Sr. Systems Engineer at Microsoft based in Redmond. Technical resource in release management for Microsoft Business Online Services. Currently working on all feature sets of Configuration Manager 2007 with a focus on Network Access Protection, Virtualization and Internet Based Client Management. Previously worked for Warner Bros, NBC Studios, AT&T, 24 Hrs Fitness, State of California, Northrop Grumman, NOS Communications, GE Capital, KLA Tencor, Wells Fargo Mortgage, Dudeworks, TeleTech, TekSystems, etc.
June 2008 - Posts
-
Friday, May 23, 2008
For a prospective customer there's nothing better than a real-world implementation to realize the potential of a certain technology. And this is very true in an almost unexplored technology like virtualization. Microsoft, which has eaten its own dog food since the Virtual Server 2005 era, just announced the complete migration of both MSDN and TechNet, two of the most popular web sites in the world, onto virtual machines. Microsoft kept the back-end database on physical boxes, but moved 100% of its IIS7 front-ends onto Hyper-V RC0 VMs with 4 virtual CPUs and 10GB RAM. The virtualization hosts (no mention of the brand, obviously) are powered by 2 Intel quad-core CPUs and 32GB RAM (2GB are reserved for the Windows Server 2008 parent partition). Follow the link below to learn more. http://www.virtualization.info/2008/05/microsoft-migrates-msdn-and-technet-on.html
-
Here are some pictures from my visit to MMS 2007 in San Diego.
-
System Health Validator Placement

I'm writing this post in response to some Configuration Manager 2007 Network Access Protection questions I received during the MMS 2008 conference: "Where should the System Health Validator Point Role (SHV) be placed in the ConfigMgr 2007 hierarchy?" The quick, simple answer is at the Central Site in the hierarchy, or at the Site where your ConfigMgr administrators perform their daily administrative duties. Some companies may have a Site or Reporting Site sitting on top of the Central Site of the hierarchy, as shown below.

For the above design, you will want to install a System Health Validator Point Role (SHV) from the Central Site, just the same as if you did not have a Reporting Site sitting over the Central Site of the hierarchy. Installing a SHV, and all subsequent additional SHVs, from the Central Site is recommended and provides centralized management of all SHV settings and configurations. Below is a list of reasons to install all SHVs from one Site, or from the Central Site server:
- All SHV settings and configurations are set by modifying the Systems Health Validator Point Component from the Component Configuration node under Site Settings within the ConfigMgr console. Settings and configurations set here apply to all SHVs that are installed from the same site.
- Note: the SHV has no bi-directional communication with the Site server it is installed from. So the SHV can actually be installed on any Site within the hierarchy, but there is no benefit or additional functionality in doing so.
- Please don't make the mistake of thinking that you need a SHV per Site. One SHV can serve one hierarchy.
- You can stage up to 4 NPS/SHV servers that clients can communicate with. Clients will use the first NPS/SHV server in the client's Trusted Server Group.

Below are the configuration settings of the SHV/NPS URLs that clients will communicate with when sending NAP SOH requests. To see this list on a client, run the following command in an elevated command prompt on a Vista system:

    C:\> netsh nap client show group

Names have been changed to protect the innocent...

    Trusted server group configuration:
    ----------------------------------------------------
    Group            = MSIT
    Require Https    = Enabled
    URL              = https://NPSServer1.widget.contoso.com/domainHRA/hcsrvext.dll
    Processing order = 1

    Group            = MSIT
    Require Https    = Enabled
    URL              = https://NPSServer2.widget.contoso.com/domainHRA/hcsrvext.dll
    Processing order = 2

    Group            = MSIT
    Require Https    = Enabled
    URL              = https://NPSServer3.widget.contoso.com/domainHRA/hcsrvext.dll
    Processing order = 3

    Group            = MSIT
    Require Https    = Enabled
    URL              = https://NPSServer4.widget.contoso.com/domainHRA/hcsrvext.dll
    Processing order = 4

The System Health Validator can be installed on a Windows Server 2008 running the Network Policy Server (NPS) service that is joined to any domain or forest, including one other than the domain the Site server is joined to. Where an NPS server is joined to a different forest than the Site server, the NPS server will by default query for client health state references in the forest it is joined to. This means that if you have a Site server joined to forest A, one NPS server joined to forest A and another NPS server joined to forest B, each NPS/SHV server will query and validate clients' health state from the domain it is joined to. The picture below shows this.

This can cause your Windows NAP infrastructure to validate only a subset of your clients: each NPS/SHV server will only validate the compliance of clients that are in the same forest as itself. Previously I mentioned modifying the SHV properties for the Systems Health Validator Point Component from the Component Configuration node under Site Settings. On the Health State Reference tab, you have the option to specify a domain suffix where you want the SHV/NPS servers to query for client health state references. When this option is set to a specific Active Directory forest FQDN (example: corp.contoso.com), it tells all SHVs installed from the Site to publish to the same forest root. This provides centralized management of all SHVs and their settings, and you will want all your SHVs configured with the same settings and configurations. When clients send SOH requests (SOH = Statement of Health), they hit the first SHV/NPS server in the list and are validated by it; they fail over to the next SHV/NPS in the list when the first NPS server hits its maximum connections, and you will want the next SHV/NPS to validate clients with the same validation settings and configurations. If you set up a SHV at each Site in a hierarchy, you will actually be duplicating administrative work that is not required: you will have to go to each Site and configure the properties for the Systems Health Validator Point Component from the Component Configuration node under Site Settings. If you have any questions on SHV setup or placement, please ask.
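As an added example (not from the original post), here is a Python parser for the `netsh nap client show group` output quoted above, followed by a defender's sanity check over the trusted server group: every entry should require HTTPS and use an https:// URL, processing orders should be unique, and the list should stay within the 4-server limit mentioned above. The sample output is constructed from the layout shown, with fictitious host names and a deliberately misconfigured third entry to exercise the checks.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample laid out like the `netsh nap client show group` output in the post.
# Host names are fictitious; entry 3 is deliberately misconfigured to exercise the checks.
SAMPLE_NETSH_OUTPUT = """\
Trusted server group configuration:
----------------------------------------------------
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer1.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 1
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer2.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 2
Group            = MSIT
Require Https    = Disabled
URL              = http://NPSServer3.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 3
"""

FIELD_RE = re.compile(r"^\s*(Group|Require Https|URL|Processing order)\s*=\s*(.+?)\s*$", re.I)
MAX_TRUSTED_SERVERS = 4  # the post: clients can be given up to 4 NPS/SHV servers


@dataclass
class TrustedServer:
    group: str
    require_https: bool
    url: str
    order: int


def parse_trusted_servers(text: str) -> List[TrustedServer]:
    """Return the trusted servers sorted by processing order, i.e. the failover sequence."""
    servers: List[TrustedServer] = []
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue  # header, separator or blank line
        fields[match.group(1).lower()] = match.group(2)
        if "processing order" in fields:  # last field of each entry closes the record
            servers.append(TrustedServer(fields["group"],
                                         fields["require https"].lower() == "enabled",
                                         fields["url"], int(fields["processing order"])))
            fields = {}
    return sorted(servers, key=lambda s: s.order)


def audit_trusted_servers(servers: List[TrustedServer]) -> List[str]:
    """Flag entries a client could reach without TLS, ambiguous failover order, oversized lists."""
    findings: List[str] = []
    if len(servers) > MAX_TRUSTED_SERVERS:
        findings.append(f"{len(servers)} servers configured, at most {MAX_TRUSTED_SERVERS} are supported")
    if len({s.order for s in servers}) != len(servers):
        findings.append("duplicate processing order values, failover sequence is ambiguous")
    for s in servers:
        parsed = urlparse(s.url)
        if not s.require_https:
            findings.append(f"order {s.order} ({parsed.hostname}): Require Https is Disabled")
        if parsed.scheme.lower() != "https":
            findings.append(f"order {s.order} ({parsed.hostname}): URL is not https://")
    return findings
```

Run it against the real output of the netsh command on a client to confirm every SHV/NPS URL in the group is reached over HTTPS.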
-
There are a lot of questions in newsgroups, forums etc. about how to use Restricted Groups the right way, so I wanted to post a how-to for people to read. Finding Restricted Groups is easy, but it only works in a domain with Active Directory, so trying to find it within the local GPO on your computer isn't possible.

First, right-click on Restricted Groups and select "Add Group". What you get is the default window to choose a group, either from your domain or from your local computer, depending on what configuration you want.

Now you have two different choices of what to do with the group you selected: either "Members of this group" or "This group is a member of". The differences between these choices are big, so I explain them in two steps.

Members of this group

This is the choice you make when you want to add users to a group. What you select here is exactly what you will see on the computers affected by this policy. So if, for example, you want to add a user to the local Administrators group on the computers, don't forget to also add Administrator, or the Administrator account will be removed from the local Administrators group on those computers. An example is this picture, where you have both the local Administrator account and the built-in Authenticated Users group.

This group is a member of

This is the choice you use if you want to add your selected group into another group. So this is the opposite of what you defined in choice 1 described above. This is also not something that will override any other configuration you have done. So if in the first choice you selected "Authenticated Users", and with this option you select that it will be added to the "Administrators" group, any other user you might have added to the group (manually, perhaps) won't be overwritten by this choice. So the example you can see in this picture will add the "Power Users" group into the "Administrators" group.

To summarize, it's fairly easy to use Restricted Groups, and it's also the easiest way to add/remove users in groups; you can control it in a much better way than you ever can doing this manually. If you are doing this manually today, it's time to stop and use the right way instead.
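As an added illustration (not from the original post), the following Python models the two Restricted Groups choices described above against a constructed snapshot of a computer's local groups: "Members of this group" replaces the membership, so omitting Administrator strips it, while "This group is a member of" only adds. The account and group names in the snapshot are made up.

```python
from typing import Dict, Iterable, Set

GroupMap = Dict[str, Set[str]]

# Constructed snapshot of a member computer's local groups (not from the original post).
LOCAL_GROUPS: GroupMap = {
    "Administrators": {"Administrator", "CONTOSO\\Domain Admins", "CONTOSO\\jdoe"},
    "Power Users": {"CONTOSO\\helpdesk"},
    "Users": {"NT AUTHORITY\\Authenticated Users"},
}


def members_of_this_group(groups: GroupMap, group: str, members: Iterable[str]) -> GroupMap:
    """'Members of this group': the policy list REPLACES the group's membership.

    Anyone not listed is removed at the next policy refresh, which is why the post warns
    to include Administrator when you target the local Administrators group.
    """
    result = {name: set(current) for name, current in groups.items()}
    result[group] = set(members)
    return result


def this_group_is_member_of(groups: GroupMap, group: str, targets: Iterable[str]) -> GroupMap:
    """'This group is a member of': ADDITIVE. `group` is added to each target group and
    whatever is already in the target groups (manual additions included) is kept."""
    result = {name: set(current) for name, current in groups.items()}
    for target in targets:
        result.setdefault(target, set()).add(group)
    return result


def removed_by_policy(before: GroupMap, after: GroupMap, group: str) -> Set[str]:
    """Accounts that applying a policy strips from `group`; review the policy if non-empty."""
    return before.get(group, set()) - after.get(group, set())


if __name__ == "__main__":
    # The mistake from the post: Authenticated Users listed alone removes Administrator.
    mistake = members_of_this_group(LOCAL_GROUPS, "Administrators",
                                    ["NT AUTHORITY\\Authenticated Users"])
    print("removed by mistaken policy:", sorted(removed_by_policy(LOCAL_GROUPS, mistake, "Administrators")))
    fixed = members_of_this_group(LOCAL_GROUPS, "Administrators",
                                  ["Administrator", "NT AUTHORITY\\Authenticated Users"])
    print("removed by corrected policy:", sorted(removed_by_policy(LOCAL_GROUPS, fixed, "Administrators")))
    additive = this_group_is_member_of(LOCAL_GROUPS, "Power Users", ["Administrators"])
    print("Administrators after additive policy:", sorted(additive["Administrators"]))
```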
-
Though the building alone covers a whopping 11 acres, you can't even see Microsoft (NSDQ: MSFT)'s new $550 million data center in the hills west of San Antonio until you're practically on top of it. But by that point, you can hardly see anything else. Read more here.
-
The company says that a better firewall, IPv6 support, better onboard encryption, and network access protection make Windows Server 2008's security a primary selling point. Microsoft is pushing the improved security of its Windows Server 2008 software package as one of the primary reasons why business customers should upgrade to the long-awaited product refresh as quickly as possible. In addition to being fully designed under Microsoft's SDLC (security development lifecycle) initiative -- a program already credited with allowing Microsoft to ship its products with far fewer vulnerabilities than previous iterations -- Server 2008 has new features that should help customers address a range of important security issues, according to company officials. Microsoft representatives claim that beefed-up firewall technology, support for the emerging IPv6 Internet protocol, improved onboard encryption and further integration with its Active Directory registry system, among other additions, represent a significant step forward for the release formerly known as Longhorn in terms of its overall security standing. The company has also finally delivered its NAP (network access protection) technology -- Microsoft's flavor of the access control tools identified more widely under the banner of NAC (network access control) -- that many security industry watchers have cited as a potential accelerant for device and user network authentication efforts. Company officials said that the software maker was specifically set on defending the updated infrastructure technology against malware attacks while boosting ID and access control, adding encryption and document protection features, and enhancing the system's reporting and audit functions to handle compliance-related tasks. Read more here.
-
Microsoft (NSDQ: MSFT) on Monday introduced its first operating system designed for manufacturers of handheld portable navigation devices. Windows Embedded NavReady 2009, which is based on Windows Embedded CE, includes technologies for connecting PNDs to online services, mobile phones using Bluetooth, and Windows-based PCs. The OS includes online search through Microsoft's Live Search and also includes the software maker's Live Search Map service. Read More here.
-
New customer/partner-ready content from Microsoft IT

Microsoft IT Showcase is pleased to announce the publication of Using Configuration Manager 2007 to Extend Software Update Compliance Across Networks, which discusses how Microsoft IT uses Microsoft® System Center Configuration Manager 2007 and Windows Server® 2008 Network Access Protection (NAP) to enforce software update compliance for client computers in the corporate network. Many thanks to Richard Dixon and Michael Kelley for their expertise, knowledge, and dedication in developing this comprehensive technical case study and webcast.

Using System Center Configuration Manager 2007 to Extend Network Health (Technical Case Study, added 06/06/08): Microsoft IT uses Microsoft System Center Configuration Manager 2007 and Windows Server 2008 Network Access Protection to enforce software update compliance for client computers in the corporate network. Configuration Manager ensures that computers connecting to the network meet the Microsoft IT software update policy requirements for system health.

To learn more about how Microsoft does IT, please visit us! External: www.microsoft.com/technet/itshowcase Internal: http://itshowcase
-
Problems with SMS 2003 updates and Configuration Manager 2007

The WSUS Offline Scan Catalog (wsusscn2.cab) fails to synchronize on a Configuration Manager 2007 or Configuration Manager 2007 SP1 site server using the Inventory Tool for Microsoft Updates (ITMU). This prevents security update deployments to SMS 2003 clients. This is the result of an issue with updated content published for the Office 2003 Service Pack 1 update. The issue can be identified in the Wsyncmgr.log on the ConfigMgr 2007 site server running the Software Update Point role. The log entries below are from the Wsyncmgr.log file:

    Performing legacy sync
    STATMSG: ID=6709 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" …
    Started with command line: C:\Program Files\Microsoft Configuration Manager\bin\i386\updatewuscatalog.exe …
    Processing security catalog C:\Program Files\Microsoft Updates Inventory Tool\PkgSource\wsusscn2.cab ...
    Initializing catalog C:\Program Files\Microsoft Updates Inventory Tool\PkgSource\wsusscn2.cab for synchronization.
    Pre-processing updates...
    Error 0x80004005, Unexpected DeploymentAction for update 1293995.
    Returned from CreateUpdateNode
    Updates summary: 0 processed, 0 matched, 0 outdated, 0 updated

Microsoft is working on resolving this with the highest priority. For more information.
-
Introducing the custom personal Microsoft IT hat. Some people call it a cap or a baseball cap, but I call it a hat. This is the first original custom Microsoft IT hat, designed by me. I'm trying to get Microsoft interested in providing or selling these hats for next year's MMS 2009. Cost? I don't know what the price will be if we sell them. But personally, I spent $35 for an original NBA baseball cap and $12 for the embroidery of the Microsoft IT and NAP letters, so this is a $47 hat. The idea behind wearing the hat backwards is that I don't need the sun visor in Washington, whereas it's sunny in Los Angeles, California. When I have my head down in a laptop working on something in a Starbucks or some place like that, I can't see when I want to peek up to look at something; the visor is always in the way. So I had to engineer a solution: flipping the hat backwards solved the problem with no additional cost and just a little overhead.
-
Microsoft came through for IT administrators. They recently released RSAT (Remote Server Administration Tools) for Windows Vista SP1. RSAT adds GPMC back into Windows Vista SP1 along with DHCP and DNS! (Woo Hoo!)
-
Requirements:
- Windows Server Update Service (WSUS)
- Configuration Manager Site with Software Update enabled
- Organizational Unit or Security Group
- 2 Configuration Manager ADM Templates
- Active Directory Group Policy Object

Windows Server Update Service (WSUS)
- Install the WSUS service on a Windows 2003 SP2 server.
- Do not configure the WSUS service with the WSUS console at the completion of the WSUS installation.

Configuration Manager Site with Software Update enabled
- Start your ConfigMgr installation, or push a Software Update Point Role onto the WSUS server.

Organizational Unit (OU) or Security Group (SG)
- Identify an OU or Security Group that will contain all systems expected to be managed by your ConfigMgr site.
- Note: there can only be one OU or SG designated for one ConfigMgr site. You cannot have one OU or SG provisioning clients for multiple site codes.

2 Configuration Manager ADM Templates
- Obtain the ADM templates that come on the Configuration Manager 2007 CD, located at CD\TOOLS\ConfigMgrADMTemplates.
- One ADM template is named "ConfigMgr2007Assignment.adm" and the other is named "ConfigMgr2007Installation.adm".
- The ADM template named "ConfigMgr2007Assignment.adm" is used to place the ConfigMgr site assignment settings in the client's registry. Those settings are shown below.
- The "ConfigMgr2007Assignment.adm" template sets the following values in the registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client:
  - GPRequestedSiteAssignmentCode = <your site code>
  - GPSiteAssignmentRetryDuration(Hour) = <Retry Duration (hours)>
  - GPSiteAssignmentRetryInterval(Min) = <Retry Interval>
- The image below shows the settings for the ConfigMgr2007Assignment.adm template after it is imported into the GPO.
- Description and uses of the above settings:
  - "GPRequestedSiteAssignmentCode" is the site code your client should and will be assigned to. When the client is reassigned by any other method to a site code other than the one specified in the GPO, these GPO policy settings will automatically reassign the client back to the site code you defined in the GPO.
  - "GPSiteAssignmentRetryDuration(Hour)" is the number of hours the client will keep attempting to reassign itself until successful, or until it is reassigned to the site code specified in the GPO.
  - "GPSiteAssignmentRetryInterval(Min)" is the interval at which the GPO policy wakes up and checks whether the client is assigned to the site code specified in the GPO.
- The "ConfigMgr2007Assignment.adm" template sets the following setting in the registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ccmsetup, in a value named SetupParameters.
- The setting below is the string of ccmsetup parameters to be set in the above value, which is what the client will use when the installation starts:

    /MP:msserver SMSSLP=smsslp.domain.com SMSSITECODE=XR2 FSP=smsfsp.domain.com CCMLOGMAXSIZE=100000 CCMENABLELOGGING=TRUE CCMLOGLEVEL=0 DISABLESITEOPT=TRUE DISABLECACHEOPT=TRUE CCMLOGMAXHISTORY=5 SMSCACHESIZE=9000

- NOTE: When a client installation starts, ccmsetup.exe first looks to the command line for the ccmsetup parameters. If it does not find command-line parameters, ccmsetup.exe looks to the registry for them; if the parameters are not found in the registry either, ccmsetup.exe will use Active Directory and assign the client based on ConfigMgr site boundaries.
- The image below shows the settings for the ConfigMgr2007Installation.adm template after it is imported into the GPO.
- This type of client assignment basically forces the clients to remain assigned to the site of choice.
- Import these ADM templates into a Group Policy Object targeting the OU or SG of the clients to be managed.
- An additional setting you must add to this GPO is the Windows Update URL the clients will use to scan for required/offered updates.
- This setting can be found with the local Group Policy editor or the Group Policy Management Console, at the path below:

    Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update

- The image below shows the setting in a GPO that lets you set the WSUS/SUP server for clients to use to scan for updates.
- A gotcha, watch out: the policies that these ADM templates place in the client's registry cannot be undone by removing the GPO from the OU or SG.
- If you ever want to reassign clients that have previously been assigned and provisioned by the "Client Management GPOs" (I call this solution Client Management GPOs), you must either remove the settings manually, by hand or by script, or drop the computer object into another OU or SG that has different "Client Management GPOs" applying these settings for another ConfigMgr site.
- The reason these settings don't go away when a GPO is removed is that these ADM templates do not set them in the Policies hive of the registry, and settings set in the registry outside of the Policies hive can't be removed with a GPO, only changed or modified.

Active Directory Group Policy Object (GPO)
- Apply a Group Policy Object targeting the OU or SG with membership of all the systems you want assigned to a specific site.
- Remember: one Client Management GPO per site.
- Once the above settings and configuration are set, publish the ConfigMgr client into WSUS.
- To publish the ConfigMgr client to WSUS, from within the ConfigMgr console navigate to the Site Management node, then to the Site Settings node, then to the Client Installation Methods node; right-click Software Update Point Client Installation and click Properties.
- At this point simply enable the option "Enable Software Update Point Client Installation", shown below.
- Also, ensure that no other AD policies are configuring the WSUS URL in your environment. If clients receive policies from other GPOs that also configure the WSUS URL, the client will generate an AD Group Policy conflict and fail scanning for ConfigMgr. To ConfigMgr the client would appear broken and not communicating with the Site/MP.

Disclaimer: P.S. When I say 100% I am, of course, referring to compatible online computers in the targeted OU.
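Added example (not from the original post): a Python audit of the two registry locations the Client Management GPOs write, run over a constructed snapshot. It parses the SetupParameters string given above, checks that its SMSSITECODE agrees with GPRequestedSiteAssignmentCode (one GPO, one site), and flags the key that lives outside the Policies hive and therefore survives GPO removal, the gotcha described above. The retry values in the snapshot and the structure of the snapshot itself are made up; the key paths and the parameter string are the ones from the post.

```python
from typing import Dict, List, Tuple

MOBILE_CLIENT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client"
CCMSETUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ccmsetup"

# Constructed registry snapshot of the two keys the Client Management GPOs write.
# The SetupParameters string is the one from the post; the retry values are made up.
REG_SNAPSHOT: Dict[str, Dict[str, object]] = {
    MOBILE_CLIENT_KEY: {
        "GPRequestedSiteAssignmentCode": "XR2",
        "GPSiteAssignmentRetryDuration(Hour)": 24,
        "GPSiteAssignmentRetryInterval(Min)": 60,
    },
    CCMSETUP_KEY: {
        "SetupParameters": (
            "/MP:msserver SMSSLP=smsslp.domain.com SMSSITECODE=XR2 FSP=smsfsp.domain.com "
            "CCMLOGMAXSIZE=100000 CCMENABLELOGGING=TRUE CCMLOGLEVEL=0 DISABLESITEOPT=TRUE "
            "DISABLECACHEOPT=TRUE CCMLOGMAXHISTORY=5 SMSCACHESIZE=9000"
        ),
    },
}


def parse_setup_parameters(value: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a ccmsetup parameter string into /switches and KEY=VALUE installation properties."""
    switches: Dict[str, str] = {}
    properties: Dict[str, str] = {}
    for token in value.split():
        if token.startswith("/"):
            name, _, arg = token[1:].partition(":")  # "/MP:msserver" -> ("MP", "msserver")
            switches[name.upper()] = arg
        elif "=" in token:
            key, val = token.split("=", 1)
            properties[key.upper()] = val
    return switches, properties


def survives_gpo_removal(key_path: str) -> bool:
    """True for values written outside the Policies hive. Group Policy only cleans up values
    under SOFTWARE\\Policies when a GPO stops applying; the Mobile Client values are not
    there, which is the gotcha from the post: they stay until removed by hand or by script."""
    return "\\software\\policies\\" not in key_path.lower()


def audit_client_management_gpo(snapshot: Dict[str, Dict[str, object]]) -> List[str]:
    """Cross-check the two keys for the consistency the post relies on (one GPO, one site)."""
    findings: List[str] = []
    requested = str(snapshot[MOBILE_CLIENT_KEY]["GPRequestedSiteAssignmentCode"])
    switches, props = parse_setup_parameters(str(snapshot[CCMSETUP_KEY]["SetupParameters"]))
    if props.get("SMSSITECODE") != requested:
        findings.append(f"SMSSITECODE {props.get('SMSSITECODE')!r} differs from "
                        f"GPRequestedSiteAssignmentCode {requested!r}")
    if "MP" not in switches:
        findings.append("SetupParameters has no /MP: switch, ccmsetup cannot locate a management point")
    for key_path in snapshot:
        if survives_gpo_removal(key_path):
            findings.append(f"{key_path}: values persist after the GPO is unlinked, clear them when reassigning")
    return findings
```

On a real client the snapshot would be read from the registry with the same two key paths; the checks stay the same.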