Plan for the SMS Provider

Applies to: Configuration Manager (current branch)

To manage Configuration Manager, you use a Configuration Manager console that connects to an instance of the SMS Provider. By default, an SMS Provider is installed on the site server when you install a central administration site or a primary site.

About the SMS Provider

The SMS Provider is a Windows Management Instrumentation (WMI) provider that provides read and write access to the Configuration Manager database at a site.

  • Each central administration site and primary site requires at least one SMS Provider. You can install additional providers as needed.

  • The SMS Admins security group grants access to the SMS Provider. Configuration Manager automatically creates this group on the site server and on each computer where you install an instance of the SMS Provider. For more information, see SMS Admins.

  • Secondary sites don't support the SMS Provider role.

Configuration Manager administrative users use an SMS Provider to access information that's stored in the site database. To do so, they use the Configuration Manager console, Resource Explorer, tools, and custom scripts. The SMS Provider doesn't interact with Configuration Manager clients. When a Configuration Manager console connects to a site, it queries WMI on the site server to locate an instance of the SMS Provider to use.

The SMS Provider helps enforce Configuration Manager security: it returns only the information that the console user is authorized to view. Because that filtering happens in the provider rather than in the console, it applies equally to scripts and SDK clients that call the provider directly.

The SMS Provider also provides API interoperability access over HTTPS, called the administration service. This REST API can be used in place of a custom web service to access information from the site. For more information, see What is the administration service?

Important

When every instance of the SMS Provider for a site is offline, Configuration Manager consoles can't connect to that site.

For more information about how to manage the SMS Provider, see Manage the SMS Provider.

Installation prerequisites

To support the SMS Provider, the target server must meet the following prerequisites:

  • It's in the same domain as the site server and the site database site systems.

  • It doesn't host a site system role from a different site.

  • It doesn't already host an SMS Provider from any site.

  • It runs a supported OS version.

  • It has at least 650 MB of free disk space to support the Windows ADK components. For more information about the Windows ADK and the SMS Provider, see OS deployment requirements.

  • For the administration service REST API:

    • .NET 4.5 or later

    • The Windows Server role Web Server (IIS) is enabled

      Note

      Every SMS Provider attempts to install the administration service, which requires a certificate. The service depends on IIS to bind that certificate to HTTPS port 443. If you enable Enhanced HTTP, the site binds that certificate by using IIS APIs. If your site uses PKI, you need to manually bind a PKI certificate in IIS on the SMS Provider. Starting in version 2002, the site automatically uses the site's self-signed certificate.
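As an added example, not part of the Microsoft documentation, the following PowerShell script checks the prerequisites listed above on a candidate server before you run setup: domain membership relative to the site server, absence of an existing SMS Provider, free disk space for the Windows ADK, the .NET Framework version, the Web Server (IIS) role, and a server OS. The site server name is an assumption. The "no site system role from a different site" prerequisite isn't checked because it needs knowledge of every site in the hierarchy; the supported-OS list is reported, not enforced.

```powershell
# Added example (not Microsoft's code). Run locally on the candidate SMS Provider
# host with administrative rights. Windows PowerShell 5.1 on Windows Server.
param(
    [string]$SiteServer = 'cm01.corp.example.com'   # assumed name; replace with your site server
)

$result = [ordered]@{}

# 1. Same AD domain as the site server.
$localDomain = (Get-CimInstance Win32_ComputerSystem).Domain
$siteDomain  = ($SiteServer -split '\.', 2)[1]
$result['SameDomainAsSiteServer'] = ($localDomain -eq $siteDomain)

# 2. No SMS Provider already installed here. A provider host exposes root\SMS,
#    and SMS_ProviderLocation there names every provider machine it knows about.
$existing = $null
try {
    $existing = Get-CimInstance -Namespace 'root\SMS' -ClassName SMS_ProviderLocation -ErrorAction Stop |
        Where-Object { $_.Machine -like "$($env:COMPUTERNAME)*" }
} catch {
    # root\SMS is absent, so there is no provider on this computer.
}
$result['NoExistingProvider'] = ($null -eq $existing)

# 3. Free disk space on the system drive for the Windows ADK components (650 MB).
$sysDisk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$result['FreeSpaceMB']     = [math]::Round($sysDisk.FreeSpace / 1MB)
$result['EnoughDiskSpace'] = ($sysDisk.FreeSpace -ge 650MB)

# 4. .NET Framework 4.5 or later for the administration service. The registry
#    Release value 378389 corresponds to .NET Framework 4.5.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$result['DotNet45OrLater'] = ($null -ne $ndp -and [int]$ndp.Release -ge 378389)

# 5. Web Server (IIS) role, which the administration service needs in order to
#    bind its certificate to HTTPS port 443.
$iis = Get-WindowsFeature -Name Web-Server -ErrorAction SilentlyContinue
$result['IisInstalled'] = ($null -ne $iis -and $iis.Installed)

# 6. Server OS. The version is reported so you can compare it with the
#    supported-OS list; only "is a server SKU" is enforced here.
$os = Get-CimInstance Win32_OperatingSystem
$result['OSVersion']  = $os.Version
$result['IsServerOS'] = ($os.ProductType -ne 1)   # 1 = workstation

$report = [pscustomobject]$result
$report | Format-List

$failed = @('SameDomainAsSiteServer', 'NoExistingProvider', 'EnoughDiskSpace',
            'DotNet45OrLater', 'IisInstalled', 'IsServerOS') |
          Where-Object { -not $report.$_ }
if ($failed) { Write-Warning "Prerequisites not met: $($failed -join ', ')" }
```

Run it once on the target before setup; a failure in NoExistingProvider is the one to take seriously, because setup refuses a computer that already hosts a provider for any site.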

Locations

When you install a site, you automatically install the first SMS Provider for the site. An SMS Provider can be placed in any of the supported locations described under Choosing a location below.

To view the locations of each SMS Provider for a site:

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and then select the Sites node.

  2. Select the desired site from the list, and then choose Properties in the ribbon.

  3. On the General tab of the site Properties, view the SMS Provider location field.

Each SMS Provider supports multiple simultaneous connections. The only limits on these connections are the number of server connections available to Windows and the resources available on the server to service the connection requests.

After you install a site, you can run Configuration Manager setup on the site server again. Use setup to change the location of an existing SMS Provider, or to install additional SMS Providers at that site. Install only one SMS Provider on a computer. A computer can't host an SMS Provider for more than one site.

Choosing a location

The following sections describe the advantages and disadvantages of installing an SMS Provider in each supported location:

Configuration Manager site server

  • Advantages:

    • The SMS Provider doesn't use the system resources of the site database computer.

    • This location can provide better performance than an SMS Provider located on a computer other than the site server or the site database computer.

  • Disadvantages:

    • The SMS Provider uses system and network resources that could otherwise be dedicated to site server operations.

SQL Server that hosts the site database

  • Advantages:

    • The SMS Provider doesn't use system resources on the site server.

    • This location can provide the best performance of the three locations, if sufficient server resources are available.

  • Disadvantages:

    • The SMS Provider uses system and network resources that could otherwise be dedicated to site database operations.

    • When the site database is hosted on a clustered instance of SQL Server, you can't use this location.

Computer other than the site server or site database server

  • Advantages:

    • The SMS Provider doesn't use site server or site database system resources.

    • This type of location lets you deploy additional SMS Providers to provide high availability for connections.

  • Disadvantages:

    • SMS Provider performance might be reduced, because of the additional network activity required to coordinate with the site server and the site database computer.

    • This server must always be accessible to the site database server and to every computer that has the Configuration Manager console installed.

    • This location uses system resources that would otherwise be dedicated to other services.

Authentication

Starting in version 1810, you can specify the minimum authentication level for administrators to access Configuration Manager sites. This feature requires administrators to sign in to Windows at the required level. It applies to all components that access the SMS Provider, for example the Configuration Manager console, SDK methods, and Windows PowerShell cmdlets.

Configure authentication

To configure this setting, first sign in to Windows with the intended authentication level.

Important

This configuration is a hierarchy-wide setting. Before you change it, make sure that all Configuration Manager administrators can sign in to Windows with the required authentication level, because the site rejects actions from users who don't meet it.

To configure this setting, use the following steps:

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node.

  2. Select Hierarchy Settings in the ribbon.

  3. Switch to the Authentication tab. Select the desired authentication level, and then select OK.

    • Only when necessary, select Add to exclude specific users or groups. For more information, see Exclusions.

Authentication levels

The following levels are available:

  • Windows authentication: Require authentication with Active Directory domain credentials. This setting is the previous behavior and the current default. When you update the site, the authentication level doesn't change.

  • Certificate authentication: Require authentication with a valid certificate that's issued by a trusted PKI certificate authority. You don't configure this certificate in Configuration Manager; Configuration Manager requires the administrator to be signed in to Windows by using PKI.

  • Windows Hello for Business authentication: Require strong two-factor authentication that's tied to a device and uses biometrics or a PIN. For more information, see Windows Hello for Business.

    Important

    When you select this setting, the SMS Provider and the administration service require the user's authentication token to contain a multi-factor authentication (MFA) claim from Windows Hello for Business. In other words, a user of the console, the SDK, PowerShell, or the administration service has to authenticate to Windows with their Windows Hello for Business PIN or biometric. Otherwise the site rejects the user's action. Note that this behavior applies to Windows Hello for Business, not to Windows Hello.

Exclusions

From the Authentication tab of Hierarchy Settings, you can also exclude certain users or groups. Use this option sparingly: for example, when specific users require access to the Configuration Manager console but can't authenticate to Windows at the required level. It may also be necessary for automation or services that run under the context of a system account. Every excluded account can reach the SMS Provider with Windows credentials alone, so keep the list short and review it regularly.

About SMS Provider languages

The SMS Provider operates independently of the display language of the server where you install it.

When an administrative user or a Configuration Manager process requests data by using the SMS Provider, it attempts to return that data in a format that matches the OS language of the requesting computer.

The way it attempts to match the language is indirect. The SMS Provider doesn't translate information from one language to another. When it returns data for display in the Configuration Manager console, the display language of the data depends on the source of the object and the type of storage.

When Configuration Manager stores data for an object in the database, the available languages depend on the following factors:

  • Configuration Manager stores the objects that it creates with support for multiple languages. It stores the object in the site database in the languages that you configure for the site when you run setup. The Configuration Manager console displays these objects in the display language of the requesting computer when that language is available for the object. If the console can't display the object in the display language of the requesting computer, it displays the object in the default language, English.

  • Configuration Manager stores objects that an administrative user creates in the language that was used to create the object. These objects display in the Configuration Manager console in that same language. The SMS Provider can't translate them, and they don't have multiple language options.

Use multiple SMS Providers

After a site completes installation, you can install additional SMS Providers for the site. To install additional SMS Providers, run Configuration Manager setup on the site server.

Consider installing additional SMS Providers when any of the following are true:

  • Many administrative users need to use the Configuration Manager console and connect to a site at the same time.

  • You use the Configuration Manager SDK, or other products, that might introduce frequent calls to the SMS Provider.

  • You have a business requirement for high availability of the SMS Provider.

When you install multiple SMS Providers at a site, the site randomly assigns each new connection request to one of the installed SMS Providers. You can't specify which SMS Provider a particular connection session uses.

Note

Consider the advantages and disadvantages of each SMS Provider location. For more information, see Locations. Balance those considerations against the fact that you can't control which SMS Provider is used for each new connection.

When you first connect a Configuration Manager console to a site, the connection queries WMI on the site server. This query identifies the instance of the SMS Provider that the console uses. The console keeps using that specific instance until the session ends. If the session ends because the SMS Provider server is unavailable on the network, the console repeats the initial query when you reconnect it to the site. It's possible that the site assigns the same, unavailable SMS Provider instance. If this happens, reconnect the console until the site returns an available SMS Provider.

About the SMS Provider namespace

The Configuration Manager WMI schema defines the structure of the SMS Provider. Schema namespaces describe the location of Configuration Manager data within the SMS Provider schema. The following table contains some of the common namespaces that the SMS Provider uses:

  Namespace                        Description
  Root\SMS\site_<site code>        The SMS Provider itself, used extensively by the Configuration Manager console, Resource Explorer, Configuration Manager tools, and scripts.
  Root\SMS\SMS_ProviderLocation    The location of the SMS Provider computers for a site.
  Root\CIMv2                       The location inventoried for WMI namespace information during hardware and software inventory.
  Root\CCM                         Configuration Manager client configuration policies and client data.
  Root\CIMv2\SMS                   The location of the inventory reporting classes that the inventory client agent collects. Clients compile these settings during computer policy evaluation, based on the client settings configuration for the computer.
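The console steps under Locations, the connection behavior described under Use multiple SMS Providers, and the Root\SMS namespaces in the table above come together in the following PowerShell script, added here as an example and not taken from the Microsoft documentation. It issues the same SMS_ProviderLocation query the console does against the site server, then does what the console can't: it probes each registered provider and pins the first one that answers, so an offline provider doesn't stall the script. The site server name is an assumption; the script must run as a member of the SMS Admins group on the provider hosts.

```powershell
# Added example (not Microsoft's code). Windows PowerShell 5.1, run from any
# domain-joined computer by a user who is in SMS Admins on each provider host.
param(
    [string]$SiteServer = 'cm01.corp.example.com'   # assumed name; replace with your site server
)

# Step 1: the query the console issues at connect time, against root\SMS on the
# site server. One SMS_ProviderLocation instance exists per registered provider.
$providers = @(Get-CimInstance -ComputerName $SiteServer -Namespace 'root\SMS' `
                   -ClassName SMS_ProviderLocation |
               Where-Object { $_.ProviderForLocalSite })
if ($providers.Count -eq 0) { throw "No SMS Provider registered on $SiteServer." }

'SMS Providers registered for this site:'
$providers | Select-Object Machine, SiteCode, NamespacePath | Format-Table -AutoSize

# Step 2: a script, unlike the console, can choose its provider. Probe each host
# with a cheap query (SMS_Site is always present in the site namespace) and keep
# the first that answers.
$session = $null
foreach ($p in $providers) {
    $s = $null
    try {
        $s = New-CimSession -ComputerName $p.Machine -ErrorAction Stop
        $null = Get-CimInstance -CimSession $s -Namespace "root\SMS\site_$($p.SiteCode)" `
                    -ClassName SMS_Site -ErrorAction Stop
        $session = $s
        "Using SMS Provider on $($p.Machine)"
        break
    } catch {
        Write-Warning "SMS Provider on $($p.Machine) not usable: $($_.Exception.Message)"
        if ($s) { Remove-CimSession $s }
    }
}
if (-not $session) { throw 'No SMS Provider for the site is reachable.' }

# Step 3: work through the chosen provider. The provider applies role-based
# administration, so these queries return only what the caller is allowed to see.
$ns = "root\SMS\site_$($providers[0].SiteCode)"
Get-CimInstance -CimSession $session -Namespace $ns -ClassName SMS_Site |
    Select-Object SiteCode, SiteName, Type, ServerName | Format-Table -AutoSize
Get-CimInstance -CimSession $session -Namespace $ns -ClassName SMS_Admin |
    Select-Object LogonName, IsGroup, @{ n = 'Roles'; e = { $_.RoleNames -join ', ' } } |
    Format-Table -AutoSize
Remove-CimSession $session
```

Targeting a provider host explicitly in this way is how a script avoids the random assignment the console gets; it also means the script's behavior depends on that one host being reachable, so keep the probe loop rather than hard-coding a single provider.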

OS deployment requirements

The computer where you install an instance of the SMS Provider requires a supported version of the Windows ADK.

For more information about this requirement, see Infrastructure requirements for OS deployment and Support for Windows 10.

When you manage OS deployments, the Windows ADK lets the SMS Provider complete tasks such as:

  • View WIM file details

  • Add driver files to existing boot images

  • Create boot ISO files

The Windows ADK installation can require up to 650 MB of free disk space on each computer that hosts an SMS Provider. This disk space is needed for Configuration Manager to install the Windows PE boot images.

Administration service

The SMS Provider provides API interoperability access over an HTTPS OData connection, called the administration service. This REST API can be used in place of a custom web service to access information from the site.

For more information, see What is the administration service?
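Because the administration service may be running on the site's self-signed certificate (see the note under Installation prerequisites), the tempting shortcut is to turn off certificate validation. The following PowerShell script, added here as an example and not part of the Microsoft documentation, shows the safer alternative: read the certificate the provider presents on port 443, compare its thumbprint with the one you expect, and pin exactly that certificate for the session before sending Windows credentials. The provider name and thumbprint are assumptions; take the thumbprint from the site's self-signed certificate or from your PKI-issued one. The pinning callback is a Windows PowerShell 5.1 mechanism.

```powershell
# Added example (not Microsoft's code). Windows PowerShell 5.1; the
# ServicePointManager callback does not apply to Invoke-RestMethod in PowerShell 7.
param(
    [string]$Provider   = 'cm01.corp.example.com',                    # assumed name
    [string]$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed value
)

function Get-RemoteCertificate {
    # Fetch the leaf certificate the provider presents on 443 without trusting it,
    # so the thumbprint can be checked before any authenticated request is made.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$cert = Get-RemoteCertificate -HostName $Provider
if ($cert.Thumbprint -ne $Thumbprint.ToUpperInvariant()) {
    throw "Certificate on $Provider has thumbprint $($cert.Thumbprint), expected $Thumbprint. Not sending credentials."
}

# Pin this exact certificate for the session. This replaces, rather than
# disables, chain validation, which a self-signed site certificate would fail.
$expected = $cert.Thumbprint
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $certificate, $chain, $errors)
    $certificate.GetCertHashString() -eq $expected
}.GetNewClosure()

try {
    # WMI route: /AdminService/wmi/<class name>. Responses are OData; rows are in .value.
    $uri   = "https://$Provider/AdminService/wmi/SMS_Site"
    $sites = (Invoke-RestMethod -Uri $uri -UseDefaultCredentials).value
    $sites | Select-Object SiteCode, SiteName, Type, ServerName | Format-Table -AutoSize

    # v1.0 route: entity endpoints that accept OData query options.
    $uri = "https://$Provider/AdminService/v1.0/Device?`$select=Name,LastLogonUser&`$top=5"
    (Invoke-RestMethod -Uri $uri -UseDefaultCredentials).value | Format-Table -AutoSize
} finally {
    # The callback is process-wide; always clear it so later requests validate normally.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}
```

The same role-based administration that scopes console and WMI results applies to these responses, and the hierarchy's minimum authentication level applies to the Windows token that `-UseDefaultCredentials` sends, so an account signed in below that level gets a rejection here just as it would in the console.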