So a few weeks ago, Mr. Joseph Corey at Carnegie Mellon University presented on how they use ConfigMgr to keep the servers in their data centers updated and patched. As one would imagine, they need to tightly control the window of time in which these servers can be patched and rebooted, so that updates take effect only during prescribed off-hours, and they therefore rely very heavily on ConfigMgr’s Maintenance Window functionality. One issue he ran into is that new servers sometimes get installed into the environment but, for various reasons, are not added to the proper Collections that have the maintenance windows set. The result? Those servers install mandatory updates immediately, at any time of day, and reboot at any time, because there is no Maintenance Window to enforce; ConfigMgr does not have a concept of a default Maintenance Window.
The fix? Create a few cleverly crafted Collections that, as a result, assign a default Maintenance Window to any system that does not already have one. The following are the details and explanation Mr. Corey gave me on how they do just that:
__________________________________________________________________________________________________________
First, you would create a collection that specifies all machines with a maintenance window set (“All Servers with a Specified Maintenance Window”). The items in red are the collection IDs of all collections with a specified maintenance window. I started to create an SCCM query that actually used the SCCM database to list all machines that were in a collection that have a maintenance window set dynamically, but the logic is much more difficult since the collection contains the maintenance windows data, not the individual resource. I know it’s possible – I just haven’t sat down and hashed out the SQL for this.
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where Client = 1 and ClientType = 1
  and (ResourceId in (select ResourceID from SMS_CM_RES_COLL_PGH00015)
    or ResourceId in (select ResourceID from SMS_CM_RES_COLL_PGH00016)
    or ResourceId in (select ResourceID from SMS_CM_RES_COLL_PGH00017)
    or ResourceId in (select ResourceID from SMS_CM_RES_COLL_PGH00018)
    or ResourceId in (select ResourceID from SMS_CM_RES_COLL_PGH00019)
    or ResourceId in (select ResourceID from SMS_CM_RES_COLL_PGH0001A)
    or ResourceId in (select ResourceID from SMS_CM_RES_COLL_PGH0001F))
Next, you would create the collection below where colID is the collection ID of the above collection (“6 A.M. Maintenance Window”). This will give you a collection that contains machines without explicitly set maintenance windows.
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where Client = 1 and ClientType = 1
  and ResourceId not in (select ResourceID from SMS_CM_RES_COLL_colID)
__________________________________________________________________________________________________________
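As an added example (not part of Mr. Corey's post or of ConfigMgr itself), here is the SQL he mentions not having hashed out: two reporting queries against the site database that, first, produce the list of collection IDs that carry an enabled maintenance window (the IDs hand-typed into the first collection above) and, second, list every client that is not covered by any such window. It assumes the standard ConfigMgr 2007 reporting views v_Collection, v_ServiceWindow, v_FullCollectionMembership and v_R_System with the column names shown; these are report and audit queries only, because collection membership rules are WQL and cannot reference SQL views.

```sql
-- Added example, not from Mr. Corey's post. Two reporting queries against the ConfigMgr 2007
-- site database (SMS_<sitecode>). Assumptions: the standard reporting views v_Collection,
-- v_ServiceWindow, v_FullCollectionMembership and v_R_System exist with the column names used
-- below (as in the built-in maintenance-window reports; verify against your own site DB).
-- These are reports/checks only: collection membership rules are WQL and cannot query SQL views.

-- Query 1: which collections carry an enabled maintenance window?
-- The CollectionID column is the list you hand-type into the
-- "All Servers with a Specified Maintenance Window" collection rule.
SELECT
    c.CollectionID,
    c.Name                              AS CollectionName,
    COUNT(w.ServiceWindowID)            AS EnabledWindows,
    MIN(w.StartTime)                    AS EarliestStart
FROM v_Collection AS c
JOIN v_ServiceWindow AS w
    ON w.CollectionID = c.CollectionID
WHERE w.Enabled = 1                      -- a disabled window enforces nothing
GROUP BY c.CollectionID, c.Name
ORDER BY c.CollectionID;

-- Query 2: which clients are NOT protected by any enabled maintenance window?
-- This is the dynamic version of the "6 A.M. Maintenance Window" collection and is the
-- audit to run after a new server build, or on a schedule, to catch machines that were
-- never added to a windowed collection. An empty result means every client is covered.
SELECT
    s.ResourceID,
    s.Netbios_Name0                     AS ComputerName,
    s.Operating_System_Name_and0        AS OperatingSystem
FROM v_R_System AS s
WHERE s.Client0 = 1                      -- has a ConfigMgr client
  AND s.Client_Type0 = 1                 -- advanced client (same filter as the WQL above)
  AND NOT EXISTS (
        SELECT 1
        FROM v_FullCollectionMembership AS m
        JOIN v_ServiceWindow AS w
            ON w.CollectionID = m.CollectionID
           AND w.Enabled = 1
        WHERE m.ResourceID = s.ResourceID
  )
ORDER BY s.Netbios_Name0;
```

Query 2 is the check that catches the situation described at the top of the post: a server that appears here will patch and reboot whenever updates become mandatory, so it should be added to a windowed collection (or be picked up by the default-window collection).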
LABMAN 2009 is slated for June 8-10 and will be held at the University of Notre Dame. I have presented/attended at this annual event the past two years and find it to be a very nice (and economical) venue catering specifically to those folks tasked with the management of campus lab environments. If you are interested in attending or would like to nominate yourself to conduct a session, they are currently accepting both!
Although not 100% guaranteed, yours truly plans to be at this event and may also conduct a session or two as I have done in years past!
So I know I blog about once, oh, I don't know, every 2-3 months now! :)
Anyway, I aim to rectify this as I really should blog more and yes do have a lot of half-blog entries that I just never got around to finishing so stay tuned...
In any event, I wanted to let my tens of fans of this blog know about a very cool conference coming up devoted exclusively to Windows IT folks within Universities and Colleges. This is a great opportunity to network with your peers as well as see some of the best MSFT presenters up close and personal, such as MarkRuss and Steve Riley. The details can be found on Mr. Greene's OffCampus blog, as he is the main organizer on the MSFT side.
Here are some links to some useful resources to help you further evaluate System Center and other associated Management solutions as discussed during my workshop session at HECC 2008:
So maybe I am the only one that has done this, but I have been dumb enough to now have done this twice, so maybe there is someone else out there that is as 'smart' as I am! In my demo environment, I have an OpsMgr 2007 SP1 RMS on a W03 SP2 server, with the Operations DB, Report DB, and ACS DB located on a remote W08 server with SQL 2005 SP2. SQL 2005 Reporting Services is also located on the W08 server. The problem? Well, I have found that if you suffer some type of corruption in your OperationsDW DB (I suffered a power outage in my environment which somehow put the OperationsDW in a Suspect state. And no, of course I did not have a backup of the DB!!!) and/or have a reason to re-install OpsMgr Reporting, the act of uninstalling OpsMgr Reporting renders the instance of SRS unusable - you will continually get errors if you try to re-configure/reset SRS back to a usable state and therefore are SOL if you wish to re-install OpsMgr Reporting on this instance. The following are some of the symptoms I have observed:
- After uninstalling OpsMgr Reporting, you will get errors when trying to navigate to http://server/reports or http://server/reportserver
- The Application Event Log on the SRS server may have entries with event id 18456 saying that "login failed for user...".
Basically, the fix for me was the following:
- Stop the SRS service
- Stop the IIS service
- Delete the OperationsDW, Reports, and other associated temp DBs
- Delete the Reports and ReportServer virtual directories via the IIS Manager
- Start SRS
- Start IIS
- Fire up the Reporting Services Configuration Tool
- Connect to the SRS Instance
- Click Web Service Identity and select 'Classic .NET AppPool' for both Reports and ReportServer (you will have to re-create these, as you blew them away in a previous step).
- Create a new Report DB
- ***This is what screwed me up - it seems that somehow the Rsreportserver.config file gets corrupted. Go to \program files\Microsoft SQL Server\MSSQL.X\Reporting Services\ReportServer and restore one of the previous versions of this file (it should have a .0 or .1 appended to it).
- Proceed and follow all instructions in KB938245 in the section titled "How to configure the Report Web Service or Report Manager to use an application pool that runs under a domain account"
- ***For me, one of the registry keys that they tell you to modify did not exist - I simply created it and modified it to use my domain account, and this seemed to work
You should then be able to go to http://server/reports or http://server/reportserver without error now... Therefore, you should then be able to re-install OpsMgr Reporting.
Oh yeah - I found out that technically we do not support running OpsMgr Reporting on W08 just yet - which explains why I had to jump through a lot of hoops above. However, it seems to work for me, with the exception of having to reset SRS if you ever have to reinstall...
Our good partners, SecureVantage are going to be conducting free online seminars starting 7/10. To register for these free courses and to receive more information, go here:
http://www.securevantage.com/ACSTraining.aspx
SecureVantage also maintains a nice Spaces blog full of useful information regarding ACS and how their solutions can further extend its value - the blog can be found here: http://securevantage.spaces.live.com/
Coming off the LABMAN conference from a few weeks ago, I know many in the EDU community rely on disk protection and lock-down tools such as Faronics' Deep Freeze and SteadyState. At the end of last week, we made SteadyState 2.5 available for free download - the big deal here is that we can now lock down and disk-protect Vista workstations. You can get this here. Here is a bullet list of the new features:
New features in SteadyState version 2.5 include the following:
• Full support for Windows Vista
• Full support for Internet Explorer 7 and tabbed browsing
• Overall improved performance
• Faster booting
• Faster system caching
• Remote management of Windows Disk Protection through scripting
• Improved importing & exporting of user information
Also, I thought I blogged about this in the past but apparently I have not (or at least I cannot find the post), but yes, with SteadyState, you do have the ability to control the state of 'Disk Protection' via the command line by making calls to the machine's WMI interface - KB938355 explains this. Also, this old forum post gives some sample scripts to turn WDP on and off as well. For you folks familiar with Deep Freeze, this would be going from 'frozen' to 'thawed'. Granted, it is not as fancy as Deep Freeze, as we do not offer a GUI console for SteadyState, but our price is a bit better (free download) if you are comfortable with making changes via script (or better yet, using something like ConfigMgr to modify the protection states when changes are needed).
The ConfigMgr homepage may not be up to date yet but here is the direct download link to download SP1: http://www.microsoft.com/downloads/details.aspx?FamilyId=5AAE62E8-4B7F-4AF7-BE01-AEFAA4BF059A&displaylang=en
This release (among the usual bug fixes) brings forward these new features:
1. More complete support for management of Windows Vista SP1 (Vista SP1) and Windows Server 2008 (Server 2008).
2. Support for SCCM 2007 Server Site roles on Server 2008.
3. Out of band and in band management of Intel AMT devices.
4. Asset Intelligence 1.5, which is our first release with a connection back to System Center Online for regular updates to the Asset catalog.
Enjoy!
So I normally do not regurgitate generic technical information that you can find on one of a thousand different blog sites and podcasts unless I feel that there is unique significance to the EDU community. If you attended MMS 2008 or paid attention to the announcements and press releases announced during the Summit, there were three major things and one 'quiet but intriguing thing' that I think will have a HUGE impact in EDU. The three major announcements (and one 'quieter' announcement) were:
- Beta Availability of Operations Manager 2007 Cross Platform Extensions: So, an ugly and long title, but to put it simply, we are planning to introduce OpsMgr client agents for non-Windows systems including RHEL, Sun Solaris, SLES, HP-UX, and AIX. This is definitely a first, and not just for the Management division but for Microsoft as a whole, as we will be including actual agents for non-Windows based systems AND these are based on the OpenPegasus initiative, which means the agents will be open-sourced. Yes, you read that correctly (read it again, if you need to - I know I had to!). Beta 1 of these agents is available now off of the Connect site. For more information on how to obtain these, go here:
http://blogs.technet.com/systemcenter/archive/2008/04/29/operations-manager-2007-goes-cross-platform.aspx
- Beta Availability of Operations Manager 2007 Connectors: This one may not be as shocking as the above, as you may have seen this coming when we acquired Engyro a little over a year ago and have since made the Engyro Connectors available 'for free' to licensed OpsMgr customers to connect OpsMgr to their HP OVO, Tivoli management systems and the like. What is significant is that we are basing the connector on the same OpenPegasus stuff and it will be open-sourced. Like the extensions above, the beta is publicly available at the same link above.
- Beta Availability of Virtual Machine Manager 2008: Not as big of a surprise as we have been talking about the v.Next version of VMM allowing for management of Hyper-V and VMWare hosts, but very nice to see we are right on track with the public beta availability of this next version. Access to and information on how to get at the bits can be found here: http://www.microsoft.com/systemcenter/scvmm/default.mspx
- Kidaro First Look: Although the acquisition at the time of this writing was not quite complete, there were a few breakout sessions and more detail around the technology that this acquisition will bring. Kidaro will become yet another technology provided to those customers that subscribe to the Desktop Optimization Pack (with no extra price increases planned, BTW) and will allow customers a way to deliver and control virtual OSes to clients via physical media (USB key, DVD, etc.) and/or streaming technologies, with complete integration with the end client. Think of it as the best of virtual machines, terminal services, and virtual applications without any of the downsides these technologies have. IMHO, the Kidaro 'stuff' (we still have not picked a formal name for it yet) will solve MANY problems in EDU by allowing you to have a controlled set of OS images, complete with your supported applications, that can be seamlessly run and delivered to unmanaged machines - such as a student or faculty member's personal machine. Is this VDI? No - it is MUCH, MUCH better... I am sure more information will be forthcoming once the acquisition is complete, but here are some links to check out today:
http://www.kidaro.com
http://blogs.technet.com/james/archive/2008/03/25/mdop-to-get-bigger-more-value-included.aspx
http://blogs.technet.com/virtualization/archive/2008/03/12/Kidaro-to-be-added-to-Microsoft_2700_s-desktop-virtualization-products.aspx
http://blogs.technet.com/technology_trumpet/archive/2008/03/13/i-kidaro-you-not.aspx
So, on a topic that is not by any means new, but one that has come up in a lot of recurring discussions with my customers lately...
There seem to be a lot of different viewpoints on when or whether to re-package software for the purposes of automatic distribution (using ConfigMgr, of course!). For years, I have employed the following guidelines - in this order:
1. Does the software natively support MSI? If yes, no need to re-package, use the built-in characteristics of MSI to create a silent install command line (with or without transforms) to get the job done. If not, consider Step 2.
2. Does the software support any documented way to deploy the software silently? If yes, great, use what the vendor gives you to get the job done. If not, or it is not very clear, consider Step 3.
3. Conduct research on sites such as www.appdeploy.com (one of my favorites, btw) to see if someone in the community has posted steps/tips on your software that allows for silent and automated deployment. If so, employ these in the lab to confirm they work and then deploy. If not, consider Step 4.
4. Utilize your favorite MSI re-packager. ConfigMgr users can use Macrovision's AdminStudio: Configuration Manager Edition to get the job done. But if you have purchased the Wise Installer and like their interface better, go nuts!
As a rule, I always attempt to go down the path of least resistance while maximizing supportability. I see Step 4 as the worst case and the most expensive, as it is the most time consuming and you run the risk of the vendor not supporting your deployment if they do not support the re-packaging of their application. IMHO, if the app is not native MSI but has a documented way of silently deploying, I say use it - supportability and speed far outweigh some of the abilities built into an MSI wrapper...
Anyway, that's my $.02 - I will stop rambling now...
Finally - the extensions to manage non-Windows clients with SMS have now been released for ConfigMgr! For more information go here: http://www.quest.com/quest-management-xtensions-configuration-manager/.
I know more than a few of my customers in EDU will be interested in this...
So starting this month, my associates and I on the EDU technology team (Michael Greene - http://blogs.technet.com/offcampus and Steve Straub) are starting to hit the road and meet with various EDU customers to spread the good word about System Center, W08, and Hyper-V. We have completed one such event in the CT/NY area and plan to travel to other parts of the Northeast as well as the St. Louis area and other parts within the Midwest in the next month or so.
We will be posting slide and link information from these events. So far, you can take a look at these:
Slides – http://tinyurl.com/2rvmx5
Links – http://tinyurl.com/3azpxv
We MAY publish video from some of these but have not figured all that out yet...
Finally, if you happen to be in the New Jersey/Washington area, we have our next three events scheduled for early April and you can go here to register for these:
Iselin
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032372199&culture=en-US
Malvern
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032372200&culture=en-US
Washington
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032372201&culture=en-US
Stay tuned on information about Midwest events...
So I don't know if this is documented anywhere, but a customer of mine was looking for a way to implement tighter security within their SoftGrid environment. Specifically, they were looking for a way to thwart a user who has access to SoftGrid applications from copying down their SFT files (which contain the bits of a sequenced app) and using them for their own purposes. In theory, one could essentially 'steal' an SFT file that they have Read access to from the content share (which is essentially what they have by default) and use it in their own SoftGrid Infrastructure without authorization. Or worse, use the MSI Utility to create a portable virtual application ready for use. The following is a way you can protect your SFT assets:
- Leave the content share permissions to at least Read for Everyone.
- Leave the NTFS permissions for all files in the content share to Users, Admins, and System to at least Read (i.e. default or whatever)
- Directly on the SFT file or files you wish to lock down, un-check the ‘Inherit NTFS permissions’ check box and remove all NTFS permissions from this SFT file except for SYSTEM and Administrators.
Now, typical users will still be able to stream applications from the content folder, and they will be able to ‘see’ the SFT files, but they will not be able to copy off the SFT files (they should get an Access Denied)… This is how it worked in my lab, anyway…
ENJOY!
Go here for more info and a link to download the MSI utility: http://blogs.technet.com/softgrid/archive/2008/01/03/the-msi-utility-for-microsoft-application-virtualization-and-hfru1-are-now-available.aspx.
This will now give you the ability to un-tether SoftGrid applications from the need for SG Server infrastructure... They can be installed as normal MSI packages (assuming that the SG client is installed on the target and is configured NOT to talk to any SG server).
I have posted a new article that is more 'RTM-friendly' which may help in quickly building up the base components of SCCM in a lab situation for evaluation purposes. Go here for the article.