This guide assumes that you have first installed and configured IIS and then installed SMS as outlined here. In addition, you should have configured SMS as described here.
Step 1. Make sure the System Management container in Active Directory has the correct permissions for SMS.
In other words, we will make sure the local computer (the server SMS is running on, in this case WINDOWS-DOBMTWV) has full access to this particular area in Active Directory. Normally we wouldn't grant Full Access, but this is just for the purposes of getting SMS running. For more info on creating and configuring the AD System Management container for SMS, see here.
Start up the Active Directory Users and Computers console.
Make sure that Advanced Features is selected under the View option.
Once it is, in the left pane select System, and then scroll down to the System Management Container.
Right-click it and choose Properties, then select the Security tab (it should be the third tab in Windows 2003 Server SP1; it may be different in SP2). Verify that your SMS server computer account is listed in the Group or user names list, scrolling down to check. If it is not there, add it by clicking on Add.
Click on Object types, then select Computers (by default it's not selected).
Click on OK and then click on Advanced to expand the view, then Find now.
When you see your computer listed, highlight it and click OK. Click OK again to add it to the Security tab.
Now that we have added it, we need to edit its security permissions to make sure that the permissions apply to both the container and child objects. So let's click on Advanced.
At this point you should see your computer name listed, but with read permissions that apply to This object only. We are going to change that to Full access to This object and all Child objects. To do so, highlight our computer name and click on Edit.
In the window that appears, click the drop-down menu called Apply onto: and select This object and all Child objects.
Once done, click on Full Control for the Allow permissions, plus select 'Apply these permissions to objects and/or containers within this container only.' Click OK when done. In an enterprise, please verify the correct AD permissions for this container and set them accordingly; for advice on this, please visit TechNet.
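The result of Step 1 can be checked from PowerShell instead of by eye in the Security tab. The script below is an added example, not part of the original guide: it only reads the container's ACL, lists every account holding Full Control, and flags whether the site server's entry covers child objects. It assumes a domain-joined machine with PowerShell available and uses the example server name from this page; the function name is hypothetical.

```powershell
# Added example: read-only audit of the ACL that Step 1 sets on the
# System Management container. Nothing here modifies the directory.
# Assumption: the site server is the page's example host; computer accounts end in '$'.
$SiteServer = 'WINDOWS-DOBMTWV$'

function Get-SystemManagementFullControl {
    param([string]$SiteServerAccount)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $path     = "LDAP://CN=System Management,CN=System,$domainDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Container not found: $path"
    }
    $container = [ADSI]$path
    # Explicit and inherited ACEs, with SIDs translated to DOMAIN\name form.
    $rules = $container.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    $genericAll = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ace in $rules) {
        $isAllow = $ace.AccessControlType -eq 'Allow'
        $isFull  = ([int]$ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll
        if (-not ($isAllow -and $isFull)) { continue }
        $name         = $ace.IdentityReference.Value
        $isSiteServer = $name -like "*\$SiteServerAccount"
        # 'All' is what the GUI shows as "This object and all child objects".
        $coversChildren = $ace.InheritanceType -eq 'All'
        New-Object PSObject -Property @{
            Identity     = $name
            AppliesTo    = $ace.InheritanceType
            Inherited    = $ace.IsInherited
            SiteServer   = $isSiteServer
            MatchesStep1 = ($isSiteServer -and $coversChildren)
        }
    }
}

$aces = @(Get-SystemManagementFullControl -SiteServerAccount $SiteServer)
$aces | Format-Table Identity, AppliesTo, Inherited, SiteServer, MatchesStep1 -AutoSize
if (-not ($aces | Where-Object { $_.MatchesStep1 })) {
    Write-Warning "$SiteServer has no Full Control ACE covering child objects."
}
```

Any row where SiteServer is False is another account with Full Control over the container and is worth reviewing when the permissions are tightened later.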
Step 2. Configure Client Agents
Now that we have attended to the 'gotcha' above, open the SMS Administrator console and expand the site hierarchy/site name/site settings, then select Client Agents.
Double-click on Hardware Inventory Client Agent on the right side and enable it.
Set the inventory schedule to 1 day. Click OK to close.
For the Software Inventory agent, set the schedule to 1 week.
Click on the Inventory Collection tab, and delete the default scan listed.
Click on the yellow star and add files of type *.exe, then click on Set beside location and enter %ProgramFiles%\ as the location so that it only scans that area for EXE files.
Make sure to remove the tick from the Windows directory.
Next you can enable the Advertised Programs Client Agent and, under the General tab, select Enable software distribution to clients and select that the New Program notification icon opens Add or Remove Programs.
Now click on the Notification tab and set it accordingly.
Next we have the Software Metering Client Agent; enable it if you wish and set your schedule.
Step 3. Client Installation Methods
In the left pane, select Client installation methods and double click on Client Push Installation Properties.
Enable it and take note of the warning.
Adjust your settings, removing Servers and domain controllers from your choice of installing onto...
Set your accounts to install software. In this example I used the domain administrator, but you should really set up a separate account and give it the appropriate permissions for SMS in AD by creating a user in your domain called SMSInstall and adding it to the domain admins group, and then adding it to the Accounts tab.
Next click on the Advanced Client tab and set your Installation Properties string to something like this:
SMSSITECODE=WIN SMSCACHESIZE=8000
The above sets our SMS site code to WIN and the SMS cache size on the client to approx 8GB.
Step 4. Configure Discovery methods
In the Discovery section, you'll see 8 possibilities, of which we only need to configure 5. The first 2 are NT related (not needed). We do, however, need Heartbeat Discovery set up and enabled. The next option (Network Discovery) is also not needed.
The final 4 options are all required (AD) so we'll set them accordingly.
Set the discovery methods to the following values:
* Heartbeat Discovery every 1 hour
* Active Directory System Discovery 1 hour
* Active Directory User Discovery 1 hour
* Active Directory Security Group Discovery 1 hour
* Active Directory System Group Discovery 1 hour
Note: You may want to set these values to 1 minute in a lab environment.
We also need to tell SMS where to look for these computers, and that is done in each of the 4 AD options above.
So bring up the Active Directory System Discovery properties and click on the yellow star to add an Active Directory container.
In the Browse for Active Directory window, make sure Local Domain is selected and click OK.
When the Select New Container window comes up, click OK.
Now that your container is selected, click OK to exit and do the same actions for each of the 3 remaining AD discovery methods.
That's it, you are done. Next we will create a package, advertise it to a collection and then distribute it!
Cool!!