SMS 2003 is Microsoft’s latest foray into the system
management space. In my previous three articles, I have provided you with an
overview of SMS, and gone over a couple of different installation scenarios
with the product. In this, the last article in this series, I will exhibit some
of SMS’s common administrative tasks that you need to undertake to get SMS up
and running and really useful.

Author’s Note

All of the items I show you here are performed from the SMS
Administrator console, available at Start | All Programs | Systems Management
Server | SMS Administrator Console.

Make sure the BITS Server Extensions are loaded on your SMS server

You learned in a previous article that SMS relies heavily on
BITS–Background Intelligent Transfer Service–to efficiently transfer files
around your network. This is different from the BITS service that Windows uses
to download updates. It’s an additional Windows component that you need to
install.

For the Windows Server 2003 family, use Add/Remove Windows
Components to install the BITS server extension. From the Control Panel, select
Add or Remove Programs. Next, select Add/Remove Windows Components to display
the Windows Components Wizard. Browse to and select Application Server |
Internet Information Services (IIS) | Background Intelligent Transfer Service
(BITS) Server Extensions. Make sure to have your Windows CD handy.

Managing collections

One of the first options under the Site Database selection
gives you a way to manage collections in SMS. A collection is pretty much what
it sounds like; through the use of collections, you can manage resources that
have things in common. SMS comes with a number of predefined collections, all
shown below in Figure A. In Figure A, I’ve selected the ‘All Windows Server
2003 Systems’ collection. In this collection, you see both of my lab servers,
both running Windows Server 2003 R2.

Figure A

Create your own collections to be able to more easily manage groups of clients.

Create a new collection

At some point, you’ll probably want to create your own
collection of resources so that you can more easily manage specific groups of
clients. To create a new collection, right-click the Collections option and,
from the resulting shortcut menu, select New | Collection. The Collections
Properties window opens.

The Collections Properties window has four tabs: General,
Membership Rules, Advertisements, and Security. For the creation of a new
collection, just the first two tabs are important. On the first tab, the
General tab, you’re required to name your new collection and, optionally,
provide a comment about the new collection. When you’re done providing a name
and description for your collection, choose the Membership Rules tab.

Figure B

On the General tab, give your new collection a name and description.

If you don’t provide any membership rules, your collection
will remain empty until you do so. This screen has two primary sections: the
membership rules section and the scheduling section. The scheduling part is
pretty self-explanatory. It creates a schedule. “A schedule for what?” you
may ask. The schedule you create dictates how often the collection will be
updated.

The whole purpose of a collection is to make administration
easier and, by providing the ability to schedule automatic updates of
collection membership based on specific criteria (the membership rules), that’s
one less thing you need to worry about as you add and remove systems to and
from the network. To set up your own schedule, click the Schedule button, which
gives you the screen shown in Figure C. I’m not going to go into more detail
about the schedule since the process is pretty self-explanatory.

Figure C

Create a schedule to automatically update the contents of this collection.

Now, for the membership rules. In Figure D below, notice the
four buttons to the right of the “Membership rules” heading. For a
new collection, two of the buttons are grayed out. The two grayed-out buttons,
the third and fourth from the left, are used to make changes to and delete
existing collections, respectively.

The first two buttons provide you with different ways to
create a new collection. The first button starts the Create Direct Membership
Rule Wizard, enabling you to select specific SMS-managed resources to include
in the new collection. The second button opens the Query Rule Properties dialog
box, which gives you the capability to add resources that match the query
parameters you specify.

I’ll start with the direct membership method. Click the
first button to start this process. The wizard gives you a screen on which you
can choose a resource class–system, user group, or user resource–and an
associated attribute (Figure D). Now, specify the value that will limit
what gets included in the group. In Figure E, I’ve directly typed the beginning
of the NetBIOS name for the machines I want to include in this collection. Click
the Next button once you’ve made your selections.

Figure D

Choose the resource class and attribute that you want to use to define
membership to the group.

Figure E

You can use wildcards to define collection membership.

The next screen, Collection Limiting, is useful if you’ve
got a widely-distributed SMS infrastructure and have limited the access of
certain administrators to specific resource groups, or if you want to limit the
resource selection to a subgroup of an existing collection. If you want to
limit the collections that are searched to create the new collection, click the
Browse button and choose the collection that you want to start with. For this
example, I’m leaving this field blank so I can search against the whole SMS
database.

Figure F

Use this screen to limit the search to an existing collection.

At this point, SMS has enough information to give you a list
of resources that match the criteria you specified. On this screen, choose the
resources you want to include in the new group, using the Select All and Clear
All buttons as needed. In Figure G below, my sample search found a single
system–SMS3 (remember, I have only two servers in my lab right now). Click the
Next button to continue.

Figure G

Choose the resources to add to the new group.

The final screen provides you with a summary of your
selections. Click Finish to complete the wizard. After the wizard finishes, you’re
returned to the Collection Properties screen and the new membership rule shows
up on the list.

If you don’t want to use the direct method to create a new
rule, you can instead click the second button from the left in the Collection
Properties window. This opens the Query Rule Properties dialog box. In this
box are three areas to which you need to pay attention. The first one is a name.
The last option is the same collection limiting option you saw with the direct
method.

The middle section has the meat with three options for your
collection needs. By way of example, I’m going to show you a typical query. This
query will choose all systems from your SMS database that start with the
NetBIOS name “SMS”. The best way to create a new query is to first
import a query statement that defines another collection and then make
adjustments as necessary. Use the “Import Query Statement” button to
import a query from an existing collection (queries exist for most of your
default collections) and the “Edit Query Statement” button to make
adjustments.

This query is used for my sample collection to find
machines with a NetBIOS name that starts with SMS and that have at least 128MB
of RAM.

Select the “Edit Query Statement” window’s Show
Query Language button and type the query directly into the query statement
window (Figure H).

Figure H

This probably isn’t the most convenient way to accomplish your goal.
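The kind of statement the query language window accepts, as an added example rather than the author's own query: a WQL statement for the two criteria described above (NetBIOS name starting with SMS, at least 128MB of RAM). It assumes the standard SMS_R_System and SMS_G_System_X86_PC_MEMORY inventory classes and that TotalPhysicalMemory is reported in KB.

```sql
-- Added example (WQL, the query language SMS collections use).
-- Assumptions: hardware inventory has populated SMS_G_System_X86_PC_MEMORY,
-- and TotalPhysicalMemory is reported in KB (128MB = 131072KB).
select
    SMS_R_System.ResourceID,
    SMS_R_System.ResourceType,
    SMS_R_System.Name,
    SMS_R_System.SMSUniqueIdentifier,
    SMS_R_System.ResourceDomainORWorkgroup,
    SMS_R_System.Client
from SMS_R_System
    inner join SMS_G_System_X86_PC_MEMORY
        on SMS_G_System_X86_PC_MEMORY.ResourceID = SMS_R_System.ResourceId
where
    SMS_R_System.NetbiosName like "SMS%"
    and SMS_G_System_X86_PC_MEMORY.TotalPhysicalMemory >= 131072
```

The comment lines are annotations for the reader; enter only the statement itself in the query statement window. Because of the inner join, a system that has not yet returned hardware inventory has no memory record and will not match, even if its name starts with SMS.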

Ok. The query language window probably isn’t your first
choice for a way to build your query. It’s not all that user-friendly. Fortunately,
SMS provides you with a much easier method. On the main query statement
properties window, click the Criteria tab. In Figure I, you can see that I have
selected two criteria for my collection. Click the ‘*’ button to add more criteria.

Figure I

Click the ‘*’ button to add more criteria to the list.

When you click the ‘*’ button, you’re presented with windows
similar to the ones shown in Figure J. Use the fields provided in these
windows to choose any system attribute you want to use to narrow the scope of
your new collection.

Figure J

Use these windows to create a narrowly focused collection.

Regardless of how you go about it, creating a new collection
will help you perform other common administrative tasks using SMS.

Designate a site Management Point

In order for many administrative tasks to function, you need
to designate at least one SMS server to act as a management point (see previous
articles in this series for more information about management points).

I’m going to designate my primary SMS server to act in this
role. Open the Site Database and choose Site Hierarchy | Your site here | Site
Settings. Under Site Settings, choose Site Systems. This opens up, in the
right-hand pane, a list of SMS systems. Right-click the primary system (or
whichever should get this role) and choose Properties. On the Properties page,
choose the Management Point tab. Enable the checkbox next to “use this site
system as a management point.” Click either OK or Apply. If you get a message
asking if you want to make this system the site’s default management point,
choose Yes.

Figure K

This will allow you to perform tasks such as installing the Advanced Client.

Installing the SMS client

One of your first SMS administrative tasks will probably be
installing the SMS client on the servers and workstations you want to place
under SMS’ administrative control. You can do this on a system-by-system basis,
or you can install the client to all systems in a collection.

Enable client push and provide client accounts

In order to be able to push the client out to resources, you
need to enable client push installation. From the SMS management console,
choose Site Database | Site Hierarchy | Your site | Site Settings | Client
Installation Methods. In the right-hand pane, choose Client Push Installation. This
opens a properties page with three tabs for this service. On the first tab
marked General, enable the checkbox next to “Enable Client Push
Installation to assigned resources”. Further, select the types of systems
to which you want to be able to push an SMS client.

Figure L

Select the checkbox and move to the Accounts tab.

On the Accounts tab, click the ‘*’ button and provide an
account that has administrative access to the machines in the domain. The SMS
client will be installed using this account’s credentials. This way, you don’t
need to provide users with elevated rights to perform the installation.

Figure M

Provide an account that has administrative access to the machines in the domain.

Likewise, you should also provide the software distribution
portion of SMS with credentials. Choose Site Database | Site Hierarchy | Your
Site | Site Settings | Component Configuration, and right-click Software
Distribution in the right pane, and then click Properties. Under the Advanced
Client Network Access Account option, click the Set button and provide a domain
account that can be used to install software.

Figure N

Provide Software Distribution credentials.

Client Push Wizard

To start the wizard, select the appropriate resource, either
an individual system from within one of your collections or a collection
itself. Right-click the resource and choose All Tasks | Install Client. This
starts the Client Push Installation Wizard.

The first screen of the Client Push Installation Wizard asks
you how (and whether) you want to handle the SMS client installation. First,
you can choose to install the SMS client, or to just gather system information
without using the client. If you choose to install the client, you can choose
to install the old legacy client, the new advanced client, or a combination of
the two depending on the client OS. Or, you can opt to install your site’s
default client. Click Next to continue.

Figure O

Choose your installation options.

Screen two of the wizard asks you to specify some client
installation options, which are generally pertinent if you have chosen to
install the client to a collection of computers rather than a single system. For
example, do you wish to install the client to domain controllers? Should the
installation always proceed? This will allow you to repair or upgrade an
existing client. Should clients from other SMS sites be included?

Figure P

Choose your client installation options.

After this screen, you’re provided with a summary window on
which you should click the Finish button. If everything is working and the
planets are aligned, the SMS client should be pushed out to your selected
systems. If you’re using collections to push out the client, make sure to
update your collection membership (right-click collection, choose All Tasks |
Update collection membership), or you will not see the updated status of your
clients (and, you’ll spend three hours troubleshooting why the
client isn’t installing, which is what I did the first time I used SMS). Now,
when you view the status of a collection, the clients inside that collection to
which you pushed the SMS client reflect their new status.

Figure Q

The SMS Advanced client is installed on these machines.

Managing patches

SMS is nothing if not extremely flexible. To that end, in
order to use SMS to reliably scan client workstations for missing patches, you
need to install a scanner provided by Microsoft that shares similar traits with
WSUS. The scanner is named the SMS 2003 Inventory Tool for Microsoft Updates. To
install it into your SMS 2003 system, you need to be running SMS 2003
SP1 and have installed a number of hotfixes and updates.

The SMS 2003 Inventory Tool for Microsoft Updates uses
version 5.8 of the Windows Update Agent, which provides update support for the
following Microsoft products:

  • Microsoft Windows XP Embedded
  • Microsoft Windows 64-bit edition
  • Microsoft Office XP and Office 2003
  • Microsoft Exchange 2000 and Exchange 2003
  • Microsoft Windows 2000 Service Pack 4 and later
  • All Windows components (such as MSXML, MDAC, and Microsoft Virtual Machine)
  • Microsoft SQL Server 2000 SP4 and SQL Server 2005
  • Additional products as published to the Windows Updates catalog

To get started using the scanner, download
and install the SMS 2003 Inventory Tool for Microsoft Updates. After
downloading completes, extract the contents of the file to a folder. Before you
actually install the scanner, you need to address some hotfix prerequisites. All
of the hotfixes are available in the SMS2003ITMU_ENU\HOTFIXES folder of the
download.

Specifically, make sure you have addressed the following four
points before you continue.

  • On machines that are site servers or clients onto which you have deployed
    the SMS administration console, install the hotfix outlined in Microsoft
    Knowledge Base article 900257. This hotfix is available in the
    SMS2003ITMU_ENU\HOTFIXES\KB900257\ENU folder of the downloaded file. From
    that location, run SMS2003-SP1-KB900257-X86-ENU.exe.
  • Install an update for the SMS Administrator that corrects a display
    problem with SMS reports. Note that, in order to install this update, you
    must exit the SMS Administrator and stop the SMS_SITE_COMPONENT_MANAGER and
    SMS_EXECUTIVE services. Next, from SQL Server Enterprise Manager (SQL
    Server 7, 2000) or the SQL Server Management Studio (SQL Server 2005), run
    the update.sql script located in the download. Find this file at
    SMS2003ITMU_ENU\HOTFIXES\KB900401\update.sql.
  • Install a more recent version of the Advanced Client that supports the
    SMS 2003 Inventory Tool for Microsoft Updates. Note that this installation
    will stop and restart all SMS services. After installation of this update
    has completed, you will need to push the client back out to workstations
    to enable this update. This can be accomplished by pushing the client out
    to an appropriate collection, making sure that the checkbox next to
    “Always install (repair or upgrade existing client)” is selected. In my
    lab, my systems were originally running version 2.50.3174.1018 of the
    client. This update upgraded my clients to 2.50.3174.1152. Locate the
    client version on your managed systems by, from a collection,
    right-clicking a system and choosing Properties.

Figure R

Make sure that, when using a collection to update the client, you select this
option.

  • Install the latest Microsoft Windows Installer on all of your managed
    clients. As of this writing, the latest version for currently supported
    operating systems is Windows Installer 3.1 (v2). This version of the
    installer supports Windows 2000 SP3+, Windows XP, and Windows Server 2003.
    Windows Server 2003 SP1 and Windows Server R2 include this version of the
    installer, so you don’t need to update it. Windows Vista and Longhorn
    Server will use version 4.0 of the Windows Installer. You can see which
    version of the Windows Installer you’re running by executing ‘msiexec’
    from the command line.

Now, with the prerequisites out of the way, from the
download location, execute the SMSITMU.msi file to begin installation of the
scanner itself. The first screen in the installer is a license screen while the
second asks you for a destination folder. I accepted the default location of
C:\Program Files\Microsoft Updates Inventory Tool.

Next, you have to define a synchronization host computer,
which will be responsible for keeping the Windows Update catalog current. I’ve
opted to use my other lab server for this purpose. Further, since my lab
systems have access to the Internet, they will automatically download the
catalog as needed.

Figure S

Which system will act as the synchronization host?

The next screen of the installer asks you to define some
distribution settings for the scanner. Specifically, do you want to copy the
inventory tools package to your distribution points and, second, do you want to
advertise the tool to your default collection? Finally, what computer will be
used for testing of the tool?

Figure T

Inventory tool distribution settings.

SMS clients managed by this tool use the Windows Update
Agent. Do you want to create an SMS distribution object to automatically
distribute the Windows Update Agent to your managed clients? If so, how should the distribution be
handled? See Figure U.

Figure U

Windows Update Agent distribution settings.

That’s it. After making these selections, the update scanner
installs and creates the SMS objects you defined during the installation. The installation
takes quite some time since the initial load of the update catalog takes place.

The actual patching process could be a whole article in
itself. In a nutshell, right-click a collection or system and choose All Tasks |
Distribute Software Updates. This starts the Distribute Software Updates
Wizard.

The first screen of the wizard asks you to choose an update
type. You just went through the process of installing a scanner to support this
process. If everything went well, you will see an update type of “Microsoft
Update” available. Click Next to continue.

Figure V

Choose an update type.

Next, choose a “New” package type since you want
to create a new update package (no screenshot since there is only a single
selection).

Provide a name for your package. I’ve used the ever-original
“Sample update package” here. The program name field is automatically
updated to reflect this name.

Figure W

Provide a name for your package.

I’m almost out of letters for figures, so I’m going to skip
the next screen shot. This step in the wizard asks you to provide a name for the
organization responsible for software update policies. I entered “Information
Technology”.

On the next screen, you need to tell SMS how to scan client
machines to determine which updates are required. The Windows Update Agent is
good for this purpose.

Figure X

Tell SMS which inventory scan tool package you want to use. Windows Update
Agent is good for system updates.

The next screen of the wizard is, by far, among the worst
interfaces I’ve ever seen. On this screen, choose the updates that should be
available for deployment to your managed systems. This interface is really,
really bad.

Figure Y

Choose the updates you want to install.

On this last screen before updates are downloaded (only the
catalog was downloaded earlier), you can usually just take the defaults. The
information on this screen defines a directory in which updates will be stored
and sent to distribution points.

Each shot in Figure Z below corresponds to the bullet points
below.

  • After the updates are downloaded, you’re provided with a summary window
    indicating whether updates are ready for use.
  • After viewing the update summary, choose which distribution points should
    receive the updated package files. If you want to limit bandwidth, or
    update certain sites separately, this is a good way to accomplish these
    goals.
  • Installation agent settings allow you to decide if you want to collect the
    client inventory immediately or create templates regarding system state.
    Further, you can opt to postpone system restarts so users are not adversely
    affected by updates.
  • Also regarding the installation agent, you can tell SMS to perform an
    unattended installation of the updates and decide whether or not you want
    to notify users that an update is about to take place. In some situations,
    you can also allow the user to postpone the installation for a period of
    time.
  • Finally, should this set of updates be advertised to a collection? This
    way, if you missed a client, you might be able to catch it during the next
    window. A patch won’t be installed if a system doesn’t need it.

Figure Z

That was the fast and furious patch update explanation! Unfortunately, patching is a fairly complex
process and I really wanted to introduce you to it in this article.

That’s it

With SMS installed and running, some steps still need to be
taken to make it a truly useful product. Creating collections, making sure the
BITS server service is running, installing the advanced client, and getting a
client scanner up and running are critical tasks to make SMS do its job. One
thing to keep in mind is that, while SMS is touted as a complete management
tool, it’s very much a framework that you can extend to meet your needs. Microsoft
does make other scanners available for SMS, however, and third party companies
make their own SMS clients available for purchase that may have additional
capability.