Skip to main content

Site Systems Frequently Asked Questions

On This Page

Site System Requirements
Client Access Points and Management Points
Server Locator Points
Distribution Points
SMS Site Database Server
IIS
Windows Server 2003 SP1



Site System Requirements

Q. Which site systems are required to be domain controllers?
A.

SMS 2003 does not require any computers to be domain controllers. In fact, it is more secure not to install any site systems on a domain controller, though it is still possible if necessary. Domain membership in SMS is required, but none of the site systems require domain controller functionality or installation in the domain controller.

For more information about security considerations for site and hierarchy design, see Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on Microsoft TechNet.

Q. What are the requirements for each site system? (Updated May 31, 2006) (Updated March 31, 2004)
A.

Table 1 Site System Requirements

Site SystemRequirements

Client Access Point

To be a client access point (CAP), the site system that you want to configure as a CAP must have at least one NTFS partition available. SMS 2003 does not support CAPs on non-NTFS partitions.

Distribution point

To use the Background Intelligent Transfer Service (BITS), the site server and distribution point must have Microsoft Internet Information Services (IIS) installed and enabled. You must also enable WebDAV extensions for IIS for Windows Server 2003. IIS is not required if the distribution point will not be BITS-enabled.

Management point

To be a management point, the system must have IIS installed and enabled, and run at least Windows 2000 SP3. A management point on Windows Server 2003 must also have BITS enabled. If you do not enable IIS and BITS in Windows first, enabling a Windows Server 2003 as a management point fails. The Task Scheduler and Distributed Transaction Coordinator (DTC) services must be enabled. On Windows Server 2003 domain controllers, the Task Scheduler service is disabled by default. Management points require NTFS partitions.

Reporting point

To be a reporting point, the site system server must have IIS installed and enabled. Microsoft Internet Explorer 5.01 SP2 or later must be installed on any server or client that uses Report Viewer. To use graphs in the reports, Office Web Components (Microsoft Office 2000 SP2 or Microsoft Office XP) must be installed. The reporting point also requires that Active Server Pages be enabled. Note: ASP is not enabled by default on IIS in Windows Server 2003.

Server locator point

To be a server locator point, the site system server must have IIS installed and enabled.


It is strongly recommended that all server computers with an SMS site server role have only NTFS partitions, and no FAT partitions. You should not assign any SMS server role to servers which have non-NTFS partitions.

When IIS is required for an SMS site system role, SMS 2003 uses the default website.

For more information about system requirements and supported platforms, see the "Getting Started" section in the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide.

 

Q. Can I install all of my site systems (client access point, management point, reporting point, etc.) on my site server?
A.

Yes. There is no technical restriction from doing so, but perform testing to ensure acceptable performance.

For more information on SMS 2003 sites and hierarchy, see "Appendix F: Capacity Planning for SMS Component Servers" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet

Client Access Points and Management Points

Q. What's the difference between client access points and management points?
A.

Client access points (CAPs) are for SMS 2.0 or SMS 2003 Legacy Clients, and management points are only used by SMS 2003 Advanced Clients. They both function as the primary contact point for clients. Clients retrieve configuration information and report information like inventory and status. The biggest difference is how data is delivered to the client.

The site server replicates a set of files down to the CAP. The client then reads and copies down those files from the CAP and processes them. If the CAP is offline, the site server cannot update the CAP, so the clients that access that CAP could potentially be out of date.

Advanced Clients request policy from a management point. The management point does not store any data locally. When a client makes a request for policy, the management point retrieves any applicable policies from the SMS site database and transfers those policies to the client. The management point caches policies locally to improve performance. If a client requests a more recent version of the policy, the management point retrieves the newer version.

Management points require IIS. CAPs do not require IIS; they perform file transfers through SMB.

For more information about SMS site and hierarchy design, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

 

Q. Why won’t SMS let me remove my last client access point?
A.

Each SMS site must have at least one site system enabled as a CAP, even if the site does not contain any Legacy Clients. SMS does not allow you to remove the last CAP from a site unless a new CAP is specified. The statement to the contrary in Chapter 12, "Planning Your SMS Security Strategy," in the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide, is in error.

