In your System Center Configuration Manager 2007 environment, you may find that a distribution point is not updating and a pck file may appear to be "stuck" or "locked" in the X:\Program Files\Microsoft Configuration Manager\inboxes\despoolr.box\received folder (where X: is the drive where ConfigMgr 2007 is installed) and the file is not able to be renamed or deleted even with the following services stopped:
- WMI
- SMSExecutive
- Component Manager
- BITS
- Antivirus
Cause
The file was locked by a service called dsmcsvc.exe which was from IBM Tivoli backup software (it was named TSM Scheduler in Services). It is possible other software could have a lock on the file as well, this is just one example.
Resolution
Using Process Explorer turn on the handles view (View menu, Lower Pane view, Handles) then from the Find menu, (Find Handles or DLL...) type in the file name that is locked (e.g. X:\Program Files\Microsoft Configuration Manager\inboxes\despoolr.box\received\filename.pck) and it should show you the service that has locked this file. In this case we found it was locked by dsmcsvc.exe (IBM Tivoli backup software). Stopping the TSM Scheduler service (dsmcsvc.exe) caused the packages to start processing again in the despoolr.log.
More Information
This problem could occur with other software locking a file and preventing a package from being updated. Using Process Explorer is a useful way to determine what service has a lock on a file.
Hope this helps,
Clifton Hughes | Senior Support Engineer
I recently came across this issue and thought it might be worth a mention here. If you have some really big packages and don't see any of your changes reflected on the Child Sites then this may be your issue.
Symptoms
Changes made to an SMS 2003 package/program properties for a large package (such as Office 2007) are not reflected on the Child Site.
The Distmgr.log on the Child Site server may show that Package XXX000xx is currently being processed, and it may stay in this state for days, and/or it does not update on the Child Primary Site's view of the package for several days.
It seems any change that is made to this packages properties is not getting updated although other packages and Site settings are getting replicated down to the Child Primary Site properly. When looking at the distmgr logs on the child site you may see the same files trying to be processed for this problem package and not getting processed for some time, even days depending on the size of the problem package.
Cause
This can occur if the package that is being updated is being processed on the Child Primary Site to a remote Distribution Point (DP) share over a slow link, and this package is several GB in size. The large size combined with the slow link merely means that this processing will take a very, very long time. This is why we were seeing the message “Package ID XXX0000XX is currently being processed.” This indicates that the server is processing this package (not the pkg file that is currently in queue) and as a result is busy and not able to process the incoming change right now.
Resolution
Once you're in this situation the best resolution is patience. Once the package processing from the Child Primary to the remote DP finishes, the package changes will be processed normally as expected.
More Information
If you can create a Secondary Site then this process would use a compressed file instead of raw copy to a DP at the remote location. You also have the option to use the Courier Sender method of updating the DP rather than doing this over the wire. Courier Sender allows software to be sent between SMS sites by CD or other media, rather than across the network. This is particularly useful in situations where the available network bandwidth is low or too expensive to use for the delivery of large packages.
For more information regarding methods of Software Distribution, see Chapter 5, "Distributing Software," in the Microsoft Systems Management Server 2003 Operations Guide:
http://www.microsoft.com/downloads/details.aspx?familyid=BD2B3619-4704-4C19-A00B-628E65F6F826&displaylang=en
Hope this helps,
Clifton Hughes | Senior Support Engineer
Consider the following scenario:
- The management point role is installed on a site server that is running Microsoft System Center Configuration Manager 2007 Service Pack 1 (SP1).
- Many content location requests are sent to the management point when the requests contain multiple locations.
In this scenario, the memory usage of the Microsoft Systems Management Server (SMS) Agent Host service (Ccmexec.exe) keeps increasing.
There's a hotfix for this issue and you can read all the details and download it here:
KB973499 - A memory leak occurs when many content location requests are received by a site server that is running System Center Configuration Manager 2007 SP1
J.C. Hornbeck | Manageability Knowledge Engineer
Download an updated version of the Configuration Manager 2007 Documentation Library which contains new material and fixes to documentation problems reported by customers since the last update was published. Refer to the “What’s New in the Documentation Library” topic in each release for a list of topics with significant updates:
========
Configuration Manager 2007 SP2 Content
The following topics in the Documentation Library contain new Configuration Manager 2007 SP2 content:
- What's New in Configuration Manager 2007 SP2
- Out of Band Management in Configuration Manager 2007 SP1 and Later
The following section describes what's new in the Microsoft System Center Configuration Manager 2007 Documentation Library since April 2009. The topics listed in the table are new or contain significant technical changes to Configuration Manager 2007. Topics that contain minor changes to Configuration Manager 2007 are not listed.
