SIM407: Microsoft System Center Configuration Manager: Hints, Allegations and Other Things Left Unsaid

Jason Sandys, Managing Consultant, Catapult Systems
[email protected]

“ConfigMgr”

Topics

• Boundaries
• High Availability
• Software Updates and Task Sequences
• WMI Health
• Permissions
• Client Status

Boundaries

• AD Site
• IP Range
• IP Subnet

The problems with boundaries

IP Subnet

• Cannot use “Super-nets”
• Based on Subnet/Network ID
• Are subjective
• Subnet IDs are based on IP Address + Subnet Mask

AD Site

• “Converted” to IP Subnet IDs
• 192.168.14.0/23 = 192.168.14.0
• Cannot use “Super-nets”
• Workgroup clients aren’t part of an AD Site

Why Subnet IDs are Evil

Classful

• IP Address: 10.0.151.17, Subnet ID: 10.0.0.0, Subnet Mask: 255.0.0.0
• Subnet ID: 192.168.18.0, Subnet Mask: 255.255.255.0, Valid IPs: 192.168.18.1 – 192.168.18.254

Classless Inter-Domain Routing (CIDR)

• IP Address: 10.0.151.17, Subnet ID: ?, Subnet Mask: ?
• Subnet ID: 192.168.18.0, Subnet Mask: ?, Valid IPs: 192.168.18.1 – ?

Super-net example

• IP Address: 10.0.1.27/24, Subnet ID: 10.0.1.0
• AD Site Subnet: 10.0.0.0/8, Subnet ID: 10.0.0.0
• IP Subnet: 10.0.0.0, Subnet ID: 10.0.0.0

Discovery example

• IP Address: 192.168.15.27/24, Subnet ID: 192.168.15.0
• AD Site Subnet: 192.168.14.0/23, Subnet ID: 192.168.14.0
• Discovered IP Address: 192.168.15.27, Discovered Subnet ID: 192.168.14.0

Boundaries

• IP Address Ranges FTW
• Do not rely on AD Sites
• “Super-netting” is fine
• No ambiguity
• What you see is what you get
• Very granular and exact
• No subnet calculator needed
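The super-net and discovery examples above, worked through in code. This is an added example, not part of the original slides: it models a subnet boundary as an equality test between the subnet ID the client derives from its own IP address and mask and the bare subnet ID stored for the boundary, and compares that with an IP Address Range boundary covering the same network. All function names are hypothetical.

```python
import ipaddress

def client_subnet_id(ip, prefix):
    """Subnet ID a client computes from its own IP address + subnet mask."""
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network.network_address)

def ad_site_boundary_id(ad_subnet):
    """AD site subnet reduced to a bare subnet ID; the prefix length is lost."""
    return str(ipaddress.ip_network(ad_subnet).network_address)

def in_subnet_boundary(ip, prefix, boundary_id):
    """Assumed model: subnet boundaries match on ID equality, not containment."""
    return client_subnet_id(ip, prefix) == boundary_id

def host_range(cidr):
    """First and last usable host of a network, for an IP Address Range boundary."""
    net = ipaddress.ip_network(cidr)
    return str(net[1]), str(net[-2])

def in_range_boundary(ip, first, last):
    """Range boundaries match on a plain first <= ip <= last comparison."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)

def evaluate(ip, prefix, ad_subnet):
    """Compare both boundary types for one client and one AD site subnet."""
    boundary_id = ad_site_boundary_id(ad_subnet)
    first, last = host_range(ad_subnet)
    return {
        "client_subnet_id": client_subnet_id(ip, prefix),
        "boundary_subnet_id": boundary_id,
        "subnet_boundary_match": in_subnet_boundary(ip, prefix, boundary_id),
        "range_boundary": f"{first}-{last}",
        "range_boundary_match": in_range_boundary(ip, first, last),
    }

if __name__ == "__main__":
    # The two cases from the slides: super-net example, then discovery example.
    cases = [("10.0.1.27", 24, "10.0.0.0/8"),
             ("192.168.15.27", 24, "192.168.14.0/23")]
    for ip, prefix, ad_subnet in cases:
        print(f"{ip}/{prefix} vs {ad_subnet}: {evaluate(ip, prefix, ad_subnet)}")
```

In both cases the client sits inside the AD site subnet, yet its own subnet ID differs from the boundary's, so only the range boundary matches.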

High Availability and Site Resiliency

Site Functionality

• Policies
• Packages
• Site Settings
• Key Roles: Database, Management Point, SMS Provider, Reporting Point (Classic and SSRS)

Client Functionality

• Inventory
• Previously scheduled actions
• Remote Control
• Key Roles: Distribution Point, PXE Service Point, Software Update Point, State Migration Point

Role Failure Impacts

| Role | Site | Client |
| --- | --- | --- |
| Database | Functionality lost | Unaffected |
| Management Point | Unable to publish new policy | Unable to retrieve new policy or communicate with site |
| SMS Provider | Unable to administer site | Unaffected |
| Reporting Points | No reporting available | Unaffected |
| Distribution Point | Unaffected | Unable to perform Software Distribution, Software Updates, or OSD Tasks |
| PXE Service Point | Unaffected | Unaffected |
| Software Update Point | Unable to synch update catalog | Unable to retrieve update catalog |
| State Migration Point | Unaffected | Unaffected |

Three Options for HA

• Out of the box
• Virtualization
• Boot from SAN

HA and SR Out of the Box

Failover Cluster

• Database

NLB Cluster

• Management Point

• Software Update Point

Multiple Site Systems

• Distribution Point

• PXE Service Point

• Reporting Point (Classic and SSRS)

• State Migration Point

No Solution

• SMS Provider

• Server Locator Point

• Fallback Status Point

The Easy Button Solution

• Out of box solution != Site Resiliency
• Hyper-V and Quick/Live Migration
• Provides both high availability and site resiliency
• Site Resiliency will require some network “magic”

Software Updates and Task Sequences

• Yes, they (mostly) work
• Target the same Collection as your OSD Advertisement
• Client Agent Install Public Properties: SMSMP and SMSSLP
• Install the latest Windows Update Agent: 7.4.7600.229, http://support.microsoft.com/kb/949104
• Increase the WSUS maximum XML size per request
• Use IP Address Range boundaries
• Wait for the Hotfix

demo

Software Updates and Task Sequences

WMI Health

• ConfigMgr is a WMI aggregator and automator
• No Magic Bullet
• Install the XP Hotfix: KB 933062
• Don’t automatically flush the Repository
• Fixes the symptom, not the problem
• Don’t ever flush the repository on a site server

Fixes

• Re-register:

    FOR /f %s in ('dir /b /s *.dll') do regsvr32 /s %s
    Net stop /y winmgmt
    FOR /f %s in ('dir /b *.mof *.mfl') do mofcomp %s
    Net start winmgmt

• Built-in Repair, XP SP2+:

    rundll32 wbemupgd, UpgradeRepository

• Built-in Repair, Vista/7:

    winmgmt /salvagerepository

• Delete CCM namespace (Client only)

demo

WMI Repair

Permissions

Program Execution

• Local SYSTEM account
• Current user
• Run Command-line task in a Task Sequence allows alternate credentials

Network Access Account

• Generally a fallback account
• Used to access content
• Not used to run programs
• Required for Operating System Deployment

The SYSTEM Account

• Local Actions -> SYSTEM account
• Network Actions -> Active Directory computer account
• Includes UNCs on local system
• All AD computer accounts are automatically members of Domain Computers group

Drivers

• Uses system account of server hosting SMS Provider

[Diagram labels: Driver Source, Driver Package Source, SMS Provider, Site Server, DP]

Software Updates

• Uses user account of user running the console
• Uses system account of server hosting SMS Provider

[Diagram labels: Microsoft Update, Package Source, SMS Provider, Current User]

Backup

• SMS_SITE_BACKUP Service runs as local SYSTEM
• SMS_SITE_SQL_BACKUP Service runs as local SYSTEM

[Diagram labels: SYSTEM, AD Computer, Local, UNC]

Client Status

Client Status in the Console

• Client
• Approved
• Inactive
• Obsolete

Client

• Indicative of client agent installation status
• Not real-time
• Can be cleared by the “Clear Install” maintenance task

Approved

• Is a black-box and is not documented in detail
• Meant to mimic PKI certificate revocation
• N/A only affects OOB Management

Inactive

• When a client is flagged as obsolete it is also marked as inactive
• Client Status Reporting (R2 & R3)
• Deleted resources in child domains
• Used in conjunction with Delete Inactive Client Discovery Data task

Obsolete

Resources are marked as obsolete when they are superseded by newer resources

Used in conjunction with Delete Obsolete Client Discovery Data task

demo

Maintenance Tasks and Client Status Reporting

Summary

ConfigMgr has a lot of moving parts

• Always use IP Address Range Boundaries
• There are HA and DR options available
• Software Updates in OSD are achievable
• WMI Health is more than nuking the repository

Resource Links

My Blog: http://myITForum.com/cs2/blogs/jsandys

ConfigMgr "Install Software Updates" task failing when building a reference machine: http://coreworx.blogspot.com/2010/08/configmgr-install-software-updates-task.html

Known Issue: Install Software Updates Action Hangs on Windows 7: http://blogs.technet.com/b/configmgrteam/archive/2011/01/28/known-issue-install-software-updates-action-hangs-on-windows-7.aspx

How It Works: Automatic Client Approval in Configuration Manager 2007: http://blogs.technet.com/b/configurationmgr/archive/2010/01/20/how-it-works-automatic-client-approval-in-configuration-manager-2007.aspx

WMI Troubleshooting Tips: http://blogs.technet.com/b/configmgrteam/archive/2009/05/08/wmi-troubleshooting-tips.aspx

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.