Scenario
During installation of Configuration Manager 2012 RC2 the prerequisite checker lists a warning for the prerequisite: Verify site server permissions to publish to Active Directory although the required permissions are in place.
As the environment might expand and more site servers could be implemented it was opted to grant the permissions using a domain local security group which has the site server computer account added as a member.
Troubleshooting
First check was to verify if the required permissions on the System Management container are implemented for the group. Additionally it was confirmed the site server computer object was added as a member. When running the prerequisite checker it still shows the warning even though permissions are in place.
In a second scenario permissions were implemented on the System Management container using the computer object instead of using groups. When re-running the prerequisite checker it did no longer show the warning and passed the check.
Resolution
According to feedback received this is behaviour as expected.
This was logged earlier as a bug for the RC1 release of Configuration Manager 2012. The bug report mentioned this would be fixed as of build 7688. Apparently at that point the fix was to reword the explanation offered by the prerequisite checker as opposed to implementing a fix that would have to create a dummy object in AD to test actual permissions.
Bottom line: the warning message can safely be ignored as long as the permissions for the group containing the site server(s) are correctly implemented.
Today during a Private Cloud webcast Microsoft has announced their new strategy on System Center. No longer are the System Center products considered as separate entities: System Center 2012 is now a single product. It is a fullblown suite which includes a complete set of System Center products.
An overview of what the suite will include:
- Configuration Manager
- Service Manager
- Virtual Machine Manager
- Operations Manager
- Data Protection Manager
- Orchestrator
- App Controller
- Endpoint Protection
This does not mean all of the above will have to be installed in one shot. Customers will still have the ability to implement and integrate solutions one by one.
The new System Center 2012 product comes in 2 editions:
- The Datacenter edition is licensed per two physical processors and provides use rights for management of an unlimited number of VMs per license.
- The Standard edition is also licensed per two physical processors, and each license gives you management rights of two virtualized servers.
For details on System Center 2012 licensing have a look here.
Also check out the Private Cloud Assessment Tool.
Evaluation software is available for download here.
Now I am off to the (virtual) lab for some quality time!
After being absent for a few of the previous CEP sessions I was happy to be able to attend the PCM and P2V Toolkit session yesterday. Below are some key takeaways from this session. This was the last session for this year, next one is scheduled for January 11th 2012.
Package Conversion Manager (PCM)
PCM is a feature pack for Configuration Manager 2012 which will allow you to prepare and move your packages towards the new app model.
A best practice approach to convert packages would be:
- Migrate Objects
- Create apps in a lab environment
- Test apps in a lab environment
- Export and import
The package migration options from 2007 to 2012 are:
- Do nothing and leave the package and program
- Convert Manually
- Convert using PCM
Selecting conversion candidates:
- Good : App-v, MSI and Executable files (user facing applications)
- Bad: System maintenance tools (defrag, etc …) and end of life applications
Understanding PCM manual vs automatic conversion rules:
- Automatic
- Package contains only 1 MSI
- No unconverted dependencies exist
- Content is accessible
- Manual
- Is a software distribution package
- Contains at least one program
Following up:
- Using the conversion dashboard
- Advanced troubleshooting: using the pcmtrace log in the %temp% folder
PCM is scheduled to be released at the same time as Configuration Manager 2012.
Configuration Manager P2V Migration Toolkit
A utility to help migration to Configuration Manager 2012 in specific scenarios, for example a remote site server migration where the goal is to re-use existing server hardware.
How can the P2V toolkit help:
- Eliminates the need of parallel physical servers at remote sites
- Repurpose existing site server into a virtual instance
- Hosting ConfigMgr 2007 AND ConfigMgr 2012 on the same physical machine using virtualization
- Simplifies and automates creation of a virtualization task sequence
- Simple and intuitive interface to create and deploy the task sequence
- All virtualization tasks sequence steps are built-in
- Limited input needed by remote site administrators
Toolkit options:
- Task Sequence with stand alone media (fully automates the end-to-end process)
- Bootable media only
Offcourse the hardware should meet the necessary prerequisites for virtualization and Hyper-V.
The P2V toolkit will ship at the same time of Configuration Manager 2012 RTM as a separate tool.
The release candicate is already available via Connect.
Some key takeaways from the CMCep session held on the 10th of August. Topic for this session was the ConfigMgr 2012 SDK, presented by Heena Macwan and Martin Dey.
Planning
- After MMS: SDK Beta program started. On invite only.
