|
I'm doing some housecleaning of our 2003 AD in preparation for a move to 2008 and I've come across some old Certificate Authority leftovers in the Public Key Services sections of the Sites and Services mmc. It refers to an old CA server that was installed by a contractor (for a short-lived Altiris project I believe) and later decommissioned around two years ago and doesn't exist anymore. We don't have any other CA servers here. Bearing in mind this server hasn't existed for a couple years and we've had no ill effects is it safe for me to just go ahead and follow KB 555151 to remove the entries from AD or is there anything else I need to be aware of or check for? This is the output of certutil on a random workstation here: code:ozmunkeh fucked around with this message at 20:59 on Feb 10, 2012 |
#
?
Feb 10, 2012 18:32
|
|
|
|
| # ? Apr 26, 2024 15:06 |
|
|
Does anyone else out there work for a cheap as gently caress company? And by cheap as gently caress, I mean does anyone out there use robocopy or similar to
|
|
#
?
Feb 13, 2012 21:31
|
|
|
IT Guy posted:Does anyone else out there work for a cheap as gently caress company? And by cheap as gently caress, I mean does anyone out there use robocopy or similar to Yep. I have a robocopy script that backs up our accountant in the UK's Shitbooks stuff and My Documents folder to our data server here in NY so it's ready for the backups that trigger at 6PM local time. It runs when she shuts down her computer using the local policy shutdown script.
|
|
#
?
Feb 13, 2012 21:34
|
|
|
LmaoTheKid posted:Yep. I have a robocopy script that backs up our accountant in the UK's Shitbooks stuff and My Documents folder to our data server here in NY so it's ready for the backups that trigger at 6PM local time. Do you have it just syncing (not copying files that haven't changed) or do you have it creating a new backup every time?
|
|
#
?
Feb 13, 2012 21:37
|
|
|
IT Guy posted:Do you have it just syncing (not copying files that haven't changed) or do you have it creating a new backup every time? Sync only. Because it has to copy over the full QBW file which is the majority of the backup (and tbh, the only thing I care about being backed up).
|
|
#
?
Feb 13, 2012 21:38
|
|
|
LmaoTheKid posted:Sync only. Because it has to copy over the full QBW file which is the majority of the backup (and tbh, the only thing I care about being backed up). Thanks. It looks like I'll be setting this up for our 12 branches since we're too loving cheap to use tapes. It's going to be terrible especially over connections that range from 5000/800 DSL to 3000/300 lovely wireless links.
|
|
#
?
Feb 13, 2012 21:43
|
|
|
IT Guy posted:Thanks. It looks like I'll be setting this up for our 12 branches since we're too loving cheap to use tapes. Depending on how far they are, I'd do an initial sync with a hard drive.
|
|
#
?
Feb 13, 2012 21:45
|
|
|
LmaoTheKid posted:Depending on how far they are, I'd do an initial sync with a hard drive. That's the plan. I can't imagine how long it would take to transfer 80ish gigabyte at 40kB/s (too lazy to math).
|
|
#
?
Feb 13, 2012 21:46
|
|
|
Cpt.Wacky posted:I've been testing out WDS today. With MDT I was able to use OSDComputerName=%SerialNumber% to set the computer name to the serial number. Is that possible to do with WDS? Would running the tests in a VM cause it to fail for lack of a serial number? No, the %serialnumber% variable is an MDT specific thing. You would have to hack something using powershell and code:
|
|
#
?
Feb 13, 2012 22:01
|
|
|
Does anyone know of a fast and reliable software audit tool? Boss is asking me to get a full count of MS Office 2010 installs by tomorrow for our license true up. I would have used altiris but our server just took a massive poo poo and we need to rebuild it.
|
|
#
?
Feb 13, 2012 23:08
|
|
|
Icesler posted:Does anyone know of a fast and reliable software audit tool? Boss is asking me to get a full count of MS Office 2010 installs by tomorrow for our license true up. I would have used altiris but our server just took a massive poo poo and we need to rebuild it. Spiceworks will do a software inventory for you. Throw a quick install up somewhere and you should get your data in time.
|
|
#
?
