Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
quackquackquack
Nov 10, 2002
Haha, no worries. The SCCM console is laid out like Boston city streets.

Adbot
ADBOT LOVES YOU

monkeybounce
Feb 9, 2007

FISHMANPET posted:

gently caress we are such idiots how did we never see this. I thought I'd looked in that section already, but I forgot to actually use my eyes.

Don't worry about that. I've been using SCCM for several years now and I still go "where is that..." and then spend 20 minutes clicking through folders and subfolders only to remember that it's actually in a context menu.

I use PXE so I have an extra step for drivers. For boot required drivers, I have a package called "Boot Drivers"--primarily NIC and HDD controller drivers in both an X64 and i386 version. That makes it really easy to add/remove drivers from the boot image.

Then I have a package for each model of hardware in both 64 and 386 flavors. Like NOEL, I have WMI conditions (SELECT * from Win32_Computer System WHERE chasis LIKE %XW4400%)* that let the task sequence select what driver package to use.

As for advertising task sequences, what I do is create a container for my test machines like "Testing Win 7" and just advertise my test task sequences to those. Then I don't care about losing the advertisements/log history/etc.

As a tip that took me over a year to figure out :smith: : You can create folders under Advertisements. It's a lot easier to keep your permanent advertisements separate from your short term ones/testing ones.


*If someone could give me a cleaner way to write that, I'd love you forever)

Ninja edit: Damnit, didn't realize there was a second page.

Ray_
Sep 15, 2005

It was like the Colosseum in Rome and we were the Christians." - Bobby Dodd, on playing at LSU's Tiger Stadium
I've been messing around with SCE 2010 and it's pretty cool from what I've seen so far, but I'm having the hardest time getting it to recognize anything to do with our Exchange environment.

quackquackquack
Nov 10, 2002
This is what I use for WMI conditions:

SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%OptiPlex 380%"

zero0ne
Jul 20, 2007
Zero to the O N E
devmd01,

what version of Altiris you running? 6.9?


As a NS7 user (NS7.x with DS7.1) I would love to go back to DS6.9.
I guess I could, but at this point i may as well keep trucking through 7.x hoping that we re-license it and get to push it out corp. wide. (~10,000 nodes if we pushed it to the US).

Reporting and compliance are awesome, but the console is slow as hell.

Once the console can be run on a 64bit 2k8 server, it should be speedy as hell (with a 64bit SQL 2008 instance running that is).


We will see though.... long term crap there.

monkeybounce
Feb 9, 2007

Noel posted:

This is what I use for WMI conditions:

SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%OptiPlex 380%"

HPs seem to like to keep their model information in Chasis (or at least the XW 4400s I have) If you query Model you usually get "Hewlett-Packard Desktop" or "Compaq Laptop" Not exactly sure why, but it was one of the most frustrating things trying to figure out. On the plus side, I got a pretty good grasp on WMI thanks to it.

devmd01
Mar 7, 2006

Elektronik
Supersonik

zero0ne posted:

devmd01,

what version of Altiris you running? 6.9?

6.8 Build 378 SP2. We only use the Deployment Console as we have just purchased DS licenses since the initial setup, not NS/DS licenses. Our NS is a total clusterfuck anyway, there's no way to get any useful information out of it short of purging the entire database, uninstalling company wide, and only installing it on machines we need software inventory on. :fail:

Like I said, our CIO is a cheapass and refuses to pay for maintenance support, so we don't have access to upgrades.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I finally managed to get a task sequence all by myself to actually install the loving operating system!
:w00t:

BooDaa
Apr 15, 2004

So is SCCM going to give me anything that I'm not getting in WSUS 3.2 as far as MS updates are concerned?

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

BooDaa posted:

So is SCCM going to give me anything that I'm not getting in WSUS 3.2 as far as MS updates are concerned?
Software updates are only a tiny piece of the security picture -- it's just as important to have visibility into your systems and know that their configurations are in compliance with org policy. But if all you need or care about is a single update profile to push out to your hosts, SCCM is probably overkill and wasted money for you and you can probably do most of what you need between WSUS and good use of GPOs.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Wow, thanks Ricoh, your drivers suck. The Dell provided driver extracts to... another executable, and that doesn't extract to anything. So I guess no INF for SCCM to push out.
:ughh:

quackquackquack
Nov 10, 2002
When you run the second executable, does anything pop up in a temp folder?

Drighton
Nov 30, 2005

FISHMANPET posted:

Also, feel free to hijack this thread for other Enterprisy Windows talk, since there don't seem to be any threads for such things.