Instead of eliminating the CAP, you can manually remove rights to the CAP share for non-administrative accounts. For more information, see Scenarios and Procedures for Microsoft Systems Management Server on Microsoft TechNet.

This is documented in the SMS 2003 Operations Release Notes. Search on "Site configuration and maintenance."

Q. Why can’t my remote management point communicate with the Microsoft SQL Server™ database? (Updated February 27, 2004)?
A.

Verify that Microsoft SQL Server™ has named pipes enabled. If you are running advanced security, verify that the management point computer account has been added to the SMS_SiteSystemToSQLConnection_7<site_code> group, and verify that the site database server is running SQL Server 2000 SP3.

For more information about troubleshooting connectivity between a management point and the SMS site database, see article 832109 or article 829868 in the Microsoft Knowledge Base.

Q. Why won’t my management point install? (Updated May 31, 2006)
A.

There are several reasons the management point installation might fail. The MPMSI.log file will log management point installation errors. If you have problems installing the management point, search on "return value 3" for errors in this log file. Here is a list of configurations to verify:

  • If your management point is a computer running Windows Server 2003, verify that IIS and BITS Server Extensions are installed. IIS is not installed by default as it is in Windows 2000. When you install IIS the BITS Server Extensions must be manually added to the installation.
  • If your management point is Windows 2000 and you are using the IIS Lockdown tool on the IIS 5 server, apply the SMS server t emplate from the SMS 2003 toolkit available at the Microsoft Download center
  • Verify that the server has an NTFS partition.
  • DTS Service is enabled.
  • Verify that the Task Scheduler service is enabled. On Windows Server 2003 Domain controllers, the Task Scheduler service is disabled by default.
  • Verify that the Windows Management Instrumentation service is running.
  • Verify that the World Wide Web Publishing Service is running.
  • Verify that the Default Web site is started and running.
  • Verify that the Default Web site is using Port 80.
  • Verify that the virtual directories (ccm_incoming and vdir) are created on the IIS Server
  • Verify that the SMS Agent Host service is installed, running, and can be started and stopped in a timely manner.

If all of these configurations are verified, try updating the MDAC version on the management point to 2.8. For more information, see article 820761, "INFO: List of Significant Fixes That Are Included in MDAC 2.8," in the Microsoft Knowledge Base.

Q. My management point installed correctly, but now I’m getting the following error: "Http verification .sms_aut (port 80) failed with the status code 401, Unauthorized." What should I do? (Added May 5, 2005)
A.Verify that the IUSR_<computername> and IWAM_<computername> effective user rights do not include any Deny entries. Verify that the local or domain group policy does not specify any Deny user rights for the IUSR_<computername> and IWAM_<computername> accounts or groups to which they belong. For example, if you enable the security policy Deny access to this computer from the network for the Guests group, IUSR_<computername> will be denied access to the network based on it’s membership in Guests.

Q. How do I verify that my clients can access the management point?
A.From the client's Web browser, connect to http://<ServerName>/sms_mp/.sms_aut?MPLIST, where ServerName is the name of the management point. If you get a blank page with no errors in the Windows header, then the client can access the management point.

Q. What is a proxy management point used for?
A.

A proxy management point is used by roaming Advanced Clients to retrieve policy at remote locations. The proxy management point receives inventory data and status messages and sends them to the secondary site server to be forwarded to the parent site, increasing bandwidth usage efficiency for roaming clients. A proxy management point also services the Advanced Clients that are in its roaming boundaries and are assigned to its primary site. A proxy management point can only be installed in a secondary site, not in a primary site.

For more information about proxy management points, see "Appendix F: Capacity Planning for SMS Component Servers" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Can I install a management point on a computer running Windows Server 2003 Web Edition?
A.

No. This is not supported. Windows Server 2003 Web Edition does meet the requirements for SMS clients but not SMS site servers.

