Microsoft Management Summit 2008
I totally forgot to post this a few weeks ago…I was pretty much laser focused on SCCM implementation at the time…but I found out that I am going to get to go to MMS this year! I went to MMS in 2006 and 2007 in San Diego, and it is hands down the best technical conference I have ever been to. I was concerned because our training budget got slashed this year, but I was able to persuade those who control the $$$ that this is critical to the success of some of the direction that we are heading. Basically I know that I am weak in a couple of areas that we are going to be rapidly moving into, and I will be able to get excellent instruction in these areas at MMS.
To say that I am excited is an understatement. I’m not all that enthusiastic about where it is being held this year (Vegas), but I will get access to probably the best training available, and will get to spend time with a couple of really good friends as well.
Silent VPN Auto Installer
Years ago a co-worker worked on creating an EXE that we could distribute that would set up a VPN connection for our users in an unattended fashion…no user input other than to click “Yes” and to acknowledge the completion notice.
Well I’ve been looking for a way to make that auto installer completely silent. Because it is a user based setting, I can’t throw it into my SCCM Task Sequence. It needs to run after a user logs in. But I don’t want the user to see it run. It needs to run silently in the background…no user intervention at all.
I knew that Philip had used the Connection Manager Administration Kit (CMAK) to create the original EXE. The auto installer includes a batch file that I co-wrote back in 2000 to remove any HOSTS file entries for our e-mail server as well as another batch file that modifies the routing table. It’s a pretty slick little file. If it didn’t resolve someone’s VPN issue, then there was something else wrong with their computer or internet connection.
When you run CMAK, it creates a folder that contains any files that you added to the package (the batch files I mentioned, logo/icon files, etc), the EXE that is the file you can distribute (named according to what you called the connection profile), and several settings files (.CMP, .CMS, .INF, .SED…also named according to the connection profile).
But…how to make it silent? I finally found the info in an entry in the help file for CMAK. It was buried down in a section of the help file titled, “Including Connection Manager in custom applications.” The syntax listed there is:
ServiceProfileFileName.exe [/q:a] /c:"cmstp.exe ServiceProfileFileName.inf [Parameters]"
Since I am wanting it to be completely silent, and not include a shortcut to the connection on the desktop, this is my command line to throw into SCCM:
VPN.exe /q:a /c:"cmstp.exe VPN.inf /s /ns"
Works like a charm.
OS for SCCM Install – revisited
Last October I gathered a lot of info about whether it was better to install SCCM on a 32 bit or 64 bit OS. My post at that time concluded that installing on 64 bit was possibly the better choice, and that was the direction that I went.
Over the last weekend while I was in Bristol with Tim, we got to discussing this issue. He had just uploaded a post to his blog reversing his original opinion that x64 was the best route. His post had some pretty good reasoning in it…in particular the fact that when monitoring SCCM using SCOM, the “SCOM agent will not be able to correctly monitor the 32 bit SCCM processes running on the x64 system.”
Wonderful. At this point, we don’t have SCOM set up in our environment, but I know it is coming. I will probably be looking into transitioning my SCCM install off of the x64 OS as a result. I’m currently downloading the ISO for Windows Server 2008 (32 bit) from our MVLS site. Not a major rush because of monitoring, but I would rather go ahead and make this transition before I move the rest of our clients (approximately 900 workstations) from our SMS 2003 system over to SCCM.
This will also allow me to do a real world test of my disaster recovery plan for my SCCM environment.
Installing Vista Games via CMD Line
By default when you install Vista Business, it does not install the built in games (Chess Titans, Freecell, Hearts, Inkball, Mahjong Titans, Minesweeper, Purble Place, Solitaire, and Spider Solitaire). Many businesses like it that way and want to keep it that way. I don’t. If someone has a laptop and they want to play Chess or Solitaire at home…I don’t care…knock yourself out. What I don’t want is someone coming to me complaining that the games aren’t there. I want the games to be part of our default install. (Other admins can argue that point if they wish…that’s the decision I made for my environment.)
So…with my default install being completely driven by SCCM Task Sequences…I need to find a way to put that in a task sequence. In a Task Sequence, I need to be able to do this with a “Run Command Line” task. So…what is that command line?
First…it’s not easy to locate. I hunted way too long for this bit of info. I found other cryptic webpages about similar items, but nothing specifically addressing this one…imagine that…not many people want to install Vista’s games via the command line…who woulda thunk it? I finally figured it out through a bit of trial and error. That magic command line is:
pkgmgr.exe /iu:InboxGames /quiet
Note: “InboxGames” is case sensitive.
[Note: I have also found another command line for this: “ocsetup.exe InboxGames /quiet”. ]
What I would really like at this point is to have a command line way of uninstalling “Purble Place”. While I don’t mind if our staff play chess, solitaire, etc…I really don’t want them letting their kids play Purble Place on their work laptop. Anyone know how to do this?
Also…the way to point and click to do this is by opening up “Programs and Features” from the Control Panel, then clicking on “Turn Windows features on or off”, then checking the Games checkbox.
SCCM Reference Sites
I’ve spent a ton of time learning SCCM from various resources. I just discovered another one today, and figured there are probably others out there who are also looking for information related to SCCM. Here are the sites that I have found to be the most useful.
myITforum.com
This is a great place to get help from the user community. Response times are typically pretty good, and there are some folks on there that are really brilliant. I try to help when someone asks a question that I know about, but I am by no means one of the experts on the forum. My username on the forum is jdavis375.
Technet Forums
The best thing about this forum is that members of the SCCM product team are answering the questions (at least they are right now). I have gotten very timely definitive answers on the posts that I have left here.
OSD Technet Blog
Just found this one today. Pretty good resource for certain aspects of Operating System Deployment in SCCM.
SCCM Documentation Library
Need to read the manual? Here it is. Personally I have been frustrated with this. The documentation isn’t live updated…updates come in chunks. Also…I’ve had trouble finding the information that I am looking for in the documentation. Most of the time, the info is there…I just can’t locate it. Even searching is of limited use. Maybe I’m missing something, but I haven’t been able to find a way to limit the search to just the SCCM section…it returns results from all of Technet. Still a good resource…I just have issues with it.
Tim’s Blog
Okay…it’s just one post, but it’s a really good post. Tim has lots of knowledge…just not lots of time to put that knowledge on his blog. However, if you have dealt with SPN issues related to using a remote database in an SCCM install, you need to look at this post.
Rod Trent’s Blog
A few of Rod’s articles have helped me. In particular, the one on subselect queries…I no longer fear them.
Sherry Kissinger’s Blog
Sherry is one of the “really brilliant” people that I referred to above. She has responded to a couple of my questions…always with good information. She is a Microsoft MVP for SMS.
If anyone reading this knows of other good resources, leave a comment to let the rest of us know about them.
Build and Capture Task Sequence Failure
I have fought with this before and didn’t figure it out. Been fighting with it again and finally made an educated guess that has since been backed up by finding a thread to support my findings.
I created a Task Sequence in SCCM to “Build and capture a reference operating system image”. I am using the Vista SP1 DVD that I imported into Operating System Install Packages. It gets part of the way through the install, and then fails. By opening a command prompt on the machine running the Task Sequence (F8), I was able to look at the log files. In looking at the x:\windows\temp\smstslog\smsts.log log file, I saw an entry that stated “Windows Setup Failed, code 31”. That was followed by “Exiting with code 80004005”. Not a lot of help. Then I found the x:\windows\temp\smstslog\windowssetuplogs\setuperr.log log file. That contained the following lines:
Callback_Productkey_Validate: EditionID for product key was NULL.
Callback_Productkey_Validate: An error occurred writing the product key data to the blackboard.
Callback_Productkey_Validate_Unattend:Invalid product key; halting Setup.[gle=0x00000490]
Callback_Productkey_Validate_Unattend: An error occurred preventing setup from being able to validate the product key; hr = 0x80300006[gle=0x00000490]
Now…I know that my volume license product key is good. I’ve been using it for a long time. Just for grins I popped the Vista DVD in a spare computer and confirmed it. Why is it telling me the license key is invalid?
So here comes the educated guess. I modified the Task Sequence to not use a Product Key…just left that field blank. Hmmm…the install works perfectly fine. That led me to search on something different and find this thread. Basic gist is that if you are using a Task Sequence to install an OS using an Operating System Install Package, you should NOT specify a product key. Perhaps that is documented somewhere, but I haven’t seen it. It is however doggone frustrating to have wasted as much time as I have on this problem.
Error 80004005
If you have worked with Windows systems for long, at some point you have seen the infamous 80004005 error code. It seems to pop up everywhere. Problem is that it is a bit infuriating to try to figure out what it means.
Last year I was at the Microsoft Management Summit, and Johan Arwidmark was giving a presentation on Operating System Deployment. During the presentation, he mentions that error code. He then asked the audience if we would like to know what it meant. Since all of us had seen it and been frustrated by it, all of our ears perked up. What does that crazy code mean?
Johan then let us know. In his characteristic deadpan delivery he informed us that it means:
“That thing you were trying to do…it didn’t work.”
Subselect Query in SCCM
Update (1/30/2010): We recently discussed subselect queries at the Minnesota System Center User Group. That discussion prompted me to write an updated post on subselect queries.
Please refer to the following post for better information on how to create subselect queries that are faster and more efficient.
https://verbalprocessor.com/2010/01/30/better-subselect-queries/
Original Post:
One of the things that I have fought with in SMS/SCCM is a “NOT” query. Example is needing a query that shows me all computers that do not have Office 2007 installed. If you create your query to look in Add/Remove Programs and find a “Display Name” that is not “Microsoft Office Professional Plus 2007”, you will not get what you might expect. The reason is that it finds a computer that has something like Adobe Acrobat installed. Well…that is a display name in Add/Remove Programs that isn’t Office 2007…so that computer gets returned by the query.
To get the expected results you have to run one query that selects all computers that DO have Office 2007 (or whatever other program you are interested in…for that matter it doesn’t have to be a program…could be anything you want to query on), then you run another query that gives you all of the computers that are NOT in the first query. This is called a subselect query. This query ends up looking like the following:
select SMS_G_System_SYSTEM.Name from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.Name not in (select SMS_G_System_SYSTEM.Name from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Office Professional Plus 2007")
I am not a database guy. I am not a really proficient query writer. Subselect queries confuse the heck out of me. I have fought trying to write subselect queries for a couple of years now. I have really struggled with them.
Today while setting up something in SCCM, I needed a subselect query. I need to find computers that are a member of a particular AD OU, and if they don’t already have certain programs, I want the programs to automatically install. That requires a subselect query. They confuse me. I went to myITforum.com to find an example that I could then modify.
In my searching, I came across this thread. In that thread, someone linked to an article written by Rod Trent about how to create subselect queries. WOW is that a good article! What makes me feel really stupid though is that there has been a way since SMS 2003 to create a subselect query by pointing and clicking…I had no idea and wish I had known before today. It made me really happy to find it and see it work. I actually got out of my chair and started dancing in the office. The people around me looked at me funny, but honestly I was happy enough that I didn’t care!
And for those of you who know me…go ahead and try to get that image of me doing the happy dance out of your head! Good Luck! :-)
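Why the plain “NOT” query misleads and the subselect does not, as an added example that is not part of the original post: it uses Python's sqlite3 as a stand-in for WQL, and the table names, column names and three computers are constructed for illustration.

```python
import sqlite3

OFFICE = "Microsoft Office Professional Plus 2007"


def build_inventory():
    """Constructed inventory. 'systems' and 'add_remove_programs' are simplified
    stand-ins for SMS_R_System and SMS_G_System_ADD_REMOVE_PROGRAMS."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE systems (resource_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE add_remove_programs (
            resource_id INTEGER NOT NULL, display_name TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO systems VALUES (?, ?)", [
        (1, "PC-OFFICE"),      # has Office and Acrobat
        (2, "PC-NO-OFFICE"),   # has only Acrobat
        (3, "PC-EMPTY"),       # no Add/Remove Programs inventory at all
    ])
    db.executemany("INSERT INTO add_remove_programs VALUES (?, ?)", [
        (1, OFFICE), (1, "Adobe Acrobat"), (2, "Adobe Acrobat"),
    ])
    return db


def naive_not_query(db):
    """'Display name is not Office': matches any row for any other program."""
    rows = db.execute("""
        SELECT DISTINCT s.name
        FROM systems s
        JOIN add_remove_programs a ON a.resource_id = s.resource_id
        WHERE a.display_name <> ?
        ORDER BY s.name""", (OFFICE,))
    return [r[0] for r in rows]


def subselect_query(db):
    """All systems except those the inner query finds with Office installed."""
    rows = db.execute("""
        SELECT s.name
        FROM systems s
        WHERE s.name NOT IN (
            SELECT s2.name
            FROM systems s2
            JOIN add_remove_programs a ON a.resource_id = s2.resource_id
            WHERE a.display_name = ?)
        ORDER BY s.name""", (OFFICE,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_inventory()
    # The naive form wrongly includes PC-OFFICE (its Acrobat row matches)
    # and silently drops PC-EMPTY (the inner join finds no rows for it).
    print("naive    :", naive_not_query(db))
    print("subselect:", subselect_query(db))
```
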
Client Push Account Settings Bug
Yesterday I finally opened up my SCCM server that I have been building to clients. I created a special Active Directory OU to put computers in so that I could control discovery at the beginning of my deployment. Ran AD System Discovery on the OU which pulled the systems into SCCM. I had already configured the “Client Push Installation” settings, and had added a client push installation account.
When I pushed to a workstation, it failed. In looking through the ccm.log file, I saw the following entries:
Begin Processing request: “GWLDBUKF”, machine name: “workstation”
Trying each entry in the SMS Client Remote Installation account list
Attempting to connect to administrative share ‘\\workstation.domain.com\admin$’ using account ‘í³a‘<‘
WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account í³a‘< (0000052e)
LogonUser failed (LOGON32_LOGON_INTERACTIVE) using account í³a‘< (0000052e)
Attempting to connect to administrative share ‘\\workstation.domain.com\admin$’ using machine account.
Connected to administrative share on machine workstation.domain.com
Attempting to make IPC connection to share <\\workstation.domain.com\IPC$>
Searching for SMSClientInstall.* under ‘\\workstation.domain.com\admin$\’
CWmi::Connect(): ConnectServer(Namespace) failed. – 0x800706ba
Unable to connect to WMI on remote machine “workstation”, error = 0x800706ba.
Deleting SMS Client Install Lock File ‘\\workstation.domain.com\admin$\SMSClientInstall.XYZ’
Retry request id for “GWLDBUKF” set to “workstation_domain_com”
Stored request “workstation_domain_com”, machine name “workstation”, in queue “Retry”.
End request: “workstation_domain_com”, machine name: “workstation”.
In particular note the account name that it tried in the first “Attempting to connect…” line…it’s not valid…basically gibberish. After trying a few things, I remembered an issue I ran into with SMS 2003. In one of the settings…I can’t remember which…maybe the Network Access account…the password field would enable you to enter a password longer than…
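Triage logic for the ccm.log entries quoted above, as an added example that is not part of the original post or of SCCM: it pulls the account name and error code out of each failed logon line, decodes 0000052e and 0x800706ba, and flags account strings that look corrupted. The account EXAMPLE\svc_push and the third sample line are constructed, and the corruption check is a heuristic.

```python
import re

# Win32 error codes seen in the excerpt, with their winerror.h names.
WIN32_ERRORS = {
    0x052E: "ERROR_LOGON_FAILURE",       # user name or password is incorrect
    0x06BA: "RPC_S_SERVER_UNAVAILABLE",  # the RPC server is unavailable
}

# Characters Windows rejects in a SAM account name (backslash is handled
# separately below because it separates DOMAIN from user).
INVALID_SAM_CHARS = set('"/[]:;|=,+*?<>')

FAILED_LOGON = re.compile(
    r"(\w+) failed \((\w+)\) using account (.+?) \(([0-9a-fA-F]{8})\)")
HRESULT = re.compile(r"0x([0-9a-fA-F]{8})")

# Lines 1, 2 and 4 are taken from the post. Line 3 is constructed:
# EXAMPLE\svc_push is a hypothetical, well-formed account shown for contrast.
SAMPLE_LOG = [
    "WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account í³a‘< (0000052e)",
    "LogonUser failed (LOGON32_LOGON_INTERACTIVE) using account í³a‘< (0000052e)",
    "WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account EXAMPLE\\svc_push (0000052e)",
    "CWmi::Connect(): ConnectServer(Namespace) failed. – 0x800706ba",
]


def win32_name(code):
    """Name a raw Win32 code or a FACILITY_WIN32 HRESULT (0x8007xxxx)."""
    if code >> 16 == 0x8007:
        code &= 0xFFFF
    return WIN32_ERRORS.get(code, "unknown (0x%08x)" % code)


def account_problems(account):
    """Heuristic reasons an account string looks corrupted, not mistyped."""
    user = account.rsplit("\\", 1)[-1]  # drop an optional DOMAIN\ prefix
    problems = []
    if not user.isascii() or not user.isprintable():
        problems.append("non-ASCII or unprintable characters")
    bad = sorted(set(user) & INVALID_SAM_CHARS)
    if bad:
        problems.append("invalid account-name characters: " + "".join(bad))
    return problems


def logon_failures(lines):
    """One record per failed logon attempt, with the decoded error."""
    found = []
    for number, line in enumerate(lines, start=1):
        match = FAILED_LOGON.search(line)
        if match:
            api, logon_type, account, code = match.groups()
            found.append({
                "line": number,
                "api": api,
                "logon_type": logon_type,
                "account": account,
                "error": win32_name(int(code, 16)),
                "suspect": account_problems(account),
            })
    return found


def hresults(lines):
    """(line number, decoded name) for every 0x######## code in the log."""
    return [(number, win32_name(int(m.group(1), 16)))
            for number, line in enumerate(lines, start=1)
            for m in HRESULT.finditer(line)]


if __name__ == "__main__":
    for failure in logon_failures(SAMPLE_LOG):
        verdict = "; ".join(failure["suspect"]) or "name looks well-formed"
        print(failure["line"], failure["api"], failure["error"], "-", verdict)
    for number, name in hresults(SAMPLE_LOG):
        print(number, name)
```

A well-formed account that fails with ERROR_LOGON_FAILURE points at a wrong password or a locked or disabled account; a flagged account string points at the stored setting itself.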
SCCM SQL Cluster Problem
Earlier this week I had an issue with backing up SCCM that was because Kerberos was not enabled on the cluster. Got that fixed, but I was noticing other things on my SCCM server that just didn’t seem right. (Instructions for how to enable Kerberos are in the link above.) In particular I noticed that my Site System Status was red. In looking into this I saw where SCCM was referencing the SQL cluster nodes directly…not the SQL cluster. That’s not good. So I took a look at the Site Systems (under Site Settings), and here is what I saw:
What you see here is that the SQL cluster does NOT hold the site database role. That role is held directly by the SQL nodes. What happened was that although Kerberos must be enabled on the cluster for normal SCCM operation, the pre-req checker apparently does not check for this. As a result it allowed the install to go through and ended up installing directly to the nodes instead of to the SQL cluster…because it could not see the cluster since Kerberos was not enabled on it. Anyway…all of that said…it’s a major problem. Site Status is red. Who knows what would happen in the event of a SQL node failover.
So I got to thinking. I’m pretty sure the problem is a result of the database being created on the SQL server before Kerberos was enabled. In theory, I should be able to move the DB elsewhere, then move it back (now that Kerberos is enabled) and everything would be lovely again. Nice theory. But will it work? Enough thinking…let’s find out.
I moved the DB to a SQL named instance on the same server using the instructions found here. [Note…at the time of this writing there is a mistake in the instructions. Between steps 2 and 3 should be a step about actually going into SQL server and detaching and attaching the site DB. I reported it, and Microsoft acknowledged that it is missing and it will be fixed in the next update of the documentation.] After bringing up SCCM on the named instance, I shut it back down and used the same process to move it back to the default instance. Here is what it looks like now:
Note that the site database role is on the SQL cluster now. The two nodes are still in the list, but they have no roles associated with them. Right clicking them does not give an option to delete. According to Wally Mead and Stan White, those two should age out of the system after 30 days. The very nice thing is that my Site Status is now a lovely shade of green.
I reported this issue as a bug in SCCM. Got a great response from Wally Mead. He assigned it to the SCCM SP1 team for possible inclusion in SP1. Very cool!
SCCM Backup Issues
For the last week I have been attempting to back up my SCCM server before it goes into production. The backup has been failing, so I have been in major “trouble shoot” mode. Basic scenario is this… SCCM is installed on a VMWare virtual machine. The SQL database is offloaded to a clustered SQL server. When the backup ran, it would fail after about five seconds and leave the following four lines in the smsbkup.log.
>>>>>>>>>>>>
Info: Sending message to start the SQL Backup…
Couldn’t connect to \\SQLcluster registry
STATMSG: ID=5049 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_SITE_BACKUP” SYS=SCCMserver SITE=LHT PID=3400 TID=924 GMTDATE=Wed Jan 23 19:21:16.539 2008 ISTR0=”” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0
Error: Failed to send start message to the SqlBackup.
>>>>>>>>>>>>
I re-confirmed that the SCCM server’s machine account was in the admin group on the SQL server. I also knew that I had already taken care of the SPN registration issue, so I posted on the Technet SCCM forum. In hindsight, Stan White (a moderator on the forum) nailed the answer on his first reply…I just misunderstood what he was saying. After much other troubleshooting, I realized that if I started a cmd prompt as local system, I was able to map a drive to the administrative shares on the SQL server nodes as local system, but I was NOT able to map a drive to the cluster. (i.e. SQLcluster is made up of SQLserver1 and SQLserver2. I was able to map to \\SQLserver1\c$, but was not able to map to \\SQLcluster\c$.) This led me to search Google and found this thread (and Ragnar’s post in particular) which put me in the right direction…the direction that Stan specifically pointed to.
The root problem is that Kerberos authentication was not enabled on the cluster. When Kerberos is enabled on the cluster, it publishes the cluster name to Active Directory. Until that is done, the server name “SQLcluster” does not exist in AD…so it can’t be communicated with via Kerberos. I found a few articles that talk in more detail about how to enable Kerberos on the cluster here, here, and here.
After our DBA enabled Kerberos on the cluster last night, I was able to get a successful backup. Now I can move on to other things.
I’d like to acknowledge that my friend Tim is the one who asked a couple of key questions about authentication that caused me to find Ragnar’s post above.
Running a CMD prompt as System (XP/Vista/Win7/Win8)
From time to time I have had a need to run a program in the context of the Local System account instead of my user account. Typically this is in troubleshooting a program…a program that runs as Local System. It doesn’t do me much good to troubleshoot that program if the program is running under my user account’s security context. I need it to run as System…which has more rights…most of the time. I have had to use this a few times while working with SMS 2003 and SCCM 2007. Both of them run as the local system account.
So…how do we do that? In XP, 2000, Server 2003…you can do this very simply. You will need to be logged in with an account that has administrator privileges. Open a command prompt (Start, Run, CMD). At the command prompt type the following line. Replace 01:23 with the current time in 24 hour format + one minute. i.e. if it is 3:42 in the afternoon, enter it as 15:43.
at 01:23 /interactive cmd.exe
This schedules a task to run cmd.exe at the time you specify. When the CMD prompt pops up, it will be running as Local System. Be very careful. Note: you will only see this if you are at the console of the computer…so if you are connected to a server via Remote Desktop, you will not see the prompt come up unless you are connected to the console. I’ve been bit by that more than once…today as a matter of fact.
Now…what about Vista? I was bummed to see that this did not work in Vista. Good for security…bummer for me. So tonight I set out to find a way to do this. Cool thing is that the answer was actually pretty easy…and can be found on Microsoft’s site. Download PSTools from SysInternals. Microsoft bought SysInternals in 2006. Extract the files. You will use the file named PSexec.exe.
You still need a CMD prompt, but there’s an extra step… You will need to find the shortcut to the CMD prompt (Start, type CMD in the search box and wait for it to locate it…should be pretty fast). Once it locates it, right click it and choose to “Run as administrator”. (Do this even if your user account is an admin.) Once this opens, change directory til you get to the folder that contains PSexec (unless psexec is in a folder in your PATH already). This is where the magic happens…type the following line. (-i is for interactive, -s is to run as system)
psexec -i -s cmd.exe
The command prompt will look like:

Once you hit enter, another command prompt will open that will be running as the system account (NT Authority\System).

NOTE: you can use these instructions to run any program as System. If you had a dire need to run Calculator or Solitaire as Local System…you could do that…just replace cmd.exe with the executable file for the program you want to run. I will also say again…be careful. Don’t do this unless you really need to…and unless you are prepared to take responsibility for anything you might mess up by doing so!
Have fun! Actually…who am I kidding? This isn’t meant to be fun…it’s meant to be useful. Now…go get some work done. ;-)
OS for SCCM Install. 32bit or 64bit?
[NOTE: I have revisited this thought process in a more recent blog post. I no longer recommend what I wrote below.]
Over the last week, I have been emailing a few people and have been hitting various newsgroups, etc looking for info on whether it is best to install SCCM on 32bit Windows Server 2003, or to put it on x64 Windows. Let’s just say that there is room for discussion.
First, SCCM is a 32bit server application. It is not native x64. So you will not be getting a performance bump directly in SCCM by installing it on x64 Windows…matter of fact you will have the overhead of the x64 OS having to operate the 32bit program.
However…SCCM isn’t the only component that will be operating on the box that will impact performance. Depending on what your SCCM architecture looks like…
Office 2007 Silent Deployment
Wrote an e-mail to a friend who was asking about Office 2007 Deployment yesterday. Figured it would make a good post on how to go about creating a silent/unattended install of Office 2007.
In previous versions of Office…specifically I’m thinking of 2003…a silent custom install involved a long hairy command line such as:
setuppro.exe /Settings Files\Custom\Custom_Setup.ini TRANSFORMS=custom.MST /qb!- /m off11
Yes…that is the actual command line from the SMS 2003 program for Office 2003 that we have used. Now…on to Office 2007. Boy did Microsoft make this easier. Customizations in Office 2007 are handled essentially the same as patches. They are an MSP file that you apply to the installation. And how do you go about creating the MSP? Simple…go to the CD or folder where the Office installation files are and run “setup.exe /admin”. This runs the “Office Customization Tool”. With this tool you can modify most Office settings before a user ever sees the program. You can also control the installation process…entering the product key as well as controlling what level of interaction a user has during the install. You can make it completely interactive or completely hidden…along with several levels in between.
Specifically Joey’s question yesterday was about settings to use when installing Office 2007 via a Task Sequence in SCCM. There are three pre-requisites to a program running in a TS.
SCCM and WSUS issues
[Update June 3, 2008: Refer to this post for issues related to SCCM and WSUS as well. The info in it might be more relevant.]
Lately I have been working with System Center Configuration Manager 2007 (SCCM)…the latest version of Systems Management Server from Microsoft. Wow is this thing powerful. I enjoyed SMS 2003, but SCCM is a huge improvement. The process has not been without speed bumps, but overall it is just simply an awesome framework for computer management.
The most significant speed bump I have had lately has been in the area of computer patching. SCCM uses WSUS (Windows Server Update Services) for its patching component. Basically you install WSUS and SCCM manages WSUS. There are several settings that need to be lined up for this to operate. Links to those settings can be found here, here, and here.
A couple of the things to make sure are in order are:
- Proxy settings on the SUP properties are set correctly. (Use it or not, and if so make sure it is pointing to the right place.)
- On the SUP component configuration, ensure that the port numbers are correct. If WSUS is installed to the default web site, the ports should be 80/443. If it is using a custom web site, it defaults to 8530/8531…unless you told it something different. Open IIS Administration to check the properties on the WSUS Administration web site to see what it is set to. Make sure the ports in IIS and the SUP component match.
I had all of those settings lined up per the documentation (no proxy required…ports configured correctly), but was still getting errors. I first reported these issues on myITforum.com and a TechNet forum.
Basic gist is that after setting things up per documentation, SCCM was not able to successfully connect to WSUS and manage the WSUS settings. The SMS_WSUS_SYNC_MANAGER log shows that the synchronization failed because of an HTTP 401 “unauthorized” message. This is followed by another log entry that states “SMS WSUS Synchronization failed” because “WSUS Server not configured”. It also gave the incredibly helpful [sarcasm] error code of “214500037: Unspecified error”.