Will do! But seriously, thread title should indicate we have a new Megathread to attract other admins. Anyway, to my problem:


I'm tasked with fixing our backups. I'm supposed to use less space and media while backing up the same amount of data and our slowly growing file server. As one bullet point I suggested using DFS Replication and VSS to (1) eliminate storing multiple daily backups of our 1.5TB and growing file server and (2) provide some redundancy that isn't a USB attached hard drive that sometimes isn't mirrored.

The IT Director apparently had some of this in place previously but ran into issues related to running 32-bit Server 2003. As for DFS-R, he mentioned that "1.5TB is a lot to push through Active Directory".

Now it's been a while, and I somewhat recalled that DFS-R utilized AD in some way, so I left to do some research and find out what he's talking about, but haven't been able to find anything yet. I've got a better idea of how DFS works, but found nothing that would tell me that a AD on a DC is solely tasked with reading and replicating all the files.

Does anyone know what he may be talking about, or can point me to the technical document that will explain it?

zapateria
Feb 16, 2003

Drighton posted:

Will do! But seriously, thread title should indicate we have a new Megathread to attract other admins.

Supporting this.



Anyway,

I'm experimenting with using SCCM to push out Windows Updates. We have a WSUS server we used for this before getting into SCCM and I've added that server as a Software Update Point in SCCM and configured everything else in SCCM. I'm abit confused when it comes to client configuration though.

As far as I've gathered from various google searches, you're supposed to have "Configure Automatic Updates" set to "Disable" in your GPOs and to remove the intranet server (can't remember the policy name right now) and it will be added back as a local policy by SCCM.

I've done this, and communication with the server seems ok. However, I never get the Software Update Agent UI showing up. I've checked the WindowsUpdates.log file in %WinDir% on clients, and it correctly checks for updates from the correct intranet server, except it never starts actually deploying the updates.

If I remove the "Disable" policy and set it to automatically install updates, it still goes to the intranet server and downloads updates - then installs them, but via the Windows Update UI and that's not what I want.

Any tips?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Any suggestions for a thread title? My unimaginitve idea is "Tell me about your Enterprise Windows management, Megathread edition!"

Onto other things, I've figured out how I want to deploy the OS to my clients. Since we have so many hardware types I'm not going to bother to capture an image, just build it on each machine. I'm trying to figure out how to install software. I don't want to put an explicit "install this package" for each of our 10 basic packages into each task sequence (I'm going to have a task sequence for each hardware models) because that makes it a huge pain in the rear end when a new version of Firefox comes out. Right now I'm just advertising everything to the client as regular software and hoping it gets picked up. What I'd really like to do is have a task sequence to install core apps (We already have this actually) and have my deployment task sequence run that task sequence for me, so I would only ever have to update the core apps task sequence and keep all my builds up to date.

zapateria
Feb 16, 2003

FISHMANPET posted:

I don't want to put an explicit "install this package" for each of our 10 basic packages into each task sequence (I'm going to have a task sequence for each hardware models) because that makes it a huge pain in the rear end when a new version of Firefox comes out.

Wouldn't you just update your "Firefox" package and not have to do anything with task sequences since they would just include the updated package?

Drighton
Nov 30, 2005

FISHMANPET posted:

Any suggestions for a thread title? My unimaginitve idea is "Tell me about your Enterprise Windows management, Megathread edition!"

Windows Server Megathread? I don't think it'd have to be too specific and list all the versions we're allowed to talk about or anything like that. Maybe just a little something to set it apart from the Home Server thread.

Anyway, that would at least be a start. Then someone would have to create a better OP for the megathread, perhaps with links to the other specialized megathreads.

quackquackquack
Nov 10, 2002

quote:

I'm going to have a task sequence for each hardware models

Don't do this.

Instead, overload a single task sequence.

Make a driver package for each model, and in the task sequence add a "Apply Driver Package" step for each driver package you made. Use a WMI query as a condition on each "Apply Driver Package" step so that the right computer gets the right drivers.

Here's a page that somewhat describes it: http://blogs.technet.com/b/deploymentguys/archive/2008/02/15/driver-management-part-1-configuration-manager.aspx

This way you only have to modify a single task sequence.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

zapateria posted:

Wouldn't you just update your "Firefox" package and not have to do anything with task sequences since they would just include the updated package?
I guess... I'd never thought about it that way. Right now we're making a new package for each version of software. So we'd have a firefox 3.5 package, firefox 3.5.1, etc. We haven't actually upgraded any packages yet though, so this is subject to change. I guess any advice in this department would be welcome as well. I'm guessing it would be a really bad idea to try and stick multiple programs into a single software package?

Noel posted:

Don't do this.

Instead, overload a single task sequence.

