Site Systems Frequently Asked Questions

On This Page

Site System Requirements
Client Access Points and Management Points
Server Locator Points
Distribution Points
SMS Site Database Server
IIS
Windows Server 2003 SP1

Site System Requirements

Q. Which site systems are required to be domain controllers?

A.

SMS 2003 does not require any computers to be domain controllers. In fact, it is more secure not to install any site systems on a domain controller, although it is still possible if necessary. Domain membership is required for SMS site systems, but none of them require domain controller functionality or installation on a domain controller.

For more information about security considerations for site and hierarchy design, see Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on Microsoft TechNet.

Q. What are the requirements for each site system? (Updated May 31, 2006) (Updated March 31, 2004)

A.

Table 1 Site System Requirements (each site system is followed by its requirements)

Client Access Point

To be a client access point (CAP), the site system that you want to configure as a CAP must have at least one NTFS partition available. SMS 2003 does not support CAPs on non-NTFS partitions.

Distribution point

To use the Background Intelligent Transfer Service (BITS), the site server and distribution point must have Microsoft Internet Information Services (IIS) installed and enabled. You must also enable WebDAV extensions for IIS for Windows Server 2003. IIS is not required if the distribution point will not be BITS-enabled.

Management point

To be a management point, the system must have IIS installed and enabled, and run at least Windows 2000 SP3. A management point on Windows Server 2003 must also have BITS enabled. If you do not enable IIS and BITS in Windows first, enabling a Windows Server 2003 computer as a management point fails. The Task Scheduler and Distributed Transaction Coordinator (DTC) services must be enabled. On Windows Server 2003 domain controllers, the Task Scheduler service is disabled by default. Management points require NTFS partitions.

Reporting point

To be a reporting point, the site system server must have IIS installed and enabled. Microsoft Internet Explorer 5.01 SP2 or later must be installed on any server or client that uses Report Viewer. To use graphs in the reports, Office Web Components (Microsoft Office 2000 SP2 or Microsoft Office XP) must be installed. The reporting point also requires that Active Server Pages be enabled. Note: ASP is not enabled by default on IIS in Windows Server 2003.

Server locator point

To be a server locator point, the site system server must have IIS installed and enabled.


It is strongly recommended that all server computers with an SMS site system role have only NTFS partitions, and no FAT partitions. Do not assign any SMS server role to a server that has non-NTFS partitions.

When IIS is required for an SMS site system role, SMS 2003 uses the default website.

For more information about system requirements and supported platforms, see the "Getting Started" section in the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide.

 

Q. Can I install all of my site systems (client access point, management point, reporting point, etc.) on my site server?

A.

Yes. There is no technical restriction against doing so, but test the configuration to ensure acceptable performance.

For more information about SMS 2003 sites and hierarchy, see "Appendix F: Capacity Planning for SMS Component Servers" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Client Access Points and Management Points

Q. What's the difference between client access points and management points?

A.

Client access points (CAPs) are for SMS 2.0 or SMS 2003 Legacy Clients, and management points are only used by SMS 2003 Advanced Clients. They both function as the primary contact point for clients. Clients retrieve configuration information and report information like inventory and status. The biggest difference is how data is delivered to the client.

The site server replicates a set of files down to the CAP. The client then reads and copies down those files from the CAP and processes them. If the CAP is offline, the site server cannot update the CAP, so the clients that access that CAP could potentially be out of date.

Advanced Clients request policy from a management point. Unlike a CAP, the management point does not hold a replicated set of site files. When a client requests policy, the management point retrieves the applicable policies from the SMS site database and transfers them to the client. The management point caches policies locally to improve performance; if a client requests a more recent version of a policy than the cached one, the management point retrieves the newer version from the site database.

Management points require IIS. CAPs do not require IIS; they perform file transfers through SMB.

For more information about SMS site and hierarchy design, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

 

Q. Why won’t SMS let me remove my last client access point?

A.

Each SMS site must have at least one site system enabled as a CAP, even if the site does not contain any Legacy Clients. SMS does not allow you to remove the last CAP from a site unless a new CAP is specified. The statement to the contrary in Chapter 12, "Planning Your SMS Security Strategy," in the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide, is in error.

Instead of eliminating the CAP, you can manually remove rights to the CAP share for non-administrative accounts. For more information, see Scenarios and Procedures for Microsoft Systems Management Server on Microsoft TechNet.

This is documented in the SMS 2003 Operations Release Notes. Search on "Site configuration and maintenance."

Q. Why can’t my remote management point communicate with the Microsoft SQL Server™ database? (Updated February 27, 2004)

A.

Verify that Microsoft SQL Server™ has named pipes enabled. If you are running advanced security, verify that the management point computer account has been added to the SMS_SiteSystemToSQLConnection_<site_code> group, and verify that the site database server is running SQL Server 2000 SP3 or later.

For more information about troubleshooting connectivity between a management point and the SMS site database, see article 832109 or article 829868 in the Microsoft Knowledge Base.

Q. Why won’t my management point install? (Updated May 31, 2006)

A.

There are several reasons the management point installation might fail. The MPMSI.log file will log management point installation errors. If you have problems installing the management point, search on "return value 3" for errors in this log file. Here is a list of configurations to verify:

  • If your management point is a computer running Windows Server 2003, verify that IIS and the BITS Server Extensions are installed. Unlike Windows 2000, Windows Server 2003 does not install IIS by default, and when you install IIS you must add the BITS Server Extensions manually.
  • If your management point is running Windows 2000 and you used the IIS Lockdown tool on the IIS 5.0 server, apply the SMS server template from the SMS 2003 Toolkit, available from the Microsoft Download Center.
  • Verify that the server has an NTFS partition.
  • Verify that the Distributed Transaction Coordinator (DTC) service is enabled.
  • Verify that the Task Scheduler service is enabled. On Windows Server 2003 domain controllers, the Task Scheduler service is disabled by default.
  • Verify that the Windows Management Instrumentation service is running.
  • Verify that the World Wide Web Publishing Service is running.
  • Verify that the Default Web Site is started.
  • Verify that the Default Web Site is using port 80.
  • Verify that the management point virtual directories (ccm_incoming and vdir) exist on the IIS server.
  • Verify that the SMS Agent Host service is installed, running, and can be started and stopped in a timely manner.

If all of these configurations are verified, try updating the MDAC version on the management point to 2.8. For more information, see article 820761, "INFO: List of Significant Fixes That Are Included in MDAC 2.8," in the Microsoft Knowledge Base.

Q. My management point installed correctly, but now I’m getting errors in the management point event log. What should I do? (Added February 27, 2004)

A. Verify that the password stored for the IIS IWAM_<computername> account in the IIS metabase and COM+ catalog matches the password of the local IWAM_<computername> account; the two copies can fall out of sync. For more information, see article 297989, "PRB: Configured Identity Is Incorrect for IWAM Account," in the Microsoft Knowledge Base.

Q. My management point installed correctly, but now I’m getting the following error: "Http verification .sms_aut (port 80) failed with the status code 401, Unauthorized." What should I do? (Added May 5, 2005)

A. Verify that the effective user rights of IUSR_<computername> and IWAM_<computername> do not include any Deny entries. Verify that neither local nor domain Group Policy specifies Deny user rights for the IUSR_<computername> and IWAM_<computername> accounts or for groups to which they belong. For example, if you enable the security policy Deny access to this computer from the network for the Guests group, IUSR_<computername> is denied network access because of its membership in Guests.

Q. How do I verify that my clients can access the management point?

A. From a Web browser on the client, connect to http://<ServerName>/sms_mp/.sms_aut?MPLIST, where ServerName is the name of the management point (the request goes to port 80, which the Default Web Site must use). If you get a blank page and no error from the browser, the client can access the management point. A 401 Unauthorized response indicates the Deny user rights problem described in the previous question.

Q. What is a proxy management point used for?

A.

A proxy management point is used by roaming Advanced Clients to retrieve policy at remote locations. The proxy management point receives inventory data and status messages and sends them to the secondary site server to be forwarded to the parent site, increasing bandwidth usage efficiency for roaming clients. A proxy management point also services the Advanced Clients that are in its roaming boundaries and are assigned to its primary site. A proxy management point can only be installed in a secondary site, not in a primary site.

For more information about proxy management points, see "Appendix F: Capacity Planning for SMS Component Servers" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Can I install a management point on a computer running Windows Server 2003 Web Edition?

A.

No. This is not supported. Windows Server 2003 Web Edition meets the requirements for SMS clients but not for SMS site systems.

For more information about system requirements and supported platforms, see the "System Requirements" section in What’s New in SMS 2003 Service Pack 1 available from the SMS 2003 Product Documentation page.

Q. Why do I have to set a default management point? (Added August 31, 2004)

A.

Each site can only have one default management point at a time. Advanced Clients only communicate with the default management point. If you need additional management points for performance reasons, combine multiple management points of one site into a Network Load Balancing cluster and configure the virtual IP address of the cluster as the default management point for that site.

If you configure additional management points but do not combine them into a Network Load Balancing cluster, those additional management points will not be used by the Advanced Clients. There is no automatic failover to additional management points. If the default management point goes offline, the SMS administrator must manually designate a different computer to be the default management point.

If you don't have a default management point, Advanced Clients cannot download any policies or report any data to the site.

For more information about site configuration, see "Appendix E: Designing Your SMS Sites and Hierarchy," in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Server Locator Points

Q. What is a server locator point and when do I need one?

A.

The server locator point locates CAPs for Legacy Clients and management points for Advanced Clients. The server locator point is mostly used during client installation. The server locator point:

  • Locates a management point for the Advanced Client if the Advanced Client is configured for automatic SMS site assignment.
  • Provides Advanced Clients with the location of the management point during Logon Script-initiated Client Installation and insufficient-rights installation.
  • Provides SMS site assignment for the Legacy Client and locates CAPs during Logon Script-initiated Client Installation.

Note If the Active Directory schema is not extended for SMS, you must register the server locator point in WINS.

Plan for a server locator point in your SMS hierarchy when any of the following are true:

  • You use Logon Script-initiated Client Installation to deploy Legacy Clients or Advanced Clients
  • You want to automatically assign Advanced Clients to sites without extending the Active Directory schema for SMS

For more information about assigning site system roles, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. In a site hierarchy, do I have to specify a server locator point on every site? (Updated February 27, 2004)

A. No, one server locator point is usually enough. Server locator points can direct clients to any site at or below their level in the hierarchy, so the server locator point is usually placed at the central site. For more information about hierarchy design, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. In a site hierarchy, can I have more than one server locator point? (Added February 27, 2004)

A.

Yes, but it probably isn’t necessary. If you are running Capinst.exe, your Legacy Clients access the server locator points at logon time and produce minimal network traffic. Advanced Clients query the server locator point once on installation when running Capinst.exe. They can also query the server locator point for automatic discovery of the assigned site code if the Active Directory schema has not been extended. You can only register one server locator point entry in WINS, so if you have not extended your Active Directory schema, you only have one effective server locator point in a WINS infrastructure. However, you can have up to 1,000 server locator points published in a single Active Directory environment.

For more information about server locator points, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Is there any way to verify whether or not a server locator point is published in Active Directory?

A. If you see "LSGetAssignedSiteFromSLP: Unable to get the list of SLPs" in the ClientLocation.log file, verify the registration in Active Directory by using Active Directory Users and Computers. On the View menu, enable Advanced Features. Expand the domain, expand System, and then click System Management. In the details pane, you should see a registration record named SMS-SLP-<sitecode>-<computername>; that is your server locator point registration in Active Directory. This requires the SMS Active Directory schema extensions. You can also check the Sitecomp.log file to see whether Site Component Manager was able to publish the server locator point in Active Directory after installation. SMS does not automatically publish the server locator point in WINS; you must do that manually.

Distribution Points

Q. What is a protected distribution point? (Added March 31, 2004)

A.

A protected distribution point has special boundaries that control which Advanced Clients can use that distribution point. If an Advanced Client falls within the protected boundary of a distribution point, and if the package is on that distribution point, then the Advanced Client will only attempt to retrieve the package from that protected distribution point. Advanced Clients that fall outside the boundaries of the protected distribution point can never retrieve packages from that distribution point. Configure protected distribution points when you want to prevent clients from crossing a slow network link to retrieve a package from a distribution point.

For more information about assigning distribution points, see "Appendix E: Designing Your SMS Sites and Hierarchy" and "Appendix H: Upgrading to SMS 2003" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. How do my clients choose a distribution point? How do protected distribution points affect the choice of distribution point? (Updated January 31, 2005)

A.

Advanced Clients and Legacy Clients choose distribution points differently. When a Legacy Client receives an advertisement, it gets a list, from the client access point, of all distribution points containing that package. Unless the Legacy Client has been configured with a preferred distribution point by using the prefserv.exe tool, the Legacy Client will randomly choose any distribution point in the site that has the package. Even if you use prefserv.exe, you are only configuring a preferred distribution point. If the preferred distribution point is unavailable or does not have the requested content, the Legacy Client will randomly select any distribution point in the site. Legacy Clients do not recognize the boundaries of protected distribution points, and they treat them like any other distribution point in the site.

Advanced Clients use a more complex algorithm when selecting a distribution point. The Advanced Client sends a content location request to the management point. If the Advanced Client is in the boundary of a protected distribution point that holds the content, the management point returns only the name of that protected distribution point. If the Advanced Client is in the local roaming boundaries for a site, the management point returns the list of all available distribution points with that content. The Advanced Client sorts the list in this order:

  1. Active Directory site
  2. Local subnet
  3. SMS site

If the Advanced Client is in the local roaming boundaries and more than one distribution point is available at the same level of that ordering, the Advanced Client randomly chooses one of them. For example, if there are three distribution points in the client's Active Directory site, the client chooses randomly among those three.

If the Advanced Client is in the remote roaming boundaries for a site, it randomly selects any distribution point in the site.
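The selection rules above, as an added simulation written for this FAQ rather than code from SMS 2003: the DistributionPoint and ClientLocation records, the sample site layout (two distribution points at a headquarters site and one protected distribution point at a branch behind a slow link), and the package ID are all constructed. Running the Legacy Client and Advanced Client rules against the same layout shows why a protected distribution point only protects the slow link for Advanced Clients.

```python
"""Simulation of how SMS 2003 clients choose a distribution point (DP).

Added illustration, not code from SMS 2003 or the FAQ. The DistributionPoint
and ClientLocation records, the SAMPLE_DPS site layout, and the package ID
are constructed for this example; in the real product the management point
answers the Advanced Client's content location request from the site database.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DistributionPoint:
    name: str
    ad_site: str
    subnet: str
    sms_site: str
    packages: frozenset                            # package IDs present on this DP
    protected_boundaries: frozenset = frozenset()  # subnets; empty = not protected


@dataclass(frozen=True)
class ClientLocation:
    ad_site: str
    subnet: str
    sms_site: str
    local_roaming: bool   # True = local roaming boundaries, False = remote


def legacy_client_choice(dps, client, package, preferred=None, rng=random):
    """Legacy Client: the CAP lists every DP in the site with the package.
    A prefserv.exe preferred DP wins only if it is in that list; otherwise
    the pick is random. Protected boundaries are not recognised at all."""
    candidates = [dp for dp in dps
                  if dp.sms_site == client.sms_site and package in dp.packages]
    if not candidates:
        return None
    for dp in candidates:
        if dp.name == preferred:
            return dp
    return rng.choice(candidates)


def content_location_reply(dps, client, package):
    """What the management point returns to an Advanced Client.
    Inside a protected boundary whose DP holds the package: only that DP.
    Otherwise: every DP in the site holding the package, excluding protected
    DPs whose boundary the client is not in (those are never usable)."""
    holders = [dp for dp in dps
               if dp.sms_site == client.sms_site and package in dp.packages]
    protected = [dp for dp in holders if client.subnet in dp.protected_boundaries]
    if protected:
        return protected
    return [dp for dp in holders if not dp.protected_boundaries]


def advanced_client_choice(dps, client, package, rng=random):
    """Advanced Client: rank the returned list by AD site, then local subnet,
    then SMS site, and pick randomly within the best-ranked group. In the
    remote roaming boundaries any DP in the site may be chosen."""
    candidates = content_location_reply(dps, client, package)
    if not candidates:
        return None
    if not client.local_roaming:
        return rng.choice(candidates)

    def rank(dp):
        if dp.ad_site == client.ad_site:
            return 0          # 1. Active Directory site
        if dp.subnet == client.subnet:
            return 1          # 2. local subnet
        return 2              # 3. anywhere in the SMS site

    best = min(rank(dp) for dp in candidates)
    return rng.choice([dp for dp in candidates if rank(dp) == best])


# Constructed site layout: two DPs at HQ and one protected DP at a branch
# behind a slow link. "S0100001" is a made-up package ID.
PKG = "S0100001"
SAMPLE_DPS = (
    DistributionPoint("DP-HQ1", "HQ", "10.1.1.0", "S01", frozenset({PKG})),
    DistributionPoint("DP-HQ2", "HQ", "10.1.2.0", "S01", frozenset({PKG})),
    DistributionPoint("DP-BRANCH", "BRANCH", "10.9.0.0", "S01", frozenset({PKG}),
                      protected_boundaries=frozenset({"10.9.0.0"})),
)

BRANCH_CLIENT = ClientLocation("BRANCH", "10.9.0.0", "S01", local_roaming=True)
HQ_CLIENT = ClientLocation("HQ", "10.1.1.0", "S01", local_roaming=True)


def choices_over_runs(chooser, client, runs=50, seed=1, **kw):
    """Collect the set of DP names a chooser produces over several seeded runs."""
    rng = random.Random(seed)
    return {chooser(SAMPLE_DPS, client, PKG, rng=rng, **kw).name for _ in range(runs)}


if __name__ == "__main__":
    print("Advanced, branch:", choices_over_runs(advanced_client_choice, BRANCH_CLIENT))
    print("Advanced, HQ:    ", choices_over_runs(advanced_client_choice, HQ_CLIENT))
    print("Legacy, branch:  ", choices_over_runs(legacy_client_choice, BRANCH_CLIENT))
```

The branch Advanced Client only ever gets DP-BRANCH, and the HQ Advanced Client never gets it; the branch Legacy Client, which ignores protection, can be sent across the slow link to either HQ distribution point unless prefserv.exe has set a preferred one.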

Q. Can I use Microsoft Virtual Server or Virtual PC with SMS? (Updated May 31, 2006)

A.

Yes. If the host computer is running Microsoft Virtual Server 2005 R2, all SMS 2003 SP2 site system roles are supported in the guest operating system.

If the host computer is running Microsoft Virtual Server 2005 or Microsoft Virtual PC 2004, the host itself can hold any SMS 2003 SP2 server role, but SMS server roles are not supported in the guest operating system.

SMS 2003 SP2 supports the Legacy Client or Advanced Client running on the guest operating system, provided that the guest operating system meets the operating system and dependency requirements for the particular SMS client.

For more information about Virtual Server 2005 and Virtual PC 2004 support, see Microsoft Systems Management Server 2003 Supported Configurations for Service Pack 2 on the Microsoft web site.

SMS Site Database Server

Q. How do I move my SMS site database to a different computer running SQL Server? (Updated May 31, 2006)

A.

You can move a local SMS site database to a remote server, or move the SMS site database from one remote server to another remote server. Moving a remote SMS site database back onto the site server is not supported. When you move the SMS site database, SMS moves the SMS Provider to the same server that the SMS site database is moving to.

The basic steps are to back up the SMS site database, restore it to the new computer running SQL Server, run the SMS Setup Wizard on the primary site server, and then run a site upgrade from the SMS CD. For detailed steps, see the section "Changes to Site Configuration, Hardware, and Infrastructure" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.

Q. Can I use SQL 2005 with SMS 2003? (Added May 31, 2006)

A.

Yes. SMS 2003 SP2 is supported for use with SQL Server 2005. Earlier versions of SMS do not support SQL Server 2005.

Use the following sequence to upgrade an existing SMS 2003 site to SQL Server 2005:

  1. Install SQL Server 2000 Service Pack 3a or 4 (SP3a or SP4).
  2. Install SMS 2003 Service Pack 1 (SP1).
  3. Upgrade SMS 2003 Site Server to Service Pack 2 (SP2).
  4. Upgrade SQL Server 2000 to SQL Server 2005.

For more information about system requirements and supported platforms, see "Server Software Requirements" in the Supported Configurations Guide for SMS 2003 SP2 at the Microsoft Download Center.

IIS

Q. Which site systems require IIS?

A.

Management points, server locator points, and reporting points. Reporting points also require that Active Server Pages be enabled. Distribution points can use BITS to manage downloads to the Advanced Client; BITS-enabled distribution points require IIS and WebDAV. Windows Server 2003 does not install IIS by default, and when you do install IIS on Windows Server 2003, BITS, ASP, and WebDAV are not enabled by default.

For more information about site systems, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Can I change my SMS roles to use something other than the default IIS web site? (Added July 30, 2004)

A. No. SMS requires the default Web site for all of its IIS roles. If you have another application that also uses the default Web site but on a port other than 80, the two should be able to coexist.

Q. How do I make sure the IIS installation on my SMS site systems is secure? (Updated August 31, 2004)

A.

If your site system is running Windows 2000 Server and IIS 5.0, run the IIS Lockdown Wizard with the SMS IISLockd.ini template. IIS Lockdown works by turning off unnecessary features, which reduces the attack surface. The IIS Lockdown Wizard includes the URLScan security tool, which restricts the types of HTTP requests that IIS processes.

If your site system is running Windows Server 2003 and IIS 6.0, the functionality of IIS Lockdown is built into IIS. You should still run URLScan 2.5 to apply the UrlScan_SMS.ini template.

Download the SMS IISLockd.ini and UrlScan_SMS.ini as part of the SMS Toolkit from the Microsoft Download site. For the procedure to apply these templates, see the documentation that comes with the SMS Toolkit.

Important

Running the IIS Lockdown or URLScan tools without the SMS templates can cause SMS operations to fail.

For more information about Internet Information Services security, see Scenarios and Procedures for Microsoft Systems Management Server.

Q. Are there log files for IIS?

A. Yes. By default, they are located in the %systemroot%\system32\LogFiles\W3SVC1 folder (W3SVC1 is the log folder of the Default Web Site, site ID 1, which is the site SMS uses). These logs are useful for verifying that a client is contacting the management point, server locator point, or reporting point, and for seeing which HTTP status the request received.
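As an added example of that check (not code from the FAQ or from SMS 2003), the following script reads IIS W3C extended log lines and summarizes, per client IP, which requests to the management point's /sms_mp/ virtual directory succeeded, were rejected with 401, or failed otherwise. The log lines in SAMPLE_LOG are constructed in the IIS 6.0 default field layout; the client addresses, timestamps and the "SMS+CCM+2.50" user-agent string are invented. Only /sms_mp/ and the .sms_aut?MPLIST request come from this FAQ; to check a server locator point or reporting point, pass that role's virtual directory prefix instead.

```python
"""Check IIS W3C extended log lines for Advanced Client contact with a
management point.

Added illustration, not part of the FAQ or of SMS 2003. SAMPLE_LOG is
constructed (IIS 6.0 default W3C field set; client IPs, timestamps and the
"SMS+CCM+2.50" user agent are invented). The /sms_mp/ virtual directory and
the .sms_aut?MPLIST request are taken from the FAQ text.
"""
from collections import Counter, defaultdict


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive.
    Directive lines start with '#'; a '-' value means the field was empty."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield {name: (None if v == "-" else v) for name, v in zip(fields, values)}


def client_contacts(lines, vdir_prefix="/sms_mp/"):
    """Per client IP, count HTTP status classes for requests under vdir_prefix.
    Returns {client_ip: Counter({'ok': n, 'unauthorized': n, 'other': n})}."""
    summary = defaultdict(Counter)
    for rec in parse_w3c(lines):
        stem = (rec.get("cs-uri-stem") or "").lower()
        if not stem.startswith(vdir_prefix.lower()):
            continue
        status = int(rec["sc-status"])
        if status == 200:
            bucket = "ok"
        elif status == 401:
            bucket = "unauthorized"   # see the IUSR/IWAM Deny-rights question above
        else:
            bucket = "other"
        summary[rec["c-ip"]][bucket] += 1
    return dict(summary)


def clients_reaching_mp(lines, vdir_prefix="/sms_mp/"):
    """Client IPs that received at least one 200 from the management point."""
    return sorted(ip for ip, c in client_contacts(lines, vdir_prefix).items() if c["ok"])


# Constructed sample in the IIS 6.0 default W3C format (one request per line).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-05-31 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-05-31 08:00:01 10.1.1.5 GET /sms_mp/.sms_aut MPLIST 80 - 10.1.1.50 SMS+CCM+2.50 200 0 0
2006-05-31 08:00:02 10.1.1.5 GET /SMS_MP/.sms_aut MPLIST 80 - 10.1.1.50 SMS+CCM+2.50 200 0 0
2006-05-31 08:00:03 10.1.1.5 GET /sms_mp/.sms_aut MPLIST 80 - 10.1.1.51 SMS+CCM+2.50 401 2 5
2006-05-31 08:00:04 10.1.1.5 GET /iisstart.htm - 80 - 10.1.1.52 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-05-31 08:00:05 10.1.1.5 GET /sms_mp/.sms_aut MPLIST 80 - 10.1.1.53 SMS+CCM+2.50 404 0 2
""".splitlines()

if __name__ == "__main__":
    for ip, counts in sorted(client_contacts(SAMPLE_LOG).items()):
        print(ip, dict(counts))
    print("reached MP:", clients_reaching_mp(SAMPLE_LOG))
```

On a real management point, read the current ex*.log file from the W3SVC1 folder instead of SAMPLE_LOG. A client that shows only 401 responses is the case covered by the Deny user rights question earlier on this page; a client that shows 404 responses under /sms_mp/ is worth checking against the virtual directory item in the management point installation checklist.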

Windows Server 2003 SP1

Q. I would like to upgrade my site systems to Windows Server 2003 SP1. Are there any compatibility issues with SMS 2003 that I should know about first? (Updated May 31, 2006)

A.

Yes. If you run your site systems on Windows Server 2003 SP1, you might need to perform some workarounds to restore full SMS functionality. The following sections of this FAQ provide information about issues that might arise and suggested workarounds you can perform:

  • Resetting the DCOM permissions to pre-Windows Server 2003 SP1 levels
  • Additional Configuration Tasks if you Run the Security Configuration Wizard
  • Identifying Ports and Services Required If Windows Firewall Is Enabled

Resetting the DCOM permissions to pre-Windows Server 2003 SP1 levels

Server locator points and reporting points require the same level of DCOM permissions they had prior to Windows Server 2003 SP1. Windows Server 2003 SP1 splits the previous Launch permission into Local Launch and Remote Launch, and splits the Activation permission into Local Activation and Remote Activation. In addition, the activation permissions are moved from the Access Permission ACL to the Launch Permission ACL. For more information about the new COM permissions, see Granular COM Permissions on MSDN.

If you upgrade your server locator point to Windows Server 2003 SP1, you must reset the COM permissions so that the Internet Guest Account (IUSR_<servername>) has Local Launch permissions as it did prior to SP1, as shown in the following procedure.

To grant Local Launch permission to the Internet Guest Account:

  1. On the site system, from the Start menu, click Run and type Dcomcnfg.exe.
  2. In Component Services, expand Console Root, Component Services, Computers, My Computer, and DCOM Config, and then click SMS_SERVER_LOCATOR_POINT.
  3. On the Action menu, click Properties.
  4. In the Properties dialog box, on the Security tab, in the Launch and Activation Permissions section, click Edit.
  5. In the Launch and Activation Permissions dialog box, select the check boxes to allow both Local Launch and Local Activation for Internet Guest Account (IUSR_<servername>).

If you upgrade your reporting point to Windows Server 2003 SP1, you must reset the COM permissions so that the SMS Reporting Users Group has Local Launch permissions as it did prior to SP1, as shown in the following procedure.

To grant Local Launch permission to the SMS Reporting Users Group:

  1. On the site system, from the Start menu, click Run and type Dcomcnfg.exe.
  2. In Component Services, expand Console Root, Component Services, Computers, My Computer, and DCOM Config, and then click SMS_REPORTING_POINT.
  3. On the Action menu, click Properties.
  4. In the SMS Reporting Point Properties dialog box, on the Security tab, in the Launch and Activation Permissions section, click Edit.
  5. In the Launch and Activation Permissions dialog box, select the check boxes to allow both Local Launch and Local Activation for the SMS Reporting Users group.

If your site server is running Windows Server 2003 SP1 and you want to run the SMS Administrator console on a computer that does not contain the SMS Provider, you must reset the COM permissions so that the user running the SMS Administrator console has Remote Launch and Remote Activation permissions on the computer running the SMS Provider. Because everyone running the SMS Administrator console should be a member of the SMS Administrators group, you can instead grant Remote Launch and Remote Activation to the SMS Administrators group on the computer running the SMS Provider.

Additional Configuration Tasks if you Run the Security Configuration Wizard

Introduced in Windows Server 2003 SP1, the Security Configuration Wizard helps you create a security policy that you can apply to any server on your network. The wizard recognizes SMS server roles, services, ports, and applications, but might not recognize all of the required configurations. The following section details which configurations are not automatically configured by the Security Configuration Wizard and the additional configurations required to keep SMS functioning properly.

Note For more information about the roles and features recognized by the Security Configuration Wizard, view the configuration database while running the wizard.

Enable Remote WMI in the Security Configuration Wizard for Remote Site Database Servers

When using the Security Configuration Wizard in Windows Server 2003 SP1, the Remote WMI service is not selected by default, because the wizard does not recognize the SMS Provider. If you run the wizard on the server that has the SMS Provider installed, you must enable the Remote WMI service on the Select Administration and Other Options page of the Security Configuration Wizard. Unless Remote WMI is enabled, the SMS Administrator consoles on the site server and any other remote consoles fail to connect to the SMS namespace in WMI.

Enable the SMS Database Monitor Ports on Remote SMS Site Database Servers

If your SMS site database server is not on the same computer as the SMS site server, the Security Configuration Wizard correctly enables the SMS Database Monitor service (SMS_SQL_Monitor_<ServerName>) but does not enable the ports used by that service. On the Open Ports and Approve Applications page of the wizard, select Ports used by SMS_SQL_Monitor_<ServerName>. If the SMS site database server is on the same computer as the SMS site server, no ports are required.

Enable Remote Administration for IIS and Related Components on BITS-enabled Distribution Points

When you run the Security Configuration Wizard on a BITS-enabled distribution point, you must select Remote administration for IIS and related components on the Installed Options page. If this option is not enabled, the wizard blocks the SMS Distribution Manager service from creating virtual directories on the distribution point.

Deselect the CAP Role if it is not on the Site Server

The Security Configuration Wizard always identifies a site server as having a client access point, whether or not the site server is actually assigned that role. If the CAP role is incorrectly selected, deselect it on the Select Administration and Other Options page of the Security Configuration Wizard.

Re-run the Wizard after Changing Site System Roles

If you run the Security Configuration Wizard on a server and later configure a site system role on that server, re-run the wizard to ensure that the new role functions properly.

Identifying Ports and Services Required If Windows Firewall Is Enabled

Windows Server 2003 SP1 also includes the Windows Firewall feature first released in Windows XP SP2. The firewall can interfere with some SMS features. Windows Firewall is not enabled by default on servers. If you enable Windows Firewall on a Windows Server 2003 SP1 server, either by using Control Panel or by running the Network Security section of the Security Configuration Wizard, you must verify that the following ports and applications are permitted to pass through Windows Firewall.

  • Remote Control If the SMS Remote Control ports are blocked, an SMS client running Windows Server 2003 SP1 cannot be remotely managed by using SMS Remote Tools. The recommended best practice is to use Remote Assistance or Remote Desktop on operating systems that support them, such as Windows Server 2003. To enable SMS Remote Tools, permit the appropriate port to pass through Windows Firewall for each remote tool you need, as described in the following table.

    Remote Control Port    Remote Control Function
    TCP port 2701          Allows general contact, reboot, and ping
    TCP port 2702          Remote Control
    TCP port 2703          Chat
    TCP port 2704          File Transfer

    For more information about ports used by SMS remote control, see article 256884 in the Microsoft Knowledge Base.
  • Remote Assistance If the remote assistance ports are disabled, remote assistance sessions initiated from the SMS Administrator console to a computer running Windows Server 2003 SP1 will fail, although remote assistance sessions requested by the Windows Server 2003 SP1 client will succeed. To enable Remote Assistance to be initiated from the SMS Administrator console, permit helpsvc.exe and port TCP 135 to pass through Windows Firewall.
  • Windows Event Viewer, System Monitor, and Windows Diagnostics The SMS Administrator console cannot access Windows Event Viewer or System Monitor on computers running Windows Server 2003 SP1 unless File and Printer Sharing is enabled. There is no workaround at this time to access Windows Diagnostics from the SMS Administrator console.
  • Client Push Installation Client Push Installation fails on client computers running Windows Server 2003 SP1 unless File and Printer Sharing is enabled.
  • Queries If you run a query from an SMS Administrator console on a Windows Server 2003 SP1 computer, you must permit statview.exe to pass through the Windows Firewall or the queries will fail the first time they run. After failing to run the first time, the Windows Firewall displays a dialog box asking if you want to unblock statview.exe.
  • SMS Administrator Console If you run the SMS Administrator console on a Windows Server 2003 SP1 computer, you must permit unsecapp.exe and TCP port 135 to pass through the Windows Firewall. The Unsecapp.exe application is used to send results back to a client in a process that might not have permissions to be a DCOM service. SMS relies on the Unsecapp.exe application to receive the results of asynchronous operations in the SMS Administrator console. TCP 135 is the DCOM port. For more information about DCOM and unsecapp.exe, see article 875605 in the Microsoft Knowledge Base.

 

Q. I permitted unsecapp.exe and TCP port 135 through my firewall, but my SMS Administrator console running on Windows Server 2003 SP1 still cannot connect to the SMS site database. What should I do next? (Added January 31, 2005)

A.

Some customers have reported this issue, but at this time, Microsoft has not been able to reproduce this condition. If you run the SMS Administrator console only from computers that belong to the same domain as the SMS Provider, permitting unsecapp.exe and port TCP 135 to pass through the Windows Firewall should be sufficient. However, some customers have reported that even after permitting these two exceptions, the SMS Administrator console still cannot connect to an SMS site database from the Windows Server 2003 SP1 client, even when both computers are in the same domain. As a last resort, adding anonymous remote access rights in DCOM resolves the issue but increases your security risk.

If you grant anonymous remote access rights, you disable a layer of protection for the system. An attacker no longer needs to circumvent user authentication to discover and exploit potential vulnerabilities in the system. To avoid potential attacks related to granting anonymous remote access rights, you can use Remote Desktop to connect to the computer running the SMS Provider and run the SMS Administrator console remotely.

To allow anonymous remote access in DCOM:

  1. From the Start menu, click Run and type Dcomcnfg.exe.
  2. In Component Services, expand Console Root, Component Services, and Computers, and then click My Computer. On the Action menu, click Properties.
  3. In the My Computer Properties dialog box, on the COM Security tab, in the Access Permissions section, click Edit Limits.
  4. In the Access Permission dialog box, select the check box to allow Remote Access for ANONYMOUS LOGON.
  5. Restart the computer.




For More Information

Did you find this information useful? Send your suggestions and comments about the FAQ to  smsdocs@microsoft.com.
