Stronger Systems Management Server Worth A New Look
Oct. 20, 2003

Systems Management Server (SMS) 2003, available as a release candidate beta, features better support for roaming and mobile computers, a revamped system for tracking software usage, and integration with Active Directory (AD). It also has built-in support for software patch distribution and Web reports, features added to its predecessor SMS 2.0 through a feature pack. The most important factor for many customers, however, is not on the feature list: SMS 2003 has undergone much more testing than its predecessor. However, it still does not manage the actual software installation process or make target computers comply with a desired software configuration state.

The Need for SMS

Although small organizations can configure and track software configurations by physically visiting each computer and manually performing these tasks when necessary, this approach becomes problematic beyond a dozen or so computers, and even simple, repetitive tasks consume an inordinate amount of IT resources. A steady onslaught of viruses and worms aggravates the problem by mandating frequent patching. These tasks can become overwhelming for organizations with many geographic locations, many of which have no on-site IT personnel. Without software tools to help automate these tasks, these organizations cannot effectively manage changes to their computers, which ultimately affects business operations.

Microsoft has no single product to solve these problems, but instead offers a variety of overlapping configuration management and software distribution technologies, some (such as AD’s Group Policy and its IntelliMirror replication technology) built into Windows, some (such as the Software Update Service) available as free add-ons, and some sold as separate products. (See "Resources" section of this page for a list of other Microsoft configuration management and software distribution technologies.)

However, SMS is Microsoft's strongest technology for managing hardware and software assets, distributing software, applying patches, tracking licenses, and remotely diagnosing and fixing problems on a system.

Asset tracking. SMS periodically inventories the hardware and software on each managed computer and places the data in a central database, where it can be used to create reports, help target software distribution packages, and provide support personnel with diagnostic information.

Distribute and update software. SMS provides a mechanism to distribute software packages and software updates, then initiate installation of them on Windows client and server computers, even if their users do not have the rights needed to install software. SMS can also report where installation succeeded and where it failed.

Inventory data help ensure that software is sent only to systems that both meet the software’s installation requirements and comply with the organization’s policies for which systems or users should get it. The inventory data also reveal systems that need patches, so that SMS can then distribute and install patches on those systems.

License tracking and compliance. SMS can track not only the application software files that exist on each managed computer but also what software applications are installed, how often they are run, and by whom. These data are essential when determining whether the software is adequately licensed and are especially important to organizations that may have concerns regarding potential licensing audits and compliance issues.

Support resources. SMS provides remote tools that let authorized individuals establish secure terminal sessions with computers running any supported Windows client OS. These tools also permit support personnel to transfer files to these computers, execute commands on them, reboot them, and hold text-based chats with users (useful when dial-up users can’t talk over the phone because the line is being used for remote access). These resources help support personnel assist users and perform other maintenance and troubleshooting tasks without physically visiting the computer.

Although there are many competing products that perform these tasks, some to a more comprehensive degree, SMS has certain competitive advantages—many of which arise simply because it is a Microsoft product. (See the sidebar "Key Competitive Advantages".)

What’s New in SMS 2003?

Although SMS 2003’s core architecture has changed little from that of SMS 2.0 (see the illustration "SMS Architecture"), several components have been completely reworked. Significant new features include the Advanced Client, AD integration, software update management, Web reports, and a revamped software metering system, but the enhanced stability and reliability that comes from significantly better testing may be the most important change.

Advanced Client

All SMS-managed Windows computers require client-side SMS agent software to perform various tasks, such as collecting inventory, initiating software installs, and communicating with SMS servers. SMS 2003 includes a new Advanced Client agent that runs on Windows 2000 and later versions of Windows. This client was originally designed to improve SMS’s support for laptop users, who connect intermittently from different points on the network or via a virtual private network (VPN). However, the Advanced Client also benefits servers and fixed desktops.

Features and benefits of the Advanced Client include the following:

Download and execute. Installation packages can now be advertised to the clients in such a way that all of the files in the package get transferred to a cache on the client before beginning the install. This allows the download to proceed at a pace commensurate with the network speed, yet once the install process begins, it can finish as fast as if the install were being run locally. This feature also allows mobile clients to disconnect from the network after the files have been downloaded and install the software later.

Uses BITS/HTTP to download files. Instead of using the traditional Server Message Block (SMB) network file system protocol to transfer installation packages from an SMS distribution server, the Advanced Client uses HTTP in conjunction with a technology called "Background Intelligent Transfer Service," or BITS. First introduced as part of Microsoft’s Automatic Update client, BITS has built-in checkpoint/restart and bandwidth-throttling features, which allow downloads to use available bandwidth and intermittent connectivity more efficiently—a feature that is especially important when users connect over wireless LANs or limited-bandwidth VPNs, or when they frequently disconnect from the network while downloads might be under way.

Intelligent roaming. SMS 2003’s Advanced Client can locate an appropriate SMS server for any network connection point, even when the user normally connects from a different SMS site. Furthermore, clients can run properly when disconnected; package and inventory files simply queue up until the user is reconnected.

This capability improves performance and reliability over SMS 2.0, which responds to clients attaching from a new location in one of two ways as configured by the administrator. The clients either reassign themselves to the new site and begin using that site’s policies in place of their "home" policies (not ideal for a short visit) or they continue to pull all data and packages across the WAN from their home site location, which can reduce client performance and has an adverse impact on the WAN.

An interesting characteristic of the SMS 2003 Advanced Client is that it uses XML-based policy files to get configuration instructions from an SMS server, rather than using AD Group Policy to adjust the SMS client’s Registry settings. Microsoft claims that it did this so that SMS customers would not need AD to use the Advanced Client, but this could also be a precursor of a more general replacement of the Windows Registry with XML configuration files.

Active Directory Integration

Although SMS 2003 does not require AD, it runs better in AD environments and takes advantage of several AD features. However, this integration does require SMS to make a few additions to the AD schema.

Some of the most significant features are as follows:

AD site boundaries. In both SMS and AD, a "site" encompasses a set of Windows systems that have high-bandwidth connectivity among themselves and is defined by specific ranges of IP network addresses. SMS clients use site information to locate an SMS site server to which they have a high-bandwidth connection. If AD is present, SMS 2003 will read the AD site boundary definitions and add them to the SMS site configuration database. This allows administrators to define and maintain site boundaries in one place (AD), and any site definition changes are available to both AD and SMS without doing manual synchronization.

AD discovery and targeting. When AD is present, SMS 2003 can discover the AD groups and organizational units (OUs) that computers and users belong to, and administrators can use that membership information to target software installation and maintenance. Because membership in these containers is not a direct function of other information stored in AD or SMS (and therefore must be hand-maintained), administrators need only maintain the groupings in a single place, AD.

Advanced security. Previous versions of SMS required maintaining a large number of service accounts with elevated rights. These accounts were used by SMS to install the client software, install software applications on target computers, and authenticate communications among the various SMS servers.

When SMS 2003 runs in an AD environment, no special service accounts are normally needed. The local system accounts on the clients and SMS servers take the place of the service accounts in most cases. The local system accounts (which are not AD domain accounts) have permission to connect to other computers because of an architectural breakthrough in Windows 2000 and AD that gave the computer (machine) account a full security context (just like a user account). This allows computers to be members of domain groups just like users, and when each computer is joined to an AD domain, the computer account is added to AD’s Domain Computers group. Because the local system account has the ability to use the credentials of the computer account, it gets the rights and permissions needed to communicate with other systems.

Ordinary user accounts, on the other hand, cannot gain access to the local system account, so this does not inherently reduce the security of the system.

Software Update Management

SMS 2003 makes it easier to determine which computers lack up-to-date patches and install any missing ones. Although SMS has always had the raw capability to do this, it was a complex and difficult procedure: an SMS 2.0 administrator had to determine which files or Registry entries identified the need for a patch on a computer, build a package that extracted the information so that it could be picked up in the next inventory cycle, run that package on each computer, build a query that targeted the computers missing the patch, download the patch from Microsoft, build and test an SMS installation package that would install it, and then configure SMS to distribute the package to the computers needing it. At the rate Microsoft issues patches, this process was too cumbersome to be feasible.

With the introduction of the SMS 2.0 Update Services Feature Pack, this process became considerably easier. Fortunately, SMS 2003 includes built-in support for the same patch management tools. These tools use the Windows and Office security scanners and their associated patch databases to spot vulnerabilities on managed systems. SMS 2003 also contains a wizard and installation tool that makes it easy for administrators to obtain the needed patches issued by Windows Update and Office Update and to create an installation package that patches the vulnerable systems. (For more on how this feature works, see the illustrations "Update Distribution Flowchart" and "The Distribute Software Updates Wizard".)
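The targeting step described above (inventory identifies the file version that marks a missing patch; a query selects the computers below the fixed version) is shown here as an added example, not code from the article or from SMS itself. The inventory records, file name and patch identifier are constructed placeholders; the point it demonstrates is that version strings must be compared numerically per component, since a lexical comparison wrongly ranks "5.1.2600.9" above "5.1.2600.10".

```python
"""Decide which inventoried computers need a patch, the way an SMS 2.0
administrator had to do by hand (added example; all data is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRecord:
    computer: str   # managed computer name
    path: str       # inventoried file path
    version: str    # file version string as reported by inventory


@dataclass(frozen=True)
class Patch:
    name: str            # placeholder identifier, not a real KB number
    path: str            # file whose version identifies the fix
    fixed_version: str   # lowest version that contains the fix


def parse_version(v: str) -> tuple:
    """Split '5.1.2600.10' into (5, 1, 2600, 10) so components compare as numbers."""
    return tuple(int(part) for part in v.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.
    Shorter versions are padded with zeros so '5.1' equals '5.1.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def classify(inventory, patch):
    """Map each computer to 'needs_patch', 'patched' or 'not_applicable'.
    A computer that never reports the file does not have the component installed,
    so pushing the patch there would fail or be wasted."""
    status = {}
    for rec in inventory:
        status.setdefault(rec.computer, "not_applicable")
        if rec.path.lower() != patch.path.lower():
            continue
        if compare_versions(rec.version, patch.fixed_version) < 0:
            status[rec.computer] = "needs_patch"
        elif status[rec.computer] != "needs_patch":
            status[rec.computer] = "patched"
    return status


def target_computers(inventory, patch):
    """The 'collection' the patch package would be advertised to."""
    return sorted(c for c, s in classify(inventory, patch).items() if s == "needs_patch")


# Constructed sample inventory: five computers, one vulnerable DLL (placeholder name).
SAMPLE_INVENTORY = [
    InventoryRecord("PC01", r"C:\WINNT\system32\example.dll", "5.1.2600.9"),
    InventoryRecord("PC02", r"C:\WINNT\system32\example.dll", "5.1.2600.10"),
    InventoryRecord("PC03", r"C:\WINNT\system32\example.dll", "5.1.2600.12"),
    InventoryRecord("PC04", r"C:\WINNT\system32\other.dll", "1.0.0.0"),
    InventoryRecord("PC05", r"C:\WINNT\system32\example.dll", "5.1"),
]
SAMPLE_PATCH = Patch("KB-PLACEHOLDER", r"C:\WINNT\system32\example.dll", "5.1.2600.10")

if __name__ == "__main__":
    for computer, state in sorted(classify(SAMPLE_INVENTORY, SAMPLE_PATCH).items()):
        print(f"{computer}: {state}")
    print("targets:", target_computers(SAMPLE_INVENTORY, SAMPLE_PATCH))
```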

Although both Microsoft's Software Update Service (SUS) and SMS update features provide centralized control over software patch management, SMS gives administrators much greater control over the process. (For more on how SMS compares with SUS, see the chart "SMS Advantages over SUS".)

Web Reports

SMS 2003 replaces the current reporting system, based on Crystal Reports, with the Web Reporting feature first introduced in the SMS 2.0 Administration Feature Pack, which allows authorized users to use a Web browser to view current SMS inventory and status information. SMS 2003 ships 120 prebuilt report templates, and customers can further customize these reports or build their own. (For an illustration of the new reporting system, see "SMS Web Reports".)

Users of SMS 2003 Web reports will no longer require a separate viewer to view Crystal Reports documents, and administrators are no longer limited to static reports that must be distributed through e-mail or file shares.

The reports are built dynamically directly from SMS’s live SQL Server data (exposed through published SQL Server "views"). This new reporting system has two major benefits:

  • The reports are as current as the underlying SMS data
  • Reports can be "parameterized" so that users can obtain the specific data they desire from a more generalized report. For example, they could be prompted to select a date range when viewing a report on the frequency a particular program was used. This greatly reduces the number of report templates needed.

In fact, Web reports can take the place of the SMS administration console for performing support tasks that only require retrieving information from the SMS database. For instance, Help Desk personnel can use a Web report that lists the hardware and software inventory on the PC of someone calling in for support.

Note that this reporting system does not use the SQL Server Reporting Service, which is still in beta.

New Metering System

The metering system in all previous releases of SMS was designed to allow organizations to actively limit the number of copies of an application that could run concurrently, but this system scaled poorly and did not work reliably. Furthermore, the metering system was incompatible with computers working offline, a common scenario for laptops.

Microsoft completely rewrote the metering system for SMS 2003. By abandoning the design goal of active concurrent usage metering, it was able to make SMS’s other metering capabilities scale better and work much more reliably.

The new metering system can still passively monitor the use of any program an SMS administrator configures it to track in several ways:

Usage monitoring. SMS tracks the times each metered program starts and stops on any SMS-managed system, along with the name of the user account that launched it. This information is useful in determining how often programs are used and who’s using them, and for comparing this information with the number of licenses purchased for each program. SMS can aggregate and summarize metered program usage so managers can see the big picture without wading through the details of each monitored computer.

Offline metering. A local SMS agent can, by policy, track usage of an application without a live connection to an SMS server. The next time it connects, it uploads metering data to the appropriate SMS server.

Terminal Server usage. When a Windows 2000 or Windows 2003 server runs in Terminal Services Application mode to simultaneously serve applications to networked users, SMS 2003 metering can track application use for all users of that server, something earlier versions were not capable of doing.

The decision to abandon active concurrent use metering was reasonable since very few software products use that licensing model any more (nearly all are licensed per-user or per-device). For the few (often expensive) software products that still use that model but don’t provide a built-in means of enforcing the number of simultaneously running copies, Microsoft recommends that organizations host these applications on a server running Terminal Services and limit the number of sessions that can run simultaneously.

Other Improvements

SMS 2003 contains several other noteworthy features.

Remote control integration with Terminal Services and Remote Assistance. Like the Remote Desktop for Administration (formerly called Terminal Services Remote Administration Mode) feature introduced on Windows 2000 Server, SMS 2003’s remote control functionality allows administrators to remotely open a console session to any managed client. This can eliminate the need to physically visit the machine to perform maintenance that can otherwise only be done through a console.

However, the remote control support goes beyond the remote console feature, and essentially gives authorized IT support staff the same capabilities available with Windows XP’s Remote Assistance function (for instance, they can remotely view exactly what a local user sees on their desktop, and either individual can interact with the system). This is especially valuable to help desk personnel, who can work together with users to rectify problems.

Like previous versions of SMS, SMS 2003’s remote control gives organizations still supporting Windows 2000 Professional and Windows 9x desktops similar capabilities to Windows XP’s Remote Assistance. However, in SMS 2003, administrators can set policy to install the remote tools only on Windows computers that don’t already support Remote Desktop for Administration or Remote Assistance. Furthermore, the SMS 2003 management console interface makes it easy for IT support staff to initiate Remote Assistance or Remote Desktop sessions with managed devices that support any of the three remote control methods.

Delta distribution. In SMS 2003, when an administrator changes one or more files in the master source folder for an SMS installation package, only files that have changed need to be replicated to all of the SMS distribution point servers on the network. This is in contrast with earlier versions of SMS, which had to recopy the entire package to the distribution servers. This imposed a large and unnecessary load on the network and became particularly troublesome when the distribution servers resided on the other side of a low bandwidth WAN link.
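The delta replication idea above, as an added example that is not code from the article or from SMS: a content manifest of SHA-256 hashes is built for the master source and for a distribution point's copy, and only the differing files are scheduled for transfer. Deciding by hash rather than by timestamp means a file that was merely re-saved is not recopied, while a same-size edit is still caught, and the replica can be verified complete after the delta is applied. The package files are constructed in memory; `manifest_from_directory` shows the same manifest built from a real folder.

```python
"""Delta replication of a package folder by content hash (added example; the
sample package contents are constructed)."""
import hashlib
from pathlib import Path


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_directory(root) -> dict:
    """Map each file's path (relative to root, POSIX-style) to its SHA-256.
    For use against a real master source folder or distribution point share."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p.read_bytes())
        for p in root.rglob("*")
        if p.is_file()
    }


def manifest_from_files(files: dict) -> dict:
    """Same manifest shape, built from an in-memory {relative path: bytes} tree
    so the example runs without touching disk."""
    return {path: file_digest(data) for path, data in files.items()}


def compute_delta(master: dict, replica: dict):
    """Return (to_copy, to_delete, unchanged) relative paths.
    A file is copied when the replica lacks it or holds different content;
    a file is deleted when the master no longer has it."""
    to_copy = sorted(p for p, h in master.items() if replica.get(p) != h)
    to_delete = sorted(p for p in replica if p not in master)
    unchanged = sorted(p for p, h in master.items() if replica.get(p) == h)
    return to_copy, to_delete, unchanged


def apply_delta(master_files: dict, replica_files: dict) -> dict:
    """Bring the replica in line with the master by transferring only the delta."""
    master_manifest = manifest_from_files(master_files)
    to_copy, to_delete, _ = compute_delta(master_manifest, manifest_from_files(replica_files))
    updated = dict(replica_files)
    for path in to_delete:
        del updated[path]
    for path in to_copy:
        updated[path] = master_files[path]   # the only bytes that cross the WAN
    return updated


def replica_matches(master_files: dict, replica_files: dict) -> bool:
    """Post-replication check: the distribution point must hash identically to the master."""
    return manifest_from_files(master_files) == manifest_from_files(replica_files)


# Constructed sample: the administrator updated setup.exe and config.ini, added a
# new file, and removed old.dll; readme.txt is untouched.
MASTER_FILES = {
    "setup.exe": b"installer build 2",
    "config.ini": b"[install]\nsilent=1\n",
    "readme.txt": b"read me",
    "extras/new.dat": b"new payload data",
}
REPLICA_FILES = {
    "setup.exe": b"installer build 1",
    "config.ini": b"[install]\nsilent=0\n",
    "readme.txt": b"read me",
    "old.dll": b"obsolete",
}

if __name__ == "__main__":
    copy, delete, same = compute_delta(manifest_from_files(MASTER_FILES),
                                       manifest_from_files(REPLICA_FILES))
    print("copy:", copy, "delete:", delete, "unchanged:", same)
    print("replica verified:", replica_matches(MASTER_FILES, apply_delta(MASTER_FILES, REPLICA_FILES)))
```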

SMS MOM Management Pack. A Microsoft Operations Manager (MOM) Management Pack will be available for SMS 2003 within 30 days of general availability. This pack will allow administrators to centrally manage the health of the SMS server infrastructure on the MOM console.

Better Testing, Stability, and Scalability

The most important factor for many customers, however, is not on the feature list: when SMS 2003 ships, it will have undergone much more testing than its predecessor. In addition to extensive internal production testing (called "dogfooding") by Microsoft’s own IT department, many large Early Adopter Program customers are already using SMS 2003 to manage thousands of production computers, helping Microsoft eliminate many problems that don’t show up in small test environments.

Limitations Remain

Even though SMS 2003 is a substantial improvement over its predecessor, it still has important shortcomings that prospective buyers should understand. Some are limitations on the product’s scope, while others are related to its implementation.

Design Scope Limitations

Many important asset management and change and configuration management tasks remain outside the scope of SMS.

Managing the software installation process is not SMS’s job. SMS launches software installations on clients and supplies the files and command-line switches the installer program needs, but from that point on the installation task falls to the installer technology used by the software’s developer. Once all the files of a software distribution package are copied to a target computer or made available on a server file share, SMS can do no more than could a local administrator issuing a simple command-line command. This creates several problems.

First, the installation process can be inconsistent from one application to another. Administrators need to understand the idiosyncrasies of each installer technology and know how to control installations so they run silently yet install exactly as intended, which can be especially difficult when the target computers are not uniform. (Microsoft provides a downloadable tool called the "SMS Installer" that can be used by administrators to make software installation routines that do not natively use the Windows Installer install silently and with a particular set of configuration options, but the resulting installation files still run independently of SMS.) Although Microsoft is gradually standardizing on the Windows Installer service to install applications, it still ships products that use many other installers, particularly for OS components and server applications. (For more details, see the sidebar "Software Installation Still Tricky".)

At least one SMS competitor, Novadigm’s Radia, ignores the application’s installer programs and instead monitors each client’s Registry and file system to see if it has the appropriate keys and files to comply with the "desired state" set by an administrator. If not, Radia sets keys and copies files as needed to comply. Although the Windows Installer also takes a "desired state" approach, it does so on a per-application basis rather than a per-computer basis, which means that each application must be managed separately. Furthermore, not all application software (and no system software) uses the Windows Installer.

Second, the trend in software installation is to move away from rigid, one-time installation processes to more dynamic techniques that enable functions such as self-healing of damaged or inadvertently deleted files, automatically configuring per-user settings for new users, and auto-updating the application with patches and new data files. This often requires regular access to file servers or Web servers, and a system that is healthy one day could break the next even if the user or SMS did nothing to it. SMS has no means to track changes to the state of these dynamic installations.

However, SMS 2003 does have a new feature that makes self-healing applications work better: for each Windows Installer application it installs, it is able to set the Windows Installer source path to the nearest SMS distribution point server rather than the path of the original file share or the local CD drive. This reduces network traffic and eases maintenance of multiple replicas of the application source files.

Third, application installers have no uniform way to report installation status. SMS can report on installation success or failure only if the application’s developer made the installation program write status information to Windows Management Instrumentation (WMI) or to the file system in a special format that SMS can collect and interpret. Even when developers do provide status reporting, it is often just a simple success or failure flag, rather than the detailed information needed to troubleshoot a failure or partial success.

Not a complete CCM solution. Although Microsoft bills SMS as a change and configuration management (CCM) system, it is only one piece of a complete CCM solution. For example, SMS does not track the "who changed what, when?" information that is vital to troubleshooting. It is also not a substitute for AD Group Policy, which helps organizations centrally manage the configuration of the OS and some applications running on its computers. Furthermore, it cannot detect certain types of changes. For example, replacement of a monitor could go unnoticed by SMS.

Not a complete asset management solution. Although SMS does a good job of tracking Windows computers, SMS is also not a complete IT asset management product. For example, it cannot do the following:

  • Inventory computer peripherals for which Windows cannot detect specific details, such as monitors or printers
  • Track the physical location of systems it manages or store important information such as purchase, in-service, and warranty dates, and purchase price
  • Inventory non-Windows systems, such as routers, switches, network-attached printers, and Unix/Linux devices. However, SMS can discover non-Windows devices that support the Simple Network Management Protocol (SNMP) and obtain a few basic details about them, such as their hardware and IP network addresses.

Implementation Limitations

SMS 2003 also has limitations that stem from the way Microsoft implemented it.

Still very complex. Although the new Advanced Client, AD security model, and reporting and metering systems make SMS 2003 simpler and easier to manage than previous versions, it is still a tremendously complex product that makes AD seem simple in comparison. SMS 2003 typically involves nearly every Windows-based system in an organization, performs many different tasks, makes extensive and at times heavy use of the network, and could do tremendous damage if used incorrectly. For this reason it requires extensive knowledge, experience, and training to design, install, and operate; IT support personnel who use it must thoroughly understand networking, security, application installation, PC hardware, database operations, Web server operations, and more. Although the product’s mission may make this complexity unavoidable, it is the biggest factor that limits SMS’s suitability for smaller organizations.

Because SMS moves so much file data across the network, designers must carefully plan the server architecture around the constraints of the network. Even though SMS 2003 is a better network citizen than earlier versions and makes more efficient use of limited bandwidth, poor design will impact other network traffic or result in SMS lagging in completing its tasks.

Its complexity also limits Microsoft’s options for the future. Expanding the product’s scope to address some design limitations could make the product even more complex and expensive, which could in turn hurt its adoption.

Backups don’t exploit volume shadow copy. Backup and restore of SMS is especially challenging, since important data is continually moving between various SMS servers and databases. Although Microsoft gave far more attention to backup and recovery of SMS 2003 than it did with previous releases, these tasks are still difficult. Strangely, even though SMS 2003 can run on Windows Server 2003, its backup utilities do not make use of Windows 2003’s new Volume Shadow Copy Service to back up the file system, Registry, and SQL Server databases. This means that parts of the SMS system must go offline for much longer periods of time to obtain complete backup protection.

Upgrade Considerations

Because SMS 2.0 is a complex product that may involve all of the Windows computers in an organization’s network, upgrading to SMS 2003 must be carefully planned. However, because SMS 2003 does not require AD or make use of any specific Windows Server 2003 features, the decision to upgrade is not as difficult as with some other Microsoft server products (such as migrating from Exchange 5.5).

Client considerations. The major factor that affects an SMS 2.0 organization’s upgrade path is the type of client OSs it wants to manage. SMS 2003 no longer supports Windows 95, Windows Me, and Windows NT 4.0 running Service Pack (SP) 5 or earlier. SMS 2003 also includes a "legacy" client (in addition to the default Advanced Client) that has the same capabilities as the SMS 2.0 client and will still run on Windows NT 4.0 SP6 and Windows 98 systems.

Server considerations. SMS 2003 will run only on Windows 2000 Server SP2 (or later), so organizations hosting SMS 2.0 on an older OS will have to decide whether to upgrade the OS first or replace the server.

Other considerations. Two major features dropped in SMS 2003 are support for NetWare and active concurrent license metering. SMS 2.0 organizations that depend on these features may find that a complete upgrade is not a practical option, although they may be able to upgrade parts of their organization.

Upgrade Options

Given the above considerations, organizations running SMS 2.0 have three basic upgrade options.

Fresh install. If the organization wants to upgrade SMS servers to new hardware, upgrade their client OSs to Windows 2000 Professional or higher (which can run the Advanced Client), radically restructure their network, or migrate from the NT 4.0 directory to AD, it may be simplest to set up a new SMS 2003 server infrastructure as part of the upgrade and then gradually cut over clients from the old system to the new one without ever connecting the two.

Mixed. If the organization must still support older OSs not supported by SMS 2003 or if it needs some of the dropped features, it can make its SMS 2.0 infrastructure a child site to a new SMS 2003 parent site. SMS 2.0 inventory information rolls up into the parent site, and software can be assigned from the parent site to computers residing in the SMS 2.0 child site. Over time, as the organization upgrades its clients to a supported OS, it can migrate them to be members of the SMS 2003 sites.

In-place upgrades. If existing SMS 2.0 clients and SMS servers meet the SMS 2003 system requirements, organizations can upgrade them in place to their SMS 2003 equivalents. SMS can even automatically upgrade Standard clients to the new Advanced Clients (on computers meeting the OS requirements).

Availability, Pricing, and Resources

SMS 2003 will be available to volume customers in Nov. 2003 and the packaged product will be available before the end of the year.

Pricing for SMS 2003 client access licenses (CALs) will remain the same as with SMS 2.0 (US$48 MSRP), but the MSRP for SMS server licenses has gone up, from approximately US$650 to US$740. However, SMS server licenses will no longer be needed for "secondary site servers" (SMS child servers that do not have an associated SQL Server database, but instead forward their collected data to a parent site). This will be a cost savings for organizations that use SMS to manage many small, remote sites connected by low bandwidth WANs.

A new "SMS 2003 with SQL Server 2000 Technology" bundle will be introduced in December 2003 exclusively for customers participating in volume licensing programs. This bundle essentially duplicates the special SQL Server licensing arrangements offered for SMS 2.0, which gave customers the right to install SQL Server 2000 on a single server, without the need to purchase SQL Server 2000 CALs. (The lack of the need for SQL Server CALs is the predominant source of cost savings compared to licensing SQL Server 2000 separately.) This bundle allows the customer to run SQL Server 2000 on either the same machine as the SMS 2003 primary site server, or a separate physical machine. The SQL Server 2000 software acquired through this bundle can only be used with SMS 2003—it may not be used for any other purpose or with any other application. This bundle will cost approximately US$1,307. Microsoft has not made clear whether customers upgrading from SMS 2.0 will have to purchase the bundle in order to keep using their SQL Server 2000 servers without having to purchase new SQL Server CALs for each managed device.

In addition, Microsoft plans to release two important Feature Packs for SMS 2003 in mid-2004—for details, see the sidebar "SMS 2003 Feature Packs".

For more on SMS 2003, see www.microsoft.com/smserver/evaluation/future.

For more on Group Policy, Windows Installer, and IntelliMirror, see the Apr. 2003 Research Report, "Improving PC Management with Windows Server 2003."

For more on the Remote Installation Service, see "Deployment Improvements Yield Secure Servers Faster" on page 3 of the Sept. 2003 Update.