- ConfigMgr 2012 Beta 2 RTM time: SDK Beta available on Connect). Initial draft SDK, including:
- Coverage for the new AppModel classes and members
- ConfigMgr 2012 RTM time: SDK Update, including:
- Details of all modified classes and members to help port existing solutions
- ConfigMgr 2012 RTM + 6 Months: SDK RTM
- Details on all new members and classes
SDK Extension Areas
- Admin console
- Add right-click options, forms, wizards, nodes and views
- Insert tabs into existing forms
- SMS Provider
- Enabling automation of any UI activity
- Actions achieved through WMI classes, properties and methods
- MP interface
- Allows unsupported clients to be managed through proxy (MP Proxy)
- Provide extra support for windows clients
- Client interfaces
- Exposes interfaces to control panel applet
- Ability to enact custom policies at the client
- Note: client inventory customization no longer required
Porting from 2007 to 2012
- Some areas will require changes to port to 2012
- Guidelines will be made available.
New Extensibility Areas in 2012
- Application model
- Settings Management (formerly DCM)
- RBAC
- Data Warehouse
- Mobile Device Management
- OSD
- Software Update Management
- Client Health
Powershell Support
- Phase 1 available at ConfigMgr 2012 RTM : Drive Namespace context and support for get-item access by Object Type
- Phase 2 at 2 2012 : cmdlets covering key CM WMI namespace objects
In March round 2 of the Configuration Manager 2012 Community Evaluation Program was kicked off. It was announced that during this round the topics of the earlier round would be recycled but based on the Beta 2 release of ConfigMgr 2012. I intend to also participate in this round and share key takeaways for each of the CEP sessions.
Two days ago the session on ConfigMgr Hierarchy was scheduled. Presenter for this session was D.C. Tardy, senior Program Manager. Below you can find some key takeways:
Infrastructure Promises
- Modernized Architecture
- Minimizing infrastructure requirements for remote locations
- Consolidating infrastructure for primary sites
- Improvements related to scalability and data latency
- Being Trustworthy
- Interactions with SQL DBA are consistent with ConfigMgr 2007
- ConfigMgr Admin can monitor and troubleshoot replication approach independently
Hierarchy Simplification
- Clients are managed through primary sites, not the CAS
- CAS is needed when:
- There is more then one primary site in a hierarchy
- There is a requirement to offload reporting and administration from the primary site
- Add primary sites for:
- Scaling (100.000+ clients)
- Reduce impact of site failure
- Local point of connectivity for administration
- Political reasons
- Content Regulation
- Use secondary sites for:
- Managing upward going WAN traffic
- Tiered content rooting for deep topologies
- Location without local administrators
- Add local DP’s for:
- Situations where BITS is not sufficient for controlling WAN traffic
- OSD Multicasting
- App-V Streaming
Distribution Points
- New for DP’s:
- One DP type
- Can be hosted on client and server OS’s
- Throttling and scheduling features
- PXE / Multicast capabilities
- Drive specification for content storage
- Requires IIS feature
Content Prestaging
- New functionality in ConfigMgr 2012
- One feature that can preload on site server or DP
- Supports all package types
- Content library and package share
- Registers package availability with the site server
- Conflict detection to ensure latest package versions are used
Forest Discovery & Boundaries
- Forest Discovery
- Discovery at the site server forest level and any trusted forests
- Ability to manually add forests that are not trusted (eg DMZ scenarios)
- Returns the domains, sites and IP Subnets
- Supports the creation of boundaries (can be automated)
- Boundaries
- Same types are in ConfigMgr 2007
- Simplified management
- Automatic creation as part of forest discovery
- Split between client assignment and content lookuo
- Boundary groups for organizing boundaries in logical containers
- Boundary groups are the primary object for client assignment and content lookup – not the boundaries!
- Auto-create boundary groups when migrating from ConfigMgr 2007
SQL Server
- One site per SQL instance
- All database communication is encrypted
- TCP/IP port for service broker
Client Settings
- Approach change
- Essential to stop use primary sites for different client settings
- Default client settings for the entiry hierarchy and custom settings assigned to collections
- Custom settings overrule default settings. Priority based.
