WSUSpool keeps stopping and console shows reset node

I recently found myself in a situation where WSUS would only work for a few minutes or even seconds at a time. A restart or IISReset could bring it back for a few minutes but it would soon stop again. The Configuration manager console didn’t show any errors but it also could not see any new updates.

The event log contained this message:

The WSUS administration console was unable to connect to the WSUS Server via the remote API.

Eventually the fix was to increase the amount of memory available to the app pool from the default 1843200 KB – you could set this to 0 so there is no limit or to a higher sensible limit. After doing this and running an IISRESET the app pool remained running and I was able to synchronize new updates as well as service updates to clients.

To do this open up IIS and click the plus by your servername, then on “Application pools”. Next right click on WsusPool and then left click on “Advanced Settings”, then scroll down and locate the “Private Memory limit (KB)” near the bottom and edit this value to 0 or something higher.
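The same change from an elevated PowerShell prompt, as an added example that is not part of the original post: it reports the pool state and the worker's private memory against the configured limit, then raises the limit. The new limit of 4194304 KB and the function name Get-WsusPoolMemory are assumptions; the cmdlets come from the WebAdministration module installed with the IIS management tools.

```powershell
# Added example (not from the original post). Run elevated on the WSUS server.
Import-Module WebAdministration

$poolName   = 'WsusPool'
$poolPath   = "IIS:\AppPools\$poolName"
$property   = 'recycling.periodicRestart.privateMemory'  # "Private Memory Limit (KB)"
$newLimitKB = 4194304                                    # assumed value (4 GB); 0 = no limit

function Get-WsusPoolMemory {
    # Pool state, configured limit and the worker's current private memory.
    $limitKB = (Get-ItemProperty -Path $poolPath -Name $property).Value

    # The w3wp.exe worker for a pool carries the pool name in its command line.
    $workerIds = @(Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" |
        Where-Object { $_.CommandLine -like "*-ap `"$poolName`"*" } |
        ForEach-Object { $_.ProcessId })

    $privateKB = $null
    if ($workerIds.Count -gt 0) {
        $largest = Get-Process -Id $workerIds -ErrorAction SilentlyContinue |
            Measure-Object -Property PrivateMemorySize64 -Maximum
        $privateKB = [long]($largest.Maximum / 1KB)
    }

    New-Object psobject -Property @{
        Pool      = $poolName
        State     = (Get-WebAppPoolState -Name $poolName).Value
        LimitKB   = $limitKB
        PrivateKB = $privateKB
    }
}

$before = Get-WsusPoolMemory
Set-ItemProperty -Path $poolPath -Name $property -Value $newLimitKB

# A stopped pool cannot be recycled, so start it instead.
if ($before.State -eq 'Stopped') {
    Start-WebAppPool -Name $poolName
} else {
    Restart-WebAppPool -Name $poolName
}

# PrivateKB stays empty until the first request starts a new worker process.
$before, (Get-WsusPoolMemory) | Format-Table Pool, State, LimitKB, PrivateKB -AutoSize
```

A PrivateKB value close to LimitKB in the first row is consistent with the pool being recycled for hitting its memory limit.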

Task Sequence failed with error code 0x8000FFFF when deploying

When running a task sequence to deploy an operating system I received the above error which doesn’t give much away.  Reviewing the SMSts.log file there are a number of errors, all pointing to a problem partitioning the disk.

Partition 2 larger than remaining disk space. Requested partition size: 12737418240, remaining size: 11733401760.

Invalid configuration specified.  Please ensure that the task sequence is properly configured.

OSDDiskPart.exe failed: 0x8000ffff

Within the task sequence the partition step was configured to create a fixed partition size which was too large to fit on the disk.  Simply edit this step so that it uses 100% of the remaining disk space – your solution may vary from this depending on what you are trying to do with your partitions but in short this is where you need to focus your attention.


SCCM Device Collection WMI Query for computers with IIS installed

If you are looking to dynamically filter a device collection so that only machines with the IIS role enabled are included try using the query below.

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SERVICE.Name = "W3SVC"

Don’t forget you can either limit this device collection to another or create another and limit it to this collection to filter further – e.g. Windows 2012 servers with IIS installed.

WMI reset failed

Recently I have found myself in a position where I have needed to reset WMI to resolve various problems such as the SCCM client failing to install/detect and disappearing cluster namespaces.  Generally resetting WMI is a last resort and should only be tried when you have tried all other options, e.g. restarting the WMI service or restarting the server.

The command to reset the WMI repository must be run in an admin / elevated command prompt:

winmgmt /resetrepository

However sometimes this fails with this error:

C:\Users\adminuser>Winmgmt /resetrepository
WMI repository reset failed

Error code:     0x8007041B
Facility:       Win32
Description:    A stop control has been sent to a service that other running services are dependent on.

While it is possible to work around this by stopping the dependent services manually or even editing the registry so that nothing is dependent on this (as I have seen suggested elsewhere) there is a much easier solution.

1. Launch an elevated (admin) PowerShell window.

2. Enter the following command.

Stop-Service winmgmt -Force; winmgmt /resetrepository

3. Restart the computer you just reset the WMI repository on.

Upgrading System Center Configuration Manager to 2012 R2

First I would suggest you have a good read of http://technet.microsoft.com/library/gg682075.aspx as this details the compatibility between different versions of configuration manager.  Things are a lot simpler if you are only running a single server but even so it is worth a read.  It is only possible to upgrade your configuration manager hierarchy to 2012 R2 from 2012 so if you are running an earlier version you will need to upgrade to 2012 first.

There are also a number of pre-upgrade checks and tasks to complete which are detailed here: http://technet.microsoft.com/en-US/library/jj822981.aspx#BKMK_PlanningR2Upgrade I would also strongly suggest you don’t attempt an upgrade unless all site servers are showing as healthy.

Hopefully you will already have an offline copy of the 8.1 ADK to install, but if not you can download it here: http://www.microsoft.com/en-gb/download/details.aspx?id=39982 I would suggest getting the offline download going ahead of the upgrade as it is a large file and could delay your upgrade if you have a slower internet connection.

Any default collections which have been customized will be overwritten with the default collection configuration.  Either document their current custom configuration so you can re-apply it later or (my preferred method) create new custom collections and leave the default ones alone.

If you have a large Configuration Manager setup with a CAS you will need to do this server first and then work your way down the hierarchy and onto the primary sites.

I would also suggest that you check the connectivity between all of your System Center servers.  I’m sure you would notice quite quickly if you did have connectivity problems but it does surprise me how often this can be an issue.  You can use PowerShell to accomplish this, e.g.

Test-Connection -Source siteserver1, siteserver2, siteserver3 -Computername siteserver1, siteserver2, siteserver3

As documented on TechNet do backup your site SQL databases and do disable all maintenance tasks which may run while the upgrade is in progress.  These steps will help you avoid a failed upgrade and assist you in recovering from one if it does fail.  The list of maintenance tasks can be found in “Administration” > “Site Configuration” > “Sites” > Highlight your site > and click on “Site Maintenance” on the ribbon.  You can click on edit to check the schedule of a task and determine if it is likely to run during your upgrade.  I would suggest you document any changes made so that you can revert them after the upgrade.

1. Remove the Windows 8 ADK.


2. Install the Windows 8.1 ADK (see above for the download link).  You will only need the Deployment Tools, Windows Preinstallation Environment (Windows PE) and User State Migration Toolkit (USMT).


3. It is not required but I would suggest you restart the server after the ADK install to clear any pending actions as I have in the past seen upgrades fail due to this.

4. Now you are ready to run setup from the System Center Configuration Manager 2012 R2 disk.  The steps within the wizard are reasonably straightforward.  Simply select “Upgrade this Configuration Manager Site” and accept the various terms and conditions.

 


5. Next I would suggest downloading the required files to a UNC share so you can use them again for future upgrades.

 


6. Once the files complete downloading, select the required languages and then click next and review any warnings or errors from the pre-requisite checker.  If you are performing this upgrade on lower specification machines in a lab you will likely get warnings about available memory.  These can be ignored if it is not a production environment.

7. Once the pre-requisite checker is happy you can start the install.  I would go and make yourself a cup of tea, go to lunch or carry on with other work as it will likely take some time to complete.

 


8. If the upgrade is successful you can move on to the post update configuration tasks or upgrading your other primary sites but if you encountered any errors or a failure click the View log button and take appropriate remedial action.  I would suggest saving the setup log file even if you had a successful upgrade as it can prove useful later on in troubleshooting or to compare between successful and failed upgrade logs.

 


Post Upgrade Tasks

1. Upgrade any stand-alone consoles you have installed, for example on management servers or workstations.  Don’t worry about the Configuration Manager server itself, this will already be updated.

2. Either let the Automatic Client upgrade process do its stuff and keep a watchful eye on it over the next few days or manually push out the updated client from System Center.

3. Test that some of the core functionality is still working, try deploying some content and check that you are still able to PXE boot and deploy operating systems.  Sometimes it is necessary to re-create task sequences.

4. Check the boot images are 6.3.9600.16384 (or later if using a later version of the ADK) as this is required to support 2012 R2 and 8.1 deployments.  If not just create and import new boot images.

5. All your remote sites should have been upgraded as well, check that they are still working correctly and if not check your sitecomp.log file.

Configuration Manager 2012 Inventoried software: No items found

It seems to be a fairly common occurrence:  SCCM 2012 is up and running, you have even pushed the client out to all your computers but for some reason the “Inventoried Software” page is empty and stays empty despite waiting long enough for the schedule to have completed several times over.

First make sure that software inventory is enabled in your client policies; it should be by default.  Next make sure that inside “Hardware inventory” you have ticked the various software classes.


 

Once this has been added it is simply a case of waiting for the policy to apply and for the inventory schedule to collect the necessary information.  I find the default 7 day cycle absolutely fine for everyday use, but a pain if you have just made a change and want to see quick results.  It is possible to force an inventory cycle for an individual client/computer by running ccmsetup.exe /uninstall and then re-installing the client.  If this works and the installed software is displayed for this one machine then you should be OK to simply wait and let the other clients roll in as scheduled.  If you want/need more instant gratification and features give this tool a go: https://sccmclictr.codeplex.com/

If you have checked the Agent policy as above but you still aren’t getting results, it is also worth checking the InventoryAgent.log for SMS_InstalledSoftware and related errors.

System Center 2012 – Inside the Private Cloud

My three favorite parts of the System Center suite are Configuration Manager, Data Protection Manager and Endpoint Protection.  These three products work well at making most of the chores of running an IT environment lighter.

 

Configuration Manager & Endpoint Protection

This is, in my opinion, the flagship product of the System Center Suite.  Management of servers, workstations and even mobile devices is completed here and with Service Pack 1 an impressive list of operating systems and devices is supported including Linux and Mac OS.  The mobile device manager has now been brought into Configuration Manager as well.  It is also within Configuration Manager that you should deploy and manage Endpoint Protection.  Endpoint Protection was formerly known as Forefront Protection, and I really hope this product continues being supported and isn’t eventually dropped like other Forefront products have been, such as TMG. If you are lucky enough to have the Standard or Enterprise CAL already (and you really should if you are looking at System Center) then it might be that you can save a fair bit of money by ditching your current antivirus vendor and moving to Endpoint.

Typically in the past I would have used standard windows deployment from a share or USB volume or another vendor’s solution such as Ghost as the configuration manager effort wasn’t always worth the reward.  Deployments are now a lot easier and when tied with a decent collection of drivers and task sequences it is simple to quickly cater for a new situation or model of desktop or server.

 

Data Protection Manager

In my experience no backup solution is perfect and generally each has its strength and weaknesses.  With the 2012 iteration of Data protection manager the Microsoft offering is looking to be more of the former and less of the latter.

DPM is great at backing up Microsoft's own products and applications and I have been using it to back up nearly 2TB of Exchange data and a large SharePoint Farm as well.

DPM offers many of the features an enterprise backup solution should, such as continuous protection, differential and incremental backups as well as disk to disk and disk to tape backups.  I feel that it is only in the scheduling and retention options that DPM starts to fall down.  Typically I like to keep daily data for a month, weekly data for 2-6 months, month end for 2 years and year end data for even longer but unfortunately the retention and scheduling options don’t really cater for this approach; you simply have a hard limit on how long you can retain backup data with disk to disk used for short term and a second schedule for long term tape backups.  This leads to me using a different product to perform end of month backups simply so that I can keep them for longer than the other tape backups.

Generally DPM performs very well and can perform backups in shockingly fast order but it can have a tendency to occasionally mark replicas as bad or fail a snapshot only for it to succeed later without issue.  Quite possibly a quirk of the environment I have evaluated it in but something which seems to happen with other solutions a lot less often.  Also on upgrading on to sp1 be prepared to check the consistency of every replica and build the time taken for this into your upgrade plan.

Service pack 1 is definitely worth the upgrade as it sees a number of feature improvements such as support for deduplicated volumes and is the final piece in the puzzle to getting dedupe working on cheap hardware.  With Windows Server 2012 and Data Protection Manager you can use deduped volumes without the need to buy expensive storage solutions and licenses.  The useful extra features don’t end there, Cluster shared volumes can now be backed up as well as continuous protection of Hyper-V guest machines even while they are being live migrated.

 

Virtual Machine Manager

Virtual Machine Manager is to Hyper-V as vCenter Server is to VMware.  VMM is the only real additional software cost you will have to bear if you want to use a full Hyper-V clustered solution. (God help anyone who wants to manage a large cluster of Hyper-V hosts as individual servers.) The thought obviously being that if Microsoft gives you the hypervisor for free you won’t balk at paying for the management tools and I expect a good number of people will buy the System Center Suite simply to be able to run Virtual Machine Manager.  If this sounds like you I hope you at least try the other parts of the System Center suite as they are worth a good look.

 

Orchestrator

Orchestrator is the centre point of the System Center suite and ties all of the other products together to make an intelligent workflow based automation solution.  It is based on software Microsoft acquired when it purchased Opalis back in 2009.

Orchestrator makes sense in the larger environments or when a requirement for automation is present such as in managed hosting.  It will likely be less use in smaller environments as the time taken to configure and automate tasks won’t have quite the same payback.

With Orchestrator it is possible to automate almost anything from deploying VMs through to recovering from an error condition in a service.  You can even find Integration packs from various vendors which lets you control and automate them from Orchestrator.

 

Operations Manager

Operations Manager is Microsoft's monitoring and alerting system and in the latest version it does a lot more than peer into event logs and give you a huge list of errors.  As with the rest of the System Center Suite, Service Pack 1 introduces support for Linux which enhances the appeal of Operations Manager a little and the list of supported applications and devices seems to be constantly growing as well.  No doubt pure Linux environments will be running Nagios or something similar but for mixed or pure Microsoft environments Operations Manager is definitely one of the best out there.

 

Service Manager

Service Manager is the System Center component I have spent the least time looking at.  It is hard to get excited about help desk solutions, especially when so many spend so long logged into them.  Possibly the best feature of Service Manager is the auditing and reporting.  If correctly configured with Orchestrator, Service Manager can help you to identify why problems are occurring or when changes were made which could have contributed to an issue.  Service Manager doesn’t feel like the kind of product people would buy on its own, but if you have already paid for the full System Center suite you would have to be silly not to at least try it and as with all of the other solutions mentioned here, generally the longer you use them, the more you come to realise how powerful they are.

 

Unified installer

There is a unified installer which is great for quickly deploying the whole System Center Suite and you can read all about my experience here.  I also urge you to click through some of the categories above for more System Center related posts.

SCCM 2012 Client Package waiting for prestaged content

Clients local to the SCCM site (or all clients for a single site install) fail to deploy the client and the distribution status shows “Distribution Manager is waiting for Package XXX00001 content to be prestaged on the distribution point”

This is a strange one which can crop up after an upgrade to SP1 or on a fresh install.  It doesn’t appear to be possible to distribute the content manually as the client package is a system one and the option is not available.  A workaround is to navigate in to Administration, highlight the affected server and right click on the distribution point site system role and then properties.  Simply deselect the “Enable this distribution point for prestaged content” option.

 

Next locate the package in the software library and click on “Update Distribution Points.”  The client should now succeed in distributing and it is safe to re-enable the distribution point for prestaged content if required.


System Centre Operations Manager Release Candidate Setup

Following on from the unified installer for the Microsoft private cloud, the System centre operations manager installation failed and I decided to attempt the installation myself.

Once you have a suitable server setup with windows 2008 R2 the first step is to install the .NET Framework 4, report viewer and all the required IIS roles:

IIS6 Metabase Compatibility role service.
ASP.NET role service.
Windows Authentication role service.
Static Content role service.
Default Document role service.
Directory Browsing role service.
HTTP Errors role service.
HTTP Logging role service.
Request Monitor role service.
Request Filtering role service.
Static Content Compression role service
IIS Management Console role service.

Even with all the correct roles and prerequisite software installed the validator will still throw up a couple of problems.

 

You will need to load the IIS Manager and open the ISAPI and CGI Restrictions properties and change the deny to an allow for the ASP.NET v4.0.30319 line.

 

In addition to the above if you installed the .NET 4 framework before the roles you will get an error message: “The ISAPI and CGI Restrictions are disabled or missing” on validating the pre-requisites and will need to run the following command in a cmd window to resolve the problem.

%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -r

If all is well the command window should look like this:

 

Now setup should allow you to proceed and select whether to add a management server to an existing management group or create the first management server in a new management group.  I, like most people playing with the release candidate, chose the latter.

Next you are prompted to supply the SQL server details.  In my environment the failed unified installer attempt had left a default SQL instance installed which appeared to be unsuitable as the installer complained I was missing the “Full text indexing” features required.  I had used the SQL 2008 R2 Express media which does not include this option (and according to TechNet is not on the list of supported SQL versions) so my next steps were to remove the currently installed SQL instance and install a full fat version of SQL 2008 R2 Standard with the full text indexing and reporting services options.  In a production setup you may well choose to create a new database on an existing server but for the purposes of evaluating this I selected to have a local instance of SQL installed as it makes cleaning up this install later a lot easier as I can just destroy the VM.

With the advanced services options installed the operations manager setup wizard will allow you to continue and adjust the configuration of the operational database (although I just left these at the defaults)

 

On clicking next you should see a similar screen for the datawarehouse database.  Again I accepted the defaults and continued on to choose the reporting services instance I installed earlier with SQL 2008 R2 Standard (don’t forget to run the Reporting Services configuration manager and start the SQL Server agent service)

 

Next it is time to choose which IIS site to use for the web console.  In a production environment it would be prudent to configure a new site and setup SSL however I am sticking with the default website for now.

 

Next you are prompted to select an authentication mode for use with the web console.  I selected Mixed Authentication as it will be an entirely private deployment for evaluation/testing purposes only.

After selecting the authentication mode you are prompted to supply some domain account/s for the various roles to use.  I created a single user for this purpose however it would be advisable to separate the data and management accounts so you can fine tune the permissions they are granted.

 

After this step you can choose to opt-in (or not) to the various customer experience improvement programs.  I chose not to as this machine has no Internet access anyway.

Finally you are presented with a page full of the various configuration options set in the previous steps.  If all looks well click install, go grab a tea/coffee and you should be able to return to an installed SCOM 2012.

 

Next I will work on getting a few servers monitored and start evaluating what is available in SCOM 2012.

Evaluating the Microsoft Private Cloud with the System Centre 2012 Unified Installer

After reading a lot about Hyper-V and attending an IT Camp at Microsoft I really wanted to give the new SCCM 2012 a closer look and at the same time get better acquainted with Hyper-V and other related upcoming Microsoft releases such as Data protection Manager and Service Manager.

Getting all the installation files and pre-requisite software downloaded

Sign up and download all the installation files here: http://technet.microsoft.com/en-us/evalcenter/hh505660 (6.6GB) and in addition to this you will need all of the pre-requisite software which is listed here: http://technet.microsoft.com/en-us/library/hh751268.aspx  I went through a fair bit of trial and error to get the set-up utility to detect all of the installation files and I recommend making sure to extract each of the products into their own folders.  Don’t put all of the products in one folder or share folders as if the installer doesn’t recognize one of the paths/files you won’t be able to tell which one (plus it’s messy and you might end up overwriting files).  I would also suggest you do the same for all of the pre-requisite software.  Also don’t forget to extract all of the zip/exe/iso files as the unified installer won’t read them otherwise.  I found WinRAR invaluable for this.

 

Preparing the installation environment and servers

To get all the products installed you need at least 8 servers (physical or virtual) with a minimum of 2GB of RAM each.  I set all mine up on a single Hyper-V host as it’s only for testing purposes and I don’t have loads of servers spare for development/testing work.  I would also suggest using a sensible naming convention or it can get pretty confusing quite quickly, and bear in mind that the server you choose to initially run the set-up on will become the Orchestrator server.

Aside from the base windows 2008 R2 operating system all the machines need to have a few things configured before they are ready for deployment.  To avoid duplication I made sure all of the servers were in a single OU and created a policy to apply the customizations for me rather than individually configuring the local policy on each host.

Computer Config \ Administrative Templates \ System \ Credentials Delegation \ Allow Delegating Fresh Credentials
Set to = Enabled
Server = WSMAN/*

Computer Config \ Administrative Templates \ System \ Credentials Delegation \ Allow Delegating Fresh Credentials with NTLM only server Authentication
Set to = Enabled
Server = WSMAN/*

Computer Config \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Client \ Allow CredSSP authentication
Set to = Enabled

Computer Config \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Client \ Trusted Hosts
Set to = Enabled
TrustedHostList = *

Computer Config \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Service \ Allow Automatic Configuration of listeners
Set to = Enabled
IPv4 filter = *
IPv6 filter = *

Computer Config \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Service \ Allow CredSSP authentication
Set to = Enabled 

Computer config \Administrative Templates \ Network \ Network Connection \ Windows firewall \ Standard Profile \ Windows firewall Protect all network connection
Set to =  disabled

I then went round each server and ran a gpupdate to ensure they all applied the new policy before I attempted to run the unified set-up.
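A read-only check of the policy values listed above, as an added example that is not part of the original post: it reads the registry locations these Group Policy settings write to and reports which hosts still carry the wildcard or disabled values, for instance after the evaluation GPO has been unlinked. The function names and the LabValue column are hypothetical names chosen for this example.

```powershell
# Added example (not from the original post): read-only audit of the lab policy values.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft'

function Get-PolicyValues {
    # Every value stored under a policy key, or nothing if the key is absent.
    param([string]$Path)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    return @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

function Get-PolicyValue {
    # One named value, or $null when the policy is not configured.
    param([string]$Path, [string]$Name)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null)
}

function New-Finding {
    param([string]$Setting, $Value, [bool]$LabValue)
    New-Object psobject -Property @{ Setting = $Setting; Value = $Value; LabValue = $LabValue }
}

$findings = @()

# CredSSP delegation lists: each value under the subkey is one permitted SPN.
foreach ($list in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $spns = @(Get-PolicyValues "$pol\Windows\CredentialsDelegation\$list")
    $wild = @($spns | Where-Object { "$_".Contains('*') }).Count -gt 0
    $findings += New-Finding "CredSSP delegation: $list" ($spns -join ', ') $wild
}

# Single-value settings; Lab is the value the policy list above sets.
$scalars = @(
    @{ Setting = 'WinRM client: AllowCredSSP';     Key = 'Windows\WinRM\Client';  Name = 'AllowCredSSP';     Lab = 1 },
    @{ Setting = 'WinRM client: TrustedHostsList'; Key = 'Windows\WinRM\Client';  Name = 'TrustedHostsList'; Lab = '*' },
    @{ Setting = 'WinRM service: AllowCredSSP';    Key = 'Windows\WinRM\Service'; Name = 'AllowCredSSP';     Lab = 1 },
    @{ Setting = 'WinRM service: IPv4Filter';      Key = 'Windows\WinRM\Service'; Name = 'IPv4Filter';       Lab = '*' },
    @{ Setting = 'WinRM service: IPv6Filter';      Key = 'Windows\WinRM\Service'; Name = 'IPv6Filter';       Lab = '*' },
    @{ Setting = 'Firewall standard profile: EnableFirewall'; Key = 'WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Lab = 0 }
)

foreach ($c in $scalars) {
    $value = Get-PolicyValue "$pol\$($c.Key)" $c.Name
    # A missing value ($null) means the policy is not configured and is not flagged.
    $findings += New-Finding $c.Setting $value ($value -eq $c.Lab)
}

$findings | Format-Table Setting, Value, LabValue -AutoSize
```

A row with LabValue set to True means that host is still applying the corresponding value from the list above.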

 

Running the unified installer

On running the unified set-up and selecting the products you are evaluating (I wanted to try all of them) you are prompted to provide a path to each of the installation files you downloaded earlier.  (I bet you are glad you downloaded and extracted each of the products/pre-requisites into their own folders now.)  If all is well it should be a simple exercise of browsing and selecting each of the folder paths created earlier.  Don’t be surprised if it doesn’t recognize one of the paths or files; just make sure you have the right product/version and it’s extracted.  Even the iso file for the Windows Automated Installation Kit needs to be extracted so it’s just a normal folder full of files.  (UNC or local path names are both OK.)

 

Once you have completed both this screen and the pre-requisites page that follows it you can select what account you wish to use as the installer account.  I created my own domain user for this but you can use any user account which has the required permissions.  Following this you can configure other options such as site name etc. and finally you are presented with an install button.  Sit back and watch the progress bars.