
Windows IT Pro

SCCM Deployment and Maintenance
John Savill

Brought to you by Windows IT Pro

Tech Advisor Windows IT Pro | p. 2

CONTENTS

Microsoft System Center Configuration Manager 2007
    Getting Started
    Configuring the SCCM Server for OS Deployment
    Deploying the OS
    Hands Off

Getting Started with System Center Service Manager 2010
    Background
    Requirements
    Using Service Manager
    The Service Manager Console Up Close
    The Self-Service Portal Up Close
    More Than Just a Ticketing System

Microsoft Releases Free SCCM Dashboard

SCCM Deployment and Maintenance FAQs


Microsoft System Center Configuration Manager 2007


Easy OS deployment
By John Savill

I once had an important client who asked me to install Microsoft System Center Configuration Manager 2007 (SCCM) and configure it to deploy Windows Server 2008 and Windows Server 2003, all within a day. Although I accomplished the task, I hit some bumps along the way. In this article, I share the process I followed, the problems I encountered, and the solutions I employed. Because this is a high-level overview of OS deployment through SCCM, I don't discuss SCCM installation. The article assumes that you already have SCCM 2007 installed, as well as a working knowledge of it.

Getting Started
Before you try to deploy an OS, you need to ensure that your environment is healthy.

Check for errors in your SCCM site systems. Open SCCM and navigate to Site Database, System Status, Site Status. Under the site's name, view the Component Status and Site System Status areas, as Figure 1 shows. If you encounter any problems, view the error messages, then resolve the errors. You can also check C:\Program Files\Microsoft Configuration Manager\Logs to see detailed messages about many of the components.

Make sure you have site boundaries defined. Open SCCM and navigate to Site Database, Site Management. Under the site's name, select Site Settings, Boundaries.

Make sure you have a distribution point and management point enabled. Open SCCM and navigate to Site Database, Site Management. Under the site's name, select Site Settings, Site Systems.

Install Windows Deployment Services (WDS) on the SCCM server that will be the Preboot Execution Environment (PXE) boot point. Don't try to configure WDS directly; SCCM does all the configuration work. Install WDS with zero configuration.

Use the Microsoft Management Console (MMC) DHCP snap-in to authorize the WDS (SCCM) server in Active Directory (AD) for DHCP. Most likely, the SCCM server isn't the DHCP server. However, you shouldn't need to set scope options on the DHCP server to point to SCCM for PXE. If you have multiple networks and your routers are forwarding packets correctly, your clients should be able to receive responses. Alternatively, you can use DHCP option 67 to set your boot image to a value of \SMSBoot\x86\wdsnbp.com and option 66 to your SCCM server's Fully Qualified Domain Name (FQDN) to force DHCP to tell clients the SCCM server.

Create a standard AD user account for the network access account. Open SCCM and navigate to Site Database, Site Management. Under the site's name, select Site Settings, Client Agents, Computer Client Agent. Configure the account in the Computer Client Agent Properties dialog box, as Figure 2 shows. Make sure the account is a local administrator account on the SCCM server, or at least give the account rights to the smspxeimages$ share and make it a member of the SMSAdmins group. Otherwise, when clients boot from PXE they won't have permission to read the Windows Preinstallation Environment (WinPE) files from the share. For more information about best practices for the network access account, see the Microsoft article About the Network Access Account.

For more OS deployment tips, see the Microsoft Operating System Deployment Checklists website.

Figure 1: Checking for errors in SCCM site systems


Figure 2: Creating an AD user account for the network access account

Configuring the SCCM Server for OS Deployment

The first step in OS deployment is to prepare the server for the OS images.

1. Create a folder and share to store the Windows Imaging Format (WIM) files. Copy the files into this folder, giving them useful names (e.g., vistasp1x86.wim rather than install.wim).
2. Import the WIM files from the share into the Operating System Deployment portion of the SCCM management console. Note that by default, if you import a WIM file that has multiple images in it, SCCM uses the name of the first image (e.g., Windows Vista Business) to name the entire group of imported images. A better alternative is to use a more meaningful name, such as Windows Vista SP1 x86.
3. Add a distribution share for the new images.
4. Add a PXE distribution point for each of the boot images. (By default, SCCM already has the boot images for x86 and x64 that contain the WinPE environment; however, no distribution points are assigned to these images.)
5. Enable PXE boot capability on the SCCM server. Open SCCM and navigate to Site Database, Site Management. Under the site's name, select Site Settings, Site Systems, PXE Service Point. Then, enable the PXE site role to open various ports in your firewall.

Although SCCM 2007 R2 can deploy OSs to unknown computers, I recommend deploying only to computers for which you have the MAC address. Deploying to an unknown computer can result in SCCM wiping and reinstalling the computer.

In my case, I was deploying to a new computer that didn't have an AD account and wasn't known to SCCM. Therefore, I needed to create an SCCM record and add the computer to a collection. Open SCCM and navigate to Site Database, Computer Management, Operating System Deployment, Computer Associations, Import Computer. Select Manual and enter the computer name and MAC address. Force an update of the All Systems collection (by first selecting the Rebuild action, then the Refresh action) to display the new computer.

Next, you need to create a collection where you can target your OS deployments. Create a collection called OSDeployment, and use a static rule to add to the collection any computers that need the OS. (If you're just doing initial testing and need a controlled environment, add only your test machines.) Another option for bulk deployments is to create dynamic collections with membership based on attributes such as existing OS and computer locations.

Finally, create an application package as follows, so you can actually deploy the SCCM client to new installations.

1. Navigate to Site Database, Computer Management, Software Distribution, Packages, New Package.
2. Configure the package so that it has source files. The source should be \\sccmserver\sms_site code\Client.
3. Select the options Always obtain files from a source directory and Access distribution folder through common ConfigMgr package share. Accept all the other default settings.
4. Create a program under the package. Set the value for the command line as ccmsetup.exe.
5. Under Requirements, select Run on any platform.
6. Under Environment, set the Program can run option to Whether or not a user is logged on, and set the Drive mode option to Runs with UNC name.
7. Make sure all the advanced options are unchecked.
8. Add a distribution point.

Next, you need to create a task sequence to deploy the OS and SCCM client package. (For more information about deploying images, see the Microsoft TechNet article How to Deploy Operating System Images to a Computer; for more information about creating a task sequence, see How to Create a Task Sequence to Install an Existing Operating System Image Package.)


1. Navigate to Site Database, Computer Management, Operating System Deployment, Task Sequences.
2. Select Install an existing image package.
3. Enter a name for the task sequence and select the option Boot image matching OS deploy type. (Alternatively, you can select the x86 option, which covers both x86 and x64 architectures.)
4. Specify the OS image, partitioning, product key, licensing, and administrator password action, as Figure 3 shows.
5. Continue through the options for configuring the workgroup and domain to join.
6. Under Install ConfigMgr, select the package you created for the SCCM client.
7. Click through the rest of the screens. Note that you can configure patch and application deployments and can later change these settings through Task Sequences.

Next, advertise the task sequence to the collection you created, by adding a mandatory advertisement. In my case, I wanted the advertisement to take place immediately because I had a controlled test collection. In a live environment, you might want to set a certain time to start the advertisement. You could advertise to the unknown computers collection, to allow OS deployment on unknown computers. However, you should be careful doing this, as I discussed previously. In fact, you should be careful with this advertisement in general, because if you create the advertisement to the wrong collection of computers, you could end up rebuilding all the computers in your company.
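A pre-flight check for the risk described above, added here as an illustration and not code from the original article: it rejects a target collection that is the built-in All Systems collection (SMS00001), is larger than expected, or contains a machine whose MAC address is not on an approved list. The function names, the ABC collection IDs, the computer names and the MAC addresses are constructed for the example.

```powershell
# Added example (not from the original article): run before creating a
# mandatory OS deployment advertisement. All IDs, names and MAC addresses
# below are constructed sample data.

function ConvertTo-NormalizedMac {
    param([string] $Mac)
    # Accept 00-15-5d-.. or 00:15:5D:.. and compare in one canonical form.
    return ($Mac.Trim().ToUpper() -replace '-', ':')
}

function Test-OsdTargetCollection {
    param(
        [Parameter(Mandatory = $true)] [string] $CollectionId,
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Members,
        [Parameter(Mandatory = $true)] [string[]] $ApprovedMacs,
        [int] $MaxMembers = 10
    )

    $problems = @()
    $approved = @($ApprovedMacs | ForEach-Object { ConvertTo-NormalizedMac $_ })

    # SMS00001 is the built-in All Systems collection: never a valid rebuild target.
    if ($CollectionId -eq 'SMS00001') {
        $problems += 'Target is the All Systems collection (SMS00001).'
    }
    if ($Members.Count -gt $MaxMembers) {
        $problems += "Collection has $($Members.Count) members; limit is $MaxMembers."
    }

    # Every member must own at least one approved MAC address.
    $present = @()
    foreach ($member in $Members) {
        $macs = @($member.MACAddresses | ForEach-Object { ConvertTo-NormalizedMac $_ })
        $present += $macs
        if (-not ($macs | Where-Object { $approved -contains $_ })) {
            $problems += "Unexpected member: $($member.Name) [$($macs -join ', ')]"
        }
    }

    [pscustomobject]@{
        CollectionId   = $CollectionId
        MemberCount    = $Members.Count
        Safe           = ($problems.Count -eq 0)
        Problems       = $problems
        # Approved machines that have not been imported into the collection yet.
        NotYetImported = @($approved | Where-Object { $present -notcontains $_ })
    }
}

# --- Constructed sample input -------------------------------------------------
# On a site server, $Members would instead be built from the collection's
# membership in the SMS Provider (SMS_FullCollectionMembership joined to
# SMS_R_System for the MACAddresses property); that query is not shown here.
$approvedMacs = @('00-15-5D-00-0A-01', '00-15-5D-00-0A-02')

$testCollection = @(
    [pscustomobject]@{ Name = 'OSD-TEST01'; MACAddresses = @('00:15:5D:00:0A:01') }
    [pscustomobject]@{ Name = 'OSD-TEST02'; MACAddresses = @('00:15:5d:00:0a:02') }
)
$wrongCollection = $testCollection + @(
    [pscustomobject]@{ Name = 'FILESRV01'; MACAddresses = @('00:15:5D:00:0B:77') }
)

$cases = @(
    @{ Id = 'ABC00012'; Members = $testCollection },
    @{ Id = 'ABC00013'; Members = $wrongCollection }
)
foreach ($case in $cases) {
    $result = Test-OsdTargetCollection -CollectionId $case.Id `
        -Members $case.Members -ApprovedMacs $approvedMacs
    if ($result.Safe) {
        '{0}: OK to advertise ({1} members)' -f $result.CollectionId, $result.MemberCount
    } else {
        '{0}: BLOCKED - {1}' -f $result.CollectionId, ($result.Problems -join '; ')
    }
}
```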

Figure 3: Configuring task sequence options

Deploying the OS
If you configured everything correctly, your test machine will boot over the network and install the OS when you turn it on. Although I used a Vista image for illustration purposes, you can use any OS for which you have a WIM. I later prepared a Windows Server 2003 WIM for the client by installing Server 2003 on a virtual machine (VM). I patched the Server 2003 installation, making sure not to install virtual additions. I downloaded the correct version of Sysprep, ran Sysprep with the /generalize, /oobe, /shutdown, and /reseal switches, then booted into WinPE and captured a WIM file. I then imported the WIM file in SCCM and followed the steps I outline in this article. If you encounter problems, view SCCM's message and log files for help. Additional troubleshooting tips include the following:

By default, the disk formatting portion of the OS deployment is quite slow. To improve the speed, you can change the disk partition to the format and partition option, which has a fast format option. Add the rule to prevent formatting of the disk if a cache exists that SCCM created by default, as Figure 4 shows.

Figure 4: Preventing disk formatting

If you have a problem with PXE, open the collection and clear the last PXE advertisement, as Figure 5 shows. You can then retest the computer with the full advertisement.

Figure 5: Clearing the PXE advertisement


If you have a problem with WinPE, try enabling the command prompt in the boot images. Navigate to Site Database, Computer Management, Operating System Deployment, Boot Images, then right-click the boot image and select Properties. On the Windows PE tab, select the Enable command support option. After you update the boot images, be sure to refresh their distribution points. If WinPE fails to partition or format the disk, use the DiskPart utility (diskpart.exe) to partition and format the disk from the command line, then try deploying the OS again. This action will create the log file smsts.log, which will store failure information. I initially had problems accessing the SMSPXEIMAGES$ share, because the network access account lacked permission. When I tried to use the Net Use command on the \\sccm server\SMSPXEIMAGES$ share, the command failed.

Hands Off
Now that you have an environment capable of deploying an OS contained in a WIM file, you can build on it to perform more automated OS configuration, services and application deployment, patch deployment, and driver deployment. Once SCCM is fully configured, you have a complete zero-touch deployment solution.


Getting Started with System Center Service Manager 2010


Drive the implementation of four complementary concepts: standardization, compliance, automation, and self-service
By John Savill

System Center Service Manager 2010 is a mystery to most people. Is it a ticketing system? Is it a change management system? Is it a workflow engine? It's all of these and more. In most organizations, IT operations are trying to reduce costs, improve the end-user experience, deliver services faster, and achieve better reporting and data sharing to meet internal and regulatory compliance requirements. To help meet these goals, Service Manager drives the implementation of four key concepts: standardization, compliance, automation, and self-service. These concepts complement each other. If you want to have compliant systems, you need to standardize the environment and the easiest way to standardize is through automating processes. Automation is the key to enabling self-service for end users and facilitates users triggering a certain workflow, which is completed without further human intervention unless desired.

Before looking at Service Manager in detail, it's important to understand that it's built around key IT Infrastructure Library (ITIL) concepts. Although not required, I recommend gaining a basic understanding of the ITIL fundamentals before implementing Service Manager. Right now, I'll just focus on a few key ITIL terms you'll need to know:

Incident management: An incident is an event that isn't part of standard operations and might impact service delivery. The incident management process returns service to normal as quickly as possible, minimizing the incident's impact. A user or system reports (i.e., raises) incidents. The incident might lead to a change request or problem ticket.

Change management: The change management process ensures standard methods and procedures are used for any change activity. Change requests are managed through the change management process.

Problem management: The problem management process identifies the causes of incidents and prevents recurrences of the issue.

Configuration items: A configuration item is ITIL's term for an object, such as a computer or user.

Work items: A work item is ITIL's term for something that needs some work performed, such as an incident, change request, or problem.

Now that you're familiar with the terms used in Service Manager, let's look at what it is, what you need to deploy it, and how to use it.

Background
Service Manager's power comes from its configuration management database (CMDB) and its integration with other IT systems. CMDB links to IT systems and stores information about them. Service Manager provides various portals and workflows to access the information in CMDB. Out of the box, Service Manager integrates with Active Directory (AD), System Center Operations Manager, and System Center Configuration Manager (SCCM), which gives Service Manager knowledge about your systems, people, hardware, and software. You can also integrate Service Manager with other products in the System Center family (e.g., Opalis) and Microsoft Exchange. Plus, you can use PowerShell to connect to third-party systems. Figure 1 shows Service Manager's complete architecture and integration.

Figure 1: Service Manager's main component


Integrating with other systems is great for collecting information and reporting, and a whole lot more. A powerful workflow engine lets Service Manager initiate complex sequences of actions on connected systems across multiple platforms. The actions can be initiated by users through web-based portals or in response to alerts generated by connected systems. Here are some examples:

If Operations Manager triggers an alert, Service Manager can automatically generate an incident, then follow a predefined workflow. The workflow might entail a number of steps, such as notifying groups by email about the alert, requesting input from an analyst, and using SCCM to perform an action. You can automate as little or as much as you want. More automation means better standardization, less administrator overhead, and better compliance with requirements. Even if automation isn't used, you can use the Service Manager console to manage Operations Manager alerts and see information related to the incident. Being able to obtain information from all the management systems (e.g., AD, SCCM) rather than just the information from Operations Manager might expose details that will aid in the resolution of the incident.

When Service Manager is integrated with SCCM, all of the inventory and packaged application information is available to Service Manager. Thus, you can implement workflows that allow users to access the Service Manager self-service portal to request a software installation. Users are presented with a software list that's automatically populated using the inventory and packaged application information in SCCM. If a user selects software that requires a license, Service Manager can send an email to the user's manager, asking him or her to approve the software installation. Once approved, the Service Manager workflow adds the user or the user's primary computer (which is known based on SCCM asset intelligence) to an SCCM collection (i.e., a group of defined computers in SCCM that are used as the targets of deployments) to facilitate the installation of the software.

SCCM has a great feature named Desired Configuration Management. It allows a baseline to be created on how a system should look, which can be defined in terms of files, registry settings, software packages, and configurations. The baseline enables standardization and compliance on applied systems. If a system deviates from the baseline, SCCM reports on this deviation. However, it doesn't take action to make the system compliant with the desired state. Service Manager fills this gap. For instance, when a machine falls out of the desired configuration, Service Manager can create an incident, which triggers workflows that will make the machine compliant again. Making the machine compliant is typically achieved by interacting with SCCM to re-install software or reset configurations.

Requirements
Before I go any further, I want to talk about the servers and software you'll need to implement Service Manager. To begin, you'll need at least two Service Manager servers, which can be physical or virtual. The Service Manager servers take on different roles: One becomes the Service Manager management server, and the other becomes the data warehouse management server. Both servers require the 64-bit version of Windows Server 2008 SP1 or later.

The Service Manager management server is Service Manager's brain. It manages connections, manages the integration with other systems, executes workflows, and performs any other action that's required. This server has its own database, which must be hosted on the 64-bit version of SQL Server 2008 SP1 or later. Typically, a Service Manager management server can handle around 80 concurrent active console sessions. To handle more active console sessions, you can add additional servers to form a Service Manager management group. The servers in the group can share the same database.

The data warehouse management server houses and manages the data warehouse, which consists of three databases hosted on the 64-bit version of SQL Server 2008 SP1 or later. The data warehouse is used for the long-term archival of the information that Service Manager generates or gathers. In addition, all reports are run against the data warehouse. After you create the data warehouse management server, you connect it to the Service Manager management server to enable the transfer of data into the data warehouse and establish the link to the Service Manager console.

Service Manager uses SQL Server Reporting Services (SSRS) for reports. SSRS typically runs on the data warehouse management server, but this doesn't have to be the case. Reports can be run from the Service Manager console or through the browser-accessible SSRS interface.

In test environments, the data warehouse management server doesn't have to be running all the time. You can run it once a day to trigger the jobs that pull data from the Service Manager database into the data warehouse and when you want to run reports. When data is pulled into the data warehouse, it isn't deleted from the Service Manager database because that data is needed for other Service Manager operations. Grooming processes run periodically on the Service Manager database, deleting data based on the status of the work items and the date and time of the last modification.

You can find detailed instructions for installing Service Manager in the System Center Service Manager 2010 SP1 Deployment Guide (http://technet.microsoft.com/en-us/library/ff460909.aspx).

Using Service Manager


There are three main types of Service Manager users:

Service Manager architects and administrators. They design and implement the Service Manager installation, customize workflows and forms, and manage Service Manager's integration with other systems in the IT infrastructure.

Analysts. They use Service Manager to manage and work on incidents and change requests. They often work in the IT department or man Help desks. Sometimes they're managers or HR staff members who need to authorize certain types of actions.

End users. They use Service Manager to request software, change their passwords, search the knowledge base (i.e., a collection of articles that can aid in the resolution of incidents and problems), log new incidents, look at announcements, and perform other actions.

Coincidentally, Service Manager provides three UIs out of the box:

Service Manager console. Like the consoles for the other System Center products, the Service Manager console is built on the common Service Manager UI framework and not the Microsoft Management Console (MMC). The big advantages with the Service Manager UI framework are its flexibility and its ability to only show items that a user has permission to access, which gives a much cleaner interface to users who have been granted specific rights to specific groups of objects. The Service Manager console is primarily used by administrators, analysts, and people who run reports.

IIS-based self-service portal. This self-service portal provides two separate websites. The first website is for end users. On this website, end users can search the knowledge base, check the status of change requests, raise new incidents, and more. The second website is for analysts. On it, analysts can approve change requests, view work items assigned to them, and more.

SharePoint-based self-service portal. This portal provides the same functionality as the IIS-based self-service portal. However, it uses SharePoint Web Parts, which enable the Service Manager web interface to integrate with the existing SharePoint infrastructure.

Other interfaces are available, but they're primarily used for custom forms and workflows. You can create custom forms, workflows, and other components with the Service Manager Authoring Tool. To use this tool, you don't need a huge amount of training because it uses drag-and-drop functionality. You can download the Authoring Tool here. For more information about customizing Service Manager, see the System Center Service Manager 2010 SP1 Authoring Guide.

The Service Manager Console Up Close

The easiest way to get a feel for the use and capability of Service Manager is to look at the Service Manager console. As Figure 2 shows, there are six workspaces in the console, which reflect Service Manager's six main functionality areas: Administration, Library, Work Items, Configuration Items, Data Warehouse, and Reporting. Before I highlight the key points in each workspace, I want to point out that in Figure 2 I'm logged on as a full administrator so all the workspaces and options are displayed. If I were running the console as an end user, I would only see the workspaces and options I have permission to access. Role-based access control is a big feature of Service Manager and the rest of the System Center products.


Figure 2: The Service Manager console

Administration. The Administration workspace will be the starting point for any new Service Manager deployment. In it, you can configure Service Manager's integration with other systems, such as AD, SCCM, and Operations Manager. You'll definitely want to connect Service Manager to AD, as this will allow you to import your user, group, printer, and computer objects, along with any attributes you've set for them. Note that the connector to AD is one-way. Thus, if you modify the attributes of configuration items (aka objects) in Service Manager, you also need to change the attributes in AD. Otherwise, the next time AD synchronizes with Service Manager, AD will overwrite the changes you made. You can have Service Manager synchronize with the entire AD namespace or a subset of it (in which case, you specify the types of objects that should be synchronized).

Besides configuring integration, you'll need to assign user roles to users in the Security area of the Administration workspace. By default, there are 11 roles: Activity Implementers, Administrators, Advanced Operators, Change Initiators, End Users, Read-Only Operators, Authors, Problem Analysts, Workflows, Incident Resolvers, and Change Managers. If these roles don't meet your organization's needs, you can create custom user roles.

Another configuration you'll probably want to make is setting the retention times for the data in the Service Manager database. You do this in the Settings area of the Administration workspace. This is also where you configure incident settings. For example, you can attach a prefix to the incident IDs that will be generated, specify how the priority should be calculated for an incident, and set limits for files that users can affix to incidents they raise (e.g., allow only two attachments up to 512KB each).

Making configurations isn't the only thing you can do in the Administration workspace. You can perform a variety of other tasks, such as creating announcements and importing management packs. The Announcement area is where you create announcements that will appear on the self-service portal. You have the option of setting an expiration date, so you don't have to worry about removing announcements once they're no longer valid. Management packs are .xml files that define forms, workflows, classes, views, and reports in Service Manager. When you create a new workflow, for example, you're creating a new management pack. To import that management pack into Service Manager, you use the import functionality in the Administration workspace.

Library. The Library workspace exposes the various configuration data elements of the Service Manager system, which are used throughout the product. For example, all the options shown when creating an incident can be easily changed by modifying the relevant list item, which I'll elaborate on shortly. You can define groups of configuration items, much like you can create containers for objects in AD. The Library workspace's Knowledge area is where you can create and maintain the knowledge base. The knowledge base articles are the primary vehicle for sharing knowledge. When users access the self-service portal, a list of the top knowledge base articles is automatically generated and shown on the start page.

Another key part of the Library workspace is the Lists area. When users create and modify work items, there are often drop-down lists they can use to select the type of problem they're having and what system it's affecting. If you want to change what options are displayed in the drop-down list, you go into the appropriate list and add or remove items, as Figure 3 shows. Figure 4 shows this drop-down list in a form.

Figure 3: The Incident Classification list

Figure 4: The Incident Classification list in a form

Templates are another great feature in the Library workspace. Besides using the self-service portal, users can submit incidents and changes by email or phone. Rather than have the analyst waste time repeatedly typing in the same information and settings, they can quickly apply a template that populates most of the common fields for various types of common requests. Templates can also be automatically applied by workflows to route and classify work items based on certain conditions.

Work items. Analysts often use the Work Items workspace, as it contains the incident, problem, change, and activity items they work on. In each workspace area (e.g., Change Management area, Incident Management area), there are a number of default views. For example, Figure 5 shows the default views for Incident Management (e.g., All Incidents, All Open Incidents, All Open Portal Incidents). On the right, note the tasks pane. Each view includes the tasks that are available for that type of work item. In this case, there are many available tasks for incidents. For example, analysts can change an incident's status, create a change request based on an incident, escalate an incident, and even perform certain tasks to help resolve an incident, such as perform a ping. Any task performed is automatically logged in the incident's history, giving a full account of the actions taken and progress made. By default, end users can see the history for the incidents they create. However, analysts have the option to mark certain items in the history (e.g., comments) as private so they won't be visible to end users. Analysts also have the ability to create custom views.

Figure 5: The Incident Management default views

Configuration items. The Configuration Items workspace gives you access to the computers, printers, users, software, software updates, business services, and any other type of defined or imported configuration item within your organization. In most environments, there isn't a lot of manual management of configuration items in Service Manager. Instead, the configuration items are managed through their respective connected systems (e.g., AD, SCCM, Operations Manager). The Configuration Items workspace doesn't provide a dumb view of the configuration items replicated from different sources. Because the configuration items from the connected systems are consolidated in CMDB, relationships are ascertained. So, when you examine a configuration item in the workspace, you'll see AD, SCCM, and Operations Manager information about that item as a single entity, which helps with analyses. For example, if you're examining a software package, you'll see any related change requests or incidents that involved that piece of software.


Data warehouse. In the Data Warehouse workspace, you perform the tasks that relate to populating, managing, and securing the data warehouse management server.

Reporting. The Reporting workspace exposes all the available reports, which actually run on the SSRS instance. You can also run the reports directly on the SSRS instance, as Figure 6 shows. You can create your own custom reports and display them in the Reporting workspace by following the instructions in the SCSM Engineering Team blog, How to create a custom report and display it in the console.

Figure 6: Service Manager reporting on the SSRS instance

The Self-Service Portal Up Close

End users and analysts interact with Service Manager through the self-service portal. On the end user website, end users can easily raise an incident, request new software, and request other types of changes. Once submitted, they can use the portal to easily see the state of all their open and resolved incidents and requests. The ability for end users to self-resolve problems by searching for known issues in the knowledge base can cut down on the number of incidents the users actually raise, reducing the overhead for the Help desk team. On the analyst website, analysts can view and manage the incidents and change requests assigned to them. This site could also be used by managers who need to approve a change for an employee or sign-off on a document. Figure 7 shows the IIS-based portal out of the box, with no changes made to it. The source code for the self-service portal is available, so you can customize the look, feel, and functionality of it. For more information on the customizations possible, see Service Manager Portal Source Code Released!

Figure 7: IIS-based self-service portal

As I previously mentioned, if you use SharePoint, you don't need to use the IIS-hosted portal. Instead, you can use the SharePoint-based portal. You can even place Service Manager Web Parts on users' My Sites to give them easy access to Service Manager information.

More Than Just a Ticketing System


It's important not to think of Service Manager as a ticketing system. Yes, it has great ticket-management features, but its true power lies in its integration with the rest of the IT infrastructure and in the CMDB, which enables workflows to get separate systems working together. Although Service Manager is in its first released version, it already has a rich partner network, including a key partnership with Provance, which adds asset-management capabilities to Service Manager. I've spoken to a number of Service Manager adopters, and the common message from all of them is just how quickly they were able to achieve great results. The SCSM Engineering Team Blog has been instrumental in a number of successful Service Manager rollouts and has a lot of great content about implementing Service Manager.


Microsoft Releases Free SCCM Dashboard


If you use System Center Configuration Manager, it might be worth your time to check out the Microsoft System Center Configuration Manager 2007 Dashboard, now available as a free download. From Microsoft's site, the key benefits of the dashboard are:

Actionable information out of the box. The dashboard comes with valuable, built-in datasets that IT managers can access without using the Configuration Manager console.

Centralized, near-real-time access to key information. The graphical dashboard lets customers view any Configuration Manager data set in near-real time, without leaving their desk.

Easy to build and configure. The dashboard's wizard-based tools let customers easily create new dashboards in minutes.

Easy to customize. The dashboard can easily be customized to meet the needs of different departments and other groups. Any data set in the Configuration Manager database can be presented on the dashboard, in chart, gauge, and table formats.

Flexible & interactive. Users can easily filter data and create ad hoc, custom views. Filters allow users to quickly drill down from high-level to more specific data.

Check the announcement in Microsoft IT Pro Evangelist Kevin Remde's blog for more information, or just go to the dashboard's site to read more or download it.


SCCM Deployment and Maintenance FAQs


Q. How do I allow System Center Configuration Manager (SCCM) to deploy Microsoft Application Virtualization (App-V) virtualized applications?
A. SCCM 2007 R2 adds support for delivering App-V virtualized applications. To enable this deployment, you need to make the following changes:

1. Launch the Configuration Manager Console.
2. Navigate to Site Database, Site Management, <Site>, Site Settings, Client Agents.
3. Right-click Advertised Programs Client Agent and select Properties.
4. Under the General tab, select Allow virtual application package advertisement and click OK.
5. Navigate to Site Database, Site Management, <Site>, Site Settings, Site Systems, <Site Server>.
6. Right-click ConfigMgr distribution point and select Properties.
7. Make sure Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS is enabled on the General tab.
8. Select the Virtual Applications tab in the same dialog and select Enable virtual application streaming. Click OK.

You can now deploy applications using Computer Management, Software Distribution, Packages, New, Virtual Application Package. Select the XML manifest from the generated virtual application package.

Q. How can I check the value of Microsoft System Center Configuration Manager 2007 (SCCM) task sequence variables during a deployment?
A. Assuming the boot image has enabled command line support during the Windows Preinstallation Environment (WinPE) boot, you can press F8 then run commands to view variables. I created the following script to view the _SMSTSInWinPE and _SMSTSLaunchMode variables in a test environment.

    ' Show two task sequence variables from the running task sequence
    Dim env : Set env = CreateObject("Microsoft.SMS.TSEnvironment")
    WScript.Echo env("_SMSTSInWinPE")
    WScript.Echo env("_SMSTSLaunchMode")


I then ran the above script with the command cscript showvar.vbs. If you want to list all TS environment variables, use the following script instead.

    ' List every task sequence variable with its current value
    Dim env : Set env = CreateObject("Microsoft.SMS.TSEnvironment")
    For Each envVar In env.GetVariables
        WScript.Echo envVar & " = " & env(envVar)
    Next

Q. I'm trying to use remote tools from System Center Configuration Manager (SCCM) 2007 but I get an error when I try to connect. What's wrong?
A. You need several ports open on the clients for SCCM to be able to remotely connect from the SCCM Management Console. The ports and exception rules needed are:

Remote Assistance
Remote Desktop
TCP Port 135 (RPC)
TCP Ports 2701-2702

The best way to enable these exceptions is using Group Policy for the domain-joined machines.

Q. I was using System Center Configuration Manager (SCCM) 2007 for software updates, but I've disabled it. How do I reset the clients to the Windows Update defaults?
A. When a client is configured to use SCCM 2007 for software updates, the policy of the machine is configured with the SCCM software update point as an intranet Microsoft update service location. To undo this, just use Group Policy to set that policy to Not Configured. Navigate to Computer Configuration, Administrative Templates, Windows Components, Windows Update and set Specify intranet Microsoft update service location to Not Configured, as shown below. Windows Update will use the Microsoft servers again.

Q. Where can I get the SCCM Toolkit?
A. The address for the SCCM Toolkit will change over time as newer versions are released. As of this writing, the latest version for SCCM 2007 (version 2) is available here. The easiest way to find it is to use Bing to search for SCCM 2007 Toolkit. If you use SCCM, it's highly recommended that you use this toolkit. One tool you'll use a lot is Trace32, which makes the SCCM logs easy to read. The first time you launch Trace32, it will ask whether it should be used as the default viewer for SCCM logs. I suggest you say Yes, as shown here.

Q. Does SCCM 2007 have to use the default SQL Server instance?
A. Unlike previous versions of SMS, SCCM 2007 lets you specify a named instance during the SCCM 2007 installation. Therefore, SCCM 2007 can use a clustered SQL Server instance without it needing to be the default


Q. Is System Center Configuration Manager 2007 (SCCM) 64-bit compatible?


A. Yes, System Center Configuration Manager 2007 is 32-bit code, but it runs on a 64-bit platform. A native 64-bit version isn't expected until the next major release (not a service pack or R2 release).

Q. Will the next version of System Center Configuration Manager (SCCM) be 32 bit?
A. No. The next version of SCCM will be 64-bit only, except for distribution points, which can still be 32-bit.

Q. How do I update the AD schema with the SCCM 2007 updates?
A. Previously, you had to perform schema changes with SMS from within the SMS installation wizard. Microsoft has changed this procedure in SCCM 2007, based on customer feedback. Now, you perform the AD schema update via the extadsch.exe tool, which you'll find in the SCCM 2007 media's \SMSSETUP\BIN\I386 folder. The only file you need is extadsch.exe, which you can copy to the schema master domain controller (DC). To get the detail about the schema-update process, navigate to the root of the drive where the tool was executed and open the extadsch.log file, which should look like the following:

    Modifying Active Directory Schema - with SMS extensions.
    DS Root:CN=Schema,CN=Configuration,DC=lab,DC=savilltech,DC=net
    Defined attribute cn=MS-SMS-Site-Code.
    Defined attribute cn=mS-SMS-Assignment-Site-Code.
    Defined attribute cn=MS-SMS-Site-Boundaries.
    Defined attribute cn=MS-SMS-Roaming-Boundaries.
    Defined attribute cn=MS-SMS-Default-MP.
    Defined attribute cn=mS-SMS-Device-Management-Point.
    Defined attribute cn=MS-SMS-MP-Name.
    Defined attribute cn=MS-SMS-MP-Address.
    Defined attribute cn=mS-SMS-Health-State.
    Defined attribute cn=mS-SMS-Source-Forest.
    Defined attribute cn=MS-SMS-Ranged-IP-Low.
    Defined attribute cn=MS-SMS-Ranged-IP-High.
    Defined attribute cn=mS-SMS-Version.
    Defined attribute cn=mS-SMS-Capabilities.
    Defined class cn=MS-SMS-Management-Point.
    Defined class cn=MS-SMS-Server-Locator-Point.
    Defined class cn=MS-SMS-Site.
    Defined class cn=MS-SMS-Roaming-Boundary-Range.
    Successfully extended the Active Directory schema.
    Please refer to the SMS documentation for instructions on the manual configuration of access rights in active directory which may still need to be performed. (Although the AD schema has now be extended, AD must be configured to allow each SMS Site security rights to publish in each of their domains.)
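A schema extension is forest-wide, so it is worth confirming from extadsch.log that every definition was written and that the DS Root is the forest you meant to change. The following check is an added example, not part of the original article: the function name Test-ExtadschLog, the sample input, and the C:\extadsch.log path in the final comment are assumptions, and the expected names are the ones listed in the log excerpt.

```powershell
# Added example, not from the article. Expected names are copied from the
# extadsch.log excerpt above. Requires PowerShell 3.0 or later.
$ExpectedAttributes = 'MS-SMS-Site-Code', 'mS-SMS-Assignment-Site-Code',
    'MS-SMS-Site-Boundaries', 'MS-SMS-Roaming-Boundaries', 'MS-SMS-Default-MP',
    'mS-SMS-Device-Management-Point', 'MS-SMS-MP-Name', 'MS-SMS-MP-Address',
    'mS-SMS-Health-State', 'mS-SMS-Source-Forest', 'MS-SMS-Ranged-IP-Low',
    'MS-SMS-Ranged-IP-High', 'mS-SMS-Version', 'mS-SMS-Capabilities'
$ExpectedClasses = 'MS-SMS-Management-Point', 'MS-SMS-Server-Locator-Point',
    'MS-SMS-Site', 'MS-SMS-Roaming-Boundary-Range'

function Test-ExtadschLog {    # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [string]$ExpectedRoot  # schema naming context you intended to extend
    )
    $attrs = @(); $classes = @(); $unknown = @(); $root = $null; $ok = $false
    foreach ($line in $Lines) {
        # Blank lines and the advisory text after the success line carry no status.
        if ($ok -or $line -match '^\s*$') { continue }
        if     ($line -match 'DS Root:\s*(\S+)')                { $root = $Matches[1] }
        elseif ($line -match 'Defined attribute cn=([\w-]+)\.') { $attrs += $Matches[1] }
        elseif ($line -match 'Defined class cn=([\w-]+)\.')     { $classes += $Matches[1] }
        elseif ($line -match 'Successfully extended the Active Directory schema') { $ok = $true }
        elseif ($line -match 'Modifying Active Directory Schema') { }
        else   { $unknown += $line }  # anything else needs a human to read it
    }
    # AD names are case-insensitive, and so is -notcontains.
    $missingAttrs   = @($ExpectedAttributes | Where-Object { $attrs -notcontains $_ })
    $missingClasses = @($ExpectedClasses | Where-Object { $classes -notcontains $_ })
    $rootOk = (-not $ExpectedRoot) -or ($root -eq $ExpectedRoot)
    [pscustomobject]@{
        SchemaRoot        = $root
        RootMatches       = $rootOk
        Success           = $ok
        MissingAttributes = $missingAttrs
        MissingClasses    = $missingClasses
        Unrecognized      = $unknown
        Passed            = ($ok -and $rootOk -and ($unknown.Count -eq 0) -and
                            ($missingAttrs.Count + $missingClasses.Count -eq 0))
    }
}

# Constructed sample: the article's log with the MS-SMS-Site class line left out.
$sample = @('Modifying Active Directory Schema - with SMS extensions.',
            'DS Root:CN=Schema,CN=Configuration,DC=lab,DC=savilltech,DC=net') +
    ($ExpectedAttributes | ForEach-Object { "Defined attribute cn=$_." }) +
    ($ExpectedClasses | Where-Object { $_ -ne 'MS-SMS-Site' } |
        ForEach-Object { "Defined class cn=$_." }) +
    'Successfully extended the Active Directory schema.'

Test-ExtadschLog -Lines $sample `
    -ExpectedRoot 'CN=Schema,CN=Configuration,DC=lab,DC=savilltech,DC=net' | Format-List

# Against a real run (path assumed; the log is written to the root of the drive
# where extadsch.exe was executed):
# Test-ExtadschLog -Lines (Get-Content C:\extadsch.log) -ExpectedRoot '<your schema DN>'
```

On the constructed sample the result reports Passed as False with MS-SMS-Site under MissingClasses. Any line the function does not recognize lands in Unrecognized rather than being silently skipped.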

Q. How can I move a secondary Systems Management Server (SMS)/Microsoft System Center Configuration Manager (SCCM) site to a new primary site?
A. You cannot move a secondary site to a new parent; you can only uninstall, then reinstall the secondary sites. If you do not delete the SMSPKG and SMSPKGx$ folders, you can use the preloadpkgonsite.exe tool that is part of the SMS toolkit to avoid having to resend packages down the network for SMS sites. SCCM has the population capability built-in for packages.

Q. How can I change the organization name that's displayed in OS deployments, software updates, and other places within System Center Configuration Manager (SCCM) 2007?
A. When deployments are performed from SCCM 2007, the organization name is displayed, as shown in this OS deployment.


To set this name, use the Configuration Manager Console and navigate to Site Database (site), Site Management, <site>, Site Settings, Client Agents and select properties of the Computer Client Agent. Select the Customization tab and change the organization name, as shown here.

Q. Does System Center Configuration Manager (SCCM) have to be in native mode to provide zero-touch deployment of OSs?
A. No. Native mode predominantly relates to security, more specifically to the use of certificates. Native mode isn't a requirement for zero-touch OS installation using SCCM.

Q. Can I deploy updates to non-Microsoft applications using System Center Configuration Manager (SCCM)?
A. Microsoft has released System Center Updates Publisher 2011, which lets you deploy and track third party and in-house application updates using SCCM 2007, 2012 Beta 2, or System Center Essentials 2007. Now you can use SCCM to manage updates for all applications within your organization, with the same technologies that have enabled rich update management for Microsoft OSs and applications.

Q. How can I enable the firewall exceptions for deploying the System Center Configuration Manager (SCCM) 2007 client using Group Policy?
A. To deploy the SCCM 2007 client by pushing the client from SCCM, you need the File and Printer Sharing and Windows Management Instrumentation (WMI) firewall exceptions on the clients. Additionally, clients need HTTP/HTTPS exceptions for communication to the SCCM site systems and TCP ports 2701, 2702, and 135 for remote control. Microsoft has a full list available. The easiest way to create these exceptions is to define a Group Policy Object (GPO), as I'll describe here.

1. Create a new GPO.
2. Navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security <LDAP>, Inbound Rules.
3. Select New Rule.
4. Select Predefined then File and Printer Sharing and then click Next.
5. Select all the rules and click Next.
6. Select Allow the connection then click Finish.
7. Repeat the above steps for WMI, World Wide Web Services (HTTP Traffic-In), and World Wide Web Services (HTTPS Traffic-In).
8. For remote control, you need to create a Port rule specifying protocol type TCP and ports 2701, 2702, and 135.

Apply this GPO to your SCCM client computers. Once group policy has refreshed, you should be able to push the SCCM client (providing you've correctly configured SCCM).


Q. I have some general System Center Configuration Manager (SCCM) 2007 R2 OS deployment pains. Any hints?
A. This weekend I configured SCCM 2007 R2 from scratch to deploy a Windows 7 image that would automatically join the domain. I hit a number of fun issues that I wanted to share, and how to resolve them.

1. First, I wanted to change the organization name that's displayed during the OS deployment from IT Organization to something custom. You won't find it under the preinstallation environment, the task sequence or anywhere else. To change the organization name, you have to change the Computer Access Account properties, which you find at Site Database, Site Management, <Site>, Client Agents. Select the Computer Client Agent and the Customization tab to change the name shown.

2. My next problem was that I had to press F12 on the machine where I was installing Windows 7 to select to boot over the network. This is an easy fix: just make sure to set SCCM so that the advertisement of the new OS is mandatory and you won't have to hit F12. You could also rename pxeboot.n12 to pxeboot.com under architecture in the RemoteInstall folder, but this isn't recommended, because if you rename the file it will make the user boot from the network every time the computer turns on. You only want to boot over the network if the user has to, if it's mandatory.

3. I tried to set a custom background, but the image I set was ignored. The problem was that I used a JPG. You have to pass a BMP and it will work fine, as shown here.

Make sure your images are published to the PXE distribution points and not the standard distribution points. Deploy to the \\<PXE Service Point>\SMSPXEIMAGES$ distribution point.

4. Intermittently, clients couldn't boot to the preinstallation environment. I had checked that the previous advertisement had been cleared, but it still didn't work. The SMSPXE.log file showed the following:

    ProcessDatabaseReply: No Advertisement found in Db for device

After some investigation, I found that it was a problem with Windows Deployment Services (WDS). Restarting the WDS Server service from Server Manager solved this problem.

5. My domain join task sequence action was failing. I had specified the default Computers container as the target for the object, but this isn't supported. If you want the object created in the default container, leave the target field blank. You can only specify OUs as valid data.

Q. How do I enable pushing the System Center Configuration Manager (SCCM) 2007 client to discovered systems?
A. By default, SCCM will try to use its own computer account to deploy the SCCM client to systems. However, it's unlikely that this account will be a member of the client's local administrators group, so it's best to configure the account to use for client deployment. Do the following:

1. Navigate to Site Database, Site Management, <site>, Site Settings, Client Installation Methods.
2. Right-click Client Push Installation and select Properties.
3. Do NOT check Enable Client Push Installation to assigned resources. This would automatically deploy the agent to any system discovered that meets the selected system types, such as servers and workstations. (Obviously, if you do want this automatic deployment, then check the option.)
4. Select the Accounts tab.
5. Click New and enter the domain account that has administrative rights on the client, and then its password twice.


Note that you can specify multiple accounts and set the order in which they should be used. SCCM will go down the list in order until it finds an account with administrative rights on the client. If no accounts are listed or none of them work, the SCCM computer account will be used. Take care which account you use, because you don't really want to use the main domain administrator account. You just need an account that has administrator rights on the target systems, which you could do by adding the account to the local administrators group through Group Policy Restricted Groups settings.

Click OK.

You can now deploy clients using the Install Client action for discovered systems.

If you have problems deploying the client, look at the ccm.log file on the SCCM server, found in the C:\Program Files [(x86)]\Microsoft Configuration Manager\Logs folder. Use the SMS Trace utility, which is part of the SCCM 2007 Toolkit, to view the log files for easier reading (you could use Notepad). In the example below, you can see an attempt that failed because no account was specified. It tried to use the SCCM computer account, which didn't have the necessary permissions.

Note that the Client tab allows you to configure the site code to use for the deployed clients. However, the site code is normally automatically discovered, so make sure your clients are within the boundary of your SCCM sites.

If you need to troubleshoot at the client level based on information on the server, look at ccmsetup.log on the client (found in the C:\Windows\ccmsetup folder). It will give more detail if the problem is client-side. You can also check the event log.
