SCCM 2007 R2: Installation on Windows Server 2008 - AD Preparation

SCCM 2007 R2: Installation on Windows Server 2008 - AD Preparation

To be able to install SCCM 2007 R2 we need to fullfill some pre-requisites and implement some best practices. In this article I will describe those two relartion to Microsoft Active Directory.


1. Active Directory Preparation

To have a save environment for SCCM 2007 R2 as well as for SQL Server 2005 it is a best practice to create server accounts. These accounts need to be created and will be used during the installation of SQL Server 2005 and SCCM 2007 R2. These accounts will have to be high secure as they will have "Domain Admin" permissions form within the Active Directory

1.1 Active Directory Users and Computers
Within the “Active Directory Users and Computers” snap-we need to create two groups. In this article we also create two new active directory OU's in which we will place the to be created accounts and groups.

1.1.1 Admin OU's
The creation of Ou's within the "Active Directory Users and Computers" snap-in:
Select with a right click the root of the domain and select the option: %Domainname%\New\Organizational Unit

From the wizard that appears enter the following value: Admin Groups

Click on à OK to actually create the OU

Repeat the steps but now create an OU with the value: Admin Users

1.1.2 Admin Groups

The creation of Admin Groups within the "Active Directory User and Computer" snap-in:
Select with a right click the the OU named “Admin Groups” en select the option: %Domainname%\New\Group

In the wizard that appears enter the follwing values:

Group Name: SQL-Admins
Group Name (pre-Windows 2000): SQL-Admins
click on à OK to actually create the “Group”
Repeat these steps but now create a group with the values:

Group Name: SCCM-Admins

Group Name (pre-Windows 2000): SCCM-Admins
This will result in having the two groups created:

1.1.3 Add the "Admin Groups to the “Domain Admins” group

To have the correct permissions for user accounts member of the Admin Groups we will add the newly created groups to the "Domain Admins" group.
In the OU “Users” the group “Domain Admins” with a right click and select the option "Properties”

In the properties screen select the tab “Members”

Click “Add” to add the created groups:

· SCCM-Admins

· SQL-Admins
Click on à OK to save changes

1.2 Admin Accounts
Within the installations of SCCM 2007 R2 and MS SQL 2005 we will use admin accounts to be able to logon and manage the different systems therefore we create two accounts. These accounts will have "Domain Admin" permissions as these will be added to the previously created groups. This means that the password used for these accounts will have to high secure.
Creation of the "Admin Accounts” for SCCM 2007 and SQL Server 2005 from within the "Active Directory Users and Computers" snap-in:
Select the OU named “Admin Users” with a right click and select the options: “Admin Users”\New\User

In the wizard that appears enter the following values:

First Name: SQL
Last Name: User
Full Name: SQL Admin
User logon name: SQL-Admin
User logon name (pre-Windows 2000): SQL-Admin
Click on à Next

Enter the password for this user and select the option:

(X) Password never expires
Click on à Next
Click on à Finish to create the account.
Repeat these steps to create anbother account with the following values:
First name: SCCM

Last name: Admin
User logon name: SCCM-Admin
User logon name (pre-Windows 2000): SCCM-Admin

1.2.1 Group Membership "Admin Accounts"
The created accounts will be added to the correspondig groups also created. It is a Microsoft best-practice to assign permissions to groups instead of single user or computer accounts.
Add the "Admin Accounts" to the correct groups:
Open the properties of the group "SCCM-Admins"
Select the tab “Members”
Click on    -- Add to add the follwoing accounts:

SCCM-Admin

· %Computername% of the computer that will be deployed as the SCCM 2007 R2 Server
Click on à OK to save your changes
Open the properties of the group "SQL-Admins"
Selecteer the tab “Members”
Click on à Add to add the following account:

· SQL-Admin

Clik on à OK to save your changes
This concludes the preparation within Active Directory so far. Later, during the installation of SCCM 2007 R2, we will return to do some more AD Preparation. The created groups and user accounts can now be used within the installation of SQL Server 2005 and SCCM 2007 R2.

The Configuration Manager Documentation Library Update for October 2010 is now live on the web

Coming from the System Center Configuration Manager documentation team is news that the Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web with updates from September and R3 content in October. Topics that were updated for September have Updated: September 1, 2010 at the top of the topic and topics that were updated or created for R3 have Updated: October 14, 2010 at the top of the topic.

