

Chapter 3: Configuring Site Server Properties and Site Systems

Now that you have successfully installed your Microsoft Systems Management Server (SMS) primary site server, the next step in your deployment strategy is to begin configuring your site. This configuration might consist of two parts. Certainly, you’ll need to configure the single SMS site. This means identifying which components should be enabled, what the SMS site boundaries should be, and what additional servers should be enabled as component or site systems for the site. You might also need to establish an SMS site hierarchy for your organization. This means, among other things, identifying parent-child relationships, establishing a reporting and administration path, configuring communication mechanisms, and identifying primary and secondary sites.

This chapter concentrates on the first part of the configuration process—that is, configuring the single SMS site, including setting site boundaries, monitoring status and flow, and identifying site systems. In Chapter 4, “Multiple-Site Structures,” you’ll learn how to implement a site hierarchy.

Defining and Configuring the SMS Site

The first step in configuring your new SMS 2003 site is to identify which clients should become members of the site. SMS 2003 determines which clients should be assigned to the site according to the site boundaries you configure. You can assign SMS clients to only one site. SMS 2003 site boundaries are defined by either IP subnet or Active Directory site. A subnet is a segment of a network whose members share the same network address and is distinguished from other subnets by a subnet number and subnet mask. An Active Directory directory service site defines a physical relationship among domain controllers based on their IP subnets and represents a unit of optimum network performance for Active Directory replication and authentication.

More Info 

For a more thorough examination of the purpose and configuration of Active Directory sites, please attend Microsoft Certified Course 2154, Implementing and Administering Microsoft Windows 2000 Directory Services or read The Microsoft Windows 2000 Server Administrator’s Companion (Microsoft Press, 2000). Also see Chapter 8, “Designing Your SMS Sites and Hierarchy,” in the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide part of the SMS 2003 documentation set, as well as the online help included with SMS 2003.

Don’t confuse site assignment with the discovery process. SMS uses any of several configurable discovery processes to “look for” and record an instance of a resource. A resource might be a client computer. However, it might also be a user; a global group; an Active Directory user, group or system; or an IP-addressable device such as a switch or a network printer. Discovering a resource doesn’t make it an SMS client. A client computer can’t become an SMS client until it has been assigned to an SMS site based on the IP subnet or the Active Directory site with which it’s associated. Once it has been assigned, it can then be installed with the SMS client software. To sum up, the SMS site server can discover clients as a site resource, but does not necessarily have to install them immediately. Likewise, it can install them as SMS clients without discovering them first. But in all cases, a client must be assigned to an SMS site before it can be installed. The discovery process is explored in detail in Chapter 7, “Resource Discovery.”

Site systems, on the other hand, do not need to be located within the boundaries of the site with which they’re associated—unless, of course, they will also become clients of that site. In some cases, site system roles can be shared across sites, or SMS clients can reference site systems that are members of another SMS site in the site hierarchy.

You can configure two kinds of boundaries: site boundaries and roaming boundaries. The main difference between the two has to do with the kind of SMS client support that will be provided. Recall from Chapter 1, “Overview,” that SMS 2003 supports two kinds of clients: Legacy Client and Advanced Client. Legacy Clients are SMS 2.0-type clients and may include Microsoft Windows NT 4.0 SP6 and Windows 98 Second Edition computers. Advanced Clients are Windows 2000 and later computers, which can take full advantage of Active Directory. Site boundaries are used to assign clients, Legacy and Advanced alike, to the site based on their IP subnet or Active Directory site association; roaming boundaries, described below, additionally tell Advanced Clients where they may look for distribution points. Using Active Directory sites to define site assignment provides you with the easiest way to assign new clients that join the network regardless of their IP address.

Note 

The Advanced Client software is actually installed on a potential SMS client using SMS package distribution, Client Push Installation, or by manually installing the client.

For example, if you use only IP subnets, every time a new client or set of clients joins the network, in addition to associating them with an appropriate Active Directory site, you must ensure that the IP subnets of those clients are represented in the site boundaries for the appropriate site. However, if you’ve defined the site boundary based on Active Directory sites, you need only associate the new clients with the appropriate Active Directory site. The SMS site will already “know” that the SMS client should be assigned to it.

Roaming boundaries are used to support Advanced Clients that can—and do— move from site to site and might not have access to a distribution point in the site to which they’re assigned. Advanced Clients use roaming boundaries to locate distribution points in other sites in the SMS hierarchy that can provide them with distributed programs. Like site boundaries, roaming boundaries can be defined by IP subnet, Active Directory sites, or both. However, because Advanced Clients can access the network by a variety of connection methods, such as a RAS server or a VPN, you can also use IP address ranges to define a roaming boundary.

When you configure the site boundaries for a site, all the client agent settings that you define will be applied to all the assigned clients when the SMS software is installed. In other words, agent and component settings are site-wide settings and apply equally to all members of the site. If different sets of clients require different client components, you might need to create a separate site for those clients. For example, if 100 out of 1000 clients require Software Metering to be enabled, and the remaining clients do not, you need to segment these clients into their own subnet, create an SMS site for that subnet, assign those 100 clients to that site, and enable Software Metering for that site. There are ways to get around this limitation, of course, both supported and unsupported. Nevertheless, your goal as an administrator should not be how to “get around” a product’s boundaries. This is one of the reasons a well-conceived deployment strategy will be extremely valuable to you as you construct your SMS site hierarchy.

Site Boundaries and Subnet Masks

When you use IP subnets to determine site assignment, SMS 2003 checks the client’s discovery record to see whether the client’s IP address falls within the IP boundaries set by the SMS administrator. It does so by checking the client’s subnet mask. (The subnet mask determines the subnet address for that segment of the network.) Checking the client’s subnet mask is significant because most companies don’t use a subnet mask of 255.255.0.0 or something similar to define their network segments. In fact, they likely will use a mask such as 255.255.248.0 to segment the network into different subnets for organizational reasons, network routing considerations, security, localization of resources, and so on.

Using a subnet mask such as 255.255.0.0 makes it easy for us to identify the subnet address. With this particular mask, the first two octets make up the network (subnet) portion of the address and the third and fourth octets make up the host portion, so any two addresses that share the first two octets are on the same subnet. For example, consider these two IP addresses: 172.16.20.50 and 172.16.10.50. Using subnet mask 255.255.0.0, it’s easy to see that they’re both in the same subnet. If you set the SMS site boundary to 172.16.0.0, you’ll be sure to discover and assign both clients.

Now take the same two IP addresses, but use subnet mask 255.255.248.0 instead. This subnet mask places each client address into a different subnet. If your site boundary is 172.16.8.0, it will discover and assign clients whose IP addresses fall within the range 172.16.8.1 through 172.16.15.254. Thus the client with address 172.16.10.50 would be assigned and the client with address 172.16.20.50 would not. To include the latter client, you would need to add its subnet address—172.16.16.0— to the site boundaries.
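To make the arithmetic concrete, here is an added example (not from the book) that derives each client’s subnet ID from the address and mask in its discovery record, checks it against a site’s boundary list the way the text describes, and flags a subnet ID claimed by more than one site. The client names, the site code HQ1 and the boundary list are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data, not taken from the book: the two addresses used
# above, each recorded once with a 16-bit mask and once with a 21-bit mask,
# as they would appear in the clients' discovery records.
CLIENTS = {
    "CLIENT01": ("172.16.20.50", "255.255.0.0"),
    "CLIENT02": ("172.16.10.50", "255.255.0.0"),
    "CLIENT03": ("172.16.20.50", "255.255.248.0"),
    "CLIENT04": ("172.16.10.50", "255.255.248.0"),
}

# Site boundaries as the administrator enters them: subnet IDs only. The
# mask used in the comparison is the one the client reports, not one the
# administrator attaches to the boundary. (The site code is illustrative.)
SITE_BOUNDARIES = {
    "HQ1": {"172.16.8.0"},
}


def subnet_id(ip: str, mask: str) -> str:
    """Return the subnet address the client derives from its own IP and mask."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network.network_address)


def host_range(subnet: str, mask: str) -> Tuple[str, str]:
    """Return the first and last usable host addresses in a subnet."""
    net = ipaddress.IPv4Network(f"{subnet}/{mask}")
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def assign_site(ip: str, mask: str,
                boundaries: Dict[str, Set[str]]) -> Optional[str]:
    """Return the site whose IP-subnet boundaries contain the client's subnet ID."""
    sid = subnet_id(ip, mask)
    for site_code, subnets in boundaries.items():
        if sid in subnets:
            return site_code
    return None


def duplicate_boundaries(boundaries: Dict[str, Set[str]]) -> List[Tuple[str, List[str]]]:
    """List subnet IDs claimed by more than one site.

    A client can be assigned to only one site, so the same subnet ID in two
    sites' boundary lists is a configuration error worth catching before
    clients start being installed.
    """
    owners: Dict[str, List[str]] = {}
    for site_code, subnets in boundaries.items():
        for sid in subnets:
            owners.setdefault(sid, []).append(site_code)
    return sorted((sid, sorted(codes)) for sid, codes in owners.items() if len(codes) > 1)


if __name__ == "__main__":
    for name, (ip, mask) in CLIENTS.items():
        print(f"{name}: {ip}/{mask} -> subnet {subnet_id(ip, mask)}, "
              f"site {assign_site(ip, mask, SITE_BOUNDARIES)}")
    print("usable hosts in 172.16.8.0/21:", host_range("172.16.8.0", "255.255.248.0"))
```

Run it directly to print each client’s computed subnet and assigned site. Note that CLIENT02, whose record carries a 255.255.0.0 mask, derives subnet 172.16.0.0 and is not assigned even though its address lies inside 172.16.8.0/21: SMS compares the subnet ID the client computes from its own mask, so a client whose mask differs from what the administrator assumed silently falls outside the boundary.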

You might need to refresh your IP addressing skills to fully appreciate the significance of subnet masking and SMS 2003. But rest assured, the subnet mask does make a difference.

Now consider using Active Directory sites as your SMS site boundary. Without going into a lengthy discussion about Active Directory sites, suffice it to say that they also depend in part on subnet objects. These subnet objects consist of both subnet addresses and masks. This makes it easier to associate computer objects with a particular Active Directory site and so makes it easier for the SMS administrator to assign those clients to an SMS site.

Configuring Site Properties

In SMS 2003 you can configure other site properties besides site boundaries, including site accounts and security. In this section you’ll learn how to configure all these properties.

To display the site properties for an SMS site, follow these steps:

  1. Open the SMS Administrator Console.

  2. Under the Systems Management Server group, expand the Site Database node, and then expand the Site Hierarchy node to display the site object (in the form, sitecode—sitename).

  3. Right-click the site object and choose Properties from the context menu. Or, highlight the site object, and from the Action menu choose Properties to display the Site Properties dialog box for the site, as shown in Figure 3.1. Let’s start with the General tab.

    Figure 3.1: The General tab of the Site Properties dialog box.

The General Tab

The General tab displays some descriptive information about your site server. For example, in Figure 3.1 we can see that the site server is a primary site. We can identify its version and build numbers, the server name, the SMS installation directory, and the current security mode. We can also see whether this site participates in a site hierarchy as a child site to another site. In Figure 3.1 the Parent Site label is set to “None,” so this site is either a stand-alone site or the central (topmost) site in an SMS site hierarchy. You use the Set Parent Site button to identify the parent site that this site should communicate with in an SMS site hierarchy. We’ll talk about creating parent-child relationships in Chapter 4.

Descriptive comments always add value to objects in SMS 2003, as they help provide additional information that might otherwise not be available. In this case we can use the Comment text box to indicate the name of the company (Contoso Corporation), its site hierarchy role (Primary Site), and its location (Corporate Headquarters—USA).

If you installed your site using standard security mode, you can switch to advanced security mode by clicking the Set Security button. When you do, the Set Security Mode dialog box shown in Figure 3.2 is displayed. Note the requirements for switching to advanced security as outlined in this dialog box. Be sure that these requirements are set before you change security modes. Note too that this is a one-time option. Once you change to advanced security mode you cannot change back to standard security. The Set Security button becomes disabled (as displayed in Figure 3.1).

Figure 3.2: The Set Security Mode dialog box.

The Site Boundaries Tab

To configure the site boundaries, complete the following steps:

  1. Click the Site Boundaries tab in the Site Properties dialog box, as shown in Figure 3.3. The IP subnet of the segment in which the site server was installed will be displayed by default.

    Figure 3.3: The Site Boundaries tab of the Site Properties dialog box.

  2. To add a new IP subnet or Active Directory site, click the yellow star button on the right to open the New Site Boundary dialog box, as shown in Figure 3.4. Select a Boundary type from the drop-down list and enter either the subnet ID or the Active Directory Site name (shown in Figure 3.4) as appropriate. Then click OK.

    Figure 3.4: The New Site Boundary dialog box.

  3. The new boundary will be displayed in the Site Boundaries list in the Site Boundaries tab. Click OK or Apply to save your changes.

The Accounts Tab

SMS 2003 in standard security mode makes use of several accounts to access other sites, install clients, install packages, access the database, generate reports, and so on. The Accounts tab, shown in Figure 3.5, provides the SMS administrator with the means of modifying two accounts specific to the site itself: the SMS Service account and the SQL Server account.

Figure 3.5: The Accounts tab in the Site Properties dialog box.

SMS Service Account

SMS creates the SMS Service account during setup, and it’s the primary service account for the SMS site. It provides the site server with access to most SMS services running on the site server as well as on other site systems, including the SMS Executive, SMS Site Component Manager, and the SMS SQL Monitor services.

If you chose to install SMS in standard security mode, SMS can create the account for you, and it calls it SMSService by default, as described in Chapter 2, “Primary Site Installation.” This account is made a member of the local Administrators group on the site server and the domain’s Domain Users global group, and it’s granted the Log On As A Service and Act As Part Of The Operating System user rights for the site server as well.

However, if your site is running in advanced security mode, the SMS site server uses the Local System account to provide access to the same SMS services rather than create a separate SMSService account.

If you’re running in standard security mode and need to modify the SMS Service account name or password that you or SMS created, follow these steps:

  1. Create the new account or modify the existing account using Active Directory Users And Computers. Be sure that any new account is a member of the local Administrators group on the site server and the domain’s Domain Users global group. Also be sure that you have given the account the Log On As A Service and Act As Part Of The Operating System user rights on the site server.

  2. In the Site Properties’ Accounts tab, click the Set button in the SMS Service Account frame to display the Windows User Account dialog box, as shown in Figure 3.6.

    Figure 3.6: The Windows User Account dialog box.

  3. Enter the new account name in the form domainname\username, and then enter and confirm a password. Click OK to save your changes and then click OK again to close the Site Properties dialog box.

Alternatively, you can let SMS create the new account for you or specify the new account for SMS to use by running the SMS Setup program in the Systems Management Server program group. To do so, follow these steps:

  1. From the Systems Management Server program group, on the Start menu, choose SMS Setup.

  2. From the Setup Wizard Welcome page, click Next twice to get to the Setup Options page. Select the Modify Or Reset The Current Installation option, as shown in Figure 3.7.

    Figure 3.7: The Setup Options page of the Setup Wizard.

  3. Click Next to display the SMS Security Information page, as shown in Figure 3.8. Enter the new account and password that you have created and want SMS to now use or that you want SMS to create for you.

    Figure 3.8: The SMS Security Information page of the Setup Wizard.

  4. Click Next to pass through the rest of the pages (unless you need to make other modifications), and then click Finish on the final page. SMS will prompt you to confirm the creation of the new account. Click Yes.

SMS will create the account, make it a member of the appropriate groups, grant it the appropriate rights, and reset the service account for the site server and its services. The new account will then be displayed in the SMS Service Account field when you open the Site Properties’ Accounts tab.

Caution 

Microsoft recommends using Site Reset to notify the site server of any changes to either the SMS Service account or the SQL Server account rather than making the changes through the Accounts tab Set buttons. See Chapter 17, “Security,” for more information about using Site Reset and its implications for your site, and for more information about the SMS Service account and other SMS accounts.

Tip 

If you’re using advanced security, SMS uses the Local System account as its service account. However, if you must run SMS in standard security, be sure to exercise appropriate security with the SMS Service account. It does, after all, have administrative access across the domain as well as in the SMS site. Use an identifiable name as well as a complex password, preferably a long one using some combination of alphanumeric and special characters (for example, gle43kaz$, though treat eight characters as a floor rather than a target, and never reuse a password that has appeared in print). In addition, consider making the SMS Service account a direct member of the local Administrators group on each site system (client access point, server locator point, and so on). By doing this, you can remove the account from the Domain Admins global group for the domain so that a compromise of this account won’t affect the security of other systems in the domain.

When SMS attempts to access a site system in another Windows domain, SMS uses the SMS Service account you specified to complete its tasks. If your site server and site systems are in separate Windows domains, particularly in a mixed mode Windows environment (supporting both Windows NT 4 and Windows 2000 servers and domains), the SMS Service account you specify must have access to the other Windows domains. This access can be accomplished by using Windows trust relationships or pass-through authentication.

If the Windows domain that contains the site system trusts the site server Windows domain, you can use the same SMS Service account you (or SMS) created in the site server Windows domain to access the site system. All the rules apply, of course. Be sure that the SMS Service account from the trusted domain is a member of the trusted domain’s Domain Admins global group, or make it an explicit member of the local Administrators groups on the site system in the trusting domain and grant it the appropriate user rights.

Note 

Recall that all Active Directory domains in the same forest automatically maintain two-way transitive trusts.

If no trust relationship exists between the two Windows domains, you must duplicate the SMS Service account in the site system’s Windows domain, giving it the appropriate group access and user rights. Duplicating the account means creating an account with the same name and password so that SMS can use pass-through authentication to access the site system. Because the two copies share one secret, change their passwords together, and remember that a compromise of either copy exposes the administrative access held by both.

Running SMS in advanced security presupposes that all your SMS servers have been upgraded to Windows 2000 or higher and participate in a native mode Active Directory forest structure. In this case, SMS will use the directory to locate and connect to site systems in different domains.

SQL Server Account

The SMS 2003 site server uses the SQL Server account to gain access to the SMS database, and this account is created during setup. Which account this is depends on the type of SQL Server security implemented during setup. If SQL Server is using SQL Server authentication, you can specify the default sa login or another SQL login ID that you create and configure. If SQL Server is using Windows authentication, the SMS services connect with the site’s Windows identity: the SMS Service account in standard security mode, or the site server’s computer account in advanced security mode. The SMS Administrator console, by contrast, connects to the database under the credentials of the administrator who is logged on.

Note 

If SMS 2003 is installed using the Express Setup, SMS uses the SQL sa login ID as the SQL Server account by default. Because sa is the best-known SQL Server login and a favourite target, give it a strong password, and consider moving SMS to a dedicated login that holds only the rights the site database requires.

There should be little need to modify this account. However, if you must change the account that SMS uses, you should follow the same basic steps and cautions as you would for changing the SMS Service account above. After you’ve created or modified the account, you can inform SMS to use it by following these steps:

  1. In the Accounts tab, click the Set button in the SQL Server Account frame to display the SQL Server Account dialog box, which resembles the one shown in Figure 3.6.

  2. Enter the new SQL account user name, and then enter and confirm a password. Click OK to save your changes and then click OK again to close the Site Properties dialog box.

Alternately, run a Site Reset from SMS Setup and provide the updated SQL Account information when prompted.

More Info 

If your working knowledge of creating the SQL Server account falls short, you might want to attend a training class on SQL Server, as mentioned in Chapter 2.

The Roaming Boundaries Tab

The Roaming Boundaries tab, shown in Figure 3.9, allows you to configure boundaries for roaming Advanced Clients that will allow those clients to access the site’s distribution points. Use the action buttons to add a new roaming boundary, view and edit the properties of a selected roaming boundary, or to delete a roaming boundary.

Figure 3.9: The Roaming Boundaries tab in the Site Properties dialog box.

To add a new roaming boundary, follow these steps:

  1. In the Roaming Boundaries tab, click the yellow star button to display the New Roaming Boundary dialog box.

  2. Select the boundary type you wish to add from the Boundary Type drop-down list: IP Subnet, Active Directory Site, or IP Address Range.

  3. Enter the appropriate information for the boundary type you selected. Figure 3.10 shows the entries for an IP address range.

    Figure 3.10: The New Roaming Boundary dialog box displaying an IP address range.

  4. The Designate This Boundary As A Local Roaming Boundary and Designate This Boundary As A Remote Roaming Boundary options let you specify whether the roaming Advanced Client should treat this site’s distribution points as local or remote. If the local option is selected, the distribution points will be designated as local, and an Advanced Client that receives an advertisement will use the When A Distribution Point Is Available Locally setting you choose in the Advanced Client tab of the Advertisement Properties shown in Figure 3.11. If the local option is not selected, the Advanced Client will use the When No Distribution Point Is Available Locally setting from the same tab. The remote designation is useful when the roaming boundaries you specify represent slow or unstable links to the network.

    Figure 3.11: The Advertisement Properties dialog box showing the Advanced Client tab options.

  5. Click OK to save your changes.
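The roaming boundary evaluation described in this procedure and earlier in the chapter, as an added example that is not part of the book: it matches a client’s current address, mask and Active Directory site against boundaries of all three types, treats a hit on a local boundary as local and anything else as remote, and picks the corresponding Advanced Client tab setting. The boundaries, the VPN address pool, the site name Seattle-HQ and the paraphrased option texts are constructed for the example; the precedence when a client falls inside both a local and a remote boundary is this example’s assumption, not something the book specifies.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class RoamingBoundary(NamedTuple):
    kind: str     # "subnet", "ad_site" or "range": the three types on the tab
    value: str    # subnet ID, Active Directory site name, or "start-end"
    local: bool   # True if designated a local roaming boundary


# Constructed sample configuration, not from the book. The subnet, the
# Active Directory site name and the VPN address pool are illustrative.
ROAMING_BOUNDARIES = [
    RoamingBoundary("subnet", "172.16.8.0", local=True),
    RoamingBoundary("ad_site", "Seattle-HQ", local=True),
    # A remote-access pool reached over a slow link: designated remote.
    RoamingBoundary("range", "10.200.0.1-10.200.0.254", local=False),
]

# The two Advanced Client tab settings of an advertisement (option texts paraphrased).
ADVERTISEMENT = {
    "when_dp_available_locally": "Run program from distribution point",
    "when_no_dp_available_locally": "Do not run program",
}


def _matches(b: RoamingBoundary, ip: str, mask: str, ad_site: Optional[str]) -> bool:
    """Test one boundary against the client's current network location."""
    if b.kind == "subnet":
        # As with site boundaries, the client's own mask decides its subnet ID.
        client_subnet = ipaddress.IPv4Interface(f"{ip}/{mask}").network.network_address
        return str(client_subnet) == b.value
    if b.kind == "ad_site":
        return ad_site is not None and ad_site.lower() == b.value.lower()
    if b.kind == "range":
        start, end = (ipaddress.IPv4Address(p.strip()) for p in b.value.split("-"))
        return start <= ipaddress.IPv4Address(ip) <= end
    raise ValueError(f"unknown boundary type {b.kind!r}")


def classify(ip: str, mask: str, ad_site: Optional[str],
             boundaries: List[RoamingBoundary]) -> Optional[str]:
    """Return "local", "remote", or None when the client is outside every boundary.

    Assumption of this example: if a client falls inside both a local and a
    remote boundary, the local designation wins. The book states no
    precedence, so keep roaming boundaries non-overlapping in practice.
    """
    hits = [b for b in boundaries if _matches(b, ip, mask, ad_site)]
    if not hits:
        return None
    return "local" if any(b.local for b in hits) else "remote"


def behaviour(classification: Optional[str], advertisement: dict) -> str:
    """Pick the advertisement setting the Advanced Client will follow."""
    if classification == "local":
        return advertisement["when_dp_available_locally"]
    # Remote boundaries and clients outside all boundaries both take the
    # "no distribution point available locally" setting.
    return advertisement["when_no_dp_available_locally"]


if __name__ == "__main__":
    for ip, mask, site in [("172.16.10.50", "255.255.248.0", None),
                           ("10.200.0.77", "255.255.255.0", None),
                           ("192.168.5.9", "255.255.255.0", "Seattle-HQ"),
                           ("192.168.5.9", "255.255.255.0", None)]:
        c = classify(ip, mask, site, ROAMING_BOUNDARIES)
        print(f"{ip} (AD site {site}): {c} -> {behaviour(c, ADVERTISEMENT)}")
```

The Active Directory site match is the case that lets a laptop moved to a new subnet still be treated as local without any change to the boundary list, which is the same administrative advantage the chapter notes for site boundaries.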

The Advanced Tab

The Advanced tab, shown in Figure 3.12, allows you to specify two options for dealing with child sites. By default, all new SMS 2003 sites use public/private key pairs to sign data that’s sent between sites, and the option Publish Identity Data To Active Directory, enabled by default, publishes this signing identity to Active Directory so that other sites in the hierarchy can obtain it from the directory. Signing lets a receiving site reject data that was tampered with in transit or that did not originate from the site it claims to come from. However, signing is not available from SMS 2.0 sites that haven’t been upgraded to SP 5 or later. To ensure that such sites cannot send unsigned data to their SMS 2003 parents, select the option Do Not Accept Unsigned Data From Sites Running SMS 2.0 SP 4 And Earlier. If you need to maintain down-level SMS 2.0 sites within your site hierarchy, and you want those sites to continue to report data, such as inventory, discovery information, and status messages, to your SMS 2003 site, clear this option. Be aware that doing so accepts unsigned data from those child sites, so only do it where the network path between the sites is itself trusted.

Figure 3.12: The Advanced tab of the Site Properties dialog box.

Select the option Require Secure Key Exchange Between Sites to ensure that a site accepts another site’s public key only when it arrives by a trusted path, from Active Directory or by manual transfer, rather than over the same network connection that carries the data the key will later be used to verify. A key accepted over an untrusted path can be substituted by an attacker at the moment of exchange, after which signing protects nothing. If you must allow keys to be exchanged without this protection, leave this option cleared. Chapter 4 discusses the protection of site-to-site data communications in more detail.

The Security Tab

The Security tab, shown in Figure 3.13, displays the current security rights for the Site Properties object. Every object in the SMS database has both class and instance security that can be applied: class security rights apply to every object of that type, whereas instance security rights apply to one specific object. Applying security to SMS objects is similar to creating an access control list (ACL) for Windows files, folders, or shares. To set object class security rights, click the yellow star button in the Class Security Rights frame to display the Object Class Security Right Properties dialog box. You can specify permissions such as Administer, Create, or Delete by selecting the boxes in the Permissions list. To set object instance security rights, click the yellow star button in the Instance Security Rights frame and follow the same procedure. Prefer the narrower instance right where it suffices; a class right grants the permission on every object of that class.

Figure 3.13: The Security tab of the Site Properties dialog box, showing the two default accounts granted permissions to manage the Site Properties class of object.

Site Settings

Typically, you’ll think of SMS site settings and component attributes such as client agent settings, site addresses, site systems and their roles, and so on, as properties of the site, and rightly so since these settings are indeed specific to each site. However, as you’ve seen, these other settings aren’t part of the Site Properties dialog box for an SMS 2003 site. The SMS 2003 Site Properties dialog box might better be thought of as relating to the site object properties than to settings and attributes of components within that site.

To access the component settings, expand the Site object in the console tree and then expand the Site Settings object. Under the Site Settings object, you’ll find SMS 2003 component settings, as we discussed above. Each of these site settings will be discussed in detail in later chapters. Remember that these site settings are integral and unique to each specific SMS site and can rightly be termed properties of the site.


