Friday 12 September 2008

Capturing OSD/Task Sequence logs

I've often banged my head on the desk as for the 5th time in a row a task sequence has failed when I've got back to check on it without really letting me know why.

I surfed straight into this little beauty of a post the other day so I thought I'd stick it up on here for reference.

Thanks to Steve Rachui for taking the time to blog this on his site:
http://blogs.msdn.com/steverac/archive/2008/07/15/capturing-logs-during-failed-task-sequence-execution.aspx

SCCM Right-Click-Tools

I find these right click addons invaluable and also an easy starting point if you want to add your own by dissecting the XML it creates for them.

Computers not seen in 60 Days

I found this post by Matthew Hudson over on his blog but it didn't seem to like the SMS_R_System.ResourceType bit of the SQL so I'm posting the SQL snippet I use.

It's a handy little bit to have for identifying those potential AWOL systems.

select SMS_R_System.ResourceId, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier,
       SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_WORKSTATION_STATUS
    on SMS_G_System_WORKSTATION_STATUS.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_WORKSTATION_STATUS.LastHardwareScan <= DateAdd(dd,-60,GetDate())

SCOM & SCCM Integration

Got talking to Rob the other day about SCOM & SCCM integration and I must say that I am fairly disappointed that Microsoft didn't put more effort into making these two products work more closely together.

In saying that, I put the idea to Rob to create a SCOM task that would spawn a browser and bring up the SCCM client details web report of the selected item in SCOM.

After a slight issue with spaces it's now in and working really well.

You can find it on Rob's blog post here.

Asset Logging

Since we have a revenue stream based on the number of assets out there I set about thinking how we could utilise SCCM to collect data to make the charging/asset logging process more efficient and accurate.

Since our charging is split amongst the different directorates and departments I couldn't just do a count of numbers or I wouldn't be blogging it here ;)

We needed a way to assign a device to a directorate/department and report against that detail.

After popping upstairs to see our resident developers for 5 minutes I returned to my desk with a nice shiny .Net application that needed pushing out to the masses ASAP.

What the dev guy came up with (Thanks Paul!) was a rather nice .Net app that simply popped up on screen and gave the end user two controlled selection lists based off our structure for Directorate and Department with a free form text field for them to populate the section as these tend to differ wildly.

Once this information had been gathered the app simply dumped it out into a registry key... somewhere I knew SCCM could scavenge it from :)

A quick sms_def.mof edit later:

//----------------------------------------------------
// ICT Asset Logger
//----------------------------------------------------
[ SMS_Report (TRUE),
  SMS_Group_Name ("ICTAudit"),
  SMS_Class_ID ("NELCICT-Asset-Audit1.0") ]
Class ICTAudit : SMS_Class_Template
{
    [SMS_Report (TRUE), key]
    string KeyName;
    [SMS_Report (TRUE)]
    string Department;
    [SMS_Report (TRUE)]
    string Directorate;
    [SMS_Report (TRUE)]
    string Section;
    [SMS_Report (TRUE)]
    string LastUpdate;
    [SMS_Report (TRUE)]
    string LoggedBy;
};

And then a configuration.mof edit:

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("ICTAudit", NOFAIL)

// Data class populated by the registry property provider
[DYNPROPS]
class ICTAudit
{
    [key]
    string KeyName;
    string Department;
    string Directorate;
    string Section;
    string LastUpdate;
    string LoggedBy;
};

// PropertyContext format is "local|<registry key>|<value name>"
[DYNPROPS]
instance of ICTAudit
{
    KeyName="ICTAuditLogger";
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|Department"),Dynamic,Provider("RegPropProv")] Department;
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|Directorate"),Dynamic,Provider("RegPropProv")] Directorate;
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|Section"),Dynamic,Provider("RegPropProv")] Section;
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|LastUpdate"),Dynamic,Provider("RegPropProv")] LastUpdate;
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|LoggedBy"),Dynamic,Provider("RegPropProv")] LoggedBy;
};

This now allows us to run a modified Summary of Computers report with these additional fields added so that we can report to finance the exact number of devices per directorate and sit back while watching the money roll in!
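
A client-side check for the setup above, added here as an example and not part of the original post: it compares what the logger app wrote to the registry with what the ICTAudit WMI class exposes to hardware inventory. The function name Test-IctAuditInventory is hypothetical, and the key path assumes the PropertyContext strings are read as key HKLM\Software\NELC\ICTAuditLogger with one value per property.

```powershell
# Added example. Assumes configuration.mof has already been compiled on this client
# and that the logger app writes its values under the key below.
function Test-IctAuditInventory {
    param(
        [string]$Path = 'HKLM:\Software\NELC\ICTAuditLogger',
        [string[]]$Names = @('Department', 'Directorate', 'Section', 'LastUpdate', 'LoggedBy')
    )

    if (-not (Test-Path -Path $Path)) {
        throw "Registry key $Path not found; has the logger app run on this machine?"
    }
    $reg = Get-ItemProperty -Path $Path

    # The class only exists once the configuration.mof edit has reached the client.
    $wmi = Get-CimInstance -Namespace 'root/cimv2' -ClassName 'ICTAudit' -ErrorAction Stop |
           Where-Object { $_.KeyName -eq 'ICTAuditLogger' }
    if (-not $wmi) { throw 'No ICTAudit instance with KeyName ICTAuditLogger.' }

    foreach ($name in $Names) {
        $regValue = $reg.$name   # $null when the value is missing from the key
        $wmiValue = $wmi.$name   # what hardware inventory will pick up
        [pscustomobject]@{
            Field    = $name
            Registry = $regValue
            Wmi      = $wmiValue
            Match    = ($regValue -eq $wmiValue)
            Empty    = [string]::IsNullOrEmpty($regValue)
        }
    }
}

# One row per inventoried field; a row with Match = False or Empty = True
# means the report will show something other than what the user entered.
Test-IctAuditInventory | Format-Table Field, Registry, Wmi, Match, Empty -AutoSize
```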

Forcibly remove a site

I got into a situation a while back where our primary site became corrupted and we didn't have a backup for some reason.

We tried uninstalling the site and re-installing and while it fixed the primary site problems it badly messed up the syncing with the central site.

In the end we followed the process below:
  1. Revert the primary site to a central site
  2. On the Central Site run:
    Preinst /delsite SiteCode ParentSite
    Preinst /deljob SiteCode
  3. On the old Primary site run:
    Preinst /deljob SiteCode
  4. Convert the old Primary site back to a primary site with the Central as its parent
  5. Run Preinst /keyforchild on the central site and copy to \inboxes\hman.box
  6. Run Preinst /keyforparent on the primary site and copy to \inboxes\hman.box
  7. Run Preinst /Syncchild:SiteCode on the Central Site
  8. Run Preinst /syncparent on the primary site

This thankfully brought our sites back to life.

SCCM across UNTRUSTED Forests

Before I type anything more I must warn you that the following article is against Microsoft's published best practices, as it breaches administrative boundaries which should end within a forest.

But that's not to say it can't be done ;)

We had a case here where we wanted to deliver managed public Internet in various locations (both existing corporate buildings and new purpose built locations).

When designing the solution it was decided to create an entirely new domain to help keep things separate and secure from the corporate side of the business.

The problem came about when I came along and decided that ICT needed to have the same amount of remote administration benefits over it as SCCM had given us on the corporate side.

I'm sure that it would have been much simpler had we been in native mode, but since we aren't I had to tackle it from a Mixed Mode perspective.

First step was to install a new Primary site within the domain/forest that needed managing which is the same as installing SCCM for the first time and the DB was split off to a separate shared SQL box again.

Once the new site is installed and running I needed to give both sites some way to trust each other, as each forest's AD schema has been extended but because there is no trust they don't know about each other's presence or have a security trust.

For this I used the Preinst command to export the site keys.

To manually transfer the Public Forest Primary site public key to the Corporate Central site
  1. While logged on to the Primary site, open a command prompt and navigate to the location of Preinst.exe. (Microsoft Configuration Manager\bin\i386\00000409)
  2. Run the following command to export the Primary site’s public key: Preinst /keyforparent
  3. The Preinst /keyforparent command places the public key of the Primary site in the .CT4 file located at the root of the system drive.
  4. Move the .CT4 file to the Central site's \inboxes\hman.box directory.

To manually transfer the Corporate Central site public key to the Public Forest Primary site

  1. While logged on to the Central site, open a command prompt and navigate to the location of Preinst.exe. (Microsoft Configuration Manager\bin\i386\00000409)
  2. Run the following command to export the Central site’s public key: Preinst /keyforchild.
  3. The Preinst /keyforchild command places the public key of the Central site in the .CT5 file located at the root of the system drive.
  4. Move the .CT5 file to Primary site’s \inboxes\hman.box directory.
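
The two transfers above as a script, added here as an example and not taken from the original post. Because the key file is carried by hand between forests that do not trust each other, the example adds a SHA-256 comparison before the file is moved into hman.box; that check is an addition, not part of the procedure as written. The function and parameter names (Export-SiteKey, Import-SiteKey, PreinstDir, HmanBox) are hypothetical; the same export commands appear in steps 5 and 6 of the site removal procedure earlier on the page.

```powershell
# Added example. Run Export-SiteKey on the exporting site server and
# Import-SiteKey on the receiving one, after copying the key file across by hand.
function Export-SiteKey {
    param(
        [Parameter(Mandatory)][string]$PreinstDir,   # folder that holds Preinst.exe
        [Parameter(Mandatory)][ValidateSet('keyforparent', 'keyforchild')][string]$Mode
    )
    $started = Get-Date
    & (Join-Path $PreinstDir 'Preinst.exe') "/$Mode"

    # /keyforparent writes a .CT4 file and /keyforchild a .CT5 file,
    # both at the root of the system drive.
    $ext = if ($Mode -eq 'keyforparent') { '*.CT4' } else { '*.CT5' }
    $key = Get-ChildItem -Path "$env:SystemDrive\" -Filter $ext |
           Where-Object { $_.LastWriteTime -ge $started } |
           Sort-Object LastWriteTime -Descending |
           Select-Object -First 1
    if (-not $key) { throw "Preinst /$Mode did not write a new $ext file" }

    # Pass the hash to the receiving admin separately from the file itself.
    [pscustomobject]@{
        Path   = $key.FullName
        Sha256 = (Get-FileHash -Path $key.FullName -Algorithm SHA256).Hash
    }
}

function Import-SiteKey {
    param(
        [Parameter(Mandatory)][string]$KeyFile,         # the copied .CT4 or .CT5 file
        [Parameter(Mandatory)][string]$ExpectedSha256,  # hash reported by the exporting side
        [Parameter(Mandatory)][string]$HmanBox          # this site's ...\inboxes\hman.box folder
    )
    $actual = (Get-FileHash -Path $KeyFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        throw "Hash mismatch for $KeyFile; not moving it into hman.box"
    }
    Move-Item -Path $KeyFile -Destination $HmanBox
}
```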

Once that was done accounts were created on both domains/forests for the sender accounts that are required and then addresses created and pointed at each site.

  • Central site contains sender address pointing down at Primary site using account created on public domain/forest
  • Primary site contains sender address pointing up at Central site using account created on corporate domain/forest

Final thing to do was, on the Public forest SCCM server, to go through the console and expand Site Management. Right click on the site and choose properties. Click set parent site, choose the Central Corporate site... and you're done!

Thursday 11 September 2008

What does SCOM think when you remove a drive?

We ran out of space on one of our old (And I do stress the old part) data servers the other day so we took the chance to add a LUN on the SAN and migrate the data across. To make things simple for us we just stopped the server service and juggled the old and new drive letters around and then removed the old partition.

SCOM didn't seem to like this however as the open alert then demonstrated:


Logical Disk Free Space is low
Alert Description
Source:
\\?\Volume{8c740691-15ff-11d8-9b0b-505054503030}
The disk \\?\Volume{8c740691-15ff-11d8-9b0b-505054503030} on computer xxx.xx.xx is running out of disk space. The values that exceeded the threshold are 0% free space and 73 free Mbytes.
Path:
xxx.xx.xx\\\?\Volume{8c740691-15ff-11d8-9b0b-505054503030}
Alert Monitor:
Logical Disk Free Space
Created:
09/09/2008 11:45:38


I'm sure that alert used to say F:\ :)

SMSMap - Helping to conquer boring documentation

I've always been one of them people that go out of their way to spend time to find tools that help automate documentation as it's the least glamorous part of implementing systems.

One of the best tools I've found for helping document SCCM deployments is a tool by Jeff Tondt.

It allows for easy Visio documentation of sites like this:



You can find the application here: http://www.tondtware.com

Many thanks to Jeff Tondt for giving me permission to post his site link in my blog.

Server Performance

Just to pick up on the point I mentioned below on the performance of our central site running under VMWare.

As it stands at the moment with all our 3000 devices reporting into this one server we're seeing the following averages showing up in the performance charts over the last week:

CPU: 202Mhz
Memory: 239Mb
Disk: 73.97 KBps
Network: 60.83KBps

So this server has the following roles:
Site Server
SLP
MP
DMP
SUP
AI Sync Point

So I was worried about it consuming all the resources of our virtual infrastructure and it turns out to be nowhere near as hungry as some of our other servers!

Site Layout

We're not an overly large organisation (around 3000 end user devices and about 180 servers) but we are quite spread out over the regional area with some 46 different sites.

Luckily we are fairly well connected with the majority of our network links being 10Mb, 100Mb or 1Gb.

Microsoft's recommendation of best practice is to use the smallest number of sites as possible so I decided in the end to go with one central site and just add Distribution Points or Branch DP's as needed during the implementation.

Another decision I had to make was whether to go with physical hardware or go against Microsoft's official advice and virtualise it.

Well I kind of went half way.

I decided to put the Central Site server on our VMware ESX 3 Infrastructure and locate the site database on our physical shared corporate SQL server.

I was sceptical when looking at the recommended specs if it would handle it but I have to say I'm really surprised at just how well it does perform.

Since doing this Microsoft have changed their policy on virtualisation support (which isn't surprising since Hyper-V has been released now) so as long as the problem can be replicated it's now a supported design.

SCCM Planning

Damn, I wish someone had given me more time to do this.

For all those of you who are starting to think about putting SCCM in, or are about to, and are like me an install, configure and plan as you go guy: STOP!

System Center products are some of the few applications I wouldn't ever ever attempt again to install into a production environment without FULL planning and testing.

Before you even pick up the CD head over to SCCM Documentation Library and start pulling the workflows and other associated information down.

Top level items that MUST be considered/planned for if nothing else:
  1. Active Directory Schema extension. This is a no brainer in my opinion. If you have AD and a very good reason for not extending the schema then get planning for when you can do it. The benefits it brings do help with a slicker deployment of SCCM.
  2. Native mode vs Mixed mode. A new feature in SCCM for those familiar with SMS. I don't think I fully understood the full extent of what Native mode brought to the table when I first looked at it and I saw it more as being a required element to get Internet based clients working.
    Do the research on this subject to make your decision as it also brings little things such as PXE boot OSD's not needing the client records merging. But it needs the most configuration out of all the SCCM features, but not within SCCM. Confused? I was. It's down to SCCM's heavy reliance on a PKI infrastructure. If you haven't got that in place then that's another entire project to plan that out first.
  3. Central, Primary, Secondary, Child Primary... Try to plan out from the start how you would like your SCCM design to look and build it with that in mind. You'll need to consider how many domains, sites, organisation boundaries and maybe even countries (but this blog isn't aimed at that high a level).
  4. Client deployment. Sounds simple but it's an important one. Decide from the start how you are going to achieve client deployment as I can assure you that as soon as you have your first site up and running you'll be itching to get clients installed and to start playing with them ;)
    Deciding how you're going to achieve this will get it running so much sooner.

I could go on and I'll probably come back every now and then and revise, add or clarify bits but this to me is the very very very bare minimum amount of planning you should do just to get it into a test lab. If you tried putting SCCM into a live environment with only just this amount of planning then it's most likely to fail, or you're just very very lucky.

Last thing... Get it installed in a test lab. Even if that means rigging 3+ virtual servers up on a machine, do it. Just make sure it's an isolated environment so you can play with it to death and test out various solutions knowing you're not going to take your business down while you have fun.

Start

Right, a bit more of a delay than I had hoped for but the dreadful thing called work has been getting in the way a lot recently.

Hi all and welcome.

I'm not entirely sure anymore how I'm going to structure this blog, so bear with me as a random scattering of thoughts starts to hit the virtual paper.

I'll more than likely use this corner of the web to dump out design ideas, problems and solutions of my real world implementation with various bits anonymised for security reasons but feel free to get some insight into how a real world implementation of SCCM and SCOM happens and progresses.

Quick thing to mention on the SCOM side of things. Parts I mention are probably covered in much more detail over on http://msopsmgr.blogspot.com/ by my resident SCOM wielding maniac, I mean professional ;) (Sorry Rob!)