Appendix C - Client Deployment Planning

SMS client deployment consists of the following phases:

  • Discovering resources

  • Installing core SMS software components on potential clients

  • Assigning clients to SMS sites

  • Installing client agents (on the Legacy Client only)

Be familiar with the SMS discovery and installation methods that are described in Chapter 4: “Understanding SMS Clients.”

This section includes:

  • Determining Which Client Type to Deploy

  • Developing Strategies for Discovery and Client Installation

Determining Which Client Type to Deploy

For each site in your hierarchy, you should carefully consider which SMS 2003 client to deploy.

In general, plan to deploy the Advanced Client at each SMS site, especially on computers with slow or inconsistent connections to SMS site systems. The Advanced Client is easier to administer and is the future direction of the SMS client. It is strongly recommended that you install the Advanced Client as the preferred client on all your SMS client computers running Windows 2000 or later, to take advantage of the enhanced security and other benefits the Advanced Client provides on these platforms.

There is an exception to this recommendation. Deploy the Legacy Client to computers that are running Microsoft® Windows® 98 or Microsoft Windows NT® 4.0. See the “Getting Started” chapter in the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide for client system requirements.

To assist you in determining which client to deploy, you should closely examine the differences between the two clients. Although the two clients are almost identical in features, they have subtle differences, which are described in Chapter 4: “Understanding SMS Clients.” For information about how SMS 2003 features are implemented on each client, see Chapter 3: “Understanding SMS Features.”

Other considerations when choosing which client to deploy are:

  • Your state of readiness for deploying and supporting two different clients in SMS, and whether it is important that you standardize to just one type of client.

  • Your organization’s need for mobile computer support. The need to have and support clients roaming from one SMS site to another can hasten your transition to the Advanced Client.

  • The state of your SMS client deployment readiness. If you have a reference image of client systems or a similar computer operating system deployment mechanism, plan to update the reference image to include the Advanced Client. Similarly, if you are deploying system images from Windows shared folders at various sites, plan to update those shared folders with the appropriate SMS client software.

  • Whether or not your Advanced Client requirements are met. You can transition to the Advanced Client only after clients are running a supported operating system, management points are set up, and the appropriate SMS security changes have been completed. For more information, see Chapter 4: “Understanding SMS Clients.”

Important

If you have installed the Legacy Client on a computer running the Windows 98 or Windows NT 4.0 operating system, and you upgrade those computers to the Microsoft Windows 2000 or later operating system, the Legacy Client agent is removed from the client as part of the upgrade process. It is recommended that you install the Advanced Client on that computer after you upgrade the operating system to Windows 2000 or later.

Developing Strategies for Discovery and Client Installation

Because organizations are diverse, SMS provides a number of discovery and installation methods. Depending on your schedule and whether all prerequisites for the Advanced Client are in place, you might deploy the Advanced Client site-wide as soon as you deploy the SMS site. Or, you might deploy the Legacy Client and then migrate to the Advanced Client as soon as your plan allows.

Overview

You can choose different combinations of discovery methods to locate resources. The discovery method you use determines the type of resources discovered and which SMS services and agents are used in the discovery process. A computer does not automatically become an SMS client through discovery. Depending on how you plan to use SMS, you can choose to perform discovery without performing installation, or vice versa.

There are advantages to initiating discovery but not client installation, or vice versa. For example, if you run discovery while all client installation methods are disabled, SMS discovers resources on your network. Then, when you enable a client installation method in SMS, discovered computers that are running a Windows operating system are also installed as SMS clients.

Initiating Discovery Without Initiating Client Installation

The purpose of initiating discovery but not initiating client installation is to gather information about resources in your organization for planning purposes. For example, to refine your plan for SMS site boundaries, you can perform resource discovery to determine the number of computers on each subnet in your network. You can then use this information to determine the best way to install the clients. When you have configured the site boundaries, you can install SMS on client computers. The clients are assigned appropriately, and the client agents are installed.

You can accomplish this by using Network Discovery or Active Directory System Discovery to discover information about system resources on your entire network.

Important

You should notify network administrators if you plan to use Network Discovery. This method can contact devices that other administrators might not expect or want to be contacted. You should let the administrators know that those activities are planned and ask whether they are acceptable.

Initiating Client Installation Without Initiating Discovery

In other situations, the advantage is in initiating client installation but not discovery. You run an SMS client installation method without first running a client discovery method. This is advantageous to SMS administrators who do not want to discover resources that they do not want SMS to manage. This type of installation without discovery can be done by using Group Policy or by initiating client installation in the logon script.

For the Advanced Client, you can install the SMS Advanced Client software on the computer without assigning the client to a site. In this scenario, discovery is not run at all. For more information, see “Developing Strategies for Client Discovering and Installation” in Appendix C: “Appendix C - Client Deployment Planning.”

Monitoring Discovery and Client Deployment

When you enable discovery and client installation methods, you must monitor their progress to ensure that:

  • Discovery and client installation methods are proceeding successfully.

  • Discovery and client installation methods are not proceeding too rapidly, possibly causing an excessive load on your network or servers.

  • Clients are being assigned to the appropriate SMS sites.

  • The correct client type is being installed on the appropriate computers.

  • The correct client agents are being installed on Legacy Clients.

The easiest way to monitor the success of the discovery and client installation methods is to examine the collections in the SMS Administrator console. Over time, the collections should become populated with SMS clients. By checking the properties for individual clients, you can ensure that they have the correct site assignment, client type, and client agents.

Collections are automatically updated on a routine schedule, but if you do not want to wait for the next automatic update, you should select a collection in the SMS Administrator console, click All Tasks in the Action menu, and then click Update Collection Membership. You should then click Refresh from the Action menu. You can obtain a count of the resources in a collection by clicking Show Count from the Action menu.

You can also monitor the progress of discovery and client installation methods by examining the status messages for relevant components under the Site Status node in the SMS Administrator console.

Choosing a Discovery Method

When you are ready for SMS to locate potential SMS clients, you run discovery in SMS. The discovery method you choose depends on whether or not you have Active Directory, and which resource types you want to find based on the objectives you defined in the preplanning phase.

Table C.1 lists the types of discovery methods that are found in the SMS Administrator console and whether or not the client computer must be turned on to be discovered by SMS, based on the discovery method running.

Table C.1   Planning for SMS Discovery Methods

| Type of resources you want discovered | Discovery method | Client computer must be turned on to be discovered |
|---|---|---|
| Computers | Heartbeat Discovery | Yes |
| | Network Discovery | No |
| | Active Directory System Discovery | No |
| Windows computer users and groups | Windows User Account Discovery | No |
| | Windows User Group Discovery | No |
| Active Directory computer users and groups | Active Directory User Discovery | No |
| | Active Directory System Group Discovery | No |
| Active Directory security groups | Active Directory Security Group Discovery | No |

For example, if you want to find users instead of computers, you would choose Windows User Account Discovery or Active Directory User Discovery. If you want to find computers to distribute software to, you might choose Active Directory System Discovery.

When you choose the discovery method to be used at an SMS site, remember that, for most discovery methods, the client computer does not have to be turned on to be discovered. The exceptions to this are Heartbeat Discovery and Active Directory System Discovery. Do not use either of these methods if you want all computers to be discovered whether or not they are turned on at discovery time.

Important

When you install SMS by using Custom Setup, no discovery or installation methods are enabled (except for Heartbeat Discovery and automatic discovery of site systems, which you cannot configure). If you install SMS by using Express Setup (which should only be done in an isolated test lab for evaluation purposes), all discovery and installation methods are enabled except for Network Discovery. For more information, see the “Setup Options” section earlier in this appendix.

Unlike SMS 2.0, SMS 2003 does not have Windows Networking Logon Discovery. However, you can still discover computers when users log on to them. For more information, see Appendix I: "Appendix I - Installing and Configuring SMS Clients."

This section describes planning for the following discovery tasks:

  • Discovering resources automatically

  • Discovering domain users and groups

  • Discovering resources that have an IP address

  • Discovering Active Directory objects

  • Using scripts for discovery

Note

Manual Client Installation can discover computers without installing the SMS client software on them. For more information, see the “Manual installation of the SMS client” section later in this appendix.

Discovering Resources Automatically

Some discovery tasks happen automatically in SMS, so you cannot plan for them. These include:

  • Discovery of SMS site systems.

  • Heartbeat Discovery.

  • Discovery performed by SMS during hardware inventory.

SMS site systems and site servers are discovered automatically. Site system discovery provides discovery data about site systems and can trigger their installation as SMS clients if Client Push Installation is enabled and configured to install the SMS client on servers. Because this discovery method is fully automated, you cannot configure it, you cannot disable it, and you do not see it in the SMS Administrator console.

Note

SMS Recovery Web sites are not site systems and therefore are not discovered with Site System Discovery. SMS Recovery Web site computers must be discovered by using other discovery methods.

Heartbeat Discovery is a method that is used to refresh SMS client computer discovery data in the SMS site database. If you enable Heartbeat Discovery, the discovery data is refreshed on a schedule that you determine. If you disable Heartbeat Discovery, the discovery data is refreshed only when another discovery method is invoked or run on a schedule. Heartbeat Discovery is useful for maintaining current discovery data on clients that are not usually affected by one of the other discovery methods, such as a server that users seldom log on to. By default, this discovery method is enabled.

Important

You can set a full schedule on heartbeat discovery so that clients report their discovery data at a specific time on a regular basis. You should avoid doing this on large sites or on many sites at the same time. Otherwise, you could generate a backlog of DDRs waiting for processing, and your network and SMS servers could be subject to a considerable load when heartbeat discovery runs on all the clients concurrently.

Also, if SMS hardware or software inventory loads computer details into the SMS site database before a DDR is received for that computer, SMS automatically creates a DDR for the computer by using the details that are included in the inventory. Because this discovery method is fully automated, you cannot configure it, you cannot disable it, and you do not see it in the SMS Administrator console.

Discovering Domain Users and Groups

If you want to discover domain user accounts and user groups in particular domains, plan to enable Windows User Account Discovery and Windows User Group Discovery. With this information, you can organize domain users and user groups into SMS collections.

You can use Windows User Account Discovery with Windows NT domains or mixed mode Active Directory domains. However, Active Directory User Discovery returns more information from Active Directory domains, and it continues to work with those domains when you switch them to native mode. You should only use Windows User Account Discovery with Windows NT 4.0 domains.

SMS must be able to access the domains that you specify for Windows User Account Discovery or Windows User Group Discovery by using the SMS Service account or by using the SMS site server’s computer account, depending on the security mode SMS is running in.

Windows User Group Discovery is useful for creating group-based collections for software distribution. For example, if you want to distribute software based on groups of users, you can use this discovery method to determine which groups are in your domains. If your organization has an Accountants user group, you can discover that group and then advertise software to a collection containing that group.

Important

When discovering Windows user account or group resources within a domain, you must provide SMS with administrative rights and permissions to each specified domain. Do this by granting the SMS Service account (if the site is in standard security mode) or the site server computer account (if the site is in advanced security mode) administrative rights and permissions to the destination domains.

Different SMS sites can discover user accounts in the same domain or in different domains. If you require user resources from a domain at a site and its child site, you should enable Windows User Account Discovery only at the child site. The child site automatically forwards the discovery data to the parent site, so both sites do not have to discover the same users.

You can also schedule how often you want SMS to poll the domain controllers. The discovery data for the accounts is refreshed every time SMS polls the domain controllers. Consider how often you want these discovery methods to poll each domain and generate a new DDR for all user accounts in each domain. This list of user and user group accounts can gradually become inaccurate as accounts are added and deleted in the domain, so set a schedule to keep the list as current as possible.

Discovering Resources That Have an IP Address

Plan to use Network Discovery if you want to find any device on your network that has an IP address. Use Network Discovery to search specific subnets, domains, SNMP devices, and Windows NT or Windows 2000 Dynamic Host Configuration Protocol (DHCP) servers for resources. Network Discovery can also use SNMP to discover resources that are recognized by routers. You can specify a list of SNMP community names and a number of hop counts within which to find routers.

The SMS site server must have user-level security access on the DHCP servers to retrieve database information from those servers. The SMS Service account must have domain user credentials in the same domain as the DHCP server.

You can use Network Discovery to collect resource discovery data so that SMS can perform Client Push Installation. Plan how you will configure Network Discovery options, based on the amount of discovered resource information you want it to provide and when you want Network Discovery to run, before you enable Network Discovery.

For discovery type, choose from the three levels of details:

  • Topology

  • Topology and client

  • Topology, client, and client operating system

Note

If you select the Topology, Client, and Client Operating System level of detail, and if the discovered resource runs the Windows 98 or Windows Millennium Edition operating systems, Network Discovery discovers the client operating system only if the computer is configured to share resources. Users at the clients can specify whether to share resources when they are setting up Windows during the installation process or by using Network in Control Panel.

Network Discovery runs according to the schedule you define in the SMS Administrator console. You must schedule and configure the scope of Network Discovery when you are ready to use it in your organization. Be very careful when you enable Network Discovery. Using Network Discovery increases the amount of traffic on your network. As a result, you should schedule Network Discovery so it does not interfere with other uses of your network. If you plan to run Network Discovery over any slow links, plan to make allowances for network speed and available bandwidth when you configure Network Discovery.

For more information, see the “Controlling Discovery and Client Installation” section later in this appendix.

Discovering Active Directory Objects

Active Directory discovery methods poll the nearest Active Directory domain controller to discover Active Directory computers, users, user groups, and containers. To use an Active Directory method of discovery, your Active Directory domain can be in either mixed mode or native mode. Plan to specify the containers you want polled, such as specific domains, sites, organizational units, or user groups. Also, plan to specify the polling schedule.

Note

Do not browse for an Active Directory container. When you browse for an Active Directory container, SMS enumerates all objects in the container. For large numbers of objects, this can take a significant amount of time to complete.

SMS polls Active Directory when it is using one of the Active Directory discovery methods. The SMS resources that are obtained from Active Directory do not necessarily reflect the current Active Directory resources at all times; objects might have been added, removed, or changed in Active Directory since the most recent poll.

SMS must have read access to the containers that you specify for Active Directory System Discovery, Active Directory User Discovery, Active Directory Security Group Discovery, or Active Directory System Group Discovery by using the SMS Service account or the site server computer account, depending on the security mode SMS is running in. When the SMS Service account or site server computer account is used by these discovery methods in domains other than the domain the site server is in, the account must have domain user credentials on those domains. The account must at least be a member of the Domain Users group or local Users group on the domains.

Active Directory User Discovery

Use Active Directory User Discovery to discover the following:

  • User name

  • Unique user name (includes domain name)

  • Active Directory domain

  • Active Directory container name

  • User groups (except empty groups)

You can run Active Directory User Discovery only on primary sites. If you must discover users or groups in domains that only a secondary site is in, configure the secondary site’s parent primary site to discover those domains.

Use Active Directory User Discovery to discover accounts that you want to categorize into SMS collections. For example, if you want to distribute software to collections of users, use this discovery method to determine which users are in your Active Directory domains. If your organization has users to whom you want to distribute a specific software package, you can discover those user accounts and create a collection containing them. You can then advertise the software package to only that collection, so only the appropriate users receive it.

Polling performed by Active Directory User Discovery can generate significant network traffic, although it generates less traffic per resource than Active Directory System Discovery. Plan to schedule the discovery to occur at times when this network traffic does not adversely affect network use.

Also, because SMS polls Active Directory, the SMS resources that are obtained from Active Directory do not necessarily reflect the current Active Directory resources at all times. Users might have been added, removed, or changed in Active Directory since the most recent poll.

Active Directory System Discovery

Use Active Directory System Discovery to discover the following:

  • Computer name

  • Active Directory container name

  • IP address

  • Assigned Active Directory site

Polling performed by Active Directory System Discovery can generate significant network traffic (approximately 5 KB per client computer). Plan to schedule the discovery to occur at times when this network traffic does not adversely affect network use.

Also, because SMS polls Active Directory, instead of being notified of Active Directory changes, the SMS resources that are obtained from Active Directory do not necessarily reflect the current Active Directory resources at all times. Computers might have been added, removed, or changed in Active Directory since the most recent poll.

Note

In Active Directory forests with only one Active Directory site, SMS Active Directory System Discovery fails to get the subnet information from the domain controller. This is because of a limitation in the operating system. This issue does not apply to Windows Server 2003; it only applies to Windows 2000. To get the subnet information, you must create a second Active Directory site and assign one subnet to it.

Active Directory Security Group Discovery

Active Directory Security Group Discovery data is an enhancement of the discovery data of other discovery methods. Use Active Directory Security Group Discovery to discover the following:

  • Domain Local Security groups

  • Domain Global Security groups

  • Universal Security groups

You can run Active Directory Security Group Discovery only on primary sites. It polls Active Directory for all system resources in its database, including those discovered at child sites, and including secondary sites. Because Active Directory Security Group Discovery does not contact the computers directly, the computers do not have to be turned on to be discovered.

Polling performed by Active Directory Security Group Discovery can generate significant network traffic, so you should schedule the discovery to occur at times when this network traffic does not adversely affect network use.

Active Directory System Group Discovery

Active Directory System Group Discovery data is an enhancement of the discovery data of other discovery methods. Use Active Directory System Group Discovery to discover the following:

  • Organizational units

  • Global groups

  • Universal groups

  • Nested groups

  • Non-security groups

You can run Active Directory System Group Discovery only on primary sites. It polls Active Directory for all system resources in its database, including those discovered at child sites, and including secondary sites. Because Active Directory System Group Discovery does not contact the computers directly, the computers do not have to be turned on to be discovered.

Polling performed by Active Directory System Group Discovery can generate significant network traffic, so you should schedule the discovery to occur at times when this network traffic does not adversely affect network use.

Using Scripts for Discovery

You can employ scripts to discover clients during network logon. Scripted discovery is beneficial to SMS administrators who want to completely control the discovery process. It is useful if you are including a wide variety of computers in your SMS pilot project but you do not want to discover too many of those computers, and you do not want to take the time to manually discover them.

Scripted discovery is also appropriate if you have special reporting needs. For example, you can create DDRs for computer lease agreements and then generate reports that provide lease details with the computer details that SMS usually collects.

Controlling Discovery and Client Installation

When you install the SMS client core software automatically in a large SMS site, many computers attempt to install the client in a small period of time, such as an hour or two. The load on your network and SMS site systems might be excessive, causing adverse effects on network usage or client computers. For this reason, you should carefully control SMS client installation at large sites.

Note

When you enable SMS software or hardware inventory, the default simple schedule invokes inventory at midnight on the day of client installation. By default, SMS schedules these computers to conduct another inventory seven days later. By staggering client installation times over a longer period of time, you preserve network bandwidth because the number of clients taking and reporting inventory information on subsequent inventory days will also be staggered.

To predict whether the SMS client deployment will adversely affect your site, multiply the number of potential clients by the size of the SMS client software in megabits. Then divide this number by the time period in seconds during which the clients will be installed, presuming the client installation requests are at an evenly distributed rate. Compare the resulting number with the speed of the slowest point in your network. If the network use seems excessive — for example, you might consider more than 25 percent as excessive — then you must control the client installation.

Controlling client deployment can be done by using a variety of techniques that enable the client discovery or installation technique in such a way that only a limited number of clients are installed at one time. For example, you might not want to use logon scripts to discover or install too many clients over a short period of time. This is especially important if you have many users running a common logon script.
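The load estimate described above, carried through to a wave plan that limits how many clients are installed at one time. This is an added example, not part of the original guide or of SMS; the 25 MB installer size, the client counts, and the link speeds are constructed values to be replaced with measurements from your own site.

```python
"""Estimate the network load of an SMS client rollout and size install waves.

Added planning example. The installer size and site figures used in the
sample run are constructed, not taken from the SMS documentation.
"""
import math
from dataclasses import dataclass

MEGABITS_PER_MEGABYTE = 8


@dataclass(frozen=True)
class RolloutEstimate:
    demand_mbps: float         # average load if installs are spread evenly
    utilization: float         # demand as a fraction of the slowest link
    excessive: bool            # True when utilization exceeds the threshold
    min_window_hours: float    # shortest window that stays within the threshold
    max_clients_per_hour: int  # install rate that stays within the threshold


def estimate_rollout(clients, client_size_mb, window_hours,
                     slowest_link_mbps, threshold=0.25):
    """Clients x client size (megabits) / window (seconds), compared with
    the slowest link. The 25 percent default follows the text's example."""
    if min(clients, client_size_mb, window_hours, slowest_link_mbps) <= 0:
        raise ValueError("all inputs must be positive")
    if not 0 < threshold <= 1:
        raise ValueError("threshold must be in (0, 1]")

    size_megabits = client_size_mb * MEGABITS_PER_MEGABYTE
    total_megabits = clients * size_megabits
    demand_mbps = total_megabits / (window_hours * 3600)
    utilization = demand_mbps / slowest_link_mbps

    # Bandwidth the rollout may consume without crossing the threshold.
    budget_mbps = slowest_link_mbps * threshold
    return RolloutEstimate(
        demand_mbps=demand_mbps,
        utilization=utilization,
        excessive=utilization > threshold,
        min_window_hours=total_megabits / budget_mbps / 3600,
        max_clients_per_hour=math.floor(budget_mbps * 3600 / size_megabits),
    )


def plan_waves(clients, max_clients_per_hour, hours_per_wave):
    """Split the rollout into waves (for example, one per night) so that
    each wave stays within the per-hour install rate."""
    per_wave = math.floor(max_clients_per_hour * hours_per_wave)
    if per_wave < 1:
        # The link cannot carry even one install per wave within the
        # threshold; use a longer wave or another installation path.
        raise ValueError("link too slow for this wave length and threshold")
    full_waves, remainder = divmod(clients, per_wave)
    return [per_wave] * full_waves + ([remainder] if remainder else [])


if __name__ == "__main__":
    # Constructed sample: 2,000 clients, 25 MB installer (assumed size),
    # installs triggered within a 2-hour logon period, 10 Mbps slowest link.
    est = estimate_rollout(2000, 25, 2, 10)
    print(f"demand {est.demand_mbps:.1f} Mbps, "
          f"utilization {est.utilization:.0%}, excessive={est.excessive}")
    print(f"minimum window {est.min_window_hours:.1f} h, "
          f"at most {est.max_clients_per_hour} clients/hour")
    waves = plan_waves(2000, est.max_clients_per_hour, hours_per_wave=4)
    print(f"{len(waves)} waves of 4 hours: {waves}")
```

The estimate assumes evenly distributed installation requests, as the text does; a shared logon script concentrates requests at the start of the period, so treat the result as a lower bound on peak load.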

Discovery methods are designed to automatically find SMS resources. If your organization has many resources, and you configure the discovery methods inappropriately, SMS might discover many resources simultaneously. This can impose a significant workload on your network and some SMS component servers. To avoid this, you must control discovery.

Network Discovery

You control the rate at which Network Discovery discovers resources by incrementally enabling and configuring Network Discovery options. For example, if you configure Network Discovery to search specific IP subnets to discover resources, you can control discovery by adding only one subnet to the configuration each time Network Discovery is run. Watch the impact of Network Discovery using that one subnet, and add subnets more rapidly if the load is not excessive. Add subnets one at a time, in a similarly controlled manner.

You can specify several schedules if you want Network Discovery to run at specific times, including a recurrence pattern that causes Network Discovery to run at regular intervals. New schedules and schedule changes go into effect as soon as they are written to the SMS site control file. When you run Network Discovery on a primary site server, there is a brief delay of about one minute in writing to the site control file. The delay is longer if you are configuring Network Discovery for a child site from the parent site, because the update to the child site control file depends on the schedule for intersite communication to the child site address.

If the scheduled time has passed when the data is written to the site control file, the first Network Discovery does not begin until the next scheduled time. For example, if you set Network Discovery to run every Monday at 5:00 P.M., but the schedule is not written to the site control file until Monday at 5:01 P.M., then Network Discovery does not run until the following Monday at 5:00 P.M. To initiate Network Discovery as soon as possible, allow sufficient time for the schedule to be written to the site control file before the scheduled start time.

Other Discovery Methods

You can control the following discovery methods by configuring their schedules:

  • Heartbeat Discovery

  • Windows User Account Discovery

  • Windows User Group Discovery

  • Active Directory System Discovery

  • Active Directory User Discovery

  • Active Directory System Group Discovery

  • Active Directory Security Group Discovery

With Heartbeat Discovery’s interaction with the client refresh cycle, you cannot precisely control the time of day that Heartbeat Discovery DDRs are created. However, you can control how frequently they are created over a specified period of time, such as a week or month.

For the rest of the discovery methods that are listed, you can control the time of day or the day of the week that they are run. By setting these methods to perform at non-peak times when few people are using the network, you can ensure that these methods do not cause an adverse effect on your servers or on available network bandwidth.

Important

If you change a discovery method schedule to run more frequently, the discovery method might run immediately. For example, if the discovery method is originally set to run weekly, and you change it to run daily, it might run as soon as you make the change, even if it is configured to run at midnight. This is because it might have been more than one day since the discovery method last ran.

Deploying SMS Clients

You can deploy the SMS client by using methods that are built into SMS 2003, or you can use other means to distribute the core SMS client components. For example, some organizations might use a software distribution method. Others might install the SMS client on a master computer image that is applied to computers when they are prepared for use in the production environment. The technique you use depends on a number of factors that are specific to your environment.

SMS client installation techniques include:

  • Installing the SMS client by using a push installation method in the SMS Administrator console.

  • Initiating a program file at the client with one of the following:

    • Logon script

    • Manually running program file

    • Windows Group Policy

    • SMS software distribution or other software distribution mechanism

  • Installing the Advanced Client on a computer master image.

Do not enable any features in your SMS site, such as discovery method, installation method, inventory, or software metering, until you have a thorough client deployment plan in place.

Overview

For each site in the SMS hierarchy, determine and document which technique you plan to use to deploy SMS client software components to client computers.

See Table C.2 for the available methods for deploying the Advanced Client software by using the SMS Administrator console or by initiating a program file at the client computer. For more information about other techniques for deploying the Advanced Client software, including using Windows Group Policy, see the “Software distribution of the Advanced Client” section later in this appendix. If your IT department plans to install the Advanced Client on a computer master image, see the “Installing the Advanced Client on a computer master image” section later in this appendix.

See Table C.3 for the available methods for deploying the Legacy Client software by using the SMS Administrator console or by initiating a program file at the client computer.

Note

SMS does not support installing the Legacy Client over a slow network link. Such computers should be installed on a network that is well connected to a CAP.

Table C.2   Planning for SMS 2003 Advanced Client Installation

| Automated installation using SMS Administrator console | Logon script¹ | Manual¹ | Windows Group Policy¹ | Other software distribution mechanism¹ |
| --- | --- | --- | --- | --- |
| Client Push Installation method | Logon Script-initiated Client Installation (Capinst.exe) | Advanced Client Installer (Ccmsetup.exe) | Client.msi | Ccmsetup.exe |

¹ Installation by initiating program file at the client.

Table C.3   Planning for SMS 2003 Legacy Client Installation

| Automated installation using SMS Administrator console | Logon script¹ | Manual¹ | Windows Group Policy¹ | Other software distribution mechanism¹ |
| --- | --- | --- | --- | --- |
| Client Push Installation method | Logon Script-initiated Client Installation (Capinst.exe) | Manual Client Installation (Smsman.exe) | N/A | N/A |

¹ Installation by initiating program file at the client.

If you want to install SMS clients automatically, use Client Push Installation. If you have run a discovery method and want to deploy the SMS client to the discovered resources, use the Client Push Installation Wizard. If you want to install clients without discovering them, you can run a program file on the client through logon scripts, Windows Group Policy, manually at the client workstation, or by using another software distribution mechanism.

Installing the SMS client by using the SMS Administrator console

SMS 2003 provides support for installing the SMS Advanced Client remotely from the SMS site server by using Client Push Installation. Client Push Installation (or the Client Push Installation Wizard) must be used with an SMS discovery method because it requires clients to be discovered before the SMS client software is installed.

Client Push Installation

Client Push Installation is useful for installing the Advanced Client or Legacy Client software on computers that:

  • Have been discovered by SMS but do not have the SMS client software.

  • Rarely log on to the network because the users lock their Windows sessions instead of logging out.

  • Log on with a user account that does not run a logon script or does not have administrative permissions on the computer.

  • Are servers that users might not log on to for a long period of time.

Important

If you enable site-wide Client Push Installation, any compatible resource that is discovered within the site boundaries or roaming boundaries of the site is installed as an SMS client.

Use Client Push Installation to install the SMS client on SMS site systems. Site systems are automatically discovered by using site system discovery. By default, when site systems are discovered, SMS does not trigger Client Push Installation, even if it is enabled. However, you can configure the Client Push Installation Properties to install the SMS client on site systems.

If you want to install the SMS client automatically to specific groups of computers, or to computers that have been discovered but not yet installed as SMS 2003 clients, use the Client Push Installation Wizard.

If you have many computers in one SMS site, you might choose to use Client Push Installation to install the SMS client automatically. If SMS installs many clients at the same time, your network or SMS site systems might become overloaded. To avoid this, plan to throttle the client installation using the resource-based or collection-based Client Push Installation Wizard.

SMS site preparation for Client Push Installation

Client Push Installation requires that you grant administrator rights and permissions on all chosen client computers to either the SMS Service account (if the site is running in standard security mode) or the Client Push Installation accounts that you create in the Client Push Installation Properties dialog box in the SMS Administrator console. For more information, see Scenarios and Procedures for Microsoft Systems Management Server 2003: Security.

To prepare the SMS site to deploy the SMS client software by using Client Push Installation, you must do the following:

  • Depending on whether you are installing the Advanced Client or the Legacy Client, ensure that you do the following:

    • For Advanced Client installation, from Component Configuration, specify an Advanced Client Network Access Account on the General tab in the Software Distribution Properties dialog box.

    • For Legacy Client installation, from Connection Accounts, specify a Windows User Account for the client connection.

  • Specify a valid account on the Accounts tab of the Client Push Installation Properties dialog box, accessible from Client Installation Methods in the SMS Administrator console. This account must have administrative credentials on the client computers that you want to install the Advanced Client on.

  • Configure an SMS site system as a management point, from Site Systems, and ensure that a default management point is specified for the site.

To troubleshoot Client Push Installation problems during Advanced Client installation, review the Ccm.log file on the SMS site server, which is located in the SMS\Logs folder. On the client, review the Ccmsetup.log and Client.msi.log files, which are located in %Windir%\System32\Ccmsetup.

If you want to install the SMS client on specific resources or collections in SMS, you can do this through the SMS Administrator console by using the Client Push Installation Wizard. Client Push Installation must be configured for the Client Push Installation Wizard to work, but it does not have to be enabled.

The SMS Advanced Client Installer (Ccmsetup.exe) supports the ability to report status to an SMS management point, allowing an administrator to check for installation failures at a central location. Whenever an error occurs while installing an Advanced Client, Ccmsetup.exe sends information about the error to a specified management point through HTTP. The management point then logs this information to the MP_Status.log file, which is located in the management point's log directory.

If you are using the Client Push Installation method, this is the default behavior, and status is sent to the site's default management point. However, if you are using software distribution, logon installation, or another deployment mechanism, you must add the /statusmp switch to the Ccmsetup.exe command line tool to allow this behavior. The switch must be followed by a colon (:), as well as the NetBIOS name or IP address of the management point you want to use. You can use the switch multiple times for failover support.

Here are three examples using the /statusmp switch:

    ccmsetup.exe /statusmp:MYMPNAME [other arguments]
    ccmsetup.exe /statusmp:123.456.7.89 [other arguments]
    ccmsetup.exe /statusmp:MYMP1 /statusmp:MYMP2 [other arguments]

Initiating a program file at the client

You can initiate a program file at the client through:

  • Logon Script-initiated Client Installation.

  • Manual installation of the SMS client.

  • Software distribution of the Advanced Client.

Logon Script-initiated Client Installation

If you choose to deploy the SMS client by using logon scripts, plan to use Logon Script-initiated Client Installation.

If a logon script is run when your users log on to their computers, one of the easiest ways to discover their computers and install the SMS client is to set up the logon script to include SMS client installation. You do this by using Logon Script-initiated Client Installation (Capinst.exe) and copying the program file (Capinst.exe) to a shared folder from which you run the installation.

If your logon scripts are shared across the organization or multiple business units, consider how you will organize the changes to the scripts. SMS administrators at multiple sites might require changes to the logon scripts to enable client installation, but to avoid confusion, you should plan and perform this task in a coordinated manner. For more information about modifying logon scripts to support client installation, see Appendix I: "Appendix I - Installing and Configuring SMS Clients."

To use Logon Script-initiated Client Installation, you must have a server locator point available, and you must have access to the program file Capinst.exe. When using Logon Script-initiated Client Installation to install Advanced Clients, a management point is also required. When you use Logon Script-initiated Client Installation to install Legacy Clients, a CAP is also required.

Capinst.exe is included with SMS 2003. By default, Capinst.exe does not install the SMS client software on domain controllers. For more information, see Appendix I: "Appendix I - Installing and Configuring SMS Clients."

Important

As a best practice, avoid installing the Legacy Client on domain controllers, especially domain controllers on slow network links.

If your environment does not have Active Directory, or if it does not have multiple server locator points registered in Active Directory, you should always specify the server locator point when you run Capinst.exe. Specify the server locator point every time you use Logon Script-initiated Client Installation; doing so avoids the excess network traffic that is otherwise required to find the server locator point. Similarly, if your clients cannot use Active Directory, you should specify the server locator point when you use Capinst.exe.

Be aware of the requirements for Logon Script-initiated Client Installation on clients that are running Windows NT 4.0 and Windows 98. Also, if the SMS site has only Active Directory site boundaries, then computers that cannot use Active Directory cannot become SMS clients with this method.

Manual installation of the SMS client

There are two manual installation methods:

  • Manual Client Installation (Smsman.exe)

  • Advanced Client Installer (Ccmsetup.exe)

Manual Client Installation uses CAPs to install the Legacy Client. Plan for the user or administrator to initiate Manual Client Installation at the computer. Use this method when you do not want to use an automated client installation method, for example, when you are testing SMS in your test lab environment. You can run Smsman.exe from a hard disk, a shared folder, a Web page, an e-mail message, or a floppy disk. Manual Client Installation can be run silently, and you can also use it to discover clients without installing them.

Advanced Clients can be manually installed by using Advanced Client Installer (Ccmsetup.exe). Advanced Client Installer is useful on computers that might not have a network session connected long enough to download the Advanced Client files. If the computer can download the small program file (Ccmsetup.exe) in one session, then the computer can download the remainder of the required Advanced Client Installer files over several network sessions.

The advantages of using Advanced Client Installer are:

  • If the network connection becomes unavailable while Advanced Client Installer is downloading the Advanced Client files to the client computer, the Advanced Client Installer resumes the file download from the point where it stopped after the network connection is restored.

  • When you apply an international client pack (ICP) to the SMS site server, the Advanced Client Installer applies the correct localization transform to Client.msi before the Advanced Client is installed.

  • Because Client.msi is available on the destination computer’s hard disk, you can repair the SMS client installation or apply patches to the Advanced Client software efficiently and completely.

Note

Efficient completion of repair is not guaranteed for a mobile computer performing a repair while it is offline and unable to connect to the Netlogon folder, the management point, or the distribution point if Client.msi is not local.

Software distribution of the Advanced Client

You can install the Advanced Client by using the same software distribution techniques that you use when you install any application software. You advertise Advanced Client components to collections that contain SMS Legacy Clients that you want to replace with the Advanced Client. Or, software distribution techniques other than SMS can be used, such as distribution of CDs containing the installation program, or Windows Group Policy using the Client.msi file that is installed on the site server during SMS Setup.

For more information about using this technique, see Appendix I: "Appendix I - Installing and Configuring SMS Clients."

Installing the Advanced Client on a computer master image

You can load Advanced Client software components on the computer when it is originally prepared for service in your organization. Typically, computer preparation work is done by an IT team in a staging area. The Advanced Client is installed on a client computer master image by installing core SMS client components without specifying an SMS site code for assignment. The computer is ready to be assigned to a site when it arrives at the location where it is used in production.

The master image with the SMS Advanced Client is automatically configured with an SMS GUID when SMS is installed. The Advanced Client detects that the computer has been prepared from a master image and creates a new GUID. This prevents duplication of SMS GUIDs on client computers when the Advanced Client software is loaded on computers before the computers are put into service in your organization.

To duplicate computers with the SMS Advanced Client

  1. Designate a master computer, which is the computer that will be duplicated to destination computers.

  2. Ensure that the SMS Agent Host service is not running. At the command prompt, type:

    net stop ccmexec

  3. On the original computer, run the Ccmdelcert.exe tool from the Systems Management Server 2003 Toolkit 1 available from the SMS downloads Web site. The tool deletes any certificates from a previous client.

  4. Create the image of the master computer using your imaging software.

  5. Restore the image on the destination computer.

Important

Because a Legacy Client installation to a master image cannot detect that the computer was prepared from a master image, the SMS GUID must be removed from the Legacy Client before the computer is removed from the staging area and placed in service. This can be done manually, preferably in the master image, or it can be done by the Windows System Preparation tool (Sysprep.exe).

For information about computer imaging and Advanced Client installation, see “Using Computer Imaging” in Appendix I: "Appendix I - Installing and Configuring SMS Clients."

Installing the SMS Client on International Clients

When you install an SMS site, the site software includes interface elements in the language that you have purchased. This includes the client components whose interface elements are in the same language. If you have some users at the site that use a different language, you can apply an ICP to the site.

ICPs are usually available at http://www.microsoft.com/smserver/default.asp, through TechNet, and other channels.

Installing Legacy Clients on Computers Running Terminal Services

Computers that are running Terminal Services require an additional procedure to install the SMS Legacy Client software. Client Push Installation cannot be used with computers that are running Terminal Services because the installation method does not configure Terminal Services clients for Installation mode before it attempts to install the SMS client software. You must install the Legacy Client manually on computers that are running Terminal Services, or you must use a script that runs the procedure. For more information, see Appendix I: "Appendix I - Installing and Configuring SMS Clients."

Installing Legacy Clients on Domain Controllers in Active Directory Domains

When you install the Legacy Client, the SMS Client Services and Client User Token accounts are created in the local account database. Domain controllers do not have local account databases. So, when you install the Legacy Client on domain controllers, these accounts must be created in the domain’s account database. In large Active Directory domains, the replication that is incurred when you create accounts can take an extended period of time. Large replications can consume substantial network bandwidth. The Legacy Client installation might not wait long enough for the accounts to replicate, and then the installation can fail. Client Push Installation repeatedly retries the installation, potentially resulting in additional replication traffic.

If you have these issues in your environment, here are some options to eliminate or minimize them:

  • Install the Advanced Client, not the Legacy Client, on domain controllers. This reduces the potential for problems, because the Advanced Client software does not use user accounts. By default, Logon Script-initiated Client Installation does not install an SMS client on domain controllers. Client Push Installation does not install an SMS client on domain controllers if you have cleared the Domain controllers option in the Client Push Installation Properties dialog box.

  • If you install SMS site systems on domain controllers, Client Push Installation does not install the Advanced Client or the Legacy Client on domain controllers when you have not selected the Enable Client Push Installation to site systems option and the Domain controllers option in the Client Push Installation Properties dialog box.

  • On the primary domain controller (or primary domain controller emulator), create a REG_DWORD registry value named Enable Domain User Group Membership under the subkey HKLM\SOFTWARE\Microsoft\SMS\Client\Configuration\Domain Controllers. Set it to a non-zero value. SMS does not attempt to remove the client accounts from the Domain Users group, which reduces network traffic.

  • On the primary domain controller (or primary domain controller emulator), create a REG_DWORD registry value named Account Synchronization Max Wait (minutes) under HKLM\SOFTWARE\Microsoft\SMS\Client\Configuration\Domain Controller. Set it to a value larger than the default of 60. The SMS client installation waits this period of time for the account replication to complete.

Assigning Clients to SMS Sites

Each SMS client is assigned to only one SMS site. The Legacy Client site assignment process operates differently than the Advanced Client site assignment. Table C.4 shows how you can assign clients to SMS sites based on the client installation technique or method that you use. For information about specific techniques used to assign clients to SMS sites, see Appendix I: "Appendix I - Installing and Configuring SMS Clients."

Note

If a client has multiple network cards (possibly a LAN network card and a dial-up modem), and therefore has multiple IP addresses, the network card that is bound first is used for evaluating Advanced Client site assignment.

Table C.4   Planning for Assignment Techniques or Methods

| Client installation method or technique | How client is assigned |
| --- | --- |
| Logon Script-initiated Client Installation (Capinst.exe used without switches) | The installation method attempts to find a server locator point, which attempts to locate an SMS site that is appropriate for the client. |
| Logon Script-initiated Client Installation (Capinst.exe used with the /SLP= switch) | The specified server locator point attempts to locate an SMS site that is appropriate for the client. |
| Manual Client Installation (SMSman.exe) | The Legacy Client is assigned to the site of the CAP that is specified by SMSman.exe (or the Systems Management Installation Wizard) if the client is within the site boundaries. |
| Client Push Installation | The client is already assigned by the discovery method. |
| Advanced Client Installer (Ccmsetup.exe) | The Advanced Client uses Active Directory or server locator points to locate an SMS site that is appropriate for the client, or a site is specified on the Advanced Client Installer command line using SMSSITECODE. |
| Software distribution | Use the Systems Management icon in Control Panel to set the site to a valid site code or automatically detect the site by clicking Discover. |
| Software distribution (site specified for assignment) | Use the SMSSITECODE property to specify the site code. |
| Software distribution (automatic assignment) | Use the SMSSITECODE property to specify the site code as AUTO. The Advanced Client uses Active Directory or the server locator point to locate an SMS site that is appropriate for the client. |
| Advanced Client installation on a master computer image | Use the Systems Management icon in Control Panel to set the site to a valid site code or automatically detect the site by clicking Discover. |

Assigning Advanced Clients

The Advanced Client is assigned to an SMS site when the core SMS software components are installed, or it is assigned after installation. Its assignment is based on the roaming boundary that the client is in. You can install the SMS software components on the Advanced Client without assigning the client to an SMS site. After it is assigned to an SMS site, the Advanced Client does not change its site assignment.

Advanced Client installation is controlled through different means. Advanced Clients can be assigned to an SMS site or they can automatically determine a site to be assigned to at installation time. You can also later manually assign an Advanced Client’s site to a different site, set it to automatically determine a site to be assigned to, or assign it to no site. When an Advanced Client is assigned to a site, it maintains that site assignment unless an SMS administrator changes the assignment.

For Advanced Clients, determine whether you want to assign the Advanced Client to an SMS site when the Advanced Client software is installed. If you want automatic assignment of Advanced Clients to occur, plan to configure the client to automatically determine a site. If you are not sure which SMS site the Advanced Client computer will eventually belong to, then plan to manually assign the client to an SMS site later.

With manual site assignment, even if the Advanced Client does not currently reside within roaming boundaries, it is still assigned to the site you specify. If the Advanced Client is not configured to automatically determine a site, and it is not set to a specific site, it is not assigned to a site and remains dormant, but its installation continues.

Assigning Legacy Clients

Legacy Client site assignment is controlled by SMS site boundary configuration. The Legacy Client is automatically assigned to an SMS site based on the site boundary it is in when the core SMS software components are installed. To ensure proper site assignment when you are using Active Directory site boundaries, be sure that your clients can use Active Directory. For example, clients that are running Windows 98 cannot be assigned to an SMS site based on Active Directory site boundaries.

Remember that if the site boundaries that a Legacy Client is in are removed, or if the Legacy Client moves out of the boundaries of its assigned site, the SMS client software is automatically removed from the computer. The exceptions to this are if Travel Mode is enabled on the Legacy Client or if the Forced Sites tool (Site4c.exe) has been used. If the Legacy Client is no longer assigned to an SMS site, it removes the SMS client software.

Important

Computers that are not running Windows XP or operating systems in the Windows 2000 and Windows Server 2003 families cannot belong to Active Directory sites. Those computers cannot be assigned to SMS sites based on membership in Active Directory sites. They can be assigned based only on IP address.

If an individual computer runs an SMS discovery or installation method and then installs the Legacy Client, then it cannot be specifically included or excluded in the assignment process; it is assigned just like all the computers in that subnet or Active Directory site. If you do not want a particular computer to be an SMS Legacy Client, you must ensure that all SMS discovery and installation methods are configured in such a way that they do not run on the computer.

When the core Legacy Client software components are installed, you can specify a CAP or a list of CAPs. If the Legacy Client is in the site boundaries of one or more of those CAPs, it is assigned to the first site associated with those CAPs. If the client does not match the boundaries of any site, it is unassigned and its software is removed.

Forcing Client Assignment

If some of your Legacy Clients do not fall within SMS site boundaries, but you want to assign them to a site, you can force them to report to a site by using the Forced Sites tool (Site4c.exe). For information about using this tool, run the Forced Sites tool with the /? switch. The Forced Sites tool is available for download with the SMS 2.0 Support Tools at http://go.microsoft.com/smserver/downloads/20/default.asp.

Note

You can force Advanced Client assignment during client installation or by using the Systems Management icon in Control Panel. The Forced Sites tool is not applicable to Advanced Clients.

Evaluating Subnet Membership

SMS can use IP subnets as SMS site boundaries and roaming boundaries. If you use IP subnets as a means to determine SMS site assignment, you must add the appropriate IP subnets as boundaries to relevant SMS sites. Usually, each SMS site has a unique collection of subnets. Subnets should not be specified as boundaries in more than one SMS site. This allows each site to have a unique set of SMS clients. This section helps you evaluate which subnets your computers are in.

IP Subnets

Network equipment uses IP subnets to determine which logical network segment a computer is in on a TCP/IP network. Any computers with the same subnet ID are logically close to each other and can communicate directly. Computers on the same subnet do not need intermediate network equipment to assist with the communication.

Computers on different subnets might be distant from each other. For example, they might be across slow network links, like a WAN link. Subnets are an effective way to map computers to physical locations.

For many organizations, a single subnet is not large enough to serve all the computers in a single physical location. Therefore, multiple subnets are used for a single location, even though the computers are physically close to each other. In this situation, multiple subnets are used to map computers to a physical location.

In the preplanning phase, you obtained a list of subnets for your SMS sites from the network administrators who set up your computer network. If you need to confirm this information, you can determine an IP subnet ID by applying the client computer’s IP subnet mask to its IP address. The subnet is the portion of the client’s address that is selected by the subnet mask; the remaining portion identifies the computer within that subnet. To obtain the subnet ID, convert the IP address and subnet mask to binary numbers, keep the bits in the IP address whose corresponding bits are set in the subnet mask, and then convert the result back to decimal. The result is the subnet ID.

Alternatively, you can use the script in Listing C.1 to determine the subnet ID for a computer’s given IP address and subnet mask. You can use the resulting subnet as a site boundary or roaming boundary for the SMS site.

If the computer has multiple network adapters, the script in Listing C.1 displays the subnet IDs for each network adapter.

Network adapters that have multiple addresses are called “multihomed.” The script in Listing C.1 does not display the subnet IDs for multihomed network adapters.

Listing C.1   Script (Subnet.vbs), used to display the subnet ID for the computer’s given IP addresses and subnet mask

'subnet.vbs - displays the subnet for the computer's (or given) IP
'             addresses and subnet masks

Set Arguments = Wscript.Arguments
If Wscript.Arguments.Count=2 Then 
       SubNetIT Arguments(0), Arguments(1)
       Wscript.Echo ""
Else
       Set loc = CreateObject( "WbemScripting.SWbemLocator" )
       Set WbemServices = loc.ConnectServer( ,"root\cimv2" )

       Set Adapters=WbemServices.ExecQuery( "Select * FROM" & _
" Win32_NetworkAdapterConfiguration" )
       For Each Adapter in Adapters
              If NOT IsNull( Adapter.IPAddress) Then 
                     WScript.Echo "Description: ", Adapter.Description
                     SubNetIt Adapter.IPAddress(0), Adapter.IPSubnet(0)
                     WScript.Echo ""
              End If
       Next

       WScript.Echo "You can also specify an address and subnet mask as " & _
"parameters to this script."
       WScript.Echo ""

End If

WScript.Echo "At least one subnet must be a site's boundary for this computer"
WScript.Echo "to be assigned as a client."

Sub SubNetIt( Address, Subnet )

       WScript.Echo "IP address:  ", Address
       WScript.Echo "subnet mask: ", Subnet

       dim addressbytes(4)
       dim subnetmaskbytes(4)

       ' Split the dotted-decimal address into its four octets.
       i=0
       period = 1
       while period<>len( address ) + 2
              prevperiod=period
              period = instr( period+1, address, "." ) + 1
              ' No further period found: point past the end so the last octet is read.
              if period = 1 then period = len( address ) + 2
              addressbyte = mid( address, prevperiod, period-prevperiod-1 )
              addressbytes(i)=addressbyte
              i=i+1
       wend

       ' Split the subnet mask the same way.
       i=0
       period = 1
       while period<>len( subnet ) + 2
              prevperiod=period
              period = instr( period+1, subnet, "." ) + 1
              if period = 1 then period = len( subnet ) + 2
              subnetmaskbyte = mid( subnet, prevperiod, period-prevperiod-1 )
              subnetmaskbytes(i)=subnetmaskbyte
              i=i+1
       wend

       ' Bitwise AND of each address octet with the matching mask octet gives the subnet ID.
       subnet=""
       for i=0 to 3
              subnet = subnet & (addressbytes(i) AND subnetmaskbytes(i)) & "."
       next
       subnet = left( subnet, len(subnet)-1 )
       WScript.Echo "subnet:      ", subnet

End Sub
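
The boundary rules in this section (a subnet belongs to only one site, at least one of a computer's subnets must be a site boundary, and the first-bound adapter decides Advanced Client assignment) can be checked offline against an inventory export before any discovery or installation method is enabled. The following Python script is an added example, not part of the original SMS documentation; the site codes, computer names and addresses are constructed sample data, adapter list order is assumed to be binding order, and unlike Listing C.1 it evaluates every address on a multihomed adapter.

```python
from collections import defaultdict


def parse_ipv4(text):
    """Convert dotted-decimal text to a 32-bit integer, rejecting malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for part in parts:
        if not (part.isascii() and part.isdigit()) or int(part) > 255:
            raise ValueError(f"bad octet {part!r} in {text!r}")
        value = (value << 8) | int(part)
    return value


def format_ipv4(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_id(address, mask):
    """Keep the address bits that are set in the mask (bitwise AND)."""
    mask_value = parse_ipv4(mask)
    host_bits = ~mask_value & 0xFFFFFFFF
    # A usable mask is a run of 1 bits followed by 0 bits, so the host part is 2**k - 1.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return format_ipv4(parse_ipv4(address) & mask_value)


def boundary_index(site_boundaries):
    """Map each boundary subnet ID to the set of site codes that list it."""
    index = defaultdict(set)
    for site, subnets in site_boundaries.items():
        for subnet in subnets:
            index[subnet].add(site)
    return index


def overlapping_boundaries(index):
    """Subnets configured as a boundary in more than one site."""
    return {subnet: sorted(sites) for subnet, sites in index.items() if len(sites) > 1}


def evaluate_client(adapters, index):
    """adapters: list in binding order (assumption); each is a list of (ip, mask) pairs."""
    per_adapter = [[subnet_id(ip, mask) for ip, mask in adapter] for adapter in adapters]

    def sites_for(subnets):
        return sorted({site for s in subnets for site in index.get(s, ())})

    every = [s for adapter in per_adapter for s in adapter]
    return {
        "subnets": per_adapter,
        "sites_any_adapter": sites_for(every),
        "sites_first_adapter": sites_for(per_adapter[0]) if per_adapter else [],
    }


def audit(inventory, site_boundaries):
    """Return (computer, problem) pairs that need a decision in the deployment plan."""
    index = boundary_index(site_boundaries)
    findings = []
    for name, adapters in sorted(inventory.items()):
        result = evaluate_client(adapters, index)
        if not result["sites_any_adapter"]:
            findings.append((name, "no subnet is a site boundary"))
        elif len(result["sites_any_adapter"]) > 1:
            findings.append((name, "subnets match more than one site"))
        elif not result["sites_first_adapter"]:
            findings.append((name, "first-bound adapter is outside every boundary"))
    return findings


# Constructed sample data: hypothetical site codes, names and private addresses.
SITE_BOUNDARIES = {
    "A01": ["10.1.0.0", "10.1.16.0", "192.168.10.0"],
    "B02": ["10.2.0.0", "192.168.10.0"],  # 192.168.10.0 is duplicated on purpose
}
INVENTORY = {
    "WS-001": [[("10.1.17.25", "255.255.240.0")]],
    "WS-002": [[("192.168.10.77", "255.255.255.0")]],
    "LT-003": [[("172.16.5.9", "255.255.255.0")], [("10.2.3.4", "255.255.0.0")]],
    "SRV-004": [[("10.9.9.9", "255.255.255.0"), ("10.1.0.50", "255.255.240.0")]],
    "WS-005": [[("10.3.1.1", "255.255.255.0")]],
}

if __name__ == "__main__":
    for subnet, sites in overlapping_boundaries(boundary_index(SITE_BOUNDARIES)).items():
        print(f"boundary {subnet} is listed in sites {', '.join(sites)}")
    for name, problem in audit(INVENTORY, SITE_BOUNDARIES):
        print(f"{name}: {problem}")
```

Computers reported with no matching boundary are the ones that would stay unmanaged, so resolve those findings and any duplicated boundary before enabling Client Push Installation.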

Evaluating Active Directory Site Membership

SMS can use Active Directory site names as SMS site boundaries and roaming boundaries. One advantage to using Active Directory sites as SMS site boundaries or roaming boundaries is that when subnets are added to an Active Directory site that is contained in SMS boundaries, you do not have to add the subnets to your SMS site configuration. If the Active Directory site is added as a boundary, no further configuration in SMS is required. SMS clients in the newly added subnet are assigned to the Active Directory site, which is already equated to the SMS site, and the clients are assigned to the SMS site. If you use Active Directory site names to determine SMS site assignment, you must add the appropriate Active Directory site names as boundaries to relevant SMS sites.

You use IP subnets to evaluate Active Directory site assignment. This assignment is evaluated during logon by the operating system, not by the SMS client software.

Active Directory sites and site assignment are described in Chapter 3: “Name Resolution in Active Directory,” in the Microsoft Windows 2000 Server Distributed Systems Guide in the Microsoft Windows 2000 Server Resource Kit.

You can determine which Active Directory site a client is assigned to by examining the following registry value: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DynamicSiteName

The site assignment process can be overridden by using the following registry value: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\SiteName

Listing C.2 is a script that displays which Active Directory site is assigned to the computer that you run the script on.

Listing C.2   Script (Site.vbs), used to display which Active Directory site the computer belongs to

Set WshShell = Wscript.CreateObject("Wscript.Shell")
On Error Resume Next
Site = "Not Assigned"
Site =  WshShell.RegRead( "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\" & _ 
                           "Services\Netlogon\Parameters\SiteName" )
If Err.Number=-2147024894 Then
       Site = WshShell.RegRead( "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\" & _
                           "Services\Netlogon\Parameters\DynamicSiteName" )
End If

If Site = "Not Assigned" Then
       WScript.Echo "This computer is not assigned to an Active Directory site."
Else
       WScript.Echo "This computer is assigned to Active Directory site: " & site
End If