There will be a new version of the help file available for download with the Help File Updater soon - stay tuned.
-For all the details including What's New in the Configuration Manager Documentation Library for September 2010 see :
http://blogs.technet.com/b/configmgrteam/archive/2010/10/20/announcement-configuration-manager-documentation-library-update-for-october-2010.aspx

-Documentation:
http://blogs.technet.com/b/configmgrteam/archive/tags/documentation/

Configuring SCCM and Branch Cache

Branch cache is a feature introduced with Windows 2008 R2 that allows systems within the same subnet and separated from a content source (such as a WSUS server) to share downloaded content locally rather than each system having to traverse a latent network link back to the content source. Branch cache has two modes of operation – distributed cache mode and hosted cache mode. SCCM only supports distributed cache mode.


As mentioned, branch cache is a function of the OS and not of SCCM but, with the release of SCCM SP2, we now are able to leverage branch cache on enabled servers. When we find branch cache enabled we use it – there is no special SCCM configuration requirements for branch cache other than what is likely in se in most environments anyway. We will highlight those shortly but to start a diagram of a sample configuration might help explain how this is all setup.

In the diagram we have 4 systems. The SCCM SP2 site server, an SCCM distribution point being hosted on a Windows 2008 R2 server that has branch cache enabled and two client systems – one server and one workstation. We have mentioned already that to support branch cache we need to use a Windows 2008 R2 system – but what about clients? From the diagram note that branch cache is supported natively on Windows 2008 R2 and Windows 7 – and with the addition of BITS 4.0 clients can also take advantage of branch cache on Vista SP1 and Windows 2008 SP1/SP2.


The diagram shows how SCCM works with branch cache. The first time content is requested from the distribution point the client has no choice but to retrieve it across the latent network. Once retrieved the content is stored by branch cache. When the second client attempts to retrieve the content it detects a latent network and sends out a request for any peers with the content. The first client responds and serves up the content thus avoiding the need to pull it across from the distribution point.

OK, so we have the general concept of how it works – so how do we set it up? It’s fairly easy. First, what are the requirements in SCCM to make use of branch cache. We need our distribution point to be installed on Windows 2008 R2 and to be BITS enabled.

The only other requirement is that your advertisement be set to download and execute locally.

Both of these settings are common in most environments and are all that is required on the SCCM side. There is no selection in SCCM to ‘enable’ branch cache – with the settings above it just happens.


So how do we configure branch cache on the OS side? Just a few settings to configure. First we need to enable branch cache – let’s start with the distribution point. In Server Manager, select features and add the branch cache feature. There is no configuration here – the feature is either on or off. Once installed you will see it in the feature list.

Next, we have to configure branch cache on our clients. This can be done through local policy on each system or – much easier – through domain policy. On my domain controller I open the group policy management console. In my lab I created an OU for just the systems I want to enable for branch cache and I created a GPO to enable branch cache.

Editing the properties of the GPO we have two places to configure. First, is branch cache policy. Here we enable branch cache, set distributed cache mode, define the speed that we consider to be a latent network (default 80 ms) and configure the percentage of disk space to allocate to branch cache activity.

Note that the one option we did not configure was to enable hosted cache mode. Why? Remember, SCCM only supports distributed cache mode so, for SCCM, there is no need to enabled hosted cache mode.

A word about hosted cache mode. The OS documentation that discusses branch cache discusses both modes of operation and discuses steos to configure SMB file transfers through branch cache. To me, the documentation is a bit fuzz. From what I can tell, configuring branch cache to support SMB requires some additional configuration on the content server – such as enabling a role service called ‘branch cache for network files’ and configuring specific shares to support branch cache using the ‘share and storage management tool’. Since SCCM uses branch cache via BITS there is no need to do this additional configuration to support SMB.

In addition to the above we must configure the windows firewall to allow branch cache specific communication as follows:

Both the inbound and outbound firewall rules are accessible on the predefined list – so configuring them is as easy as selecting from the drop down menu when configuring a new rule.

OK, so all of this is configured – how do we know if it’s working? To test, I setup a package and advertisement. When testing it’s important to understand that once the package is downloaded and cached, you have to either modify the content or setup a new package because unless there is a change, clients will always pull the content from the cache after the first download due to the latent network conditions.

For the test, I start with a fresh package. The client that will download the content first will have to go to the distribution point – nothing will come from the cache since no content has yet been downloaded.

