client issues in a hierarchy with standardized agent settings. Still, the capability to turn agents on and off on a site can help prevent problems as well. For example, if a hierarchy includes a site that is bounded by the IP subnets of a datacenter where advertised programs should never run, the Advertised Programs agent can be disabled. Only the clients assigned to that site would be affected by the change. They would not run any advertisement until the agent was re-enabled.

By default, clients check for policy updates hourly. Only legacy clients will be configured by agent settings configured at a secondary site.

Finally, these settings can cause serious problems on client computers. Older computers, in particular, can be affected by extensive software inventories, improperly configured remote control drivers, and large software packages. I strongly recommend that any client changes be tested first to identify how client computers will react.
The Hardware Inventory Agent

Describing this agent’s function as “hardware inventory” is reminiscent of early versions of SMS when the agent returned only hardware information. In these versions, administrators could inventory items such as the computer’s disk drives, memory, processors, keyboards, and modems.

Beginning with SMS 2.0, administrators began to modify the .mof file that manages the collection of hardware inventory. WMI can contain many kinds of objects in its repository. One of the most common modifications in SMS 2.0 was to add the Add/Remove Programs registry key to inventory. Suddenly administrators could report software-like information provided from hardware inventory. In SMS 2003, Microsoft included many of the most common SMS 2.0 .mof modifications by default. This means that the default hardware inventory returns more than just hardware out-of-the-box. Beginning administrators will have excellent reporting options available with no customization.

This book does not cover .mof editing in great detail. An Internet search for how to edit the SMS_def.mof file should turn up sufficient results to explain the process.

In addition to the sms_def.mof file, the Hardware Inventory agent can collect and process specific files with the .mif extension. These files (usually created by a script) can be placed within folders under the SMS 2003 client’s folder structure. Creation of these files (known as IDMIFs and NOIDMIFs) is a legacy method for creating new objects in inventory or extending the properties of existing inventory objects. Creation of IDMIFs and NOIDMIFs is not recommended as they increase inventory times and sizes. In addition, these are legacy methods for changing inventory that might not be supported in future versions of System Center Configuration Manager. In short, hardware inventory collects specific properties as specified in the sms_def.mof file from WMI on a client.
When first installed, the Hardware Inventory agent forwards a complete inventory report to its management point. After the initial report, the agent forwards only a delta report unless otherwise directed by its assigned site. A site requests a full report from inventory when a previous inventory report seems to have been corrupted.
The Hardware Inventory agent can be configured to run either on a simple or full schedule. With a simple schedule, the client can run hardware inventory once in a specified number of hours, days, or weeks. The administrator does not control what time the inventory will be run, which means that inventory will run at a randomized time for all clients assigned to the site. Alternatively, the hardware inventory can be run on a full schedule. The administrator configures all clients assigned to the site to run inventory on a specific date and time. A reoccurrence can be set so that inventory will rerun. Follow these steps to configure the Hardware Inventory agent:

1. Under the SMS Administrator console, expand the Site Hierarchy folder.
2. Expand the site to be configured.
3. Expand the Site Settings folder.
4. Select the Client Agents folder.
5. In the Details pane, double-click the Hardware Inventory agent to open the Hardware Inventory Client Agent Properties dialog box, which has two tabs.
6. Configure the General tab, shown in Figure 6-1, as follows:
❑ Click the checkbox for Enable Hardware Inventory On Clients, if it is not already checked. (Note: Clearing this checkbox and then applying the change will reset the policy to disable the agent on clients.)
❑ Confirm that the Simple Schedule checkbox is selected.
❑ Select the interval (hours/days/weeks) to be used.
❑ Specify the number of intervals to pass before inventory should run again.
❑ If custom MIF files are being used, consider changing the size in the Maximum Custom MIF File Size field.

Figure 6-1

7. If IDMIFs or NOIDMIFs are being used, select the MIF Collection tab (see Figure 6-2) and configure as follows:
❑ Check the boxes for the MIF types you would like legacy clients to collect.
❑ Check the boxes for the MIF types you would like advanced clients to collect.
❑ Click OK to save policy changes.

Figure 6-2
To set a full schedule on an enabled Hardware Inventory agent, perform the following steps:

1. Under the SMS Administrator console, expand the Site Hierarchy folder.
2. Expand the site to be configured.
3. Expand the Site Settings folder.
4. Select the Client Agents folder.
5. In the Details pane, double-click Hardware Inventory Client Agent. The Hardware Inventory Client Agent Properties dialog box appears.
6. On the General tab, clear the checkbox for Simple Schedule and click the checkbox for Full Schedule.
7. Click the Schedule button to open the Schedule dialog box, as shown in Figure 6-3.
8. Specify the date and time that inventory should be run.
9. Set a reoccurring schedule, if required.
10. Click OK to return to the Hardware Inventory agent’s property sheet.
11. Click OK to close the Hardware Inventory agent’s property sheet and save the new policy.

Figure 6-3
The Software Inventory Agent

As discussed previously, the Software Inventory agent searches client drives for details on administrator-specified files. In addition, Software Inventory can collect files from a client and save them in the site database. SMS 2003 searches local drives only. Network drive mappings are excluded.

By default, the Software Inventory agent is configured to collect information about all .exe files. The agent will inventory the header of .exe files to provide information about the file such as the creator, version, and description. Unfortunately, not all .exe files have their header information completed. Administrators can specify other file types or specific names to be inventoried. In addition, you can search for files not only on all hard drives, but in specific folders. Remember that the more files there are to search for, the longer the inventory will affect the client’s hard drive. For example, searching clients for all .exe and .dll files would result in a serious slowdown to most clients. The file collection ability should be used even more sparingly. This process is most effective if configured to look for one or two specific files only. Files are saved on the site server, so disk space should be considered.

The Software Inventory agent can be configured with the same scheduling options as hardware inventory. Both simple and full schedules are available. The same rules also apply to inventory collection methods. Upon first installation, the Software Inventory agent sends a full report to its assigned site. Subsequently, only a delta report is transferred unless otherwise requested by the site. To enable and schedule the Software Inventory agent, perform the following steps:
1. Under the SMS Administrator console, expand the Site Hierarchy folder.
2. Expand the site to be configured.
3. Select the Client Agents folder.
4. In the Details pane, double-click Software Inventory Client Agent to open the Software Inventory Client Agent Properties dialog box.
5. Configure the General tab, shown in Figure 6-4, as follows:
❑ Click the Enable Software Inventory On Clients checkbox, if it is not already checked.
❑ Schedule the agent. Software inventory does not have a major effect on most computers, so frequent scheduling is not a client resource concern.

Figure 6-4
To configure the Software Inventory agent to search for a new file type or name, perform the following steps:

1. Under the SMS Administrator Console, expand the Site Hierarchy folder.
2. Expand the site to be configured.
3. Expand the Site Settings folder.
4. Select the Client Agents folder.
5. In the Details pane, double-click the Software Inventory Client Agent.
6. Configure the Inventory Collection tab, shown in Figure 6-5, as follows:
❑ To add a new rule, click the Starburst.
❑ In the Inventoried File Properties dialog box that appears, specify the name of the file to be inventoried. Standard Windows wildcards (* and ?) are usable. Do not specify a file path in this field.
❑ If not all hard disks on a client are to be searched, click the Set button to specify a path.

Figure 6-5

The Inventoried File Properties dialog box is displayed in Figure 6-6.

Figure 6-6

7. Enter the path where the file might be located into the edit box.
8. Clear the Search Subdirectories field if subdirectories should not be checked for the file.
9. Click OK to close the Path Properties dialog box.

You are now back on the Inventory Collection tab, which you should continue to configure:

1. Clear the Exclude Encrypted And Compressed Files checkbox if the search should not examine these files.
2. Clear the Exclude Files In The Windows Directory checkbox if the Windows folder (%windir%) should not be searched.
3. Click OK to close the Inventoried File Properties dialog box. The new rule will be displayed in the Inventory Collection tab of the Software Inventory agent’s property sheet.
4. Click OK to close the Software Inventory agent’s property sheet and save the policy.
To configure a file collection rule, follow these steps:

1. Under the SMS Administrator Console, expand the Site Hierarchy folder.
2. Expand the site to be configured.
3. Expand the Site Settings folder.
4. Select the Client Agents folder.
5. In the Details pane, double-click the Software Inventory Client Agent.
6. Click the File Collection tab.
7. Click the Starburst to create a new file collection rule. The Collected File Properties dialog box, as shown in Figure 6-7, appears.

Figure 6-7

8. Specify the name of the file to be collected. Standard Windows wildcards (* and ?) are usable to collect multiple files with one rule.
9. If not all hard disks should be searched for the file, click the Set button.
❑ In the resulting Path Properties dialog box, shown in Figure 6-8, clear the All Client Hard Disks checkbox and click the Variable Or Path Name checkbox.
❑ In the text box, specify the path to be searched for the file.
❑ Clear the Search Subdirectories checkbox if subdirectories should not be examined.
❑ Click OK to close the Path Properties dialog box.

Figure 6-8

10. Clear the Exclude Encrypted And Compressed Files checkbox if the specified file should not be collected if encrypted or within a compressed file.
11. Set the maximum size (in kilobytes) allowed for the collected file. If the file is larger than this limit, it will not be collected.
12. Click OK to close the Collected File dialog box.
13. Click OK to close the Software Inventory Agent dialog box, and save the policy.
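Because a broad inventory or collection rule can slow clients and fill the site server's disk, it helps to preview a rule against a known file list before pushing the policy. The following Python is an added example, not part of the book or of SMS itself: it models the rule options from the Inventory Collection and File Collection tabs (wildcard name, All Client Hard Disks or a Variable Or Path Name scope, Search Subdirectories, the Windows directory and encrypted/compressed exclusions, and the collection size limit) over a constructed client file list. The Rule and ClientFile types and the sample files are my own.

```python
"""Preview which client files SMS 2003 inventory / file collection rules match.

Added example; the environment and file list below are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str                          # file name pattern (* and ?), never a path
    path: Optional[str] = None         # None = All Client Hard Disks; may use %VAR%
    search_subdirs: bool = True
    exclude_windir: bool = True        # Exclude Files In The Windows Directory
    exclude_enc_comp: bool = True      # Exclude Encrypted And Compressed Files
    max_size_kb: Optional[int] = None  # File Collection rules only


@dataclass
class ClientFile:
    path: str
    size_kb: int = 0
    encrypted: bool = False
    compressed: bool = False


def wildcard_regex(pattern):
    """Translate Windows wildcards (* any run, ? one char) into a regex."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def expand_vars(path, env):
    """Expand %VAR% references as the Variable Or Path Name field allows."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def _within(directory, scope, subdirs):
    """True if directory is scope itself, or under it when subdirs is set."""
    directory = ntpath.normcase(directory)
    scope = ntpath.normcase(scope).rstrip("\\")
    return directory == scope or (subdirs and directory.startswith(scope + "\\"))


def rule_matches(rule, f, env):
    """True if the rule would inventory (or collect) the given client file."""
    directory, name = ntpath.split(f.path)
    if not wildcard_regex(rule.name).match(name):
        return False
    if rule.exclude_enc_comp and (f.encrypted or f.compressed):
        return False
    if rule.exclude_windir and _within(directory, env["WINDIR"], True):
        return False
    if rule.path is not None and not _within(
            directory, expand_vars(rule.path, env), rule.search_subdirs):
        return False
    if rule.max_size_kb is not None and f.size_kb > rule.max_size_kb:
        return False
    return True


def preview(rule, files, env):
    """Return the paths a rule would match; the count hints at client load."""
    return [f.path for f in files if rule_matches(rule, f, env)]


# Constructed sample environment and client file list (hypothetical paths).
ENV = {"WINDIR": r"C:\WINDOWS", "PROGRAMFILES": r"C:\Program Files"}
FILES = [
    ClientFile(r"C:\Program Files\App\app.exe", size_kb=512),
    ClientFile(r"C:\Program Files\App\bin\helper.exe", size_kb=64),
    ClientFile(r"C:\WINDOWS\system32\notepad.exe", size_kb=68),
    ClientFile(r"C:\Downloads\setup.exe", size_kb=9000, compressed=True),
    ClientFile(r"D:\Tools\tool.exe", size_kb=120),
    ClientFile(r"D:\Tools\readme.txt", size_kb=2),
]

if __name__ == "__main__":
    default_rule = Rule("*.exe")  # the agent's default inventory rule
    scoped_rule = Rule("*.exe", path=r"%ProgramFiles%\App", search_subdirs=False)
    for r in (default_rule, scoped_rule):
        print(r.name, r.path, preview(r, FILES, ENV))
```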
The Remote Tools Client Agent

In SMS 2003, the Remote Tools client agent provides an integrated remote control option for administrators to configure and access via the Administrator console. Remote Tools and, for newer operating systems, Remote Assistance can be used from the Administrator console by right-clicking a system resource, and clicking the appropriate option under the All Tasks submenu. Both Remote Tools and Remote Assistance can be managed with agent policies.

The remote tools use legacy technologies to allow remote control capabilities for all SMS client operating systems. Remote Tools requires several ports to function through firewalls, is notoriously slower than other remote control solutions, and requires the installation of a virtual video adapter, mouse, and keyboard. These virtual drivers can cause problems on some hardware.

The Remote Assistance option is available for Windows XP, Windows Server 2003, and later operating systems. It requires a single firewall port (3389) to function through firewalls, and is relatively quick and efficient, especially when compared to Remote Tools. Best of all, Remote Assistance is built into the client operating system, requiring no virtual hardware installation.

The Remote Tools agent policy offers many configuration options that allow the administrator to change both Remote Tools and Remote Assistance. Fortunately, changing these settings is not a common event. For most sites, the administrator configures the agent policy when the site is installed, and then never opens the property sheet again. To configure the Remote Tools client agent, perform the following steps:
1. Under the SMS Administrator console, expand the Site Hierarchy folder.
2. Expand the Site Settings folder.
3. Select the Client Agents folder.
4. In the Details pane, double-click the Remote Tools agent to bring up the Remote Tools Client Agent Properties dialog box, which has five tabs.
5. On the General tab, shown in Figure 6-9, check the box Enable Remote Tools On Clients, if it is not already checked, and then configure the following:
❑ Users Cannot Change Policy Or Notification Settings For SMS Remote Tools: Check this setting to prevent users from making changes to policy on individual clients.
❑ Do Not Install Remote Control Components For Advanced Clients Running Windows XP, Windows Server 2003, Or Later: This setting prevents installation of the Remote Control components on operating systems that have Remote Assistance built in.
❑ Manage Remote Assistance Settings: The agent takes control of the Remote Assistance settings on a client.
❑ Override Remote Assistance User Settings: The agent settings will override existing settings on the client.

Figure 6-9

6. Click OK to close the dialog box and save the policy.
The Security tab of the Remote Tools Agent property sheet is slightly different from all of the other tabs. This tab allows administrators to specify the “permitted viewers” of Remote Tools — in other words, the groups and users capable of launching a Remote Tools or Remote Assistance session to a client. Figure 6-10 displays the Security tab of the Remote Tools properties sheet.
Figure 6-10
To allow a group or user to view Remote Tools or Remote Assistance, perform these steps while viewing the Security tab:

1. Click the Starburst to create a new permitted viewer. The New Viewer dialog box is displayed, as shown in Figure 6-11.
2. Enter the name of the user or group in the format <domain>\<user or group>.

Figure 6-11

3. Click OK to close the New Viewer dialog box. The new entry is entered in the list of permitted viewers.
On the Policy tab (see Figure 6-12), configure the following settings, which users can change on clients if the settings on the General tab that prevent this are disabled:

❑ Level Of Remote Access Allowed: Administrators can specify that starting a remote session with a client allows a technician certain levels of access. Full permission allows no restrictions. Limited permission allows administrators to click the Settings button to specify exactly what should be available. Setting the level of access to None is essentially the same as disabling the agent.
❑ Display A Message To Ask For Permission: A box is displayed on clients when remote control is initialized. Users must accept the prompt for the session to continue. If the option is checked, administrators can additionally specify that permission should be requested only on Windows 98.
❑ Remote Assistance/Level Of Access Allowed: Remote Assistance allows administrators to specify that technicians will have Full, View-Only, or No Control.

Figure 6-12
The Notification tab, shown in Figure 6-13, sets policy about how users are notified that their machine is being remotely accessed. These settings affect Remote Tools only. Remote Assistance has its own notification methods built in.
Figure 6-13
Configure the following options:

❑ Display A Visual Indicator: Puts an indication on the monitor when a remote control session is active. The indication can either be an icon on the task bar or a small window.
❑ Play A Sound: Plays a sound either when a session begins and ends, or continuously throughout.
The Advanced tab, shown in Figure 6-14, includes settings for the Remote Tools components. These settings shouldn’t require modification. Test the hardware in your environment to see if Remote Tools loads and works before deploying to production clients.
Figure 6-14
The Remote Tools client agent is one of the featured tools found within the Web Remote tools, discussed in Chapter 15. This tool uses custom-built ASP pages and scripts to build Web pages by using Remote Tools, Remote Desktop, and Remote Assistance. The following script allows you to turn off the requirement to prompt you for permission for remote control. You can run this on individual machines on which you might want to turn off prompting for permissions.

' Created by Steve Thompson
' 02-2005
' version 1.0
OPTION EXPLICIT
const HKEY_LOCAL_MACHINE = &H80000002
dim strKeyPathRoot
dim strKeyPath
dim strComputer
dim strESXHost
dim strValueName
dim oReg
dim strValue
dim strUpdateMode
dim dwValue
Dim objWMIService
Dim colServiceList
DIM objService
' turn off error handling, if it fails, it fails silently...
On Error Resume Next
' to automate via SMS distribution, remark next line and enable the one after that.
strComputer = INPUTBOX("Enter Computer Name:")
' strComputer = "."
' connect to the WMI registry provider on the target computer
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
' settings of the SMS client's Remote Control component
strKeyPathRoot = "SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control"
' set key path (if necessary)
strKeyPath = strKeyPathRoot & ""
' UpdateEnabled = NO keeps the site policy from refreshing these values
strValue = "NO"
strValueName = "UpdateEnabled"
oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
' Permission Required = 0 turns off the user prompt
strValueName = "Permission Required"
dwValue = 0
oReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
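The script above weakens one client's Remote Tools policy; the defender's counterpart is to find clients where that has happened. The following Python is an added example, not from the book or from SMS: it audits a client's Remote Control registry values and flags the no-prompt setting, the UpdateEnabled=NO marker the script leaves behind, and any over-broad permitted viewer. The key path and the value names "Permission Required" and "UpdateEnabled" are taken from the script; the "Permitted Viewers" value name, the registry read helper, and the sample value sets are my own assumptions.

```python
"""Audit an SMS 2003 client's Remote Control registry values for weakened policy.

Added example. "Permitted Viewers" is assumed to be a REG_MULTI_SZ holding
the Security tab's viewer list; the sample value sets are constructed.
"""
try:
    import winreg  # Windows only; the audit itself is a pure function
except ImportError:
    winreg = None

REMOTE_CONTROL_KEY = r"SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control"
WATCHED_VALUES = ("Permission Required", "UpdateEnabled", "Permitted Viewers")
# Principals too broad to sit in a remote control agent's permitted viewers list.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}


def audit_remote_control(values):
    """Return a list of findings for one client's Remote Control values.

    `values` maps value name -> data, as read from the registry or exported
    from a client; a missing name means the value is not set.
    """
    findings = []
    if values.get("Permission Required") == 0:
        findings.append(
            "Permission Required=0: users are not prompted before a Remote Tools session starts")
    if str(values.get("UpdateEnabled", "")).upper() == "NO":
        findings.append(
            "UpdateEnabled=NO: set by the no-prompt script; Remote Tools settings were altered locally")
    for viewer in values.get("Permitted Viewers") or []:
        principal = viewer.split("\\")[-1].strip().lower()
        if principal in BROAD_PRINCIPALS:
            findings.append(f"Permitted viewer '{viewer}' grants remote control to a broad group")
    return findings


def read_local_values():
    """Read the watched values from HKLM on a Windows host; None elsewhere."""
    if winreg is None:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REMOTE_CONTROL_KEY) as key:
        for name in WATCHED_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not present on this client
    return values


# Constructed samples: what the script above leaves behind, a site-managed
# client, and a client whose Security tab admits a whole domain.
AFTER_SCRIPT = {"UpdateEnabled": "NO", "Permission Required": 0,
                "Permitted Viewers": [r"CORP\SMS Remote Operators"]}
SITE_MANAGED = {"UpdateEnabled": "YES", "Permission Required": 1,
                "Permitted Viewers": [r"CORP\SMS Remote Operators"]}
OVERBROAD = {"UpdateEnabled": "YES", "Permission Required": 1,
             "Permitted Viewers": [r"CORP\Domain Users"]}

if __name__ == "__main__":
    local = read_local_values()
    for label, vals in (("after script", AFTER_SCRIPT), ("site managed", SITE_MANAGED),
                        ("overbroad", OVERBROAD), ("this host", local or {})):
        print(label, audit_remote_control(vals))
```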
Advertised Programs Client Agent

The Advertised Programs client agent enables software distribution to clients. It lets you set how often clients check for updated or new advertisements, determines which advertisements apply to which clients, and delivers them to those clients. The Advertised Programs client agent is installed on advanced clients by default, so advanced clients simply wait for the next policy refresh (about once an hour, or during startup). Legacy clients, however, have the components installed during the client's update cycle, which by default is about 25 hours. You configure the Advertised Programs client agent in the Advertised Programs Client Agent Properties dialog box. Perform the following steps:
1. Under the SMS Administrator console, expand the Site Hierarchy folder.
2. Expand the site to be configured.
3. Expand the Site Settings folder.
4. Select the Client Agents folder.
5. In the Details pane, double-click the Advertised Programs client agent to open the Advertised Programs Client Agent Properties dialog box, which has two tabs.
6. Configure the General tab, shown in Figure 6-15, as follows:
❑ Click the checkbox for Enable Software Distribution To Clients, if it is not already checked.
❑ In the Legacy Client Settings area, click the checkbox for Clients Cannot Change Agent Settings to ensure that all your clients are set per your wishes.
❑ By default, the client agent checks for new programs or policies every 60 minutes.
❑ In the Advanced Client Settings area you can specify whether the New Program Notification icon opens Add or Remove Programs. If you leave this option unchecked, new advertisements open under Run Advertised Programs.

Figure 6-15

7. Configure the Notification tab to customize how the end user is notified that a new advertised program is ready for installation (see Figure 6-16):
❑ To have a notification message displayed when a new advertised program is available, click the Display A Notification Message checkbox.
❑ To have a sound played when a new advertised program is available, click the Play A Sound checkbox.
❑ In the When A Scheduled Program Is About To Run area you can provide a countdown, specify its duration, and play countdown sounds.
❑ Click the Show Advertised Program Notification Icons In The Notification Area checkbox to have notification icons appear in the notification area (sometimes called the system tray) at the right of the Windows taskbar.

Figure 6-16

8. Click OK to save your settings and exit the Advertised Programs Client Agent Properties dialog box.
Software Metering Client Agent

To enable software metering, you must enable the Software Metering client agent. Like all the agents discussed so far, once you enable the Software Metering client agent it is a site-wide setting. Software metering lets you monitor (meter) software usage throughout your organization; however, each executable must be configured before you can view any data about that application. The data is easily obtainable, because it is displayed through the Reporting functions that come with SMS 2003. Software metering can be used to ensure that you are paying only for software that your company actually uses. It is also helpful in finding out how many people spend working hours playing Solitaire. Software metering monitors only what you configure it to monitor; configuring software metering rules is discussed in Chapter 11. Software metering enables you to create rich, customizable reports through the reporting point. To configure the Software Metering client agent, perform the following steps:
1. Under the SMS Administrator console, expand the Site Hierarchy folder.
2. Expand the site to be configured.
3. Expand the Site Settings folder.
4. Select the Client Agents folder.
5. In the Details pane, double-click the Software Metering client agent to open the Software Metering Client Agent Properties dialog box, which has two tabs.
6. On the General tab, shown in Figure 6-17, click the Enable Software Metering On Clients checkbox, if it is not already checked.

Figure 6-17

7. On the Schedule tab, shown in Figure 6-18, configure how often collected data is sent from the clients back to the SMS server and how often new metering rules are downloaded.
8. Click OK to save your settings.
Figure 6-18
Software metering relies on the Software Metering client agent being enabled and its intervals configured. On the Schedule tab (refer to Figure 6-18), the Data Collection Schedule sets how frequently the client reports the usage data it has accumulated up to the CAP or management point; the default is every 7 days, on Friday. The Metering Rules Download Schedule applies to legacy clients and sets how often they download metering rules from the CAP. Advanced clients download the rules automatically as policy during the Advanced Client Machine Policy Retrieval and Evaluation Cycle.
Site Maintenance Software Metering Tasks

Software metering has four tasks under the Site Maintenance tasks within SMS 2003 that are enabled by default. Two of these tasks summarize data, and the other two delete aged metering data from the database. Together they keep the amount of metering data held in the database under control.
❑ Summarize Software Metering Monthly Usage Data: This task takes software metering data older than a month and summarizes it into a single record, per application, per user.
❑ Summarize Software Metering File Usage Data: This task summarizes the number of concurrent uses and the number of times the application has been run over a period of time.
❑ Delete Aged Software Metering Data: This task, by default, runs daily and deletes metering information from the database that is older than 5 days. This removes the raw data that has already been summarized and reduces the number of records in the database.
❑ Delete Aged Software Metering Summary Data: This task is similar to Delete Aged Software Metering Data, except that its default is 270 days.
Other Site Maintenance items are discussed in Chapter 14.
Summary

In this chapter I discussed how to enable each of the five client agents found in SMS 2003, and the various concerns each of these client agents represents. You looked at how to ensure that only the agents you want information from are enabled, and how to configure each of them so that you activate only the ones you will be using within your organization. As I discuss in Chapter 15, there are tools that initiate these actions remotely, but for those tools to work, the agent must be turned on within your organization. In the next chapter, I discuss the various methods for client installation. Microsoft provides many techniques to get either the advanced client or the legacy client installed on the systems within your organization. Some of these techniques work very well, while some require a little "tweaking" to get the result you expect. I discuss the various installation methods and how to ensure you are using the best installation method for your organization.
Client Installation Methods

In this chapter, I discuss the client installation methods offered in Systems Management Server 2003 and the benefits each method provides. I also discuss issues that could arise while deploying clients. This chapter describes the different techniques for deploying advanced clients and legacy clients: the Client Push Installation method for both advanced clients and legacy clients, deploying clients using Group Policy, manual installation options, and prestaging the SMS client on desktop images. As I explained in previous chapters, many SMS 2003 components need to be in place prior to client installation. In Chapter 5, I illustrate the various discovery methods and how those methods are the first steps in client installation. There are many methods by which SMS 2003 clients can be deployed. Some of those methods can deploy either the advanced client or the legacy client, and others can be used only to deploy the advanced client. I discuss each installation method and which client is best suited for each. As I explained previously, you should install the advanced client whenever possible.
Client Push Installation

The Client Push Installation method allows remote installation of either the legacy client or the advanced client on designated machines from within the SMS Administrator console. You can initiate the Client Push Installation Wizard by right-clicking a collection, a query, or an individual computer in a collection or query within the SMS Administrator console, then clicking All Tasks and selecting Install Client from the menu. To use the Client Push Installation method, you must configure specific items depending on the type of client you are deploying. If you are deploying the advanced client using Client Push Installation, you must have at least one management point in place and set up as the default management point. As I discussed in Chapter 4, management points are used for client management and client deployment. If you are installing advanced clients in a Windows NT domain, you must specify the Advanced Client Network Access account. You will also need to configure a Client Push Installation account; it is needed for both advanced client and legacy client deployment through client push. For legacy client deployment, you will also need to specify the Client Connection account. Configuring client push installation allows both the advanced client and the legacy client to be deployed this way. From the SMS Administrator console, expand Site Database, then Site Hierarchy, and then expand the site in which you want to enable and configure client push installation by clicking its site code and site name. Then expand Site Settings and select Client Installation Methods. Double-click Client Push Installation. The Client Push Installation Properties dialog box, shown in Figure 7-1, appears.
Figure 7-1
On the General tab, check the Enable Client Push Installation To Assigned Resources box. To enable client installation on site systems, you must also check the Enable Client Push Installation To Site Systems box, also found in the Client Push Installation Properties dialog box. You can configure the system types on which SMS installs the client software; based on your environment, you can choose Servers, Workstations, and Domain Controllers separately or in any combination. You can also configure the type of client you want to deploy. If you have any client that is not supported by the advanced client, choose Platform Dependent. This option installs the advanced client, which is the preferred client, whenever the operating system supports it, and the legacy client otherwise. On the Accounts tab, shown in Figure 7-2, you specify the account that SMS 2003 uses to install either the advanced client or the legacy client. You can specify multiple accounts, and SMS tries each account in the order listed until one succeeds. These accounts must have administrative rights on the client computers, which makes them high-value credentials: use accounts dedicated to client push rather than a domain administrator account, because every account in the list is presented to every machine the push targets. You can specify %machinename%\AccountName on the Accounts tab if you want to use the local administrator account on every machine.
Figure 7-2
On the Advanced Client tab, shown in Figure 7-3, you can configure the Installation Properties for installing the advanced client software. Microsoft recommends using the default value of SMSSITECODE=AUTO.
Figure 7-3
You start the Client Push Installation Wizard by right-clicking a collection, query, or individual machine in the SMS Administrator console and choosing Install Client from the menu. This lets you install the various client types on the computers, workstations, and servers you choose, collectively or independently. The difference between the wizard and the site-wide Client Push Installation method is that when the site-wide method is used and the client is already installed on a machine, the client is not reinstalled. When you use the wizard, you are first presented with the Client Push Installation Wizard welcome screen, as shown in Figure 7-4.
Figure 7-4
Click Next to configure the installation options. You can specify Collect System Status Without Installing The SMS Client or Install The SMS Client, as shown in Figure 7-5.
Figure 7-5
In the Client Push Installation Wizard's Installation Options dialog box, you specify the type of client to push to the collection, query, or individual machine: Legacy Client, Advanced Client, Platform Dependent, or Site Default. If you choose Platform Dependent, SMS installs the advanced client if the operating system supports it and the legacy client otherwise. After the settings are right for your environment, click Next. The Client Push Installation Wizard Client Installation Options dialog box appears, as shown in Figure 7-6.
Figure 7-6
Depending on your selections from the previous screen, certain options will be grayed out. If you want to upgrade existing clients, check the Include Only Clients Assigned To This Site box. If you want to include all clients in this collection and all subcollections, check the Include Subcollections box. If you want to always install (repair or upgrade existing client), then you will need to choose the appropriate check box. If clients that are not assigned to a site appear under Collections, you will want to uncheck the Include Only Clients Assigned To This Site box so the client push will install the client onto those machines. After you have made your selection, click Next and then Finish. The SMS 2003 server will begin installing the client to the various machines.
Client Installation through Group Policy

SMS 2003 allows advanced clients to be pushed out through Active Directory Group Policy, which assigns the client.msi file to an organizational unit. Installing the advanced client directly from client.msi does not allow some of the customization available when installing with CCMSetup.exe. Because Group Policy installs from client.msi, you cannot uninstall the client with the CCMclean utility; you must instead configure the policy to uninstall the advanced client. Using CCMclean does not remove all the Registry keys that a Group Policy installation creates. In Chapter 16, I discuss a free tool called Client Health. This tool helps you install your clients and ensure that they are healthy, and it can be deployed using Group Policy as well.
Manually Installing the Client Using CCMSetup.exe

Manually installing the SMS 2003 client gives administrators the greatest flexibility when they custom-install the advanced client on workstations. This installation method is known as the Advanced Client Installer method. It installs the advanced client by pulling client.msi and the language-specific files from the management point and copying them into the CCMsetup folder under %windir%\system32 on the client. After the client has obtained these files, it installs the client components. The only requirement is that the user running CCMSetup must be a local administrator on the computer on which the advanced client is being installed. If a user without administrator rights needs to install the advanced client, he will need to use Capinst.exe. As noted previously, the CCMSetup.exe installation offers the most customization options for installing the advanced client, through the command-line switches available for CCMSetup.exe. These switches modify the way setup installs the advanced client and can be used alone or in any combination following CCMSetup.exe. CCMSetup.exe takes both switches and installation properties. The following is a list of the switches and installation properties available for CCMSetup.exe.

Ccmsetup.exe /[command line switches] [installation properties]

/source Ccmsetup.exe /source:<path to client.msi>

Using /source tells the workstation where to find client.msi and any additional files.
/mp Ccmsetup.exe /mp:<server mp>
The /mp tells the workstation which management point to use as an installation source.
/useronly Ccmsetup.exe /useronly
Using /useronly forces the setup to run using the logged-on user’s security context. If the user does not have Administrator rights, then the installation will fail, so use this switch carefully.
This property must be run with the ccmenablelogging=TRUE property. This installation property enables debug logging. Values can be 0 (off) or 1 (on). This will cause the client to log low-level information to help troubleshoot client installation problems. The default value is 0. You should avoid using this switch outside a test-lab environment because of the excessive number of logs that are generated.
Ccmenablelogging Ccmsetup ccmenablelogging=TRUE

This property enables client logging when set to TRUE; the default is FALSE. By default, the log files are stored in the %Windir%\System32\ccm\logs folder.
This property specifies where the advanced client is installed. By default the folder is the %windir%\System32\CCM folder.
Ccmlogmaxhistory Ccmsetup ccmlogmaxhistory=1
This specifies the maximum number of previous versions of the log file to keep. Set it to ccmlogmaxhistory=0 if you don’t want to keep any previous versions.
Ccmlogmaxsize Ccmsetup ccmlogmaxsize=20000
This property specifies the maximum log size in bytes. When a log file grows to the specified size, it will be renamed and stored as a history file. The default value is 250000, but the value cannot be less than 10000.
This property sets the logging level. Level 0 is the most verbose logging, and level 3 only logs errors. The default level is 1.
Disablecacheopt Ccmsetup disablecacheopt=true
This property disables the local administrator’s ability to change the cache size on that machine.
Smscachesize Ccmsetup smscachesize=250
This property specifies the cache size in megabytes (MB) or as a percentage. The default value is 250 MB.
Smsfullremotetools Ccmsetup smsfullremotetools=1
Instead of waiting for the client to obtain policies from the server telling it which tools are to be enabled, this property forces the installation of all the SMS Remote Control tools during the client installation.
Smsnowinslookup Ccmsetup smsnowinslookup=true
If smsnowinslookup is set to TRUE, the advanced client will not fall back from Active Directory to WINS to look up management points.
Smsperferredclient Ccmsetup smsperferredclient=[keyword]

REMOTE or ANY are the available keywords. If the property is set to ANY, the advanced client will be installed only if the legacy client is not already installed on the system.
Smssitecode Ccmsetup smssitecode=[keyword or Sitecode]
This property specifies the site code to which the advanced client is to be assigned. This keyword can be AUTO or the three-character SMS site code. If AUTO is used, the advanced client will search Active Directory or the server locator points to determine the site to which it is assigned.
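The switches and properties above are usually assembled by hand, and a mistyped site code or cache size only shows up later as an unassigned client. The following PowerShell script is an added example, not code from the book or from Microsoft: it composes a CCMSetup.exe command line from the switches and properties documented above, validates the values the page says have constraints, runs the installer, and then checks that the SMS Agent Host service is running rather than trusting the exit code. The share name, management point name and the assumed property values are placeholders for your environment.

```powershell
# Added example, not from the book: compose a CCMSetup.exe command line from the switches
# and installation properties listed above, run it, and verify the result.
# The share path, management point name and property values are assumed.
function New-CcmSetupArguments {
    param(
        [string]$Source,            # /source: where client.msi and its support files live
        [string]$ManagementPoint,   # /mp: management point to use as the install source
        [hashtable]$Properties      # installation properties, passed as NAME=VALUE
    )
    $parts = @()
    # Switches come first and use the /name:value form
    if ($Source)          { $parts += "/source:$Source" }
    if ($ManagementPoint) { $parts += "/mp:$ManagementPoint" }

    foreach ($name in $Properties.Keys) {
        $value = [string]$Properties[$name]
        switch ($name.ToUpper()) {
            # AUTO or a three-character site code; anything else leaves the client unassigned
            'SMSSITECODE'   { if ($value -ne 'AUTO' -and $value.Length -ne 3) {
                                  throw "SMSSITECODE '$value' is neither AUTO nor a three-character site code" } }
            # megabytes or a percentage, never free text
            'SMSCACHESIZE'  { if ($value -notmatch '^\d+%?$') {
                                  throw "SMSCACHESIZE '$value' must be a number of MB or a percentage" } }
            # the list above says this value cannot be less than 10000 bytes
            'CCMLOGMAXSIZE' { if ([int]$value -lt 10000) {
                                  throw "CCMLOGMAXSIZE must be at least 10000 bytes" } }
        }
        $parts += "$($name.ToUpper())=$value"
    }
    return ($parts -join ' ')
}

$arguments = New-CcmSetupArguments -Source '\\smsserver\SMSClient' -ManagementPoint 'smsmp01' -Properties @{
    SMSSITECODE      = 'AUTO'     # let the client find its site through AD or the server locator point
    SMSCACHESIZE     = '1000'     # MB
    CCMENABLELOGGING = 'TRUE'
    CCMLOGMAXSIZE    = '250000'
    SMSNOWINSLOOKUP  = 'TRUE'     # no WINS fallback when the AD lookup of the management point fails
}
Write-Host "ccmsetup.exe $arguments"

# Run from the source share, then confirm the client actually came up. The exit code alone is a
# weak signal; the SMS Agent Host service (CcmExec) and the logs under %windir%\System32\ccm\logs
# tell you whether the install finished.
$proc = Start-Process -FilePath '\\smsserver\SMSClient\ccmsetup.exe' -ArgumentList $arguments -Wait -PassThru
Write-Host "ccmsetup exit code: $($proc.ExitCode)"
$svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { Write-Host 'SMS Agent Host is running' }
else { Write-Warning "Advanced client not running; check $env:windir\System32\ccm\logs" }
```

The validation is deliberately strict: a client installed with a bad SMSSITECODE still installs, it simply never gets assigned, which is far harder to notice across a few hundred machines than a script that refuses to run.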
Prestaging the SMS Client on a Desktop Image

The SMS advanced client provides additional features not found in the legacy client when you prestage your client on an image. When deploying your client on prestaged installations, the best solution is to use the CCMSetup.exe command to invoke the client.msi file. CCMSetup.exe passes command-line parameters that modify the installation of the advanced client, using any combination of the command-line arguments for CCMSetup.exe discussed earlier in this chapter.
Additional Client Deployment

You can use logon scripts to push the client to any computer when a user logs on to that system. This procedure requires Capinst.exe.

Capinst.exe [Command line switches]

/AdvCli Capinst.exe /AdvCli

This option installs the advanced client. The advanced client files are downloaded from the management point that the server locator point determines is best for the client. If /AdvCli is not specified, the legacy client is installed. If /AdvCli is specified and the client operating system is not supported, the legacy client is installed. CCMSetup.exe, client.msi, and any additional files must be in the same folder as Capinst.exe.

/AdvCliCmd

Anything following /AdvCliCmd is passed directly to CCMSetup.exe.
/AutoDetect Capinst.exe /AutoDetect=[Script]
This option calls a program file or script that is specified after the /AutoDetect= keyword. This script or program file must be in the same folder as Capinst.exe.
/DC Capinst.exe /DC
This option installs the advanced client on the computer even if the computer is a domain controller.
/SLP Capinst.exe /slp=[Server Locator Point]
This option specifies which server locator point to use during the installation. This must be the server locator point name, not the path.
/slpport Capinst.exe /slpport=[port number]
This option specifies the port to use when communicating with the server locator point.
Using ORCA to Customize client.msi

You can use ORCA to edit any MSI file directly. This free tool is available in the Microsoft Windows Software Development Kit (SDK) (http://go.microsoft.com/fwlink?LinkID=55774). ORCA.MSI is included in the SDK, and you will need to run it after you install the SDK. After ORCA is installed, you can modify the MSI file. I highly recommend creating a backup of the client.msi file before you modify it. Microsoft does not support modifying the MSI file directly. When you right-click an MSI file, the Edit With Orca option is available in the right-click context menu, as shown in Figure 7-7.
Figure 7-7
Orca will allow you to remove some of the dialog boxes within the client.msi installation. It will also let you configure some of the settings, such as SMS Site Code and Client Cache Size. Each time you run client.msi, it will have fewer dialog boxes for you to click and preconfigure for your environment. When you right-click client.msi and choose Edit With Orca, Orca will display the structure of client.msi, as shown in Figure 7-8. So that you don’t have to type the site code every time you run the client.msi file, you can add the property value SMSSiteCode = AUTO to the client.msi file. To do this, you will want to browse the table list until you see the table property, as shown in Figure 7-9.
Figure 7-8
Figure 7-9
To add a row under the Property table, go to the Tables menu and click Add Row. The Add Row dialog box, shown in Figure 7-10, appears.
Figure 7-10
Add a Property Value of SMSSITECODE with a Value of AUTO. Next, modify the SMSCACHESIZE to 1000 instead of the default 250. While still using the Property table, scroll up until you see the SMSCACHESIZE shown in Figure 7-11.
Figure 7-11
Now you can double-click the Value and change it to 1000 or whatever value you want. Enter your new value and press Enter, then save the file. When you run client.msi, those values will already be configured for you. The website http://blogcastrepository.com/blogcasts/37/sms/entry369.aspx has a great blogcast about how to use Orca to modify the client.msi file, and http://www.blogcastrepository.com has some really great videos on SMS and other software packages.
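Clicking through Orca is fine for one file, but the same edit has to be made again after every client update. The following PowerShell script is an added example, not code from the book or from Microsoft: it makes the same two Property-table edits as the walk-through above (add SMSSITECODE=AUTO, change SMSCACHESIZE to 1000) through the Windows Installer automation interface, after taking the backup the text recommends. The path to client.msi is assumed. Because the Installer COM object exposes no type information to PowerShell, its methods are called through InvokeMember rather than directly.

```powershell
# Added example, not from the book: make the Property-table edits shown in the Orca walk-through
# above, scripted through the Windows Installer automation interface so they are repeatable.
# The path to client.msi is assumed.
$MsiPath = 'C:\SMSClient\client.msi'
Copy-Item -Path $MsiPath -Destination "$MsiPath.bak" -Force   # back up first, as recommended above

# Late-bound COM calls go through InvokeMember; the Installer object exposes no type info to PowerShell
function Invoke-ComMethod($Object, [string]$Method, [object[]]$Arguments) {
    $Object.GetType().InvokeMember($Method, [System.Reflection.BindingFlags]::InvokeMethod, $null, $Object, $Arguments)
}
function Get-ComProperty($Object, [string]$Property, [object[]]$Arguments) {
    $Object.GetType().InvokeMember($Property, [System.Reflection.BindingFlags]::GetProperty, $null, $Object, $Arguments)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-ComMethod $installer 'OpenDatabase' @($MsiPath, 1)   # 1 = msiOpenDatabaseModeTransact

function Set-MsiProperty([string]$Name, [string]$Value) {
    # Read the current row so we know whether to INSERT (new property) or UPDATE (existing one)
    $view = Invoke-ComMethod $db 'OpenView' @("SELECT Value FROM Property WHERE Property = '$Name'")
    Invoke-ComMethod $view 'Execute' @() | Out-Null
    $record = Invoke-ComMethod $view 'Fetch' @()
    Invoke-ComMethod $view 'Close' @() | Out-Null
    if ($record -ne $null) {
        $old = Get-ComProperty $record 'StringData' @(1)
        $sql = "UPDATE Property SET Value = '$Value' WHERE Property = '$Name'"
        Write-Host "$Name : $old -> $Value"
    } else {
        $sql = "INSERT INTO Property (Property, Value) VALUES ('$Name', '$Value')"
        Write-Host "$Name : added with value $Value"
    }
    $edit = Invoke-ComMethod $db 'OpenView' @($sql)
    Invoke-ComMethod $edit 'Execute' @() | Out-Null
    Invoke-ComMethod $edit 'Close' @() | Out-Null
}

Set-MsiProperty 'SMSSITECODE'  'AUTO'   # the row added in Figure 7-10
Set-MsiProperty 'SMSCACHESIZE' '1000'   # the value changed in Figure 7-11 (default 250)
Invoke-ComMethod $db 'Commit' @() | Out-Null   # nothing is written until Commit
```

Opening the database in transact mode means a failure part-way through leaves the original file untouched; only the final Commit writes the changes. Keep the modified copy clearly separate from the unmodified client.msi on the management point, since Microsoft does not support a directly edited MSI.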
Summary

In this chapter, I discussed how you can deploy the SMS client by using various methods built into SMS 2003 or by using methods that are easily installed through scripts and computer images. I discussed options for deploying the client using Group Policy and prestaging the client on images, the various command-line options for deploying the client, and how to modify client.msi using a tool provided by Microsoft. In the next chapter, I discuss what to do with the clients after you install them and assign them to the site: managing collections and how to create new ones, the collection membership rules, and how to import and export client memberships.
Managing Collections

In this chapter, I discuss the creation and management of collections. Collections are groups of machines based on dynamic or static rule sets that can be targeted for software distribution. In Chapter 6, I discussed the Software Distribution agent and the fact that it allows clients to receive advertisement data from management points. In this chapter I explain the two methods of adding machines to collections and the different functions that can be performed on collection members. Collection members can be added statically (direct membership rules specified by an administrator manually or via a script) or dynamically (query-based rules). Queries are created by administrators, and can then be configured to run automatically against the local SMS site database to add or remove members on a schedule. Both types of rules can be created in a single collection, allowing very powerful software distribution targeting. As I discuss in Chapter 16, most of the management of collections can be scripted. In this chapter, I demonstrate how to create some basic scripts that will allow you to create collections, add direct memberships, and perform other scripting activities.
Creating a New Collection

When installation completes, SMS 2003 by default creates several collections. Collections such as All Systems, All Windows 2000 Systems, and All Windows 2003 Server Systems are helpful when trying to evaluate the success of an SMS implementation or when targeting OS patches/upgrades. However, these default collections will soon not be enough for most hierarchies to target software distributions. To create your own collections of machines and/or users, follow these steps:
1. Under the SMS Administrator console, right-click the Collections folder.
2. Expand the New submenu and click Collection. The property sheet for a new collection opens, as displayed in Figure 8-1. On the General tab, name the new collection, and enter a comment that describes the collection. All collections within a hierarchy must be uniquely named.
Figure 8-1
3. Click OK. The new collection will be listed in the Details pane.
4. Expand the Collections folder and select the new collection. Note that it currently contains no members. (If an hourglass icon is shown next to the collection's name, right-click the collection and select Refresh.)
It is not necessary to close the new collection’s property sheet before adding membership rules. However, collections may be nested to provide a very organized view for administrators. Collections with no membership rules are often used as containers for other collections. Be aware that collection information flows down an SMS hierarchy. Creating a collection at a central site results in the collection being created and evaluated at all sites in the hierarchy.
Creating a Direct Membership Rule

Direct membership rules should be created when you want to target a very specific user or SMS client. Direct membership rules are not automatically updatable; therefore, any change of targeted resources is a manual process. If a targeted resource is removed from the site database, the associated direct membership rules will be deleted from all collections. For example, if the user jsmith is a resource, and jsmith ages out of the site database for any reason, all direct membership rules referring to jsmith will also be deleted. If jsmith is later rediscovered or inventoried, the direct membership rules must be recreated. For this reason, static membership rules should be used for focused, short-term distribution efforts only. You can reduce the effort involved in creating direct membership rules by specifying broad criteria that will return many results. Wildcards (% and _) can be used to find multiple resources with similar attributes. On the other hand, you can limit results by restricting the resource search to a pre-existing collection. The Direct Membership Rule Wizard will return a list of results that match your criteria and restrictions. You can select multiple resources on this list. A direct membership rule will be created for each resource checked in the results list.
To create a direct membership rule, perform the following steps:

1. In the SMS Administrator console, expand the Collections folder.
2. Right-click the desired collection.
3. Choose Properties from this menu.
4. Click the Membership Rules tab. With no rules, the tab looks like Figure 8-2.
Figure 8-2
5. Click the star icon to create a new direct membership rule.
6. Click Next on the Welcome screen, shown in Figure 8-3.
Figure 8-3
7. Select the class, type, and specific criteria that will identify the desired resources in the site database. In this example, I am searching for the System Resource with the name computer1.
8. Click Next.
9. Click Next again to bypass the option to specify a collection that already contains the resource. In the list of results, select the desired resources.
10. Click Next.
11. On the final screen of the wizard, confirm that direct membership rules will be created only for those machines you checked on the previous screen.
12. Click Finish to create the requested rules. Note that clicking Cancel on the final screen of the wizard results in no rules being created.
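The chapter's introduction notes that collection management can be scripted, and the wizard steps above map directly onto the SMS Provider classes. The following PowerShell script is an added example, not code from the book or from Microsoft: it creates a collection as in "Creating a New Collection" (refusing a duplicate name, since collection names must be unique in the hierarchy), links it under the collection root so it appears in the console, adds a direct membership rule for computer1 exactly as the wizard does, and then adds one query-based rule of the kind the next section describes, selecting the six resource attributes a collection query must return. The site server name, site code, collection name and computer names are assumed.

```powershell
# Added example, not from the book: create a collection and add a direct membership rule
# through the SMS Provider (SMS_Collection, SMS_CollectionRuleDirect), the scripted equivalent
# of the wizard steps above, plus one query-based rule of the kind the next section describes.
# Server name, site code, collection name and computer names are assumed.
$SiteServer = 'smsserver'
$SiteCode   = 'S01'
$Namespace  = "root\sms\site_$SiteCode"
$Name       = 'Lab Workstations'

# Collections must be uniquely named in the hierarchy; refuse to create a duplicate
$existing = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace `
    -Query "SELECT CollectionID FROM SMS_Collection WHERE Name = '$Name'"
if ($existing) { throw "Collection '$Name' already exists as $($existing.CollectionID)" }

$coll = ([wmiclass]"\\$SiteServer\$Namespace:SMS_Collection").CreateInstance()
$coll.Name            = $Name
$coll.Comment         = 'Created by script; direct plus query-based rules'
$coll.OwnedByThisSite = $true
$coll.Put() | Out-Null
$coll.Get()            # re-read so the CollectionID assigned by the provider is populated

# Link it under the collection root (COLLROOT) so it shows up in the console tree
$link = ([wmiclass]"\\$SiteServer\$Namespace:SMS_CollectToSubCollect").CreateInstance()
$link.parentCollectionID = 'COLLROOT'
$link.subCollectionID    = $coll.CollectionID
$link.Put() | Out-Null

# Direct rule: resolve the resource the way the wizard does, then bind it by ResourceID.
# If the resource is not in the site database there is nothing to bind, which is the same
# reason a direct rule disappears when its resource ages out.
$res = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace `
    -Query "SELECT ResourceID, Name FROM SMS_R_System WHERE Name = 'computer1'"
if (-not $res) { throw "computer1 is not in the site database; a direct rule cannot be created" }
$direct = ([wmiclass]"\\$SiteServer\$Namespace:SMS_CollectionRuleDirect").CreateInstance()
$direct.ResourceClassName = 'SMS_R_System'
$direct.ResourceID        = $res.ResourceID
$direct.RuleName          = $res.Name
$coll.AddMembershipRule($direct) | Out-Null

# Query rule: the six resource attributes a collection query must return, with a criterion
# that uses the % wildcard to match many machines at once
$wql = @"
SELECT SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
FROM SMS_R_System WHERE SMS_R_System.Name LIKE 'LAB%'
"@
$query = ([wmiclass]"\\$SiteServer\$Namespace:SMS_CollectionRuleQuery").CreateInstance()
$query.QueryExpression = $wql
$query.RuleName        = 'Lab machines by name'
$coll.AddMembershipRule($query) | Out-Null

# Ask Collection Evaluator to evaluate now instead of waiting for the schedule
$coll.RequestRefresh() | Out-Null
Write-Host "Created collection $($coll.CollectionID) ($Name)"
```

The account running the script needs rights on the SMS Provider to create collections and rules, the same rights the console requires. Note that the direct rule is created only after the resource is confirmed to exist, mirroring the wizard's results list: a rule for a ResourceID that is not in the database would be useless, and the script says so instead of creating an empty rule.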
Query-Based Membership Rules

Static rule sets created by direct membership rules require constant administrative overhead. Particularly in large hierarchies, maintaining collection trees based solely on direct membership rules would be completely uneconomical. Collections need to update dynamically to lessen that overhead. In SMS 2003, dynamic rules are known as query-based rules. A properly configured query-based rule, with a timely schedule, can completely manage the deployment of many SMS packages with no involvement by administrators. Query-based rules are written in WQL (the WMI Query Language), which the SMS Administrator console uses to pull information from its site database connection into a readable format. WQL is a subset of SQL that allows only basic operations through the SMS Administrator console: it supports select statements with where and from clauses, as well as basic joins. Note that WQL is used only for queries from the SMS Administrator console; reports (discussed in Chapter 12) are written in native SQL. The SMS Administrator console converts WQL to SQL when contacting the site database and returns formatted results. In the case of query-based membership rules, the goal of the query is to add and remove resources (users or SMS client machines) from a specific collection. SMS also allows the creation of queries that are not part of a collection; you can find more information about these in Chapter 12. In fact, if a query exists in SMS, it can be imported into any collection, which reduces the number of queries required. Queries, like collections, must be uniquely named. In short, queries used for collections must return, at a minimum, six values about a resource. The criteria used to find those values are limited only to the extent that the query editor is limited, a limit typically reached only when pasting large lists of resources.
If a query contains more criteria than the editor can hold, multiple query rules can be created within the same collection. The administrator has two options for creating queries. A graphical interface allows all but the most advanced features of the WQL language to be accessed. Results, criteria, and even joins can be specified with clicks of the mouse. A query editor allows administrators to write WQL code themselves for advanced operations.
Finally, queries should dynamically update to take full advantage of their capabilities. A component called Collection Evaluator runs as part of the SMS service on site servers. This component updates collection membership on a schedule specified by administrators (daily by default). Because collections with only direct membership rules do not require dynamic updates, they should not be scheduled for reevaluation. Collections with query-based rules should be scheduled to update on an interval appropriate for their purpose. For example, it might be desirable to have a collection responsible for deploying security patches to newly created machines updated on a very frequent basis. Alternatively, a one-time distribution of an advertisement might require only manual updates. To create a query-based membership rule based on a previously built query, perform the following steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the desired collection.
3. Choose Properties from this menu.
4. Select the Membership Rules tab.
5. Click the star icon to begin creating a query-based membership rule.
6. In the Query Rule Properties dialog box, as shown in Figure 8-4, enter the name of the query. Be descriptive so you know what the query represents if you look at it at a later date.
Figure 8-4
7. Click the Import Query Statement button. In the list of possible queries, select the query to be imported.
8. Click OK.
9. Click the Edit Query Statement button and confirm that the General, Criteria, and Joins tabs are correctly configured. If no changes were made, cancel the Query Statement Properties dialog box; otherwise click OK.
10. Click OK and confirm that the new query is displayed in the list of membership rules for the collection.
Query-Based Membership Rule Criteria
In order to become a member of a collection with only query-based membership rules, an SMS client must have a discovery record or inventory results in which a specific attribute’s value matches an administrator-supplied entry. For example, searching for systems with names such as computer% could return machines with the names computer, computer1, and computer12. Administrators can create criteria based on any value collected by inventory from any resource in the site database. In addition, administrators can combine criteria with standard logical operators (and, or, not). Logical operators follow the precedence and, or, then not. Administrators can group different criteria with parentheses to affect the order of precedence. In SMS 2003, several types of criteria are provided to allow administrators powerful query capabilities:
❑ Simple value criteria items evaluate an administrator-supplied entry against the same attribute on all resources.
❑ Null value criteria items allow administrators to evaluate whether a specific attribute is empty or populated on all resources.
❑ Attribute reference criteria items compare two attributes on the same resource.
❑ Subselected values criteria items allow administrators to create queries based on the results of other queries (i.e., nested queries). Administrators can specify that resources should be in or not in the original query’s results.
❑ List of values criteria items check a specific attribute against a list of entries on all resources.
❑ Simple, attribute reference, and listed values allow advanced comparison operations such as less than or greater than, like, and uppercase/lowercase evaluation.
To create a new query rule without importing a query statement, perform the following steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the desired collection.
3. Choose Properties from this menu.
4. Select the Membership Rules tab.
5. Click the star icon to begin creating a query-based membership rule.
6. In the Query Rule Properties dialog box, as shown previously in Figure 8-4, name the query.
7. Click the Edit Query Statement button.
8. By default, the General tab will display, as in Figure 8-5. This tab should not be altered in queries created within a collection. When the query is first created, this tab is blank. SMS adds required information later.
9. Click the Criteria tab. The Criteria tab shown in Figure 8-6 contains no criteria. Click the yellow star to add a new item. The default Criterion Properties dialog box is displayed in Figure 8-7. Click the Select button to select the attribute to be compared against. The attribute classes and attributes available in the Select Attribute dialog box depend on the results of inventory and discovery. Figure 8-8 shows an example of the Select Attribute dialog box.
Figure 8-5
Figure 8-6
Figure 8-7
Figure 8-8
10. Select an attribute class. Note that the attributes change based on the class specified.
11. Select an attribute.
12. Click OK.
13. By default, the operator is set to “is equal to.” Set the operator to the desired function.
14. Enter a value or click the Values button to select from a list of options as provided by the site database. Note that the values list is limited to two thousand items.
15. Click OK to close the Criterion Properties dialog box.
16. Add other items as needed. Note that the default logical operator is “and.” This can be changed by selecting the specific item and clicking the and/or button.
17. Once all items are added, click OK.
Limiting Queries
It is not always necessary to search the entire database for resources that match the criteria of a query. Often it is better to search pre-existing collections for resources. However, be aware that results of the limited query rely on the update schedule of the referred-to collection in order to find new members. If, for instance, the collection ABC uses a query-based rule that is limited to the resources in 123, first 123 and then ABC must update membership. To limit the results of a query to the resources in an existing collection, perform the following steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the collection to be modified.
3. Choose Properties from the menu.
4. Click the Membership Rules tab.
5. Right-click the query-based membership rule to be modified.
6. Choose Properties from the menu.
7. Click the checkbox for Limit To Collection.
8. Either type the collection name into the edit box, or click the Browse button to search for a collection name. Figure 8-9 shows the Query Rule Properties dialog box configured to limit results to resources in the Test collection.
9. Click OK from the Query Rule Properties dialog box to accept the changes.
Figure 8-9
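The criteria types listed under Query-Based Membership Rule Criteria and the Limit To Collection option above both end up as WQL, so an administrator can test a rule against the SMS Provider before saving it in the console. The following PowerShell example is added here and is not code from the book: it assembles one criterion of each type into the statement a collection rule needs and runs it, and it assumes a site code Z28 (taken from the naming examples later in this chapter), a provider host SMSPROV01, a limiting collection ID Z2800012, and the domain names CORP and LAB, none of which come from the book.

```powershell
# Added example, not from the book: one criterion of each type described under
# "Query-Based Membership Rule Criteria", plus the membership test that
# "Limit To Collection" adds, expressed in WQL and run through the SMS Provider.
# Assumed values (replace with your own): site code Z28, provider host SMSPROV01,
# limiting collection ID Z2800012, domain names CORP and LAB.
$siteCode          = 'Z28'
$providerHost      = 'SMSPROV01'
$limitCollectionId = 'Z2800012'

# Every collection query must return these six SMS_R_System attributes; the
# console writes them onto the General tab when the rule is saved.
$select = @'
select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
'@

$criteria = @(
    # Simple value: "like" with the % wildcard matches computer, computer1, computer12 ...
    'SMS_R_System.Name like "computer%"',

    # Null value: keep only resources whose Client attribute has been populated.
    'SMS_R_System.Client is not null',

    # Attribute reference: compare two attributes of the same resource.
    'SMS_R_System.Name = SMS_R_System.NetbiosName',

    # List of values: the attribute is checked against each entry in the list.
    'SMS_R_System.ResourceDomainORWorkgroup in ("CORP", "LAB")',

    # Parentheses: the "or" inside the group is decided before the surrounding "and".
    '(SMS_R_System.OperatingSystemNameandVersion like "%Workstation 5.1%" or SMS_R_System.OperatingSystemNameandVersion like "%Workstation 5.0%")',

    # Subselected values: resources "not in" the results of another query (here, servers).
    'SMS_R_System.ResourceID not in (select SMS_R_System.ResourceID from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Server%")',

    # Limit To Collection, written here as a subselect on the collection's
    # membership class. It sees that collection as of its LAST evaluation, which
    # is why the limiting collection must be updated before this one.
    "SMS_R_System.ResourceID in (select ResourceID from SMS_CM_RES_COLL_$limitCollectionId)"
)

# The default operator between criteria is "and", as in the Criterion Properties dialog.
$wql = $select + ' where ' + ($criteria -join "`n  and ")
Write-Output $wql

# Run the statement in the site's provider namespace. The result set is what
# Collection Evaluator would load into the collection on its next scheduled update.
$members = Get-WmiObject -ComputerName $providerHost -Namespace "root\sms\site_$siteCode" -Query $wql
$members | Select-Object Name, ResourceDomainORWorkgroup, Client | Format-Table -AutoSize
```

Running the statement this way returns the same rows the rule would produce, so an empty or unexpectedly large result can be caught before the collection is used as an advertisement target.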
Updating Collections
All query-based rules on a collection are evaluated by Collection Evaluator on a specific schedule. Each primary site evaluates collections independently, so collection results are specific to their individual branches of the hierarchy. Collections with only direct membership rules should not be set to update on a schedule. Each collection can have a specific schedule. To specify the update schedule for a collection, perform the following steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the collection to be scheduled.
3. Choose Properties from the menu.
4. Click the Membership Rules tab.
5. Confirm that the Update This Collection On A Schedule checkbox is selected. By default the schedule is set to daily updates.
6. Click the Schedule button to change the schedule. Figure 8-10 shows the Schedule dialog box. The time and date default to the current system time. If the collection should start automatically updating in the future, change the time and date to an appropriate value.
Figure 8-10
7. Most collections should continually update. To provide this functionality, set the schedule to recur and change the recurrence to the correct value. Beware of changing collection schedules to less than thirty-minute intervals in medium or large hierarchies.
Alternatively, administrators can manually update collection membership, no matter what the schedule. This is particularly beneficial when working with client rollout and health issues. To force Collection Evaluator to immediately process the query-based rules for a collection at a single site, perform the following steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the collection to be updated.
3. Expand the All Tasks submenu.
4. Choose Update Collection Membership from the All Tasks menu. The All Systems window is displayed in Figure 8-11. Note that you can update all subcollections by checking the box.
Figure 8-11
5. Click OK to start the collection evaluation. This could take several seconds, depending on how many resources match the query criteria, and how many subcollections were also designated to be evaluated.
6. After you allow a few moments for Collection Evaluator to finish updating membership, the SMS Administrator console must be refreshed. Right-click the collection.
7. Choose Refresh from the menu. The hourglass icon next to the collection name should disappear, and the new collection results will be displayed in the Details pane.
Replicating Collections Between Hierarchies
In many enterprises, several SMS hierarchies exist to support political and technical requirements. For example, many enterprises test software distributions in a completely separate hierarchy to ensure that test packages do not affect production systems. However, lab hierarchies should reflect the production environment as much as possible. With SMS 2003, administrators can export any number of collections, and then import them into a completely separate hierarchy. So an administrator can test the query logic for a collection in a lab environment and then move the collection to the production hierarchy. To export collections, follow these steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the collection to be exported. Note that you can export the entire Collections folder if necessary.
3. Expand the All Tasks menu.
4. Choose the Export Objects option from the All Tasks menu.
5. Click Next on the Welcome screen in the Export Object Wizard. A list of possible objects to export is presented. Figure 8-12 displays the Objects To Export screen. Select the objects to be exported and click Next.
Figure 8-12
6. Specify a file path and name for the MOF file that will contain the collection information in the MOF Path And File Name edit field. Use the Browse button to search for previously created files to be overwritten.
7. Add a descriptive comment in the Comments edit field to help identify the MOF file.
8. Click Next to display the final screen of the wizard.
9. Confirm that all intended objects to be exported are included in the list, and click Finish.
Note that importing collections requires more forethought than exporting. The importing administrator must consider the organization of the collection folders, the names of currently existing collections, and the dependence of the imported collections on other collections’ memberships. Follow these steps to import a MOF file containing collection information into an SMS hierarchy:
1. Under the SMS Administrator console, right-click the Collections folder.
2. Expand the All Tasks submenu.
3. Choose Import Objects from the All Tasks submenu. Note that collection objects can be imported into the top-level folder only.
4. Click Next to bypass the Welcome screen of the Import Object Wizard.
5. Enter the name of the MOF file to be imported, or use the Browse button to find it.
6. Click Next. SMS displays the Import Object Wizard dialog box, as shown in Figure 8-13.
Figure 8-13
7. Confirm that you have the permissions required to create collections, and that none of the objects to be imported have the same name as a currently existing object. There is no provision for changing the name of an importing object within the wizard. You can either edit the MOF file directly prior to importing, or change the name of the existing object. This import function should not be used to overwrite existing objects. To edit the MOF file directly, use your favorite text writing program — Notepad works great — and edit the Rulename of the MOF file.
8. Click Next.
9. Review the comment (if any) and then click Next to perform the import function.
SMS will display the status of the import function. Confirm that all collections were created successfully, and then click Finish.
Moving a Collection
One of the most overlooked architectural tasks when designing an SMS hierarchy is the organization of collections. Furthermore, as the SMS hierarchy ages, the collection organization will need maintenance. Especially after importing several objects, it is often necessary to reorganize the Collections folder. Collections can be linked or completely moved from one location to another. Link To Collection creates a new collection wherever you choose that links or copies the collection properties and advertisements. Once you link a collection, the original can be deleted because the link is an exact replica that includes all properties and advertisements. To link a collection to another point in the collection folder structure, follow these steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the collection that is the target of the link.
3. Expand the New menu.
4. Choose the Link To Collection option from the New submenu.
5. SMS 2003 displays a list of all collections. Choose the collection to be linked from the list in the Browse Collection screen (see Figure 8-14).
6. Click OK. The collection that’s linked from will be displayed under the collection that’s linked to.
Figure 8-14
After linking a collection to another collection, you can delete the original instance without affecting any other collection properties. This process effectively moves the collection from one point in the folder structure to another. To delete a collection link, follow these steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the instance of the linked collection to be deleted.
3. Choose Delete from the menu.
4. Click Next to bypass the Welcome screen of the Delete Collection Wizard.
5. By default, the Yes, Delete This Instance Of The Collection button is checked. Click Next.
6. Review the Finishing dialog box to confirm that the correct action is being taken and then click Finish to delete the link to the collection.
Deleting an entire collection is a similar process. After removing all but one link to a collection, the Delete Collection Wizard changes to reflect the fact that you are now completely removing the collection. Because this is a potentially destructive act for other objects (that is, advertisements targeted to that collection), SMS 2003 offers to show more information about the effects of the deletion.
Deleting Objects from a Collection
SMS 2003 collections are not just for software distribution. Administrators can perform rudimentary database cleanup functions using collections. Resources can be deleted individually by simply highlighting the resource and pressing the Delete key. However, to completely delete a list of resources from the site database, administrators should use the Delete Special function. Note that although machines can be deleted from the site database, they might be rediscovered later. To delete all resources in a collection from the site database, perform the following steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the collection that contains the deletable resources.
3. Choose the Delete Special option from the menu.
4. SMS 2003 presents a warning that all resources in the collection will be removed from the database. Click OK only if you are certain that these objects should be completely removed from the site database.
Viewing Advertisements Targeted to a Collection
A full description of advertisements is available in Chapter 10. In this section, I discuss a quick way to view what advertisements are targeted to a particular collection and to confirm that advertisements are targeted to the correct collections. To view the advertisements targeted to a collection, perform the following steps:
1. Under the SMS Administrator console, expand the Collections folder.
2. Right-click the desired collection.
3. Choose Properties from the menu.
4. Click the Advertisements tab.
The Advertisements tab is displayed in Figure 8-15. This is a read-only view; advertisement changes must be performed through the Advertisements folder.
Figure 8-15
SMS Collection Structure and Management
Managing collections should be approached with common sense — it will make your life easier in the long run. A well-managed collection structure enables you to achieve a clean look with ease of administration. It will help to have a policy in place for naming collections consistently. You can use many techniques to ensure that your collections are structured neatly and are easy to manage. Some use the site code in the collection name to achieve a simplified look and to easily distinguish which computers belong to which collection. This naming convention is simple and organized:
❑ Z28: Systems
❑ Z28: All Sites
❑ Z28: Applications
❑ Z28: Operating Systems
❑ Z28: Patch Management
Where Z28 is your site code. I don’t remember who got me hooked on this structure, but it works wonderfully. The Z28 Systems collection contains all the systems within your organization, whereas all the other collections are just top-level collections with only subcollections under them. This helps you organize your sites into one common collection structure. Also, having subcollections helps when you are using the Web Remote tools, discussed in Chapter 15, for deploying software packages to the clients. Another technique is to use special characters for the beginning of the collections to set the collections apart from each other and have them at the top of the SMS Admin console. This naming convention is simple and organized as well:
❑ # Site A Collections
❑ # Systems in Site A
❑ # Programs for Site A
❑ % Site B Collections
❑ % Systems in Site B
❑ % Programs for Site B
Although this structure is not as organized as the other example, it is easy and simple. For the most part, having subcollections as part of your collection structure is the way to go. It helps you organize your collections so they are appealing to the eye and makes it easier to navigate your collection. However, no matter how you organize your collection, you should have a policy in place to help you maintain and ensure that all collections are named in a consistent manner. You can never have too much documentation. Even though most of us hate to write it, documentation does come in handy.
Summary
In this chapter I have discussed the use of collections to contain resources for software distribution targeting. I created a new collection, added direct and query-based membership rules to a collection, and set a schedule for automatic membership updates. In addition, I described the possibility of exporting and importing collections, as well as collection folder structure organization. Finally, I displayed an easily accessed interface for administrators to see what advertisements are targeted to a collection. I discussed how to organize and manage your collection structure to make administration of your SMS environment easier. In Chapter 9, I begin discussing the processes to create and distribute software packages using SMS 2003. I will again look at the rich reporting features within SMS 2003 to ensure the packages are successfully being deployed within your organization. I will also discuss how you can specify distribution points to handle software requests.
Creating and Distributing Packages
In this chapter, I discuss one of the main features of Systems Management Server 2003 and how you can configure and maintain this feature through the various SMS 2003 tools. I discuss the options to create and distribute packages to the various collections. I look at the steps needed to create a new package from a definition file or a Microsoft Installer file (MSI file). I also discuss the various options used to create software packages and configure the programs associated with them. In the last chapter, I discussed how to create, manage, and update collection memberships based on the needs of the organization; however, in this chapter I discuss how to create packages and install software onto systems in certain collections. As I explained, collections can be used to group similar devices into groups to help manage these systems. You can use these management techniques for collections when you specify packages and advertisements within SMS 2003. I focus on the various ways to create and distribute software packages.
By definition, a package is a collection of things wrapped or boxed together. This is exactly the way a software package should be viewed in SMS 2003. An SMS 2003 software package is basically a software application that needs to be collected, grouped together, and sent to be installed by an SMS 2003 client. These packages can be simple software updates or complex groups of software suites bundled together. However, the package can also be just a set of instructions to run files that are already installed on the SMS client. Sending software packages to clients helps eliminate the inconsistencies that arise when various software packages are installed on different machines by different individuals. Using packages ensures the software is executed in the same fashion, with the same command-line switches, and from the same location.
Packages ensure that the applications are run the way the administrator wants the packages executed. The end user doesn’t need to manage the software package. Successful software distribution consists of four main components that need to be in place in an SMS 2003 environment. They are collection management, package management, program management, and advertisement management. I explain package management and program management in this chapter.
Creating a New Package from a Definition File or an MSI
Creating packages can seem like a tall task because of the various options in the Package Properties dialog box, but the only required field is Package Name. A package does not become useful until the SMS program is assigned for the package. The SMS program tells the client what should happen after the package has been processed on the client. The package basically tells the client what is going to happen on the client. There are various ways to create a package in SMS 2003. I will concentrate on creating a package from scratch, from a definition file, and from an MSI file in this chapter. However, in Chapter 16, I will discuss various scripts you can use to create these packages as well. For now, I will stick with using the SMS Administrator console.
A package definition file (.pdf or .sms) is a file that describes a package and at least one program. A package definition file can be used as an alternative to manually creating packages in the SMS Administrator console. The package definition files contain all the information SMS 2003 needs to create the package. SMS 2003 allows you to import package definition files by using the SMS Package Wizard. From this wizard, SMS will create the package information and the program(s) associated with the package. Many manufacturers include package definition files with their applications. You should use these package definition files when they are supplied; they contain information supplied by the manufacturers that you’ll need to deploy their programs. MSI files can be imported into SMS 2003 and used to create packages. The data in the installer file contains the name, version, and other information needed for SMS 2003.
General Package Information
To create a package, you need to navigate to the Packages folder in the SMS Administrator console. Right-click, and choose New from the menu. The Package Properties dialog box will appear, as shown in Figure 9-1.
Figure 9-1
As stated earlier, the only required field is Name; however, you should fill out all the fields so you’ll know exactly what this package is deploying.
Specifying a Data Source
Select the Data Source tab, which is shown in Figure 9-2. The Data Source tab is used to specify where, if any, the source files are located. You can use the browse feature to search for the files.
Figure 9-2
If a package contains source files, check the This Package Contains Source Files box. This will allow you to specify the location of the source files. These files can be a local drive path or a UNC path to another share on a remote system. If you are using source files that are located on a CD-ROM or some location that will not change frequently, you should click the Use A Compressed Copy Of The Source Directory radio button. This will allow SMS to uncompress the files and send them to the distribution points. If your source files are frequently updated or changed, click the Always Obtain Files From Source Directory radio button. This will ensure the latest version of the source reaches the clients. On the Data Access tab, which is shown in Figure 9-3, you can specify the package to be accessed through the SMS share, or you can use a non-SMS shared folder to access the data. The Data Access tab specifies where SMS stores the package files on the distribution points. The default setting is Access Distribution Folder Through Common SMS Package Share. You can specify your own distribution folder share names by selecting Share Distribution Folder and entering the UNC path of the share name.
Figure 9-3
Under the Distribution Settings tab, which is shown in Figure 9-4, you can set the priority at which the package should be sent. The higher the priority, the higher the bandwidth the distribution will use. If you have no child sites, this setting has no value to your site.
Figure 9-4
In the Reporting tab, which is shown in Figure 9-5, you can specify whether SMS should use a Management Information Format (MIF) file for installation status by the client.
Figure 9-5
The Security tab, which is shown in Figure 9-6, allows you to specify the users’ rights to this specific package.
Figure 9-6
If you expand the Packages folder under the SMS Administrator console, you will see three new subobjects, as shown in Figure 9-7.
Figure 9-7
The Access Accounts folder is where you can specify the type of accounts that will have access to the package source files. By default, SMS 2003 creates a share called SMSPKGx$, where x is the drive letter of the drive with the most available space, and it grants Read Access to the local user and Full Control to the Administrator group. The Distribution Points folder allows you to specify where the packages will be located for user access. You must identify at least one distribution point for every package that is created. The Programs folder allows you to configure command-line program options to run on the target machines.
Configuring Programs
After you have configured the package information, you must create a program. To create a program, navigate to the package you want the program associated with and expand that package. You will see the three subobjects. Right-click the Programs object, select New, and then select Program. The Program Properties dialog box, as shown in Figure 9-8, will appear.
Figure 9-8
On the General tab, you will see a list of fields that need to be completed. The program Name and Command Line fields must be completed when you create a program. Enter a descriptive name in the Name field. Enter a brief description in the Comment section so you can document what you want to accomplish with this program. In the Command Line field, you can enter the command line, including the various switches that will need to run on the client. For example, you can enter SETUP.EXE or SETUP.EXE /s /r. The command line needs to be completed with all the command-line switches in order to successfully run the program. The Start In field is optional, but you can use it to specify the name and path of the directory in which you want the program to start. The Run drop-down list allows you to specify how the program will be executed on the client. You can choose Normal, Minimized, Maximized, or Hidden. The After Running drop-down list allows you to specify the action to be performed after the program completes. You can choose No Action Required, SMS Restarts Computer, Program Restarts Computer, or SMS Logs User Off. The Requirements tab allows you to configure optional components. You can specify the estimated disk space, maximum allowed runtime, client platforms, and additional requirements. The Requirements tab is shown in Figure 9-9.
Figure 9-9
The Environment tab, which is shown in Figure 9-10, allows you to specify the way the program runs. The Environment tab allows you to configure whether the program can run only when a user is logged on, only when no user is logged on, or regardless of whether any user is logged on.
Figure 9-10
You can also specify whether the program should run with the user’s rights or with administrative rights. You also have the ability to configure the drive mode, or the type of connection that will be used to access the distribution points. Most programs understand UNC paths, but some do not and require drive letter mapping. The Advanced tab, which is shown in Figure 9-11, allows you to configure additional options such as the ability to run another program before running this program. The Run Another Program First option requires another package containing the program that you want to run prior to executing this program.
Figure 9-11
When this program is assigned to a computer, you can choose to run it once on the computer or run it for every user that logs in to the computer.
Tricks
When a site system acts as a distribution point, the SMS 2003 default is to use the drive with the least amount of available drive space for the packaging folder. If you have a distribution point with multiple drives and/or partitions, this might not be the best location for your folders due to security policies or just general preferences. If this is the case, you can create a file named NOSMSDB.DAT in the root of the partition you do not want SMS 2003 to use as its package repository. After SMS sees this file, it will move on to the next available drive partition to create the package repository.
Summary
In this chapter, I explained how to create a package, how to create a program, and how to distribute packages to the various clients. I discussed how to specify which distribution points can host packages. I discussed how to configure programs so they run only on particular versions of the operating system. I briefly discussed using scripts to help set up packages; I discuss scripting in greater detail in Chapter 16. In Chapter 15, I introduce the Package Loader, which is used to manually load a package on a site. In Chapter 10, I discuss how to use advertisements to send these program packages to the clients. I discuss the advantages of using subcollections with advertisements and how to schedule package installation on the clients. I discuss the options related to advertising packages to the clients and ensuring that packages are delivered and executed successfully within the time frame specified by the administrator.
Creating Advertisements
In this chapter, you finish the process of distributing software by distributing a package to a collection with an advertisement. Advertisements in SMS 2003, although they have the fewest configuration steps, are the most important piece of the software distribution process. Advertisements tie packages to collections, as they instruct targeted clients how and when to execute programs. To make this connection, I explain the creation of a basic advertisement. Then I add some advanced capabilities to an advertisement, such as a rudimentary scheduling window and support for clients with intermittent connectivity. Finally, I cover some best practices for managing and configuring advertisements. In Chapter 15, I discuss some third-party tools that help you manipulate advertisements and force them to be re-run on clients. Also, in Chapter 16, I discuss how to manually create advertisements through scripts.
Stop! Consider Change Management
In Chapters 8 and 9 I discussed the creation of collections and packages. These objects affect only the SMS hierarchy and (in the case of packages) potentially WAN links. Even in the largest SMS 2003 hierarchies, creating them is not a major undertaking, as the infrastructure should include separate site database servers capable of returning large numbers of query results. Package distribution is highly configurable, with support for sender rate limits, package distribution thread restrictions, and the prioritization of package data. In short, distributing 3-gigabyte packages or evaluating 200,000 or more resources for collection membership is not a significant enough load to warrant a request for change in most enterprises. However, creating and scheduling an advertisement results in a change to at least one resource. This change could be as insignificant as running a script to copy a file to a server from a specific PC. However, it could be as significant as forcing all machines in an enterprise to install Windows XP Service Pack 2 at noon on a Thursday. The creation of an advertisement should be prefaced with an examination of the three components of software distribution:
❑ Does the package execute correctly? Special care should be taken to evaluate the execution in the context of the Software Installation account or the local System account.
❑ Are the correct machines targeted in the collection? If necessary, is the collection updated on a proper schedule?
❑ Is the advertisement configured properly to interact with legacy and advanced clients? Are schedules configured properly? Is a request for change required to initiate this advertisement?
After everything has been confirmed, the enterprise’s change management process should be followed. Many organizations have a process for managing change on servers, but nothing is required for documenting changes to the workstation environment. The SMS administrator has the capability to change every discovered resource with a few mouse clicks. I strongly recommend that you adopt a method for documenting and authorizing these changes. In hierarchies that include workstation systems, notifications to the end-user population are critical for many distributions.
Creating a Basic Advertisement
For the purposes of this book, I define an advertisement as basic if its start time is the time of creation and the advanced client settings are left at the default. This sort of advertisement requires user intervention to run, as it has no mandatory schedule. Users can run nonmandatory advertisements via Run Advertised Programs in the local system's control panel. Optionally, the Add/Remove Programs applet can be configured on advanced client systems to display SMS 2003 advertisements. In addition, advanced clients will not take advantage of the download-and-execute functions (described later). This sort of advertisement is typically used to publish applications to workstations. Users can access the control panel to self-install desired software. Follow these steps to create a basic advertisement:
1. Under the SMS Administrator console, right-click the Advertisements folder.
2. Expand the New submenu and choose Advertisement. The General tab of the Advertisement Properties window is shown in Figure 10-1. Note that four fields on this tab are required in order to proceed with the creation of an advertisement. These fields happen to be all that is required to create a basic advertisement: Name, Package, Program, and Collection.
3. Enter a name for the new advertisement. For example, the name of the advertisement in Figure 10-1 is Basic Test. Consider entering a comment describing what this advertisement executes. In Figure 10-1, the comment has been set to This Is A Basic Advertisement For Test Purposes Only.
4. Click the down arrow next to the Package drop-down box and select the package to be executed.
5. Click the down arrow next to the Program drop-down box and select the program to be executed. Only programs specified within the designated package are displayed.
Chapter 10: Creating Advertisements
Figure 10-1
This completes the first half of an advertisement. You have designated a package and program to be executed. In the final steps you designate the target:
1. Type the name of a collection in the edit box, or click the Browse button to select the collection from a list.
2. Clear the Include Members Of Subcollections checkbox. This checkbox is discussed further in the following section.
3. Click OK to create the advertisement.
The new advertisement is displayed at the bottom of the advertisements list in the Details pane. Note that the columns include the targeted collection as well as the targeted package and program name for at-a-glance advertisement management.
The Include Members of Subcollections Checkbox
As I just discussed, in the process of creating a basic advertisement, I unchecked the option to target the advertisement to members of subcollections. SMS 2003 includes this option so that administrators can create a folder structure of collections, or target an advertisement to a more open set of resources. It is generally not a best practice to leave this box checked. Many administrators like to maintain a tight target with advertisements. If this box is checked, and a subcollection is created beneath the target, resources could unintentionally receive the advertisement. This becomes even more important when you add mandatory schedules to advertisements, as packages will automatically execute. Enterprises that insist upon using the Include Members Of Subcollections checkbox should test query logic in a lab environment first. Alternatively, administrators can create a collection without membership rules, and examine the Advertisements tab of the collection. Membership rules can be added when the administrator is sure that the intended resources should receive the advertisements targeted to the new collection. Although this option is less safe than testing query logic in another environment, it could reveal some political pitfalls that would otherwise result.
Scheduling Advertisements In creating a basic advertisement, you didn’t even view the Schedule tab in the new advertisement’s property sheet. This tab allows configuration of everything from the time that clients will receive or automatically run the package to the prioritization SMS 2003 will use in scheduling the advertisement policy for distribution to management and client access points. The following sections describe each of these functions.
Scheduling the Start Time of an Advertisement As explained previously, clients must receive an advertisement policy to execute package data. Administrators can prevent clients from receiving advertisements before a specific date and time by extending the Start Time for the advertisement. Clients will not download post-dated policy from management or client access points. Note that this option is the first setting that will make up your rudimentary maintenance window. To set the scheduled start time of an advertisement, follow these steps:
1. Under the SMS Administrator console, select the Advertisements folder.
2. Right-click the advertisement to be scheduled in the Details pane.
3. Choose Properties from the menu.
4. Select the Schedule tab.
5. Change the Advertisement Start Time fields to the desired values.
6. Click OK to save the schedule change.
The specified date and time are evaluated as the local time of the machine. Administrators of hierarchies spanning multiple time zones should be aware that advertisements may run earlier or later than expected if time zones are not accounted for. To minimize this problem, you can use the Greenwich Mean Time checkbox. Checking the box tells SMS that all machines should ignore their own time zones and download the advertisement policy at the specified time in the GMT time zone. This means that all machines will receive the policy at the same moment.
Mandatory Scheduling In the previous section you specified the start time for the advertisement. This start time designated when clients should download the advertisement policy. I discussed the fact that this option alone would essentially “publish” the advertisement. SMS 2003 also provides scheduling-enforced advertisements. Setting a mandatory schedule allows administrators to forcibly run advertisements on targeted resources. Only resources that have already run the advertisement manually will be exempt from the mandatory schedule.
SMS 2003 allows for two types of mandatory scheduling. Administrators can choose to schedule at a specific time, or after an event. Administrators should be aware that scheduling for a particular time will run the advertisement not only at the specified time, but also automatically on any new resources that receive the advertisement policy afterward. Scheduling to run after an event is more complex. SMS 2003 provides three different events to schedule against:
❑ Scheduling As Soon As Possible: Runs the policy immediately on resources when the advertisement policy is downloaded. This setting should be used in emergency deployments only. The administrator has no control over when machines will run the advertisement.
❑ Scheduling At Logon: Runs the advertisement when a user logs onto a machine. This setting should be used sparingly. Newer operating systems allow users to log on before all services have been started. It is possible that a user could log onto a workstation before the SMS 2003 client service has started. If this happens, SMS 2003 will not run the advertisement, as it has not recognized a logon event.
❑ Scheduling At Logoff: Runs the advertisement when a user logs off the workstation. Again, I recommend that this scheduling option be used infrequently. Extended logoff and shutdown times can be frustrating to the user.
Administrators can also set a recurring mandatory schedule. Recurring schedules can be set for any interval from 1 minute (not recommended) to once a month. Recurring schedules allow administrators to update packages (software update packages, for example) so that the updated item automatically runs on resources. Finally, after setting a mandatory schedule, the administrator can choose two more options. The first option (set by default) prevents legacy clients from running mandatory advertisements across a slow link. Advanced clients have powerful capabilities that I discuss in the text that follows, but legacy clients could easily saturate a slow network link if mandatory advertisements were enforced. The second option allows administrators to display mandatory advertisements in the Run Advertised Programs applet or under Add New Programs in the Add or Remove Programs applet in the control panel. By default, when a mandatory schedule is set, the advertisement is not shown in these two applets. To set a recurring mandatory schedule for a specific time, follow these steps:
1. Under the SMS Administrator console, select the Advertisements folder.
2. In the Details pane, double-click the advertisement to be scheduled.
3. Click the Schedule tab.
4. Click the Starburst to create a new mandatory schedule. The Assignment Schedule dialog box is displayed, as shown in Figure 10-2.
5. Click the Schedule button to specify the date and time of the mandatory schedule. The Schedule dialog box is shown in Figure 10-3.
Figure 10-2
Figure 10-3
6. Specify the date and time that the advertisement should forcibly run. If all machines should run the advertisement at the same moment, check the box for Greenwich Mean Time.
7. Change the recurring schedule interval to the desired value.
8. Click OK to close the Schedule dialog box.
9. Click OK to close the Assignment Schedule dialog box. Figure 10-4 shows the advertisement's property sheet on the Schedule tab with a mandatory schedule specified. Consider unchecking the Assignments Are Not Mandatory Over Slow Links checkbox to force legacy clients to run the advertisement even across a slow connection.
Figure 10-4
Consider checking the Allow Users To Run the Program Independently Of Assignments checkbox. Checking this box displays the advertisement in the Run Advertised Programs and under Add New Programs found under the Add or Remove Programs applets in the control panel, despite the mandatory schedule.
10. Click OK to close the advertisement's property sheet.
To configure an advertisement to run on an event, follow these steps:
1. Under the SMS Administrator console, select the Advertisements folder.
2. Double-click the advertisement to be scheduled.
3. Click the Schedule tab.
4. Click the Starburst to create a new mandatory schedule. See Figure 10-3 for an example of the Assignment Schedule dialog box.
5. Select the option Assign Immediately After This Event.
6. Select the desired event from the drop-down list.
7. Click OK to close the Assignment Schedule dialog box. Consider unchecking the Assignments Are Not Mandatory Over Slow Links checkbox to force legacy clients to run the advertisement even across a slow connection. Consider checking the box Allow Users To Run the Program Independently Of Assignments. Checking this box will display the advertisement in the Run Advertised Programs and Advertised Programs applets in the control panel, despite the mandatory schedule.
8. Click OK to close the advertisement's property sheet.
Expiring an Advertisement So far I have specified an advertisement to be available to clients at a specific time and enforced a mandatory run time. Finally, SMS 2003 allows administrators to expire advertisements from resources. These three items combined form a rudimentary maintenance window. However, advertisement expiration has limitations. If an advertisement is running when the expiration time is reached, SMS 2003 does not kill the running process. The expiration of advertisements will only remove the advertisement from the available programs. To set an advertisement to expire, perform the following steps:
1. Under the SMS Administrator console, select the Advertisements folder.
2. In the Details pane, double-click the advertisement to be expired.
3. Click the Schedule tab.
4. Check the Advertisement Will Expire checkbox.
5. Set the date and time when the advertisement will expire. Consider configuring the expiration to happen at the specified time in Greenwich Mean Time. This will bypass the machine's time zone setting, and will cause the advertisement to expire on all machines at the same moment. If the other scheduling options do not use GMT, I don't recommend that GMT be used for expiration scheduling.
6. Click OK to close the advertisement's property sheet.
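The start time, the Greenwich Mean Time checkbox, the mandatory assignment and the expiration described in the preceding sections together form the rudimentary maintenance window. The following Python model is an added example of my own, not code from the book or from SMS 2003; it works through how one advertisement resolves on clients in different time zones. The class and function names are mine, and the clock times and UTC offsets are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class ScheduledTime:
    """A date/time from the Schedule tab plus the state of its Greenwich Mean Time checkbox."""
    wall: datetime        # naive clock time exactly as typed into the console
    gmt: bool = False     # True when the GMT checkbox is ticked

    def instant_for(self, client_utc_offset_hours: float) -> datetime:
        """Resolve the setting to the absolute (UTC) instant at which one client acts on it."""
        if self.gmt:
            # GMT checked: every machine ignores its own zone and treats the time as UTC.
            return self.wall.replace(tzinfo=UTC)
        # GMT unchecked: the time is evaluated as the client's local time.
        local = timezone(timedelta(hours=client_utc_offset_hours))
        return self.wall.replace(tzinfo=local).astimezone(UTC)


@dataclass(frozen=True)
class Advertisement:
    start: ScheduledTime                        # Advertisement Start Time
    mandatory: Optional[ScheduledTime] = None   # assignment at a specific time, or None
    expires: Optional[ScheduledTime] = None     # Advertisement Will Expire, or None


@dataclass(frozen=True)
class Client:
    utc_offset_hours: float
    policy_received: Optional[datetime] = None  # UTC instant it downloaded the policy, if it has
    ran_manually: bool = False                  # user already ran it from Run Advertised Programs


def policy_available(adv: Advertisement, client: Client, now_utc: datetime) -> bool:
    """Can this client download/see the advertisement at now_utc?

    Clients do not download post-dated policy, and expiration withdraws the
    advertisement from the list of available programs.
    """
    if now_utc < adv.start.instant_for(client.utc_offset_hours):
        return False
    if adv.expires is not None and now_utc >= adv.expires.instant_for(client.utc_offset_hours):
        return False
    return True


def mandatory_run_instant(adv: Advertisement, client: Client) -> Optional[datetime]:
    """UTC instant at which the mandatory schedule forces the program to run, or None.

    Resources that already ran the advertisement manually are exempt. A resource
    that first receives the policy after the assigned time runs the program as
    soon as the policy arrives. Expiration only withdraws the advertisement (it
    never kills a running program), so it cancels runs that have not started yet.
    """
    if adv.mandatory is None or client.policy_received is None or client.ran_manually:
        return None
    due = adv.mandatory.instant_for(client.utc_offset_hours)
    run_at = max(due, client.policy_received)
    if adv.expires is not None and run_at >= adv.expires.instant_for(client.utc_offset_hours):
        return None
    return run_at


def start_spread_hours(adv: Advertisement, clients) -> float:
    """Hours between the earliest and latest client start instants (0.0 when GMT is used)."""
    instants = [adv.start.instant_for(c.utc_offset_hours) for c in clients]
    return (max(instants) - min(instants)).total_seconds() / 3600.0


if __name__ == "__main__":
    # Constructed sample: a noon start on two clients, one at UTC-5 and one at UTC+1.
    noon = datetime(2006, 10, 5, 12, 0)
    west, east = Client(-5.0), Client(1.0)
    print("local-time start spread:", start_spread_hours(Advertisement(ScheduledTime(noon)), [west, east]))
    print("GMT start spread:", start_spread_hours(Advertisement(ScheduledTime(noon, gmt=True)), [west, east]))

    # Constructed sample: an 18:00 GMT mandatory assignment that expires at midnight GMT.
    patch = Advertisement(
        start=ScheduledTime(noon, gmt=True),
        mandatory=ScheduledTime(datetime(2006, 10, 5, 18, 0), gmt=True),
        expires=ScheduledTime(datetime(2006, 10, 6, 0, 0), gmt=True),
    )
    on_time = Client(-5.0, policy_received=datetime(2006, 10, 5, 12, 30, tzinfo=UTC))
    newcomer = Client(-5.0, policy_received=datetime(2006, 10, 5, 20, 0, tzinfo=UTC))
    late = Client(-5.0, policy_received=datetime(2006, 10, 6, 9, 0, tzinfo=UTC))
    for label, c in (("on time", on_time), ("newcomer", newcomer), ("after expiry", late)):
        print(label, "->", mandatory_run_instant(patch, c))
```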
Now that you have specified the advertisement’s expiration, you will want to set the priority of the advertisement. For some advertisements, you’ll want to set a high priority.
Setting the Priority of an Advertisement Some advertisements are more or less important than other SMS 2003 intersite transactions. For example, an advertisement for a critical patch package might need to reach all management and client access points as soon as possible, whereas a general software package might not need to be available everywhere for a day or two. SMS 2003 allows administrators to specify the priority of advertisement distribution. To specify the priority of an advertisement’s distribution throughout the hierarchy, follow these steps:
1. Under the SMS Administrator console, select the Advertisements folder.
2. In the Details pane, double-click the advertisement to be prioritized.
3. Click the Schedule tab.
4. Set the priority of the advertisement by changing the Priority drop-down. Note that the default priority is Medium.
5. Click OK to close the advertisement's property sheet.
Once you have the priority set for the type of advertisement being pushed out, SMS allows you to configure some more advanced options. These options are found on the Advanced Client tab.
Advanced Client Options SMS 2003 advanced clients have the ability to download package data to a local cache. As I discussed in Chapter 7, it is a good idea to increase the cache size to something larger than the default 250MB. This will allow your advanced clients the ability to download more package data to their local cache. Administrators can specify that individual packages should download to this cache through the advertisement’s property sheet. By default, advanced clients run packages from a local distribution point (if one is available). Alternatively, if no local distribution point is available, the advanced client can optionally download from remote distribution points. To specify how advanced clients should interact with distribution points, follow these steps:
1. Under the SMS Administrator console, select the Advertisements folder.
2. In the Details pane, double-click the advertisement to be modified.
3. Click the Advanced Client tab. This tab is shown in Figure 10-5 with the default options selected.
Figure 10-5
4. Choose the desired option for how the advanced client will handle local distribution points.
5. Choose the desired option for how the advanced client will interact with remote distribution points.
6. Click OK to close the advertisement's property sheet.
Creating many advertisements can leave the SMS 2003 Administrator console cluttered and disorganized. However, SMS 2003 allows you to organize these advertisements into folders.
Organizing Advertisements
In larger enterprises in particular, the number of advertisements can quickly become unmanageable. SMS 2003 advertisements can be organized into folders, which helps administrators find individual advertisements more easily. To create an advertisements folder, perform the following steps:
1. Under the SMS Administrator console, right-click the Advertisements folder.
2. Expand the New submenu.
3. Choose Folder from the New submenu.
4. Specify the name of the new folder.
5. Click OK. The new folder is created under the Advertisements folder.
To move advertisements into the new folder, follow these steps:
1. Under the SMS Administrator console, right-click the Advertisements folder.
2. Choose Move Folder Items from the menu. The Move Folder Items dialog box is displayed, as shown in Figure 10-6.
3. Specify the source folder to copy items from.
4. Select the item(s) to be moved.
5. Click Browse to select the destination folder.
6. In the Destination Folder dialog box that appears, select the destination folder and click OK to close the Destination Folder dialog box. Note that the folder name is now entered into the Destination Folder field.
7. Click OK to close the Move Folder Items dialog box. The items are moved to the destination folder.
Figure 10-6
Summary
In this chapter, you finished the process of distributing software with SMS 2003. Advertisements target packages to collection members. I discussed the scheduling options available with SMS 2003 advertisements, both for clients and for site-to-site transmission of advertisement policy. I also discussed the opportunity for administrators to interact with the advanced client's cache, with the ability to specify which packages will download to the cache and which will run from a distribution point. Finally, and most important, I discussed the fact that enterprises should have a change management process in place for servers and workstations before advertisements are scheduled. The next chapter covers software metering rules and how, through software metering, you can ensure that you are paying only for the software that is being used at your organization. I discuss how to set up rules for each software package you want to meter and how to view the results through the web reporting console of SMS 2003.
Configuring Software Metering Rules
In this chapter, I discuss what is needed to configure software metering. I discuss how to create a new rule for software metering and how to specify the filename, version, and language details for the specific software you want to monitor. Software metering gives SMS administrators the ability to obtain information on program usage from both advanced clients and legacy clients. The information collected with software metering can include program usage, username, file description, execution time, and exit time of the metered software. In this chapter, I discuss how to configure these rules and explain some techniques to ensure you get the information you desire. Software metering results can be summarized to provide rich, useful reports that can help you budget for software assurance renewals, software purchases, or software upgrades. Software assurance will help you keep track of who has what software installed and who is using what software.
Software Metering Rules Properties Dialog Box
Software metering rules are created from the SMS Administrator console and are downloaded to the client so the client agent knows which programs to monitor. Software metering must be enabled before program usage data can be collected on any client. As I discussed in Chapter 6, you need to ensure that software metering is enabled before SMS 2003 will start collecting and reporting data on software usage.
Using the SMS Administrator console, you must indicate which software usage you want to report. The rules you specify apply to the entire site. In the SMS Administrator console, expand Site Database and click Software Metering Rules. To create a new Software Metering Rule, right-click Software Metering Rules, choose New, and click Software Metering Rule. The Software Metering Rule Properties dialog box will appear, as shown in Figure 11-1.
Figure 11-1
On the Software Metering Rule Properties dialog box, select the General tab. Enter a descriptive name for the software metering rule. Browse for the executable file of the application you want to meter and select it. This populates the remaining fields with information obtained from the header of the file. If you do not have access to browse for this file from your local workstation, you can manually enter the information required on the Software Metering Rule Properties dialog box. All of the information is required except Version and Comment.

The Original File Name field is very useful: if the executable file is renamed, this field lets the software metering agent read the application name from the header information, so the software metering rule still applies.

The Version field allows you to enter the exact version you want to report on. You can also enter all versions or any combination of versions. This field allows wildcards: an asterisk (*) matches any version, and a question mark (?) stands in for any single character of the field. You can match all versions that are 1.0, 1.1, and so on by entering 1.? in the Version field. To find any version of software beginning with 1.0, use 1.0*.

In the Language field, you can select the appropriate language of the file you want to monitor. This field has caused problems for many administrators trying to report on metered software. If you are browsing for a file to be metered and a default language appears, I recommend that you do not change the Language field to the language you want to monitor. If you want to meter multiple-language software, use -Any- as the language.

SMS 2003 supports creating multiple software metering rules with the same name to allow you to monitor software packages such as Microsoft Office Professional. You can create rules for each of the core executables in the Office Professional package (WinWord.exe, Excel.exe, Outlook.exe, MSAccess.exe, and PowerPnt.exe) and have five different rules. All of them can be called Microsoft Office Professional. This allows you to monitor a software package such as Microsoft Office Professional as a whole, rather than as individual files.

Software metering is very handy when you are evaluating possible purchases. For example, if an end user wants you to buy Microsoft Office Professional because she needs Microsoft Access, you can examine prior usage. If you have been monitoring the Microsoft Access executable and know that it has not been used for six months, you can save some money when you order your software renewals. You can uninstall Microsoft Office Professional on all the workstations that have not used Microsoft Access for a given amount of time and install Microsoft Office Standard. With SMS 2003 collection rules and advertisements, you can do this automatically with a query-based collection, an advertisement to uninstall Microsoft Office Professional, and another advertisement to install Microsoft Office Standard.
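The Version wildcards and the same-name rules for Office just described can be worked through in code. The following Python is an added example of my own, not the SMS metering agent's logic; how the agent combines the File Name, Original File Name, Language and Version fields is my assumption, and the rule, executable and version values are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List


def version_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Version field into a full-match regex: * = any run of characters, ? = one."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$")


def version_matches(pattern: str, version: str) -> bool:
    """True when the file version satisfies the rule's Version field.

    Version is optional on the dialog box; an empty field is assumed here to mean any version.
    """
    if pattern == "":
        return True
    return version_pattern_to_regex(pattern).match(version) is not None


@dataclass(frozen=True)
class MeteringRule:
    name: str                 # rule name; several rules may share one name
    file_name: str            # File Name field
    original_file_name: str   # Original File Name field
    version: str = "*"        # Version field, wildcards allowed
    language: str = "-Any-"   # Language field


@dataclass(frozen=True)
class ExecutableInfo:
    """What the client agent can see for a launched program (constructed for this example)."""
    file_name: str            # name on disk, which a user may have changed
    original_file_name: str   # OriginalFilename from the file's version-resource header
    version: str
    language: str


def rule_applies(rule: MeteringRule, exe: ExecutableInfo) -> bool:
    """Assumed matching model (not the agent's actual algorithm): a rule applies when either the
    on-disk name or the header's original filename matches, the language matches (or the rule
    says -Any-), and the version satisfies the wildcard pattern. Names compare case-insensitively,
    as Windows file names do."""
    name_ok = (rule.file_name.lower() == exe.file_name.lower()
               or rule.original_file_name.lower() == exe.original_file_name.lower())
    if not name_ok:
        return False
    if rule.language != "-Any-" and rule.language.lower() != exe.language.lower():
        return False
    return version_matches(rule.version, exe.version)


def metered_rule_names(rules: List[MeteringRule], exe: ExecutableInfo) -> List[str]:
    """Distinct rule names that a launch of exe would be recorded under, in rule order."""
    names: List[str] = []
    for r in rules:
        if rule_applies(r, exe) and r.name not in names:
            names.append(r.name)
    return names


# Constructed sample: five rules sharing one name so Office Professional is metered as a whole,
# plus one rule that meters Access on its own for the renewal question discussed above.
OFFICE_PRO_RULES = [
    MeteringRule("Microsoft Office Professional", exe, exe)
    for exe in ("WinWord.exe", "Excel.exe", "Outlook.exe", "MSAccess.exe", "PowerPnt.exe")
]
ACCESS_RULE = MeteringRule("Microsoft Access", "MSAccess.exe", "MSAccess.exe")


if __name__ == "__main__":
    # Constructed sample launches; versions and language strings are illustrative only.
    renamed_word = ExecutableInfo("wordproc.exe", "WinWord.exe", "1.0.3", "English (United States)")
    access = ExecutableInfo("MSAccess.exe", "MSAccess.exe", "1.0.3", "English (United States)")
    print("renamed Word ->", metered_rule_names(OFFICE_PRO_RULES + [ACCESS_RULE], renamed_word))
    print("Access       ->", metered_rule_names(OFFICE_PRO_RULES + [ACCESS_RULE], access))
    for pat, ver in (("1.?", "1.0"), ("1.?", "1.10"), ("1.0*", "1.0.3.12"), ("1.0*", "1.1.0")):
        print(f"version {ver!r} matches {pat!r}: {version_matches(pat, ver)}")
```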
Disabling a Software Metering Rule
After you create a software metering rule, it is enabled by default. However, you might need to disable a software metering rule without completely removing it, because you want to keep the data you have already collected. To disable any single rule, go to the SMS Administrator console, navigate to the software metering rule you want to disable, right-click the rule, and choose Disable.
Viewing Software Usage Reports
After you create your software metering rules, you can use the SMS web reports to view the data that is collected from the clients and stored in the SMS database. As I discuss in Chapter 12, the web reports can be very handy when you need to provide software usage reports to management. Figure 11-2 shows a list of all the Software Metering Reports built into SMS 2003 by default.
Figure 11-2
Chapter 11: Configuring Software Metering Rules
Default Reports for Software Metering
As I stated earlier, 13 default software metering reports are built into SMS out of the box.

All Software Metering Rules At This Site
This report displays a list of all software metering rules defined at the site.

Computers That Have A Metered Program Installed, But Have Not Run the Program Since A Specified Date
This report displays all computers that have a specified program installed as reported by software inventory, but that have not run the program since the specified date. This report requires that software inventory be collected on the metered computers. This report has two prompts you must answer: Last Usage Date and Rule Name. The Last Usage Date is the date against which to run your report. The Rule Name specifies the metered software rule against which to run the report.

Computers That Have Run A Specific Metered Software Program
This report displays a list of computers that have run programs matching the selected software metering rule within the specified month and year. This report has three prompted values you must enter: Rule Name, Month (1–12), and Year. The Rule Name specifies the metered software rule. The Month is the month in which the computer ran the specific program. The Year is the year in which the computer ran the specific program.

Concurrent Usage For All Metered Software Programs
This report displays the maximum and average numbers of users who concurrently ran each metered software program during the specified month and year. This report has two prompted values you must enter: Month (1–12) and Year. These values are the same as the ones previously explained.

Concurrent Usage Trend Analysis Of A Specified Metered Software Program
This report displays the maximum and average number of users who concurrently ran the selected metered software program during each month of the past year. This report has one prompted value you must enter. The Rule Name field is the same as previously explained.

Install Base For All Metered Software Programs
This report shows the number of computers that have metered software programs installed, as reported by software inventory. This report requires that software inventory be collected on the metered computer.
Chapter 11: Configuring Software Metering Rules Software Metering Summarization Progress This report displays the time at which the most recently summarized metering data was processed on the site server. Only metering data processed before these dates will be reflected in the software metering reports.
Time Of Day Usage Summary For A Specific Metered Software Program This report displays the average number of usages, broken down by hour and day, of a particular program for the past 90 days. This report has one prompted value you must enter. The Rule Name field is the same as previously explained.
Total Usage For All Metered Software Programs This report displays the number of users who ran programs matching any software metering rule locally or using Terminal Services within the specified month and year. This report has two prompted values you must enter: Month (1–12) and Year. Both fields were described earlier.
Total Usage For All Metered Software Programs On Windows Terminal Servers This report displays the number of users who ran programs matching any software metering rule using Terminal Services within the specified month and year. This report has two prompted values you must enter: Month (1–12) and Year. Both of these fields were described earlier.
Total Usage Trend Analysis For A Specific Metered Software Program This report displays the number of users who ran programs matching the selected software metering rule locally or using Terminal Services during each month for the past year. This report has one prompted value you must enter: Rule Name, which was described earlier.
Total Usage Trend Analysis For A Specific Metered Software Program On Windows Terminal Servers This report displays the number of users who ran programs matching the selected software metering rule using Terminal Services during each month for the past year. This report has one prompted value you must enter: Rule Name, which was described earlier.
Users That Have Run A Specific Metered Software Program This report displays a list of users who ran programs matching the selected software metering rule within the specified month and year.
This report has three prompted values you must enter: Rule Name, Month (1–12), and Year. These fields were discussed earlier. As you can see, out-of-the-box SMS 2003 has rich reporting capabilities for software metering. Used properly, software metering can save your company a lot of money, because you can produce software usage reports and make sure you pay only for what is actually being used within your organization.
Verify Software Metering Is Installed To verify that software metering has been installed successfully and is running properly, check the status of the Software Metering client agent. On the advanced client, monitor the SWMTRReportGen.log file in the %windir%\system32\ccm\logs directory. In this log file, look for the metering rules the client has received, for example:
<MeterRule Enabled="TRUE" ExplFileName="WinWord.exe"
and for the entry that says the software metering report was successfully created.
On the legacy client, monitor the smagent.log file in the %windir%\ms\sms\logs directory. In this log file, look for the entries indicating that a tracked process was created, where xxx is the process ID:
Creation Event received for process xxx
Process ID xxx is for process C:\Program Files\Microsoft Office\OFFICE11\WinWord.exe
To ensure that the software metering rules have been passed down to the clients, run the Machine Policy Retrieval & Evaluation Cycle action on advanced clients, or run Update Configuration on legacy clients. To verify that the machine policy has been retrieved from the management point, look at PolicyAgent.log on the client. This log file tracks policy requests and downloads on the client; policy is refreshed hourly by default. Verify every change you make to the SMS site this way, and confirm in this log file that the Machine Policy Retrieval & Evaluation cycle successfully retrieved the policy from the management point.
Summary As you have seen, software metering can be used to report software usage and to verify that you have the correct number of licenses for specific software packages. SMS 2003 software metering reports usage of individual software executables, and lets you group executables under the same rule name to track software suites. Software metering helps you create reports indicating how often, how long, and by whom an executable was opened. These reports can be given to management, licensing groups, or whoever else needs them. In the next chapter, I discuss web-based reporting in more detail and explain the steps needed to create rich, robust, and valuable reports. I discuss how to export reports so that you can share them with other sites in your organization and with administrators at other organizations, and how to import web reports from other sites. I discuss how to use the filtering capabilities in the reports to obtain the data you need from them. I also discuss the security options you have to ensure that only the appropriate people can access the reports.
Providing Console and Web-Based Reporting This chapter explores reporting and dashboards within SMS 2003. Inventory and package distribution are key components of SMS, but consider how valuable that data can be to management and your helpdesk. Show the worth of SMS by creating a dashboard: dashboards let your users and management view visual reports, which in turn provide concrete evidence of how valuable SMS is to your company. As you discovered in the previous chapters, SMS has rich reporting built in. In this chapter you discover how to tap into these reports and customize them to fit your needs, so you can provide the details to those who need them when they need them.
Reports Because a dashboard executes multiple reports simultaneously when you open the page, there are times when a single report is the better alternative: a dashboard is of little value if it cannot present the data in a timely fashion. Because dashboards are really just a way to display multiple reports on one page, let's discuss reports first, and then I will talk about creating a dashboard to display report output. Dashboards and reports are created from within the SMS Administrator console. They are then viewable with any web browser, but Internet Explorer is the preferred browser.
The Report Viewer Report Viewer is a browser-based application that you can open from within the SMS console or by using a URL in Internet Explorer. SMS 2003 no longer uses Crystal Reports as SMS 2.0 did, so creating and viewing reports is much simpler. Richer reports can be created using the Web Reporting feature within SMS 2003. Before you begin, you need at least one reporting point to be able to run reports. A reporting point does not require an SMS Server License but does require the following components for integrated use with a dashboard:
❑ IIS
❑ Internet Explorer 5.01 SP2 or higher
❑ Active Server Pages (ASP)
❑ Office Web Components (for graphs in Report Viewer)
Create a Reporting Point As I discussed in Chapter 2, reporting points are created by selecting the server under Site Systems in the SMS console. Right-click it and select Properties. On the Reporting Point tab, check the Use This Site System As A Reporting Point checkbox. A reporting point hosts the code for the Report Viewer and stores reports and dashboards along with any supplemental reports that you may add. Reporting points are not enabled automatically, and they can be installed only at primary sites because they communicate only with their local site database. When you set up the reporting point, the URL that users access through the reporting point is created. Multiple reporting points may be created, and the load balanced by pointing different groups of users to the URL of a different reporting point. When you start Report Viewer from the SMS Administrator console, you select the specific reporting point that you want to use.
Creating and Running Reports SMS Web Reporting accesses SMS data in SQL Server through the SQL Server views. Reports are SMS objects, and SMS objects require the proper credentials to access them; setting security on reports was discussed in Chapter 3. You must have Create permission for the Reports security object class to create or import reports, and the appropriate permission for the Reports security object class or instance to modify, delete, export, or run a report. Reports are not propagated up or down the SMS hierarchy; a report runs only against the database of the site in which it was created. However, because a primary site's database contains inventory data forwarded from its child sites, a report run at a primary site may return data that originated at a child site. Any report that you create within your hierarchy can be exported and saved as a MOF file, so you can ensure that all the reports are set up and shared across your hierarchy. I discuss exporting and importing
reports later in this chapter. Many reports have been shared and can be found on www.myITforum.com and/or within the Code Repository Code Pack for SMS 2003, which is covered in Chapter 15.
Report Types There are four types of reporting in SMS:
❑ Pre-defined reports
❑ Custom reports
❑ Supplemental reports
❑ Dashboards
Now that you have your reporting point installed, you will see the pre-defined reports under the Reporting node of the SMS Administrator console, or by connecting to the URL that was defined when you installed your SMS reporting point. The pre-defined reports are initially divided into ten categories:
❑ Hardware
❑ Software
❑ Software distribution
❑ Software metering
❑ Software updates
❑ Network
❑ Operating system
❑ SMS site
❑ Status messages
❑ Users
These categories make more sense when viewed in Report Viewer, where the reports are displayed grouped by category. In the SMS Administrator console, the reports are initially shown in one flat list; if you move the Category column to the first position, you can sort by category and achieve the same feel as Report Viewer. Keep in mind that you can also create your own categories to organize your reports, and you can move reports from one category into another, all from the SMS 2003 Administrator console.
Filtering Using the Categories list, you can hide or display reports by category, otherwise known as filtering.
1. From within the SMS Administrator console, right-click Reports, point to All Tasks, and then select Filter Reports.
2. In the Filter Reports dialog box, select one or more categories, and then click the Display/Hide button above the Categories list.
3. In the Categories box, the Display column value for the selected category or categories switches between Yes (Display) and No (Hide).
Running a Report To run a report from within the SMS Administrator console, follow these steps:
1. Expand the Reporting node.
2. Under the Reports node, right-click the desired report, point to All Tasks, select Run, and then select the reporting point on which to run the report.
When running a report from the URL interface, expand a category, select the report to be run, and then click the Display icon on the right side of the pane. The Report Results page opens in a separate Internet Explorer window regardless of which interface you used to run the report. Because the results are displayed in Internet Explorer, the browser's own controls offer many options for saving the result set or pointing others to it:
❑ Copy report data to the clipboard
❑ Save data as a text (.csv) file
❑ View as an exported (.csv) file
❑ Save as a URL
❑ Save as HTML
❑ Save as a Favorite
❑ Print
❑ Find
All of Internet Explorer’s capabilities are now options you may choose to use with your SMS reporting results. SMS Reporting is a very powerful and user-friendly tool, much better than the ways of Crystal Reports.
Cloning a Report Cloning a report is the easiest way to create a new report based on an existing one. After cloning, you can modify the properties of the new copy to suit your needs.
1. From the SMS Administrator console, right-click the name of the report you want to clone, point to All Tasks, and then click Clone.
2. In the New Report Name box, type a name, and then click OK. Except for the name and ID, the clone will be identical to the original report.
Report Prompts A report can have prompts. Prompts let you limit the scope of the data you present. A report can have more than one prompt, and each prompt can have a default value or a list of values for the user to choose from. To add or modify prompts, click Prompts in the Report SQL Statement dialog box. The value entered in the Name box is the variable name that the report's SQL statement references, written as @Name. The Prompt text box holds the text displayed to tell the user what value the prompt requires.
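As an added example, not taken from the book, here is a prompted report of the kind this dialog box produces. It lists each computer's operating system and is filtered by a prompt I named ComputerName. The views v_R_System and v_GS_OPERATING_SYSTEM are standard SMS 2003 views, and @__filterwildcard is the variable the pre-defined SMS 2003 reports use in their prompt SQL so that Report Viewer can filter the Values list.

```sql
-- Report SQL statement. The prompt's Name is ComputerName, so the statement
-- refers to it as @ComputerName. LIKE lets the user type a wildcard such as %.
SELECT  SYS.Name0           AS [Computer],
        OS.Caption0         AS [Operating System],
        OS.CSDVersion0      AS [Service Pack],
        OS.LastBootUpTime0  AS [Last Boot]
FROM    v_R_System SYS
        JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = SYS.ResourceID
WHERE   SYS.Name0 LIKE @ComputerName
ORDER BY SYS.Name0

-- Prompt SQL statement, entered in the Prompts dialog box for ComputerName.
-- Report Viewer runs it to fill the Values list, passing whatever the user
-- typed into the filter box as @__filterwildcard (empty when nothing was typed).
begin
  if (@__filterwildcard = '')
    SELECT DISTINCT Name0 FROM v_R_System ORDER BY Name0
  else
    SELECT DISTINCT Name0 FROM v_R_System
    WHERE  Name0 LIKE @__filterwildcard ORDER BY Name0
end
```

Keep the prompt variable inside the comparison as shown rather than pasting user input into the statement text: the prompt value arrives from the web interface and is passed to SQL Server as a parameter, which is what keeps a prompted report from becoming an injection point.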
Exporting and Importing Reports Sharing reports is easy with the ability to import and export them. The Export Object Wizard guides you through converting a report into a Managed Object Format (MOF) file; Read permission on any object you wish to export is required. When you export reports, SMS writes the object definitions to a MOF file, a text file that you can use to import the report object instances into your SMS database, or into another database. You can therefore share or move reports from site to site, whether your own or someone else's. Only the report object's definition is exported, never report data, and when you import and run a report that was created at another SMS site, the report runs against your site database, not the original site's. To export a report, you must have Read permission for the Reports security object class or instance. To import a report, you must have Create permission for the Reports security object class or instance. The report ID is unique for each report. When you export a report, the report ID is not written to the MOF file; this prevents you from accidentally replacing an existing report by importing a MOF file whose report ID matches that of an existing report. When you import reports, SMS assigns each imported report a new report ID. You can use the Import Object Wizard to import user-created MOF files that contain objects from multiple object classes; however, you must have Create permission for every object class in the MOF file, and any objects for which you lack permission are not imported. For example, if you import a MOF file that contains report and collection objects but you have Create permission only for the Reports object class, the collection objects are not imported. Always check any report that you plan to import into your environment: an existing report with the same name will be overwritten without warning. Take the time to edit any MOF file prior to importing to ensure the object names are not already in use. At http://www.myITforum.com/articles/8/view.asp?id=6371, you can find reports that other administrators have exported and uploaded, and you can import them into your organization.
Reports on myITforum.com As described in the article on myITforum.com, the SMS Administrator console provides a great way to export and import reports, collections, and queries. The list of all the MOF files you can import from myITforum.com can be found on the web at http://www.myitforum.com/inc/upload/SMS2003MOFs/SMS2003MOFs.htm. From this link, you can find reports already configured by other administrators.
myITforum.com also provides a section to download and upload SMS queries, reports, and MOFs. The download section is on the web at http://www.myitforum.com/downloads/default.asp?w=3&se=SMS+Queries%2C++Reports+and+MOFs. These reports will help you in creating your own custom reports; there is no reason to re-invent the wheel.
Report SQL Statement Dialog Box In the Report SQL Statement dialog box, you have the following options:
❑ Views: Displays the SMS database views.
❑ Columns: Displays the columns of the selected view.
❑ Insert: Inserts the selected view or column name into the SQL statement at the current cursor position.
❑ Values: Opens the Column Values dialog box, which lists the valid values for the selected column. You can select a single value to insert into the SQL statement at the current cursor position.
❑ SQL statement: Displays the SQL statement for the report.
❑ Prompts: Opens the Prompts dialog box, where you add or edit one or more prompts for the report. Prompts allow report users to supply values for variables used in the SQL statement each time the report is run.
You then see the equivalent of a query builder. However, if you do not enter a valid statement, the error returned when you click OK is not easy to read, so most people design and test their SQL in Query Analyzer first and then paste it in. You can also easily change properties that determine how a report is displayed, such as automatic refresh and chart creation (Office Web Components must be installed on the IIS server for charts). Specific values returned by your SQL statement can also be passed to other reports as prompts. For example, a report that lists all advertisements targeted at one computer could link to a drill-down into the status message details for each distribution.
Creating Reports You can create new reports in several ways, the easiest of which is to get a MOF file from someone else and import the report that she created into your site. Right-click the Reports node in the SMS Administrator console, select All Tasks ➪ Import Objects, and walk through the Import Wizard. To export your own reports, right-click on a report, select All Tasks ➪ Export Objects, and walk through the Export Wizard.
It's All in a View… SMS reporting accesses SMS data in SQL Server through the SQL Server views. Schema information views allow you to determine the names of all the views available and the schema for the inventory and discovery classes. The following table lists these schema information views.

View                      Description
v_SchemaViews             Lists all the views in the view schema family.
v_ResourceMap             Lists the resource type views.
v_ResourceAttributeMap    Lists the attributes for each resource type.
v_GroupMap                Lists the inventory groups for each inventory architecture.
v_GroupAttributeMap       Lists the attributes for each inventory group.
v_ReportViewSchema        Parallel to the SMS_ReportViewSchema class; lists all the classes and properties.
You should use the v_R_ resource views (v_R_System, v_R_User, v_R_UserGroup) whenever possible, as they match the current resource (system, user, group) to the data you want to report on. They contain the column that is most easily used in joins, ResourceID. You can see how these map together by querying v_ResourceMap and v_ResourceAttributeMap.
Not Such a Great View… Avoid the v_HS_ views for reports on current state: they are matched to the HIST tables, which contain archived copies of old inventory data, whereas the v_GS_ views contain the most recent data. You can use SQL Query Analyzer, shown in Figure 12-1, to run SELECT statements and get a better understanding of where all of your SMS data is stored. Use only SELECT statements and you will do no harm. Also remember that Microsoft supports querying the views, not querying the underlying SQL tables directly. When a prompted report's SQL uses LIKE, you can enter a wildcard character such as % to match all possible values, or click the Values button to browse the values currently available for input. Once you have selected a value for the prompt, click the Display icon to view the report.
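The following added example is mine, not the book's. It shows how to use the schema views to find the columns behind an inventory class, and then how the v_R_, v_GS_ and v_HS_ views relate. The column names on v_SchemaViews, v_GroupMap and v_GroupAttributeMap (ViewName, GroupName, InvClassName, ColumnName) and the TimeKey column on the history views are as I recall them from the SMS 2003 schema, so check them with a SELECT * if yours differ; the computer name WORKSTATION01 is a placeholder.

```sql
-- 1. Which views exist? Filter the schema family for the current-inventory
--    views. Underscore is a LIKE wildcard, so it is bracketed to match literally.
SELECT  ViewName
FROM    v_SchemaViews
WHERE   ViewName LIKE 'v[_]GS[_]%'
ORDER BY ViewName

-- 2. Which columns does one inventory class expose? Go through the group maps.
SELECT  gm.GroupName, gm.InvClassName, gam.ColumnName
FROM    v_GroupMap gm
        JOIN v_GroupAttributeMap gam ON gam.GroupID = gm.GroupID
WHERE   gm.InvClassName = 'v_GS_OPERATING_SYSTEM'
ORDER BY gam.ColumnName

-- 3. Current data: join the resource view to v_GS_ views on ResourceID.
--    LEFT JOIN keeps clients that have not yet reported hardware inventory,
--    which an inner join would silently drop from the report.
SELECT  SYS.Name0, SYS.Client_Version0,
        OS.Caption0, OS.CSDVersion0,
        CS.Manufacturer0, CS.Model0
FROM    v_R_System SYS
        LEFT JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = SYS.ResourceID
        LEFT JOIN v_GS_COMPUTER_SYSTEM  CS ON CS.ResourceID = SYS.ResourceID
WHERE   SYS.Client0 = 1
ORDER BY SYS.Name0

-- 4. History: the v_HS_ view for the same class holds the archived rows,
--    one per inventory cycle that changed something, stamped with TimeKey.
SELECT  SYS.Name0, HS.Caption0, HS.CSDVersion0, HS.TimeKey
FROM    v_R_System SYS
        JOIN v_HS_OPERATING_SYSTEM HS ON HS.ResourceID = SYS.ResourceID
WHERE   SYS.Name0 = 'WORKSTATION01'
ORDER BY HS.TimeKey DESC
```

Query 3 is the shape almost every custom report takes; query 4 is what you want when the question is "when did this change", for example to see the service pack a machine reported before a patch cycle.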
Scheduling Reports Report Viewer generates a unique URL for each report and dashboard that you run. The URL contains the report ID and the variable names that you used to run the report. You can use the URL to schedule a report or dashboard to run (or to run and export the data to a file) at a specified interval.
Figure 12-1
You do this by configuring the Scheduled Tasks feature of your operating system to start Internet Explorer with a URL.
Dashboards Reporting is really the major part of the dashboard. The dashboard merely presents selected reports in a grid pattern to the user. Savvy users can customize colors and add logos, charts, and so on. For the majority of users, most of the pre-defined reports should satisfy them. If not, then the material that follows should help. Like the instrument panel in a car, a “dashboard” displays critical info in easy-to-follow drill-down links, assembled from data pulled in real time from your SMS database via SMS views. Most reporting dashboards serve as a launch pad to access the underlying detail. The initial report often contains links to more reports for additional detail that, in turn, may link to even more reports.
Spreadsheets and charts may be leveraged within the reports or as separately linked products/interfaces in the sequence.
Creating Dashboards Creating dashboards can be very easy; however, creating really good dashboards can be a talent that some administrators never master. Dashboards can be created to allow managers to check up on their department’s software usage as it compares to the installed software, or they can be simple queries to see how many versions of a software application are being used throughout your organization. There are no default dashboards, but plenty of preconfigured reports are supplied. It is from these reports that you can quite easily create your own dashboard, or you can be brave and create your own custom reports. To create a dashboard, right-click on the Dashboards folder shown in Figure 12-2 and select New and then Dashboard. On the General tab that appears, as shown in Figure 12-3, give your dashboard a name. Comments may be entered to further define your dashboard.
Figure 12-2
Figure 12-3
On the Reports tab, shown in Figure 12-4, you define the rows and columns that will be displayed when your dashboard is viewed. The default is 2 rows and 2 columns.
Figure 12-4
Determine the number of rows you would like and the number of columns. Then right-click to select the report that you want to have displayed in which row or column.
SQL Versus WQL When you create dynamic collections in SMS using query-based rules, you have to define the query in WQL. SQL offers far more functionality, not to mention that you are far more likely to find a SQL expert within your company than a WQL one. When you create a query-based rule in the SMS Administrator console, SMS stores the WQL and also translates it into a SQL query. The WQL and SQL are stored in the Collection_Rules_SQL table, keyed by CollectionID and query index. When SMS performs collection evaluation, it uses the SQL query in the SQL column of this table rather than the WQL. As broad a tool as SQL is, I will not dive into the workings of SQL query building. However, I will briefly discuss how to link reports together so you can create reports with drill-down capabilities. Reports are very powerful, but only as powerful as you make them. If you want to offer the end user the ability to pick just a certain item to report on, create a prompted report. As I discussed previously, there are many resources with example reports that you can use to build your own, so I will not go into detail on creating the reports themselves. However, I do discuss linking reports for drill-down capabilities. On the Links tab of the All Collections report's Properties dialog box, shown in Figure 12-5, you can specify whether to link to another report, to Computer Details, to Status Message Details, to a specific URL, or not to link at all.
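As an added illustration, not from the book, here is one query-based collection rule written in WQL, the SQL that expresses the same membership against the views, and a read-only look at the stored translation. The WQL and the view names are standard SMS 2003; the collection ID ABC00010 is a placeholder, and the column names on Collection_Rules_SQL other than CollectionID (QueryID, QueryExpression, SQL) are as I recall them, so use SELECT * if yours differ. Query that table only with SELECT; your reports should stay on the supported views.

```sql
-- WQL rule as typed into the Query Rule Properties dialog box
-- (string literals in WQL use double quotes):
--
--   select SMS_R_System.ResourceID, SMS_R_System.Name
--   from SMS_R_System
--   inner join SMS_G_System_OPERATING_SYSTEM
--     on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceID
--   where SMS_G_System_OPERATING_SYSTEM.Caption like "%Windows XP%"
--     and SMS_R_System.Client = 1

-- The same membership in SQL against the views. String literals use single
-- quotes, WQL class SMS_G_System_X maps to view v_GS_X, and property P maps
-- to column P0 (Name becomes Name0, Client becomes Client0).
SELECT  SYS.ResourceID, SYS.Name0
FROM    v_R_System SYS
        JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = SYS.ResourceID
WHERE   OS.Caption0 LIKE '%Windows XP%'
  AND   SYS.Client0 = 1

-- Read-only look at what SMS stored for one collection's rules: the WQL you
-- typed (QueryExpression) and the SQL that Collection Evaluator actually runs.
SELECT  CollectionID, QueryID, QueryExpression, SQL
FROM    Collection_Rules_SQL
WHERE   CollectionID = 'ABC00010'
```

Running the SQL form in Query Analyzer before you save the WQL rule is a quick way to confirm that a collection will contain what you expect, and the third query is the one to reach for when a collection's membership does not match the rule you think you wrote.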
Figure 12-5
If you choose to link to another report, you are prompted with the report to link to, as shown in Figure 12-6. This dialog box enables you to specify which report, and if that report has prompts, then you specify which column in the report contains the data for the prompt in the new report.
Figure 12-6
In the Link Type field shown in Figure 12-7, if you choose Link To Computer Details, you are prompted with Figure 12-8. This dialog box enables you to specify which column contains the Computer name.
Figure 12-7
If you choose Link To Status Message Details, you can specify which column contains the RecordID to return the status message. If you choose Link To URL as in Figure 12-9, you can specify a link to a URL that you determine. You can use this to link to a specific Microsoft KB Article or something internal, or something else.
Figure 12-8
Figure 12-9
Providing Custom Consoles One of the great things about SMS Web Reporting is that it is all done through ASP pages and HTML. These pages are highly customizable if you know ASP and HTML along with basic SQL. As I discuss in Chapter 15, free tools are out there that rely heavily on the work Microsoft put into these Web Reports. One of the tools discussed in Chapter 15, the SMS 2003 Web Remote tools, was written in ASP and is a
highly customizable web-based SMS 2003 console. This tool allows you to provide a custom web application to your users so that you give them only the functions you want them to have. The tool is very easy to customize and requires only basic HTML and ASP coding. Any questions or upgrade enhancements can be forwarded to the SMS email list on www.myITforum.com because the author of this tool (yours truly) subscribes to the email lists on www.myitforum.com.
Providing Access to Web Reports Access to the Web Reports requires only Read Access to the report you want others to view. Granting access, discussed in Chapter 3, can be for all reports or you can narrow it down to a single report. The only requirement for end users is to have access to the SMS Reporting point site address and for them to have at least Read access to the individual report.
Summary As you have seen in this chapter, SMS 2003 has very rich and detailed reporting built into the SMS Administrator console, and it gives non-SMS administrators the ability to look at reports. SMS has really improved over the years in its out-of-the-box web-based reporting, and there are many resources to help make your customizations richer and more detailed. This chapter showed where to find custom reports on www.myITforum.com so that you do not have to re-invent the wheel and so you have examples to help build your own custom reports. In the next chapter, I discuss one of the most powerful features of SMS 2003: managing your software updates through the Inventory Tool for Microsoft Updates. I go over the importance of keeping your operating systems up to date and discuss how to create reports to ensure your updates are applying to the individual systems.
Managing Software Updates In this chapter, I discuss how SMS 2003 can help manage software updates, starting with downloading and installing the Inventory Tool for Microsoft Updates (ITMU) and ensuring you are using the latest WSUSScan.cab catalog file. I then discuss the process needed to distribute software updates to the client. SMS 2003 has built-in tools to help you accomplish software updates; however, Microsoft has released the ITMU, which greatly improves the process of delivering not only Windows updates but also updates for Microsoft Office products and other Microsoft software. As you have learned, SMS 2003 has many reports to help you keep track of the hardware and software installed on the clients, and the ITMU adds objects to assist with Microsoft updates on each of the SMS clients. With the ever-increasing number of threats and viruses in the modern information environment, patch management has risen to the top of most administrators' concerns. SMS 2003's built-in tools provide an easy way to manage and distribute patches. Although software updates are included out of the box, Microsoft's Inventory Tool for Microsoft Updates combines the patching solutions in one familiar tool. The ITMU scans for updates based on the Microsoft Update catalog from the Microsoft Update website. Download the SMS2003ITMU_ENU.exe file from Microsoft.com (http://go.microsoft.com/fwlink/?linkid=50169). After you successfully download the file, run it. This process creates two folders and some files on your local hard drive. The extraction creates the HOTFIXES and WUA64 folders. The HOTFIXES folder has all the hotfixes required on the clients prior to installing ITMU. The extraction also creates four files in the root folder: SMSITMU.msi, the deployment guide, the preinstallation guide, and a readme file.
Installing the ITMU Before installing ITMU, read the preinstallation guide and make sure you fully understand it. I briefly discuss the steps you need to complete prior to installing the Microsoft ITMU, but I highly recommend reading the SMSITMUPreInstallationguide.doc included in the download. The SMS servers and clients need a few updates before the ITMU installation can take place. You should install the latest version of the SMS client; if you can't deploy it for some reason, you can install the other hotfixes instead and still be able to use the ITMU. Back up your SMS database before applying updates to the SMS servers. After you have backed up your SMS database and reread the preinstallation guide, apply KB 900257 to all the site servers and SMS Administrator consoles from which you want to deploy updates. Then install KB 900401. This is a SQL script that must be run against the site database of every site server that returns compliance information in queries or reports; without it, software update compliance information is not returned correctly. The script requires that you stop all SMS services before running it. Next, install either KB 901034 alone, or both KB 899512 and KB 892044. KB 901034 contains a new SMS advanced client and updates to the management points; it needs to be installed on all management points in the primary site, all proxy management points in secondary sites, and all advanced clients that will run the SMS ITMU. I recommend KB 901034; however, if you can't install a new client, apply both KB 899512 and KB 892044. KB 899512 is installed on all management points in the primary site, all proxy management points in the secondary sites, and all the advanced clients that will run the SMS ITMU. KB 892044 is applied to all the advanced clients that will run the SMS ITMU.
It is important to ensure the KB updates have been applied successfully prior to installing the SMS ITMU. The preinstallation guide from Microsoft.com has a few queries to help identify clients that don’t have the KB updates. To query for SMS advanced clients that are not at the latest version of the client, use this code:

Select * from SMS_R_System where ClientVersion < "2.50.3174.1152" and ClientType = 1

To query for SMS clients that do not have support for KB 899512 and should be upgraded to the newest client (KB 901034) or patched with KB 899512, use this code:

Select * from SMS_R_System inner join SMS_G_System_SMS_ADVANCED_CLIENT_STATE on SMS_G_System_SMS_ADVANCED_CLIENT_STATE.ResourceID = SMS_R_System.ResourceID where SMS_R_System.ClientType = 1 and SMS_G_System_SMS_ADVANCED_CLIENT_STATE.Name = "smsCommon" and SMS_G_System_SMS_ADVANCED_CLIENT_STATE.Version < "2.50.3174.1147"
You should also query for SMS advanced clients that do not have support for KB 892044 and that should be updated either to the new client or by installing KB 892044:

Select * from SMS_R_System inner join SMS_G_System_SMS_ADVANCED_CLIENT_STATE on SMS_G_System_SMS_ADVANCED_CLIENT_STATE.ResourceID = SMS_R_System.ResourceID where SMS_R_System.ClientType = 1 and SMS_G_System_SMS_ADVANCED_CLIENT_STATE.Name = "SmsSoftwareUpdate" and SMS_G_System_SMS_ADVANCED_CLIENT_STATE.Version < "2.50.3174.1150"
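The three queries above compare version strings with "<". ClientVersion and the component Version values are string properties, so a string "<" orders them character by character rather than field by field, which can pass an older build whose last field has fewer digits. The following script is an added example, not from the book or the ITMU download: it applies the same three prerequisite rules to a constructed set of inventory rows (all computer names and versions are made up) using numeric dotted-version comparison, and lists the clients where a string comparison would disagree, so you can spot-check the collection results before trusting them.

```python
"""ITMU prerequisite check applied outside WQL.

Added example, not from the book or the ITMU download. It applies the three
prerequisite rules from the text to constructed inventory rows using numeric
dotted-version comparison and reports where a string '<' would disagree.
"""
from typing import Dict, List, Tuple

# Thresholds quoted in the text (from the ITMU preinstallation guide).
MIN_CLIENT_VERSION = "2.50.3174.1152"      # advanced client from KB 901034
MIN_SMSCOMMON_VERSION = "2.50.3174.1147"   # smsCommon component, KB 899512
MIN_SWUPDATE_VERSION = "2.50.3174.1150"    # SmsSoftwareUpdate component, KB 892044

ADVANCED_CLIENT = 1  # ClientType = 1 in SMS_R_System


def version_tuple(text: str) -> Tuple[int, ...]:
    """'2.50.3174.1152' -> (2, 50, 3174, 1152), so each field compares as a number."""
    return tuple(int(part) for part in text.split("."))


def is_below(found: str, required: str) -> bool:
    """Numeric comparison: the intent behind the '<' in the queries."""
    return version_tuple(found) < version_tuple(required)


def wql_string_below(found: str, required: str) -> bool:
    """What a string '<' actually evaluates: character-by-character ordering."""
    return found < required


# Constructed inventory rows standing in for SMS_R_System joined to
# SMS_G_System_SMS_ADVANCED_CLIENT_STATE. Names and versions are made up.
CLIENTS: List[Dict[str, object]] = [
    {"Name": "WS001", "ClientType": 1, "ClientVersion": "2.50.3174.1152",
     "smsCommon": "2.50.3174.1147", "SmsSoftwareUpdate": "2.50.3174.1150"},
    {"Name": "WS002", "ClientType": 1, "ClientVersion": "2.50.2726.0",
     "smsCommon": "2.50.2726.0", "SmsSoftwareUpdate": "2.50.2726.0"},
    {"Name": "WS003", "ClientType": 0, "ClientVersion": "2.50.2726.0",   # legacy client: out of scope
     "smsCommon": "2.50.2726.0", "SmsSoftwareUpdate": "2.50.2726.0"},
    {"Name": "WS004", "ClientType": 1, "ClientVersion": "2.50.3174.999",  # older build, shorter last field
     "smsCommon": "2.50.3174.1147", "SmsSoftwareUpdate": "2.50.3174.1150"},
]


def _advanced(rows):
    return [r for r in rows if r["ClientType"] == ADVANCED_CLIENT]


def needs_client_upgrade(rows) -> List[str]:
    """Query 1: advanced clients below the KB 901034 client version."""
    return sorted(r["Name"] for r in _advanced(rows)
                  if is_below(r["ClientVersion"], MIN_CLIENT_VERSION))


def needs_kb899512(rows) -> List[str]:
    """Query 2: advanced clients whose smsCommon component is too old."""
    return sorted(r["Name"] for r in _advanced(rows)
                  if is_below(r["smsCommon"], MIN_SMSCOMMON_VERSION))


def needs_kb892044(rows) -> List[str]:
    """Query 3: advanced clients whose SmsSoftwareUpdate component is too old."""
    return sorted(r["Name"] for r in _advanced(rows)
                  if is_below(r["SmsSoftwareUpdate"], MIN_SWUPDATE_VERSION))


def missed_by_string_compare(rows) -> List[str]:
    """Clients that numeric comparison flags but a string '<' would pass."""
    return sorted(r["Name"] for r in _advanced(rows)
                  if is_below(r["ClientVersion"], MIN_CLIENT_VERSION)
                  and not wql_string_below(r["ClientVersion"], MIN_CLIENT_VERSION))


if __name__ == "__main__":
    print("client upgrade needed:", needs_client_upgrade(CLIENTS))
    print("KB 899512 needed:     ", needs_kb899512(CLIENTS))
    print("KB 892044 needed:     ", needs_kb892044(CLIENTS))
    print("missed by string '<': ", missed_by_string_compare(CLIENTS))
```

On the constructed rows, WS002 fails all three checks, WS003 is skipped because it is a legacy client, and WS004 is the case to watch: its client build "2.50.3174.999" is numerically below the required version but sorts above it as a string, so it would not appear in the first collection query even though it still needs the new client.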
When you are positive that all the preinstallation requirements are in place in your environment, you are ready to install the ITMU. To install it, you will need to run SMSITMU.msi on any of your SMS primary servers. The Inventory Tool for Microsoft Updates Setup Wizard will appear, as shown in Figure 13-1.
Figure 13-1
When prompted, click Next. The License Agreement dialog box will appear. After you have read the license agreement and agreed to its terms, click Next. You will be prompted to specify the folder where you want to install the ITMU. Then the Synchronization Host Computer dialog box will appear, as shown in Figure 13-2. In this dialog box, you will be required to enter the name of the SMS advanced client that will retrieve the latest Windows Update Catalog. You will have two options to retrieve it: You can download it from the Internet, or you can download the catalog from another system and the synchronization host will copy it from a local folder. If you download the catalog from another machine and use manual synchronization, the folder must contain the WSUSScan.cab file for the synchronization to be successful. You will be given the option to enter a name for the SMS objects; in this book, I use the default object name, which is Microsoft Updates Tool. You will also need to enter the name of the SMS advanced client computer that will be used as the test system for deploying updates with the ITMU.
Figure 13-2
If you choose to use a test system, the SMS objects for the ITMU will be created during setup. If you don’t use a test system, you will need to create the advertisements and collections yourself, or modify any current objects. You will be prompted to create the SMS objects for deploying the inventory tool in the Distribution Settings For The Inventory Tool dialog box, as shown in Figure 13-3.
Figure 13-3
You will be prompted to create the Windows Update Agent SMS objects, as shown in Figure 13-4. If you choose the defaults, the SMS Inventory Tool for Microsoft Updates installation will create two packages for you called Windows Update Agent and Microsoft Updates Tools, as discussed earlier. You can change the name for these SMS objects so they will be different in your organization.
Figure 13-4
After setup completes, you will need to verify that the ITMU successfully installed. To do so, open the SMS Administrator console, expand Site Database, and click Collections. If you chose the defaults during installation, you will see three new collections: Microsoft Updates Tool, Microsoft Updates Tool (Pre-Production), and Microsoft Updates Tool Sync. Setup of the ITMU also creates two new packages: Microsoft Updates Tool and Windows Update Agent. Under the Advertisements section of the SMS Administrator console, you will need to verify that setup created two new advertisements as well, Microsoft Updates Tool and the Microsoft Updates Tool Sync advertisements. Do not rename the packages or move the packages after the ITMU installation has completed. The Inventory tool for Microsoft updates requires that the client computers be running at least Microsoft Windows 2000 Professional SP3 or later. If you need to scan older systems, you can still use SMS 2003 to deploy the updates; however, you will have to use the Security Update Inventory tool. I will discuss the Security Update Inventory tool later in this chapter. The ITMU automatically runs updates from the Pkgsource folder by obtaining the latest Windows Update Catalog from the Internet or from the local catalog location you specified during installation. You can obtain a copy of the Windows Update Catalog from the Microsoft Windows Update site (http://go.microsoft.com/fwlink/?linkid=40751). This file is updated at least once a month
from Microsoft, with the normal “Patch Tuesday” updates that Microsoft releases. However, you should check the site frequently to ensure you have the latest version of the catalog. By default, the catalog synchronization takes place while a user is logged on and runs under the current user context. This can cause problems for some organizations because the synchronization host PC requires both an Internet connection and a logged-on user during synchronization. However, you can configure the synchronization to run in Unattended Mode. The instructions are documented in the “Microsoft Systems Management Server 2003 Inventory Tool for Microsoft Updates Deployment Guide,” which is included with the download file or available on the Microsoft website. After the ITMU has been configured, you will need to complete a hardware inventory before you can distribute software updates to the SMS clients. Once the hardware inventory has been completed, the ITMU is ready to distribute software updates. To begin distributing software updates to an SMS client, open the SMS Administrator console and browse to the Software Updates object. Right-clicking the Software Updates object will reveal the menu for this object. From the menu, point to All Tasks and click Distribute Software Updates. The Distribute Software Updates Wizard will appear, as shown in Figure 13-5.
Figure 13-5
Click Next. The Specify A Software Update Type dialog box, as shown in Figure 13-6, will appear. Click Select An Update Type, click Microsoft Update, and then click Next. In the Create An SMS Package, Or Modify Packages And Updates dialog box, which is shown in Figure 13-7, select New and then click Next.
Figure 13-6
Figure 13-7
You will be presented with the Package Name box, where you can enter the name for the Microsoft Update package you are creating. Make sure the name is descriptive enough to indicate what updates this package contains. You will be presented with the Customize The Organization dialog box, as shown in Figure 13-8. When you fill out this option, try to be consistent with your packages, because your users will be familiar with them when you want to send packages for Microsoft Updates.
Figure 13-8
You can also import a rich text file to explain what is about to take place. This file, of course, will not be useful if you are using unattended installations. After you have made the necessary customizations, click Next. The Select An Inventory Scanning Program dialog box, as shown in Figure 13-9, will appear. This page will allow you to select the scanning program you want to use for this package. Make sure the Microsoft Update tool program is selected and select your package.
Figure 13-9
The Add And Remove Updates dialog box, which is shown in Figure 13-10, appears next. This dialog box displays all the updates that are applicable at the site. You can use any of the filter buttons along the top of the window to help you narrow down the specific update you want to distribute. If the Information button is active after you have made your selections and updates, any additional updates that are related to your selection will be displayed. You can choose to have the additional updates automatically selected for you. This will help ensure that all the related updates for the particular update are distributed.
Figure 13-10
It is a best practice to group your installations. For example, if a group of updates needs to be installed on a lot of machines, you can group those updates into the same package. You will need to select the update for the specific product to which you want to apply the update, and then click Next. You will have the option to automatically download the update or find it on a local source. At this point, SMS 2003 ITMU will verify the software updates against the catalog to ensure you have the correct update. In Figure 13-11, notice the Yes under the Ready column. The Yes indicates that the software update is ready to be distributed to the clients: the files have been downloaded, and SMS 2003 ITMU has verified the file against the catalog file. This step gives you a chance to verify the update and make sure it is the one you want to send to your SMS clients. If you manually download the file, you will need to configure the settings for distributing the software update; however, if you let SMS automatically download the file, SMS will set the command-line parameters for you. Next, you will need to update your distribution points with the information about the new package. The wizard will prompt you to select the SMS distribution point you want to use for client access to the update.
Figure 13-11
After you click Next on the Update Distribution Points page, you will be asked to select the agent settings to apply after the installation. The first of three Configure Installation Agent Settings pages will appear. After you configure these settings, you will be prompted to select the recurrence interval of the update, as shown in Figure 13-12.
Figure 13-12
This wizard will allow you to automatically create an advertisement and configure the group or collection to which the update should be distributed. Click Finish when the Completing The Distribute Software Updates Wizard dialog box appears.
Synchronizing the WSUSScan.cab

If it is configured to do so, the synchronization host will attempt to update the WSUSScan.cab on a daily basis. However, you might need to manually download the WSUSScan.cab file. You can download the catalog from the Microsoft update site at http://go.microsoft.com/fwlink/?linkid=40751. I recommend bookmarking this site as a favorite, so it will always be handy when you want to check the version of the local WSUSScan.cab file against the version on the Microsoft update site. By default, the synchronization host must be an advanced client, and the user must be logged on when the synchronization is scheduled to occur. You can configure the synchronization host to run in Unattended Mode. This will allow the tasks of synchronization to be run under the local system. To allow the local system to run the synchronization of the WSUSScan.cab file, you will need to configure some permissions and firewall settings on the host. If you want to change the synchronization host computer, you just need to modify the collection to include the new synchronization host. This collection should contain exactly one advanced client, no more and no less.
Distribute Software Updates Wizard

As I discussed earlier in this chapter, the recommended way to distribute updates is to use the ITMU from Microsoft. Software updates can be distributed on individual clients or on a group of clients within a collection. To distribute software updates on a client or collection, right-click on the collection or the client, move down to and select All Tasks, and then click Distribute Software Updates. This will bring up the Distribute Software Updates Wizard shown in Figure 13-13.
Figure 13-13
After you click Next, the Specify A Software Update Type dialog box, which is shown in Figure 13-14, will appear. Click Select An Update Type, select Microsoft Update from the drop-down list, and then click Next.
Figure 13-14
In the Create An SMS Package, Or Modify Packages And Updates dialog box, shown in Figure 13-15, select New and then click Next. All of the SMS packages created by the Inventory Tool For Microsoft Updates will be listed. You can use this list to choose a package you already have created. If you choose a package that has already been created, the Identify The SMS Package dialog box, shown in Figure 13-16, will appear.
Figure 13-15
Figure 13-16
As you can see, the Package Name field is already filled in and grayed out, along with the software update type. You can change the Program name or click the Advanced button. This button will allow you to import a custom authorization list file for the update. Next, the Customize The Organization dialog box, as shown in Figure 13-17, will appear. When you complete this dialog, try to keep your name consistent with your package names; your users will be familiar with them when you send packages for Microsoft updates. You can also import a rich text file for users to read. You can use this file to help explain the issue the software update is resolving, and you can give the user a list of changes they should see. I usually give my contact information so that users with questions or concerns about this update can contact me.
Figure 13-17
Click Next. The Select An Inventory Scanning Program page, as shown in Figure 13-18, will appear. You can use this dialog box to specify which scanning tool package and program should be used to detect whether the updates in this package are needed on the client. The next dialog box that will appear is Add And Remove Updates, as shown in Figure 13-19. This dialog box allows you to specify any additional updates you want to apply along with this update. Using the dialog box, you will need to select the update for the specific product you want to update. Then click Next. If you added additional files, you will have the option to automatically download the update or find it on a local source.
Figure 13-18
Figure 13-19
At this point, the SMS 2003 ITMU will verify the software updates against the catalog to make sure you have the correct update. The ITMU will show you what software updates are available in this package and whether they are ready to distribute. Next, you will need to update the distribution points with the information about the new package. As shown in Figure 13-20, the wizard will prompt you to select the SMS distribution point you want to use for client access to the update.
Figure 13-20
After you click Next on Specify A Source Directory For Files, you will be asked to select the agent settings to perform after the installation is complete. Figures 13-21, 13-22, and 13-23 show the Configure Installation Agent settings.
Figure 13-21
Figure 13-22
Figure 13-23
After you customize the Agent Settings, the Advertise Update dialog box will appear. This will allow you to distribute this software update package to a collection. When you are finished, you will have created a package and an advertisement of that package to a collection. When the clients refresh their machine policies, the package will be distributed to the clients for them to apply the update. After you distribute the software updates, you need to verify that they were successful.
Verifying the Results of the ITMU

The SMS 2003 Inventory Tool for Microsoft Updates offers several ways to verify its results. SMS ITMU results can be verified by looking at the reports, by looking at status messages, and by browsing the Resource Explorer entries for each computer.
Reports

The ITMU setup installs some new reports to allow administrators to check the status of the Microsoft updates on the SMS clients. Setup creates the following new reports:

❑ A list of computers that have not scanned with latest synchronized catalog
❑ Compliance by Bulletin ID and QNumber
❑ All computers with a specific update advertisement state
By checking the current version of the catalog on the server and on the clients, you can use the List Of Computers That Have Not Scanned With The Latest Synchronized Catalog report to help determine which clients have not returned inventory results. The Compliance By Bulletin ID And QNumber report will display the compliance status of computers in a collection. You can run this report before or after you run the Distribute Software Updates Wizard. Run it before the wizard to check how many computers need a particular update and what operating systems those clients have, so that you can build your ITMU package properly. After you distribute the software, you can rerun this report to see how many of the clients successfully applied the updates. I recommend using the new reports or checking the Resource Explorer to check the status of updates applied by using the ITMU. However, you can use the status messages if you would like. The other tools are recommended because the status messages are generated for individual events; it can be difficult to narrow your searching down to find individual clients with the new software distribution status.
Status Messages

If you want to view status messages, look for the message IDs shown in the following table.

Message | Meaning
10002 | Advertisement was received.
10005 | Program was started.
10009 | Program was completed by MIF.
11255 | Software Updates Installation Agent returned the results of 1 authorized, 1 attempt, and 0 failed.
11266 | Software Updates Installation Agent completed the installation and suppressed the reboot required.
11267 | Software Updates Installation Agent completed the installation and suppressed the reboot required for servers.
11270 | Reboot is required.
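Because status messages arrive one per event, the practical way to use them for software update verification is to roll them up per computer. The following script is an added example, not from the book: it takes constructed status-message rows (computer name plus message ID; the names and the rows are made up), uses the message IDs from the table above together with 11411 from the troubleshooting section later in this chapter, and reduces each computer's messages to one outcome that tells you whether anything still needs attention (prerequisites missing, reboot pending, update never started). The ordering of the rules is the design choice: the most actionable state wins.

```python
"""Per-computer rollup of ITMU status messages.

Added example, not from the book. Constructed status-message rows are
reduced to one outcome per computer using the message IDs from the chapter.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Message IDs and meanings as listed in the chapter.
MESSAGE_MEANINGS: Dict[int, str] = {
    10002: "Advertisement was received",
    10005: "Program was started",
    10009: "Program was completed by MIF",
    11255: "Installation agent returned results",
    11266: "Installation completed, reboot suppressed",
    11267: "Installation completed, reboot suppressed (server)",
    11270: "Reboot is required",
    11411: "Client prerequisites not met",
}

# Constructed rows: (computer, message ID). Real rows would come from the
# status message viewer or the site database; these are made up for the demo.
SAMPLE_MESSAGES: List[Tuple[str, int]] = [
    ("WS001", 10002), ("WS001", 10005), ("WS001", 11255), ("WS001", 11266),
    ("WS002", 10002), ("WS002", 10005), ("WS002", 11255), ("WS002", 11270),
    ("WS003", 10002), ("WS003", 10005), ("WS003", 11411),
    ("WS004", 10002),
    ("WS005", 10002), ("WS005", 10005),
    ("WS006", 10002), ("WS006", 10005), ("WS006", 11255),
    ("WS005", 12345),  # unknown ID: ignored by the rollup but reported separately
]


def outcome(ids: Set[int]) -> str:
    """Reduce the message IDs seen for one computer to a single state.
    Order matters: a prerequisite failure or a pending reboot needs action,
    a completed install needs none, and a bare start means wait or investigate."""
    if 11411 in ids:
        return "prerequisites missing"
    if 11270 in ids:
        return "reboot required"
    if ids & {11266, 11267}:
        return "installed, reboot suppressed"
    if 10009 in ids:
        return "program completed"
    if 11255 in ids:
        return "results returned"      # check the authorized/attempted/failed counts in the message text
    if 10005 in ids:
        return "started, no result"
    if 10002 in ids:
        return "advertisement received"
    return "no messages"


def rollup(rows: Iterable[Tuple[str, int]]) -> Dict[str, str]:
    """Map each computer to its outcome, in computer-name order."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for computer, msg_id in rows:
        seen[computer].add(msg_id)
    return {computer: outcome(ids) for computer, ids in sorted(seen.items())}


def unknown_ids(rows: Iterable[Tuple[str, int]]) -> List[int]:
    """Message IDs not in the table, so they can be looked up rather than silently dropped."""
    return sorted({msg_id for _, msg_id in rows if msg_id not in MESSAGE_MEANINGS})


def summary(rows: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Count of computers per outcome, for a quick compliance picture."""
    counts: Dict[str, int] = defaultdict(int)
    for state in rollup(rows).values():
        counts[state] += 1
    return dict(counts)


if __name__ == "__main__":
    for computer, state in rollup(SAMPLE_MESSAGES).items():
        print(f"{computer}: {state}")
    print("summary:", summary(SAMPLE_MESSAGES))
    print("unknown message IDs:", unknown_ids(SAMPLE_MESSAGES))
```

On the constructed rows WS002 shows as "reboot required" and WS003 as "prerequisites missing", which are the two states that need an administrator to act; WS006 reports only 11255, so the script points you at the message text rather than guessing that the install succeeded.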
Even though Microsoft has put a lot of work into the new Inventory Tool for Microsoft Updates, your organization could encounter some problems. In the following sections, I talk about some of the major issues that have appeared on the myITforum.com email distribution lists.
ITMU Updates Fail When Scan Tool Fails to Run

In some cases, the SMS clients failed to run the new update because the scan tool failed. The following batch file will help you resolve this issue by re-registering the Windows Update Agent components and clearing the SoftwareDistribution cache.

@echo off
rem Re-register the Windows Update Agent DLLs silently.
cd /d %windir%\system32
regsvr32 wuapi.dll /s
regsvr32 wuaueng.dll /s
regsvr32 wuaueng1.dll /s
regsvr32 wucltui.dll /s
regsvr32 wups.dll /s
regsvr32 wups2.dll /s
regsvr32 wuweb.dll /s
rem Stop Automatic Updates and BITS before removing the download cache, then restart them.
net stop wuauserv
net stop bits
rmdir /S /Q %windir%\softwaredistribution
net start wuauserv
net start bits
exit /B 0
Error 11411 in the Status Messages

This error typically occurs because all the requirements are not met on the clients. When clients fail with this error code, you need to look at the status message and drill down through the message details to find out which component is missing or not up-to-date. These requirements are discussed briefly at the beginning of this chapter and in the SMS 2003 Inventory Tool for Microsoft Updates Preinstallation Guide. You need to complete these steps before you use the Inventory Tool for Microsoft Updates. All of the KB updates needed to use the Inventory Tool for Microsoft Updates are included with the download of the tool.
Summary

In this chapter, I discussed how to install and use the Inventory Tool for Microsoft Updates. Along with this tool, you learned how to configure the synchronization host, how to verify that you are using the correct cabinet file, and how to send out updates to various collections and individual clients. You should always distribute newly created packages to a test collection to verify that the package installed
properly on the clients. Make sure the test collection represents the variety of clients installed in your organization. Because of the ever-increasing threat of security breaches, patch management has become the number one concern for most information technology administrators. SMS 2003 delivers a very robust and thorough way to apply patches, and it supplies very rich reporting tools to help track the patches as they are applied throughout an organization. This tool allows SMS administrators to quickly build packages that contain Microsoft software updates and to deploy those packages to clients in a timely manner. Each organization should evaluate its patch management deployment system regularly and ensure that its method effectively applies the patches to the various clients. In Chapter 17, I discuss the new features found in SMS 2003 R2 and the Inventory Tool for Custom Updates. I also explain how you can use this tool to patch your in-house applications and other third-party applications. In the next chapter, I discuss the various troubleshooting techniques offered for SMS 2003. I explain how to monitor software distribution, client health, and various log files. I also explain how to configure firewalls so that SMS 2003 can communicate across various organizations.
Chapter 14: Troubleshooting

In previous chapters I discussed SMS 2003 site configuration, client installation, and the methods of performing inventory and software distribution. I have assumed that all functions are working perfectly. Unfortunately, SMS 2003 is so dependent on other software (IIS, SQL, and so on) that many times implementations need administrative assistance to complete. In addition, SMS depends heavily on network connectivity, disk resources, and (in large sites) load balancers. A problem with any of these can cause problems with your hierarchy. In this chapter, I provide some basic troubleshooting and maintenance tips. After reading this chapter, you should have an idea of how to implement a maintenance plan that will minimize problems. Problems that do occur should become apparent rather quickly, allowing administrators to shorten downtimes. This chapter also includes some basic troubleshooting techniques for use when working with SMS 2003 sites and clients. Please be aware that this chapter is not by any means a comprehensive SMS 2003 troubleshooting guide. The topic could easily fill a second book. The goal of this chapter is to act as a reference and starting guide for administrators attempting to resolve problems with SMS 2003 sites and clients. That being said, this chapter, above all others, should be the one with the page corners folded down.
Preventing Problems

The best way to prevent problems in SMS 2003 is to build and stick to a standard maintenance plan. A properly executed maintenance plan (even if it is not complete per best practice) will keep administrators in touch with their hierarchies, and offer a better chance of finding issues proactively. SMS 2003 offers several automated tasks out-of-the-box that can help with reducing future issues. However, for many administrators, identifying the key points to maintain is still difficult. To help with this effort, I have provided a sample maintenance plan. In the following table, I have estimated intervals for a medium-sized hierarchy of five thousand clients. These intervals may not be appropriate for your particular situation; they are meant as guidelines only.
Task | Interval | Comments
Check status messages for warnings and errors | Daily | Available in SMS 2003 Web Reports and the Administrator console.
Check primary site event logs for warnings or errors | Daily |
Check SQL Error log | Daily | This log rarely shows a problem, but when it does, the problem would have a major impact.
Monitor SMS Inbox folders | Daily | Watch for unusual file build-up.
Check SMS log folders for crash dumps | Daily | Did the site system fail in the past 24 hours?
Monitor server performance | Daily | Watch for unusual activity.
Clean out old machine and user accounts | Daily | Very important for identifying client health problems. Remove resources from SMS and accounts from discovered domains.
Incremental backup of SMS site server to removable media | Daily |
Backup SMS site server [a] | Daily |
Delete aged status messages [a] | Daily |
Heartbeat discovery [a] | Daily | Important for other maintenance tasks.
Delete unnecessary objects | Weekly | Get rid of collections, packages, programs, advertisements, and queries that are no longer needed.
Delete old files | Weekly | Delete files that SMS is no longer paying attention to (see the Schedule.box folder).
Check available disk space on all site systems | Weekly |
Check advertisement status reports | Weekly | Are any older advertisements suddenly failing?
Check patch deployments | Weekly | Are any older patches suddenly failing to install?
Rebuild indexes [a] | Weekly | Improves performance of your SMS 2003 site databases.
Monitor keys [a] | Weekly | Reduces corruption of the primary keys in SMS 2003 site database tables.
Delete aged inventory history older than 90 days [a] | Weekly | Cleans old historical data out of the database.
Delete aged status messages older than 70 days [a] | Weekly | Status messages make up the largest percentage of an SMS 2003 site database, and many of them are not necessary past seven days.
Delete aged discovery data older than 21 days [a] | Weekly | This is an automated Delete Special for resources that have not been discovered.
Delete aged collected files [a] | Weekly | Turn this on even if files are not collected via software inventory so that orphan data will be cleared.
Summarize software metering usage data [a] | Weekly |
Delete aged software metering data [a] | Weekly | You’re summarizing it, so remove the full data.
Delete aged software metering summary data [a] | Weekly | You don’t need the summaries forever; set this to a value appropriate for your enterprise.
Delete inactive client discovery data [a] | Weekly | Only if AD System Discovery is used.
Delete obsolete client discovery data [a] | Weekly | Cleans up after reimaged or renamed machines discover or report inventory.
Defragment all site systems | Monthly | Very important for SMS 2003 performance.
Review patch packages | Quarterly | Are patches being distributed that are no longer requested in the enterprise?
Review site boundaries | Quarterly | Especially important in hierarchies where sites are built and retired frequently.
Change service account passwords | Semiannual | Not as important in hierarchies using advanced security, but should still be considered.
Perform DR test | Semiannual | Do your backups actually work?
Review architecture | Semiannual | Does the design of your SMS 2003 hierarchy still make sense? Examine the folder structure under Collections, Packages, Advertisements, and Queries as well.
Review documentation | Semiannual | Confirm that all SMS 2003 hierarchy operational documentation is updated.
Review maintenance plan | Semiannual | Are there any tasks to be added, deleted, or changed?

[a] This is an available automated task in SMS 2003.
Do I Really Need to Do All That?

The preceding maintenance plan is actually a stripped-down version of one used at several companies. In fact, some of the automated tasks available within SMS 2003 have been excluded from the preceding plan. After approving a similar maintenance plan for your hierarchy, the next step is to automate many of the tasks. Monitoring Inbox folders, for example, can be scripted to check all folders on all site servers and return the number of files in each to a central dashboard for administrators to view. Site system defragmentation can be set as a scheduled task. In short, administrators should look for the most efficient way to complete these tasks without sacrificing the results. A maintenance plan is only as strong as the people implementing it. Some of the items in the table require more definition than the space available allows. Read through the following sections for further explanations.
Understand the Structure of the SMS Client and Server

Most of the time, the SMS troubleshooting tools listed in the table under “The Folder Structure for the SMS Site Server” provide good references for where to find problems. A status message, for example, may give the exact path to a log file that will contain more information. However, it is still important for the SMS 2003 administrator to understand the basic structure of the SMS installation, as she will be interacting with it frequently.
The SMS Client Folder Structure

The SMS client folder is quite simple. Both advanced and legacy clients install under a specific folder and, with a few minor exceptions, do not write anywhere else. For the most part, the only part of the client folders of interest to administrators is the logs folder created under each client. By default, advanced clients install to %windir%\system32\ccm. Legacy clients install to %windir%\ms\sms. Both clients write a file named smscfg.ini to %windir%, which contains basic information about the SMS client such as its unique identifier.
The Folder Structure for the SMS Site Server

By default, the SMS site server installs to C:\sms. Most of the contents of the subfolders of C:\sms should not be changed in any way by administrators. On the other hand, changing some files (the sms_def.mof file under C:\SMS\inboxes\clifiles.src\hinv, for example) can be the only way to repair or modify your SMS hierarchy. In short, do not modify a file under the SMS folder of a production site server without thorough testing! Don’t write, but feel free to read. The folders under SMS contain information that is critical in monitoring and troubleshooting site server problems. The following table provides a list of the most common folders to be checked. In the table, %installdrive% is the drive to which SMS was installed; by default this is C:.
Folder | Location | Description
CCM | %installdrive%\sms\ccm | Incoming and outgoing queues for management points.
Client | %installdrive%\sms\client | Client installation executables, utilities, and the all-important client.msi.
Logs | %installdrive%\sms\logs | SMS site server logs; see below for a comprehensive list.
License.txt | %installdrive%\sms\license.txt | The supplemental license agreement, in case you didn’t read it during setup.
Auth | %installdrive%\sms\inboxes\auth | Includes folders containing bad DDR, software inventory, and hardware inventory files from advanced clients.
Ccr.box | %installdrive%\sms\inboxes\ccr.box | Active CCR files.
Ccrretry.box | %installdrive%\sms\inboxes\ccrretry.box | CCR files that will be retried. (Tip: Open .ccr files with a text editor.)
Hinv | %installdrive%\sms\inboxes\clifiles.src\hinv | The home of the sms_def.mof file, which can be modified to change hardware inventory. Open the .mof file with a text editor.
Dataldr.box | %installdrive%\sms\inboxes\dataldr.box | Holds failed .mif files.
Ddm.box | %installdrive%\sms\inboxes\ddm.box | Holds failed DDR files.
Despool.box | %installdrive%\sms\inboxes\despool.box | Holds the Receive folder, where files received from other sites are stored before processing.
Hman.box | %installdrive%\sms\inboxes\hman.box | Contains key information for site-to-site communication.
Offerinf.box | %installdrive%\sms\inboxes\offerinf.box | Contains advertisement data.
Pkginfo.box | %installdrive%\sms\inboxes\pkginfo.box | Contains package data.
Schedule.box | %installdrive%\sms\inboxes\schedule.box | Contains all the jobs pending, to be sent, and queued for the sender to process. This is a very important folder when troubleshooting intersite communication.
Sinv.box | %installdrive%\sms\inboxes\sinv.box | Contains bad software inventory files and any files collected from clients.
Sitectrl.box | %installdrive%\sms\inboxes\sitectrl.box | Contains the site control file and its historical references. Very important when restoring from backup.
Swmproc.box | %installdrive%\sms\inboxes\swmproc.box | Contains corrupted software metering reports.
Other Site System Folders

You saw previously that the SMS site server creates a folder named SMS on the C: drive by default. Other site systems create their own folders. The following table provides a list of these, and their roles.

| Folder | Site System | Description |
|---|---|---|
| Cap_<sitecode> | Client Access Point (CAP) | This folder contains all of the in/outboxes associated with a CAP. |
| Sms_ccm | Management Point | This folder contains most of the management point’s installation files. The logs for the management point can be found here. |
| Smspkg | Distribution Point | Contains compressed package data. |
| Smspkg$ | Distribution Point | Contains uncompressed package data. This is where clients are directed to execute or download packages. This folder is shared with the “everyone” group having Read permissions. |
SMS Status Messages

Many of the site maintenance tasks can be performed by examining the status messages returned by clients and site systems. SMS 2003 allows administrators the option of viewing summarized status messages in a dashboard with drill-down capability for problem identification. For example, SMS 2003 provides a Site Status view that shows whether sites are in a red, yellow, or green status. Administrators can check the Site Status view to quickly identify if a problem is being reported on a specific site.

However, status messages have limitations. Sites must be able to communicate for status messages to be transferred. An SMS 2003 site might not be reporting because of a failed network link, but it might still show as green in the Site Status view. Administrators can prevent status messages from flowing up the hierarchy, so viewing status from an upstream parent could be inaccurate. And finally, most client messages are transferred at a low priority by default. Especially in times of high utilization, client messages could be delayed. All of this does not mean that status messages should not be used; it simply means that they should not be the only method of detecting problems.

To view the Site Status dashboard view, follow these steps:

1. Under the SMS Administrator console, expand the System Status folder.
2. Select the Site Status folder.
3. The Site Status view is displayed in the Details pane. Figure 14-1 is an example of what you might see in this view.
Figure 14-1
Drilling into a Problem in the Site Status View

If a problem is identified in the Site Status dashboard, the administrator needs to take further steps to isolate the problem before resolution can be effective. The summary on the Site Status dashboard can be expanded to show more detail about a problem. To do this, follow these steps:

1. Under the SMS Administrator Console, expand the System Status folder.
2. Select the Site Status folder.
3. In the Details pane, double-click the site system to be investigated.
4. SMS 2003 allows a choice between viewing the status messages about the components running in that site, or about the servers supporting the site. Figure 14-2 displays these choices.
Figure 14-2
5. To view the status of SMS 2003 site components running in a specific site, double-click the Component Status option.
6. Figure 14-3 shows the Component Status view for a specific site. Scan the list of components for a problem component.
7. After a problem is identified with a component, you can view the status messages returned by that specific item. Right-click the component.
8. Expand the Show Status Messages submenu.
9. Choose the option to see All status messages, or to filter the returned messages to Info, Warning, or Error messages.

SMS 2003 opens a new window containing the Status Message viewer. An example of this window is displayed in Figure 14-4. Scan through the messages to identify the problem. You can double-click a message to see more information. Figure 14-5 shows an expanded message.
Figure 14-3
Figure 14-4
Figure 14-5
Viewing Status Messages with SMS 2003 Web Reports

Perhaps you want to limit access to the SMS Administrator console, or perhaps you have nontechnical users that need to view the status of your SMS 2003 hierarchy. In either case, status messages can also be accessed via the SMS 2003 Web Reports. Web Reports allow administrators to provide focused views of an SMS 2003 site database via a web browser. Managers, for example, can be provided a dashboard that displays an at-a-glance overview of the current activity within the hierarchy.

Remember from the maintenance list that status messages make up the largest percentage of data in the SMS 2003 site database. With all of this data, a plethora of reporting options is available. Out of the box, SMS 2003 provides several canned reports that take advantage of status messages to display the health of a site or an entire hierarchy. For example, the Sites By Hierarchy With Time Of Last Site Status Update report comes with SMS 2003. Its output is displayed in Figure 14-6. Note the similarity to the Site Status view from the Administrator console, as shown in Figure 14-1.

The preceding report does not have the ability to drill down into a problem like the Site Status view. It can be reconfigured to allow drill-downs, or you can manually view a different report such as the Count Errors In The Last 12 Hours report. This report, displayed in Figure 14-7, can quickly show administrators where a problem might be occurring.

In addition to seeing the status of a site, Web Reports can show the status of a process. Software distribution, for example, is very well reported in SMS 2003 because of the relationship between status messages and Web Reports. The All Active Package Distributions report shows the power of this combination. Administrators can very quickly see what software distribution is happening within their hierarchy almost in real time.

To use the Web Reports, you must have configured a reporting point. The reporting point will access the site database only for the site to which it is designated. Typically, this site is the central site, so that reporting includes the entire hierarchy. Remember that status messages can be prioritized lower than other traffic, so the reports may not be updated as quickly as you wish.
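The logic behind the Site Status colours and the Count Errors In The Last 12 Hours report, as an added Python example; this is not code from the book or from SMS itself. The status messages are constructed; the severity constants are the values SMS stores for informational, warning, and error messages; the red and yellow thresholds are assumptions, since the real summarizers make them configurable. The example also covers the caveat raised above: a site that has sent nothing in the window is reported as silent instead of being shown green.

```python
from collections import Counter
from datetime import datetime, timedelta

# Severity values as stored with status messages in the SMS 2003 site database
# (the three classes the Status Message viewer lets you filter on).
INFO, WARNING, ERROR = 0x40000000, 0x80000000, 0xC0000000

# Assumed thresholds for the dashboard colour; the real summarizers make these configurable.
ERROR_THRESHOLD = 1
WARNING_THRESHOLD = 1


def in_window(message, now, hours):
    return now - timedelta(hours=hours) <= message["Time"] <= now


def count_errors(messages, now, hours=12):
    """Errors per (site, component) in the last N hours, like the
    Count Errors In The Last 12 Hours report."""
    return Counter((m["SiteCode"], m["Component"]) for m in messages
                   if m["Severity"] == ERROR and in_window(m, now, hours))


def site_status(messages, sites, now, hours=12):
    """Red/Yellow/Green for every configured site. A site from which nothing arrived in
    the window is reported as silent rather than green: a site behind a failed link
    sends no messages at all."""
    status = {}
    for site in sites:
        recent = [m for m in messages if m["SiteCode"] == site and in_window(m, now, hours)]
        if not recent:
            status[site] = "No status received"
            continue
        counts = Counter(m["Severity"] for m in recent)
        if counts[ERROR] >= ERROR_THRESHOLD:
            status[site] = "Red"
        elif counts[WARNING] >= WARNING_THRESHOLD:
            status[site] = "Yellow"
        else:
            status[site] = "Green"
    return status


def drill_down(messages, site, severity, now, hours=12):
    """The messages behind one colour: one site, one severity, oldest first."""
    return sorted((m for m in messages
                   if m["SiteCode"] == site and m["Severity"] == severity
                   and in_window(m, now, hours)),
                  key=lambda m: m["Time"])


NOW = datetime(2006, 10, 4, 12, 0, 0)


def msg(site, component, severity, hours_ago):
    return {"SiteCode": site, "Component": component, "Severity": severity,
            "Time": NOW - timedelta(hours=hours_ago)}


# Constructed sample: CEN healthy, PRI reporting a distribution error, SEC silent.
SAMPLE_MESSAGES = [
    msg("CEN", "SMS_SITE_COMPONENT_MANAGER", INFO, 1),
    msg("CEN", "SMS_HIERARCHY_MANAGER", INFO, 2),
    msg("PRI", "SMS_DISTRIBUTION_MANAGER", ERROR, 3),
    msg("PRI", "SMS_DISTRIBUTION_MANAGER", ERROR, 14),   # outside the 12-hour window
    msg("PRI", "SMS_LAN_SENDER", WARNING, 1),
]
SITES = ["CEN", "PRI", "SEC"]

if __name__ == "__main__":
    print(site_status(SAMPLE_MESSAGES, SITES, NOW))
    print(dict(count_errors(SAMPLE_MESSAGES, NOW)))
    for m in drill_down(SAMPLE_MESSAGES, "PRI", ERROR, NOW, hours=24):
        print(m["Time"], m["Component"])
```

Widening the window (hours=24 in the drill-down call) brings the older PRI error back into view, which is the same effect as changing the report's time span.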
Figure 14-6
Figure 14-7
Client Status Messages

Clients send status messages about their activity just like site systems. The most useful of these for the SMS administrator relate to software distribution. Clients report status messages related to receiving, downloading, starting, failing, and succeeding to run a software distribution package. Like the status messages for site status, these advertisement status messages are summarized into a view for administrators. To view software distribution status from the SMS Administrator console, perform the following steps:

1. Under the SMS Administrator console, expand the System Status folder.
2. Select the Advertisement Status folder. This display, shown in Figure 14-8, is an overview of the status of all advertisements.
3. Double-click one of the advertisements listed to see a site-by-site breakdown of advertisement distribution. Figure 14-9 displays the site-specific advertisement status.

Figure 14-8
Figure 14-9
To see the status messages returned for a specific advertisement from a specific site, perform these steps:

1. Right-click the site to be investigated.
2. Expand the Show Status Messages submenu.
3. Choose the desired filter from the Show Status Messages submenu. If you choose to show all status messages for an advertisement at a large site, it could take quite a while to display fully.
4. SMS 2003 opens a new window displaying the Status Message viewer. Figure 14-10 shows the status messages for an advertisement at a specific site in the Status Message viewer.
5. To fully display an individual status message, double-click its summary in the Status Message viewer window. Figure 14-11 shows an advertisement status message.
Figure 14-10
Figure 14-11
Alternatively, advertisement status can be viewed from a Web Report. Figure 14-12 shows the All Advertisements SMS 2003 Web Report. This report is a quick way to find the status of any advertisement. From the All Advertisements report, administrators can access the status of an individual advertisement. Figure 14-13 displays the summary report for a specific advertisement.
Figure 14-12
Figure 14-13
From the summary report, clicking the drill-down link next to one of the status summaries displays a list of machines that have returned a status message with the specific status. Using this report, administrators can see the names of machines that have not yet run an advertisement, for example. Figure 14-14 shows a report page with machines that returned a specific status for an advertisement.
Figure 14-14
Clicking a drill-down link from the specific status report displays a new report with all activity by a specific workstation on the advertisement. Using this report, administrators can see if a workstation has failed, and subsequently successfully retried, an advertisement. Figure 14-15 shows the advertisement status for a specific computer report. Finally, clicking the drill-down link next to one of the statuses reported by a machine for an advertisement will open a new browser window or tab with the exact status message returned by the machine. Using this status message, administrators can see the actual error message returned by a workstation that failed to run an advertisement. Figure 14-16 shows a status message displayed in the browser.
Figure 14-15
Figure 14-16
SMS 2003 Logs, Where Troubleshooting Begins

Long-time SMS administrators are often not satisfied with the replication speed of status messages. When troubleshooting a problem, it is often much better to go straight to the source. In these times, the fact that SMS 2003 logs every action comes in very handy. All clients and most site systems have the capability to log actions. CAPs and distribution points, being only shares, do not log for themselves. In addition, all of the software applications that SMS 2003 relies upon have extensive logging capabilities. IIS, for example, logs all HTTP transactions, both successes and failures.

By default the SMS 2003 site logs will grow to 3 megabytes. They will then roll over once to a history file. SMS 2003 advanced client logs will grow to 250 kilobytes and then will roll once to a history file. History logs will either be renamed to include the date they were rolled, or will have an .lo_ extension.

In fact, there are so many logs to investigate, and they update so often, that the SMS 2003 administrator needs two tools to make log investigation easier. The first tool is available within a free download from Microsoft. The SMS Toolkit 2, http://www.microsoft.com/smserver/downloads/2003/tools/toolkit.mspx, is a collection of tools that are very handy for the SMS administrator. All the tools are discussed in Chapter 15, but for now one of the most often used is SMS Trace, a log viewer that constantly monitors the opened file for updates. SMS Trace provides real-time updates of any log file, allowing administrators to see exactly what is happening on a client or site system. In addition, SMS Trace includes highlighting and filtering features that allow at-a-glance log viewing. Finally, the tool includes an error code dictionary. Most of Microsoft’s decimal error codes can be translated into a common language very quickly. For example, entering 5 into the error lookup utility returns Access Denied.

Figure 14-17 displays the SMS Trace window with a log open and errors highlighted.
Figure 14-17
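Reading an SMS 2003 log without SMS Trace, as an added Python example that is not from the book or from the SMS Toolkit: it parses the <![LOG[...]LOG]!> entry format that SMS 2003 components write, converts the local time and time-zone bias in each entry to UTC, picks out the error entries that SMS Trace would highlight, and translates return codes found in messages with a small Win32 lookup in the spirit of the tool's error dictionary (including HRESULTs of the 0x8007xxxx form, which wrap a Win32 code). The log lines, component names, and source file names in the sample are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# One SMS 2003 log entry: a <![LOG[...]LOG]!> message block followed by the attribute
# block that SMS Trace reads. DOTALL lets a message span several physical lines.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)" '
    r'context="(?P<context>[^"]*)" type="(?P<type>\d)" thread="(?P<thread>\d+)" '
    r'file="(?P<file>[^"]*)">',
    re.DOTALL,
)
TIME_RE = re.compile(r'(\d{2}):(\d{2}):(\d{2})\.(\d{1,3})([+-]\d+)')
SEVERITY = {"1": "Info", "2": "Warning", "3": "Error"}   # the "type" attribute

# A small Win32 return-code dictionary (decimal), in the spirit of the SMS Trace lookup.
WIN32_ERRORS = {
    0: "The operation completed successfully",
    2: "The system cannot find the file specified",
    3: "The system cannot find the path specified",
    5: "Access is denied",
    53: "The network path was not found",
    1603: "Fatal error during installation",
    1619: "This installation package could not be opened",
    1641: "The installer has initiated a restart",
    3010: "A restart is required to complete the install",
}


def parse_timestamp(time_field, date_field):
    """'10:15:30.123+300' and '10-04-2006' -> aware UTC datetime. The trailing number
    is the Windows time-zone bias in minutes, so UTC = local time + bias."""
    hh, mm, ss, frac, bias = TIME_RE.match(time_field).groups()
    local = datetime.strptime(date_field, "%m-%d-%Y").replace(
        hour=int(hh), minute=int(mm), second=int(ss),
        microsecond=int(frac.ljust(3, "0")) * 1000)
    return (local + timedelta(minutes=int(bias))).replace(tzinfo=timezone.utc)


def parse_log(text):
    """All entries in a log file's text, in file order, as dictionaries."""
    return [{
        "message": m.group("msg"),
        "component": m.group("component"),
        "severity": SEVERITY.get(m.group("type"), "Unknown"),
        "thread": int(m.group("thread")),
        "utc": parse_timestamp(m.group("time"), m.group("date")),
    } for m in ENTRY_RE.finditer(text)]


def errors(entries):
    """The entries SMS Trace would highlight as errors (type 3)."""
    return [e for e in entries if e["severity"] == "Error"]


def severity_counts(entries):
    return Counter(e["severity"] for e in entries)


CODE_RE = re.compile(r'\bcode\s*[:=]?\s*(0x[0-9a-fA-F]+|\d+)', re.IGNORECASE)


def decode_code(token):
    """Decimal or hex code -> int. An HRESULT of the form 0x8007xxxx carries a Win32
    code in its low 16 bits, so 0x80070005 is reduced to 5 before lookup."""
    value = int(token, 16) if token.lower().startswith("0x") else int(token)
    if (value & 0xFFFF0000) == 0x80070000:
        value &= 0xFFFF
    return value


def lookup_code(value):
    return WIN32_ERRORS.get(value, "Unknown code %d" % value)


def explain(entry):
    """(code, meaning) for the first return code mentioned in an entry, else None."""
    m = CODE_RE.search(entry["message"])
    if not m:
        return None
    code = decode_code(m.group(1))
    return code, lookup_code(code)


# Constructed sample in the SMS 2003 log format; components and source files are made up.
SAMPLE_LOG = r'''<![LOG[Policy evaluation triggered]LOG]!><time="10:15:30.123+300" date="10-04-2006" component="PolicyEvaluator" context="" type="1" thread="2456" file="policyevaluator.cpp:310">
<![LOG[Failed to connect to \\DP01\smspkg$, error code 0x80070035]LOG]!><time="10:16:02.008+300" date="10-04-2006" component="ContentAccess" context="" type="3" thread="1120" file="cas.cpp:512">
<![LOG[Program exit code 1603]LOG]!><time="10:20:45.500+300" date="10-04-2006" component="execmgr" context="" type="2" thread="1120" file="execreqmgr.cpp:900">
'''

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(dict(severity_counts(entries)))
    for e in errors(entries):
        print("ERROR", e["utc"].isoformat(), e["component"], e["message"], explain(e))
```

To read a real file, pass the contents of the current log and of its rolled history copy (the .lo_ file or the date-stamped copy mentioned above) through parse_log in turn; entries from both can then be sorted on the utc field.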
Figure 14-18 shows the Error Lookup utility in SMS Trace, available from the Tools menu. The second tool needed by administrators to work with SMS 2003 logs is a reference to all of the files. Fortunately, I have included one in this chapter in the following section.
Figure 14-18
SMS Site Server Logs

In the following tables I provide the name of the file, its default location, and a brief synopsis of what thread or component is logged.

| Filename | Location | Description |
|---|---|---|
| Adminui.log | %installdrive%\sms\logs | Records actions taken with the SMS Administrator console. |
| Ccm.log | %installdrive%\sms\logs | Logs attempts to remotely install clients on resources (i.e., a CCR is generated). |
| Cidm.log | %installdrive%\sms\logs | Logs updates by the Client Install Data Manager, such as the clidata.src box. |
| Colleval.log | %installdrive%\sms\logs | Logs the creation, modification, update, and deletion of collections. |
| Compsumm.log | %installdrive%\sms\logs | Logs component status summarizer tasks (i.e., the green, yellow, and red indicators in the Site Status view discussed previously). |
| Cscnfsvc.log | %installdrive%\sms\logs | Logs communication via the courier sender method. |
| Dataldr.log | %installdrive%\sms\logs | Logs the processing of .mif files into a site database. |
| Ddm.log | %installdrive%\sms\logs | Logs the insertion of discovery records into a site database. |
| Despool.log | %installdrive%\sms\logs | Logs incoming communications in site-to-site connections. Use this log to make sure that files are being received. |
| Distmgr.log | %installdrive%\sms\logs | Logs the creation, distribution, and update of software distribution packages. Use this log to watch packages flow to distribution points. |
| Hman.log | %installdrive%\sms\logs | Logs hierarchy management tasks such as site configuration changes. |
| Inboxast.log | %installdrive%\sms\logs | Logs copying files from CAPs to the SMS site inboxes. |
| Inboxmgr.log | %installdrive%\sms\logs | Logs CAP maintenance tasks. |
| Invproc.log | %installdrive%\sms\logs | Logs conversion of client inventory into .mif files (.nhm-to-.mif) for insertion into the site database. |
| Mpcontrol.log | %installdrive%\sms\logs | Logs MP registration and self-checks. A good start for identifying MP problems. |
| Mpfdm.log | %installdrive%\sms\logs | Logs the movement of files from the MP boxes to the SMS site inboxes. Equivalent to the Inbox Assistant for CAPs. |
| Mpmsi.log | %installdrive%\sms\logs | Verbose Windows Installer log of management point installation. |
| Mpsetup.log | %installdrive%\sms\logs | Logs basic management point installation. |
| Ntsvrdis.log | %installdrive%\sms\logs | Logs SMS server discovery (the one discovery method not changeable by administrators). |
| Offermgr.log | %installdrive%\sms\logs | Logs updates to advertisements. |
| Offersum.log | %installdrive%\sms\logs | Logs summarization of status messages related to advertisement status. |
| Policypv.log | %installdrive%\sms\logs | Logs all changes to advanced client policies. |
| Replmgr.log | %installdrive%\sms\logs | Logs movement of files from other boxes to the scheduler box. |
| Rsetup.log | %installdrive%\sms\logs | Logs installation of a reporting point. Also watch the IIS logs for errors. |
| Sched.log | %installdrive%\sms\logs | Logs scheduler job actions. Scheduler prepares jobs for distribution to other sites in the hierarchy. |
| Sender.log | %installdrive%\sms\logs | Logs transmission of data between SMS sites. Watch this log closely; it can roll quickly in large hierarchies. |
| Sinvproc.log | %installdrive%\sms\logs | Logs processing of software inventory reports. |
| Sitecomp.log | %installdrive%\sms\logs | Logs actions of the Site Component Manager service. A good place to find management point publication problems or SMS service corruption. |
| Sitectrl.log | %installdrive%\sms\logs | Logs site control file changes. |
| Smsdbmon.log | %installdrive%\sms\logs | Logs changes to the site database (i.e., actual insertion of a discovery record). |
| Smsexec.log | %installdrive%\sms\logs | Logs management tasks of all other SMS service threads. |
| Smsprov.log | %installdrive%\sms\logs | Logs access through the SMS WMI provider into the site database. |
| Smsreportinginstall.log | %installdrive%\sms\logs | Logs installation of a reporting point. |
| Srvacct.log | %installdrive%\sms\logs | Logs account maintenance; only for use in sites that use standard security. |
| Statmgr.log | %installdrive%\sms\logs | Logs insertion of status messages into the site database. |
| Swmproc.log | %installdrive%\sms\logs | Logs insertion of software metering data into the site database. |

In the table, %installdrive% = The drive to which SMS is installed, by default C:.
Management Point Logs

| Filename | Location | Description |
|---|---|---|
| Mp_ddr.log | %installdrive%\sms_ccm\logs | Logs conversion of advanced client XML-based discovery records into standard discovery records. |
| Mp_getauth.log | %installdrive%\sms_ccm\logs | Logs status of management points. Also see the IIS logs. |
| Mp_getpolicy.log | %installdrive%\sms_ccm\logs | Logs policy requests and management. Also see the WMI logs. |
| Mp_hinv.log | %installdrive%\sms_ccm\logs | Logs conversion of advanced client XML-based hardware inventory reports into standard hardware inventory formats. |
| Mp_location.log | %installdrive%\sms_ccm\logs | Logs location service requests. |
| Mp_policy.log | %installdrive%\sms_ccm\logs | Logs MP communication to a site database. |
| Mp_relay.log | %installdrive%\sms_ccm\logs | Logs movement of files copied from clients. |
| Mp_retry.log | %installdrive%\sms_ccm\logs | Logs requests to retry hardware inventory on clients. |
| Mp_sinv.log | %installdrive%\sms_ccm\logs | Logs conversion of advanced client XML-based software inventory reports into standard formats. |
| Mp_status.log | %installdrive%\sms_ccm\logs | Logs conversion of advanced client XML-based status messages into SMS standard formats. |

In the table, %installdrive% = The drive to which SMS was installed, by default C:.
The Legacy Client Logs

| Filename | Location | Description |
|---|---|---|
| Apasetup.log | %windir%\ms\sms\logs | Logs installation of the advertised programs agent. |
| Ccim32.log | %windir%\ms\sms\logs | Logs client installation. |
| Clicore.log | %windir%\ms\sms\logs | Logs client installation. |
| Clisvc.log | %windir%\ms\sms\logs | Logs actions taken by the SMS service. |
| Cqmgr32.log | %windir%\ms\sms\logs | Logs communication to client access points. |
| Hinv32.log | %windir%\ms\sms\logs | Logs hardware inventory actions. |
| Inhinv32.log | %windir%\ms\sms\logs | Logs installation of the hardware inventory client agent. |
| Insinv32.log | %windir%\ms\sms\logs | Logs installation of the software inventory client agent. |
| Launch32.log | %windir%\ms\sms\logs | Logs user logon and logoff events for software distribution that requires these events. |
| Odpsys32.log | %windir%\ms\sms\logs | Logs receipt of advertisement data for the machine. |
| Odpusr32.log | %windir%\ms\sms\logs | Logs receipt of advertisement data for a user. |
| Odpwnt32.log | %windir%\ms\sms\logs | Logs receipt of advertisement data for a Windows NT user group. |
| Remcontrol.log | %windir%\ms\sms\logs | Logs installation of the SMS 2003 Remote Control client agent. |
| Sinv32.log | %windir%\ms\sms\logs | Logs software inventory actions. |
| Smsapm32.log | %windir%\ms\sms\logs | Logs advertisement processing. Can be used to find failure codes of advertisements. |
| Smscli.log | %windir%\ms\sms\logs | Logs execution of the Systems Management applet. |
| Smsclreg.log | %windir%\ms\sms\logs | Logs Registry configuration when the client installs. |
| Smsmon32.log | %windir%\ms\sms\logs | Logs use of the Advertised Programs Monitor applet. |
| Swdist.log | %windir%\ms\sms\logs | Logs installation of software distribution components; should be checked if problems are identified in apasetup.log. |
| Wnlogon.log | %windir%\ms\sms\logs | Logs client installation initiated by a logon script. |
| | | Logs installation of a client initiated with a CCR. |
The Advanced Client Logs

| Filename | Default Location | Description |
|---|---|---|
| Cas.log | %windir%\system32\ccm\logs | Content Access Service; logs connections to distribution points. |
| Ccmexec.log | %windir%\system32\ccm\logs | SMS Agent Host service log. |
| Certificatemaintenance.log | %windir%\system32\ccm\logs | Logs certificate retrieval and renewal from management points. |
| Clientidstartupmanager.log | %windir%\system32\ccm\logs | Logs creation and renewal of the client’s unique identifier. |
| Clientlocation.log | %windir%\system32\ccm\logs | Logs client location requests (i.e., site assignment). |
| Contenttransfermanager.log | %windir%\system32\ccm\logs | Logs data entering and expiring from the client’s cache. |
| Datatransferservice.log | %windir%\system32\ccm\logs | Logs policy transfer from management points. |
| Execmgr.log | %windir%\system32\ccm\logs | Logs arrival, download, and execution of software packages. Check this log first for software distribution issues. |
| Filebits.log | %windir%\system32\ccm\logs | Logs SMB copies from distribution points. Can indicate that BITS is not enabled on DPs. |
| Filesystemfile.log | %windir%\system32\ccm\logs | Logs software inventory functions. |
| Fsinvprovider.log | %windir%\system32\ccm\logs | Logs software inventory functions. |
| Inventoryagent.log | %windir%\system32\ccm\logs | The main log for all things inventory. Discovery, hardware inventory, and software inventory all log events to this file. |
| Locationservices.log | %windir%\system32\ccm\logs | Logs which management and distribution points are being used by an advanced client. |
| Mtrmgr.log | %windir%\system32\ccm\logs | Logs software metering data when a rule is accessed. |
| Officesyncxml.log | %windir%\system32\ccm\logs | Logs synchronization of the Microsoft Office Updates catalog and inventory engine; should exist only on the Office sync host. |
| Patchinstall.log | %windir%\system32\ccm\logs | Logs patch installation and scanning. |
| Patchuimanager.log | %windir%\system32\ccm\logs | Logs actions taken from the SMS 2003 software updates user interface. |
| Policyagent.log | %windir%\system32\ccm\logs | Logs requests and downloads of policy from management points. |
| Policyagentprovider.log | %windir%\system32\ccm\logs | Logs a subset of the actions taken by the policy agent. |
| Policyevaluator.log | %windir%\system32\ccm\logs | Logs evaluation of downloaded policy. (Hint: Policy evaluation is triggered two minutes after download.) |
| Remcontrol.log | %windir%\system32\ccm\logs | Logs installation of the SMS 2003 Remote Control client agent. |
| Scanwrapper.log | %windir%\system32\ccm\logs | Logs scanning by the SMS 2003 MBSA scanner. |
| Scheduler.log | %windir%\system32\ccm\logs | Logs each event triggered by the scheduler. |
| Securitysyncxml.log | %windir%\system32\ccm\logs | Logs synchronization of the MBSA scanner catalog. Should exist only on the sync host. |
| Setuppolicyevaluator.log | %windir%\system32\ccm\logs | Logs initial configuration of policy on a new client. |
| Smscliui.log | %windir%\system32\ccm\logs | Logs actions taken in the Systems Management applet. |
| Srcupdatemgr.log | %windir%\system32\ccm\logs | Logs actions taken by the Windows Installer Source Update Manager, usually indicating when an application has self-healed by accessing a distribution point. |
| Statusagent.log | %windir%\system32\ccm\logs | Logs the creation and forwarding of status messages. |
| Swmtrreportgen.log | %windir%\system32\ccm\logs | Reports the packaging and uploading of the (by default) weekly software metering report. |
| Updatescan.log | %windir%\system32\ccm\logs | Logs scanning by the Enterprise Scan tool or Extended MBSA Scanner. |
| Ccmsetup.log | %windir%\system32\ccmsetup | Logs the installation of an SMS advanced client. |
| Clientmsi.log | %windir%\system32\ccmsetup | Verbose Windows Installer log of client installation. |
| Cliunins.log | %windir%\temp | Logs uninstallation of the advanced client. |
Note that machines that are both clients and management points will have the logs for both functions located together under %installdrive%\sms_ccm\logs, where %installdrive% is the drive on which SMS 2003 was installed. Logs for other software used by SMS can be found in these locations:

❑ IIS: By default, IIS logs to %windir%\system32\logfiles. Also examine the event log of the IIS server for events with the source of IIS.
❑ SQL: The best way to view SQL logs is through SQL Enterprise Manager. These logs are not typically helpful for an SMS administrator, but can sometimes indicate the source of a major problem.
❑ WMI: In SMS 2003, everything from the Administrator console to hardware inventory on clients depends on the Windows Management Instrumentation repository. WMI logs can be found in %windir%\system32\wbem\logs. It is a good idea for SMS 2003 administrators to become familiar with these logs.
❑ Microsoft security updates: Most security updates write to a log named after the article number, %windir%\Q<article#>.log or %windir%\KB<article#>.log. However, some patches (service packs in particular) write to logs named differently. Windows XP SP2, for example, logs to %windir%\svcpack.log. Because the patch installer will give only the return code of the patch, these are good logs to investigate.
❑ Microsoft Office patches: Unlike security updates, Microsoft Office patches installed in one session all write to the same log. In addition, you can configure ohotfix.ini to create a Windows Installer verbose log that can provide more information. Microsoft Office updates log to %windir%\temp\ohotfix.
Monitoring Client Health

With all of the logs, status messages, and reports at our disposal, one would think that keeping clients healthy in an SMS 2003 hierarchy is easy. Although clients in SMS 2003 are more stable than in previous versions, they still can require some maintenance. For example, clients rely very heavily on WMI. Should the WMI repository become corrupted, a client might simply stop reporting discovery, inventory, and status messages, even though the client service is functioning. A maintenance plan for clients is just as important as one for site systems. Fortunately, the activities on this maintenance plan can be mostly automated.

First, a script should be run against all machines in the enterprise that should have an SMS client. This script, run either at system start or user logon, should perform the following steps:

❑ Check WMI: Can the script connect to the WMI namespace root\cimv2? If not, rebuild the WMI repository.
❑ Check for the CCMSetup service: If this service is running, it means that SMS 2003 is already trying to reinstall the client.
❑ Check for the CCMExec service: This is the actual service that runs clients. Warning: this service also runs management points.
❑ Check log file dates: Oft-updated logs (i.e., policyevaluator.log on advanced clients and cqmgr32.log for legacy clients) can be examined to make sure that the client service is trying to work. A problem is indicated if these files aren’t updating frequently.
❑ Check DCOM: Look for the SMS agent host DCOM object.
With these items being searched for, the work of the administrator monitoring client health should be greatly reduced. In many of these cases, the script can automatically take action to fix the problem (for example, if the CCMExec service is stopped, start it and send an alert to administrators). However, this script does not cure all problems that can befall the SMS client. On a standard interval, administrators should perform the following to examine the health of their clients. I recommend that these checks be performed daily in hierarchies of medium to large size.

❑ Examine the report entitled “Clients that have not reported recently (in a specified number of days).” Check this report for any machines that have not reported inventory or been discovered in at least one-and-a-half times the inventory interval. For example, if software inventory runs weekly, check for machines that have not reported within ten days. This report will help administrators identify which clients either have been off the network, or might be having problems.
❑ Examine the report entitled “Computer that may share the same SMS unique ID.” In an imaging scenario, if a master computer has ever had an SMS client, and if that master computer’s image is distributed to other machines, a unique identifier problem could arise. Duplicate unique identifiers will cause inaccurate inventory and software distribution. Use this report to find machines that may have duplicate unique identifiers.
❑ In the SMS Administrator console, create a collection that displays all machine resources without a client. All machines without a client should be investigated. The WQL code provided here, if pasted into a blank query editor, will display all nonclients:

    select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
        SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
        SMS_R_System.Client
    from SMS_R_System
    where Client = NULL
❑ Use the SMS Client Health tool: This tool, yet another free Microsoft download, runs as a service on a site server. It polls management and client access points either manually or on a schedule to find out when clients last connected. This can give administrators a real-time view of exactly how many clients are on the network at once. In addition, however, the Client Health tool also displays information about clients that have connected, but may be having problems such as duplicate unique identifiers.
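The first three daily checks above (clients that have not reported within one-and-a-half times the inventory interval, machines sharing an SMS unique ID, and machine resources without a client) expressed over discovery data, as an added Python example; this is not the book's code, nor the SMS reports or WQL themselves. The records are constructed and the GUIDs are placeholders; the field names follow the SMS_R_System attributes the WQL query above selects (Name, SMSUniqueIdentifier, Client), with a LastReport date standing in for the last inventory or discovery time the report uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STALE_FACTOR = 1.5  # the chapter's rule: flag clients silent for 1.5x the inventory interval


def stale_clients(records, now, inventory_interval_days):
    """Names of client machines whose last inventory/discovery report is older than
    STALE_FACTOR * inventory_interval_days (weekly inventory -> 10.5 days), or absent."""
    limit = timedelta(days=STALE_FACTOR * inventory_interval_days)
    stale = []
    for r in records:
        if not r["Client"]:          # no client at all: reported by no_client(), not here
            continue
        last = r["LastReport"]
        if last is None or now - last > limit:
            stale.append(r["Name"])
    return stale


def duplicate_unique_ids(records):
    """SMSUniqueIdentifier -> sorted names, for identifiers shared by more than one
    machine (the cloned-image problem described above)."""
    by_id = defaultdict(list)
    for r in records:
        if r["SMSUniqueIdentifier"]:
            by_id[r["SMSUniqueIdentifier"]].append(r["Name"])
    return {uid: sorted(names) for uid, names in by_id.items() if len(names) > 1}


def no_client(records):
    """Machine resources without a client. The chapter's WQL tests Client = NULL
    (never installed); this also treats Client = 0 (reported as not installed) as
    a nonclient, which is an extension of that query."""
    return [r["Name"] for r in records if not r["Client"]]


NOW = datetime(2006, 10, 4, 8, 0, 0)


def rec(name, uid, client, days_ago):
    return {"Name": name, "SMSUniqueIdentifier": uid, "Client": client,
            "LastReport": None if days_ago is None else NOW - timedelta(days=days_ago)}


# Constructed sample: the GUIDs are placeholders, not real client identifiers.
SAMPLE_RECORDS = [
    rec("WS01", "GUID:00000000-0000-0000-0000-000000000001", 1, 2),
    rec("WS02", "GUID:00000000-0000-0000-0000-000000000002", 1, 12),   # silent too long
    rec("WS03", "GUID:00000000-0000-0000-0000-000000000002", 1, 1),    # shares WS02's GUID
    rec("WS04", None, None, None),                                     # discovered, no client
    rec("WS05", "GUID:00000000-0000-0000-0000-000000000005", 0, 20),   # client reported gone
]


def daily_report(records=SAMPLE_RECORDS, now=NOW, inventory_interval_days=7):
    """The three checks in one pass, keyed the way an administrator would read them."""
    return {
        "stale": stale_clients(records, now, inventory_interval_days),
        "duplicate_ids": duplicate_unique_ids(records),
        "no_client": no_client(records),
    }


if __name__ == "__main__":
    for key, value in daily_report().items():
        print(key, value)
```

With weekly inventory the threshold is 10.5 days, so WS02 (silent for 12 days) is flagged while WS03, which shares its identifier but reported yesterday, is not; the shared GUID surfaces in the duplicate check instead. Shortening the interval tightens the staleness threshold accordingly.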
Repairing Client Issues

All of the problems detected in the preceding sections should be repairable. Administrators can take advantage of a wealth of tools to fix SMS 2003 client issues. The following should be found in the toolkit of any SMS 2003 administrator.
❑ WMIDiag.exe: A free download from Microsoft, this tool diagnoses WMI issues and reports the steps needed to repair them.
❑ The SMS 2003 Toolkit: Another free Microsoft download. It contains client-specific utilities such as tranguid.exe, which helps fix problems with duplicate unique identifiers. The SMS Toolkit also includes the irreplaceable SMS Trace.
❑ PSTools: A toolkit unto itself, this free download from www.sysinternals.com has many utilities geared toward remote management.
❑ CCMClean: Another tool in the SMS Toolkit, this one deserves a note of its own. CCMClean is the best way to remove the SMS client from a resource. (Warning! CCMClean will also remove management points. Read the accompanying documentation closely before running it on a site system.)
❑ CCRMan 2004: Once you have removed a client with CCMClean, you will typically want to reinstall it. Use CCRMan 2004 or a similar utility to create CCR files; CCRMan 2004 has the added benefit of automatically copying the CCR files to a specified CAP.
Intersite Communication Issues

Finally, connectivity issues can plague SMS administrators, particularly in locked-down networks. Connectivity issues typically result from access problems or from firewall port configurations. Access permission issues are generally easy to troubleshoot once identified; both log files and status messages give a good indication of where the problem lies. In advanced security, for example, the most common problem is a site system's machine account not having access to write to the SQL database. In that case, the log entries quickly direct the administrator to add the site system's machine account to the site server's SMS_SiteSystemToSQLConnection_<sitecode> group. Firewall issues can be a bit more troublesome, but configuring ports before SMS 2003 is deployed greatly reduces later problems. When in doubt, monitor the firewall logs while a connection is being attempted to identify which port is being blocked. The ports in the following table should be opened before SMS 2003 is installed to provide the greatest chance of success. Treat the table as a starting point rather than an authority: a few rows do not match the normal protocol assignments (NetBIOS session service on 139 is TCP only, and LDAP 389/636 is carried to a domain controller rather than to SQL Server), so confirm each rule against what the firewall log shows for your own site.
Source                      Destination                         Port     Protocol
All                         DNS Server or Domain Controller     53       UDP
All                         DHCP Server                         67       UDP
All                         All                                 135      UDP
Remote Control Initiator    Client                              137      UDP
Remote Control Initiator    Client                              138      UDP
All                         WINS Server                         138      UDP
All                         All                                 138      UDP
Remote Control Initiator    Client                              139      UDP
All                         All                                 139      TCP
Parent Site                 Child Site                          389      TCP
Proxy MP                    SQL Server                          389      TCP
Advanced Client             Management Point                    389      Both
Parent Site                 Child Site                          445      TCP
Parent Site                 Child Site                          636      TCP
Proxy MP                    SQL Server                          636      TCP
Advanced Client             Management Point                    636      TCP
Proxy MP                    SQL Server                          1433     TCP
Remote Control Initiator    Client                              1761     TCP
Remote Control Initiator    Client                              1762     TCP
Remote Control Initiator    Client                              1763     TCP
Remote Control Initiator    Client                              1764     TCP
Remote Control Initiator    Client                              2701     TCP
Remote Control Initiator    Client                              2702     TCP
Remote Control Initiator    Client                              2703     TCP
Remote Control Initiator    Client                              2704     TCP
Advanced Client             Management Point                    3268     TCP
Advanced Client             Management Point                    80 (a)   TCP
Remote Control Initiator    Client                              (port and protocol not legible in the source)

(a) The default port can be changed from 80 on a site-by-site basis.
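The script below is an added example, not code from the book, for the access-permission problem described at the start of this section: it enumerates the members of the SMS_SiteSystemToSQLConnection_<sitecode> local group and adds the site system's machine account when it is missing. It assumes a site code of ABC, that the group lives on a computer named SMSServer (the site server, as the text says), and that the site system that cannot reach SQL is MP01 in the domain CORP; all four are placeholders to edit. Run it with cscript as a local administrator of the computer that holds the group.

```vbscript
' Added example (not from the book): inspect and, if needed, fix membership of the
' SMS_SiteSystemToSQLConnection_<sitecode> group using the ADSI WinNT provider.
' Assumptions: site code "ABC", group on "SMSServer", site system "MP01" in "CORP".
Option Explicit

Const SITE_CODE   = "ABC"
Const GROUP_HOST  = "SMSServer"   ' computer that holds the local group
Const DOMAIN      = "CORP"
Const SITE_SYSTEM = "MP01"        ' the site system that cannot write to SQL

Dim grp, member, acctPath
Set grp = GetObject("WinNT://" & GROUP_HOST & "/SMS_SiteSystemToSQLConnection_" & SITE_CODE & ",group")

WScript.Echo "Current members of " & grp.Name & " on " & GROUP_HOST & ":"
For Each member In grp.Members
    WScript.Echo vbTab & member.Name & " (" & member.Class & ")"
Next

' The WinNT provider exposes a computer account as a user named <computer>$
acctPath = "WinNT://" & DOMAIN & "/" & SITE_SYSTEM & "$"
If grp.IsMember(acctPath) Then
    WScript.Echo SITE_SYSTEM & "$ is already a member; look elsewhere (SQL login, firewall)."
Else
    grp.Add acctPath
    WScript.Echo "Added " & SITE_SYSTEM & "$ to " & grp.Name & "; re-check the component log for the SQL connection."
End If
```

Listing the members first is deliberate: seeing an unexpected account in this group is as much a finding as a missing one, because every member can write to the site database.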
Summary

In this chapter, I have discussed several methods of identifying problems with an SMS 2003 hierarchy and its clients. Status messages, logs, and Web Reports give the administrator a very full view when troubleshooting. In addition, I provided a sample maintenance plan; implementing such a plan will greatly improve the long-term health of an SMS 2003 hierarchy. I realize that the preceding is not a comprehensive SMS 2003 troubleshooting guide, but it should be enough to start most administrators down the right road. An SMS 2003 hierarchy can be broken. My recommendation is to build a lab that mimics your production hierarchy and find out how many ways you can break it. The troubleshooting tools and tips discussed in this chapter should help you put it back together again and prepare you for when it happens on a more critical site. In Chapter 15, I discuss some of the third-party offerings that you can install within your SMS 2003 environment to take SMS 2003 to the next level, along with a few websites that are favorites of many SMS administrators. The tools I discuss are mostly free tools written by SMS administrators to handle certain tasks within their own organizations and then provided as downloads for you to use within yours; they are must-haves for any SMS administrator.
Chapter 15: Using Third-Party Solutions

In this chapter, I discuss how SMS 2003 can be extended with third-party solutions that administer various aspects of SMS without using the SMS Administrator console. These tools are not supported by Microsoft; they were developed to make up for functionality the SMS Administrator console lacks, or because their authors needed expanded functions for their own environments. This chapter discusses the tools and websites that should be in every SMS administrator's toolbox. They provide administrators with more control, better management, and/or solutions not included with SMS 2003. Again, the tools covered in this chapter are not supported by Microsoft.
www.myITforum.com

myITforum.com, Inc. is the premier online destination for IT professionals responsible for managing their corporations' Microsoft Windows systems, and it is especially useful for IT professionals working with Microsoft Systems Management Server. The centerpiece of myITforum.com is a collection of member forums where IT professionals actively exchange technical tips, share their expertise, and download utilities that help them better manage their Windows environments. myITforum.com also includes email discussion lists and web blogs. myITforum.com, Inc. is owned and managed by Rod Trent, CEO and President. He is also the author of the best-selling books Microsoft SMS Installer, Admin911: SMS, and IIS 5.0: A Beginner's Guide. Rod is also a Microsoft Most Valuable Professional (MVP), an honor awarded by Microsoft to "standouts in technical communities who share a passion for technology and spirit of community." The site has two other corporate officers, Megan Trent, Vice President, and Ron Crumbaker, Chief Technical Officer. The email discussion lists on myITforum.com are valuable to the SMS beginner and to the seasoned professional alike, and they are a necessity for any Windows management administrator. Microsoft employees are very active on these lists and provide solutions and feedback about issues the community is having with SMS.
www.FAQshop.com

By housing everything under one roof, FAQShop.com endeavors to provide a "one-stop shop" for systems management questions, answers, and utilities. Its prime goal is to help administrators use systems management technology to make their lives easier, not to let technology control people's lives, a goal reflected in the site's mission statement: Ensuring you get the best of IT. FAQShop was founded by Cliff Hobbs, a United Kingdom–based systems management consultant who specializes in the various systems management tools covered by the site, including Microsoft Systems Management Server (SMS). In recognition of his knowledge of SMS and his willingness to share his information and help others, Microsoft awarded Cliff an MVP award in January 2004.
www.sms-alliance.com

The SMS Alliance is a consortium of companies that pool their resources to strengthen the capabilities and benefits of SMS. It consists of 1E, Macrovision, Intrinsic, PS'Soft, Quest, and iAnywhere, who together offer an overall solution for extending SMS 2003: a large collection of SMS tools and products, a one-stop shop of SMS 2003 extenders to help you manage your environment, and SMS management of a variety of devices within mixed-platform environments. The SMS Alliance mission statement sums up what they offer the SMS community: "The SMS Alliance mission is to provide organizations with best-of-breed solutions and services to enhance and extend the capabilities and benefits of SMS, enabling organizations to reduce operational costs and simplify systems management."
1E

One of the founding members of the SMS Alliance, 1E (www.1e.com) is a company on the cutting edge of systems management. It enhances and extends Microsoft management and deployment technologies, delivering advanced automation and reporting across the enterprise. 1E works closely with Microsoft and continues to build on that association; in fact, Microsoft is a 1E customer. The tools that 1E offers can fit any infrastructure; some of them, such as Shopping and NightWatchman, are "must haves" for most SMS organizations. As the pioneer of SMS and Wake-On-LAN technology with SMSWakeUp, 1E further enhances environments with NightWatchman, which can automatically save user data and shut down systems, increasing software distribution and patching success rates and significantly reducing energy costs across an enterprise. The OSD Plus Pack with SMSNomad integration allows operating systems and software to be distributed to any site without the need for server hardware, while remaining network efficient through peer distribution and multicast integration. Shopping from 1E is also a great tool to empower the user community and integrate them with the SMS process; it eliminates manual processes by providing a shopping-cart interface for software deployment that can meet both individual requests and site-specific needs. Additionally, DeskMon from 1E is becoming the go-to tool for companies with point-of-sale or kiosk systems. In Chapter 16, I discuss the Client Health Script, a script created by Richard Threlkheld of 1E. This tool was originally scripted by Richard and enhanced through the SMS community with feedback and testing. This script is a great way to ensure that your clients are healthy and up to date with the latest client build. 1E will include the Client Health features in the next version of their SMSWakeUp tool, which will allow automatic resolution of any client health problems.
Macrovision Corporation

Another founding member of the SMS Alliance, Macrovision Corporation (www.macrovision.com) is a recognized leader in software deployment packaging, software installation, and software updating solutions. They offer one of the best software packaging tools, AdminStudio, which provides a rich set of automated tools for packaging and preparing today's complex programs for deployment. Macrovision has released a free version of AdminStudio called the FLEXnet AdminStudio SMS Edition.

Intrinsic Technologies

As a founding member of the SMS Alliance, Intrinsic Technologies (www.intrinsic.net) offers consulting services to integrate SMS 2003 into any environment. They work closely with other members of the SMS Alliance to provide services for successful migrations or new installations of SMS 2003.

PS'SOFT

As a founding member of the SMS Alliance, PS'SOFT (www.pssoft.com) offers extenders for SMS 2003 that focus on IT asset management. They offer a web-based software cataloging system called SMS Software Requests. The system allows users to order software, and in return SMS distributes the software to their desktops.

Vintela

Another founding member of the SMS Alliance, Vintela (www.vintela.com) offers a seamless solution to extend the security and compliance of Microsoft Active Directory to Unix, Linux, and other platforms and applications. They offer solutions that help IT administrators manage Unix, Linux, and Mac systems using SMS 2003. Vintela is now part of Quest Software.

iAnywhere

The last founding member of the SMS Alliance, iAnywhere (www.iAnywhere.com) offers frontline security and management to SMS and provides extensions to manage your enterprise's mobile and wireless devices through SMS.
SMSView

SMSView is a utility that extends the functionality of the Microsoft Systems Management Server 2003 advanced client (see Figure 15-1). SMSView allows you to perform the following actions on an SMS advanced client:
❑ Allow nonadmin users to view current mandatory assignments and advertisement status
❑ View advertisement history (past 60 days)
❑ View current mandatory assignments
❑ Rerun advertisements
❑ Remote operations (remotely view and manage the SMS client)
❑ Display hardware/software inventory status
❑ Display management point/proxy management point
❑ Repair the SMS advanced client
SMSView can be used as a command-line tool to view these properties on a local or remote client. The SMS Administrator console can also be extended so that you can launch SMSView by right-clicking a computer resource in a collection.

Figure 15-1: The SMSView window. Callouts on the figure: Computer Name (a screen refresh queries whatever is in this box); Machine or User Advert; Logoff Required?; Error returned from Advert (updated as the advert executes); click the >>>'s to re-run a program; displays the last 60 days of advert history for the client; shows the current MP or Proxy MP if available; shows the last start time for each advert; Refreshes Policy Only; Forces client Machine repair (several minutes to complete); check this box to prevent Auto-Refresh (every 30 seconds); the schedule display currently works only for weekly recurring and simple schedules.
SMSView can be downloaded from www.smsview.com. The author, Greg Ramsey, is very active on the email lists and forums found at www.myITforum.com. Greg is also a Microsoft MVP for SMS.
SMS 2003 Monster MOF

The experts at www.SMSExpert.com have created many great tools for SMS 2003. They also offer the Monster MOF, a MOF file that contains several new classes that improve SMS hardware inventory capabilities. The Monster MOF enhances inventory data without requiring intimate knowledge of the SMS_DEF.MOF file, and it is extremely easy to implement. To use the Monster MOF, download it from www.smsexpert.com and then simply copy the text in full and paste it to the end of your existing sms_def.mof file. Many new classes are included in the Monster MOF; some are enabled by default and others are disabled. A class is enabled or disabled by uncommenting or commenting out its section: if you do not want a class, comment out the entire block of code for that class with /* and */, or simply delete the block. Commenting out is usually the better choice, because you might need the section later. Likewise, if you need one of the classes that ships disabled, simply remove the /* and */ around its block. Here is a brief look at some of the code within the Monster MOF from SMS Expert:
//
Watch for word-wrap when viewing this file. I recommend downloading the file from www.smsexpert.com if you need a newer revision. To download the Monster MOF, go to www.smsexpert.com/mof/MOFRepository/CompleteMonsterMof.zip.
The advanced client handles SMS_DEF.MOF differently than the legacy client. The advanced client never receives a copy of SMS_DEF.MOF; the site server compiles the file and delivers the resulting inventory rules to advanced clients as policy. Policy can only tell a client to report classes that already exist in its local WMI repository, so the new classes the Monster MOF defines will not be inventoried until each advanced client's WMI repository has been updated with them. To get the information into WMI so the inventory process picks up the new classes, do the following:
❑ Leave the classes defined in the default SMS 2003 SMS_DEF.MOF alone.
❑ Do not replace the SMS 2003 SMS_DEF.MOF file.
❑ Copy and paste the code from the Monster MOF to the end of the default SMS_DEF.MOF file on the site server.
❑ Create a package to run MOFCOMP on all the advanced clients. The package must contain the updated SMS_DEF.MOF file so that it can copy it to each client and then run %windir%\system32\wbem\mofcomp %temp%\sms_def.mof, which updates the local WMI class definitions.
❑ Launch hardware inventory.
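The following is an added example, not code from the book or from SMS Expert, of the program such a package can run on each advanced client to carry out the last two steps above. It compiles the updated sms_def.mof (placed in the package source next to the script) into the local WMI repository, confirms that a class you expect from the Monster MOF now exists, and triggers a hardware inventory cycle so the new data is reported right away. The class name to verify is taken from the first command-line argument; the default Win32Reg_ExampleClass is a placeholder, not a real Monster MOF class. Run it as cscript //nologo deploymof.vbs <ClassName> under the package's administrative-rights context; it exits non-zero on failure so that the advertisement status reports the problem.

```vbscript
' Added example (not from the book or SMS Expert): client-side program for the
' MOFCOMP package. Compiles sms_def.mof, verifies a class, triggers hardware inventory.
' Assumption: sms_def.mof sits beside this script; the class name is argument 1
' ("Win32Reg_ExampleClass" below is a placeholder, not a real Monster MOF class).
Option Explicit

Const HW_INVENTORY_SCHEDULE = "{00000000-0000-0000-0000-000000000001}"  ' SMS_Client hardware inventory cycle

Dim fso, shell, scriptDir, mofPath, logPath, checkClass, rc
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
scriptDir = fso.GetParentFolderName(WScript.ScriptFullName)
mofPath = fso.BuildPath(scriptDir, "sms_def.mof")
logPath = fso.BuildPath(shell.ExpandEnvironmentStrings("%TEMP%"), "monstermof.log")

If WScript.Arguments.Count > 0 Then
    checkClass = WScript.Arguments(0)
Else
    checkClass = "Win32Reg_ExampleClass"   ' placeholder; pass a class you enabled
End If

If Not fso.FileExists(mofPath) Then
    WScript.Echo "sms_def.mof not found in " & scriptDir
    WScript.Quit 2
End If

' 1. Compile into the local repository. mofcomp also logs under %windir%\system32\wbem\logs,
'    but capturing its console output gives a per-client record of any syntax error.
rc = shell.Run("cmd /c """"%windir%\system32\wbem\mofcomp.exe"" """ & mofPath & """ > """ & logPath & """ 2>&1""", 0, True)
If rc <> 0 Then
    WScript.Echo "mofcomp failed with exit code " & rc & "; see " & logPath
    WScript.Quit rc
End If

' 2. Verify that the expected class is now present in root\cimv2
Dim cls
On Error Resume Next
Set cls = GetObject("winmgmts:\\.\root\cimv2:" & checkClass)
If Err.Number <> 0 Then
    WScript.Echo "Class " & checkClass & " still missing after mofcomp (0x" & Hex(Err.Number) & ")"
    WScript.Quit 3
End If
On Error GoTo 0

' 3. Kick off hardware inventory so the site receives the new classes now rather
'    than at the next scheduled cycle
Dim smsClient
Set smsClient = GetObject("winmgmts:\\.\root\ccm:SMS_Client")
smsClient.TriggerSchedule HW_INVENTORY_SCHEDULE
WScript.Echo "Compiled " & mofPath & ", verified " & checkClass & ", hardware inventory triggered"
WScript.Quit 0
```

Checking for the class after compiling is what turns a silent mofcomp syntax error into a visible advertisement failure; without it the package reports success on every client while the new inventory never arrives.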
SMS Expert offers other tools to help the SMS administrator. The SMS Companion adds highly manageable real-time capabilities to SMS; it is a deeply integrated add-on for SMS 2003 with the advanced client. The SMS Companion provides server push capabilities, load leveling and excluded hours, administrative control, Wake-on-LAN, and other real-time operations. Server push allows instant client actions, so you can perform important operations quickly. The Wake-on-LAN feature lets you "wake up" machines that are powered off, so you do not miss any systems; it saves energy because PCs do not need to be on all the time, and it means you won't have to perform make-up software installations because you missed a machine that was powered off.
SMS 2003 Web Remote Tools

The SMS 2003 Web Remote Tools were created and modified by Ron Crumbaker, the author of this book. I created Remote Tools to assist SMS administrators and to allow client administration from a web page. You can find the tools on www.myITforum.com. Many people have emailed me to express their appreciation for Remote Tools, and many users have customized it to fit their own organizational needs and demands. One of those users, Sherry Kissinger, showed me what she has done with Web Remote Tools. Sherry said the following about the Web Remote Tools:

In mid-2005, our company began using Ron Crumbaker's Web Remote Tools page. It was first used by the small desktop management team; within a few weeks, all of technology (~70 people) were given rights and a brief tutorial. Since then, the web page is almost always launched for Helpdesk personnel (internally known as the Technology Assistance Center, or TAC). The ability to get a call from a user and, within less than a minute, look up their computer (Lookup User), input the computer name, and from that launch multiple tools to help the user with their issue has increased response time and has contributed to increasing user confidence in the TAC. For example, from a username: lookup user, get the computer name. From the computer name: get to "Manage," and look at event logs. Being able to tell the user something like "I see xyz application reported an error 80003332a in the Application log; according to our internal documentation, there is a known fix, let me remote into your computer and fix that for you." Being able to diagnose a problem before remoting in is always impressive to the user. It seems, though, that the users are not impressed with our knowing their computer name before they tell it to us. Over the past year, at the request of TAC and other technicians, we've added additional buttons to the original Web Remote Tools page. With a little scripting knowledge, modifying the .asp wasn't too difficult. Because it was customizable to our environment, it helped propel the tool to indispensable.
Sherry has been instrumental in helping me develop the next release of the Web Remote Tools; much of the customization she has made at Foley will be incorporated into the next release. The Web Remote Tools page, shown in Figure 15-2, can be easily customized by editing the underlying ASP pages. Basic knowledge of HTML and ASP is required to edit these pages.
Figure 15-2
You can find the instructions and download files online at http://www.myitforum.com/articles/19/view.asp?id=8662. The machrest.asp code is listed here. The machrest.asp page is the main part of the website; it contains the majority of the functions used within the Web Remote Tools. To use it, Corey Becht's Right Click Tools, which I discuss later in this chapter, must be loaded; the SMS Administrator console must be installed on any workstation that will use this tool; and the subcollections must be set up for the push package to work properly. Note that the page does its work on the client side: the VBScript below creates WScript.Shell and WMI objects inside Internet Explorer, which only works when the site sits in a zone that permits scripting of ActiveX controls not marked safe for scripting. Confine that zone setting to the administrators who use the page, serve the page only to authenticated users, and remember that every button runs with the rights of the person who clicked it, against whatever computer name was typed in the box.
Web Remote Tools Code (machrest.asp)

Navigator
<meta content="False" name="vs_snapToGrid">
<meta content="True" name="vs_showGrid">
<meta content="Client (IE 4.0 DHTML)" name="VI60_DTCScriptingPlatform">
<meta content="JavaScript" name="VI60_defaultClientScript">
<style>
.node { MARGIN-TOP: 5px; FONT-WEIGHT: normal; FONT-SIZE: 8pt; MARGIN-LEFT: 14px; CURSOR: hand; COLOR: black; FONT-FAMILY: Arial; text-indent: -14 }
.tree { FONT-WEIGHT: bold; FONT-SIZE: 8pt; CURSOR: help; COLOR: black; FONT-FAMILY: Arial }
</style>
<script language="VBScript">
' Code for populating the drop-down menu with the sub-collections. Taken from
' Michael Shultz's example on myITforum.com, modified slightly to work with SMS 2003.
Sub FillInCollections
    Dim oCollection      ' SMS_Collection object
    Dim oCollectionSet   ' Collection of SMS_Collection objects
    Dim strQuery         ' String for the query
    Dim lLocator         ' SWbemLocator object
    Dim gService         ' SWbemServices object
    Dim strSiteServer, strSiteCode, strStandingAdvertID

    strSiteServer = "SMSServer"
    strSiteCode = "SMSSiteCode"
    ' Topmost CollectionID of the collection tree you want in the drop-down (for example "XR10001c")
    strStandingAdvertID = "SMS0001B"

    Set lLocator = CreateObject("WbemScripting.SWbemLocator")
    Set gService = lLocator.ConnectServer(strSiteServer, "root/sms/site_" & strSiteCode)

    ' Build the query and execute it: all sub-collections under the Standing Adverts collection
    strQuery = "Select SMS_Collection.Name, SMS_Collection.CollectionID " & _
               "From SMS_CollectToSubCollect INNER JOIN SMS_Collection " & _
               "On SMS_CollectToSubCollect.SubCollectionID = SMS_Collection.CollectionID " & _
               "Where SMS_CollectToSubCollect.parentCollectionID=" & Chr(34) & strStandingAdvertID & Chr(34) & _
               " Order By SMS_Collection.Name"
    Set oCollectionSet = gService.ExecQuery(strQuery)
    ' Check to see if the query returned no records
    If oCollectionSet.Count = 0 Then
        MsgBox "Query returned 0 records"
    Else
        ' Write each one to an <option> of the drop-down. The <option> markup was lost
        ' in the printed listing; it is rebuilt here as value = CollectionID and
        ' text = Name, which is what SndBtn_OnClick reads back from the list.
        For Each oCollection In oCollectionSet
            document.write("<option value=""" & oCollection.CollectionID & """>" & oCollection.Name & "</option>")
        Next
    End If
End Sub
</script>

<% Set myReporting = Server.CreateObject("SMSComponent.SMSReporting") %>

<script language="VBScript">
Dim ServerName   ' site server name used by the ping checks below; set it for your site
Dim DataBase

' Remote Control button. Pings the computer name first to ensure it is online,
' then opens the remote connection.
Sub Btnl_OnClick
    Dim CompName, oWshShell, objPing, path, TraceResult, Addresses
    CompName = document.frmMain.txtValue.value
    If Len(Trim(CompName)) = 0 Then
        MsgBox "Please type a Machine Name.", , "SMS 2003 Remote Control"
    Else
        Set oWshShell = CreateObject("WScript.Shell")
        ' The following lines will need to be edited for your location
        Set objPing = GetObject("winmgmts://SMSServer/root/default:PingPoller")
        path = "\\SMSServer\remote$\remote.exe"
        objPing.Trace CompName, "30", "1000", "1", TraceResult, Addresses
        If TraceResult <> 0 Then
            MsgBox "Machine did not respond to ping.", , "SMS 2003 Remote Control"
        Else
            ' You will need to edit the following line to fit your environment.
            oWshShell.Run path & " 2 " & Addresses(UBound(Addresses)) & " \\SMSServer\", 0, False
        End If
    End If
End Sub

' System Resources button. Opens ReportID 1 from the SMS reporting point, passing
' the computer name from the text box to the report.
Sub Btnl2_OnClick
    On Error Resume Next
    Dim CompName
    CompName = document.frmMain.txtValue.value
    ' You will need to edit the following line to fit your environment.
    parent.frames.output.location.href = "/SMSReporting_sms/Report.asp?ReportID=1&variable=" & CompName
End Sub

' This button is not being used.
' Sub Btnl11_OnClick
'     Dim CompName, oWshShell
'     CompName = document.frmMain.txtValue.value
'     If Len(Trim(CompName)) = 0 Then
'         MsgBox "Please type a Machine Name.", , "System Resources"
'     Else
'         Dim cn
'         Set cn = CreateObject("ADODB.Connection")
'         ConnectString = "Provider=SQLOLEDB;Data Source=yourserver;Initial Catalog=sms_yoursitecode;Integrated Security='SSPI'"
'         cn.ConnectionString = ConnectString
'         cn.Open
'         Set rs = CreateObject("ADODB.Recordset")
'         rs.ActiveConnection = cn
'         ' Note: CompName is concatenated straight into the SQL text. If this block is ever
'         ' re-enabled, pass it as a parameter of an ADODB.Command instead.
'         rs.Open "Select CPU.name0, MEM.TotalPhysicalMemory0, LDISK.freespace0 " & _
'                 "from v_GS_PROCESSOR CPU, v_GS_X86_PC_MEMORY MEM, v_GS_LOGICAL_DISK LDISK " & _
'                 "where CPU.resourceid = MEM.resourceid And CPU.resourceid = LDISK.resourceid " & _
'                 "And LDISK.Name0 = 'C:' And LDISK.SystemName0 = '" & CompName & "'"
'         If Not rs.EOF Then
'             ' TotalPhysicalMemory0 is reported in KB
'             line = "CPU: " & rs.Fields(0) & vbCr & "MEM: " & Round(rs.Fields(1) / 1024) & "Mb" & vbCr & "Free Space: " & rs.Fields(2) & "Mb"
'             MsgBox line, , "System Resources"
'         Else
'             MsgBox "Machine Name not found.", , "System Resources"
'         End If
'         rs.Close
'         cn.Close
'     End If
' End Sub

' This button will find the current user of the computer named in the text box.
Sub Btnl3_OnClick
    On Error Resume Next
    Dim CompName, objPing, PingResult, objSWbemServices, colSWbemObjectSet, objSWbemObject
    CompName = document.frmMain.txtValue.value
    If Len(Trim(CompName)) = 0 Then
        MsgBox "Please type a Machine Name.", , "Current Logged on User"
    Else
        Set objPing = GetObject("winmgmts://" & ServerName & "/root/default:PingPoller")
        objPing.Ping CompName, "100", "1", PingResult
        If PingResult <> 0 Then
            MsgBox "Machine did not respond to ping.", , "Current Logged on User"
        Else
            Set objSWbemServices = GetObject("winmgmts:\\" & CompName & "\root\cimv2")
            Err.Clear
            Set colSWbemObjectSet = objSWbemServices.ExecQuery("SELECT * FROM Win32_ComputerSystem")
            For Each objSWbemObject In colSWbemObjectSet
                MsgBox "User Name: " & objSWbemObject.UserName, , "Current Logged on User"
            Next
        End If
    End If
End Sub

' Opens ReportID 97 (Add/Remove Programs) from the SMS reporting point, sorted by software name.
Sub Btnl4_OnClick
    On Error Resume Next
    Dim CompName
    CompName = document.frmMain.txtValue.value
    If Len(Trim(CompName)) = 0 Then
        MsgBox "Please type a Machine Name.", , "Add-Remove Programs"
    Else
        ' You will need to edit the following line to fit your environment.
        parent.frames.output.location.href = "/SMSReporting_SMS/Report.asp?ReportID=97&computername=" & CompName & "&SortRs1Col=1&SortRs1Dir=1"
    End If
End Sub
' Opens ReportID 12 from the SMS reporting point: the systems that the user named in
' the user text box has logged on to.
Sub Btnl5_OnClick
    On Error Resume Next
    Dim CompUser
    CompUser = document.frmMain.LLUValue.value
    parent.frames.output.location.href = "/SMSReporting_SMS/Report.asp?ReportID=12&variable=" & CompUser
End Sub

' Opens the Admin Account page, from which accounts can be unlocked and passwords reset.
Sub Btnl6_OnClick
    ' You will need to edit the following line to fit your environment.
    parent.frames.output.location.href = "/smsremote/Admin.asp"
End Sub

' Opens Resource Explorer for the computer in question.
Sub Btnl7_OnClick
    Dim WShell, CompName
    CompName = document.frmMain.txtValue.value
    Set WShell = CreateObject("WScript.Shell")
    ' You will need to edit the following line to fit your environment.
    WShell.Run "mmc C:\smsadmin\bin\i386\explore.msc -s -sms:ResExplrQuery=" & Chr(34) & _
               "Select ResourceID From SMS_R_SYSTEM Where Name = '" & CompName & "'" & Chr(34) & _
               " -sms:connection=\\SMSServer\root\sms\site_sitecode"
End Sub

' Opens Computer Management (compmgmt.msc) connected to the computer.
Sub BtnManger_OnClick
    On Error Resume Next
    Dim WShell, CompName, ipath, objPing, PingResult
    CompName = document.frmMain.txtValue.value
    Set WShell = CreateObject("WScript.Shell")
    Set objPing = GetObject("winmgmts://" & ServerName & "/root/default:PingPoller")
    objPing.Ping CompName, "100", "1", PingResult
    If PingResult <> 0 Then
        MsgBox "Machine did not respond to ping.", , "SMS 2003 Manage"
    Else
        ipath = "mmc %SystemRoot%\system32\compmgmt.msc -s /computer:" & CompName
        WShell.Run ipath
    End If
End Sub

' This button adds the named system to the selected collection.
Sub SndBtn_OnClick
    Dim i                ' Index into the drop-down list
    Dim strCollID        ' CollectionID of the selected collection
    Dim ResID            ' ResourceID of the system
    Dim CompName         ' Computer name of the system
    Dim lLocator         ' SWbemLocator object
    Dim gService         ' SWbemServices object
    Dim oSystem          ' SMS_R_System object
    Dim oSystemSet       ' Collection of SMS_R_System objects
    Dim oCollRule        ' SMS_CollectionRuleDirect object
    Dim oCollection      ' SMS_Collection object
    Dim oCollSet         ' Collection of SMS_Collection objects
    Dim oElement         ' Screen element on the page

    ' Retrieve the collection ID from the drop-down list
    i = document.frmMain.select1.selectedIndex
    strCollID = document.frmMain.select1.options(i).Value
    If strCollID = "-1" Then Exit Sub

    ' Change the cursor to an hourglass
    For Each oElement In document.all
        oElement.style.cursor = "wait"
    Next

    ' Connect to the SMS namespace on the SMS server
    Dim strSiteServer, strSiteCode
    ' You will need to edit the following lines to fit your environment.
    strSiteServer = "SMSServer"
    strSiteCode = "sitecode"
    Set lLocator = CreateObject("WbemScripting.SWbemLocator")
    Set gService = lLocator.ConnectServer(strSiteServer, "root/sms/site_" & strSiteCode)

    ' Get the SMS record for the selected computer
    CompName = document.frmMain.txtValue.value
    Set oSystemSet = gService.ExecQuery("Select * From SMS_R_System Where Name = " & Chr(34) & CompName & Chr(34))
    If oSystemSet.Count = 1 Then
        For Each oSystem In oSystemSet
            ResID = oSystem.ResourceID
        Next
    Else
        ' Zero records means the name is unknown; more than one means a duplicate name
        MsgBox "Error: system not found or duplicate system name."
        ' Change the cursor back
        For Each oElement In document.all
            oElement.style.cursor = "auto"
        Next
        Exit Sub
    End If
    ' Create the rule to add the system to the collection
    Set oCollRule = gService.Get("SMS_CollectionRuleDirect").SpawnInstance_()
    oCollRule.ResourceClassName = "SMS_R_System"
    oCollRule.RuleName = CompName
    oCollRule.ResourceID = ResID

    ' Query to retrieve the desired collection
    Set oCollSet = gService.ExecQuery("Select * From SMS_Collection Where CollectionID = " & Chr(34) & strCollID & Chr(34))
    If oCollSet.Count = 0 Then
        MsgBox "Error: Query returned 0 records"
    Else
        For Each oCollection In oCollSet
            ' Add the rule (the system) to the collection
            oCollection.AddMembershipRule oCollRule
            MsgBox oCollection.Name & " will be advertised to " & CompName
            ' Run the Refresh Policy routine so the client picks up the new advertisement
            Refreshbtn_OnClick
        Next
    End If

    ' Change the cursor back
    For Each oElement In document.all
        oElement.style.cursor = "auto"
    Next
End Sub

Sub txtValue_OnClick
    If document.frmMain.txtValue.value = "<>" Then
        document.frmMain.txtValue.value = ""
    End If
End Sub

' Opens a Remote Desktop (console) session to the computer named in the text box.
Sub Btnl9_OnClick
    Dim CompName, WShell, ipath
    CompName = document.frmMain.txtValue.value
    Set WShell = CreateObject("WScript.Shell")
    ipath = "MSTSC /v:" & CompName & " /Console"
    WShell.Run ipath
End Sub

' Opens an unsolicited Remote Assistance session (Windows XP Help and Support Center)
' to the computer named in the text box.
Sub Btnl10_OnClick
    Dim CompName, WshShell
    Set WshShell = CreateObject("WScript.Shell")
    CompName = document.frmMain.txtValue.value
49508c15.qxd:WroxPro
10/4/06
12:40 AM
Page 244
Chapter 15: Using Third-Party Solutions Web Remote Tools Code (continued) WshShell.Run “%windir%\pchealth\helpctr\binaries\helpctr.exe -FromStartHelp “ & _ “-url hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Es calation/unsolicited/SMSUnsolicitedRCUI.htm “ & _ “-ExtraArgument “ & “NOVICECOMPUTER=” & CompName & “”“” End Sub ‘Sends Refresh policy to the computer from the textbox. Sub Refreshbtn_onClick dim CompName DIM vbsPath CompName = document.frmMain.txtValue.value Set WShell = CreateObject(“WScript.Shell”) vbspath = “%SystemRoot%\system32\wscript.exe C:\WINDOWS\smssend.vbs {00000000-0000-0000-0000-000000000021} “ & CompName & “ 1” wShell.run vbspath End Sub Sub BtnRepairClient_OnClick DIM CompName CompName = document.frmMain.txtValue.value if len(Trim(CompName)) = 0 then MsgBox “Please type a Machine Name.”,,”SMS 2003 Repair Client” Else set oWshShell = CreateObject(“WScript.Shell”) ‘The following lines will need to be edited for your location Set objPing = GetObject(“winmgmts://SMSServer/root/default:PingPoller”) if PingResult <> 0 then msgbox “Machine did not respond to ping.”,,”SMS Client Repair” wscript.quit else err.clear Set smsClient = GetObject(“winmgmts:{impersonationLevel=impersonate}!\\“ &_ CompName & “\root\ccm:SMS_Client”) if err.number <> 0 then msgbox “Unable to access “ & CompName & vbcr &_ “Error: “ & err.description,,”SMS Client Repair” wscript.quit end if smsClient.RepairClient msgbox “Executed Remote SMS Client Repair Request.”,,”SMS Client Repair” end if end if
End Sub Sub Btn29_OnClick on error resume next dim CompUser (continued)
244
49508c15.qxd:WroxPro
10/4/06
12:40 AM
Page 245
Chapter 15: Using Third-Party Solutions Web Remote Tools Code (continued) Compuser = document.frmMain.LLUValue.value if len(trim(Compuser)) = 0 then msgbox “Please type a Part of the User’s First or Last Name.”,,”Lookup UserName” else parent.frames.output.location.href “/SMSReporting_SMS/Report.asp?ReportID=215&variable=%25” & CompUser & “%25” end if End Sub
sub setupvars(sqlname,sqldb) ServerName = SMSSERVER DataBase = sms_sitecode End Sub <% response.write “<script> setupvars “”“ & Session(“SQLDatabase”) & “”“ ” %>
Session(“SQLMachine”) &
“”“,”“” &
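The listing above pastes the text-box values straight into its WQL strings and into the report URL, so a value containing a double quote, a backslash or an ampersand changes the query or the query string rather than being looked up. As an added example (not part of the book's Web Remote Tools code), the Python helpers below validate a computer name and a collection ID before they go into WQL and percent-encode the user-lookup fragment; the function names and the naming rules in the comments are this example's assumptions.

```python
import re
from urllib.parse import quote

# Added example, not from the book's Web Remote Tools listing. The listing builds
#   "Select * From SMS_R_System Where Name = " & chr(34) & CompName & chr(34)
#   "...Report.asp?ReportID=215&variable=%25" & CompUser & "%25"
# from raw text-box values; these helpers validate or encode the value first.

# Assumption: a computer name is a NetBIOS name of 1-15 letters, digits or
# hyphens. Quotes, backslashes and spaces are therefore rejected outright.
_COMPUTER_NAME = re.compile(r"^[A-Za-z0-9-]{1,15}$")
# Assumption: an SMS collection ID is the three-character site code followed by
# five hexadecimal digits, as in SMS00001.
_COLLECTION_ID = re.compile(r"^[A-Z0-9]{3}[0-9A-F]{5}$")


def is_valid_computer_name(name: str) -> bool:
    return bool(_COMPUTER_NAME.match(name))


def build_system_query(comp_name: str) -> str:
    """WQL that looks up the SMS_R_System record for one validated computer name."""
    name = comp_name.strip()
    if not is_valid_computer_name(name):
        raise ValueError(f"not a valid computer name: {comp_name!r}")
    # A validated name cannot contain a double quote, so it is safe inside the literal.
    return f'Select * From SMS_R_System Where Name = "{name}"'


def build_collection_query(collection_id: str) -> str:
    """WQL that looks up the SMS_Collection chosen in the drop-down list."""
    if not _COLLECTION_ID.match(collection_id):
        raise ValueError(f"not a valid collection ID: {collection_id!r}")
    return f'Select * From SMS_Collection Where CollectionID = "{collection_id}"'


def build_user_lookup_url(name_part: str) -> str:
    """Report 215 URL with the user-typed fragment percent-encoded.

    The %25 on either side is the encoded % the book's page uses so the report's
    LIKE search matches partial names; encoding the fragment itself keeps
    characters such as & or # from altering the query string.
    """
    fragment = quote(name_part.strip(), safe="")
    return f"/SMSReporting_SMS/Report.asp?ReportID=215&variable=%25{fragment}%25"
```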
Since the initial release of the SMS Web Remote Tools version 3.21, I have been gathering information from users, such as Sherry, and developing a new version of this tool. As I discuss in Chapter 16, this type of tool is easily customizable by writing your own VBScripts or by using code found on www.myITforum.com email lists, forums, and articles. I will continually post all updates to the Web Remote Tool on my blog (www.myITforum.com/cs2/blogs/rcrumbaker).
Corey Becht’s Right-Click Tools
Corey Becht created one of the best sets of tools for SMS administrators. The tools let you right-click any collection or individual PC within the SMS Administrator console and initiate hardware inventory, reassign the site code, restart the SMS Agent Host service, rerun advertisements without modifying the advertisement, perform discovery, initiate software inventory, create file collections, monitor software metering usage, refresh machine policies, evaluate policies, update Windows Installer sources, change the port number, and change the cache size. They can run against a single computer resource or against all the members of a collection. The SMS Web Remote Tool discussed in the previous section uses them. You can download the tools from www.myITforum.com, where a few other good right-click tools are also available; in Chapter 16, I discuss how you can create your own. To download Corey’s Right-Click Tools, go to www.myitforum.com/articles/8/view.asp?id=7099.
Chapter 15: Using Third-Party Solutions
myITforum Code Repository
The myITforum Code Repository is a Microsoft Access database that contains batch files, command scripts, HTML applications, HTML documents, SMS Installer scripts, JScripts, KiXtart scripts, Perl scripts, SQL scripts, VBScripts, Windows Script Component scripts, Wise files, Windows Script files, SMS queries, and various SMS objects such as custom reports, collections, and queries. The database also lets the user add further item types as desired. The Code Repository, shown in Figure 15-3, also has Code Packs and updates geared to specific areas that contain only the items pertaining to that area of interest. As you can see from the figure, a lot of information is stored in the Code Repository. The database is fully searchable by author, name, type, description, source, and keywords. You can also build your own search from the Advanced tab.
Figure 15-3
From the Main tab, you can run the code you are viewing, save the code to the default folder, import other scripts from a drive or folder, and delete the script. The Code Repository database is a one-stop shop for your scripting needs; if a script is not in there, you can add it in a few simple steps. The full version, which is available online, contains about 4,000 scripts ready to use, study, and enhance.
Microsoft SMS Toolkit 2
Microsoft released a very useful set of tools for SMS called the SMS Toolkit version 2 (http://www.microsoft.com/smserver/downloads/2003/tools/toolkit.mspx). It contains the following tools:
❑ IIS Lockdown 2.1 Template
❑ URLScan 2.5 Template
❑ Policy Spy
❑ SMS Trace
❑ Advanced Client and Management Point Cleaner
❑ Advanced Client Spy
❑ Policy Verifier
❑ Send Schedule
❑ Management Point Spy
❑ Set Preferred Distribution Point and CAP
❑ Delete Certificate
❑ Patch Management Evaluation
❑ Delete Group Class
❑ Transfer SMS ID
❑ Package Loader
❑ Management Point Troubleshooter
❑ Client Site Assignment Verifier
❑ Site Boundary Tool
❑ Create Secondary Site Tool
❑ Create SMS Address Tool
The IIS Lockdown 2.1 Template
This template is used on Windows 2000 servers running Internet Information Systems (IIS) that are SMS 2003 site systems. It disables unnecessary IIS features, reducing the attack surface of the server. Specifically, the template locks down the IIS server by preventing certain verbs (commands) and file extensions from being processed by a Windows 2000 Server running IIS 5.0.
URLScan 2.5 Template
This template serves the same purpose as the IIS Lockdown 2.1 template discussed earlier, except that it is used on Windows Server 2003 machines that are SMS 2003 site systems. It locks down the IIS server by preventing certain verbs and file extensions from being processed by a Windows Server 2003 machine running IIS 6.0.
Policy Spy
Policy Spy lets you view and troubleshoot the policy system on SMS 2003 advanced clients, and it can connect to the policy on a remote computer. Policy Spy, shown in Figure 15-4, displays the policies for the current selection in the details pane. The tool also shows the name of the client computer, its unique SMS ID, the client version, the assigned management point, the local management point, the proxy management point, and the state of the client’s management point.
Figure 15-4
The tool can open policies from a remote computer, open an exported policy file (.xml), trigger requests for machine policies, trigger evaluations of policies, trigger user policies, reset the policies for the site, and export policies.
SMS Trace
SMS Trace is probably the most frequently used component of the SMS 2003 Toolkit 2. It is a log viewer that provides an easy way to view and monitor all SMS logging activity.
SMS Trace, shown in Figure 15-5, allows you to view SMS server and SMS client log files in real time. If you are viewing a log file and information is added to it, SMS Trace automatically refreshes the view. This is much nicer than using Notepad.exe to view the log files, because Notepad will not auto-refresh.
Figure 15-5
Because it has drag-and-drop, SMS Trace is easy to use. (Yes, Microsoft created something for SMS 2003 that has drag-and-drop!) All kidding aside, this is a great log file viewer. You can also use the file menu to open log files. SMS Trace is not just for SMS log files; it can be used for any .log file. The first time you open SMS Trace, you will be prompted to make SMS Trace the default for .log files. Making it the default is very handy; when you double-click on any .log or .lo_ file, SMS Trace will open it automatically.
Advanced Client and Management Point Cleaner
This tool removes advanced clients and management points. The Advanced Client and Management Point Cleaner, CCMCLEAN.EXE, is a command-line-only program. To run it remotely on an advanced client, use the /client switch.
Syntax
ccmclean.exe
The following table shows the command-line switches for ccmclean.exe.
Option                     Description
/?                         Displays Help.
/client                    Removes the advanced client only. This is the default switch.
/mp                        Removes the management point.
/all                       Removes both the advanced client and the management point.
/logdir:<path>             Specifies where the CCMclean log files are stored. By default, the CCMclean log files are stored in the temporary folder of the logged-on user.
/logbackup:<path>          Specifies where to create backup log files.
/keephistory               Preserves software distribution history.
/q                         Runs in quiet mode.
/retry:<count>,<seconds>   If Windows Installer is busy, CCMclean retries <count> times, waiting <seconds> seconds between retries.
Advanced Client Spy
This tool is used to troubleshoot issues relating to advanced client software distribution, inventory, and software metering data. The SMS Advanced Client Troubleshooting tool, shown in Figure 15-6, is also known as CliSpy or Advanced Client Spy. It allows you to connect to local or remote computers and retrieve information about the advanced client’s software distribution, inventory, and software metering.
Figure 15-6
Policy Verifier
The Policy Verifier is used to troubleshoot advertisement targeting issues and connectivity problems between the site database and SMS management points. It is a command-line tool that helps verify advertisement problems, SQL Server replication issues, management point connectivity issues, and policy generation problems.
Syntax
PolicyVerifier.exe
The following table shows the command-line switches for PolicyVerifier.exe.
Option                     Description
/p=<port>                  Sets the port number on which to listen. By default, port 80 is used.