Wednesday, July 25, 2007

Manually create System Management Container in Active Directory Domain Services

SMS 2003 and SCCM 2007 do not create the System Management container in Active Directory Domain Services when the schema is extended. The container needs to be prepared in each domain that includes an SMS 2003 or SCCM 2007 site server that will publish site information to Active Directory Domain Services. There are two methods to prepare the System Management container inside Active Directory Domain Services.

Method 1:

Grant the Site Server computer account Full Control permission on the System container in Active Directory Domain Services. (This method is not recommended. It is more secure to create the System Management container manually.)

Method 2:

Manually create the System Management container in Active Directory Domain Services using ADSIEdit. ADSIEdit is part of Windows Server Support Tools, which can be found on the Windows 2000 Server or Windows 2003 Server CD.

1. Install Windows Server Support Tools.
2. Open the ADSIEdit snap-in using MMC, and connect to the domain in which you would like to create the System Management container.
3. In the console pane, expand Domain [computer fully qualified domain name], expand , and right-click CN=System. On the context menu, click New and then click Object.
4. In the Create Object dialog box, select Container and click Next.
5. In the Value field, type System Management and click Next, and then click Finish.

Now, your Site Server is able to publish site information in the Active Directory once the System Management container is created.
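
The same container can be created from PowerShell through ADSI, and the same script can check whether Method 1 was applied earlier. This is an added example, not part of the original post; the function name Get-ComputerFullControlAce is hypothetical, and it assumes you run it as an account allowed to create objects under CN=System.

```powershell
# Added example: create CN=System Management under CN=System if it is missing,
# then list computer accounts holding explicit Full Control on CN=System
# (the result of Method 1, which the post does not recommend).
$containerName = 'System Management'

# Resolve the current domain's naming context instead of hard-coding a DN.
$domainDN   = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$systemPath = "LDAP://CN=System,$domainDN"
$targetPath = "LDAP://CN=$containerName,CN=System,$domainDN"

function Get-ComputerFullControlAce {   # hypothetical helper name
    param([string]$LdapPath)
    $full  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $entry = [ADSI]$LdapPath
    # Explicit ACEs only; inherited ones are set higher up in the tree.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        $isComputer = $rule.IdentityReference.Value.EndsWith('$')
        $isFull     = ($rule.ActiveDirectoryRights -band $full) -eq $full
        if ($isComputer -and $isFull -and $rule.AccessControlType -eq 'Allow') {
            $rule | Select-Object IdentityReference, ActiveDirectoryRights
        }
    }
}

if ([System.DirectoryServices.DirectoryEntry]::Exists($targetPath)) {
    Write-Output "Container already exists: $targetPath"
} else {
    $system = [ADSI]$systemPath
    $new = $system.Create('container', "CN=$containerName")
    $new.SetInfo()                      # commit the new object to the directory
    Write-Output "Created: $targetPath"
}

$found = @(Get-ComputerFullControlAce -LdapPath $systemPath)
if ($found.Count -gt 0) {
    Write-Warning 'Computer accounts with Full Control on CN=System:'
    $found
} else {
    Write-Output 'No computer account has explicit Full Control on CN=System.'
}
```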



Sunday, July 22, 2007

SMS 2003 & SCCM 2007 Security Mode

Everyone knows there are 2 security modes in SMS 2003: Standard Security mode and Advanced Security mode. But what is the difference between these 2 security modes? Let us share on this.

Standard security uses user accounts to run services, configure computers, and connect between computers. Advanced security makes use of Active Directory. It uses the Local System account (which is the computer account) to run services, configure computers, and connect between computers. It is more secure, but it requires Active Directory. It does not require the schema to be extended.

You can switch from standard security mode to advanced security mode, but you cannot change back to standard security mode once the site has been switched over to advanced security mode.

How about SCCM 2007? What is the difference between SCCM 2007 and SMS 2003 on security mode? Well, SCCM 2007 also provides 2 security modes: SMS 2003 compatibility security mode (Mixed Mode) and SCCM 2007 security mode (Native Mode).

Native mode is a higher level of security: it integrates with a public key infrastructure (PKI) to help protect client-to-server communication. With this security mode enabled, you are able to manage Internet-based clients, that is, client computers that connect to your site server through a public WAN connection. Extra security is needed in order to implement this, and you need to get a valid certificate from a certificate authority in order to accomplish this task.

Mixed mode provides backwards compatibility for hierarchies that have both SMS 2003 sites and Configuration Manager 2007 sites. With this security mode, you are unable to manage Internet-based clients. You are allowed to switch from Mixed mode to Native mode once all your site servers are migrated to SCCM 2007, and it is also possible to revert from Native mode back to Mixed mode. This is really a good fallback feature if you would like to perform a migration from SMS 2003 to SCCM 2007.

Tuesday, July 17, 2007

How to Remove SMS Advanced Client using Msiexec /x

We met one scenario at one of our customers: we were trying to remove the SMS Advanced Client from one of the Windows XP machines using the Ccmclean tool (Ccmclean can be found in the SMS toolkit). Unfortunately, Ccmclean failed to remove the client.

There is another method to remove the SMS Advanced Client from the machine, which is the msiexec /x command.

Before executing that command, you must know the GUID for the SMS Advanced Client. The GUID value can be found in Registry Editor under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

The correct GUID has SMS Advanced Client as the Display Name value.

After you get the SMS Advanced Client GUID value, execute the msiexec /x command at a command prompt.

Msiexec /x {D8EF2D11-47CF-45E5-B423-47B29706DE12}
(the value after Msiexec /x is the GUID of the SMS Advanced Client)

After you execute Msiexec /x on the machine, you may need to manually remove the VPCache folder for the SMS Advanced Client. Below are the steps to complete the task:

1. Locate the following registry key in registry editor:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\VPCache

2. The Path value for VPCache is the location of the VPCache folder on the system drive. For example, %Windir%\System32\VPCache.

3. Locate the VPCache folder and then delete it from the hard drive.

4. Lastly, delete VPCache registry key from the registry editor.
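
The whole procedure above (GUID lookup, msiexec /x, VPCache cleanup) as one PowerShell function. This is an added example, not part of the original post; the function name Remove-SmsAdvancedClient is hypothetical, and it assumes an elevated prompt. It refuses to delete any folder whose name is not VPCache, because the path comes from a registry value.

```powershell
# Added example: run with -WhatIf first to see what would be removed.
function Remove-SmsAdvancedClient {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $vpCacheKey   = 'HKLM:\SOFTWARE\Microsoft\SMS\VPCache'

    # The product GUID is the name of the subkey whose DisplayName matches.
    $product = Get-ChildItem $uninstallKey |
        Where-Object { (Get-ItemProperty $_.PSPath).DisplayName -eq 'SMS Advanced Client' } |
        Select-Object -First 1

    if ($product) {
        $guid = $product.PSChildName
        # Only pass a well-formed {GUID} to msiexec.
        if ($guid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { throw "Unexpected key name: $guid" }
        if ($PSCmdlet.ShouldProcess($guid, 'msiexec /x')) {
            $p = Start-Process msiexec.exe -ArgumentList "/x $guid" -Wait -PassThru
            Write-Output "msiexec exit code: $($p.ExitCode)"
        }
    } else {
        Write-Output 'SMS Advanced Client is not listed under the Uninstall key.'
    }

    if (Test-Path $vpCacheKey) {
        $raw = (Get-ItemProperty $vpCacheKey).Path      # registry value named Path
        if ($raw) {
            $path = [Environment]::ExpandEnvironmentVariables($raw)
            # Guard the recursive delete: the leaf folder must be VPCache.
            if ((Split-Path $path -Leaf) -eq 'VPCache' -and (Test-Path $path)) {
                if ($PSCmdlet.ShouldProcess($path, 'Remove folder')) {
                    Remove-Item $path -Recurse -Force
                }
            } else {
                Write-Warning "Skipping folder removal, unexpected path: $path"
            }
        }
        if ($PSCmdlet.ShouldProcess($vpCacheKey, 'Remove registry key')) {
            Remove-Item $vpCacheKey -Recurse
        }
    }
}

Remove-SmsAdvancedClient -WhatIf
```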

Although this method takes more time to complete, it is an alternative way to remove the SMS Advanced Client from the machine; no harm in giving it a try. :)


P/S: Please use Registry Editor with extra care, or else it may crash your system. :)