With all of this I’m ready to start the download but to simulate a latent network in my lab I must first start a tool that will ‘inject’ latency into the network connection between the distribution point and my first client. I’ll use a tool we have internally to introduce a 30 ms latency – I will maintain this latency throughout my testing. Note that my policy settings above consider any network more latent than 20 ms to be slow.

With all of this configured, I start my advertisement which initiates a download of content.

At the end of the download I run the advertisement and then move on to my second machine. This second machine is where we expect to see branch cache in action.

I prepare to run the same advertisement on the second machine – note you can tell that this advertisement has never been run before on my system – which is important when testing branch cache.

I’m about to hit run but how can I tell whether branch cache actually fires up? Performance monitor. With performance monitor you can determine whether content is being transferred from the local branch cache or from a branch cache partner vs. the network. The chart below shows a chart of perfmon counters that you get from the branch cache object. The two most interesting are the Bytes from cache and Bytes from server. If content is being retrieved from either a systems local branch cache or a peer systems branch cache, that counter will show activity. In our test case and on the second system, no content for this advertisement has ever been downloaded before so we expect content to be retrieved from our peer client that is branch cache enabled.

We initiate the advertisement as before and downloading begins.

We allow the download to finish, complete the advertisement and then look back at our performance counter numbers to see what happened.

By looking at our counters we can see that we did pull the content from our peer caching partner – so branch cache worked.

Another way we can tell that our package came over from branch cache is by looking in the event log on the system as show below. Look for event 60 and on the detail tab look for the peerProtocolFlags value. If it is set to 1 then branch cache was used to deliver the content. Thanks to my colleague Frank for the tip!

Branch cache is just one more option available to administrators to help deliver content to clients efficiently and reduce load on the network. It’s not difficult to setup and offers notable performance advantage – defiantly worth taking a look.

Microsoft System Center Configuration Manager (SCCM) Dashboard

System Center, in particular Config Manager aka SCCM, is becoming more and more popular with customers and clients at work. People looking to start enhancing and automating tasks such as OS deployment, app distribution, patch management etc as well as those who’ve started down this path, often with Altiris, and are now looking for a more rounded solution, are all asking for/happy to listen to information about SCCM. There’s more info on SCCM as a product here but in this post I specifically want to talk about the Dashboard that’s in beta.




About the Dashboard

System Center Config Manager Dashboard’s aim is to make it even easier for IT administrators to access and digest key information about their network and infrastructure, quickly and effortlessly even when not at the Management Console. The Dashboard lets you:



Track OS & App deployments

Track Security updates

Check the health status of computers

Check compliance with IT regulations

all via a customizable web interface. It’s based on Windows Sharepoint Services (WSS) so it’s key features include:



•Easy access to key information without using the Configuration Manager console

•Centralized view of Configuration Manager data sets

•Data can be viewed in graph, table, or Dundas* gauge formats

•You can create custom dashboards for different departments, based on site user’s group membership.

*I will try and confirm is this is limited to Dundas or whether SAP’s Crystal Xcelsius can be used here too.



Join the Beta Program

Sign up to the English only Beta here.



How it works:

Here’s a great diagram from the technet site:

The Process Flow goes a little something like this:



•An IT Service Manager requests a new data set.

•The IT Administrator uses the Dashboard Configuration Web Part to define the new data set.

•The IT Administrator stores the configuration information for the new data set (the information is saved in the Windows SharePoint Services Content database).

•The IT Administrator adds a new copy of the Dashboard Viewer Web Part to the default Configuration Manager Dashboard and then modifies the Web part to display the new data set.

•The IT Service Manager browses to the Configuration Manager Dashboard site.

•Windows SharePoint Services queries the Configuration Manager site database as specified by the data set configuration.

•Windows SharePoint Services renders the new data set using the Dashboard Viewer Web Part.

The Technet page is here:



http://technet.microsoft.com/en-us/library/ff369719.aspx

Windows 7 Lite Touch Image Build Using Microsoft Deployment Toolkit

Preparing the Environment

To follow along through this walkthrough, make sure you have the following environment (or something similar) set up:

• Reference computer to build the Windows 7 install. 
• Technician computer with MDT 2010 and Windows AIK 2.0 installed.

