September, 2011 - System Center Configuration Manager Team Blog - Site Home - TechNet Blogs

System Center Configuration Manager Team Blog

The official blog of the Microsoft System Center Configuration Manager Product Group

September, 2011

Posts
  • System Center Configuration Manager Team Blog

    Release announcement: System Center Monitoring Pack for Configuration Manager 2007 SP2 (Converted)


    [Today’s announcement comes from Brian Huneycutt]

    The Sustained Engineering team has released an update to the “Microsoft System Center Configuration Manager 2007 SP2 Management Pack for Microsoft System Center Operations Manager 2007 R2”.

    Due to changes in naming convention, this update is now referred to as the “System Center Monitoring Pack for Configuration Manager 2007 SP2 (Converted)”. You can download the new release here.

    This is a very limited scope release intended to address top customer issues reported after shipping the last Management Pack (MP). As you can see from the name, this is still a converted MP, although the Monitoring Pack for Configuration Manager 2012 will be native.

    The following changes, also covered in the updated MP guide, are in version 6.0.6000.3.

    • Consolidation Event Rules have been disabled to prevent the generation of false alerts.
    • Operating system architecture detection logic was updated to determine 64-bit operating systems.
    • You no longer have to run the SQL Server query to clean up the localizedtext tables as part of the post-installation cleanup.
    • Scripts that target site database servers now retrieve time values directly from servers running instances of SQL Server instead of site servers to avoid time-zone discrepancies.
    • Site hierarchy discovery now succeeds even if a site or component server does not have a fully qualified domain name (FQDN) configured.
    • The AlertLevel property can now be overridden, giving you control over the severity level.
    • All monitors and rules are now public.
    • The "ConfigMgr 2007 Collection Evaluations Tasks" script has been updated to let you monitor a collection that has a NULL StartTime value. The "ConfigMgr 2007 Collection Evaluations Tasks" script now uses CollectionID instead of Collection Name to track collection tasks.

    The prior version of the MP will upgrade directly to the new release.

    If you are running an alternate MP, such as one that was unsealed, modified, and then sealed again, the upgrade steps will include the following:

    1. Export and delete any MP that references the alternate ConfigMgr 2007 MP.
    2. Delete the alternate MP.
    3. Import the official MP.
    4. Open any MP you exported in Step 1 using a text or XML editor and change the public key token in the ConfigMgr 2007 MP reference to match the Microsoft SN key.
    5. Re-import referencing MP(s).

    --Brian Huneycutt

    This posting is provided "AS IS" with no warranties, and confers no rights.

  • System Center Configuration Manager Team Blog

    Announcement: Configuration Manager Documentation Library Update for September


    [Today's post is from the Configuration Manager Writing Team]

    The Configuration Manager 2012 documentation library has been updated on the web and the latest content has Updated: September 1, 2011 at the top of the topic.

    There are no significant updates for the Configuration Manager 2007 documentation library this month.

    We will continue to add more information for Configuration Manager 2012 as we get that information from the product group and in response to customer feedback. At the moment, some topics are published without any content to let you know that it’s planned. We also monitor page hits and search results to help us plan when to publish the information. To help you find the right information, use the Configuration Manager 2012 search portal.

    Note that we are writing for the released product, rather than for any pre-release version, such as Beta 2. As such, there might be some discrepancies with the pre-release version that you are testing and the documentation.

    We value customer feedback and try to incorporate it when possible. Although we can’t promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com.

    What's New in the Configuration Manager 2012 Documentation Library for September 2011

    The following information lists the topics that contain significant changes since the August 2011 update.

    Configuring the Application Catalog and Software Center in Configuration Manager

    – New topic with the steps and procedures required to install and configure the Application Catalog and Software Center. These elements support user-centric management, a central theme of Configuration Manager 2012.

    Prerequisites for Application Management in Configuration Manager

    – Updated for the Application Catalog dependencies.

    How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager

    – Updated to clarify that mobile devices that are enrolled by Configuration Manager always connect to the Internet FQDN of the management point and distribution point in primary sites.

    Prerequisites for Client Deployment in Configuration Manager

    – Updated for Prerequisites for Mobile Device Clients.

    Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority

    – Updated the section Deploying the Web Server Certificate for Site Systems that run IIS, to accommodate site system roles that allow connections from the Internet.

    Administrator Checklist: Deploying Clients in Configuration Manager

    – New topic that lists the steps to deploy clients on computers and mobile devices.

    About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager

    – Information added about which client installation properties are published to Active Directory Domain Services.

     

    -- The Configuration Manager Writing Team


  • System Center Configuration Manager Team Blog

    Introducing Role-Based Administration in System Center 2012 Configuration Manager


    [Today’s post contributor is Lin Tang]

    Overview

    Role-based administration (RBA) is a new feature introduced in Configuration Manager 2012. RBA provides Configuration Manager administrators with an easy way to implement the security model that allows them to assign and manage administrative permissions by assigning which actions they are able to perform using security roles, which users and systems they can manage through collections, and which objects they can access using security scopes. Based on their administrative permissions, the Configuration Manager console has been significantly enhanced to provide administrators with a streamlined view that is customized to their specific role—showing only what they need to do their job.

    Key Concepts

    Security Role

    Each security role combines objects with permitted operations that collectively allow a Configuration Manager administrative user to perform a job function such as “Application Administrator”. Objects are the items in Configuration Manager that you want to protect, such as applications. Operations are what you can do with the objects, like read, modify, and delete. Administrators who are familiar with Configuration Manager 2007 could view security roles as a set of “Class Permissions”. (reference http://technet.microsoft.com/en-us/library/bb632332.aspx)

    Security roles are created for different job functions.  Instead of granting granular permissions to a Configuration Manager administrative user, you assign a particular security role to them. Configuration Manager provides several built-in roles which can meet some popular functions, like Software Update Manager for managing software updates. You also can define customized security roles by copying an existing role and making some modifications, or importing security roles that you have obtained.

    Security Scope

    Use security scopes to limit an administrative user's access to specific secured objects. Security roles grant the class level permission to the user such as “Read Applications”. Security scopes grant instance level permission for which applications they can read. Administrators who are familiar with Configuration Manager 2007 could view security scopes as a way of grouping “Instance Permissions”. (reference http://technet.microsoft.com/en-us/library/bb632332.aspx)

    Let’s look at an example:  You have two collections: “All Desktops” and “All Servers”, and you have different asset managers to manage these collections.  According to the security role definition, both of them have the permission to create and modify software metering rules. However, you really don’t want the “All Desktops” administrator to modify the metering rules for the “All Servers” collection.  You can use security scopes to assign the “All Desktops” metering rules to the “Desktop Content” security scope, and server metering rules to the “Server Content” security scope. You then assign the correct security scope to each administrator. Once you configure the security assignments in this way, the “All Desktops” administrator cannot create a rule targeting “All Servers”, nor can they modify a metering rule that the “All Servers” administrator created.  Other examples are where you want to protect other object types such as applications, packages, boundaries, sites, task sequences, etc. You can just assign them to a security scope which is only assigned to the administrative users that need to access them.

    When discussing security scopes, we should also discuss the “Default Scope”. The “Default Scope” is a concept that might be confusing at first. When the Configuration Manager site is installed, there are many secured objects already in the system, e.g. site and query. Because all securable object types must have a security scope assigned to them, their default scope is the built-in “Default Scope”.  The “Default Scope” is not a security scope to which new objects are automatically associated. When you create a new object, the security scopes associated with the object depend on the security assignments of the administrative user who creates the object.

    Collection

    A Collection is the group of devices or users the administrative user can manage. Unlike security roles and security scopes, collections support a hierarchy relationship by using the collection limiting functionality that is new in Configuration Manager 2012. The Configuration Manager collection features, which include Collection Limiting and the “Exclude” and “Include” membership rules, are very powerful administration tools. If you define a query based collection called “All Desktops”, it can be limited to (a subset of) the “All Systems” collection. If you want to ensure that “All Desktops” never contains servers, you can create a membership rule that excludes the “All Servers” collection. Even if you accidentally add a server as a direct member to “All Desktops”, that server would not be evaluated as an “All Desktops” member because the exclude rule takes precedence.

    When you add a new Configuration Manager administrative user that has collection creation permissions and they are assigned the “All Desktops” collection, you are ensuring that they cannot manage the servers since any collections they create will always be limited to (a subset of) the “All Desktops” collection. When you assign the “All Desktops” collection to an administrative user, they will automatically have permissions on all collections which are limited to “All Desktops”, and they are restricted from modifying the collection definition for “All Desktops”.

    Collection Based Security Partitions

    In Configuration Manager 2007, you may have used Configuration Manager sites as administrative boundaries. If you wanted to assign one administrator exclusive permissions for Europe, and a different administrator permissions for North America, you may have set up two different sites that enforced these security limitations. With Configuration Manager 2012, sites are no longer administrative boundaries and administrative permissions are achieved by assigning collections to administrative users. This has a few important implications:

    1)  If you have multiple Configuration Manager 2007 sites only to serve as administration boundaries, you can now reduce your infrastructure cost by using fewer servers and sites through the use of collections!

    2)  When an administrator is assigned to the “All Windows 7” collection, that collection is evaluated across the entire hierarchy, not just within the local site.  This means that if you have a global “Assets and Compliance Manager”, they can manage all systems from one Configuration Manager console.  With Configuration Manager 2007 they would need to sign into each site and repetitively perform their duties.  Now, they can do this once, from one console, from wherever they are located.

    3)  If you would like to keep your previous administrative boundaries (e.g. Europe and North America), you will need to define a collection for each of these groups and assign them to your administrative users.

    Example Scenario

    1.    Background

    Let’s go through a full user scenario to understand these concepts. Kevin is granted the “Full Administrator” security role with access to all objects and all collections during the installation of the Configuration Manager site. Kevin’s company has two primary locations, North America and Europe. Kevin wants to grant Meg the responsibility of managing applications for the North America desktops. Also, Kevin prefers that Meg can see all of the applications in the Configuration Manager, including those for the Europe desktops.

    2.    Create Security Role

    Kevin checks all the security roles in the system, and the built-in role “Application Administrator” can meet his requirement for Meg to manage applications. He also notices there is no security role he can use for only reading all the applications in Configuration Manager. Therefore, Kevin will make a custom security role named Application Auditor that is based on the Application Administrator security role. On the Copy Security Role page, Kevin removes all permissions for modify/delete/create, and keeps only the read permissions.

    3.    Create Security Scope

    Kevin then goes to the Security Scope node of the Configuration Manager console, and adds two new security scopes. He names them NA and EU. Now he needs to assign related objects to the right security scope based on the objects' locations. To make the application deployment scenario work correctly, Kevin not only assigns some applications to the security scopes, but also associates the proper distribution points and distribution point groups with the security scopes he created. To do this, Kevin has to go to the Applications node, the Distribution Points node, or the Distribution Point Groups node in the Configuration Manager console, select the objects, and set the security scopes for these objects. There are already two existing collections which include desktops in North America and Europe. Kevin can use them to limit the devices Meg can manage.

      

    4.    Create Administrative User

    Kevin now goes to the Administrative Users node to add Meg’s account to the system. He assigns the Application Administrator security role to Meg and limits Meg’s access only to objects in the NA security scope. He also assigns the All NA Desktops collection to Meg, which means Meg can manage only the devices in this collection. Instead of granting Meg another security role, Kevin wants to create an Active Directory security group, Application Auditors, which contains the users he wants to grant the read permission to for all the applications. He follows the same steps as when he created Meg’s account to add the security group to the system, but with a different security role and security scope. He also adds Meg’s account to the new Active Directory security group he created that was named Application Auditors.

    5.    Review Security Configuration

    Kevin can go to the Reports node to check the security configuration of Configuration Manager. He runs the report “Security for a specific or multiple Configuration Manager objects” to see what objects he has assigned to the NA security scope. Also, he can run the report “Audit log of Role-Based Access Control objects” to check all the security activities that have occurred in the site to see whether there are violations configured by other administrators. There are several other reports under Administrative Security which Configuration Manager provides to help the administrator.

    Finally, Kevin notifies Meg that she has access to the Configuration Manager system. Meg installs the Configuration Manager console and now logs in to do her job. Meg opens the Configuration Manager console and finds she has all the permissions to manage applications for NA desktops. She can also see some applications in the EU security scope but cannot modify them.
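The scenario above as a small Python model, added here as an illustration; it is not Configuration Manager code or its API. It shows how Meg's direct entry and her Application Auditors group membership combine, and how collection limiting extends her reach to collections limited to All NA Desktops. The permission set, the application names, the "All EU Desktops" and "NA Pilot Desktops" collections, the auditors group's scopes, and the rule that a single entry must supply role, scope and collection together are assumptions.

```python
"""Simplified model of the role / scope / collection checks in the scenario.
Added illustration; not Configuration Manager code or its API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # (object class, operation) pairs: class-level rights


@dataclass(frozen=True)
class SecuredObject:
    name: str
    object_class: str
    scopes: frozenset       # security scopes the object is assigned to


@dataclass(frozen=True)
class AdminEntry:
    """One entry under Administrative Users: a user account or an AD group."""
    principal: str
    roles: tuple
    scopes: frozenset
    collections: frozenset


def copy_role(source, new_name, keep_operations):
    """Mirror the Copy Security Role step: keep only the listed operations."""
    kept = frozenset(p for p in source.permissions if p[1] in keep_operations)
    return Role(new_name, kept)


def entries_for(user, entries, groups):
    """Entries that apply to a user directly or through group membership."""
    principals = {user} | groups.get(user, set())
    return [e for e in entries if e.principal in principals]


def entry_allows(entry, operation, obj):
    """The role supplies the class-level right, the scope selects the instance."""
    class_right = any((obj.object_class, operation) in r.permissions
                      for r in entry.roles)
    return class_right and bool(entry.scopes & obj.scopes)


def can(user, operation, obj, entries, groups):
    return any(entry_allows(e, operation, obj)
               for e in entries_for(user, entries, groups))


def limiting_chain(collection, limited_to):
    """The collection plus every collection it is (transitively) limited to."""
    chain = []
    while collection is not None and collection not in chain:
        chain.append(collection)
        collection = limited_to.get(collection)
    return chain


def can_deploy(user, app, collection, entries, groups, limited_to):
    """Assumed rule: a single entry must supply role, scope and collection."""
    chain = set(limiting_chain(collection, limited_to))
    return any(entry_allows(e, "Deploy", app) and bool(e.collections & chain)
               for e in entries_for(user, entries, groups))


# --- Constructed data for the Kevin / Meg scenario -------------------------
APP_ADMIN = Role("Application Administrator", frozenset(
    ("Application", op)
    for op in ("Read", "Modify", "Delete", "Create", "Deploy")))
APP_AUDITOR = copy_role(APP_ADMIN, "Application Auditor", {"Read"})

NA_APP = SecuredObject("NA expense tool", "Application", frozenset({"NA"}))
EU_APP = SecuredObject("EU expense tool", "Application", frozenset({"EU"}))

LIMITED_TO = {  # collection -> the collection it is limited to
    "All Systems": None,
    "All NA Desktops": "All Systems",
    "All EU Desktops": "All Systems",
    "NA Pilot Desktops": "All NA Desktops",
}
ENTRIES = (
    AdminEntry("Meg", (APP_ADMIN,), frozenset({"NA"}),
               frozenset({"All NA Desktops"})),
    AdminEntry("Application Auditors", (APP_AUDITOR,),
               frozenset({"NA", "EU"}), frozenset()),
)
GROUPS = {"Meg": {"Application Auditors"}}  # AD group membership


def meg_view():
    """What Meg can and cannot do once both entries apply to her."""
    return {
        "modify NA app": can("Meg", "Modify", NA_APP, ENTRIES, GROUPS),
        "read EU app": can("Meg", "Read", EU_APP, ENTRIES, GROUPS),
        "modify EU app": can("Meg", "Modify", EU_APP, ENTRIES, GROUPS),
        "deploy NA app to NA Pilot Desktops": can_deploy(
            "Meg", NA_APP, "NA Pilot Desktops", ENTRIES, GROUPS, LIMITED_TO),
        "deploy NA app to All EU Desktops": can_deploy(
            "Meg", NA_APP, "All EU Desktops", ENTRIES, GROUPS, LIMITED_TO),
    }


if __name__ == "__main__":
    for check, allowed in meg_view().items():
        print(f"{check:36} {'allowed' if allowed else 'denied'}")
```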

     

    Summary

    With the RBA feature introduced in Configuration Manager 2012, managing your Configuration Manager administrative permissions becomes more efficient and flexible. Administrators can delegate tasks by assigning the roles, scopes, and collections faster, easier, and with greater confidence.

    --Lin Tang


  • System Center Configuration Manager Team Blog

    Known Issue and Workaround: Duplicate Records When You Use Unknown Computer Support with Active Directory Delta-Discovery


    9/9/2011 - The script in this posting has been updated to handle assigning a new machine name during the deployment.

    [Today’s post comes from Minfang Lv]

    This post describes how and when you might see duplicate records when you use unknown computer support with Active Directory Delta-Discovery in Configuration Manager 2007 R3, what problems you might see, and some suggested workarounds.

    Unknown computer support is an operating system deployment feature that was introduced in Configuration Manager 2007 R2. It allows you to find unmanaged computers so that you can install an operating system on them, and optionally, install the Configuration Manager client: http://technet.microsoft.com/en-us/library/cc431374.aspx.

    Active Directory Delta Discovery is a new feature in Configuration Manager 2007 R3 that enhances the discovery capabilities of the product by discovering only new or changed resources in Active Directory Domain Services instead of performing a full discovery cycle: http://technet.microsoft.com/en-us/library/ff977086.aspx.

    If you use these two features at the same time, you might see duplicate records for the unknown computer in the Configuration Manager database. In this scenario, you will see two records in the Configuration Manager console that have the same name as the computer that installed an operating system by using unknown computer support: one record shows that it is a client and assigned; the other record shows that it is not a client and not assigned.

    The Technical Details

    When you install an operating system by using unknown computer support, the following processes happen:

    1. A record that represents that computer is added to the Configuration Manager database so that the computer can receive the operating system deployment advertisement and run it.
    2. The computer successfully installs the operating system and joins the domain, which creates a computer object in Active Directory Domain Services.
    3. Configuration Manager Active Directory System Discovery finds the computer object in Active Directory Domain Services and creates a discovery data record (DDR) for Configuration Manager.
    4. The computer installs the Configuration Manager client, registers with the Configuration Manager site, and updates the record that was created by unknown computer support.

    If the DDR is created (number 3) after the computer installs (number 4), you won’t see a duplicate record because Configuration Manager has enough information to merge the Active Directory DDR with the computer record.  However, if the DDR is created before the computer installs and registers (in the order listed above), Configuration Manager cannot match and merge the two records, which results in the duplicate record.

    This problem is a timing issue, which has always existed in the product.  However, the introduction of Active Directory Delta Discovery in Configuration Manager 2007 R3 means that you are now more likely to see the duplicate records.

    Potential Issues

    There are two potential issues as a result of this problem:

    • You will see two records in the Configuration Manager database: The correct record that is created by unknown computer support, which shows the client to be installed and assigned; and the incorrect record that is created by Active Directory Delta Discovery, which shows no client installed and not assigned:
      • Active Directory discovery updates the incorrect record rather than the correct record, with the result that the correct record is not associated with any Active Directory groups.
      • If you create a query-based collection that uses the data collected by Active Directory discovery, the newly installed computer will not be included and so will not receive any advertisements that are configured for this collection.
    • The two records will always remain in the Configuration Manager database and the Delete Aged Discovery Data task does not delete either of them when you use default settings (the delete time is longer than the heartbeat interval and the Active Directory full discovery schedule):
      • The correct record is updated by registration and heartbeat discovery.
      • The incorrect record is updated by Active Directory discovery.
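A report-only check for the duplicate pair described above, written as an added Python example that is not part of the original post or its sample scripts. It applies the same null-property test that DeleteDuplicatedRecord.vbs uses, but flags a record only when exactly one registered client record with the same name exists. The record dictionaries and ResourceId values are constructed, and treating Client = 1 as "client installed" is an assumption of the example.

```python
"""Find discovery-only records that shadow a registered client record.
Added example over constructed data; it reports and never deletes."""
from collections import defaultdict

# Properties that the sample VBScript requires to be null before deleting.
IDENTITY_FIELDS = ("Active", "Client", "ClientType", "HardwareID",
                   "SMBIOSGUID", "SMSUniqueIdentifier")


def is_discovery_only(record):
    """True for a record that carries no client identity at all."""
    return all(record.get(field) is None for field in IDENTITY_FIELDS)


def is_registered_client(record):
    """Assumption: Client == 1 plus a unique identifier means registered."""
    return (record.get("Client") == 1
            and record.get("SMSUniqueIdentifier") is not None)


def find_duplicates(records):
    """Return one finding per name that has a client record and stale twins."""
    by_name = defaultdict(list)
    for record in records:
        by_name[(record.get("NetbiosName") or "").upper()].append(record)

    findings = []
    for name, group in sorted(by_name.items()):
        clients = [r for r in group if is_registered_client(r)]
        stale = [r for r in group if is_discovery_only(r)]
        # Skip names without a registered twin (a machine that is simply not
        # a client yet) and names with several clients (ambiguous, review
        # by hand instead of picking one).
        if len(clients) != 1 or not stale:
            continue
        findings.append({
            "name": name,
            "keep": clients[0]["ResourceId"],
            "delete": sorted(r["ResourceId"] for r in stale),
        })
    return findings


def rec(resource_id, name, client=False):
    """Build a constructed sample record with the properties the script reads."""
    record = {"ResourceId": resource_id, "NetbiosName": name}
    for field in IDENTITY_FIELDS:
        record[field] = None
    if client:
        record.update({"Active": 1, "Client": 1, "ClientType": 1,
                       "HardwareID": f"2:CONSTRUCTED-{resource_id}",
                       "SMBIOSGUID": f"CONSTRUCTED-SMBIOS-{resource_id}",
                       "SMSUniqueIdentifier": f"GUID:CONSTRUCTED-{resource_id}"})
    return record


# Constructed sample data, not output from a real site.
SAMPLE = [
    rec(101, "PC-001", client=True),   # created by unknown computer support
    rec(117, "PC-001"),                # created by AD discovery: the duplicate
    rec(102, "PC-002"),                # discovered only, no client yet: keep
    rec(103, "PC-003", client=True),   # client only: nothing to do
    rec(104, "pc-004", client=True),   # names are compared case-insensitively
    rec(119, "PC-004"),
    rec(118, "PC-004"),
    rec(105, "PC-005", client=True),   # two client records: ambiguous
    rec(106, "PC-005", client=True),
    rec(120, "PC-005"),
]

if __name__ == "__main__":
    for finding in find_duplicates(SAMPLE):
        print(finding)
```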

    Workarounds

    Use one of the two workarounds for Configuration Manager 2007 R3:

    • Manually delete the incorrect records that show that the client is not installed and not assigned, and then run a full discovery cycle for Active Directory discovery. This workaround is recommended because it is the simplest, but requires manual intervention.  
    • Automatically delete the incorrect records and run a full discovery cycle for Active Directory discovery by configuring a status filter rule that runs a script.  This workaround requires scripting and additional configuration steps but it might be appropriate if you must install software as soon as possible on the newly installed computers and you use Active Directory discovery data for the query-based collections.

    Use the following steps:

    1. Create and then copy CMDWrapper.bat and DeleteDuplicatedRecord.vbs files to your C drive.  To create these files, see the following samples that use the Configuration Manager SDK.
    2. Use the following procedure to create the status filter rule:

    A.   In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Status Filter Rules.

    B.   Right-click Status Filter Rules, click New, and then click New Status Filter Rule.

    C.   On the General page of the New Status Filter Rule Wizard, specify a name for the new status filter rule and configure the following for the message-matching criteria:

      • Set Source: ConfigMgr Client
      • Site code:  <Site Code>
      • Message ID: 11171
      • Property:  AdvertisID
      • Property Value:  <ID of the task sequence that is assigned to the unknown computers>

    D.   On the Actions page of the New Status Filter Rule Wizard, specify the following action:

      • Run a program
      • Program: c:\CMDWrapper.bat %msgsc %msgsys %sitesvr

    Sample scripts

    Disclaimer: These are sample scripts that use the Configuration Manager 2007 SDK. Make sure that you test your scripts in a test environment before you run them on a production network.

    CMDWrapper.bat

    call cscript c:\DeleteDuplicatedRecord.vbs %1 %2 %3

    DeleteDuplicatedRecord.vbs

    '======Delete duplicate records
    
    '======Usage DeleteDuplicateRecords <sitecode> <SystemNetBIOSName> <servername>
    
    
    
    Const ForAppending = 8
    
    Const Interval = 30	'in minutes, only support 30 and 60. Please implement if you want another value

    Const Tolerent = 10	'in minutes, make sure the good record has the name now.
    
    Const sFileName = "c:\DeleteDuplicatedRecordsLog.log"
    
    
    
    '======Create/Append Log Files
    
    Dim oFilesys, oFiletxt, sPath 
    
    Set oFilesys = CreateObject("Scripting.FileSystemObject") 
    
    if (oFilesys.FileExists(sFileName)) Then
    
        Set oFiletxt = oFileSys.OpenTextFile(sFileName, ForAppending, True)
    
      else
    
        Set oFiletxt = oFilesys.CreateTextFile(sFileName, False) 
    
    End if
    
    oFiletxt.WriteLine("DeleteDuplicatedRecordsLog") 
    
    oFiletxt.WriteLine("============" &Now())
    
    
    
    '======Check Parameters
    
    if (WScript.arguments.count <> 3) then
    
     oFiletxt.WriteLine("Usage DeleteDuplicatedRecords <sitecode> <SystemNetBIOSName> <servername>")
    
     WScript.Quit
    
    else
    
     oFiletxt.WriteLine("SiteCode = " & WSCript.arguments(0))
    
     oFiletxt.WriteLine("Machine name = " & WSCript.arguments(1))
    
     oFiletxt.WriteLine("ServerName = " & WSCript.arguments(2))
    
    end if
    
    
    
    SiteCode=WSCript.arguments(0)
    
    MachineName=WSCript.arguments(1)
    
    ServerName=WSCript.arguments(2)
    
    
    
    
    
    '======Connect to SMS Provider
    
    Set lLocator = CreateObject("WbemScripting.SWbemLocator")
    
    Set gService = lLocator.ConnectServer(".","root\sms\site_" + SiteCode)
    
    Set swbemContext = CreateObject("WbemScripting.SWbemNamedValueSet")
    
    swbemContext.Add "SessionHandle", gService.ExecMethod("SMS_SiteControlFile", "GetSessionHandle").SessionHandle
    
    
    
    
    
    '===============================================================================================================================================
    
    '======If you give the computer a new machine name, you need to query for the new machine name
    
    oFiletxt.WriteLine("Wait for 5 minutes for the client to register successfully")
    
    WScript.Sleep 1000*60*5
    
    oFiletxt.WriteLine("wake up: " &Now())
    
    oFiletxt.WriteLine("Check to see if the machine name has been changed")
    
    statusMessageQuery = "select RecordID from SMS_StatMsg where MessageID = 11171 and MachineName = '" & MachineName & "' order by RecordID desc"
    
    Set statusMessages = gService.ExecQuery(statusMessageQuery)
    
    if (statusMessages.Count < 1) then
    
      oFiletxt.WriteLine("No Status Message with ID = 11171 and MachineName = " & MachineName & ", exiting...")
    
      WScript.Quit
    
    end if
    
    For each statusMessage in statusMessages
    
      RecordID = statusMessage.RecordID
    
      exit for
    
    Next
    
    oFiletxt.WriteLine("Status Message RecordID = " & RecordID)
    
    statusMessageAttributeQuery = "select AttributeValue from SMS_StatMsgAttributes where RecordID = '" & RecordID & "' and AttributeID = 408"
    
    Set statusMessagesAttributes = gService.ExecQuery(statusMessageAttributeQuery)
    
    if (statusMessagesAttributes.Count < 1) then
    
      oFiletxt.WriteLine("No Status Message Attribute with AttributeID = 408 and RecordID = " & RecordID & ", exiting...")
    
      WScript.Quit
    
    end if
    
    For each statusMessagesAttribute in statusMessagesAttributes
    
      GUID = statusMessagesAttribute.AttributeValue
    
      exit for
    
    Next
    
    oFiletxt.WriteLine("SMS Client GUID = " & GUID)
    
    machineNameQuery = "select NetbiosName from SMS_R_System where SMSUniqueIdentifier = '" & GUID & "'"
    
    Set machineNames = gService.ExecQuery(machineNameQuery)
    
    if (machineNames.Count < 1) then
    
      oFiletxt.WriteLine("No Systems with SMSGUID = " & GUID & ", using the Machine Name in the status message")
    
    else
    
      For each newMachineName in machineNames
    
        MachineName= newMachineName.NetbiosName
    
        exit for
    
      Next
    
      oFiletxt.WriteLine("New MachineName = " & MachineName)
    
    end if
    
    '=================================================================================================================================================
    
    
    
    
    
    '======Find the system with the specific machine name.
    
    duplicateRecordsQuery = "select * from SMS_R_System where NetBIOSName = '" + MachineName + "'"
    
    Set duplicatedRecords = gService.ExecQuery(duplicateRecordsQuery)
    
    
    
    if (duplicatedRecords.Count < 1) then
    
      oFiletxt.WriteLine("Didn't find the machine, exiting...")
    
      WScript.Quit
    
    end if
    
    
    
    '======Delete if the Client, Client Type, Hardware ID, SMBIOSGUID, SMSUniqueIdentifier is null
    
    Deleted = 0
    
    for each item in duplicatedRecords
    
      Active = item.Properties_.Item("Active") 
    
      AgentName= item.Properties_.Item("AgentName")
    
      Client = item.Properties_.Item("Client") 
    
      ClientType = item.Properties_.Item("ClientType")
    
      HardwareID = item.Properties_.Item("HardwareID") 
    
      Name = item.Properties_.Item("Name")
    
      NetbiosName = item.Properties_.Item("NetbiosName") 
    
      ResourceId = item.Properties_.Item("ResourceId")
    
      SMBIOSGUID = item.Properties_.Item("SMBIOSGUID") 
    
      SMSUniqueIdentifier = item.Properties_.Item("SMSUniqueIdentifier")
    
      oFiletxt.WriteLine("Active: " & Active)
    
      for each AgentNameInstance in AgentName
    
        oFiletxt.WriteLine("AgentName: " & AgentNameInstance)
    
      Next
    
      oFiletxt.WriteLine("Client: " & Client)
    
      oFiletxt.WriteLine("ClientType: " & ClientType)
    
      oFiletxt.WriteLine("HardwareID: " & HardwareID)
    
      oFiletxt.WriteLine("Name: " & Name)
    
      oFiletxt.WriteLine("NetbiosName: " & NetbiosName)
    
      oFiletxt.WriteLine("ResourceId: " & ResourceId)
    
      oFiletxt.WriteLine("SMBIOSGUID: " & SMBIOSGUID)
    
      oFiletxt.WriteLine("SMSUniqueIdentifier: " & SMSUniqueIdentifier)
    
      if (IsNull(Active) and IsNull(Client) and IsNull(ClientType) and IsNull(HardwareID) and IsNull(SMBIOSGUID) and IsNull(SMSUniqueIdentifier)) then
    
        oFiletxt.WriteLine("Delete this one: ResourceId = " & ResourceId)
    
        'Delete Record when there's duplicate and it's active/SMBIOSGUID, etc is null
    
        item.Delete_
    
        oFiletxt.WriteLine("Deleted item: ResourceId = " & ResourceId)
    
        Deleted = 1
    
      end if
    
    Next
    
    
    
    if (Deleted <> 1) then
    
      oFiletxt.WriteLine("Didn't delete anything, exiting...")
    
      WScript.Quit
    
    end if 
    
    
    
    
    
    '======If there's delete operation, trigger a full AD Group/SG discovery in no later than half hour.
    
    '======Get the Current Time & Calculate Next full schedule time.
    
    CurrentTime = Now
    
    CurrentTime = DateAdd("n", Tolerent, CurrentTime)
    
    oFiletxt.WriteLine("Defined Interval: " & Interval)
    
    oFiletxt.WriteLine("Current Time: "& CurrentTime)
    
    
    
    MinusSec = 0 - Second(CurrentTime)
    
    MinusMin = 0 - Minute(CurrentTime)
    
    CurrentTime = DateAdd("s",MinusSec,CurrentTime)
    
    
    
    if (Interval = 60) then
    
        CurrentTime = DateAdd("n",MinusMin,CurrentTime)
    
        CurrentTime = DateAdd("h",1,CurrentTime)
    
    else 
    
        if (Interval = 30) then
    
            if (Minute(CurrentTime) <= 30) then
    
                CurrentTime = DateAdd("n", 30 + MinusMin, CurrentTime)
    
            else
    
                CurrentTime = DateAdd("n", MinusMin,CurrentTime)
    
                CurrentTime = DateAdd("h",1,CurrentTime)
    
            end if
    
        end if
    
    end if
    
    
    
    NextPlannedTime = CreateWMITime(CurrentTime)
    
    oFiletxt.WriteLine("Next Planned Full Sync Time: "& NextPlannedTime)
    
            
    
    '======Set the Startup Time of the next full discovery
    
    Call ScheduleFullSync("SMS_AD_SYSTEM_GROUP_DISCOVERY_AGENT", SiteCode, ServerName, NextPlannedTime)
    
    Call ScheduleFullSync("SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT", SiteCode, ServerName, NextPlannedTime)
    
    oFiletxt.WriteLine("Successfully Configured, exiting...")
    
    wScript.Quit
    
    
    
    '======End of the script
    
    
    
    Function ScheduleFullSync(DiscoveryMethodName, SiteCode, ServerName, NextPlannedTime)
    
        oFiletxt.WriteLine("Now Configure " & DiscoveryMethodName)
    
        Dim DeltaEnabled	'Whether the delta discovery is enabled
    
        Dim StartupPropertyName	'Startup Schedule or Full Sync Schedule depends on whether delta discovery is enabled or not.
    
        Dim StartUpTime
    
    
    
        DeltaEnabled = false
    
        Query = "SELECT * FROM SMS_SCI_Component " & _
    
        	"WHERE ItemName = '" & DiscoveryMethodName & "|" & ucase(serverName) & "' " &  _
    
        	"AND SiteCode = '" & siteCode & "'"           
    
        
    
        oFiletxt.WriteLine("[Debug]Query = " & Query)
    
        'Get the Discovery Agent properties.
    
        Set SCIComponentSet = gService.ExecQuery(Query, ,wbemFlagForwardOnly Or wbemFlagReturnImmediately, swbemContext)
    
    
    
    
    
        'First Loop to see if delta discovery is enabled
    
        For Each SCIComponent In SCIComponentSet
    
        
    
        ' Loop through the array of embedded SMS_EmbeddedProperty instances.
    
            For Each vProperty In SCIComponent.Props
    
                
    
                ' Setting: Delta Discovery Enabled or not
    
                if (vProperty.PropertyName = "Enable Incremental Sync") then
    
                    oFiletxt.WriteLine ("Delta Discovery value: " & vProperty.value)
    
                    DeltaEnabled = vProperty.Value 
    
                end if
    
                ' Setting: if full schedule is enabled or not
    
                if (vProperty.PropertyName = "SETTINGS") then
    
                    oFiletxt.WriteLine ("Active: " & vProperty.value1)
    
                    if (vProperty.value1 = "INACTIVE") then
    
                       oFiletxt.WriteLine ("Discovery not enabled, exiting Function")
    
                       exit Function
    
                    end if
    
                end if            
    
            Next
    
        Next
    
    
    
    '======If Delta Discovery is not enabled, the PropertyName is "Startup Schedule"; otherwise it's "Full Sync Schedule".
    
        if (DeltaEnabled = false) then
    
            StartupPropertyName = "Startup Schedule"
    
        else
    
            StartupPropertyName = "Full Sync Schedule"
    
        end if
    
    
    
        'Second loop to get the Startup time
    
        For Each SCIComponent In SCIComponentSet
    
       
    
            ' Loop through the array of embedded SMS_EmbeddedProperty instances.
    
            For Each vProperty In SCIComponent.Props
    
                oFiletxt.WriteLine("check Property Name: " & StartupPropertyName)
    
                ' Setting: Startup Schedule
    
                If vProperty.PropertyName = StartupPropertyName Then
    
                    StartUpScheduleToken = vProperty.Value1

                    oFiletxt.WriteLine("Original StartUpScheduleToken: " & StartUpScheduleToken)

                    Set InParams = gService.Get("SMS_ScheduleMethods").Methods_("ReadFromString").InParameters.SpawnInstance_

                    InParams.StringData = StartUpScheduleToken

                    set outParams = gService.ExecMethod("SMS_ScheduleMethods","ReadFromString",InParams,,swbemContext)



                    oFiletxt.WriteLine("**DayDuration:" & outParams.TokenData(0).DayDuration)

                    oFiletxt.WriteLine("**HourDuration:" & outParams.TokenData(0).HourDuration)

                    oFiletxt.WriteLine("**MinuteDuration:" & outParams.TokenData(0).MinuteDuration)

                    oFiletxt.WriteLine("**DaySpan:" & outParams.TokenData(0).DaySpan)

                    oFiletxt.WriteLine("**HourSpan:" & outParams.TokenData(0).HourSpan)

                    oFiletxt.WriteLine("**MinuteSpan:" & outParams.TokenData(0).MinuteSpan)

                    oFiletxt.WriteLine("**StartTime:" & outParams.TokenData(0).StartTime)

                    oFiletxt.WriteLine("**IsGMT:" & outParams.TokenData(0).IsGMT)



                    StartUpTime = outParams.TokenData(0).StartTime



                    'If the Startup Time is not equal to the planned next schedule time, update it.

                    if (StartUpTime <> NextPlannedTime) then

                        oFiletxt.WriteLine("Original Startup time != Planned time, update it")



                        outParams.TokenData(0).StartTime = NextPlannedTime

                        Set clsScheduleMethod = gService.Get("SMS_ScheduleMethods")

                        clsScheduleMethod.WriteToString Array(outParams.TokenData(0)), NextPlannedTimeScheduleToken

                        oFiletxt.WriteLine("NextPlannedTimeScheduleToken:" & NextPlannedTimeScheduleToken)



                        vProperty.value1 = NextPlannedTimeScheduleToken

                        Set SCICompPath = SCIComponent.Put_(wbemChangeFlagUpdateOnly, swbemContext)

                        ' Commit the change to the actual site control file.

                        Set InParams = gService.Get("SMS_SiteControlFile").Methods_("CommitSCF").InParameters.SpawnInstance_

                        InParams.SiteCode = siteCode

                        gService.ExecMethod "SMS_SiteControlFile", "CommitSCF", InParams, , swbemContext

                    else
    
                        oFiletxt.WriteLine("Next schedule time is within 30 minutes, will not change")
    
                    End If  
    
                End If              
    
            Next
    
        Next
    
    End Function
    
    
    
    Function CreateWMITime(StringTime)
    
        Dim iYear,iMonth, iDay, iHour, iMinute, iSecond
    
        iYear = Year(StringTime)
    
        iMonth = Month(StringTime)
    
        iDay = Day(StringTime)
    
        iHour = Hour(StringTime)
    
        iMinute = Minute(StringTime)
    
        iSecond = Second(StringTime)
    
      
    
        if len(iMonth)<2 then
    
            iMonth = "0" & iMonth
    
        End if
    
        if len(iDay)<2 then
    
            iDay = "0" & iDay
    
        End if
    
        if len(iHour)<2 then
    
            iHour = "0" & iHour
    
        End if
    
        if len(iMinute)<2 then
    
            iMinute = "0" & iMinute
    
        End if
    
        if len(iSecond)<2 then
    
            iSecond = "0" & iSecond
    
        End if
    
        CreateWMITime = iYear & iMonth & iDay & iHour & iMinute & iSecond & ".000000+***"
    
        if len(CreateWMITime)<25 or len(CreateWMITime)>25 then
    
            CreateWMITime = ""
    
        end if
    
    End Function
    

    --Minfang Lv

    This posting is provided "AS IS" with no warranties and confers no rights.
  • System Center Configuration Manager Team Blog

    Configuration Manager Support Announcements for August 2011

    • 1 Comments

    [Today's post comes from Harini Muralidharan]

    We are announcing support changes for the following releases. Please look for these changes to be reflected in the Supported Configuration pages within a few months.

    Configuration Manager 2007 supports Microsoft SQL Server 2008 R2 SP1 and Microsoft SQL Server 2008 SP3.

    System Center Configuration Manager 2007 SP2, R2 and R3 now support Microsoft SQL Server 2008 R2 SP1 and Microsoft SQL Server 2008 SP3 as a Configuration Manager 2007 site database.

    The Reporting Service Point site system role and Client Status Reporting feature found in System Center Configuration Manager 2007 R2 and R3 are also supported with these versions of SQL Server.

    No software updates are required.

    --Harini Muralidharan

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

  • System Center Configuration Manager Team Blog

    R3 Client Computers Fail to Load Power Management Policy

    • 0 Comments

    [Brian Huneycutt provides today’s blog post]

    An issue with the client patch process was recently discovered, which might lead to Configuration Manager 2007 R3 clients failing to load power policy.

    Affected clients are those that have applied the Configuration Manager 2007 SP2 prerequisite hotfix for R3 (KB977384) followed by any of the later client hotfixes from the list below.  The cause of the issue has to do with un-versioned files (.MOF files in this specific case) added during the patch process.

    The result is compilation of the wrong version of CollectionSettings.MOF on clients, removing data from the CCM_PowerConfig class that is required to process power policy.

    Affected hotfixes:

    2392488: Advertisement is not scheduled to run on a System Center Configuration Manager 2007 SP2 client if the client computer starts or awakens within the maintenance window

    2444668: Hotfix rollup for Asset Intelligence compatibility issues in System Center Configuration Manager 2007 SP2 with other Microsoft volume license products: November 2010

    2481567: Asset Intelligence "License 01A" report incorrectly reports the MSDN editions of Windows Server 2008 as Windows XP in System Center Configuration Manager 2007 SP2 if MAK keys are used

    If any of the 3 hotfixes above have been applied after the R3 prerequisite hotfix, you will see errors similar to the following in the client PolicyEvaluator log file:

    //
    
    Applying policy ABC0000F-{916a12bb-a67c-4602-a393-ee6972925a05}
    
    Failed to load policies from XML.
    
    Not found (Error: 80041002; Source: WMI)
    
    Bad policy dumped to C:\WINDOWS\system32\CCM\Temp\badpolicy-SMS_ABC-ABC0000F-{916a12bb-a67c-4602-a393-ee6972925a05}-1.00-{1d0e0aab-4c97-426a-9f58-05b1b773ffeb}.txt
    
    Already sent a policy rule application failure status message within the last 6 hours, not sending.
    
    Failed to apply policy rule {1d0e0aab-4c97-426a-9f58-05b1b773ffeb}.
    
    The policy CCM_Policy_Policy4.PolicyID="ABC0000F-{916a12bb-a67c-4602-a393-ee6972925a05}",PolicySource="SMS:ABC",PolicyVersion="1.00" failed to compile. State has been set to 'Inactive' and policy will be rolled back.
    
    Failed to update policy CCM_Policy_Policy4.PolicyID="ABC0000F-{916a12bb-a67c-4602-a393-ee6972925a05}",PolicySource="SMS:ABC",PolicyVersion="1.00"
    
    //
    

    Note that the policy ID and associated GUIDs will vary from site to site.

    The affected hotfixes listed above were re-released as of Tuesday April 26, 2011.  If you previously downloaded but have not installed one of these fixes, you should download the new version instead. Simply check the date modified on the file that was downloaded to compare dates.

    If you have already installed one of the hotfixes and have clients that are unable to process power policy, you can recover using any of the following methods:

     

    Method 1:

    Install the updated version of an affected hotfix.  These hotfixes can be reapplied over prior installations to correct the MOF file issue.

    KB2444668 (Asset Intelligence Hotfix Rollup) has been replaced by the most recent AI rollup, KB2536089.

     

    Method 2:

    Manually correct the Power Management class in WMI.  The correct version of the MOF file is attached to this posting.  This file can be distributed to clients and compiled using a command line with the following syntax:

    mofcomp <path to mof file>

    The path should be one that is accessible to the local system account, and the command does need to be run with administrative rights.

     

    Thank you,

    --Brian Huneycutt

    This posting is provided "AS IS" with no warranties, and confers no rights.
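To find clients showing the symptom described in this post, the PolicyEvaluator log can be scanned for the three messages from the excerpt occurring for the same policy. The following PowerShell is an added example, not code from the original post or from Microsoft; the function name `Find-PolicyCompileFailure` and the sample lines (including the healthy policy ID) are constructed for illustration.

```powershell
# Added example (not from the original post). Flags policies whose log block shows
# XML load failure, WMI 80041002 (not found) and the compile failure for the same PolicyID.
function Find-PolicyCompileFailure {
    param([Parameter(Mandatory)][string[]]$Line)

    $seen    = [ordered]@{}   # PolicyID -> evidence record
    $current = $null          # record for the policy block being read

    foreach ($l in $Line) {
        # Match on message text only, so lines carrying extra log metadata also work.
        if ($l -match 'Applying policy (?<id>\w+-\{[0-9a-f-]{36}\})') {
            $id = $Matches['id']
            if (-not $seen.Contains($id)) {
                $seen[$id] = [pscustomobject]@{
                    PolicyID      = $id
                    XmlLoadFailed = $false
                    WmiNotFound   = $false
                    RolledBack    = $false
                }
            }
            $current = $seen[$id]
            continue
        }
        if ($null -eq $current) { continue }

        if ($l -match 'Failed to load policies from XML') {
            $current.XmlLoadFailed = $true
        } elseif ($l -match 'Error: 80041002; Source: WMI') {
            $current.WmiNotFound = $true
        } elseif ($l -match 'PolicyID="(?<id>[^"]+)".*failed to compile' -and
                  $Matches['id'] -eq $current.PolicyID) {
            $current.RolledBack = $true
        }
    }
    $seen.Values | Where-Object { $_.XmlLoadFailed -and $_.WmiNotFound -and $_.RolledBack }
}

# Constructed sample: one healthy policy, then the failing block from the excerpt.
$sample = @(
    'Applying policy ABC00010-{11111111-2222-3333-4444-555555555555}',
    'Applying policy ABC0000F-{916a12bb-a67c-4602-a393-ee6972925a05}',
    'Failed to load policies from XML.',
    'Not found (Error: 80041002; Source: WMI)',
    'The policy CCM_Policy_Policy4.PolicyID="ABC0000F-{916a12bb-a67c-4602-a393-ee6972925a05}",PolicySource="SMS:ABC",PolicyVersion="1.00" failed to compile. State has been set to ''Inactive'' and policy will be rolled back.'
)
Find-PolicyCompileFailure -Line $sample
```

On a client, pass the log's lines with `Get-Content <path to PolicyEvaluator.log>`. A match shows the symptom described above, not which hotfix caused it.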
