A collection of thoughts and resources for Microsoft System Center products and the Private Cloud.
Friday 12 September 2008
Capturing OSD/Task Sequence logs
I surfed straight into this little beauty of a post the other day so I thought I'd stick it up on here for reference.
Thanks to Steve Rachui for taking the time to blog this on his site:
http://blogs.msdn.com/steverac/archive/2008/07/15/capturing-logs-during-failed-task-sequence-execution.aspx
SCCM Right-Click-Tools
Computers not seen in 60 Days
It's a handy little bit to have for identifying those potential AWOL systems.
select SMS_R_System.ResourceId, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_WORKSTATION_STATUS.LastHardwareScan <= DateAdd(dd,-60,GetDate())
SCOM & SCCM Integration
In saying that, I put the idea to Rob to create a SCOM task that would spawn a browser and bring up the SCCM client details web report of the selected item in SCOM.
After a slight issue with spaces it's now in and working really well.
You can find it on Rob's blog post here.
Asset Logging
Since our charging is split amongst the different directorates and departments I couldn't just do a count of numbers or I wouldn't be blogging it here ;)
We needed a way to assign a device to a directorate/department and report against that detail.
After popping upstairs to see our resident developers for 5 minutes I returned to my desk with a nice shiny .Net application that needed pushing out to the masses ASAP.
What the dev guy came up with (Thanks Paul!) was a rather nice .Net app that simply popped up on screen and gave the end user two controlled selection lists based off our structure for Directorate and Department with a free form text field for them to populate the section as these tend to differ wildly.
Once this information had been gathered the app simply dumped it out into a registry key... somewhere I knew SCCM could scavenge it from :)
A quick sms_def.mof edit later:
//----------------------------------------------------
// ICT Asset Logger
//----------------------------------------------------
[ SMS_Report (TRUE),
  SMS_Group_Name ("ICTAudit"),
  SMS_Class_ID ("NELCICT-Asset-Audit1.0") ]
Class ICTAudit : SMS_Class_Template
{
    [SMS_Report (TRUE), key]
    string KeyName;
    [SMS_Report (TRUE)]
    string Department;
    [SMS_Report (TRUE)]
    string Directorate;
    [SMS_Report (TRUE)]
    string Section;
    [SMS_Report (TRUE)]
    string LastUpdate;
    [SMS_Report (TRUE)]
    string LoggedBy;
};
And then a configuration.mof edit:
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("ICTAudit", NOFAIL)

// Data class that the registry property provider fills in on each client
[DYNPROPS]
class ICTAudit
{
    [key]
    string KeyName;
    string Department;
    string Directorate;
    string Section;
    string LastUpdate;
    string LoggedBy;
};

// One instance; each property is read from a value under the ICTAuditLogger key.
// PropertyContext format for RegPropProv: "local|<registry key>|<value name>"
[DYNPROPS]
instance of ICTAudit
{
    KeyName="ICTAuditLogger";
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|Department"),Dynamic,Provider("RegPropProv")] Department;
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|Directorate"),Dynamic,Provider("RegPropProv")] Directorate;
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|Section"),Dynamic,Provider("RegPropProv")] Section;
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|LastUpdate"),Dynamic,Provider("RegPropProv")] LastUpdate;
    [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\NELC\\ICTAuditLogger|LoggedBy"),Dynamic,Provider("RegPropProv")] LoggedBy;
};
This now allows us to run a modified Summary of Computers report with these additional fields added so that we can report to finance the exact number of devices per directorate and sit back while watching the money roll in!
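A client-side check that the configuration.mof mapping works before relying on the report, as an added example that is not part of the original post. It assumes the logger writes its values under HKLM\Software\NELC\ICTAuditLogger and that the ICTAudit class lives in root\cimv2 as declared above; the function name is hypothetical.

```powershell
# Added example: confirm that the ICTAudit WMI instance mirrors the registry
# values that configuration.mof maps through RegPropProv.
# Run in an elevated PowerShell session on a client that has the logger data.

function Test-IctAuditMapping {
    param(
        # Assumed key path, taken from the PropertyContext entries in the MOF
        [string]$KeyPath = 'HKLM:\Software\NELC\ICTAuditLogger',
        [string[]]$Properties = @('Department', 'Directorate', 'Section', 'LastUpdate', 'LoggedBy')
    )

    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key $KeyPath not found; the asset logger has not written data on this machine."
    }
    $reg = Get-ItemProperty -Path $KeyPath

    # Throws "Invalid class" if configuration.mof has not been compiled on this client
    $wmi = Get-WmiObject -Namespace 'root\cimv2' -Class 'ICTAudit' -ErrorAction Stop |
        Where-Object { $_.KeyName -eq 'ICTAuditLogger' }
    if (-not $wmi) {
        throw 'ICTAudit class exists but has no ICTAuditLogger instance.'
    }

    foreach ($name in $Properties) {
        $regValue = $reg.$name   # $null when the value is missing from the key
        $wmiValue = $wmi.$name   # $null when RegPropProv could not resolve the mapping
        New-Object PSObject -Property @{
            Property = $name
            Registry = $regValue
            Wmi      = $wmiValue
            Match    = ($null -ne $regValue) -and ($regValue -eq $wmiValue)
        }
    }
}

# Any row with Match = False points at a missing value or a broken PropertyContext
Test-IctAuditMapping | Format-Table Property, Registry, Wmi, Match -AutoSize
```

If the logger is a 32-bit process on 64-bit Windows, its writes to HKLM\Software are redirected to Wow6432Node, and both the registry read and the WMI read here would come back empty.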
Forcibly remove a site
We tried uninstalling the site and re-installing and while it fixed the primary site problems it badly messed up the syncing with the central site.
In the end we followed the process below:
- Revert the primary site to a central site
- On the Central Site run:
Preinst /delsite SiteCode ParentSite
Preinst /deljob SiteCode
- On the old Primary site run:
Preinst /deljob SiteCode
- Convert the old Primary site back to a primary site with the Central as its parent
- Run Preinst /keyforchild on the central site and copy to \inboxes\hman.box
- Run Preinst /keyforparent on the primary site and copy to \inboxes\hman.box
- Run Preinst /Syncchild:SiteCode on the Central Site
- Run Preinst /syncparent on the primary site
This thankfully brought our sites back to life.
SCCM across UNTRUSTED Forests
But that's not to say it can't be done ;)
We had a case here where we wanted to deliver managed public Internet in various locations (both existing corporate buildings and new purpose built locations).
When designing the solution it was decided to create an entirely new domain to help keep things separate and secure from the corporate side of the business.
The problem came about when I came along and decided that ICT needed to have the same amount of remote administration benefits over it as SCCM had given us on the corporate side.
I'm sure that it would have been much simpler had we been in native mode, but since we aren't I had to tackle it from a Mixed Mode perspective.
First step was to install a new Primary site within the domain/forest that needed managing which is the same as installing SCCM for the first time and the DB was split off to a separate shared SQL box again.
Once the new site was installed and running I needed to give both sites some way to trust each other, as each forest's AD schema has been extended but, because there is no trust, they don't know about each other's presence or have a security trust.
For this I used the Preinst command to export the site keys.
To manually transfer the Public Forest Primary site public key to the Corporate Central site
- While logged on to the Primary site, open a command prompt and navigate to the location of Preinst.exe. (Microsoft Configuration Manager\bin\i386\00000409)
- Run the following command to export the Primary site’s public key: Preinst /keyforparent
- The Preinst /keyforparent command places the public key of the Primary site in the .CT4 file located at the root of the system drive.
- Move the .CT4 file to the Central site's \inboxes\hman.box directory.
To manually transfer the Corporate Central site public key to the Public Forest Primary site
- While logged on to the Central site, open a command prompt and navigate to the location of Preinst.exe. (Microsoft Configuration Manager\bin\i386\00000409)
- Run the following command to export the Central site’s public key: Preinst /keyforchild.
- The Preinst /keyforchild command places the public key of the Central site in the .CT5 file located at the root of the system drive.
- Move the .CT5 file to the Primary site’s \inboxes\hman.box directory.
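Because the two forests share no trust, the key files are carried by hand, so it is worth confirming that the file dropped into hman.box is the one Preinst exported. The following is an added example, not part of the original post; the function names, the staging path and the file name placeholders are assumptions, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example: record the hash of a Preinst-exported key file on the source
# site server, then verify the staged copy on the destination before it is
# placed in hman.box. All paths below are placeholders.

# Step 1, on the exporting site server, after Preinst /keyforparent or /keyforchild
function Get-SiteKeyHash {
    param([Parameter(Mandatory = $true)][string]$KeyFile)
    (Get-FileHash -LiteralPath $KeyFile -Algorithm SHA256).Hash
}

# Step 2, on the receiving site server: verify first, copy only on a match
function Install-SiteKey {
    param(
        [Parameter(Mandatory = $true)][string]$StagedKeyFile,   # copy carried across from the other forest
        [Parameter(Mandatory = $true)][string]$ExpectedSha256,  # value recorded in step 1
        [Parameter(Mandatory = $true)][string]$HmanInbox        # this site's ...\inboxes\hman.box
    )

    $ext = (Get-Item -LiteralPath $StagedKeyFile -ErrorAction Stop).Extension
    if ($ext -notin '.CT4', '.CT5') {
        throw "Unexpected file type '$ext'; expected a .CT4 or .CT5 key file."
    }

    $actual = (Get-FileHash -LiteralPath $StagedKeyFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        throw "Hash mismatch: expected $ExpectedSha256 but got $actual. File not copied."
    }

    if (-not (Test-Path -LiteralPath $HmanInbox -PathType Container)) {
        throw "Inbox directory not found: $HmanInbox"
    }

    Copy-Item -LiteralPath $StagedKeyFile -Destination $HmanInbox -ErrorAction Stop
    "Verified and copied $(Split-Path -Path $StagedKeyFile -Leaf) to $HmanInbox"
}

# Usage with placeholder values:
#   $hash = Get-SiteKeyHash -KeyFile 'C:\<name>.CT4'                      # on the Primary site
#   Install-SiteKey -StagedKeyFile 'D:\staging\<name>.CT4' `
#       -ExpectedSha256 $hash -HmanInbox '<install dir>\inboxes\hman.box' # on the Central site
```

Pass the recorded hash to the other side through a different channel from the one that carries the file.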
Once that was done accounts were created on both domains/forests for the sender accounts that are required and then addresses created and pointed at each site.
- Central site contains sender address pointing down at Primary site using account created on public domain/forest
- Primary site contains sender address pointing up at Central site using account created on corporate domain/forest
The final thing to do was to go through the console on the Public forest SCCM server and expand Site Management. Right click on the site and choose properties. Click set parent site, choose the Central Corporate site... and you're done!
Thursday 11 September 2008
What does SCOM think when you remove a drive?
SCOM didn't seem to like this however as the open alert then demonstrated:
Logical Disk Free Space is low
Alert Description
Source:
\\?\Volume{8c740691-15ff-11d8-9b0b-505054503030}
The disk \\?\Volume{8c740691-15ff-11d8-9b0b-505054503030} on computer xxx.xx.xx is running out of disk space. The values that exceeded the threshold are 0% free space and 73 free Mbytes.
Path:
xxx.xx.xx\\\?\Volume{8c740691-15ff-11d8-9b0b-505054503030}
Alert Monitor:
Logical Disk Free Space
Created:
09/09/2008 11:45:38
I'm sure that alert used to say F:\ :)
SMSMap - Helping to conquer boring documentation
One of the best tools I've found for helping document SCCM deployments is a tool by Jeff Tondt.
It allows for easy Visio documentation of sites like this:
You can find the application here: http://www.tondtware.com
Many thanks to Jeff Tondt for giving me permission to post his site link in my blog.
Server Performance
As it stands at the moment with all our 3000 devices reporting into this one server we're seeing the following averages showing up in the performance charts over the last week:
CPU: 202Mhz
Memory: 239Mb
Disk: 73.97 KBps
Network: 60.83KBps
So this server has the following roles:
Site Server
SLP
MP
DMP
SUP
AI Sync Point
So I was worried about it consuming all the resources of our virtual infrastructure and it turns out to be nowhere near as hungry as some of our other servers!
Site Layout
Luckily we are fairly well connected, with the majority of our network links being 10Mb, 100Mb or 1Gb.
Microsoft's recommendation of best practice is to use as few sites as possible, so I decided in the end to go with one central site and just add Distribution Points or Branch DPs as needed during the implementation.
Another decision I had to make was whether to go with physical hardware or go against Microsoft's official advice and virtualise it.
Well I kind of went half way.
I decided to put the Central Site server on our VMware ESX 3 Infrastructure and locate the site database on our physical shared corporate SQL server.
I was sceptical when looking at the recommended specs if it would handle it but I have to say I'm really surprised at just how well it does perform.
Since doing this Microsoft have changed their policy on virtualisation support (which isn't surprising since Hyper-V has been released now) so as long as the problem can be replicated it's now a supported design.
SCCM Planning
For all those of you who are starting to think about putting SCCM in, or are about to, and are like me an install, configure and plan-as-you-go guy: STOP!
System Center products are some of the few applications I wouldn't ever ever attempt again to install into a production environment without FULL planning and testing.
Before you even pick up the CD head over to SCCM Documentation Library and start pulling the workflows and other associated information down.
Top level items that MUST be considered/planned for if nothing else:
- Active Directory Schema extension. This is a no brainer in my opinion. If you have AD and very good reason for not extending the schema then get planning for when you can do it. The benefits it brings do help with a slicker deployment of SCCM.
- Native mode vs Mixed mode. A new feature in SCCM for those familiar with SMS. I don't think I fully understood the full extent of what Native mode brought to the table when I first looked at it and I saw it more as being a required element to get Internet based clients working.
Do the research on this subject to make your decision as it also brings little things such as PXE boot OSDs not needing the client records merging. But it needs the most configuration out of all the SCCM features, but not within SCCM. Confused? I was. It's down to SCCM's heavy reliance on a PKI infrastructure. If you haven't got that in place then that's another entire project to plan out first.
- Central, Primary, Secondary, Child Primary....... Try to plan out from the start how you would like your SCCM design to look and build it with that in mind. You'll need to consider how many domains, sites, organisation boundaries and maybe even countries (but this blog isn't aimed at that high a level).
- Client deployment. Sounds simple but it's an important one. Decide from the start how you are going to achieve client deployment as I can assure you that as soon as you have your first site up and running you'll be itching to get clients installed and to start playing with them ;)
Deciding how you're going to achieve this will get it running so much sooner.
Last thing..... Get it installed in a test lab. Even if that means rigging 3+ virtual servers up on a machine, do it. Just make sure it's an isolated environment so you can play with it to death and test out various solutions knowing you're not going to take your business down while you have fun.
Start
Hi all and welcome.
I'm not entirely sure anymore how I'm going to structure this blog, so bear with me as a random scattering of thoughts starts to hit the virtual paper.
I'll more than likely use this corner of the web to dump out design ideas, problems and solutions of my real world implementation, with various bits anonymised for security reasons, but feel free to get some insight into how a real world implementation of SCCM and SCOM happens and progresses.
Quick thing to mention on the SCOM side of things. Parts I mention are probably covered in much more detail over on http://msopsmgr.blogspot.com/ by my resident SCOM wielding maniac, I mean professional ;) (Sorry Rob!)
Thursday 14 August 2008
The Start of the Quest
The blog will mainly cover Microsoft Systems Centre Configuration Manager 2007 as this is where my expertise lies, but will have the odd smattering of Operations Manager, Mobile Device Manager and the other Systems Centre products from time to time.
Welcome, and I look forward to putting my often scattered thoughts down in pixels for the community to pick to shreds and from time to time find useful.
SB