Planning and Deploying the Server Infrastructure for Configuration Manager 2007
Certificate Requirements for Native Mode: Updated to reflect that SHA-1 is the only supported hash algorithm for native mode certificates.
Overview of Internet-Based Client Management: Updated to include task sequences as one of the features that are not supported when clients are managed on the Internet.
Out of Band Management and Double-Byte Character Sets: New topic that lists the considerations and limitations for using double-byte character sets and extended ASCII characters when you use the out of band management feature in Configuration Manager 2007 SP1 and later.
Planning and Deploying Clients for Configuration Manager 2007
How to Create a Fallback Status Point in Configuration Manager: Updated with clarifications such as the security best practices for production networks, a reference to installing IIS for Windows Server 2008, a list of log files to check for successful installation, and how to install the fallback status on a new server.
How to Enable or Disable Certificate Revocation Checking (CRL) on Clients: Updated to clarify that the client functions that run as a result of task sequence actions always check the certificate revocation list (CRL) in a native mode site, even after following the procedures to disable CRL checking on clients. This limitation does not apply to Configuration Manager 2007 SP2.
Configuration Manager 2007 Features
Prerequisites for Out of Band Management: Updated to clarify changes that are relevant to Configuration Manager 2007 SP1 and later, including the following:
- Links to the supported configurations documentation for AMT version information.
- A recommendation to disable AMT on computers that cannot be supported by Configuration Manager, such as workgroup computers and computers with a disjointed namespace.
- Information about how the security right of Modify Collection Setting is required to configure in-band provisioning, to remove provisioning information, and to update AMT management controllers.
How to Provision Computers for AMT: Updated with a revised query for the collection that is used for in-band provisioning so that membership contains computers with an AMT status of Detected or Not Provisioned if they are also approved and not blocked.
AMT Provisioning Issues for Out of Band Management: Updated with a reference to the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001), which should be checked for issues that are specific to AMT. (Such issues include behavior differences between firmware versions, how to install and configure the Intel translator, and how to configure AMT). Additionally, new troubleshooting information in this topic includes the following scenarios:
- Configuration Manager Fails to Provision Computers with a Disjointed Namespace
- Computers Fail to Provision Out of Band Because the Computer Has Been Discovered by Configuration Manager
Out of Band Management Console Issues: Updated with new troubleshooting information that includes the following scenarios:
- The Out of Band Management Console Running on Windows XP SP2 or Windows Server 2003 SP1 Fails to Connect to AMT-Based Computers
- The Out of Band Management Console Fails to Connect to AMT-Based Computers That Were Successfully Provisioned Out of Band and Do Not Have an Operating System Installed
- IDE Redirection Fails When the Out of Band Management Console Runs as a Low-Rights User
- Unexpected Behavior with Blocked Configuration Manager Clients
- Slow Responses to AMT-Based Computers Using IPv6
Troubleshooting General Operating System Deployment Issues: Updated with the new entry "Security Registry Keys for Native Mode Remain in Captured Images”, which includes the prescribed additional steps to take if you capture an image from a native mode client.
Troubleshooting Task Sequence Initiated Operating System Deployment Issues: Updated with the new entry "Task Sequence Always Performs Certificate Revocation Checking in Native Mode Site", which explains how to identify a known issue with task sequences always checking the certificate revocation list (CRL) in a native mode site, even after following the procedures to disable CRL checking on clients.
Prerequisites for SQL Reporting Services: Updated with information about creating SQL Reporting Services report models by using SQL Server 2008.
Security and Privacy for Configuration Manager 2007
Out of Band Management Security Best Practices and Privacy Information
Updated for revisions that are applicable to Configuration Manager 2007 SP1 and later, including the following security best practices:
- Request customized firmware before purchasing AMT-based computers.
- Manually revoke certificates and delete Active Directory accounts for AMT-based computers that are blocked by a Configuration Manager 2007 SP1 site.
- Use a dedicated certificate template for provisioning AMT-based computers.
- Use a dedicated organizational unit (OU) to publish AMT-based computers.
- Use Group Policy to restrict user rights for the AMT Accounts.
- Use a dedicated collection for in-band provisioning.
- Retrieve and store image files securely when booting from alternative media to use the IDE redirection function.
- Minimize the number of AMT Provisioning and Discovery Accounts.
Maintaining Configuration Manager 2007
How to Back Up a Secondary Site: Updated to remove the procedure to back up a secondary site because you cannot restore this backup by using the Site Repair Wizard. Instead, you must reinstall the secondary site. This information was also added to About the Site Repair Wizard.