Feb 13, 2012 23:19
|
|
|
peak debt posted:No, the %serialnumber% variable is an MDT specific thing. Thanks, I settled on WDS with an unattended domain join and a single Admin autologin to rename the PC.
|
|
#
?
Feb 13, 2012 23:22
|
|
|
Cpt.Wacky posted:Thanks, I settled on WDS with an unattended domain join and a single Admin autologin to rename the PC. What are you using to rename? I ask because my efforts to find a way to rename a computer via a script after it has joined the domain came up with nothing when I was trying to figure it out last year.
|
|
#
?
Feb 14, 2012 01:07
|
|
|
It's not automated. Maybe I'll look into it in the future, but right now the FNG can do it.
|
|
#
?
Feb 14, 2012 01:48
|
|
|
Icesler posted:Does anyone know of a fast and reliable software audit tool? Boss is asking me to get a full count of MS Office 2010 installs by tomorrow for our license true up. I would have used altiris but our server just took a massive poo poo and we need to rebuild it. Both of these will do the trick nicely. http://www.microsoft.com/sam/en/us/map.aspx http://www.microsoft.com/sam/en/ca/msia.aspx
|
|
#
?
Feb 14, 2012 08:04
|
|
|
Anyone else's offices not using "Run Advertised Programs" and instead opt for Third-Party (I believe Dell) Right click tools to re-run advertisements from SCCM? Am I alone in thinking that it's absolutely stupid to completely ignore the "Run Advertised Programs" applet that SCCM is basically based around? The explanation is "Well we don't want users to be able to rerun advertisements." Then why not just hide the option from them in the control panel?
|
|
#
?
Feb 15, 2012 07:49
|
|
|
spidoman posted:Anyone else's offices not using "Run Advertised Programs" and instead opt for Third-Party (I believe Dell) Right click tools to re-run advertisements from SCCM? If you hide it from users I'm not sure how admins would be able to use it. To be honest it makes mostly perfect sense, though it's way easier to have mandatory assignments for basic frequently failed programs be available for users to run. If users couldn't run Plugin flash or Firefox by themselves I'd be pretty pissed. And right click tools aren't made by Dell, they're just a bunch of random guys online that made them, but they're loving sweet.
|
|
#
?
Feb 15, 2012 15:33
|
|
|
I would address "failed installs" separately from "user-initiated installs". Failed installs should be taken care of by someone in IT (using the right click tools, or other creative advertisement tricks) Or make the item that fails appear in 'Run Advertised Programs' (PS- worst name ever?) only after it has failed... I'm sure there's some logic to do that.
|
|
#
?
Feb 16, 2012 17:35
|
|
|
My team lead yesterday: "Hey I need to uninstall the sccm administrator console from my machine. It didn't install correctly." Okay, just uninstall then reinstall it. I come in the next morning to find that the SCCM site has been removed from the server. "His machine" turned out to be our main test server. Installing the console on secondary site servers isn't supported. And trying to uninstall the console uninstalled all of sccm. It's definitely partially my fault but come on!
|
|
#
?
Feb 16, 2012 19:04
|
|
|
We are currently having this issue while trying to build an image; http://blogs.technet.com/b/configmgrteam/archive/2011/01/28/known-issue-install-software-updates-action-hangs-on-windows-7.aspx Problem is that have tried the hotfix, and i have verified that it gets applied by looking at the MSI logs. Still doesn't help. Anyone had the same issue? Any hints?
|
|
#
?
Feb 16, 2012 20:49
|
|
|
Why aren't you installing the updates in the image before you capture it?
|
|
#
?
Feb 16, 2012 22:06
|
|
|
spidoman posted:It's definitely partially my fault but come on! No, it isn't your fault. He shouldn't have been running the test instance on his machine. This is what VMs are for. I was not a fan of using the SCCM console on a workstation. I found it behaved poorly. I preferred to RDP into the server and run the console there. Yes, I realize that has security issues. quote:Why aren't you installing the updates in the image before you capture it? If ease of maintenance is more important that speed of machine imaging (or if you're using build+capture), having MDT install Windows Updates to Windows a source installation (instead of a WIM) can be very helpful.
|
|
#
?
