A couple of years ago I created a post with the major SQL version numbers. While working with a client this morning, I realized that I had not updated it to reflect several updates that have been released since the original post. Here is an updated table of major version numbers. To see all major and minor version numbers (i.e. versions for cumulative update versions), see this post. I’m also using this post to clean up some inconsistency in how the version numbers were listed in my previous post.
| SQL Version | Version Number |
|---|---|
| SQL Server 2012 RTM | 11.0.2100.6 |
| SQL Server 2012 SP1 | 11.0.3000.0 |
| SQL Server 2008 R2 RTM | 10.50.1600.1 |
| SQL Server 2008 R2 SP1 | 10.50.2500.0 |
| SQL Server 2008 R2 SP2 | 10.50.4000 |
| SQL Server 2008 RTM | 10.0.1600.0 |
| SQL Server 2008 SP1 | 10.0.2531.0 |
| SQL Server 2008 SP2 | 10.0.4000.0 |
| SQL Server 2008 SP3 | 10.0.5500.0 |
| SQL Server 2005 RTM | 9.00.1399 |
| SQL Server 2005 SP1 | 9.00.2047 |
| SQL Server 2005 SP2 | 9.00.3042.01 |
| SQL Server 2005 SP3 | 9.00.4035 |
| SQL Server 2000 RTM | 8.00.194.0 |
| SQL Server 2000 SP1 | 8.00.384.0 |
| SQL Server 2000 SP2 | 8.00.534.0 |
| SQL Server 2000 SP3 | 8.00.760 |
| SQL Server 2000 SP3a | 8.00.760 |
| SQL Server 2000 SP4 | 8.00.2039 |
| SQL Server 7.0 RTM | 7.00.623 |
| SQL Server 7.0 SP1 | 7.00.699 |
| SQL Server 7.0 SP2 | 7.00.842 |
| SQL Server 7.0 SP3 | 7.00.961 |
| SQL Server 7.0 SP4 | 7.00.1063 |
| SQL Server 6.5 RTM | 6.50.201 |
| SQL Server 6.5 SP1 | 6.50.213 |
| SQL Server 6.5 SP2 | 6.50.240 |
| SQL Server 6.5 SP3 | 6.50.258 |
| SQL Server 6.5 SP4 | 6.50.281 |
| SQL Server 6.5 SP5 | 6.50.415 |
| SQL Server 6.5 SP5a | 6.50.416 |
| SQL Server 6.5 SP5a Update | 6.50.479 |
Over time I have talked with numerous people about where the SQL database should be for the Configuration Manager database. Where this conversation typically comes up is when a company has a DBA team that is demanding that all SQL databases be hosted on dedicated (and super powerful) database servers. These servers predominantly will host numerous SQL databases for a variety of applications. The reasoning typically falls into the following arguments:
- Licensing – We don’t want to have to pay for another SQL license, so all DBs will be on our dedicated SQL servers.
- Performance – Our crazy powerful DB servers will give better performance than what you would install locally.
- Security – We need to maintain control over the content of the DB, and the DB integrity in general. Having them on a dedicated SQL server allows us to do that in the best way.
Sounds like some good arguments right? Well…not so much. Let’s take a look at each of the three.
- Licensing – Not an issue at all. Configuration Manager 2012 licensing includes the ability to install SQL Standard…at no additional charge.
- Performance – There have been arguments for years about whether Configuration Manager performed better with remote or on-box SQL. I’ve seen people give great arguments both ways…but haven’t really seen anything definitive either direction. With Configuration Manager 2012, the recommendation from Microsoft is that SQL be local unless you hit certain size limitations. Unless you are over 50,000 clients, then on-box SQL Standard will work just fine for you. If more than 50,000 clients, then a remote SQL Standard will take you to 100,000 clients. SQL Enterprise is only necessary on a Central Administration Site supporting more than 50,000 clients. (For more info.)
- Security – THIS IS THE BIG ONE! It generally takes about a three minute conversation with a DBA before they run away from this argument. Consider the following facts and implications in a remote SQL scenario:
  - The Configuration Manager site server must be a member of the local administrators group on the remote SQL server. (See the Configuration Manager documentation.)
  - Several people who are not SQL admins will be administrators on the Configuration Manager site server.
  - It is trivial for an admin on the Configuration Manager site server to run any application (such as a CMD prompt or SQL Server Management Studio) as Local System. (See this post.)
  - Since the Configuration Manager server (Local System) has admin rights on the remote SQL server…the non SQL Admin can VERY easily obtain admin rights on the SQL server.
  - The DBA has now started sweating, twitching and begging you to keep your weird database away from his/her server. :-)
So, really the only reason to consider doing remote SQL at all is a performance issue…but you have to be a pretty big organization for that one to come into play. And even if you do need to do remote SQL…it should be a SQL server that is dedicated to Configuration Manager.
Note (12/4/2012): I was talking with a friend late in the day yesterday about this blog post. He reminded me that I had already posted about this issue last April. Thanks Phil…I’m a little scatterbrained sometimes! I’m leaving this post up anyway because it is better than the original in my opinion.
A few months ago I wrote about the great peanut butter disaster in our house…Sam’s mad dash through the house flinging peanut butter. Today was what I will now refer to as “Sam Disaster #2”.
While working from home in my office I hear my wife shriek. I quickly run upstairs where I find her in the bathroom with water running everywhere. She had sent Sam to go wash his hands while she fixed his lunch…ironically, a peanut butter sandwich. :-) Sam had washed his hands, plugged the sink, left the water running wide open, closed the bathroom door, and climbed up to the table for lunch. I honestly don’t think he was trying to be bad…he was just completely oblivious to what he had just done.
While not quite as bad as the “Wet Bandit” scene from Home Alone, it was in the same ballpark. Water all over the counter and floor. Heck…one of the drawers in the vanity had even filled up…had to siphon the water out of it to keep from making an even bigger mess. That drawer was the one that used to hold my electric razor…it was submerged. I hadn’t been planning to replace that anytime soon.
Stay tuned for Sam Disaster #3…I’m sure it will come soon enough.
A bit more than a year ago I posted about my wife and I both reaching our weight loss goals. I also stated that the goal was to be within five pounds of our target weight a year later. I never got around to posting the update when a year rolled around, so this is the year + three months update. Julie and I are both hovering right at our target weight…within a pound or two on a given day. Weight lost and maintained for more than a year! I recently had to renew my driver’s license…very cool to see the difference there…the pic below shows a twenty pound difference…but doesn’t show the extra fifteen that I had gained between those two pictures!
Got more really good news this morning. My employer had a health screening at the office. Last year I got a good cholesterol report…down from the 220 range to 179. This morning I was at 132 for my total…with my good cholesterol at 65…VERY good news!
I am off the charts proud of my 13 year old daughter Laurel! The two of us have been running together for the last six months or so. One of our goals was to run the Autumn Woods Classic 5K this October. The AWC route is a pretty tough course with a lot of hills…not a fast/flat course. Not a course that you would ordinarily choose if you are gunning for a personal record (PR). The race was this morning.
Laurel’s goal was to run in the 28 minute range. Her previous official PR was around 29:30, but she had run this route on a training run with me in about 28:30, so she knew it was possible. She crushed her previous PR. Her time was 26:10…which was fourth place in her age category (93rd finisher out of 547 total)! As her Dad and her “coach” I simply could not be more proud of her. I can’t stop smiling. I was expecting in the 28 minute range…and was completely shocked when she came across so much faster. I watched her “kick” at the end of the race…she dug deep to sprint out the end…it was very impressive.
My goal heading into the race was to finish in under an 8:00/mile pace (24:49). I met my goal by finishing in 24:25 (55th overall). As far as I can remember, that is a PR for me as well. VERY cool that we both hit personal records on the same day! This time next year, I’ll probably be fighting to keep up with her!
BTW…a big thanks to Tim Benjamin for coming out this morning and taking pictures of us before, during and after the race! Tim actually ran out on the course to take shots of us with about 3/4 mile left in the race. Then he kept running ahead of Laurel and taking shots of her over the last leg of the race. We got some awesome shots out of that.
The company I work for is in the TAP program for Lync 2013. As a result, a bunch of us have Lync 2013 and Office 2013 installed on our production computers. There are a lot of features I like…here is a very cool one. I opened up a doc that I was working on yesterday…it opens to the first page of the doc like you would expect, then a pop out balloon opens from the bottom right side of the program asking if I’d like to go back to the last page I was working on when I closed the doc. Very nice!
For a while now I have been annoyed by Java pestering me to update. Each time I went to the app in the system tray and unchecked the “Check for Updates Automatically” box. However, if you immediately went back into the app, the checkbox was still checked. Highly annoying.
I came across a forum post that answers the issue. Basically it is poor programming from Sun. In order for the setting to actually be set, the Java Control Panel has to run with Admin rights. Instead of the app prompting to elevate, it just fails to set the setting. Come on Sun…figure out how to work with a modern operating system. This has been part of the security model since Vista…and you still don’t have it figured out with Windows 8 being deployed? Get with the program!
To fix this, you will need to open the Java Control Panel with admin rights. First, locate javacpl.exe at one of the following locations:
- c:\Program Files\Java\jre<versionnumber>\bin\javacpl.exe
- c:\Program Files (x86)\Java\jre<versionnumber>\bin\javacpl.exe
Right click javacpl.exe and choose “Run as administrator”:
Go to the “Update” tab, and clear the “Check for Updates Automatically” checkbox.
The setting will actually take effect this time!
This one has annoyed me for years…need to get on my soapbox for a minute.
Let’s talk about the difference between Hardware and Software Inventory in Configuration Manager. Hardware inventory collects data from WMI and the registry. Software inventory looks at file properties. Hardware inventory runs relatively quickly and isn’t very resource intensive. Software inventory can be very resource intensive if not configured correctly. At a high level, here is what is covered by the two:
- Hardware Inventory
  - Obviously info on system information – Proc, RAM, actual hardware
  - Add/Remove Programs information
- Software Inventory
  - File information
  - Can be configured to actually collect a copy of a file. (be VERY careful!)
I have talked to numerous clients who are looking at Software Inventory to try to gather data about what software is installed…which it does not gather at all. My pet peeve is not with the way that the system is designed…I think it is a very good design. My issue is with the name. Software inventory is NOT an inventory of software. It is an inventory of FILES. A much better name would be to call it what it actually is…File Inventory.
I have seen very few companies with a real need for information on specific files. Most are simply wanting to know what software is installed on which machines…which Hardware Inventory provides. Some valid uses that I have seen include:
- Locating PST files in an effort to get rid of them.
- Locating password dump files. (Company had experienced internal espionage issues.)
The key to the valid uses of Software inventory is that they had absolutely nothing to do with installed software. They were looking for files.
I have run across this issue when installing both the Cisco AnyConnect VPN client and the “regular” Cisco VPN client. Once the client is installed and you attempt to establish the VPN connection you might get one of the following messages: “Unable to establish VPN” or “The VPN client driver encountered an error.”
The fix is really simple…you simply need to change the Display Name in the registry. Open the following registry key and take out the INF garbage at the front of the Display Name. Note that only one of these may exist depending on which VPN client you have installed…for that matter…I can’t remember the exact key for the regular VPN client…but I’m 99% sure that it is one of the second two…if the DisplayName has INF garbage in the value…that is the one.
Had a situation this week where I needed to configure IP address, IP Gateway, DNS, Subnet Mask, and DNS Suffix from the command line. Not hard once you have the commands. Putting it here as a reference for myself and others. Here are the three commands for doing this…be careful of line wrapping.
netsh interface ipv4 set address name="local area connection" source=static address=10.10.0.100 mask=255.255.0.0 gateway=10.10.0.254
netsh interface ipv4 add dnsserver name="local area connection" address=10.10.1.1 index=1
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v "SearchList" /d "domain.com" /f
I came across this while helping a client yesterday. Good post by Steve Rachui with links to TONS of info to get you up to speed on Configuration Manager 2012.
Update: This bug has been fixed with the version of MDT 2012 Update 1 that is currently available for download. Update was released on 9/19/2012.
I came across a bug in MDT 2012 Update 1 today. This has been previously reported to the MDT team. They are able to reproduce it and are working on a solution. Here are the details:
- Configuration Manager 2012 installed.
- Configuration Manager 2012 Cumulative Update 1 applied.
- MDT 2012 Update 1 installed.
- MDT/Configuration Manager integration performed.
- Attempted to create an MDT Task Sequence which failed with the following error:
Microsoft.ConfigurationManagement.ManagementProvider.SmsConnectionException: Failed to validate property
The recommendation from the forums is to roll back to MDT 2012. I have confirmed that this does in fact allow you to create an MDT integrated task sequence.
TechNet Posts on this issue:
For a long time I have been a proponent of backing up your personal data to an online location. I know many people will backup data to external hard drives…but that has always caused me concern because of the possibility of losing both the original and the backup in a fire/theft/natural disaster. Over the years I have gone through a number of different backup options and have switched for various reasons. I am in the process of switching again (the initial upload is currently taking place). For a while I was using Mozy.com because it was simple and reasonably cheap ($6/month). About a year or so ago I switched to CrashPlan from Code42.com…mainly because they were significantly cheaper. Both of these products are very easy to use and easily configurable.
My problem with them…and especially with CrashPlan is that it is a memory hog. Mozy is arguably not terrible…but it was still using approximately 70MB of RAM on my wife’s computer…while it was sitting idle. CrashPlan was a LOT worse…it was using between 250-300MB of RAM while doing absolutely nothing. That is simply unacceptable…which got me re-evaluating options again.
Earlier this year, Microsoft did an update to SkyDrive that allows a couple of new features that make it a viable personal backup solution. The key features are:
- A decent amount of free space (existing SkyDrive users could have 25GB for free…new users get 7GB free)
- The ability to purchase up to 100GB of additional space for a very reasonable price
- 20GB added to your free space is $10/year
- 50GB added to your free space is $25/year
- 100GB added to your free space is $50/year
- A desktop app to make copying to/from SkyDrive very very easy
Here is how I implemented it on my computer and my wife’s computer. (Note…do this at your own risk…if you do something wrong…or if I don’t explain it clearly…or whatever else…you take the risk on yourself. If you lose data, don’t blame me…I warned you!)
First…sign up for a Microsoft account at Outlook.com. This will get you both an email address (that you can choose to either use or not) as well as access to your free space. From there you can “Manage Storage” to add additional space. From the SkyDrive site, look in the bottom left corner and click “Get SkyDrive apps” which will take you to a page to install the Windows Desktop app. (Note that they also have apps for Windows Phone, iPhone/iPad and Android.) When installing the app, it will ask for the location to save SkyDrive files into (the default is c:\users\username\SkyDrive). Instead of accepting the default option, I chose to have it use D:\SkyDrive. I then changed all of my “special folders” (My Docs, My Pics, My Music, Favorites) to point to D:\SkyDrive\Documents, D:\SkyDrive\Favorites, etc. Now…I just save as normal to Docs/Pics/Favorites…and they are automatically uploaded to SkyDrive. Nothing to think about…nothing to configure.
To change the location of the special folders, open up the c:\users\username folder, then right click one of the special folders (like “My Music”). Flip to the “Location” tab and select “Move…”. Choose the “d:\SkyDrive\Music” folder (change to reflect where you put the SkyDrive folder). Allow Windows to move the data to the new folder. This could take a while, so be patient and let it continue.
Another way of doing this would be to use the Junction Point feature of Windows. This is basically a pointer to another folder…so you would still create the d:\SkyDrive (or wherever you wanted to put it), then create Junction Points that map “d:\SkyDrive\Music” to “C:\users\username\music”. Then anything you put in to “My Music” (which is really in the C:\users\username\music) would also appear to be in D:\SkyDrive\Music…which means it would get backed up by SkyDrive.
There are advantages and disadvantages to this backup method. Some of them are:
- Disadvantages
  - Limited storage if you have more than 100GB of data to back up. I would expect them to expand this later, but right now…you have a max of 107GB (125 if you signed up in time).
  - You have to choose one “root” folder to backup…you can’t pick various folders around the drive…although you CAN create “Junction” points to back up other folders…so this isn’t
- Advantages
  - Very low footprint…even in the height of backing up 50+GB of data, the RAM used by SkyDrive on my wife’s computer was at most 34MB…it was commonly below 30MB.
  - You have full access to the data from your computer as well as your mobile device (Windows Phone, iPhone/iPad, Android).
  - You can also configure the SkyDrive app to allow you access to the rest of your computer.
BTW…I did take a screenshot of the RAM usage while both CrashPlan and SkyDrive were running. Any wonder why I didn’t want to continue using CrashPlan?
Would love to know what goes through my son’s mind sometimes…
Yesterday I went upstairs to grab lunch and found my wife and oldest daughter on their hands and knees in the living room with baby wipes in their hands. My younger daughter was making sure that my son stayed IN the bathtub. Turns out that he had gone into the pantry, grabbed the jar of peanut butter, carried it to the living room, stuck his whole hand inside, then ran through the house shaking the peanut butter covered hand.
To say that there was peanut butter on every square foot of the path he ran is not an exaggeration. It took three of us almost an hour to just clean up the worst of the mess. Then Julie went to pick up a carpet cleaner. Many many hours of work caused by a less than thirty second mad dash of a peanut butter spraying three year old.
And I wish I had some hope that he wouldn’t do it again…but unfortunately I don’t.
I saw Jason’s post on this, and had to agree…IP Subnet Boundaries in Configuration Manager are indeed evil. Use IP Range boundaries instead!
Definitely check out Jason’s post for full info.
Very cool to see this today! Microsoft has released the initial offline help file for System Center 2012 Configuration Manager. But…better than that…it comes in three formats.
- a 13MB, 2000+ page PDF
- a 2MB, 2000+ page DOCX
- a CHM file…with an update utility!!!
If you install the ConfigMgr2012HelpUpdate.msi app, you will see the following on your Start Menu.
The first link is the help file…note that it is dated May 2012. The second is the update wizard…which presumably will keep the local copy up to date with the online version when a new offline copy is published. Very nice!
Anyone who works in enterprise IT (and with products such as Configuration Manager) needs to know how to install applications silently…without requiring user intervention. Recently I came across a web page that gives really good info on the various installation types (MSI / InstallShield / Wise / etc) and how to make them silent. It goes beyond the basics and gives background on how each of them work. The page hasn’t been updated in a while, but there is still some very good information there. This could be a good one to bookmark.
Over the weekend I got a final update on the Unknown Computer “bug” in Configuration Manager 2012 that I wrote about recently. This time the update came from John Vintzel who for those who don’t already know him is a Senior Program Manager on the Configuration Manager product team. Basic gist of the update is that they will evaluate a change in this behavior for a future release.
In my opinion (which based on conversations I’ve had I know is shared by many others), this is a necessary change. There should not be a requirement to delete an object when a system doesn’t even begin the task sequence…or when it fails early in the process. A few options for how this could be changed:
- Don’t create the Unknown object at all. (I’m guessing there is a reason behind why it exists though.)
- Create the object after the system becomes a manageable object. (probably the same as #1 though)
- Have logic built into the task sequence process that automatically removes the “unknown” object from the database if the Task Sequence fails before the system becomes a manageable object.
I have had a few discussions over the years about whether a Configuration Manager installation should include SQL “on box” or “remote”. The answer is generally “it depends”. This blog post is not going to dig into all of the reasons why you would choose either local or remote SQL…it is designed to highlight one particular security concern with the remote SQL option. Let’s think through several of the underlying components that are necessary for remote SQL to take place along with a few very common scenarios when this is the case.
- Generally a company will choose remote SQL because they want to have a beefy SQL box that is managed by their DBA team. This SQL box will commonly house several SQL databases…not just the Configuration Manager DB. Which means that any disruption on that SQL server has an impact on much more than just Configuration Manager.
- A requirement for remote SQL with Configuration Manager is that the Configuration Manager server’s computer account must be in the local admin group on the SQL server.
- Commonly there will be a number of Configuration Manager administrators that have admin rights on the Configuration Manager server.
- Commonly there will be a number of those same Configuration Manager administrators that do NOT have admin rights on the remote SQL server.
THAT is where the problem rears its head. Let’s connect all of the dots…
- Joe Admin is an admin on the Configuration Manager server…but is not an admin on the SQL server.
- The Configuration Manager server’s computer account is an admin on the SQL server.
- Joe Admin has read my article on how to run a command prompt as local system. Uh oh.
- Joe Admin uses psexec to run a command prompt (or SQL Management Studio…or regedit…or services.msc…or disk management…or whatever else) as local system on the Configuration Manager server.
- Joe Admin then connects that app (running in the “user” context of the Configuration Manager server’s computer account) to the SQL server.
- Joe Admin is now able to do anything that the Configuration Manager server’s computer account has rights to do…which is full Administrator rights…ON THE SQL SERVER!!!
- That security you thought you had…well it didn’t work so well.
Is there anything to keep Joe Admin from (either accidentally or maliciously):
- Stopping services?
- Deleting files?
- Rebooting the server?
- Jacking with the registry?
- Installing (either good or bad) software?
- Copying data off of the SQL server?
- etc (I think you get the picture.)
Now…for some people that doesn’t matter. In many smaller installations the same team is managing Configuration Manager and SQL. However…if you are that small…why take on the extra complexity of the remote SQL scenario?
For others it matters big time! I’ve had conversations with customers who cringe at the very idea that some random Configuration Manager admin could possibly gain full rights to the SQL server that other business critical databases are stored on.
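Added example, not code from the original posts: both remote SQL posts on this page describe the same chain, where anyone who is a local admin on the site server inherits whatever the site server's computer account can do on the SQL server. The sketch below takes an inventory of local Administrators membership per host and reports who is effectively an administrator on the SQL server and through which hosts. The host names, accounts and inventory are constructed for illustration.

```python
from collections import deque

# Constructed inventory (not real data): host -> members of its local
# Administrators group. Keys are upper-case host names. Names ending in "$"
# are computer accounts.
LOCAL_ADMINS = {
    "SQL01": {"CORP\\DBA-Team", "CORP\\CM01$", "CORP\\APP07$"},
    "CM01": {"CORP\\CM-Admins", "CORP\\joe.admin"},
    # APP07 is deliberately missing: nobody collected its group membership.
}


def host_of(principal):
    """Return the host name for a computer account such as CORP\\CM01$, else None."""
    name = principal.rsplit("\\", 1)[-1]
    return name[:-1].upper() if name.endswith("$") else None


def effective_admins(target, local_admins):
    """Walk machine-account memberships outward from `target`.

    Returns (admins, unaudited): `admins` maps each user or group to the
    shortest chain of hosts that gives it administrator-equivalent access to
    `target`; `unaudited` lists hosts whose computer account is in the chain
    but whose own Administrators group is not in the inventory.
    """
    admins, unaudited = {}, []
    seen = {target}
    queue = deque([(target, [target])])
    while queue:
        host, path = queue.popleft()
        if host not in local_admins:
            unaudited.append(host)
            continue
        for principal in sorted(local_admins[host]):
            via = host_of(principal)
            if via is None:
                admins.setdefault(principal, path)   # BFS: first path is shortest
            elif via not in seen:                    # also stops membership cycles
                seen.add(via)
                queue.append((via, path + [via]))
    return admins, unaudited


def indirect_admins(target, local_admins):
    """Principals that reach `target` only through another host's computer account."""
    admins, _ = effective_admins(target, local_admins)
    return sorted(p for p, path in admins.items() if len(path) > 1)


if __name__ == "__main__":
    admins, unaudited = effective_admins("SQL01", LOCAL_ADMINS)
    for principal, path in sorted(admins.items()):
        print(f"{principal:20} via {' <- '.join(path)}")
    print("indirect:", indirect_admins("SQL01", LOCAL_ADMINS))
    print("unaudited hosts:", unaudited)
```

Anything listed as indirect is an account the DBA team never granted rights to, and an unaudited host means the true list of effective administrators is unknown until that host's group membership is collected.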
Just a quick update on the potential bug that I reported a couple of weeks ago. I’ve had a few back and forth exchanges via Connect about this issue, and it is being called “by design”. They asked me how I would like for this to work and at what point I would like for the machine to become “known”. Here is my response:
Thinking through the whole scenario…it would be best if the computer is seen as "known" AFTER it becomes a manageable system (i.e. after the Configuration Manager client is installed). Until that time, it is not a system that can be managed…it doesn’t even have an operating system until just before the client install step in the task sequence.
At minimum, I would not expect the computer to be "known" until after the task sequence successfully started. In the scenario I provided (task sequence erroring out at dependency check…which is VERY common), the task sequence has not begun…it is failing during the dependency check. The computer object that is created (named "Unknown") is not a manageable object. It is however an object that will block the computer from being able to run a task sequence that would allow it to become manageable unless action is taken to remove it from the console.
The final response back from Microsoft via Connect was that this would be submitted to the Product Group as a Design Change Request.
This will be a very welcome change if it is implemented. Until then, be aware of the issue and what you need to do to fix this issue when you run into it in your environment.