What's New in SMS 2003 Service Pack 1

Published: August 31, 2004

On This Page

System Requirements
Deployment
Platform Support
Inventory
Software Distribution
Software Updates
Discovery
SMS Administrator Console and Reporting
Scalability and Performance
Site Maintenance
Security
Tools

System Requirements

The following sections provide information about new or updated features in this Microsoft® Systems Management Server 2003 service pack.

SMS Site Server System Requirements

Software Requirements
  • Operating systems

    • Microsoft® Windows® 2000 Server

    • Windows 2000 Advanced Server

    • Windows 2000 Datacenter Server

    • Windows Server™ 2003, Standard Edition

    • Windows Server 2003, Enterprise Edition

    • Windows Server 2003, Datacenter Edition

      Notes
      Microsoft’s SMS 2003 support for server operating systems requires that the most current server operating system service pack or the immediately preceding service pack is installed. Microsoft will provide support for products that have the immediately preceding service pack installed for a period of up to twelve months from the release of the current service pack. Depending upon service pack release schedules, the immediately preceding service pack could be supported for less than 12 months. To verify the service pack support dates, visit the Lifecycle Supported Service Packs Web site.
      For additional information about Microsoft’s support lifecycle policy, visit the Microsoft’s Support Lifecycle Support Policy FAQ Web site.

  • Internet Information Services (IIS) must be installed as part of the Windows Server installation for certain SMS site system roles. For specific details, see the "Getting Started" chapter in the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide.

  • Microsoft Internet Explorer 5.0, or later.

  • Microsoft SQL Server™ 7.0 with Service Pack 3 or later, or SQL Server 2000 with Service Pack 3a, or later.

    Notes
    It is recommended that all server computers with SMS site server roles have only NTFS partitions.
    SMS 2003 has been extensively tested with the supported operating system versions listed above. Although SMS 2003 is supported on all of the platforms listed, it is strongly recommended that you upgrade to the latest operating system service pack at your earliest opportunity so that you can take advantage of the included security fixes. If an issue that is exhibited only on an earlier operating system revision is reported to Microsoft, and the root cause of the issue is determined to be an operating system component, the recommended solution to that issue may be to upgrade to a more recent operating system service pack.

Hardware Requirements

Table 1.1

Hardware component   Requirement
Microprocessor       550 MHz or faster; Intel Pentium/Celeron family, or compatible processor recommended
Memory               256 MB of RAM (maximum 4 GB of RAM)
Hard disk            2 GB of available hard disk space on an NTFS partition
Drive                CD-ROM or DVD-ROM drive
Display              Windows 2000-compatible video graphics adapter
Peripheral           Keyboard and Microsoft Mouse or compatible pointing device, or hardware that supports console redirection
Network              Network adapter

SMS Client System Requirements

Software Requirements
  • Operating systems

    • Microsoft Windows 98

    • Windows NT Server 4.0

    • Windows NT Server 4.0, Enterprise Edition

    • Windows 2000 Professional

    • Windows 2000 Server

    • Windows 2000 Advanced Server

    • Windows 2000 Datacenter Server

    • Windows XP Professional

    • Windows XP Embedded

    • Windows Server 2003, Standard Edition

    • Windows Server 2003, Enterprise Edition

    • Windows Server 2003, Web Edition

    • Windows Server 2003, Datacenter Edition

      Note
      Microsoft’s SMS 2003 support for client operating systems requires that one of the three most current operating system versions, including service pack, is installed. To verify service pack support dates, visit the Lifecycle Supported Service Packs Web site.
      For additional information about Microsoft’s support lifecycle policy, visit the Microsoft’s Support Lifecycle Support Policy FAQ Web site.

  • Internet Explorer 5.0 or later

    Notes
    SMS client support for the Windows XP Embedded platform requires the SMS 2003 Advanced Client for Windows XP Embedded.
    Installing the Legacy Client or the MSI form of the Advanced Client on a computer running Windows XP Embedded is not supported. For this platform, a specific Windows XP Embedded image must be built with XP Embedded Target Designer, in which the XP Embedded form of the Advanced Client is included. This method ensures that all operating system components that are necessary for a valid SMS 2003 Advanced Client installation are included.

For more information about availability of the SMS 2003 Advanced Client for Windows XP Embedded, see the Systems Management Server Web site.

Hardware Requirements

Hardware component   Requirement
Microprocessor       300 MHz or faster recommended, 133 MHz minimum; Intel Pentium/Celeron family, or compatible processor recommended
Memory               128 MB or higher recommended (64 MB supported, but can limit performance and some features)
Hard disk            80 MB of available hard disk space
Display              Super VGA (800×600) or higher-resolution video adapter and monitor
Peripheral           Keyboard and Microsoft Mouse, or compatible pointing device
Network              Network adapter

Deployment

Changes in Supported Client Operating Systems

SMS 2003 SP1 introduces changes that affect the operating systems that clients support.

SMS 2.0 and Legacy Clients running on Microsoft Windows® 2000, Microsoft Windows XP, and Microsoft Windows Server® 2003 will not upgrade to SMS 2003 SP1.

Microsoft Windows 98 and Microsoft Windows NT™ 4.0 SP6a are the only supported operating systems for Legacy Clients.

When SMS 2.0 clients or SMS 2003 Legacy Clients (no SMS service pack) are members of an SMS 2003 SP1 site, you cannot apply SMS hotfixes to them. SMS 2.0 clients cannot report software inventory. The clients do not upgrade if:

  • The client’s Client Configuration Installation Manager (CCIM) cycle has not yet run. This cycle runs when the computer is restarted, and then every 25 hours for SMS 2003 clients, or every 23 hours for SMS 2.0 clients.

  • The client has run cliupgrade /disable, which stops the CCIM cycle from running.

  • The client’s operating system is Windows 2000, Windows XP, or Windows Server 2003.

Windows 2000 SP2 is the earliest supported version of a Windows operating system for Advanced Clients.

Microsoft recommends the following best practices.

Upgrading from SMS 2.0

Before upgrading an SMS 2.0 site, use software distribution to distribute the Advanced Client software to clients running Windows 2000 SP2 and later. During this process:

  • Assign new Advanced Clients to the site. These clients wait to communicate with the management point of the site after the site upgrades to SMS 2003 and a management point is designated.

    -Or-

  • Assign clients to a different SMS 2003 site that has a management point.

Upgrading From SMS 2003

You can upgrade or replace all clients that have supported operating systems to the SMS 2003 SP1 Advanced Client before you upgrade the site to SMS 2003 SP1 by ensuring that a management point is available, and then using software distribution to predeploy SMS 2003 SP1 Advanced Client software to the clients. This is possible because SMS 2003 SP1 Advanced Clients can communicate with a management point that is running SMS 2003 (no service pack).

When you predeploy the SMS 2003 SP1 Advanced Client, the Advanced Client functions without affecting an upgrade of your server infrastructure. In other words, Advanced Client predeployment can occur independently of server upgrades. After you become familiar with the SMS 2003 SP1 Advanced Client, you can continue upgrading the remaining clients of the site.

Note
As discussed in Appendix I, "Installing and Configuring SMS Clients" of Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment, Advanced Clients, unlike Legacy Clients, do not automatically update when a newer version of the Advanced Client software is available at the SMS site. You must manually upgrade existing Advanced Clients.

Valid Product Keys Are Required

A valid product key is required to install SMS 2003 SP1 primary sites. You can find your product key on the SMS 2003 product CD case. For information about volume licensing programs and product keys obtained through those programs, see the Microsoft Volume Licensing Web site.

Platform Support

Virtual PC 2004 and Virtual Server 2005 Support

Managing Host Operating Systems

SMS 2003 SP1 supports the Advanced Client running on the host operating system. SMS offers unrestricted support for computers acting as a host operating system. Computers running Microsoft Virtual PC 2004 or Microsoft Virtual Server 2005 can fill any SMS client or server role.

Virtual PC requires Windows 2000 Professional or Windows XP. Therefore, the host operating system supports the Advanced Client. The host operating system can also support the SMS 2003 Administrator console.

Virtual Server requires a Windows Server 2003 operating system. Therefore, Virtual Server can host operating systems that support the Advanced Client. The host operating system can also support:

  • An SMS site server

  • The SMS site database, stored in Microsoft SQL Server™

  • A management point

  • A client access point (CAP)

  • Distribution points, with or without Background Intelligent Transfer Service (BITS)

  • A reporting point

No interaction occurs between the Virtual PC host operating system and other applications running on the same computer. Similarly, no interaction occurs between the Virtual Server host operating system and other applications running on the same computer.

Managing Guest Operating Systems

SMS 2003 SP1 supports the Legacy Client or Advanced Client running on the guest operating system, provided that the guest operating system meets the operating system and dependency requirements for the particular SMS client. SMS server roles are not supported on guest operating systems. SMS supports the following client operating systems as guest operating systems on both Virtual PC and Virtual Server:

  • Legacy Client

    • Windows 98

    • Windows NT 4.0 SP6a

  • Advanced Client

    • Windows 2000 Professional with SP2, SP3, or SP4

    • Windows 2000 Server with SP2, SP3, or SP4

    • Windows 2000 Advanced Server with SP2, SP3, or SP4

    • Windows 2000 Enterprise Server with SP2, SP3, or SP4

    • Windows XP Professional with no service pack or SP1

    • Windows XP Tablet Edition with no service pack or SP1

    • Windows Server 2003, Standard Edition

    • Windows Server 2003, Enterprise Edition

Distinguishing Guest vs. Host Operating Systems

SMS distinguishes the guest operating system from the host operating system through hardware inventory on Virtual Server and Virtual PC. SMS looks for registry key information gathered from inventory to distinguish a virtual operating system by identifying its host machine. Though SMS 2003 SP1 does not include specific reports to expose a virtual operating system, you can still determine actual and virtual machines from the gathered inventory information.

In SMS 2003 SP1, the SMS_Def.mof file has been updated to collect information from the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Virtual Machine\Guest\Parameters|PhysicalHostName

HKEY_LOCAL_MACHINE\Software\Microsoft\Virtual Machine\Guest\Parameters|PhysicalHostNameFullyQualified

Once collected, this data is available in SMS Resource Explorer.

Important
In order for SMS to collect information from the registry keys above, either Microsoft Virtual PC 2004 SP1 or Microsoft Virtual Server 2005 with Virtual Machine Additions must be installed.

Support Limitations

No Direct Support for Virtual Computer Images

SMS supports only virtual computers that are running. It does not support virtual computer images. For example, SMS cannot patch a virtual machine image unless it is running. If a virtual machine has been patched with a software update and the updated machine image has not been saved, that virtual machine needs to be re-patched after it is restarted. A virtual computer that is targeted for a patch that causes the computer to reboot might enter a continuous reboot cycle.

No Support for Virtual PC for Mac

SMS 2003 SP1 does not support virtual operating systems that are hosted on Virtual PC for Mac.

Read-Only Virtual Machines

SMS cannot distinguish a read-only virtual machine from a write-enabled one. A read-only virtual machine loses any changes made to it when it is restarted. For example, if the client receives a patch, receives software, or sends a hardware inventory delta file, then after the machine is restarted the actual state of the client no longer matches the status recorded for that machine in the SMS site database. This occurs because SMS is not aware of the changes lost on the client.

Unsupported SMS Versions

Only SMS 2003 SP1 supports clients and server roles running on virtual machines. Earlier versions of SMS running on virtual machines are not supported. Accordingly, SMS 2003 SP1 does not support clients that have been upgraded from unsupported earlier versions running on virtual machines. For example, upgrading a client from SMS 2.0 or SMS 2003 without a service pack is not supported.

Support for Computers in a Workgroup

SMS 2003 SP1 provides limited support for computers in a workgroup, with the following conditions and exceptions.

  • Workgroup support is for Advanced Clients only.

  • Clients must use NetBIOS for name resolution.

  • Administrative user rights on the computer are required to install the SMS client software.

  • Active Directory discovery and user targeting are not supported.

  • Advertisements targeted to Active Directory objects, users, or user groups are not supported.

  • Global roaming is not supported.

    Note
    You can utilize trusted and encrypted discovery and inventory data, if your site is configured appropriately.

WINS Requirement Removed

An SMS 2003 SP1 site configured for advanced security does not require Windows Internet Name Service (WINS), provided that all clients are Advanced Clients residing in one forest. However, support for name resolution without WINS depends upon the TCP/IP settings of client computers. In order to use DNS for name resolution, you must append all DNS name suffixes to the DNS suffix list of the clients. In order to determine whether DNS is resolving computer names, you must ensure that the computer attempting to resolve names resides in a different routed subnet than the computer whose name is being resolved. Otherwise, NetBIOS broadcast resolution is used.

Note
DNS name resolution cannot be used by clients in a workgroup. Computers in a workgroup require WINS.

SMS client and SMS server components pass only NetBIOS names to the operating system for resolution. SMS never uses fully qualified domain names. If a computer’s common name is the same as its NetBIOS name, and DNS is configured appropriately, you can manually resolve the common name to an IP address with the Net Use command. In this case, SMS will operate properly without WINS.

Important
Active Directory® schema extension is required when using DNS for name resolution. This enables Advanced Clients to find their default management point and also permits clients to roam.

Support for Windows XP SP2 with Limited Functionality

By default, security changes introduced in Windows XP SP2 limit the functionality of SMS 2003 SP1.

SMS Features Possibly Affected by Windows XP SP2

Feature: Accessing SMS items in Control Panel
Issue: Because of restrictions imposed on Distributed Component Object Model (DCOM) with Windows XP SP2, users might not be able to access Run Advertised Programs or Program Download Monitor in Control Panel. Also, the Actions tab of Systems Management in Control Panel may not be accessible.
Workaround: A hotfix is available to correct this problem. For more information, see article 832862 in the Microsoft Knowledge Base. To successfully deploy this hotfix to the clients using SMS software distribution, you must verify that the countdown feature is disabled on the Advertised Programs Client Agent.

Feature: Downloading packages by using BITS
Issue: An Advanced Client that is running Windows XP SP2 cannot properly download packages by using BITS. Downloading policy by using BITS is not affected.
Workaround: A hotfix is available to apply to the BITS-enabled distribution points. For more information, see article 832860 in the Microsoft Knowledge Base.

Feature: Remote Control
Issue: SMS clients that are running Windows XP SP2 cannot be remotely managed by using SMS Remote Tools.
Workaround: The recommended best practice is to use Remote Assistance on client computers that support it, such as clients running Windows XP.

Feature: Remote Assistance
Issue: Remote Assistance sessions initiated from the SMS Administrator console fail, although Remote Assistance sessions requested by the client succeed.
Workaround: Add both the custom application Helpsvc.exe and the custom port TCP 135 to the list of permitted programs and services in Windows Firewall on the Windows XP SP2 client.

Feature: Event Viewer, System Monitor, and Windows Diagnostics from the SMS Administrator console
Issue: The SMS Administrator console cannot access Event Viewer or System Monitor on computers running Windows XP SP2.
Workaround: To enable remote access to these features, enable File and Printer Sharing for Microsoft Networks in the LAN configuration on the client running Windows XP. There is no workaround at this time to access Windows Diagnostics from the SMS Administrator console.

Feature: Client Push Installation
Issue: Client Push Installation fails on client computers running Windows XP SP2.
Workaround: Enable File and Printer Sharing for Microsoft Networks in the LAN configuration on the client running Windows XP.

Feature: SMS Administrator console
Issue: If Windows Firewall is set to On with no exceptions, the SMS Administrator console cannot connect to any SMS site database from the client running Windows XP. If Windows Firewall is set to On (recommended), the SMS Administrator console cannot display all of the items in the console tree.
Workaround: By design, if Windows Firewall is set to On with no exceptions, there is no workaround. If Windows Firewall is set to On (recommended), add Unsecapp.exe and TCP 135 to the list of programs and services on the Exceptions tab of Windows Firewall in Control Panel.

For the procedures to configure Windows Firewall for Windows XP SP2, read the "Remote Tools, Remote Assistance, and Remote Desktop Do Not Function Properly on Computers Running Windows XP SP2" topic in the SMS 2003 SP1 Operations Release Notes.

SMS 2003 SP1 Supports Advanced Clients and Distribution Points Running on Windows Storage Servers

SMS 2003 SP1 supports Advanced Clients and BITS-enabled distribution points that are running on Microsoft Windows Storage Servers. This information supersedes what is documented in the Getting Started section of the Systems Management Server 2003 Concepts, Planning, and Deployment Guide.

Inventory

SMS Client Inventory Performance Enhancements

A number of changes have been made to reduce the impact of taking Windows Management Instrumentation (WMI) inventory on the client’s CPU.

Software Inventory Skips File Collection in the Windows Directory

The amount of data collected by software inventory is reduced by excluding the Windows directory, by default, for each inventory rule. You can configure this option in the Software Inventory Client Agent Properties dialog box.

Upgrading from SMS 2.0 Causes Inventory Resynchronization on Clients

Due to differences in hardware inventory between SMS 2.0 and SMS 2003, clients in sites that are upgraded from SMS 2.0 to SMS 2003 SP1 perform an inventory resynchronization, sending full hardware inventory reports instead of delta reports. If many clients perform resynchronization at the same time, these inventory resynchronizations can cause an excessive load on the network and cause the site systems in your SMS hierarchy to take a long time to process hardware inventory data.

To reduce the load on your network and SMS site servers, consider performing a throttled site upgrade to prevent too many clients from resynchronizing at the same time. For more information about upgrading, see the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide.

Software Distribution

Improvements to Software Distribution Fan-Out

The software distribution fan-out feature reduces the workload of the initiating site, which also reduces the load on the network link between the initiating site and other sites. However, in a hierarchy of three or more tiers running SMS 2003 without a service pack, source packages are resent from the central site, even when the middle-tier sites already have a copy. SMS 2003 SP1 improves the fan-out feature in the following ways:

  • When compressed package source files with the correct version are available at a site that is near the requesting site, the source site instructs the closest site to send content to the requesting site. In such cases, this avoids repetitive network traffic.

  • When a site’s distribution point is targeted to receive a new package, the source files are retrieved from the closest higher-level site in the hierarchy.

  • When a new distribution point is created, the site where the package was originally created identifies which is the closest site to the target site that has the correct package contents and version. The closest site then updates the newly created distribution point.

  • SMS 2.0 child sites are updated by the closest parent SMS 2003 site that contains the updated package source files.

Software Updates

The following changes in SMS 2003 SP1 provide the capability to rapidly respond to the need for critical patch management in your enterprise.

Authorized Security Updates Without Inventory to Detect Missing Updates

Software Updates Services has been modified to parse the latest XML catalog upon download and insert any new updates directly into the SMS site database. This allows the updates to be immediately authorized by the Distribute Software Updates Wizard, resulting in no delay to wait for inventory scans to report the need for a new update.

Software Update Services Produces More Useful Reports

SMS 2003 SP1 provides more accurate and useful reports for tracking critical software updates. The following improvements have been made:

  • You can determine whether a particular computer has run a scan tool with the catalog version that contained a particular update.

  • You can determine whether a scan tool's results were sent through hardware inventory from a particular computer, based on a particular catalog version.

  • Software update installation status messages for Advanced Clients are linked to software distribution advertisements.

  • You can track a software update to the version of the update catalog it belongs to.

  • You can track a software update to the package and advertisement used for its installation.

Package version is used by SMS 2003 SP1 instead of catalog version. Because there is currently no consistent versioning mechanism for different sets of catalogs, SMS uses a source version that corresponds to a package. Changes to a package source version correspond to a change in catalog version. This provides a consistent mechanism to track changes across any kind of catalog.

Software updates depend on expedited inventory. In order to provide full accountability for an update, SMS depends on hardware inventory results to determine whether a patch is installed, or still applicable. This dependency requires scan tools to run with expedited inventory. If scan tools are not running with expedited inventory, the results in the update reports can be as old as the last hardware inventory cycle.

Notes
All reports that provide accurate and useful information about a particular update are fully functional only at the site where the update was approved, and will be available only for updates approved after the site upgrades to SMS 2003 SP1.
Because there is no way to obtain the information from the Legacy Clients, the catalog version data sent through hardware inventory is generated on Advanced Clients only.

Use the Software Update Sync tool to download a newer version of a catalog from the Web. Afterward, it updates the corresponding scan tool package with the catalog. When the Scan Wrapper tool successfully completes a scan cycle, it always updates the root\cimv2 WMI namespace with the package ID and source version information. The package ID and source version are used to represent the catalog version for software updates. The Win32_ScanPackageVersion WMI class is used to store this information, which is later collected through hardware inventory.

Use the Distribute Software Update Wizard on the site server to approve software updates for installation on targeted systems. Each time an update is approved, the wizard stores information in the SMS site database with SMS scan package and installation package information used for the update. This includes the installation package ID, the current package source version, the program that is used to install the update, and the program that is used to detect the update. This information is then used to determine which version of the scan package update it belonged to and the advertisement that it used to install the update.

Information about an update to a particular scan or installation package is stored only at the site where the update was approved. This information does not replicate to parent or child sites. For example, if an update is approved at a central site, this information is available at the central site only.

The Office and Security Sync Tools update the corresponding scan tool package folders only if the tool detects an actual change in a catalog. A change is determined by comparing the previous and newer hash values of the catalog. If the hash values are the same, the catalog has not changed and the package source is not updated. If the hash values are different, the package source is updated because the catalog has changed.

Discovery

New Search Option and Default Behavior for Active Directory Discovery Methods

The new include groups search option is available when you specify an Active Directory location to search. By default, Active Directory discovery methods no longer discover objects within groups. The consequence of discovering objects within groups is that the likelihood of discovering the same object more than once is increased. Also, when include groups is selected, you can discover objects in other domains.

The behavior of recursive searches has also been changed. By default, this option is enabled, however recursive searches no longer discover objects within groups, unless the include groups option is also selected. When include groups is not selected, duplicate objects and objects in other domains are less likely to be found. This results in the discovery process completing more quickly.

SMS Administrator Console and Reporting

SMS Administrator Console Folders

In SMS 2003 SP1, you can create folders in the SMS Administrator console to manage queries, packages, advertisements, reports, and software metering rules. By using folders, you can categorize and reduce the amount of objects displayed at one time, preventing possibly thousands of items from being displayed. For more information about folders, see SMS Administrator Console Help.

Accessibility Fixes

SMS 2003 SP1 has been updated with 100 fixes that improve accessibility to help government and private industry meet their needs.

SMS 2003 SP1 Site Server Supported on Certain Localized Operating Systems

You can install English SMS 2003 SP1 site server software on supported server operating systems for the following localized languages:

  • English

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Chinese (Hong Kong)

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Spanish

  • Brazilian

  • Czech

  • Dutch

  • Hungarian

  • Polish

  • Portuguese

  • Russian

  • Swedish

  • Turkish

    Note
    If you have changed the system default font in the registry on the computer running the SMS 2003 SP1 Administrator console, SMS uses the font specified to display information. This also applies to remote SMS Administrator consoles.

Scalability and Performance

Distribution Point Improvements

In SMS 2003 without a service pack, the number of distribution points that could be effectively managed by a site server is small because SMS allocates a single thread per package. This results in SMS copying content to one particular distribution point, and when successful, moving to the next distribution point. SMS 2003 SP1 now copies content to multiple distribution points in parallel. Because of this change, the failure of a single distribution point does not halt software distribution. This change improves both reliability and response time for package deployment, and effectively allows a single site to support a much larger number of distribution points.

The following improvements and benefits have resulted from this change:

  • Reduced elapsed time for package distribution to all distribution points of the site

  • A single site can support more distribution points

  • An opportunity to simplify your site hierarchy because it might be possible to replace some secondary sites with distribution points

    • Faster software deployment, which is key for patch deployment

    • Lower hierarchy deployment costs, which results in fewer site servers

    • Lower maintenance costs, because it is easier to manage a distribution point than a site

Configure the number of parallel packages that SMS processes concurrently per SMS 2003 SP1 site, in the Software Distribution Properties dialog box, under the Component Configuration item in the SMS Administrator console. When your site hierarchy includes SMS 2.0 or SMS 2003 without a service pack sites, concurrent software distribution settings of those sites cannot be configured or are limited from an SMS 2003 SP1 Administrator console.

Pulse Mode for Senders and Addresses

In SMS 2003 SP1, you can limit the amount of data sent between sites to a fine level of granularity. This allows you to specify the size of the data blocks that the data is subdivided into, and also to specify a time delay between the sending of each data block. This is called pulse mode.

Pulse mode is useful when you have a very low available network bandwidth between sites. For example, you might have constraints to send 1 KB every five seconds, but not 1 KB every three seconds, regardless of the speed of the link or its usage at a given time.

You configure settings for pulse mode in the properties of an address on the Rate Limits tab. This directly affects the amount and frequency of data transmission by each sender.

Site Maintenance

New Site Maintenance Task Added to SMS 2003 SP1

The following site maintenance task is new in SMS 2003 SP1.

Delete Obsolete Client Discovery Data

This task deletes clients' obsolete records. Data Discovery Manager tags records in the SMS site database as obsolete by setting the Obsolete bit to 1. A record that is marked obsolete typically was superseded by a newer record for the same client. The newer record becomes the client's current record, and the older record becomes obsolete. Clients' obsolete records usually result from a computer image being restored. When you enable this task, you should configure the schedule to run at an interval greater than the Heartbeat Discovery schedule. This allows clients to send Discovery Data Records (DDRs) so that Data Discovery Manager sets the obsolete bit correctly.

Security

Advanced Client Authentication and Encryption

SMS 2003 SP1 has been updated to make it more difficult to tamper with client data as it crosses the network, and to provide privacy for client inventory data in transit.

Message Signing

An SMS 2003 SP1 Advanced Client does not sign or encrypt any messages by default. To sign inventory messages, select the Sign data before sending to Management Point option on the Advanced tab of the Site Properties dialog box in the SMS Administrator console.

The flow of signed messages from the Advanced Client to its management point is as follows:

  1. The client retrieves the trusted root key and management point keys from the site server and management point.

  2. The client sends its identity key in a discovery data record.

  3. The Discovery Data Manager on the site server inserts the key as Client Identity in the SMS site database.

  4. The SMS 2003 SP1 client signs only inventory messages.

  5. When a signed message arrives from the client, the management point determines whether the public key of the client is in the SMS site database.

    • If the key cannot be found, the message is marked as not verified.

    • If the client's public key is found in the database, the signature of the message is validated.

    • If the signature is valid, the message is marked as verified and the message is processed.

    • If the signature is not valid, the message is discarded and an error message is logged.

Message Encryption

By default, the Advanced Client does not encrypt any messages. The SMS administrator must ensure that the site and its clients have upgraded successfully to SMS 2003 SP1 before enabling encryption for inventory messages. Encryption is recommended for software, hardware, and DDR messages. Enable data encryption by selecting the Encrypt data before sending to Management Point option in the Advanced tab of the Site Properties dialog box in the SMS Administrator console.

The flow of encrypted messages from the Advanced Client to its management point is as follows:

  1. The client generates inventory and encrypts it using its symmetric encryption key. The client also signs the inventory by using the client identity key.

  2. The inventory contains the encryption key signed by using the management point key.

  3. The management point retrieves the encryption key from the inventory message by using its own key.

  4. The management point decrypts the message.

    • If the management point fails to decrypt the message, the message is discarded and a status message is generated.

    • If the decryption succeeds, the message is sent to the site server for client identity verification and message processing.
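The encrypt-then-carry-the-key flow above, as an added example that is not SMS's own code. The page does not name SMS's algorithms or message format, so AES-GCM for the client's symmetric key and RSA-OAEP for carrying that key to the management point are this example's assumptions; the identity-key signature from step 1 is not modelled. SealInventory returns the wrapped key, the nonce and the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

func newGCM(symKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealInventory is the client side (steps 1 and 2): encrypt under a fresh symmetric key
// (AES-GCM assumed), then carry that key encrypted to the management point's key (RSA-OAEP assumed).
func SealInventory(mpPub *rsa.PublicKey, inventory []byte) ([]byte, []byte, []byte, error) {
	buf := make([]byte, 44) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, nil, nil, err
	}
	symKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, nil, nil, err
	}
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, mpPub, symKey, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	return wrappedKey, nonce, gcm.Seal(nil, nonce, inventory, nil), nil
}
// OpenInventory is the management point side (steps 3 and 4): recover the key with
// its own private key, then decrypt. Any error means the message is discarded.
func OpenInventory(mpPriv *rsa.PrivateKey, wrappedKey, nonce, ct []byte) ([]byte, error) {
	symKey, err := rsa.DecryptOAEP(sha256.New(), nil, mpPriv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil) // fails on any altered byte or a wrong key
}
```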

Configuring Advanced Clients to Use a TCP Port Other Than Port 80

In SMS 2003 SP1, you can change the TCP port used to communicate with management points, server locator points, and BITS-enabled distribution points. Many organizations change the default HTTP port to provide enhanced security.

You can specify the TCP ports used by Advanced Clients on the Ports tab in the properties of your SMS site.

If you are installing new Advanced Clients, they can be configured to use the new port by default. If you have existing Advanced Clients, you can use software distribution to distribute a script that can change their port configuration. For more information, see "Appendix E: Changing the Advanced Client Default HTTP Port" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security.

Note
SMS 2003 Advanced Clients without a service pack normally use only TCP port 80 for communication with management points, server locator points, and BITS-enabled distribution points.

Ports Used to Communicate Through a Firewall or Proxy Server

SMS 2003 uses new ports to access the Active Directory directory service. The following tables list the ports that SMS uses for communication.

Port Requirements: SMS 2003 Site Server to Child Site or to SQL Server

  Port Number   Description
  445           Server Message Block (SMB)
  389           Lightweight Directory Access Protocol (LDAP)
  636           LDAP (Secure Sockets Layer [SSL] connection)

Port Requirements: SMS 2003 Proxy Management Point to SQL Server

  Port Number   Description
  1433          TCP (SMS Site Server to SQL Server)
  389           LDAP
  636           LDAP (SSL connection)

Port Requirements: SMS 2003 Advanced Client to Management Point

  Port Number   Description
  80            Hypertext Transfer Protocol (HTTP)
  389           LDAP
  636           LDAP (SSL connection)

When you use NetBIOS over TCP/IP for SMS Remote Control, the following ports are used.

SMS Remote Control UDP

  Port Number   Description
  137           Name resolution
  138           Messaging
  139           Client sessions

Note
When you use NetBIOS over Novell NWLink, you must configure the router to forward type 20 packets. Type 20 packets provide NetBIOS support.

The following table lists the core User Datagram Protocol (UDP) ports that Windows NT uses, and their respective functions.

Microsoft Windows NT UDP

  Description                                   Protocol   Port Number
  Domain Name System (DNS)                      UDP        53
  Dynamic Host Configuration Protocol (DHCP)    UDP        67
  Remote procedure call (RPC)                   TCP        135
  Windows Internet Name Service (WINS)          UDP        138
  NetBIOS datagrams                             UDP        138
  NetBIOS datagrams                             TCP        139

Note
The SMS Administrator console must have TCP port 135 open for communication. Otherwise, the console cannot display all the items in the console tree.

Microsoft SQL Server Ports

If you use the TCP/IP Net-Library, enable port 1433 on the firewall. Use the Hosts file or an advanced connection string for host name resolution.

If you use named pipes over TCP/IP, enable port 139 for NetBIOS functions.

Microsoft does not recommend that you enable UDP ports 137 and 138 for NetBIOS name resolution by using B-node broadcasts. Instead, you can use a WINS server or an Lmhosts file for name resolution.

By default, SQL Server uses TCP (not UDP) port 1433 to listen on TCP/IP. To change the port, run SQL Server Setup on the server, and then click Change Network Support. If SQL Server uses port 1433, the client Net-Library works. If SQL Server uses a custom port number, the client must specify that port in the Data Source Name (DSN).

SMS RAS Sender

SMS can also use the SMS RAS Sender with Point to Point Tunneling Protocol (PPTP) to send and receive SMS site, client, and administrative information through a firewall. Under these circumstances, the PPTP TCP 1723 port information is used:

Security

To help improve the security of your computer, you can configure your firewall to use Internet Protocol (IP) filters that permit only registered addresses to pass through the firewall.

If you enable specific ports on a proxy server or on a firewall, this can affect the security of your computer. For more information about security issues, see the Microsoft Security Web site.

TCP Ports Used by Advanced Clients

In SMS 2003 SP1, you can configure the default port that Advanced Clients use to communicate with their management point. Configure the default port on the Ports tab of Site Properties. This is a per-site setting.

Certificate Friendly Names Simplify Troubleshooting

An Advanced Client uses two certificates, one for encryption and one for authentication, and a management point also uses two certificates for the same two purposes. A computer that hosts a management point and also has an Advanced Client installed therefore holds four similar certificates. Friendly names help identify the purpose of each certificate at a glance.

Because friendly names are assigned to Advanced Client and management point certificates during SMS 2003 SP1 installation, troubleshooting authentication and encryption problems on a computer that hosts a management point and has an Advanced Client is simpler. However, when a site is upgraded to SMS 2003 SP1, existing certificates are not modified to add the new friendly names.

You can view the properties of a certificate by opening the Certificates MMC snap-in, selecting the local computer, and then opening the SMS folder.

Tools

SMS 2003 Administration Feature Pack Tools Updated for SMS 2003 SP1

The SMS 2003 Administration Feature Pack Tools have been updated for SMS 2003 SP1. Changes include the ability of the Transfer Site Settings Wizard to transfer site settings for the Device Management Feature Pack, as well as the new site settings introduced in SMS 2003 SP1.