For more information about system requirements and supported platforms, see the "System Requirements" section in What’s New in SMS 2003 Service Pack 1 available from the SMS 2003 Product Documentation page.

Q. Why do I have to set a default management point? (Added August 31, 2004)
A.

Each site can only have one default management point at a time. Advanced Clients only communicate with the default management point. If you need additional management points for performance reasons, combine multiple management points of one site into a Network Load Balancing cluster and configure the virtual IP address of the cluster as the default management point for that site.

If you configure additional management points but do not combine them into a Network Load Balancing cluster, those additional management points will not be used by the Advanced Clients. There is no automatic failover to additional management points. If the default management point goes offline, the SMS administrator must manually designate a different computer to be the default management point.

If you don't have a default management point, Advanced Clients cannot download any policies or report any data to the site.

For more information about site configuration, see "Appendix E: Designing Your SMS Sites and Hierarchy," in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Server Locator Points

Q. What is a server locator point and when do I need one?
A.

The server locator point locates CAPs for Legacy Clients and management points for Advanced Clients. The server locator point is mostly used in client installation. The server locator point:

  • Locates a management point for the Advanced Client if the Advanced Client is configured for automatic SMS site assignment.
  • Provides Advanced Clients with the location of the management point during Logon Script-initiated Client Installation and insufficient-rights installation.
  • Provides SMS site assignment for the Legacy Client and locates CAPs during Logon Script-initiated Client Installation.


  • Note If the Active Directory schema is not extended for SMS, you must register the server locator point in WINS.

Plan for a server locator point in your SMS hierarchy when any of the following are true:

  • You use Logon Script-initiated Client Installation to deploy Legacy Clients or Advanced Clients
  • You want to automatically assign Advanced Clients to sites without extending the Active Directory schema for SMS

For more information about assigning site system roles, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. In a site hierarchy, do I have to specify a server locator point on every site? (Updated February 27, 2004)
A.No, one server locator point is usually enough. Server locator points can direct clients to any site at or below their level in the hierarchy, so the server locator point is usually placed at the central site. For more information about hierarchy design, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet

Q. In a site hierarchy, can I have more than one server locator point? (Added February 27, 2004)
A.

Yes, but it probably isn’t necessary. If you are running Capinst.exe, your Legacy Clients access the server locator points at logon time and produce minimal network traffic. Advanced Clients query the server locator point once on installation when running Capinst.exe. They can also query the server locator point for automatic discovery of the assigned site code if the Active Directory schema has not been extended. You can only register one server locator point entry in WINS, so if you have not extended your Active Directory schema, you only have one effective server locator point in a WINS infrastructure. However, you can have up to 1,000 server locator points published in a single Active Directory environment.

For more information about server locator points, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deploymenton Microsoft TechNet.

Q. Is there any way to verify whether or not a server locator point is published in Active Directory?
A.If you see "LSGetAssignedSiteFromSLP: Unable to get the list of SLPs" when you check the ClientLocation.log file, verify the registration in Active Directory using Active Directory Users and Computers. In Active Directory Users and Computers, on the View menu, enable Advanced Features. Expand the domain, expand System, and then Click System Management. In the details window, you should see a registration record that for SMS-SLP-sitecode-computername. That is your server locator point registration in Active Directory. This does require the SMS Active Directory schema extensions. You can also check the Sitecomp.log file to see if Site Component Manager was able to publish the server locator point in Active Directory after installation. SMS does not automatically publish the server locator point in WINS; you would have to do that manually.

Distribution Points

Q. What is a protected distribution point? (Added March 31, 2004)
A.

A protected distribution point has special boundaries that control which Advanced Clients can use that distribution point. If an Advanced Client falls within the protected boundary of a distribution point, and if the package is on that distribution point, then the Advanced Client will only attempt to retrieve the package from that protected distribution point. Advanced Clients that fall outside the boundaries of the protected distribution point can never retrieve packages from that distribution point. Configure protected distribution points when you want to prevent clients from crossing a slow network link to retrieve a package from a distribution point.

