RICHUNCLEPENNYBAGS
Dec 21, 2010

quackquackquack posted:

Stop trying to reinvent the wheel. Look at MDT (with or without WDS).

I didn't know I was reinventing the wheel, to be honest.


peak debt
Mar 11, 2001
b& :(
Nap Ghost
If you run such scripts, they need to be run under the actual "administrator" account. That one ignores all UAC settings and lets scripts run with admin rights by default. So you will need to enable the administrator account in the unattend xml instead of it creating the normal Win7 default account.

To get the model name you can use:
gwmi win32_computersystem | select model

RICHUNCLEPENNYBAGS
Dec 21, 2010

peak debt posted:

If you run such scripts, they need to be run under the actual "administrator" account. That one ignores all UAC settings and lets scripts run with admin rights by default. So you will need to enable the administrator account in the unattend xml instead of it creating the normal Win7 default account.

To get the model name you can use:
gwmi win32_computersystem | select model

Cool! How could I feed that model name into the computer description though? That's the part I couldn't figure.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
Powershell is a full programming language, you can do whatever you want with it once you have a text value in a variable somewhere...

i.e.
$computer = gwmi win32_computersystem
$computer.rename($computer.model)

This code of course won't make much sense like this because the model name probably contains spaces that you cannot use in the PC name, and you cannot name every PC the same name of course so you will need to do some additional manipulation.

RICHUNCLEPENNYBAGS
Dec 21, 2010

peak debt posted:

Powershell is a full programming language, you can do whatever you want with it once you have a text value in a variable somewhere...

i.e.
$computer = gwmi win32_computersystem
$computer.rename($computer.model)

This code of course won't make much sense like this because the model name probably contains spaces that you cannot use in the PC name, and you cannot name every PC the same name of course so you will need to do some additional manipulation.

Yes, but, what I want to do is give the serial number as the name (which I've already worked out) and then make the description the model number (which I haven't worked out).

quackquackquack
Nov 10, 2002

RICHUNCLEPENNYBAGS posted:

I didn't know I was reinventing the wheel, to be honest.

I wasn't trying to be insulting. MDT has a relatively low learning curve, but will do a lot of what you want to do without writing custom scripts.

Why is the computer model important to put in the description?

RICHUNCLEPENNYBAGS
Dec 21, 2010

quackquackquack posted:

I wasn't trying to be insulting. MDT has a relatively low learning curve, but will do a lot of what you want to do without writing custom scripts.

Why is the computer model important to put in the description?

It's not absolutely crucial, I guess, but I'd like to be able to see the models at a glance in AD. My boss would appreciate it as well, I think. I mean, yeah, you can get the information through Spiceworks or whatever else too so the world won't collapse if we don't have it. But I didn't imagine it would be very difficult to do.

I'm still kind of feeling my way around this stuff; I stumbled into this career basically and went from not having really used Windows for years to all the sudden managing Windows servers and desktops so not everything is obvious to me.

quackquackquack
Nov 10, 2002

RICHUNCLEPENNYBAGS posted:

It's not absolutely crucial, I guess, but I'd like to be able to see the models at a glance in AD. My boss would appreciate it as well, I think. I mean, yeah, you can get the information through Spiceworks or whatever else too so the world won't collapse if we don't have it. But I didn't imagine it would be very difficult to do.

I'm still kind of feeling my way around this stuff; I stumbled into this career basically and went from not having really used Windows for years to all the sudden managing Windows servers and desktops so not everything is obvious to me.

I strongly recommend you dive into MDT, and we'll be happy to answer any questions you might have while implementing it.

RICHUNCLEPENNYBAGS
Dec 21, 2010
Alright, if that's gonna work better than my homespun scripts I guess that's what I'll do. It's hard to keep straight the wide array of tools you have for this stuff, WAIK, MDT, WDS, etc.

quackquackquack
Nov 10, 2002
MDT uses WAIK (although you never really have to launch it), and can use WDS as a delivery mechanism... or you can use a boot CD, or a "thick" DVD (all the data is on the DVD)

You want to grab the "print ready documentation", and the "technical reference" (iirc) for when you have specific questions.

The "standard client task sequence" (I'm sure I am getting the exact name wrong) has a lot of conditional logic in it, and is a hell of a lot more complicated than it needs to be if you're just deploying new PCs. I'll try and remember to post a screenshot of my pared down task sequence tomorrow.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
MDT will help with adding applications and making editing the unattend file more convenient, but it cannot do everything either. I'm pretty sure if you want to change the description you will still have to do it by a script.

But you can find this stuff out on the Internet, as:
http://lmgtfy.com/?q=powershell+change+computer+description

The first result mentions that you can change the local computer description with:
$comp = gwmi win32_operatingsystem
$comp.description = "User: $dn Location: $office"
$comp.put()

So to use the model name, you change this to:
$computer = gwmi win32_computersystem
$comp = gwmi win32_operatingsystem
$comp.description = $computer.model
$comp.put()
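As an added example that is not code from the thread: a script that does what RICHUNCLEPENNYBAGS describes (BIOS serial number as the computer name, model as the description), with the name sanitising peak debt mentions. It is written against the same Get-WmiObject cmdlet used above so it works on Windows 7 / PowerShell 2.0, and assumes an elevated session, for instance from the unattend first-logon step. One caveat before expecting to "see the models at a glance in AD": Win32_OperatingSystem.Description is the local computer comment (what net view and Explorer show), not the description attribute of the AD computer object. The middle part writes that attribute over ADSI as well; it needs a domain-joined machine and an account with write access to the computer object, and the placeholder-serial list is an assumption drawn from commonly seen vendor strings.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 2.0 session
# on Windows 7 (hence Get-WmiObject, not the newer CIM cmdlets).

$cs   = Get-WmiObject Win32_ComputerSystem
$bios = Get-WmiObject Win32_BIOS
$os   = Get-WmiObject Win32_OperatingSystem

# NetBIOS-safe name from the BIOS serial: letters, digits and hyphens only,
# at most 15 characters. Some vendors ship placeholder serials, so refuse to
# rename when what is left is empty or obviously not a serial (assumed list).
$serial = ($bios.SerialNumber -replace '[^A-Za-z0-9\-]', '').ToUpper()
if ($serial.Length -gt 15) { $serial = $serial.Substring(0, 15) }
if ($serial -eq '' -or $serial -match '^(0+|TOBEFILLED.*|SYSTEMSERIALNUMBER|DEFAULTSTRING)$') {
    throw "BIOS serial '$($bios.SerialNumber)' is not usable as a computer name"
}

# The description is free text, so manufacturer + model with whitespace collapsed
# is fine. This is the local machine comment shown by net view / Explorer.
$model = (('{0} {1}' -f $cs.Manufacturer, $cs.Model) -replace '\s+', ' ').Trim()
$os.Description = $model
$os.Put() | Out-Null

# The AD computer object's description attribute is a separate thing. Writing it
# needs a joined machine and an account with write access to the object (a
# computer account cannot set its own description by default), hence try/catch.
try {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($cs.Name)`$))"
    $hit = $searcher.FindOne()
    if ($hit) {
        $obj = $hit.GetDirectoryEntry()
        $obj.Put('description', $model)
        $obj.SetInfo()
    }
} catch {
    Write-Warning "AD description not updated: $($_.Exception.Message)"
}

# Rename last: it takes effect on reboot and the AD lookup above used the current
# name. Rename() returns an object whose ReturnValue is 0 on success; on a
# domain-joined machine use the overload $cs.Rename($serial, $password, $user).
if ($cs.Name -ne $serial) {
    $r = $cs.Rename($serial)
    if ($r.ReturnValue -ne 0) { throw "Rename to $serial failed, return code $($r.ReturnValue)" }
    Write-Host "Renamed to $serial; reboot to apply"
}
```

Run it once per machine after the OS is laid down; if it runs before the domain join, the ADSI part simply warns and the local description and name are still set.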

RICHUNCLEPENNYBAGS
Dec 21, 2010

peak debt posted:

MDT will help with adding applications and making editing the unattend file more convenient, but it cannot do everything either. I'm pretty sure if you want to change the description you will still have to do it by a script.

But you can find this stuff out on the Internet, as:
http://lmgtfy.com/?q=powershell+change+computer+description

The first result mentions that you can change the local computer description with:
$comp = gwmi win32_operatingsystem
$comp.description = "User: $dn Location: $office"
$comp.put()

So to use the model name, you change this to:
$computer = gwmi win32_computersystem
$comp = gwmi win32_operatingsystem
$comp.description = $computer.model
$comp.put()

Sick. Thanks. I swear I tried to Google it before asking.

LoKout
Apr 2, 2003

Professional Fetus Taster

skipdogg posted:

Nothing is wrong with WSUS, we have a WSUS infrastructure in place, but it doesn't meet the objectives of the project I'm working on.

Price isn't that important, I will gladly pay VMWare their 20 grand, but if I can get similar functionality for a lower price, I obviously would have to consider it. We've always been in a situation where we have plenty of money to throw at a problem, but never enough manpower. Headcount is frozen for the foreseeable future.

SCCM is off the table for a few reasons... mostly manpower related. We're short on manpower right now with other deliverables and getting System Center rolled out properly in the timeframe we have isn't feasible. It's on the roadmap for next year. I need a 1 year solution to make the auditors happy.

So if anyone is familiar with GFI LanGuard or SolarWinds Patch Manager/ Eminentware please share your experience.

Unfortunately I don't have experience with the products you're asking about, but I felt compelled enough to note that I am surprised that WSUS doesn't provide what you're looking for, while SCCM will. The patching is almost exactly the same between the two products, and in my past jobs where I need to comply with auditors I was able to convince them that WSUS did everything they wanted.

That being said, I've used other SolarWinds products and they are decent. They have come a long ways in recent years and I would try anything they make now for a low cost alternative to higher end products (given that I don't need high scalability).

I think at this point you'd be most concerned with something that meets your audit requirements and you should look for that over all else.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
So a problem I'm having with SCCM deployment. I've been forced to switch to imaging computers rather than build from scratch, because of pesky Broadcom drivers. So I've got a task sequence to make the image which works just fine, except when I deploy the image it doesn't ever check in properly with the SCCM server. SCCM detects it through AD discovery, but on the client I have to manually run one of the actions (and the only ones that show up are "Machine Policy Retrieval & Evaluation Cycle" and "User Policy Retrieval & Evaluation Cycle"). This creates a new entry for that machine, which I then have to approve in the ConfigMgr console.

I never had this problem when I would build machines on bare metal, but I've had it on every computer I've imaged.

Sudden Loud Noise
Feb 18, 2007

FISHMANPET posted:

So a problem I'm having with SCCM deployment. I've been forced to switch to imaging computers rather than build from scratch, because of pesky Broadcom drivers. So I've got a task sequence to make the image which works just fine, except when I deploy the image it doesn't ever check in properly with the SCCM server. SCCM detects it through AD discovery, but on the client I have to manually run one of the actions (and the only ones that show up are "Machine Policy Retrieval & Evaluation Cycle" and "User Policy Retrieval & Evaluation Cycle"). This creates a new entry for that machine, which I then have to approve in the ConfigMgr console.

I never had this problem when I would build machines on bare metal, but I've had it on every computer I've imaged.

Is the SCCM client built into the image, or is it part of the task sequence?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

spidoman posted:

Is the SCCM client built into the image, or is it part of the task sequence?

Um, both? It's applied in both tasks. I know it has to be in the build & capture so it can install the software and updates, should I leave it out of the deploy? The build a task sequence wizard includes them in both tasks.

InfiniteDonkey
Jul 27, 2007

I think I need a hug.
Does anybody have DirectAccess implemented and in use? If so do you use Oracle?

I'm currently evaluating DirectAccess and in the process of testing different software we use, and I just can't seem to get one Oracle Forms application to connect to its database no matter what I do. I checked tnsnames.ora and sqlnet.ora that all the connectors are made with FQDN names and not with IPs.

ddiddles
Oct 21, 2008

Roses are red, violets are blue, I'm a schizophrenic and so am I
This may not be the thread to post this in, as my work really isn't at Enterprise level, but I couldnt find a more relevant one to ask this question.

Right now I have one physical server with 2008R2 standard running one virtual machine (2008r2 standard as well) running on it. The non virtual portion of the server acts as our AD, our file server, and our print server, and the virtual machine takes care of VPN access and WSUS.

My company is moving buildings, and the CEO asked me if there was any new tech stuff I needed so he could put it in the budget.

I'm planning on getting a decent rack server and converting everything into virtual machines, as well as getting a few copies of Server 2008. Most of my budget will be eaten up by getting our licensing up to MS standards, so I only have about 5-6 grand to work with.

My question is, is there a better option out there that I'm not seeing other than giving AD two virtual machines, with one for redundancy, moving our files over to a NAS and having two more virtual machines (4 licenses is all I can budget for) that take care of File Services, VPN, WSUS, and Print Services?

The company is only about 35 employees with about 20-25 computers/printers floating around at any point in time, so the load isn't demanding at all, I'd just like to un-gently caress the situation I inherited a year ago when we do the move.

Nebulis01
Dec 30, 2003
Technical Support Ninny

InfiniteDonkey posted:

Does anybody have DirectAccess implemented and in use? If so do you use Oracle?

I'm currently evaluating DirectAccess and in the process of testing different software we use, and I just can't seem to get one Oracle Forms application to connect to its database no matter what I do. I checked tnsnames.ora and sqlnet.ora that all the connectors are made with FQDN names and not with IPs.

I'm getting ready to set it up, are you using Forefront UAG with it to do NAT64/DNS64? Did you have an existing PKI or did you stand one up just for DirectAccess? I'd love to pick your brain on how you like it.

zapateria
Feb 16, 2003
Short question, in Config Manager 2012, you can set up subscriptions to reports. How do I create and use a shared schedule for these?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

spidoman posted:

Is the SCCM client built into the image, or is it part of the task sequence?

So how should I be deploying the client? Right now I've got a build & capture task sequence that installs the client with some properties that allow the machine to install updates without being on the domain. So I'm pretty sure that's required. Then in the deploy image sequence I install it again, should I take it out of that step?

InfiniteDonkey
Jul 27, 2007

I think I need a hug.

Nebulis01 posted:

I'm getting ready to set it up, are you using Forefront UAG with it to do NAT64/DNS64? Did you have an existing PKI or did you stand one up just for DirectAccess? I'd love to pick your brain on how you like it.

Yes, we're using Forefront UAG to do the traversal. We also had an existing PKI that we use for authenticating computers that connect to the corporate wireless network.

I've now used DirectAccess for about a week. I first had problems with one of our DCs not being able to find the NLS site and because of that my computer thought that it was outside the corporate network even though it wasn't. After that got fixed I have tried it a couple of times at home and it really is fast compared to the old VPN solution we have used (I don't even know the specifics of that VPN solution, it's so old).

The bad thing is that pretty much everything is outsourced to a major international IT corporation and I can only troubleshoot the client side. There are around 60+ different software clients that I should test with DirectAccess and in the first 10 that I've tested only 2 have worked.

If you have any client software that has been set up using an IP address instead of a FQDN name, it's time to start changing them. I have tons of those and I'm quite sure I don't know them all.

Also, (you probably already know this) make the NLS site fail-proof, fail-over cluster it if you can. If the machines don't find the NLS site in the corporate network they're pretty much screwed.

Nebulis01
Dec 30, 2003
Technical Support Ninny

InfiniteDonkey posted:

Yay Feedback!

Thanks for that :) I'm forced to stand up a new PKI for this and it needs to happen 'right now' so I've spent the better part of a week brushing up on PKI to see if I can roll that out in the next month or so and then move on to UAG/DirectAccess.

Sudden Loud Noise
Feb 18, 2007

FISHMANPET posted:

So how should I be deploying the client? Right now I've got a build & capture task sequence that installs the client with some properties that allow the machine to install updates without being on the domain. So I'm pretty sure that's required. Then in the deploy image sequence I install it again, should I take it out of that step?

Yeah, I've seen it done both ways, but never both ways together. Have it in the captured image (minus certificates) or have it install after your image gets applied to the client machine.

Honestly the number of ways to do imaging with SCCM just seems to keep expanding, I can't keep up with which way is best. Although I do know there isn't a single right answer for every environment. I hate imaging.

Oct
Jul 19, 2007

Does anyone have any good examples of how to correctly configure time services that will allow client systems to sync properly? A while back I inherited a mess of a domain with clocks running 7 minutes fast. After a lot of whining from the network users we recently tried to get our time properly synchronized with a reliable external source.

I started by configuring the sync in Group Policy per Microsoft's own examples. On the plus side, everyone's clock became correct, but then we started running into occasional errors with Kerberos authentication when people and automated systems attempted to access some of our shares, typically the error being KRB_AP_ERR_TKT_NYV (the ticket used against that server is not yet valid in relationship to the server's time).

After the problems began to appear I found some other blog posts from people saying not to use GP to configure time services because it causes sync errors, and to just manually set the DC to grab its time from a good external source and allow the rest of the computers on the network to grab their time from the DC through Windows' built-in methods of picking the best time source on the network. This seems to be working fine as well, at least for keeping everyone's clocks within about a second of each other, but the sync errors still persist. One thing I have noticed is that most of the machines have been opting to sync from one of the secondary domain controllers (which itself gets its time from the main DC).

One item of interest, the DC and its secondaries are all running Server 2003 SP2, most of our client machines are running 2008R2 or Windows 7. I'm happy to go back to configuring this via group policy if that's a better solution but right now we're all kind of stumped.
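An added example, not from the thread, of the layout Oct describes: one external source at the top of the domain and everything else following the domain hierarchy. w32tm is the supported way to set this on 2003 SP2, 2008 R2 and Windows 7 alike; the server names and NTP pool hosts below are placeholders. Two caveats a practitioner would want here. First, only the PDC emulator should carry a manual peer list; a domain-wide "Configure Windows NTP Client" policy with Type NTP makes every member sync externally on its own, which is the usual reason for the "don't use GP" advice, so if you go back to GPO, scope that setting to the PDC emulator only and leave the rest on NT5DS. Second, KRB_AP_ERR_TKT_NYV means the server receiving the ticket has a clock behind the KDC's, so check the offset on the file servers throwing the error, not only on the clients.

```powershell
# Added example, not from the thread. Run in an elevated prompt on each machine in
# the role named; server names and pool hosts are placeholders.

# --- PDC emulator only: the single external source for the whole domain ---------
# Flag 0x8 = client mode (what the NTP pool expects); /reliable:YES advertises this
# DC as a good time source so other DCs and members will pick it via the hierarchy.
w32tm /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:YES /update
Restart-Service w32time
w32tm /resync /rediscover

# --- Every other DC, plus the 2008 R2 / Windows 7 members ------------------------
# DOMHIER = follow the domain hierarchy (NT5DS). This also clears a manual peer list
# left behind by a GPO or a hand edit, which is the usual cause of every box
# picking its own external source.
w32tm /config /syncfromflags:DOMHIER /update
Restart-Service w32time
w32tm /resync /rediscover

# --- Checks ---------------------------------------------------------------------
# Offsets of all DCs relative to the PDC emulator, and which peer each one uses.
w32tm /monitor

# One machine's offset against a named server, sampled a few times; run this on
# the file server that throws KRB_AP_ERR_TKT_NYV, not just on the clients.
w32tm /stripchart /computer:pdc01.example.com /samples:5 /dataonly

# Current source and stratum (Vista/2008 and later; on 2003 read the registry
# instead with: w32tm /dumpreg /subkey:Parameters).
w32tm /query /source
w32tm /query /status
```

If /monitor shows a DC peering with an external host other than the PDC emulator, or a member with a peer list of its own, that box still has leftover manual configuration and the DOMHIER step above needs to be applied there.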

Spermy Smurf
Jul 2, 2004
Oct, I did the same fricken thing. Tried everything, wanted to get the non-windows devices to sync to the DC's too. Nothing I found worked reliably, and we'd get the same errors as you.

I basically put it in the login script for all of the PCs in the company (net time /set \\server /y), and set the other devices to pull from the DC using their built in NTP server settings.

I'm running 2003 domain with XP and some 7 boxes now. No more errors.

Oct
Jul 19, 2007

Spermy Smurf posted:

Oct, I did the same fricken thing. Tried everything, wanted to get the non-windows devices to sync to the DC's too. Nothing I found worked reliably, and we'd get the same errors as you.

I basically put it in the login script for all of the PCs in the company (net time /set \\server /y), and set the other devices to pull from the DC using their built in NTP server settings.

I'm running 2003 domain with XP and some 7 boxes now. No more errors.

Awesome, thanks for the reply! I'll see about giving that a shot.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

spidoman posted:

Yeah, I've seen it done both ways, but never both ways together. Have it in the captured image (minus certificates) or have it install after your image gets applied to the client machine.

Honestly the number of ways to do imaging with SCCM just seems to keep expanding, I can't keep up with which way is best. Although I do know there isn't a single right answer for every environment. I hate imaging.

Ugh, this is absolutely insane. I've found blog posts about that, but I think they only describe how to do it if you're deploying an image created in one SCCM instance to a machine managed in another SCCM instance. Every guide I've found about doing it doesn't mention any problems, and just has you installing it in both steps. I tried a deploy task sequence where I didn't install the client and it failed because I guess installing the client reboots it into the installed OS, and if you skip that it doesn't reboot, so my install software failed because it was in WinPE. I tried adding a restart and that failed... strangely.

My next idea has to do with SCCM hotfixes. I applied two during the build, but I don't apply them in the deploy step, and I imagine that could cause some problems.

E: And my last attempt died out because of a hardware failure, ugh this is so annoying.

FISHMANPET fucked around with this message at 19:30 on Jun 21, 2012

peak debt
Mar 11, 2001
b& :(
Nap Ghost
If you can only see the two above-mentioned tasks, it means it's not getting the policy correctly from the server. So you will probably be missing the SCCM settings published in AD, and the SMSMP option passed to the client installer.
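An added example, not from the thread, of the checks peak debt's diagnosis implies, run on the imaged client. It assumes an elevated session and a ccmsetup-installed client; the log folder is looked up in both locations the client uses (2012 under %windir%\CCM, older x64 clients under %windir%\SysWOW64\CCM, as FISHMANPET found). The WMI classes and the schedule ID are the client's documented ones. The identity check is the one that bears on the "new entry I have to approve" symptom: every machine must have its own client GUID, and a GUID that is identical across several imaged boxes means the client's identity was captured with the image.

```powershell
# Added example, not from the thread. Run elevated on the imaged client.

$ccmNs = 'root\ccm'

# 1. Site assignment and management point. No SMS_Authority row means the client
#    never got (or never found, via the AD System Management container) a site code.
$authority = Get-WmiObject -Namespace $ccmNs -Class SMS_Authority
if ($authority) {
    'Assigned site    : {0}' -f $authority.Name                    # e.g. SMS:ABC
    'Management point : {0}' -f $authority.CurrentManagementPoint
} else {
    Write-Warning 'No site assignment: install with SMSSITECODE=<site> SMSMP=<mp fqdn> or publish the site to AD'
}

# 2. Client identity and version. Compare ClientId across several imaged machines;
#    it must differ.
$id = Get-WmiObject -Namespace $ccmNs -Class CCM_Client
'Client GUID      : {0}' -f $id.ClientId
'Client version   : {0}' -f (Get-WmiObject -Namespace $ccmNs -Class SMS_Client).ClientVersion

# 3. Actions. Each entry in the applet is a scheduled message in actual machine
#    policy; a client with no policy has only the two built-in retrieval cycles.
$actions = @(Get-WmiObject -Namespace "$ccmNs\Policy\Machine\ActualConfig" -Class CCM_Scheduler_ScheduledMessage)
'Scheduled actions: {0}' -f $actions.Count
$actions | ForEach-Object { '  ' + $_.ScheduledMessageID }

# 4. Ask for machine policy now (same as clicking the action in the applet), wait,
#    then read the logs instead of guessing: PolicyAgent.log shows policy download,
#    LocationServices.log shows management point lookup failures.
([wmiclass]'root\ccm:SMS_Client').TriggerSchedule('{00000000-0000-0000-0000-000000000021}') | Out-Null
Start-Sleep -Seconds 60
$logDir = @("$env:windir\CCM\Logs", "$env:windir\SysWOW64\CCM\Logs") |
    Where-Object { Test-Path $_ } | Select-Object -First 1
foreach ($log in 'PolicyAgent.log', 'LocationServices.log') {
    "--- $log ---"
    Get-Content (Join-Path $logDir $log) | Select-Object -Last 15
}
```

Open the same two logs in trace32 (as skipdogg suggests further down) if the tail is not enough; a client that has a site and a management point but still only two actions will usually show the reason in LocationServices.log.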

Maneki Neko
Oct 27, 2000

Oct posted:

One item of interest, the DC and its secondaries are all running Server 2003 SP2, most of our client machines are running 2008R2 or Windows 7. I'm happy to go back to configuring this via group policy if that's a better solution but right now we're all kind of stumped.

Who has the PDC emulator role, and how is that server configured?

Oct
Jul 19, 2007

Maneki Neko posted:

Who has the PDC emulator role, and how is that server configured?

The emulator role is held by the actual PDC.

If you mean how is the time configured on it, it is configured to grab time for itself from the US ntp.org pool in client mode. The internal NtpServer config is set to Enabled.

Erwin
Feb 17, 2006

Oct posted:

The emulator role is held by the actual PDC.

If you mean how is the time configured on it, it is configured to grab time for itself from the US ntp.org pool in client mode. The internal NtpServer config is set to Enabled.

No such thing as an actual PDC in 2003 R2. Netdom query fsmo says "PDC" for the PDC emulator.

I redid our time setup about a year ago when we virtualized everything, and I think I did it as you said. The primary time server is 2008 R2, though, but I had some 2003 R2 physical DCs at the time. I configured the primary time server to sync to an external source manually, and everything else fell into place. I don't think I've seen any of the errors you're seeing. Were there symptoms (like, they can't access the share), or just errors in event viewer?

Oct
Jul 19, 2007

Erwin posted:

No such thing as an actual PDC in 2003 R2. Netdom query fsmo says "PDC" for the PDC emulator.

I redid our time setup about a year ago when we virtualized everything, and I think I did it as you said. The primary time server is 2008 R2, though, but I had some 2003 R2 physical DCs at the time. I configured the primary time server to sync to an external source manually, and everything else fell into place. I don't think I've seen any of the errors you're seeing. Were there symptoms (like, they can't access the share), or just errors in event viewer?

Gotcha. The use of the word 'emulator' has been confusing when reading some docs (some poo poo seems to get way too contradictory). But yeah, there are obvious symptoms that line up with the errors, users can't access the various shares they need to access. The funny thing is, when that happens to users they can actually hit the shares on their second attempt. Unfortunately while it's just annoying for human users, our automated systems that run into this aren't as forgiving.

In all honesty this network probably wasn't configured correctly from the very beginning, so it's entirely possible that that is contributing to the problems as well.

Erwin
Feb 17, 2006

Oct posted:

Unfortunately while it's just annoying for human users, our automated systems that run into this aren't as forgiving.

95+% of our NTFS events are automated systems, so I can definitely say we never had the issue you described. Sorry man :smith:

Oct
Jul 19, 2007

Hey, can't win 'em all. I still appreciate the help from everyone. Hopefully we get the go-ahead to rebuild this thing from scratch sooner rather than later and make this a non-issue.

Gravitom
Jul 27, 2001

Does anyone have a good method of checking 150+ servers for what accounts are logged in as services on them?

Nebulis01
Dec 30, 2003
Technical Support Ninny

Gravitom posted:

Does anyone have a good method of checking 150+ servers for what accounts are logged in as services on them?

http://techibee.com/tag/query-service-logon-account-using-powershell

You can run that or modify it as needed. Should do what you want I think.
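An added example, not the script linked above and not from the thread, of the same inventory done over WMI: it pulls the service list from each server, drops the built-in identities (LocalSystem, LocalService, NetworkService and the NT SERVICE\ virtual accounts) so only real local or domain accounts remain, writes a CSV, and then groups by account so the ones spread across the most servers show up first. The server names are placeholders; in practice the list would come from AD.

```powershell
# Added example, not the script linked above. Server names are placeholders; in
# practice feed the list from AD (e.g. Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').
$servers = @('srv01', 'srv02', 'srv03')

# Identities that are not real credentials and so are not worth listing.
# -notcontains is case-insensitive, so one spelling of each is enough.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$rows = foreach ($s in $servers) {
    try {
        Get-WmiObject -ComputerName $s -Class Win32_Service -ErrorAction Stop |
            Where-Object {
                $_.StartName -and
                ($builtin -notcontains $_.StartName) -and
                ($_.StartName -notlike 'NT SERVICE\*')
            } |
            ForEach-Object {
                $o = New-Object PSObject
                $o | Add-Member NoteProperty Server    $s
                $o | Add-Member NoteProperty Service   $_.Name
                $o | Add-Member NoteProperty Account   $_.StartName
                $o | Add-Member NoteProperty StartMode $_.StartMode
                $o | Add-Member NoteProperty State     $_.State
                $o
            }
    } catch {
        # Unreachable host, RPC blocked, access denied: record it rather than
        # silently leaving a gap in the inventory.
        Write-Warning ('{0}: {1}' -f $s, $_.Exception.Message)
    }
}

$rows | Sort-Object Account, Server |
    Export-Csv -NoTypeInformation -Path .\service-accounts.csv

# Which accounts run on the most servers? Those are the ones whose password change
# (or compromise) has the widest reach, so start the review there.
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Servers'; e = { ($_.Group | ForEach-Object { $_.Server } | Select-Object -Unique) -join ', ' } }
```

The account in StartName is the one the service process runs as; kernel drivers are not in Win32_Service and scheduled tasks are a separate inventory, so this covers services only.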

Malcolm
May 11, 2008
If we're still talking about DirectAccess, I just finished an implementation at my company. It's a Forefront UAG server with DirectAccess. One obstacle was that our Oracle is hosted off-site at an IP address outside our subnet. In the initial DirectAccess configuration I only had routes defined to our internal resources at 10.0.0.0. Our host had an IP outside that range which confused me until I realized we just had to set up additional static routes on the UAG server itself.

This is just to get to the Oracle web portal though, I really doubt our tnsnames.ora has FQDN for everything so I don't have a lot of hope. Can't help on that front.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
OK, I'm stumped on this one:

Clean image onto a computer, the SCCM client is installed, it checks in with the SCCM server, all is well. Except I can't run any of the SCCM tools from the control panel (Configuration Manager, Run Advertised Programs, Program Download Monitor, or Remote Control). The names are there, with blank icons rather than the proper ones. If I click them nothing happens. I know they're installed, because I got a popup of the "Run Advertised Programs" offering some new programs I can install.

If I go into "Install a program from the network" nothing shows up, even though I know things are advertised to it.

I've tried googling but I don't even know what to look for. I've tried uninstalling and reinstalling the client, I've tried reimaging the machine. The logs look fine to me, but again I'm really not sure what to look for.

Any idea what I can do to fix this?

E: And the SMS*.cpl files are in %windir%\syswow64\ccm so I don't even know what the gently caress.

FISHMANPET fucked around with this message at 16:58 on Jun 29, 2012


skipdogg
Nov 29, 2004
Resident SRT-4 Expert

You using trace32 for the logs? It should highlight any errors for you and at least give you something to google.
