SMS 2003 is Microsoft's latest foray into the system management space. In my previous three articles, I have provided you with an overview of SMS, and gone over a couple of different installation scenarios with the product. In this, the last article in this series, I will exhibit some of SMS's common administrative tasks that you need to undertake to get SMS up and running and really useful.
All of the items I show you here are performed from the SMS Administrator console, available at Start | All Programs | Systems Management Server | SMS Administrator Console.
Make sure the BITS Server Extensions are loaded on your SMS server
You learned in a previous article that SMS relies heavily on BITS—Background Intelligent Transfer Service—to efficiently transfer files around your network. This is different from the BITS service that Windows uses to download updates. It's an additional Windows component that you need to install.
For Windows Server 2003 family, use Add/Remove Windows Components to install the BITS server extension. From the Control Panel, select Add or Remove Programs. Next, select Add/Remove Windows Components to display the Windows Components Wizard. Browse to and select Application Server | Internet Information Services (IIS) | Background Intelligent Transfer Service (BITS) Server Extensions. Make sure to have your Windows CD handy.
One of the first options under the Site Database selection gives you a way to manage collections in SMS. A collection is pretty much what it sounds like; through the use of collections, you can manage resources that have things in common. SMS comes with a number of predefined collections, all shown below in Figure A. In Figure A, I've selected the 'All Windows Server 2003 Systems' collection. In this collection, you see both of my lab servers, both running Windows Server 2003 R2.
|Create your own collections to be able to more easily manage groups of clients.|
Create a new collection
At some point, you'll probably want to create your own collection of resources so that you can more easily manage specific groups of clients. To create a new collection, right-click the Collections option and, from the resulting shortcut menu, select New | Collection. The Collections Properties window opens.
The Collections Properties window has four tabs: General, Membership Rules, Advertisements, and Security. For the creation of a new collection, just the first two tabs are important. On the first tab, the General tab, you're required to name your new collection and, optionally, provide a comment about the new collection. When you're done providing a name and description for your collection, choose the Membership Rules tab.
|On the general tab, give your new collection a name and description.|
If you don't provide any membership rules, your collection will remain empty until you do so. This screen has two primary sections: the membership rules section and the scheduling section. The scheduling part is pretty self-explanatory. It creates a schedule. "A schedule for what", you may ask? The schedule you create dictates how often the collection will be updated.
The whole purpose of a collection is to make administration easier and, by providing the ability to schedule automatic updates of collection membership based on specific criteria (the membership rules), that's one less thing you need to worry about as you add and remove systems to and from the network. To set up your own schedule, click the Schedule button, which gives you the screen shown in Figure C. I'm not going to go into more detail about the schedule since the process is pretty self-explanatory.
|Create a schedule to automatically update the contents of this collection.|
Now, for the membership rules. In Figure D below, notice the four buttons to the right of the "Membership rules" heading. For a new collection, two of the buttons are grayed out. The two grayed-out buttons, the third and fourth from the left, are used to make changes to and delete existing collections, respectively.
The first two buttons provide you with different ways to create a new collection. The first button starts the Create Direct Membership Rule Wizard, enabling you to select specific SMS-managed resources to include in the new collection. The second button opens the Query Rule Properties dialog box, which gives you the capability to add resources that match the query parameters you specify.
I'll start with the direct membership method. Click the first button to start this process. The wizard gives you a screen on which you can choose a resource class—system, user group, or user resource—and an associated resource class (Figure D). Now, specify the value that will limit what gets included in the group. In Figure E, I've directly typed the beginning of the NetBIOS name for the machines I want to include in this collection. Click the Next button once you've made your selections.
|Choose the resource class and attribute that you want to use to define membership to the group.|
|You can use wildcards to define collection membership.|
The next screen, Collection Limiting, is useful if you've got a widely-distributed SMS infrastructure and have limited the access of certain administrators to specific resource groups, or if you want to limit the resource selection to a subgroup of an existing collection. If you want to limit the collections that are searched to create the new collection, click the Browse button and choose the collection that you want to start with. For this example, I'm leaving this field blank so I can search against the whole SMS database.
|Use this screen to limit the search to an existing collection.|
At this point, SMS has enough information to give you a list of resources that match the criteria you specified. On this screen, choose the resources you want to include in the new group, using the Select All and Clear All buttons as needed. In Figure G below, my sample search found a single system—SMS3 (remember, I have only two servers in my lab right now). Click the Next button to continue.
|Choose the resources to add to the new group.|
The final screen provides you with a summary of your selections. Click Finish to complete the wizard. After the wizard finishes, you're returned to the Collection Properties screen and the new membership rule shows up on the list.
If you don't want to use the direct method to create a new rule, click the second button from the left in the Collection Properties window instead. This opens the Query Rule Properties dialog box. In this box are three areas to which you need to pay attention. The first one is a name. The last option is the same collection limiting option you saw with the direct method.
The middle section has the meat with three options for your collection needs. By way of example, I'm going to show you a typical query. This query will choose all systems from your SMS database that start with the NetBIOS name "SMS". The best way to create a new query is to first import a query statement that defines another collection and then make adjustments as necessary. Use the "Import Query Statement" button to import a query from an existing collection (queries exist for most of your default collections) and the "Edit Query Statement" button to make adjustments.
This query is used for my sample collection to find machines with a NetBIOS name that starts with SMS and that have at least 128MB of RAM.
Select the "Edit Query Statement" window's Show Query Language button and type the query directly into the query statement window (Figure H).
|This probably isn't the most convenient way to accomplish your goal.|
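A query rule matching that description (NetBIOS name starting with SMS, at least 128MB of RAM) could be written as the following WQL statement. This is an added example, not the author's original query; it assumes hardware inventory is enabled so that the SMS_G_System_X86_PC_MEMORY class is populated, and that TotalPhysicalMemory is reported in KB, which makes 128MB equal to 131072.

```sql
-- Added example (WQL for the Show Query Language window); not the author's query.
-- Assumption: hardware inventory is enabled, so SMS_G_System_X86_PC_MEMORY has data.
-- Assumption: TotalPhysicalMemory is reported in KB, so 128MB = 131072.
select
    SMS_R_System.ResourceID,
    SMS_R_System.ResourceType,
    SMS_R_System.Name,
    SMS_R_System.SMSUniqueIdentifier,
    SMS_R_System.ResourceDomainORWorkgroup,
    SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_X86_PC_MEMORY
    on SMS_G_System_X86_PC_MEMORY.ResourceID = SMS_R_System.ResourceId
where SMS_R_System.NetbiosName like "SMS%"
  and SMS_G_System_X86_PC_MEMORY.TotalPhysicalMemory >= 131072
```

The comment lines are annotations only; remove them before pasting the statement into the query window. Because of the inner join, a system that has not yet returned a hardware inventory has no memory record and will not appear in the collection until its first inventory is processed.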
Ok. The query language window probably isn't your first choice for a way to build your query. It's not all that user-friendly. Fortunately, SMS provides you with a much easier method. On the main query statement properties window, click the Criteria tab. In Figure I, you can see that I have selected two criteria for my collection. Click the '*' button to add more criteria.
|Click the '*' button to add more criteria to the list.|
When you click the '*' button, you're presented with windows similar to the ones shown in Figure J. Use the fields provided in these windows to choose any system attribute you want to use to narrow the scope of your new collection.
|Use these windows to create a narrowly focused collection.|
Regardless of how you go about it, creating a new collection will help you perform other common administrative tasks using SMS.
Designate a site Management Point
In order for many administrative tasks to function, you need to designate at least one SMS server to act as a management point (see previous articles in this series for more information about management points).
I'm going to designate my primary SMS server to act in this role. Open the Site Database and choose Site Hierarchy | Your site here | Site Settings. Under Site Settings, choose Site Systems. This opens up, in the right-hand pane, a list of SMS systems. Right-click the primary system (or whichever should get this role) and choose Properties. On the Properties page, choose the Management Point tab. Enable the checkbox next to "use this site system as a management point." Click either OK or Apply. If you get a message asking if you want to make this system the site's default management point, choose Yes.
|This will allow you to perform tasks such as installing the Advanced Client.|
Installing the SMS client
One of your first SMS administrative tasks will probably be installing the SMS client on the servers and workstations you want to place under SMS' administrative control. You can do this on a system-by-system basis, or you can install the client to all systems in a collection.
Enable client push and provide client accounts
In order to be able to push the client out to resources, you need to enable client push installation. From the SMS management console, choose Site Database | Site Hierarchy | Your site | Site Settings | Client Installation Methods. In the right-hand pane, choose Client Push Installation. This opens a properties page with three tabs for this service. On the first tab, marked General, enable the checkbox next to "Enable Client Push Installation to assigned resources". Further, select the types of systems to which you want to be able to push an SMS client.
|Select the checkbox and move to the Accounts tab.|
On the accounts tab, click the '*' button and provide an account that has administrative access to the machines in the domain. The SMS client will be installed using this account's credentials. This way, you don't need to provide users with elevated rights to perform the installation.
|Provide an account that has administrative access to the machines in the domain.|
Likewise, you should also provide the software distribution portion of SMS with credentials. Choose Site Database | Site Hierarchy | Your Site | Site Settings | Component Configuration, and right-click Software Distribution in the right pane, and then click Properties. Under the Advanced Client Network Access Account option, click the Set button and provide a domain account that can be used to install software.
|Provide Software Distribution credentials.|
Client Push Wizard
To start the wizard, select the appropriate resource, either an individual system from within one of your collections or a collection itself, then right-click the resource and choose All Tasks | Install Client. This starts the Client Push Installation Wizard.
The first screen of the Client Push Installation Wizard asks you how (and whether) you want to handle the SMS client installation. First, you can choose to install the SMS client, or to just gather system information without using the client. If you choose to install the client, you can choose to install the old legacy client, the new advanced client, or a combination of the two depending on the client OS. Or, you can opt to install your site's default client. Click Next to continue.
|Choose your installation options.|
Screen two of the wizard asks you to specify some client installation options, which are generally pertinent if you have selected to install the client to a collection of computers rather than a single system. For example, do you wish to install the client to domain controllers? Should the installation always proceed? This will allow you to repair or upgrade an existing client. Should clients from other SMS sites be included?
|Choose your client installation options.|
After this screen, you're provided with a summary window on which you should click the Finish button. If everything is working and the planets are aligned, the SMS client should be pushed out to your selected systems. If you're using collections to push out the client, make sure to update your collection membership (right-click the collection, choose All Tasks | Update collection membership), or you will not see your clients' updated status (and you'll spend three hours troubleshooting why the client isn't installing, which is what I did the first time I used SMS). Now, when you view the status of a collection, the clients inside that collection to which you pushed the SMS client reflect their new status.
|The SMS Advanced client is installed on these machines.|
SMS is nothing if not extremely flexible. To that end, in order to use SMS to reliably scan client workstations for missing patches, you need to install a scanner provided by Microsoft that shares similar traits to WSUS. The scanner is named the SMS 2003 Inventory Tool for Microsoft Updates. In order to install it into your SMS 2003 system, you need to be running SMS 2003 SP1 and have installed a number of hotfixes and updates.
The SMS 2003 Inventory Tool for Microsoft Updates uses version 5.8 of the Windows Update Agent, which provides update support for the following Microsoft products:
- Microsoft Windows XP Embedded
- Microsoft Windows 64-bit edition
- Microsoft Office XP and Office 2003
- Microsoft Exchange 2000 and Exchange 2003
- Microsoft Windows 2000 Service Pack 4 and later
- All Windows components (such as MSXML, MDAC, and Microsoft Virtual Machine)
- Microsoft SQL Server 2000 SP4 and SQL Server 2005
- Additional products as published to the Windows Updates catalog
To get started using the scanner, download and install the SMS 2003 Inventory Tool for Microsoft Updates. After downloading completes, extract the contents of the file to a folder. Before you actually install the scanner, you need to address some hotfix prerequisites. All of the hotfixes are available in the SMS2003ITMU_ENU\HOTFIXES folder of the download.
Specifically, make sure you have addressed the following four points before you continue.
- On machines that are site servers, or clients on which you have deployed the SMS administration console, install the hotfix outlined in Microsoft knowledgebase article 900257. This hotfix is available in the SMS2003ITMU_ENU\HOTFIXES\KB900257\ENU folder of the downloaded file. From that location, run SMS2003-SP1-KB900257-X86-ENU.exe.
- Install an update for the SMS Administrator that corrects a display problem with SMS reports. Note that, in order to install this update, you must exit the SMS Administrator and stop the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services. Next, from SQL Server Enterprise Manager (SQL Server 7, 2000) or the SQL Server Management Studio (SQL Server 2005), run the update.sql script located in the download. Find this file at SMS2003ITMU_ENU\HOTFIXES\KB900401\update.sql.
- Install a more recent version of the Advanced Client that supports the SMS 2003 Inventory Tool for Microsoft Updates. Note that this installation will stop and restart all SMS services. After installation of this update completes, you will need to push the client back out to workstations to enable this update. This can be accomplished by pushing the client out to an appropriate collection, making sure that the checkbox next to "Always install (repair or upgrade existing client)" is selected. In my lab, my systems were originally running version 2.50.3174.1018 of the client. This update upgraded my clients to 2.50.3174.1152. To locate the client version on your managed systems, right-click a system in a collection and choose Properties.
|Make sure that, when using a collection to update the client, you select this option.|
- Install the latest Microsoft Windows Installer on all of your managed clients. As of this writing, the latest version for currently supported operating systems is Windows Installer 3.1 (v2). This version of the installer supports Windows 2000 SP3+, Windows XP, and Windows Server 2003. Windows Server 2003 SP1 and Windows Server R2 include this version of the installer, so you don't need to update it. Windows Vista and Longhorn Server will use version 4.0 of the Windows Installer. You can see which version of the Windows Installer you're running by executing 'msiexec' from the command line.
Now, with the prerequisites out of the way, from the download location, execute the SMSITMU.msi file to begin installation of the scanner itself. The first screen in the installer is a license screen while the second asks you for a destination folder. I accepted the default location of C:\Program Files\Microsoft Updates Inventory Tool.
Next, you have to define a synchronization host computer, which will be responsible for keeping the Windows Update catalog current. I've opted to use my other lab server for this purpose. Further, since my lab systems have access to the Internet, they will automatically download the catalog as needed.
|Which system will act as the synchronization host|
The next screen of the installer asks you to define some distribution settings for the scanner. Specifically, do you want to copy the inventory tools package to your distribution points and, second, do you want to advertise the tool to your default collection? Finally, what computer will be used for testing of the tool?
|Inventory tool distribution settings.|
SMS clients managed by this tool use the Windows Update Agent. Do you want to create an SMS distribution object to automatically distribute the Windows Update Agent to your managed clients? If so, how should the distribution be handled? See Figure U.
|Windows Update Agent distribution settings.|
That's it. After making these selections, the update scanner installs and creates the SMS objects you defined during the installation. The installation takes quite some time since the initial load of the update catalog takes place.
The actual patching process could be a whole article in itself. In a nutshell, right-click a collection or system and choose All Tasks | Distribute Software Updates. This starts the Distribute Software Updates Wizard.
The first screen of the wizard asks you to choose an update type. You just went through the process of installing a scanner to support this process. If everything went well, you will see an update type of "Microsoft Update" available. Click Next to continue.
|Choose an update type.|
Next, choose a "New" package type since you want to create a new update package (no screenshot since there is only a single selection).
Provide a name for your package. I've used the ever-original "Sample update package" here. The program name field is automatically updated to reflect this name.
|Provide a name for your package.|
I'm almost out of letters for figures, so I'm going to skip the next screen shot. The step in the wizard asks you to provide a name for the organization responsible for software update policies. I entered "Information Technology".
On the next screen, you need to tell SMS how to scan client machines to determine which updates are required. The Windows Update Agent is good for this purpose.
|Tell SMS which inventory scan tool package you want to use. Windows Update Agent is good for system updates.|
The next screen of the wizard is, by far, among the worst interfaces I've ever seen. On this screen, choose the updates that should be available for deployment to your managed systems. This interface is really, really bad.
|Choose the updates you want to install.|
On this last screen before updates are downloaded (only the catalog was downloaded earlier), you can usually just take the defaults. The information on this screen defines a directory in which updates will be stored and sent to distribution points.
Each shot in Figure Z corresponds to one of the bullet points below.
- After the updates are downloaded, you're provided with a summary window indicating whether updates are ready for use.
- After viewing the update summary, choose which distribution points should receive the updated package files. If you want to limit bandwidth, or update certain sites separately, this is a good way to accomplish these goals.
- Installation agent settings allow you to decide if you want to collect the client inventory immediately or create templates regarding system state. Further, you can opt to postpone system restarts so users are not adversely affected by updates.
- Also regarding the installation agent, you can tell SMS to perform an unattended installation of the updates and decide whether or not you want to notify users that an update is about to take place. In some situations, you can also allow the user to postpone the installation for a period of time.
- Finally, should this set of updates be advertised to a collection? This way, if you missed a client, you might be able to catch it during the next window. A patch won't be installed if a system doesn't need it.
That was the fast and furious patch update explanation! Unfortunately, patching is a fairly complex process and I really wanted to introduce you to it in this article.
With SMS installed and running, some steps still need to be taken to make it a truly useful product. Creating collections, making sure the BITS server service is running, installing the advanced client, and getting a client scanner up and running are critical tasks to make SMS do its job. One thing to keep in mind is that, while SMS is touted as a complete management tool, it's very much a framework that you can extend to meet your needs. Microsoft does make other scanners available for SMS, however, and third-party companies make their own SMS clients available for purchase that may have additional capability.