SMS Implementation Security

For more detail about these tasks, see Securing SMS.

Migrating to Advanced Security

If you upgrade a site from SMS 2.0 to SMS 2003, the site is automatically installed in standard security. You should migrate an SMS 2003 site from standard security to advanced security as soon as possible.

SMS 2003 sites can be set up to use standard security during installation, and then changed to advanced security, if they meet the requirements for advanced security.

Important

If a site is erroneously changed from standard security to advanced security, it can only be put back to standard security by using the recovery procedures. For information about the recovery procedures, see Scenarios and Procedures for Microsoft Systems Management Server 2003: Backup, Recovery and Maintenance (https://go.microsoft.com/fwlink/?LinkId=31434).

To change the security mode

  1. In the SMS Administrator console, navigate to the site’s node.

    Systems Management Server

        Site Database (site code - site name)

            Site Hierarchy

                (site code - site name)

  2. Right-click the site, and then click Properties.

  3. Click Yes on the warning message if you are certain the site is prepared to change to advanced security.

While the change to advanced security is taking effect, SMS components might fail and the error logs might contain error messages. Give SMS some time for the change to advanced security to take effect. The components recover automatically.

To verify which sites are using advanced security, check the properties of each site node in the SMS Administrator console.

After migrating to advanced security, you should remove any accounts that are no longer required. SMS will not remove these accounts automatically. Also, migrating to advanced security does not automatically create all necessary accounts or assign all necessary group memberships.

Note

The security option for a child secondary site might be unavailable after the parent site is changed to run in advanced security mode.

After configuring a parent site with advanced security, the Set Security button in the Site Properties dialog box for a child secondary site, which is configured with standard security, might be unavailable. This will prevent you from changing child secondary sites from standard security to advanced security.

To make the button available, restart the SMS Executive service on the child secondary site. This enables Set Security in the SMS Administrator console.

Running the Installation Files from the Secondary Site Server

Installing the secondary site server from the product CD allows you to install without making the site server computer account a member of the local Administrators group of the secondary site server.

To install a secondary site from the SMS Setup product CD

  1. Insert the SMS 2003 product CD into the server’s drive. Click Set up SMS 2003.

  2. On the Welcome page, click Next.

  3. On the System Configuration page, click Next.

  4. On the Setup Options page, select Install an SMS secondary site, and then click Next.

  5. On the Product Registration page, fill in the fields, and then click Next. You must enter the Product Key value, which is located on the SMS 2003 product CD case.

  6. On the SMS Site Information page, type the unique three-digit site code, the site name, and the site domain of this site, and then click Next.

Caution

To change the domain name and the computer name after SMS is installed, you must remove the installation of SMS, change the names, and then reinstall SMS. To avoid this time-consuming task, consider this information carefully before you enter it.

  7. On the SMS Security Information page, choose your security mode:

    • If you choose standard security mode, proceed to step 8.

    • If you choose advanced security mode, proceed to step 9.

Note

You cannot install a secondary site in Advanced security mode if the parent site is in Standard security mode.

  8. On the SMS Service Account Information page, if you have not already created a service account, use the default account (SMSService) or enter an account name and password. SMS Setup creates the account. If you have already created an account, enter the account name and password. You specify a trusted domain account by typing the domain and account name separated by a backslash (\). The trusted domain must be trusted by all domains within the site.

  9. On the Setup Installation Options page, select the SMS components that you want to install, and then click Next. You can also change the folders that the components are installed into on your server.

  10. On the Parent Site Information/Identification page, enter the site code of the parent site and the name of the primary site server to which the secondary site will connect. Enter the type of network connection that this site will use to communicate with the parent site, and then click Next. This option is not available when installing in the advanced security mode.

  11. On the Connection Account Information page, specify the account information that the secondary site will use to connect to the parent site, and then click Next.

  12. On the Completing the Systems Management Server Setup Wizard page, review the choices you have made throughout the setup process. To change any selection or specification, double-click the item that you want to change. Make the change, and then click Next until you return to the Completing the Systems Management Server Setup Wizard page. When you are satisfied with your choices, click Finish. The SMS 2003 secondary site installation on your computer is complete.