Feb 16, 2012 22:49
|
|
|
peak debt posted:Why aren't you installing the updates in the image before you capture it? That's what were trying to do. We apply a clean OS image with an unattend.xml, then set some OS and network settings, install the configmgr client, then a bunch of software and then finally an Install software updates step (updates gets pulled from the SCCM Software Updates thingy). Finally we capture the image. This has been working for a long time, but now that we have a lot of updates it just gets stuck at "Downloading update 1 of 97 (0%)". Reducing the amount of updates makes the build go through without issues, but that would negate the point of actually building the image because that would increase the time we use to deploy the image (we have a step for install updates in there aswell). quackquackquack posted:If ease of maintenance is more important that speed of machine imaging (or if you're using build+capture), having MDT install Windows Updates to Windows a source installation (instead of a WIM) can be very helpful. That would be a workaround, yes, albeit not a good one. We build 6 images about every 3-4 months. Having to do this for every source (Win7 x64, Win7 x86 and WinXP) would be tedious and troublesome. Right now everything is fully automatic, and we intend on keeping the building process like it is. All i have to do is to add our latest software packages to the TS, boot the VM, press f12 twice and select the correct build sequence. What I'm really out after is to know if someone has/have had the same problems and if they somehow managed to fix it. I feel i have tried everything and need some input. We have been using google-fu, and we have an ongoing case with MS premier support aswell. Ifan fucked around with this message at 23:14 on Feb 16, 2012 |
|
#
?
Feb 16, 2012 23:00
|
|
|
Ah ok, I admit I skimmed the link you posted, mostly looked at the picture, and mistook it for an MDT window instead of a SCCM window. Replace 'MDT' with 'SCCM' in my previous post. Your build+capture is definitely a very efficient way to do it. A crappy workaround could be to perform chained build+captures. Slightly better would be to make your current build+capture output WIM the base WIM for a new build+capture, instead of using source files. At least until SP2 comes out. One of the linked workarounds (putting Office updates into the Updates folder in the Office package) is a bit of a hassle, but if you can stuff enough in to get below the magic number of Windows Updates where it works again it could be worth it, at least until PSS figures it out. But sorry, no experience with that specific issue. It was never considered high enough priority to integrate WSUS into SCCM (since SCCM would not be performing windows updates except during imaging) in my environment.
|
|
#
?
Feb 17, 2012 00:26
|
|
|
I intigrated the office 2010 updates into the installer. It was really easy, just put the updates into an "update" folder in the office installer. I also explicitly install SP1 (because the kms ISO we use doesn't have SP1 integrated) with a software package before the install software updates step.
|
|
#
?
Feb 17, 2012 00:44
|
|
|
Is there a good walk-through online for creating and capturing an image that includes software in the capture? (Updates, Adobe Reader, and Office are my first thoughts.) It's something that my boss wants but everyone on the team insists "It's too haaaaard.  Let's just ignore what the boss is asking for and do it the way we're comfortable with. " I understand there is some difficulty in getting a perfect capture, but I refuse to believe that it should be completely written off.
|
|
#
?