:aaaaa:
I never would have thought about that. I'm assuming that WMI data gets pulled from the hardware itself, so I don't have to do anything myself?

quackquackquack
Nov 10, 2002
WinPE can query WMI when running a task sequence. That link I posted goes into pretty fine detail.

So for our staff Vista task sequence, all I ever modify is updating applications, and adding a new driver package when a new model computer comes along. SCCM gets a lot easier once you have the "base" set up.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Noel posted:

WinPE can query WMI when running a task sequence. That link I posted goes into pretty fine detail.

So for our staff Vista task sequence, all I ever modify is updating applications, and adding a new driver package when a new model computer comes along. SCCM gets a lot easier once you have the "base" set up.

Well in that case it wouldn't at all be a big deal to make a new package for software update, because I only update it once.
E: If I have a group for machine specific application installs, and give it a WMI query, it will only run it's sub tasks if the WMI query is true, correct?
E2: A closer reading reveals my assumption to be correct.

FISHMANPET fucked around with this message at 03:01 on Jul 24, 2010

Trinitrotoluene
Dec 25, 2004

Does anyone have any good recommendations or suggestions for mass administration over a hundred seperate domains on completely seperate networks?

SCCM is awesome and I actually used to deal with SMS when I worked for EDS, unfortunately it's not a valid possibility or at a cost that is suitable for our clients (say 100 small businesses). Plus the administration on each domain would take forever.

WSUS we currently keep the configuration on one central machine and push it to all domain servers so patch management isn't too much of an issue.

Keeping things like Firefox/Adobe Reader/Flash Player up to date though is an absolute nightmare so any suggestions would be more than welcome.

Any suggestions to better admin so many domains would be welcome also.

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.
There's a huge number of multi-tenant management products out there for managed service providers. Kaseya, N-Able, Level Platforms and ManageEngine are the most popular that I'm aware of, though I haven't used any personally, being a Linux admin that does not work for an MSP.

Dyscrasia
Jun 23, 2003
Give Me Hamms Premium Draft or Give Me DEATH!!!!

Trinitrotoluene posted:

Keeping things like Firefox/Adobe Reader/Flash Player up to date though is an absolute nightmare so any suggestions would be more than welcome.

Any suggestions to better admin so many domains would be welcome also.

I would love a better way to go about this too. I have just been doing GPO push installs for Reader, Flash and Java.

Muslim Wookie
Jul 6, 2005

FISHMANPET posted:

Wow, thanks Ricoh, your drivers suck. The Dell provided driver extracts to... another executable, and that doesn't extract to anything. So I guess no INF for SCCM to push out.
:ughh:

Are you sure? One of the best tools I ever had for setting up SCCM "anything" was UniExtract. Universal Extractor. Just right click any installation .exe (or virtually any archive at all) and choose "Extract here". Viola, you have all the files you need without the stupid Temp folder hunting bullshit.

Muslim Wookie
Jul 6, 2005

Dyscrasia posted:

I would love a better way to go about this too. I have just been doing GPO push installs for Reader, Flash and Java.

I'm not sure I understand why SCCM would not be appropriate. You would set up primary site in each customers domain and go from there. SCCM itself isn't that expensive and the client licenses can be had real cheap if you buy a shitload at once from MS...

I'd be doing a real CAPEX if I were in your shoes instead of asking on the net but I know accounting isn't particularly exciting... I find a lot of techs say things like this with confidence but haven't done anything but have some vague thoughts about the matter - doing some sums on paper can actually surprise you sometimes!

Errant Gin Monks
Oct 2, 2009

"Yeah..."
- Marshawn Lynch
:hawksin:
I dont know what the budgets are for everyone out there (mine is smalllllll) but we are using a KASE setup right now (Dell let me borrow it for free for 30 days to dick with it).

Pretty nice setup. Essy web interface. A fuckton easier than SCCM and SCOM.

Lets you set up imaging, network image deployment, upgrading and software pushes. Also has a great option i am quickly falling in love with "Auto-uninstall." So you start listing poo poo like browser tool bars and iTunes. It checks every computer every 15 minutes. IF it sees anything on the no-no list it just uninstalls it.

People keep calling me saying their "MyWebSearch" tool bar keeps disappearing, no matter how many times i have sent out memos saying "DON'T loving INSTALL THAT poo poo."

Anyway price wise its 11K per box to buy and then 250 nodes for 500 bucks a year per box. so 1000 a year for 250 nodes and 22k startup for both boxes. Not too bad compared to SCCM and SCOM.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
marketingman, that tool worked for the Ricoh drivers, but not for 2 other drivers. Oh well, every little bit helps.

