blog by Kim Oppalfens

Blog about System Center Configuration Manager 2007
SccmAutoDoc goes beta1

What is SccmAutoDoc?

SccmAutoDoc is a command-line utility that documents a System Center Configuration Manager 2007 site in a human-readable format. Much effort has been put into making the document closely resemble what you see in the Configuration Manager admin console. In other words, SccmAutoDoc documents your site configuration.

Additionally, the goal is to document only relevant settings and to leave out items that are irrelevant. For example, if the software inventory client agent is disabled, it doesn't make much sense to document the software inventory agent schedule.

What are the software requirements to be able to use SccmAutoDoc?

SccmAutoDoc requires a machine with Word 2007 installed and access to the ConfigMgr site server and the ConfigMgr SMS Provider. Word 2007 does NOT need to be installed on the site server, SQL server or SMS Provider computer. The program works perfectly well from a remote machine running Windows XP, Vista or Windows 7.

Word 2007 does need the primary interop assemblies installed, but these are part of a default Word 2007 install. If you don't have the primary interop assemblies for Office 2007 installed, you can download them here: <http://www.microsoft.com/downloads/details.aspx?familyid=59DAEBAA-BED4-4282-A28C-B864D8BFA513&displaylang=en>

What permissions do I need to run SccmAutoDoc?

SccmAutoDoc requires a user with Read permissions on the site object of the Configuration Manager site to be documented. The command line optionally lets you pass a user name and password as arguments to perform the documentation. If you don't specify a user name and password, the credentials of the currently logged-on user are used. Keep in mind that a password passed as a command-line argument is visible in the command history and in the process's command line on that machine, so running under the logged-on credentials is preferable where they have the required rights.

Where can I get SccmAutoDoc?

SccmAutoDoc beta1 can be downloaded from http://scug.be/media/g/sccmautodoc/default.aspx

How do I use SccmAutoDoc?

Just unzip the zip file to a folder (the zip contains sccmautodoc.exe, 2 DLLs and an XML file).

Then run SccmAutoDoc from a command prompt; it displays the usage statement.

Sample command lines:

Ex1: sccmautodoc -sitecode S01 -server sccm01
     This command documents the site with site code S01 on server sccm01 with the user
     account that launched SccmAutoDoc.
Ex2: sccmautodoc -sitecode S01
     This command documents the site with site code S01 when running locally on the server.
Ex3: sccmautodoc -sitecode S01 -server sccm01 -username Contosso\sccmadmin -password P@ssw0rd
     This command documents the site with site code S01 on server sccm01 with the user
     account Contosso\SccmAdmin and password P@ssw0rd.

Where can I send bug reports/feature request/suggestions?

All comments, bug reports, suggestions and feature requests are more than welcome at mailto:sccmautodoc@oscc.be.

Unless I am swamped with suggestions, I will do my utmost to respond to any inquiries you might have.

If you send a bug report, please include the error you are receiving and a copy of the document created by the execution that errored out.

Is SccmAutoDoc freeware?

SccmAutoDoc is not freeware; at present it is beta software that might eventually end up as a reasonably priced documentation tool.

Preliminary licensing plans revolve around a ConfigMgr site license, a ConfigMgr hierarchy license and a consultant/consultancy firm license.

When does this beta Expire?

This beta version expires on the 15th of December 2009, at which point a new version (Beta 1.5 or Beta 2) should be available.

What does SccmAutoDoc currently document?

SccmAutoDoc currently documents everything you see in the ConfigMgr Admin Console underneath the Site Settings node, with some small exceptions listed below:

  • Address schedule and Bandwidth limiting configuration.
  • Certificates node
  • Status Filter Rules

For a sample of what SccmAutoDoc documents, have a look at SccmAutoDoc-1.125-Sample at:

http://scug.be/media/g/sccmautodoc/default.aspx

SccmAutoDoc currently has no plans to document "volatile" data. In other words, packages, programs, advertisements and the like will NOT be documented. This data changes too often, which would require SccmAutoDoc to run several times a day. Additionally, the documentation would then become quite large, making it lose its purpose as a site configuration document.

What are some of the known issues so far with SccmAutoDoc?

SccmAutoDoc errors out if you open up a focus-capturing box in Word while the program tries to write data to the document.

How does SccmAutoDoc work?

SccmAutoDoc works by querying WMI and parsing the results to look like they appear in the ConfigMgr admin console. The main engine behind SccmAutoDoc is the included XML file, which lists the queries that are executed.
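To show that architecture in working form, here is an added PowerShell example. It is not SccmAutoDoc's own code, and its XML query list is constructed for the example (SccmAutoDoc's real file format is not shown in this post). It assumes an SMS Provider for site S01 on server sccm01 (both placeholders), Read rights on the site object, and that SMS_Site, SMS_SystemResourceList and SMS_SCI_ClientComp are queried with the standard SMS Provider property names listed; it writes a plain-text report instead of a Word document.

```powershell
# Added example, not SccmAutoDoc's own code or query file: a minimal query-driven
# site documenter. A list of WQL queries is run against the SMS Provider and the
# results are written per console node to a text file.
# Assumed: SMS Provider for site $SiteCode on $Server, Read rights on the site.
param(
    [string]$SiteCode = "S01",      # placeholder
    [string]$Server   = "sccm01",   # placeholder
    [string]$OutFile  = ".\SiteConfig-$SiteCode.txt",
    [System.Management.Automation.PSCredential]$Credential = $null
)

$namespace = "root\SMS\site_$SiteCode"

# Constructed query list in the spirit of the post's XML: one <Section> per console
# node, with the WQL to run and the properties to print. The last section only
# documents client agents whose Flags say they are enabled (1), mirroring the
# "document only relevant settings" rule from the post.
[xml]$queryList = @"
<Queries>
  <Section title="Site Properties"
           wql="SELECT * FROM SMS_Site WHERE SiteCode='$SiteCode'"
           properties="SiteCode,SiteName,ServerName,Version,Type" />
  <Section title="Site Systems and Roles"
           wql="SELECT * FROM SMS_SystemResourceList WHERE SiteCode='$SiteCode'"
           properties="ServerName,RoleName" />
  <Section title="Client Agents (enabled only)"
           wql="SELECT * FROM SMS_SCI_ClientComp WHERE SiteCode='$SiteCode' AND Flags=1"
           properties="ClientComponentName,Flags" />
</Queries>
"@

function Invoke-SiteQuery {
    param([string]$Wql)
    $wmiArgs = @{ Namespace = $namespace; ComputerName = $Server; Query = $Wql }
    # Without an explicit credential the logged-on user's credentials are used,
    # as the post describes for SccmAutoDoc.
    if ($Credential) { $wmiArgs.Credential = $Credential }
    Get-WmiObject @wmiArgs
}

$report = New-Object System.Text.StringBuilder
foreach ($section in $queryList.Queries.Section) {
    [void]$report.AppendLine("== " + $section.title + " ==")
    $props = $section.properties -split ","
    $rows  = @(Invoke-SiteQuery -Wql $section.wql)
    if ($rows.Count -eq 0) { [void]$report.AppendLine("  (nothing to document)") }
    foreach ($row in $rows) {
        # Print only the properties the section asks for, name=value per column
        $cells = foreach ($p in $props) { "{0}={1}" -f $p, $row.$p }
        [void]$report.AppendLine("  " + ($cells -join "; "))
    }
    [void]$report.AppendLine()
}

Set-Content -Path $OutFile -Value $report.ToString()
Write-Host "Site configuration written to $OutFile"
```

Adding a console node is a matter of adding a `<Section>` with its WQL and property list; no change to the loop is needed, which is the point of keeping the queries in data rather than in code.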

Upgrading your sms 2003 admin skills to SCCM 2007

Hi all,

As announced during my presentation at the Belgian TechDays, I will be teaching a custom training class on how to upgrade your SMS 2003 admin skills to SCCM 2007. This class is mainly aimed at current SMS 2003 administrators who have transitioned to ConfigMgr 2007 or are in the planning/preparation phase of transitioning.

This class is not about the upgrade/migration itself but about upgrading the administrator's skill set. Quite a number of things have changed from SMS to SCCM, and that's what this class will focus on. Building on what you already know from SMS 2003, this class is meant to bring you up to speed with SCCM 2007.

The idea is to make this a course with lots of well-thought-out hands-on labs, with clear instructions and examples that are usable in your production environment, mixed with me telling you everything I know about ConfigMgr 2007.

More details on this class can be found here:

http://www.jcacademy.com/courses/_nl/coursesheet.asp?language=NL&country=&course_id=738

Summary:

What: Customized SCCM 2007 training class

Where: Jca Facilities in Louvain, Belgium

When: 28th till the 30th of April

How Much: The attendance fee for this course is 1250€

Instructor: Me, an enthusiastic SMS trainer with a lot of training and field experience, and 3 MVP awards.

Don't wait too long, seats are going fast after the techdays announcement.

"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.scug.be/blogs/sccm

How to transition from sms 2003 to Sccm 2007 - Notes from the field Tips & Tricks

Hi all,

I delivered my session at the Belgian Techdays, and I promised on my blog and during the session that I would share the scripts with all of you. So here they come. Most of these scripts were used during a side-by-side upgrade transition. The side-by-side upgrade transition process looks like this:

  1. Install SMS 2003 SP2 on new server
  2. Attach new SMS 2003 SP2 site as a child site
  3. Let objects replicate
  4. Break Parent – Child relationship
  5. Upgrade new Site to Configmgr 2007
  6. Install KB945898
  7. Migrate clients to new site
  8. Remove boundaries from original site
  9. Add boundaries to new site
  10. Decommission original site
  11. Migrate non-replicating objects (queries/reports)

Benefits

This method provides a smooth transition without impacting your current SMS 2003 infrastructure until your new SCCM 2007 environment is fully up and running and has been tested successfully. This makes it one of the lowest-impact transitioning methods available.

Challenges / manual steps to perform in this method are:

  1. Verify all objects have migrated
  2. Configure Site Settings
  3. Migrate Folders and folder membership
  4. Make Software distribution functional in new site without boundaries
  5. Optional: Modify package source path
  6. Migrate hardware inventory customizations (SMS_def.mof)
  7. Export / Import queries
  8. Export / Import reports
  9. Configure security rights
  10. Non-Replicating Software Metering Rules

In this section I will go over these challenges and, where available, introduce a script to tackle them. If a script is available I will first explain what the script does, give an example command line, and add some comments/remarks.

Challenge 1: See Script1 later in this post

Challenge 2: This is left as a manual exercise for the reader

Challenge 3: See Script2 & Script3 later in this post

Challenge 4: See Script5 later in this post

Challenge 5: See Script4 later in this post

Challenge 6: See Challenge 2

Challenge 7: Use the export and import wizard. My experience has been that importing the MOF file in one pass tends to be error-prone; I usually cut the MOF file into 200KB chunks and import the chunks one by one, which has made the import process much less error-prone. Then run the script to move the queries into the correct folder; see Script3 later in this post.

Challenge 8: See Challenge 7

Challenge 9: See Challenge 2

Challenge 10: Software metering rules can be configured to apply to this site only, or to this site and all child sites. If your software metering rules are configured to apply only to the current site, they will obviously not replicate. Unfortunately, this setting cannot be changed after the rule has been created.

Scripts to Tackle the challenges:

Just for the record, these scripts do not come with any form of support or guarantee. The scripts have served me well but should be tested in your environment, as your mileage may vary! Furthermore, the scripts aren't always the cleanest code: they don't log a lot of data and they use some hardcoded parameters that would be more appropriate as arguments.

Script1: Countobjects.vbs

Description

This script counts the number of Queries, Reports, Packages, Advertisement, Software Metering Rules, Collections and folders.

Example

Usage: Cscript Countobjects.vbs

Remarks

Run this script on both the old and the new SMS 2003 server and compare the numbers. Once all numbers match, you can perform step 4 and break the parent-child relationship.
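As an added example (not the post's Countobjects.vbs), the same count done in PowerShell against both sites at once, together with the comparison that step 4 depends on. It assumes both SMS Providers are reachable with the logged-on credentials, that the server names and site codes below are placeholders, and that the standard SMS Provider classes in the table are the ones behind the console objects the post counts.

```powershell
# Added example, not the post's Countobjects.vbs. Counts the object types the post
# compares on the old and the new site and reports every mismatch, so the
# parent-child link is only broken once replication has caught up.
# Server names and site codes are placeholders.
param(
    [string]$OldServer = "sms01",  [string]$OldSiteCode = "S01",
    [string]$NewServer = "sccm01", [string]$NewSiteCode = "S02"
)

# Console object -> SMS Provider class (standard SMS 2003 / ConfigMgr 2007 classes)
$classes = @{
    "Queries"                 = "SMS_Query"
    "Reports"                 = "SMS_Report"
    "Packages"                = "SMS_Package"
    "Advertisements"          = "SMS_Advertisement"
    "Software Metering Rules" = "SMS_MeteredProductRule"
    "Collections"             = "SMS_Collection"
    "Folders"                 = "SMS_ObjectContainerNode"
}

function Get-SmsObjectCounts {
    param([string]$Server, [string]$SiteCode)
    $counts = @{}
    foreach ($name in $classes.Keys) {
        # Wrap in @() so a single object (or none) still has a usable Count
        $objects = @(Get-WmiObject -ComputerName $Server `
                                   -Namespace "root\SMS\site_$SiteCode" `
                                   -Class $classes[$name])
        $counts[$name] = $objects.Count
    }
    $counts
}

function Compare-SmsObjectCounts {
    param([hashtable]$Old, [hashtable]$New)
    # One record per object type; Match is $false wherever the numbers differ
    foreach ($name in ($Old.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Object = $name
            Old    = $Old[$name]
            New    = $New[$name]
            Match  = ($Old[$name] -eq $New[$name])
        }
    }
}

$old    = Get-SmsObjectCounts -Server $OldServer -SiteCode $OldSiteCode
$new    = Get-SmsObjectCounts -Server $NewServer -SiteCode $NewSiteCode
$result = @(Compare-SmsObjectCounts -Old $old -New $new)
$result | Format-Table Object, Old, New, Match -AutoSize

if ($result | Where-Object { -not $_.Match }) {
    Write-Warning "Counts differ; wait for replication before breaking the parent-child relationship."
} else {
    Write-Host "All counts match; step 4 can be performed."
}
```

Built-in queries and reports exist on both sites, so they inflate both numbers equally; the comparison still holds as long as the new site was installed from the same media.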

Script2: SmsContainers.vbs

Description

This script allows you to export and import the folder structure from one sms 2003 environment to another.

Example

Usage: Cscript SmsContainers.vbs export s01folders.txt
   or: Cscript SmsContainers.vbs import s01folders.txt

Remarks

Because SMS 2003 does not replicate the folder structure to child sites, we need a script that duplicates this folder structure. At import time this script creates a file called conversionarray.txt that allows us to translate old folder IDs into new folder IDs. We will need this file in later scripts to move the objects back into the correct folders.

Script3: xyzfoldermembership.vbs

Description

There are multiple scripts with this filename, where xyz is adv for advertisements, pkg for packages, rprt for reports, qry for queries or swmtr for software metering rules. These scripts move the respective objects into the correct folder.

Example

Usage: Cscript.exe xyzfoldermembership.vbs export S01xyzfolders.txt
   or: Cscript.exe xyzfoldermembership.vbs import S01xyzfolders.txt

Remarks

These scripts need conversionarray.txt to be available in order to find the correct folder ID to place the objects in.

Script4: Modifypkgsource.vbs

Description

This script modifies the package source of all packages to point to a new server.

Example

Cscript Modifypkgsource.vbs

Remarks

If the source files for your packages are stored locally on the site server, you'll need to modify the package source path of all packages to point to a new server. First copy the package source folder structure to the new server, then edit the script to replace the oldserver and newserver strings with the values needed for your environment.

Script5: ModifyAdverts.vbs

Description

This script configures all advertisements to run from a remote distribution point.

Example

Cscript ModifyAdverts.vbs

Remarks

Because you cannot have overlapping boundaries, we can only move the boundaries after all of the clients in a boundary have migrated. As a result, clients in the new SCCM infrastructure will not be able to find a local distribution point, so if you want these clients to be able to run advertisements, those advertisements have to be configured to allow running from a remote distribution point. If you want to change the value back later, just change the bit value. Secondly, if you already have some advertisements configured to run from a remote DP, or to download from a remote DP, be aware that this script does not build a text file recording what it has changed, so it doesn't allow you to revert to the original situation. If that is something you require, you'll have to adapt the script to save the original configuration.
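One way to add the missing safeguard, as an added PowerShell example that is not the post's ModifyAdverts.vbs: record every advertisement's original RemoteClientFlags in a CSV before setting the "run program from remote distribution point" bit, and restore from that CSV with -Revert. The bit values (0x04 DONT_RUN_NO_LOCAL_DISPPOINT, 0x08 DOWNLOAD_FROM_REMOTE_DISPPOINT, 0x10 RUN_FROM_REMOTE_DISPPOINT) are taken from the ConfigMgr 2007 SDK description of SMS_Advertisement.RemoteClientFlags and should be verified there; server name and site code are placeholders.

```powershell
# Added example, not the post's ModifyAdverts.vbs. Saves each advertisement's
# original RemoteClientFlags to a CSV, then sets "run from remote DP"; -Revert
# reads the CSV back and restores the recorded values.
# Assumed (verify in the ConfigMgr 2007 SDK, SMS_Advertisement.RemoteClientFlags):
#   0x04 DONT_RUN_NO_LOCAL_DISPPOINT, 0x08 DOWNLOAD_FROM_REMOTE_DISPPOINT,
#   0x10 RUN_FROM_REMOTE_DISPPOINT. Server and site code are placeholders.
param(
    [string]$Server     = "sccm01",
    [string]$SiteCode   = "S01",
    [string]$BackupFile = ".\advertflags-$SiteCode.csv",
    [switch]$Revert
)

$namespace          = "root\SMS\site_$SiteCode"
$DontRunNoLocalDp   = 0x04
$DownloadFromRemote = 0x08
$RunFromRemoteDp    = 0x10

# Pure flag arithmetic, kept separate so it can be checked against known values.
# The three "no local DP" options are mutually exclusive in the console, so the
# other two bits are cleared before RUN_FROM_REMOTE_DISPPOINT is set.
function Set-RunFromRemoteDp {
    param([int]$Flags)
    $mask = -bnot ($DontRunNoLocalDp -bor $DownloadFromRemote)
    ($Flags -band $mask) -bor $RunFromRemoteDp
}

if ($Revert) {
    # Restore every advertisement to the flags recorded in the backup
    foreach ($row in Import-Csv $BackupFile) {
        $ad = Get-WmiObject -ComputerName $Server -Namespace $namespace `
                -Class SMS_Advertisement -Filter "AdvertisementID='$($row.AdvertisementID)'"
        if ($ad -and ([int]$ad.RemoteClientFlags -ne [int]$row.RemoteClientFlags)) {
            $ad.RemoteClientFlags = [int]$row.RemoteClientFlags
            [void]$ad.Put()
            Write-Host ("Restored {0} to 0x{1:X}" -f $row.AdvertisementID, [int]$row.RemoteClientFlags)
        }
    }
    return
}

# Never overwrite an existing backup: a second run must not lose the originals
if (Test-Path $BackupFile) { throw "Backup $BackupFile already exists; refusing to overwrite it." }

$adverts = @(Get-WmiObject -ComputerName $Server -Namespace $namespace -Class SMS_Advertisement)
$adverts | Select-Object AdvertisementID, AdvertisementName, RemoteClientFlags |
    Export-Csv -Path $BackupFile -NoTypeInformation

foreach ($ad in $adverts) {
    $old = [int]$ad.RemoteClientFlags
    $new = Set-RunFromRemoteDp -Flags $old
    if ($new -ne $old) {
        $ad.RemoteClientFlags = $new
        [void]$ad.Put()
        Write-Host ("{0} ({1}): 0x{2:X} -> 0x{3:X}" -f $ad.AdvertisementName, $ad.AdvertisementID, $old, $new)
    }
}
Write-Host "Original flags saved to $BackupFile; run again with -Revert to restore them."
```

The backup is written before the first Put(), and the script refuses to run when the CSV already exists, so an advertisement that was already set to download from a remote DP keeps its original value on file and gets it back on -Revert.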

The scripts can be downloaded here:

http://scug.be/files/folders/sccm/default.aspx

--

Enjoy.

"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.scug.be/blogs/sccm

How to transition from sms 2003 to Sccm 2007 - Notes from the field session at Belgian Techdays

Hi All,

I will be speaking at the Belgian Techdays for the second year in a row. The session is aimed at current SMS 2003 administrators that are looking at transitioning to SCCM 2007.

The session is scheduled for Thursday the 13th of March, running from 14:30 till 15:45. Because of time constraints the session will not include any demos. It will discuss all popular ways to transition from SMS 2003 to SCCM 2007, and introduce you to some scripts that can help you move to SCCM 2007 more smoothly.

Session Abstract:

This session will introduce you to the different methods of transitioning from SMS 2003 to SCCM 2007. The session will discuss the pros and cons of the Wipe and Load, In-place Upgrade, Side-by-Side Migration and the speaker's personal favourite, the Side-by-Side Upgrade. The session will also show you how you can use scripts to assist you in automating certain tasks during the migration process.

Hope to see you all there.

--

Enjoy.

"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

Understanding Software Updates in SCCM 2007

ConfigMgr 2007 comes with a totally new way of deploying software updates. The new method offers some great advantages over the old one(s) available in SMS 2003. It didn't take me long to see the benefits the new architecture brings, but it did take me quite some effort to understand how I could create a working operational process to maximize these benefits; it actually took a fellow MVP (thanks Pannu) and Wally to set things straight in my head (thanks Wally). This two-part series will try to give you some insight into how the ConfigMgr 2007 solution stacks up against the SMS 2003 implementation. The second part will explain the objects involved and guide you through a potential implementation of software updates in SCCM 2007.

Let's start by briefly explaining how the sms 2003 infrastructure operates, followed by the currently known issues. Later in this post we'll review what the Sccm 2007 architecture looks like, and how this new architecture deals with the known issues of the past.

In SMS 2003 the back-end infrastructure relied on software distribution packages and advertisements to initiate the software catalog download, the software update scan and the patch installation processes. The scan process itself, using the final scan engine ITMU, was based on the Windows Automatic Update agent. The scan engines prior to that were SMS-specific engines like the Software Update Inventory Scan Tool, the Office Update Inventory Scan Tool or the Extended Software Update Inventory Tool. Clients have always reported their software update compliance state through hardware inventory, regardless of the scan engine used.

One of the downsides of the SMS 2003 infrastructure was that multiple scan engines were necessary, which complicated software update management quite a bit. And no matter which engine you used, all engines first downloaded the catalog locally and cached it in a specific folder before starting the scan. This caching of the catalog files didn't always work flawlessly, resulting in clients scanning with an old catalog, which obviously didn't report the expected information. Another issue was that the reporting process relied on hardware inventory, which made reporting slower and not very flexible.

Now let's look at how this all works in SCCM 2007. Software Updates now integrates with and relies on a WSUS 3.0 server. The WSUS server is used to download the catalog and serves as the "scan point" for the ConfigMgr 2007 clients. This eliminates the catalog caching problem the SMS 2003 engines had, because the clients now scan directly against a WSUS server. Another benefit of this integration is the wider range of content that can be deployed: the SMS 2003 engines only supported security updates, whereas WSUS 3.0 supports a wide variety of updates ranging from security updates over critical updates, feature packs, service packs, drivers and more. All these benefits come at a fairly low cost: yes, you now need to install a WSUS server, but all management of this WSUS server is done from the SCCM 2007 admin console. (This is why you need to install the WSUS admin console on the site server if you want to use a remote WSUS server.)

Another major change, as far as I'm concerned, is that clients now report their software update compliance state through state messages. This allows faster, more flexible and more detailed status reporting to flow from the clients up to the server.

That's it for the first post, stay tuned for a follow-up.

"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

Organize your Digital photos into folders using Powershell and Exif data

This post isn't directly System Center related, but with some creative thinking it does belong on this blog. Although SMS is a large portion of my professional life, I still have a somewhat personal life as well, and in that personal life I occasionally take some pictures. Since photography has progressed to digital, I obviously take digital pictures, mainly of my 3-year-old son Lennart. So far so good. The problem is that these digital photos need to be copied to computers to clear the memory cards for taking additional pictures.

This is usually where the nightmares start. It starts with copying them to your laptop, because that is the machine that was closest when the memory card needed to be emptied. The next time around you put them on your media center directly, and so on. The main problem I have is that I usually have to do this in a hurry, because new pictures are going to be taken that day, which means the files DSC?????.jpg are copied to some folder (usually called ToBeOrganized) without any descriptive name. After taking pictures for a couple of months, getting this ToBeOrganized folder organized seems like a hell of a job. So I decided to call in Windows PowerShell to assist.

For those of you that have been living under a rock for the past couple of months, Windows PowerShell is Microsoft's new DOS box that has everyone running around overly excited. The neat thing about this DOS box is that it can access .NET classes, and that is exactly what I figured I would use to get my pictures organized.

I started my endeavour by reading a blog post from James O'Neill's blog. In his blog post James talks about accessing Exif data from within PowerShell, and that is exactly what I did: armed with the knowledge from that blog post I created one of my first PowerShell scripts. The code isn't really pretty, but it reads the "date picture taken" property from the Exif data of all pictures in the folder the script was launched from. Subsequently it copies all these files into a new folder called c:\organizedfotos. Underneath this folder you get a folder per year, followed by a folder per "picture date". So in the end your folders are organized like this.

(Image: Exifblog, the resulting c:\organizedfotos folder tree)

Now all I need to do is analyze each folder to see what event triggered the creation of these pictures, rename the folder, archive each year to DVD, and finally decide which ones we are going to print. How did I do all this? With a simple script. The script looks like this:

# ==============================================================================================
#
# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 4.1
#
# NAME: OrgFotos.ps1
#
# AUTHOR:  Kim Oppalfens,
# DATE  : 12/2/2007
#
# COMMENT: Helps you organise your digital photos into subdirectories, based on the Exif data
# found inside the picture. Based on the "date picture taken" property the pictures will be
# organized into c:\organizedfotos\YYYY\DD-MM-YYYY
# ==============================================================================================

# System.Drawing provides the Bitmap class that exposes the Exif property items
[reflection.assembly]::loadfile("C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll")

$Files = Get-ChildItem -recurse -filter *.jpg
foreach ($file in $Files)
{
  $foo = New-Object -TypeName system.drawing.bitmap -ArgumentList $file.fullname

  # Exif property 36867 (DateTimeOriginal, "date picture taken") is an ASCII string
  # "YYYY:MM:DD HH:MM:SS": bytes 0-9 are the date, byte 10 is the space separator
  # 48 = 0 49 = 1 50 = 2 51 = 3 52 = 4 53 = 5 54 = 6 55 = 7 56 = 8 57 = 9 58 = :
  $date = $foo.GetPropertyItem(36867).value[0..9]
  $foo.Dispose()   # release the file handle so the copy below is not blocked by a lock
  $arYear  = [Char]$date[0],[Char]$date[1],[Char]$date[2],[Char]$date[3]
  $arMonth = [Char]$date[5],[Char]$date[6]
  $arDay   = [Char]$date[8],[Char]$date[9]
  $strYear  = [String]::Join("",$arYear)
  $strMonth = [String]::Join("",$arMonth)
  $strDay   = [String]::Join("",$arDay)
  $DateTaken  = $strDay + "-" + $strMonth + "-" + $strYear
  $TargetPath = "c:\organizedfotos\" + $strYear + "\" + $DateTaken

  # Create the YYYY\DD-MM-YYYY folder on first use, then copy the picture into it
  If (-not (Test-Path $TargetPath))
  {
    New-Item $TargetPath -Type Directory
  }
  xcopy /Y/Q $file.FullName $TargetPath
}

The post isn't entirely out of System Center scope though: this has freed up quite some time, so I should be able to do some more SMS related posts in the next couple of weeks.

PS: Thomas, for the record, powershell is still just a silly new dos-box. Admitted, a dos-box in which you can do remarkable things every once in a while, but it stays a dos box ;-)

--

Enjoy.

"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

New SCCM 2007 Resources

It's been a while since I posted something, and I'll try to be more productive again in the next couple of weeks/months. This post is a summary of the newly available resources that I deem important. When I started this blog, I promised myself I would not be an announcement or a "me too" blog. By this I mean I didn't want to post things you could find on several other blogs; I never meant to be the only SCCM 2007 blog you read. But since enough new resources have surfaced in the past couple of weeks, I decided to publish them here and add some of my comments. One of the reasons I decided to do this was to have all these resources readily available on one page for my own use.

So here it comes.

Sccm 2007 Toolkit

The new Configuration Manager 2007 toolkit is live. The toolkit comes with the following tools:

  • Client Spy - A tool to help troubleshoot issues related to software distribution, inventory, and software metering on Configuration Manager 2007 clients.
    "This is the Advanced Client Spy you might know from the SMS 2003 Toolkit 2."
  • Policy Spy - A policy viewer to help review and troubleshoot the policy system on Configuration Manager 2007 clients.
    "Policy Spy is again a tool that was already available in the SMS 2003 Toolkit 2. It allows you to take a look at the content of the policies that a client has received. This is a GREAT troubleshooting resource, and a terrific tool if you want to do SCCM 2007 deep dives."
  • Trace32 - A log viewer that provides a way to easily view and monitor log files created and updated by Configuration Manager 2007 clients and servers.
    "The SCCM 2007 log viewer, and don't let anyone tell you otherwise! This beautiful gem makes those Configuration Manager logs really readable. Apart from making the logs more readable it also comes with a built-in error lookup tool that lets you convert error numbers to readable error messages. This error lookup tool accepts Win32 errors in decimal and hexadecimal (-2147024891 or 80070005) and network error numbers (53)."
  • Security Configuration Wizard Template for Configuration Manager 2007 - An attack-surface reduction tool for the Microsoft Windows Server 2003 operating system with Service Pack 1 and Service Pack 2 (SP1 and SP2) that determines the minimum functionality required for a server's role or roles, and disables functionality that is not required.
    "The template to lock your SCCM 2007 site systems air-tight."
  • DCM Model Verification - A tool used by desired configuration management content administrators for the validation and testing of configuration items and baselines authored externally from the Configuration Manager console.
    "DCM authoring assistant. I'll do a separate blog post on DCM in the near future; it wasn't my favorite feature in SMS 2003, where it was a feature pack, and I wasn't too thrilled with it becoming an integral part of the product. After some recent new things I learnt about it though, I guess I will have to change my mind."
  • DCM Digest Conversion - A tool used by desired configuration management content administrators to convert existing SMS 2003 Desired Configuration Management Solution templates to Desired Configuration Management 2007 configuration items.
    "For the few brave souls out there that decided to get their hands dirty using the DCM feature pack for SMS 2003."
  • DCM Substitution Variables - A tool used by desired configuration management content administrators for authoring desired configuration management configuration items that use chained setting and object discovery.
    "You know what, I don't know enough about DCM to understand what this does."

http://www.microsoft.com/downloads/details.aspx?FamilyID=948e477e-fd3b-4a09-9015-141683c7ad5f&DisplayLang=en

Configuration Packs

As mentioned in the description of the toolkit, I will do another post on DCM, but below you will find some configuration packs to use with DCM in SCCM 2007.

http://www.microsoft.com/technet/prodtechnol/scp/configmgr07.aspx

Microsoft Deployment

Microsoft Deployment has been released as well; this is the successor to the Business Desktop Deployment accelerator. A lot of the functionality that BDD had was rolled directly into SCCM 2007. According to me, the main reasons to use Microsoft Deployment in combination with Configuration Manager 2007 are the support for unknown "bare metal" computers, potentially the dynamic selection of the user state store depending on state size and available local storage, and a more flexible way to slipstream package installs after the image has been deployed.

Download details - Microsoft Deployment

SCCM 2007 Documentation

The Configuration Manager 2007 technical library has been updated with new content.

http://technet.microsoft.com/en-us/library/bb892811.aspx

SCCM 2007 Webcasts

There is a great bunch of Configuration Manager webcasts available, and quite a few new ones are planned for the near future.

http://www.microsoft.com/events/series/technetmms.aspx?tab=webcasts&id=42364#42364

SCCM 2007 Virtual Lab(s)

We only have one Configuration Manager virtual lab available for now, but I assume several new ones will be added over the next couple of months.

http://www.microsoft.com/events/series/technetmms.aspx?tab=virtuallabs

--

Enjoy

"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

Search Sccm 2007 docs using a Custom Internet Explorer 7 search provider

Following the instructions on how to better search the ConfigMgr 2007 documentation library, as described over at the SMS writers' blog, I created a search provider for my personal favourite search engine.

Add Live Search Sccm 2007 docs search provider

Oh, and for those of you that haven't adapted to this great new search engine just yet, I created one for this other old, small-scale search engine as well.

Add Google SCCM 2007 docs search provider

--

Enjoy.

"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

          Customize SCCM 2007 Admin console

          Hi all,

          Let's have a show of hands, how many of you like/love the new Configmgr 2007 aka SCCM 2007 admin console? You can lower your hands again now. But I can only assume that a lot of you waved enthusiastically, because the new console is a wonderful thing. 

           

          Let's have a quick overview of the new things I really like about the new console:

          • Search folders; Search folders are a great way to organize different objects (Packages, Advertisements, Update repository, boot Images, Computer associations, Os images, Os install packages, Task sequences, drivers, driver packages, Software Metering, Reports, Configuration Baselines, Configuration Items, Queries, Mobile Device mgmt\Configuration packages). This is going to make life a lot easier for people that try and keep their admin console organized.
          • Search bar; if your one of those people that does not really believe in keeping things organized but rather search through a pile of objects than you can do that to.
          • Sort actually works reliably; You can now sort on any field in the console, and will really sort it :-)
          • Drag & Drop; To help you in keeping things organized you can now drag & drop your items in the relevant folder, which beats the old Move folder items wizard, that I never found to be very intuitive.
          • Folders replicate down; Folders are replicated down the hierarchy, so if you do organize your items, they will still be in the same folders.
          • Homepages; Homepages give you a quick overview of the status of a certain feature if you select the root hive of that feature.
          • The direct membership wizard in collections finally defaults to system resources.

Now, one thing I don't like about the new console is that most of the wizards now come with a welcome page, and there is no button to disable it. I am all in favor of some decent hospitality, but I don't need to be welcomed over and over again. One of the most important features of the SCCM 2007 admin console though is that it is fully customizable and extendable. The ConfigMgr 2007 SDK, currently in beta, has some great info on how to extend the admin console with new functionality.

           

The console is also customizable because it stores a lot of its configuration in XML files. I took advantage of this fact: I collected all XML files that had the word wizard in their filename, searched through those to find the wizards that had a Welcome page, and then opened them up one by one and deleted the Welcome page from each wizard's XML file. The files that I adjusted are:

          clientpushinstallationwizard.xml
          copybootimagepackageswizard.xml
          copydevicepackageswizard.xml
          copydriverpackageswizard.xml
          copyosimagepackageswizard.xml
          copypackageswizard.xml
          copysoftwareupdatespackageswizard.xml
          databaseconnectionwizard.xml
          deletecollectionwizard.xml
          deleteprogramwizard.xml
          delsecsitewizard.xml
          devicedistributesoftwarewizard.xml
          directrulewizard.xml
          distributesoftwarewizard.xml
          distributionpointswizard.xml
          exportobjectswizard.xml
          importobjectswizard.xml
          osd_bootimagemanagedistributionpointswizard.xml
          osd_managedistributionpointswizard.xml
          osd_newdistributionpointswizard.xml
          osd_osinstallpackagescopywizard.xml
          repairsitewizard.xml

           

The files were then copied back into the C:\Program Files\Microsoft Configuration Manager\AdminUI\XmlStorage\Forms folder. Make sure you close the SCCM 2007 console before you copy these files.

           

          Warning - MAKE SURE YOU TAKE A BACKUP OF THE ORIGINAL XML FILES. The AUTHOR will not be held responsible for any issues that may occur as a result of using these steps to modify the Configmgr admin console!!!
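As an added example (not from the original post), the PowerShell below does the backup the warning asks for: it copies every wizard XML file out of the Forms folder together with a SHA-256 manifest, lists which wizard files mention a Welcome page, and afterwards tells you exactly which forms you changed, so a bad edit can be rolled back file by file. The Forms path is the default one from the post; the backup location under your profile is an assumption.

```powershell
# Added example (not from the original post): back up the console's wizard XML
# files with a hash manifest before editing them, list the wizards that mention a
# Welcome page, and afterwards show exactly which files changed. The Forms path is
# the default one from the post; the backup location is an assumption.
$Forms  = 'C:\Program Files\Microsoft Configuration Manager\AdminUI\XmlStorage\Forms'
$Backup = Join-Path $env:USERPROFILE ('AdminUI-Forms-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also works on hosts without Get-FileHash
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# The SCCM 2007 console is an MMC snap-in, so an open console means mmc.exe is running.
if (Get-Process -Name mmc -ErrorAction SilentlyContinue) {
    Write-Warning 'mmc.exe is running; close the Configuration Manager console before editing or copying forms.'
}

# 1. Back up every *wizard*.xml file and record its SHA-256.
New-Item -ItemType Directory -Path $Backup | Out-Null
$manifest = @()
Get-ChildItem -Path $Forms -Filter '*wizard*.xml' | ForEach-Object {
    Copy-Item -Path $_.FullName -Destination $Backup
    $manifest += ('{0}  {1}' -f (Get-Sha256Hex $_.FullName), $_.Name)
}
$manifest | Set-Content -Path (Join-Path $Backup 'manifest.sha256')
"Backed up $($manifest.Count) wizard files to $Backup"

# 2. Candidates for editing: wizard files whose XML mentions a Welcome page.
"Wizard files mentioning 'Welcome':"
Get-ChildItem -Path $Forms -Filter '*wizard*.xml' |
    Select-String -Pattern 'Welcome' -List |
    ForEach-Object { '  ' + $_.Filename }

# 3. Run after editing: report every form that no longer matches its backup hash.
function Compare-FormsToManifest([string]$BackupDir) {
    Get-Content -Path (Join-Path $BackupDir 'manifest.sha256') | ForEach-Object {
        $hash, $name = $_ -split '  '
        if ((Get-Sha256Hex (Join-Path $Forms $name)) -ne $hash) { "MODIFIED: $name" }
    }
}

# 4. Roll back: put the originals back from the backup folder (console closed!).
function Restore-Forms([string]$BackupDir) {
    Copy-Item -Path (Join-Path $BackupDir '*.xml') -Destination $Forms -Force
}
```

Run the script once before you start editing, then call Compare-FormsToManifest with the backup folder it printed to confirm only the files you meant to touch differ; Restore-Forms with the same folder undoes everything.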

           

          --

          Enjoy, and as usual you can find me in the Microsoft.public.sms.* newsgroups!


"Everyone is an expert at something"

          Kim Oppalfens - Sms Expert for lack of any other expertise
          Windows Server System MVP - SMS

Belgian Training market is on a Roll

          Hi All,

          Just last month I posted about our Unique Opsmanager 2007 training event that starts on Monday, (and which is fully booked).

And in about 2 weeks Belgium is hosting another special training event, with Andy Malone, about Windows Server 2008. Andy Malone is a Windows Server MVP and has 13 years of training experience. Other things worth mentioning about Andy: he delivered a session at Windows IT Pro Connections in Amsterdam about Windows Server 2008 Terminal Services, and last but not least Andy won the Speaker Idol at TechEd IT Forum in Barcelona, which means he is qualified to deliver a full session at TechEd IT Forum this year, where he will present a security deep dive into Windows Server 2008.

          So yet again, we have a Belgian event where you get to spend a full day, with one of those exceptional folks that deliver sessions for a couple of hundreds of people. So without further ado get over to the following pages to learn more about this event.

          Overview Page: http://www.globalknowledge.be/whats_new/new_courses/windows_server_2008.aspx

          Booking Page + Additional Details: http://www.globalknowledge.be/Default.aspx?page=461&coursecode=GKWS08

           

          Summary: The event will take place in Mechelen on the 26th of September, and will cost 395€.

          Please note that I only found out about this event recently, so this is pretty short notice. Number of seats is limited so act now.

PS: Our very own Bart de Smet won that same competition on the dev side of things. Bart is on his way to start working for Microsoft in Redmond, so he'll have to fly back over to claim his speaker slot. Have a nice trip Bart.

Posted: Sep 16 2007, 10:47 PM by kimoppalfens
          Figuring out the collectionid for Linked collections in SMS 2003.

This week someone in the newsgroups asked how to create a collection that excludes the members of another collection. The answer to that question is based on the knowledge that every collection you make in SMS or ConfigMgr 2007 aka SCCM creates its own WMI class. The class is named SMS_CM_RES_COLL_<CollectionID>.

          So the answer to the question becomes something like

          1) Create your collection

          2) Add a query based membership rule to your collection

          3) Edit the query statement of the collection

          4) On the criteria tab add a criteria

          5) For the attribute class select System Resource, and use Resource Id for the attribute

          6) For the criteria type use subselect

          7) For the operator select "Not In"

8) In the query box type: select ResourceId from SMS_CM_RES_COLL_<CollectionID>, replacing <CollectionID> with the ID of the collection whose members you want to exclude.

EDIT: Janne Mansnerus kindly pointed out that this didn't work: the original post specified the query as sms_cm_ress_coll_collectionid. In reality the class is called sms_cm_res_coll_collectionid, so res with a single s instead of ress.

           

This all works fine, with one difficulty to overcome: you need to figure out the collection ID, and that is not as easy as it could be, especially if you need the collection ID of a linked collection. That's why I have created a prompted query to easily find the collection ID based on the collection name. Here is how you create the query.

          1) Go to queries

          2) Right-click and select new query

          3) Make sure you specify <unspecified> in the Object type dialog.

          4) Press the Edit Query button

          5) Paste the following query in the Query statement box that opens up:

          select collectionid, name from sms_collection where name like ##PRM:SMS_collection.Name##

Note: You can use the _ and % wildcard characters when you input the collection name.

Note 2: This query is no longer necessary once you migrate to SCCM 2007; the new admin UI in ConfigMgr 2007 shows the collection ID on the properties page of every collection. The flexible approach of using SMS_CM_RES_COLL_<CollectionID> for building collections is still very valid though. This approach is usually used whenever someone is looking for the reverse of "collection limiting": excluding the members of one collection instead of limiting to them.
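As an added example (not part of the original post), the PowerShell below does the two things described above through the SMS Provider instead of the console: it runs the prompted query's WQL to resolve a collection ID from a (wildcarded) name, and it builds the complete membership query with the "Not In" sub-select from step 8. The provider host, site code and the collection name "All Laptops" are assumptions.

```powershell
# Added example (not from the original post): resolve a collection's ID from its
# name through the SMS Provider and build the "Not In" sub-select from step 8
# above. Provider host, site code and the collection name are assumptions.
$Provider  = 'smsprovider01'                 # assumption: host of the SMS Provider
$SiteCode  = 'ABC'                           # assumption: site code
$Namespace = "root\sms\site_$SiteCode"

function ConvertTo-WqlLiteral([string]$s) {
    # WQL string literals escape backslash and quote with a backslash
    "'" + ($s -replace '\\', '\\' -replace "'", "\'") + "'"
}

function Get-CollectionId([string]$NamePattern) {
    # Same query as the prompted query above; % and _ are the LIKE wildcards.
    $q = 'select CollectionID, Name from SMS_Collection where Name like ' + (ConvertTo-WqlLiteral $NamePattern)
    Get-WmiObject -ComputerName $Provider -Namespace $Namespace -Query $q |
        Select-Object CollectionID, Name
}

function New-ExclusionQuery([string]$ExcludeCollectionId) {
    # Each collection has its own membership class SMS_CM_RES_COLL_<CollectionID>.
    # The outer part is the query you paste into the membership rule; the
    # sub-select is the one from step 8.
    $class = "SMS_CM_RES_COLL_$ExcludeCollectionId"
    'select SMS_R_System.ResourceId, SMS_R_System.Name from SMS_R_System ' +
    "where SMS_R_System.ResourceId not in (select ResourceId from $class)"
}

# Usage: exclude everything that is in the collection whose name starts with "All Laptops".
$match = @(Get-CollectionId 'All Laptops%')
if ($match.Count -ne 1) { throw "Expected exactly one collection, found $($match.Count); narrow the pattern." }
$id  = $match[0].CollectionID
$wql = New-ExclusionQuery $id
$wql

# Sanity check: query the membership class so a typo in the ID fails here,
# not when you save the membership rule in the console.
try {
    $n = @(Get-WmiObject -ComputerName $Provider -Namespace $Namespace `
            -Query "select ResourceId from SMS_CM_RES_COLL_$id" -ErrorAction Stop).Count
    "SMS_CM_RES_COLL_$id currently has $n member(s)"
} catch {
    Write-Warning "Could not query SMS_CM_RES_COLL_$id on $Provider : $($_.Exception.Message)"
}
```

The account running this needs the same Read permission on the collections that the console would require; the membership class query is what the collection evaluator runs for you, so an empty result is also a hint that the excluded collection has never been evaluated.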

          --

          Enjoy, and as usual you can find me in the Microsoft.public.sms.* newsgroups!

"Everyone is an expert at something"

          Kim Oppalfens - Sms Expert for lack of any other expertise
          Windows Server System MVP - SMS

          Configmgr 2007 Rtm's / Configmgr 2009 Wishlist

          Hi all,

UPDATED: Removed DP decommission, this was apparently fixed from what I can see in my lab, great job.

As you have probably read on several blogs, ConfigMgr 2007 has RTM'ed in line with the publicly announced Summer 2007 release date. So in contrast with most products nowadays that have slipping release dates, ConfigMgr 2007 delivered right on time. They are even about a month early, well done.

          Bill, I assume this means the team can go on vacation till the 20th of september, right?

          You can read the official announcement here:

          http://myitforum.com/cs2/blogs/anderson/archive/2007/08/24/news-flash-system-center-configuration-manager-2007-has-left-the-building.aspx

          I'll leave it up to someone else to post about the importance of Microsoft using a blog to get the word of this release out.

          You can download the evaluation version here:

          http://technet.microsoft.com/en-us/configmgr/bb736730.aspx, and in contrast with previous versions the evaluation version will be fully upgradeable to the full version. General availability is expected early november.

Now that we have this ConfigMgr 2007 thingy out of the way, it is time to compile our ConfigMgr 2009 aka SMS v5 wishlists. Since the product team is on vacation till the 20th of September we have about a month to get early feedback in. So I'll get the ball rolling by publishing mine.

           

          Site Infrastructure:

          Multi-tenancy is on the top of my list here. The ability to host multiple customers on one single site. This requires a great deal of work, but would open up Configmgr 2007 to be used in a real hosting scenario. Stuff that probably needs to be taken care of, are "Site Wide Settings". Easier way of limiting reports to certain collections. Easier way of handling security on sms objects, possibly by using folder security and inheritance.

          A way to replicate between Configmgr Sites that does NOT require file sharing. Opening up the Firewall for filesharing usually creates big discussions with the security admins. Please give us an alternate way of connecting sites.

          Admin UI:

          Object backup & restore to aid in migrating.

          Right-click option, to trigger client actions, central way to configure client settings (Client cache size is just one example).

          Inventory:

          Inventory network devices would be a welcome addition here.

An easier way to add additional information to the inventory of an existing device. E.g. be able to add the warranty period by just adding it in Resource Explorer from within the admin console.

          Software distribution:

          Staggering advertisements/ Trickle feed collections, whatever else you want to call this. It is a way to load balance software distributions in a less administration-intensive way.

Postpone software distribution end-user option. This should look a lot like the options we have in ITMU v3, where users can postpone the installation of updates.

          Integrate with Vista's Presentation settings to avoid pop-ups and reboots when users are giving presentations.

Discovery:

          Some sort of discovery that can browse entire subnets to find devices without the device needing to have snmp enabled.

          An easier way to add devices manually into the Configmgr database.

          OSD:

          Allow Task sequences to run as local logged in user. Task sequences are invaluable for a lot of things, one of them being the ability to control which applications get installed in which order, they only have one limitation, they can only run as localsystem, this limitation has to go.

          DMFP:

          Windows Mobile 6.0 support needs to be added.

          DCM:

Either we change the acronym to Desired Configuration Monitoring, or we start making this actually be Desired Configuration Management. Additional template manifests to monitor SOX and other regulatory compliance would be HUGE.

          Agree with other Microsoft teams on which SDM/SML version should be used to make sure that these "Manifests" can be used in Configmgr/Opsmgr/Service Manager without any modifications.

          Reporting:

          Reporting needs to go the SQL Reporting Services route, for consistency with other Microsoft Products and for the added flexibility that SQL Reporting Services brings.

          Software Metering:

          Complete license management, which means at least the possibility to add the number of licenses you bought to the Config Mgr 2007 database. A way to store the License Keys in a secure fashion would be nice as well.

           

          That's it for now :-)

          --

          Enjoy

           

           

"Everyone is an expert at something"
          Kim Oppalfens - Sms Expert for lack of any other expertise
          Windows Server System MVP - SMS

          Planning your CRL Distribution Point for Configmgr 2007 Native mode

          Hi all,

           

Everyone that has ever done an SMS roll-out should know that planning is critical to the success of the project. One planning part that easily gets overlooked is planning some portions of the PKI infrastructure, and an important part of planning your PKI for ConfigMgr 2007 is planning the location of your Certificate Revocation List Distribution Point.

Let me start by sketching the problem. ConfigMgr 2007 native mode relies on certificates for client authentication. Certificate authentication is a very strong authentication method, but it comes with some things you should know about to use it properly. One of the things that works differently with certificate based authentication is how you stop a given identity from authenticating in the future. This might be necessary because you don't want the certificate of an end-of-life machine to be misused for communication purposes, or because the certificate was compromised. When you use user accounts you can just disable the account and you're done. With certificates you need to revoke the certificate AND publish that revocation in the Certificate Revocation List, and the revocation only takes effect for parties that can actually download that CRL.

If you use a default Windows Server 2003 PKI then the Certificate Revocation List is by default published in Active Directory and on the Certification Authority website, which is accessible to all authenticated users (which includes computer accounts). Now, these defaults are fine for internal clients, but they are not accessible in some instances. Internet-based clients for instance will not be able to access either of these CRL distribution points (CDPs). And they are not the only ones: clients in untrusted forests, workgroups, or even clients that boot from a ConfigMgr 2007 boot image will not be able to access these CDPs.

The reason why your CDPs need to be carefully planned is that the list of CDPs is actually part of the certificate. So once the certificate is rolled out, there is NO WAY to add another CDP to it without reissuing and redistributing all your certificates!

Clients that are not able to contact the CDP will fail to communicate if CRL checking is enabled, and will log the error WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED.

           

          Now, there are 2 fixes for this:

1) Disable Certificate Revocation List checking. You can do this from within the ConfigMgr 2007 console, on the Site Properties Site Mode tab, by clearing the Check Certificate Revocation List checkbox (the checkbox is only visible if your site is in native mode). This obviously is the easiest fix, but it means a revoked certificate keeps working until it expires, which lowers your PKI, client-certificate based security to an unacceptable level in my humble opinion, and by consequence is only fit for lab and demonstration purposes.

           

2) Publish your CDP and make sure it is accessible to workgroup, internet-based, and untrusted forest clients. This obviously is the proper way of handling this issue. Great, now how do we do that? Well, that could be food for another post. But since the folks over at isaserver.org already wrote an article about that, which continues into publishing the CDP with ISA Server 2004, I am not going to bother writing it up myself. I will just point you to this article: http://www.isaserver.org/tutorials/Publishing-Public-Key-Infrastructure-ISA-Server-2004-Part2.html.
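Because the CDP list is frozen into the certificate, the check worth doing before rollout is to read that list back out of an issued certificate and try every HTTP CDP from the places the post names (a workgroup machine, an internet-based client, a machine in an untrusted forest). The PowerShell below is an added example, not from the original post: it parses the CRL Distribution Points extension of a certificate file and reports which URLs answer anonymously. The certificate path is an assumption; any .cer exported from the client's LocalMachine\My store will do.

```powershell
# Added example (not from the original post): read the CRL Distribution Point URLs
# baked into a certificate and test whether each HTTP CDP answers from the machine
# you run this on. Run it from a workgroup, internet-based or untrusted-forest
# client before rollout, because once certificates are issued the CDP list cannot
# be changed. The certificate path is an assumption.
param([string]$CertPath = 'C:\temp\client.cer')   # assumption: an exported client certificate

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

function Get-CdpUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # 2.5.29.31 is id-ce-cRLDistributionPoints. .NET has no typed class for it, so
    # pull the URLs out of the extension's CryptoAPI-formatted text ("URL=...").
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpUrl([string]$Url, [int]$TimeoutMs = 5000) {
    $result = New-Object PSObject -Property @{ Url = $Url; Reachable = $false; Detail = '' }
    if ($Url -notmatch '^http://') {
        # ldap:// CDPs need a domain-joined client with a trust path; they are
        # exactly the ones a workgroup or internet client cannot use.
        $result.Detail = 'not HTTP; unusable from workgroup/internet clients'
        return $result
    }
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = $TimeoutMs
        $req.UseDefaultCredentials = $false      # anonymous, as an internet client would be
        $resp = $req.GetResponse()
        $len  = $resp.ContentLength
        $resp.Close()
        $result.Reachable = $true
        $result.Detail = "HTTP OK, $len bytes"
    } catch {
        $result.Detail = $_.Exception.Message    # DNS failure, timeout, 401/403/404 ...
    }
    $result
}

$urls = @(Get-CdpUrls $cert)
if ($urls.Count -eq 0) {
    Write-Warning "No CDP extension in $CertPath; revocation cannot be checked for this certificate at all"
}
$urls | ForEach-Object { Test-CdpUrl $_ } | Format-Table Url, Reachable, Detail -AutoSize
```

A CDP that only answers to authenticated users shows up here as a 401 rather than as reachable, which is the case the default CA website falls into. The built-in equivalent is certutil -verify -urlfetch client.cer, which also walks the chain and fetches every CDP and AIA URL; the script above is handy when you want the result from many network locations in one table.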

           

          --

          Enjoy

           

"Everyone is an expert at something"
          Kim Oppalfens - Sms Expert for lack of any other expertise
          Windows Server System MVP - SMS

          David, you'll be missed.

          http://blogs.technet.com/aralves/archive/2007/08/08/david.aspx

           

Posted: Aug 15 2007, 02:31 PM by kimoppalfens
          Unique Opsmgr 2007 training event (Belgium)

           


          <UPDATE>

Since the event was a huge success for all parties involved (the instructor received an 8.6 out of 9 average score), and because some people keep bugging me about a new date, we have decided to repeat this event once more. The new date is 8 to 11 January 2008.

          Register quickly as half this class is already filled by people on the waiting list from the previous event.

          </UPDATE>

           

          Hi all,

          I am very proud to be able to announce that we will be able to host a Unique Opsmgr 2007 training event in Belgium.

Is the average training not meeting the depth of technical content you need? Would you like to receive your training from someone who received the prestigious MVP Award? Wished you could receive training from someone who co-authored a book on the topic he is teaching? Are you looking for real 300 - 400 level training? Want training from a consultant with plenty of real-life experience? Ever wished you could receive training from the folks who gave those sessions at TechEd (US or Europe)? Here is your chance.

          What is being delivered?

          The first two days consist of OpsMgr 2007 Installation and Configuration (more info on the actual content of each day can be found on the link at the bottom of this page)

          The following two days consist of OpsMgr 2007 Fundamentals(more info on the actual content of each day can be found on the link at the bottom of this page)

          Who is delivering this?

          This course will be delivered by Rory McCaw, a multi-year Canadian MVP in the Operations Manager category. Rory co-authored "How to cheat at managing Microsoft Operations Manager 2005" published by Syngress publishing, and runs a popular Operations management blog at http://rorymccaw.spaces.live.com/.

          More info on Rory McCaw can be found here:

          https://mvp.support.microsoft.com/profile=69F2E866-098F-45AB-ABF1-4CD18FD7077A

          When will this take place?

          This unique 4day training event will take place from Monday the 17th of September till Thursday the 20th of September 2007.

Class runs from 9 AM till 5 PM, with a break before and after noon and a warm lunch at 12:00.

          Where Does it take place?

          This event will take place at the training facilities of the "John Cordier Academy" http://www.jcacademy.be

          John Cordier Academy
          Geldenaaksebaan 335
          B-3001 Leuven-Heverlee

          Belgium

          tel: +32 (0)16 38 28 18
          0800 92 818 (only for Belgium)
          fax: +32 16 40 02 54
          e-mail: info@jcacademy.be

          What is it going to cost?

The course will cost 2100 € (excl. VAT) for the 4 day training including a hot lunch.

          Where do I Sign up?

          More info about the event, and details on how to signup for this event can be found here:

          http://www.jcacademy.be/courses/_en/coursesheet.asp?language=EN&country=&course_id=697

           

          Please be advised that seats are limited and that there are currently no plans for repeating this event!

          "Everyone is an expert at something"
          Kim Oppalfens - Sms Expert for lack of any other expertise
          Windows Server System MVP - SMS

          Things you might want to know about the SCCM 2007 Fallback Status Point

          Function

          The Fallback Status Point is a new Site System role in Configmgr 2007 that serves 2 purposes.

          The initial goal of the Fallback Status Point is to serve as a contact point for Configmgr 2007 clients in native security mode that cannot contact their Management Point because of certificate problems. As we will see in Chapter X “Security and Network Access Protection” native mode requires https and client certificates for communication with the Management Point, Distribution Point, Software Update Point and the State Migration Point. This certificate requirement opens up a potential issue where a client’s certificate gets damaged, deleted or corrupted in one way or another essentially orphaning the client from the Configmgr 2007 infrastructure. The Fallback Status Point can be the lifeline for those clients as it will accept S.O.S. state messages from clients that need administrative assistance to get back in working order.

The second purpose of the Fallback Status Point is to allow monitoring the state of a client rollout from a central location, based on a set of ConfigMgr 2007 reports. Historically, previous versions of SMS had a blind spot during the client rollout. System administrators could analyze individual logs on the client side but didn't have a view of the entire installation process from a central location. This made follow-up during the client rollout stage of an SMS project fairly labor intensive. The lack of a central view made it difficult to detect clients that, for instance, started and potentially completed the installation but did not get assigned to an SMS site. The Fallback Status Point helps system administrators in a ConfigMgr 2007 environment avoid these problems: clients send one state message to their Fallback Status Point after successful installation and another after successful site assignment, giving you a detailed overview of your client rollout. This functionality obviously assumes that the client knows where to find its Fallback Status Point.

          A Configmgr 2007 client can find the Fallback Status Point by querying Active Directory or because a specific Fallback Status Point was defined during the installation.

As you might have concluded from the function description, the Fallback Status Point is not a mandatory Site System role. Although this role is not required, it is strongly advised to install one, and depending on your setup the need for one may be greater than in other setups. If you plan to use Internet Based Client Management or Native Security Mode, then having a Fallback Status Point is not a luxury.

          Type of network traffic

Because Fallback Status Points serve, amongst other things, as the lifeline for clients with certificate problems, and are most notorious for their function in an internet based scenario, it should come as no surprise that the communication protocol is plain HTTP: a client whose certificate is missing or broken cannot complete an HTTPS client-certificate handshake, so the Fallback Status Point must accept messages without one.

          Scalability & Availability

          Another interesting question is the placement of your Fallback Status Point(s). There are two approaches to this. The first one is to just put a Fallback Status Point in your Central Site at the top of your hierarchy. Given the fact that the amount of network traffic to the Fallback Status Point is fairly limited, and mainly happens during the initial client rollout, this approach is one approach that should work pretty well in most environments. Another approach that is worthwhile to investigate is to put Fallback Status Points in accordance with your administrative model. In other words, put a Fallback Status Point in every location where you have administrative personnel that will follow-up on client rollout and client health. This makes it easy for Site Administrators to keep an eye on their own environment’s client health and rollout.

          Note: The Fallback Status Point cannot be installed on a system that already has a Site System role installed that requires https for its communication protocol.

          The above note might influence your Fallback Status Point decision quite a bit. This obviously only impacts sites that operate in Native Security Mode, but you might still want to consider it in your designs to minimize the impact of security mode upgrades in the future. The reason that they cannot be co-located is that Configmgr 2007 installs all Site System roles in the same website. Configmgr 2007 has the option of installing in a different website than the default website, but this is a site wide setting, meaning that all Site Systems would then install their websites in this new “SMSWEB” website, which doesn’t solve our http/https problem. Although you could have separate virtual directories with different http/https settings this is generally not accepted as a good security practice. Conclusion, the Fallback Status Point is generally best installed on a machine separate from the Management Point, Software Update Point or Distribution Point which might increase the cost of having the Fallback Status Point locations based on your administrative model.

          Security

Because the Fallback Status Point is most important in internet based client management, and is most likely to be installed in a demilitarized zone, it deserves some extra security attention. The Fallback Status Point is the only Site System in Native Security Mode that allows anonymous HTTP connections to be made. Although all other Site Systems are fairly well protected using HTTPS and by requiring mutual authentication based on client certificates, the Fallback Status Point, because of its function, cannot have these stringent security requirements in place. This leaves the Fallback Status Point open for attack: anyone who can reach it can send it state messages.

To limit the impact of a potential attack, ConfigMgr 2007 offers two mitigations. The first one was covered in the configuration section: throttling the number of state messages you are willing to accept on this Fallback Status Point. The default settings are rather loose, but you can easily trim these numbers down to something that matches your environment. The second is to make sure that the firewall blocks all traffic initiated by the Fallback Status Point towards the intranet. By configuring the option Allow only site server initiated data transfers from this site system, as explained in the adding a Site System section, you make sure the Fallback Status Point operates in pull-only mode: the site server connects to it to collect the state messages, and it never needs to connect inbound itself. So even if the Fallback Status Point were compromised during an attack, it cannot be used as a jump host against the rest of the ConfigMgr 2007 infrastructure, provided the firewall actually enforces that direction. With these two precautions configured the Fallback Status Point becomes an uninteresting target for most attackers.
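The ConfigMgr setting only tells the site server which way to pull; the firewall is what makes the pull-only model hold when the Fallback Status Point is compromised. As an added example (not part of the original post), the PowerShell below is meant to be run on the FSP host itself and tries to open TCP connections to the intranet systems a jump host would go for: the site server, the SQL Server and a domain controller. Any target that reports OPEN is a firewall rule to fix. Host names and ports are assumptions; use your own, and use IP addresses if the DMZ has no internal DNS.

```powershell
# Added example (not from the original post): verify from the Fallback Status
# Point host that the firewall really blocks connections it initiates into the
# intranet, so "Allow only site server initiated data transfers" is backed by a
# firewall rule and not only by the ConfigMgr setting. Targets are assumptions.
$Targets = @(
    @{ Host = 'siteserver01.corp.example'; Port = 445  },   # SMB to the site server; it should pull from us, not the reverse
    @{ Host = 'sql01.corp.example';        Port = 1433 },   # site database
    @{ Host = 'dc01.corp.example';         Port = 389  }    # LDAP to a domain controller
)

function Test-TcpEgress([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # TcpClient with an explicit timeout, so a silently dropped SYN (the desired
    # firewall behaviour) shows up as 'blocked' instead of hanging the script.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'blocked (timeout)' }
        $client.EndConnect($ar)          # throws on an active refusal (RST)
        return 'OPEN'
    } catch {
        return "blocked ($($_.Exception.InnerException.Message))"
    } finally {
        $client.Close()
    }
}

$open = 0
foreach ($t in $Targets) {
    $state = Test-TcpEgress $t.Host $t.Port
    '{0,-30} {1,5}  {2}' -f $t.Host, $t.Port, $state
    if ($state -eq 'OPEN') { $open++ }
}
if ($open -gt 0) {
    Write-Warning "$open intranet port(s) reachable from this FSP; a compromised FSP could reach them too"
} else {
    'No intranet target reachable from this host: pull-only model is enforced by the firewall.'
}
```

A "blocked (timeout)" result is what a DROP rule looks like; "blocked (... actively refused ...)" means the packet reached the target host and was refused by it, which tells you the firewall let it through and only the service was closed. Both the site server pull and the firewall rule should be in place before the FSP goes into the DMZ.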

          Enjoy


          --
          "Everyone is an expert at something"
          Kim Oppalfens - Sms Expert for lack of any other expertise
          Windows Server System MVP - SMS
          http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

           

Posted: Jun 27 2007, 11:13 AM by kimoppalfens
          Sccm 2007 client agent deployment using Software updates

SCCM 2007 has a new client deployment method called software update point based client installation. The idea is to publish the SCCM 2007 client as a critical update, so, as the name says, it is installed from the software update point. Most of you will probably know that software update management in SCCM 2007 integrates with WSUS 3.0: SCCM 2007 relies on WSUS to synchronize the catalog and to scan clients, but that's food for another post.

          Why?

          Why does sccm 2007 require a new installation method? What was wrong with the previous installation methods we had in sms 2003? To be honest, not much, but they all had their drawbacks. Let's just have a look at each of the installation methods and their drawbacks before we continue and see what Software update point based installation has in store for us.

Manual installation: This installation method lacks automation and requires the end user to be a local administrator on the machine, which is obviously a big no-no security wise.

Login script installation: Suffers from the same security issue as manual installation and is by consequence a no-go.

Software distribution based installation: Good installation method, but this is often a chicken-or-egg problem: you already need to have a software distribution mechanism out there for this to work.

Client Push Installation (Wizard): Great installation method, but it has some requirements that could prove to be problematic in a really secure environment. It requires remote local admin privileges, which is usually fine. But it also requires remote registry access and access to the admin$ share. A secure environment should have file and print sharing disabled on desktops and laptops, or at the very least have them blocked by a personal firewall.

GPO based installation: Nice installation method with very modest requirements on the machine to be installed, but it suffers from its own drawbacks. The main problem with GPO based installation is that it is end-user driven: GPO software installation only happens at logon or after a restart, and both events normally only happen after the end user entered their user name and password or powered on the machine. If you have pesky users that just close their laptop lid in the evening and open it back up the next morning, then you're out of luck with GPOs. With today's more stable OSes like Windows XP and Windows Vista it could take a pretty long time before the machine actually gets rebooted on the LAN.

Software update based client installation: Superb installation method that mixes the benefits of GPO based installation with those of software distribution based installation. In other words it has pretty low requirements on the target machine, even lower than software distribution based installation, as it does not require a software distribution solution to be in place and doesn't require the target machine to be in Active Directory (you'll need a different way than ADM templates to set the registry keys though). On top of that it offers a schedule based installation, which eliminates the end-user initiated drawback of GPOs. By the way, if you install a newer version of the SCCM 2007 beta or install a service pack after RTM, you will be able to update your publication so that you can use this method to easily upgrade your existing install base to the new version.

          How?

          How do you get this to work? Remarkably easy actually.

           

           STEP 1 Configure the Windows Update agent GPO:

          1. Open a GPO
          2. Go to Computer configuration\Windows Components\Windows Update
3. Configure the Configure Automatic Updates option, set it to auto download and schedule the install
          4. Choose your own schedule
          5. Configure the Specify intranet microsoft update service location
          6. Configure both options with the value http://Wsusserver

          STEP 2 Import the SCCM-2007 adm template:

          Download the adm template to configure SCCM 2007 client installation command line parameters http://www.blogcastrepository.com/files/folders/documents/entry15469.aspx

          1. Open a GPO
          2. In Computer Configuration Right-click on Administrative templates
          3. Browse to the SCCM-2007 adm template and add it.
          4. Go to Computer configuration\Windows Components\SCCM 2007\Software Update point client installation
          5. Configure the command line with the parameters you want.

          STEP 3 Publish the SCCM 2007 client (As documented in the SCCM 2007 help file)

          To publish the Configuration Manager 2007 client to the WSUS server:

          1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Client Installation Methods.

          2. Right-click Software Update Point Client Installation, and click Properties.

          3. To enable client installation, select the Enable Software Update Point Client Installation check box.

          4. If the client software on the Configuration Manager 2007 site server is newer than that stored on the software update point, the Upgrade Client Package Version dialog box will open. You should click Yes in this dialog box to publish the most recent version of the client software to the software update point.

          5. To finish configuring the software update point client installation, click OK.
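The post notes that machines outside Active Directory never receive the STEP 1 GPO and need another way to get the same registry values. The script below is an added example, not code from the original post or from Microsoft: it writes the Windows Update agent policy values that the "Configure Automatic Updates" and "Specify intranet Microsoft update service location" settings would write, then reads them back and flags anything that would stop the client from reaching your WSUS server on the schedule you chose. The server name wsusserver is a placeholder.

```powershell
# Added example (not from the original post): set and verify the Windows Update
# agent policy values from STEP 1 on a machine that does not receive the GPO.
# Assumptions: 'http://wsusserver' is a placeholder for your WSUS server, and the
# daily 03:00 install schedule is just an example; pick your own values.

$WsusUrl   = 'http://wsusserver'   # the post uses plain http; if your WSUS server offers https, use it
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Set-WsusClientPolicy {
    param(
        [string]$ServerUrl,
        [int]$InstallDay  = 0,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$InstallHour = 3    # 0-23, local time
    )
    foreach ($key in $PolicyKey, $AuKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # "Specify intranet Microsoft update service location": both fields get the same URL (STEP 1, item 6)
    Set-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $ServerUrl
    Set-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $ServerUrl
    # "Configure Automatic Updates": AUOptions 4 = auto download and schedule the install (STEP 1, item 3)
    Set-ItemProperty -Path $AuKey -Name 'UseWUServer'          -Value 1            -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'NoAutoUpdate'         -Value 0            -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'AUOptions'            -Value 4            -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'ScheduledInstallDay'  -Value $InstallDay  -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'ScheduledInstallTime' -Value $InstallHour -Type DWord
}

function Test-WsusClientPolicy {
    # Read the values back and report anything that does not match what STEP 1 requires.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    $findings = @()
    if (-not $wu -or -not $wu.WUServer -or $wu.WUServer -ne $wu.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer are missing or differ'
    }
    if ($wu -and $wu.WUServer -notmatch '^https://') {
        $findings += "WUServer '$($wu.WUServer)' is not https: the update traffic is unauthenticated on the wire"
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the agent will talk to Microsoft Update, not your WSUS server'
    }
    if (-not $au -or $au.AUOptions -ne 4) {
        $findings += 'AUOptions is not 4: installs will not run on a schedule, so the client will not be installed unattended'
    }
    if ($findings.Count -eq 0) { 'OK: Windows Update agent policy matches STEP 1' } else { $findings }
}

Set-WsusClientPolicy -ServerUrl $WsusUrl -InstallDay 0 -InstallHour 3
Test-WsusClientPolicy
# The agent only re-reads policy on a restart of the service.
Restart-Service -Name wuauserv
```

The check deliberately reports plain http as a finding: the post's value works, but the client then trusts whatever answers at that name, so if your WSUS server has a certificate, point both values at https instead. The command-line parameters from the STEP 2 template are also registry values, but their key comes from the template you downloaded, so check the adm file rather than this script for that part.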

           

          Enjoy


          --
          "Everyone is an expert at something"
          Kim Oppalfens - Sms Expert for lack of any other expertise
          Windows Server System MVP - SMS
          http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

           

          Posted: May 19 2007, 12:21 AM by kimoppalfens | with 6 comment(s)
          Prepare your Environment for Running sms 2003 - Active Directory Part1

          Today we'll continue preparing, or rather start cleaning up, our Active Directory environment to make implementing and running Sms 2003 as smooth as possible. Sms 2003 introduced a bit of Active Directory integration. Not as much as some people hoped, but there is a certain degree of interaction. In other words, having your Active Directory environment sanitized goes a long way in managing SMS 2003. Today we are going to start cleaning up the Active Directory environment to make our Sms 2003 discovery process as happy as a fish in the water.

          Dns Scavenging

          Before we dive into our cleaning process there is something you should know about active directory system discovery. Cathy Moya from the Sms Product documentation team describes it quite well in Cathy's Fine Faq: http://www.microsoft.com/technet/sms/2003/library/techfaq/default.mspx.

          "Active Directory System Discovery will create a DDR for a resource only if it can resolve the name to the IP address by using DNS. If a valid DNS entry does not exist for a computer, SMS does not discover the computer but does create a status message stating there were errors for that computer. You might see these computers referred to as bogus in adsysdis.log."

          We are going to take advantage of this little fact to prevent dead weight in Active Directory from making it into our Sms database. What does DNS scavenging do? Well, it deletes stale resource records. Ever since Windows 2000 the Windows operating systems have supported a feature called Dynamic DNS, which means the clients dynamically register themselves in DNS. Unfortunately unregistering doesn't always work that well, amongst other things because clients leave the network without shutting down. (Don't you hate those badly behaving end-users?)

          So by enabling DNS scavenging you will delete those stale resource records. Net result: Sms 2003 will no longer discover these resources, so they will no longer clog your Sms 2003 database, not to mention that they will no longer bring your software distribution success rates down in your reports.

          For those of you looking to get started, you enable DNS scavenging in the properties of your DNS zone. Right-click the zone and on the Aging tab enable the Scavenge stale resource records option, and while you're at it configure the scavenging process to run daily instead of weekly by executing dnscmd /config /scavenginginterval 24 (the interval is in hours).
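Scavenging deletes records, so it pays to see what will go before switching it on. The script below is an added example and not part of the original post: it lists the dynamic A records in a zone that are already older than the zone's no-refresh plus refresh window (the records the first scavenging run would remove), then enables aging on the zone and sets the daily server-wide interval the post recommends. It assumes the DnsServer PowerShell module that ships with Windows Server 2012 and later, which postdates the post; the zone name corp.example.com is a placeholder.

```powershell
# Added example (not from the original post): preview stale records, then enable
# zone aging and a daily scavenging interval.
# Assumptions: DnsServer module available (Windows Server 2012+), run on the DNS
# server; 'corp.example.com' is a placeholder zone name.
Import-Module DnsServer
$Zone = 'corp.example.com'

function Get-StaleDnsRecord {
    param([string]$ZoneName)
    $aging = Get-DnsServerZoneAging -Name $ZoneName
    # A dynamic record becomes eligible for scavenging once its timestamp is older
    # than NoRefreshInterval + RefreshInterval (7 + 7 days by default).
    $cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        # Static records carry no timestamp and are never scavenged, so they are skipped here.
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
}

function Enable-DailyScavenging {
    param([string]$ZoneName)
    # Zone level: the "Scavenge stale resource records" checkbox on the Aging tab.
    Set-DnsServerZoneAging -Name $ZoneName -Aging $true
    # Server level: same effect as dnscmd /config /scavenginginterval 24.
    Set-DnsServerScavenging -ScavengingInterval (New-TimeSpan -Hours 24)
}

$stale = @(Get-StaleDnsRecord -ZoneName $Zone)
"$($stale.Count) stale A record(s) in $Zone would be removed by the next scavenging run:"
$stale | Format-Table -AutoSize
# Review that list before enabling: a machine that is merely switched off for longer
# than the refresh window is deleted too, and re-registers on its next boot.
Enable-DailyScavenging -ZoneName $Zone
```

Run the preview part on its own first. If the list contains servers or printers you expect to keep, give them static records (no timestamp) rather than excluding the zone from scavenging.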

           My next post will be about eliminating those dreaded 5503 status messages in Active Directory user and Active Directory System group discovery.

           Enjoy.


          Posted: May 14 2007, 02:15 PM by kimoppalfens | with 3 comment(s)
          Prepare your environment for running SMS 2003 - Schema

          Warning 

           

          It is advised to follow the procedure below before any schema modifications are made, not just the SMS 2003 schema extensions. There are no known issues in making the SMS 2003 schema extensions.

          This being said, keep in mind that

          1) Every forest only has 1 Schema partition.

          2) There is no such thing as an AUTHORITATIVE RESTORE for the schema partition.

          These two things combined spell disaster if something goes wrong with the schema extension process and the broken schema gets replicated to all DCs.

          If this happens you have two options

          1) Hire a Microsoft PSS consultant to help clean up your Active Directory schema mess

          2) Restore a backup of the Active Directory on All domain controllers in the Forest. All domain controllers have to be disconnected from the network during this recovery.

          Neither of these seems really appealing to me.

           

          Proper Procedure

          1. Locate the server that is the schema master
            1. In a command prompt type regsvr32 schmmgmt.dll (You should get a message that the dll was registered successfully)
            2. Type mmc, and add the Active Directory Schema snap-in
            3. Right Click Active Directory Schema and select Operations Masters
            4. Take note of the current Schema master
          2. Back up the schema master.
          3. Disconnect the schema master from the network and do not reestablish the connection until the end of this procedure. (This means physically removing the cable; do not just disable the network interface, since some of the tools used later in the procedure require a functional TCP/IP stack.)
          4. On the schema master, insert the SMS 2003 SP2 Setup CD in the CD-ROM drive.
          5. Open a command prompt, change to the CD-ROM drive, and change to the \SMSSETUP\BIN\I386 folder on the CD.
          6. On the schema master, at the command prompt, type Extadsch.exe
          7. After the preceding command has finished on the schema master, confirm that the preparation of the forest was successful. Review %SystemDrive%\ExtAdSch.log
          8. Evaluate the information you gathered in the previous step and choose accordingly:
            1. If extadsch.exe ran without errors, reconnect the schema master to the network and continue with the next step of this procedure.
            2. If extadsch.exe ran but error messages provided instructions for additional steps to take, follow the instructions and then return to the confirmation process described in the previous step.
            3. If extadsch.exe did not run successfully, restore the schema master from backup and investigate the corrective steps necessary so that extadsch.exe can be run successfully.

          Important Note: Extending the Schema will trigger a FULL Global Catalog Synchronization between Windows 2000 Global catalog servers. Windows 2003 Global Catalog servers will use delta replication.
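Steps 1, 3 and 7 of the procedure are checks that are easy to get wrong by eye (running extadsch on the wrong DC, or only disabling the NIC). The script below is an added example and not part of the original post or of the SMS setup media: it locates the schema master through the fSMORoleOwner attribute of the schema partition and compares it with the local host, confirms no adapter is still connected, and reads %SystemDrive%\ExtAdSch.log for the result. The exact wording of the success line in ExtAdSch.log is an assumption, so compare it against a real log before trusting the verdict; the path to the setup CD is a placeholder.

```powershell
# Added example (not from the original post): scripted versions of the schema
# master check (step 1), the disconnect check (step 3) and the log review (step 7).
# Assumptions: uses only ADSI and WMI so it runs on an older DC; 'D:\' is a
# placeholder CD-ROM drive; the success string in the log is assumed wording.
$ExtAdSch = 'D:\SMSSETUP\BIN\I386\Extadsch.exe'
$LogPath  = Join-Path $env:SystemDrive 'ExtAdSch.log'

function Test-IsSchemaMaster {
    # The schema partition's fSMORoleOwner points at the NTDS Settings object of the
    # role holder; its parent is the server object, which carries dNSHostName.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $ntds    = [ADSI]"LDAP://$($schema.fSMORoleOwner)"
    $server  = $ntds.psbase.Parent
    $master  = [string]$server.dNSHostName
    $local   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    New-Object PSObject -Property @{
        SchemaMaster   = $master
        ThisHost       = $local
        IsSchemaMaster = ($master -ieq $local)
    }
}

function Test-NetworkDisconnected {
    # NetConnectionStatus 2 = "Connected". Pulling the cable clears it; disabling the
    # NIC also clears it but breaks the TCP/IP stack the tools need, as the post warns.
    $connected = @(Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionStatus -eq 2 })
    $connected.Count -eq 0
}

function Get-ExtAdSchResult {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        return New-Object PSObject -Property @{ Success = $false; Errors = @('no log written: extadsch did not run') }
    }
    $log = @(Get-Content -Path $Path)
    $ok  = @($log -match 'Successfully extended the Active Directory schema')   # assumed success wording
    $err = @($log -match 'fail|error')
    New-Object PSObject -Property @{
        Success = ($ok.Count -gt 0 -and $err.Count -eq 0)
        Errors  = $err    # non-empty: follow the instructions in these lines, then re-check (step 8, option 2)
    }
}

$where = Test-IsSchemaMaster
if (-not $where.IsSchemaMaster) { throw "Run this on the schema master $($where.SchemaMaster), not on $($where.ThisHost)" }
if (-not (Test-NetworkDisconnected)) { throw 'An adapter is still connected: unplug the cable before running extadsch' }
& $ExtAdSch
Get-ExtAdSchResult -Path $LogPath
```

The two throw lines are the point of the script: they refuse to run extadsch unless the preconditions that make a failed extension recoverable (right server, no replication possible) actually hold.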

           Enjoy.

          Prepare your Environment for Running sms 2003 - Active Directory Part2

          Are you tired of seeing your Active directory system group and active directory user discovery in error all of the time?

          Is your status filled with messages like:

          SMS Active Directory System Group Discovery Agent reported errors for X objects. DDR's were generated for Y objects that had errors while reading non-critical properties. DDR's were not generated for Z objects that had errors while reading critical properties.

          Do you see the following messages in adsysgrp.log and adusrdis.log:

          Could not get property (memberOf) for system XXXXXXXX or

          Could not get property (memberOf) for user XXXXXXXX

          Then read on, I'll explain what is happening and more importantly what you can do about it.

           Explaining the Issue (Logs and status messages)

          The status message is telling you that it can't read a critical property of a user or computer object. It also suggests that this might be a security or replication issue, or that the property might not be available, all suggestions which you have probably verified already. The log files actually tell you which property couldn't be read: it is the memberOf property, which contains the group memberships for users and computers.

          This memberOf property in Active Directory contains all groups you are a member of, with the exception of your primary group, which is stored in the primaryGroupID attribute instead. The issue you are seeing is because the SMS 2003 discovery methods cannot handle an empty memberOf attribute. To be technically accurate, they can't distinguish between an empty and an unreadable memberOf attribute.

          As you might have deduced from the information above, the issue you are seeing is because you have users and/or computers in your discovery scope that are only a member of a single group, their primary group. The fix is easy enough: just add all such users and computers to a dummy group to make sure the memberOf attribute is no longer empty. The rest of this article will show you the necessary steps to identify which users and/or computers have an empty memberOf attribute.

          Query Users with Empty Memberof attribute (Requires Active Directory 2003)

          Open Active Directory Users & Computers

          Open Saved queries

          Right-click and select new query

          Type in a name for the query

          Click Define Query

          In the Find list box select Custom Search

          Click the Field button, select User and then Member Of

          In the condition list box select Not Present, click Add and Ok twice.

           Query Computers with Empty Memberof attribute (Requires Active Directory 2003)

          Open Active Directory Users & Computers

          Open Saved queries

          Right-click and select new query

          Type in a name for the query

          Click Define Query

          In the Find list box select Custom Search

          Click the Advanced tab and type in the following query:

          (&(&(objectCategory=computer)(!memberOf=*)))

          Add Users to a group to avoid discovery issue

          Create a group called GG_Sms2003dummyusersgroup (or another name that is in line with your naming convention).

          Multi select the users you found in the previous query and add them to the GG_Sms2003dummyusersgroup

          Multi select the computers you found in the previous query and add them to the GG_Sms2003dummycomputersgroup

          Add Computers to a group to avoid discovery issue

          Create a group called GG_Sms2003dummycomputersgroup (or another name that is in line with your naming convention).

          In the view menu select Users, Groups and computers as containers

          Make sure you open up the + signs so that you can see the group you created in the tree pane.

          Go back to the results of your query, multi-select all the results and drag them into the group in the tree pane.

          You should see a box stating the Add to group operation was successfully completed.
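The two saved queries and the drag-and-drop steps above can be done in one go from PowerShell. The script below is an added example and not part of the original post: it runs the same two LDAP filters through System.DirectoryServices (so it works without the ActiveDirectory module), reports how many users and computers have an empty memberOf, and adds them to the two dummy groups, skipping objects that are already members. The group distinguished names are placeholders; the run is in preview mode until you drop -WhatIf.

```powershell
# Added example (not from the original post): find users and computers with an empty
# memberOf attribute and add them to the dummy groups from the post.
# Assumptions: group DNs below are placeholders; the account running this can
# write the "member" attribute of those two groups.
$UserGroupDn     = 'CN=GG_Sms2003dummyusersgroup,OU=Groups,DC=corp,DC=example,DC=com'
$ComputerGroupDn = 'CN=GG_Sms2003dummycomputersgroup,OU=Groups,DC=corp,DC=example,DC=com'

function Find-ObjectsWithEmptyMemberOf {
    param([ValidateSet('user', 'computer')][string]$Kind)
    # Same filters as the saved queries in the post. (!memberOf=*) is accepted by the AD
    # parser, but (!(memberOf=*)) is the RFC 4515 spelling that every LDAP client accepts.
    $filter = switch ($Kind) {
        'user'     { '(&(objectCategory=person)(objectClass=user)(!(memberOf=*)))' }
        'computer' { '(&(objectCategory=computer)(!(memberOf=*)))' }
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000      # paged search: the default server limit would cut results off at 1000
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name = [string]$r.Properties['samaccountname'][0]
            DN   = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function Add-ToDummyGroup {
    param([string]$GroupDn, [object[]]$Members, [switch]$WhatIf)
    $group    = [ADSI]"LDAP://$GroupDn"
    $existing = @($group.member)            # current members, so a re-run is idempotent
    foreach ($m in $Members) {
        if ($existing -contains $m.DN) { continue }
        if ($WhatIf) { "Would add $($m.Name) to $GroupDn"; continue }
        $group.Add("LDAP://$($m.DN)")       # IADsGroup.Add commits immediately, no SetInfo needed
    }
}

$users     = @(Find-ObjectsWithEmptyMemberOf -Kind user)
$computers = @(Find-ObjectsWithEmptyMemberOf -Kind computer)
"$($users.Count) user(s) and $($computers.Count) computer(s) have an empty memberOf attribute"
Add-ToDummyGroup -GroupDn $UserGroupDn     -Members $users     -WhatIf   # remove -WhatIf to apply
Add-ToDummyGroup -GroupDn $ComputerGroupDn -Members $computers -WhatIf
```

Two things worth keeping in mind when you schedule this: the dummy groups end up containing nearly every account in the domain, so never grant them any rights or permissions, and the filters also return disabled accounts, which is what you want, since discovery reads those too.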

           

          Enjoy



           

           

          Posted: Apr 25 2007, 06:02 PM by kimoppalfens | with 4 comment(s)
          Branch dp's could make sms admins and firewall admins friends again

          Sccm 2007 has a brand new feature called branch distribution points. The best-known fact about this feature is that it functions as a distribution point that is supported on any of the operating systems that can run an SCCM 2007 client. In other words it is supported to run a branch office distribution point on Windows 2000 Professional SP4 as well as on Windows XP Professional SP1. This little fact has meant that the feature was quite immediately compared to another 3rd party product that has been providing us with "branch dp's" since sms 2.0, 1E's SMS Nomad Branch. And as others have already pointed out, SMS Nomad Branch still has some things available that branch office dp's don't offer. Most importantly the 1E solution for specifying a "branch dp" is dynamic: you as an sms administrator don't have to designate a branch dp, as it is automagically selected by an election process, which means you don't have to leave one machine up and running 24x7 in every branch.

          A rather less stressed fact about SCCM 2007 branch dp's though is that the type of network traffic from a standard dp (as this is where branch dp's get their packages from) to a branch dp is no longer the good old file sharing SMB traffic. SCCM 2007 branch dp's pull their content from the standard dp over HTTP using BITS. This little gem, according to my personal beliefs, might mean that branch dp's in SCCM 2007 could be incredibly useful.

          In SMS 2003 my advice for "branch dp's" used to be: don't use them. Sms 2003 only supported distribution points on a server OS, so consequently my advice used to be to install a secondary site instead. Sms 2003 distribution points received their packages from the site server in an unscheduled, unthrottled, uncompressed format. Now that all this has been taken care of, an SCCM 2007 branch dp might actually make sense. They even make perfect sense if you keep my traffic remark in paragraph 2 in mind. One of the downsides/problems I have with secondary sites in SMS 2003 is the fact that they rely on SMB traffic, which makes for annoying discussions with the security/firewall team about opening up the file sharing ports. These ports are used for quite a bit more, and because of some historically annoying exploits, most firewall admins are fairly reluctant to open these up.

          Net result of this all is that, with what I know now, my advice might shift to using branch dp's on a server OS in the larger sites and a branch dp on a desktop OS for the smaller sites. I hope this brushes up my relationship with the security team, as I might need to rely on them for helping me set up the PKI that I need to run in native mode, which in turn I need to get internet based client management rolled out.

          Enjoy.


           

          Posted: Apr 24 2007, 05:56 PM by kimoppalfens | with 3 comment(s)
          Adding a group to the local administrators group

          Systems management products often require you to be an administrator on several machines. Sms 2003 and SCCM 2007 are no different in this respect. Microsoft's systems management product requires administrative privileges on the servers to roll them out as site systems, and on the clients (depending on your client installation method) to push out the client successfully.

          Combined with the best practice security principle of "least privilege", this means creating a group that allows you to easily achieve this permission level without having to be a domain administrator. You could create a restricted group in group policies for the Administrators group and add the members you want to it, but this overwrites all current memberships of the Administrators group with the new members you have configured in the GPO. This might be fine on your site servers, where you know exactly what needs to be in there. But in large environments and on your desktop machines this could become cumbersome.

          Microsoft has updated the restricted group behaviour in Windows 2000 SP4, and has issued a fix for Windows XP SP1, to make the "Member Of" portion of restricted groups more usable. This allows you to create a GPO for a group, and add that group to the local Administrators group of any machine applying the GPO. It may not be entirely Sms or SCCM related, but I find it is one of these things I do often during my initial installation steps at customer sites, so I think it is a worthwhile topic for a first blog entry.

          Step-by-step guide

          1) Create 2 groups (I usually use gg_desktopadmins and gg_serveradmins)

          2) Create 2 GPOs (one to add members on the desktops/laptops and one for the servers; apply the GPOs to the relevant OUs later).

          3) Edit the desktop admins gpo

          4) Right-click computer configuration\windows settings\restricted groups and select add group

          5) Browse for your newly created group, and click OK a few times.

          6) Double click the group in the details pane

          7) In the Member Of section of the dialog box that opens, type administrators in the box and press OK a couple of times again.

          8) Apply the GPO to a test OU.

          9) Log into a machine that is a member of the test ou

          10) open a dos box and type net localgroup administrators and review the administrators group membership

          11) Run gpupdate /force (if it is an XP or 2003 machine, or the secedit command if it is an old 2000 machine)

          12) Run net localgroup administrators again and if all is well you should see your new group has become a member of the administrators group leaving the old memberships intact.

           More information can be found here: http://support.microsoft.com/kb/810076

          Note that if you mix restricted groups with the Members property and the Member Of property, the results are unpredictable, since there is no way of knowing which section will get processed first.
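Steps 10 to 12 are a before-and-after comparison done by eye. The script below is an added example and not part of the original post or of KB 810076: it snapshots the local Administrators group through the WinNT provider (available on Windows 2000 and later without extra modules), refreshes policy with gpupdate or secedit depending on the OS, and then reports what was added and what was removed. A non-empty Removed list is the signature of a GPO that used the Members section (which replaces the whole list) instead of Member Of. CORP\gg_desktopadmins is a placeholder for the group your GPO adds.

```powershell
# Added example (not from the original post): verify that the restricted groups
# GPO added the new group to local Administrators without wiping existing members.
# Assumption: 'CORP\gg_desktopadmins' is a placeholder for DOMAIN\group in your GPO.
$ExpectedGroup = 'CORP\gg_desktopadmins'

function Get-LocalAdminMember {
    # Returns members as DOMAIN\name (or MACHINE\name for local accounts).
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)   # e.g. WinNT://CORP/gg_desktopadmins
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Update-LocalPolicy {
    # Step 11: gpupdate on XP/2003 and later, secedit on Windows 2000 (version 5.0).
    $ver = [System.Environment]::OSVersion.Version
    if ($ver.Major -eq 5 -and $ver.Minor -eq 0) {
        secedit /refreshpolicy machine_policy /enforce | Out-Null
    } else {
        gpupdate /target:computer /force | Out-Null
    }
}

function Compare-LocalAdminMembership {
    param([string[]]$Before, [string[]]$After, [string]$Expected)
    $removed = @($Before | Where-Object { $After  -notcontains $_ })
    $added   = @($After  | Where-Object { $Before -notcontains $_ })
    New-Object PSObject -Property @{
        ExpectedGroupPresent = ($After -contains $Expected)
        Added                = $added
        # Anything listed here means existing memberships were overwritten:
        # the GPO is using "Members" rather than "Member Of", or mixes both.
        Removed              = $removed
    }
}

$before = @(Get-LocalAdminMember)   # step 10
Update-LocalPolicy                  # step 11
$after  = @(Get-LocalAdminMember)   # step 12
Compare-LocalAdminMembership -Before $before -After $after -Expected $ExpectedGroup
```

Run it on a machine in the test OU, as the post describes. The same snapshot function is also a cheap periodic check on servers: a member that appears in Added outside a change window is worth a look, since local Administrators is exactly the group you were trying to keep small with the least privilege remark above.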

           Enjoy.
