jamitupya

Deploy software through AD Groups linked to Collections in SCCM

Question

Hi All,

I've been trying to figure this out for a while but keep failing totally, and in utter despair I need to ask how I can do this.

 

I want to deploy software through AD Groups linked to Collections in SCCM.

 

Is there an easy way to do this? Can somebody give me a basic rundown on how this should occur? I want to learn it but it is just one elusive SOB at the moment :S

 

Cheers


Recommended Posts

  • 0

Hi anyweb,

I implemented an almost exact scenario which you presented above in my environment.

 

I cannot see the "Office 2007" security group in my query. However I do see all other groups such as "domain controllers". Why?

 

I looked at both security groups' properties in AD... they look the same to me. Both are global security groups. Other tabs are identical too.

I also see that in SCCM > queries > all security groups ...I see my "Office 2007" group. Hence SCCM does see my security group in AD.

Only when I try to create a membership query in the collection ...I don't see "Office 2007"

 

Is there something more I need to do?


  • 0

I have some screenshots to share. This may explain what my problem is:

 

This is when I start editing the Query. Notice that the Resource class is the "System Resource"

 


 

Then I click the edit query statement button and I select this option: "System Group Name"

 


 

When I click on the "Value" button I expect to see "ASPDEV\Office 2007 computers" in the list, but I don't!

 


 

If you'd rather see the query, here it is:

 

select * from SMS_R_System where SMS_R_System.SystemGroupName = "ASPDEV\\Domain Computers"

 

{I would like to replace "Domain Computers" in the query with "Office 2007 computers" and I can do that manually by editing the query, but then nothing gets added to the collection}

I think that is because SCCM is not able to see "Office 2007 computers" inside the query.

 

What am I doing wrong?

Someone please help!


  • 0

I found my solution here:

http://social.technet.microsoft.com/Forums/en-CA/configmgrswdist/thread/5a1a64f5-e504-45d8-9097-b72c5ca7fafb

 

Basically, I had to run the "Active Directory System Group Discovery" manually ASAP.

I was mistakenly running the "Active Directory Security Group Discovery" manually and hoping that the Office 2007 group would show up.

 

Also, another interesting thread:

http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/d1693ea5-8ce3-455d-bdfc-fcd6f9184d22/


  • 0

Disclaimer… while writing this post I noticed a lot of errors all over the place under system status. These issues I encountered were encountered yesterday without all of these errors occurring. I will start looking into the errors; however, from first glance they appear to be WSUS related, which is not what I’m writing about here. I did notice a management point error explaining it’s not responding to HTTP requests (I just installed the Reporting Point yesterday so there might be a conflict between the two items using port 80?). Anyways, I still felt that while I look at these errors my post should still be reviewed, because it is probably separate.

 

This is my second post... First I want to add to the appreciation of this forum. The information and step-by-step guides have proven invaluable and I really appreciate it!

 

What I am trying to figure out is why my test machine isn't responding to advertisements... I am trying to figure this out because obviously the software isn't installing from the pack.

 

Here's what I have configured...

 

I followed your instructions to configure SCCM; however, I did it on a Windows 2003 server instead of 2008. It is a virtual server running on VMware ESXi. The only thing I have not done is extend the schema for SCCM or manually do anything with AD like ADSI Edit. I didn't do that because this is a test environment and I did not want to intrude on AD. If that's all I have to do to resolve this issue please tell me.

 

I have successfully setup deployment of Windows XP for multiple versions of hardware which include software and driver installation specific to the hardware.

 

This software package I created is the first package so far. It is Adobe Reader 9. I set the package up by creating a transform file through Adobe's Customization Wizard 9.

 


Here is the command line which works if I run it manually from a computer... *(I mean from the command line I can run this command but obviously because it is remotely and manual I have to designate the full network paths of the files)

msiexec.exe /i AcroRead.msi TRANSFORMS=AcroRead.mst /qb

 

 

 


What I am noticing is that the PC’s Configuration manager does not know what SCCM site it is in.


 


I am also not seeing any advertised software from the “Run Advertised Programs”


 

 

I am also getting a lot of warnings on the client when I try to run the “repair” from the configuration manager.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:30 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\S_1_5_21_1504005034_1371222036_1539857752_8570, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:30 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\Machine, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:30 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, AMTInvProvider, has been registered in the WMI namespace, root\cimv2\SMS, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:29 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, AMTProvisionProvider, has been registered in the WMI namespace, root\CCM, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 5603
Date: 11/16/2009
Time: 4:47:29 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, BcdProv, has been registered in the WMI namespace, root\wmi, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:27 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, AAInstProv, has been registered in the WMI namespace, root\cimv2\sms, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

 

Now from the server side


what I did was create a collection with this query to designate the security group I created for this package named adobe reader 9.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "RMS\\Adobe Reader 9"

 

 

This is what I am seeing with regard to the Advertisement status for this package.


 

When I look at a report of the active advertisements I see this

Report Name: Status of a specific advertisement

Category: Software Distribution - Advertisement Status

Comment: This report shows the status summary of all resources that have been targeted by an advertisement. The summary is broken into two parts. Acceptance status will summarize how many resources have received, rejected, or not yet received the advertisement. Delivery status will summarize the resources that have run or attempted to run the program being advertised.

Parameters: Advertisement ID RG62000B

 

Status of a specific advertisement

11/17/2009 9:31:34 AM (Number of Records: 0)

No matching records could be found.

11/17/2009 9:31:34 AM (Number of Records: 0)

 

Any ideas for which direction to take? I am sure I am missing something, sometimes all it takes is another set of eyes. This is the work I did all day yesterday so I figured I would stop wasting time and finally ask for help.

 

Thank you!


  • 0

Have you correctly configured the boundaries for your site?

 

Here is how I configured the boundary... I pointed to the single AD site we have in place for now.

 


 

Here is how I configured the discovery methods...

 

I pointed to an OU named laptops; all the machines I'm testing with, as well as the security groups for software distribution, are here.


  • 0

Did you also extend the AD?

 

 

No I didn't... do I need to do that in order for the software deployment to work? During my investigation I noticed this;

 

"Four actions need to be taken in order to successfully enable Configuration Manager Clients to query Active Directory Domain Services to locate site resources:

 

Extend the Active Directory schema.

Create the System Management container.

Set security permissions on the System Management container.

Enable Active Directory publishing for the Configuration Manager site." from

 

That appears to be the reason the client can't figure out what site it's in. Is the cause of this issue rooted from this not being done? I speculated that was the case and even mentioned to my boss we probably need to proceed with the more intrusive parts of testing this product. I just hated the idea of trying something out and performing an "irreversible action". I put that in quotes because that's mentioned a lot however that is not the case if you do it carefully it is not irreversible.(rant)

 

Anyways, thanks for the reply... I'll look forward to another one!


  • 0

You nailed it, SCCM pulls data from the systems management container in order to pick up boundary and site data.

You will need to extend the schema if you wish to test further...

 

It's not that scary of a process, though it can break... I recommend that before you extend, you ensure that all your replication has completed successfully using:

repadmin /replsummary or repadmin /showrepl

 

sample below....

 

C:\Users\XXXXXXXXX>repadmin /replsummary
Replication Summary Start Time: 2009-11-20 14:00:44

Beginning data collection for replication summary, this may take awhile:
.......

Source DSA          largest delta    fails/total %%   error
DOMAIN1DC1                10m:43s    0 /  10    0
DOMAIN1DC2                08m:33s    0 /  10    0
SUBDOMAIN1DC1             11m:44s    0 /  14    0
SUBDOMAIN1DC2             10m:44s    0 /   8    0

Destination DSA     largest delta    fails/total %%   error
DOMAIN1DC1                08m:39s    0 /  14    0
DOMAIN1DC2                11m:52s    0 /  14    0
SUBDOMAIN1DC2             04m:30s    0 /  14    0

Experienced the following operational errors trying to retrieve replication information:
58 - SUBDOMAIN1DC1.SUBDOMAIN1.DOMAIN.COM
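
The replication check recommended above can be turned into a gate that is run before the schema is extended. The following is an added example, not part of the original thread: `Test-ReplSummary` is a hypothetical helper name, and the sample text is constructed, modelled on the output quoted above with one failing row added for illustration.

```powershell
# Added example. Test-ReplSummary is a hypothetical helper name, not part of
# repadmin or Configuration Manager.
function Test-ReplSummary {
    param([string[]]$Lines)   # not Mandatory: repadmin output contains blank lines

    $problems = @()
    $inErrors = $false
    foreach ($line in $Lines) {
        if ($line -match 'operational errors') { $inErrors = $true; continue }

        # DSA table row: <name> <largest delta> <fails> / <total> <% error>;
        # anything after the percentage is ignored.
        if ($line -match '^\s*(\S+)\s+(.+?)\s+(\d+)\s*/\s*(\d+)\s+(\d+)(\s|$)') {
            if ([int]$Matches[3] -gt 0) {
                $problems += '{0}: {1} of {2} links failing' -f $Matches[1], $Matches[3], $Matches[4]
            }
        }
        # After the "operational errors" banner: <error code> - <DC name>
        elseif ($inErrors -and $line -match '^\s*(\d+)\s+-\s+(\S+)\s*$') {
            $problems += '{0}: could not be queried (error {1})' -f $Matches[2], $Matches[1]
        }
    }
    return ,$problems
}

# Constructed sample: the DOMAIN1DC2 row with 2 failures is invented for the demo.
$sample = @'
Source DSA          largest delta    fails/total %%   error
DOMAIN1DC1                10m:43s    0 /  10    0
DOMAIN1DC2        01d.02h:10m:05s    2 /  14   14

Experienced the following operational errors trying to retrieve replication information:
58 - SUBDOMAIN1DC1.SUBDOMAIN1.DOMAIN.COM
'@ -split '\r?\n'

$issues = Test-ReplSummary -Lines $sample
if ($issues.Count) {
    $issues
    Write-Warning 'Replication is not clean; resolve these before extending the schema.'
} else {
    'Replication summary is clean.'
}
# Live use on an admin host: Test-ReplSummary -Lines (repadmin /replsummary)
```

The operational-errors section is treated as a finding in its own right: a domain controller that could not be queried has not been shown to be replicating, even when every table row reports 0 failures.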
