
Monthly Archives: November 2012

SCCM 2012: KB2468097 applies to 2012 as well

Just a quick one,

At a current project the customer requested to import a number of Task Sequences which have been exported in a different SCCM 2012 Site. Both SCCM 2012 Sites have MDT 2012 integration. Unfortunately, importing the Task Sequences failed. During investigation I found the following KB article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;2468097

Unfortunately, the article refers to SCCM 2007 but I decided to give it a try and follow the steps mentioned in the article…

Well, it works…

 


SCCM 2012 SP1 Beta: To image or not to image, deploying Windows 8 or Windows Server 2012

Hi everyone,

This blog is more or less an opinion. You might have a different opinion on this, so feel free to comment…

The beta for SCCM 2012 SP1 has been out there for a while. This allows me to familiarize myself with the new features in a lab environment. It also allows me to think about a strategy for working with image files for deploying an Operating System.

In many projects implementing SCCM 2012, there’s much debate about using images and how they should be managed. In my opinion, you always have two (extreme) strategies to work with images:

  1. Image deployment should be as fast as possible
  2. Image deployment should have maximum flexibility

Deploying an image as fast as possible basically means that all base applications and updates should be inside the image. You need to build this image with all the required applications in order to reach this objective. This strategy works great if you’re certain your baseline rarely changes. If your baseline changes, however, for example because a new version of an application must be inside the image file, then you need to build the image again…

The other extreme is that you want maximum flexibility. In this scenario you create an empty image and install the applications afterwards. Installation of applications is part of your deployment. This strategy works great if your baseline changes frequently or you have almost no baseline applications at all. This gives you great freedom and allows your Task Sequence to be modified easily. There’s also no need for rebuilding an image at all. The downside of this strategy is that deployment takes longer.

Many times a compromise

One major challenge is deploying updates. While the Offline Servicing feature is really great (I love it), your images grow bigger over time and there is a good chance that updates become superseded. It’s best to make sure that superseded updates are no longer circulating in your organization, which means that eventually new images must be built anyway.

In an earlier blog post (https://mwesterink.wordpress.com/2012/10/09/sccm-2012-sp1-beta-building-images-from-operating-system-installer-package-not-available-2/) I discovered that SCCM 2012 SP1 doesn’t provide an option anymore in the wizard to build images from scratch, so you must build it yourself. Integrating MDT 2012 in SCCM 2012 does provide you a workaround so you don’t need to build it yourself. One nice feature MDT 2012 offers is to install updates offline. A convenient description was written by Chris Nackers which is available here (thanks Chris): http://www.chrisnackers.com/2011/08/19/configmgr-building-a-reference-image-installing-hotfixes-updates-offline/

I have a feeling that Microsoft might want to encourage administrators to say goodbye to all the image building and use unattended installations only.

I’ve tested a few Windows 8 deployments in my test environment and I must admit that maintaining maximum flexibility is the strategy to go for. I’d recommend this scenario for Windows 7 as well. Windows 7 and 8 are more stable than earlier versions which means that reinstalling a machine is happening less frequently than before. The cost of deployment speed to simplify administration is a price I wouldn’t mind paying…

 

 

 

 

SCCM 2012 SP1 Beta: using Advanced Security for client communications and its implications…

Hi everyone,

Recently I had some time to build an SCCM 2012 SP1 Beta Site in my lab environment. I destroyed my existing environment to allow me to start again using Advanced Security.

I used Justin Gao’s excellent guide to build an environment using Advanced Security for client communications. Many customers are not using Advanced Security with the RTM, so I needed to familiarize myself with this approach. To me, it was a great eye opener.

In a nutshell, only HTTPS communications are allowed and you have to do something with certificates. You need to use HTTPS if you want to use mobile devices or access from the internet.

The guide is available at the following website: http://blogs.technet.com/b/justin_gao/archive/2012/09/22/system-center-2012-configuration-manager-sp1-beta-deployment.aspx

With this guide you should succeed in building the environment yourself, so this blog is not going to discuss the deployment itself. As usual, SCCM 2012 SP1 is still in Beta, so do not install this in a production environment.

One passage caught my attention. On page 7, the guide explains that you need to configure all SQL services to run under the LOCAL SYSTEM account instead of a domain user account or the NETWORK SERVICE account; otherwise database replication will fail with certificate issues.

This contradicts an SQL best practice which is mentioned at TechNet: http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLDBconfig

Please understand that I’m not challenging Justin’s document at all. I’d like to thank Justin for writing this document in the first place. Challenging this document is completely up to you.

While the technical implications may not be a big deal, I expect many political challenges when offering organizations this solution. Many companies have DBA Admins. Not applying best practices might be very confronting to them and to other system administrators, security officers and even the CIO as well.

SCCM 2012 SP1 is still in Beta; however, this feature is also available in the RTM. It makes me curious how security specialists look at this issue. On the other hand, most organizations use a dedicated SQL instance for SCCM 2012 and no other databases are installed on that instance. To a certain point, I don’t think it’s really a big deal.
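A quick way to see which account each SQL Server service on the site database server actually runs under, so the LOCAL SYSTEM requirement can be reviewed with DBAs and security officers. This is an added example, not taken from the original post or from Justin's guide; the list of service binaries is an assumption about which SQL components are installed.

```powershell
# Added example: report the service account of every SQL Server related service.
param([string]$ComputerName = $env:COMPUTERNAME)

function Get-AccountClass {
    param([string]$StartName)
    # Win32_Service.StartName formats: LocalSystem, NT AUTHORITY\..., NT Service\..., DOMAIN\user
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'LocalSystem'; break }
        '^NT AUTHORITY\\Network ?Service$'     { 'NetworkService'; break }
        '^NT AUTHORITY\\Local ?Service$'       { 'LocalService'; break }
        '^NT SERVICE\\'                        { 'VirtualAccount'; break }
        '^\.\\'                                { 'LocalUser'; break }
        default                                { 'DomainOrOtherAccount' }
    }
}

# Match on the service binary so that named instances are included as well.
# Assumed set: engine, agent, browser, Analysis Services, Reporting Services, VSS writer.
$sqlBinaries = 'sqlservr\.exe|sqlagent\.exe|sqlbrowser\.exe|msmdsrv\.exe|' +
               'ReportingServicesService\.exe|sqlwriter\.exe'

Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.PathName -match $sqlBinaries } |
    ForEach-Object {
        $class = Get-AccountClass $_.StartName
        [pscustomobject]@{
            Service           = $_.Name
            State             = $_.State
            Account           = $_.StartName
            AccountClass      = $class
            RunsAsLocalSystem = ($class -eq 'LocalSystem')
        }
    }
```

The output is a list of objects, so it can be piped to `Format-Table` or `Export-Csv` and attached to a change request that documents the deviation.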

 

SCCM 2012: Migrating packages from SCCM 2007 to SCCM 2012, beware…

SCCM 2012 has been available for a while. Most customers who ask me to introduce SCCM 2012 start from scratch. Many organizations use the already infamous combination of WDS, WSUS and GPO for software distribution. Others use a 3rd party tool and want to replace it with SCCM 2012. The third group has an existing SCCM 2007 environment and wants to migrate to SCCM 2012 to use its new features.

It’s not possible to initiate an in-place upgrade from SCCM 2007 to SCCM 2012, so you need to build an SCCM 2012 infrastructure that temporarily coexists with it, which allows you to migrate content from SCCM 2007 to SCCM 2012. Once the migration is completed you can uninstall the SCCM 2007 Site.

An SCCM 2012 Site can connect to an SCCM 2007 Site and scan it for content that is available to be migrated.

From that point you can migrate existing packages to SCCM 2012. This is all very straightforward…

However, one critical setting in each package can turn this into a success or a true nightmare: the application source path.

If the application source points to a directory on a disk, e.g. D:\source\application\…, then SCCM 2012 will search for the source on its own machine and not at the original SCCM 2007 location. Distributing the content to all distribution points will fail because SCCM 2012 cannot locate the content: it doesn’t exist on that machine.

If you’re in such a situation, then you have no other choice than changing the application source path manually (make sure that the content is available at the new source path).

Numerous scripts can be found that modify source directory paths, but all of them are written for UNC paths only.

It is always a best practice to use UNC paths for application source directories because it gives you a bit more freedom to modify them. Using a DFS Namespace is in my opinion the most elegant solution since it completely eliminates any dependencies on content locations. You don’t need to do anything if you decide to move the share to a different file server and have the DFS Namespace point to the new server share.

I would not consider copying the content to your SCCM 2012 Site server and still use local paths…
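One way to find migrated packages that still point at a local disk and repoint them to a UNC or DFS path. This is an added example, not a script from the original post; the site code `PS1`, the local root `D:\source` and the DFS path `\\corp.example\dfs\source` are placeholders, and it is assumed to run on the SMS Provider server.

```powershell
# Added example; run with rights to modify packages in the SCCM 2012 site.
param(
    [string]$SiteCode  = 'PS1',                        # placeholder site code
    [string]$LocalRoot = 'D:\source',                  # local root used by the SCCM 2007 packages
    [string]$UncRoot   = '\\corp.example\dfs\source',  # placeholder DFS namespace path
    [switch]$Apply                                     # report only unless -Apply is given
)

function Convert-SourcePath {
    param([string]$Path, [string]$LocalRoot, [string]$UncRoot)
    # Returns the UNC equivalent, or $null when the path is not under the local root.
    $root = $LocalRoot.TrimEnd('\')
    $underRoot = ($Path -eq $root) -or
        $Path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)
    if (-not $underRoot) { return $null }
    return $UncRoot.TrimEnd('\') + $Path.Substring($root.Length)
}

# Packages without source files and packages that already use UNC paths are skipped.
$packages = Get-WmiObject -Namespace "root\SMS\site_$SiteCode" -Class SMS_Package |
    Where-Object { $_.PkgSourcePath -and -not $_.PkgSourcePath.StartsWith('\\') }

foreach ($pkg in $packages) {
    $old = $pkg.PkgSourcePath
    $new = Convert-SourcePath -Path $old -LocalRoot $LocalRoot -UncRoot $UncRoot
    $status = 'ReportOnly'
    if (-not $new) {
        $status = 'LocalPathOutsideRoot'      # needs a manual decision
    } elseif (-not (Test-Path -LiteralPath $new)) {
        $status = 'ContentMissingAtNewPath'   # copy the content first
    } elseif ($Apply) {
        $pkg.Get()                            # load lazy properties before saving
        $pkg.PkgSourcePath = $new
        $pkg.Put() | Out-Null
        $status = 'Updated'
    }
    [pscustomobject]@{
        PackageID = $pkg.PackageID; Name = $pkg.Name
        OldPath = $old; NewPath = $new; Status = $status
    }
}
```

Run it without `-Apply` first and review the report; a package is only changed when its content is already reachable at the new path.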

 

 

 
 