Microsoft System Center Configuration Manager: Hints, Allegations and Other Things Left Unsaid
Jason Sandys, Managing Consultant, Catapult [email protected]
SIM407
Topics
Boundaries
High Availability
Software Updates and Task Sequences
WMI Health
Permissions
Client Status
The problems with boundaries
IP Subnet
• Cannot use “Super-nets”
• Based on Subnet/Network ID
• Are subjective
  • Subnet IDs are based on IP Address + Subnet Mask
AD Site
• “Converted” to IP Subnet IDs
  • 192.168.14.0/23 = 192.168.14.0
• Cannot use “Super-nets”
• Workgroup clients aren’t part of an AD Site
Why Subnet IDs are Evil
Classful
• IP Address: 10.0.151.17; Subnet ID: 10.0.0.0; Subnet Mask: 255.0.0.0
• Subnet ID: 192.168.18.0; Subnet Mask: 255.255.255.0; Valid IPs: 192.168.18.1 – 192.168.18.254
Classless Inter-Domain Routing (CIDR)
• IP Address: 10.0.151.17; Subnet ID: ?; Subnet Mask: ?
• Subnet ID: 192.168.18.0; Subnet Mask: ?; Valid IPs: 192.168.18.1 – ?
Super-net example
• IP Address: 10.0.1.27/24; Subnet ID: 10.0.1.0
• AD Site Subnet: 10.0.0.0/8; Subnet ID: 10.0.0.0
• IP Subnet: 10.0.0.0; Subnet ID: 10.0.0.0
Discovery example
• IP Address: 192.168.15.27/24; Subnet ID: 192.168.15.0
• AD Site Subnet: 192.168.14.0/23; Subnet ID: 192.168.14.0
• Discovered IP Address: 192.168.15.27; Discovered Subnet ID: 192.168.14.0
Boundaries
• IP Address Ranges FTW
• Do not rely on AD Sites
• “Super-netting” is fine
• No ambiguity
• What you see is what you get
• Very granular and exact
• No subnet calculator needed
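The super-net and discovery examples above, worked through in code. This is an added example, not part of the original slides: it models a subnet boundary as an exact comparison of subnet IDs, as the slides describe, and compares that with an IP address range. The function names, the range derived from each network, and the third test case are assumptions made for illustration.

```python
import ipaddress

def client_subnet_id(ip, prefix):
    """Subnet ID a client derives from its own IP address and subnet mask."""
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network.network_address)

def boundary_subnet_id(cidr):
    """Subnet ID kept for a subnet boundary; the mask length is not part of it."""
    return str(ipaddress.ip_network(cidr).network_address)

def in_subnet_boundary(ip, prefix, boundary_cidr):
    """Subnet-ID comparison: an exact match of the two IDs, nothing more."""
    return client_subnet_id(ip, prefix) == boundary_subnet_id(boundary_cidr)

def range_for(cidr):
    """First and last host address of a network, used as an IP address range."""
    net = ipaddress.ip_network(cidr)
    return net[1], net[-2]

def in_range_boundary(ip, start, end):
    """IP address range comparison: only the address itself is tested."""
    return start <= ipaddress.ip_address(ip) <= end

# (client IP, client prefix length, network the boundary was defined from).
# The first two rows are the slides' examples; the third row is constructed.
CASES = [
    ("10.0.1.27", 24, "10.0.0.0/8"),          # super-net example
    ("192.168.15.27", 24, "192.168.14.0/23"),  # discovery example
    ("192.168.14.5", 24, "192.168.14.0/23"),   # same site, lower /24
]

def evaluate(cases=CASES):
    rows = []
    for ip, prefix, cidr in cases:
        start, end = range_for(cidr)
        rows.append({
            "client": f"{ip}/{prefix}",
            "client_subnet_id": client_subnet_id(ip, prefix),
            "boundary_subnet_id": boundary_subnet_id(cidr),
            "subnet_match": in_subnet_boundary(ip, prefix, cidr),
            "range_match": in_range_boundary(ip, start, end),
        })
    return rows

if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The third case shows the ambiguity: two clients in the same /23 site get different answers from the subnet-ID comparison, while the range comparison places both inside the boundary.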
High availability and site resiliency
Site Functionality
• Policies
• Packages
• Site Settings
Key Roles
• Database
• Management Point
• SMS Provider
• Reporting Point (Classic and SSRS)
Client Functionality
• Inventory
• Previously scheduled actions
• Remote Control
Key Roles
• Distribution Point
• PXE Service Point
• Software Update Point
• State Migration Point
Role Failure Impacts

| Role | Site | Client |
|---|---|---|
| Database | Functionality lost | Unaffected |
| Management Point | Unable to publish new policy | Unable to retrieve new policy or communicate with site |
| SMS Provider | Unable to administer site | Unaffected |
| Reporting Points | No reporting available | Unaffected |
| Distribution Point | Unaffected | Unable to perform Software Distribution, Software Updates, or OSD Tasks |
| PXE Service Point | Unaffected | Unaffected |
| Software Update Point | Unable to synch update catalog | Unable to retrieve update catalog |
| State Migration Point | Unaffected | Unaffected |
HA and SR Out of the Box
Failover Cluster
• Database
NLB Cluster
• Management Point
• Software Update Point
Multiple Site Systems
• Distribution Point
• PXE Service Point
• Reporting Point (Classic and SSRS)
• State Migration Point
No Solution
• SMS Provider
• Server Locator Point
• Fallback Status Point
The Easy Button Solution
• Out of box solution != Site Resiliency
• Hyper-V and Quick/Live Migration
  • Provides both high availability and site resiliency
  • Site Resiliency will require some network “magic”
Software Updates and Task Sequences
• Yes, they (mostly) work
• Target the same Collection as your OSD Advertisement
• Client Agent Install Public Properties
  • SMSMP and SMSSLP
• Install the latest Windows Update Agent
  • 7.4.7600.229
  • http://support.microsoft.com/kb/949104
• Increase the WSUS maximum XML size per request
• Use IP Address Range boundaries
• Wait for the Hotfix
No Magic Bullet
• Install the XP Hotfix
  • KB 933062
• Don’t automatically flush the Repository
  • Fixes the symptom, not the problem
  • Don’t ever flush the repository on a site server
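Fixes
• Re-register
• Built-in Repair
  • XP SP2+: rundll32 wbemupgd, UpgradeRepository
  • Vista/7: winmgmt /salvagerepository
• Delete CCM namespace (Client only)

REM Run in %windir%\System32\wbem: re-register every DLL below it
FOR /f %s in ('dir /b /s *.dll') do regsvr32 /s %s
REM Stop WMI and its dependent services
Net stop /y winmgmt
REM Recompile the MOF and MFL files
FOR /f %s in ('dir /b *.mof *.mfl') do mofcomp %s
REM Restart WMI
Net start winmgmt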
Program Execution
• Local SYSTEM account
• Current user
• Run Command-line task in a Task Sequence allows alternate credentials
Network Access Account
• Generally a fallback account
• Used to access content
• Not used to run programs
• Required for Operating System Deployment
The SYSTEM Account
• Local Actions -> SYSTEM account
• Network Actions -> Active Directory computer account
  • Includes UNCs on local system
• All AD computer accounts are automatically members of Domain Computers group
Drivers
Uses system account of server hosting SMS Provider
[Diagram labels: Driver Source, Driver Package Source, SMS Provider, Site Server, DP]
Software Updates
• Uses user account of user running the console
• Uses system account of server hosting SMS Provider
[Diagram labels: Microsoft Update, Package Source, SMS Provider, Current User]
Backup
• SMS_SITE_BACKUP Service runs as local SYSTEM
• SMS_SITE_SQL_BACKUP Service runs as local SYSTEM
[Diagram labels: SYSTEM, AD Computer, Local, UNC]
Client
• Indicative of client agent installation status
• Not real-time
• Can be cleared by the “Clear Install” maintenance task
Approved
• Is a black-box and is not documented in detail
• Meant to mimic PKI certificate revocation
• N/A only affects OOB Management
Inactive
• When a client is flagged as obsolete it is also marked as inactive
• Client Status Reporting (R2 & R3)
• Deleted resources in child domains
• Used in conjunction with Delete Inactive Client Discovery Data task
Obsolete
• Resources are marked as obsolete when they are superseded by newer resources
• Used in conjunction with Delete Obsolete Client Discovery Data task
Summary
ConfigMgr has a lot of moving parts
• Always use IP Address Range Boundaries
• There are HA and DR options available
• Software Updates in OSD are achievable
• WMI Health is more than nuking the repository
Resource Links
My Blog: http://myITForum.com/cs2/blogs/jsandys
ConfigMgr "Install Software Updates" task failing when building a reference machine: http://coreworx.blogspot.com/2010/08/configmgr-install-software-updates-task.html
Known Issue: Install Software Updates Action Hangs on Windows 7: http://blogs.technet.com/b/configmgrteam/archive/2011/01/28/known-issue-install-software-updates-action-hangs-on-windows-7.aspx
How It Works: Automatic Client Approval in Configuration Manager 2007: http://blogs.technet.com/b/configurationmgr/archive/2010/01/20/how-it-works-automatic-client-approval-in-configuration-manager-2007.aspx
WMI Troubleshooting Tips: http://blogs.technet.com/b/configmgrteam/archive/2009/05/08/wmi-troubleshooting-tips.aspx
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.