Monthly Archives: April 2012

SCOM 2012, Operations console does not open and gives SDK service error

This is going to be a quick post: I got a strange error message on my SCOM server today.
I tried opening the console; it would try to open for a couple of minutes (it’s a VM, so it takes some time) and then it stops and just hangs.

And I got this error message appearing in the console: “the data access service is either not running”
I opened up services.msc and saw that the service was actually running.

I saw in the event log under Operations Manager that it had trouble connecting to the SQL server (which is a physical server that resides in another room; it turned out it wasn’t connected). After attaching it back to the LAN, the console started.

Not the most informative error message, so be sure to check that the management server (MS) has access to the SQL server before you start to debug.
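
The same triage as a script, as an added example (not part of the original post): service state, the latest errors in the Operations Manager event log, then network and login reachability of SQL from the management server. The SQL host name, port 1433 and the database name OperationsManager are assumed values; OMSDK is the service name of the System Center Data Access Service.

```powershell
# Added example: run on the SCOM management server.
# Assumed values below; replace with your own SQL host, port and database.
$SqlServer = 'sql01.test.local'   # hypothetical SQL Server host
$SqlPort   = 1433                 # default-instance port (assumption)
$Database  = 'OperationsManager'  # default operational DB name (assumption)

Add-Type -AssemblyName System.Data

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-SqlLogin {
    # Opens a connection as the *current* user with Windows authentication.
    # The Data Access service runs under its own account, so success here
    # proves reachability, not that the service account can log in.
    param([string]$Server, [string]$Db)
    $cs   = "Server=$Server;Database=$Db;Integrated Security=SSPI;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        return $true
    } catch {
        Write-Warning "SQL login failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# 1. A "Running" service does not mean it can reach its database.
$svc      = Get-Service -Name OMSDK -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status } else { 'Not installed' }

# 2. The actual cause is usually logged in the Operations Manager event log.
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Level = 2 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue

# 3. Network path first, then 4. a real login attempt.
$tcpOk = Test-TcpPort -HostName $SqlServer -Port $SqlPort
$sqlOk = if ($tcpOk) { Test-SqlLogin -Server $SqlServer -Db $Database } else { $false }

New-Object PSObject -Property @{
    DataAccessService = $svcState
    SqlTcpReachable   = $tcpOk
    SqlLoginWorks     = $sqlOk
} | Format-List

$errors | Select-Object TimeCreated, Id, ProviderName, Message | Format-List
```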

System Center Service Manager, part 1

As a part of my System Center blogging spree, I thought I’d go ahead with the setup of SCSM.

For those who don’t know what Service Manager is:
(Service Manager provides an integrated platform for automating and adapting your organization’s IT service management best practices, such as those found in Microsoft Operations Framework (MOF) and Information Technology Infrastructure Library (ITIL). It provides built-in processes for incident and problem resolution, change control, and asset lifecycle management.)

So, what does that mean? Like all the other System Center products it has numerous features, and many of them will make a lot more sense if you are familiar with ITIL terms. Much is related to:

* Incident and Problem management
* Change Management
* Service Request Management
* Release Management
* CMDB
* Data Warehouse reporting

I like the term “learning by doing”, so hopefully you can learn a bit from my posts regarding this.

The Service Manager consists of:

Service Manager management server
Contains the main software part of a Service Manager installation. You can use the Service Manager management server to manage incidents, changes, users, and tasks.

Service Manager database
The database that contains Service Manager configuration items (CI) from the IT Enterprise; work items, such as incidents, change requests, and the configuration for the product itself. This is the Service Manager implementation of a Configuration Management Database (CMDB).

Data warehouse management server
The computer that hosts the server piece of the data warehouse.

Data warehouse database
Databases that provide long-term storage of the business data that Service Manager generates. These databases are also used for reporting.

Service Manager console
The user interface (UI) piece that is used by both the help desk analyst and the help desk administrator to perform Service Manager functions, such as incidents, changes, and tasks. This part is installed automatically when you deploy a Service Manager management server. In addition, you can manually install the Service Manager console as a stand-alone part on a computer.

Self-Service Portal
A web-based interface into Service Manager.

So let’s continue with the setup.
NOTE: .NET 3.5.1 is required to install SCSM, so install it using the Add Features wizard.
NOTE: Windows 2008 R2 SP1 is required.

As you can see from the setup, the Management Server and the Data Warehouse server cannot coexist on the same server (so we will have to install the data warehouse components on another server). But we start with the Management Server.

In the first menu, enter your product key, or as in my case choose trial, and accept the license terms.

Next, choose the installation location.


Then click next; now the setup will run the prerequisites check.
In my case I forgot a bunch of stuff before I could continue.

The Report Viewer is available on the installation media; the other components are available from Microsoft.com: http://www.microsoft.com/download/en/confirmation.aspx?id=8824

After you have installed the missing components you can continue on with the setup.
On the next page you have the database setup. Unlike OpsMgr and ConfigMgr, Service Manager doesn’t like the default collation SQL_Latin1_General_CP1_CI_AS. If you have a clean database server for this purpose, choose the collation Latin1_General_100_CI_AS (if you are using the previous one you will get an error message, so we continue on!).

After you are done entering the info, click next.
Now you have to enter a Management Group name and a management group administrator group.

NOTE: Management group names must be unique. Do not use the same management group name when you deploy a Service Manager management server and a Service Manager data warehouse management server. Furthermore, do not use the management group name that is used for Operations Manager.

Click next, and configure the service account to be used for Service Manager.

On the next page you need to set up the Service Manager Workflow account.

Click next, and choose a setting for the CEIP. (You can choose whatever you want here, but I recommend that you actually choose yes, since Microsoft is actually using the data they gather to make a better product.)

The next menu is about whether you want to use Microsoft Update; in my case I have patch management via SCCM, so I choose no.

Click next and you get the summary screen, double-check that everything is correct before you install.
NOTE: It’s a pretty small installation, so it will only take a couple of minutes.
NOTE: If setup fails, check the logs under \Users\currentuser\appdata\local\temp
NOTE: In the last part of the installation it might say something about importing management packs; don’t get confused and mix it up with OpsMgr. This is because Service Manager also uses the term Management Packs.
After installation is complete, start the console via the start menu –> Service Manager Console.

This is what the console looks like the first time.

The graphical user interface is similar to ConfigMgr and OpsMgr, and as you can see in the overview, the console lists a whole bunch of objectives that we should do before we start using Service Manager.
Let’s just go through the basics of the console. On the left side we have 4 different options.

Administration –>  

  • Announcements
  • Connectors  
  • Deleted Items
  • Management Packs
  • Notifications
  • Security
  • Service Level Management
  • Settings 
  • Workflows


Library –>

  • Groups
  • Knowledge
  • Lists
  • Queues
  • Runbooks
  • Service Catalog
  • Service Offerings
  • Tasks
  • Templates


Work Items

  • Activity Management
  • Change Management
  • Incident Management
  • Problem Management
  • Release Management
  • Service Request Fulfillment

Configuration Items (which contains all the CIs; they typically include services, hardware, software, buildings and people)

  • Builds
  • Business Services
  • Computers
  • Environments
  • Printers
  • Software
  • Software Updates
  • Users

All these terms (Service Management, Configuration Items, Incident Management, Change Management) are directly linked to ITIL & MOF, so they don’t make a lot of sense for people who aren’t familiar with the ITIL terminology.
But for the sake of this blog, let’s go through a quick demo.

The Demo
A user (Bill) is sitting at a computer (Computer1) and is having trouble with a printer (Printer1), and he creates an incident using the portal.

First we have to use the Active Directory connector to sync his User to Service Manager. Go to Administration –> Connectors –> Active Directory Connector.

Give the sync a valid name and a good description.

Choose “Enable this connector” and click next.

Choose the default domain you wish to sync from and choose which account you want to use to sync the information. Click Test Connection to see if the user info you entered is valid. Click next –> then import the user and the computer (in my case I created the printer as a CI).

Click next, double-check the summary and click create.

If you go to Configuration Items and choose Users, you will now see that Bill appears in the list, and if you choose the Computers menu you will see that Computer1 appears. And I have created the printer manually.

Let’s say Bill sends you an e-mail regarding an incident relating to Printer1 on Computer1; then you as an administrator would have to “Create an incident”. If it’s confusing and you think “Well, ain’t that a problem instead of an incident?”: in terms of ITIL thinking, a Problem is one that comprises multiple incidents. Since this is a single event, it is an incident. If a lot of people are having trouble with the printer, well, then it’s a problem.

Go to the Work items –> Incident Management –> Create Incident


Next you have a wealth of info that you need to enter.

First we have to enter the user that is affected, a title for the incident with an accurate description, the impact and whether it’s urgent or not, along with the affected items. The console also keeps track of the time you are spending on the incident.
You also have to provide an owner for the incident; in my case I’m going to give it to my Tier 1 support tech guy, SQLuser.

Click Apply, then OK. Then go back to the “All Incidents” view and you will see the incident that we just created.

When the issue is fixed, we can just click on the incident and change the status to Resolved.
This has been part 1 on SCSM, more to come.

Monitoring SCCM 2012 via SCOM 2012


Quick blog, but I’m going to go through the setup that is needed in order for your OpsMgr to monitor your ConfigMgr site.
First off, you can download the MP either via the console itself (as we did for SQL Server in my previous SCOM blog) or from this URL: http://www.microsoft.com/download/en/details.aspx?id=29267

The easiest is via the console, but when you do that you don’t get the documentation included, just the MP files.
So go to the Administration tab –> Management Packs –> choose the add button from catalog.

Here you can just type “Microsoft” in the search menu and all the available MPs from Microsoft will appear.
Now I select the MPs I want to download and click OK.

I also downloaded some Active Directory and other MPs for later reference.
After you have downloaded them you have to import them into OpsMgr.

SCCM 2012 consists of 4 files, so I’m going to import them.

After I’ve imported them and they are installed, I get a new monitoring view (System Center Configuration Manager 2012).

For the Configuration Manager monitoring pack to discover objects, you must turn on Agent Proxy on every site server except for the primary site and the central administration site.
Then it might take some time before your CM components appear in the Opsmgr site.
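
Agent Proxy can be switched on from the Operations Manager Shell instead of clicking through each agent's properties. This is an added example (not from the original post); the site server names are hypothetical, and the audit at the end lists every agent that currently has the setting so that it stays limited to the servers that need it.

```powershell
# Added example: run in the Operations Manager Shell on a management server.
Import-Module OperationsManager

# Hypothetical ConfigMgr site servers that need Agent Proxy (see the rule above).
$SiteServers = @('cm-sec01.test.local', 'cm-dp01.test.local')

foreach ($name in $SiteServers) {
    $agent = Get-SCOMAgent -DNSHostName $name
    if (-not $agent) {
        # No agent means the MP cannot discover anything on this server yet.
        Write-Warning "$name has no agent reporting to this management group"
        continue
    }
    if ($agent.ProxyingEnabled.Value) {
        Write-Output "$name : Agent Proxy already enabled"
    } else {
        Enable-SCOMAgentProxy -Agent $agent
        Write-Output "$name : Agent Proxy enabled"
    }
}

# Audit: an agent with proxying enabled may submit data on behalf of other
# objects, so review the complete list rather than enabling it everywhere.
Get-SCOMAgent |
    Where-Object { $_.ProxyingEnabled.Value } |
    Select-Object DisplayName, PrimaryManagementServerName |
    Sort-Object DisplayName
```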

After that is done, you can go back to the monitoring tab and choose Hierarchy Diagram under SCCM 2012. This will give you a diagram of your SCCM site.

If you right-click on one of the component servers and choose Health Explorer, you can get a more detailed view of the OpsMgr monitors.

If we take a look at one of the components that OpsMgr monitors, we can see that it’s the SMS_COMPONENT_STATUS_SUMMARIZER.
Let’s see if it works properly: head over to the ConfigMgr server, stop the SMS_SITE_COMPONENT_MANAGER, and see if OpsMgr reports as it should.

And there we go, the OpsMgr alert triggered. So we go back to the ConfigMgr server and start the service again; the alert should auto-resolve.

News/Changes in Microsoft Certifications

A lot has happened in the Microsoft world of certification lately.
Microsoft has returned with the old certification track known as MCSE (and a new one called MCSA).

Changes?
The old track was known as MCSE (Microsoft Certified Systems Engineer), which existed for NT/2000/2003 Server and such.
After they retired that track, Microsoft released a new track (which is the current one) called MCITP (Microsoft Certified IT Professional) & MCTS. Now they are going back to the old track and making some changes in the process.

The previous track will still exist as long as the products that have an exam attached to them exist. So if you have a certification on Server 2008 (MCITP or MCTS) you will have it as long as you live. Microsoft has released 2 different tracks of MCSA.

MCSA Windows Server 2008.
http://www.microsoft.com/learning/en/us/certification/cert-windows-server-MCSA.aspx
If you have a Server Administrator or Enterprise Administrator certification you will automatically receive this title.

MCSA SQL Server 2012.
http://www.microsoft.com/learning/en/us/certification/cert-sql-server-MCSA.aspx
This is the first real new product using the new certification track.

And note that MCSA is the entry level title, much like MCTS was. And MCSE is the expert level like MCITP was.

Another change is that if you take an exam using the new system you have to recertify every 3 years.

Regarding the MCSE exams, there are also 2 tracks available.

MCSE: Private Cloud:
http://www.microsoft.com/learning/en/us/certification/cert-private-cloud.aspx
Where you need the MCSA Server 2008 done, and the new exams 246 & 247.

MCSE: SQL Server 2012 (which is split up in 2 parts)
http://www.microsoft.com/learning/en/us/certification/cert-sql-server.aspx

New exams (Well not all of them are new but I thought I’d share them anyway)

70-321:  Deploying Office 365
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-321&Locale=en-us

70-323:  Administering Office 365
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-323&Locale=en-us 

(The two next exams are going to be released Q2/Q3 this year)

70-246:  Monitoring and Operating a Private Cloud with System Center 2012
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-246

70-247: Configuring and Deploying a Private Cloud with System Center 2012
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-247#tab2

70-243: Administering and Deploying System Center 2012 Configuration Manager
http://www.microsoft.com/learning/en/us/Exam.aspx?ID=70-243&Locale=en-us

Looks like I have a lot to do in the near future 🙂

SCOM 2012, part 1 installation

Since I said in my previous post that I’m working on the whole System Center package (and I’m getting tired of blogging about SCCM), I thought I would start a bit on SCOM (Operations Manager).

Much has changed since the previous version, SCOM 2007 R3 CU5 (which I believe was the last release).
A lot of new features have been added, including:

* SNMP v3 support ( The previous versions supported only v1 & v2 )
* More PowerShell cmdlets
* Removal of the RMS role (Which was introduced in 2007 ) so all servers are now management servers and distribute the load between the MS servers, which gives HA out-of-the-box
* Agent Control panel applet
* More support for network devices and protocols (including CDP and LLDP)
* More support for web applications (J2EE, .NET)

And remember that SCOM consists of the following

* Management Server
* SCOM DB
* SCOM Data warehouse DB
* Gateway Server
* ACS
* ACS Database
* Agent
* Console
* Web Console
* Reporting Server
* Management Packs
* Agents

Now that we’ve covered the basics, we start by installing it.
PS: Remember to install .NET Framework 3.5.1.

After I start the setup of SCOM 2012, I get the option to choose what I want to install. In this case, since I only have 1 server, I choose Management + Console.

Next is about installation location, leave it at the default.


Next, the setup verifies that you have the required hardware and software in order to run OpsMgr.
In my case I forgot to update my server to 2008 R2 SP1 and I forgot to install the Report Viewer Controls.

Of course those are pretty easy to fix. (Can’t figure out, though, why Microsoft couldn’t put the setup for Report Viewer on the installation media.) So after you’ve installed SP1 and the Report Viewer Controls, run the setup again.

Now that’s done I can continue with the setup. Next you create a management group.
This is unique for each instance of OpsMgr, so choose a unique name if you have multiple instances.

Click next, accept the license terms.


Then click next again; now we come to the DB setup.
Enter the name of your SQL server, and the setup will automatically connect to it.
By default it will try to store the database on the C: drive of the SQL server; change that to another disk (preferably NAS/SAN).

Next we get another database setup, but this one is for the Data Warehouse DB, the database that Reporting Services uses and that holds the long-term data storage.

After you are done here, click next. Now we get to the service account setup screen.
A little info about the different accounts.

Management server action account:
This account is used to carry out actions on monitored computers across a network connection.
This should be a domain account, which has local administrative rights.

System Center Configuration service and System Center Data Access service account
This account is one set of credentials that is used to update and read information in the operational database. Operations Manager ensures that the credentials used for the System Center Data Access service and System Center Configuration service account are assigned to the sdk_user role in the operational database.
This can be either a domain account or Local System. For cases where the operational database is hosted on a remote computer that is not a management server, a domain account must be used. For security reasons, don’t use the same account as the management server action account (MSAA).

Data Warehouse Write account
The Data Warehouse Write account writes data from the management server to the Reporting data warehouse and reads data from the operational database.
This account is assigned write permissions on the Data Warehouse database and read permissions on the operational database.

Data Reader account
The Data Reader account is used to define which account credentials SQL Server Reporting Services uses to run queries against the Operations Manager reporting data warehouse.
Ensure that the account you plan to use for the Data Reader account has SQL Server logon rights and Management Server logon rights.

After you have created the domain accounts, enter the usernames and passwords and click next.

Since I chose a domain admin account as my Operations Manager server action account, I got a warning from the installer that this is not recommended. But as I said before, it’s a demo in a closed environment, so no harm there.

Next we have the help improvement and error reporting (choose whatever you want there).

Next we have Microsoft Update; since we are using SCCM to do patch management I turned this off.

Click next and you get the summary screen. Double-check the information here, then click Install.
And then the waiting begins. If you want, you can check the logs that the setup stores under C:\users\(runninguser)\appdata\local\scom\logs and the OpsMgrSetupWizard.log file.
When the setup is finished, mark “Start the console” and close the installer.

Now we are in the console. OpsMgr automatically says that there are tasks that we need to do before we can manage and monitor our network. The first thing I want to do is push the OpsMgr information out to Active Directory so that our agents can find which management group and server they need to connect to. (Of course we don’t need to publish that information in AD; if we want, we can manually type it in under the setup parameters of the agent.)

This step needs to be performed as a user with domain rights.
Open the OpsMgr installation media on a domain controller. Browse to SUPPORTTOOLS\I386, then run MOMADADMIN from cmd. What this tool does is that it:

* Creates an Operations Manager container under the root of the domain specified.
* Creates a container, with the name of the management group specified, under the Operations Manager container the tool just created.
* Within the management group container, creates two service connection points (SCP) and one security group.

The syntax is: MomADAdmin ManagementGroupName MOMAdminSecurityGroup RunAsAccount Domain
Example: MomADAdmin MyManagementGroup contoso\MOMAdmin contoso\ActionAccount Contoso

So in my instance: MomADAdmin TEST_MG test\MOMadmin test\administrator test

Note though, this only creates the folder in AD; it doesn’t add the management servers, so the agents still don’t know which server they should contact.

Now we have to enter the console.

Go into the Administration tab and into Management Servers –> right-click on the server (which is a MS) and press Properties.

Next click the Add button under “Auto Agent Assignment”.

Now we come to the Agent Assignment and Failover Wizard.
As you can see here, it says that MOMADAdmin has to be run before you can continue this wizard.

Click next, Select the domain of the computers from the Domain name drop-down list.

Set Select Run As Profile to the Run As profile associated with the Run As account that was provided when MOMADAdmin.exe was run for the domain. The default account that is used to perform agent assignment is the computer account for the root management server, also referred to as the Active Directory Based Agent Assignment Account. If this was not the account that was used to run MOMADAdmin.exe, select Use a different account to perform agent assignment in the specified domain, and then select or create the account from the Select Run As Profile drop-down list.


On the Inclusion Criteria page, type the LDAP query for assigning computers to this management server in the text box.

The following LDAP query returns computers with a name starting with scom: (&(sAMAccountType=805306369)(objectCategory=computer)(cn=scom*))

On the Exclusion Rule page, type the fully qualified domain name (FQDN) of computers that you explicitly want to prevent from being managed by this management server.

On the Agent Failover page, either select Automatically manage failover and click Create, or select Manually configure failover.

Now remember that it can take up to one hour for the agent assignment setting to propagate in Active Directory Domain Services.
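
Before pasting a query into the Inclusion Criteria page, it helps to see exactly which computer accounts it matches, since a wildcard like cn=scom* can pick up more machines than intended. The following added example (not from the original post) runs the query from above against AD and applies an exclusion list; the excluded FQDN and the 90-day stale threshold are constructed values.

```powershell
# Added example: preview an inclusion filter before using it in the wizard.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Inclusion query taken from the post.
$InclusionFilter = '(&(sAMAccountType=805306369)(objectCategory=computer)(cn=scom*))'
# Constructed sample of what would go on the Exclusion Rule page.
$ExcludedFqdns   = @('scom-lab.test.local')
# Assumption: accounts with no logon in this many days are treated as stale.
$StaleAfterDays  = 90

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

function Get-AssignmentStatus {
    # Classifies one AD computer object returned by Get-ADComputer.
    param($Computer)
    if ($ExcludedFqdns -contains $Computer.DNSHostName) { return 'Excluded by rule' }
    if (-not $Computer.Enabled)                         { return 'Matched, account disabled' }
    if (-not $Computer.LastLogonDate -or $Computer.LastLogonDate -lt $cutoff) {
        return 'Matched, stale account'
    }
    return 'Would be assigned'
}

$preview = @(
    Get-ADComputer -LDAPFilter $InclusionFilter `
        -Properties DNSHostName, OperatingSystem, LastLogonDate |
    Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate,
        @{ Name = 'Status'; Expression = { Get-AssignmentStatus $_ } }
)

# Full list for review, then a count per status.
$preview | Sort-Object Status, Name | Format-Table -AutoSize
$preview | Group-Object Status | Select-Object Count, Name
```

Anything listed as disabled or stale still matches the query, so it is a candidate for the Exclusion Rule page or for a tighter filter.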


Since it might take some time, we are going to install the agent manually, but before we can do that we have to change the security settings for the SCOM site, because by default SCOM rejects manually installed agents. So go into the Administration tab ->
Click the Security tab, and press Properties. Here, change the value from Reject to automatically approve.

Then click OK. After that is done, go to the server where you want the agent to be installed, and run this command in a cmd shell as administrator.

Installing the agent:
%windir%\system32\msiexec.exe /i dir\momagent.msi /qn USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP=TEST_MG MANAGEMENT_SERVER_DNS=scom.test.local

NOTE: dir here is the installation media of SCOM.

NOTE: Active Directory Integration is disabled for agents that were installed from the Operations console. By default, Active Directory Integration is enabled for agents installed manually by using MOMAgent.msi.

After the installation it might take some time before the agent appears in the console. When it does, it will appear under the Administration tab, in Agent Managed.
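
If the security setting is left at “Review new manual agent installations in pending management view” rather than automatic approval, manually installed agents wait under Pending Management until someone approves them. This added example (not from the original post) approves only agents on an expected list and leaves everything else pending; the host names are constructed.

```powershell
# Added example: run in the Operations Manager Shell on a management server.
Import-Module OperationsManager

# Constructed list of servers on which a manual agent install was planned.
$Expected = @('sql01.test.local', 'web01.test.local')

# Manually installed agents that are waiting for a decision.
$pending = @(Get-SCOMPendingManagement |
    Where-Object { $_.AgentPendingActionType -eq 'ManualApproval' })

if ($pending.Count -eq 0) {
    Write-Output 'No manually installed agents are waiting for approval.'
}

foreach ($p in $pending) {
    if ($Expected -contains $p.AgentName) {
        Approve-SCOMPendingManagement -Instance $p
        Write-Output "Approved $($p.AgentName)"
    } else {
        # Unknown hosts stay pending so that a person can investigate
        # and reject them (Deny-SCOMPendingManagement) if they do not belong.
        Write-Warning ("Unexpected agent waiting for approval: {0} (via {1})" -f `
            $p.AgentName, $p.ManagementServerName)
    }
}
```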

You can also check the control panel applet on the server; this displays info about the agent.

Also look in the event log under Windows Logs –> Applications and Services Logs –> Operations Manager and see if any error messages appear.

When it is finished and you have no error messages, go into the console again: Monitoring -> Windows Computers. You will see that the agent appears as Healthy here, so it seems like the agent is working as it should.

By the way, the server I installed was an SQL server. By default SCOM doesn’t contain anything useful to monitor SQL servers. Therefore we need to download a management pack for SQL Server 2008 in order for SCOM to manage the server properly.

A Management Pack is a file that contains parameters, values, tasks, rules and monitors for a known product. So it contains all the information that SCOM needs to monitor a certain product.
Microsoft has a lot of management packs available (for free) for download via their online library. (There are also third-party vendors that have published management packs for their products on the website, but these usually cost $$.)

Next I choose to search the online catalog, and I search for the name “SQL”.
A number of Management Packs appear, and I choose the SQL Server 2008 MP.

I choose Add all of these and download them to the desktop of my server.

Now that we have downloaded them, we have to import them into the OpsMgr site.
Go back to the management pack pane under Administration, and on the right side click “Import Management Packs”.
Browse to those you’ve downloaded and click Install.

After you’ve done that, another view called SQL Server will appear under the monitoring tab (which was a part of the MP you installed).

After OpsMgr has updated the database and distributed the new SQL MP to the agent, the server will appear here.

As you can see, it appears with a critical event, but we will go deeper into the events and rules in a later blog post.
Part 1 done!

Windows Intune

For those not attending MMS this year, Microsoft today released information about the new mobile device management, which will be included in future releases of SCCM and in Windows Intune. (Bear in mind, though, that this will not be available before Q1 2013, and I’m betting that Windows RT will also be supported in this release.)
For those not familiar with Windows Intune, it allows an administrator to manage his/her client computers from the cloud. This includes patching, anti-virus/malware services, reporting services, software deployment etc.

These are all the agents that get installed with the Intune setup.

  • Windows Intune Center
  • Microsoft Policy Platform
  • Microsoft Online Management Policy Agent
  • Windows Firewall Configuration Provider
  • Windows Intune Endpoint Protection
  • Windows Intune Endpoint Protection Agent
  • System Center Operations Manager 2007 R2 Agent
  • Windows Intune Monitoring Agent

Today there is a limit of 25 clients via Intune (in the release that is publicly available today), but Microsoft has stated that it will be integrated with Office 365, and you can also integrate it with your domain.

Integration with Microsoft Active Directory Domain Services*
The full release of Windows Intune will use the same authentication mechanism as Office 365, so that you can integrate Windows Intune with your existing Active Directory Domain Services (AD DS) environment. When you integrate Windows Intune with AD DS, you can synchronize existing security groups and users from AD DS to Windows Intune and manage them with Windows Intune.

Now then, since I’ve been lucky enough to try the new beta, I thought I’d show you a quick demo of it.
The login page looks much like the Office 365 portal, where you have your basic menus on the top.

If I go to the Company Portal, I get to the self-service portal, clearly Metro inspired.
Here I can access applications and my devices, and I can contact IT support.

If I go back and open the Admin Console, I come to the familiar Intune console (Silverlight based).

The new mobile-based management which was announced at MMS is not publicly available yet. In order to manage your mobile devices via Intune you need an Exchange Connector, just as you would in your ConfigMgr site.
And before you can use it, you have to sync your users from the local Active Directory into the Intune management.
Something that I miss is the option to link your Intune site with the Office 365 Exchange.

You can also add administrators as you could before, but that also requires sync with AD. Of course you can add other types, but that needs to be done via the Tenant Administrators.

Now I’m going to install the new Intune agent on one of my servers. First I create a computer group (just like a collection in SCCM).

After I’ve done that, I go to Administration –> and push Client Software Download.

It is a zip file, so unzip it and run the setup file.
The setup is pretty much the same as before: next, next, finish.

(It might take a while before it is finished installing…) Even when it says it’s finished installing, Intune is installing a bunch of agents in the background.

If you follow the application log in the event viewer, you can see it is installing the OpsMgr agent, online services etc., so it might take a few minutes before the computer appears in the overview menu.

Now it’s about finished (just installing the Endpoint Protection). I can open the Intune Center, and I have the basic options. Pressing “Get applications” just opens the self-service portal I showed earlier.

If I open the Management part of the web interface, I can now see my computer active, with a bunch of patches that I need to approve, and some alerts. (If you are having issues with the client not contacting the service, restart the client computer after you have installed the agent.)

After the restart I wanted to test the Remote Assistance function. Open the Intune Center and press “Request Remote Assistance”; now open the System Overview and you will receive an alert.
If you click Approve here, you will get sent to the Microsoft Office Live Meeting site…

This has been a short blog post, more to follow.

SCCM 2012 part 3, client configuration.

In my previous post, we configured some server roles, created boundaries, imported users and computers, and we checked that the installed server roles actually worked.

Part 1# System Center 2012, SCCM part 1
Part 2# SCCM 2012, Part 2 configuration

Now we are going to go through the Client Policy settings, create a new dynamic collection for Windows 8, and distribute a client (manually and via the console).

We can begin by checking the client settings: start the console and go into Administration –> Client Settings.

Remember that you can have multiple client settings. Since we are going to create a new dynamic collection, we can click the button on the top menu called Create Custom Client Device Settings. In the pop-up window that appears we have the option to choose what we want this new policy to include. So if we don’t choose, for instance, “Network Access Protection”, that client will get the “Network Access Protection” info from the Default Client Settings.
You can also see that the Default Client Settings has a priority of 10 000, so if I were to create a NAP policy with a priority of 10, that policy would override the default one.

So let’s create that custom policy, which will have these settings (as a best practice, give it a unique name and a good description).

We can start by looking at the Client Policy, this is were you define how often the client should do a policy refresh against the site ( As you can see its 60 min by default, and on internet facing clients it is disabled until they are back on the lan ) Im going to tune that down to 15 min (Since this site will only have a few clients ) Remember that by lowering this will cause a large increase on data to your site so don’t overdo it!

image

Next we go to Compliance Settings, which basically says whether the clients should run baselines and report back compliance (we will get back to that later). By default this is set to true, so we will leave it at that.

Next is Computer Agent; most of the client settings are found here. Here we define our deployment deadlines and the URL of the Application Catalog. (Since this is already installed on the same server, I’ve just set that to detect automatically.) Remember to set the “add default app…. to trusted sites” option to True so you don’t encounter any issues with the portal. If you want the users to have permission to install software, set that value to True.

Next is Computer Restart; just leave that at the default.
And then Endpoint Protection.

As you can see here, the options are greyed out… Why?
Because we forgot to install the Endpoint Protection role, so we have to install that afterwards, but let’s finish the policy first.
(Then we will go back and alter the Endpoint Protection policies.)

Hardware Inventory is enabled by default, but we should double-check whether we want it to report more or less. Click “Set Classes”. The list that you see here is what the ConfigMgr agent will report back to the site regarding hardware.

So if you want the agent to report more regarding hardware, just mark the class you want info on. In my case I want the agent to report back whether it has a TPM (Trusted Platform Module) chip, so I mark that and press OK.

Next we have Power Management, which basically enables power management on the client and/or allows your users to exclude their clients from power management.

We will get back to that later, so let this stay at the default and go into Remote Tools.
By default you have the option to activate Remote Desktop, Remote Assistance and something called Remote Control. (This only works when the clients are connected to the site, so it won’t work on internet-facing clients since it needs Kerberos, but if you are using DirectAccess it will work.)

But let’s start with the first option, enabling Remote Control.

Next I add myself as a Remote Control and Remote Assistance viewer and change any other settings I wish.

Software Inventory enables the agent to collect information about software installed on the clients.
Here you decide which types of files the agent should get info about. I’m going to include just .exe files here, since this covers most of the applications that I want.

Software Metering allows you to monitor the usage of specific applications, which is useful if you have concurrent license usage. This option just enables software metering on clients.

Software Updates allows the agent to do software updates on the clients; just leave this at the default.

Now that we have gone through the policy settings, click OK and we get back to the console.
We see that the policy has a priority of 1, but it needs to be deployed to a collection of computers before it is actually used.

So now we can go on to create the dynamic computer collection.
Since we want a collection that includes ONLY Windows 7 computers, go into Assets and Compliance -> Device Collections; there you have the option to create a new device collection.

So give it a name and choose a limiting collection. (This means that the query will run on the limiting collection and say “Hey Windows 7 computers, I want you to join my collection as well”.)

Click Next, and here is where we choose a query rule.

In the query rule, we can enter this query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from sms_r_system where OperatingSystemNameandVersion like '%Workstation 6%'

This query will only include workstation computers whose version matches 6%. FYI, you have tons of options regarding queries here. You can, for instance, create a dynamic collection that checks whether the client has Office installed; if it hasn’t, it joins the collection you create, and you can have Office as a required software deployment for that collection. Once the application is installed, the computer is removed from that collection the next time the query is run.
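To see what a query rule will pull in before attaching it to a collection, the same WQL condition can be run against the SMS Provider and grouped by OS string. This is an added example, not part of the original post; it assumes the lab's site server Configmgr.test.local and site code TST, and Get-QueryPreview is a made-up helper name.

```powershell
# Added example: preview which discovered systems a collection query rule matches.
# Assumptions: site server and site code are the lab values used in this series.
# Get-QueryPreview is a hypothetical helper, not a ConfigMgr cmdlet.
$SiteServer = 'Configmgr.test.local'
$SiteCode   = 'TST'

function Get-QueryPreview {
    param(
        [Parameter(Mandatory = $true)][string]$OsPattern   # e.g. '%Workstation 6%'
    )
    # Reject quotes so the pattern cannot break out of the WQL string literal.
    if ($OsPattern -match "['""]") {
        throw 'OsPattern must not contain quote characters.'
    }
    $wql = "select Name, OperatingSystemNameandVersion, Client " +
           "from SMS_R_System " +
           "where OperatingSystemNameandVersion like '$OsPattern'"

    Get-WmiObject -ComputerName $SiteServer `
                  -Namespace "root\sms\site_$SiteCode" `
                  -Query $wql |
        Select-Object Name, OperatingSystemNameandVersion, Client
}

# The pattern from the post, and a narrower one that only matches version 6.1.
$broad  = @(Get-QueryPreview -OsPattern '%Workstation 6%')
$narrow = @(Get-QueryPreview -OsPattern '%Workstation 6.1%')

# Members per OS string: the broad pattern matches every 6.x workstation
# (6.0 is Vista, 6.1 is Windows 7, 6.2 is Windows 8).
$broad |
    Group-Object OperatingSystemNameandVersion |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize

# Systems the broad rule would add that a 6.1-only rule would leave out.
# Anything listed here receives every deployment and client setting
# targeted at the collection.
$narrowNames = @($narrow | ForEach-Object { $_.Name })
$broad |
    Where-Object { $narrowNames -notcontains $_.Name } |
    Sort-Object Name |
    Format-Table Name, OperatingSystemNameandVersion -AutoSize
```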
Now we can just finish the query wizard and create the collection. So now we turn to the client. We can install the client manually, via group policy, or by push install from the console. For this demo we are going to use client push.
I just want to mention that if you are going to install the client manually you have a lot of parameters available.
You can see all the switch parameters for the setup here –> http://technet.microsoft.com/en-us/library/cc181242.aspx
For instance, if you haven’t extended the AD schema with the SCCM update, you will need to add the parameters ccmsetup.exe /MP:10.0.0.0(IP) SMSSITECODE=TST. (If you set SMSSITECODE=AUTO, it will try to get the site code from AD.)
So I’ll just add my Windows 7 computer to the domain, and the AD sync will automatically add it to the site. As you can see, it appears in the collection.

It also says Site code = TST even though I haven’t installed the client yet. Why?
Because this computer is part of the TST boundary. Now, before we install the client, we need to install the Endpoint Protection role.

So go to Administration –> Servers and Site System Roles –> right-click your primary server and choose Add Site System Role. Then we choose the Endpoint Protection role; this time we can continue with the setup.

Basically just accept the terms, choose “Do not join MAPS”, Next, Next, Finish. We go back to the client policy settings we created and alter the Endpoint Protection settings: choose enable on “Manage endpoint protection client”, leave the rest at the default, and choose OK.

Now go back to the collection, right-click the client and choose Install Client.
Mark the last option, Next, Next, Finish.

If you now open the log ccm.log in the Configuration Manager folder, you can see that it tries to install the agent.

But since it doesn’t have admin access on that computer, we have to give it that.
After we’ve done that, try installing the agent again.
When you’ve done that, open Task Manager on the client and choose Processes.
You can now see that it’s trying to install the agent.

If you want to check the progress, there are some setup logs created in the C:\Windows\ccmsetup folder:
ccmsetup.log and client.msi.log
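ccmsetup.log is written in the CMTrace line format, where each entry carries a type field (1 information, 2 warning, 3 error), so the warnings and errors can be pulled out without reading the whole file. The following is an added example, not part of the original post; Get-CmLogProblem is a made-up helper name and the sample entries are constructed.

```powershell
# Added example: list warnings and errors from a CMTrace-format log such as ccmsetup.log.
# Get-CmLogProblem is a hypothetical helper name, not a ConfigMgr cmdlet.
function Get-CmLogProblem {
    param(
        [Parameter(Mandatory = $true)][string]$Text,
        [int]$MinimumType = 2    # 1 = information, 2 = warning, 3 = error
    )
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" ' +
               'component="(?<component>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    # Singleline lets "." span line breaks, because a message can cover several lines.
    $options = [System.Text.RegularExpressions.RegexOptions]::Singleline

    foreach ($m in [regex]::Matches($Text, $pattern, $options)) {
        $type = [int]$m.Groups['type'].Value
        if ($type -lt $MinimumType) { continue }
        $severity = 'Warning'
        if ($type -ge 3) { $severity = 'Error' }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Severity  = $severity
            Component = $m.Groups['component'].Value
            Message   = ($m.Groups['msg'].Value -replace '\s+', ' ').Trim()
        }
    }
}

# Constructed sample entries (not taken from a real installation).
$sample = @'
<![LOG[Constructed sample: setup started]LOG]!><time="10:15:01.120-120" date="04-20-2012" component="ccmsetup" context="" type="1" thread="2044" file="sample.cpp:1">
<![LOG[Constructed sample: a download was retried]LOG]!><time="10:15:09.431-120" date="04-20-2012" component="ccmsetup" context="" type="2" thread="2044" file="sample.cpp:2">
<![LOG[Constructed sample: an installation step failed
and the message continues on a second line]LOG]!><time="10:16:30.002-120" date="04-20-2012" component="ccmsetup" context="" type="3" thread="2044" file="sample.cpp:3">
'@

# Yields two objects: one Warning and one Error (the multi-line entry, flattened).
Get-CmLogProblem -Text $sample | Format-Table -AutoSize -Wrap

# On a client, read the log from the folder named in the post.
$logPath = 'C:\Windows\ccmsetup\ccmsetup.log'
if (Test-Path $logPath) {
    Get-CmLogProblem -Text ([System.IO.File]::ReadAllText($logPath)) |
        Format-Table -AutoSize -Wrap
}
```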

When the installation is complete you will get a new application called Software Center in your Start menu.

And a new option in the Control Panel called Configuration Manager Properties.

Since this just recently finished installing, not all the configuration items are displayed yet (I will cover that in my next post). But you can see that my agent is now connected to the MP Configmgr.test.local and assigned to the site TST.
It is now also appearing in my ConfigMgr console as active.

Windows 8, Windows Server 2012

Since I’m not attending MMS this year, I am stuck with watching the keynotes and watching Twitter, so I still manage to get the latest news.

Microsoft has today released its System Center 2012 products worldwide.
It has also revealed which versions of Windows 8 will be available.

Microsoft has seen that having too many versions of Windows available is confusing for the customer, so it stuck with the basics.

Windows 8, Windows 8 Pro, Windows 8 Enterprise and Windows RT (which is Windows for ARM).
You can see the feature list here: http://windowsteamblog.com/windows/b/bloggingwindows/archive/2012/04/16/announcing-the-windows-8-editions.aspx

Windows RT does not support domain join (or x86/64-bit software) and therefore does not support group policies and such. I think that is a bit disappointing, but how else can Microsoft compete on speed with other tablets in the enterprise market, if its tablet needs 5 min to grind through a bunch of policies and other scripts that need to run?

But I think that Microsoft’s strategy will be to implement Windows RT-only features in the new ActiveSync protocol that most likely will come with Exchange 2015 (more info coming in September), or that SCCM will come with enhanced capabilities for managing Windows RT.

Another thing that Microsoft revealed was that Windows 8 Server is now named Windows Server 2012 ( no surprises there )

SCCM 2012, Part 2 configuration

This part will consist of doing the basic configurations that make ConfigMgr 2012 actually work in a domain.
There are a couple of steps that we need to do before we can distribute the client across our domain.

First off, start the console (usually located on the desktop) and go into the Administration tab.
Then from the left menu select Boundaries, right-click and select Create Boundary.

Since I only have 1 domain that I wish to create a boundary for, I choose Active Directory site from the drop-down menu, choose Browse, select the (Default-first-site-name) and give it a good description.

Click Apply, then OK. As of now, you have just created a boundary, but you haven’t linked it to a ConfigMgr site, so it doesn’t do much until we’ve done the rest.
Next we have to create a boundary group. Go back to Administration –> Hierarchy Configuration –> Boundary Groups. Right-click and select Create New Boundary Group.
Start by giving it a valid name and adding the boundary that we created in the previous step. Then click References and select “Use this boundary group for my site assignment”.
Then click the Add button below and choose the site server that you’ve installed ConfigMgr on. Click Apply and OK.

If you go back to the Boundaries menu, open the properties of the boundary that you created earlier and go to the “Boundary group” tab, you will now see that the group is listed there.

What you’ve done now is create a boundary for this site. This means that when a client installs the SCCM agent, it will query the system. The system will check “hmm, is this client within my boundary?”, see that it belongs to the Active Directory site that you listed in the boundary, and say “OK, it is part of my boundary, so I will give it access to this site”.
Next we have to activate Active Directory discovery, so that the ConfigMgr system will find our users, groups and computers from AD.
So go to the Administration tab again –> Hierarchy Configuration –> Discovery Methods.
What we are looking for now is Active Directory System Discovery (since we want ConfigMgr to find our computers from the domain).
Right-click System Discovery and choose Properties. Tick Enable Active Directory System Discovery, then press the star button and choose Browse. Choose the OU in which your clients are located, then click OK.
Go to the polling schedule and change it to 1 day.

Click Apply, choose Yes on the “Run discovery as soon as possible?” question and press OK.
If you go to the Monitoring tab and into System Status –> Component Status, find SMS_AD_SYSTEM_DISCOVERY_AGENT, right-click it and choose Show Messages, All, you can see that the discovery process has already run, and according to the log it found 3 valid systems.

If we go into the Assets and Compliance menu, then into Devices and All Systems, we find our 3 computers.

Now we could basically just deploy our client to our computers, but we are missing some other pieces that we need to put in place first.
With ConfigMgr 2012, Microsoft has labeled the product user-centric, meaning that we are very interested in the user and not so much in the computer the user sits at (well, we are a little bit interested, but the user sitting behind the computer isn’t). He or she wants their software available on every computer they sit at. So in order to deploy software to the user, we have to import our users from AD into ConfigMgr.
So again we go back to the Administration tab –> Hierarchy Configuration –> Discovery Methods and enable user discovery just as we enabled system discovery. (If you want to deploy software to specific groups, which most do, enable group discovery as well.)

When you have activated user discovery and the process has run, your users will appear under Assets and Compliance –> Users.
If you right-click a user and press Properties, you will see that it was the discovery that populated this user into ConfigMgr.

As you can see, it says “SMS_AD_USER_DISCOVERY” under agent name.

Now we have done much of the configuration that we need. Next we need to install the other required roles on our site before we start rolling out the agent to our domain. So go to Administration –> Site Configuration –> Servers and Site System Roles, choose your primary ConfigMgr server on the right side, right-click and select Add Site System Role.

On the first screen that appears, just leave it at the default. Since this is not an internet-facing site we don’t need to enter an FQDN.
And since the computer account still has administrator access, I can leave it at that.

The roles I am going to install now are:
“Application Catalog Web Service Point”: this is the service that the Application Catalog website is going to query. If you have a large domain I suggest installing 2 servers with the Application Catalog website and 1 dedicated web service point.
“Application Catalog Website Point”: this is the self-service portal where users can choose software that they want to install.
“Reporting Services Point”: provides the communication between the ConfigMgr server and the SQL Reporting Services server, and installs the default reports.
“Software Update Point”: used for patching computers in the SCCM site (requires WSUS 3.0 SP2). It is also required if you wish to deploy the Endpoint Protection Point, which we are going to install later.
So click Next.

If you don’t have a proxy server, just click Next here.

Here you have to select whether WSUS is already configured, and on which ports in IIS.
If you are uncertain, start the IIS configuration and check the bindings to see which ports it is configured on.
In my case it is a custom website, so I choose that and click Next.

I’ll skip the screenshots here to save space, since it’s pretty straightforward from here.

On the next pane, choose Synchronize from Microsoft Update and click Next. On Synchronization Schedule leave it at the default; on Supersedence Rules leave it at the default; on Classifications choose which patches you are interested in (critical, features, service packs etc.); on Products choose those products you have in your environment, or you might end up with a lot of data that you don’t need. On the Languages pane also choose those languages you have.
Now that we are done with that, we continue on to the Reporting Services Point.

The setup automatically chooses the server which has the ConfigMgr database installed, so click Verify.
Under Reporting Services server instance, select the default instance from the drop-down menu.

Then click Next. For the Application Catalog Web Service, just leave it at the default, unless you have a certificate that you want to use for HTTPS.

Then click Next. For the Application Catalog Website role, just leave that at the default as well.

Click Next, and you can choose a color theme for your portal and enter a title for it.

Click Next; the summary will appear, then click Finish, and the server roles will be installed.
Now that the roles are installed, let’s check that they are functioning as they should.
Let’s start by checking the reporting service: go into Monitoring and then choose Reporting –> Reports (it might take a while before the reports appear). Then run a random report (Administration Activity Log).

The report seems to be running fine, so it appears that the reporting service is functioning. I can also double-check that the component is reporting as it should by going into Monitoring –> System Status –> Component Status and checking SMS_SRS_REPORTING_POINT.

Now on to the software update point: go into the Software Library –> Software Updates –> right-click All Software Updates and choose Synchronize Now.

As you can see down below, it says busy. And if you open the Windows Update Services console you will see that it is synchronizing. This might take some time, depending on which products and languages you chose.

While this is synchronizing, I will check that the role has been installed properly.

It seems to be functioning as it should. After the sync it seems to be working properly. Well, this will not be tested until we have some clients to test it on.

Now back to the application web portal. I get an error, so I right-click SMS_PORTALWEB_CONTROL_MANAGER and choose to show all messages.

In order to fix this, you have to run the command aspnet_regiis.exe -i from c:\windows\microsoft.net\framework\v4.0.30319 in CMD.
Then I reinstall the Application web role on the server and voilà! Now it seems to be functioning as it should.

Now open Internet Explorer and browse to the server at http://server/cmapplicationcatalog
Remember that you have to have Silverlight installed in order for it to function.

Voilà! I haven’t created any applications that should be available yet, but you should always create the framework before you create the content.
Now we are finished with part 2 of this SCCM guide. The next one will focus on client settings, Endpoint Protection, software updates, remote control and how to push your SCCM agents out to the domain.

System Center 2012, SCCM part 1

Phew! There has been a lot to do this Easter: reading for my MCP exam and setting up my new home lab environment. So far I have set up most of the servers. They consist of:
1: AD + DNS
2: SQL w/Reporting Services
3: SCCM w/DP, MP, Application web site point, PXE role, Reporting point (all in one)
4: SCVMM Management + Self Service Portal
5: SCOM w/Management Server
6: SCSM

So I’m going to start with the installation of SCCM 2012. I presume that you have a basic understanding of what SCCM is; if not, I suggest heading over to Microsoft -> http://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx In short, it is a systems management framework used to manage computers (software deployment, patching, OSD, AV, baselines and compliance, reporting ++++).
Before we start with the installation, be sure to check that you have one of these versions of SQL Server installed.

  • SQL Server 2008 SP2 with Cumulative Update 9
  • SQL Server 2008 SP3 with Cumulative Update 4
  • SQL Server 2008 R2 with SP1 and Cumulative Update 4
  • The instance of SQL Server in use at each site must use the following collation: SQL_Latin1_General_CP1_CI_AS

To check which version of SQL Server you have installed, start SSMS and then click About on the Help menu.
You can download the SCCM 2012 RC from here: http://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012-trial.aspx

The server that is going to have SCCM installed needs:
.NET 4.0 (http://www.microsoft.com/download/en/details.aspx?id=17851)
.NET 3.5 SP1 (servermanagercmd -install Net-Framework)
Remote Differential Compression (servermanagercmd -install Rdc)
WSUS 3.0 SP2, if you are going to use it for patch management (which I’m going to do)

You also need to make some changes in Active Directory (you need a user with domain admin access to change this). This is because SCCM will publish information in AD that the clients will access later (more info on that later). (You don’t have to do this, but it makes it easier for the clients to find which server the agent should communicate with.)

Perform this on an Active Directory domain controller as a Domain Administrator.

Open ADSI Edit, click Action, Connect To and click OK. Double-click Default Naming Context and the DC= that appears below it. Click the + and scroll down to CN=System.

Right-click CN=System and choose New, Object.

Choose Container from the options, click Next and enter System Management as the value.
Click Next and Finish. Open Active Directory Users and Computers. Click View and select Advanced Features. Select the System Management container, right-click it, and choose All Tasks and Delegate Control.
When the Welcome to the Delegation of Control Wizard page appears, click Next, then click Add. Click Object Types and select Computers. Type in your SCCM server name and click Check Names. (In my case my server name is SCCM (I changed it later to configmgr), so enter the name of your own server here.)

Click OK, then Next. Choose Create a custom task to delegate, click Next, and make sure “This folder, existing objects in this folder, and creation of new objects in this folder” is selected.
Click Next, make sure the 3 permissions General, Property-specific and Creation/deletion of specific child objects are selected, then place a check mark in Full Control, and click Next, then Finish.
If you don’t do this, you will receive some errors from the SCCM server and the agents (since by default SCCM tries to publish its information to AD).
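The delegation above gives the site server's computer account Full Control over the System Management container and everything below it, so it is worth confirming afterwards exactly who can write there. This is an added example, not part of the original post; the domain DN (test.local), the account name CONFIGMGR$ and the list of expected writers are assumptions to adjust for your own domain.

```powershell
# Added example: review who can write to the System Management container.
# Assumptions: lab domain test.local, site server computer account CONFIGMGR$,
# and an expected-writers list that you should adjust to your own admin groups.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ContainerDn     = 'CN=System Management,CN=System,DC=test,DC=local'
$SiteServer      = 'CONFIGMGR$'
$ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                     '*\Domain Admins', '*\Enterprise Admins', "*\$SiteServer")

# Rights that let a principal create, change, delete or take over objects.
# GenericAll (Full Control) contains all of these bits, so it is matched too.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner'

$acl = Get-Acl -Path "AD:\$ContainerDn"

$report = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }

    $who      = $ace.IdentityReference.Value
    $expected = $false
    foreach ($pattern in $ExpectedWriters) {
        if ($who -like $pattern) { $expected = $true }
    }
    [pscustomobject]@{
        Identity  = $who
        Rights    = $ace.ActiveDirectoryRights
        AppliesTo = $ace.InheritanceType   # 'All' = this object and all descendants
        Inherited = $ace.IsInherited
        Expected  = $expected
    }
}

$report | Sort-Object Expected, Identity | Format-Table -AutoSize -Wrap

# The wizard steps in the post should leave one explicit ACE for the site server
# that applies to the container and everything below it.
$siteAce = @($report | Where-Object { $_.Identity -like "*\$SiteServer" -and -not $_.Inherited })
if ($siteAce.Count -eq 0) {
    Write-Warning "No explicit write ACE found for $SiteServer; publishing to AD will fail."
}
elseif (-not ($siteAce | Where-Object { $_.AppliesTo -eq 'All' })) {
    Write-Warning "The ACE for $SiteServer does not apply to child objects."
}

# Anyone else who can write here can alter what the site publishes to clients.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) write ACE(s) belong to identities not on the expected list."
}
```

Unresolved SIDs show up as raw S-1-5-… values and are reported as unexpected, which is usually what you want for leftover ACEs from deleted accounts.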
Next we need to extend the AD schema. Do this on your Active Directory server as well: browse the network to your SCCM server (\\sccm\isodrive$), locate the folder where you uncompressed SCCM 2012 and find SMSSetup\Bin\x64\Extadsch.exe, then right-click it and choose Run as Administrator.

After you have done this, a log file, C:\ExtADSch.log, will be generated, so please check it for errors before continuing.

Now when you start the wizard, you have the option to download the prerequisites. I suggest you start by downloading those to a local folder on the server, since we need them later in the setup.

After they are downloaded continue with the install.

Since this is a new install, we choose Install a Configuration Manager primary site. (The other option, Install a Configuration Manager central administration site, also known as a CAS, is used to centrally manage multiple CM sites. More on that later.)
Since I don’t have a product key, I choose evaluation.
Accept the license terms.
Accept more license terms.

Browse to the path of the previously downloaded prerequisites.

I choose English here.

Same here.

Here we enter a site code, which consists of 3 letters. This site code is used as a boundary, so that a client that belongs to that particular site knows that it should contact these servers. Much like when you live in Oslo, you know that you need to contact the local police station in case something happens 🙂
In the site name just type something relevant; this information will also appear in the application web portal we are going to install later.

Next I choose to install the primary site as a standalone site (since this is a single domain).

Now enter the name of the SQL server. (You need to make sure that ports 1433 and 4022 are open in order for it to work. You also need to give the computer account administrative access on the SQL server and on the server you are installing SCCM on.)

Review the SMS Provider settings.

Under Client Computer Communication Settings, select Configure the communication method on each site system role. Since I don’t have a root CA, I need to choose HTTP.

Next I choose to install a Management Point and Distribution Point on this site, which will communicate via HTTP.

Now you get the summary screen; just double-check that this is correct and continue.

Next, setup is going to check the prerequisites. This consists of checking whether the server has rights to publish information to AD, whether the AD schema has been extended with the new SCCM schema, whether the SQL server is responding, and whether WSUS and/or AIK are installed (you don’t need to have these installed, since you might be using some other solution for patch management, so these will just give you a warning if you don’t have them installed), plus some more. You can check the setup log file on the C: drive to see which checks the setup does.

In my case I forgot to install WSUS, and I forgot to give the server administrative rights on the server, so I need to fix that before we continue. (As you can see, we can’t continue until we have fixed the problems that are listed as critical; you can have multiple warnings and still continue with the install.)

Now that I’ve done the previous steps, we only get some warning messages, so I continue with the installation. (Since my SQL server is running on a low-specced virtual machine, I get those messages.)

Voilà, the installation is complete. If I check in Active Directory now, you can see that it has automatically published information about that site.

PS: If something went wrong during the installation, double-check the log C:\ConfigMgrSetup.log; it might contain information about what went wrong.
In that case you might want to install cmtrace, a log viewing tool that resides on the ConfigMgr installation media under Tools.

Now I can open the console so we can continue with the configuration, so stay tuned for part 2 of this SCCM blogathon.