Installing SCCM Secondary Site

26 10 2010

Thanks to Kent Agerlund at Truesec.com.

Installing a secondary site

Installing a secondary site might seem like a straightforward process, and with a little planning that is not far from the truth. My latest remote site was on a server located on the other side of the world. I had a few challenges:

  • Very poor bandwidth
  • Large number of packages and images (approx. 150 GB)
  • SQL server is configured using a non-standard port

To solve the challenge here is what I had to do.

  • Prior to installing I copied all pck files from the central site server to a USB drive and shipped the drive with a colleague to “far far away”.
  • Install Windows 2008 R2 server with the latest patches.
  • Install and configure IIS according to documentation.
  • Install and configure WDS according to documentation.
  • Install the Configuration Manager 2007 Toolkit 2 (Yes, you will need Trace32.exe to read log files).
  • Install SQL 2008 R2 Client tools
    • Configure an x86 alias for Configuration Manager to use my custom SQL port
    • Configure an x64 alias for WDS to use my custom SQL port
    • You can use netstat -a to verify the port being used to establish the connection
    • More info on this can be found in this post.
  • Installed and configured the secondary site server.
  • Created a small package on my central site server and distributed it to my new secondary site server.
  • Copied all compressed PCK packages to d:\SMSPCK on the local secondary site server
  • Copied PreloadPkgOnSite.exe from the Configuration Manager v2 toolkit to D:\SMSPKG.
    • The tool will work right out of the box with most packages, but for some packages (where the package source ID and the compressed package version ID are not identical) the tool will write the wrong package ID to the database and package replication will fail. For that reason you must identify the packages with unmatched IDs and run preloadpkgonsite.exe /updatepackageid [id number].
  • To save some time you can run this PowerShell script (written by Greg Ramsey). The script will check the database for versions and write the correct syntax to a bat file. Before running the script you must replace PROVIDER and Sitecode with the names of your Provider server and sitecode.

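# Replace PROVIDER and Sitecode with your SMS Provider server and site code.
$output = @()   # start from an empty list so a re-run in the same session does not append
$pkgs = Get-WmiObject -Class SMS_Package -ComputerName PROVIDER -Namespace root\sms\site_Sitecode
$pkgs | ForEach-Object {
    # Only emit a command for packages whose compressed .pck file was copied locally.
    if (Test-Path ("D:\smspkg\" + $_.PackageID + ".pck"))
    {
        $output += "PreloadPkgOnSite.exe " + $_.PackageID + " /UpdateStoredPkgVersion " + $_.StoredPkgVersion
    }
}
# Write one command per line to the batch file.
$output | Out-File -FilePath "D:\SCCM Install\preloadpck.bat" -Encoding ascii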

  • Run the preloadpck.bat to start the package replication
  • After the replication is finished you will need to add a distribution point to the new packages. This can easily be done using the Copy packages wizard in the console or by using the DP utility tool from Cory Becht. The cool part about this tool is that it can also be used to remove packages from a DP.
    When packages are added to the DP the compressed pck files will be decompressed locally at the secondary site server using only very little bandwidth. You can monitor this process by reading the distrmgr.log file on the secondary site server.




OCT fails on Office 2010

16 10 2010

Are you getting this error message when trying to run OCT on Office 2010? 

"Files necessary to run the Office Customization Tool were not found. Run Setup from the installation point of a qualifying product".

I went to configure the OCT for Office 2010 and came to realize there wasn’t an Admin folder along with the installation files which makes it tough to run OCT! I found this link to a MS webpage where you can download the OCT files and adm/admx templates for the installation. 

http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=64b837b6-0aa0-4c07-bc34-bec3990a7956

Download the version you need (either x86 or x64) and run the executable. The exe will extract the files and you can copy the admin folder into the Office installation directory and away you go.





SCCM Mixed to Native Mode Migration

24 04 2010

I recently worked with a client to migrate their SCCM 2007 SP2 R2 enterprise to Native Mode. Performing this migration allowed me to focus my attention on PKI as there were 4 certificates that were created for this process to complete securely. Here are the steps I took and the links for instructions. There are many different scenarios to choose from and as a cost-saving measure, we decided to allow communication through both firewalls. In this case, we allowed http and https traffic to the MP and DP but were able to create an SSL bridge using their ISA box, so not only do you need to have the correct cert installed on your client, you also need to be a domain computer. Great learning experience and I’d like to thank the folks on the Microsoft forums, especially Carol Bailey.

Native Mode Migration

1. Prereqs for Native Mode

http://technet.microsoft.com/en-us/library/bb680464.aspx

2. Certificate requirements

http://technet.microsoft.com/en-us/library/bb680733.aspx

3. Supported Scenarios for Native Mode

http://technet.microsoft.com/en-us/library/bb693824.aspx

4. Determine Admin roles for each department

http://technet.microsoft.com/en-us/library/bb694253.aspx

5. Create certificates

http://technet.microsoft.com/en-us/library/bb694035.aspx (Server 2003 CA)

http://technet.microsoft.com/en-us/library/cc872789.aspx (Server 2008 CA)

Don’t forget to add Web Site cert to WSUS Custom Website.

If client has ISA, a 4th cert will be used on ISA box for client authentication for SSL bridging. (add cert to Microsoft Firewall service store.) http://technet.microsoft.com/en-us/library/cc707697.aspx

6. Verify Clients are ready for Native Mode

http://technet.microsoft.com/en-us/library/bb680986.aspx

7. Ensure migration to Native mode checklist has been followed

http://technet.microsoft.com/en-us/library/bb632727.aspx

8. Change mode to Native (reboot required)

http://technet.microsoft.com/en-us/library/bb680769.aspx

9. Import root CA for OSD

http://technet.microsoft.com/en-us/library/bb632596.aspx

10. Enable/disable CRL

http://technet.microsoft.com/en-us/library/bb680540.aspx

11. Configure HTTP for roaming and client assignment

http://technet.microsoft.com/en-us/library/bb694220.aspx

12. If your client cert is not in the personal store, follow this procedure

http://technet.microsoft.com/en-us/library/bb632622.aspx

13. If you are using multiple client certificates, configure SCCM to use the correct one

http://technet.microsoft.com/en-us/library/bb632376.aspx

14. Ensure Native Mode migration completed successfully

http://technet.microsoft.com/en-us/library/bb694287.aspx

15. Configure MP for IBC

http://technet.microsoft.com/en-us/library/bb693517.aspx

16. Configure DP for IBC

http://technet.microsoft.com/en-us/library/bb632488.aspx

17. Configure FBSP for IBC

http://technet.microsoft.com/en-us/library/bb680746.aspx

18. Prepare SUP for SSL

http://technet.microsoft.com/en-us/library/bb633246.aspx

19. Configure SUP for IBC

http://technet.microsoft.com/en-us/library/bb694182.aspx

20. Test MP communication through the firewall(s)
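
Steps 6, 12 and 13 all depend on which client authentication certificate each client actually holds. The following PowerShell check is an added example, not part of the original post; it assumes the client certificate sits in the local computer Personal store and carries the Client Authentication enhanced key usage.

```powershell
# Added example: inventory candidate native-mode client certificates on one computer.
# Assumption: the client certificate is in the local computer Personal (My) store.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage
$now = Get-Date

# Keep only certificates whose EKU extension lists Client Authentication.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku -and @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0
})

# Show what was found, including expired or key-less certificates.
$candidates | ForEach-Object {
    New-Object PSObject -Property @{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        ValidNow      = ($_.NotBefore -le $now -and $_.NotAfter -ge $now)
    }
} | Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey, ValidNow -AutoSize

# A certificate is usable only if it is in date and its private key is present.
$usable = @($candidates | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now
})

switch ($usable.Count) {
    0       { Write-Warning 'No usable client authentication certificate found (see step 12).' }
    1       { Write-Output 'Exactly one usable client certificate found.' }
    default { Write-Warning 'Multiple usable client certificates found (see step 13).' }
}
```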





Silently Installing a Few Common Apps

12 02 2010

Here are the steps and switches used to install some common applications silently.

Filezilla

FileZilla_3.3.1_win32-setup.exe /S

PDF Creator

PDFCreator-0_9_9_setup.exe /verysilent

PDFCreator-0_9_6_setup.exe /verysilent /components="!toolbar" /tasks="!desktop_icon" /f  (disables toolbar and desktop icon install)

I know, as if /silent wasn’t enough, they had to go with /verysilent. If you use /silent, there are still configurations you can modify and the install screen still appears so it really isn’t silent.

Adobe Acrobat Reader

(Easy way) AdbeRdr920_en_US.exe /sAll /rs

The trick here is to go ahead and begin the installation of Acrobat Reader but when you get to the Destination Folder page, go to c:\users\useracct\appdata\local\adobe\reader 9.3\setup files and copy those files to another location where you will install the app silently. Exit the original installation.

Use the acroread.msi file to silently install the application. Here is an example.

msiexec.exe /q ALLUSERS=2 /i acroread.msi

I will continue to update this list and please write to me with your findings.

VNC

The switches I used:
/SP-
- this gets rid of the message box at the beginning asking if you want to
install it

/SAVEINF="filename"
- creates the script for the install to follow.  by default it’s saved in
the windows directory.  Haven’t quite got this to do what I want though.  It
doesn’t seem to store the settings on the last selection screen where you
can install VNC as a service

/SILENT or /VERYSILENT
- silent will display nothing except the progress bar.  verysilent displays
nothing at all

/LOADINF="filename"
- use this to run the script created with /SAVEINF

So to create my silent install I installed VNC on a test machine using:
   vnc-3.3.4-x86_win32.exe /SP- /SAVEINF="vnc.iss"
This installed VNC 3.3.4 and created the script to follow for reuse.  To run
the install again silently I used:
   vnc-3.3.4-x86_win32.exe /SP- /LOADINF="vnc.iss" /VERYSILENT

NERO 9

Setupx.exe /i /q SERIALNUMBER="0000-0000-0000-0000-0000-0000-0000-0000" EULAACCEPTED="1"

Substitute the zeros with your license key.

This will install nero silently. If you want you can change the /q to /qb for a progress bar and amusing slide show and it will still be automatic.

This works on an extracted full Nero 9 package, which is most easily extracted with 7zip since it is a 7zip archive.

The only way I know to remove apps from the package that I don’t want, for example “nero recode”, which is a folder named "unit_app_12", is to move them to another folder or delete them.

These are the important apps and files that must be in your main folder and should not be deleted:
unit_app_30,
unit_app_61,
unit_tpi_directx-9c-redist-d3dx9-30 (unless you already have directx 9),
unit_tpi_msxml-4,
unit_tpi_vcredist-x86-2005Sp1, (unless you already have this or a more recent package of Visual C++)
unit_tpi_windows-installer-3.1 (unless you already have the most recent windows installer)
ipclog.exe
setup.xml
setupx.exe

I recommend that you also include "unit_app_63", which is the control center where you can change your license key, although it will work fine without it.

To make a small version of Nero Burning ROM, in the main folder you should have the above important apps and files along with unit_app_4, which is Nero Burning ROM.

JAVA

Here is an example of my latest silent deployment: jre-6u18-windows-x64.exe /s AgreeToLicense=YES IEXPLORER=1 REBOOT=Suppress JAVAUPDATE=0

Supported command arguments from java.com:
ADDLOCAL is either jrecore[,extra][,other_US] or ALL

IEXPLORER=1 indicates that the JRE should be registered with the Internet Explorer browser

NETSCAPE6=1 indicates that the JRE should be registered with Netscape 6 or later browsers

MOZILLA=1 indicates that the JRE should be registered with Mozilla 1.1 and later browsers

INSTALLDIR specifies the drive and path of the installation

REBOOT=Suppress indicates that if locked files are encountered the computer should not be rebooted

JAVAUPDATE=1 indicates that Java Update feature is enabled

EULA=1 indicates that End User License Agreement will be displayed on first use and not during installation





New SCCM Reporting Dashboard

6 02 2010

Looks like a great new tool for IT admins to wow their managers with!  :-)

http://technet.microsoft.com/en-us/library/ff369719.aspx





SCCM Client Automatic Approval

6 02 2010

Here is the process SCCM uses to automatically approve secure clients.  Great article.

http://blogs.technet.com/configurationmgr/archive/2010/01/20/how-it-works-automatic-client-approval-in-configuration-manager-2007.aspx





KB974571 Breaks USMT 4.0

21 12 2009

A client of mine ran into an issue where USMT began to fail with the following errors in the SMSTS.log file:

Failed to import the client certificate store (0x80092024) OSDSMPClient
ClientRequestToMP::DoRequest failed (0x80092024). OSDSMPClient
ExecuteCaptureRequestMP failed (0x80092024). OSDSMPClient
ExecuteCaptureRequest failed (0x80092024). OSDSMPClient

—————————————————————-

Failed to run the action: Request User State Storage.
The administrative limit for this request was exceeded. (Error: 00002024; Source: Windows) TSManager

I found a couple sites saying KB974571 broke the SMS certificates on the client and uninstalling the patch on the client should resolve your issue.  If you don’t want to uninstall the patch on all machines, here is a workaround:

http://social.technet.microsoft.com/Forums/en-US/configmgrosd/thread/53e310aa-3dfc-44ea-8e41-3ae1374d9437

A workaround would be to logon to your client and follow these steps:

1. On a target agent, run "mmc.exe", click File> Add/Remove Snap-in, click Add,
highlight the Certificates snap-in, and click Add.
2. In the Certificates snap-in dialog box, choose "Computer account", click Next,
and click Finish.
3. Click Close to close the Add Standalone Snap-in dialog box, and click OK to
close the Add/Remove Snap-in dialog box.
4. Browse to Certificates (Local Computer)> SMS> Certificates. You will have two
certificates in the right pane — SMS Encryption Certificate and SMS Signing
Certificate.
5. Double-click to open one of the certificates, say SMS Encryption Certificate.
6. On the Details tab, click Edit Properties.
7. Edit the Friendly name to make it something like SMS Encryption Certificate1.
8. Click OK to close the two dialog boxes.
9. Double-click to open the certificate again. Edit the Friendly name back to SMS
Encryption Certificate. Click OK to close the two dialog boxes.
10. Repeat the steps 5 – 9 on the other certificate.
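
The same rename-and-restore of the friendly name can be scripted for clients where clicking through the MMC is impractical. This PowerShell is an added example, not part of the original post or the linked forum thread; it assumes that setting the property through .NET has the same effect as editing it in the Certificates snap-in, and it must be run elevated on the affected client.

```powershell
# Added example: scripted form of steps 4-10 above.
# Assumption: writing FriendlyName through .NET rewrites the certificate
# properties the same way the Certificates snap-in does.
$names = 'SMS Encryption Certificate', 'SMS Signing Certificate'   # friendly names from step 4

# OpenExistingOnly makes Open() fail instead of creating an empty SMS store
# on a machine that has no Configuration Manager client.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadWrite, OpenExistingOnly'
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('SMS', 'LocalMachine')
$store.Open($flags)
try {
    foreach ($cert in $store.Certificates) {
        $original = $cert.FriendlyName
        # Touch only the two certificates the workaround names.
        if ($names -notcontains $original) { continue }

        $cert.FriendlyName = $original + '1'   # steps 5-8: change the name
        $cert.FriendlyName = $original         # step 9: change it back
        Write-Output ("Refreshed '{0}' ({1})" -f $original, $cert.Thumbprint)
    }
}
finally {
    $store.Close()
}
```

If the script prints nothing, neither certificate was found under that friendly name and the store should be inspected manually as in step 4.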





SCCM OSD using Multicast

10 12 2009

Here is a great article explaining Multicast and how to deploy it for OSD.

http://blogs.msdn.com/steverac/archive/2008/10/19/setting-up-multicasting-in-sccm.aspx

Thanks to Steve Rachui.





SCCM 2007 WDS and PXE Troubleshooting

8 12 2009

I found this information very handy when I ran into an issue deploying WDS and PXE on SCCM 2007.

http://blogs.technet.com/smsandmom/archive/2008/09/17/configmgr-2007-troubleshooting-pxe-service-point-issues-and-wds-service-not-starting.aspx

Thanks to the Manageability Team!





SCCM 2007 Maintenance Windows

20 11 2009

Great article explaining, in-depth, maintenance windows in ConfigMgr.

http://myitforum.com/cs2/blogs/socal/archive/2007/12/03/configmgr_2D00_maintenance_2D00_windows_2D00_explained.aspx