For all the details and to download the update see http://www.microsoft.com/downloads/details.aspx?FamilyID=71816b0f-de06-40e0-bce7-ad4b1e4377bb&displaylang=en
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
Looks like the Configuration Manager product team made a couple announcements regarding supported configurations over on their blog. You can read the details yourself but here's the long and short of it:
Windows Storage Server 2008 is now supported on Configuration Manager 2007 SP1 and SP2
System Center Configuration Manager 2007 SP1 and SP2 now support the Windows Storage Server 2008 operating systems for client installation. Site system roles of a standard distribution point and a branch distribution point are supported. Installations of the administrator console or other site system roles are not supported.
No software updates are required.
Windows Remote Management (WinRM) 2.0 is now supported on Configuration Manager 2007 SP1 and SP2
System Center Configuration Manager 2007 SP1 and SP2 now support installing Windows Remote Management 2.0 on site systems running the out of band service point role.
No software updates are required.
The original post can be found here.
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
The Solution Accelerator team is pleased to announce the immediate availability of the Microsoft Assessment and Planning Toolkit 5.0 Community Technical Preview (CTP). Designed to simplify and streamline the IT infrastructure planning process across multiple scenarios through network-wide automated discovery and assessments, this tool provides a quick and complete inventory of the current IT environment of any organization, hardware and device compatibility assessment, and actionable reporting of recommended hardware upgrades for migration.
The MAP Toolkit 5.0 CTP includes these new features:
· Heterogeneous Server Environment Inventory for Technologies including Windows Server, Linux, UNIX and VMware.
· Ability to determine usage of deployed System Center Configuration Manager, a member of the Core Client Access License Suite.
· Readiness assessment for migration or upgrade to Microsoft Office 2010.
Over 800,000 Microsoft customers and partners including Costco Wholesale Corporation, Continental Airlines, and Pella Corporation have already downloaded and used this toolkit to help plan for their server and PC deployments.
Additional MAP Toolkit Features include:
• Windows 7 Hardware and Device Compatibility Assessment.
• Windows Server 2008 R2 Hardware and Device Compatibility Assessment.
• Virtualization Candidates Assessment for Hyper-V Server Consolidation.
• Inventory of VMware Server Hosts and Guests.
• Enhanced Usability and Improved Inventory Performance.
• SQL Server Instance Discovery.
• Desktop Security Assessment for Anti-virus and Anti-malware Programs Installation.
• Forefront Client Security/NAP Readiness Assessment.
To give you a quick sample, here are a couple MAP 5.0 Inventory and Assessment Wizard screenshots:
Here’s what the System Center Configuration Manager Server Report looks like:
Next Steps
· Register for the MAP Toolkit 5.0 CTP and download. (Live ID required)
· Want to influence the future of MAP? Complete the survey and receive a free 4GB Solution Accelerator branded Memory Stick.* (Live ID required)
· Download other Windows Server 2008 R2 and Windows 7 Solution Accelerators for your IT planning, deployment, and management needs.
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
From our very own Steve Rachui comes another great System Center tip. This one covers how to get a Configuration Manager 2007 Task Sequence to rerun:
There are well known methods to force an advertisement to rerun – including several add-on tools available for the SMS or SCCM console. To date, however, there are not equivalent methods to force a task sequence to rerun. Part of this may be because task sequences are typically thought of as focused on Operating System Deployment (OSD) and rerunning these types of distributions are not as common as rerunning advertisements.
To continue reading see http://blogs.msdn.com/steverac/archive/2009/11/06/sccm-forcing-a-task-sequence-to-rerun.aspx
J.C. Hornbeck | Manageability Knowledge Engineer
I asked the FixIt team for this a while back and they have delivered. Now if you ever run into the symptoms below the chances are good we can automatically fix it with just a few clicks of the mouse:
The Symptoms: When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:
HTTP 401.1 – Unauthorized: Logon Failed
Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.
Additionally, an event message that resembles the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number
The Cause: This issue occurs when the web site uses Integrated Authentication and has a name that is mapped to the local loopback address.
The Fix: If you happen to come across any symptoms like this then take a look at the following Knowledge Base article:
896861 - You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
The cool part is that this KB article contains a link to a Wizard that will fix this issue for you automatically. All you have to do is download and run it. This Loopback issue impacts almost any product that uses IIS, including your very own favorite, System Center Configuration Manager2007.
Jarrett Renshaw | Content Quality Program Manager
We’ve seen this issue come up a couple times so I wanted to give it a mention here just in case you run into it. The problem is that you may notice Software Deployments are not working for a small percentage of your Configuration Manager clients and you may notice that the status of the problem clients is Waiting on content. You may also notice that the affected clients are unable to automatically re-discover their site code in the control panel applet.
