Topic last updated—November 2007
If you have configured the Microsoft System Center Configuration Manager 2007 distribution point as a standard distribution point, you can choose to enable the distribution point for Background Intelligent Transfer Service (BITS). However, enabling BITS does not guarantee that the client will always download content from the distribution point using BITS. For example, if an advertisement is configured to run from the distribution point, the client computer always uses Server Message Block (SMB) instead of BITS. Also, mobile device clients require that the distribution point be BITS-enabled, but they do not actually use BITS when downloading content.
Using BITS-enabled distribution points helps control bandwidth throttling between client computers and distribution points. Also, when a computer is downloading from a BITS-enabled distribution point and is interrupted, it can resume where it left off, even if the client computer connects to a different distribution point.
Note: BITS is never used to transfer content from the site server to the distribution point. The site server always uses SMB to copy packages to distribution points and does not use any throttling or fault tolerance.
A BITS-enabled distribution point must have Internet Information Services (IIS) installed and WebDAV enabled.
BITS-Enabled Distribution Points and Multiple Virtual Directories
If the distribution point is BITS-enabled, Configuration Manager 2007 creates virtual directories for BITS downloading. If you did not configure a custom Web site on the site server properties, the virtual directories are created under the Default Web Site. The virtual directories that Configuration Manager 2007 creates depend on the distribution point and package configuration.
Mixed Mode
In mixed mode, when the distribution point is a server instead of a server share, the following virtual directories are created:
- SMS_DP_SMSSIG$
- SMS_DP_SMSPKG<driveletter>$
When the distribution point is a server share, instead of the SMS_DP_SMSPKG<driveletter>$ virtual directory, Configuration Manager 2007 creates SMS_DP_<sharedfolder>, where sharedfolder is the name of the folder created for the server share.
If you create a custom shared folder for a package, an additional virtual directory is created called SMS_DP_<CustomShare>.
In mixed mode, client computers are authenticated using Windows authentication.
Native Mode
In native mode, if the distribution point is configured to support intranet clients, the following virtual directories are created on distribution point servers:
- SMS_DP_SMSSIG$
- SMS_DP_SMSPKG<driveletter>$
- NOCERT_SMS_DP_SMSPKG<driveletter>$
- NOCERT_SMS_DP_SMSSIG$
When the native mode distribution point is a server share, Configuration Manager 2007 creates SMS_DP_<sharedfolder> and NOCERT_SMS_DP_<sharedfolder>, where sharedfolder is the name of the folder created for the server share.
If you create a custom shared folder for a package, the following additional virtual directories are created:
- SMS_DP_<CustomShare>
- NOCERT_SMS_DP_<CustomShare>
Clients accessing the NOCERT_SMS_DP virtual directory, such as NOCERT_SMS_DP_SMSPKG<driveletter>$, are authenticated using Windows authentication. Clients accessing the SMS_DP_ virtual directory, such as SMS_DP_SMSPKG<driveletter>$, are authenticated based on their native mode client authentication certificates.
If the distribution point is configured to support only Internet-based clients, the NOCERT_SMS_DP virtual directories are not created and authentication can occur only by using certificates.
Certificate Authentication in Native Mode
For a client to authenticate using the certificate, the authenticating entity must have access to the private key of the client authentication certificate. For example, if the advertisement is run on a schedule with no user logged on, the Local System account has administrative rights and can access the private key of the computer's authentication certificate. However, if a program is advertised to and initiated by a user and that user does not have administrative rights on the computer, the user cannot access the private key of the computer's authentication certificate, assuming the certificate store has the appropriate permissions.
Content Location Requests on the Intranet
When an intranet-only client issues a content location request, the management point returns the virtual directories as though they are separate distribution points. The client evaluates the content location response and selects a distribution point as described in Configuration Manager and Content Location (Package Source Files). While a client might prefer one distribution point over another based on several factors, at a certain point the client will choose randomly from distribution points that meet the same criteria.
In native mode, this means that it is not possible to predict whether the client will connect to the SMS_DP or the NOCERT_SMS_DP virtual directory on a given distribution point. If the client cannot access the package content by using the SMS_DP virtual directory, it will attempt to access the content again by using the NOCERT_SMS_DP virtual directory, and vice versa. If multiple distribution points are returned and are sorted into the same category, it is possible for the client to connect to the SMS_DP_SMSPKG<driveletter>$ on one distribution point, fail to access the content, and then attempt to connect to the NOCERT_SMS_DP_SMSPKG<driveletter>$ virtual directory on a different distribution point.
Content Location Requests from the Internet
When an Internet-based client makes a content location request, the management point returns only the SMS_DP virtual directory on that distribution point, provided that distribution point has been configured to support Internet clients. If the client is unable to authenticate using the client authentication certificate, the client fails to receive the content because Internet-based clients do not receive the NOCERT_SMS_DP virtual directory. If the program is initiated in the context of a user who is not an administrator, the user cannot access the computer certificate's private key and cannot be authenticated by the distribution point, and the advertisement fails. If the program is initiated by a schedule, the Local System account runs the program and can access the computer certificate's private key to authenticate with the distribution point.
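The virtual directory rules and the certificate authentication behavior described above can be modeled as a configuration check. The following is an added example, not code from Configuration Manager or Microsoft; the function names, the drive letter and the sample directory listing are hypothetical. It assumes that the SMSSIG$ directories also exist on server-share distribution points, that in native mode the share name replaces SMSPKG<driveletter>$ as it does in mixed mode, and that Windows authentication succeeds for the caller.

```python
# Added example: models the virtual directory rules described on this page.
CERT, WINDOWS = "client certificate", "Windows authentication"

def expected_vdirs(mode, drive="D", share=None, custom_shares=(), intranet=True):
    """Return {virtual directory name: authentication method} for one DP.

    mode: "mixed" or "native"; share: folder name when the DP is a server
    share; intranet=False means the DP supports only Internet-based clients.
    Assumption: the SMSSIG$ directories exist for server shares too, and in
    native mode the share name replaces SMSPKG<driveletter>$ as in mixed mode.
    """
    if mode not in ("mixed", "native"):
        raise ValueError("mode must be 'mixed' or 'native'")
    suffixes = ["SMSSIG$", share if share else f"SMSPKG{drive}$", *custom_shares]
    vdirs = {}
    for s in suffixes:
        if mode == "mixed":
            vdirs[f"SMS_DP_{s}"] = WINDOWS
        else:
            vdirs[f"SMS_DP_{s}"] = CERT
            if intranet:  # NOCERT directories exist only for intranet support
                vdirs[f"NOCERT_SMS_DP_{s}"] = WINDOWS
    return vdirs

def audit(observed, expected):
    """Compare IIS virtual directory names found on a DP with the expected set."""
    observed = set(observed)
    return {
        "missing": sorted(set(expected) - observed),
        "unexpected": sorted(n for n in observed - set(expected)
                             if n.startswith(("SMS_DP_", "NOCERT_SMS_DP_"))),
    }

def usable_vdirs(vdirs, can_read_private_key):
    """Directories a caller can authenticate to. Certificate-authenticated
    ones need access to the computer certificate's private key; Windows
    authentication is assumed to succeed."""
    return sorted(n for n, auth in vdirs.items()
                  if auth == WINDOWS or can_read_private_key)

if __name__ == "__main__":
    internet_only = expected_vdirs("native", drive="E", intranet=False)
    # Constructed sample: names as they might be listed from IIS on the DP.
    observed = ["SMS_DP_SMSSIG$", "SMS_DP_SMSPKGE$", "NOCERT_SMS_DP_SMSPKGE$"]
    print(audit(observed, internet_only))
    print(usable_vdirs(internet_only, can_read_private_key=False))
```

A NOCERT_SMS_DP directory reported as unexpected on a distribution point that supports only Internet-based clients means content is reachable there with Windows authentication instead of certificates. An empty result from `usable_vdirs` corresponds to the failed advertisement for a non-administrator user on an Internet-based client.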