This article is a reproduced version of the “Talking Points” article I wrote for Server Management Magazine back in October 2007. Thumbnails of the actual pages from the magazine are included at the end of the article which can be clicked to view the full sized versions.
Site Servers are busy machines so how can your advanced clients get a word in? The answer is to provide them with an assistant.
BY CLIFF HOBBS
Many of the tasks faced by the Systems Management Server (SMS) Administrator are reasonably straightforward because they solve specific problems. One thing that can cause rather more confusion is management points, a concept introduced in SMS 2003. Because of the complexity of management points, this article is split into two parts. This part runs through basics and discusses design issues. In Part II we look at installation, administration and troubleshooting.
I’m assuming you understand SMS basic terminology such as site, site server, advanced client, etc. If you’re unsure about any of these terms, check the product documentation or visit FAQShop (where you can also post questions).
Management points use Microsoft’s Internet Information Services (IIS), something we as SMS Administrators haven’t had to deal with in the past. It’s taken many SMS Admins a while to get to know enough about SQL just to get by and get their SMS Site up and running. Now that management points and IIS have been added to the mix it is only inevitable that problems will arise.
Let’s start with the most obvious question: Why do I need a Management Point?
The answer is simple. Without a management point, any advanced clients wanting to ‘talk’ to your SMS site server are unable to.
So why can’t advanced clients talk directly to the site server, you might ask? Well, think of your site server as the chairman of your company, who doesn’t have time to talk to all of their employees, customers and suppliers directly. Instead they rely heavily on their Personal Assistant (PA) to manage their diary, screen calls and feed through only the important information. Think of the PA as the management point in your SMS site, and the chairman as the site server, and you won’t go far wrong.
In SMS terms, the site server sends policy changes and advertisements to the management point from where they are retrieved by advanced clients. These in turn upload discovery data, inventory data, and status messages to the management point, which communicates with the site server. In addition, management points provide advanced clients with a list of distribution points, from which they can run the programs advertised to them.
You also have to remember that the site server is doing a lot of other jobs, such as managing information that needs to be sent to and received from any child sites, providing remote control and running maintenance tasks. Without some sort of intermediary the site server would never get through these tasks, as it would be constantly bombarded with advanced clients wanting to talk to it.
Management points come in three types:
- Assigned/ default management point
- Proxy management point
- Resident management point
Assigned/ default management point – These are the management points within the SMS site that advanced clients connect to by default.
Proxy management point – Advanced clients can only be assigned to primary sites (for a client to be managed by SMS it has to be assigned to, i.e. belong to, an SMS site, from which it receives its settings such as how often it runs inventory scans, how often it checks for new adverts and who can remote control the client).
However, in those cases where you have advanced clients at the same physical location as a secondary site, or when an advanced client roams to a location covered by a secondary site, by default the clients communicate with the management point on the primary (for example to obtain policy information, lists of available distribution points for assigned packages, or upload inventory and status messages).
As Figure 1 shows, this is done on a per-client basis, at random, and the data isn’t compressed in any way, all of which can lead to network performance problems.
Figure 1 – Behaviour of advanced clients without a proxy management point
To help reduce some of the traffic a proxy management point can be created on the secondary site as shown in Figure 2.
Figure 2 – Behaviour of advanced clients with a proxy management point
Once the proxy management point has been created, advanced clients retrieve policy information from the proxy management point, which in turn queries the SQL database on the primary directly on the client’s behalf. Advanced clients upload their data to the proxy management point rather than the management point on the primary.
In this way the proxy management point can bundle up the data it receives from the clients and forward it to the primary using the secondary site’s sender, which automatically compresses the data and lets you control the amount of bandwidth SMS can use on the WAN link and, if necessary, the times at which SMS can use it. In the majority of cases, configuring a secondary site as a proxy management point is highly recommended.
Resident management point – This is the management point the client connects to in the site the client has roamed to. When an advanced client roams, rather than connecting back to its assigned management point in its ‘home’ SMS site (which may be across one or more WAN links), the client connects to the management point in the boundaries being managed by the SMS site it has roamed to. The client will use this management point (the resident management point) to send and receive information such as status messages and inventory.
Microsoft recommends one management point for every 25,000 clients. The number that’s ‘right’ for you depends on many factors.
Remember that you only need management points for advanced clients, so if you are only managing legacy clients you don’t need to worry about them. However, if you are managing advanced clients or a mixture of advanced and legacy clients, you’ll need to configure a management point on every primary site to which advanced clients are assigned or could roam. Typically all of your site servers (apart from your central site, assuming it isn’t managing any directly assigned clients) will be configured as management points.
You may not need to install proxy management points on all of your secondaries; the decision depends on the number of clients managed by the secondary and the speed and utilisation of the WAN link between the secondary and its parent primary. If you don’t configure a secondary as a proxy management point, all management point-related traffic will cross your WAN between your advanced clients and their management point with little or no control. One of the easiest ways to determine your management point requirements (and indeed other SMS requirements), is to use Microsoft’s SMS 2003 Capacity Planner tool.
Although the proxy management point does query the primary directly, it is also capable of caching some policy information locally. In this way, if an advanced client requests policy data that’s already in the proxy management point’s cache, the proxy management point doesn’t need to query the management point on the primary. And the proxy can act as a ‘funnel’ for all of the advanced client data, such as inventory and status messages, that need to go to the primary; and it uses the secondary’s sender to achieve this.
So what happens if you have advanced clients located on a boundary managed by a secondary with a proxy management point, and that proxy management point fails? Will the advanced clients automatically failover to their assigned site’s management point? The answer is no. This may seem strange but the reason you installed a proxy management point in the first place was to regulate the flow of traffic from your advanced clients at the secondary to prevent them crossing the WAN to talk to their assigned site’s management point. If the proxy management point fails, your advanced clients will simply wait for it to become available again.
The communication between the proxy management point and the SQL database on the parent primary doesn’t use Background Intelligent Transfer Service (BITS) to query the parent primary’s database, so it cannot be controlled in the same way that BITS traffic can. Note that site servers are not assigned the management point role by default.
Before you start
Before you can install a management point, the server you plan to configure as the management point has to:
- Be running Windows 2000 Server, Advanced Server, Datacenter Server with SP4, or a later OS installed (such as Windows 2003 Server).
- Have at least one NTFS partition.
- Have IIS 5.0 or 6.0 installed and enabled.
- Have SQL Server named pipes enabled (not required for SQL 2005).
- Have Microsoft Data Access Components (MDAC) 2.6 SP2 installed at a minimum, although Microsoft recommends MDAC 2.8 SP1 as a minimum.
In addition you need to ensure that SMS has administrative access to the machine you plan to make a management point. You do this by adding either the site server’s machine account (for Advanced security) or the ‘SMS Service’ account (or equivalent, if you’re using Standard security) to the local ‘Administrators’ group on the machine that will be hosting the management point.
If you’re using standard security, make sure the values for the ‘Temp’ and ‘TMP’ variables don’t contain spaces otherwise the installation will fail as detailed in Microsoft Knowledge Base article 838437 (see the ‘Useful links’ table at the end of this article for the links to this and other resources mentioned throughout this article).
Finally, ensure that the following services are started:
- Distributed Transaction Coordinator
- Task Scheduler
- Windows Management Instrumentation (WMI)
- World Wide Web Publishing Service
SMS requires the following user rights both for installation and day-to-day use for the ‘IWAM_<MP_computer>’, ‘IUSR_<MP_computer>’, ‘Local System’, and ‘Network’ accounts:
- Access this computer from the network
- Allow log on locally
- Bypass traverse checking
- Impersonate a client after authentication
- Log on as a batch job
- Log on as a service
- Replace a process level token
You also need to ensure that group policies or your security settings don’t disable any of the services mentioned above. There’s an easy way to check that the server you plan to use as a management point meets these requirements. You simply use the MPTroubleshooter tool (Figure 3), which is included as part of the free SMS 2003 Toolkit 2. This tool can also help in troubleshooting management point-related issues.
Figure 3 – The Management Point Troubleshooter Tool
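The prerequisite checklist above can be scripted as a pre-flight check. The PowerShell script below is an added example written for this article; it is not the MPTroubleshooter and not part of the SMS 2003 Toolkit. It assumes it is run locally on the candidate server, that the IIS 6 metabase is readable through the ADSI provider, and that ‘DOMAIN\SITESERVER$’ is a placeholder for your site server’s machine account (Advanced security).

```powershell
# Added example: pre-flight check for a prospective SMS 2003 management point.
# Not from the article or the SMS Toolkit. 'DOMAIN\SITESERVER$' is a placeholder.
param([string]$SiteServerAccount = 'DOMAIN\SITESERVER$')

$failures = 0
function Report([string]$Name, [bool]$Ok, [string]$Detail = '') {
    $state = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0,-4} {1} {2}" -f $state, $Name, $Detail)
    if (-not $Ok) { $script:failures++ }
}

# 1. The four services the article says must be started.
$required = @{
    'MSDTC'    = 'Distributed Transaction Coordinator'
    'Schedule' = 'Task Scheduler'
    'winmgmt'  = 'Windows Management Instrumentation'
    'W3SVC'    = 'World Wide Web Publishing Service'
}
foreach ($svc in $required.Keys) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Report $required[$svc] ($s -ne $null -and $s.Status -eq 'Running') "($svc)"
}

# 2. At least one local fixed disk formatted NTFS.
$ntfs = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
        Where-Object { $_.FileSystem -eq 'NTFS' }
Report 'NTFS partition present' ($ntfs -ne $null)

# 3. IIS 5.0 or 6.0 installed (version is recorded under the InetStp key).
$inet = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
$iisOk = ($inet -ne $null) -and (@(5, 6) -contains $inet.MajorVersion)
Report 'IIS 5.0/6.0 installed' $iisOk ("MajorVersion=" + $inet.MajorVersion)

# 4. TEMP/TMP must not contain spaces (KB 838437, Standard security).
foreach ($v in 'TEMP', 'TMP') {
    $val = [Environment]::GetEnvironmentVariable($v, 'Machine')
    Report "$v has no spaces" ($val -ne $null -and $val -notmatch ' ') $val
}

# 5. Anonymous access still enabled on the Default Web Site: metabase AuthFlags
#    bit 1 = anonymous. Disabling it breaks the management point.
try {
    $site = [ADSI]'IIS://localhost/W3SVC/1/Root'
    Report 'Anonymous access on Default Web Site' (($site.AuthFlags.Value -band 1) -eq 1)
} catch { Report 'Anonymous access on Default Web Site' $false 'metabase not readable' }

# 6. Site server machine account is in the local Administrators group.
$members = (net localgroup Administrators) 2>$null
Report "$SiteServerAccount in local Administrators" ($members -contains $SiteServerAccount)

Write-Host "$failures check(s) failed"
exit $failures
```

The user-rights assignments listed above (‘Log on as a batch job’ and so on) are not checked here; the MPTroubleshooter covers those.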
You can define more than one management point per site, but as advanced clients can only use the default management point and there can only be one, you have to use Network Load Balancing (NLB) in order to support more than one management point at a time and to provide fault tolerance.
NLB allows you to combine up to four management points and allocate a virtual IP address. The management points in the NLB cluster need to be on the same subnet.
You should only need to use an NLB cluster in very large environments (such as where you have more than 25,000 advanced clients to be serviced by a management point), or if you want to provide load balancing/ fault tolerance for your management point.
To the clients, the clustered management point is just like any other management point, as it has a single IP address. The clever part, the load balancing, is performed by the cluster, which distributes client requests between the servers in the cluster and redirects requests only to servers that are up and running at the time of the request. You can learn more about NLB in the ‘Network Load Balancing: Frequently Asked Questions for Windows 2000 and Windows Server 2003’ document.
Note that Windows Clustering is not supported for management point failover. NLB is the only supported clustering method for management point failover.
You can configure a SQL replica of the site database on a machine that is local to the management point. This way, rather than the management point having to cross the WAN each time it needs to query the site database it can query the local copy of the database, which is updated on the schedule you define when you create the replica.
Microsoft has published the ‘Configuring Microsoft SQL Server 2000 Replication for a System Management Server (SMS) 2003 Management Point’ whitepaper, which contains details of setting up SQL replication for your management points should you wish to do so.
Management points need to be configured in IIS. The SMS-specific IIS lockdown tools included with the SMS Toolkit 2 are designed to configure IIS so that any IIS functions unnecessary for SMS are disabled. Although these tools aren’t mandatory, I recommend you always use them on servers dedicated to SMS. Two lockdown tools are included in the SMS 2003 Toolkit 2:
- IIS Lockdown – Use this for servers running Windows 2000/ IIS 5.0 that will be running site systems that use IIS such as management points, BITS-enabled distribution points, reporting points and server locator points.
- URLScan – This is the same as IIS Lockdown but for servers running Windows 2003/ IIS 6.0.
If you are hosting other applications/ web sites on the same server on which you have installed SMS and IIS, take care when using the Lockdown tools as they have the potential to ‘break’ other applications. This doesn’t mean you shouldn’t use the SMS Lockdown tools; you just need to test that implementing them doesn’t break something else. I recommend installing SMS site servers on dedicated hardware wherever possible to avoid problems like this.
Any site systems that need IIS have to use the IIS default web site. If you disable anonymous access in IIS to the default web site you’ll break your management point. The advanced client uses the following two accounts to communicate with IIS/ the management point:
You can change the accounts that advanced clients use to communicate with the management point, but it’s better not to. If you really want to change accounts make sure you create the accounts in IIS and configure them for the default web site first. You can then carry on and install the management point. The same technique is required for any other site system that relies on IIS such as a distribution point with BITS enabled or a reporting point.
How to avoid problems
As the management point acts as the intermediary between advanced clients and the SMS site server, any failure or malfunction on its part can have a severe impact on the operational effectiveness of SMS. Below is a summary of how to avoid this happening:
- Configure management points only if you are managing advanced clients.
- Install management points (and indeed all SMS components), on dedicated hardware wherever possible.
- Use the SMS 2003 Capacity Planner tool to determine whether you would benefit from configuring your secondary site(s) as a proxy management point to introduce a degree of control over communications between advanced clients and their management point and to reduce the impact on WAN links.
- Understand that a single management point can handle up to 25,000 clients.
- Understand the pre-requisites in terms of OS, software, security and services to ensure successful installation and operation of the management point.
- Use the IIS Lockdown tools from the SMS Toolkit 2 to ensure that only the IIS functions required by SMS are enabled.
- Use the MPTroubleshooter from the SMS 2003 Toolkit 2 to ensure a server proposed as a management point meets the requirements.
- Only use the default IIS web site and don’t restrict anonymous access.
| Resource | Link |
| --- | --- |
| Configuring Microsoft SQL Server 2000 Replication for a SMS 2003 Management Point whitepaper | http://www.microsoft.com/downloads/details.aspx?familyid=51ecb794-d25f-46b6-aa8e-072d91069e1c&displaylang=en |
| Microsoft KB article 838437 | http://support.microsoft.com/kb/838437/en-us |
| NLB FAQs for Windows 2000 and Windows Server 2003 | http://technet.microsoft.com/en-us/library/cc758834(v=ws.10).aspx |
| SMS 2003 Capacity Planner | http://www.microsoft.com/downloads/details.aspx?familyid=009e0c30-bded-4b95-a8f9-06037de85c57&displaylang=en |
| SMS 2003 Toolkit 2 | http://www.microsoft.com/downloads/details.aspx?FamilyID=61E4E21F-2652-42DD-A04D-B67F0573751D&displaylang=en |
| SMS Home Page | http://www.microsoft.com/smserver/default.mspx |
| Windows Management User Group (WMUG) | http://www.wmug.co.uk |
Table 1 – Useful Resources
About the Author
Cliff Hobbs is a 9 times Microsoft Most Valuable Professional (MVP), the first to be awarded in the UK for Microsoft System Center Configuration Manager (ConfigMgr) and Systems Management Server (SMS).
He has worked as a Consultant with SMS since version 2.0 (over 13 years) and ConfigMgr/ SCCM during which time he has gained extensive experience of designing, deploying, and supporting large enterprise-wide systems management solutions on behalf of many companies such as Microsoft, HP, EDS, Getronics, 1E and Abbey across multiple industry sectors.
He has the ability to quickly learn and understand new concepts and is equally comfortable working alone, as part of a team, or in a management role in technically demanding environments to deliver quality solutions that meet customer requirements.
As well as running FAQShop.com in his spare time Cliff enjoys travel and photography with his wife and son.