Anyway, does anybody have a problem with SCCM where it stops advertising to a client? I was all excited to day to troubleshoot this laptop, and after one sucesful reimage, it doesn't get any advertisements anymore. I've had to delete the machine and re-add a computer association, now it sees everything again. What gives?

quackquackquack
Nov 10, 2002
Did you try updating the collection membership?

I recently ran into the same thing - I got an error in the console when I tried to check the properties of a computer. A membership update solved that problem, and the problem of no advertisements being available.

Muslim Wookie
Jul 6, 2005
Yeah SCCM will do that but it all comes down to the settings you have set. Once it thinks the advertisement ran and was successful, it will stop attempting to do it. You need to click the "Force" tickbox in the advertisement to have it rerun.

Also if you haven't already done it or realised, using the inbuild collections for advertisements is foolish at best, and can cause huge headaches at worst.

Create collections that take their membership information from an AD security group. Now, remove anyone but senior admin access to SCCM, and for anyone that wants Firefox deployed to a particular machine tell them to make that computer a member of the Firefox security group. User left and PC needs zeroing? Remove computer object's membership to everything, easy. Take this idea to it's conclusion, this is just the start.

In your dev env you can have SCCM doing an AD discovery every 5 minutes. In Prod it depends on your prod environment but I would still have it fairly often (once every hour or two?).

Muslim Wookie fucked around with this message at 06:26 on Jul 27, 2010

quackquackquack
Nov 10, 2002

marketingman posted:

Create collections that take their membership information from an AD security group.

Yes, this. Even just from a user interface point of view, AD groups are so much better to manage than SCCM collection membership rules.

monkeybounce
Feb 9, 2007

Noel posted:

Yes, this. Even just from a user interface point of view, AD groups are so much better to manage than SCCM collection membership rules.

Nthing this, but you don't need to create sec groups if you're anal about your AD structure. I will agree with marketingman that under no circumstances do you want to use the default collections. I've actually deleted most of them from mine.

The collections in my SCCM pretty much mirror the OUs in my AD structure.

code:
Corp
  ->Servers
    ->Office
    ->Datacenter
  ->Computers
    ->Accounting
    ->Sales
    ->Customer Support
    ->Dev
    ->IT
If I need to advertise firefox to all the machines, I can just advertise it to Computers and include sub-collections. If there's an update for Visual Studio or something, I can just advertise it to DEV. If

Each collection/sub-collection has a membership rule that uses System Container Name, so it creates the collection based on what machines are in what OU. I've got different GPOs that have to go out to different departments, so it was already set.

I've got an overloaded single image which plops the computer in the OU for the department it's being imaged for.

To go along with KenMorningStar comments on uninstalling software, you can do that with the software baseline configuration. If I move it to a different OU (sales person moves to customer service), it'll apply the baseline for CS which will remove the Sales software and add the CS software--all based on OU. It is a bit more complicated than Kase, but there's not a single toolbar on my network.

Muslim Wookie
Jul 6, 2005
I use security groups with SCCM because we tend to attach licenses to usernames. This also means one user can jump onto another computer and install all their "usual" suite of software. I usually put in some mechanism to prevent users using software that's installed that they aren't cleared for.

If everyone in a department used the exact same set up then I might go for the collections only method.

devmd01
Mar 7, 2006

Elektronik
Supersonik
Alright, who has messed with WDS and DISM? I am trying to get nic drivers integrated into capture/deploy PE images.

Using Windows 7 32Bit boot.wim. Followed the updated tutorials in the documentation and others I found online.

I have the correct drivers, as manually loading them once pxe booted works just fine. Once I go through the integration steps to update the image, nothing.

Any ideas?

quackquackquack
Nov 10, 2002
I have a SCCM OSD Task Sequence in which I want to set DNS in the resulting OS, but otherwise use DHCP. During the OSD I am happy to use the DHCP settings.

The 'Apply Network Settings' step does not seem to do anything if I stick an extra one at the end of my Task Sequence (ie: not within WinPE) and tell it to configure the adapter with static DNS settings, even though Technet implies this is possible. In the smsts.log everything looks great, but when I check the settings post OSD they are not changed.

Thoughts?

quackquackquack fucked around with this message at 18:12 on Aug 3, 2010

quackquackquack
Nov 10, 2002
netsh: 1, SCCM Technet documentation: 0

quackquackquack
Nov 10, 2002
The tools I have available for these questions are SCCM and a Server2008 domain.

I want to discover the size of the local profiles on the desktops in my organization - I'm curious how much storage we would need if we used roaming profiles. I know that in the System control panel it tells me, but I'm not sure where that is stored. I suppose I could use a script + mof edit. