

slice16

Established Members
  • Posts

    49
Everything posted by slice16

  1. Afternoon all! Please can someone point me in the right direction with an SCCM design I am currently contemplating? We are currently running a project where we are automating the deployment and configuration of servers within our on-premise and Azure subscription. There will be significant automation workflows being called from a dedicated Orchestrator instance, whose primary job will be to deploy servers (physical/virtual) and hand over to SCCM for day to day management. This would be a pretty easy design if it was standalone, however we already have a significant investment in SCCM for our desktop estate, with dedicated teams of packagers and admins. I am recommending we utilise existing investments and build out the hierarchy, but there are some interesting questions that have come out of scoping: 1) Would it make sense to build out a new primary site dedicated to the server estate, and have both the desktop and server primary sites report into a CAS? 2) Does it make sense to have a dedicated packaging team/admin that is applied at the CAS layer... or do we split within each site? 3) How do we manage things like SCCM Updates (not WSUS, but the infrastructure)... Desktops are pretty agile and moving quickly. With the level of automation and criticality of some servers, we need to be sure upgrades don't affect the other. Has anyone got any thoughts on the above? Thanks Paul
  2. Thanks Peter. That is an interesting PowerPoint. We have two key teams within the organisation that will be managing the Compliance within the datacentre, and each have a very different outlook on what tool is best. We have a Support Team (who manage up to the OS) and an Application Team who take it from IIS upwards. The latter are programmers by heart and love tools like Puppet, which is why DSC is so exciting. I suppose to future proof ourselves, would it make sense to use Config Baselines that use DSC style scripts to report back compliance? Or is that over complicating matters?
  3. Morning All, Happy New Year, I trust you have all had a good one? I am wondering if anyone has any experience with utilising the new PowerShell DSC stuff into SCCM, and which route people would recommend. The way I see it, we have two ways that we can manage client compliance: 1) Using 'Configuration Baselines', that has a nice GUI and built in reporting. We can do advanced queries using PowerShell scripts for any custom components we need. 2) We create PowerShell Manifests and use DSC. We could then use task sequences, packages/applications to actually deploy them and enforce. I imagine monitoring these could be a little more complex (custom report, mof files etc) Thanks, Paul
  4. Hi Anthony, My personal recommendation would be to install new servers into the same site. You can then install the various roles and start to decommission the current box. I am guessing you have SQL installed on your main server? If so, guidance can be found on the TechNet blogs: http://blogs.technet.com/b/configurationmgr/archive/2013/04/02/how-to-move-the-configmgr-2012-site-database-to-a-new-sql-server.aspx All configuration data will be stored in the database, so you shouldn't need to export/reimport. Thanks Paul
  5. After some research, it doesn't look as though this is possible :( http://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_WhatsNew Reading that, all my clients will need access to Windows Update to be able to use the SUP. As my clients aren't 'true internet' based clients (they are being managed over SSL on 443 for multi-tenancy) and may not have true internet access. I can't think of a way round this issue.
  6. Morning All, Where can I force my clients to use my Internet Based DP that contains my SCCM updates? I have a large number of internet based machines (members of various untrusted domains) that have the client installed. They connect to SCCM, but when attempting to install updates they automatically go to Windows Update rather than the SCCM DP. SCCM does show up as a second location, but it seems to drop out before trying that. Thanks Paul
  7. Here is my fix: http://tameyourcloud.com/?p=117 I had to create the routes manually in the relevant SQL instances by running the following:
      CREATE ROUTE ConfigMgrBGBRoute_Local
      AUTHORIZATION dbo
      WITH SERVICE_NAME = 'ConfigMgrBGB_SitePOC', ADDRESS = 'LOCAL';
  8. Sorted. Turns out the Service Brokers weren't created. I am writing up the fix now and will get it over here.
  9. Has anyone got any ideas as to what this may be? I have looked a little more into the SQL configuration and can see that there is a route called ConfigMgrBGBRoute_Local, which is configured for the service ConfigMgrBGB_SitePOC and is set to local: From what I can see, everything is set up correctly? Thanks Paul
  10. OK, after some more research, the broker service relies on Broker routes to manage replication traffic between the various instances. In this case, adding the newly created instance has upset the balance. It appears to have the [LOCAL] route within the POC instance. Is there a way I can view all the routes? Thanks
  11. Afternoon All, I was hoping you guys could point me in the right direction, as I am hitting a bit of a brick wall. I am in the process of building a multiple forest SCCM hierarchy that will have two primary sites that report into a CAS. The setup will be the following:
      SCCM SITE CODES:
      CAS - Central Administration Site
      POC - Primary Site in AD.local
      DEV - Primary in MS.local
      SCCM Servers:
      SCCMCAS.ad.local (Central Administration Site)
      SCCM01.ad.local (First Primary Site)
      SCCM01.ms.local (Second Primary Site)
      Database Configuration: SCCMCAS and SCCM01 both sit within ad.local and have a dedicated SQL instance on an SQL 2008 R2 SP1 cluster. SCCM01.ms.local sits within ms.local which is a trust domain with ad.local. This machine has its own dedicated SQL instance.
      Issue: I have successfully added SCCM01.ad.local to the hierarchy and replication shows as healthy. The SSB ports are set to 4022 on sccmcas01.ad.local and 4023 on sccm01.ad.local. This also passes the Replication Link Analyser without any issues. When I add SCCM01.ms.local it sets itself to Initializing, which seems to start counting up through the %'s. However, this then fails the CAS to POC replication link.
      When I check the Link Analyser log file, I get the following error message:
      </DoesBrokerConfigurationExist>
      <DoesBrokerConfigurationExist ssbPort="4023" SqlInstanceName="ms-sql01.ms.local\SCCM" SiteCode="POC">
        <Result HasRun="True" HasPassed="False" />
        <Description>
          <Detail Name="isValidEndpointCertificateExists" Value="True" />
          <Detail Name="isServiceBrokerConfigCorrect" Value="True" />
          <Detail Name="isServiceBrokerRouteConfigCorrect" Value="False" />
          <Detail Name="isServiceBrokerLoginConfigCorrect" Value="True" />
          <Detail Name="result" Value="Service broker route [ConfigMgrBGBRoute_Local] is missing or has incorrect address [] for service [ConfigMgrBGB_SitePOC]. Expected address [LOCAL]." />
          <Detail Name="isServiceBrokerLoginCertificateCorrect" Value="True" />
        </Description>
      As soon as I uninstall the DEV site, everything starts working again. The only thing I can think of is a port conflict on the Service Broker connection. I didn't think this would be an issue as the POC and DEV primary sites use different SQL Servers. Is there a best practice available when configuring multiple sites? Thanks in advance, Paul
  12. Ahh, turns out I am being daft! As per Niall's guide: e: The Endpoint Protection point site system role must be installed before you can use Endpoint Protection or before you can set Endpoint Protection client settings. It must be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site. When all else fails, read the manual haha.
  13. Hi All, I think I may be losing the plot a little, but I am unable to find the Endpoint Protection site system role. When I go to add a site System Role, I only see the roles in the attached .png. I am running SCCM SP1 CTP2 and have a CAS and Primary site. Thanks Paul
  14. Right, think I have sussed it now. This article explains it pretty well: http://technet.microsoft.com/en-us/library/bb680334.aspx Basically, if a client is not in the same forest as the site, it will need to contact the SLP. The SLP will be configured during client installation. If they move to another site at the same level within the hierarchy, it will be unable to locate any content sources within the separate site.
