This article is a reproduced version of the “Point to point” article I wrote for Server Management Magazine back in November 2007. Thumbnails of the actual pages from the magazine are included at the end of the article which can be clicked to view the full sized versions.
Point to point
Now we’ve established why we need them, getting management points up and running is just a case of following the instructions.
BY CLIFF HOBBS
Last month we looked at the basics of management points in Systems Management Server (SMS) 2003 and issues relating to Design. In Part II, this month we move on to look at installation, configuration and troubleshooting.
Before you configure a management point you need to decide which server will host the management point role. Although it is possible to host a management point on a server other than the SMS site server, my preference is to always host management points on the site server because it avoids potential problems with permissions, the IIS configuration on the server, and so on. It also makes applying SMS Service Packs easier if you do this, and let’s face it given that the site server is there anyway, you may as well use it.
Before you go diving into the SMS Administrator Console to configure your management point, there are a few things worth checking out. As I mentioned in Part I, it’s a good idea to run the pre-installation checks using the MP Troubleshooter tool, which is part of the free SMS 2003 Toolkit 2. This will highlight any potential issues, which you can resolve before attempting the installation.
If you’ve installed URLScan to lock down IIS (which I’d strongly recommend), make sure that you’re using the version of the Urlscan.ini included with the SMS 2003 Toolkit 2, which has been amended for SMS, rather than the default one.
A quick and simple check is the date and time stamp of the file. The original version (kept in %windir%\system32\inetsrv\urlscan) is 7 Kb and created on the date you installed URLScan.
The SMS 2003 Toolkit 2 version (which you’ll find in the C:\Program Files\SMS 2003 Toolkit 2\Urlscan 2.5 directory by default) is 5 Kb and dated the 14 June 2004 at the time of writing.
You need to ensure that the version in the %windir%\system32\inetsrv\urlscan directory is the SMS Toolkit version and not the original.
Another check is to open the Urlscan.ini file and go to the [AllowVerbs] section. This section in the standard file only contains the following three entries:
However, the SMS specific version of the file contains the following eight entries:
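Both checks can be scripted so that the comparison does not rest on file size and date alone. The following is an added example, not part of the original article or the Toolkit: it hashes the deployed Urlscan.ini against the Toolkit copy and lists the [AllowVerbs] entries the deployed file lacks. The file contents and the verb names after POST are constructed placeholders, not the real entries.

```python
import hashlib

# Constructed stand-ins for the two files. The verb names after POST are
# placeholders, NOT the real entries of the SMS 2003 Toolkit 2 Urlscan.ini.
DEFAULT_INI = b"""\
; constructed sample of a default-style Urlscan.ini
[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
.exe
"""
TOOLKIT_INI = DEFAULT_INI.replace(
    b"POST\n",
    b"POST\n" + b"".join(b"SAMPLE_VERB_%d\n" % n for n in range(4, 9)),
)


def parse_sections(text):
    """Map each [section] (lower-cased) to its list of bare entries.

    Urlscan.ini lists one verb or extension per line with no key=value,
    and uses ';' for comments, so a small hand-written parser is used.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def compare_urlscan(deployed, toolkit):
    """Compare the deployed Urlscan.ini bytes with the Toolkit copy."""
    dep = parse_sections(deployed.decode("latin-1")).get("allowverbs", [])
    ref = parse_sections(toolkit.decode("latin-1")).get("allowverbs", [])
    return {
        # A hash match is a stronger test than size and timestamp.
        "identical": hashlib.sha256(deployed).digest()
        == hashlib.sha256(toolkit).digest(),
        "deployed_verbs": len(dep),
        "toolkit_verbs": len(ref),
        "missing": [v for v in ref if v not in dep],
        "unexpected": [v for v in dep if v not in ref],
    }


if __name__ == "__main__":
    # On a real server, read both files in binary mode instead, e.g.
    # open(path, "rb").read() for the deployed and the Toolkit copy.
    result = compare_urlscan(DEFAULT_INI, TOOLKIT_INI)
    for key, value in result.items():
        print(f"{key}: {value}")
```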
Next consider removing the Internet Information Services (IIS) anonymous access account (IUSR_<server_name>) from the local Guests group on the server that will be hosting the management point. This will make your life a lot easier, as we’ll see in the Troubleshooting section.
Let’s now look at how we install a management point (the installation of a proxy management point differs slightly and is covered later in the article, so if you need to install one go to the “Proxy Management Points” section now).
A management point is installed and configured in the same way as any other SMS site system (within the SMS Administrator Console navigate to Systems Management Server | Site Database (<site_code> – <description>) | Site Hierarchy | <site_code – site_name> | Site Settings | Site Systems.)
If you plan to assign the management point role to the SMS server, double-click the server to host the management point in the right-hand window, which will display the Site System Properties page.
However, if you want to assign the role to a different server, right click on Site Systems and choose New | Server. Supply the server name by using the Set button.
Then in the right-hand window double-click the server, which will display the Site System Properties page.
On the Site System Properties page click on the Management Point tab shown in Figure 1.
Figure 1 – The “Management Point” tab of the “Site System Properties” screen
Check the Use this site system as a management point checkbox then click OK (I discuss the Database: dropdown in the section on proxy management points later in the article, if you’re curious about this).
When you click the OK button you’ll be asked whether you want to use this as the default management point for the site (assuming this is the first management point you’ve configured for the site, which 99 per cent of the time will be the case). Then it’s a case of waiting for SMS to work its magic.
One important thing to note is that although SMS uses the MP.msi as part of the management point installation process, Microsoft does not support the installation of a management point other than through the Admin Console (so don’t be tempted to go off and try to run the MSI file).
Verified and satisfied
Once you’ve completed the installation, a quick way of checking to see if the management point has been installed correctly is to check for the Status Message ‘1015’ for the SMS_MP_CONTROL_MANAGER component which should state:
“SMS Site Component Manager successfully installed this component on this site system.”
You could check for the presence of the SMS Agent Host service, but this service is also installed on all advanced clients so it’s not foolproof.
A more thorough way of checking it’s been installed correctly is to open the Site Component log file (sitecomp.log) in SMS Trace and do a search for SMS_MP_CONTROL_MANAGER which should display lines similar to the following:
Component SMS_MP_CONTROL_MANAGER flagged for installation.
Component SMS_MP_FILE_DISPATCH_MANAGER flagged for installation.
Starting service SMS_SERVER_BOOTSTRAP_<site_server_name> with command-line arguments "<site_code> D:\SMS /install <drive_containing_sms_source_files>:\SMS\bin\i386\MPSetup.exe"...
Installing component SMS_MP_FILE_DISPATCH_MANAGER...
Publish Servers in Active Directory.
Site System <site_server_name> is the Default Management Point.
<site_server_name> is the Default management point.
Publishing <site_server_name> as a Management Point into Active Directory.
SMS-MP-<site_code>-<site_server_name> successfully created.
(Because of space constraints not all of the lines from sitecomp.log are shown).
So now your management point should be installed, but how do you check it can actually communicate with the site server? I’m assuming you’re running in Advanced Security mode and if not why not?
To check that a management point running in Advanced Security mode can communicate with its site server you need to use the interactive Command Prompt. This is a Command Prompt that runs under the context of the Local System account, an account you can’t simply log on with because you don’t know its password.
To start an interactive Command Prompt and verify the management point connection to your Site Database:
- On the computer hosting your management point start a Command Prompt.
- Type the following and press RETURN:
at <time> /interactive cmd
where <time> is a couple of minutes in the future. You will see the message:
Added a new job with job ID = <a number>
When the time you specified is reached a new Command Prompt is started. This is the interactive Command Prompt, which you should use for the remainder of this process.
- Change to the \Program Files\Microsoft SQL Server\80\Tools\Binn directory.
- Type the following and press RETURN:
osql /S <site_database_server_name> /d SMS_<site_code> -E
where <site_database_server_name> is the name of the Site Database server and SMS_<site_code> is the name of your Site Database, for example:
osql /S SMS2003AP /d SMS_C00 -E
A 1> should appear on the screen if you are able to successfully connect to the Site Database.
- Next type select * from sites and press RETURN which should give you a 2> prompt.
- Type go and press RETURN.
- If your management point can communicate with your Site Database server, various information about your SMS hierarchy will be displayed (such as the Site names, the directory SMS is installed in, the version, amongst others). A 1> will then be returned.
- Type exit and press RETURN to exit osql.
- Close the Command Prompt.
If you have previously extended the Active Directory Schema to include the SMS extensions, you need to check that your management point has been successfully published to Active Directory. (If you’ve not extended Active Directory, then entries for your management point(s) need to be verified in Windows Internet Name Service (WINS), discussed later in the article).
To check a management point has been published to Active Directory:
- Load up the Microsoft Management Console with the ADSIEdit snap-in enabled.
- Connect to the domain containing the site server whose management point entry you want to check (if you’re not connected to any domain or need to connect to a different one, simply right-click the “ADSI Edit” snap-in and from the context menu select “Connect to”, select the domain and click “OK” on the “Connection Settings” dialog box).
- Navigate to “Domain <computer fully qualified domain name> | <distinguished name> | CN=System | CN=System Management”.
- Check that there is a “CN=SMS-MP-<site_code>-<management point computer name>” object under the “System Management” container for each management point, an example of which is shown in Figure 2.
Figure 2 – ADSI Edit showing the list of Management Points published to Active Directory
- Right-click the first “CN=SMS-MP-<site_code>-<management point computer name>” entry and from the context menu select “Properties”.
- Scroll down the “CN=SMS-MP-<site_code>-<management point computer name> Properties” screen and check that the attributes listed in Table 1 are listed with the correct settings.
| Attribute | Syntax | Value |
|---|---|---|
| msSMSMPName | Case Insensitive String | <mp_computer name> |
| msSMSSiteCode | Case Insensitive String | <site_code> |
Table 1 – Management Point Attributes
- If there isn’t an object published for each management point or the default management point information is wrong, look in the “sitecomp.log” file in the “\SMS\Logs\” directory which should give you a clue as to why the publishing process failed.
A new feature introduced in SMS 2003 Service Pack (SP) 2 was the ability to allow advanced clients to locate management points and distribution points through Domain Name Service (DNS), rather than NetBIOS. This is achieved by re-extending the Active Directory Schema for SMS to include this attribute. (The SP2 and later process actually applies all of the SMS Schema extensions, not just the DNS one, although this is nothing to worry about: if the SMS Schema extensions have already been applied, SMS just ignores them.)
Once you’ve extended the AD Schema (assuming you have the rights to do so or have approval from the group responsible for Active Directory), you need to configure the Fully Qualified Host Name (FQHN), for the management point/ distribution point. To do this you simply check the “Specify a Fully Qualified Host Name” checkbox on the “General” tab of the “Site System Properties” screen (shown in Figure 3). Then type the name you want the clients to use in the “Specify a Fully Qualified Host Name:” field and click “OK”.
Figure 3 – The “General” tab of the “Site System Properties” screen
If for any reason an advanced client is unable to contact a management point/ distribution point using DNS, it automatically falls back to using NetBIOS.
By default management points are automatically registered in WINS if you are using Advanced Security. However, if you need to manually register one, either because you are using Standard Security or because you haven’t extended the Active Directory Schema, see Microsoft Knowledge Base article 883620 “You cannot install Advanced Client when your Systems Management Server 2003 does not use Active Directory or when the schema for Active Directory has not been extended” which provides full details on how to do this.
To verify that an entry for a management point has been successfully added to WINS simply use the following command on the WINS server:
netsh wins server show Name name=MP_<SMS_sitecode> endchar=1A
You should see lines similar to the following if the management point has been registered correctly:
Name : mp_C00 [1Ah]
NodeType : 1
State : ACTIVE
Expiration Date : Infinite
Type of Rec : UNIQUE
Version No : 0 29c
RecordType : STATIC
IP Address : 10.5.1.2
Command completed successfully.
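This WINS record decides which server clients treat as the management point, so it is worth checking the registered address as well as the state. The following is an added example, not part of the original article: it parses the netsh output shown above and compares it with the site code and the management point address you expect, both of which are inputs you supply.

```python
import re

# Output copied from the article's own netsh example.
SAMPLE_OUTPUT = """\
Name : mp_C00 [1Ah]
NodeType : 1
State : ACTIVE
Expiration Date : Infinite
Type of Rec : UNIQUE
Version No : 0 29c
RecordType : STATIC
IP Address : 10.5.1.2
Command completed successfully.
"""


def parse_record(output):
    """Turn the 'Key : Value' lines of the netsh output into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def check_mp_record(output, site_code, expected_ip):
    """Return a list of problems; an empty list means the record looks right."""
    fields = parse_record(output)
    name = re.fullmatch(r"(\S+)\s*\[([0-9A-Fa-f]{2})h\]", fields.get("Name", ""))
    if name is None:
        return ["no WINS record found in the output"]
    problems = []
    # NetBIOS names are case-insensitive: the server echoes the name as mp_C00.
    if name.group(1).lower() != f"mp_{site_code}".lower():
        problems.append(f"record name is {name.group(1)}, not MP_{site_code}")
    if name.group(2).upper() != "1A":
        problems.append(f"16th character is {name.group(2)}h, not 1Ah")
    if fields.get("State", "").upper() != "ACTIVE":
        problems.append(f"state is {fields.get('State')}, not ACTIVE")
    if fields.get("IP Address") != expected_ip:
        problems.append(
            f"address is {fields.get('IP Address')}, expected {expected_ip}")
    return problems


if __name__ == "__main__":
    # Site code and address are taken from the article's sample output.
    issues = check_mp_record(SAMPLE_OUTPUT, "C00", "10.5.1.2")
    print("record OK" if not issues else "\n".join(issues))
```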
Proxy Management Points
Although the configuration process for a proxy management point on a secondary site is almost identical to a normal management point, there are some special steps you need to take both before and after you configure the management point, especially if you’re planning on using a local SQL Replica of the parent primary’s site database. To configure a proxy management point:
- Ensure the computer account of the Secondary Site is a member of the “SMS_SiteSystemToSQLConnection_<site_code>” group on the primary the secondary reports to.
- Start a Command Prompt.
- Type “cliconfg” and press return which will display the “SQL Server Client Network Utility” shown in Figure 4.
Figure 4 – SQL Server Client Network Utility
- Ensure that both “TCP/IP” and “Named Pipes” are present in the “Enabled protocols by order” column with TCP/IP being at the top. If either or both of these are shown in the “Disabled protocols” column highlight each in turn and click the “Enable >>” button to move them over to the “Enabled protocols by order” column.
- If either protocol has been enabled you will need to reboot the server to implement the changes.
- From within the SMS Administrator Console navigate to “Systems Management Server | Site Database (<site_code> – <description>) | Site Hierarchy | <site_code – site_name> | Site Settings | Site Systems”.
- Double-click on the server that will host the proxy management point in the right hand window.
- Click the “Management Point” tab.
- Check the “Use this site system as a management point” checkbox on the “Site System Properties” screen shown in Figure 1.
- If the proxy management point is to use the site database server click the “OK” button, at which point you’ll be asked if you want to set this as the default management point (in which case you should click “Yes” on the “Site System” dialog box).
However, if the proxy management point is to use a different database, such as a SQL replica that is local to the proxy management point, select the “Use a different database” option from the “Database:” dropdown. This will display the additional options shown in Figure 5 (such as the name of the SQL Server, database name, authentication type, etc.)
Complete these fields then click “OK” at which point you’ll be asked if you want to set this as the default management point (in which case you should click “Yes” on the “Site System” dialog box).
Figure 5 – Specifying a different database other than the Site database for a proxy management point to use
Once installed (and you’ve left things to settle down for a bit), you’ll probably want to verify that the proxy management point is working. Probably the easiest way of doing this is to use the Management Point Spy (“MPGetPolicy.exe”) tool from the SMS Toolkit 2 as follows:
- From the “Start” menu select “All Programs | SMS 2003 Toolkit 2 | MP Spy”.
- From the “File” menu select “Connect” which will display the “MP Connection” screen.
- Complete the fields on this screen as follows:
- Management point server – The server on which the Proxy management point is running.
- Database Server – The name of the server running the instance of SQL the proxy management point uses.
- Database Name – The name of the SMS database (“SMS_<site_code>” by default).
- Database Authentication Type – Integrated (or Windows), or if you’re using SQL Server authentication you’ll need to enter the relevant user ID and password.
After a short delay the “Policy” window should populate with smiley faces and numerical strings as shown in Figure 6 if the proxy management point is working correctly.
Figure 6 – Populated Policy window showing the proxy management point is working
Once you have finished testing your proxy management point, from the “File” menu select “Exit” then click “Yes” on the “Exit” dialog box.
Looking for trouble
Troubleshooting management points doesn’t have to be difficult, because you have plenty of tools and resources to help you. The first place I normally start is the MPTroubleshooter tool. Here’s how to use it to troubleshoot management point-related problems:
- From the “Start” menu select “All Programs | SMS Toolkit 2 | MPTroubleshooter”, which loads the MPTroubleshooter.
- Click the “Post-Installation” tab which will display the “Connect to SQL” dialog box in which you’ll need to enter the name of the SQL Server containing the SQL database the management point uses and the authentication method before you click the “Connect” button.
- Click the “Post-Installation” tab as shown in Figure 7.
Figure 7 – Post-Installation tab of the MPTroubleshooter
- Select the Site Database (“SMS_<site_code>”), from the “SMS Database Name” dropdown list.
- Select the relevant Site Code from the “Site Code” dropdown list.
- Select the relevant management point from the “Management Point” dropdown list.
- If you’ve changed the TCP port the management point runs under change the port in the “Http Port Number” field.
- Uncheck the “Active Directory is extended” checkbox if you haven’t extended the Schema (doing this removes the “Active Directory FQDN” field).
- Type the FQDN of the management point in the “Active Directory FQDN” field if you’ve left the “Active Directory is extended” checkbox ticked.
- Select “Standard Security” if relevant. If you do, you’ll need to provide the SMS Service account and password in the relevant boxes that appear.
- Once all fields have been completed, click the “Run” button. The tool will run through the checks listed and at the end generate a summary dialog showing how many tasks passed, as well as highlighting any Warnings, Failures and tasks that weren’t applicable.
- Click the “OK” button on the “MPTroubleshooter” dialog box.
- If any Warning or Failure messages are generated, the only way you can view the reasons for these is to click the “Export Results” button.
- When you click the “Export Results” button the “MPTroubleshooter” dialog box is displayed with details of the filename and path containing the export results. Don’t worry about writing this down because as soon as you click the “OK” button Windows Explorer opens in the directory containing the file.
- Double click the “PostInstResults.xml” file to open it.
- Scroll down the file to the relevant test that generated the Warning or Failure where you will see explanatory text.
- Close the XML file, resolve any issues and then re-run the tests to verify the management point meets the post-installation requirements, which in effect means it is functioning.
- Then go into the SMS Admin Console and reset the counts for any management point-related Errors and Warnings under “Site Status”.
In most cases the MPTroubleshooter tool will highlight any issues. If you use this in conjunction with the “Management Point Troubleshooting Checklist” I’ve compiled (which you can find on FAQShop), you should be able to resolve the majority of your management point-related issues.
Chopping up logs
As with other SMS components, management points generate log files. These can be split into two categories and are kept in different locations:
- Setup-related log files (“MPMSI.log”, “MPSetup.log”, “mpcontrol.log” and “SMSExec.log”) which are kept in the “\SMS\Logs” directory on the site server. These are used at the time the management point is created, maintained and uninstalled.
- Functional-related log files (“Ccmexec.log”, “MP_Framework.log”, “MP_GetAuth.log”, “MP_Retry.log” and “MP_Status.log”) which are kept in the “\SMS_CCM\Logs” directory on the management point itself. These are created and written to as the management point performs various functions.
If when you go looking for the logs on your management point you find they’re not in the “\SMS_CCM\Logs” directory you’ll probably find them in the “%windir%\system32\ccm\Logs” directory. This is because if the advanced client is already installed on a machine which later becomes a management point, SMS decides to keep all the logs together.
A quick tip when looking through management point log files for errors is to search on “Return value 3” and the error will be above any lines containing this string.
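The search can be automated across several logs at once. The following is an added example, not part of the original article: it finds each “Return value 3” line and returns the lines directly above it. It assumes that a log may be saved as UTF-16 with a byte-order mark (common for Windows Installer logs) and falls back to a single-byte decoding otherwise; the sample log is constructed.

```python
import codecs
import re
import sys

# Constructed log in the shape of a Windows Installer log; the action names
# and error text are made up for the example.
SAMPLE_LINES = [
    "Action start 10:01:00: SampleActionA.",
    "Action ended 10:01:00: SampleActionA. Return value 1.",
    "Action start 10:01:01: SampleActionB.",
    "SampleActionB: constructed failure text, error 0x80004005",
    "Action ended 10:01:02: SampleActionB. Return value 3.",
    "Action ended 10:01:02: INSTALL. Return value 3.",
]
SAMPLE_LOG = "\r\n".join(SAMPLE_LINES).encode("utf-16")  # BOM + UTF-16

MARKER = re.compile(r"Return value 3\b")


def decode_log(data):
    """Decode log bytes, honouring a UTF-16 or UTF-8 byte-order mark."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    if data.startswith(codecs.BOM_UTF8):
        return data.decode("utf-8-sig")
    return data.decode("latin-1")  # never fails on ANSI logs


def failures_with_context(data, before=5):
    """Return each 'Return value 3' line with the lines that precede it."""
    lines = decode_log(data).splitlines()
    hits = []
    for index, line in enumerate(lines):
        if MARKER.search(line):
            start = max(0, index - before)
            hits.append({
                "line": index + 1,
                "marker": line.strip(),
                "context": [l.strip() for l in lines[start:index] if l.strip()],
            })
    return hits


if __name__ == "__main__":
    # Pass log paths on the command line, or run with none to see the sample.
    sources = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_LOG]
    for data in sources:
        for hit in failures_with_context(data):
            print(f"line {hit['line']}: {hit['marker']}")
            for ctx in hit["context"]:
                print(f"    {ctx}")
```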
In addition to the logs mentioned above, you’ll also probably want to check out the Management Point File Dispatch Manager log (“mpfdm.log”), on the site server which is written to as the management point and site server communicate with each other.
It’s also worth checking out the IIS Log file “%windir%\system32\LogFiles\W3SVC1\<date>.log” when troubleshooting management point issues (one log file is generated for each day in the format “exYYMMDD.log”).
Microsoft Knowledge Base article 867490 “A list of log files that are created in Systems Management Server 2003” contains a list of SMS Log files including those for management points so it’s worth checking this out to help you understand the management point log files and other SMS-related logs.
In this article we looked at installation and configuration of Management Points as well as troubleshooting.
On the installation front consider installing your management points on the site server wherever possible. You should run the MPTroubleshooter’s pre-installation checks before installing your management point to ensure the server you plan to become a management point is capable of hosting the role.
Installing a management point is easily achieved through the SMS Administrator Console. You can verify the installation through the presence of the Status Message “1015” and/ or through the Site Component log file.
Use the interactive Command Prompt to verify that your management point can communicate with the site server. Also verify the management point entry can be published to Active Directory using ADSIEdit.
Configure your management point to allow advanced clients to locate it using DNS rather than NetBIOS by specifying a FQHN.
Installing a proxy management point is almost identical to installing a normal management point except you need to ensure both TCP/IP and Named Pipes are enabled. Once installed you can verify the installation using the Management Point Spy utility from the SMS 2003 Toolkit 2.
Using the MPTroubleshooter in conjunction with the Management Point Troubleshooting Checklist on FAQShop should allow you to resolve the majority of your management point-related issues.
Table 2 includes links to all of the resources mentioned throughout this article in alphabetical order.
| Resource | URL |
|---|---|
| Management Point Troubleshooting Checklist | http://www.faqshop.com/wp/sms/sms2003/sms2003trobshoot/sms2003mps/management-point-troubleshooting-checklist |
| Microsoft KB article 867490 | http://support.microsoft.com/default.aspx?scid=kb;en-us;867490 |
| Microsoft KB article 883620 | http://support.microsoft.com/kb/883620/en-us |
| SMS 2003 Toolkit 2 | http://www.microsoft.com/downloads/details.aspx?FamilyID=61E4E21F-2652-42DD-A04D-B67F0573751D&displaylang=en |
| SMS Home Page | http://www.microsoft.com/smserver/default.mspx |
| Windows Management User Group (WMUG) | http://www.wmug.co.uk |
Table 2 – Useful Resources
About the Author
Cliff Hobbs is a 9 times Microsoft Most Valuable Professional (MVP), the first to be awarded in the UK for Microsoft System Center Configuration Manager (ConfigMgr) and Systems Management Server (SMS).
He has worked as a Consultant with SMS since version 2.0 (over 13 years) and ConfigMgr/ SCCM during which time he has gained extensive experience of designing, deploying, and supporting large enterprise-wide systems management solutions on behalf of many companies such as Microsoft, HP, EDS, Getronics, 1E and Abbey across multiple industry sectors.
As well as running FAQShop.com in his spare time Cliff enjoys travel and photography with his wife and son.