Troubleshooting:
The last time I saw this, we checked the properties of the affected client's resource in the Configuration Manager 2007 Console and it showed multiple subnets for these clients (e.g. 9.9.0.0 and 9.9.9.0).
The site boundary for these clients was entered as simply 9.9.0.0 on the Site server and these boundaries did not overlap with any other site.
We then found the following error in the CAS.log which seem to point to a boundaries issue:
ctm job suspended
We enabled verbose and debug logging in the registry on one of the affected clients and then created a new advertisement and a test collection to send it to. When we did this we found the following in the LocationServices.log:
Discarding DP with SiteLocality 'FALLBACK'. Accepting only 'LOCAL' DPs. 10/30/2009 1:37:24 PM 164 (0x00A4)
The number of discovered DPs(including Branch DP and Multicast) is 0 10/30/2009 1:37:24 PM 164 (0x00A4)
When we tried to perform automatic site discovery on the client that was failing we saw this”
"LSGetAssignedSiteFromSLP : No site code returned from SLP"
"The number of discovered DPs (including Branch DP and Multicast) is 0"
Everything seemed to point to a Protected Distribution Point but there were none in this case. It also seemed like it could be a boundary issue which was not obvious on the surface since the 9.9.0.0 boundary included all of the affected clients. Also this problem did not affect all clients in these subnets, only some.
Cause:
It turns out that this issue was nonspecific Site Boundaries in the site. 9.9.0.0 is not specific enough to allow the clients to find the site and/or find its Distribution Point servers. This is referred to as super netting, and this will not yield consistent results for your Configuration Manager clients.
Solution:
Once you add a specific 9.9.9.0 subnet and/or the 9.9.8.0 subnet (whichever applies), the clients in these subnets will be able to find their Site ID and Distribution Points without error, so the solution is to add the specific individual subnets to the Site Boundaries.
More Information:
This problem can also manifest itself in other ways such as when an AD Subnet is specified as 9.9.0.0 and the AD site is added as a boundary in SMS or Configuration Manager, then you also add some specific subnets as boundaries like 9.9.1.0 and 9.9.2.0. This can also cause the same symptoms documented above.
The TechNet article below articulates the IP Subnet configuration recommendations of entering each IP subnet individually, however it does not indicate that super netting is not supported so I created this document to help shed more light on this issue since we have seen several cases with this issue.
http://technet.microsoft.com/en-us/library/bb633084.aspx
Hope this helps,
Clifton Hughes | Senior Support Engineer
The updated Configuration Manager 2007 SP2 Management Pack adds support for monitoring Configuration Manager 2007 SP2 in a 64-bit environment with Operations Manager 2007 R2 or Operations Manager 2007 SP1 with hotfix (KB971541) installed. This enables the Configuration Manager 2007 SP2 Management Pack to work with either the 32-bit or the 64-bit Operations Manager 2007 agent. Except for the 64-bit support, the other features and guidance for Configuration Manager 2007 Management Packs remain intact.
Note: As of today, KB971541 is not yet available. This update should be available within the next few days. When it becomes available it should be found here.
For all the details and to download the updated MP see http://www.microsoft.com/downloads/details.aspx?FamilyID=a8443173-46c2-4581-b3b8-ce67160f627b&displaylang=en
J.C. Hornbeck | Manageability Knowledge Engineer
With the release of the Windows 7 and Windows Server 2008 R2 operating systems, new capabilities and usage scenarios are emerging for system management. Economic, regulatory, green IT, and security issues continue to be the challenges organizations face. In this webcast, we provide a technical update and overview for Microsoft System Center Configuration Manager 2007. We focus on Service Pack 2 and R3 enhancements, market capabilities, and describe our near-term release road map.
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032428200&EventCategory=4&culture=en-US&CountryCode=US
J.C. Hornbeck | Manageability Knowledge Engineer
You may find that at some point you need to change the name of the SCCM 2007 database and the steps to do so are below. I worked on a case just like this a few days back and during that time I got the opportunity to confirm that this procedure works and is supported in the lab.
We can change the Site Database name by running Site Reset Wizard but before running the Wizard make sure you have renamed the Database in SQL to your new custom name.
1. Follow the steps mentioned in link below to rename the SQL DB:
http://technet.microsoft.com/en-us/library/ms345378.aspx
2. While running Site reset, select "Modify SQL Server Configuration" and under ConfigMgr Site database option give it the new name.
