Simplifying SMS's application installation across a network

The Package Command Manager (PCM) service that comes with Systems Management Server (SMS) 1.2 helps administrators distribute applications. Unlike the interactive PCM application, which also comes with SMS, the PCM service does not require end users to participate in the installation process. Previous versions of the service had limited functionality because they ran only on SMS logon servers and distributed applications only to SMS site servers. However, the version that ships with SMS Service Pack 2 (SP2) extends the PCM service's reach to user desktops--the service can now run on and distribute applications to any Windows NT workstation or server. Administrators can use the upgraded PCM service to automatically install and upgrade applications on workstations and servers without any user intervention.

Create a PCM Service Account
You need to install the PCM service on every NT workstation and server that you want the service to install software on. You don't need to install the PCM service on SMS logon servers; the SMS Hierarchy Manager automatically installs the service on these machines.

To install the PCM service on machines across your network, you must create an account for the service in NT's User Manager for Domains. This account must be able to connect to the SMS logon server, and it must have administrator rights on every computer you want the PCM service to install software on. You can ensure that the account has both privileges by placing it in the Domain Admins global group, which is a default member of each workstation's local Administrator group. The PCM service account must have domain and local administrator rights, so you can use the PCM service only in a domain (not a workgroup) environment.

Creating a PCM service account opens up a security risk for unwitting administrators. For each service, NT's Service Control Manager makes a Registry entry that includes only the service name, service account name, and executable name. The PCM service associates the pcmsvc32.exe executable with the service account you create. On a system with a PCM service account, clever users who have local administrator rights can stop the service and replace pcmsvc32.exe with their own executable. The substituted executable takes on the rights of a domain administrator application, giving the users open access to most of the domain. For example, they can write an application that deletes files in a directory that only domain administrators can access. To prevent such a security risk, install the PCM service only on workstations where users can't stop services.

Configure an Initialization File
To install the PCM service, you must use a service installation utility. Microsoft Systems Management Server Resource Kit and SMS SP2 include Rservice, a command-line utility that can install, start, and stop services on many remote computers at once.

The Rservice utility requires an initialization file to run. SMS SP2 includes a sample file, pcmx86.ini, which you can modify to meet your needs. Listing 1 shows a modified version of the sample file. The SMS resource kit's documentation explains the initialization file's syntax. The initialization file is a standard .ini file, with one entry on each line and comment lines that begin with a semicolon.

Domain name section. The initialization file must include a domain name section that lists each domain that you want to install the PCM service on. You follow each domain name with acronyms for the types of machines you want to install the service on in that domain: NTWD for an NT workstation, NTSD for an NT server, NTPDC for a Primary Domain Controller (PDC), and NTBDC for a Backup Domain Controller (BDC). For each machine acronym you list for a domain, the initialization file automatically installs the PCM service on every computer of that type in that domain.

You can also specify a list of machines that you want to install the PCM service on, using the Listed option. If you follow the domain name with the =listed entry, Rservice will install the PCM service only on machines you list in the file's machine list section. With this option, you can list a subset of specific machines in the named domain. If you want to install the PCM service on most, but not all, computers of a certain type in a domain, you can use the exclude parameter in the machine list section to exclude particular machines from the installation.

You can use the * character to select multiple machines that match a name. For example, you can enter

HQ*=include

to include all machines that have names beginning with the letters HQ.

The sample initialization file in Listing 1 shows entries for installing Rservice on a whole class of machines (excluding a machine named demoserver) and a list of specific machines. An actual initialization file would contain only one of these entries.
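One way to build the machine list so that it follows the earlier advice to install the PCM service only where users can't stop services. This is an added example, not code from the article or from SMS. It reads each machine's local Administrators membership and excludes any machine where an account outside a trusted set holds local administrator rights. The `=exclude` spelling is assumed by analogy with the `HQ*=include` entry above; the machine names, the jsmith account, the trusted set, and the function names are constructed for illustration.

```python
# Added example (not from the article or SMS). Inventory text is constructed and
# mimics `net localgroup Administrators` output captured from each machine.

# Assumption: principals allowed to hold local admin rights on a PCM target.
TRUSTED = {"administrator", "central\\domain admins"}

def parse_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for raw in net_output.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            in_list = True
        elif in_list and line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def classify(inventory, trusted=TRUSTED):
    """Return (machine, action, reason) tuples; unknown state fails closed."""
    result = []
    for machine in sorted(inventory):
        members = parse_members(inventory[machine])
        extra = [m for m in members if m.lower() not in trusted]
        if not members:
            # Collection failed or output was unparseable: do not install.
            result.append((machine, "exclude", "no membership data"))
        elif extra:
            result.append((machine, "exclude", "local admins: " + ", ".join(extra)))
        else:
            result.append((machine, "include", ""))
    return result

def render(entries):
    """Format entries as machine-list lines; ';' starts a comment line."""
    lines = []
    for machine, action, reason in entries:
        if reason:
            lines.append("; %s: %s" % (machine, reason))
        lines.append("%s=%s" % (machine, action))
    return "\n".join(lines)

HEADER = "Alias name     Administrators\nMembers\n\n" + "-" * 79 + "\n"
FOOTER = "The command completed successfully.\n"
SAMPLE = {  # constructed machine names and accounts
    "HQ-WS01": HEADER + "Administrator\nCENTRAL\\Domain Admins\n" + FOOTER,
    "HQ-WS02": HEADER + "Administrator\nCENTRAL\\Domain Admins\nCENTRAL\\jsmith\n" + FOOTER,
    "HQ-WS03": "System error 53 has occurred.\n",
}

if __name__ == "__main__":
    print(render(classify(SAMPLE)))
```

Machines whose membership could not be read are excluded rather than included, so a failed inventory never widens where the domain administrator service account is deployed.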

Other initialization file sections. Your initialization file must include several sections after the domain name section. The format for entries in these sections is

<computer_or_file_name>=<parameter>

Because all computers that you install the PCM service on will use the same installation parameters, you can use the * character to specify all computers.

The service account section provides the name of the service account that you created for the PCM service. If you will use this account to distribute applications to machines in multiple domains, you must specify in the service account section the name of the domain that the account resides in. Listing 1 shows a PCM service account called pcm_service that resides in the central domain.

The installation directory section specifies the directory where you want to place pcmsvc32.exe on each of the machines that you're installing the PCM service on. I don't recommend installing the PCM service in the C:\ms\sms\bin directory, which is where you typically install SMS components. When SMS upgrades client files, the SMS logon script automatically updates every client computer. However, the logon script will skip a client and not upgrade its files if the client's C:\ms\sms directory is open. NT starts services before users can log on, so the PCM service starts before the SMS logon script can run. Therefore, if the PCM service executable is in the same directory as the other SMS client components, the SMS logon script will never update the components. Placing the PCM service executable in a different directory avoids these conflicts. The default directory for PCM service installation is C:\pcmsvc\x86.bin. However, to minimize the number of SMS directories off the root directory, I typically install the service in the C:\ms\sms\pcm directory.

The source directory section specifies the installation source directory for pcmsvc32.exe files. SMS services already use this executable for site server communication; list the same pcmsvc32.exe file that SMS uses. SMS installs this file in the site.srv directory under the SMS main directory. List the universal naming convention (UNC) path to this file. In Listing 1, the PCM service's installation source directory is an SMS site.srv directory on the E drive of the smsserv computer.

The access permissions section specifies permissions for the directory you list in the installation directory section. You can list multiple types of permissions, but you need to separate them with a space. Your permissions choices include read, delete, and full. You must give the PCM service account at least read permission for the installation directory. In Listing 1, administrators have full permission, and the PCM service account has read permission for the C:\ms\sms\pcm directory.

The Registry settings section specifies Registry entries that Rservice will create during the PCM service's installation. You don't need to create entries for the NT Service Control Manager; Rservice makes these entries. However, you can define additional parameters for the PCM service in the Registry settings section of the initialization file. If you are defining multiple Registry entries for the PCM service on one set of computers, place all entries on one line with the following format:

*=key:<registry_path> <type>:<name>=<value>

Your Registry path entry must include the appropriate abbreviation for the Registry hive. Abbreviate Registry keys by the first letters of their names (e.g., HKLM for HKEY_LOCAL_MACHINE). If your name or value entries contain spaces, you must enclose the entries in quotation marks. In Listing 1, the Registry settings section enables logging of the PCM service events on the local machine and sets the log file path.

If you enter yes in the automatic start section, as Listing 1 does, the PCM service will start when the system boots. Do not change the default entries in your initialization file's service name or executable file sections. These entries must be the same for every PCM service installation.

Install the Service
After you configure the initialization file, you can use Rservice to install the PCM service. To execute the installation, log on to an NT workstation or server that is a member of any domain that has a trust relationship with the domain your initialization file specifies. To avoid a possible logon credential conflict, disconnect all your local machine's drives that connect to computers you list in the initialization file. The syntax of the command line that starts an Rservice installation is

rservice /install /c /l:<log_file> [/v] <initialization_file> [/t] [/m <machine_list>]

The /c parameter directs Rservice to use the service account that the initialization file specifies, rather than the account of the user who executes the Rservice command. You specify the log file's path after /l, the logging parameter. Be sure to use the full path to the initialization file, including the UNC name of the server and share.

Rservice also includes several optional parameters that you can enter. To see a more detailed command output than the standard Rservice output, include the /v parameter. To specify which machines you want the PCM service to install on (instead of the computers your initialization file lists), use the /m parameter, followed by machine names separated by spaces. To take advantage of Rservice's multithreading capabilities (and run multiple installations for faster completion), you can set a higher number of threads. Enter the /t option and the number of threads you want.

When you execute the PCM service's installation, Rservice prompts you for the password for your PCM service account. After you enter the password, Rservice connects to each computer that the initialization file lists. (If you used the /m parameter in the command line to replace the initialization file's computer list, Rservice connects to the entries on your /m list.) Rservice creates an installation directory on each computer and copies pcmsvc32.exe from the source directory your initialization file specifies to each machine's installation directory. Rservice then makes the Registry entries you specified in the Registry settings section of the initialization file and grants the service account logon-as-service rights to system resources. Rservice registers the PCM service with each computer, but Rservice does not start the service. (The service automatically starts on each computer when the computer reboots. You can manually start the service through the Services applet in the Control Panel.)

Before you install the PCM service on many computers, test your initialization file's syntax. Run the Rservice command, and use the /m option to install the PCM service on your computer. If your initialization file is correct, the service will install on your computer. Run the command in verbose mode with the /v option, and check the command output closely. If you see any errors, check permissions and initialization file syntax. When you are confident that your initialization file is correct, you can perform larger installations.

When you install the PCM service, you might receive error message 203, which says, "The system could not find the environment option that was entered." The message also says that the service did not install. You might receive this message even if the service installs correctly. Therefore, if you receive this error message, check to see whether the service installed correctly before you try to reinstall the service.

You can also use Rservice to stop, start, or uninstall a service. If you use Rservice to uninstall a service, be sure to stop the service first. You can find more information about these Rservice functions in the SMS resource kit and SP2's Rservice documentation.

Create a Package and Job
After you install the PCM service, you can use it to install applications. Creating automated packages is similar to creating packages that require user interaction, except that you have a few different package options.

First, you must define your package in the SMS Administrator. In the Packages window, select New from the File menu to create a new package. In the Package Properties dialog box that appears, click the Workstation button to get to the Command Line Properties dialog box, which Screen 1 shows. The dialog box displays a list of installation commands you can choose from. SMS executes a command line to install applications, as a user would type a command at a command prompt, and manages package installations with Package Definition Files (PDFs), which contain information about the application you want to install. Your package's PDF contains command lines, each of which includes several options. SMS SP2 includes new PDFs that take advantage of the PCM service. In the Command Line Properties dialog box, select a script that doesn't require user interaction. (To find out which scripts require no user interaction, consult your PDFs' documentation.) Also, select the Automated Command Line and System (Background) Task check boxes, and remove your non-NT operating systems (OSs) from the Supported Platforms field.

Second, you must create a job for this package. In the SMS Administrator's Sites window, select the package that you just created, and drag it onto a computer or machine group. This action automatically opens the Job Properties dialog box. To make the job mandatory, click the Details button of the Job Properties dialog box and set the Mandatory After date to be equal to the Offer After date, as Screen 2 shows. The PCM service doesn't install jobs until they are mandatory.

When you send a package that will run as a System Task (i.e., one that will install automatically), keep in mind that it will run only on systems that have the PCM service. When you create the job, limit the job target to NT machines with the service. You can design an SMS query to look for pcmsvc32.exe and send the job only to machines that have this file. If you send the job to machines without the PCM service, the job will not run. The job will remain incomplete until you delete it through the SMS Administrator.

Test the System
Before you use the PCM service to install applications on all your SMS machines, test your system thoroughly. If you can, test the service on an isolated SMS network that includes a server and several workstations. If you don't have an isolated SMS network available, you can follow a test plan I developed to minimize the PCM service's impact on my network.

You can run SMS's Audit package job to audit all the software on a computer. This package scans the files on a computer and compares them to the files in an Audit rule file. If SMS finds matching files in both places, it stores the results in the SMS database on the SMS site server. The Audit job is a good test of your SMS configuration, because it is simple and can run quickly. The Audit rule file that comes with SMS contains entries for more than 5000 applications. To make my test run more quickly, I configured an Audit rule file that contained information about only one application; I checked my computer's hard disk for Word 95. I created an Audit package and sent the job through the PCM service to my workstation. Then, I used SMS to upgrade my workstation to Office 97. These tests let me see the problems with my PCM service configuration before I installed the service on all my network's SMS computers.

When I was satisfied with the results of my PCM installation on my workstation, I targeted a group of power users in the IS department to test my Audit and Office 97 packages. These users understand computers and know the Audit and Office 97 software, so they provided me with thorough, invaluable feedback about the PCM installations.

Only after testing the PCM service on my workstation and my IS department did I use it to distribute applications to groups of general users. Because I had tested the service so carefully, my PCM service installations to my general user population proceeded smoothly.

Head Off Potential Problems
The PCM service can cause several problems for you and your users. You can easily bypass these problems if you properly plan your installations and anticipate conflicts the PCM service might have with other applications.

Jobs that the PCM service distributes use the PCM service account to access resources. These jobs can cause problems if the PCM service attempts to access resources while a logged-on user is using those resources. For example, when you install an application through the PCM service on a machine running an NT version earlier than 4.0, the PCM service uses a Dynamic Data Exchange (DDE) interface to create Program Manager groups for program icons. However, when users are logged on to their computers, they have exclusive rights to the Program Manager interface. Therefore, the application's setup program won't create desktop icons because the user's NT system denies the PCM service access to the Program Manager. To avoid this problem, send jobs that require access to the Program Manager only when users are logged off their machines.

The PCM application also causes problems if it executes at the same time as the PCM service. If a user attempts to install an application or upgrade software at the same time that the PCM service is executing an installation, the user will receive an error message. To avoid this conflict, distribute applications through the PCM service when users are unlikely to execute the PCM application.

Make Your Life Easier
The PCM service for SMS is valuable for systems administrators. One of my clients has a large SMS infrastructure, but before the release of SMS SP2, the company preferred not to use SMS to distribute applications to users. Users had difficulty understanding the PCM application, and the company noticed a spike in the number of calls to the internal Help desk after every software distribution. Rather than engage users in the installation process, the company sent a technician to every desktop to install applications manually.

Now the company uses the PCM service to distribute software to user desktops. The number of calls to the Help desk has fallen, and every desktop has a standard set of applications. Total administration time on the system has dropped dramatically.

The newly improved PCM service does much to ease systems administrators' headaches. You can now distribute packages in the evening, and users can return to their desks in the morning to find a new set of applications on their machines. If only the PCM service could teach users how to operate the new applications.