Jump to content


Established Members
  • Posts

  • Joined

  • Last visited

Posts posted by draker

  1. Hello!


    We have an SCCM 2012r2 (No CUs) environment setup in a single AD site. It consists of a single primary site server, one DP, and a dedicated MSSQL box. No PKI configured. We are using self signed certs that are created as part of the wizard. We have delegated admin rights for other users.


    The problem we are having is these delegated admins are no longer able to create Task Sequence Media. No longer, meaning this used to work.


    When a delegated admin is attempting to create bootable media, they are prompted for credentials after the Summary step in the wizard.


    These credentials will fail and leave the following in the logs:




    Failed to open to WMI namespace '\\oursccmsite.com\root\SMS\site_101' (80070005)

    Failed to open WMI namespace '\\oursccmsite.com\root\SMS\site_101' (0x80070005)

    CreateTsMedia failed with error 0x80070005, details=''


    80070005 = access denied.


    Media creation does work with my credentials, which has local admin on all site servers. This leads me to believe the issue is actually related to WMI permissions on the primary site server? Are there some additional permission I need to check on the server side to allow for media creation? Do I need read access to WMI on the primary site server or write access as well?



    Things I've tested:

    Disable host firewalls = Test failed

    Create test user with full global admin permissions within SCCM = Test failed

    Added test user to local admins group on primary site server = Test Failed


    In all of these scenarios, using my admin credentials will allow for media creation.



    Any feedback would be appreciated.


    Thank you!



  2. We are experience a strange issue with some application deployments. It appears application deployments containing a large number of files are very slow to deploy. Examples being Adobe products and Autodesk products, but not limited to these applications.


    Initially, I thought perhaps network bandwidth might be the issue however, if I download a file directly from the DP via http, it downloads at normal speed. On the flipside, if we deploy autodesk, the download will sit at 0% on the client for a very long time. Hours even or days even..


    As a test we zipped the files and did a test deployment transferring a large zip, and it downloaded quickly.


    Looking at the IIS logs I see files downloading to the client, but at a very slow rate. Generally I'll see a 401 - not authorized, followed by a 200 right after with domain\computeraccount$ for credentials.


    Smaller deployments work great. There are no bits throttling settings specified. No 404 errors seen in the IIS logs. No bandwidth throttling in IIS. bitsadmin /list /allusers usually shows 'CONNECTING' state.



    I am at a loss about where to look next to troubleshoot this issue.

  3. Hello,


    I have read several articles on WSUS and SCCM. Many articles don't mention the fact that WSUS if not maintained will eventually slow to a grinding halt because it needs monthly maintenance ran on the DB.


    This article actually describes what I am trying to avoid pretty well!




    I've also been told that no changes should be made to WSUS because SCCM controls the WSUS server.





    At this point I have edited the membership on all expired and superseded updates. I would like to run the cleanup wizard on the WSUS server.. and if it fails I would like to run manual obsolete update queries on the DB as described in the linked article above. I have ran these on our standalone WSUS instances with great success.


    My concern here is that somehow SUP will break because updates are missing or something.


    I have read the articles on manual cleanups of the source directory etc, that's not what I am looking to do. I am looking to maintain WSUS so my nightly syncs don't start failing.. etc.


    Can anyone speak to what is described in the linked article above? Is running the wsus cleanup wizards monthly safe?




  4. Also, I'm trying to find info about SMB shares on the site server.


    What other servers need access to these shares? I am going to firewall them off as needed.


    I am guessing OU admins may want access to the \\site-server\SMS_101\Logs directory at least and possibly a few more. Any advise here?




  5. Hello,


    I am looking for a bit of help with admin delegation in SCCM 2012 r2. I think I've got a good amount of the delegation done but I'm really looking for a how-to or a reference article that could better explain what components should be delegated.



    What I am trying to achieve:


    We are offering SCCM as a service to other administrators in our forest. Administrators will be granted full access to administrate workstations and servers that reside in there specific OU in Active Directory. This means create collections, import computers, deploy software, OSD, install clients, reporting, inventory.. etc. Basically anything an administrator would need to manage computers and servers.


    Stuff like site integration and boundary groups etc, will be done by the service sysadmins.



    What I've done so far:


    I've used RBAviewer to create two new rolls: OU Read Only Admin, OU Admins Specific Scope


    Imported all computers in each of the OU's to ORG collections (ORG - OU Systems), and assigned admin users and scoped them to the ORG collections.


    Created security scopes for each OU and associated users to those scopes.



    This all seems to be working well so far, but I know I am missing a few things for example client settings. Another thing I am trying to figure out is how I can scope 'Import Computer Information' so that when someone imports information it will actually go to their OU. Right now, even if I select a specific collection the computer information always ends up in All Systems and/or Devices.



    I know I can't be the first one setting this up. If anyone has a good write-up or a list of permissions that one would typically delegate in this situation that would be great!



    As always, if I left anything out let me know and I can provide more information.


    Thank you.

  6. Hi, I've been using some of the SCCM guides to setup our new environment. I'm pretty new to SCCM and they have been very helpful!


    We are in the process of rolling out SCCM 2012 R2. We will be managing < 25k clients. We will be running one primary site, a dedicated MSSQL box, and a single DP.


    Our first goal is to use it to automate patching in our test/dev environments. The issue we are running up against is our prod SCCM environment is in one domain and out dev environments span multiple domains. I'm trying figure out the best way to manage all of these servers without creating a service account at the root domain level for security scope reasons.


    Here is an example of the domains.



    rootdomain.com - root domain

    ad.rootdomain.com - Prod AD domain



    adlab.rootdomain.com - Dev

    tritest.adlab.rootdomain.com - Dev

    devad.adlab.rootdomain.com - Dev

    devid.rootdomain.com - Dev

    devcv.rootdomain.com - Dev



    What would be the best way to handle managing these servers?






  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.