Using a PowerShell Configuration Baseline to Deploy CMTrace

As a Premier Field Engineer, I spend a lot of time with customers coast to coast. One common thing I have seen is customers constantly looking for their favorite log viewer (at least mine 🙂).

Configuration Baselines to the rescue.

Anyone who knows me knows I am a huge fan of configuration baselines, since they enable so much outside-the-box thinking, valuable workflows, and automation. OMG it’s insane, the fun stuff you can do with Configuration Baselines. Another story for another day.

So getting CMTrace out in the infrastructure is fairly straightforward, so let’s get started.

Objective:

  • From a Run command, type CMTRACE and have CMTrace pop up.

To get started, we first need to figure out the commands needed to test for the existence of CMTrace. Before we do that, we need to consider the objective: CMTrace has to be in the windows\system32 folder to be launched from the Run command line.

Phase One: (Testing for the file)

To test for the existence of CMTrace we can use the Test-Path PowerShell cmdlet. Why PowerShell, you may ask? Because POWERSHELL IS KING, and I can tune this as much as I like for any scenario.

#look for cmtrace.exe
$cmtrace = Test-Path "c:\windows\System32\cmtrace.exe"
$cmtrace

As you can see, I store the result of the Test-Path cmdlet in a variable, so I can evaluate its True or False value later.

The below picture is a negative evaluation. (Meaning CMTrace IS NOT in the tested location)

clip_image002[1]

After I put CMTrace in the tested path you get the picture below showing a good evaluation. (Meaning CMTrace IS in the tested location)

clip_image004[1]

Phase Two: (Remediating the file)

Now that we know how to test for the existence of the file and we also have the extra value of evaluating the file existence on True or False, we can get down to remediation if the value equals false.

#copy cmtrace.exe from the site server share to C:\Windows\System32

Copy-Item -Path "\\scapss\SMS_SCA\tools\cmtrace.exe" -Destination "C:\Windows\System32\cmtrace.exe" -Verbose

Phase Three: (Putting it Together)

Now that we know how to detect the file and remediate if the file IS NOT there, we are off to create our Configuration Item with Remediation and the Configuration Baseline to deploy.
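A hardened version of the discovery and remediation pair, as an added example rather than the author's script: the client counts as compliant only when cmtrace.exe is present and carries a valid Microsoft Authenticode signature, and the file from the share is checked before it lands in System32. The function names are hypothetical, the share path is the one used above, and the signer match is an assumption about how your copy of the file is signed.

```powershell
# Added example, not the author's script. Test-CMTraceCompliant is the discovery
# side of the Configuration Item, Install-CMTrace the remediation side.
$Source = '\\scapss\SMS_SCA\tools\cmtrace.exe'   # share path from the post; change as needed

function Get-System32Path {
    # A 32-bit script host on 64-bit Windows is silently redirected from System32
    # to SysWOW64. The Sysnative alias exists only for 32-bit processes and
    # points at the real System32, which is where the Run dialog looks.
    $sysnative = Join-Path $env:windir 'Sysnative'
    if (Test-Path -LiteralPath $sysnative) { return $sysnative }
    return (Join-Path $env:windir 'System32')
}

function Test-TrustedBinary {
    param([string]$Path)
    # Require a valid Authenticode chain and a Microsoft signer (assumed signer);
    # a bare Test-Path would accept any file that happens to have this name.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Test-CMTraceCompliant {
    $target = Join-Path (Get-System32Path) 'cmtrace.exe'
    return ((Test-Path -LiteralPath $target -PathType Leaf) -and
            (Test-TrustedBinary -Path $target))
}

function Install-CMTrace {
    $target  = Join-Path (Get-System32Path) 'cmtrace.exe'
    $staging = Join-Path $env:TEMP ('cmtrace_{0}.exe' -f [guid]::NewGuid())
    try {
        # Stage outside System32, verify, and only then copy into place.
        Copy-Item -LiteralPath $Source -Destination $staging -ErrorAction Stop
        if (-not (Test-TrustedBinary -Path $staging)) {
            throw "Signature check failed for $Source; nothing was written to System32."
        }
        Copy-Item -LiteralPath $staging -Destination $target -Force -ErrorAction Stop
    }
    finally {
        Remove-Item -LiteralPath $staging -ErrorAction SilentlyContinue
    }
}

# Discovery script body: emit one Boolean for the compliance rule (expected: True).
Test-CMTraceCompliant
```

For the remediation script, keep the function definitions and replace the last line with a call to Install-CMTrace.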

Below you will see screenshots of how the Configuration Item is Configured.

clip_image006[1]

clip_image008[1]

clip_image010[1]

clip_image012[1]

Configuration Baseline Configuration:

clip_image014[1]

NOTES:

Change values and locations as needed within the script. This script and Configuration Baselines are meant for testing use only.

 

@SCCMAvenger


Windows Server 2003 as a Distribution Point

I had a project where a client wanted to use a 2003 Server as a distribution point. This blog will explain what needs to be done to make a 2003 Server a distribution point.

 

So as usual you will need to go through the admin section and set up a site system, and pick the server as a distribution point. Once you make that server a distribution point, you will notice the status in the monitoring section (Monitoring –> Overview –> Distribution Status –> Distribution Point Configuration Status) will not turn green. Yes, you may have selected to make the server a distribution point and install IIS, but it won’t.

The below screenshot is what your screen will look like and stay like unless you perform the following steps in this blog:

image

 

If you go to the server and look at the location where the CM12 distribution folders are located you will see this:

image 

If you notice there is A LOT missing here.

 

In the distmgr.log you will also see errors similar to the ones below.

image image image
image image image

 

So exactly how do you get the server to function as a distribution point?

 

So if you look at TechNet.com you will see the requirements for a DP are as follows:

image

 

Notice that the VERY 1st feature is REMOTE DIFFERENTIAL COMPRESSION.

So Windows 2003 Server DOES NOT have this by default. BUT, if you look in the share on your CM12 server (\\CM12\SMS_PS1\Client\i386), the i386 folder under the Client folder, you will notice the executable msrdcoob.exe. Guess what that is? 🙂

image

Once you execute the EXE you get the below install:

image

 

image 

 

image

 

image

 

Once you install that, you go back and look at your log files and the status and you still see red:

image

 

You need to install IIS on the server manually.

The below screenshot comes directly from TechNet.com, under the same screenshot as above where the requirements are.

image

 

YEP, you have to install IIS manually on the 2003 Server.

image

 

Once the server has IIS installed and RDC installed, you get a clean log file and a clean green status area.

image

 

I hope this helps someone, and feel free to leave comments

/Ironman


Windows 7 as Distribution Point

Did you know you can turn a Windows 7 workstation into a distribution point?

Below you will see I have a small lab setup:

  • Domain Controller (DC01)
  • CM12 Server (CM01)
  • Windows 7 x64 Enterprise Workstation (Win701)

Distribution Point Notes:

  • Individually, each primary site supports up to 250 distribution points and each distribution point can support up to 4,000 clients.
  • Individually, each secondary site supports up to 250 distribution points and each distribution point can support up to the same number of clients as supported by the hardware configuration of the secondary site server, up to no more than 4,000 clients.
  • Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary site’s child secondary sites.
  • Each distribution point supports a combined total of up to 10,000 packages and applications.
  • Distribution point performance relies most on network I/O and disk I/O.

Distribution Point Requirements:

Features:
  • Remote Differential Compression
  • IIS Configuration:
    • Application Development:
      • ISAPI Extensions
    • Security
      • Windows Authentication
    • IIS 6 Management Compatibility
      • IIS 6 Metabase Compatibility
      • IIS 6 WMI Compatibility

Minimum Hardware:
  • 2 cores (Intel Xeon 5140 or comparable CPU)
  • 8 GB of RAM
  • Disk space as required for the operating system and content you deploy to the distribution point.

 

Below are the computer properties of that workstation we will be turning into a distribution point:

2
Here is the screenshot of the c drive & computer before turning this workstation into a distribution point:

3

4

As you can see, there’s only 1 disk drive, and there are only 5 folders in the root of the C drive.

Now let’s prepare this machine to be a distribution point:

In this step we need to go to the computer management console and add the cm site server “computer name” to the local administrators group.

5 6
BEFORE AFTER

OK, so that’s the workstation part. As you can see, it’s just like any other workstation you have in your office.

Now it’s time to hit the server side.

So now log into your CM12 Site Server.

You need to get to this area in the administration section, right click and Click “Create Site System Server”

image

You will need to go through a setup wizard. Just follow the screenshots below:

This identifies the workstation to be a distribution point

7

For this example I am NOT using a proxy server, so there’s no need to enter information here, but if you are using a proxy server you would need to put that information here

8

Here, as you can see, we’re selecting the role the server will consume

9

As you can see a distribution point relies on IIS being on the distribution point. So here you will configure if you want the PSS (Primary Site Server) to install & configure IIS on the targeted workstation. (For this example here the Windows 7 Workstation)

10

In this step you will configure the storage limits and direction for the targeted workstation

11

This step will configure this targeted device to allow other distribution points to pull packages from this distribution point

12

This step will configure the distribution point to be a PXE Service Point. A PXE service point will answer PXE requests coming from workstations. If you need this to be configured, then this is where you do it

13

This step will configure the distribution point to deploy its contents using multicast

14

You can have the content on the distribution point validated on a schedule

15

This step will configure the boundaries the distribution point will serve. So make sure you pick the correct boundary group

16

OK, so once you finish out the wizard, look in the administration section & click on distribution points. You should see the details of the distribution point. You should see the hard disk drives and their sizes as shown in the screenshot below:

18

If you look at the monitoring section and go to distribution point configurations you will see some errors. In this lab it looked like this RIGHT after making that system a distribution point through the steps above.

19

After about 5 min they were all green as below:

21

Once they’re all green, this confirms that IIS was configured, installed, and functioning on the distribution point.

You can confirm by viewing the log file on the Site Server (distmgr.log). This will confirm the setup of the distribution point and the package IDs that went to the distribution point.

You can see that once the workstation is configured as a distribution point, you get some extra files. Keep in mind I only used 1 drive here in this lab, so if you used another drive, look at the root of that drive and you will find some folders created by CM12

22

/IronMan


MMS 2013 PowerPoint’s

I don’t want any credit for this just sharing what any of us could have figured out.

Using the same script from Stefan Roth, (located here) I was able to run the Create-MMS2013SessionFile to create the session.txt file

Once I opened it I saw all the extensions were .WMV, I just replaced the .WMV extensions with the .PPTX extensions and bam. There goes the PowerPoint’s.

 

As you can see, not all sessions are up, or the name of the PPTX is NOT the same as the video name. You will need to get those manually or wait until all the PPTX’s are uploaded…

Per the script though you will get a sessions_notavalable.txt file you can refer to.

If you’re like me you might not get all the videos to watch, but at least you can get the PPTX’s to review while you’re flying home.

Happy travels everyone

@dguilloryjr


In-place Upgrade to Server 2012

So yesterday I got my hands on a copy of Windows Server 2012 Datacenter RTM. I got home and updated my network at the house. I logged into my DC (Server 2008 R2) and did an upgrade. Obviously, just as with other versions, you need to run:

adprep.exe /forestprep

adprep.exe /domainprep

Once you run the preps above, you should be good to go with the upgrade of your domain controller.

You can follow the steps in this short video:

Transfer Server Roles (from 2008 x64 to 2008 R2)

Got a call today from a customer that wanted to phase out an old server. There’s a physical box that’s old as dirt. They have a virtual setup, so I built a domain controller on it and joined it to the domain…

There is a video below, but I will roughly go through the steps…

I loaded the ISO of Server 2008 R2 as CD/DVD

Existing Server (Server 2008 X64)

  • Open CMD Prompt
  • C:\Users\Administrator>d:\support\adprep\adprep.exe /forestprep
    • This will prepare the forest
  • C:\Users\Administrator>d:\support\adprep\adprep.exe /domainprep
    • This will prep the Domain

New Server (Server 2008 R2)

  • Built a server 2008 R2
  • Joined it to the domain
  • Promoted the Server to a DC (ran dcpromo)
    • DNS
    • Global Catalog

Transferring the roles (perform these on the 2008 R2 Server)

  1. Open CMD Prompt (type the following commands)
    1. regsvr32 schmmgmt.dll
    2. ntdsutil
    3. roles
    4. connections
    5. connect to server DC02
    6. q
    7. ?
    8. transfer role
    9. Transfer infrastructure master
    10. Transfer naming master
    11. Transfer PDC
    12. Transfer RID master
    13. Transfer schema master
    14. exit
    15. netdom query /domain:contoso fsmo
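A check to run after the last step, as an added example that is not part of the original post: it parses the five role lines that `netdom query fsmo` prints and flags any role that did not land on the new domain controller. The function names and the sample output are constructed for illustration; DC02 and contoso are the names used in the steps above, and DC01 stands in for the old server.

```powershell
# Added example. Parses "netdom query fsmo" output and verifies every role holder.
$FsmoRoles = 'Schema master', 'Domain naming master', 'PDC',
             'RID pool manager', 'Infrastructure master'

function Get-FsmoHolders {
    param([string[]]$NetdomOutput)
    $holders = @{}
    $pattern = '^(' + ($FsmoRoles -join '|') + ')\s{2,}(\S+)\s*$'
    foreach ($line in $NetdomOutput) {
        if ($line -match $pattern) { $holders[$Matches[1]] = $Matches[2] }
    }
    return $holders
}

function Test-FsmoTransfer {
    param([string[]]$NetdomOutput, [string]$ExpectedHolder)
    $holders = Get-FsmoHolders -NetdomOutput $NetdomOutput
    foreach ($role in $FsmoRoles) {
        $holder = $holders[$role]
        # Compare host names only, case-insensitively; a role missing from the
        # output counts as a failure rather than being skipped.
        $ok = [bool]($holder -and (($holder -split '\.')[0] -ieq $ExpectedHolder))
        New-Object PSObject -Property @{ Role = $role; Holder = $holder; Ok = $ok }
    }
}

# Constructed sample output: the schema master transfer was missed.
$sample = @(
    'Schema master               DC01.contoso.com'
    'Domain naming master        DC02.contoso.com'
    'PDC                         DC02.contoso.com'
    'RID pool manager            DC02.contoso.com'
    'Infrastructure master       DC02.contoso.com'
    'The command completed successfully.'
)

Test-FsmoTransfer -NetdomOutput $sample -ExpectedHolder 'DC02' |
    Where-Object { -not $_.Ok } |
    Select-Object Role, Holder

# Against a live domain, feed it the real command output instead of the sample:
#   Test-FsmoTransfer -NetdomOutput (netdom query /domain:contoso fsmo) -ExpectedHolder 'DC02'
```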

Notes: (http://support.microsoft.com/kb/255504)

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain.

We recommend that you transfer FSMO roles in the following scenarios:

  • The current role holder is operational and can be accessed on the network by the new FSMO owner.
  • You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
  • The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

Video


Who’s the Primary (Find the Primary DC)

 

If you have an environment with a lot of Domain Controllers or just want to know which one is the primary…

You can run the below command to find who’s the primary DC

nltest /dclist:danny.local

This command will list all DCs in an environment and mark the Primary DC with [PDC], as you can see from the command line below.

image

nltest /dcname:danny

This command will list only the primary domain controller for the domain you list after /dcname:

image


Current Company Migration (Your Feedback)

OK, so I wanted to blog about the current migration I am going through with my company, so that maybe some of you could chime in and give me some ideas, tips, or tricks.

So we have 2 companies that merged together to form Company C. After the merger I decided to build a new domain (DomainC.local), and migrate DomainA.local & DomainB.local to DomainC.local. 2 different domains and 2 different forests. DomainC.local is in a new forest and new domain. For various security issues in DomainA.local and internal politics with company A & company B, I created the new forest and the new domain with DomainC.local in it.

DomainA.local had a server infrastructure of server 2000 and Exchange 2000, pretty much a complete server 2000/NT infrastructure.

  • Back in December I did an upgrade on the 2000 servers to 2003 to leverage PowerShell for the migration.
  • Biggest of the 2 domains. Approximately 300+ people.
  • Domain Infrastructure 10+ years old.
  • No MS Licensing Agreement
  • Windows XP Professional Desktops
  • BartPE for imaging workstations (when used)
  • VMware 2.0 was upgraded to 4.1 in January, and moved from ESX to ESXi Architecture.
  • Using ScriptLogic Desktop Authority instead of GPO for desktop administration, restriction, and software deployment.

DomainB.local had a MUCH smaller infrastructure but all Server 2008 and Exchange 2007.

  • Exchange 2007 CAS Server and Mailbox Server
  • Several other 2008 Servers and a few 2003 Servers
  • MDT 2007/2010 Workstation imaging
  • Windows Vista & Windows 7 Workstations
  • Group Policy

***************New Domain***************

DomainC.local I built with Server 2008 R2 servers and Exchange 2010 for email

  • The Domains functional level is Windows Server 2008
  • The Forest functional level is Windows Server 2003
  • I have a trust between the 2 domains to assist with authentication migrating users.
  • VMware 4.1 host
  • SCCM 2012 (Installed Late April 2012)
  • Lync 2010 w/Edge Server
  • SharePoint 2010 Farm
  • MDT 2012
  • Exchange CAS server & Exchange Mailbox Server
  • Upgraded to SP1
  • Many more Win 2008 R2

OK, so now I have been migrating users from DomainA.local to DomainC.local, and so far so good… we run into a few hiccups with an app not being installed or configured, but for the most part so far so good. I have not integrated SCCM 2012 into the migration. Still brainstorming on ideas on how to integrate SCCM 2012 into the migration. (I just added our AV client into the applications and deployed it to the workstations collection group.) If anyone has ideas on how to maybe integrate more with CM2012 and use CM2012 to enhance the migration, I’m all ears. (Thinking about moving my MDT deployment solution to CM2012. Not sure yet.)

I’ve planned on deploying the software to device collections since each department has specific software; for example, cardiology has different peripherals than orthopedics, and so forth. Again, any ideas, kick ’em out there.

So far my process seems to be good…

  • Go through Exchange2010 PowerShell to prepare the mailbox:
    • .\Prepare-MoveRequest.Ps1 -Identity "sljones" -RemoteForestDomainController "ISADS02.lcmsc.com" -RemoteForestCredential $Remote -LocalForestDomainController "ICMGDC01.icmg.local" -LocalForestCredential $Local -TargetMailUserOU "OU=The Clinic,OU=Users,OU=ICMG,DC=icmg,DC=local" -UseLocalObject
  • Go through Exchange2010 PowerShell to move the user:
    • New-MoveRequest -Identity "sljones" -RemoteLegacy -TargetDatabase "Mailbox Database 0632030541" -RemoteGlobalCatalog "ISADS02.lcmsc.com" -RemoteCredential $Remote -TargetDeliveryDomain "icmg.local" -BadItemLimit 5
  • The two scripts above also create the user in Active Directory, so after the 2 cmdlets above are run I use ADMT on the DC to move the user’s SID information from DomainA.local to DomainC.local

After the above is complete the rest is a manual process of finding the users folder on DomainA.local and copying and dragging it to the file server on DomainC.local, and any PST files the user may have are manually imported into Exchange 2010. (Hopefully someone can help me out with automating this process)

So, now for the biggest challenge: “THE END USERS”. We have a simple document we deliver to the end users before they’re upgraded from Windows XP to Windows 7 & from Office XP/2000 to Office 2010. Any computers not having 3GB of RAM get the Windows ThinPC operating system, and RemoteApps get deployed via Group Policy. The GPO is targeting only Windows ThinPC operating systems with a WMI filter.

I’ve been doing 1 department at a time which as you can imagine is slow as heck. I’ve started trying to find ways to open up the deployment to consume more workstations and end users but, I seem to be stuck at the end users point, with being able to support the end users after the migration is done and also from the manual processes after the user is migrated using the scripts above.

This is why I decided to blog about it. Maybe someone out there can give me more insight into being able to streamline this more, or just confirm that this is as good as it gets.

I know there are tools out there (Quest migration toolkit). I’ve looked into the Quest tool, but up front it seems expensive, and on top of the tool being expensive it requires consulting hours.

I’ve been doing this 13 years now and I swear every place is different and has a certain twist. For this place, I swear it seems more of the end users’ resistance against change.

Any tips or tricks anyone can offer, feel free to kick them out there. At this point I feel the process is as good as it’s going to get. (I’m hoping I’m wrong.)

Thanks

Twitter – @dguillory@icmglc.com

Email – dguillory@icmglc.com


Updating Group Policy Central Store

In this blog we will go through the  process of updating the group policy central store to the latest version of the .admx/.adml files. I see organizations all the time that don’t have the latest updated GPO files. I updated my orgs GPO store and decided to document it for others that may have outdated files also. So if you follow the steps below you should be updated with “0” issues after…

 

1. Navigate to: http://www.microsoft.com/download/en/details.aspx?id=6243

image

2. Click download and download the MSI file to your PC

3. Install the MSI package

4. Navigate to the extracted path

  • %ProgramFiles(x86)%\Microsoft Group Policy\win72008r2

5. Copy folder PolicyDefinitions

6. Make a Backup of PolicyDefinitions

  • Right Click PolicyDefinitions
  • Send to
  • Compressed (zipped) folder

7. Paste Folder to location:

Additional Concerns

If you have customized ADMX files in the PolicyDefinitions folder, you will need to get these out of the backup you created… (don’t forget the .adml file that goes with your .admx file)

If you’re totally, 100% comfortable with GPO and what you’re doing, then it can be done anytime. Remember, by default GPO refreshes every 90 min.

Now for me, on the other hand, I do this after hours and use Specops software to push a GPUPDATE /force to all the workstations in the domain, then restart the workstations about 20 min later.

Video – Group Policy Central Store Updating

Danny Guillory Jr
twitter – @dguilloryjr
email – dguilloryjr@msn.com


Group Policy & WMI Filtering

WMI Filtering (Targeting Specific Operating Systems)

So I have been using Group Policy for several years now and I figured I would start Blogging about things I think would be helpful to others.

I am currently migrating a group from a Server 2000 infrastructure to a brand new 2008 R2 domain. Yes, that’s a mouthful, but in this article I am going to focus on the migration from ScriptLogic to Group Policy & GPMC.

Obviously there’s the resistance you have to deal with, and educating the staff on troubleshooting, implementation, and standardization. Once all that’s done it’s GPO as usual.

So as a part of the migration, SL (ScriptLogic) was targeting specific computers, i.e. name, make, model, etc.

You can do the same with Group Policy and WMI. Using WMI can make your Group Policies much more flexible and powerful.

Objective:

  • Change the background of Windows ThinPC to Warcraft Image
  • Change the background of Windows 7 PC to Disney Cars

In case you want to follow the Demo you will need the following:

  • 2008 DC
  • Windows ThinPC
  • Windows 7 PC

So first let’s get the 2 images we are going to use.

Yep, Disney “Cars” and “World of Warcraft”. Yes, I am a fan of both.

So now that we have what we’re going to work with, let’s get going.

OK, so let’s go to http://www.microsoft.com/download/en/details.aspx?id=12028 and download Scriptomatic.

Copy Scriptomatic to both the Windows 7 PC and the Windows ThinPC.

Once you open Scriptomatic it looks like the screenshot below:

image

So you can leave Namespace exactly as it is… (truth be told, you should not have to change this at all)

WMI Class, on the other hand: there’s a ton of stuff in there, and just about everything about any workstation can be found from here. So let’s just select Win32_OperatingSystem, just like the screenshot below.

image

Notice that I have “Plain Text” set so I can see the results of the WMI query in Notepad.

After running the query, the screenshot below shows you the output:

image

This is all we need at the moment to move forward with setting up Group Policy to filter on WMI.

So now it’s time to work in Group Policy…

We go out to our Domain Controller, open the Group Policy Management Console, and select WMI Filters:

image

The right hand side content area should be blank…

Right-click in the area and select New… from the popup window.

You will get the screen below…

image

From there click add and you will get the following screen…

Leave the namespace at the root\CIMv2

image

If you are familiar with SQL then this should be really straightforward for you…

You’re basically running a WMI query, but the format is just like a SQL query:

Select * from Win32_OperatingSystem where Caption = "Microsoft Windows 7 Enterprise " OR Caption = "Microsoft Windows 7 Professional "

Click Ok

image

Click Save

image

Your screen should look like this:

image

Now we go through the same steps but add the query below for ThinPC

Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Embedded Standard "

image
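Both filters compare Caption for exact equality, trailing space included, so it pays to evaluate them on a test machine before linking them to a GPO. The following is an added example, not part of the original post: it prints the local Caption between brackets so trailing whitespace is visible, then runs each query the way a WMI filter is evaluated (at least one returned instance means the filter matches). Test-WmiFilter and the ThinPC filter name are hypothetical.

```powershell
# Added example. Run on the Windows 7 PC and on the ThinPC to see which filter matches.
function Test-WmiFilter {
    param(
        [string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        # A filter matches when the query returns one or more instances.
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    }
    catch {
        # A malformed query is reported and counted as "no match" here.
        Write-Warning ("Query failed: {0} ({1})" -f $Query, $_.Exception.Message)
        return $false
    }
}

# The two queries from the post, unchanged. The second filter name is made up.
$filters = @(
    @{ Name  = 'Windows 7 Professional & Enterprise'
       Query = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows 7 Enterprise " OR Caption = "Microsoft Windows 7 Professional "' },
    @{ Name  = 'Windows ThinPC'
       Query = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Embedded Standard "' }
)

# Brackets make a trailing space in the Caption visible.
$os = Get-WmiObject -Class Win32_OperatingSystem
'Caption on this machine: [{0}]' -f $os.Caption

foreach ($f in $filters) {
    '{0,-40} {1}' -f $f.Name, (Test-WmiFilter -Query $f.Query)
}
```

If the bracketed Caption on a machine differs from the string in the filter, even by one space, the equality test fails and the GPO is not applied there.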

So now that we have 2 GPO’s built one to target Windows 7 Pro & Ent and another to target Windows ThinPC

So now let’s go create our Group Policies to set wallpapers.

First, let’s get the file to the workstation.

We’ll use GPP on each GPO to push the file to the workstation. (Computer Setting)

(As a personal decision I copy the file to the workstation; it’s perfectly OK for you to skip this step and use a network share.)

The paths below are where the files are stored.

The Path to the warcraft image is:

  • \\WIN-69V0P6DA8TE\temp\wow.jpg

The path to the cars wallpaper is:

  • \\WIN-69V0P6DA8TE\temp\cars.jpg

So using GPP and the settings below we will send the background image we want from the share location to the destinations below:

  • c:\temp\wow.jpg
  • c:\temp\cars.jpg

If you look at the image below you will see the settings I am using for File GPP to push the file to the workstations.

image

Once you add the settings above and hit ok, your screen will look like the one below:

image

Then you should click on the GPO and at the very bottom you will see the WMI Filtering Section.

Click on the dropdown and Select the WMI filter we created earlier, in this case the “Windows 7 Professional & Enterprise”

image

You’ll get a popup that looks like the one below, just hit ok…

image

You’re done. Repeat the same steps as above for the second GPO for ThinPC.

Now GPO time again…

Open a group policy and go to:

  • User Configuration\Administrative Templates\Desktop\Desktop\

image

Set the value as in the screenshot above.

Click ok…

Now the test: go to a workstation that the GPO was applied to.

Open a CMD prompt on the workstation and run GPUPDATE.

After this has run you should be able to see the file in “C:\Temp\”.

Now, if you set up your GPO correctly and applied it correctly to the container and your user, you should be able to see the Warcraft image displayed as the desktop background.

Repeat the same steps above for the Windows ThinPC image.

Twitter – @dguilloryjr

Email – dguilloryjr@msn.com