Role Based Administration
- Remove clutter: goal is to only display what is relevant to the current user
- Security roles determine what objects a user can see and what he can do with them
- Security scope: what instances can I see and interact with
- Collections: which resource can I interact with
Collection limiting
- Assigning a collection to an administrator automatically assigns all limited collections
- Product ships with only 2 read only root collections
- Every collection is limited by another
Some key takeaways from the CEP session on migrating from Configuration Manager 2007 to Configuration Manager 2012. Session hosted by Eric Orman and Jeroen van Eesteren, both from Microsoft.
How migrations were commonly handled in ConfigMgr 2007:
- Clients were reassigned and updated
- Objects were migrated using scripts and custom tools
- Infrastructure was implemented side by side
- Inventory data was either regenerated or preserved
What ConfigMgr 2012 will offer in regards of migration:
- Assistance for migrating objects and clients
- Minimizing WAN impact
- Flattening the ConfigMgr hierarchy
- Maximizing the re-usability of x64 hardware
Migration functionality will come out-of-the-box with ConfigMgr 2012:
- Automated object migration (collections, packages, boundaries, metering rules, etc …)
- DP sharing: fallback to ConfigMgr 2007 DP for obtaining migrated content
- Content prestaging (similar functionality as the PkgPreLoadOnSite utility)
- Distribution point upgrade to reduce requirement to redistribute content
High-level migration steps:
- Enable migration by specifying a ConfigMgr 2007 source central site
- Enable DP Sharing
- Define migration jobs
- Upgrade and re-assign clients to a ConfigMgr 2012 site
- Distribute or leverage DP sharing for deployment of migrated objects to new 2012 clients
- After client migration start distributing content to ConfigMgr 2012 DP
- Decommission ConfigMgr 2007 Infrastructure
Objects supported for migration:
- Collections
- Advertisements
- Boundaries
- Software Packages and Virtual App packages
- Software update objects: deployments, deployment packages, templates and update lists
- OSD objects: boot images, driver packages, drivers, images, packages and task sequences
- DCM / Settings Management elements: Baselines and CI’s
- Asset Intelligence customizations
- Software Metering Rules
How to prepare your environment for migration:
- Get to the ConfigMgr 2007 SP2 level as a minimum
- Collections best practices:
- Avoid using mixed collections containing users and devices
- Avoid collections using multiple query rules which limit to different collections
- Use UNC paths for defining package sources. Avoid using local paths.
- Site codes must remain unique between ConfigMgr 2007 and ConfigMgr 2012 sites
Just a few days ahead of the next Configuration Manager CEP session I’m publishing my notes from the previous session on Mobile Device Management. Session presented by Hassen Karaa, Program Manager at Microsoft.
Microsoft Mobile Device Mgmt summary
- Formerly accomplished using Configuration Manager 2007 R3 and Mobile Device Manager 2008 SP1
- Functionality now unified in Configuration Manager 2012
- ConfigMgr will become the "single pane of glass" for managing servers, desktops and mobile devices.
- Using Exchange connector
- Depth Management of WinCE 6.0 Windows Mobile 6.x, WP 6.5 and Nokia Symbian based devices
- Secure enrollment
- Monitoring and remediation on device compliance
- Deployment of applications and configuration policies
Exchange connector
- Provides the single pane of glass for all assets in the enterprise
- Transfers management aspect of mobile devices from the Exchange admin to Configuration Manager
- Supports Exchange 2010 (and hosted Exchange)
- Supports all EAS capable devices (WP7, iOS, Symbian, Android, Palm, Etc …)
Management
- Overview:
Device Enrollment
- Secure over-the-air enrollment to simplify the end-user experience
- Establishes mutual trust between the device and the management server
Remote Device Wipe
- Administrator can wipe devices from the console
- Users can wipe devices from the application catalog
New features for Software Distribution:
- Application model
- Incorporates all supported Software types (MSI, Script, Etc …)
- Dependency handling improvements
- Requirement rules for installation
- Application supersedence and uninstall
- UDA (User Device Affinity)
- Unified monitoring experience
- Content Management (DP Groups and content library)
My notes from the CMCep Theme 8 session on Software Update Management (SUM).
Session from January 26th, hosted by Jason Githens. Jason is a Senior Program Manager at Microsoft and will also be presenting at the upcoming MMS 2011 event.