3. After completing the wizard everything should be working fine except the Display name may be wrong and you’ll probably get some warning messages. For example, the name under "ConfigMgr site database server" site system role will still be pointing to old DB name and you may see the warning below:
“Microsoft SQL Server reported SQL message 911, severity 16: [08004][911][Microsoft][ODBC SQL Server Driver][SQL Server]Could not locate entry in sysdatabases for database <name>. No entry found with that name. Make sure that the name is entered correctly.”
To resolve both of these issues we need to make changes manually to the SiteCtrl file.
1. Stop the SMS_Executive and SMS_Site_Component_Manager services on the Site Server.
2. Backup the SiteCtrl.Ct0 file from the folder %Program Files%\Microsoft Configuration Manager\Inboxes\SiteCtrl.
3. Open the SiteCtrl.Ct0 file in notepad and update the following section. In the example below SMS_BAN is my default database name. Modify the database name to reflect the new name.
BEGIN_SYSTEM_RESOURCE_USE
RESOURCE<Windows NT Server><["Display=\\SCCMSRV2\"]MSWNET:["SMS_SITE=BAN"]\\SCCMSRV2\ <file:///\\SCCMSRV2\>>
ROLE<SMS SQL Server>
BEGIN_PROPERTY_LIST
<Databases>
<SMS Database, SCCMSRV2, SMS_BAN> (Change SMS_BAN to new DB name)
END_PROPERTY_LIST
END_SYSTEM_RESOURCE_USE
4. Save the file and restart the Services.
After making the changes above the display name for the db was correct and the warnings were gone.
Note: Apart from this we noticed that Reporting Point, Reporting Services Point and Custom Maintenance tasks are few of the things need re-configuration. Basically any component which uses static database entry while connecting.
Hope this helps,
Mohammed Tajammul Hussain | Technical Support Lead
Looks like the Configuration Manager content writers posted their October updates last Friday so in case you missed the announcement here’s the skinny:
The following information lists the topics that contain significant changes since the August 2009 update.
Configuration Manager 2007 SP1 Supported Configurations - Updated to include Windows Server 2008 R2 and Windows 7.
Supported Operating Systems and Hard Disk Configurations for Operating System Deployment - Updated with information about the operating systems that are not supported and those which can be deployed only by first capturing a Windows installation image (.wim) file using an image capture task sequence.
Supported Mobile Devices - Updated to remove information about supported mobile device client operating systems so that it is now exclusively in supported configuration topics (Configuration Manager 2007 Supported Configurations). This means that customers have a consistent place to find supported version information and it reduces the risk of inconsistent information between topics.
About Heartbeat Discovery - Updated to remove the incorrect information "Although you can configure Heartbeat Discovery to update client DDRs as frequently as you want, if you configure it to run less than once every 25 hours (the default client refresh cycle) the updated DDR will be reported no less than once every 25 hours". This restriction applied to an earlier version of the product and does not apply to Configuration Manager.
About the Site Repair Wizard and How to Back Up a Secondary Site - Updated with the information that the Site Repair Wizard should not be used to recover a secondary site. The Product Group has confirmed that the recovery procedure doesn't work for secondary sites and will not be supported. If you need to recover a secondary site, reinstall it and secondary site configuration from the primary site will be replicated to it automatically when installation is complete. Because restoring a secondary site is not supported with the product, there is no point in backing up a secondary site by using the Backup Secondary Site Server maintenance task. To help avoid confusion, we have removed the procedural information in How to Back Up a Secondary Site.
For all the details about what’s new see http://blogs.technet.com/configmgrteam/archive/2009/10/23/announcement-configuration-manager-documentation-library-update-for-october-2009.aspx.
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
We had one new Knowledge Base article published last week, this one documenting the hotfixes and updates that are contained in Microsoft System Center Configuration Manager 2007 Service Pack 2 (SP2):
KB971348 - List of hotfixes and updates that are contained in System Center Configuration Manager 2007 Service Pack 2
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
Just in case you missed the big announcement last Friday, Configuration Manager 2007 Service Pack 2 is now released:
SP2 provides:
- Windows 7 and Windows Server 2008 R2 support that enables customers to deploy and manage their Windows 7 client and server based systems.
- New options for Out of Band Management that includes the addition of updated firmware support along with support for key new features such as wireless profile management and 802.1X.
- Branch Cache support that enables customers to significantly reduce WAN utilization in branch office scenarios by leveraging new technology in Windows Server 2008 R2.
- Greater 64-bit support that includes Remote Control, App-V, and the 2007 OpsMgr agent.
For all the details and to download the Service Pack see http://blogs.technet.com/configmgrteam/archive/2009/10/23/configuration-manager-2007-service-pack-2-released.aspx
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