For more information about assigning distribution points, see "Appendix E: Designing Your SMS Sites and Hierarchy," and "Appendix H: Upgrading to SMS 2003" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deploymenton Microsoft TechNet.

Q. How do my clients choose a distribution point? How do protected distribution points affect the choice of distribution point? (Updated January 31, 2005)
A.

Advanced Clients and Legacy Clients choose distribution points differently. When a Legacy Client receives an advertisement, it gets a list, from the client access point, of all distribution points containing that package. Unless the Legacy Client has been configured with a preferred distribution point by using the prefserv.exe tool, the Legacy Client will randomly choose any distribution point in the site that has the package. Even if you use prefserv.exe, you are only configuring a preferred distribution point. If the preferred distribution point is unavailable or does not have the requested content, the Legacy Client will randomly select any distribution point in the site. Legacy Clients do not recognize the boundaries of protected distribution points, and they treat them like any other distribution point in the site.

Advanced Clients use more complex algorithms when selecting a distribution point. The Advanced Client sends a content location request to the management point. If the Advanced Client is in the boundary of a protected distribution point, then the management point returns only the name of the protected distribution point. If the Advanced Client is in the local roaming boundaries for a site, then the management point returns the list of all available distribution points with that content. The Advanced Client sorts the list in this order:

  1. Active Directory site
  2. Local subnet
  3. SMS site

If the Advanced client is in the local roaming boundaries and more than one distribution point is available, the Advanced Client randomly chooses any distribution point from the list. For example, if there are three distribution points in the Active Directory site, the client chooses randomly.

If the Advanced Client is in the remote roaming boundaries for a site, it randomly selects any distribution point in the site.

Q. Can I use Microsoft Virtual Server or Virtual PC with SMS? (Updated May 31, 2006)
A.

Yes. If the host computer is running Microsoft Virtual Server 2005 R2 and SMS 2003 SP2, all site system roles are supported on the guest operating system.

If the host computer is running Microsoft Virtual Server 2005 or Microsoft Virtual PC 2004 it can fill any SMS SP2 server role, but SMS server roles are not supported on the guest operating system.

SMS 2003 SP2 supports the Legacy Client or Advanced Client running on the guest operating system, provided that the guest operating system meets the operating system and dependency requirements for the particular SMS client.

For more information about Virtual Server 2005 and Virtual PC 2004 support, see Microsoft Systems Management Server 2003 Supported Configurations for Service Pack 2 on the Microsoft web site.

SMS Site Database Server

Q. How do I move my SMS site database to a different computer running SQL Server? (Updated May 31, 2006)
A.

You can move a local SMS site database to a remote server or move the SMS site database from one remote server to another remote server. Moving a remote SMS site database from a remote computer running SQL Server to the site server back to the site server is not supported. When moving the SMS site database server, SMS moves the SMS Provider to the same server that the SMS site database is moving to.

The basic steps involve backing up the SMS site database, restoring it to the new computer running SQL Server, running the SMS Setup Wizard on the primary site server, and then running a site upgrade from the SMS CD. For detailed steps, see the section "Changes to Site Configuration, Hardware, and Infrastructure" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.

Q. Can I use SQL 2005 with SMS 2003? (Added May 31, 2006)
A.

Yes. SMS 2003 SP2 is supported for use with SQL 2005. Prior versions of SMS do not support the use of SQL 2005.

The following list describes the sequence for upgrading an existing SMS 2003 site to SQL 2005:

Upgrade Sequence:

  1. Install SQL Server 2000 Service Pack 3a or 4 (SP3a or SP4).
  2. Install SMS 2003 Service Pack 1 (SP1).
  3. Upgrade SMS 2003 Site Server to Service Pack 2 (SP2).
  4. Upgrade SQL Server 2000 to SQL Server 2005.

For more information about system requirements and supported platforms, see the "Server Software Requirements" in the Supported Configurations Guide SMS 2003 SP2 at the Microsoft Download center.

