FISHMANPET
Mar 3, 2007



Our domain(s) right now is held together with WSUS and GPO installed software, but we're working on SCCM right now. Our Windows guy doesn't know much about SCCM (which he will freely admit), but together we're kludging through it. We've got software deployment pretty much figured out (I hope) but we're pretty confused about imaging. Which is to say, we don't even know what the gently caress imaging is yet. We're just building fresh images for our installs so far, even though we both know there's a better way. But we're confused about where drivers go, and I brought up a doozy today: How do we keep an image up to date if it's full of frequently updated software (Firefox, Thunderbird, Adobe Reader, Flash, etc)? I know somebody here has to be way better than we are at this, so I was hoping for some advice.

Also, feel free to hijack this thread for other Enterprisy Windows talk, since there don't seem to be any threads for such things.

The Fool
Oct 16, 2003

"This song is in Rock Band."

Don't do Enterprise level stuff, but we run a WDS server to load customer machines.

WDS has a PXE boot image to "capture" the load of windows on whatever system you boot it with.

We maintain a separate VM for every configuration we need and just update them and then run the capture image about once a month (patch Tuesday, hooray). We run VM's for Windows XP Pro/Home, Vista Basic, Home Premium, and Business, 7 Home Premium, and business. And x64 versions of 7 Business and 7 Ultimate.

Our shop manager spends 4-5 hours a month maintaining those images.

Don't know how SCCM handles the imaging process, but if you have a handful of configurations you need to support, it's hard to beat VMware Workstation or similar.

adorai
Nov 2, 2002

10/27/04 Never forget

wds, wsus, gpo, sccm (not deploying images via sccm yet), and a whole lot of pstools.

No matter how you slice it, workstation management is going to require man hours, there's no way to automate everything.

Dan Landry
Oct 30, 2003
Stone Dead Forever

I've been meaning to check out the WSUS add-ons from EminentWare. They're pricey, but paying someone to take care of the dirty work with Adobe updates almost makes it worth it.

Updating JRE and Flash Player from WSUS? Sounds good to me.

zapateria
Feb 16, 2003


We started using SCCM recently and I've found it pretty neat to work with.

For OS deployment I installed Win 7 on a PC, then ran a capture of that image (tried earlier using the .WIM image on the Win7 install DVD but that defaulted to D: as system drive and you can't change that). That's your base image. You do installation through a "task sequence", which is a set of commands, like "format this drive, apply this image to system drive, add these drivers, install these programs".

So when software in your "image" (task sequence) needs to be updated, you just update the software packages and don't touch the image.

There's a separate "folder" in the CM console for Drivers and you can just drop new drivers in there to be part of the install.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert


Dan Landry posted:

I've been meaning to check out the WSUS add-ons from EminentWare. They're pricey, but paying someone to take care of the dirty work with Adobe updates almost makes it worth it.

Updating JRE and Flash Player from WSUS? Sounds good to me.

That's not really too terrible of pricing to be honest. Hell we paid 16 or 17K for Shavlik to manage 200 servers. I wonder if that's flexible at all?

I could easily sell this to management, but we have SCCM on our roadmap this year since we pay for it as part of our EA.

Thanks for that link though, I've never heard of that company

Misogynist
Jul 14, 2003



we pretty much let users do whatever they want and then hire twice as many techs as we would otherwise need to fix everything

TeMpLaR
Jan 13, 2001

"Not A Crook"

We use SCCM for imaging and deployment. It is a fantastically powerful tool that can be customized so much more than you would expect. Off network images? check. Pre-staging from OEM? yep. How about a group selection screen from the boot CD that means you can pick one of 30 images.

The next version will also do energy management. It's a fantastic product.

devmd01
Mar 7, 2006

This hat isn't the only
thing that's big

WSUS and GPOs for security policies, the rest is handled through Altiris.

Poorly.

I should know, I'm the one that does it.

FISHMANPET
Mar 3, 2007



devmd01 posted:

WSUS and GPOs for security policies, the rest is handled through Altiris.

Poorly.

I should know, I'm the one that does it.

I have no thoughts on Altiris, other than that the people that ran one of these domains used Altiris, were obsessed about patching, and hadn't installed 2.5 year old Windows Updates (or even SP3) and had oodles of old software laying around (Whoo Java 5.0 and Adobe Acrobat Reader 7.0!)

Also the loving hidden Altiris boot partition makes me want to hurt somebody.

I hope you are better with Altiris. Unless your office is now just down the hall from me, in which case, gently caress.

necrobobsledder
Mar 21, 2005
Lay down your soul to the gods rock 'n roll

Anyone know of any good, programmable management (and deployment) tools that handle Windows and Unixes well for server management aside from the usual suspects like MS SCCM / SMS? I'm trying to find something like Puppet, FAI, and cfengine for Windows and I'm basically being driven to (other, likely terrible) enterprise software suites. Because we're using a big ol' mix of Windows from between Windows 2000 up to Windows 2008 R2 for servers, sysprep doesn't seem to work so well for us and we're dissatisfied with the software we have (it's becoming a business liability to use it). It's so bad that if we can't figure out something soon, I'm going to quit right in the middle of the project (not that I wasn't thinking of it already).

Altiris is used for our desktop systems here unfortunately. Let's share in our misery

Dan Landry
Oct 30, 2003
Stone Dead Forever

skipdogg posted:

That's not really too terrible of pricing to be honest. Hell we paid 16 or 17K for Shavlik to manage 200 servers. I wonder if that's flexible at all?

I think you're mostly paying for them to create and deliver the update packages to you. From my understanding, they have a running list of products (like Acrobat Reader, etc.) they support. There's a complete list on their support site, but you need to register to see it.

Even still, it solves a pretty big problem in the application management world right now.

John Kruk
Aug 7, 2004



Is SCCM an addon for the Domain Controller? The place I work at is a bit strange in that we have full control over a section of our AD but we can't make higher level changes. We can put management tools on our servers no problem so I just want to confirm that it is possible.

peak debt
Mar 10, 2001
b& :(

demonachizer posted:

Is SCCM an addon for the Domain Controller? The place I work at is a bit strange in that we have full control over a section of our AD but we can't make higher level changes. We can put management tools on our servers no problem so I just want to confirm that it is possible.

It may need to do a schema modification depending on what has been used before. The SCCM installer has a quick prerequisite checker that will tell you if that needs to be done. If the schema is ok, you can manage software deployment just by having administrative control over the clients, updating with a group policy and image deployment by having admin control over the DHCP server.

John Kruk
Aug 7, 2004



peak debt posted:

It may need to do a schema modification depending on what has been used before. The SCCM installer has a quick prerequisite checker that will tell you if that needs to be done. If the schema is ok, you can manage software deployment just by having administrative control over the clients, updating with a group policy and image deployment by having admin control over the DHCP server.


Bleh no admin control over DHCP. Just over the AD for our area of the university and of course all of our clients. If we are lucky one of the larger groups will have implemented this already and we can ride their coat tails as far as schema changes, otherwise it becomes a way larger pain in the rear end since it is unlikely they will change something that affects 30k machines to make our lives easier with 1500ish.

Are there lots of things that have to be done on the DHCP server to get the deployment end up and running? We have a decent relationship with the network group so if it is a one time configuration issue we might be ok but if it is something that has to be done with each new client probably not. Currently we can request static IP addresses and poo poo from them based on MACs so if that is all that is needed we are ok.

John Kruk fucked around with this message at Jul 13, 2010 around 18:00

FISHMANPET
Mar 3, 2007



demonachizer posted:

Bleh no admin control over DHCP. Just over the AD for our area of the university and of course all of our clients.

Are there lots of things that have to be done on the DHCP server to get the deployment end up and running?

You would only need DHCP to do PXE installs, and you can work around that by creating a task sequence disk that basically contains the boot image that PXE would give you, so that it can pull the rest of the stuff off the server. And once you're going with SCCM you don't need to PXE boot anymore, because you can advertise a reinstall to a running client, and SCCM will just do it.

I have these fantastical visions of reimaging the whole office to Win 7 one night while I sleep, but I know that won't happen. I can dream.

vty
Nov 8, 2007

oh dott, oh dott!


Anyone dealt with rolling out SCCM/SCVMM to a pretty old and stable 2k3/2k8 forest? I'm curious if any issues tend to arise when dumping it into a rolling environment. (Yes, yes, I should be testing)

devmd01
Mar 7, 2006

This hat isn't the only
thing that's big

FISHMANPET posted:

Also the loving hidden Altiris boot partition makes me want to hurt somebody.

I hope you are better with Altiris. Unless your office is now just down the hall from me, in which case, gently caress.

gently caress the hidden boot partition, we don't roll with that poo poo. I'm moderately competent (NS can go to hell and I've convinced everyone we don't need to use it), but God help us if our Altiris server ever goes tits-up...our CIO is a cheapass and has refused to get our maintenance contract current, so no access to product downloads, updates, etc...

peak debt
Mar 10, 2001
b& :(

demonachizer posted:

Are there lots of things that have to be done on the DHCP server to get the deployment end up and running? We have a decent relationship with the network group so if it is a one time configuration issue we might be ok but if it is something that has to be done with each new client probably not. Currently we can request static IP addresses and poo poo from them based on MACs so if that is all that is needed we are ok.

It's just a 1 minute change to one of the DHCP options of your scope to enable F12 booting.

TeMpLaR
Jan 13, 2001

"Not A Crook"

vty posted:

Anyone dealt with rolling out SCCM/SCVMM to a pretty old and stable 2k3/2k8 forest? I'm curious if any issues tend to arise when dumping it into a rolling environment. (Yes, yes, I should be testing)

No issues.

monkeybounce
Feb 9, 2007


zapateria posted:

We started using SCCM recently and I've found it pretty neat to work with.

For OS deployment I installed Win 7 on a PC, then ran a capture of that image (tried earlier using the .WIM image on the Win7 install DVD but that defaulted to D: as system drive and you can't change that). That's your base image. You do installation through a "task sequence", which is a set of commands, like "format this drive, apply this image to system drive, add these drivers, install these programs".

So when software in your "image" (task sequence) needs to be updated, you just update the software packages and don't touch the image.

There's a separate "folder" in the CM console for Drivers and you can just drop new drivers in there to be part of the install.

There's (in my opinion) an easier way to do a deployment with SCCM that supports multiple configurations and doesn't require a stock image.

Start a build and capture task sequence using Operating System Installation Files, modify the task sequence to add all of your software/etc then delete the capture part of the sequence.

I've got a series of scripts (if anyone wants them, I'll post them) that will prompt for Username/Department/etc and creates task sequence variables which then drive the rest of the installation.

For example, when I start the task sequence, I get prompted for Username and Department. It creates a variable to name the computer JSMITH-WS and then installs software based upon that department.

There's 1 task sequence for all of my machines, no need to gently caress around with base images and sysprep. I've even allowed end users to rebuild their own machines when they've gotten a virus and I've been out of the office.

It's an amazing product and Microsoft really hit the nail on the head with it. My only complaint is the "welcome" page any time you start a wizard.

monkeybounce fucked around with this message at Jul 14, 2010 around 15:42

FISHMANPET
Mar 3, 2007



monkeybounce posted:

There's (in my opinion) an easier way to do a deployment with SCCM that supports multiple configurations and doesn't require a stock image.

Start a build and capture task sequence using Operating System Installation Files, modify the task sequence to add all of your software/etc then delete the capture part of the sequence.

I've got a series of scripts (if anyone wants them, I'll post them) that will prompt for Username/Department/etc and creates task sequence variables which then drive the rest of the installation.

For example, when I start the task sequence, I get prompted for Username and Department. It creates a variable to name the computer JSMITH-WS and then installs software based upon that department.

There's 1 task sequence for all of my machines, no need to gently caress around with base images and sysprep. I've even allowed end users to rebuild their own machines when they've gotten a virus and I've been out of the office.

It's an amazing product and Microsoft really hit the nail on the head with it. My only complaint is the "welcome" page any time you start a wizard.

We're currently trying to figure out if we want to build and capture then image, or just build each time. We don't have a lot of the same hardware (although it's all Dell Optiplex, so it's probably pretty similar) so I'm thinking it might just make more sense to do a new build each time.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert


Anyone running a Zero Touch imaging setup with SCCM?

I'm using Ghost right now, and between the Ghost Console and a batch file we crafted, I'm in a totally zero touch environment right now. The problem is rolling out new packages. Doesn't always work well. Ghost AI packages work well for some things, but not for others.

I'm in a call center, so I have 300 workstations (4 different models) that all need the same software loadout.

monkeybounce
Feb 9, 2007


FISHMANPET posted:

We're currently trying to figure out if we want to build and capture then image, or just build each time. We don't have a lot of the same hardware (although it's all Dell Optiplex, so it's probably pretty similar) so I'm thinking it might just make more sense to do a new build each time.

That's why I'm doing it this way. Not a single piece of our hardware is standardized, so everything is a different configuration/drivers/etc.

The build each time does take marginally longer, but it's way easier in terms of managing poo poo.

skipdogg posted:

Anyone running a Zero Touch imaging setup with SCCM?


SCCM is essentially Zero Touch by its nature. You can add scripts/prompts etc to the TS, but you don't have to.

If you need absolutely no user intervention, you just advertise the task sequence to a collection and set a required flag. If the machine already has the SCCM client installed, it'll start the TS from Windows. If it doesn't, then you'll need to enable PXE booting, but I'm sure you'd have to do that with Ghost as well.

Honestly, SCCM blows Ghost out of the water.

Having never used Ghost AI packages before, I'm not sure how they work, but I'm assuming they're software/settings packaged up and pushed out? If so, package deployment on SCCM is a matter of creating a package, adding the installation parameters (it will do this automatically for MSIs), and then putting it on a Distribution Point. Once it's there you advertise it to whatever collection you want.

When a new version of the software comes out, just update the package. Task sequences that are set to use it will get it and you can advertise the update as you need.

Lyon
Apr 17, 2003


SCCM is pretty awesome, I've also played around with Altiris and LANDesk. I don't actually manage any of these things but SCCM seems like it can do pretty much everything most people will need unless you've got a really massive widespread network to take care of.

I actually work for a "cloud" IT company (thinking about killing myself) that would be a competitor to all of these products but at one point we tested out all of the above and some other small players to see what we could take from them.

Cpt.Wacky
Apr 17, 2005


Unattended for automated Windows installs. WSUS for Windows/Office updates. WPKG for non-MS software updates.

Syano
Jul 13, 2005


Cpt.Wacky posted:

Unattended for automated Windows installs. WSUS for Windows/Office updates. WPKG for non-MS software updates.

I've never seen WPKG. Can you give me a little insider info on how it works for you, maybe some things you like and don't like?

Cpt.Wacky
Apr 17, 2005


Syano posted:

I've never seen WPKG. Can you give me a little insider info on how it works for you, maybe some things you like and don't like?

It's a free open source project so naturally the documentation is garbage. Sorry if this is a bit long, but I've been meaning to write some documentation on WPKG and this is about as close as I'm going to get for a while.

Basically it's a single JavaScript file. It reads from 3 XML files from a file server share that define software packages, software profiles, and hosts. On the workstation side you install the WPKG Client which is just a service that runs as SYSTEM. The service runs wpkg.js at start up, which then pulls the 3 XML files off a file server share.

Every piece of software you want to potentially install on any machine gets a definition in packages.xml. The package definition has an ID, like a short name that doesn't change with new versions like "pdfcreator" and a full name including version that shows up in event log messages. Then it has a revision number which is different from the software version (although many people put the version in there and it's a bad idea). The revision number is how wpkg.js knows that it needs to update the software from the new package definition. There are some other fields like whether or not reboot is allowed afterwards and a priority level.

The package definition has one or more "checks" to determine the installed version, and then one or more actions for install, update, and remove. The actions are processed in order.

Here's a simple example for Silverlight:

code:
<package
	id="silverlight"
	name="Microsoft Silver Light 4.0.50524.0"
	revision="3"
	reboot="false"
	priority="50">
		
	<check
		type="uninstall"
		condition="versionequalto"
		path="Microsoft Silverlight"
		value="4.0.50524.0" />
		
	<install cmd='"%SOFTWARE%\apps\silverlight\Silverlight-4.0.50524.0.exe" /q /noupdate' />
	<upgrade cmd='"%SOFTWARE%\apps\silverlight\Silverlight-4.0.50524.0.exe" /q /noupdate' />
	<remove cmd='msiexec /qn /x{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}' />
</package>

The website has a wiki full of package definitions for different software packages, but the quality varies, and it's not too hard to make your own.

Once you have your packages defined then you can start making software profiles. I use a default profile that includes the software everyone gets, and then extra profiles for any software that only some machines get. You can make one profile depend on another profile and hosts can be assigned multiple profiles.

code:
<profile id="default">
	<package package-id="firefox" />
	<package package-id="thunderbird" />
	<package package-id="flashplayer_ie" />
	<package package-id="flashplayer_mozilla" />
	<package package-id="reader" />
	<package package-id="java" />
	<package package-id="pdfcreator" />
</profile>

<profile id="Silverlight">
	<depends profile-id="default" />
	<package package-id="silverlight" />
</profile>

Once you have the profiles, then you assign them to hosts based on the Windows computer name. You can give a host one or more software profiles, and use regexes to match computer names.

code:
<host name="foo" profile-id="default">
	<profile id="Reception" />
</host>
	
<host name=".+" profile-id="default" />

I pushed out WPKG client with psexec and then use psservice to start the service on a new install. You can also use psservice to restart the WPKG service which will cause it to check for new updates.

I use a dedicated machine for testing new package definitions. It has a WPKG Client configured to get its XML files from \\server\WPKG-test instead of \\server\WPKG. When they're ready to deploy I just copy them over to \\server\WPKG.

What I like about it is that it makes sense to my unixy mind. It works a lot like unix-style package systems, and it's all driven by text files. I also like how easy and automated it is to use once you figure it out and get it set up. I don't have to spend weekends at work manually updating software anymore. Ugh.

What I don't like is the reporting, which is basically non-existent. You can connect to the remote event viewer logs to see the messages but I find that inconvenient. I rolled my own Python script to find the installed versions of software and report if it's not current. This hasn't been a big issue though, WPKG just works.
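
Added example, not part of the post above and not WPKG's own code: a simplified Python model of the packages/profiles/hosts relationship the post describes, used to report which packages a host is missing or holds at an older revision. The XML and the inventory are constructed samples; the function names and the first-match-wins, case-insensitive host matching are assumptions of this example, not documented wpkg.js behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files, modelled on the snippets in the post above.
PACKAGES_XML = """<packages>
  <package id="firefox" name="Mozilla Firefox" revision="12" />
  <package id="reader" name="Adobe Reader" revision="7" />
  <package id="java" name="Java Runtime" revision="4" />
  <package id="silverlight" name="Microsoft Silverlight" revision="3" />
</packages>"""
PROFILES_XML = """<profiles>
  <profile id="default">
    <package package-id="firefox" />
    <package package-id="reader" />
    <package package-id="java" />
  </profile>
  <profile id="Silverlight">
    <depends profile-id="default" />
    <package package-id="silverlight" />
  </profile>
</profiles>"""
HOSTS_XML = """<hosts>
  <host name="foo" profile-id="default">
    <profile id="Silverlight" />
  </host>
  <host name=".+" profile-id="default" />
</hosts>"""

def load_revisions(xml_text):
    """Map package id -> current revision number from packages.xml."""
    root = ET.fromstring(xml_text)
    return {p.get("id"): int(p.get("revision")) for p in root.iter("package")}

def load_profiles(xml_text):
    """Map profile id -> (its own package ids, profile ids it depends on)."""
    profiles = {}
    for prof in ET.fromstring(xml_text).iter("profile"):
        pkgs = [p.get("package-id") for p in prof.findall("package")]
        deps = [d.get("profile-id") for d in prof.findall("depends")]
        profiles[prof.get("id")] = (pkgs, deps)
    return profiles

def profiles_for_host(xml_text, hostname):
    """Profiles of the first <host> whose name regex matches the whole name."""
    # Assumption: first match in file order wins, compared case-insensitively.
    for host in ET.fromstring(xml_text).iter("host"):
        if re.fullmatch(host.get("name"), hostname, re.IGNORECASE):
            extra = [p.get("id") for p in host.findall("profile")]
            return [host.get("profile-id")] + extra
    return []

def expected_packages(profiles, profile_ids):
    """Expand profiles and their <depends> chains into a set of package ids."""
    seen, wanted, stack = set(), set(), list(profile_ids)
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue  # already expanded; also stops dependency loops
        seen.add(pid)
        if pid not in profiles:
            raise KeyError(f"profile {pid!r} is referenced but not defined")
        pkgs, deps = profiles[pid]
        wanted.update(pkgs)
        stack.extend(deps)
    return wanted

def compliance_report(hostname, installed):
    """Return {package id: problem}; `installed` maps id -> applied revision."""
    revisions = load_revisions(PACKAGES_XML)
    wanted = expected_packages(load_profiles(PROFILES_XML),
                               profiles_for_host(HOSTS_XML, hostname))
    report = {}
    for pkg in sorted(wanted):
        if pkg not in revisions:
            report[pkg] = "not defined in packages.xml"
        elif pkg not in installed:
            report[pkg] = "missing"
        elif installed[pkg] < revisions[pkg]:
            report[pkg] = f"outdated (has {installed[pkg]}, wants {revisions[pkg]})"
    return report

if __name__ == "__main__":
    # Constructed inventory of applied revisions per host.
    inventory = {"foo": {"firefox": 12, "reader": 6, "java": 4},
                 "lab-pc-07": {"firefox": 12, "reader": 7, "java": 4}}
    for host, installed in inventory.items():
        print(host, compliance_report(host, installed) or "all current")
```

How the per-host inventory is collected is left open here; the comparison only needs the revision each host last applied.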

FISHMANPET
Mar 3, 2007



SCCM guys, how do you deal with your drivers? Right now we're making a folder for each driver, and then putting the driver in that folder, and then making a package named the same as the folder. I know this is a terrible way to do it, but we just don't know enough about SCCM yet to know how to do it the right way.

CISADMIN PRIVILEGE
Aug 15, 2004

optimized multichannel
campaigns to drive
demand and increase
brand engagement
across web, mobile,
and social touchpoints,
bitch!


We have an awesome GPO thread, a virtualization thread, Cisco thread and a few others, does anyone think perhaps a Windows Server Network Admin Megathread is called for?

FISHMANPET
Mar 3, 2007



bob arctor posted:

We have an awesome GPO thread, a virtualization thread, Cisco thread and a few others, does anyone think perhaps a Windows Server Network Admin Megathread is called for?

I made this thread with the intention of it turning into something like this

CISADMIN PRIVILEGE
Aug 15, 2004

optimized multichannel
campaigns to drive
demand and increase
brand engagement
across web, mobile,
and social touchpoints,
bitch!


FISHMANPET posted:

I made this thread with the intention of it turning into something like this

The good thing about the general megathread format is the whole bunch of links at the top and a good number of people see the megathread name and know that's the good generic place to go.

FISHMANPET
Mar 3, 2007



gently caress, this is killing me. Is there a way to stop advertising a task sequence to a collection?

PUBLIC TOILET
Jun 13, 2009



SCCM to handle remote desktop sessions with client workstations, WSUS to handle updates and WDS 2010 to do imaging of machines.

WDS 2010 is so complex I'd rather be using Clonezilla or Novell Zenworks to image machines. How difficult is it to configure workstation imaging via SCCM?

quackquackquack
Nov 10, 2002


FISHMANPET posted:

gently caress, this is killing me. Is there a way to stop advertising a task sequence to a collection?

As in, "oops, I didn't mean to do that"?

You can remove the read rights from the folder on the deployment point, but that is if you are advertising a package.

Whatever you do, don't delete the advertisement. If you do, you lose all logs about who was affected.

For drivers, I make one driver package for each model computer. In my task sequence, I use installation media instead of a wim. I use WMI conditions on each "apply driver package" to restrict it to the appropriate model.

I prefer using installation media instead of a wim so that if anything changes (new model computer, new version of software) it is a matter of swapping out one step in the task sequence.

We do not have control of DHCP either (woo academia), so we perform DVD media installs. When you create the DVD image, it asks you if you want to specify any task sequence variables. If you specify something like 'Hostname' to have no value, you can then put a step in your task sequence that sets OSDComputerName (or whatever the correct task sequence variable for hostname is) equal to 'Hostname'. When running the deployment DVD, it will prompt you for a value for 'Hostname'. You could also write an HT, or use scripts, but this is a simple way to do it.

During our big Vista rollout a while back, we needed to specify hostname, container, and username (to add to the local admin group, because everyone is an admin on their computer, woo!), but everything else was automated.

FISHMANPET
Mar 3, 2007



Noel posted:

As in, "oops, I didn't mean to do that"?

You can remove the read rights from the folder on the deployment point, but that is if you are advertising a package.

Whatever you do, don't delete the advertisement. If you do, you lose all logs about who was affected.

For drivers, I make one driver package for each model computer. In my task sequence, I use installation media instead of a wim. I use WMI conditions on each "apply driver package" to restrict it to the appropriate model.

I prefer using installation media instead of a wim so that if anything changes (new model computer, new version of software) it is a matter of swapping out one step in the task sequence.

We do not have control of DHCP either (woo academia), so we perform DVD media installs. When you create the DVD image, it asks you if you want to specify any task sequence variables. If you specify something like 'Hostname' to have no value, you can then put a step in your task sequence that sets OSDComputerName (or whatever the correct task sequence variable for hostname is) equal to 'Hostname'. When running the deployment DVD, it will prompt you for a value for 'Hostname'. You could also write an HT, or use scripts, but this is a simple way to do it.

During our big Vista rollout a while back, we needed to specify hostname, container, and username (to add to the local admin group, because everyone is an admin on their computer, woo!), but everything else was automated.

We want to get rid of an advertisement of a task sequence. We're still in testing, so we make a lot of advertisements, and the best we've come up with is to make a new collection for each new iteration of our task sequence.

quackquackquack
Nov 10, 2002


Right click disable? (although that disables each advertisement of the task sequence)

I'm not sure I quite understand your language.

FISHMANPET
Mar 3, 2007



Noel posted:

Right click disable? (although that disables each advertisement of the task sequence)

I'm not sure I quite understand your language.

I don't even know where to find a task sequence advertisement.

Let's try it this way I suppose. I've got my task sequence all good to go, and I set it to advertise to a collection. Whoops, I forgot to check the box that says "Advertise this to PXE boots." So, I want to keep the collection, and I want to keep the task sequence, but I don't want to keep that particular advertisement. Does that make sense, or have I gone so far off the deep end that I should go back to playing with blocks?

zapateria
Feb 16, 2003


Just go to Software Distribution -> Advertisements, you'll find your advertised task sequences there. Delete it. Task Sequence is still alive (under Operating System Deployment -> Task Sequences), advertisement is gone.

FISHMANPET
Mar 3, 2007



zapateria posted:

Just go to Software Distribution -> Advertisements, you'll find your advertised task sequences there. Delete it. Task Sequence is still alive (under Operating System Deployment -> Task Sequences), advertisement is gone.

gently caress we are such idiots how did we never see this. I thought I'd looked in that section already, but I forgot to actually use my eyes.
