Recently we deployed the ConfigMgr07 SP2 Management Pack in production at Microsoft IT; here are some key lessons learned and best practices.
1. Download the latest ConfigMgr07 SP2 Management Pack from the link below. It fixes the ConfigMgr07 SP1 known issues, covers more monitoring scenarios, has enhanced reports and, most importantly, supports site roles on 64-bit platforms with the 64-bit SCOM R2 agent.
http://www.microsoft.com/downloads/details.aspx?FamilyID=a8443173-46c2-4581-b3b8-ce67160f627b&displaylang=en
2. Prepare your pilot and production environments for ConfigMgr07 SP2 Management Pack deployment and validation. I recommend completing at least the following tasks for the ConfigMgr07 Management Pack deployment to achieve effective monitoring:
a. Validate that the SCOM R2 agent is installed and healthy on all site roles in scope for monitoring.
b. Import the pack and create a separate custom Management Pack to hold your overrides (never store overrides in the sealed pack).
c. If the SCOM agent service account does not have administrator permission on the local site servers, refer to page 17 of the ConfigMgr07 SP2 Management Pack guide (CM07_OM07_MPGuide.doc) for the least access required.
d. Create an SMS environment variable to support the log-based rules, since a number of rules look for errors in log files. Create the %SMS_INSTALL_DIR_PATH% system environment variable on each site server so that the SCOM/MOM agent, running under Local System or a local administrator context, can locate the log files in the %SMS_INSTALL_DIR_PATH%\Logs directory.
3. Complete the testing tasks for the ConfigMgr07 Management Pack:
a. Verify that the Configuration Manager 2007 computer groups are populated with computers running Configuration Manager 2007.
b. After enabling the relevant rules, ensure that the views and reports in the Operations Manager 2007 console are populated as desired, such as processing rates and inbox backlogs.
c. Be aware that some rules, listed below, are disabled by default and can be enabled based on the monitoring level required:
4. Rules related to other Management Packs, such as the IIS and SQL Server Management Packs, are disabled. If you have deployed those Management Packs, ensure there is no overlap between rules, to reduce duplicate alerts for the same symptom.
a. All performance-measuring rules are disabled to minimize the impact on the agent's CPU, memory and network resources. These rules can be enabled for more in-depth monitoring and troubleshooting.
5. Recommended Customization for ConfigMgr07 SP2 Management Pack
a. Inbox threshold – by default the inbox threshold is 10,000 files and the rule runs once per day, in 15-minute increments. This threshold usually suits large and medium ConfigMgr client environments, but if you have a small environment (fewer than 5,000 clients), consider lowering it, for example to 3,000.
b. Enable/disable rules – To avoid unwanted alerts, review all rules that are enabled by default and decide which are important for the business and for the level of monitoring required. For example, some warning/informational rules fire on conditions that may be expected in your environment; disable such informational/warning alerts if no action is required. I have also uploaded the list of all default rules and their default status, with an added column showing which rules Microsoft IT has enabled, as a reference. Please do not use the Microsoft IT enabled rules as a baseline, because we have unique business requirements. Here is the link for the list of rules and their state - http://cid-80514c55d60387d4.skydrive.live.com/browse.aspx/ConfigMgr07SP2MP
c. Rule of thumb – enable only those rules that alert on actionable incidents.
d. Review the alerts daily for the first few weeks, until every alert is actionable, there is no noise, and no critical alert is missing.
6. Perform the recommended daily/weekly/monthly tasks for ConfigMgr07 SP2 from the Management Pack guide (pages 43 to 49), and don't forget to check out the new availability reports.
7. Finally, there are some known issues for the Configuration Manager 2007 Management Pack, listed below:
a. Configuration Manager 2007 Might Interfere with the Installation of Non-Microsoft Software That Stops the WMI Service
b. WMI Monitoring
c. Configuration Manager 2007 Management Pack Cannot Detect SMS Secondary Site if SMS Administrator Console Installed on the Same Computer
d. System Restarts Provide Limited Alerts
e. Monitor SMS Status Messages Script in Configuration Manager 2007
f. Monitor Site Summarizer Script in Configuration Manager 2007 Is Offset From the Default Site System Status Summarizer Interval
g. BITS Monitoring Disabled by Default
h. Application Provider Path Is Set to %SMS_INSTALL_DIR_PATH%\Logs by Default, Which Might Not Be Valid on Every Configuration Manager Site Server
i. Status Message Rules That Monitor Sender Connectivity Have a Dependency on the Sender Functioning
j. Script errors in the Site Topology View Portray Installation Path Instead of Computer Name
k. Agent Required on All Configuration Manager Servers for Site Hierarchy Diagram Support
l. SMS 2003 Tasks Appear in the Configuration Manager 2007 State View
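For step 2d above, here is an added example (not from the original post or the Management Pack guide) of creating the variable and checking that the agent can actually see the log files. It assumes the ConfigMgr 2007 installation directory is stored in the registry value shown (adjust if your site stores it elsewhere) and that it runs in an elevated PowerShell session on each site server:

```powershell
# Added example: create the SMS_INSTALL_DIR_PATH system variable the log-based
# rules expect, and verify the Logs folder is readable before enabling them.
# Assumed registry location of the ConfigMgr 2007 install directory:
$regPath   = 'HKLM:\SOFTWARE\Microsoft\SMS\Identification'   # assumption
$valueName = 'Installation Directory'                         # assumption

$installDir = (Get-ItemProperty -Path $regPath -ErrorAction Stop).$valueName
$logDir     = Join-Path $installDir 'Logs'
if (-not $installDir -or -not (Test-Path -Path $logDir)) {
    throw "Could not locate a ConfigMgr Logs folder under '$installDir'"
}

# Machine scope, so it is visible whether the agent runs as Local System or as
# a local administrator. Running processes keep their old environment block,
# so the agent (HealthService) is restarted at the end.
[Environment]::SetEnvironmentVariable('SMS_INSTALL_DIR_PATH', $installDir, 'Machine')

# Re-read from the Machine scope to confirm it persisted; the current
# session's $env: copy would not show a freshly written machine variable.
$persisted = [Environment]::GetEnvironmentVariable('SMS_INSTALL_DIR_PATH', 'Machine')
if ($persisted -ne $installDir) { throw 'SMS_INSTALL_DIR_PATH was not persisted' }

# Confirm the log files can be enumerated. To catch ACL problems, run this
# part under the agent's own account (Local System via "psexec -s", or the
# low-rights account from page 17 of the MP guide), not only as yourself.
$logs = Get-ChildItem -Path (Join-Path $persisted 'Logs') -Filter '*.log' -ErrorAction Stop
"$($logs.Count) log files visible under $persisted\Logs"

Restart-Service -Name HealthService   # SCOM R2 agent service, picks up the new variable
```

The variable is only a path hint for the rules; if the agent account cannot read the Logs folder, the rules stay silent rather than alerting, which is why the read check is done as the agent's account.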
Hope this quick synopsis helps with deploying the ConfigMgr07 SP2 Management Pack.
Good luck with ConfigMgr07 monitoring!
First of all, I would like to explain where I was for so many days, why there were no updates, and what's next. Actually, there have been many instances where I committed myself to coming back to blogging with regular updates, sharing my ConfigMgr production experiences and stories. But unfortunately it did not happen, as life at work and on the personal side was very busy with planning, changes and releases one after another, and did not allow me to focus on my blogging. After hours and on weekends I was busy with my newborn cutie Eshaan and going through new parenting experiences... lastly, Facebook and Twitter were also good excuses for not being active in blogging.
Anyway, coming back to ConfigMgr07 topics, here is what you can expect in upcoming updates from my blog:
· Best Practices for deploying ConfigMgr07 Management Pack
· How Microsoft IT is monitoring ConfigMgr07 hierarchy – a 360 degree approach
· Implementing role based security model in ConfigMgr07 – Part 2
· ConfigMgr07 SP2 upgrade experiences
· Microsoft IT ConfigMgr07 Virtualization Story
Stay tuned for the updates.
If you have ConfigMgr07 with a Software Update Point (SUP) configured in NLB and are now planning to upgrade to ConfigMgr SP1, the following are the steps I propose for the WSUS 3.0 SP1 upgrade of the Software Update Point, which is one of the prerequisites for the ConfigMgr SP1 upgrade. Note that it is a known issue with the SP1 upgrade that the prerequisite check does not warn about the WSUS 3.0 SP1 upgrade on remote SUP sites.
1. Ensure that you go through this link. (Ensure that you have a correct NLB setup; if not, STOP, because you might be in an unsupported NLB scenario.)
2. Stop NLB on every node.
3. Stop IIS (iisreset /stop) and the WSUS service (net stop wsusservice) on all front ends.
4. Ensure no other services can access the database during the upgrade window. More details here on TechNet.
5. Back up your database.
6. Upgrade each machine individually:
a. Run wsussetup.exe /q /g
b. Review the setup logs to verify that the upgrade was successful.
c. Make sure that IIS and the WSUS service are still stopped on this machine (the upgrade likes to restart them).
d. Proceed to the next machine.
7. Start IIS and the WSUS service on all the front ends.
8. Start NLB back up.
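The per-node part of the procedure above (steps 2, 3 and 6a to 6c), as an added example that is not the author's script: run it on each WSUS front end in turn as a local administrator. It assumes the node names and the WSUSSetup.exe path are placeholders, that nlb.exe (Windows Server 2003/2008) acts on the local host when no cluster is named, and that WSUS 3.0 setup writes its log to %TEMP%\WSUSSetup.log:

```powershell
# Added example: quiesce this front end, prove every front end is quiet,
# run the silent WSUS upgrade, then put the services back to Stopped.
$frontEnds = 'sup01.contoso.com', 'sup02.contoso.com'   # placeholder node names
$setupExe  = 'D:\Install\WSUSSetup.exe'                   # placeholder path

function Get-ServiceState ([string]$Computer, [string]$Name) {
    # Win32_Service works remotely on PowerShell 1.0; Get-Service -ComputerName needs 2.0
    (Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name='$Name'").State
}

function Stop-LocalWsusFrontEnd {
    & iisreset.exe /stop | Out-Null             # stops W3SVC and the other IIS services
    Stop-Service -Name WsusService -Force       # same effect as "net stop wsusservice"
    foreach ($svc in 'W3SVC', 'WsusService') {
        while ((Get-ServiceState $env:COMPUTERNAME $svc) -ne 'Stopped') { Start-Sleep -Seconds 5 }
    }
}

function Assert-AllFrontEndsStopped {
    # Nothing may touch the shared WSUS database while setup upgrades its schema
    foreach ($fe in $frontEnds) {
        foreach ($svc in 'W3SVC', 'WsusService') {
            $state = Get-ServiceState $fe $svc
            if ($state -ne 'Stopped') { throw "$svc on $fe is '$state'; stop it before upgrading" }
        }
    }
}

# Steps 2-3 on this node: leave the cluster, then stop IIS and WSUS.
& nlb.exe stop | Out-Null        # assumption: no cluster argument = local host
Stop-LocalWsusFrontEnd
Assert-AllFrontEndsStopped

# Step 6a: silent upgrade; wait for the bootstrapper rather than assuming it is done.
$proc = [Diagnostics.Process]::Start($setupExe, '/q /g')
$proc.WaitForExit()
$log = Join-Path $env:TEMP 'WSUSSetup.log'    # assumed log location
if ($proc.ExitCode -ne 0) { throw "WSUSSetup.exe exit code $($proc.ExitCode); review $log" }

# Step 6b: the log is the authority, not the exit code; surface any failure lines.
Select-String -Path $log -Pattern 'error|fail' | Select-Object -Last 10

# Step 6c: setup restarts IIS and WsusService; return them to Stopped before the
# next node runs setup against the same database.
Stop-LocalWsusFrontEnd
Assert-AllFrontEndsStopped
"$env:COMPUTERNAME upgraded; proceed to the next front end."
# After the last node: iisreset /start, net start wsusservice and nlb.exe start on every node.
```

The two Assert-AllFrontEndsStopped calls are the point of the script: the first proves step 3 really held across the cluster before setup touches the database, the second catches the restart described in step 6c before you move on.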
A few observations which don't matter:
· Only one machine's registry has the correct location for the content directory
o This is the first front-end machine that you ran movecontent on
o All other machines have local paths
o This doesn't matter because this property is never used for anything; upgrade just persists it in the registry, and it is never written back to the database during upgrade
o The same condition exists even before you start the upgrade
ConfigMgr'07 SP1 was released today; here is the link for downloading the SP1 bits: http://www.microsoft.com/downloads/details.aspx?FamilyID=5aae62e8-4b7f-4af7-be01-aefaa4bf059a&DisplayLang=en.
As we recently upgraded our sites to ConfigMgr'07 SP1, I would like to share some key learnings, which are also available in the release notes. If you are preparing for a ConfigMgr'07 SP1 upgrade in production, I highly recommend going through the latest release notes HTML file, "ConfigMgr07SP1Readme", for the known issues and the workarounds available for them.
Here is a snippet from the release notes listing some of the key known issues; their details and workarounds are in the release notes:
· Upgrading large site databases to Configuration Manager 2007 SP1 is extremely slow and disk space usage intensive
· A management point site system installed on a Windows Server 2008 computer in native mode might become unresponsive
· Cannot display the Configuration Manager 2007 Documentation link on the Start page
· Extend Active Directory schema for Configuration Manager 2007 if Internet-based clients will be managed on both the Internet and the intranet.
· Distribution point reinstallation on 64-bit installations of Windows Server 2008 might fail after changing client communication ports.
· After running the Security Configuration Wizard on the site server, clients are unable to download content from the software update point
· Update classification and product information is reset after upgrade
· Report “List of NAP-capable and NAP-upgradable computers” does not include computers running Windows XP Service Pack 3
Also, one prerequisite for ConfigMgr'07 SP1 is WSUS 3.0 SP1 on the primary site as well as on all SUP sites. When you run the "Run the prerequisite checker" wizard, it fails if WSUS 3.0 SP1 is not installed on the primary site, but it does not fail if WSUS 3.0 SP1 is missing on a remote SUP site, so upgrade to WSUS 3.0 SP1 on the remote SUP sites prior to the ConfigMgr'07 SP1 upgrade.
The ConfigMgr'07 site database is the only site role supported in a clustered configuration in ConfigMgr'07. I have not configured a clustered DB in production so far, as we did not have a critical business requirement for a clustered site database or the extra hardware it needs, but since it is supported and may be needed by other customers, I am sharing some references and a to-do list for considering it in production, which increases availability and reduces single points of failure.
1. Use setspn.exe (part of suptools.msi on the Windows Server 2003 installation media) to publish the SPN of your virtual SQL Server cluster (important: publish both the NetBIOS name and the FQDN) - http://technet.microsoft.com/en-us/library/bb735885.aspx
2. Add the machine account of the primary site server to the local Administrators group on each Windows Server cluster node. This is required to allow the site server to install and configure settings later.
3. Check the collation settings of the tempdb database on the SQL cluster (ensure they match those on the server that currently hosts the site database). It is very important to check this before you move the database to the cluster.
4. If the SMS Provider is located on a remote SQL server, it must be moved to the site server or to another computer that is not a SQL Server cluster node before moving the site database.
5. Finally, to move the database, follow How to Migrate the Site Database to a SQL Server Cluster Instance: http://technet.microsoft.com/en-us/library/bb632383.aspx
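Steps 1 and 3 above, as an added example rather than anything from the TechNet articles: it registers the SQL SPN for both name forms, verifies they landed, and compares the site database's collation with the cluster's tempdb before you migrate. The server names, SQL service account, port and site database name are placeholders; setspn.exe comes from the Windows Server 2003 Support Tools and needs an account allowed to write servicePrincipalName on the SQL service account:

```powershell
# Added example: publish and verify the cluster SPNs, then check collation.
$sqlNetbios  = 'SQLCLUS01'               # virtual SQL name, NetBIOS form (placeholder)
$sqlFqdn     = 'sqlclus01.contoso.com'   # virtual SQL name, FQDN form (placeholder)
$sqlPort     = 1433                      # named instances listen on their own port
$sqlSvcAcct  = 'CONTOSO\svc_sql'         # account the clustered SQL service runs as
$currentHost = 'cm01.contoso.com'        # server hosting the site database today
$siteDb      = 'SMS_PRI'                 # site database name (placeholder)

# Kerberos looks up an SPN for whichever name the site server uses to connect;
# register both so authentication does not silently fall back to NTLM or fail.
foreach ($name in $sqlNetbios, $sqlFqdn) {
    & setspn.exe -A "MSSQLSvc/${name}:$sqlPort" $sqlSvcAcct
}
$registered = & setspn.exe -L $sqlSvcAcct
foreach ($name in $sqlNetbios, $sqlFqdn) {
    if (-not ($registered -match "MSSQLSvc/${name}:$sqlPort")) { throw "SPN for $name is missing" }
}

function Get-DbCollation ([string]$Server, [string]$Database) {
    # Integrated Windows auth; sys.databases exists on SQL Server 2005 and later.
    $cn  = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Integrated Security=SSPI;Database=master"
    $cmd = $cn.CreateCommand()
    $cmd.CommandText = 'SELECT collation_name FROM sys.databases WHERE name = @n'
    [void]$cmd.Parameters.AddWithValue('@n', $Database)
    $cn.Open()
    try { $cmd.ExecuteScalar() } finally { $cn.Close() }
}

# tempdb on the cluster must use the same collation as the site database;
# otherwise queries that build temporary tables fail with collation conflicts.
$siteCollation = Get-DbCollation $currentHost $siteDb
$clusterTempdb = Get-DbCollation $sqlFqdn 'tempdb'
if ($siteCollation -ne $clusterTempdb) {
    throw "Collation mismatch: $siteDb=$siteCollation, cluster tempdb=$clusterTempdb"
}
"Collation OK ($siteCollation); SPNs registered for $sqlNetbios and $sqlFqdn"
```

Connecting to the cluster by FQDN in the collation check also exercises the freshly registered SPN; if the connection works from the site server only by IP, the SPN is the first thing to suspect.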
More information available:
SQL Server Preparation for Setup
http://technet.microsoft.com/en-us/library/bb632649.aspx
How to Configure an SPN for SQL Server Site Database Servers
http://technet.microsoft.com/en-us/library/bb735885.aspx
How to Install Configuration Manager Using a Clustered SQL Server Instance
http://technet.microsoft.com/en-us/library/bb693612.aspx
How to Migrate the Site Database to a SQL Server Cluster Instance
http://technet.microsoft.com/en-us/library/bb632383.aspx
As we know, ConfigMgr'07 full admin access carries a lot of privilege, enough to manage every desktop in an enterprise, so it is critical to manage ConfigMgr admin access with a role-based security model. We recently introduced a new security group model for managing ConfigMgr operations with least admin access per role, which aligns closely with the ConfigMgr out-of-box security classes.
Below is the list of sample security groups we provisioned in AD and configured in the ConfigMgr admin console with equivalent access rights, to implement role-based security in ConfigMgr'07.
Hope this helps in your planning for securing ConfigMgr'07 admin access with a role-based security model.
More details on ConfigMgr security planning are available at the following link: http://technet.microsoft.com/en-us/library/bb680768.aspx
Sample Security Group | Security Group Definition
ConfigMgr_Web_Reporting_Consumers | Members who need to view ConfigMgr reports.
ConfigMgr_SQLDB_Consumers | Members who need read access to the ConfigMgr database for data feeds or reporting.
ConfigMgr_Detail_Consumers | Members who need to read all details about a given SMS/ConfigMgr site.
ConfigMgr_Monitoring_Providers | Members who perform monitoring functions on the ConfigMgr servers.
ConfigMgr_Software_Deployment_Providers | Members who need to write package deployment items.
ConfigMgr_Patch_Management_Providers | Members who need to create patch deployments.
ConfigMgr_Collection_Providers | Members who need to create and manage collections.
ConfigMgr_Advertisement_Providers | Members who need to create and manage advertisements.
ConfigMgr_OSD_Provider | Members who need to create ConfigMgr OSD objects.
ConfigMgr_DCM_Provider | Members who need to create ConfigMgr DCM objects.
ConfigMgr_Software_Metering_Provider | Members who need to create ConfigMgr software metering objects.
ConfigMgr_DeviceMgmt_Provider | Members who need to create ConfigMgr DMP objects.
ConfigMgr_Report_Provider | Members who need to create ConfigMgr web reports.
ConfigMgr_Client_Troubleshooting_Provider | Members who need to access ConfigMgr client logs.
ConfigMgr_Infrastructure_Providers | Members who need to change ConfigMgr site settings and have full access to ConfigMgr.
ConfigMgr_Troubleshooting_Providers | The troubleshooting teams that provide escalation and resolution services.
ConfigMgr'07 SUP & WSUS configurations in NLB
Here are the steps we followed during ConfigMgr SUP and WSUS setup in NLB in production. Refer to the links below for more up-to-date information on WSUS NLB and SUP configuration.
http://technet2.microsoft.com/windowsserver/en/library/b17d7555-81fd-4e32-8e8b-92b4c79221161033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/94d1385f-4872-4c29-8822-3a4ec5e45ae41033.mspx?mfr=true
http://technet.microsoft.com/en-us/library/bb633165.aspx
A sample ConfigMgr SUP configuration in NLB; the same can be implemented with less hardware based on business requirements.

For configuring WSUS per the supported standard we need, at minimum, 1 server hosting the SQL DB and WSUS content and 2 servers for the SUP roles in the NLB configuration for more than 25K clients (one SUP server can scale up to 25K clients).
Before you start, add all of the server computer accounts in the ConfigMgr primary site and add all of the service accounts to the local Administrators group.
WSUS DB and content server for the SUP
Sample server drive layout for hosting the WSUS DB and content for the SUP:
DRIVE | DESCRIPTION | DIRECTORY/PURPOSE
C | System | C:\WINNT; C:\
D | SQL and SQL Tools | D:\MSSQL; D:\SQLTools
E | User Database Backups | E:\MSSQL\BAK
F | Log Backups | F:\MSSQL\TRAN
G | Content Location | G:\WSUS\WSUSContent
H | Data Files / SUP DB | H:\MSSQL\DATA
O | Log Files | O:\MSSQL\DATA
T | Tempdb Files | T:\MSSQL\DATA
· This is the server that hosts the SQL back-end database and the software update content for the WSUS NLB cluster.
· Create a standard network shared folder on this server, available to all of the WSUS servers that will be part of the software update point NLB cluster, to be used as the WSUS content share. Each of the remote WSUS servers should be given Change permission on the root of the shared folder (all standard NTFS permissions except Full Control). If the share is created on one of the site systems that will be part of the NLB cluster, that site system's Network Access account must have Change permission on the root of the shared folder. The user account used to run WSUS Setup also needs these permissions on the share.
· A SQL Server 2005 database server is installed on this server to host the WSUS database.
· The UNC address to be used for the WSUS resource content share:
o \\<FQDN>\WsusContent\
Follow the steps below on each SUP server (NLB node):
1. Install WSUS 3.0 on the servers using the steps below.
a. On the Welcome page, click Next.
b. On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.
c. Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.
d. On the Select Update Source page, select the Store updates locally check box and enter the path <Program Files directory>\Update Services. After the WSUS installation is complete you will use wsusutil.exe to move the content source location to the content share on the back-end SQL server.
e. On the Database Options page, for the first WSUS installation on a server that will be part of the NLB cluster, select Use an existing database server on a remote computer and enter the FQDN of the SQL Server that will host the WSUS database, followed by the instance name (if not using the default instance).
Important note: on the second SUP server, installation prompts for one more step, where you need to select the option to use the existing database.
f. On the Web Site Selection page, specify whether to use the existing Internet Information Services (IIS) Default Web Site.
Important: after the WSUS installation completes, the Windows Server Update Services Configuration Wizard starts. Do not use the wizard to configure the WSUS installation; click Cancel to close it. All WSUS server configuration is managed from within the Configuration Manager console.
2. Add the Software Update Point NLB network connection account to the WSUS Administrators group on each server.
3. Configure Internet Information Services (IIS) to enable content share access.
a. Start, point at All Programs, point at Administrative Tools, and click Internet Information Services (IIS) Manager.
b. Expand <wsus server name>, expand Web Sites, and then expand the Web Site node for the WSUS Web site (either Default Web Site or WSUS Administration).
c. Right-click Content node and click Properties.
d. On the Virtual Directory tab, select the A share located on another computer option for the content and fill in the UNC share name "\\FQDN\Wsus\" (the content share created on the back-end server).
e. Click Connect As, and enter the user name and password of the Software Update Point Connection account. Click OK to close the Content node properties.
Important: This step must be followed for each of the Front-End WSUS servers.
f. Open a command window and navigate to the WSUS tools directory on the WSUS server: <Install Drive>\Program Files\Update Services\Tools
g. On the first WSUS server to be configured, at the command prompt, type the following command:
wsusutil movecontent <WSUSContentsharename> <logfilename>
Note: there is a space between each parameter above.
Where <WSUSContentsharename> is the name of the WSUS content share to which the content should be moved.
h. On each successive WSUS server to be configured, at the command prompt type the following command (the content is already on the share, so only the location is updated):
wsusutil movecontent <WSUSContentsharename> <logfilename> /skipcopy
· Tip: to verify that the content move was successful, review the log file created during the procedure and use Registry Editor to check that the ContentDir value under HKLM\Software\Microsoft\Update Services\Server\Setup has been changed to the WSUS content share name you specified.
4. Install the SUP role on both NLB servers through the SCCM console and configure the Software Update Point Component Properties as follows:
Tab | Property | Setting
General | Software Update Point | Use Network Load Balancing cluster; Port 80, SSL 443
General | Network Load Balancing Settings | IPv4 NLB address
General | Cross Forest Access Account | SMS service account
General | Allow intranet-only client connections | Selected
Sync Source | Source | Synchronize from upstream update server
Language Settings | Languages | Chinese (Hong Kong S.A.R.), Chinese (People's Republic of China), Chinese (Taiwan), English, French, German, Italian, Japanese (Japan), Korean, Spanish
Additional steps for native mode configuration only:
1. At the command prompt, change directory to <Install Drive>\Program Files\Update Services\Tools.
2. Execute the following command:
wsusutil.exe configuressl <Machine FQDN>
3. Ensure SSL is enabled on the virtual directories listed below:
· ApiRemoting30
· ClientWebService
· DssAuthWebService
· ServerSyncWebService
· SimpleAuthWebService
4. Ensure SSL is not enabled on the Content virtual directory (clients download content over plain HTTP).
Monitor WCM.log and WSyncMgr.log to ensure the WSUS sync completes successfully.
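The tip in step 3h and the SSL checks in the native-mode steps, as one added verification script (not from the original post or the TechNet articles) to run on each NLB node after its movecontent step. It reads the IIS 6 metabase through ADSI; the content share UNC is a placeholder, the WSUS site is assumed to be "Default Web Site" unless you set the "WSUS Administration" name, and the switch is spelled -skipcopy, the form the WSUS operations guide documents:

```powershell
# Added example: re-point content on a non-first node, then verify the
# registry, the IIS Content virtual directory and (native mode) the SSL flags.
$contentShare = '\\sqlwsus01.contoso.com\WsusContent'   # placeholder UNC share
$siteName     = 'Default Web Site'                      # or 'WSUS Administration'
$nativeMode   = $false                                  # $true for a native-mode site
$isFirstNode  = $false                                  # $true only on the node that copies content

# Steps 3g/3h: first node moves the files, every later node only updates the location.
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
$moveArgs = @('movecontent', $contentShare, (Join-Path $env:TEMP 'movecontent.log'))
if (-not $isFirstNode) { $moveArgs += '-skipcopy' }
& $wsusutil $moveArgs

# Registry ContentDir is informational only (see the SP1 upgrade notes: later
# nodes may keep a local path), so report it rather than fail on it.
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
"Registry ContentDir = $((Get-ItemProperty $setupKey).ContentDir)"

function Get-WebSiteId ([string]$Name) {
    # Map the site's display name to its metabase ID (W3SVC/<id>).
    foreach ($site in ([ADSI]'IIS://localhost/W3SVC').Children) {
        if ($site.SchemaClassName -eq 'IIsWebServer' -and [string]$site.ServerComment -eq $Name) {
            return [string]$site.Name
        }
    }
    throw "Web site '$Name' not found in the IIS metabase"
}
$siteId = Get-WebSiteId $siteName
function Get-VDir ([string]$Path) { [ADSI]"IIS://localhost/W3SVC/$siteId/Root/$Path" }

# What actually serves content is the vdir's physical path, so this one fails hard.
$content = Get-VDir 'Content'
$path    = ([string]$content.Path).TrimEnd('\')
if ($path -ne $contentShare.TrimEnd('\')) { throw "Content vdir points to '$path', expected '$contentShare'" }
if (-not [string]$content.UNCUserName) { throw 'Content vdir has no Connect As account (UNCUserName is empty)' }

if ($nativeMode) {
    $sslRequired = 'ApiRemoting30', 'ClientWebService', 'DssAuthWebService',
                   'ServerSyncWebService', 'SimpleAuthWebService'
    foreach ($v in $sslRequired) {
        if (-not [bool](Get-VDir $v).AccessSSL.Value) { throw "$v does not require SSL" }
    }
    # Content stays HTTP: clients fetch update binaries over plain HTTP (BITS).
    if ([bool]$content.AccessSSL.Value) { throw 'Content vdir must not require SSL' }
}
"$env:COMPUTERNAME: Content -> $path (connect as $([string]$content.UNCUserName)); SSL flags OK"
```

Run it as an administrator on each node after the IIS Content step and the movecontent command; a wrong Connect As account shows up here as an empty UNCUserName, long before clients report download failures.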
Additional info
In case of WSUS uninstallation in NLB:
To uninstall WSUS on the first NLB node server, perform the following steps:
1. Log on to the node server.
2. Execute WSUSSetup.exe. The Windows Server Update Services 3.0 Setup Wizard appears.
3. Select to remove only the logs (leave the database and downloaded files, which the remaining node still uses) and click the Next button.
4. When done, click the Finish button.
5. Reboot the server to remove any files still in use.
To uninstall WSUS on the second node server, perform the following steps:
1. Log on to the node server.
2. Execute WSUSSetup.exe. The Windows Server Update Services 3.0 Setup Wizard appears.
3. Select to remove all items (database, logs, and downloaded files) and click the Next button.
4. When done, click the Finish button.
5. Reboot the server to remove any files still in use.
As we know, the ConfigMgr Technology Specialist certification (70-401) is available, so I would like to share some of the learnings from a colleague who passed it recently and said it is a very easy test.
ConfigMgr Technology Specialist certification (70-401) exam details are available at the link below.
http://www.microsoft.com/learning/exams/70-401.mspx#top
Glancing at the certification website above, it appears MOC course 6451A is what you need in order to prepare, with the following skills-measured breakdown.
Skills measured by Exam 70-401
· Deploying a System Center Configuration Manager 2007 Server (9 percent)
· Configuring an SCCM Infrastructure (19 percent)
· Managing Resources (14 percent)
· Distributing Applications (17 percent)
· Deploying Operating Systems (13 percent)
· Securing a Network Infrastructure (13 percent)
· Managing and Maintaining an SCCM Infrastructure (15 percent)
Microsoft Official Curriculum (MOC) course for Planning, Deploying and Managing Microsoft Systems Center Configuration Manager 2007
http://www.microsoft.com/learning/syllabi/en-us/6451afinal.mspx
TechNet Virtual Lab: Introduction to System Center Configuration Manager (ConfigMgr '07)
http://msevents.microsoft.com/cui/webcasteventdetails.aspx?eventid=1032343963&eventcategory=3&culture=en-us&countrycode=us
Another suggestion is to refer to the ConfigMgr CHM file and TechNet for more details, and to browse the console multiple times to become familiar with all of the options and wizards.
Hope this is useful for getting ready to go :)
I was looking for some info and came across the SMS/ConfigMgr'07 release dates (aka birthdays) so far, which I found interesting enough to share with everyone. I have worked on every version so far except SMS 1.0.
· SMS 1.0 – 11/7/94
o SMS 1.1 – 7/28/95
o SMS 1.2 – 7/29/96
· SMS 2.0 – 1/11/99
o SMS 2.0 SP1 - ?
o SMS 2.0 SP2 - 6/21/2000
o SMS 2.0 SP3 - ?
o SMS 2.0 SP4 - ?
o SMS 2.0 SP5 – 4/3/2003
· SMS 2003 – 10/22/03
o SMS 2003 SP1 - 11/1/2004
o SMS 2003 SP2 - 6/27/2006
o SMS 2003 SP3 - 7/6/2007
· ConfigMgr'07 - 8/24/2007
o ConfigMgr'07 SP1 - 5/30/2008
o ConfigMgr'07 R2 – 9/2/2008
o ConfigMgr'07 SP2 – 10/22/2009
o ConfigMgr'07 R3 – expected to be released in March/April 2010
? - release date not found yet; I will add it as soon as I have it.