IIS

Q. Which site systems require IIS?
A.

Management points, server locator points, and reporting points. Reporting points also require that Active Server Pages be enabled. Distribution points can use BITS to manage downloads to the Advanced Client. BITS enabled distribution points require IIS and WebDAV. Windows Server 2003 does not install IIS by default. If you install IIS on Windows Server 2003, then BITS, ASP, and WebDAV are not enabled by default.

For more information about site systems, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Can I change my SMS roles to use something other than the default IIS web site? (Added July 30, 2004)
A.No. SMS requires the default web site for all its IIS roles. If you have another application which also uses the default web site, but uses a port other than 80, you should be able to allow the sites to co-exist.

Q. How do I make sure the IIS installation on my SMS site systems is secure? (Updated August 31, 2004)
A.

If your site system is running Windows 2000 Server and IIS 5.0, run the IIS Lockdown Wizard with the SMS IISLockd.ini. IIS Lockdown works by turning off unnecessary features, which reduces potential attacks. The IIS Lockdown Wizard includes the URLScan Security tool, which restricts the types of HTTP requests that IIS processes.

If your site system is running Windows Server 2003 and IIS 6.0, the IIS Lockdown feature is integrated into IIS. You should still run URLScan 2.5 to apply UrlScan_SMS.ini file.

Download the SMS IISLockd.ini and UrlScan_SMS.ini as part of the SMS Toolkit from the Microsoft Download site. For the procedure to apply these templates, see the documentation that comes with the SMS Toolkit.

Important

Running the IIS Lockdown or URLScan tools without the SMS templates can cause SMS operations to fail.

For more information about Internet Information Services security, see Scenarios and Procedures for Microsoft Systems Management Server.

Q. Are there log files for IIS?
A.Yes. By default, they are located in the %systemroot%\system32\LogFiles\W3SVC1 folder. These can be useful in verifying that client is contacting the management point, server locator point, or reporting point.

Windows Server 2003 SP1

Q. I would like to upgrade my site systems to Windows Server 2003 SP1. Are there any compatibility issues with SMS 2003 that I should know about first? (Updated May 31, 2006)
A.

Yes. If you run your site systems on Windows Server 2003 SP1, you might need to perform some workarounds to restore full SMS functionality. The following sections of this FAQ provide information about issues that might arise and suggested workarounds you can perform:

  • Resetting the DCOM permissions to pre-Windows Server 2003 SP1 levels
  • Additional Configuration Tasks if you Run the Security Configuration Wizard
  • Identifying Ports and Services Required If Windows Firewall Is Enabled

Resetting the DCOM permissions to pre- Windows Server 2003 SP1 levels

Server locator points and reporting points require the same level of DCOM permissions they had prior to Windows Server 2003 SP1. Windows Server 2003 SP1 splits the previous Launch permission into Local Launch and Remote Launch and splits the Activation permission into Local Activation and Remote Activation. In addition, the activation permissions are being moved from the Access Permission ACL to the Launch Permission ACL. For more information about the new COM permissions, see Granular COM Permissions on MSDN.

If you upgrade your server locator point to Windows Server 2003 SP1, you must reset the COM permissions so that the Internet Guest Account (IUSR_<servername>) has Local Launch permissions as it did prior to SP1, as shown in the following procedure.

To grant Local Launch permission to the Internet Guest Account:

  1. On the site system, from the Start menu, Click Run and type Dcomcnfg.exe.
  2. In Component Services, Click Console root, Click Component Services, Click Computers, Click My Computer, Click DCOM Config, and then Click SMS_SERVER_LOCATOR POINT.
  3. On the Action menu, Click Properties.
  4. In the Launch and Activation Properties dialog box, on the Security tab, in the Launch and Activation Permissions section, Click Edit.
  5. In the Launch and Activation Permissions dialog box, select the check box to allow both Launch Localand Local Activation for Internet Guest Account (IUSR_servername).