Feb 17, 2012 03:56
|
|
|
spidoman posted:Is there a good walk-through online for creating and capturing an image that includes software in the capture? (Updates, Adobe Reader, and Office are my first thoughts.) It's something that my boss wants but everyone on the team insists "It's too haaaaard. That's what I call "thick imaging", and I recommend avoiding it. Assuming I understand what you're asking. It's actually the easiest of the types of imaging to do: create your 'master' machine, make it absolutely perfect, sysprep it and create an image. The downsides: Like you said, it's difficult to get it "perfect". You also have to figure out drivers. Any time there's an update, you have to update the master image/machine and grab a new copy. Hope that you don't realize a fatal flaw in the master image that can't be fixed. Time to start from scratch! What are your people currently doing? And with what tools? Of course to create something more automated, you need the skill and knowledge of how to do it. Sounds like you already have the tools (SCCM, although your previous story has me worried). If all you want is windows updates, office and adobe reader, that's not too hard (although the windows update part is easier in MDT). Create a task sequence that installs the OS, installs office (MS has a guide), installs adobe reader as an administrative install (or install the patches one by one in the task sequence) using adobe's customization tool, then installs windows updates. Violin. If you make a mistake when creating the task sequence, it's like lego to fix, and just as lego to update. New reader patch? Add it to the admin install or add the patch to the task sequence and you're done. Office/windows updates? Never have to think about it, they're all installed automatically. Takes longer to deploy than a thick image (although you can change that by doing build+capture, but that makes the setup a but more complex) Now, tell me that you want to get AutoCAD 2009 and Matlab automatically installed, and I'll buy you a bottle of advil from an online pharmacy. For certain packages, a bottle of vicodin. It all boils down to this: it's a balancing act between admin time setting up the deployment system and tech/user time setting up the individual computer. Every environment is different, it's important to make a business case that it's worth spending the time to learn the deployment skills. And once you get a year or more experience deploying operating systems and software with SCCM, go make a lot of money somewhere else.
|
|
#
?
Feb 17, 2012 04:51
|
|
|
quackquackquack posted:That's what I call "thick imaging", and I recommend avoiding it. Assuming I understand what you're asking. It's actually the easiest of the types of imaging to do: create your 'master' machine, make it absolutely perfect, sysprep it and create an image. Thanks for the tips. It basically comes down to this: Management has given us an expectation that a computer can be reimaged from nothing (or broken) to ready to go with all the software that is needed in an hour and a half. Right now we've got it setup that we can do it. But it requires us to delete and recreate the computer record in SCCM before reimaging. We can go into the specifics of it (I think I addressed it a little bit in previous posts?) but basically it's the fastest way for us to get the process done smoothly. The new issue arrives that management has also requested that onsite technicians be able to reimage machines without any help from the deployment team. The same onsite technicians who are famous for accidentally deleting nearly 3500 computers from the SCCM database, and accidentally reimaging managers machines in the middle of presentations. So we give them rights to delete and create machines in SCCM in order to meet the 1.5 hour reimaging deadline. Seriously, it's time to start looking for another job. 5 years of SCCM done correctly, and 6 months of SCCM done incorrectly has made me hate this more than I can describe.
|
|
#
?
Feb 17, 2012 05:04
|
|
|
Oh, that was you. From what I remember of that, I still advise you figure out why you're having to delete the computer from SCCM and fix that, instead of creating workarounds. Or get a new job.
|
|
#
?
Feb 17, 2012 05:13
|
|
|
Alternative option: create a pre-execution hook in WinPE that queries the SCCM database to find a computer with the same MAC address, and deletes it using a service account. But my previous post stands.
|
|
#
?
Feb 17, 2012 05:28
|
|
|
I glanced back to see what you're talking about in regards to deleting the computer, and we have the same thing happen with us. Thankfully all the "core" apps are installed in the task sequence, and eventually the collections take care of themselves.
|
|
#
?
Feb 17, 2012 05:40
|
|
|
quackquackquack posted:Oh, that was you. Yeah, I'm going to start looking into it once things slow down a little bit. Right now I'm stuck going through all of our task sequences to test Win7 compatibility, creating new powershell scripts for those 300 task sequences, and creating collections and advertisements for each of those task sequences. Gotta figure out a way to automate some of this.
|
|
#
?
Feb 17, 2012 06:50
|
|
|
spidoman posted:Thanks for the tips. You could do it like us. We have a base image with stuff everyone has (office 2010, frontmotion firefox, flash player etc.) Then, during deployment drivers gets applied based on the computer model, and other software and remaining updates not in the image gets deployed based on what collection you have the computer in. Collection variables works like a charm  Software updates for imaged computers you just push out with mandatory updates based on queries. This requires that you have someone who knows how to customize/repackage/script/automate software installs, or you could subscribe to a service for the most usual crap. You still need to make a repository of deployment scripts though (or risk having a shitton of cases where $program doesn't work because the software ran during update and it won't get fully installed before a reboot). Personally we usually pop up a dialog box that tells the user to close $program(s) (if it's running) within 90 minutes or it will get killed for them. We have had great success with this. The latest Flash Player update i deployed has ~11k succeeded clients and 31 failed.
|
|
#
?