Configuration
- Superseded Update support
- Persist SCCM 2007 behavior and automatically expire superseded updates
- Or Configure SCCM 2012 not to automatically expire them
- Supersedence expiration setting can go up to 99 months (3 is common at most customers)
- RBA
- Specific roles and scopes for Software Update Management
- Agent Settings
- Client agent settings per collection (eg. Workstations vs Servers scenarios)
- Ability to define collections to which software updates do not get applied
- Migration support (SCCM 2007)
- Migrate templates and searches built in SCCM 2007
- Preserve existing Update Lists or Deployments
- Important: SUP configuration for products & classifications must be idential on SCCM 2007 and SCCM 2012
With some delay I finally managed to wrap up my notes from the last ConfigMgr 2012 CEP session. Topic for Theme 7 is Compliance and Settings Management, formerly known as Desired Configuration Management (or DCM) in Configuration Manager 2007.
The session is presented by Onur Koc, Senior Program Manager at Microsoft. Next to Compliance and Settings Management he is also responsible for the Power Management features in Configuration Manager 2012.
Vision:
- Provide a unified platform for customers and partners to define, monitor, enforce and report configuration compliance in the enterprise for users accross all supported ConfigMgr devices.
Key TakeAways:
Simplified Administration Experience
- Role Based Access Control (RBAC): builtin role for Compliance Settings Management
- CI Creation by browsing a master (or gold) system
- Baseline creation is simplified
Baseline Deployment
- Terminology change: "Assignment" as known in ConfigMgr 2007 is no longer used.
- This is consistent throughout other ConfigMgr features.
User & Device targetting
- Compliance SLA’s and Alerting
- Per user evaluation and remediation
Monitoring Compliance status
- From within the SCCM console
- Report on remediation, conflict and errors
Monitoring vs Remediation
- Automated Remediation for registry, WMI and script based settings
- Remediation reporting to identify what settings were reconfigured
CI Revisioning and Audit tracking
- CI Versioning capabilities
- Audit changes (eg who modified what and when)
Support for mobile phones
- Support for WM 6.1 and WP 6.5.x
- Windows Phone 7 not supported
Migration from SCCM 2007
- Investments on v4 config packs will be maintained
- Import CI’s and Baselines into ConfigMgr 2012
- Migration tool will automatically convert v4 schemas to v5
Noteworthy items from the Q&A:
- Monitoring compliance status will also be possible using a new Management Pack for System Center Operations manager.
- Configuration Manager 2012 Beta 2 release still on schedule for H1 release. Quality driven so if needed some slip will be allowed.
Below are some key takeaways from the Configuration Manager 2012 CEP session on OSD, which took place on December 15th. Session speaker for this topic was John Vintzel, Senior Program Manager in the Configuration Manager team.
Offline servicing:
- A feature allowing to update an OS stored in the Configuration Manager library, eliminating the need to redeploy and recapture it.
- Beneficial for reducing deployment time and exposure to vulnerabilities during deployment
- Allows for scheduled updating at any time
- Based on the DISM tool (from the WAIK)
- Works for Vista SP1 and Windows Server 2008 and later OS’s, for all CBS based updates
Media Updates:
- Prestart command (used to be pre-execution hook) improvements
- No more complex steps to add prestart command to media
- Ability to include files and add media specific variables
- Available with prestaged, bootable and standalone media
- Automation improvements
- Improvements to help with Zero Touch deployments. No more "click Next".
- Unattended boot media mode, eliminating most forms of user intervention
- Deployment selection from prestart command (scripts, custom HTA …)
- Hierarchy-wide Media
- Media no longer tied to a specific site
- Media will dynamically find site and MP based on boundaries
- Overrides and site specific media are also available
USMT 4.0 Integration:
- Easy and integrated way to use USMT 4.0 features with Configuration Manager
Application Integration:
- New SWD features can also be used for OSD
- Install application for Applications or install Packages for classic packages and programs
- Real time requirement evaluation and honoring of dependencies
- Applications do require installation mode for systems
User Device Affinity (UDA):
- Define user and device relationship during rollout of the machine
- Administrator defines the setting for UDA (do not allow, require approval or auto-approve)
- Associated to certificate, which can be revoked at any time
- Available to boot media, prestaged media and PXE
Apps and UDA new features allow different approach and specific usage scenarios:
- Use applications for complex software installations
- Use task sequence for the deployment of an OS
Centralized Management:
- Improved experience for centralized administration
- Components used for OSD can be managed from the CAS or primary site
- Also Task Sequences are global data which can be deployed from the CAS or primary site
- Computer Import and Association can occur from CAS or primary site
(Association requires 2 systems from the same site)
- OSD related roles like Distribution Point, PXE Service Point and State Migration point can only be installed at a site, as no client are managed directly from the CAS.