If you upgrade your reporting point to Windows Server 2003 SP1, you must reset the COM permissions so that the SMS Reporting Users Group has Local Launch permissions as it did prior to SP1, as shown in the following procedure.

To grant Local Launch permission to the SMS Reporting Users Group:

  1. On the site system, from the Start menu, Click Run and type Dcomcnfg.exe.
  2. In Component Services, Click Console root, Click Component Services, Click Computers, Click My Computer, Click DCOM Config, and then Click SMS_REPORTING_POINT.
  3. On the Action menu, Click Properties.
  4. In the SMS Reporting Point Properties dialog box, on the Security tab, in the Launch and Activation Permissions section, Click Edit.
  5. In the Launch and Activation Permissions dialog box, select the check box to allow Local Activation for SMS Reporting Users Group.

If your site server is running Windows Server 2003 SP1 and you want to run the SMS Administrator console on a computer that does not contain the SMS Provider, you must reset the COM permissions so that the user running the SMS Administrators console has remote launch and remote activation on the computer running the SMS Provider. Because everyone running the SMS Admin console should be a member of SMS Administrators, you can also grant the remote launch and remote activation to the SMS Administrators group on the SMS Provider.

Additional Configuration Tasks if you Run the Security Configuration Wizard

Introduced in Windows Server 2003 SP1, the Security Configuration Wizard helps you create a security policy that you can apply to any server on your network. The wizard recognizes SMS server roles, services, ports, and applications, but might not recognize all of the required configurations. The following section details which configurations are not automatically configured by the Security Configuration Wizard and the additional configurations required to keep SMS functioning properly.

Note For more information about the roles and features recognized by the Security Configuration Wizard, view the configuration database while running the wizard.

Enable Remote WMI in the Security Configuration Wizard for Remote Site Database Servers When using the Security Configuration Wizard in Windows Server 2003 SP1, the Remote WMI service is not selected by default. The Security Configuration wizard is unable to recognize the SMS Provider. If you run the wizard on the server that has the SMS Provider installed, you must enable the Remote WMI service on the Select Administration and Other Options page of the Security Configuration Wizard. Unless Remote WMI is enabled, the SMS Administrator consoles on the site server and any other remote consoles will fail to connect to the SMS namespace in WMI.

Enable the SMS Database Monitor Ports on Remote SMS Site Database Servers. If your SMS site database server is not on the same computer as the SMS site server, the Security Configuration wizard correctly enables the SMS Database Monitor service (SMS_SQL_Monitor_<ServerName>) but it does not enable the ports used by the SMS Database Monitor service. On the Open Ports and Approve Applications page of the wizard, select Ports used by SMS_SQL_MONITOR_<ServerName<. If the SMS site database server is on the same computer as the SMS site server, no ports are required.

Enable Remote Administration for IIS and Related Components on BITS-enabled distribution points. When you run the Security Configuration wizard on a BITS-enabled distribution point, you must select Remote administration for IIS and related components on the Installed Options page. If Remote administration for IIS and related components is not enabled, the wizard blocks the SMS Distribution Manager service from creating virtual directories on the distribution point.

Deselect the CAP Role if it is not on the Site Server. The Security Configuration Wizard always identifies a site server as having a Client Access Point, whether or not the site server is actually assigned that role. If the CAP role is incorrectly selected, deselect it on the Select Administration and Other Options page of the Security Configuration Wizard.

Re-run the Wizard after Changing Site System Roles. If you run the Security Configuration Wizard on a server and then configure a site role on that server, you should re-run the wizard to ensure the site system roles functions properly.

Identifying Ports and Services Required If Windows Firewall Is Enabled

Windows Server 2003 SP1 also includes the Windows Firewall feature first released in Windows XP SP2. The firewall can interfere with some SMS features. Windows Firewall is not enabled by default on servers. If you enable the Windows Firewall on a Windows Server 2003 SP1 server, either by using Control Panel or by running the Network Security section Security Configuration Wizard, you must verify that the following ports and applications are permitted to pass through the Windows Firewall.

