System Center 2012 and Integration Possibilities

With System Center 2012, Microsoft combined all of their previous System Center products into one large product.
So in 2012, System Center contains Service Manager, Configuration Manager, Operations Manager, Data Protection Manager, Orchestrator, Virtual Machine Manager and App Controller.
It is split into two editions, Standard and Datacenter (Standard is limited to running 2 OSEs).

But all the features are there, and the magic of System Center 2012 is the integration possibilities, which I'm going to list below. These are the integrations I know of so far; if you have info about other possible integrations, please send me a link or some info.

Configuration Manager 2012:
Citrix XenApp (Can connect to XenApp to automate application delivery to XenApp servers, and use XenApp as a deployment type out to the user)
Microsoft App-V (Can use application virtualization as a deployment type out to users)
Citrix XenDesktop (Since you can use Configuration Manager to patch Windows systems, you can also use SCCM to patch VDI images)
Microsoft Exchange (You will use this to manage your mobile devices that are connected to Exchange from the SCCM console)
Microsoft SCUP (System Center Updates Publisher; you can use this to publish software patches from, for instance, Adobe, Dell and HP)
Secunia (Corporate Software Inspector; you can use this with SCCM to patch all of the software in your environment)
Microsoft MDT 2012 (You can integrate this with SCCM 2012 to improve and ease OS deployment)
Dell Client Integration (For easier Dell client deployment)
System Center Service Manager (For importing software and hardware information into the CMDB)
System Center Orchestrator (There is a dedicated integration pack for automating SCCM tasks)
RES Workspace Manager (You can integrate with RES Workspace Manager in order to allow SCCM to deploy applications to RES-controlled servers/computers)
AppSense Application Manager (For deployment of UV agents and UV configurations)
Windows Intune (You can connect to your Windows Intune account for central management)
Windows Azure (You can deploy distribution points in Windows Azure)
Wyse Device Manager (It is for 2007, but it will be for 2012 as well)
Quest Management Xtensions
NOMAD 2012

Operations Manager 2012 (Mostly Management Packs)
System Center Service Manager (For importing alerts for further investigation in Service Manager)
System Center Virtual Machine Manager (For PRO, Performance and Resource Optimization)
Network devices with SNMP v3
HP MP (For HP monitoring)
Dell MP (For Dell monitoring)
System Center MP (For System Center monitoring)
Citrix MP via ComTrade (For monitoring of Citrix components)
BIG-IP F5 monitoring
System Center Orchestrator (For automating tasks)
NetApp OnCommand (For monitoring of NetApp solutions)
Cisco UCS (For monitoring of UCS solutions)
Brocade (Monitoring of Brocade storage)
IBM Hardware (For monitoring of IBM hardware)
Windows Azure (GSM for application monitoring)

Virtual Machine Manager
Citrix NetScaler (For auto deployment of LB rules and access)
F5 BIG-IP (For auto deployment of LB rules and access)
Brocade ADX (For auto deployment of LB rules and access)
Citrix XenDesktop and PVS (For rapid deployment of VDI machines)
Citrix XenServer (Allows you to use SCVMM to manage XenServer hosts)
VMware vSphere (Allows you to use SCVMM to manage vSphere)
Hyper-V (Allows you to use SCVMM to manage Hyper-V)
NetApp (Automated rapid provisioning of space-efficient VMs with System Center Virtual Machine Manager (SCVMM) or Windows PowerShell rapid provisioning cmdlets)
SMI-S (A standard storage API which works for most storage solutions)

Orchestrator (Mostly Integration Packs)
System Center 2012 (All of the products)
vSphere (Integration pack for automating tasks)
NetApp (Integration pack for automating tasks)
HP (iLO, Service Manager, Operations Manager) (Integration pack for automating tasks)
IBM Tivoli (Integration pack for automating tasks)
Microsoft Exchange (Integration pack for automating tasks)
EMC (Integration pack for automating tasks)
Cisco UCS (Integration pack for automating tasks)

(This is a post which is under work, so not all the products are listed yet)

#integration, #system-center, #system-center-2012

Integrating XenApp and Configuration Manager 2012

Finally the day has come: as I mentioned in the previous post, the Tech Preview of the XenApp Connector for Configuration Manager 2012 is now released on Citrix,
or, as they call it, "Project Thor". It allows for a flexible application delivery solution that combines the best of both worlds (Configuration Manager and XenApp).
I've managed to deploy the connector and can give you a demonstration of how it works.

The package consists of the client components (Receiver etc.), PCM (Power and Capacity Management components) and the connector itself.
The client component XenAppDTHandler has to be installed on all the clients before you can use XenApp published applications.


And we start by installing the connector on the SCCM server.

Start and accept the license terms,

Include all the roles and extensions, click next and Install!



After the install is finished, the setup runs the Integration Configuration itself, which needs a service account,
so you should create a separate service account for this purpose.
You see the requirements it needs.
Note that if you have created a service account and forgot to give it the "Log on as a service" right, Citrix will handle this for you.

So just click Yes and move forward,


After that, specify a Citrix server that the connector will use. In my case I chose my only Citrix server (which has the data store and the XML service).
Then the setup verifies that it can connect to the server; if not, you will get an error message during verification.
After that you need to enter the Configuration Manager site (the setup will automatically read the local site it is connected to)
and verify the connection.


If you get this error message you need to run the following commands in an elevated PowerShell prompt (replace hostname.domain.local with the name of the server):
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts hostname.domain.local -Force
Restart-Service winrm -Force
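Set-Item on TrustedHosts replaces whatever list was already there, and every entry in that list is a host WinRM will send credentials to without Kerberos mutual authentication, so the list should stay as short as possible. As an added example that is not part of the original post or of Citrix's installer, this snippet adds only the one server, keeps entries that already exist, and refuses a wildcard. It assumes an elevated PowerShell session on the SCCM server and reuses the post's placeholder name hostname.domain.local.

```powershell
# Added example, not from the original post. Adds one host to the WinRM client
# TrustedHosts list idempotently instead of overwriting the whole list.
function Add-TrustedHost {
    param([Parameter(Mandatory = $true)][string]$HostName)

    # A wildcard would make WinRM trust every host on the network; refuse it outright.
    if ($HostName -eq '*') { throw 'Refusing to add a wildcard entry to TrustedHosts' }

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value

    # The value is a comma-separated list; normalise it into an array of trimmed names.
    $entries = @()
    if ($current) { $entries = @($current -split ',' | ForEach-Object { $_.Trim() }) }

    if ($entries -contains $HostName) {
        Write-Host "$HostName is already in TrustedHosts; nothing changed"
        return $entries
    }

    # -Concatenate appends to the existing list rather than replacing it (the post's
    # bare Set-Item call would silently drop any host trusted earlier).
    Set-Item -Path $path -Value $HostName -Concatenate -Force
    Restart-Service -Name winrm -Force

    return @((Get-Item -Path $path).Value -split ',' | ForEach-Object { $_.Trim() })
}

# Same order as in the post: enable remoting first, then trust the Citrix server.
Enable-PSRemoting -Force
Add-TrustedHost -HostName 'hostname.domain.local'   # placeholder from the post
```

Running the function a second time with the same name is a no-op, which makes it safe to keep in the connector's installation runbook.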

Then press Yes and continue.
Now you get the summary screen; press Apply.
If everything goes as planned you will get this screen.
(NOTE: you can also see these applications appear after the installation)


Now you can open the Configuration Manager console, and under Software –> Application Management you can now see XenApp.
As you can see here we only have one option, which is "Create Publication".
This will create a published application on the XenApp server which is available to Configuration Manager.

We can start by publishing an application –>
In this case Notepad (this will by default appear under Applications/ConfigMgr12 in the XenApp console)
Click next –>
Choose a XenApp installed application –>
Choose the command line, click next –>
This wizard is much like the wizard in XenApp, with the same configuration settings and so on. Click Finish.


And here you have all the advanced settings like encryption etc. If you open XenApp AppCenter you can now see the application (this update runs every 10 min, but you can force an update to the XenApp server by running the sync tool that was installed).

So now we can create a deployment type with XenApp.

With the possibilities that come with SP1 (Mac and Linux support) we have loads of options!
Here we can add the newly created Notepad (I fixed the display name before running the wizard).

Click next –> and we can create requirements for this deployment.
I'll write more about this feature as soon as I have the time, with integration of SP1 as well; stay tuned.

NOTE: If you have some issues with the connector you can review the log files found under C:\Program Files\Citrix\XenApp Connector for ConfigMgr 2012\Connector Service\logs
NOTE: A collection consisting of the XenApp servers is also created. Do not edit this; the connector will add all the XenApp servers from the farm automatically.


#citrix, #configuration-manager-2012, #system-center-2012, #xenapp

SCCM 2012 and PKI

This is going to be a huge post, but hopefully someone will find it useful for future reference.
In my previous SCCM 2012 post I showed how to install SCCM, but not how to configure it for encrypted communication.

Out of the box, SCCM traffic goes unencrypted via HTTP, which is clear text. So if someone manages to get inside the LAN and fires up arpspoof or macof (or any other MITM method), they can
read the traffic going back and forth between the clients and the site servers. Therefore I'm going to show you how to install your very own Microsoft PKI infrastructure and how to enroll the different types of certificates that you need in order for SCCM to encrypt traffic.

Before I start, I want to show you how I designed my lab for this demo. This is a fully virtual lab environment; much of the setup I do here is not "best practice", but in order to keep this post readable I wanted to keep it as short as I possibly could. I have excluded much of the setup regarding CRL, OCSP and config files (if you are unfamiliar with these terms go to this page).

In my lab I have

1 * SQL Server (running the ConfigMgr site SQL database)
1 * ADCS (Active Directory Certificate Services) server running an Enterprise Subordinate CA (which we are going to install in this post), running Server 2008 R2 Enterprise
1 * ADCS server running a Stand-alone Root CA (also going to be installed in this post), running Server 2008 R2 Enterprise
1 * ConfigMgr server (which was installed in a previous post)

What we are going to start with is the Stand-alone Root CA. This is a server that is not connected to the network (for security reasons, and therefore not domain joined), since we are going to create a trusted root CA which the sub CA is going to use to issue certificates. The reason why I set up a two-tier PKI is that this is the most commonly used setup.

What we do first is install a virtual computer with Server 2008 R2 (or regular 2008). After the server has finished installing, you start by installing the server role ADCS.


Click next and choose Certification Authority


Click next and choose Standalone CA (As you can see Enterprise is unavailable since this server is not a part of a domain )


Click next and choose Root CA,


Click next and choose “Create a new private Key”


Click next, and next again (let it stay at the default on Cryptography). Here it uses the hostname of the server by default; since this was a fresh install and had the gibberish name WIN-i3ou423io, I changed the name to ROOTCA1 (which is the name that will appear on the trusted root certificate).


Click Next, next and Install.
Now after it has finished installing, go to the folder C:\windows\system32\certsrv\certenroll
There you will now have 2 files.

1 .crt file (which is the trusted root certificate)
1 .crl file (which is the Certificate Revocation List, basically a list of all the certificates that have been revoked)

Now we have to export these files and import them on the subordinate server, so we have to install that first before we can continue. After it is installed, open a PowerShell prompt as a domain admin and run the following commands (filename.crt and ROOTCA1.crl are the two files copied from the root CA's certenroll folder).

certutil -dspublish -f filename.crt RootCA

certutil -addstore -f root filename.crt
certutil -addstore -f root ROOTCA1.crl

The first command places the root CA public certificate into the Configuration container of Active Directory. Doing so allows domain client computers to automatically trust the root CA certificate and there is no additional need to distribute that certificate in Group Policy. The second and third commands place the root CA certificate and CRL into the local store of the SUBCA. This provides SUBCA immediate trust of root CA public certificate and knowledge of the root CA CRL. SUBCA could obtain the certificate from Group Policy and the CRL from the CDP location, but publishing these two items to the local store on SUBCA is helpful to speed the configuration of SUBCA as a subordinate CA.

If you open the local certificate store on the server, you can see that the Root CA certificate and the Root CA CRL are in the local store.



Now we can continue with the Sub-ordinate install ADCS.
The Setup is basically the same,


Instead we choose Enterprise CA, click next.


Choose Subordinate CA, click next.


Here we choose "Save a certificate request to file" and choose a location. We need to copy this file over to the Root CA and issue a certificate in order to make the CA operational.
Click Next, and install. After you have finished installing, copy the file to the Root CA. Open a command prompt or PowerShell (ON THE ROOT CA) and type the command
certreq -submit F:\APP1.corp.contoso.com_corp-App1-CA.req (remember to change the file name to match the one you have)

After you have done that, open the Certification Authority  MMC, Expand  and then click Pending Requests.

Choose the certificate and click "Issue". Now we have to copy the certificate back to a removable drive.
Open a PowerShell prompt and run the command certreq -retrieve <RequestId> F:\filename.crt

You can see the Request ID in the Issued Certificates tab.
Press Enter, choose ROOTCA1 from the list and click OK.

This command will copy the certificate of the server + the root CA certificate and CRL.
(If not, go to Windows\System32\certsrv and copy the other files as well)

After you have copied the files to a removable drive you can turn off the Root CA, as it is no longer needed.

Now back to the Subordinate CA, open the Certification Authority mmc. Right click on the server click All Tasks, and then click Install CA Certificate.

In the Select file to complete CA installation dialog, set the file type to X.509 Certificate (*.cer; *.crt), navigate to the removable media and select hostname.crt. Click Open; now that we've imported the certificate we can start the service.


Now what did we actually do here?
First we set up the Root CA, which is the center of trust in this case (Tier 1). We created an Enterprise Root Certificate, and we exported the Enterprise Root CA certificate to Active Directory and to the Subordinate CA. Then we installed a subordinate CA, made a certificate request, imported that to the Root CA and issued the request. What it basically does is that the sub CA says to the root "I have a request, I wish to issue certificates" and then the
Root CA says to the subordinate "I trust you, here is your certificate, so now you can issue certificates on my behalf".
Since all the domain computers get the Root CA certificate in their Trusted Root Certification Authorities store, they will automatically trust all the certificates that the Subordinate CA issues in the domain.
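The trust relationship just described can be checked on the subordinate CA instead of taken on faith: the root must be in the machine's Trusted Root store, the sub CA's own certificate must be a CA certificate issued by that root, and a chain must build from one to the other. The script below is an added example, not part of the original post; it assumes the root was named ROOTCA1 as above and that the sub CA certificate sits in the machine Personal store. Revocation is checked in Offline mode because the root is powered off and its CDP can never be reached, so only the CRL imported with certutil -addstore counts.

```powershell
# Added example, not from the original post. Run on the subordinate CA after
# "Install CA Certificate" and the service start.
function Test-SubordinateCAChain {
    param([string]$RootName = 'ROOTCA1')   # name chosen for the root in the post

    # 1. The offline root must be in LocalMachine\Root (what "certutil -addstore -f root" did).
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$RootName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $root) {
        return New-Object PSObject -Property @{ Result = 'FAIL'; Detail = "$RootName is not in LocalMachine\Root" }
    }

    # 2. The sub CA certificate: CA=true in BasicConstraints, issued by the root, private key present.
    $sub = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -eq $root.Subject -and $_.HasPrivateKey } |
        Where-Object {
            $bc = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            $bc -and $bc.CertificateAuthority
        } | Select-Object -First 1
    if (-not $sub) {
        return New-Object PSObject -Property @{ Result = 'FAIL'; Detail = "no CA certificate issued by $RootName in LocalMachine\My" }
    }

    # 3. Build the trust path with revocation disabled first, so a missing CRL is reported
    #    separately from a broken chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($sub)
    $path = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '

    # 4. Offline revocation uses only CRLs already in the local stores; the root's CDP is unreachable.
    $chain.Reset()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $revocationOk = $chain.Build($sub)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Result       = $(if ($trusted -and $revocationOk) { 'OK' } else { 'CHECK' })
        Path         = $path
        Trusted      = $trusted
        RevocationOk = $revocationOk
        ChainStatus  = $status
        SubCAExpires = $sub.NotAfter
    }
}

Test-SubordinateCAChain | Format-List
```

A Trusted=True but RevocationOk=False result with a RevocationStatusUnknown status usually means the root CRL was never imported, or has expired, which will become a problem later when clients validate the sub CA's certificates.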

Hopefully that made some sense.
Now we are done with the PKI setup, now we have to start with the SCCM part of the certificates.
What kind of certificates do SCCM need ?

In this demo we are going to create two templates that will be automatically deployed via AD.

  • ConfigMgr Client Certificate

By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.
With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.

  • ConfigMgr Web Server Certificate

This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).

You can see the entire list here.

Let's start with the client certificate.
On the subordinate CA, open the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

Right-click the entry that displays Workstation Authentication in the Template Display Name column, and then click Duplicate Template.


In the Duplicate Template ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. (2008 Server is not supported by ConfigMgr 2012)

In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.

Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Auto enroll. Do not clear Enroll (This gives domain computers the permission to get this certificate)


Click Ok, and close the Console.

Now back to the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Certificate, and then click OK.


Next we need to create a group policy that allows the clients in the domain to do auto enrollment.

Open the group policy management console, and create a new group policy object.

In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies

Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.

From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK.


Then close the Group Policy Management Console.

If you have a client computer in the domain, reboot it. When the client has finished booting it will check its policy and:
1: See that it has auto-enrollment enabled
2: See which certificates it has access to (since we added Domain Computers to the ConfigMgr Client Certificate template, it will automatically fetch a certificate from the subordinate CA)

You can double check this by opening the local certificate store on the client computer.


Now we need to repeat this for creating a certificate template for the Configmgr server roles.
Follow the same steps as before, but there are some other changes.
Instead of the Workstation template, choose the Webserver template and choose duplicate template.

Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.

Click the Subject Name tab, and make sure that Supply in the request is selected.

Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. Click Add, enter the name of the ConfigMgr computer account in the text box, and then click OK. Select the Enroll permission for this group or computer account, and do not clear the Read permission. (This gives the ConfigMgr server the right to enroll for this template.) Then click OK.


In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue

In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Web Server Certificate, and then click OK.

Now head over to the ConfigMgr server.

Open the local Certificate Store on the server, select computer account. Click on the personal store, Right-click Certificates, click All Tasks, and then click Request New Certificate.


On the Before You Begin page, click Next

If you see the Select Certificate Enrollment Policy page, click Next.

On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.


In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.

In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.

On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.


Now the ConfigMgr server will have a certificate available which I can use.
Open IIS Manager, Expand Sites, right-click Default Web Site, and then select Edit Bindings.

Click the https entry, and then click Edit. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificates template, and then click OK. After that is done, close the console.

Since I’ve done this after the SCCM got installed, I have to do some configuration in the console as well. Go to Administration –> Sites –> Right click and choose properties, go to client computer communication –> Choose use HTTPS and import the Root CA crt in the bottom menu.
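Both certificates enrolled above (the auto-enrolled client certificate and the web server certificate requested by hand) are easy to get subtly wrong: a client certificate without the Client Authentication EKU, a web server certificate whose SAN does not carry the FQDN entered in the site system properties, or an IIS binding still pointing at an old certificate. The script below is an added example and not part of the original post; it checks a certificate from a given template for those properties and confirms the 443 binding uses it. It assumes the template display names used in this post, that the machine can resolve the template OID to its display name, and uses sccm01.corp.contoso.com as a placeholder for the FQDN you typed into the SAN.

```powershell
# Added example, not from the original post. Run on a client for the client
# certificate, or on the ConfigMgr site server for the web server certificate.
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Duplicated v2 templates carry the Certificate Template Information extension
    # (OID 1.3.6.1.4.1.311.21.7); Format() renders it as "Template=<name>(<oid>)".
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if (-not $ext) { return $null }
    if ($ext.Format($true) -match 'Template=([^(\r\n]+)') { return $Matches[1].Trim() }
    return $null
}

function Test-ConfigMgrCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$TemplateName,
        [Parameter(Mandatory = $true)][string]$EkuOid,      # 1.3.6.1.5.5.7.3.2 client auth, 1.3.6.1.5.5.7.3.1 server auth
        [string[]]$RequiredDnsNames = @()
    )
    $issues = @()
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { (Get-CertTemplateName $_) -eq $TemplateName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        return New-Object PSObject -Property @{ Template = $TemplateName; Found = $false; Issues = @("no certificate from template '$TemplateName' in LocalMachine\My") }
    }
    if (-not $cert.HasPrivateKey) { $issues += 'private key is missing' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $issues += "expires $($cert.NotAfter)" }

    # Enhanced Key Usage must include the purpose ConfigMgr expects for this role.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $EkuOid) { $issues += "EKU $EkuOid is missing" }

    # The post leaves Subject empty and puts the FQDN in a DNS SAN, so clients match the
    # name against the SAN; a missing name there means TLS name validation fails.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($san) { $sanText = $san.Format($true) }
    foreach ($name in $RequiredDnsNames) {
        if ($sanText -notmatch ('DNS Name=' + [regex]::Escape($name))) { $issues += "SAN lacks DNS name $name" }
    }

    New-Object PSObject -Property @{ Template = $TemplateName; Found = $true; Thumbprint = $cert.Thumbprint; Issues = $issues }
}

function Test-HttpsBindingUsesCert {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Confirms the Edit Bindings step in IIS Manager actually selected this certificate on 443.
    Import-Module WebAdministration
    $bound = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 -and $_.Thumbprint -eq $Thumbprint }
    return [bool]$bound
}

# Client role (run on a client): auto-enrolled template with the Client Authentication EKU
Test-ConfigMgrCertificate -TemplateName 'ConfigMgr Client Certificate' -EkuOid '1.3.6.1.5.5.7.3.2' | Format-List

# Site system role (run on the ConfigMgr server): Server Authentication EKU, SAN and IIS binding
$web = Test-ConfigMgrCertificate -TemplateName 'ConfigMgr Web Server Certificate' -EkuOid '1.3.6.1.5.5.7.3.1' `
    -RequiredDnsNames @('sccm01.corp.contoso.com')   # placeholder FQDN, not from the post
$web | Format-List
if ($web.Found) { Test-HttpsBindingUsesCert -Thumbprint $web.Thumbprint }
```

An empty Issues list plus True from the binding check is the state the rest of this post assumes; anything else explains the client-side errors that appear when a site system is switched to HTTPS too early.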

Now I'm going to install the SCCM client on a new computer and check that it is communicating on port 443. As you can see during the install, the setup looks for a certificate under the Personal store on the computer, and uses that in order to communicate with the site server.

Now if I open the agent on the client I can see that the client certificate field says PKI,

Now if I choose an action like fetch Machine Policy, it should communicate with the site server using HTTPS:
I can also open the Application portal, and it should be using the new certificate.

And voila, there you have it: encrypted communication between client and ConfigMgr site server (Management Point). My next blog will cover the distribution point, which uses a different type of certificate.
If you choose HTTPS mode on the DP after you have completed this demo, you will get some error messages from your client.

#adcs, #certificate, #pki, #sccm-2012, #sccm-and-pki, #system-center-2012

System Center Service Manager, part 1

As part of my System Center blogging spree, I thought I'd go ahead with the setup of SCSM.

For those that don’t know what Service Manager is.
(Service Manager provides an integrated platform for automating and adapting your organization’s IT service management best practices, such as those found in Microsoft Operations Framework (MOF) and Information Technology Infrastructure Library (ITIL). It provides built-in processes for incident and problem resolution, change control, and asset lifecycle management.)

So, WHAT does that mean? Like all other System Center products it has numerous features, many of which will make a lot more sense if you are familiar with ITIL terms. Much is related to

  • Incident and Problem management
  • Change Management
  • Service Request Management
  • Release Management
  • CMDB
  • Data Warehouse reporting

I like the term "learning by doing", so hopefully you can learn a bit from my posts regarding this.

The Service Manager consists of:

Service Manager management server
Contains the main software part of a Service Manager installation. You can use the Service Manager management server to manage incidents, changes, users, and tasks.

Service Manager database
The database that contains Service Manager configuration items (CI) from the IT Enterprise; work items, such as incidents, change requests, and the configuration for the product itself. This is the Service Manager implementation of a Configuration Management Database (CMDB).

Data warehouse management server
The computer that hosts the server piece of the data warehouse.

Data warehouse database
Databases that provide long-term storage of the business data that Service Manager generates. These databases are also used for reporting.

Service Manager console
The user interface (UI) piece that is used by both the help desk analyst and the help desk administrator to perform Service Manager functions, such as incidents, changes, and tasks. This part is installed automatically when you deploy a Service Manager management server. In addition, you can manually install the Service Manager console as a stand-alone part on a computer.

Self-Service Portal
A web-based interface into Service Manager.

So lets continue on with the setup.
NOTE: .NET 3.5.1 is required to install SCSM, so install this using the Add Features wizard.
NOTE: Windows 2008 R2 SP1 is required.


As you can see from the setup, the Management Server and the Data Warehouse server cannot coexist on the same server (so we will have to install the data warehouse components on another server). But we start with the Management Server.

On the first menu, enter your product key or, as in my case, choose trial, and accept the license terms.


Next, choose the installation location.


Then click next, now the setup will run the prerequisites check.
In my case I forgot a bunch of stuff before I could continue.


The Report Viewer is available on the installation media, the other components are available

After you have installed the missing components you can continue on with the setup.
On the next page you have the database setup. Unlike OpsMgr and ConfigMgr, Service Manager doesn't like the default collation SQL_Latin1_General_CP1_CI_AS; if you have a clean database server for this purpose, choose the collation Latin1_General_100_CI_AS (if you are using the default one you will get an error message, but we continue on!)


After you are done entering the info, click next.
Now you have to enter a Management Group name and a management group administrator group.

NOTE: Management group names must be unique. Do not use the same management group name when you deploy a Service Manager management server and a Service Manager data warehouse management server. Furthermore, do not use the management group name that is used for Operations Manager.

Click next, and configure the service account to be used for Service Manager.


On the next page you need to setup the Service Manager Workflow account,


Click next, and choose a setting for the CEIP (whatever you are inclined to choose here, I recommend that you actually choose yes, since Microsoft is actually using the data they gather to make a better product).

The next menu asks whether you want to use Microsoft Update; in my case I have patch management via SCCM, so I choose no.


Click next and you get the summary screen, double-check that everything is correct before you install.
NOTE: It's a pretty small installation, so it will only take a couple of minutes.
NOTE: If setup fails, check the logs under Users\currentuser\appdata\local\temp
NOTE: In the last part of the installation it might say something about importing management packs; don't get confused and mix it up with OpsMgr. This is because Service Manager also uses the term Management Packs.
After installation is complete start the console via the start menu –> Service Manager Console.

This is what the console looks like the first time,


The graphical user interface is similar to ConfigMgr and OpsMgr, and as you can see in the overview, the console lists a whole bunch of objectives that we should complete before we start using Service Manager.
Let's just go through the basics of the console. On the left side we have 4 different options.

Administration –>  

  • Announcements
  • Connectors  
  • Deleted Items
  • Management Packs
  • Notifications
  • Security
  • Service Level Management
  • Settings 
  • Workflows



Library –>

  • Groups
  • Knowledge
  • Lists
  • Queues
  • Runbooks
  • Service Catalog
  • Service Offerings
  • Tasks
  • Templates


Work Items

  • Activity Management
  • Change Management
  • Incident Management
  • Problem Management
  • Release Management
  • Service Request Fulfillment



Configuration Items (Which contains all the CI’s, they typically include Services, hardware, software, buildings, people)

  • Builds
  • Business Services
  • Computers
  • Environments
  • Printers
  • Software
  • Software Updates
  • Users


All these words (Service Management, Configuration Items, Incident Management, Change Management) are directly linked to ITIL & MOF, so they don't make a lot of sense to people who aren't familiar with the ITIL terminology.
But for the sake of this blog, let's go through a quick demo.

The Demo
A user (Bill) is sitting at a computer (Computer1) and is having trouble with a printer (Printer1), and he creates an incident using the portal.

First we have to use the Active Directory connector to sync his User to Service Manager. Go to Administration –> Connectors –> Active Directory Connector.


Give the sync a valid name and a good description:

Choose “Enable this connector” click next –>

Choose the default domain you wish to sync from and choose which account you want to use to sync the information; click Test Connection to see if the user info you entered is valid. Click next –> then import the user and the computer (in my case I created the printer as a CI)


Click next, double-check the summary and click create.

If you go to Configuration Items and choose Users you will now see that Bill appears in the list, and if you choose the Computers menu you will see that Computer1 appears. And I have created the printer manually.




Let's say Bill sends you an e-mail regarding an incident relating to Printer1 on Computer1; then you as an administrator would have to "Create an incident". If it's confusing and you think "Well, ain't that a problem instead of an incident?", well, in terms of ITIL thinking a Problem is one that comprises multiple incidents. Since this is a single event, it is an incident. If a lot of people are having trouble with the printer, well, then it's a problem.

Go to the Work items –> Incident Management –> Create Incident


Next you have a wealth of info that you need to enter,

First we have to enter the user that is affected, a title for the incident with an accurate description, the impact and whether it's urgent or not, and the affected items. The console also keeps track of the time you are spending on the incident.
And you also have to provide an owner of the "incident"; in my case I'm going to give it to my Tier 1 support tech guy, SQLuser.



Click Apply, then OK. Then go back to the "All Incidents" view and you will see the incident that we just created.


When the issue is fixed, we can just click on the incident and change the status to Resolved.
This has been part 1 on SCSM, more to come.

#bestfriends, #collation, #scsm, #service-manager, #service-manager-setup, #specialbond, #system-center-2012

SCOM 2012, part 1 installation

Since I said in my previous post that I'm working on the whole System Center package (and I'm getting tired of blogging about SCCM), I thought I would start a bit on SCOM (Operations Manager).

Much has changed since the previous version, SCOM 2007 R3 CU5 (which I believe was the last release).
A lot of new features have been added, including:

  • SNMP v3 support (the previous versions supported only v1 & v2)
  • More PowerShell cmdlets
  • Removal of the RMS role (which was introduced in 2007), so all servers are now management servers and distribute the load between the MS servers, which gives HA out of the box
  • Agent Control Panel applet
  • More support for network devices and protocols (including CDP and LLDP)
  • More support for web applications (J2EE, .NET)

And remember that SCOM consists of the following:

  • Management Server
  • Operational DB
  • Data Warehouse DB
  • Gateway Server
  • ACS (Audit Collection Services)
  • ACS Database
  • Agent
  • Operations Console
  • Web Console
  • Reporting Server
  • Management Packs

Now that we have covered the basics, we start by installing it.
PS: remember to install .NET Framework 3.5 SP1 (the management server and console also need .NET Framework 4).

When I start the SCOM 2012 setup I get to choose what to install; since I only have one server I choose Management server + Operations console.


Next is the installation location; leave it at the default.


Next the setup verifies that you have the required hardware and software to run OpsMgr.
In my case I had forgotten to update the server to 2008 R2 SP1 and to install the Report Viewer controls.


Those are easy to fix (though I can't see why Microsoft couldn't put the Report Viewer setup on the installation media). After installing SP1 and the Report Viewer controls, run setup again.

Now that's done I can continue with the setup; next you create a management group.
The name must be unique per OpsMgr instance and cannot be changed after installation, so choose a unique name if you run multiple instances.


Click next, accept the license terms.


Then click Next again; now we come to the database setup.
Enter the name of your SQL server and the setup connects to it automatically.
By default it places the database files in the SQL Server default data location (the C:\ drive in my case); change the path here if you want them on another disk (preferably dedicated SAN storage).


Next comes another database page, this time for the Data Warehouse DB; this is the database that Reporting Services uses and where long-term data is kept.


After you are done here, click Next, which brings you to the service account screen.
A little info about the different accounts:

Management server action account (MSAA):
This account is used to carry out actions on monitored computers across a network connection.
Use a dedicated domain account. Many management packs need it to be a local administrator on the monitored computers, but it should never be a domain administrator (setup warns if it is).

System Center Configuration service and System Center Data Access service account:
This is one set of credentials used to read and update information in the operational database. Operations Manager ensures that the credentials used for the Data Access service and Configuration service are assigned the sdk_user role in the operational database.
This can be either a domain account or Local System. If the operational database is hosted on a remote computer that is not a management server, a domain account must be used. For security reasons, don't reuse the MSAA here.

Data Warehouse Write account
The Data Warehouse Write account writes data from the management server to the Reporting data warehouse and reads data from the operational database.
This account is assigned write permissions on the Data Warehouse database and read permissions on the operational database.

Data Reader account
The Data Reader account is used to define which account credentials SQL Server Reporting Services uses to run queries against the Operations Manager reporting data warehouse.
Ensure that the account you plan to use for the Data Reader account has SQL Server logon rights and Management Server logon rights.

After you have created the domain accounts, enter the usernames and passwords and click Next.
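The four accounts above are normally created by hand before running setup. The script below is an added example (not from the original post) that creates them as separate, low-privilege domain users with the ActiveDirectory module from RSAT, and then checks that none of them sits in a privileged group, which is the check setup only performs for the action account. The account names, the OU path and the domain test.local are assumptions.

```powershell
# Added example: create the OpsMgr service accounts and verify they are unprivileged.
# Assumes the ActiveDirectory module (RSAT) and an existing OU; names are assumptions.
Import-Module ActiveDirectory

$ou = 'OU=ServiceAccounts,DC=test,DC=local'   # assumed OU, create it first if missing
$accounts = @{
    'svc-om-action'  = 'OpsMgr management server action account (MSAA)'
    'svc-om-sdk'     = 'OpsMgr Data Access / Configuration service account'
    'svc-om-dwwrite' = 'OpsMgr Data Warehouse write account'
    'svc-om-dwread'  = 'OpsMgr Data Reader (reporting) account'
}

foreach ($name in $accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Host "$name already exists, skipping"
        continue
    }
    $pw = Read-Host -AsSecureString "Password for $name"
    New-ADUser -Name $name -SamAccountName $name -Description $accounts[$name] `
        -Path $ou -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}

# None of the service accounts may be a member of a privileged group. Setup only warns
# about the action account; this checks all four before you type them into the wizard.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($name in $accounts.Keys) {
    $groups = Get-ADPrincipalGroupMembership -Identity $name | Select-Object -ExpandProperty Name
    $bad = $groups | Where-Object { $privileged -contains $_ }
    if ($bad) {
        Write-Warning "$name is a member of $($bad -join ', ') - use a less privileged account"
    } else {
        Write-Host "$name OK (groups: $($groups -join ', '))"
    }
}
```

The MSAA still has to be made a local administrator on the computers it will act on (for example via a restricted group in GPO), and the Data Reader account needs a SQL Server login; the script deliberately grants neither, since both are per-target decisions rather than properties of the account itself.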


Since I chose a domain admin account as my management server action account, I got a warning from the installer that this is not recommended. But as I said before, it's a demo in a closed environment, so no harm there.

Next comes help improvement and error reporting (choose whatever you want here).


Next is Microsoft Update; since we use SCCM for patch management I turned this off.


Click Next and you get the summary screen; double-check the information here, then click Install.
Then the waiting begins. If you want, you can follow the setup logs under C:\Users\(running user)\AppData\Local\SCOM\Logs, in particular OpsMgrSetupWizard.log.
When the setup is finished, tick "Start the console" and close the installer.


Now we are in the console, and OpsMgr tells us there are tasks to do before we can manage and monitor our network. First I want to publish the OpsMgr information to Active Directory so that agents can find which management group and management server they should connect to. (This is optional: we can also type that information in manually under the setup parameters of the agent.)

This step must be performed as a user with Domain Admins rights.
Open the OpsMgr installation media on a domain controller, browse to SUPPORTTOOLS\I386 and run MOMADADMIN from a command prompt. What the tool does is:
create an OperationsManager container under the root of the specified domain;
create a container under that OperationsManager container named after the specified management group;
and within the management group container create two service connection points (SCPs) and one security group.

The syntax is: MomADAdmin ManagementGroupName MOMAdminSecurityGroup RunAsAccount Domain
Example: MomADAdmin MyManagementGroup contoso\MOMAdmin contoso\ActionAccount contoso

So in my instance: MomADAdmin TEST_MG test\MOMadmin test\administrator test

Note though that this only creates the containers in AD; it doesn't add the management servers, so the agents still don't know which server to contact.

Now we go back to the console.

Go into the Administration pane, then Management Servers, right-click the server (which is a management server) and choose Properties.


Next click the Add button under "Auto Agent Assignment".

Now we come to the Agent Assignment and Failover Wizard;
as you can see, it states that MOMADAdmin has to have been run before you can continue with this wizard.


Click Next and select the domain of the computers from the Domain name drop-down list.

Under Select Run As Profile, pick the Run As profile associated with the Run As account that was provided when MOMADAdmin.exe was run for that domain. By default agent assignment is performed with the management server's action account (also referred to as the Active Directory Based Agent Assignment Account). If that is not the account that was used to run MOMADAdmin.exe, select "Use a different account to perform agent assignment in the specified domain" and then select or create the account from the Select Run As Profile drop-down list.


On the Inclusion Criteria page, either type the LDAP query that selects the computers to assign to this management server in the text box, or click Configure to build one.

The following LDAP query returns computers whose name starts with scom: (&(sAMAccountType=805306369)(objectCategory=computer)(cn=scom*))


On the Exclusion Rule page, type the fully qualified domain names (FQDNs) of any computers that you explicitly want to prevent from being managed by this management server.


On the Agent Failover page, either select "Automatically manage failover" and click Create, or select "Manually configure failover".

Remember that it can take up to one hour for the agent assignment settings to propagate in Active Directory Domain Services.
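Two things are worth checking while that propagates: that MOMADAdmin really created the container and SCPs for your management group, and which computers the inclusion query will actually pull in (a filter like cn=scom* is easy to get slightly wrong). The script below is an added example, not from the original post, that does both with .NET DirectoryServices, so it runs on any domain-joined machine without extra modules. It assumes the domain test.local and the management group TEST_MG used above.

```powershell
# Added example: inspect the OperationsManager AD container and preview an inclusion filter.
# Assumes domain test.local and management group TEST_MG (both used in the post above).
$domainDn = 'DC=test,DC=local'
$mgName   = 'TEST_MG'

function Test-OpsMgrAdContainer {
    param([string]$DomainDn, [string]$ManagementGroup)
    $mgPath = "LDAP://CN=$ManagementGroup,CN=OperationsManager,$DomainDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($mgPath)) {
        throw "$mgPath does not exist - run MOMADAdmin for this management group first"
    }
    # MOMADAdmin creates the SCPs; the agent assignment wizard is what later fills them
    # with management server data, which is why agents know nothing until that step.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($mgPath)
    $searcher.Filter = '(objectClass=serviceConnectionPoint)'
    foreach ($p in 'cn', 'distinguishedName') { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll() | ForEach-Object {
        New-Object PSObject -Property @{
            Name = @($_.Properties['cn'])[0]
            DN   = @($_.Properties['distinguishedname'])[0]
        }
    }
}

function Get-AssignmentPreview {
    param([string]$DomainDn, [string]$LdapFilter)
    # Same filter the wizard will use, run against the domain root, so the result is
    # exactly the set of computers this management server will be assigned in AD.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter)
    $searcher.PageSize = 1000   # page through results in large domains
    foreach ($p in 'cn', 'dNSHostName', 'operatingSystem') { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll() | ForEach-Object {
        New-Object PSObject -Property @{
            Name = @($_.Properties['cn'])[0]
            Fqdn = @($_.Properties['dnshostname'])[0]
            OS   = @($_.Properties['operatingsystem'])[0]
        }
    }
}

Test-OpsMgrAdContainer -DomainDn $domainDn -ManagementGroup $mgName | Format-Table Name, DN -AutoSize

# The inclusion query from the wizard text above.
$filter = '(&(sAMAccountType=805306369)(objectCategory=computer)(cn=scom*))'
Get-AssignmentPreview -DomainDn $domainDn -LdapFilter $filter | Format-Table Name, Fqdn, OS -AutoSize
```

Anything listed by the preview that should not be managed by this server belongs on the Exclusion Rule page, by FQDN; anything missing means the filter (or the OU the computer lives in) is wrong, and it is cheaper to find that out here than an hour later when the agents fail to pick up an assignment.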


Since it might take some time, we are going to install the agent manually, but before we can do that we have to change the security settings of the SCOM site,
because by default SCOM rejects manually installed agents. Go to the Administration pane -> Settings,

open Security, and change the value from "Reject new manual agent installations" to "Review new manual agent installations in pending management view", with "Automatically approve new manually installed agents" ticked. Automatic approval is fine for a lab, but note that it means anyone who can run MOMAgent.msi pointed at your management server gets an approved agent; in production leave the box unticked and approve agents from the Pending Management view.


Then click OK. After that is done, go to the server where you want the agent installed and run this command in an elevated command prompt.

Installing the agent:
%windir%\system32\msiexec.exe /i dir\MOMAgent.msi /qn USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP=TEST_MG MANAGEMENT_SERVER_DNS=scom.test.local

NOTE: "dir" here is the agent folder on the SCOM installation media.

NOTE: Active Directory integration is disabled for agents that were pushed from the Operations console. By default it is enabled for agents installed manually with MOMAgent.msi, unless you specify the management group and server explicitly as above.

After the installation it might take some time before the agent appears in the console; when it does, it shows up under Administration -> Device Management -> Agent Managed.


You can also check the Operations Manager Agent control panel applet on the server, which displays the agent's management group and server settings.

And look in the event log under Windows Logs -> Applications and Services Logs -> Operations Manager to see whether any error messages appear.


When it is finished and you have no error messages, go back into the console, Monitoring -> Windows Computers, and you will see the agent reported as Healthy. So it seems the agent is working as it should.
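The manual install and the three checks above (service, applet, event log) can be scripted, which is handy when you are installing the agent on more than one box. The following is an added example, not from the original post, that runs MOMAgent.msi with the same management group and server as the command above plus a verbose MSI log, then verifies the result locally. The media path D:\agent\AMD64 is an assumption; the registry location under HealthService\Parameters is where the agent stores the management group and parent management server it was given.

```powershell
# Added example: manual agent install with logging, followed by local verification.
# Assumed values: media path, management group TEST_MG and server scom.test.local (as above).
$media = 'D:\agent\AMD64'        # assumed: folder on the SCOM media containing MOMAgent.msi
$mg    = 'TEST_MG'
$ms    = 'scom.test.local'

function Install-OpsMgrAgent {
    param([string]$MsiFolder, [string]$ManagementGroup, [string]$ManagementServer)
    $log = Join-Path $env:TEMP 'MOMAgent-install.log'
    # USE_SETTINGS_FROM_AD=0 + USE_MANUALLY_SPECIFIED_SETTINGS=1 make the explicit MG/MS win
    # over whatever is published in AD. ACTIONS_USE_COMPUTER_ACCOUNT=1 keeps Local System as the
    # agent action account, so no domain password has to be put on the command line.
    $msiArgs = @(
        '/i', "`"$MsiFolder\MOMAgent.msi`"", '/qn', '/l*v', "`"$log`"",
        'USE_SETTINGS_FROM_AD=0', 'USE_MANUALLY_SPECIFIED_SETTINGS=1',
        "MANAGEMENT_GROUP=$ManagementGroup", "MANAGEMENT_SERVER_DNS=$ManagementServer",
        'SECURE_PORT=5723', 'ACTIONS_USE_COMPUTER_ACCOUNT=1'
    )
    $p = Start-Process -FilePath "$env:windir\system32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "msiexec exited with $($p.ExitCode); see $log" }
    return $log
}

function Test-OpsMgrAgent {
    param([string]$ManagementGroup)
    # 1. The Health Service must be running.
    $svc = Get-Service -Name HealthService
    Write-Host "HealthService status: $($svc.Status)"

    # 2. The agent must have stored the management group and a parent management server.
    $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\$ManagementGroup\Parent Health Services\0"
    if (-not (Test-Path $reg)) { throw "No parent management server configured for $ManagementGroup" }
    $parent = Get-ItemProperty -Path $reg
    Write-Host "Parent management server: $($parent.NetworkName):$($parent.Port)"

    # 3. No critical/error/warning events in the Operations Manager log since the install.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Operations Manager'; Level = 1, 2, 3; StartTime = (Get-Date).AddMinutes(-15)
    }
    if ($events) {
        $events | Select-Object TimeCreated, Id, ProviderName, Message | Format-List
    } else {
        Write-Host 'No warnings or errors in the Operations Manager log'
    }
    return ($svc.Status -eq 'Running' -and -not $events)
}

Install-OpsMgrAgent -MsiFolder $media -ManagementGroup $mg -ManagementServer $ms
Test-OpsMgrAgent -ManagementGroup $mg
```

If the service is running but the agent never shows up in the console, the event log is the first place to look: a channel or certificate problem is logged on the agent side, while an agent the management server is rejecting (because the security setting above was left at "Reject") is logged on the management server.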


By the way, the server I installed the agent on is a SQL server. Out of the box SCOM contains nothing useful for monitoring SQL Server, so we need to download the SQL Server 2008 management pack in order for SCOM to monitor the server properly.

A management pack is a file that contains the parameters, values, tasks, rules and monitors for a known product; in other words, everything SCOM needs to monitor that product.
Microsoft has a lot of free management packs available for download from its online catalog. (Third-party vendors also publish management packs for their products there, but these usually cost money.)


Next I choose to search the online catalog, and I search for "SQL".
A number of management packs appear, and I choose the SQL Server 2008 MP.



I choose to add all of them and download them to the desktop of my server.


Now that we have downloaded them, we have to import them into OpsMgr.
Go back to the Management Packs pane under Administration, and on the right side click "Import Management Packs".
Browse to the files you downloaded and click Install.


After you've done that, a new view called SQL Server appears under the Monitoring pane (it is part of the MP you imported).


After OpsMgr has updated the database and distributed the new SQL MP to the agent, the server appears here.


As you can see, it appears with a critical alert, but we will go deeper into alerts and rules in a later blog post.
Part 1 done!

#agent, #managent-groups, #opsmgr, #scom, #scom-2012, #setup, #system-center, #system-center-2012

Windows 8, Windows Server 2012

Since I'm not attending MMS this year, I am stuck with watching the keynotes and following Twitter, so I still manage to get the latest news.

Microsoft has today released its System Center 2012 products worldwide,
and has also announced which editions of Windows 8 there will be.

Microsoft has realised that having too many versions of Windows available is confusing for customers, so it stuck with the basics:

Windows 8, Windows 8 Pro, Windows 8 Enterprise and Windows RT (which is Windows for ARM).
As you can see from the feature list,

Windows RT does not support domain join (or x86/x64 software) and therefore does not support group policy and the like. I think that is a bit disappointing, but how else can Microsoft compete with other tablets in the enterprise market on speed, if their tablet needs five minutes to grind through a bunch of policies and scripts at logon?

But I think Microsoft's strategy will be to implement Windows RT-only features in the new ActiveSync protocol that will most likely come with Exchange 2015 (more info coming in September), or that SCCM will get enhanced capabilities for managing Windows RT.

Another thing Microsoft revealed is that Windows 8 Server is now named Windows Server 2012 (no surprises there).

#sccm, #system-center, #system-center-2012, #windows-rt, #windows8, #windowsserver, #windowsserver2012

SCCM 2012, Part 2 configuration

This part covers the basic configuration that makes ConfigMgr 2012 actually work in a domain.
There are a couple of steps we need to do before we can distribute the client across the domain.

First, start the console (usually located on the desktop) and go into the Administration pane.
Then from the left menu select Boundaries, right-click and select Create Boundary.


Since I only have one domain that I want to create a boundary for, I choose Active Directory site from the drop-down menu, click Browse and select
Default-First-Site-Name, and give it a good description.


Click Apply, then OK. You have now created a boundary, but it isn't linked to a ConfigMgr site yet, so it doesn't do anything until we finish the rest.
Next we have to create a boundary group. Go back to Administration -> Hierarchy Configuration -> Boundary Groups, right-click and select Create Boundary Group.
Give it a meaningful name and add the boundary we created in the previous step. Then go to the References tab and tick "Use this boundary group for site assignment".
Then click the Add button below and choose the site server on which you installed ConfigMgr. Click Apply and OK.

If you go back to Boundaries, open the properties of the boundary you created earlier and look at the Boundary Groups tab, you will now see the group listed there.

What you have done now is create a boundary for this site. When a client installs the SCCM agent it queries the site, and the site checks "is this client within my boundary?" It sees that the client belongs to the Active Directory site listed in the boundary, so it is part of the boundary and is allowed to be assigned to this site.
Next we have to enable Active Directory discovery so that ConfigMgr finds our users, groups and computers in AD.
So go to the Administration pane again -> Hierarchy Configuration -> Discovery Methods.
What we are looking for first is Active Directory System Discovery (since we want ConfigMgr to find our computers in the domain).
Right-click Active Directory System Discovery and choose Properties. Tick "Enable Active Directory System Discovery", then click the star (New) button and Browse. Choose the OU where your clients are located, then click OK.
Go to the Polling Schedule tab and change it to 1 day.
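The "is this client within my boundary?" check can be reproduced from the site server, which is a quick way to confirm that a boundary really is in a group used for site assignment (a boundary that belongs to no group is exactly the "doesn't do much" state mentioned above). The script below is an added example and not part of the original post: it reads the boundaries and boundary groups through the SMS Provider WMI namespace and compares them with the AD site of the machine it runs on. The site code P01 is an assumption; replace it with yours.

```powershell
# Added example: list SCCM 2012 boundaries/boundary groups via the SMS Provider and check
# whether this machine's AD site falls inside a boundary used for site assignment.
# Assumed: site code P01; run on the site server (or any host with the SMS Provider).
$siteCode = 'P01'
$ns = "root\SMS\site_$siteCode"

function Get-SiteBoundary {
    param([string]$Namespace)
    # BoundaryType: 0 = IP subnet, 1 = AD site, 2 = IPv6 prefix, 3 = IP address range.
    # GroupCount is how many boundary groups the boundary belongs to; 0 means unused.
    Get-WmiObject -Namespace $Namespace -Class SMS_Boundary |
        Select-Object DisplayName, BoundaryType, Value, GroupCount
}

function Get-SiteBoundaryGroup {
    param([string]$Namespace)
    # DefaultSiteCode is set when "Use this boundary group for site assignment" is ticked.
    Get-WmiObject -Namespace $Namespace -Class SMS_BoundaryGroup |
        Select-Object Name, DefaultSiteCode, MemberCount
}

function Test-ClientInBoundary {
    param([string]$Namespace)
    # The same question a client effectively asks: which AD site am I in, and is that
    # site a boundary that is a member of at least one boundary group?
    $adSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $match = Get-SiteBoundary -Namespace $Namespace |
        Where-Object { $_.BoundaryType -eq 1 -and $_.Value -eq $adSite -and $_.GroupCount -gt 0 }
    if ($match) {
        Write-Host "AD site '$adSite' is covered by boundary '$($match.DisplayName)' (in $($match.GroupCount) group(s))"
        return $true
    }
    Write-Warning "AD site '$adSite' is not covered by any boundary that belongs to a boundary group"
    return $false
}

Get-SiteBoundary -Namespace $ns | Format-Table -AutoSize
Get-SiteBoundaryGroup -Namespace $ns | Format-Table -AutoSize
Test-ClientInBoundary -Namespace $ns
```

A boundary group whose DefaultSiteCode is empty is fine for content location but will not assign clients to the site, which is the other common reason a freshly installed client never gets a site code.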


Click Apply, answer Yes to the "Run discovery as soon as possible?" question and click OK.
Go to the Monitoring pane, then System Status -> Component Status, find SMS_AD_SYSTEM_DISCOVERY_AGENT, right-click and
choose Show Messages -> All. You can see that the discovery has already run and, according to the log, found 3 valid systems.


If we go into the Assets and Compliance pane -> Devices -> All Systems, we find our 3 computers.


Now we could basically just deploy the client to our computers, but there are some other pieces we need to put in place first.
With ConfigMgr 2012 Microsoft labels the product user-centric, meaning we are primarily interested in the user, not so much the computer the user sits at (we are a little interested in that too). The
user behind the computer wants his or her software available on every computer they use. So in order to deploy software to users, we have to import our users from AD into ConfigMgr.
So again we go back to Administration -> Hierarchy Configuration -> Discovery Methods and enable Active Directory User Discovery just as we enabled system discovery. (If you want to deploy software to specific groups, which most people do, enable
Active Directory Group Discovery as well.)

When you have enabled user discovery and the process has run, your users appear under Assets and Compliance -> Users.
If you right-click a user and choose Properties you can see that it was discovery that populated this user into ConfigMgr.


As you can see, it says "SMS_AD_USER_DISCOVERY" under Agent Name.


Now we have done much of the configuration we need. Next we install the other required roles on our site before we start rolling the agent out to the domain. Go to Administration -> Site Configuration -> Servers and Site System Roles, select your primary ConfigMgr server on the right, right-click and select Add Site System Roles.


On the first screen, just leave the defaults. Since this is not an Internet-facing site we don't need to enter an Internet FQDN,
and since the computer account still has administrator access I can leave the installation account at that.


The roles I am going to install now are:
"Application Catalog Web Service Point": the service that the Application Catalog website queries. If you have a large domain I suggest installing two servers with the Application Catalog website and one dedicated web service point.
"Application Catalog Website Point": the self-service portal where users choose the software they want to install.
"Reporting Services Point": provides the link between the ConfigMgr server and the SQL Server Reporting Services server, and installs the default reports.
"Software Update Point": used for patching computers in the SCCM site (requires WSUS 3.0 SP2). It is also required if you want to use Endpoint Protection, which we are going to install later.
So click Next.


If you don't have a proxy server, just click Next here.


Here you have to select which ports WSUS is configured on in IIS: the default website (80/443) or a custom website (8530/8531).
If you are uncertain, open IIS Manager and check the bindings of the WSUS Administration site.
In my case it is a custom website, so I choose that and click Next.

To save a lot of screenshots: it is pretty straightforward from here.

On the next page choose Synchronize from Microsoft Update and click Next. On Synchronization Schedule leave the default, on Supersedence Rules leave the default, and on Classifications choose which kinds of updates you are interested in (critical updates, feature packs, service packs, etc.). On Products, choose only the products you have in your environment or you will end up with a lot of data you don't need. On the Languages page, likewise choose only the languages you use.
Now that we are done with that, we continue to the Reporting Services Point.

The wizard automatically picks the server that hosts the ConfigMgr database, so click Verify.
Under Reporting Services server instance, select the default instance from the drop-down menu.

Then click Next. For the Application Catalog Web Service Point, leave the defaults unless you have a certificate you want to use for HTTPS.


Then click Next; for the Application Catalog Website Point, leave the defaults as well.


Click Next and you can choose a colour theme for the portal and enter a title for it.


Click Next, check the summary and click Finish, and the site system roles get installed.
Now that the roles are installed, let's check that they work as they should.
Start with the reporting service: go into Monitoring -> Reporting -> Reports (it might take a while before the reports appear) and run a random report, e.g. Administration Activity Log.


The report runs fine, so the reporting service appears to be working. I can also double-check that the component is reporting correctly by going into Monitoring -> System Status -> Component Status and checking the


Now on to the Software Update Point: go into Software Library -> Software Updates, right-click All Software Updates and choose Synchronize Software Updates.


As you can see at the bottom, it says Busy, and if you open the Windows Server Update Services console you will see it synchronizing. This can take some time, depending on which products and languages you chose.


While it synchronizes, I check in Component Status that the role installed properly.


It seems to be functioning as it should, and after the sync it looks fine too. Whether it really works can't be tested until we have some clients to test it on.


Now back to the Application Catalog website: I get an error, so I right-click SMS_PORTALWEB_CONTROL_MANAGER and choose Show Messages -> All.



To fix this, run aspnet_regiis.exe -i from c:\windows\\framework\v4.0.30319 in an elevated command prompt, which registers ASP.NET 4 with IIS.
Then I reinstall the Application Catalog Website role on the server and voilà, now it seems to be functioning as it should.


Now open Internet Explorer on the server and browse to http://server/cmapplicationcatalog
Remember that Silverlight must be installed for the catalog to work.


Voilà! I haven't created any applications to make available yet, but you should always build the framework before you create the content.
That is the end of part 2 of this SCCM guide; the next one will focus on client settings, Endpoint Protection, software updates, remote control and how to push the SCCM agent out to the domain.

#configmgr2012, #sccm, #system-center, #system-center-2012