In-Depth
Take Inventory of SMS 2003
This rev of Microsoft’s desktop management tool has been in the machine shop for three years. Now that it’s nearly here, let’s look under the hood.
- By Mark Wingard
- 11/01/2003
IT professionals are used to waiting for Microsoft products, but the three-plus years it’s taken to move from Systems Management Server (SMS) 2.0 to SMS 2.5, now called SMS 2003, is pushing it. After countless late nights, Jolt binges, and multiple metric tons of M&Ms, SMS 2003 is scheduled to touch down at about the same time you read these words.
SMS 2003 may have been a long time in the making, but it isn’t even considered a major revision over SMS 2.0. This is good news for SMS administrators, because while SMS 2003 has a number of new capabilities and benefits, it still looks like—and more or less behaves like—SMS 2.0.
Nonetheless, SMS 2003 is a versatile, multifaceted desktop management tool that performs the challenging task of remotely managing large numbers of Windows PCs with efficiency and power.
Poof! What’s Gone
Let’s start with what is no longer part of the product, as it’s a smaller category than what’s new.
- Crystal Reports. (I don’t hear any wailing over this omission.) The obtuse, add-on reporting solution has been replaced by the robust and much easier to use SMS Web Reporting.
- NetWare support. Sorry, Provo, but you just don’t have enough market share anymore. (This also means no more IPX site boundaries.)
- Logon points on domain controllers (DCs). If you use only the Advanced Client in an Active Directory environment, SMS will leave your DCs alone.
- WINS and network browsing. If you have an all-Advanced Client, AD network, and if you choose to extend the AD schema, you can kiss WINS goodbye and disable browsing as far as SMS is concerned.
- Support for Alpha, SQL 6.5, SQL 7.0 pre-SP3, Windows 95, NT Server 3.51 and older. In contrast to the rest of Microsoft, at least SMS 2003 will continue to support NT 4.0!
- 80 zillion SMS accounts. With the Advanced Client in AD, SMS 2003 only needs to use computer accounts and local system accounts.
- License enforcement/real-time application monitoring. Software Metering, as you’ve known it before, is dead. No more separate Software Metering servers and database. The new Software Metering is an offline application monitor that actually works.
- SMS Installer. Actually, the SMS Installer still lives on. It’s just no longer included with SMS itself; it can be downloaded separately.
- Network Monitor. NetMon is still included on the SMS 2003 CD; it’s just no longer an integrated installation option.
- SMS Administrator’s Guide. This has been replaced by the Online Library, including the “Concepts, Planning and Installation Guide.”
- Advertised Programs Manager/Monitor Control Panels. Look for advertisements under Add/Remove Programs.
Mobile Client Management
Perhaps the most significant change to SMS is the Advanced Client. At
one time called the Mobile Client, the Advanced Client is a leaner (but
kinder) SMS client that addresses the mobile workforce and runs only on
Windows 2000 or above. While it’s optimized for an AD environment, it
doesn’t require AD. Developed for roaming users with unpredictable connectivity,
it’s also a much improved SMS client solution for desktops. In fact, the
Advanced Client is the recommended client for SMS 2003 deployments.
The Advanced Client uses HTTP and XML for communication across the network,
consuming less bandwidth. It also takes advantage of BITS (Background
Intelligent Transfer Service), a bandwidth-aware protocol that provides
byte-level checkpoint restart. Let’s say the Advanced Client gets interrupted
during a download or installation of a software package. Instead of having
to start all over again when network connectivity resumes, the client
picks up where it left off and finishes the processing. Advanced Clients
have the option of either running a package from the Distribution Point
as SMS clients have always done, or downloading the entire package into
cache and executing it locally. Administrators can also designate what
percentage of bandwidth should be used for SMS client processes.
Advanced Clients
A new server role called a Management Point (MP) is built to enable Advanced
Client communications. A Management Point is analogous to the SMS 2.0
Client Access Point (CAP). Discovery data, inventory data, status messages
and advertisement retrieval in the form of SMS “policies” for Advanced
Clients are all handled by Management Points. Management Points are only
supported on primary sites and require direct access to the SQL Server
database. Because Advanced Clients communicate with Management Points
via HTTP and XML, MPs require IIS 5.0 or later to be installed on
the machines hosting them. Similarly, Distribution Points will also require
IIS 5.0 or higher to support BITS on package distributions.
Another new site system role with an IIS dependency is the Server Locator
Point (SLP). SMS 2003 does away with the need to use DCs. Administrators
can still choose to use DCs for logon client installation, but now they
can decide which DCs to use and can manually populate Netlogon shares
with the files to run SMS client installation logon scripts. In place
of the Logon Points on DCs, SMS 2003 uses SLPs. If you decide to extend
your AD schema, SLPs get published in AD. Otherwise, you must manually
configure WINS with SLP information.
Figure 1. This screen shows SMS 2003’s built-in Report Viewer with a software inventory report for a single computer. Note that the file path is now included as part of software inventory, a small but priceless addition.
Security via Active Directory
Many IT pros might consider SMS security an oxymoron. SMS lets administrators
know what’s installed on company desktops, remotely control them and more
or less force software to be installed. These are the features that give
certain manager types cold sweats and nightmares. To make sure that the
SMS environment is safe and secure, Microsoft designed SMS 2.0 with 28
different security account types for specific purposes, guarding against
the single point of failure that was in SMS 1.2 with its service-account-as-domain-administrator
set-up. In a large environment, this range of account types can translate
into hundreds of accounts SMS administrators need to track. In many cases,
however, only SMS controlled the passwords on these accounts, so account
lockouts were common.
In SMS 2003, this security model is still in place and is known as Standard Security. However, a new, improved approach is also available, called Advanced Security. Advanced Security requires barely any domain user accounts—a key advantage. So how could SMS go from using hundreds of user accounts to hardly any? Active Directory. In an AD environment, SMS can use computer accounts instead of user accounts. Computer accounts are full security principals in AD. Therefore, you can add them to groups and set access control entries on them. (Tip: If you’re having problems getting a particular domain to work with SMS 2003 with Advanced Security installed, just give the site server’s computer account Administrator-level permissions where you’re having troubles, and odds are everything will magically start working.)
The only requirement for Advanced Security is AD. Because many organizations
haven’t migrated to AD, Microsoft designed it so the switch from Standard
to Advanced Security in SMS 2003 can be done any time. Just be aware that
there is no going back to Standard Security once you’ve upgraded your
site.
The Advantages of Tapping AD
While SMS 2003 runs perfectly well without AD, it fully exploits the directory
for those who have taken the AD plunge. For instance, site boundaries
can be based on AD sites. In an all-AD environment, IP subnet boundaries
aren’t even required. Another benefit of AD integration is the ability
to discover AD objects and base collections and perform queries and software
distributions on them.
SMS 2003 offers three new AD-only discovery methods:
Active Directory System Discovery, which finds all the computers in your
AD sites.
Active Directory User Discovery, which finds all the users and groups
in your AD sites.
Active Directory System Group Discovery, which finds everything else in
your sites that the other two discovery methods didn’t—Organizational
Units, containers, domain names and so on.
With this discovery data, SMS admins can query and target AD resources in a granular way (such as finding all the XP systems with IE 5.5 SP2 with less than 256MB of RAM in the Managers child OU of the Sales OU that have been logged onto in the last week by members of the Finance global group).
You may have heard that SMS 2003 requires extending the AD schema. As
with Advanced Security and the Advanced Client, extending AD is optional.
It provides certain advantages, so I’d heartily recommend extending the
schema. I’d also recommend doing so when you install SMS 2003, because
it’s a lot easier than extending it later on. The schema extensions allow
all clients to automatically find an SLP and allow roaming Advanced Clients
to find an MP. These can still be done without the schema extensions,
but it’s a manual process and you miss the automation that schema extensions
provide.
Figure 2. The Systems Management Control Panel for an Advanced Client. The Advanced tab provides local configuration options to accommodate downloading packages to be run locally.
Better Reporting
SMS 2003’s reporting is a major step forward. I’m sure there are people
who actually like Crystal Reports, which is so complex that it requires
its own training programs. (I’ve never met any of these people, but I’m
sure they’re out there.) These folks will be disappointed, but the rest
of us will be thrilled with SMS Reporting. This reporting tool uses direct
queries to the SQL Server databases via IIS, and the reports are viewable
with Internet Explorer (5.01 SP2 or higher). SMS Reporting isn’t entirely
new. The Web Reporting utility has been a downloadable add-on for more
than a year. However, with SMS 2003, the reporting functionality is fully
integrated with the SMS Administrator Console, and reports can be launched
without having to leave the comfort of the MMC. Nearly 160 reports come
pre-installed, but crafting custom reports is a snap. Reports can also
be filtered, scheduled, imported and/or exported, and multiple reports
can be combined into “dashboards.”
Another benefit of full integration is that reports, like everything else in the SMS Admin Console, have object-level security. This way admins can tweak access to individual reports without having to mess with SQL security. (SMS 2003 administrators will have to bone up on their Transact-SQL skills to take full advantage of the reporting options, but get this: Microsoft is finally publishing and documenting the SMS schema!) And speaking of SQL Server security, a big plus for the SMS 2003 reporting over the Web Reporting utility is that SQL Server can run in integrated security mode.
A new requirement for the reporting functionality is yet another, IIS-based
server role—the Reporting Point. A Reporting Point is a server running
IIS 5.0 or later where all of the SMS reports are accessed.
Rebuilt Software Metering
Software metering was the least exploited feature of SMS 2.0. It was complicated,
cumbersome, processor-and-bandwidth intensive, and in a word, lame. Microsoft
threw out the software metering code from SMS 2.0 and rebuilt it for SMS
2003 from the ground up. This feature can now be more aptly called Software
Usage Monitoring. Software Metering is now an off-line recording of
what applications are launched on what computers and for how long they’re
run. The results of the monitoring are then periodically reported to the
site server and stored in the same database as the rest of the SMS data.
No separate servers or SQL databases are required. Software Metering data
is closely tied to software inventory and reporting. SMS 2003 will even
monitor application usage via Terminal Server sessions.
SMS and MOM: The Road to System Center
Microsoft has two major management products: SMS and Microsoft Operations Manager (MOM). SMS is designed for change and configuration management and targets clients, whereas MOM performs operations management and targets servers. At the moment, SMS relates to Microsoft Operations Manager as if it were “Step Mom”; in other words, there’s not much communication between the two. While MOM can be used to monitor SMS servers, presently there’s not even a MOM Management Pack for SMS. The only thing the two products have in common is the word “manage” as part of their names. All of that will be changing in the next few years as Microsoft intends to merge the two management products, first into System Center Suite, and later into a single offering called System Center.
The first step will be a release of a MOM Application Management Pack for SMS. Next begins the love-in between MOM 2004 and SMS 2003 as part of System Center Suite. The suite will feature:
- SMS and MOM sharing the same, Yukon-based SQL Server database
- Cooperative MMCs or Web-based management consoles
- SMS deployment status forwarded as MOM alerts
- Shared Web-reporting capabilities
- Integrated packaging and licensing
Finally, as System Center, SMS and MOM will become a single product, leveraging additional management capabilities built into the future generation of Microsoft’s server OS, code-named “Longhorn.” It’s all part of a long-range strategy to remain competitive by bringing simplicity, automation and flexibility to IT operations, which, of course, has a name that can be reduced to a three-letter acronym: DSI (Dynamic Systems Initiative). But Microsoft may be missing the boat with DSI. They should consider changing the name of SMS to SIS (Systems Integration Suite) and adding a new product to work with MOM called DAD (Dynamic Administration Dashboard) to have a true family of management products.
—Mark Wingard
Smarter Inventory
While the basic approach to hardware and software inventory hasn’t changed
in SMS 2003, some long asked-for enhancements are included. My personal
favorite is that the software inventory now includes the path, or location,
of the files inventoried. In this same vein, administrators can now direct
specific file types to be inventoried in specific locations (for instance,
.vbs files in the System32 folder.) If an organization has conventions
about where certain files or applications are stored on desktop systems,
SMS 2003 can be directed to search in only those locations instead of
the entire hard disk or disks. Compressed and/or encrypted folders can
be skipped at the administrator’s discretion. This makes software inventory
faster and less processor intensive. Also included is inventorying of
Add/Remove Programs as a default function.
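An added example, not from the article or from the reports Microsoft ships: a custom Web Report in Transact-SQL that puts the new file-path data from software inventory together with the direct-SQL reporting described under Better Reporting, listing every .vbs file inventoried under a System32 folder so an administrator can spot scripts that have no business being there. The view and column names (v_R_System, v_GS_SoftwareFile, Netbios_Name0, FilePath, FileModifiedDate) are assumed to match the SMS reporting views; verify them against the published schema before relying on the query.

```sql
-- Custom SMS 2003 Web Report (added example; view and column names are
-- assumed, check them against the published SMS schema).
-- Part 1: every inventoried .vbs file under a System32 folder, newest first,
-- so unexpected scripts stand out with the machine they were found on.
SELECT  sys.Netbios_Name0      AS [Computer],
        sf.FileName            AS [File],
        sf.FilePath            AS [Path],
        sf.FileSize            AS [Size (bytes)],
        sf.FileModifiedDate    AS [Modified]
FROM    v_R_System        AS sys
JOIN    v_GS_SoftwareFile AS sf
        ON sf.ResourceID = sys.ResourceID
WHERE   sf.FileName LIKE '%.vbs'
  AND   sf.FilePath LIKE '%\System32\%'
ORDER BY sf.FileModifiedDate DESC, sys.Netbios_Name0;

-- Part 2: the same data rolled up per computer, which is the shape that
-- works well on a dashboard: machines with the most such scripts first.
SELECT  sys.Netbios_Name0      AS [Computer],
        COUNT(*)               AS [Script count],
        MAX(sf.FileModifiedDate) AS [Most recent]
FROM    v_R_System        AS sys
JOIN    v_GS_SoftwareFile AS sf
        ON sf.ResourceID = sys.ResourceID
WHERE   sf.FileName LIKE '%.vbs'
  AND   sf.FilePath LIKE '%\System32\%'
GROUP BY sys.Netbios_Name0
ORDER BY [Script count] DESC, sys.Netbios_Name0;
```

The rows only reflect files that software inventory has been configured to collect (the .vbs-in-System32 rule from the paragraph above), so the report is only as current as the last inventory cycle.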
Remote Control
The old, dog-slow, remote control performance has been noticeably improved—but
could stand another boost. And for Win2K Server, XP and Windows 2003 clients,
there are new remote control options: Terminal Services, Remote Assistance
and Remote Desktop. Depending on what the target desktop supports, one
or more of these choices will appear as a remote control option in the
SMS Admin Console. SMS 2003 remote control security has been modified
so remote controllers don’t have to have local accounts on the desktops
they’re accessing; they just have to be listed in the Permitted Viewers.
And the Administrators group, no matter what it’s called, “Administradores”
or “Järjestelmänvalvojat”, is given default access to the Permitted Viewers.
Ready for the Enterprise
Many other improvements surface in the areas of security, performance
(for instance, queries are much faster) and general functionality (the
Backup Recovery Wizard is built in, as are the Software Update Services
and Administrator Feature Packs). There are multiple upgrade options (including
the Deployment Readiness Wizard, designed to make upgrading bulletproof)
and some great new client installation options, as well.
SMS 2003 has something every SMS 2.0 administrator is bound to love.
Not only is SMS 2003 feature-rich and robust, it’ll actually work out
of the box. It’s been well-tested already. Counting the 30 Rapid Deployment
and Early Adopter Program partners, and Microsoft itself, SMS 2003 is
already running in production on approximately 125,000 to 150,000 desktops.
Due to the long development and beta cycle for this product, SMS 2003
should be one of the most stable new releases Microsoft has ever shipped.
For a product once considered dead and buried by Win2K and IntelliMirror,
SMS 2003 is remarkably alive and seriously kicking.