Blog archive
One system to manage them all
Microsoft has seen that not all environments are black and white. Some have Linux/Unix based systems, some have Macs and some are just sitting on a terminal such as Wyse or Igel.
And then there are some that just use a tablet (iPad or Android based). Some are lucky enough to have a Windows 8 RT based tablet such as Microsoft Surface or Samsung ATIV.
What problems arise with all these devices and the consumerization of IT?
Management
With all the different components in the mix, IT is having a hard time managing all these different devices. They usually have different systems to manage different devices,
since they usually have one system that is good on Unix but doesn’t have features that work on Android or iPhones. With the surge of next-generation workers, people wish to bring their own device into the business.
(This Dilbert comic shows the frustration that IT people have on many occasions.)

Now Microsoft has been good at managing what they do best, Windows. They have done so since the first release of ConfigMgr in 1994 (good old SMS). The biggest change in ConfigMgr 2012 is that the system is now more user-centric,
meaning that the system is “aware” of users within the environment; previously it was aimed at just the device.
And with the upcoming release of Service Pack 1 there are multiple news items that make the IT admin’s work easier.
* Support for Linux/Unix based Systems
* Support for Mac OSX
* Support for Windows Embedded
* Support for Android and iPhones (5 & 6) (using the Windows Intune Connector)
* Support for Windows 8 Phones and Windows RT (Using Windows Intune Connector)
Now if you are missing some devices here, ConfigMgr also has support for devices that support Exchange ActiveSync, so ConfigMgr can be the center of your IT management infrastructure. It remains to be seen what functionality the Intune connector brings to mobile devices (and whether it can compare with other MDM systems on the market). The main problem with MDM is that people are concerned about their private data on their devices, since IT can in some form manage their devices.
You can read more about it here –> http://www.informationweek.in/mobile/12-12-05/3_factors_to_consider_for_framing_byod_policy.aspx?utm_medium=twitter&utm_source=twitterfeed
You can look at this video interview with Wally Mead, who is head of development of ConfigMgr, if you wish to know more about Intune and SP1:
http://blogs.technet.com/b/keithmayer/archive/2012/12/03/managing-mobile-devices-with-system-center-2012-configuration-manager-sp1-and-windows-intune.aspx#.UL0f3oNQUqx
Since there is a lot of competition on this front, ConfigMgr might gain the edge because of its vast support for devices, low cost and integration with other System Center products.
Integration possibilities:
* System Center
* XenApp XenDesktop
* App-V
* Secunia
* RES
* AppSense
* + Much more
With all these possibilities ConfigMgr can become a central point for managing all of your devices.
Automating Configuration Manager 2012 SP1 with PowerShell
In the first part of this series, I showed how you could run and install all the necessary prerequisites silently and automated; this time I will write a bit more instead of just adding the commands.
In Service Pack 1, Configuration Manager will finally include cmdlets for PowerShell; this allows for a scripted and automated setup process. Therefore I took the liberty of creating this post, which will show you how.
Now with this you can actually create a script for a new customer (if you already have knowledge of the customer’s infrastructure) which contains everything you need to set up a full site. Then when you are at the customer, run the script and take the rest of the day off.
Now what do we need in order to set up a full Configuration Manager site?
We need a boundary group (which contains a boundary, refer to my earlier post –> ), which again contains a distribution group and is assigned a site.
And we need to activate discovery methods to fetch information such as user, group and computer objects.
We also need to set up AD publishing (in case we did a manual ConfigMgr site agent install we wouldn’t have to set this up, but for ease of administration we are going to do so).
Next we are going to create a computer collection which is going to include our test servers. We are also going to create a user collection b
After that we are going to create an application which we are going to deploy to our computer collection,
all using PowerShell.
Now in order to start PowerShell against Configuration Manager, just click the file button inside the console and press Connect using PowerShell.
You can use get-command -module ConfigurationManager to show all the commands available for Configuration Manager.
You can also use get-help <cmdlet> if you are unsure of the parameters that you need to use.
Also you can use get-help <cmdlet> -examples if you want to see some examples.
NOTE: While trying to get this fully automated, I find it’s hard with the current release of the PowerShell cmdlets, but still I’ve gotten far. So this post will be updated periodically.
Create a new boundary: New-CMBoundary -Type ADSite -Value “Default-First-Site-Name”
Create a new boundary group: New-CMBoundaryGroup -Name Test -DefaultSiteCode TST
Add the boundary to the group: Add-CMBoundaryToGroup -BoundaryId 16777218 -GroupName “Test”
I got this BoundaryID using Get-CMBoundary since the command didn’t parse the ID value properly.
You can use Get-CMBoundary and Get-CMBoundaryGroup to view the values. And you need to add the site code to the command so it assigns
that as the default site for the boundary group.
Get info from the Active Directory forest: New-CMActiveDirectoryForest -ForestFqdn demo.local -EnableDiscovery $true
Install the Configuration Manager agent: Install-CMClient -DeviceName ConfigMgr -IncludeDomainController $false -AlwaysInstallClient $false -SiteCode TST
Create a new device collection: New-CMDeviceCollection -Name “My Servers” -LimitingCollectionName “All Systems” -RefreshType Manual
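The commands above, put together as one script, as an added example that is not code from the original post. It takes the boundary ID from the object Get-CMBoundary returns instead of copying it from the console, and it checks for existing objects first so it can be re-run. The site code TST, the AD site Default-First-Site-Name and the forest demo.local are the values used in this post and are assumed for your environment; the parameter names -Name on New-CMBoundary and -BoundaryGroupName on Add-CMBoundaryToGroup follow the released ConfigurationManager module and may differ from the SP1 cmdlets shown above.

```powershell
# Added example, not from the original post. Boundary, boundary group, forest discovery
# and device collection in one re-runnable script. Values below are the ones used in the
# post and are assumed for your environment.
$SiteCode  = 'TST'
$AdSite    = 'Default-First-Site-Name'
$GroupName = 'Test'
$Forest    = 'demo.local'

# Load the console's module and move to the site drive; this is what
# "Connect using PowerShell" in the console does for you.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location ($SiteCode + ':')

function Resolve-SiteBoundary {
    # Returns the boundary for the AD site, creating it only when it is missing
    param([string]$AdSiteName)
    $existing = Get-CMBoundary | Where-Object { $_.Value -eq $AdSiteName }
    if ($existing) { return $existing }
    # -Name is the display name shown in the console (assumed parameter name)
    New-CMBoundary -Type ADSite -Value $AdSiteName -Name $AdSiteName
}

function Resolve-SiteBoundaryGroup {
    # Returns the boundary group, creating it with the given default site when missing
    param([string]$Name, [string]$DefaultSite)
    $existing = Get-CMBoundaryGroup -Name $Name
    if ($existing) { return $existing }
    New-CMBoundaryGroup -Name $Name -DefaultSiteCode $DefaultSite
}

$boundary = Resolve-SiteBoundary -AdSiteName $AdSite
$group    = Resolve-SiteBoundaryGroup -Name $GroupName -DefaultSite $SiteCode

# The ID comes from the object the site returned, so nothing is read off the console by hand
Add-CMBoundaryToGroup -BoundaryId $boundary.BoundaryID -BoundaryGroupName $group.Name

# AD forest discovery and the device collection from the post
if (-not (Get-CMActiveDirectoryForest -ForestFqdn $Forest)) {
    New-CMActiveDirectoryForest -ForestFqdn $Forest -EnableDiscovery $true
}
if (-not (Get-CMDeviceCollection -Name 'My Servers')) {
    New-CMDeviceCollection -Name 'My Servers' -LimitingCollectionName 'All Systems' -RefreshType Manual
}

# Show the result: the group, its default site and how many boundaries it now holds
Get-CMBoundaryGroup -Name $GroupName | Select-Object Name, DefaultSiteCode, MemberCount
```

Run it from a console session opened with Connect using PowerShell, or as a plain script on the site server where the console is installed (the Import-Module line handles that case). The last line is the quick check: MemberCount should be 1 and DefaultSiteCode should be your site code.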
Still more to come
Beta of System Center 2012 Service Pack 1 released!
This update includes the following:
The Beta of System Center 2012 Service Pack 1 (“SP1”) enables System Center customers to jointly evaluate System Center 2012 with Windows Server 2012 and Windows 8. The Beta is for evaluation purposes only and not to be used in production as described in the EULAs associated with the product. No license keys are required to do this evaluation. The Beta includes updates and enhancements to the following System Center 2012 components:
- Virtual Machine Manager
  - Improved support for Network Virtualization
  - Extend the VMM console with Add-ins
  - Support for Windows Standards-Based Storage Management Service, thin provisioning of logical units and discovery of SAS storage
  - Ability to convert VHD to VHDX, use VHDX as base Operating System image
- Configuration Manager
  - Deployment and management of Windows 8 and Windows Server 2012
  - Distribution point for Windows Azure to help reduce infrastructure costs
  - Automation of administrative tasks through PowerShell support
  - Management of Mac OS X clients and Linux and UNIX servers
  - Real-time administrative actions for Endpoint Protection related tasks
- Data Protection Manager
  - Improved backup performance of Hyper-V over CSV 2.0
  - Protection for Hyper-V over remote SMB share
  - Protection for Windows Server 2012 de-duplicated volumes
  - Uninterrupted protection for VM live migration
- App Controller
  - Service Provider Foundation API to create and operate Virtual Machines
  - Support for Azure VMs; migrate VHDs from VMM to Windows Azure, manage from on-premises System Center
- Operations Manager
  - Support for IIS 8
  - Monitoring of WCF, MVC and .NET NT services
  - Azure SDK support
- Orchestrator
  - Support for Integration Packs, including 3rd party
  - Manage VMM self-service User Roles
  - Manage multiple VMM ‘stamps’ (scale units), aggregate results from multiple stamps
  - Integration with App Controller to consume Hosted clouds
- Service Manager
  - Apply price sheets to VMM clouds
  - Create chargeback reports
  - Pivot by cost center, VMM clouds, price sheets
- Server App-V
  - Support for applications that create scheduled tasks during packaging
  - Create virtual application packages from applications installed remotely on native server
So much interesting stuff here! Looking forward to trying it out this week!
System Center 2012 and Integration Possibilities
With System Center 2012, Microsoft gathered all of their previous System Center products into one large product.
So now in 2012, System Center contains Service Manager, Configuration Manager, Operations Manager, Data Protection Manager, Orchestrator, Virtual Machine Manager and App Controller.
It is split into two editions, Standard and Datacenter (Standard is limited to running 2 OSEs).
But all the features are there, and the magic with System Center 2012 is the integration possibilities, which I’m going to list below. These integration possibilities are listed based on what I know so far; if you have any info about other integrations that are possible, please send me some info.
Configuration Manager 2012:
* Citrix XenApp (can connect to XenApp to automate application delivery to XenApp servers, and use XenApp as a deployment type out to the user)
* Microsoft App-V (can use application virtualization as a deployment type out to users)
* Citrix XenDesktop (since you can use Configuration Manager to patch Windows systems, you can also use SCCM to patch VDI images)
* Microsoft Exchange (you will use this to manage your mobile devices that are connected to Exchange in the SCCM console)
* Microsoft SCUP (System Center Updates Publisher; you can use this to publish software patches from, for instance, Adobe, Dell and HP)
* Secunia (Corporate Software Inspector; you can use this with SCCM to patch all of the software within your environment)
* Microsoft MDT 2012 (you can integrate this with SCCM 2012 to improve and ease OS deployment)
* Dell Client Integration (for ease of Dell client deployment)
* System Center Service Manager (for importing software and hardware information into the CMDB)
* System Center Orchestrator (there is a dedicated integration pack for automating SCCM tasks)
* RES Workspace Manager (you can integrate with RES Workspace Manager in order to allow SCCM to deploy applications to RES-controlled servers/computers)
* AppSense Application Manager (for deployment of UV agents and UV configurations)
* Windows Intune (you can connect to your Windows Intune account for central management)
* Windows Azure (you can deploy distribution points in Windows Azure)
* Wyse Device Manager (it is for 2007, but it will be for 2012 as well)
* MDT 2012
* Quest Management Xtensions
* NOMAD 2012
Operations Manager 2012 (mostly management packs):
* System Center Service Manager (for importing alerts for further investigation in Service Manager)
* System Center Virtual Machine Manager (for PRO, Performance and Resource Optimization)
* Network devices with SNMP v3
* HP MP (for HP monitoring)
* Dell MP (for Dell monitoring)
* System Center MP (for System Center monitoring)
* Citrix MP via ComTrade (for monitoring of Citrix components)
* BIG-IP F5 monitoring
* System Center Orchestrator (for automation of tasks)
* NetApp OnCommand (for monitoring of NetApp solutions)
* Cisco UCS (for monitoring of UCS solutions)
* Brocade (monitoring of Brocade storage)
* IBM hardware (for monitoring of IBM hardware)
* Windows Azure (GSM for application monitoring)
* AppSense
* NetApp monitoring
Virtual Machine Manager:
* Citrix NetScaler (for auto deployment of LB rules and access)
* F5 BIG-IP (for auto deployment of LB rules and access)
* Brocade ACX (for auto deployment of LB rules and access)
* Citrix XenDesktop and PVS (for rapid deployment of VDI machines)
* Citrix XenServer (allows you to use SCVMM to manage XenServers)
* VMware vSphere (allows you to use SCVMM to manage vSphere)
* Hyper-V (allows you to use SCVMM to manage Hyper-V)
* NetApp (automated rapid provisioning of space-efficient VMs with System Center Virtual Machine Manager (SCVMM) or Windows PowerShell rapid provisioning cmdlets)
* SMI-S (a standard storage API which works for most storage solutions)
Orchestrator (mostly integration packs):
* System Center 2012 (all of the products)
* vSphere (integration pack for automation of tasks)
* NetApp (integration pack for automation of tasks)
* HP (iLO, Service Manager, Operations Manager) (integration pack for automation of tasks)
* IBM Tivoli (integration pack for automation of tasks)
* Microsoft Exchange (integration pack for automation of tasks)
* EMC (integration pack for automation of tasks)
* Cisco UCS (integration pack for automation of tasks)
* IBM Tivoli
* F5 BIG-IP
* BMC
(This post is a work in progress, so not all the products are listed yet.)
Integrating XenApp and Configuration Manager 2012
Finally the day has come: as I mentioned in the previous post, the Tech Preview of the XenApp Connector for Configuration Manager 2012 is now released on Citrix,
or as they call it “Project Thor”. It allows for a flexible application delivery solution that combines the best of both worlds (Configuration Manager and XenApp).
I’ve managed to deploy the connector and will give you a demonstration of how it works.
The package consists of the client components (Receiver etc.), PCM (Power and Capacity Management components) and the connector itself.
The client component XenAppDTHandler has to be installed on all the clients before you can use XenApp published applications.
And we start by installing the connector on the SCCM server.
Start and accept the license terms,
include all the roles and extensions, click Next and Install!
After the install is finished the setup will run the Integration Configuration itself,
so you should create a separate service account for this purpose.
You see the requirements it needs.
Note that if you have created a service account and forgot to give it the “Log on as a service” right, Citrix will handle this for you.
So just click Yes and move forward.
After that, specify a Citrix server that the connector will use. In my case I chose my only Citrix server (which has the data store and the XML service).
Then the setup verifies that it can connect to the server; if not, you will get an error message during verification.
After that you need to enter the Configuration Manager site (the setup will automatically read the local site it is connected to)
and verify the connection.
If you get this error message you need to run the following commands.
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts hostname.domain.local -Force
Restart-Service winrm -Force
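The same three WinRM commands as an added example (not from the original post), with the TrustedHosts entry appended instead of replacing whatever is already in the list, and a check that the site server answers before you go back to the connector’s verification step. The hostname is a placeholder, as in the post.

```powershell
# Added example, not from the original post. Hostname is assumed; replace it with your site server.
$siteServer = 'hostname.domain.local'

Enable-PSRemoting -Force

# Set-Item without -Concatenate replaces the whole TrustedHosts list; append only if missing
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($current -notmatch [regex]::Escape($siteServer)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $siteServer -Concatenate -Force
}

Restart-Service WinRM -Force

# Show what is trusted now and confirm the remote WinRM endpoint responds
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Name, Value
Test-WSMan -ComputerName $siteServer
```

TrustedHosts only comes into play for connections that cannot use Kerberos, so listing the one FQDN you need, rather than a wildcard, keeps the list of hosts your machine will authenticate to without mutual authentication as small as possible.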
Then press Yes and continue.
Now you get the summary screen; press Apply.
If everything goes as planned you will get this screen.
(NOTE: you can also see these applications appear after the installation.)
Now you can open the Configuration Manager console, and under Software –> Application Management you can now see XenApp.
As you can see here we only have one option, which is “Create Publication”.
This will create a published application on the XenApp server which is available for Configuration Manager.
We can start by publishing an application –>
In this case Notepad (this will by default appear under Applications/ConfigMgr12 in the XenApp console).
Click Next –>
Choose a XenApp installed application –>
Choose the command line, click Next –>
This wizard is much like the wizard in XenApp, with the same configuration settings and so on. Click Finish.
And here you have all the advanced settings like encryption etc. If you open XenApp AppCenter you can now see the application (this update runs every 10 min, but you can force an update to the XenApp server by running the sync tool that was installed).
So now we can create a deployment type with XenApp.
With the possibilities that come with SP1 (Mac and Linux support) we have loads of options!
Here we can add the newly created Notepad (I fixed the display name before running the wizard).
Click Next –> and we can create requirements for this deployment.
I’ll write more about this feature as soon as I have the time, with integration of SP1 as well; stay tuned.
NOTE: If you have some issues with the connector you can review the log files found under C:\Program Files\Citrix\XenApp Connector for ConfigMgr 2012\Connector Service\logs
NOTE: A collection is also created which consists of the XenApp servers. Do not edit this; the connector will add all the XenApp servers automatically from the farm.
SCCM 2012 and PKI
This is going to be a huge post, but hopefully someone will find it useful for future reference.
In my previous SCCM 2012 post, I showed how to install SCCM, but not how to configure it for encrypted communication.
Out of the box, SCCM traffic goes unencrypted via HTTP, which is clear text. So if you manage to get inside the LAN and fire up arpspoof or macof (or any other MITM method) you can
read the traffic going back and forth from the client to the site servers. Therefore I’m going to show you how to install your very own Microsoft PKI infrastructure and how to enroll the different types of certificates that you need in order for SCCM to encrypt traffic.
Before I start, I want to show you how I designed my lab for this demo. This is a fully virtual lab environment; much of the setup I do here is not “best practice”, but in order to keep this post readable I wanted to keep it as short as I possibly could. I have excluded much of the setup regarding CRL, OCSP and config files (if you are unfamiliar with these terms go to this page http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx ).
In my lab I have
1 * SQL Server (running the ConfigMgr site SQL database)
1 * ADCS (Active Directory Certificate Services) server running an Enterprise Subordinate CA (which we are going to install in this post), running Server 2008 R2 Enterprise
1 * ADCS server running a Stand-alone Root CA (also going to be installed in this post), running Server 2008 R2 Enterprise
1 * ConfigMgr server (which was installed in a previous post)
What we are going to start with is the stand-alone root CA. This is a server that is not connected to the network (for security reasons, and therefore not domain joined), since we are going to create a trusted root CA which the sub CA is going to use to issue certificates. The reason why I set up a two-tier PKI is that this is the most commonly used setup.
The first thing we do is install a virtual computer with Server 2008 R2 (or regular 2008). After the server is finished installing, you start by installing the server role ADCS.
Click next and choose Certification Authority
Click next and choose Standalone CA (As you can see Enterprise is unavailable since this server is not a part of a domain )
Click next and choose Root CA,
Click next and choose “Create a new private Key”
Click Next, and Next again (leave the defaults on Cryptography), and here by default it uses the hostname of the server (since this was a fresh install and had the gibberish name WIN-i3ou423io, I changed the name to ROOTCA1, which is the name that will appear on the trusted root certificate).
Click Next, next and Install.
Now after it is finished installing, go to the folder C:\windows\system32\certsrv\certenroll.
There you will now have 2 files:
1 .crt file (which is the trusted root certificate)
1 .crl file (which is the certificate revocation list, basically a list that contains all the certificates that have been revoked)
Now we have to export these files and import them on the subordinate server, so we have to install that first before we can continue. After it is installed, open a PowerShell prompt as a domain admin and run the following commands.
certutil -dspublish -f filename.crt RootCA
certutil -addstore -f root filename.crt
certutil -addstore -f root ROOTCA1.crl
The first command places the root CA public certificate into the Configuration container of Active Directory. Doing so allows domain client computers to automatically trust the root CA certificate and there is no additional need to distribute that certificate in Group Policy. The second and third commands place the root CA certificate and CRL into the local store of the SUBCA. This provides SUBCA immediate trust of root CA public certificate and knowledge of the root CA CRL. SUBCA could obtain the certificate from Group Policy and the CRL from the CDP location, but publishing these two items to the local store on SUBCA is helpful to speed the configuration of SUBCA as a subordinate CA.
If you open the local certificate store on the server you can see that the root CA certificate and the root CA CRL are in the local store.
Now we can continue with the subordinate ADCS install.
The setup is basically the same,
except we choose Enterprise CA, click Next.
Choose Subordinate CA, click Next.
Here we choose “Save a certificate request to file” and choose a location. We need to copy this file over to the root CA and issue a certificate in order to make the CA operational.
Click Next, and Install. After you have finished installing, copy the file to the root CA. Open a command prompt (ON THE ROOT CA) (or PowerShell) and type the command
certreq -submit F:\APP1.corp.contoso.com_corp-App1-CA.req (remember to change the file name to match the one you have)
After you have done that, open the Certification Authority MMC, Expand and then click Pending Requests.
ROOT CA
Choose the certificate and click “Issue”. Now we have to copy the certificate back to a removable drive.
Open a PowerShell prompt and run the command certreq -retrieve <RequestId> F:\filename.crt
You can see the Request ID in the Issued Certificates tab.
Press Enter, choose ROOTCA1 from the list and click OK.
ROOT CA
This command will copy the certificate of the server + the root CA certificate and CRL.
(If not, go to Windows\System32\certsrv and copy the other files as well.)
After you have copied the files to a removable drive you can turn off the root CA, as it is no longer needed.
Now back to the subordinate CA: open the Certification Authority MMC. Right-click the server, click All Tasks, and then click Install CA Certificate.
In the Select file to complete CA installation dialog, set the file type to X.509 Certificate (*.cer; *.crt) and then navigate to the removable media and select hostname.crt. Click Open; now that we’ve imported the certificate we can start the service.
Now what did we actually do here?
First we set up the root CA, which is the center of trust in this case (tier 1). We created a root CA certificate, and we exported the root CA certificate to Active Directory and to the subordinate CA. Then we installed a subordinate CA, made a certificate request, imported that to the root CA and issued the request. What it basically does is that the sub CA says to the root “I have a request, I wish to issue certificates” and then the
root CA says to the subordinate “I trust you, here is your certificate, so now you can issue certificates on my behalf”.
Since all the domain computers get the root CA certificate in their Trusted Root Certification Authorities store, they will automatically trust all the certificates that the subordinate CA issues to the domain.
Hopefully that made some sense.
Now we are done with the PKI setup; next we have to start with the SCCM part of the certificates.
What kind of certificates does SCCM need?
In this demo we are going to create two templates that will be automatically deployed via AD.
* ConfigMgr Client Certificate
By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.
With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.
* ConfigMgr Web Server Certificate
This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).
You can see the entire list here.
http://technet.microsoft.com/en-us/library/gg699362.aspx
Let’s start with the client certificate.
On the subordinate CA open the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
Right-click the entry that displays Workstation Authentication in the Template Display Name column, and then click Duplicate Template.
In the Duplicate Template dialog ensure that Windows Server 2003 Enterprise Edition is selected, and then click OK. (Windows Server 2008 templates are not supported by ConfigMgr 2012.)
In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.
Click the Security tab, select the Domain Computers group, and select the additional permissions Read and Autoenroll. Do not clear Enroll. (This gives domain computers the permission to get this certificate.)
Click Ok, and close the Console.
Now back to the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Certificate, and then click OK.
Next we need to create a group policy that allows the clients in the domain to do auto enrollment.
Open the group policy management console, and create a new group policy object.
In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies
Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.
From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK.
Then close the Group Policy Management Console.
If you have a client computer in the domain, reboot the computer. When the client has finished booting, it will check its policy and:
1: see that it has auto-enrollment enabled
2: see what certificates it has access to (since we added Domain Computers to the ConfigMgr Client Certificate template, it will automatically fetch a certificate from the subordinate CA)
You can double-check this by opening the local certificate store on the client computer.
Now we need to repeat this to create a certificate template for the ConfigMgr server roles.
Follow the same steps as before, but with some changes.
Instead of the Workstation Authentication template, choose the Web Server template and choose Duplicate Template.
In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.
Click the Subject Name tab, and make sure that Supply in the request is selected.
Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. Click Add, enter the ConfigMgr computer name(s) in the text box, and then click OK. Select the Enroll permission for this group or computer account, and do not clear the Read permission. (This gives the ConfigMgr server the right to enroll for this template.) Then click OK.
In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue
In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Web Server Certificate, and then click OK.
Now head over to the ConfigMgr server.
Open the local Certificate Store on the server, select computer account. Click on the personal store, Right-click Certificates, click All Tasks, and then click Request New Certificate.
On the Before You Begin page, click Next
If you see the Select Certificate Enrollment Policy page, click Next.
On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.
In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.
In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.
On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.
Now the ConfigMgr server has a certificate available which I can use.
Open IIS Manager, Expand Sites, right-click Default Web Site, and then select Edit Bindings.
Click the https entry, and then click Edit. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificates template, and then click OK. After that is done, close the console.
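A check script for the state the steps above should leave the site server in, as an added example (not part of the original post): it looks for the auto-enrolled client certificate in the computer’s Personal store and builds its chain to the root, confirms the web server certificate’s SAN carries the site system FQDN (the subject is blank by design, so the SAN is the only name in it), and confirms the Default Web Site has an https binding with a certificate on 443. The root CA name ROOTCA1 is the one from this post; the site FQDN is an assumed placeholder. Because the post skips CDP/OCSP setup, the CRL check can fail in this lab, so there is a switch to turn it off.

```powershell
# Added example, not from the original post. Run on the ConfigMgr site server after enrolling
# the ConfigMgr Web Server Certificate. Root CA name and site FQDN are assumed values.
param(
    [string]$RootCaName = 'ROOTCA1',               # name given to the stand-alone root in this post
    [string]$SiteFqdn   = 'configmgr.demo.local',  # assumed; use the FQDN you put in the SAN
    [switch]$SkipRevocation                        # lab has no CDP/OCSP, so allow skipping the CRL check
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-CertWithEku {
    # Certificates in the computer's Personal store that have a private key and the given EKU
    param([string]$Oid)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $cert.HasPrivateKey -and $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
    }
}

function Test-ChainToRoot {
    # Builds the chain and requires that it ends at the expected root; returns $true or $false
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Root, [bool]$CheckRevocation)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $ok = $chain.Build($Cert)
    foreach ($s in $chain.ChainStatus) { Write-Warning ("{0}: {1}" -f $Cert.Thumbprint, $s.StatusInformation.Trim()) }
    if ($chain.ChainElements.Count -eq 0) { return $false }
    $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    return ($ok -and ($rootSubject -like "CN=$Root*"))
}

function Get-SanDnsName {
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17), or nothing
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) gives one entry per line, e.g. "DNS Name=configmgr.demo.local"
    $san.Format($true) -split "`r?`n" | Where-Object { $_ -match '^DNS Name=' } | ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

# 1. Client certificate from the duplicated Workstation Authentication template
$clientCerts = @(Get-CertWithEku $ClientAuthOid)
if ($clientCerts.Count -eq 0) {
    Write-Warning 'No client authentication certificate in LocalMachine\My: check the auto-enrollment GPO and the Domain Computers permissions on the template.'
}
foreach ($c in $clientCerts) {
    $trusted = Test-ChainToRoot -Cert $c -Root $RootCaName -CheckRevocation (-not $SkipRevocation)
    "Client cert {0} expires {1:d}, chains to {2}: {3}" -f $c.Thumbprint, $c.NotAfter, $RootCaName, $trusted
}

# 2. Web server certificate: subject is empty by design, so the SAN must carry the site FQDN
$webCerts = @(Get-CertWithEku $ServerAuthOid)
foreach ($c in $webCerts) {
    $names = @(Get-SanDnsName $c)
    "Web cert {0} SAN names: {1}; contains {2}: {3}" -f $c.Thumbprint, ($names -join ', '), $SiteFqdn, ($names -contains $SiteFqdn)
}

# 3. IIS: Default Web Site needs an https binding and a certificate bound to 0.0.0.0:443
Import-Module WebAdministration
$httpsBinding = Get-WebBinding -Name 'Default Web Site' -Protocol https
if (-not $httpsBinding) {
    Write-Warning 'No https binding on Default Web Site; clients switched to HTTPS cannot reach the management point.'
} else {
    $ssl = Get-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
    "https binding present; bound certificate thumbprint: {0}" -f $(if ($ssl) { $ssl.Thumbprint } else { 'none' })
}
```

The chain warnings are the useful part: an “unable to check revocation” status means the client will see the same thing once CRL checking is turned on, and a chain that ends somewhere other than CN=ROOTCA1 means the certificate came from a different CA than the one you just built.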
Since I’ve done this after SCCM was installed, I have to do some configuration in the console as well. Go to Administration –> Sites –> right-click and choose Properties, go to Client Computer Communication –> choose Use HTTPS and import the root CA .crt in the bottom menu.
Now I’m going to install the SCCM client on a new computer and see that it’s communicating on port 443. As you can see during the install, the setup looks for a certificate under the Personal store on the computer, and uses that in order to communicate with the site server.
Now if I open the agent on the client I can see that under Client certificate it says PKI.
Now if I choose an action like fetching Machine Policy, it should communicate with the site server using HTTPS.
I can also open the Application portal, and it should be using the new certificate.
And voilà, there you have it: encrypted communication between client and ConfigMgr site server (management point). My next blog post will include the distribution point, which uses a different type of certificate.
If you choose HTTPS mode on the DP after you complete this demo, you will get some error messages from your client.
System Center Service Manager, part 1
As a part of my System Center blogging spree, I thought I’d go ahead with the setup of SCSM.
For those that don’t know what Service Manager is.
(Service Manager provides an integrated platform for automating and adapting your organization’s IT service management best practices, such as those found in Microsoft Operations Framework (MOF) and Information Technology Infrastructure Library (ITIL). It provides built-in processes for incident and problem resolution, change control, and asset lifecycle management.)
So, WHAT does that mean? Like all other System Center products it has numerous features, much of which will make a lot more sense if you are familiar with ITIL terms. Much is related to
* Incident and Problem management
* Change Management
* Service Request Management
* Release Management
* CMDB
* Data Warehouse reporting
I like the term “learning by doing”, so hopefully you can learn a bit from my posts regarding this.
The Service Manager consists of:
Service Manager management server
Contains the main software part of a Service Manager installation. You can use the Service Manager management server to manage incidents, changes, users, and tasks.
Service Manager database
The database that contains Service Manager configuration items (CI) from the IT Enterprise; work items, such as incidents, change requests, and the configuration for the product itself. This is the Service Manager implementation of a Configuration Management Database (CMDB).
Data warehouse management server
The computer that hosts the server piece of the data warehouse.
Data warehouse database
Databases that provide long-term storage of the business data that Service Manager generates. These databases are also used for reporting.
Service Manager console
The user interface (UI) piece that is used by both the help desk analyst and the help desk administrator to perform Service Manager functions, such as incidents, changes, and tasks. This part is installed automatically when you deploy a Service Manager management server. In addition, you can manually install the Service Manager console as a stand-alone part on a computer.
Self-Service Portal
A web-based interface into Service Manager.
So let's continue with the setup.
NOTE: .NET 3.5.1 is required to install SCSM, so install it using the Add Features wizard.
NOTE: Windows Server 2008 R2 SP1 is required.
As you can see from the setup, the management server and the data warehouse server cannot coexist on the same server (so we will have to install the data warehouse components on another server), but we start with the management server.
On the first screen, enter your product key or, as in my case, choose the trial.
Then accept the license terms.
Next, choose the installation location.
Then click next; now the setup will run the prerequisites check.
In my case I had forgotten a bunch of stuff before I could continue.
The Report Viewer is available on the installation media; the other components are available from Microsoft.com: http://www.microsoft.com/download/en/confirmation.aspx?id=8824
After you have installed the missing components you can continue with the setup.
On the next page you have the database setup. Unlike OpsMgr and ConfigMgr, Service Manager doesn't like the default collation SQL_Latin1_General_CP1_CI_AS; if you have a clean database server for this purpose, choose the collation Latin1_General_100_CI_AS (if you are using the former one you will get an error message, but we continue on!).
After you are done entering the info, click next.
Now you have to enter a management group name and a management group administrators group.
NOTE: Management group names must be unique. Do not use the same management group name when you deploy a Service Manager management server and a Service Manager data warehouse management server. Furthermore, do not use the management group name that is used for Operations Manager.
![]()
Click next, and configure the service account to be used for Service Manager.
On the next page you need to set up the Service Manager workflow account.
Click next, and choose a setting for the CEIP.
(Whatever you decide, I recommend that you actually choose yes here, since Microsoft actually uses the data they gather to make a better product.)
The next menu is about whether you want to use Microsoft Update; in my case I have patch management via SCCM, so I choose no.
Click next and you get the summary screen; double-check that everything is correct before you install.
NOTE: It's a pretty small installation, so it will only take a couple of minutes.
NOTE: If setup fails, check the logs under Users\currentuser\appdata\local\temp
NOTE: In the last part of the installation it might say something about importing management packs; don't get confused and mix it up with OpsMgr. This is because Service Manager also uses the term Management Packs ![]()
After the installation is complete, start the console via the Start menu –> Service Manager Console.
This is what the console looks like the first time.
The graphical user interface is similar to ConfigMgr and OpsMgr, and as you can see in the overview, the console lists a whole bunch of objectives that we should complete before we start using Service Manager.
Let's just go through the basics of the console. On the left side we have 4 different options.
Administration –>
- Announcements
- Connectors
- Deleted Items
- Management Packs
- Notifications
- Security
- Service Level Management
- Settings
- Workflows
Library –>
- Groups
- Knowledge
- Lists
- Queues
- Runbooks
- Service Catalog
- Service Offerings
- Tasks
- Templates
Work Items
- Activity Management
- Change Management
- Incident Management
- Problem Management
- Release Management
- Service Request Fulfillment
Configuration Items (Which contains all the CI’s, they typically include Services, hardware, software, buildings, people)
- Builds
- Business Services
- Computers
- Environments
- Printers
- Software
- Software Updates
- Users
All these words (Service Management, Configuration Items, Incident Management, Change Management) are directly linked to ITIL & MOF, so they don't make a lot of sense to people who aren't familiar with the ITIL terminology.
But for the sake of this blog, let's go through a quick demo.
The Demo
A user (Bill) is sitting at a computer (Computer1), is having trouble with a printer (Printer1), and creates an incident using the portal.
First we have to use the Active Directory connector to sync his user to Service Manager. Go to Administration –> Connectors –> Active Directory Connector.
Give the sync a valid name and a good description:![]()
Choose “Enable this connector”, click next –>![]()
Choose the domain you wish to sync from and the account you want to use to sync the information; click Test Connection to see if the user info you entered is valid. Click next –> then import the user and the computer (in my case I created the printer manually as a CI).
Click next, double-check the summary and click Create.
If you go to Configuration Items and choose Users you will now see that Bill appears in the list, and if you choose the Computers view you will see that Computer1 appears. And I have created the printer manually.
Let's say Bill sends you an e-mail about an incident with Printer1 on Computer1; then you as an administrator would have to “create an incident”. If it's confusing and you think “Well, isn't that a problem instead of an incident?”: in ITIL thinking, a problem is something that comprises multiple incidents. Since this is a single event, it is an incident. If a lot of people are having trouble with the printer, then it's a problem.
Go to Work Items –> Incident Management –> Create Incident.
Next there is a wealth of info that you need to enter.
First we have to enter the affected user, a title for the incident with an accurate description, the impact and whether it is urgent or not, and the affected items. The console also keeps track of the time you spend on the incident.
You also have to provide an owner of the incident; in my case I'm going to give it to my Tier 1 support tech, SQLuser.
Click Apply, then OK. Then go back to the “All Incidents” view and you will see the incident we just created.
When the issue is fixed, we can just click on the incident and change the status to Resolved ![]()
This has been part 1 on SCSM, more to come.
SCOM 2012, part 1 installation
Since I said in my previous post that I'm working on the whole System Center package (and I'm getting tired of blogging about SCCM), I thought I would start a bit on SCOM (Operations Manager) ![]()
Much has changed since the previous version, SCOM 2007 R3 CU5 (which I believe was the last release).
A lot of new features have been added, including:
* SNMP v3 support (the previous versions supported only v1 & v2)
* More PowerShell cmdlets
* Removal of the RMS role (which was introduced in 2007), so all servers are now management servers and the load is distributed between them, which gives HA out-of-the-box
* Agent Control Panel applet
* More support for network devices and protocols (including CDP and LLDP)
* More support for web applications (J2EE, .NET)
And remember that SCOM consists of the following
* Management Server
* SCOM DB
* SCOM Data warehouse DB
* Gateway Server
* ACS
* ACS Database
* Agent
* Console
* Web Console
* Reporting Server
* Management Packs
* Agents
Now that we have covered the basics, let's start by installing it.
PS: Remember to install .NET Framework 3.5.1.
After I start the SCOM 2012 setup, I get the option to choose what I want to install; since I only have one server I choose Management server + Console.
Next is the installation location; leave it at the default.
Next the setup verifies that you have the required hardware and software to run OpsMgr.
In my case I forgot to update my server to 2008 R2 SP1 and I forgot to install the Report Viewer controls.
Of course those are pretty easy to fix. (Can't figure out though why Microsoft couldn't put the Report Viewer setup on the installation media.) So after you've installed SP1 and the Report Viewer controls, run the setup again.
![]()
Now that that's done I can continue with the setup; next you create a management group.
This is unique for each instance of OpsMgr, so choose a unique name if you have multiple instances.
Click next and accept the license terms.
Then click next again; now we come to the DB setup.
Enter the name of your SQL server, and the setup will automatically connect to it.
By default it will store the database on the C:\ drive of the SQL server; change that to another disk (preferably on NAS/SAN storage).
Next we get another database setup, but this one is for the data warehouse DB, the database that Reporting Services uses and that holds long-term data.
After you are done here, click next. Now we get to the service account setup screen.
A little info about the different accounts.
Management server action account:
This account is used to carry out actions on monitored computers across a network connection.
This should be a domain account, which has local administrative rights.
System Center Configuration service and System Center Data Access service account
This account is one set of credentials that is used to update and read information in the operational database. Operations Manager ensures that the credentials used for the System Center Data Access service and System Center Configuration service account are assigned to the sdk_user role in the operational database.
This can be either a domain account or run as local system. For cases where the operational database is hosted on a remote computer that is not a management server, a domain account must be used. For security reasons, don’t use the same account as the MSAA.
Data Warehouse Write account
The Data Warehouse Write account writes data from the management server to the Reporting data warehouse and reads data from the operational database.
This account is assigned write permissions on the Data Warehouse database and read permissions on the operational database.
Data Reader account
The Data Reader account is used to define which account credentials SQL Server Reporting Services uses to run queries against the Operations Manager reporting data warehouse.
Ensure that the account you plan to use for the Data Reader account has SQL Server logon rights and Management Server logon rights.
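To make the account guidance above checkable, here is an added example (mine, not code from the post or from Operations Manager) that reviews a planned set of OpsMgr service accounts against the rules just listed: the action account is a domain account, the Data Access/Configuration account is not the same account as the MSAA, and a remote operational database means that service needs a domain account. As an editorial generalisation it also flags any of the four accounts that sits in a privileged group, which is the same point the installer makes when a domain admin is used as the action account. All account names and plans below are constructed.

```python
"""Added example: least-privilege review of an OpsMgr service-account plan (not SCOM code)."""
from dataclasses import dataclass, field
from typing import List, Set

# Groups whose membership makes a service account far more powerful than it needs to be.
# Editorial assumption: the post only mentions the domain admin case explicitly.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}


@dataclass
class Account:
    name: str                             # constructed, e.g. "TEST\\OM_Action"
    kind: str                             # "domain" or "localsystem"
    groups: Set[str] = field(default_factory=set)

    def is_privileged(self) -> bool:
        return any(g.lower() in PRIVILEGED_GROUPS for g in self.groups)


@dataclass
class AccountPlan:
    action_account: Account               # Management server action account (MSAA)
    sdk_config_account: Account           # Data Access / Configuration service account
    dw_write_account: Account             # Data Warehouse Write account
    data_reader_account: Account          # Data Reader account used by SSRS
    opdb_on_management_server: bool       # False when the operational DB is on a remote SQL host


def check_plan(plan: AccountPlan) -> List[str]:
    """Return the findings for a plan; an empty list means it follows the guidance above."""
    findings = []
    msaa, sdk = plan.action_account, plan.sdk_config_account

    if msaa.kind != "domain":
        findings.append("MSAA must be a domain account with local admin rights on monitored computers")
    if sdk.name.lower() == msaa.name.lower():
        findings.append("Data Access/Configuration account must not be the same account as the MSAA")
    if sdk.kind == "localsystem" and not plan.opdb_on_management_server:
        findings.append("operational database is remote: Data Access/Configuration service needs a domain account")

    for role, acct in (("MSAA", msaa), ("Data Access/Configuration", sdk),
                       ("Data Warehouse Write", plan.dw_write_account),
                       ("Data Reader", plan.data_reader_account)):
        if acct.is_privileged():
            findings.append(f"{role} account {acct.name} is in a privileged group; use a dedicated low-privilege account")
    return findings


# Constructed weak plan: the domain administrator reused for both the MSAA and the Data Access service.
WEAK_PLAN = AccountPlan(
    action_account=Account("TEST\\administrator", "domain", {"Domain Admins"}),
    sdk_config_account=Account("TEST\\administrator", "domain", {"Domain Admins"}),
    dw_write_account=Account("TEST\\OM_DWWrite", "domain"),
    data_reader_account=Account("TEST\\OM_DataReader", "domain"),
    opdb_on_management_server=False,
)

# Constructed hardened plan: four dedicated domain accounts, none of them in a privileged group.
HARDENED_PLAN = AccountPlan(
    action_account=Account("TEST\\OM_Action", "domain"),
    sdk_config_account=Account("TEST\\OM_SDK", "domain"),
    dw_write_account=Account("TEST\\OM_DWWrite", "domain"),
    data_reader_account=Account("TEST\\OM_DataReader", "domain"),
    opdb_on_management_server=False,
)

if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        print(label, check_plan(plan) or "no findings")
```

Run it before clicking through the account screen: a plan with findings is one the installer will warn about or that silently over-privileges the monitoring infrastructure.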
After you have created the domain accounts, enter the usernames and passwords and click next.
Since I chose a domain admin account as my management server action account, I got a warning from the installer that this is not recommended. But as I said before, it's a demo in a closed environment, so no harm there ![]()
Next we have the help improvement and error reporting settings (choose whatever you want there).
Next we have Microsoft Update; since we are using SCCM for patch management I turned this off.
Click next and you get the summary screen; double-check the information here, then click install.
And then the waiting begins. If you want you can check the logs that the setup stores under C:\users\(runninguser)\appdata\local\scom\logs, in particular OpsMgrSetupWizard.log.
When the setup is finished, tick “Start the console” and close the installer.
Now we are in the console. OpsMgr automatically tells us that there are tasks we need to do before we can manage and monitor our network. The first thing I want to do is publish the OpsMgr information to Active Directory so that our agents can find which management group and server they need to connect to (of course we don't need to publish that information in AD; if we want, we can type it in manually in the agent's setup parameters).
This step needs to be performed as a user with the necessary domain rights.
Open the OpsMgr installation media on a domain controller, browse to SUPPORTTOOLS\I386 and run MOMADADMIN from a cmd prompt. What this tool does is:
* creates an Operations Manager container under the root of the domain specified,
* creates a container under the Operations Manager container with the name of the management group specified,
* within the management group container, creates two service connection points (SCP) and one security group.
The syntax is: MomADAdmin ManagementGroupName MOMAdminSecurityGroup RunAsAccount Domain
Example: MomADAdmin MyManagementGroup contoso\MOMAdmin contoso\ActionAccount Contoso
So in my instance: MomADAdmin TEST_MG test\MOMadmin test\administrator test
Note though, this only creates the container in AD; it doesn't add the management servers, so the agents still don't know which server they should contact.
Now we have to go back into the console.
Go into the Administration tab and into Management Servers, right click on the server (which is a MS) and choose Properties.
Next click the Add button under “Auto Agent Assignment”.
![]()
Now we come to the Agent Assignment and Failover Wizard,
as you can see here, it says that MOMADAdmin has to have been run before you can continue with this wizard.
Click next, then select the domain of the computers from the Domain name drop-down list.
Set Select Run As Profile to the Run As profile associated with the Run As account that was provided when MOMADAdmin.exe was run for the domain. The default account that is used to perform agent assignment is the computer account for the root management server, also referred to as the Active Directory Based Agent Assignment Account. If this was not the account that was used to run MOMADAdmin.exe, select Use a different account to perform agent assignment in the specified domain, and then select or create the account from the Select Run As Profile drop-down list.
On the Inclusion Criteria page, type the LDAP query for assigning computers to this management server in the text box.
The following LDAP query returns computers with a name starting with scom: (&(sAMAccountType=805306369)(objectCategory=computer)(cn=scom*))
On the Exclusion Rule page, type the fully qualified domain names (FQDN) of computers that you explicitly want to prevent from being managed by this management server.
On the Agent Failover page, either select Automatically manage failover and click Create, or select Manually configure failover.
Now remember that it can take up to one hour for the agent assignment setting to propagate in Active Directory Domain Services.
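Because the assignment only shows up in AD after up to an hour, it helps to be able to test the inclusion filter and exclusion rule offline first. The following is an added example of mine, not Operations Manager code: a small evaluator for the subset of LDAP filter syntax the wizard's inclusion criteria use (&, |, !, equality and "*" wildcards, matched case-insensitively as AD does), followed by the exclusion rule's FQDN list. It goes a little beyond the post's single filter by also handling OR and NOT. The directory entries are constructed sample objects in the post's test.local domain; objectCategory is kept as the short class name that AD resolves, and only "=" comparisons are supported.

```python
"""Added example: evaluate an agent-assignment LDAP inclusion filter offline (not SCOM code)."""
import re
from typing import Any, Dict, List, Tuple

# sAMAccountType value for machine (computer) accounts, as used in the post's filter.
SAM_MACHINE_ACCOUNT = 805306369


def parse_filter(text: str):
    """Parse a parenthesised LDAP filter into a nested tuple tree (only '=' items supported)."""

    def parse(i: int) -> Tuple[Any, int]:
        if text[i] != "(":
            raise ValueError(f"expected '(' at {i}")
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at {i}")
            return (op, children), i + 1
        if text[i] == "!":
            node, i = parse(i + 1)
            if text[i] != ")":
                raise ValueError(f"expected ')' at {i}")
            return ("!", node), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"unsupported filter item {text[i:end]!r}")
        return ("=", attr.lower(), value), end + 1   # AD attribute names are case-insensitive

    node, pos = parse(0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _value_matches(pattern: str, value: Any) -> bool:
    """AD-style matching: case-insensitive, '*' is a wildcard, a lone '*' tests presence."""
    if pattern == "*":
        return True
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def evaluate(node, entry: Dict[str, Any]) -> bool:
    """True when the entry (lower-case attribute keys) satisfies the parsed filter."""
    op = node[0]
    if op == "&":
        return all(evaluate(child, entry) for child in node[1])
    if op == "|":
        return any(evaluate(child, entry) for child in node[1])
    if op == "!":
        return not evaluate(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr)
    if values is None:                 # absent attribute never matches, not even (attr=*)
        return False
    if not isinstance(values, (list, tuple)):
        values = [values]
    return any(_value_matches(pattern, v) for v in values)


def assign_computers(filter_text: str, entries: List[Dict[str, Any]], excluded_fqdns=()) -> List[str]:
    """Apply the inclusion filter, then the exclusion rule; return the FQDNs this server would take."""
    tree = parse_filter(filter_text)
    excluded = {f.lower() for f in excluded_fqdns}
    return sorted(
        e.get("dnshostname", "") for e in entries
        if evaluate(tree, e) and e.get("dnshostname", "").lower() not in excluded
    )


# Constructed sample directory for the post's test.local domain.
SAMPLE_ENTRIES = [
    {"cn": "SCOM01", "samaccounttype": SAM_MACHINE_ACCOUNT, "objectcategory": "computer",
     "dnshostname": "scom01.test.local"},
    {"cn": "scomdb2", "samaccounttype": SAM_MACHINE_ACCOUNT, "objectcategory": "computer",
     "dnshostname": "scomdb2.test.local"},
    {"cn": "SQL01", "samaccounttype": SAM_MACHINE_ACCOUNT, "objectcategory": "computer",
     "dnshostname": "sql01.test.local"},
    # A user whose name also starts with "scom": sAMAccountType and objectCategory keep it out.
    {"cn": "scomadmin", "samaccounttype": 805306368, "objectcategory": "person"},
]

POST_FILTER = "(&(sAMAccountType=805306369)(objectCategory=computer)(cn=scom*))"

if __name__ == "__main__":
    print(assign_computers(POST_FILTER, SAMPLE_ENTRIES))
    print(assign_computers(POST_FILTER, SAMPLE_ENTRIES, excluded_fqdns=["scomdb2.test.local"]))
```

The same evaluator can be pointed at an export of your real computer objects to see which machines each management server's criteria would claim before anything propagates, which is also a quick way to spot two servers whose filters overlap.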
Since it might take some time, we are going to install the agent manually, but before we can do that we have to change the security settings for the SCOM site,
because by default SCOM rejects manually installed agents. So go into the Administration tab ->
![]()
Click the Security tab, press Properties and change the value from Reject to Automatically approve.
![]()
Then click OK. After that is done, go to the server where you want the agent installed and run this command in a cmd shell as administrator.
Installing the agent:
%windir%\system32\msiexec.exe /I dir\momagent.msi /qn USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP=TEST_MG MANAGEMENT_SERVER_DNS=scom.test.local
NOTE: That the dir here is the installation media of scom
NOTE: Active Directory Integration is disabled for agents that were installed from the Operations console. By default, Active Directory Integration is enabled for agents installed manually by using MOMAgent.msi.
After the installation it might take some time before the agent appears in the console; when it does, it will appear under Administration –> Agent Managed.
You can also check the Control Panel applet on the server, which displays info about the agent.![]()
And check the event log under Windows Logs –> Applications and Services Logs –> Operations Manager to see if any error messages appear.
When it is finished and you have no error messages, go into the console again, Monitoring -> Windows Computers, and you will see the agent appear as Healthy there. So it seems the agent is working as it should.
By the way, the server I installed the agent on was a SQL server. By default SCOM doesn't contain anything useful for monitoring SQL servers, so we need to download a management pack for SQL Server 2008 in order for SCOM to manage the server properly.
A management pack is a file that contains parameters, values, tasks, rules and monitors for a known product, so it contains all the information SCOM needs to monitor that product.
Microsoft has a lot of free management packs available for download via their online catalog. (There are also third-party vendors that have published management packs for their products on the website, but these usually cost money.)
Next I choose to search the online catalog, and I search for “SQL”.
A number of management packs appear, and I choose the SQL Server 2008 MP.
I choose Add all of these and download them to the desktop of my server.
Now that we have downloaded them, we have to import them into the OpsMgr site.
Go back to the Management Packs pane under Administration, and on the right side click “Import Management Packs”.
Browse to those you've downloaded and click Install.
After you've done that, another view called SQL Server will appear under the Monitoring tab (it was part of the MP you installed).
After OpsMgr has updated the database and distributed the new SQL MP to the agent, the server will appear here.
As you can see, it appears with a critical event, but we will go deeper into events and rules in a later blog post ![]()
Part 1 done!
Windows 8, Windows Server 2012
Since I'm not attending MMS this year, I am stuck with watching the keynotes and Twitter, but I still manage to get the latest news ![]()
Microsoft has today released its System Center 2012 products worldwide.
They have also announced which editions of Windows 8 will be released.
Microsoft has seen that having too many versions of Windows available is confusing for the customer, so it stuck with the basics:
Windows 8, Windows 8 Pro, Windows 8 Enterprise and Windows RT (which is Windows for ARM).
As you can see from the feature list here, http://windowsteamblog.com/windows/b/bloggingwindows/archive/2012/04/16/announcing-the-windows-8-editions.aspx
Windows RT does not support domain join (or x86/x64 software) and therefore does not support group policies and such. I think that is a bit disappointing, but how else can Microsoft compete with other tablets in the enterprise market on speed, if their tablet needs 5 minutes to grind through a bunch of policies and other scripts that need to run?
But I think Microsoft's strategy will be to implement Windows RT-only features in the new ActiveSync protocol that will most likely come with Exchange 2015 (more info coming in September), or that SCCM will get enhanced capabilities for managing Windows RT.
Another thing Microsoft revealed is that Windows 8 Server is now named Windows Server 2012 (no surprises there).
SCCM 2012, Part 2 configuration
This part will cover the basic configuration that makes ConfigMgr 2012 actually work in a domain.
There are a couple of steps we need to do before we can distribute the client across our domain.
First off, start the console (usually located on the desktop) and go into the Administration tab,
then from the left menu select Boundaries, right click and select Create Boundary.
Since I only have one domain that I wish to create a boundary for, I choose Active Directory site from the drop-down menu, click Browse, select the (Default-First-Site-Name) site and give it a good description.
Click Apply, then OK. As of now you have just created a boundary, but you haven't linked it to a ConfigMgr site, so it doesn't do much until we've done the rest.
Next we have to create a boundary group. Go back to Administration –> Hierarchy Configuration –> Boundary Groups. Right click and select Create Boundary Group.
Start by giving it a valid name and adding the boundary we created in the previous step. Then click References and select “Use this boundary group for site assignment”.
Then click the Add button below and choose the site server you've installed ConfigMgr on. Click Apply and OK.
If you go back to the Boundaries menu, open the properties of the boundary you created earlier and go to the “Boundary Groups” tab, you will now see that the group is listed there.![]()
What you've done now is create a boundary for this site. That means when a client installs the SCCM agent, it queries the system, and the system checks “hmm, is this client within my boundary?”; it sees that the client belongs to the Active Directory site listed in the boundary and says “OK, it is part of my boundary, so I will give it access to this site”.
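The boundary-to-site logic just described, as an added example of mine (an editorial model, not ConfigMgr code): a boundary of any of the three kinds the console offers (AD site, IP subnet, IP range) only matters once a boundary group references it, and only a group with “use this boundary group for site assignment” hands out a site code. It also models the rule that overlapping site-assignment boundaries are unsupported in ConfigMgr 2012 by refusing to pick between two candidate sites. The site code P01, the branch subnet and the client addresses are constructed.

```python
"""Added example: boundary, boundary group and site assignment as a small model (not ConfigMgr code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Boundary:
    kind: str    # "adsite", "ipsubnet" or "iprange"
    value: str   # AD site name, CIDR subnet, or "first-last" address range


@dataclass
class BoundaryGroup:
    name: str
    boundaries: List[Boundary] = field(default_factory=list)
    assigned_site: Optional[str] = None  # set when "Use this boundary group for site assignment" is ticked


@dataclass
class Client:
    ip: str
    ad_site: Optional[str] = None  # None when the client cannot determine its AD site (e.g. workgroup)


def boundary_contains(boundary: Boundary, client: Client) -> bool:
    """True when the client's network location falls inside this boundary."""
    if boundary.kind == "adsite":
        return client.ad_site is not None and client.ad_site.lower() == boundary.value.lower()
    addr = ipaddress.ip_address(client.ip)
    if boundary.kind == "ipsubnet":
        return addr in ipaddress.ip_network(boundary.value, strict=False)
    if boundary.kind == "iprange":
        first, last = (ipaddress.ip_address(p.strip()) for p in boundary.value.split("-"))
        return first <= addr <= last
    raise ValueError(f"unknown boundary kind {boundary.kind!r}")


def assign_site(client: Client, groups: List[BoundaryGroup]) -> Optional[str]:
    """Site code a new client would be assigned, or None when no site-assignment boundary matches."""
    candidate_sites = {
        g.assigned_site for g in groups
        if g.assigned_site and any(boundary_contains(b, client) for b in g.boundaries)
    }
    if len(candidate_sites) > 1:
        # ConfigMgr 2012 does not support overlapping boundaries for site assignment.
        raise ValueError(f"overlapping site-assignment boundaries: {sorted(candidate_sites)}")
    return candidate_sites.pop() if candidate_sites else None


# Constructed configuration mirroring the post: one AD-site boundary in a group that assigns site P01.
AD_SITE_BOUNDARY = Boundary("adsite", "Default-First-Site-Name")
GROUPS = [
    BoundaryGroup("Default site group", [AD_SITE_BOUNDARY], assigned_site="P01"),
    # A subnet boundary in a group without site assignment: useful for content location
    # later, but it hands out no site code, which is the "doesn't do much" state above.
    BoundaryGroup("Branch content group", [Boundary("ipsubnet", "10.20.0.0/24")]),
]

if __name__ == "__main__":
    print(assign_site(Client("10.0.0.15", "Default-First-Site-Name"), GROUPS))  # P01
    print(assign_site(Client("10.20.0.7"), GROUPS))                             # None
```

Feeding the model a second group that assigns a different site for the same location reproduces the console's objection to overlapping site-assignment boundaries, which is worth catching on paper before clients start installing.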
Next we have to activate Active Directory discovery, so that the ConfigMgr system finds our users, groups and computers in AD.
So go to the Administration tab again –> Hierarchy Configuration –> Discovery Methods.
What we are looking for now is Active Directory System Discovery (since we want ConfigMgr to find our computers in the domain).
Right click on System Discovery and choose Properties. Tick “Enable Active Directory System Discovery”, then press the star button and choose Browse. Choose the OU where your clients are located, then click OK.
Go to the Polling Schedule tab and change it to 1 day.
Click Apply, choose Yes on the “Run discovery as soon as possible?” question and press OK.
If you go to the Monitoring tab, into System Status –> Component Status, find SMS_AD_SYSTEM_DISCOVERY_AGENT, right click and choose Show Messages –> All, you can see that the discovery process has already run, and according to the log it found 3 valid systems.
If we go into the Assets and Compliance menu, then into Devices –> All Systems, we find our 3 computers.
Now we could basically just deploy our client to our computers, but we are missing some other pieces that need to be put in place first.
Since ConfigMgr 2012 Microsoft has labeled it user-centric, meaning that we are very interested in the user and not so much in the computer the user sits on (well, we are a little bit interested), but the user sitting behind the computer isn't. They want their software available on every computer they sit on. So in order to deploy software to the user, we have to import our users from AD into ConfigMgr.
So again we go back to Administration –> Hierarchy Configuration –> Discovery Methods, and enable User Discovery just as we enabled System Discovery. (If you want to deploy software to specific groups, which most do, enable Group Discovery as well.)
When you have activated User Discovery and the process has run, your users will appear under Assets and Compliance –> Users.
If you right-click a user and press Properties you will see that it was the discovery that populated this user into ConfigMgr.
As you can see, it says “SMS_AD_USER_DISCOVERY” under Agent Name.
Now we have done much of the configuration we need. Next we need to install the other required roles on our site before we start rolling out the agent to our domain. So go to Administration –> Site Configuration –> Servers and Site System Roles, on the right side choose your primary ConfigMgr server, right click and select Add Site System Roles.
On the first screen that appears, just leave it at the default. Since this is not an internet-facing site we don't need to enter an FQDN.
And since the computer account still has administrator access, I can leave it at that.
The roles I am going to install now are:
“Application Catalog Web Service Point”: the service that the Application Catalog website queries. If you have a large domain I suggest installing 2 servers with the Application Catalog website and 1 dedicated web service point.
“Application Catalog Website Point”: the self-service portal where users can choose the software they want to install.
“Reporting Services Point”: provides the communication between the ConfigMgr server and the SQL Reporting Services server, and installs the default reports.
“Software Update Point”: used for patching computers in the SCCM site (requires WSUS 3.0 SP2). It is also required if you wish to deploy the Endpoint Protection Point, which we are going to install later.
So click next.
If you don't have a proxy server, just click next here.
Here you have to select which ports WSUS is configured to use in IIS; if you are uncertain, open the IIS manager and check the bindings to see which ports it is configured for.
In my case it is a custom website, so I choose that and click next.
To save a lot of screenshots: it's pretty straightforward from here.
On the next pane, choose Synchronize from Microsoft Update and click next. On Synchronization Schedule leave the default, and on Supersedence Rules leave the default. On Classifications choose what patches you are interested in (critical, feature packs, service packs, etc.). On Products, choose only the products you have in your environment, or you might end up with a lot of data you don't need. On the Languages pane, likewise choose only the languages you use.
Now that we are done with that we continue on to the Reporting Services Point.
The setup automatically chooses the server that has the ConfigMgr database installed, so click Verify.
Under Reporting Services server instance, select the default instance from the drop-down menu.![]()
Then click next. For the Application Catalog Web Service Point, just leave it at the default, unless you have a certificate you want to use for HTTPS.
Then click next; for the Application Catalog Website Point, also leave it at the default.
Click next and you can choose a color theme for your portal and enter a title for it.
Click next, the summary will appear, then click Finish, and the server roles will be installed.
Now that the roles are installed, let's check that they are functioning as they should.
Let's start by checking the reporting service: go into Monitoring, then choose Reporting –> Reports (it might take a while before the reports appear) and run a random report (Administration Activity Log).
The report seems to run fine, so it appears the reporting service is functioning. I can also double-check that the component is reporting as it should by going into Monitoring –> System Status –> Component Status and checking SMS_SRS_REPORTING_POINT.
Now on to the software update point: go into Software Library –> Software Updates, right click on All Software Updates and choose Synchronize Now.
As you can see down below, it says busy. And if you open the Windows Server Update Services console you will see that it is synchronizing. This might take some time, depending on what products and languages you chose.
While this is synchronizing, I will check that the role has been installed properly.
It seems to be functioning as it should, and after the sync it seems to be working properly. Well, this will not be properly tested until we have some clients to test it on ![]()
Now back to the Application Catalog website: I get an error, so I right click on SMS_PORTALWEB_CONTROL_MANAGER and choose Show Messages –> All.
To fix this, you have to run the command aspnet_regiis.exe -i from c:\windows\microsoft.net\framework\v4.0.30319 in CMD.
Then I reinstall the Application Catalog Website role from the server and voila! Now it seems to be functioning as it should.
Now open Internet Explorer on the server and go to http://server/cmapplicationcatalog
Remember that you have to have Silverlight installed in order for it to function.
Voila! I haven't created any applications that should be available yet, but you should always create the framework before you create the content.
Now we are finished with part 2 of this SCCM guide; the next one will focus on client settings, Endpoint Protection, software updates, remote control and how to push your SCCM agents out to the domain.