  15. Hi Eswar, Sorry I was adding another reply when you posted. My site boundaries won't be overlapping, but I will have a number of duplicate subnets configured from AD Users and Computers between the forests. My post above should go into a little more detail into my configuration. It isn't the easiest of setups due to the corporate structure. Thanks, Paul
  16. I have been thinking a little more about my predicament, and think I have got my head around the process, and the implications I may face. As an example, I will use the following:
      Primary Site 1 (PS1) Boundary 192.168.0.0/24 Forest: ForestA.local
      Primary Site 2 (PS2) Boundary 192.168.1.0/24 Forest: ForestB.local
      Now say I have 2 clients that are physically located at 192.168.0.0/24. ClientA is a member of ForestA and ClientB is a member of ForestB. During site assignment, both clients will be assigned to PS1 due to the subnet location. ClientA will gather this information from the AD schema, and ClientB will get it from the SLP. My understanding here will be both clients will have full functionality once assigned from PS1, regardless of their Forest membership? Now, when a client moves to 192.168.1.0/24, they will be using Regional Roaming, and be unable to access any resources in PS2. Is this correct? This is a pretty flat hierarchy where both PS1 and PS2 report to a CEN site. My overall question is, does SCCM care about forest membership for the clients, as long as they are trusted? Thanks in advance, Paul
  17. Hello All, I am hoping you can point me in the right direction with a complicated Site Assignment configuration. I am deploying SCCM 2007 R3 across 3 forests that have a two way transitive trust between each. As per MS best supported practice, I will have a primary site for each forest, reporting up to a central site for Administration/Reporting. As per:
                       Central
                          |
          -----------------------------------
          |               |                 |
         PS1             PS2               PS3
      This is fairly straightforward if each forest has dedicated subnets (e.g. Forest1:Site 1, 192.168.0/24, Forest2:Site1, 192.168.1/24). Each client would sit within their own subnet and automatically assign to the relevant Primary site. The issue I have is one subnet may have clients from all three forests. So I may have a client in Forest 1 that assigns itself to another primary site because of its IP address. What are the implications of this? My main concern is distribution point and policy gathering. Will I need to manually assign the clients? Thanks Paul
  18. Morning All, Recently, I have noticed an issue with Collection Membership on SCCM 2007 R3. This only seems to happen with Direct Membership and is usually related to using the Computer Association feature. When I add a computer object and direct it to the Imaging collection, it shows in the 'Membership Rules' tab. I then do an Update Collection membership and refresh the console. The object does not appear and the advertisements do not show. After a reboot, everything starts working again. I have checked the colleval.log and smsexec and nothing is untoward. Is this a known issue as it has happened on the last 4 installs I have completed? I have seen a hotfix from MS for a similar issue (http://support.microsoft.com/kb/981797), but after checking the smsexec service, all looks ok. Thanks in advance.
  19. After some research, it looks like Sophos doesn't give an option to add exclusions for the relevant applications. There appear to be 2 solutions: 1) Turn off the memory security option for all (not the most secure of solutions) 2) Recreate the Firewall policy by running the Install in interactive mode on another machine. Once everything has been captured, export the policy and import into the Control Panel.
  20. I can't see anything in the log that points to an error message. By any chance, do you have a Product Key entered in the Apply Windows Settings task? If so, try removing it and re-run. I have had the issue before when entering a KMS key. Thanks, Paul
  21. The 00005 error is usually unspecified and can mean a whole host of things. From experience, I would say your issue is either down to the location of your 'Setup Windows and Config Manager' step (this should be after apply OS, apply drivers etc). Or you are missing a driver. Please can you post your smsts.log file and it should say why it is failing. Thanks, Paul
  22. Afternoon All, I thought I would post this question on here, as after 2 hours on the phone to Sophos, they don't have an idea as to the issue. I was hoping someone had deployed the SCCM client to machines that are running the Sophos endpoint AV and firewall locally. Here is the issue: After installing the SCCM 2007 R3 client to a small number of XP and Windows 7 machines, all network based programs get blocked by the Sophos firewall. If we turn off all rules, everything starts working again. The applications being blocked are: nslookup.exe, rundll32.exe, wmiprvse.exe, werfault.exe, iexplore.exe, grpwise.exe, almon.exe, justched.exe. All are marked with an event type of 'Modified Memory' and show the launching application as wmiprvse.exe. We have tried adding these alerts to the firewall rules as trusted to no avail. Once we remove the client, all is fine. Any ideas? Thanks, Paul
  23. Hi Eswar, The event log only shows 'Error 816' with no other events or descriptions.
  24. Hello, After installing the PXE Service point, WDS refuses to start. Whenever I try manually I get 'Failed to start with error 816'. WDS works fine until I install the PXE point in SCCM. I have tried the wdsutil /uninitialize to no avail. Am I missing something here? Kind Regards, Paul
  25. Thanks Eswar. That's exactly what I was after. I needed to deploy it using a Task Sequence and I needed a number of folders creating etc.