Archive for the ‘SCCM’ Category

Configuration Manager 2007 Antivirus Scan and Exclusion Recommendations

06/12/2010 1 comment

The Configuration Manager support team released a new post about antivirus scans and exclusions. The post covers a lot of fixes and known issues that a good antivirus configuration solves.

The article covers the SCCM side, the SQL side, SCCM roles, etc.

If you have Microsoft System Center Configuration Manager 2007 (ConfigMgr 2007) installed and are running into the specific issues defined in the Knowledge Base articles below, you should consider excluding the folders/files defined in each…

Categories: SCCM Tags:

Moving SCCM server to new hardware – Part 2

21/10/2010 2 comments

My last post dealt with the procedure for moving a Windows 2003 SCCM SP2 R2 server to new Windows 2008 R2 hardware. As I wrote, the procedure finished successfully and all components seemed to work fine. Is it possible?

Several hours after the hardware migration we started to see some error messages in the statview console. The problems divided into client side and server side.

Client Side: The main problem with clients was an SMS public key issue. The new server has a new key, and some clients could not retrieve it from the site server (70% of the site server's clients!!!). I cannot explain why those clients did not refresh the key. I couldn't find any explanation for that.

Solution: Open statview.exe and filter on message ID 10822, "The trusted key, mp certificate and the mp machine have changed on server. The client cannot validate the authentication information."
I used this script to delete the TrustedRootKey from the client store; the script takes the computer name as an argument.

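' Deletes a non-matching TrustedRootKey from a client's WMI store.
' Usage: cscript <script>.vbs <computername>
'On Error Resume Next
Dim ObjWMIService, TrustedRootKeys, RootKey, ObjComp, ObjWMI

' The target computer name is required as the first argument
If WScript.Arguments.Count < 1 Then
  WScript.Echo "usage: cscript <script>.vbs <computername>"
  WScript.Quit 1
End If
ObjComp = WScript.Arguments(0)
WScript.Echo "starting on computer: " & ObjComp

ObjWMI = "winmgmts:{impersonationLevel=impersonate}!\\" & ObjComp & "\root\ccm\locationservices"

Set ObjWMIService = GetObject(ObjWMI)
Set TrustedRootKeys = ObjWMIService.ExecQuery("select * from TrustedRootKey")

For Each RootKey In TrustedRootKeys
  ' Compare the stored key with the new key copied from the site server
  If RootKey.TrustedRootKey <> "Insert The New key from site server" Then
    WScript.Echo "Trusted root key did not match key - delete it"
    RootKey.Delete_
  Else
    WScript.Echo "Root Key match"
  End If
Next

WScript.Echo "done for computer: " & ObjComp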

To get the key, do the following:

1. In a text editor, edit the file C:\program files\bin\x86\mobileclient.tcf.

2. Locate the entry SMSPublicRootKey= and write down the key or copy it to the Clipboard.

3. When you install the client, using any client installation method, use the Client.msi property SMSPublicRootKey=<key>, where key is the string you copied from mobileclient.tcf.

More information on TechNet.
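A read-only way to find the affected clients before deleting anything, given here as an added example that is not part of the original post: it reads SMSPublicRootKey from mobileclient.tcf (steps 1 and 2 above) and compares it with each client's TrustedRootKey instance. It assumes Windows PowerShell with Get-WmiObject and DCOM access to the clients; the function and parameter names are hypothetical.

```powershell
# Added example (read-only): find clients whose stored trusted root key differs
# from the site server's SMSPublicRootKey. Nothing is deleted or changed.
param(
    # Path as written in the post; adjust to your site server's install folder.
    [string]$TcfPath = 'C:\program files\bin\x86\mobileclient.tcf',
    # Assumption: list of clients to check; defaults to the local machine.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

function Get-SitePublicRootKey {
    param([string]$Path)
    # Take the value that follows "SMSPublicRootKey=" in mobileclient.tcf.
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*SMSPublicRootKey\s*=\s*(\S+)') { return $Matches[1] }
    }
    throw "SMSPublicRootKey= not found in $Path"
}

function Test-ClientRootKey {
    param([string]$Computer, [string]$ExpectedKey)
    try {
        # Same namespace and class the VBScript queries.
        $keys = @(Get-WmiObject -ComputerName $Computer -Class TrustedRootKey `
                  -Namespace 'root\ccm\locationservices' -ErrorAction Stop)
        # -ne on strings is case-insensitive, so hex casing causes no false mismatch.
        $stale = @($keys | Where-Object { $_.TrustedRootKey -ne $ExpectedKey })
        if ($keys.Count -eq 0)      { $status = 'NoKeyStored' }
        elseif ($stale.Count -gt 0) { $status = 'Mismatch' }
        else                        { $status = 'Match' }
    } catch {
        # Offline client, firewall, or missing namespace (no client installed).
        $status = "QueryFailed: $($_.Exception.Message)"
    }
    New-Object psobject -Property @{ Computer = $Computer; Status = $status }
}

$expected = Get-SitePublicRootKey -Path $TcfPath
$ComputerName |
    ForEach-Object { Test-ClientRootKey -Computer $_ -ExpectedKey $expected } |
    Sort-Object Status, Computer |
    Format-Table Computer, Status -AutoSize
```

Clients reported as Mismatch are the ones that will log message ID 10822; the rest can be left alone.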


Server Side: Here I needed to deal with more than one problem (and I hope that I can remember them all for future use).

x32 to x64 migration – the old SCCM server was installed to "c:\program files", and when we move to new hardware we must keep the same installation folder. When SCCM starts to reinstall components after the site repair, some new data is stored in "c:\program files (x86)".

R2 – the R2 installation failed. The process could not find any SCCM installation on the server (!?!?!?), and that is because it looks at "c:\program files (x86)"!!!! I'm still trying to find a solution for that.

Share permission issue – in Windows 2003 the share permissions were "Everyone" – Full Control. The site server DP could not create a new distribution folder under SMSPKGC$; after we set the permissions the DP started to publish new packages.

Registry permissions – this problem occurs on all DP servers. I found this error message in smsexec.log: "Could not connect to the "REGISTRY" inbox source on computer PRIMARY SERVER NAME.  Sleeping for 60 seconds.  The operating system reported error 997: Overlapped I/O operation is in progress." To solve this problem, I found that none of the machine accounts had access to the site server registry. The problematic key is "HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\SMS\inbox source". The missing permissions are for the SMS_SiteToSiteServerConnection_<SiteCode> local group. The permissions should look like:


Summary: I think that if the SCCM installation folder is "c:\program files", you should think about other ways to migrate (a new site server with a new site code).
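To check the registry permission problem described above on a site server, the following added example (not from the original post) reports which access entries the SMS_SiteToSiteServerConnection_<SiteCode> local group currently holds on the inbox source key and who is in the group. It only reads; the site code parameter is an assumption you supply, and the script does not state which rights are required.

```powershell
# Added example (read-only): show the ACL entries a local group holds on the
# "inbox source" key and list the group's members. Run on the site server.
param(
    # Assumption: your own three-character site code.
    [Parameter(Mandatory = $true)][string]$SiteCode,
    # Key path as given in the post.
    [string]$KeyPath = 'HKLM:\SOFTWARE\wow6432node\Microsoft\SMS\inbox source'
)

$group = "SMS_SiteToSiteServerConnection_$SiteCode"

if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

$acl = Get-Acl -LiteralPath $KeyPath

# Local groups appear as "MACHINE\GroupName", so match on the trailing name.
$entries = @($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$group" })

if ($entries.Count -eq 0) {
    Write-Warning "$group has no access entry on $KeyPath"
} else {
    # Show allow and deny entries separately; a Deny entry overrides an Allow.
    $entries | Sort-Object AccessControlType |
        Select-Object IdentityReference, AccessControlType, RegistryRights,
                      IsInherited, InheritanceFlags |
        Format-List
}

# The machine accounts mentioned in the post get their access through
# membership in this group, so list the members as well.
Write-Output "Members of ${group}:"
net.exe localgroup $group
```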

Categories: SCCM Tags: ,

Moving SCCM server to new hardware

10/10/2010 2 comments

I needed to move a primary site server to new hardware, including a new OS version.

The old central site – Win2003 SP2 with SCCM2007 R2 SP2 (x86) with no SQL, with the SCCM provider.

The New central site – Win2008R2 with SCCM2007 R2 SP2 (x64)

The Site Database is installed on another server.

While the Site Repair Wizard supports restoring a 32-bit Operating System backup onto a site server running a 64-bit Operating System; it does not support restoring a 64-bit Operating System backup onto a site system running a 32-bit Operating System.

Microsoft has recovery information posted in their online support docs, but site recovery is still a confusing and frustrating task.

I've taken some notes for an operation to move a central site server to new hardware. (This was done using several site recoveries discussed in the SCCM forum, TechNet and the Microsoft Backup and Recovery SuperFlow for SCCM2007.)

Note! We need a functioning site server with the same setup parameters as the old server before we can start the recovery process. Somehow this isn't mentioned in any TechNet articles (at least not that I can find).

So before starting the process we need to review the original site server setup (ensure that the hardware configuration is identical – drives, names, paths, etc.).

Steps Taken

1. Take notes of the OLD server name, site code, drive layout, the SCCM install location, site server roles (SU, DPs, etc.), SCCM Provider, WSUS configuration if it exists, and SCCM hotfixes.

2. Perform a backup of SCCM2007 using the maintenance wizard.
Note: Only a site backup created using the Backup ConfigMgr Site Server maintenance task is supported for recovering sites with the Site Repair Wizard.
If you do this on a central site you must manually back up the site control file.
To start the backup manually we must start the service from the command line with "NET START SMS_SITE_BACKUP"; we cannot start it from the services console. The service writes all actions to smsbkup.log.

3. To ensure that the backup was successful, we can check the status messages of the SMS_SITE_BACKUP component.

4. Copy the Backup folder to a network drive. (You can ignore this step if you set the backup folder in the previous step to a UNC path.)

5. Stop all SCCM services on the OLD computer, shutdown the server and disconnect from network.

6. Delete the machine account for the OLD computer in AD.

7. Give the NEW OS the old server name and join the computer to the domain.

8. Add permissions in AD for the new site server.

a. Open AD users and Computers -> System

b. Right click the “System Management” and choose properties.

c. On the Security tab give the site server full control on the System Management container.

d. Open the advanced properties and change the permissions so that they apply to "This object and all descendant objects".

9. Give the machine account admin rights on the SQL server.

10. On the SQL server add the new site server machine to local administrators and remove the old site server (if applicable).

11. Add the primary site server account to the local administrators group of all secondary sites.

12. Backup the SMS_XXX DB from the management studio (just in case…)

13. Now it’s time to install the new server with the same configuration as the old one.

14. Install WSUS 3.0 (if needed.)

a. Do not use the default website.

b. During the install point it to the remote SQL server (if you use a remote SQL server to host WSUS metadata).

c. Do not overwrite the contents of the database.

d. Do not use the configuration wizard to setup WSUS.

15. Copy the backup files (steps 3-4) to the new server.

16. Install the same version of SCCM with the same SCCM hotfixes as the old server.

a. Make sure to use the same install path. (Even when you move from x32 to x64, this step is crucial for the success of the recovery procedure.)

b. If the new system does not pass the prerequisite check, double-click each item to see how to resolve the issue.

c. Create a new DB with the same site code on the SQL server. You will get an error:
The answer should be YES
(we have a backup and this is the only way to continue)

17. Add system to the SMS_SITESYSTEMTOSITESERVER_<SITECODE> local group, this group should contain any parent or child site that needs to write to the site’s DB.

18. Add users or groups to “SMS REPORTING USERS”, this group should contain any domain accounts that have reporting rights.

19. Add users or groups to “SMS ADMINS” this group should contain all users that have access to SMS provider.

20. After the setup has completed successfully run the site recovery wizard.

a. Close any opened consoles.

b. Click Start ->All Programs ->Microsoft System Center ->ConfigMgr 2007 -> ConfigMgr Site Repair Wizard.

c. Check the package verification option.


When the recovery procedure finishes, the site automatically starts reinstalling all components; this is done in the background. We can check the status of all steps in the application log or wait for the bootstrap service to end.

OK, now it's time to wait until all background processes end, at last a coffee break…..

But not for long: the site status is turning red with a lot of warnings and errors. It seems that the MP is not functioning; a little check verifies this.

http://<MP name>/sms_mp/.sms_aut?mplist

I checked the NTFS permissions on all SMS folders and it seems that something is messy here! I installed all components to the old location (c:\program files) and now several components are located in c:\program files (x86)? SCCM is 32-bit, so the reinstall process writes all new data to "c:\program files (x86)". But this is not the reason why the MP reinstallation failed. Looking closer at MPMSI.log and MPSetup.log shows that the MP fails because of an SCCM client installation on the site server. This is very odd; I didn't install any client on this computer! The client push install is off and there is no GPO for client installation!?!?!?

Now it's time to look at the notes I took before I started the procedure. I realized that I hadn't noticed that the old server had an SMS client installed. So the recovery procedure is responsible for the client installation.


I will try to remove the client and then remove the MP, reboot the server and then install the MP again.

The SMS client cannot be uninstalled; I used ccmsetup.exe /uninstall.

The MP is not removed. MPMSI.log and MPSetup.log do not show any progress!?!?!?

Did I mention that this process is frustrating?

A site reset didn't help either.

Now I’m stuck! What is my next step? I decided to perform the recovery process again.

After the recovery finished, the MP worked perfectly. I’ve successfully installed a new client, and all the basic advertisements started on the client.

SMS site status is O.K.; all site components are functioning.


Categories: SCCM Tags:

SCCM and Operating System Deployment – Task Sequence process

15/07/2010 1 comment

Operating System Deployment allows us to create operating system images and deploy those images to computers. Operating System Deployment also provides task sequences, which help smooth the progress of the deployment.

I recently needed to perform a shutdown at the end of a task sequence. The process started but never ended, and the shutdown didn't occur.
I checked smsts.log and found that the command was executed ("shutdown /t 0 /s") but OSD had suppressed the shutdown.

After some research I found that a Task Sequence prevents any "outside" operations like reboot or shutdown unless we use the built-in task.

If you wish to override this you can use the following

Categories: SCCM Tags: ,

SCCM Reports against a large collection

21/02/2010 4 comments

A couple of days ago one of my customers asked me to help him with a report problem. The report returned an error when he targeted it against a collection with a high number of computers. When he ran the report against a small collection everything was fine.

“An error occurred on the server when processing the URL.  Please contact the system administrator.
If you are the system administrator please click here to find out more about this error.”

The first thing I suggested was to change the row limit in the SCCM report.

Report Viewer in Configuration Manager 2007 limits the result set returned by a report query to 10,000 rows. The maximum number of rows that are returned when running a report query can be modified by creating a registry key and setting a value on site system computers that have the reporting point role.

Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Reporting and create a DWORD value named Rowcount, and then set its value to the number of rows that you want returned in the report query. If you want to return all rows, set the value to 0xffffffff, which is the hexadecimal equivalent of –1.

But it seems it wasn't just that; the reporting point (Windows Server 2008) needed some adjusting in the IIS role.

  1. How to Configure Connection and Command Timeout Settings.
  2. How to Configure the ASP Script Timeout Setting.
  3. And finally we needed to set the ASPBufferingLimit.

In IIS 6.0, settings are set to aggressive and secure defaults to minimize attacks due to time-outs and limits that were previously too generous. IIS enforces the following time-outs at the connection level: Limits on Response Buffering: The default value for the ASPBufferingLimit metabase property is 4 MB. If ASP scripts buffer more than this, they error out. There was no limit to buffering prior to IIS 6.0.

We changed the ASPBufferingLimit to 50Mb.

Categories: SCCM Tags: ,

ConfigMgr 2007 Console options for Non English Characters

20/01/2010 1 comment

The SMS Provider is a WMI provider that allows access (read and write) to the Configuration Manager 2007 site database.
The SMS Provider is used by the Configuration Manager console, Resource Explorer, tools, and custom scripts used by Configuration Manager 2007 administrators to access site information stored in the site database.

In multi-language Configuration Manager 2007 site hierarchies, the SMS Provider determines the installed operating system language of the requesting computer and formats data returned from the site database to the requesting computer in a matching language format. The provider is not capable of translating information from one language to another, but it is capable of providing data stored in different languages in the site database to requesting computers.

In my test environment the site database is installed on a computer with an English-language operating system, and the information stored in the site database is formatted in the same language code page. All consoles are installed on an OS with the Hebrew locale. In this case the SMS Provider would return information formatted for the English language code page instead of Hebrew, and the resulting information returned would not be readable.


To resolve this issue, change the locale of the SCCM site server and Provider to the same locale as your console clients and then use the Command Line Options for Running the Configuration Manager Console to open it with your language support.

Example: "C:\Program Files\Microsoft Configuration Manager\AdminUI\bin\adminconsole.msc" /SMS:providerlocale=040d

The locale code page IDs can be found here:

Categories: SCCM Tags: ,