Creating a Deployment Share

Open the Deployment Workbench on your technician computer, then right-click on the Deployment Shares node and select New Deployment Share. The New Deployment Share wizard starts. Click the Browse button and create a folder named DeploymentShare$ in the root of your disk volume:

Click Next and the share name will automatically be populated and the UNC path to the share will be displayed:

Click Next and give your deployment share a descriptive name:

Click Next and choose whether you want to be able to capture an image after deploying it to a computer. We will leave this option enabled so we can use it if we deploy a reference (master) computer and capture its image for deployment onto multiple target (end-user) computers:

Click Next and specify whether the user should be allowed to set the password for the local Administrator account on their computer. We'll leave this option unchecked:

Click Next and specify whether the user should be asked to enter a product key. We will leave this unchecked because we are deploying Windows 7 Enterprise, which means that activation is typically performed using Key Management Service (KMS):

Now finish the wizard and review the Confirmation page to ensure everything was done as expected. Figure 7 shows the newly created deployment share and its folder structure in the Deployment Workbench:

Configuring the Deployment Share

To add an operating system, right-click on the Operating Systems node in the deployment share and select Import Operating System. This starts the Import Operating System Wizard. On the first page of the wizard, specify that you want to import a full set of source files:

Insert your Windows 7 Enterprise product media into the DVD drive of your technician computer and browse to select the DVD:

Click Next and the wizard skips ahead to the Destination page. Specify a descriptive name for the folder where the source files will be imported to on your technician computer

Finish the wizard. The import process may take several minutes to complete. Once it is done and you select the Operating Systems folder in your deployment share, the imported OS is displayed.

 

At this point you would add out-of-box drivers, packages and applications to your deployment share as needed.

Creating a Task Sequence

Now let us create a task sequence. A task sequence is a series of steps that are performed during deployment. We want to create a task sequence that will install Windows 7 Enterprise onto a bare-metal target computer. To do this, right-click on the Task Sequences folder in your deployment share and select New Task Sequence. This launches the New Task Sequence Wizard. On the first page of the wizard, specify a task sequence ID (no spaces), task sequence name, and comments as desired:

Click Next and select Standard Client Task Sequence from the list of available task sequence templates:

 Base the new task sequence on the Standard Client template

Click Next and select Windows 7 Enterprise, which is the only imported OS at this point:

Click Next and select the option to not specify a product key in the task sequence:

Do not specify a product key in the task sequence when deploying volume-licensed media and using KMS activation

Click Next and specify the name of the user who will be using the computer and your organization name and website/internet:

Click Next and specify a password for the local Administrator account on the target computer:

Finish the wizard. The new task sequence is displayed in the Task Sequences folder of your deployment point:

Updating the Deployment Share

Now we need to update our deployment share. Updating a deployment share does several things, one of which being the creation of customized version of the Windows Preinstallation Environment (Windows PE) that can be used to deploy the operating system using the task sequence. Specifically, updating the deployment share in this example creates the following Windows PE images in the C:\DeploymentShare$\Boot folder on your technician computer:

• LiteTouchPE_x64.iso – Used to manually deploy Windows 7 Enterprise x64 onto a bare-metal system.
• LiteTouchPE_x64.wim – Used to deploy Windows 7 Enterprise x64 onto a bare-metal system using Windows Deployment Services.
• LiteTouchPE_x86.iso – Used to manually deploy Windows 7 Enterprise x86 onto a bare-metal system.
• LiteTouchPE_x86.wim – Used to deploy Windows 7 Enterprise x86 onto a bare-metal system using Windows Deployment Services.

To update your deployment share, right-click on it and select Update Deployment Share. This launches the Update Deployment Share Wizard:

Leave the default options selected and finish the wizard. It may take some time to create the Windows PE images on your technician computer. Once the wizard finishes, burn the LiteTouchPE_x86.iso file onto a CD as you will need it to deploy Windows 7 Enterprise x86 onto your target computer.

Note:
On the Confirmation page of this wizard (and on all MDT 2010 wizards) there are two buttons:

• Save Output – saves the output of the wizard to a text file (actually it's better to save it as .rtf as it's more readable that way).
• View Script – displays the underlying Windows PowerShell commands that are executed by the wizard.

As an example of the second, the View Script output from the Update Deployment Share Wizard looks like this:

Add-PSSnapIn Microsoft.BDD.PSSnapIn
New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "C:\DeploymentShare$"
update-MDTDeploymentShare -path "DS001:" -Verbose