This contains information that I compiled in June of 2006 to plan, test, and complete the upgrades of my SMS servers from Windows 2003 and SMS 2003 SP1 to Windows 2003 SP1 and SMS 2003 SP2. The information is not my own; it is the hard work of several individuals in the Microsoft Systems Management Server Documentation team as well as SMS Engineers that work in the field. I compiled this information into Microsoft Office OneNote for my own reading and execution but I am not the author. This is provided to help anyone who needs this information to upgrade their own servers. Some or all parts of this documentation may be copyright protected. And finally, this information is provided “AS IS”; neither I nor my employer can be held liable for any damages, wrong information, or misleading information, and no warranties or guarantees are implied. That being said, if you have any questions regarding this process or document feel free to email me.

 

SMS 2003 SP2 Upgrade Checklist

This document outlines the steps you should take to upgrade from Microsoft Systems Management Server (SMS) 2003 to Microsoft Systems Management Server 2003 Service Pack 2 (SP2). This document is intended to provide a high-level checklist of items to consider when upgrading to SMS 2003 SP2. This document is not intended to provide support for a new installation of SMS 2003 SP2 or for upgrading from SMS 2.0.

 

For a complete discussion about planning for an implementation or upgrade of SMS, especially if you are deploying a new installation of SMS 2003 SP2 rather than an upgrade, review the Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment guide, which is available for download from the SMS Product Documentation Web page at http://go.microsoft.com/fwlink/?LinkId=9502.

 

In this document:

Changes in SMS 2003 SP2

Preparing to Upgrade to SMS 2003 SP2

Upgrading the SMS 2003 Site to SP2

Upgrading Legacy Clients

Upgrading Advanced Clients

 

Changes in SMS 2003 SP2

Microsoft introduced several changes with SMS 2003 SP2. These changes have been outlined in detail in the What's New in SMS 2003 Service Pack 2 document included with the SMS 2003 SP2 source files, and can be downloaded from the SMS Product Documentation Web page at http://go.microsoft.com/fwlink/?LinkId=9502. It is recommended that you read that document before you upgrade your SMS 2003 site.

 

This section describes the changes in SMS 2003 SP2 that affect the upgrade process.

New Update.exe Upgrade Method

There are now two methods to upgrade from SMS 2003 RTM or SMS 2003 SP1 to SMS 2003 SP2: interactive setup run from the installation CD, which is the same as upgrading to a newer SMS 2.0 or previous SMS 2003 service pack, and the new Update.exe upgrade method, run from extracted installation files or the update folder on the service pack CD.

 

SMS 2003 SP2 can be downloaded from the Microsoft website as a file named SMS2003SP2.exe. To manually extract the installation files to a folder use the /X:path parameter where path is the location where you want to extract the files. Update.exe can be run with the /passive or /quiet switches to upgrade your site. The /quiet switch is completely unattended and hidden, while the /passive switch displays a progress bar during the upgrade process. These switches can also be placed on the command line for SMS2003SP2.exe, and will launch Update.exe with the appropriate switches after automatic extraction to a temporary folder has completed.

 

Platform Changes in SP2: Site System Operating System Support

 

Before upgrading your site to SMS 2003 SP2, ensure that all of your site system operating systems are at least Windows 2000, Service Pack 4. SMS 2003 SP2 site system roles are only supported on systems running Windows 2000, Service Pack 4, or later.

 

Platform Changes in SP2: Advanced Client Support

 

SMS 2003 SP2 no longer supports SMS Advanced Client installation on workstations running Windows 2000, Service Pack 3 or earlier or Windows XP with no service pack installed. Before attempting to upgrade your SMS site, you should install Windows 2000 Service Pack 4 and at least Service Pack 1 for Windows XP systems if possible.

 

Alternatively, if you upgrade the site to SMS 2003 SP2, the computers running unsupported operating systems will not install the SMS 2003 SP2 client. These clients will have reduced SMS functionality while in this state, and should be upgraded to a supported operating system, or service pack, and then upgraded to SMS 2003 SP2, to receive full SMS client functionality.

 

SMS 2003 SP2 provides support for 64-bit server platforms as SMS Advanced Clients. It also offers limited support for Vista and Longhorn clients as an SMS 2003 Advanced Client. Full product support for Vista and Longhorn clients will be provided in SMS 2003 SP3.

 

Platform Changes in SP2: Legacy Client Support

 

SMS 2003 SP2 no longer supports the SMS Legacy Client on computers that are capable of running the SMS Advanced Client, such as computers running the Windows 2000 or later operating system. If you have SMS Legacy Clients that fall into this category, you must upgrade them to the SMS Advanced Client when you upgrade their assigned site to SMS 2003 SP2. Until you upgrade those Legacy Clients to the Advanced Client, they cannot receive client agent hotfixes, although they will continue to be managed by SMS. (For example, Legacy Clients can receive a package that upgrades them to the SMS Advanced Client.) Where possible, upgrade these clients before you upgrade your SMS site, and refer to the “Upgrade Legacy Clients” section of this document for more information.

 

For Legacy Client installation on systems running Windows 98, Internet Explorer 5.5 or above must be installed.

 

Inventory Tool for Microsoft Updates

 

SMS 2003 SP2 includes an updated version of the Inventory Tool for Microsoft Updates (ITMU), with hotfixes and updates to the product since its initial release. Installation of the ITMU is an optional installation choice from the setup.exe splash screen. This version of the ITMU requires no updates to the SMS environment before installation can occur. However, you must upgrade your site and clients to SMS 2003 SP2 before upgrading or installing the new version of Inventory Tool for Microsoft Updates. An upgrade using the Update.exe upgrade method does not install the Inventory Tool for Microsoft Updates automatically. To manually install the Inventory Tool for Microsoft Updates, you must run Autorun.exe and choose the Inventory Tool for Microsoft Updates option from the SMS Setup splash screen, or run SMSITMU.msi directly from the Scantools folder of the extracted files.

 

Advanced Security Implementation

 

During an upgrade to SMS 2003 SP2, if the site being upgraded is running in standard security, and the requirements for an advanced security implementation are met, setup will state the site will be migrated to advanced security. This migration is optional and can be cancelled during the upgrade process.

 

Preparing to Upgrade to SMS 2003 SP2

 

Plan for your upgrade to SMS 2003 SP2 as you would plan for a new installation of SMS 2003, and read the planning recommendations presented in Scenarios and Procedures for Systems Management Server 2003: Planning and Deployment.

 

This section is intended to highlight some of the most significant content from that guide, which you might want to consider before you upgrade from SMS 2003 to SMS 2003 SP2.

 

As you plan your upgrade strategy, consider the following:

  • You can upgrade your SMS sites first, or you can upgrade your SMS clients first, depending on the needs of your organization—provided that both clients and sites are running SMS 2003. However, you will not be able to take advantage of the new features in SP2 until the clients and sites are upgraded.
  • Upgrade the SMS sites in your hierarchy, beginning with the central site, followed by the SMS sites in each subsequent level.
  • As discussed in the section “Platform Changes in SP2 (Legacy Client)” earlier in this document, before you upgrade your SMS site, upgrade Legacy Clients deployed to computers running the Windows 2000 operating system or later.
  • Every site and Advanced Client in the SMS site hierarchy needs to be configured to use the same HTTP port. Although SMS 2003 SP1 and SP2 allow you to change the default HTTP port, do not do this until all sites and clients in the SMS hierarchy have been successfully upgraded to SMS 2003 SP2 or, at a minimum, are running SMS 2003 SP1.
  • Do not reassign an Advanced Client from a site that uses client authentication and data encryption to a site that does not, because Heartbeat Discovery and inventory data will be rejected.
  • Upgrade each remote SMS Administrator console to the SMS 2003 SP2 version. You cannot access an SMS 2003 SP2 site by using an SMS 2003 Administrator console.

 

Before you can upgrade your SMS site, you must first perform the following steps:

  • Ensure your site meets all support prerequisites.
  • Determine readiness for SMS 2003 SP2 upgrade.
  • Disable Microsoft® SQL Server™ replication of the SMS site database, if you enabled it.
  • Test the database upgrade process.

 

Ensure Your Site Meets All Support Prerequisites

 

For detailed information about operating systems that are supported for SMS servers and clients, see SMS 2003 Supported Configurations. This document can be downloaded from the SMS Product Documentation Web page at http://go.microsoft.com/fwlink/?LinkId=9502.

 

The SMS site server and site system roles must be installed on computers running any of the following operating systems:

  • Microsoft Windows® 2000 Server, Service Pack 4 or later.
  • Windows 2000 Advanced Server, Service Pack 4 or later.
  • Windows 2000 Datacenter Server, Service Pack 4 or later.
  • Windows Server™ 2003, Standard Edition.
  • Windows Server 2003, Enterprise Edition.
  • Windows Server 2003, Datacenter Edition.
  • Windows Virtual Server 2005 SP1 or later
  • All SMS 2003 SP2 site system roles are only supported on systems running Windows 2000, Service Pack 4 or later.

 

To verify the service pack support dates, visit the Lifecycle Supported Service Packs Web site at http://go.microsoft.com/fwlink/?LinkID=31975. For additional information about Microsoft’s support lifecycle policy, visit the Microsoft Support Lifecycle Support Policy FAQ Web site at http://go.microsoft.com/fwlink/?LinkId=31976.

 

The SMS 2003 SP2 site database can be hosted by any of the following Microsoft SQL® Server versions:

  • Microsoft SQL® Server 7.0, Service Pack 3 or later.
  • Microsoft SQL® Server 2000, Service Pack 3a or later.
  • Microsoft SQL® Server 2005 (Yukon)

 

Determine Readiness for SMS 2003 SP2 Upgrade

 

If the site being upgraded is already running SMS 2003 SP1, you are not required to run the Deployment Readiness Wizard (DRW) to validate that the site is ready to upgrade to SP2. DRW is only required when upgrading from SMS 2003 RTM to SMS 2003 SP2. The DRW has been updated to support SMS 2003 SP2, specifically to cover the new client operating system requirements.

If you are upgrading a site other than SMS 2003 SP1 using the /quiet switch, setup will fail unless you first run the DRW manually. When using the /passive switch on a site other than SMS 2003 SP1, the DRW setup wizard page will appear during the upgrade process. You must select Run Now and continue. If you cancel the wizard at this point, setup will abort.

 

You can run the DRW.exe file manually from the following folder on the SMS 2003 SP2 product CD: SMSSETUP\BIN\I386\.

 

To run the SMS 2003 SP2 Deployment Readiness Wizard on a Primary Site

  • Start DRW.exe on the primary site.
  • On the Welcome page, click Next.
  • If you have child secondary sites, you will see a Site Selection page. Select a site to analyze, select Analyze this primary site, and then click Next. You must complete this step for every child secondary site you want to upgrade.
  • On the Tests page, select the tests that you want to run and then click Next.
  • On the Completing the Systems Management Server 2003 Deployment Readiness Wizard page, click Finish.

 

The SMS 2003 Deployment Readiness Wizard runs the selected tests. After completion, you can view the detailed test results by selecting the site and clicking Details.

 

To run the SMS 2003 SP2 Deployment Readiness Wizard on a Secondary Site

1.       On the parent primary site for the secondary site, start DRW.exe.

2.       On the Welcome page, click Next.

3.       On the Site Selection page, select the secondary sites to analyze and then click Next.

4.       On the Tests page, select the tests that you want to run and then click Next.

5.       On the Completing the Systems Management Server 2003 Deployment Readiness Wizard page, click Finish.

 

Disable SQL Replication of the SMS Site Database If You Enabled It

 

You must disable SQL Server database replication before you upgrade and then reconfigure it when the upgrade is complete.

 

To disable SQL Server replication:

1.       In the SQL Server Enterprise Manager, select the SMS site database server (the publisher).

2.       On the menu bar, select Tools, select Replication, and then select Disable Publishing.

3.       On the Welcome to the Disable Publishing and Distribution Wizard page, click Next.

4.       On the Disable Publishing page, select Yes, disable publishing and then click Next.

5.       On the Confirm Dropping of Publications page, click Next.

6.       On the Completing the Disable Publishing and Distribution Wizard page, click Finish. If the wizard displays a message that the database is in use, click OK and then click Cancel on the Completing the Disable Publishing and Distribution Wizard page. Refresh the SQL Server Enterprise Manager to verify that the publication has been removed.

 

Replication is now disabled, and you can upgrade your site. After the site has successfully upgraded, you can reconfigure SQL Server database replication.

 

To confirm that the upgrade has completed, refer to the “Determining that SMS Setup Has Completed” section, later in this document. For detailed information about configuring SQL Server database replication for SMS management points, see the white paper, Configuring Microsoft SQL Server 2000 Replication for a System Management Server (SMS) 2003 Management Point, located at http://go.microsoft.com/fwlink/?LinkId=41116.

 

Note

You should also manually delete any subscription information on remote subscribers. For more detailed information about how to manually disable SQL Server database replication, see the Microsoft Knowledge Base article number 324401 located at http://go.microsoft.com/fwlink/?LinkId=39603. In addition, refer to the information contained in your Microsoft SQL Server 2000 documentation.

 

Test the Database Upgrade Process

 

With the /testdbupgrade setup switch, you should test the SMS site database upgrade on a backup copy of the SMS site database, as in the following example:

 


Setup.exe /testdbupgrade SMS_<sitecode>

 

 

After successfully running the database upgrade test, you are assured that the database portion of the upgrade process will be successful. You can review the results of the test in SMSsetup.log, which is in the root of the system drive.

 

Caution

After running the /testdbupgrade setup switch, your SMS site database will not be compatible with earlier versions of SMS if you do not complete the upgrade, so make sure to run this on a copy of your SMS site database rather than on the original.

 

Due to changes in how SMS inventories data, the SMS upgrade process needs to move significant amounts of data within the SMS site database. Depending primarily on how many computers and how much inventory data is in the SMS site database, the SQL Server data and/or log files can grow significantly.

 

Record the size of the SQL Server data and log files, both before and after, using setup with the testdbupgrade switch to determine the amount of disk space required for the upgrade to succeed. Before upgrading your site, ensure that SQL Server is configured to autogrow and that sufficient disk space is available on the computer running SQL Server, for both the upgrade activity and the subsequent storage of software inventory that is reported from clients.

 

To test the SMS 2003 site database by using /testdbupgrade

 

1.       Back up your SMS site database.

Obtain a copy of the SMS site database backup created by a recent SMS backup task.

- OR -

Stop all SMS services on the SMS site server and SQL Server, and then use SQL Server Enterprise Manager to back up the SMS site database.

Note

Setup /testdbupgrade fails on SMS site databases that are restored from an SMS 2003 site database with SQL Server database replication enabled.

Disable publishing on the SMS 2003 site database before you back up the SMS site database.

2.       On another computer running the same version of SQL Server, restore the database you just backed up as follows:

a.       Manually create a new database with the same name as the one you backed up. Default data/log file sizes of 1 MB are adequate.
Or, if testing on the same server, detach the database and then create the database and restore.

b.       Copy the database backup file from the SQL Server database to a local drive on the test computer running SQL Server.

c.       Restore the database using SQL Server Enterprise Manager. Because the drive letters might be different on your test computer that is running SQL Server, you might need to modify the destination drive and file properties during the restore operation.

3.       On the restored SQL Server database, type the following at the command prompt: setup.exe /testdbupgrade <database name>.

4.       Review test results in SMSSETUP.log on the root of the C drive.

 

Setup.exe in the command line above should be run from an upgrade CD or extracted SP2 files from the service pack download. Any problems you encounter during the test upgrade must be corrected before you upgrade your production site. You can review the results of the test in SMSsetup.log, which is in the root of the system drive.

 

Upgrading the SMS 2003 Site to SP2

 

After you have completed the planning requirements listed earlier in this document, you can upgrade your SMS 2003 site to SMS 2003 SP2. You must begin your upgrade with the central site in your SMS site hierarchy and then upgrade child sites using a top-down approach. SMS Setup does not provide an automated upgrade for secondary sites, so you must manually upgrade each secondary site. For a detailed discussion about upgrading your site and running setup, see Appendix H, “Upgrading to SMS 2003,” in Scenarios and Procedures for Systems Management Server 2003: Planning and Deployment.

 

Any non-SMS files or folders that are in the SMS 2003 folder structure will be deleted when SMS 2003 is upgraded or removed. To avoid removing non-SMS data when SMS is upgraded or removed, install SMS in a folder that does not contain other application or data files. Also, do not install other applications into SMS folders.

 

Note

If you have previously used the automated Backup SMS Site Server database maintenance task, copies of all files in the SMS site server folder tree are included in your SMS backup.

 

To start the upgrade process:

      1. Run Autorun.exe from the SMS 2003 SP2 Upgrade CD. Alternatively, you can download SMS 2003 SP2 from the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=6108, or you can order an SMS 2003 SP2 upgrade CD from Microsoft.
      2. If the upgrade site is not already running at least SMS 2003 SP1, setup prompts you to run the Deployment Readiness Wizard. If the Deployment Readiness Wizard completes with no errors, the upgrade continues. If there are any errors, you must first correct the errors before you can complete the upgrade.
      3. All SMS services are uninstalled and then reinstalled on all SMS site systems.
      4. Complete this process for every primary site in your SMS site hierarchy.

 

Upgrade Secondary Sites to SMS 2003 SP2

 

1.       Run the SMS 2003 SP2 Setup.exe on each primary site in the hierarchy. The parent primary site must be upgraded to SMS 2003 SP2 before upgrading secondary sites that report to it.

2.       Run the Deployment Readiness Wizard against the secondary site by starting it on the primary site server, as outlined in the section “Determine Readiness for SMS 2003 SP2 Upgrade” earlier in this document.

3.       Upgrade the secondary site by running the SMS 2003 SP2 Autorun.exe or Update.exe on the secondary site server, or initiate the upgrade from the parent primary site of the secondary site server by using the SMS Administrator console.

 

Determining That SMS Setup Has Completed

 

After you apply SP2, wait at least 30 minutes before opening the SMS Administrator console, running a site reset, or performing any other site configuration change or operation. This waiting period allows the initial SMS configuration processes, carried out by the SMS Executive and SMS Site Component Manager services, to complete. You can verify whether these processes are completed by checking the level of CPU activity on your computer or Task Manager for running upgrade processes during the SMS service installation. When the activity level returns to normal, you can open the SMS Administrator console.

 

You can check C:\SMSSetup.log for the SMS Setup completed successfully entry. This entry indicates that SMS Setup.exe has completed its tasks. However, this does not always mean that other SMS processes have completed their own tasks associated with setup or site reset. In addition, you can check the following logs in SMS\logs for specific activity.

 

SMS Site Component Manager log (SMSSitecomp.log)

 

This log verifies that SMS components have been reinstalled.

·         Search for Processing site shutdown transaction.

 

In the case of a site reset, this entry represents the first occurrence of the site being shut down. Subsequent lines in the log indicate that other individual services were stopped and that status messages were generated to indicate that the service stopped.

·         Search for Site shutdown complete.

 

This entry represents the first occurrence of the site shut down having completed. This occurred when the update installation signaled SMS to perform the site reset. Subsequent lines in the log indicate that other individual services were being reinstalled. This might take several minutes to complete.

·         Search for Waiting for changes to the “C:\SMS\Inboxes\Sitectrl.box” or “C:\SMS\Inboxes\Sitecomp.box” directories.

 

This entry indicates that the Site Component Manager has completed its work for the site upgrade.

 

Hierarchy Manager log (Hman.log)

 

This log verifies that SMS site information is published in Active Directory (in an extended Active Directory schema environment).

·         Search for Wait for site control changes for maximum 3600 seconds.

 

This entry indicates that Hierarchy Manager has completed its work for the site upgrade. In the lines prior to this entry, you will see entries related to publishing SMS site data to Active Directory.

 

SMS Inbox Manager log (Inboxmgr.log)

 

This log verifies that inboxes have been successfully created on the SMS site server and the SMS client access point (CAP).

·         Search for Waiting for changes inbox definition, inbox rules and inbox replication files, max wait = 3600 seconds.

 

This entry indicates that SMS Inbox Manager has completed its work for the site upgrade. In the lines prior to this entry, you will see entries indicating that files were copied to the client access point and that some inboxes were updated. In general, the last inbox to be created on the client access point is CAP_xxx\Clicomp.box.
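
The log checks described in this section, as an added PowerShell example (not part of the original checklist and not a Microsoft tool): it searches each log for the entries quoted above and, for SMSSitecomp.log, requires them in order starting from the most recent shutdown transaction, so a "Waiting for changes" line left over from an earlier reset is not counted. The function names, the C:\SMS\Logs default, and the sample log lines are assumptions constructed for illustration.

```powershell
# Added example. Marker strings come from the checklist text; everything else
# (function names, default paths, sample log lines) is an assumption.

# Markers per log, in the order the checklist says they appear.
$SmsUpgradeMarkers = [ordered]@{
    'SMSSetup.log'    = @('SMS Setup completed successfully')
    'SMSSitecomp.log' = @(
        'Processing site shutdown transaction'
        'Site shutdown complete'
        'Waiting for changes to the'   # full entry names the Sitectrl.box/Sitecomp.box paths
    )
    'Hman.log'        = @('Wait for site control changes for maximum 3600 seconds')
    'Inboxmgr.log'    = @('Waiting for changes inbox definition, inbox rules and inbox replication files')
}

function Test-SmsLogMarkers {
    param([string] $LogName, [string[]] $Lines = @(), [string[]] $Markers)

    $cmp = [System.StringComparison]::OrdinalIgnoreCase

    # Anchor on the LAST occurrence of the first marker, so entries written by
    # an earlier site reset or upgrade are ignored.
    $cursor = -1
    for ($i = $Lines.Count - 1; $i -ge 0; $i--) {
        if ($Lines[$i].IndexOf($Markers[0], $cmp) -ge 0) { $cursor = $i; break }
    }

    foreach ($marker in $Markers) {
        $hit = -1
        if ($cursor -ge 0) {
            for ($i = $cursor; $i -lt $Lines.Count; $i++) {
                if ($Lines[$i].IndexOf($marker, $cmp) -ge 0) { $hit = $i; break }
            }
        }
        [pscustomobject]@{
            Log    = $LogName
            Marker = $marker
            Line   = if ($hit -ge 0) { $hit + 1 } else { $null }
            Found  = ($hit -ge 0)
        }
        # A missing marker ends the sequence: later markers cannot count.
        $cursor = if ($hit -ge 0) { $hit + 1 } else { -1 }
    }
}

function Get-SmsUpgradeStatus {
    param(
        [string] $SetupLogDir = "$env:SystemDrive\",  # SMSSetup.log: root of the system drive
        [string] $SmsLogDir   = 'C:\SMS\Logs'         # assumption: SMS installed in C:\SMS
    )
    foreach ($name in $SmsUpgradeMarkers.Keys) {
        $dir  = if ($name -eq 'SMSSetup.log') { $SetupLogDir } else { $SmsLogDir }
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $lines = @(Get-Content -LiteralPath $path)
            Test-SmsLogMarkers -LogName $name -Lines $lines -Markers $SmsUpgradeMarkers[$name]
        } else {
            [pscustomobject]@{ Log = $name; Marker = '(log file not found)'; Line = $null; Found = $false }
        }
    }
}

# --- Demo on constructed logs (real SMS log lines carry additional fields) ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ('smsdemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null

Set-Content (Join-Path $demo 'SMSSetup.log') @(
    'constructed: installing SMS services'
    'constructed: SMS Setup completed successfully'
)
Set-Content (Join-Path $demo 'SMSSitecomp.log') @(
    'constructed (earlier reset): Processing site shutdown transaction...'
    'constructed (earlier reset): Site shutdown complete.'
    'constructed (earlier reset): Waiting for changes to the "C:\SMS\Inboxes\Sitectrl.box" or "C:\SMS\Inboxes\Sitecomp.box" directories...'
    'constructed (SP2 upgrade): Processing site shutdown transaction...'
    'constructed (SP2 upgrade): Site shutdown complete.'
    'constructed (SP2 upgrade): reinstalling a component'
)
Set-Content (Join-Path $demo 'Hman.log') @(
    'constructed: Wait for site control changes for maximum 3600 seconds...'
)
# Inboxmgr.log is deliberately not created, to show the missing-file case.

$status = Get-SmsUpgradeStatus -SetupLogDir $demo -SmsLogDir $demo
$status | Format-Table -AutoSize

$pending = @($status | Where-Object { -not $_.Found })
if ($pending.Count -gt 0) {
    "Not finished: $($pending.Count) marker(s) still missing; keep waiting before opening the console."
} else {
    'All completion markers present.'
}
Remove-Item -Recurse -Force $demo
```

On the constructed logs, the final SMSSitecomp.log marker is reported as missing even though an older "Waiting for changes" line exists, and Inboxmgr.log is reported as not found.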

 

Upgrading Legacy Clients

 

SMS 2.0 clients and Legacy Clients running the Windows 2000, Windows XP, and Windows Server 2003 operating systems cannot upgrade to the SMS 2003 SP2 version of the Legacy Client.

 

When SMS 2.0 clients or SMS 2003 Legacy Clients running the Windows 2000, Windows XP, and Windows Server 2003 operating systems are members of an SMS 2003 SP2 site, you cannot apply client agent hotfixes to them. In addition, SMS 2.0 clients running the Windows 2000, Windows XP, and Windows Server 2003 operating systems cannot report software inventory to an SMS 2003 SP2 site server.

 

Consequently, you should upgrade these clients to the SMS 2003 SP2 Advanced Client as soon as possible. You can upgrade these clients before you upgrade your SMS site servers. SMS 2003 SP2 Advanced Clients will communicate successfully with an SMS 2003 site.

 

On supported Legacy Client platforms for SMS 2003 SP2, Legacy Clients will automatically upgrade to SMS 2003 SP2 when any of the following occur after upgrading the site to SMS 2003 SP2:

·         On the next Client Configuration Installation Manager (CCIM) maintenance cycle, which is every 25 hours for SMS 2003 clients, or every 23 hours for SMS 2.0 clients.

·         When the SMS Client Service is restarted.

·         When forced by clicking Update Configuration on the Sites tab on the client’s Systems Management Properties page.

The clients do not upgrade if any of the following is true:

·         The client’s CCIM cycle has not yet run.

·         The client has run cliupgrade /disable, which stops the CCIM cycle from running.

·         The client’s operating system is Windows 2000, Windows XP, or Windows Server 2003.

 

Upgrading Advanced Clients

 

Unlike the Legacy Client, SMS Advanced Clients do not automatically upgrade to a newer version. Consequently, you must determine how to upgrade existing SMS 2003 Advanced Clients to SMS 2003 SP2. One way is for the SMS administrator to use the Client Push Installation Wizard, by selecting the option Always install (repair or upgrade existing client) on the Client Installation Options Wizard page. The SMS Administrator can also use SMS software distribution to advertise the upgrade to clients in a collection.

 

Windows 2000, Service Pack 4 and Windows XP, Service Pack 1 are the earliest supported versions of a Windows operating system for the SMS 2003 SP2 Advanced Client. For more information about installing and upgrading Advanced Clients, refer to Appendix 1, “Installing and Configuring SMS Clients,” in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment.

 

Copyright Information

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2004 Microsoft Corporation. All rights reserved. Microsoft, BackOffice, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA

1/06

 

Inserted from <http://download.microsoft.com/download/8/f/4/8f45ecb5-0f85-45bf-bbc2-744d69a88b4e/SMS%202003%20SP2%20Upgrade%20Checklist.htm>

 

Windows 2003 SP1 Upgrade Notes

Windows Server 2003 SP1

Q.

I would like to upgrade my site systems to Windows Server 2003 SP1. Are there any compatibility issues with SMS 2003 that I should know about first? (Updated May 15, 2005)

A.

Yes. If you run your site systems on Windows Server 2003 SP1, you might need to perform some workarounds to restore full SMS functionality. The following sections of this FAQ provide information about issues that might arise and suggested workarounds you can perform:

 

Resetting the DCOM permissions to pre-Windows Server 2003 SP1 levels

Additional Configuration Tasks if you Run the Security Configuration Wizard

Identifying Ports and Services Required If Windows Firewall Is Enabled

Resetting the DCOM permissions to pre-Windows Server 2003 SP1 levels

 

Server locator points and reporting points require the same level of DCOM permissions they had prior to Windows Server 2003 SP1. Windows Server 2003 SP1 splits the previous Launch permission into Local Launch and Remote Launch and splits the Activation permission into Local Activation and Remote Activation. In addition, the activation permissions are being moved from the Access Permission ACL to the Launch Permission ACL. For more information about the new COM permissions, see Granular COM Permissions on MSDN.

 

If you upgrade your server locator point to Windows Server 2003 SP1, you must reset the COM permissions so that the Internet Guest Account (IUSR_<servername>) has Local Launch permissions as it did prior to SP1, as shown in the following procedure.

 

To grant Local Launch permission to the Internet Guest Account:

1.       On the site system, from the Start menu, click Run and type Dcomcnfg.exe.

2.       In Component Services, click Console root, click Component Services, click Computers, click My Computer, click DCOM Config, and then click SMS_SERVER_LOCATOR_POINT. On the Action menu, click Properties.

3.       In the Launch and Activation Properties dialog box, on the Security tab, in the Launch and Activation Permissions section, click Edit.

4.       In the Launch and Activation Permissions dialog box, select the check box to allow Local Activation for Internet Guest Account (IUSR_servername).

 

If you upgrade your reporting point to Windows Server 2003 SP1, you must reset the COM permissions so that the SMS Reporting Users Group has Local Launch permissions as it did prior to SP1, as shown in the following procedure.

 

To grant Local Launch permission to the SMS Reporting Users Group:

1.       On the site system, from the Start menu, click Run and type Dcomcnfg.exe.

2.       In Component Services, click Console root, click Component Services, click Computers, click My Computer, click DCOM Config, and then click SMS_REPORTING_POINT. On the Action menu, click Properties.

3.       In the SMS Reporting Point Properties dialog box, on the Security tab, in the Launch and Activation Permissions section, click Edit.

4.       In the Launch and Activation Permissions dialog box, select the check box to allow Local Activation for SMS Reporting Users Group.

 

Additional Configuration Tasks if you Run the Security Configuration Wizard

 

Introduced in Windows Server 2003 SP1, the Security Configuration Wizard helps you create a security policy that you can apply to any server on your network. The wizard recognizes SMS server roles, services, ports, and applications, but might not recognize all of the required configurations. The following section details which configurations are not automatically configured by the Security Configuration Wizard and the additional configurations required to keep SMS functioning properly.

 

Note: For more information about the roles and features recognized by the Security Configuration Wizard, view the configuration database while running the wizard.

 

Enable Remote WMI in the Security Configuration Wizard for Remote Site Database Servers

 

The Security Configuration wizard is unable to recognize the SMS Provider. If you run the wizard on the server that has the SMS Provider installed, you must enable the Remote WMI service on the Select Administration and Other Options page of the Security Configuration Wizard. Unless Remote WMI is enabled, the SMS Administrator consoles on the site server and any other remote consoles will fail to connect to the SMS namespace in WMI.

 

Enable the SMS Database Monitor Ports on Remote SMS Site Database Servers

 

If your SMS site database server is not on the same computer as the SMS site server, the Security Configuration wizard correctly enables the SMS Database Monitor service (SMS_SQL_Monitor_<ServerName>) but it does not enable the ports used by the SMS Database Monitor service. On the Open Ports and Approve Applications page of the wizard, select Ports used by SMS_SQL_MONITOR_<ServerName>. If the SMS site database server is on the same computer as the SMS site server, no ports are required.

 

Enable Remote Administration for IIS and Related Components on BITS-enabled distribution points

 

When you run the Security Configuration wizard on a BITS-enabled distribution point, you must select Remote administration for IIS and related components on the Installed Options page. If Remote administration for IIS and related components is not enabled, the wizard blocks the SMS Distribution Manager service from creating virtual directories on the distribution point.

 

Deselect the CAP Role if it is not on the Site Server

 

The Security Configuration Wizard always identifies a site server as having a Client Access Point, whether or not the site server is actually assigned that role. If the CAP role is incorrectly selected, deselect it on the Select Administration and Other Options page of the Security Configuration Wizard.

 

Re-run the Wizard after Changing Site System Roles

 

If you run the Security Configuration Wizard on a server and then configure a site role on that server, you should re-run the wizard to ensure that the site system roles function properly.

 

Identifying Ports and Services Required If Windows Firewall Is Enabled

 

Windows Server 2003 SP1 also includes the Windows Firewall feature first released in Windows XP SP2. The firewall can interfere with some SMS features. Windows Firewall is not enabled by default on servers. If you enable the Windows Firewall on a Windows Server 2003 SP1 server, either by using Control Panel or by running the Network Security section of the Security Configuration Wizard, you must verify that the following ports and applications are permitted to pass through the Windows Firewall.

Remote Control   If the SMS Remote Control ports are disabled, an SMS client running Windows Server 2003 SP1 cannot be remotely managed by using SMS Remote Tools. The recommended best practice is to use Remote Assistance or Remote Desktop on operating systems that support it, such as Windows Server 2003. To enable SMS Remote Tools, permit the appropriate port to pass through Windows Firewall for each necessary remote tool, as described in the following table.

 

Remote Control Port     Remote Control Function
TCP port 2701           Allows general contact, reboot, and ping
TCP port 2702           Remote control
TCP port 2703           Chat
TCP port 2704           File transfer

For more information about ports used by SMS remote control, see article 256884 in the Microsoft Knowledge Base.

 

Remote Assistance   If the remote assistance ports are disabled, remote assistance sessions initiated from the SMS Administrator console to a computer running Windows Server 2003 SP1 will fail, although remote assistance sessions requested by the Windows Server 2003 SP1 client will succeed. To enable Remote Assistance to be initiated from the SMS Administrator console, permit helpsvc.exe and port TCP 135 to pass through Windows Firewall.

Windows Event Viewer, System Monitor, and Windows Diagnostics  The SMS Administrator console cannot access Windows Event Viewer or System Monitor on computers running Windows Server 2003 SP1 unless File and Printer Sharing is enabled. There is no workaround at this time to access Windows Diagnostics from the SMS Administrator console.

Client Push Installation   Client Push Installation fails on client computers running Windows Server 2003 SP1 unless File and Printer Sharing is enabled.

Queries   If you run a query from an SMS Administrator console on a Windows Server 2003 SP1 computer, you must permit statview.exe to pass through the Windows Firewall or the queries will fail the first time they run. After failing to run the first time, the Windows Firewall displays a dialog box asking if you want to unblock statview.exe.

SMS Administrator Console   If you run the SMS Administrator console on a Windows Server 2003 SP1 computer, you must permit unsecapp.exe and TCP port 135 to pass through the Windows Firewall. The Unsecapp.exe application is used to send results back to a client in a process that might not have permissions to be a DCOM service. SMS relies on the Unsecapp.exe application to receive the results of asynchronous operations in the SMS Administrator console. TCP 135 is the DCOM port. For more information about DCOM and unsecapp.exe, see article 875605 in the Microsoft Knowledge Base.

Real World Problems and Solutions to Upgrading

 

Pasted from <http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/tfaq02.mspx>

 

After upgrading Windows Server 2003 SP1, Mike Creech reported the following issues:

 

“We found two additional problems. 1) The admin console would not connect to the site for users that were not administrators on the server. 2) Users with “read only rights” on a collection could install clients.

 

The first problem was fixed by one of my colleagues, Brian Anderson. We determined that WMI or DCOM was the source of the access problem. Through research and experimentation, Brian found the solution – it is a DCOM configuration.

 

a) Run the DCOM configuration tool, dcomcnfg.exe from the command line.

b) Under Component Services-Computers, locate My Computer.

c) Right click and choose Properties.

d) Select the COM Security tab.

e) Click “Edit Limits” in the Launch and Activation Permissions box.

f) Add the local SMS Admins group, then allow this group permissions to “Remote Activation”.

 

The second problem is discussed in Microsoft’s KB article 843362. The hotfix must be obtained from your PSS and you should specify RTM or SP1 of SMS 2003.”

 

Rob Stack reported the following issue; he installed an SMS remote child site and the Management Point (MP) failed to initialize:

 

“I've recently installed a remote child site (which is W2K3 SP1) and am receiving an error when the MP tries to install (whether manually or remotely). I have set the server roles (I think) correctly, and the rest of the site is functioning OK. There seems to be very little on the web regarding this error and uninstalling/reinstalling IIS does not solve the problem.

 

Finally, the MP troubleshooter shows no problems.”

 

Note: mpsetup.log returned error code 1603

 

Jan Burke reported that:

 

“When I had this error the problem was the SMS client installed on the server prior to the MP install and registry entries were preventing the MP from installing.”

 

Jan summarized her solution (which solved Rob’s reported issue BTW) as:

 

“This happened to four of my 28 secondaries. It actually started with a bad IIS install on 4 new remote servers with bad IIS user accounts. The entire event involved uninstalling IIS and deleting the IIS accounts IUSR & IWAM from the machine then reinstalling IIS which created good accounts. However at that point still no MP would install.

 

That is where the SMS client came into play. The client had installed fine but it had installed prior to installing my MP. As it turns out the installation of the client prevented the MP from installing.

 

The steps were taken as I wrote them to finally resolve the issue.

 

Uninstalled MP from Secondary in console (wasn't working anyway)

Ran ccmclean /MP

Ran ccmclean /ALL

Installed MP back

 

Shazam..............they started smokin........

 

This was a 4 week drama with PM intervention; nothing I care to repeat but I searched lists and the net and never found this resolution posted anywhere.

 

My MP Troubleshooter indicated errors "can not create Active X component" and one other which I can't remember right now (still trying to forget that nightmare)

 

I do not see how the MP requires a SMS client as I don't have clients installed on my Domain Controllers and they are still MPs for my sites.

 

I concluded that the client cannot install before the MP role is assigned or there will (or maybe 'could') be issues. I actually tested this on two servers waiting to be deployed and found the same issue with the client. In those two cases IIS was fine on those servers but the client had installed prior to installing the secondary site and a MP. They were in the holding area being configured and, of course, SMS client found them and installed. I installed a secondary (went fine) but my MP would not install until I ran the above sequence.

 

To get the advanced client to install back on the servers I did a push from the console. None of them installed automatically after the manual removal. But they are all fine now.”

 

~~ Update 8/31/05 ~~

 

From Richard Wright -- Reporting Users having failures in connecting to web reports:

 

“I discovered another SMS issue after upgrading to W2K3 SP1. A lot of my PC support people started complaining that they couldn't view SMS reports anymore. After doing some research, I found the following solution.

 

1. Go to Start | Run and type dcomcnfg.exe

2. Drill down to Component Services | Computers | My Computer | DCOM Config

3. Right click SMS_REPORTING_POINT and click properties.

 

4. Click on the security tab and choose Customize under the Launch and Activation Permissions. Then click Edit.

 

5. Add SMS Reporting Users and give them (enable) the following permissions

a. Local Launch

b. Remote Launch

c. Local Activation

d. Remote Activation

[Steve T] Note: may only need options 5.b and 5.d, test to confirm.

 

6. Click OK twice and close dcomcnfg”

 

There have been reports of the Windows Server 2003 SP1 upgrade causing failures when the Management Point is on a server separate from the SMS Site server.

 

From Zubair Rajah

“I upgraded one of my MPs to w2k3 SP1, my MP and Site server are 2 separate servers. After the upgrade on the MP server, I started getting "error 997: Overlapped I/O operation in progress" on the site server. The MP was servicing clients, just that the Site server could not access the necessary registry keys. I then uninstalled SP1 and the problem disappeared. Did some poking around and couldn't find anything helpful, I contacted MS who said that this is known issue, the work around is to upgrade both site server and MP to w2k3 SP1.

 

I then upgraded both servers to w2k3 SP1, problem appeared again. Spoke to MS again, they say that their DEV team is working on a fix for this. Seems like the system account does not have the necessary rights to access the remote MP registry, although each machine's account is in each other's local admin group.”

 

Update a couple of days later:

 

“Seems like after w2k3 SP1, connections to the registry of a remote computer are made in anonymous security context, prior to SP1 this connection was done in the security context of the computer account credentials. You will not experience this issue if you have SMS running with a service account.

 

The good news is, I just received the fix, KB906570 (not sure if it is posted yet, you probably will have to speak to your TAM to get it).”

 

Zubair later reported that this hotfix did resolve his issue. In my own investigation with Microsoft, I’ve been told if both SMS site server and MP are upgraded to SP1 at the same time this issue should not surface. On 8/29/05 I updated 12 SMS servers to Server 2003 SP1, 4 of these servers had MP’s separate from the site server, running in advanced security mode. I did find that each of the SMS site servers did require the DCOM permission revision (above) to allow SMS administrators that were not server administrators to connect via the SMS MMC. However, I did not see the issue mitigated by 906570 -- this may be a situation of “your mileage may vary”.

 

 

Pasted from <http://www.myitforum.com/articles/15/view.asp?id=8753>

 

 

Steps to Upgrade Windows 2003 and SMS

These steps involve upgrading the site servers to Windows 2003 SP1 and SMS 2003 SP2.  If the site server is not running Windows 2003 or already has SP1 for 2003 installed, those steps (1 – 7) can be skipped.

 

1.       Download Windows 2003 SP1 to each site server.

2.       Close all programs.

3.       Beginning with the Central site, run the executable to launch the setup of SP1.

4.       Select the uninstall location to provide a roll back option.

5.       Allow install to run.

6.       Reboot the servers after the install is completed.

7.       Reset DCOM settings for SLP and RP's. 

a.       Start --> run dcomcnfg.exe

b.      In Component Services, click Console root, click Component Services, click Computers, click My Computer, click DCOM Config, and then click SMS_REPORTING_POINT. On the Action menu, click Properties.

c.       In the SMS Reporting Point Properties dialog box, on the Security tab, in the Launch and Activation Permissions section, select Customize, and then click Edit.

d.      In the Launch and Activation Permissions dialog box, add the local group SMS Reporting Users and then select the check box to allow Local Activation for SMS Reporting Users Group.

 

8.       To test the SMS 2003 site database by using /testdbupgrade

a.       Back up your SMS site database.

b.      Obtain a copy of the SMS site database backup created by a recent SMS backup task.

 

- OR -

 

Stop all SMS services on the SMS site server and SQL Server, and then use SQL Server Enterprise Manager to back up the SMS site database.

 

Note

Setup /testdbupgrade fails on SMS site databases that are restored from an SMS 2003 site database with SQL Server database replication enabled.

 

Disable publishing on the SMS 2003 site database before you back up the SMS site database.

  1. On another computer running the same version of SQL Server, restore the database you just backed up as follows:

1.   Manually create a new database with the same name as the one you backed up. Default data/log file sizes of 1 MB are adequate. Or detach the db if testing on the same server and then create the db and restore.

2.   Copy the database backup file from the SQL Server database to a local drive on the test computer running SQL Server.

3.   Restore the database using SQL Server Enterprise Manager. Because the drive letters might be different on your test computer that is running SQL Server, you might need to modify the destination drive and file properties during the restore operation.

4.   On the restored SQL Server database, type the following at the command prompt: setup.exe /testdbupgrade <database name>.

5.   Review test results in SMSSETUP.log on the root of the C drive.

 

9.       Run autorun.exe to start the install of SP2.

 

Determining That SMS Setup Has Completed

 

After you apply SP2, wait at least 30 minutes before opening the SMS Administrator console, running a site reset, or performing any other site configuration change or operation. This waiting period allows the initial SMS configuration processes, carried out by the SMS Executive and SMS Site Component Manager services, to complete. You can verify whether these processes are completed by checking the level of CPU activity on your computer or Task Manager for running upgrade processes during the SMS service installation. When the activity level returns to normal, you can open the SMS Administrator console.

 

You can check the C:\SMSSetup log for the SMS Setup completed successfully entry. This entry indicates that SMS Setup.exe has completed its tasks. However, this does not always mean that other SMS processes have completed their own tasks associated with setup or site reset. In addition, you can check the following logs in SMS/logs for specific activity.

 

SMS Site Component Manager log (Sitecomp.log)

 

This log verifies that SMS components have been reinstalled.

·         Search for Processing site shutdown transaction.

 

In the case of a site reset, this entry represents the first occurrence of the site being shut down. Subsequent lines in the log indicate that other individual services were stopped and that status messages were generated to indicate that the service stopped.

·         Search for Site shutdown complete.

 

This entry represents the first occurrence of the site shut down having completed. This occurred when the update installation signaled SMS to perform the site reset. Subsequent lines in the log indicate that other individual services were being reinstalled. This might take several minutes to complete.

·         Search for Waiting for changes to the “C:\SMS\Inboxes\Sitectrl.box” or “C:\SMS\Inboxes\Sitecomp.box” directories.

 

This entry indicates that the Site Component Manager has completed its work for the site upgrade.

 

Hierarchy Manager log (Hman.log)

 

This log verifies that SMS site information is published in Active Directory (in an extended Active Directory schema environment).

·         Search for Wait for site control changes for maximum 3600 seconds.

 

This entry indicates that Hierarchy Manager has completed its work for the site upgrade. In the lines prior to this entry, you will see entries related to publishing SMS site data to Active Directory.

 

SMS Inbox Manager log (Inboxmgr.log)

 

This log verifies that inboxes have been successfully created on the SMS site server and the SMS client access point (CAP).

·         Search for Waiting for changes inbox definition, inbox rules and inbox replication files, max wait = 3600 seconds.

 

This entry indicates that SMS Inbox Manager has completed its work for the site upgrade. In the lines prior to this entry, you will see entries indicating that files were copied to the client access point and that some inboxes were updated. In general, the last inbox to be created on the client access point is CAP_xxx\Clicomp.box.
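
An added example (not part of the original checklist or of SMS itself) that automates the three component-log checks described above: it looks for the quoted search phrases in Sitecomp.log, Hman.log and Inboxmgr.log, in order, and ignores entries written before setup started. The entry layout, the sample log lines and all function names are assumptions made for this example.

```python
import re
from datetime import datetime

# Checklist search phrases, in order; paths and quotes omitted (install-specific).
MARKERS = {
    "Sitecomp.log": ["Processing site shutdown transaction",
                     "Site shutdown complete", "Waiting for changes to the"],
    "Hman.log": ["Wait for site control changes for maximum"],
    "Inboxmgr.log": ["Waiting for changes inbox definition"],
}

# Assumed entry layout:
#   message  $$<COMPONENT><Sat Jun 10 09:05:00.000 2006 Time Zone><thread=...>
LINE_RE = re.compile(
    r"^(?P<msg>.*?)~?\s*\$\$<[^>]*>"
    r"<\w{3} (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3} \d{4})[^>]*>")

def parse_line(line):
    """Return (timestamp, message), or None if the line has no log trailer."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f %Y")
    return stamp, m.group("msg").strip()

def missing_marker(lines, markers, since):
    """Return the first marker not yet seen in order, or None when all were.

    Entries stamped before `since` (setup start) are ignored, so a stale
    idle entry from before the upgrade cannot be read as completion."""
    seen = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] < since or seen == len(markers):
            continue
        if markers[seen].lower() in parsed[1].lower():
            seen += 1
    return markers[seen] if seen < len(markers) else None

def upgrade_status(logs, since):
    """Map each log name to None (done) or the marker still outstanding."""
    return {name: missing_marker(logs.get(name, []), wanted, since)
            for name, wanted in MARKERS.items()}

# Constructed sample entries (not from a real site); setup began at 09:00.
SETUP_STARTED = datetime(2006, 6, 10, 9, 0, 0)
WAIT = r'Waiting for changes to the "C:\SMS\Inboxes\Sitectrl.box" or "C:\SMS\Inboxes\Sitecomp.box" directories'

def entry(component, clock, message):
    return (f"{message}  $$<SMS_{component}><Sat Jun 10 {clock}.000 2006 "
            "Pacific Daylight Time><thread=1234 (0x4D2)>")

SAMPLE_LOGS = {
    "Sitecomp.log": [
        entry("SITE_COMPONENT_MANAGER", "08:10:00", WAIT),  # before setup: stale
        entry("SITE_COMPONENT_MANAGER", "09:05:00", "Processing site shutdown transaction..."),
        entry("SITE_COMPONENT_MANAGER", "09:06:30", "Site shutdown complete."),
        entry("SITE_COMPONENT_MANAGER", "09:20:00", WAIT),
    ],
    "Hman.log": [entry("HIERARCHY_MANAGER", "09:25:00",
                       "Wait for site control changes for maximum 3600 seconds...")],
    # Only a pre-upgrade entry: Inbox Manager has not finished yet.
    "Inboxmgr.log": [entry("INBOX_MANAGER", "08:30:00",
                           "Waiting for changes inbox definition, inbox rules and "
                           "inbox replication files, max wait = 3600 seconds")],
}

if __name__ == "__main__":
    print(upgrade_status(SAMPLE_LOGS, SETUP_STARTED))
```

For a real site, read each file from the SMS logs folder with `open(path, errors="replace").read().splitlines()` and pass the time at which you started setup as `since`.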

 

Upgrading Advanced Clients

 

Unlike the Legacy Client, SMS Advanced Clients do not automatically upgrade to a newer version. Consequently, you must determine how to upgrade existing SMS 2003 Advanced Clients to SMS 2003 SP2. One way is for the SMS administrator to use the Client Push Installation Wizard, by selecting the option Always install (repair or upgrade existing client) on the Client Installation Options Wizard page. The SMS Administrator can also use SMS software distribution to advertise the upgrade to clients in a collection.

 

Windows 2000, Service Pack 4 and Windows XP, Service Pack 1 are the earliest supported versions of a Windows operating system for the SMS 2003 SP2 Advanced Client. For more information about installing and upgrading Advanced Clients, refer to Appendix 1, “Installing and Configuring SMS Clients,” in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment.

 

If you have any questions or comments you can email me.

 

Anthony Clendenen

 

 

 

The Daily Ramblings of an SMS Engineer, 18:35 - Nov 19, 2006



Comments

Tom_Watson :

Weird.  This post is being flagged by IE7's phishing filter as "suspicious".

I gave my feedback, as "I don't think this is a phishing website" at

https://go.microsoft.com/fwlink/?LinkId=48016&clcid=0x0809&result=warn&URL=http:%2F%2Fmyitforum.com%2Fcs2%2Fblogs%2Fsocal%2Farchive%2F2006%2F11%2F19%2Fhow-to-upgrade-to-sms-2003-sp2-and-windows-2003-sp1.aspx


aclendenen :

Thanks for the heads up Tom.  I have filled out their "I am not guilty" form.

Regards,

Anthony


aclendenen :

I gotta say, not only am I impressed that they even got back to me, but they got back to me in just a couple hours!  

Thank you for contacting us about:  http://myitforum.com/cs2/blogs/socal/archive/2006/11/19/how-to-upgrade-to-sms-2003-sp2-and-windows-2003-sp1.aspx.

We have reviewed the information you provided regarding this website and removed the incorrect designation. We thank you for bringing this matter to our attention.  

Please note that although we have removed the incorrect designation, it may take up to 24 hours for you to see this change reflected.

In the event that the incorrect designation persists beyond 24 hours from the receipt of this e-mail message, please let us know by replying directly to this message. Please do not reply unless the problem persists.  

Thank you,

Microsoft Phishing Filter Support


rodtrent :

It's one of the pieces of blog flair you have on the left-hand side.  I get it periodically when visiting your blog.  I always go in and submit the report to MS, but the phishing notice comes back eventually.
