
Microsoft Systems Management Server 2003

• What is SMS and its Capabilities
• SMS Security Modes
• SMS 2003 Architecture Overview
• Advanced Client and Legacy Clients
• Client Discovery Methods (AD)
• Inventory Capabilities
• Software Metering
• Reporting
• SMS 2003 Advantages over 2.0
• SUS update installation process
What is SMS?
• Centralized Systems Management Server
• Supports Microsoft Enterprise OS's and most third party applications
• Configuration control tool for OS, applications, and
• Remote Management (Hardware & Software)
• Remotely install software on computers – Distributing
• Check what kind of hardware (network card, graphics card etc.) is currently used on the computer – Hardware
• Check what kinds of applications are installed or which latest patches are missing – Software Inventory
• Check how many applications are used by clients and what number of licenses we need – Software Metering

What can you do with
• Remotely diagnose / troubleshoot desktops and servers
• Install applications or remotely run
• Patch management
• Manage existing software
• Asset / inventory / resource management

SMS 2003 Capabilities


[Figure: Application Deployment; Remote Control]


SMS Security Modes

• SMS runs in one of two security modes:
  • standard security mode
  • advanced security mode
• The security mode that you enable affects the type and number of accounts used for SMS security. Before you can enable advanced security, certain prerequisites must be met on the SMS site server. Each security mode has its advantages, so you must choose the mode that is appropriate for your SMS sites.

Standard Security Mode

• SMS 2003 standard security is very similar to SMS 2.0 security. Standard security relies on user (not computer) accounts to run services, to make changes to computers, and to connect between computers.
• Advanced security is the recommended security mode. However, you must use standard security if your site does not meet the requirements for installing advanced security.
• Use standard security if you are upgrading directly from an existing SMS 2.0 site. Upgrading from SMS 2.0 is relatively straightforward because standard security is nearly the same as SMS 2.0 security.

Advanced Security Mode

• SMS 2003 advanced security uses the local system account on SMS servers to run SMS services and make changes on the server. Advanced security uses computer accounts (rather than user accounts) to connect to other computers and to make changes on other computers. Computer accounts can be used only by services running in the local system account context, and only administrators can configure services. Therefore, advanced security is a very secure mode.
• The local system account and computer accounts have several advantages over user
• The local system account is local to the computer itself, so the jurisdiction of the account is very limited.
• Only the operating system knows the password for a computer account, so network users cannot use computer accounts to access network resources.
• The local system account does not have a password or require one. Local system and computer accounts do not require any manual maintenance, even in organizations that require that all passwords be changed on a regular basis, because the computer regularly and automatically changes computer account passwords.
• Domain-level privileges are not required. Privileges are required only on the SMS servers themselves.

• All SMS site systems should be Windows 2000 SP1 or higher

Remote Management in SMS
• With the Remote Reboot utility, administrators can restart the selected client
• Run an application or batch file on a remote Windows based client
• When a user is present at the remote machine (98 or 2000), a remote control session of that client may be
• The Remote Assistance feature is used for remotely troubleshooting XP clients directly from the Systems Management Server 2003 Administrator Console when a user is present at the remote machine
• Client software is automatically installed on Windows based computers within the site boundaries

SMS 2003 Architecture Overview

Site Systems Roles
[Figure: SMS site system roles, including the server locator point and management point]

Site Hierarchies
[Figure: site hierarchy with a primary (central) parent site, a primary site that is both child and parent, and primary or secondary child sites]

Advanced Client
• The Advanced Client is a newly developed SMS client, and is the preferred client type for all computers running Windows 2000 or later in your organization. The Advanced Client is especially recommended for mobile and remote computers because its architecture is optimized for enhanced support for those types of computers.
• Advanced Clients use management points to send and receive data from the site server. To receive configuration and advertised program details, Advanced Clients use policies, which are sent from management points. The Advanced Client policies are unique to SMS and are not related to policies associated with Active Directory®.
• Advanced Clients cannot be assigned to secondary sites. However, they can use proxy management points at secondary sites to upload data and to download Advanced Client

Legacy Client
• Although it is recommended that you deploy the Advanced Client on all the computers in your organization running Windows 2000 or later, there are two reasons for deploying the Legacy Client.
• You must deploy the Legacy Client when the client computer is running Windows 98 or Windows NT 4.0.
• When you upgrade your SMS sites from SMS 2.0 to SMS 2003, the Legacy Client is automatically installed on SMS 2.0 clients running Windows 2000 or later to assist you with migrating these clients to Advanced Client. It is strongly recommended that you upgrade these clients to Advanced Client as soon as possible after you upgrade your SMS site.

Pradeep.chandrasekharan@hotmail.com

Advanced Client
• Better support for mobile computers and remote computers.
• Enhanced security.
• Use of Background Intelligent Transfer Service (BITS) to transfer data such as package source files and inventory data.
• The Advanced Client can download the package source files to the local computer before running an advertised program.
• Access to SMS package source files on local distribution points at a site to which the Advanced Client is temporarily roaming, without being assigned to that site. This includes access to distribution points at SMS 2.0 secondary sites whose parent site is an SMS 2003 site.
• The site server sends to the Advanced Client data that contains only changes to such items as configurations, advertisements, or software metering rules. This reduces the amount of data that is transferred on the network.
• The Advanced Client is highly scriptable, which allows for the automation of Advanced Client configuration and
• The client agents, such as the Hardware Inventory Client Agent, are installed when the core SMS client components are installed. This ensures that the Advanced Client always has the client agents. This also eliminates the need for the extra bandwidth that would be necessary to download the client agents when enabling a feature.
• When downloading the Advanced Client software during installation, the Advanced Client installation programs continue to run even if the network connection occasionally becomes unavailable.
• When deploying Advanced Clients, you can complete the installation of the Advanced Client software without assigning the client to any site. This allows you to complete the installation of a large number of computers in a staging area, and then transport the installed computers to their destination in the production environment. Those computers can then be assigned to a site and become fully deployed SMS clients.

Advanced Client Download and Execute

[Figure: SMS 2003 primary sites with a distribution point and a management point; a local client and an SMS 2003 Advanced Client managed by Bangalore]

Mobile / Roaming / Remote Users

• Bandwidth aware Advanced Client, using standard Internet technologies to deliver support to mobile users and systems with unreliable or varying connections
• Uses the Background Intelligent Transfer Service (BITS) technology to automatically detect the capacity of the client network connection and to adjust transfer rates
• Can also be configured to download an entire package, running the installation at a later time, even when no network access is available

Discovery Methods

Active Directory Site Boundary
• SMS 2003 allows definition of SMS site boundaries from Active Directory site names
• IP subnets need only be defined in one place and leveraged by SMS
• Mixed IP subnets and Active Directory site boundaries can be used to define an SMS site
• Supports gradual migration: existing IP-based subnet boundaries are still supported

Active Directory Site Boundary

Active Directory Discovery

• Active Directory system discovery enables discovery of new systems for site assignment and installation
• Generally more effective than Network
• Collects Active Directory container
• Active Directory User Discovery
• Active Directory System Group Discovery
• Collects Active Directory site name (for systems)
Active Directory Container

Active Directory Targeting

• Collects the following containers
• Organizational unit membership (OU)
• Universal, global, domain local, security and distribution group membership
• Supports nested groups
• Includes Built-in users and computers
• Target software distribution to Active Directory organizational units and groups
• Including distribution groups

• WMI-Based Inventory
• Allows improved client-side performance during inventory scans
• Provides a richer set of inventory data, including BIOS and chassis enclosure data
• Based on the Common Information Model standard
• Allows information from multiple sources

Inventory Capabilities
• Increase scale
• 100,000+ systems on single primary site
• 5-7X scale over SMS 2.0
• More control over software inventory
• Better selection criteria
• Wildcards, directories, and environment variables
• Highlight different inventory permutations, like *.exe, m*.exe, etc.
• Exclude encrypted and compressed volumes (critical for servers)
• Ability to just get file properties, improving system performance
• Better reporting on installed applications
• WMI provider to inventory Add/Remove Programs data
• Both the UI and Registry Information
• Easier to track suite of applications
• Enterprise Agreement True-Up report
• WMI provider to inventory Windows Installer component status
• Reduced inventory traffic
• Deltas generated on clients; advanced clients use compressed XML files
Software Metering


[Figure: Windows Media, MS Word, Internet Explorer; SMS Server]

Software Metering
• Metering provides application usage tracking
• Enables informed purchasing decisions
• Allows you to track concurrent licensing
• Reduces complexity in enterprise
• Administrators have control
• Specify what applications to meter
• Multi-site configuration tool allows replication of rules
• Summarization tasks reduce data store
• Tracks user, machine, time, frequency, usage
• Usage data can be blocked from flowing up hierarchy to reduce traffic
• Extensible web-based reporting tool
• Based on automatically maintained, high performance SQL Views
• Schema based on SMS Provider
• Documented and supported,
• Improvements from original web version
• 120 pre-built reports
• Dashboard functionality makes it easier to customize reports
• Multiple reports in a single view
• Integrated security support
• Internationalized versions
• Exporting Reports
• Can export/import report properties into other SMS environments


SMS 2003

• SMS 2003 provides a new Advanced Security mode
• Reduces number of service accounts
• Less administrative overhead
• Leverages Local System account
• Domain Admin rights not required
• Advanced client platform is recommended
• Uses no accounts, unlike legacy client
• SMS 2003 provides security rights
Package Delta Replication
• SMS 2003 provides file-level delta
• Only new or modified files are replicated.
• Down to appropriate child sites.
• Out to assigned distribution points (DPs).
• Provides self-healing to DPs.
• Downstream site/DP will be repaired if out of sync with the originating site.

Delta Replication
[Figure: SMS 2003 central site replicating to distribution points at an SMS 2003 secondary site and an SMS 2003 primary site]

Feature Packs
• Mobile Device Management Feature Pack
• Add-on to SMS 2003 to manage Windows based devices
• Delivers an integrated solution for servers, desktops, and devices
• OS Deployment Feature Pack
• Ability to deploy industry recognized images to existing desktops
• Integrated process for planning, state, and data migration, OS deployment, and post deployment changes

SMS – Benefits in Patch management
• Gives administrators control over patch management
• Allows staging and testing of updates before installation
• Fine-grained control of patch management options
• Automates key aspects of the patch management process
• Can update a broad range of Microsoft products (not limited to Windows and Office)
• Can also be used to update third-party software and deploy and install any software update or application
• High level of flexibility via use of scripting

SMS – What It Does
1. Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs, and created/updated; packages replicated and programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates, scans clients, and deploys necessary updates

[Figure labels: Microsoft Download Center, Firewall, SMS Distribution, SMS Site Server, SMS Clients]

SMS – MBSA Integration
• Scans SMS clients for missing security updates using MBSA CLI
• Pushes mbsacli.exe to each client to do local scan (mbsacli.exe /hf)
• Parses textual output of patch numbers
• SMS administrators can centrally distribute security updates to clients
• SMS 2.0 and SMS 2003 use MBSA 1.1.1

How to Use SMS
1. Open the SMS Administrator Console
2. Expand the site database
3. Right-click any required collection and select All Tasks > Distribute Software
4. Create a new package and program
5. Browse to the patch to be deployed
6. Configure options for how and when the patch should be deployed on the client

Software Update Services: Update Installation
• SMS Client—Software Update Advertisement

• Runs the software updates advertisement generated by the Distribute Software Updates Wizard.
• Command line: PatchInstall.exe /g:0 /n /z:s /f /c:5 /t:30 /m:"PatchAuthorize.xml"

• SMS Client—Software Update Scan

• Runs the scan component (ScanWrapper.exe).
• Scans the computer, comparing results against the software updates catalog
• Writes the results of the scan to the WMI Win32_Patchstate class.

• SMS Client—Software Update Installation

• Runs the software updates component (PatchInstall.exe).
• Reads the authorization list (PatchAuthorize.XML) from the package source directory.
• Identifies the authorized and missing software updates for the client.
• Runs the software updates and manages reboots.

• SMS Client—Software Update Post-Installation Scan

• Runs the scan component (ScanWrapper.exe).
• Scans the computer, comparing results against the software updates catalog.
• Writes the results of the scan to the WMI Win32_Patchstate class.
• Generates hardware inventory, as needed.

• SMS Client—Software Update Post-Installation Status

• Runs the software update component (PatchInstall.exe).
• Generates status messages, as needed

Comparing Microsoft Update, Windows Update Services, and SMS 2003
Adopt the solution that best meets the needs of your organization

| Capability | Microsoft Update | Windows Update Services | Systems Management Server 2003 |
|---|---|---|---|
| Supported Software and Content | | | |
| Supported Software for Content | Same as Windows Update Services + WinXP Home | Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2003, SQL Server 2000, MSDE | Same as Windows Update Services + NT 4.0 & Win98 + can update any other Windows based software |
| Supported Content Types for Supported Software | All software updates, critical driver updates, service packs (SPs), and feature packs (FPs) | All software updates, critical driver updates, SPs, & FPs | All updates, SPs, & FPs + supports update & app installs for any Windows based software |
| Update Management Capabilities | | | |
| Targeting Content to Systems | N/A | Simple | Advanced |
| Network Bandwidth | Yes | Yes | Yes |
| Patch Distribution | N/A | Simple | Advanced |
| Patch Installation & Scheduling Flexibility | Manual & end user controlled | Simple | Advanced |
| Patch Installation Status Reporting | Install errors reported to user. Lists missing updates for accessing computer | Simple | Advanced |
| Deployment Planning | N/A | Simple | Advanced |
| Inventory Management | N/A | No | Yes |
| Compliance Checking | N/A | No – status reporting only | |

What’s New for Querying?
• Updated list of queries
• Queries for specific operating systems
• Only include supported operating systems
• Updated object type and attribute classes for software metering data
• Permits querying on software metering data
• Not available in SMS 2.0 because the software metering schema was not exposed
• Better facility for sharing queries between SMS sites
• SMS Administrator Console import and export

Updated List of Queries
• All client systems, all non-client systems, and all systems
• All systems reporting hardware inventory, specific application, or file
• All users and all user groups
• Clients that have not been upgraded to SMS 2003
• Systems by last logged-on user name
• This site and all child sites
• Supported platforms:
• All products in the Microsoft Windows® Server 2003 Family, all Windows 2000 Professional systems, all Windows 2000 Server systems, all Windows 98 systems, all Windows NT® 4.0 systems, all Windows NT 4.0 Servers, all Windows NT 4.0 Workstations, all Windows XP systems

Exporting Queries
• Select Queries node
• On the Action menu, click All Tasks, and then click Export Objects
• Export Object Wizard appears
• Select the queries to be exported (includes standard
• Specify file name and comment
• Creates a MOF file with query contents
• Comment
• Class (SMS_Query)
• Security
• Syntax

Importing Queries
• Select Queries node (or other nodes)
• Automatically adds imported objects to correct node
• On the Action menu, click All Tasks, and then click Import Objects
• Import Object Wizard appears
• Specify MOF file to import
• Displays queries to be imported, and also displays whether you have the Create security rights that you
• Displays the comment from the MOF file
• New queries are added to the appropriate node

What’s New for Reporting?
• Crystal Reports are no longer used
• Was resource intensive
• Was problematic to configure in certain scenarios
• Reports were not easily modified or created
• The new solution is SMS Reporting
• Integrated version of Web Reporting Tool
• Released to Web over a year ago
• Great response from customers
• Easy for users to access reports on the intranet
• Easy to create custom reports
• Can create custom dashboards

Report Categories
• Advertisement Status (6)
• Computers (with a specific file)
• Hardware (50)
• CD-ROM, Disk, General, Memory, Modem, Network Adapter, Processor, SCSI, Sound Card, Video Card
• Network (9)
• Operating System (9)
• SMS Site (17)
• Client Information, Discovery and Inventory Information, General, Server Information

Report Categories (2)
• Software (16)
• Companies and Products, Files
• Software Metering (4)
• Status Messages (17)
• Status Messages – Audit (6)
• Users (4)
• Video Card (no longer supported) (4)

• ~150 Total

Using Dashboards
• Dashboards allow multiple reports to be displayed in a single Internet Explorer
• Great for viewing multiple related reports
• Great way to monitor status
• By default, no dashboards are included
• You create what you feel is required
• Very easy to create a dashboard
• Supply title
• Specify specific report for specific row or column of

1. The SMS 2003 Legacy Client logs record the same information as the SMS 2.0 client. The Legacy Client log files are located in the %Windir%\MS\SMS\Logs folder on the client.
2. The SMS 2003 Advanced Client uses different log files than the Legacy Client to record information. The Advanced Client logs are located in one of the following locations:
   1. On computers that serve as management points, the Advanced Client logs are located in the SMS_CCM\Logs folder.
   2. On all other computers, the Advanced Client log files are located in the %Windir%\System32\CCM\Logs folder.

CcmExec.log – Records activities of the client and the SMS Agent Host service.
Execmgr.log – Records advertisements that run.
InventoryAgent.log – This component creates discovery data records (DDRs) and hardware and software inventory records.
StatusAgent.log – Logs status messages that are created by the client.
LocationServices.log – Finds management points and distribution points.
PolicyAgent.log – Requests policies by using the Data Transfer service.
Scheduler.log – Records schedule tasks for all client operations.
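
A triage sketch for the client logs listed above, added here as an example and not part of the original slides: it picks the log folder by the location rules on this page and parses log text to count warnings and errors per component. The `<![LOG[...]LOG]!>` entry layout, the type codes (1 info, 2 warning, 3 error) and the sample lines are assumptions; the slides do not show the log format.

```python
import re
from collections import Counter

# Assumed entry layout (not shown on this page):
# <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" '
    r'type="(?P<type>\d)"[^>]*>',
    re.DOTALL,  # a message may span several lines
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}  # assumed type codes


def log_folder(client_type, is_management_point=False, windir=r"C:\WINDOWS"):
    """Return the client log folder, using the locations given on this page."""
    if client_type == "legacy":
        template = r"%Windir%\MS\SMS\Logs"
    elif client_type == "advanced":
        template = r"SMS_CCM\Logs" if is_management_point else r"%Windir%\System32\CCM\Logs"
    else:
        raise ValueError("client_type must be 'legacy' or 'advanced'")
    return template.replace("%Windir%", windir)


def parse_entries(text):
    """Return (entries, unparsed_line_count) for the text of one log file."""
    entries, leftover, pos = [], [], 0
    for m in ENTRY.finditer(text):
        leftover.append(text[pos:m.start()])
        pos = m.end()
        entries.append({
            "date": m["date"], "time": m["time"], "component": m["component"],
            "severity": SEVERITY.get(m["type"], "unknown"), "message": m["msg"],
        })
    leftover.append(text[pos:])
    # Text outside any entry can mean a truncated or hand-edited log.
    unparsed = sum(1 for line in "\n".join(leftover).splitlines() if line.strip())
    return entries, unparsed


def summarize(entries):
    """Count non-informational entries per (component, severity)."""
    return Counter((e["component"], e["severity"])
                   for e in entries if e["severity"] != "info")


# Constructed sample lines; messages, times and thread ids are invented.
SAMPLE = (
    '<![LOG[Policy request completed]LOG]!><time="09:15:02.120+330" date="03-14-2005" '
    'component="PolicyAgent" context="" type="1" thread="1200" file="sample.cpp:10">\n'
    '<![LOG[No management point found]LOG]!><time="09:15:05.400+330" date="03-14-2005" '
    'component="LocationServices" context="" type="2" thread="1200" file="sample.cpp:20">\n'
    '<![LOG[Program failed\nexit code 1603]LOG]!><time="09:16:00.000+330" date="03-14-2005" '
    'component="execmgr" context="" type="3" thread="1304" file="sample.cpp:30">\n'
    'partial line without markers\n'
    '<![LOG[Service started]LOG]!><time="09:17:00.000+330" date="03-14-2005" '
    'component="CcmExec" context="" type="1" thread="1100" file="sample.cpp:40">\n'
)

if __name__ == "__main__":
    entries, unparsed = parse_entries(SAMPLE)
    print(log_folder("advanced"), dict(summarize(entries)), unparsed)
```
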

Questions ?