Configuring the Software Distribution Component

You can configure additional settings for the package distribution process if the SMS defaults aren’t appropriate within your environment.

To access these settings, in the SMS Administrator Console, navigate to the Component Configuration folder under the site name, the Site Settings, expand it, right-click Software Distribution, and select Properties to display the Software Distribution Properties dialog box, shown in Figure 12.37.

Figure 12.37: The General tab of the Software Distribution Properties dialog box.

The Package Processing Thread Limit option in the General tab lets you identify how many threads to allocate to Distribution Manager to process packages for the site. The default value is 3, but it can range from 1 through 7. In this case, more is not always better. If your site server were only processing packages— and not performing any other functions—you might bump up this number, monitor the site server’s performance, and determine what value achieves an optimum level of performance between package processing and other server functions. A higher number of allocated threads might be appropriate and assignable.

However, if the site server has all SMS functions enabled—package distribution, Remote Tools, inventory collection, all site system roles, and so on—increasing the number of threads might prove to be detrimental to the site server’s overall performance. The best rule of thumb would be to try adjusting the number if you think you need to improve package processing performance and then use the various tools available to monitor the site server’s performance and its other functions to find the best balance.

Three other options you can configure in the General tab are Location Of Stored Packages, which identifies for SMS the drive on which it should create the compressed package folder (SMSPKG), the Legacy Client Software Installation account, and the Advanced Client Network Access account. When programs are executed at the client computer, they will run under the local user account’s security context unless otherwise noted in the program properties. Since most users are logged on as users and not as administrators, this means that these programs will run under the local user context. As you have probably discovered, most application software installs .DLL files, modifies registry entries, stops and starts services, and performs other tasks that require an administrative security context on the client. For Windows 98 clients, this security context is not usually a big issue. However, it’s a big issue for SMS clients running Windows NT 4.0 or later since they maintain a local account database and provide more security over system modifications.

Security poses a problem when you’re dealing with SMS packages. One of our main objectives here is to be able to remotely install software on clients without the user’s—or the administrator’s—intervention.

SMS 2003, however, does provide solutions to the security issue for both the Legacy Client and the Advanced Client. The first involves the use of an internal account that SMS creates on the Legacy Client when a higher level of security access is required to run a program. This account, named SMSCliToknAcct&, is created automatically and is granted Act As Part Of The Operating System, Log On As A Service, and Replace Process Level Token user rights on the client. The SMSCliToknAcct& account will be sufficient in most cases. However, if the program execution requires that the program connect to network resources other than the distribution point, SMSCliToknAcct& will fail because it’s created as a local account rather than a domain account. In this case you should identify and use the Legacy Client Software Installation account.

You create the Legacy Client Software Installation account in the Windows domain (or domains) your clients are members of. The easiest thing to do, of course, would be to make the account a member of the Domain Admins global group in the domain that the Windows client is a member of. As you know, when a computer running Windows joins a Windows domain, the Domain Admins global group is made a member of the local Administrators group on that computer. Making the account a member of the Domain Admins group would give it the appropriate level of local rights on the Windows client (provided you haven’t altered the local Administrator group memberships to exclude the Domain Admins group), but this arrangement isn’t secure. Ideally, this account should be made a direct member of the local Administrator’s group on each client computer or be given the appropriate level of security access required to run the programs you create.

After you create and configure the account appropriately, identify it to SMS in the General tab of the Software Distribution Properties dialog box by clicking Set next to the Legacy Client Software Installation Account text box and entering the name of the account in the Windows Account dialog box.

Ideally, for Windows 2000 clients and later, you should install the SMS Advanced Client, as this is a more secure SMS client. One of the ways in which this security is manifested is in its use of computer accounts to carry out tasks like installing software on the client. When the client connects to a distribution point, it uses the security context of the local user to do so. You can specify an optional Advanced Client Network Access account to make this connection more secure. Create this account in the domain as you would the Legacy Client Connection account.

After you create and configure the account appropriately in the domain, identify it to SMS in the General tab of the Software Distribution Properties dialog box by clicking Set next to the Advanced Client Network Access Account text box and entering the name of the account in the Windows Account dialog box.

The Retry Settings tab of the Software Distribution Properties dialog box is fairly self-explanatory, as shown in Figure 12.38. It lets you alter the retry settings for Distribution Manager’s attempts to deliver packages and for Advertisement Manager’s attempts to advertise programs and specify the delay between attempts.

Figure 12.38: The Retry Settings tab.