DESCRIPTION
It gives a basic understanding of SMS 2003 and gives an overview of what it does and how SMS is beneficial. The copying of the file has been blocked due to misuse of the documents. All the SMS 2003 learners, hope this document provides a good insight. Feel free to mail me for any suggestions or [email protected]
Microsoft Systems Management Server 2003
Agenda
• What is SMS and its Capabilities
• SMS Security Modes
• SMS 2003 Architecture Overview
• Advanced Client and Legacy Clients
• Client Discovery Methods (AD)
• Inventory Capabilities
• Software Metering
• Reporting
• SMS 2003 Advantages over 2.0
• SUS update installation process
What is SMS?
• Centralized Systems Management Server
• Supports Microsoft Enterprise OS's and most third party applications
• Configuration control tool for OS, applications, and hardware
• Remote Management (Hardware & Software)
• Remotely install software on computers – Distributing Software
• Check what kind of hardware (network card, graphics card etc.) is currently used on the computer – Hardware Inventory
• Check what kind of applications are installed or what latest patches are missing – Software Inventory
• Check how many applications are used by clients – what amount of licenses we need – Software Metering
What can you do with SMS?
Remotely diagnose / troubleshoot desktops and servers
Install applications or remotely run commands
Patch management
Manage existing software
Asset / inventory / resource management
SMS 2003 Capabilities
• Application Deployment
• HW/SW Inventory
• Security Patch Management
• Software Metering
• Remote Control
SMS Security Modes
SMS runs in one of two security modes:
• standard security mode
• advanced security mode
The security mode that you enable affects the type and number of accounts used for SMS security. Before you can enable advanced security certain prerequisites must be met on the SMS site server. Each security mode has its advantages, so you must choose the mode that is appropriate for your SMS sites.
Standard Security Mode
SMS 2003 standard security is very similar to SMS 2.0 security. Standard security relies on user (not computer) accounts to run services, to make changes to computers, and to connect between computers.
Advanced security is the recommended security mode. However, you must use standard security if your site does not meet the requirements for installing advanced security.
Use standard security if you are upgrading directly from an existing SMS 2.0 site. Upgrading from SMS 2.0 is relatively straightforward because standard security is nearly the same as SMS 2.0 security.
Advanced Security Mode
SMS 2003 advanced security uses the local system account on SMS servers to run SMS services and make changes on the server. Advanced security uses computer accounts (rather than user accounts) to connect to other computers and to make changes on other computers. Computer accounts can be used only by services running in the local system account context, and only administrators can configure services. Therefore, advanced security is a very secure mode.
The local system account and computer accounts have several advantages over user accounts:
The local system account is local to the computer itself so the jurisdiction of the account is very limited.
Only the operating system knows the password for a computer account so network users cannot use computer accounts to access network resources.
The local system account does not have a password or require one. Local system and computer accounts do not require any manual maintenance, even in organizations that require that all passwords be changed on a regular basis because the computer regularly and automatically changes computer account passwords.
Domain-level privileges are not required. Privileges are required only on the SMS servers themselves.
All SMS site systems should be Windows 2000 SP1 or higher.
Remote Management in SMS
With the Remote Reboot utility, administrators can restart the selected client
Run an application or batch file on a remote Windows based client
When a user is present at the remote machine (98 or 2000), a remote control session of that client may be initiated
Remote Assistance feature is used for remotely troubleshooting XP clients directly from the Systems Management Server 2003 Administrator Console when a user is present at the remote machine
Client software is automatically installed on Windows based computers within the site boundaries
SMS 2003 Architecture Overview
Site Systems Roles
• Management Point
• Server Locator Point
• Distribution Point
• Reporting Point
• Client Access Point
• Site Server
• SMS Site Database
Site Hierarchies
[Diagram. Labels: Primary (Central) Site (Parent Site); Primary Site (Child and Parent Site); Secondary Site (Child Site); Primary or Secondary Site (Child Site); SQL (four times)]
Advanced Client
The Advanced Client is a newly developed SMS client, and is the preferred client type for all computers running Windows 2000 or later in your organization. The Advanced Client is especially recommended for mobile and remote computers because its architecture is optimized for enhanced support for those types of computers.
Advanced Clients use management points to send and receive data from the site server. To receive configuration and advertised program details, Advanced Clients use policies, which are sent from management points. The Advanced Client policies are unique to SMS and are not related to policies associated with Active Directory®.
Advanced Clients cannot be assigned to secondary sites. However, they can use proxy management points at secondary sites to upload data and to download Advanced Client policies.
Legacy Client
Although it is recommended that you deploy the Advanced Client on all the computers in your organization running Windows 2000 or later, there are two reasons for deploying the Legacy Client.
You must deploy the Legacy Client when the client computer is running Windows 98 or Windows NT 4.0.
When you upgrade your SMS sites from SMS 2.0 to SMS 2003, the Legacy Client is automatically installed on SMS 2.0 clients running Windows 2000 or later to assist you with migrating these clients to Advanced Client. It is strongly recommended that you upgrade these clients to Advanced Client as soon as possible after you upgrade your SMS site.
Advanced Client
• Better support for mobile computers and remote computers.
• Enhanced security.
• Use of Background Intelligent Transfer Service (BITS) to transfer data such as package source files and inventory data.
• The Advanced Client can download the package source files to the local computer before running an advertised program.
• Access to SMS package source files on local distribution points at a site, which the Advanced Client is temporarily roaming to, without being assigned to that site. This includes access to distribution points at SMS 2.0 secondary sites, whose parent site is an SMS 2003 site.
The site server sends to the Advanced Client data that contains only changes to such items as configurations, advertisements, or software metering rules. This reduces the amount of data that is transferred on the network.
The Advanced Client is highly scriptable, which allows for the automation of Advanced Client configuration and operations.
The client agents, such as the Hardware Inventory Client Agent, are installed when the core SMS client components are installed. This ensures that the Advanced Client always has the client agents. This also eliminates the need for the extra bandwidth that would be necessary to download the client agents when enabling a feature.
When downloading the Advanced Client software during installation, the Advanced Client installation programs continue to run even if the network connection occasionally becomes unavailable.
When deploying Advanced Clients, you can complete the installation of the Advanced Client software without assigning the client to any site. This allows you to complete the installation of a large number of computers in a staging area, and then transport the installed computers to their destination in the production environment. Those computers can then be assigned to a site and become fully deployed SMS clients.
Advanced Client Download And Execute
[Diagram. Labels: Management Point; Distribution Point (twice); Local Client Cache; Bangalore SMS 2003 Primary Site; Chennai SMS 2003 Primary Site; SMS 2003 Advanced Client Managed by Bangalore; New Program Installed]
Mobile / Roaming / Remote Users
Bandwidth aware Advanced Client, using standard Internet technologies to deliver support to mobile users and systems with unreliable or varying connections
Uses the Background Intelligent Transfer Service (BITS) technology to automatically detect the capacity of the client network connection and to adjust transfer rates
Can also be configured to download an entire package, running the installation at a later time, even when no network access is available
Discovery Methods
Active Directory Site Boundary Integration
SMS 2003 allows definition of SMS site boundaries from Active Directory site names
IP subnets need only be defined in one place and leveraged by SMS
Mixed IP subnets and Active Directory site boundaries can be used to define an SMS site
Supports gradual migration: existing IP-based subnet boundaries still supported
Active Directory Discovery
• Active Directory system discovery enables discovery of new systems for site assignment and installation
• Generally more effective than Network Discovery
• Collects Active Directory container information
• Active Directory User Discovery
• Active Directory System Group Discovery
• Collects Active Directory site name (for systems)
Active Directory Container Information
• Collects the following containers
  • Organizational unit membership (OU)
  • Universal, global, domain local, security and distribution group membership
  • Supports nested groups
  • Includes Built-in users and computers
Active Directory Targeting
• Target software distribution to Active Directory organizational units and groups
  • Including distribution groups
WMI
• WMI-Based Inventory
  • Allows improved client-side performance during inventory scans
  • Provides a richer set of inventory data, including BIOS and chassis enclosure data
  • Based on the Common Information Model standard
  • Allows information from multiple sources
Inventory Capabilities
• Increase scale
  • 100,000+ systems on single primary site
  • 5-7X scale over SMS 2.0
• More control over software inventory
  • Better selection criteria
  • Wildcards, directories, and environment variables
  • Highlight different inventory permutations, like *.exe, m*.exe, etc.
  • Exclude encrypted and compressed volumes (critical for servers)
  • Ability to just get file properties improving system performance
• Better reporting on installed applications
  • WMI provider to inventory Add/Remove Programs data
  • Both the UI and Registry Information
  • Easier to track suite of applications
  • Enterprise Agreement True-Up report
  • WMI provider to inventory Windows Installer component status
• Reduced inventory traffic
  • Deltas generated on clients, advanced clients use compressed XML files
Software Metering
[Diagram. Labels: SMS Server; Client (three times); Windows Media; MS Word; Internet Explorer]
• Metering provides application usage tracking
  • Enables informed purchasing decisions
  • Allows you to track concurrent licensing
  • Reduces complexity in enterprise
• Administrators have control
  • Specify what applications to meter
  • Multi-site configuration tool allows replication of rules
  • Summarization tasks reduce data store
  • Tracks user, machine, time, frequency, usage
  • Usage data can be blocked from flowing up hierarchy to reduce traffic
Reporting
• Extensible web-based reporting tool
• Based on automatically maintained, high performance SQL Views
• Schema based on SMS Provider
• Documented and supported
• Improvements from original web version
• 120 pre-built reports
• Dashboard functionality makes it easier to customize reports
• Multiple reports in a single view
• Integrated security support
• Internationalized versions
• Exporting Reports
• Can export/import report properties into other SMS environments
SMS 2003 Advantages
Security
• SMS 2003 provides a new Advanced Security mode
• Reduces number of service accounts
• Less administrative overhead
• Leverages Local System account
• Domain Admin rights not required
• Advanced client platform is recommended
• Uses no accounts unlike legacy client
• SMS 2003 provides security rights delegation
Package Delta Replication
• SMS 2003 provides file-level delta replication.
• Only new or modified files are replicated.
• Down to appropriate child sites.
• Out to assigned distribution points (DPs).
• Provides self-healing to DPs.
• Downstream site/DP will be repaired if out of sync with the originating site.
Delta Replication
[Diagram. Labels: SMS 2003 Central Site; SMS 2003 Secondary Site; SMS 2003 Primary Site; Distribution Point (three times)]
Feature Packs
• Mobile Device Management Feature Pack
  • Add-on to SMS 2003 to manage Windows CE/PPC based devices
  • Delivers an integrated solution for servers, desktops, and devices
• OS Deployment Feature Pack
  • Ability to deploy industry recognized images to existing desktops
  • Integrated process for planning, state, and data migration, OS deployment, and post deployment changes
SMS – Benefits in Patch management
• Gives administrators control over patch management
• Allows staging and testing of updates before installation
• Fine-grained control of patch management options
• Automates key aspects of the patch management process
• Can update a broad range of Microsoft products (not limited to Windows and Office)
• Can also be used to update third-party software and deploy and install any software update or application
• High level of flexibility via use of scripting
SMS – What It Does
1. Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs, and advertisements created/updated; packages replicated and programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates, scans clients, and deploys necessary updates
[Diagram. Labels: Microsoft Download Center; Firewall; SMS Site Server; SMS Distribution Point; SMS Clients (three times)]
SMS – MBSA Integration
• Scans SMS clients for missing security updates using MBSA CLI
• Pushes mbsacli.exe to each client to do local scan (mbsacli.exe /hf)
• Parses textual output of patch numbers
• SMS administrators can centrally distribute security updates to clients
• SMS 2.0 and SMS 2003 use MBSA 1.1.1
How to Use SMS
1. Open the SMS Administrator Console
2. Expand the site database
3. Right-click any required collection and select All Tasks > Distribute Software
4. Create a new package and program
5. Browse to the patch to be deployed
6. Configure options for how and when the patch should be deployed on the client
Software Update Services: Update Installation
• SMS Client—Software Update Advertisement
  • Runs the software updates advertisement generated by the Distribute Software Updates Wizard.
  • Command line: PatchInstall.exe /g:0 /n /z:s /f /c:5 /t:30 /m:"PatchAuthorize.xml"
• SMS Client—Software Update Scan
  • Runs the scan component (ScanWrapper.exe).
  • Scans the computer, comparing results against the software updates catalog.
  • Writes the results of the scan to the WMI Win32_Patchstate class.
• SMS Client—Software Update Installation
  • Runs the software updates component (PatchInstall.exe).
  • Reads the authorization list (PatchAuthorize.XML) from the package source directory.
  • Identifies the authorized and missing software updates for the client.
  • Runs the software updates and manages reboots.
• SMS Client—Software Update Post-Installation Scan
  • Runs the scan component (ScanWrapper.exe).
  • Scans the computer, comparing results against the software updates catalog.
  • Writes the results of the scan to the WMI Win32_Patchstate class.
  • Generates hardware inventory, as needed.
• SMS Client—Software Update Post-Installation Status
  • Runs the software update component (PatchInstall.exe).
  • Generates status messages, as needed.
Adopt the solution that best meets the needs of your organization
Comparing Microsoft Update, Windows Update Services, and SMS 2003

| Capability | Microsoft Update | Windows Update Services | Systems Management Server 2003 |
| Supported Software and Content | | | |
| Supported Software for Content | Same as Windows Update Services + WinXP Home | Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2003, SQL Server 2000, MSDE | Same as Windows Update Services + NT 4.0 & Win98 + can update any other Windows based software |
| Supported Content Types for Supported Software | All software updates, critical driver updates, service packs (SPs), and feature packs (FPs) | All software updates, critical driver updates, SPs, & FPs | All updates, SPs, & FPs + supports update & app installs for any Windows based software |
| Update Management Capabilities | | | |
| Targeting Content to Systems | N/A | Simple | Advanced |
| Network Bandwidth Optimization | Yes | Yes | Yes |
| Patch Distribution Control | N/A | Simple | Advanced |
| Patch Installation & Scheduling Flexibility | Manual & end user controlled | Simple | Advanced |
| Patch Installation Status Reporting | Install errors reported to user. Lists missing updates for accessing computer | Simple | Advanced |
| Deployment Planning | N/A | Simple | Advanced |
| Inventory Management | N/A | No | Yes |
| Compliance Checking | N/A | No – status reporting only | Advanced |
What's New for Querying?
• Updated list of queries
  • Queries for specific operating systems
  • Only include supported operating systems
• Updated object type and attribute classes for software metering data
  • Permits querying on software metering data
  • Not available in SMS 2.0 because the software metering schema was not exposed
• Better facility for sharing queries between SMS sites
  • SMS Administrator Console import and export capabilities
Updated List of Queries
• All client systems, all non-client systems, and all systems
• All systems reporting hardware inventory, specific application, or file
• All users and all user groups
• Clients that have not been upgraded to SMS 2003
• Systems by last logged-on user name
• This site and all child sites
• Supported platforms: All products in the Microsoft Windows® Server 2003 Family, all Windows 2000 Professional systems, all Windows 2000 Server systems, all Windows 98 systems, all Windows NT® 4.0 systems, all Windows NT 4.0 Servers, all Windows NT 4.0 Workstations, all Windows XP systems
Exporting Queries
• Select Queries node
• On the Action menu, click All Tasks, and then click Export Objects
  • Export Object Wizard appears
• Select the queries to be exported (includes standard queries)
• Specify file name and comment
• Creates a MOF file with query contents
  • Comment
  • Class (SMS_Query)
  • Security
  • Syntax
Importing Queries
• Select Queries node (or other nodes)
  • Automatically adds imported objects to correct node
• On the Action menu, click All Tasks, and then click Import Objects
  • Import Object Wizard appears
• Specify MOF file to import
• Displays queries to be imported, and also displays whether you have the Create security rights that you need
• Displays the comment from the MOF file
• New queries are added to the appropriate node
What's New for Reporting?
• Crystal Reports are no longer used
  • Was resource intensive
  • Was problematic to configure in certain scenarios
  • Reports were not easily modified or created
• The new solution is SMS Reporting
  • Integrated version of Web Reporting Tool
  • Released to Web over a year ago
  • Great response from customers
• Easy for users to access reports on the intranet
• Easy to create custom reports
• Can create custom dashboards
Report Categories
• Advertisement Status (6)
• Computers (with a specific file)
• Hardware (50): CD-ROM, Disk, General, Memory, Modem, Network Adapter, Processor, SCSI, Sound Card, Video Card
• Network (9)
• Operating System (9)
• SMS Site (17): Client Information, Discovery and Inventory Information, General, Server Information
Report Categories (2)
• Software (16): Companies and Products, Files
• Software Metering (4)
• Status Messages (17)
• Status Messages – Audit (6)
• Users (4)
• Video Card (no longer supported) (4)
• ~150 Total
Using Dashboards
• Dashboards allow multiple reports to be displayed in a single Internet Explorer window
  • Great for viewing multiple related reports simultaneously
  • Great way to monitor status
• By default, no dashboards are included
  • You create what you feel is required
• Very easy to create a dashboard
  • Supply title
  • Specify specific report for specific row or column of dashboard
Logs
1. The SMS 2003 Legacy Client logs record the same information as the SMS 2.0 client. The Legacy Client log files are located in the %Windir%\MS\SMS\Logs folder on the client computer.
2. The SMS 2003 Advanced Client uses different log files than the Legacy Client to record information. The Advanced Client logs are located in one of the following locations:
1. On computers that serve as management points, the Advanced Client logs are located in the SMS_CCM\Logs folder.
2. On all other computers, the Advanced Client log files are located in the %Windir%\System32\CCM\Logs folder
CcmExec.log – Records activities of the client and the SMS Agent Host service.
Execmgr.log – Records advertisements that run.
InventoryAgent.log – This component creates discovery data records (DDRs) and hardware and software inventory records.
StatusAgent.log – Logs status messages that are created by the client components.
LocationServices.log – Finds management points and distribution points.
PolicyAgent.log – Requests policies by using the Data Transfer service.
Scheduler.log – Records schedule tasks for all client operations.
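An added example, not part of the original slides: a PowerShell check that resolves the Advanced Client log folder as described above and reports whether each listed log is present and recently written, so a client that has stopped requesting policy or running advertisements stands out. The management point log path parameter, the seven-day staleness threshold and the availability of PowerShell 3.0 or later on the machine are assumptions; the slides give only the relative SMS_CCM\Logs folder.

```powershell
# Added example (not from the original slides): report the state of the
# Advanced Client logs the slide lists.
param(
    # Assumption: the slide names only "SMS_CCM\Logs" for management points, without
    # a parent folder, so the operator supplies the full path when running on one.
    [string]$ManagementPointLogDir = '',
    # Assumption: the threshold for calling a log stale is an illustrative choice.
    [int]$StaleDays = 7
)

# Log names and what each records, as given on the slide.
$ExpectedLogs = [ordered]@{
    'CcmExec.log'          = 'Activities of the client and the SMS Agent Host service'
    'Execmgr.log'          = 'Advertisements that run'
    'InventoryAgent.log'   = 'DDRs and hardware/software inventory records'
    'StatusAgent.log'      = 'Status messages created by client components'
    'LocationServices.log' = 'Finding management points and distribution points'
    'PolicyAgent.log'      = 'Policy requests via the Data Transfer service'
    'Scheduler.log'        = 'Scheduled tasks for all client operations'
}

function Get-SmsClientLogDir {
    param([string]$ManagementPointLogDir)
    if ($ManagementPointLogDir) {
        # Management point: fail loudly if the supplied folder is wrong.
        if (-not (Test-Path -LiteralPath $ManagementPointLogDir -PathType Container)) {
            throw "Management point log folder not found: $ManagementPointLogDir"
        }
        return $ManagementPointLogDir
    }
    # All other computers: %Windir%\System32\CCM\Logs
    return (Join-Path $env:windir 'System32\CCM\Logs')
}

function Get-SmsClientLogStatus {
    param([string]$LogDir, [int]$StaleDays)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($name in $ExpectedLogs.Keys) {
        $path = Join-Path $LogDir $name
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        # Missing: log never created or removed. Stale: agent has stopped writing.
        $state = if (-not $file) {
            'Missing'
        } elseif ($file.LastWriteTime -lt $cutoff) {
            'Stale'
        } else {
            'Active'
        }
        [pscustomobject]@{
            Log       = $name
            State     = $state
            LastWrite = if ($file) { $file.LastWriteTime } else { $null }
            SizeKB    = if ($file) { [math]::Round($file.Length / 1KB, 1) } else { $null }
            Records   = $ExpectedLogs[$name]
        }
    }
}

$logDir = Get-SmsClientLogDir -ManagementPointLogDir $ManagementPointLogDir
Get-SmsClientLogStatus -LogDir $logDir -StaleDays $StaleDays | Format-Table -AutoSize
```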
Questions ?