  • Remote Control If the SMS Remote Control ports are disabled, an SMS client running Windows Server 2003 SP1 cannot be remotely managed by using SMS Remote Tools. The recommended best practice is to use Remote Assistance or Remote Desktop on operating systems that support it, such as Windows Server 2003. To enable SMS Remote Tools, permit the appropriate port to pass through Windows Firewall for each necessary remote tool, as described in the following table.

Remote Control Port

Remote Control Function

TCP port 2701

Allows general contact, reboot, and ping

TCP port 2702

Remote Control

TCP port 2703

Chat

TCP port 2704

File Transfer

  • For more information about ports used by SMS remote control, see article 256884 in the Microsoft Knowledge Base.
  • Remote Assistance If the remote assistance ports are disabled, remote assistance sessions initiated from the SMS Administrator console to a computer running Windows Server 2003 SP1 will fail, although remote assistance sessions requested by the Windows Server 2003 SP1 client will succeed. To enable Remote Assistance to be initiated from the SMS Administrator console, permit helpsvc.exe and port TCP 135 to pass through Windows Firewall.
  • Windows Event Viewer, System Monitor, and Windows Diagnostics The SMS Administrator console cannot access Windows Event Viewer or System Monitor on computers running Windows Server 2003 SP1 unless File and Printer Sharing is enabled. There is no workaround at this time to access Windows Diagnostics from the SMS Administrator console.
  • Client Push Installation   Client Push Installation fails on client computers running Windows Server 2003 SP1 unless File and Printer Sharing is enabled.
  • Queries If you run a query from an SMS Administrator console on a Windows Server 2003 SP1 computer, you must permit statview.exe to pass through the Windows Firewall or the queries will fail the first time they run. After failing to run the first time, the Windows Firewall displays a dialog box asking if you want to unblock statview.exe.
  • SMS Administrator Console If you run the SMS Administrator console on a Windows Server 2003 SP1 computer, you must permit unsecapp.exe and TCP port 135 to pass through the Windows Firewall. The Unsecapp.exe application is used to send results back to a client in a process that might not have permissions to be a DCOM service. SMS relies on the Unsecapp.exe application to receive the results of asynchronous operations in the SMS Administrator console. TCP 135 is the DCOM port. For more information about DCOM and unsecapp.exe, see article 875605 in the Microsoft Knowledge Base.

 

Q. I permitted unsecapp.exe and TCP port 135 through my firewall, but my SMS Administrator console running on Windows Server 2003 SP1 still cannot connect to the SMS site database. What should I do next? (Added January 31, 2005)
A.

Some customers have reported this issue, but at this time, Microsoft has not been able to reproduce this condition. If you run the SMS Administrator console only from computers that belong to the same domain as the SMS Provider, permitting unsecapp.exe and port TCP 135 to pass through the Windows Firewall should be sufficient. However, some customers have reported that even after permitting these two exceptions, the SMS Administrator console still cannot connect to an SMS site database from the Windows Server 2003 SP1 client, even when both computers are in the same domain. As a last resort, adding anonymous remote access rights in DCOM resolves the issue but increases your security risk.

If you grant anonymous remote access rights, you disable a layer of protection for the system. An attacker no longer needs to circumvent user authentication to discover and exploit potential vulnerabilities in the system. To avoid potential attacks related to granting anonymous remote access rights, you can use Remote Desktop to connect to the computer running the SMS Provider and run the SMS Administrator console remotely.

To allow anonymous remote access in DCOM:

  1. From the Start menu, Click Run and type Dcomcnfg.exe.
  2. In Component Services, Click Console Root, Click Component Services, Click Computers, and then Click My Computer. On the Action menu, Click Properties.
  3. In the My Computer Properties dialog box, on the COM Security tab, in the Access Permissions section, Click Edit Limits.
  4. In the Access Permission dialog box, select the check box to allow Remote Access for Anonymous Logon.
  5. Restart the computer.




For More Information

Did you find this information useful? Send your suggestions and comments about the FAQ to   smsdocs@microsoft.com.