Huntland Services Ltd


Digest of Active Directory Integration in SMS 2003

 Based on Microsoft Webcast 12th Dec '01


SMS 2003 is not dependent on AD, but some features are enhanced by using it.

  1. Active Directory Site Boundaries
    SMS 2003 boundaries can be defined in terms of IP subnets (as in SMS 2.0) or by AD site name.  This allows SMS sites to be controlled via AD sites, giving access to features such as finer subnet tuning.  SMS 2.0 could only define subnets on whole-octet mask values such as 255.255.255.0, whereas AD can use masks such as 255.255.255.242 etc.  AD can also combine subnets into one supernet.
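    As an added illustration (not part of the webcast digest), the following Python models site boundaries expressed either as CIDR subnets, which covers the non-octet masks and supernets mentioned above, or as AD site names, and includes the check a practitioner usually wants: flagging IP boundaries that overlap between sites. The site codes, subnets and site name are constructed sample data.

```python
import ipaddress

# Constructed sample boundaries (not from the webcast).  Each site lists
# IP subnets (CIDR, so /28 and supernets such as /23 are expressible)
# and/or AD site names.
BOUNDARIES = {
    "S00": [ipaddress.ip_network("10.1.0.0/23"),   # supernet of two /24s
            "Redmond"],                            # AD site name boundary
    "S01": [ipaddress.ip_network("10.1.2.0/28")],  # mask 255.255.255.240
    "S02": [ipaddress.ip_network("10.1.2.0/24")],  # whole-octet mask, overlaps S01
}


def matching_sites(ip, ad_site=None):
    """Return the site codes whose boundaries contain ip or name ad_site."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for code, bounds in BOUNDARIES.items():
        for b in bounds:
            if isinstance(b, str):
                matched = ad_site is not None and b.lower() == ad_site.lower()
            else:
                matched = addr in b
            if matched:
                hits.append(code)
                break  # one hit per site is enough
    return hits


def overlapping_boundaries():
    """List pairs of IP boundaries from different sites that overlap.

    Overlaps make client site assignment ambiguous, so a configuration
    review should report them (this code only detects, it does not resolve).
    """
    nets = [(code, b) for code, bounds in BOUNDARIES.items()
            for b in bounds if not isinstance(b, str)]
    found = []
    for i, (code_a, net_a) in enumerate(nets):
        for code_b, net_b in nets[i + 1:]:
            if code_a != code_b and net_a.overlaps(net_b):
                found.append((code_a, str(net_a), code_b, str(net_b)))
    return found
```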

  2. Active Directory Discovery Methods
    Three AD discovery methods replace and enhance the basic functionality provided by the SMS 2.0 tool Adsync.exe:
     SMS AD System Discovery Agent - obtains a list of all systems (regardless of site affiliation).  Connects to each one in turn to learn its site name (if any).  Approximately 5k (22 frames) per system.
     SMS AD User Discovery Agent - obtains all users and the AD security groups they are members of, as well as Domain and OU information.
     SMS AD System Update Agent - runs like a heartbeat process, automatically scanning AD for systems that are assigned to your site.  Returns information beyond ordinary System Discovery (above), such as DNS name, System Group name and OU information.  Has the advantage of not having to make a network query to each system, as all the data comes from AD once the site name is known.  This only runs on a Primary site, but DDRs for discovered systems belonging to a secondary site are automatically pushed down.
    Discovery paths are expressed as LDAP:// or GC:// syntax strings, e.g. LDAP://CN = Users, DC = MyDom.com, DC = Test, DC = MyDom.
    Discovery traverses all sub-containers from the start point downwards.
    The SMS access account is an ordinary domain user.

  3. Active Directory Software Distribution Targeting
    Systems - Domain, OU, AD Site & AD system security groups e.g. 'Domain Controllers'
    Users - Domain, OU, & AD security groups for users
    Supports global, universal, nested and non-security groups.
    Any of these properties can be combined with Hinv or Sinv data in building collections e.g. 'All systems in the Servers OU, belonging to the Redmond site, in the SMS Servers universal group and having at least 512MB of RAM'.
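    As an added example (not from the webcast, and not SMS's own collection evaluator), the following Python shows how the collection rule quoted above combines AD targeting data with Hinv data, and why nested group support matters: group membership is resolved transitively, with a guard against circular nesting. System names, OUs, groups and RAM values are constructed sample data.

```python
# Constructed sample AD data (not from the webcast).
# group -> direct members; a member that is itself a key is a nested group.
GROUP_MEMBERS = {
    "SMS Servers": ["SRV01", "Core Servers"],          # universal group, nested group inside
    "Core Servers": ["SRV02", "SRV03", "SMS Servers"],  # circular nesting, deliberately
    "Domain Controllers": ["DC01"],
}

# system -> AD discovery data (OU, AD site) plus a Hinv value (RAM in MB)
SYSTEMS = {
    "SRV01": {"ou": "Servers", "ad_site": "Redmond", "ram_mb": 1024},
    "SRV02": {"ou": "Servers", "ad_site": "Redmond", "ram_mb": 256},
    "SRV03": {"ou": "Servers", "ad_site": "Redmond", "ram_mb": 2048},
    "DC01":  {"ou": "Domain Controllers", "ad_site": "Redmond", "ram_mb": 4096},
    "WS01":  {"ou": "Workstations", "ad_site": "Redmond", "ram_mb": 1024},
}


def expand_group(group, seen=None):
    """Transitively resolve nested group membership to a set of systems.

    'seen' records groups already expanded so circular nesting terminates.
    """
    seen = {group} if seen is None else seen
    members = set()
    for m in GROUP_MEMBERS.get(group, []):
        if m in GROUP_MEMBERS:          # nested group: recurse unless visited
            if m not in seen:
                seen.add(m)
                members |= expand_group(m, seen)
        else:
            members.add(m)
    return members


def collection(ou, ad_site, group, min_ram_mb):
    """Systems in the OU and AD site, (transitively) in the group, with enough RAM."""
    in_group = expand_group(group)
    return sorted(name for name, s in SYSTEMS.items()
                  if s["ou"] == ou and s["ad_site"] == ad_site
                  and name in in_group and s["ram_mb"] >= min_ram_mb)
```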

  4. Active Directory Advanced Security Model
    SMS 2003 does not create multiple accounts on different systems for different tasks.  There are no more accounts and passwords managed exclusively by SMS. 
    Either the Standard (SMS 2.0) or the Advanced Security model is supported, but not both.  A site can switch to AD Advanced Security at install or at any time afterwards (e.g. after upgrading from SMS 2.0), but cannot revert to Standard Security.
    Site Server services run using the Local System account.  For network connections these services use the computer account of the Site Server (e.g. myServer$) which must have local administrator privileges on site system servers.
    Each Site System communicates back to the Site Server using its own computer account which is automatically made a member of the new SMS Site Server Access Group security group when the site system is created (e.g. Caps, DPs, MPs, SLPs).
    Administrator configures intersite accounts and makes them a member of the new SMS Site Address Access Group to facilitate Parent\Child connectivity.
    The SMS Database Access Group contains accounts used by Management Points and Server Location Points to connect directly with SQL Server.

  5. Active Directory Schema Extensions
    SMS can optionally be configured to extend the AD Schema to improve how Desktop Clients discover their Server Location Points and how Mobile Clients discover their Management Points.
    This is done by creating the System\System Management container in the Active Directory.  Inside this container are the SMS_Site_S00, SMS_SLP_S00_slpName and SMS_MP_S00_mpName containers (S00 is a site code).
    Mobile clients will use AD to discover their nearest MP servers in order to learn about local DPs.  This is useful for roaming and software distribution.
    Without these extensions, Desktop clients must run CAPINST.EXE /SLP <name> to find their SLP servers, and Mobile clients must scan a WINS server (or other NetBIOS name resolution mechanism) to find the owners of the 'MP_S00[1A]' registered name.

  6. Incidentals
    The three-character site code will persist.
    Cannot combine user information with hardware information when targeting, e.g. user name = Jo and cpu = intel.
    An updated Application Management Pack for MOM will integrate MOM management of SMS Servers.
    SMS 2.0's 'Site Copy Manager' Resource Kit tool is being developed further to provide easy replication of a primary site's configuration settings to any or all child sites, e.g. SMS Hinv and Sinv settings can be configured once and then replicated.