You are browsing the archive for 2007 May.

Sccm 2007 client agent deployment using Software updates

9:21 pm in SCCM 2007 by The WMI guy

Sccm 2007 has a new client deployment method called Software update point based client installation. The idea behind it is to publish the Sccm 2007 client as a critical update, so that, as the name says, the client gets installed from the Software update point. Most of you will probably know that Software Update management in Sccm 2007 integrates with Wsus 3.0: Sccm 2007 relies on Wsus to synchronize the catalog and to scan clients, but that’s food for another post.


Why does sccm 2007 require a new installation method? What was wrong with the previous installation methods we had in sms 2003? To be honest, not much, but they all had their drawbacks. Let’s just have a look at each of the installation methods and their drawbacks before we continue and see what Software update point based installation has in store for us.

Manual installation: This installation method lacks automation and requires the end-user to be a local administrator on the machine which is obviously a big NONO security wise.

Login script installation: Suffers from the same security issue as manual installation and is consequently a NOGO.

Software Distribution based installation: Good installation method, but it is often a chicken-or-egg kind of problem: you already need to have a software distribution mechanism out there for this to work.

Client Push Installation (Wizard): Great installation method, but it has some requirements that could prove to be problematic in a really secure environment. It requires remote local admin privileges, which is usually fine. But it also requires remote registry access and access to the admin$ share. A secure environment should have file and print sharing disabled on desktops and laptops, or at the very least have them blocked by a personal firewall.

GPO based installation: Nice installation method with very modest requirements on the machine to be installed, but it suffers from its own drawbacks. The main problem with GPO based installation is that it is end-user driven. GPO software installation only happens at logon or after a restart. Both events normally only happen after the end-user gave their user name and password or powered on the machine. If you have pesky users that just close their laptop lid in the evening and open it back up the next morning, then you’re out of luck with GPOs. With today’s more stable OSs like Windows XP and Windows Vista it could take a pretty long time before the machine actually needs to be rebooted on the LAN.

Software update based client installation: Superb installation method that mixes the benefits of GPO based installation with those of software distribution based installation. In other words it has pretty low requirements on the target machine, even lower than software distribution based installation, as it does not require a software distribution solution in place and doesn’t require the target machine to be in Active Directory. (You’ll need a different way than adm templates to set the registry keys though.) On top of that it offers a schedule based installation, which eliminates the end-user initiated drawback of GPOs. By the way, if you install a newer version of the SCCM 2007 beta or install a Service Pack after RTM, you will be able to update your publication so that you can use this method to easily upgrade your existing install base to the new version.


How do you get this to work? Remarkably easy actually.


 STEP 1 Configure the Windows Update agent GPO:

  1. Open a GPO

  2. Go to Computer configuration\Windows Components\Windows Update

  3. Configure the Configure automatic updates option, set it to auto download and schedule the install

  4. Choose your own schedule

  5. Configure the Specify intranet Microsoft update service location option

  6. Configure both options with the value http://Wsusserver
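The post notes that this method doesn’t require the target machine to be in Active Directory, but that you then need another way to set the registry keys the GPO would otherwise write. The script below is an added example (not from the original post) that sets the STEP 1 Windows Update agent values directly in the policy registry keys, so a workgroup machine points at the same WSUS server and installs on the same kind of schedule. The WSUS URL is the post’s own placeholder http://Wsusserver, and the day/time values are constructed here (every day at 03:00).

```powershell
# Added example: set the Windows Update agent policy from STEP 1 without a GPO,
# for machines that are not in Active Directory.
# Assumptions: 'http://Wsusserver' is the placeholder from the post; the
# schedule (every day, 03:00) is a constructed value. Run elevated.
$WsusUrl   = 'http://Wsusserver'   # prefer an https:// URL if your WSUS server is configured for SSL
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

# Create the policy keys if no GPO ever created them on this machine
foreach ($key in $PolicyKey, $AuKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# "Specify intranet Microsoft update service location": both values point at WSUS
Set-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $WsusUrl -Type String

# "Configure automatic updates": AUOptions 4 = auto download and schedule the install
Set-ItemProperty -Path $AuKey -Name 'NoAutoUpdate'         -Value 0 -Type DWord
Set-ItemProperty -Path $AuKey -Name 'AUOptions'            -Value 4 -Type DWord
Set-ItemProperty -Path $AuKey -Name 'UseWUServer'          -Value 1 -Type DWord   # honour WUServer above
Set-ItemProperty -Path $AuKey -Name 'ScheduledInstallDay'  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $AuKey -Name 'ScheduledInstallTime' -Value 3 -Type DWord   # hour of day, 0-23

# Show what the agent will actually read back
Get-ItemProperty -Path $PolicyKey | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $AuKey | Select-Object NoAutoUpdate, AUOptions, UseWUServer, ScheduledInstallDay, ScheduledInstallTime

# Make the agent re-read the policy and check in with WSUS now
wuauclt.exe /resetauthorization /detectnow
```

These are the same values the GPO writes, so a machine configured this way shows up in the WSUS console exactly like a domain member would. The post’s adm template for the SCCM client command line is a separate setting and is not covered by this script.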

STEP 2 Import the SCCM-2007 adm template:

Download the adm template to configure SCCM 2007 client installation command line parameters

  1. Open a GPO

  2. In Computer Configuration Right-click on Administrative templates

  3. Browse to the SCCM-2007 adm template and add it.

  4. Go to Computer configuration\Windows Components\SCCM 2007\Software Update point client installation

  5. Configure the command line with the parameters you want.

STEP 3 Publish the SCCM 2007 client (As documented in the SCCM 2007 help file)

To publish the Configuration Manager 2007 client to the WSUS server:

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Client Installation Methods.

  2. Right-click Software Update Point Client Installation, and click Properties.

  3. To enable client installation, select the Enable Software Update Point Client Installation check box.

  4. If the client software on the Configuration Manager 2007 site server is newer than that stored on the software update point, the Upgrade Client Package Version dialog box will open. You should click Yes in this dialog box to publish the most recent version of the client software to the software update point.

  5. To finish configuring the software update point client installation, click OK.



“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS


Prepare your Environment for Running sms 2003 – Active Directory Part1

11:15 am in Sms 2003 by The WMI guy

Today we’ll continue preparing, or rather start cleaning up, our Active Directory environment to make implementing and running Sms 2003 as smooth as possible. Sms 2003 introduced a bit of Active Directory integration. Not as much as some people hoped, but there is a certain degree of interaction. In other words, having your Active Directory environment sanitized goes a long way in managing SMS 2003. Today we are going to start cleaning up the Active Directory environment to make our Sms 2003 discovery process as happy as a fish in the water.

Dns Scavenging

Before we dive into our cleaning process there is something you should know about active directory system discovery. Cathy Moya from the Sms Product documentation team describes it quite well in Cathy’s Fine Faq:

“Active Directory System Discovery will create a DDR for a resource only if it can resolve the name to the IP address by using DNS. If a valid DNS entry does not exist for a computer, SMS does not discover the computer but does create a status message stating there were errors for that computer. You might see these computers referred to as bogus in adsysdis.log.”

We are going to take advantage of this little fact to keep dead weight in Active Directory from making it into our Sms database. What does dns scavenging do? Well, it deletes stale resource records. Ever since Windows 2000 the Windows operating systems have supported a feature called Dynamic DNS, which means the clients dynamically register themselves in dns. Unfortunately unregistering doesn’t always work that well, because of clients leaving the network without shutting down, amongst other things. (Don’t you hate those badly behaving end-users?)

So by enabling dns scavenging you will delete those stale resource records. Net result: Sms 2003 will no longer discover these resources so they will no longer clog your sms 2003 database, not to mention that they will no longer bring your software distribution success rates down in your reports. 

For those of you looking to get started, you enable dns scavenging in the properties of your dns zone. Right-click the zone and on the Aging tab enable the Scavenge stale resource records option, and while you’re at it configure the scavenging process to run daily instead of weekly by executing dnscmd /config /scavenginginterval 24.
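Before turning scavenging on it is worth seeing which records it would actually remove, since it only ever touches dynamic records (static ones carry no timestamp) and anything older than the no-refresh plus refresh window is gone on the next pass. The script below is an added example (not from the original post) that reads the A records of one zone through the DNS server’s WMI provider and flags the stale ones. The server name, zone name and the 14-day threshold (the default 7-day no-refresh + 7-day refresh interval) are assumptions you should replace with your own.

```powershell
# Added example: preview which A records dns scavenging would delete, using the
# DNS server WMI provider (root\MicrosoftDNS).
# Assumptions: $DnsServer and $Zone are placeholders; $StaleAfterDays mirrors the
# default 7-day no-refresh + 7-day refresh window.
$DnsServer      = 'dc01'          # placeholder: a DNS server hosting the zone
$Zone           = 'corp.example'  # placeholder: the AD-integrated zone to inspect
$StaleAfterDays = 14

# MicrosoftDNS_ResourceRecord.TimeStamp is the last refresh in hours since
# 1 Jan 1601 UTC; a value of 0 marks a static record, which is never scavenged.
$epoch = New-Object DateTime -ArgumentList 1601, 1, 1, 0, 0, 0, ([System.DateTimeKind]::Utc)
$now   = [DateTime]::UtcNow

$records = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
    -Class MicrosoftDNS_AType -Filter "ContainerName='$Zone'"

$report = foreach ($r in $records) {
    if ($r.TimeStamp -eq 0) {
        $age   = $null
        $state = 'static (never scavenged)'
    } else {
        $age   = ($now - $epoch.AddHours($r.TimeStamp)).Days
        $state = if ($age -gt $StaleAfterDays) { 'STALE - would be scavenged' } else { 'fresh' }
    }
    New-Object PSObject -Property @{
        Name    = $r.OwnerName
        IP      = $r.IPAddress
        AgeDays = $age
        State   = $state
    }
}

$report | Sort-Object AgeDays -Descending | Format-Table Name, IP, AgeDays, State -AutoSize

# These stale names are the ones SMS would otherwise keep discovering (and
# reporting as bogus in adsysdis.log) until scavenging removes them.
$stale = @($report | Where-Object { $_.State -like 'STALE*' })
"{0} of {1} A records in {2} are older than {3} days" -f $stale.Count, @($records).Count, $Zone, $StaleAfterDays
```

If a name you expect to keep shows up as stale, that machine is not refreshing its registration (typically it is off the network or has dynamic update disabled); fix that first, or convert the record to a static one, rather than skipping scavenging for the whole zone.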

 My next post will be about eliminating those dreaded 5503 status messages in Active Directory user and Active Directory System group discovery.



Prepare your environment for running SMS 2003 – Schema

11:13 am in SCCM 2007, Sms 2003 by The WMI guy



It is advised to follow the procedure below before any schema modifications are made, not just the sms 2003 schema extensions. There are no known issues in making the SMS 2003 schema extensions.

This being said, keep in mind that

1) Every forest only has 1 Schema partition.

2) There is no such thing as an AUTHORITATIVE RESTORE for the schema partition.

These 2 things combined spell disaster if something goes wrong with the schema extension process and the broken schema gets replicated to all dc’s.

If this happens you have two options:

1) Hire a Microsoft PSS consultant to help clean up your Active Directory Schema mess

2) Restore a backup of the Active Directory on All domain controllers in the Forest. All domain controllers have to be disconnected from the network during this recovery.

Neither of these seems really appealing to me.


Proper Procedure

  1. Locate the server that is the schema master

    1. In a command prompt type regsvr32 schmmgmt.dll (you should get a message that the dll was registered successfully)

    2. Type mmc, and add the Active Directory Schema snap-in

    3. Right Click Active Directory Schema and select Operations Masters

    4. Take note of the current Schema master

  2. Back up the schema master.

  3. Disconnect the schema master from the network and do not reestablish the connection until the end of this procedure. (This means physically removing the cable; do not just disable the network interface, since some of the tools used later in the procedure require a functional tcp/ip stack.)

  4. On the schema master, insert the SMS 2003 SP2 Setup CD in the CD-ROM drive.

  5. Open a command prompt, change to the CD-ROM drive, and change to the \SMSSETUP\BIN\I386 folder on the CD.

  6. On the schema master, at the command prompt, type Extadsch.exe

  7. After the preceding command has finished on the schema master, confirm that the preparation of the forest was successful. Review %SystemDrive%\ExtAdSch.log

  8. Evaluate the information you gathered in the previous step and choose accordingly:

    1. If extadsch.exe ran without errors, reconnect the schema master to the network and continue with the next step of this procedure.

    2. If extadsch.exe ran but error messages provided instructions for additional steps to take, follow the instructions and then return to the confirmation process described in the previous step.

    3. If extadsch.exe did not run successfully, restore the schema master from backup and investigate the corrective steps necessary so that extadsch.exe can be run successfully.
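The steps that are easy to get wrong in the procedure above are running it on the wrong box, running it with the cable still in, and misreading the log. The script below is an added example (not from the original post) that checks those three things: it resolves the schema master (step 1, run this part while still connected), refuses to continue while any adapter still has link (step 3), and classifies ExtAdSch.log into the three outcomes of step 8. The success and failure phrases it searches for in the log are my assumption about what extadsch.exe writes; confirm them against a log from your own lab run.

```powershell
# Added example: pre-flight and post-run checks for the schema extension
# procedure. Assumptions: run on the schema master itself; the log phrases
# below ('Failed', 'Successfully extended the Active Directory schema') are
# assumed, verify them against your own ExtAdSch.log.

# Step 1: confirm this box really is the schema master (do this while still
# connected; the forest lookup needs directory access)
$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaMaster = $forest.SchemaRoleOwner.Name          # FQDN of the role owner
"Schema master: $schemaMaster (this host: $env:COMPUTERNAME)"
if ($schemaMaster -notlike "$env:COMPUTERNAME.*") {
    throw "Run extadsch.exe on $schemaMaster, not on this machine."
}

# Step 3: the cable must be out. NetConnectionStatus 2 = Connected; any other
# value (0 disconnected, 7 media disconnected) means no link.
$linked = @(Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionStatus=2")
if ($linked.Count -gt 0) {
    $linked | ForEach-Object { "Still linked: $($_.Name)" }
    throw "Unplug the network cable before running extadsch.exe."
}

# Steps 7 and 8: review the log extadsch.exe leaves on the system drive root
$log = Join-Path $env:SystemDrive 'ExtAdSch.log'
if (-not (Test-Path $log)) {
    "No $log found: extadsch.exe did not run, restore from backup (step 8.3)."
} else {
    $lines    = Get-Content $log
    $failures = @($lines | Select-String -SimpleMatch 'Failed')
    $success  = @($lines | Select-String -SimpleMatch 'Successfully extended the Active Directory schema')
    if ($failures.Count -gt 0) {
        "Errors found, leave the cable out and follow the log's instructions (step 8.2):"
        $failures | ForEach-Object { $_.Line }
    } elseif ($success.Count -gt 0) {
        "Schema extension succeeded; reconnect the schema master (step 8.1)."
    } else {
        "No verdict line in $log; treat as not run successfully (step 8.3)."
    }
}
```

The point of the link check is that a disabled interface still passes it: a NIC that is administratively disabled reports no link either, but the procedure wants the cable out precisely so that the tcp/ip stack stays up while nothing can replicate.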

Important Note: Extending the Schema will trigger a FULL Global Catalog Synchronization between Windows 2000 Global catalog servers. Windows 2003 Global Catalog servers will use delta replication.