Feb 17, 2012 10:21
|
|
|
I have the hope that SCCM 2012 is finally automatable with Powershell instead of having to develop stuff in C# .NET
|
|
#
?
Feb 17, 2012 10:28
|
|
|
peak debt posted:I have the hope that SCCM 2012 is finally automatable with Powershell instead of having to develop stuff in C# .NET What kind of tasks are you thinking about?
|
|
#
?
Feb 17, 2012 12:02
|
|
|
Ifan posted:We are currently having this issue while trying to build an image; So you are definitely applying it to the client install by modifying the task sequence? I've installed it without issue on a couple of sites. It is awful getting the syntax right but it will work if you do it right.
|
|
#
?
Feb 17, 2012 18:04
|
|
|
Ifan posted:What kind of tasks are you thinking about? A big plus would be the ability to add users to collections to publish software. One of the more stupid things about SCCM is that you can publish software to AD groups, but if you do it like that, the user has to logoff/logon again for the software to show up. If you just stick them into a collection, they get their software within 15 minutes.
|
|
#
?
Feb 17, 2012 23:11
|
|
|
Although I hear this has changed some in SCCM 2012, I early on stopped trying to have SCCM be an immediate tool. Having to wait on system discovery for AD group membership, then wait on the collection update interval, then wait on the client to check in... could mean a decent bit of time. More suited to proper planning than panic. Which we all know works reeeally well in most environments. Reminds me of a story! Another admin is screwing in SCCM, wants to deploy a new program. Accidentally scopes it to 'All Systems'. Starts pushing out, and he freaks out and deletes the advertisement. Classic lack of understanding how SCCM works! Not only does that delete any record of who actually had the software pushed to them, it still does not stop it from installing on computers that have already checked in. And I thought you could use Powershell to update collection membership? (and then refresh the collection)
|
|
#
?
Feb 17, 2012 23:29
|
|
|
MyLightyear posted:So you are definitely applying it to the client install by modifying the task sequence? Yes. Triple checked the MSI logs, the property gets set and the MSP transforms the MSI (I'm the resident software repackaging/deployment guy, our main image dude went on vacation so i had to take this case over). Microsoft Support confirmed it aswell by looking at some dumps. peak debt posted:A big plus would be the ability to add users to collections to publish software. Ah crap, never thought of that. All of our software is on a per-machine basis to avoid licensing issues. Are you sure it isn't possible to make something that asks you the specify AD group, put all the usernames into an array and then add it to a collection? Problem then would be if the AD group changes... There must be some other functionality that lets you refresh your users group membership so that the advertisement pops up without logging on and off? I'll do a test monday if i have the time to see if that behaviour is consistent with my environment. It just sounds wrong... quackquackquack posted:Reminds me of a story! Another admin is screwing in SCCM, wants to deploy a new program. Accidentally scopes it to 'All Systems'. Starts pushing out, and he freaks out and deletes the advertisement. Poor thing... That's why only me and one other guy are the only people allowed to push out stuff 
Ifan fucked around with this message at 00:22 on Feb 18, 2012 |
|
#
?
Feb 18, 2012 00:18
|
|
|
|
| # ? Apr 26, 2024 15:06 |
|
|
Per user stuff is the reason why AppV in conjunction with SCCM is an absolute dream. Speaking of dreams, wouldn't it be cool to have environments setup to be proactive instead of reactive?  quackquackquack posted:Although I hear this has changed some in SCCM 2012, I early on stopped trying to have SCCM be an immediate tool. I wish I could somehow get management to understand this.
|
|
#
?
Feb 18, 2012 09:04
|
|