
Upcoming ConfigMgr07 topics from my blogging come back…

First of all, I would like to explain where I have been for so many days, why there were no updates, and what's next. There have been many instances where I committed myself to come back to blogging with regular updates and to share my ConfigMgr production experiences and stories. Unfortunately it did not happen, as life at work and on the personal side was very busy with planning, changes and releases one after another, which did not allow me to focus on my blogging. After hours and on weekends I was busy with my newborn cutie Eshaan and going through new parenting experiences… lastly, Facebook and Twitter were also a good excuse for not being active in blogging.

 

Anyway coming back to the ConfigMgr07 topics, here is what you can expect in upcoming updates from my blogging…

 

·         Best Practices for deploying ConfigMgr07 Management Pack

·         How Microsoft IT is monitoring ConfigMgr07 hierarchy – a 360 degree approach

·         Implementing role based security model in ConfigMgr07 – Part 2

·         ConfigMgr07 SP2 upgrade experiences

·         Microsoft IT ConfigMgr07 Virtualization Story

 

Stay tuned for the updates..

Posted by Shitanshu | 0 Comments

WSUS 3.0 SP1 & Software update point upgrade in NLB for ConfigMgr07 SP1 upgrade pre-requisite

If you have ConfigMgr07 with the Software update point (SUP) configured in NLB and are now planning to upgrade to ConfigMgr SP1, the following are the steps I propose for the WSUS 3.0 SP1 upgrade of the Software update point, which is one of the prerequisites for the ConfigMgr SP1 upgrade. It is also a known issue with the SP1 upgrade that its prerequisite check does not warn about the WSUS 3.0 SP1 requirement on remote SUP sites.

 

1.       Please make sure to go through this link. (Ensure that you have a correct NLB setup; if not, please STOP, because you might be in an unsupported NLB scenario.)

2.       Shut down the NLB service

3.       Shut down IIS (iisreset /stop) and the WSUS service (net stop wsusservice) on all frontends

4.       Ensure no other services are able to access the database during the upgrade window.  More details here on TechNet.

5.       Back up your database

6.       Upgrade each machine individually

a.       Wsussetup.exe /q /g

b.      Review setup logs to verify upgrade was successful

c.       Make sure that IIS and the WSUS Service are still stopped on this machine (upgrade likes to restart them)

d.      Proceed to the next machine

7.       Start IIS and WSUS service on all the frontends

8.       Start the NLB back up
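
Steps 3, 6a and 6c for a single front end, as an added PowerShell example that is not part of the original post. The installer path is an assumption; WsusService and the /q /g switches are the ones given in the steps above, and W3SVC is the IIS web service.

```powershell
# Added example: run on ONE WSUS front end at a time, from an elevated prompt,
# after NLB has been stopped (step 2) and the database backed up (step 5).
param(
    # Assumption: local path of the WSUS 3.0 SP1 installer.
    [string]$SetupPath = 'C:\Install\WSUSSetup.exe'
)

# W3SVC is the IIS web service; WsusService is the name used with "net stop".
$services = 'W3SVC', 'WsusService'

function Stop-FrontEndServices {
    # Step 3: stop IIS, then stop anything in the list that is still running.
    & iisreset.exe /stop | Out-Null
    foreach ($name in $services) {
        $svc = Get-Service -Name $name
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force
        }
    }
}

function Test-FrontEndServicesStopped {
    # True only when every listed service reports Stopped.
    $running = Get-Service -Name $services |
        Where-Object { $_.Status -ne 'Stopped' }
    return (-not $running)
}

Stop-FrontEndServices
if (-not (Test-FrontEndServicesStopped)) {
    throw 'IIS or the WSUS service is still running; do not start the upgrade.'
}

# Step 6a: quiet upgrade with the switches given in the post.
$proc = Start-Process -FilePath $SetupPath -ArgumentList '/q', '/g' -Wait -PassThru

# Assumption: a non-zero exit code means failure. Reviewing the setup logs
# (step 6b) is still required even when the exit code is 0.
if ($proc.ExitCode -ne 0) {
    throw "WSUS setup exited with code $($proc.ExitCode); review the setup logs."
}

# Step 6c: setup may restart IIS and the WSUS service. Stop them again so this
# node stays away from the shared database while the other nodes are upgraded.
if (-not (Test-FrontEndServicesStopped)) {
    Write-Warning 'Setup restarted IIS and/or WSUS; stopping them again.'
    Stop-FrontEndServices
}

# Final state for the change record before moving to the next machine (step 6d).
Get-Service -Name $services | Format-Table Name, Status -AutoSize
```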

 

A few observations which don’t matter:

·         Only one machine’s registry has the correct location for the content directory

o   This is the first frontend machine that you ran move content on

o   All other machines have local paths

o   This doesn’t matter because we never use this property for anything, upgrade just persists it in registry, and it is never rewritten back to the database during upgrade

o   The same condition exists even before you start the upgrade

Lastmile check for ConfigMgr'07 SP1 upgrade

ConfigMgr'07 SP1 is released today and here is the link for downloading the SP1 bits: http://www.microsoft.com/downloads/details.aspx?FamilyID=5aae62e8-4b7f-4af7-be01-aefaa4bf059a&DisplayLang=en.

We recently upgraded our sites to ConfigMgr'07 SP1, and I would like to share some of the key learnings, which are also available in the release notes. If you are preparing for a ConfigMgr’07 SP1 upgrade in production, I would highly recommend going through the latest release notes HTML file “ConfigMgr07SP1Readme” for the known issues and the workarounds available for them.

 

Here is a snippet from the release notes listing some of the key known issues; their details and workarounds are available in the release notes:

·         Upgrading large site databases to Configuration Manager 2007 SP1 is extremely slow and disk space usage intensive

·         A management point site system installed on a Windows Server 2008 computer in native mode might become unresponsive

·         Cannot display the Configuration Manager 2007 Documentation link on the Start page

·         Extend Active Directory schema for Configuration Manager 2007 if Internet-based clients will be managed on both the Internet and the intranet.

·         Distribution point reinstallation on 64-bit installations of Windows Server 2008 might fail after changing client communication ports.

·         After running the Security Configuration Wizard on the site server, clients are unable to download content from the software update point

·         Update classification and product information is reset after upgrade

·         Report “List of NAP-capable and NAP-upgradable computers” does not include computers running Windows XP Service Pack 3

 

Also, one of the prerequisites for ConfigMgr’07 SP1 is that WSUS 3.0 SP1 is required on the Primary site as well as on all SUP sites. When you run the “prerequisite checker” wizard, it will fail if WSUS 3.0 SP1 is not installed on the Primary site but will not fail if it is not installed on a remote SUP site, so it is recommended to upgrade to WSUS 3.0 SP1 on remote SUP sites prior to the ConfigMgr’07 SP1 upgrade.

Provisioning ConfigMgr'07 Site Database server role in cluster for high availability

The ConfigMgr'07 site server database is one of the only site roles supported in a clustered configuration in ConfigMgr'07. I have not configured a clustered DB in production so far, as we did not have a critical business requirement for a clustered ConfigMgr'07 site server DB or the extra hardware for it. But since it is supported and may be needed by other customers, I am sharing some references and a to-do list for considering this in production, which will increase availability and reduce single points of failure.

  

1.       Use the setspn.exe (part of suptools.msi from the Windows Server 2003 Installation media) to publish the SPN of your virtual SQL Server cluster (Important: Publish both the NetBIOS and the FQDN) - http://technet.microsoft.com/en-us/library/bb735885.aspx

2.       Add the machine account of the primary site server machine to the Local Administrators group of each Windows Server cluster node computer. This is required to allow the site server to install and configure settings later.

3.       Check the database collation settings of the tempdb database on the SQL cluster (ensure you have the same settings as on the site server which hosts the DB at present). It is very important to check this before you move the database to the cluster.

4.       If the Microsoft Systems Management Server (SMS) Provider is located on a remote SQL server, the SMS provider must be moved to the local site server or another computer not hosting a SQL Server cluster node before moving the site database.

5.       Finally, to move the database, see the link How to Migrate the Site Database to a SQL Server Cluster Instance: http://technet.microsoft.com/en-us/library/bb632383.aspx

 

More information available:

SQL Server Preparation for Setup

http://technet.microsoft.com/en-us/library/bb632649.aspx

How to Configure an SPN for SQL Server Site Database Servers

http://technet.microsoft.com/en-us/library/bb735885.aspx

How to Install Configuration Manager Using a Clustered SQL Server Instance

http://technet.microsoft.com/en-us/library/bb693612.aspx

How to Migrate the Site Database to a SQL Server Cluster Instance

http://technet.microsoft.com/en-us/library/bb632383.aspx

How to go about ConfigMgr'07 role based security model?

As we are aware, full ConfigMgr'07 admin access provides a lot of privilege to manage all desktops in an enterprise, so it’s critical to manage ConfigMgr admin access with a role-based security model. We recently introduced a new security group model for managing ConfigMgr operations, keeping admin access on ConfigMgr to the least needed for each role, which is closely aligned to the ConfigMgr out-of-box security classes.

 

Below is the list of sample security groups we provisioned in AD and configured in the ConfigMgr admin console with equivalent access rights to manage role-based security in ConfigMgr'07.

 

Hope this helps in your planning for securing ConfigMgr'07 admin access with role based security model.

 

More details for ConfigMgr security planning are available on following link : http://technet.microsoft.com/en-us/library/bb680768.aspx 

 

Sample Security Group | Security Group Definition
ConfigMgr_Web_Reporting_Consumers | This group contains members who need to view ConfigMgr reports.
ConfigMgr_SQLDB_Consumers | This group contains members who need to have read access to the ConfigMgr database for data feed or reporting purposes.
ConfigMgr_Detail_Consumers | This group contains members who need to read all details about a given SMS/ConfigMgr site.
ConfigMgr_Monitoring_Providers | This group contains members which perform monitoring functions on the ConfigMgr servers.
ConfigMgr_Software_Deployment_Providers | This group contains members who need to write package deployment items.
ConfigMgr_Patch_Management_Providers | This group contains the members who need to create patch deployments.
ConfigMgr_Collection_Providers | This group contains the members that need to create & manage collections.
ConfigMgr_Advertisement_Providers | This group contains the members who need to create & manage advertisements.
ConfigMgr_OSD_Provider | This group contains the members who need to create ConfigMgr OSD objects.
ConfigMgr_DCM_Provider | This group contains members who need to create ConfigMgr DCM objects.
ConfigMgr_Software_Metering_Provider | This group contains the members that need to create ConfigMgr Software Metering objects.
ConfigMgr_DeviceMgmt_Provider | This group contains members who need to create ConfigMgr DMP objects.
ConfigMgr_Report_Provider | This group contains the objects that need to create ConfigMgr web reports.
ConfigMgr_Client_Troubleshooting_Provider | This group contains objects that need to access ConfigMgr client logs.
ConfigMgr_Infrastructure_Providers | This group contains the members who need to change ConfigMgr site settings and have full access for ConfigMgr.
ConfigMgr_Troubleshooting_Providers | This group contains the troubleshooting teams that provide escalation and resolution services.

How to setup WSUS & SUP role in NLB in ConfigMgr'07?

ConfigMgr'07 SUP & WSUS configurations in NLB

 

Here are the steps we followed during ConfigMgr SUP & WSUS setup in NLB in production. Please refer to the links below for more up-to-date information on WSUS NLB & SUP configuration.

http://technet2.microsoft.com/windowsserver/en/library/b17d7555-81fd-4e32-8e8b-92b4c79221161033.mspx?mfr=true

http://technet2.microsoft.com/windowsserver/en/library/94d1385f-4872-4c29-8822-3a4ec5e45ae41033.mspx?mfr=true

http://technet.microsoft.com/en-us/library/bb633165.aspx

 

A sample ConfigMgr SUP configuration in NLB; the same can be implemented with less hardware based on business requirements.

 

 

 

To configure WSUS as per the supported standard, we need at minimum 1 server for hosting the SQL DB & WSUS content and 2 servers for SUP roles for more than 25K clients in NLB configurations (one SUP server can scale up to 25K clients).

 

Before you start, please add all server system accounts in the ConfigMgr primary site and add all service accounts to the local admin group.

 

WSUS DB & content server for SUP

Sample server drive requirements for hosting WSUS DB & content for SUP.

 

DRIVE | DESCRIPTION | DIRECTORY/PURPOSE
C | System | C:\WINNT; C:\
D | SQL and SQL Tools | D:\MSSQL; D:\SQLTools
E | User Database Backups | E:\MSSQL\BAK
F | Log Backups | F:\MSSQL\TRAN
G | Content Location | G:\WSUS\WSUSContent
H | Data Files / SUPDB | H:\MSSQL\DATA
O | Log Files | O:\MSSQL\DATA
T | Tempdb Files | T:\MSSQL\DATA

 

 

·         This is the server that will host the SQL Back-End database and Software Update content for the WSUS NLB cluster.

·         Create a standard network shared folder that is available to all of the WSUS servers on this server that will be part of the software update point network load balancing cluster to be used as the WSUS resource content share. Each of the remote WSUS servers should be given change permissions on the root of the shared folder (all standard NTFS permissions except for full control). If the share is created on one of the site systems that will be part of the network load balancing cluster, the site system computer's Network Access account must have change permissions on the root of the shared folder. The user account used to run WSUS Setup should also have these permissions to the share created.

·         A SQL Server 2005 database server is installed on this server identified to host the WSUS database.

·         The UNC address to be used for the WSUS resource content share:

o    \\<FQDN>\WsusContent\

 

Follow the steps below on each SUP server node in the NLB cluster

1.    Install WSUS 3.0 on the servers using the steps below.

a.    On the Welcome page, click Next.

b.    On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.

c.    Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.

d.    On the Select Update Source page, select the Store updates locally check box and enter the path <Program Files directory>\Update Services. You will use the tool wsusutil.exe to move the content source location to point to the content source share on the Back-End SQL server after the WSUS installation is complete.

e.    On the Database Options page, for the first WSUS installation on a server that will be configured to use the NLB cluster, select Use an existing database server on a remote computer and enter the FQDN of the SQL Server that will host the WSUS database followed by the instance name (if not using the default instance).

 

Important note: On the second SUP server, the installation will prompt with one more step, where we need to select the option to use the existing database.

f.     On the Web Site Selection page, specify whether to use the existing Internet Information Services (IIS) Default Web site.

Important: After the WSUS installation completes, the Windows Server Update Services Configuration Wizard starts. Do not use the wizard to configure the WSUS installation; click Cancel to close the wizard. All WSUS server configuration is managed from within the Configuration Manager console.

 

2.    Add the Software Update Point NLB Network Connection Account to each WSUS Administrators group on the server.

3.    Configure Internet Information Services (IIS) to enable content share access.

a.    Start, point at All Programs, point at Administrative Tools, and click Internet Information Services (IIS) Manager.

b.    Expand <wsus server name>, expand Web Sites, and then expand the Web Site node for the WSUS Web site (either Default Web Site or WSUS Administration).

c.    Right-click Content node and click Properties.

d.    On the Virtual Directory tab, select the A share located on another computer option for the resource content and fill in the UNC share name with “\\FQDN\Wsus\” as the share.

e.    Click Connect As, and enter the user name and password of the Software Update Point Connection account. Click OK to close the Content node properties.

Important: This step must be followed for each of the Front-End WSUS servers.

f.     Open a command window and navigate to the WSUS tools directory on the WSUS server: Install Drive\Program Files\Update Services\Tools

g.    On the first WSUS server to be configured, at the command prompt, type the following command:

wsusutil movecontent <WSUSContentsharename> <logfilename>
Note: there is a space between each parameter above.

Where <WSUSContentsharename> is the name of the WSUS content resource location share to which the content should be moved.

h.    On the successive WSUS servers to be configured, at the command prompt type the following command:

wsusutil movecontent <WSUSContentsharename> <logfilename> /skipcopy


Tip: To verify that the content move was successful, review the log file created during the procedure and use Registry Editor to check the ContentDir value under the HKLM\Software\Microsoft\Update Services\Server\Setup registry key, ensuring that it has been changed to the WSUS content resource location share name you specified.

4.    Install the SUP on both NLB servers through the SCCM console, referring to the following.

 

Configure the Software Update Point Component Properties as follows:

Tab | Property | Setting
General | Software Update Point | Use Network Load Balancing cluster, Port 80, SSL 443
  | Network Load Balancing Settings | IP V4 /NLB address
  | Cross Forest Access Account | SMS service account
  | Allow intranet-only client connections | Selected
Sync Source | Source | Synchronize from upstream update server
Language Settings | Languages | Select the following languages: Chinese (Hong Kong S.A.R.), Chinese (People’s Republic of China), Chinese (Taiwan), English, French, German, Italian, Japanese (Japan), Korean, Spanish.

 Additional steps for Native mode configuration only.

1.    At the command prompt, change the directory to Install Drive\Program Files\Update Services\Tools.

2.    Execute the following command:

wsusutil.exe configuressl <Machine FQDN>

3.    Ensure SSL is enabled on the virtual directories listed below:

·         ApiRemoting30

·         ClientWebService

·         DssAuthWebService

·         ServerSyncWebService

·         SimpleAuthWebService

4.    Ensure SSL is not enabled on Content virtual directory.

 

Monitor WCM.log and WSYNCMGR.log to ensure WSUS sync is done successfully.

 Additional info

In case of WSUS un-installation in NLB

To uninstall WSUS on the first NLB node server, perform the following steps:

1.    Log on to the NODE server.

2.    Execute WSUSSetup.exe. The Windows Server Update Services 3.0 Setup Wizard appears.

3.    Select to remove only logs and click the Next button.

4.    When done, click the Finish button.

5.    Reboot the server to remove any files in process.

To uninstall WSUS on the second NLB node server, perform the following steps:

1.    Log on to the NODE server.

2.    Execute WSUSSetup.exe. The Windows Server Update Services 3.0 Setup Wizard appears.

3.    Select to remove all items (database, logs, and downloaded files) and click the Next button.

4.    When done, click the Finish button.

5.    Reboot the server to remove any files in process.

 

Posted by Shitanshu | 1 Comments

It’s time to go for ConfigMgr'07 Technologist specialist certification (70-401)

As we are aware, there is a ConfigMgr Technologist specialist certification (70-401) available. I would like to share some of the learnings based on feedback from my colleague, who passed it recently and said that it’s a very easy test.

 

ConfigMgr Technologist specialist certification (70-401) exam details are available on below link.

http://www.microsoft.com/learning/exams/70-401.mspx#top

 

From glancing at the above certification website, it appears MOC course 6451A is what you need in order to prepare, and the skills measured break down as follows.

 

Skills measured by Exam 70-401

·         Deploying a System Center Configuration Manager 2007 Server (9 percent)

·         Configuring an SCCM Infrastructure (19 percent)

·         Managing Resources (14 percent)

·         Distributing Applications (17 percent)

·         Deploying Operating Systems (13 percent)

·         Securing a Network Infrastructure (13 percent)

·         Managing and Maintaining an SCCM Infrastructure (15 percent)

 

Microsoft Official Curriculum (MOC) course for Planning, Deploying and Managing Microsoft Systems Center Configuration Manager 2007

http://www.microsoft.com/learning/syllabi/en-us/6451afinal.mspx

 

 

TechNet Virtual Lab: Introduction to System Center Configuration Manager (ConfigMgr '07)

http://msevents.microsoft.com/cui/webcasteventdetails.aspx?eventid=1032343963&eventcategory=3&culture=en-us&countrycode=us

 

Another suggestion is to refer to the ConfigMgr CHM file and TechNet for more details, and to browse the console multiple times to familiarize yourself as much as possible with all the options and wizards.

 

Hope this is useful for getting ready to go :)

SMS/ConfigMgr'07 birthdates aka SMS/ConfigMgr'07 release dates

I was looking for some info and came across the SMS birthdates, aka SMS release dates so far, and found them interesting to share with everyone…

 

SMS 1.0 – 11/7/94

SMS 1.1 – 7/28/95

SMS 1.2 – 7/29/96

SMS 2.0 – 1/11/99

SMS 2003 – 10/22/03

ConfigMgr'07 (SMS v4) - 8/24/2007

ConfigMgr'07 SP1 - 5/30/2008

ConfigMgr'07 R2 - ?

 

? = The release date for ConfigMgr'07 R2 will be available as soon as we get it released :)

 

 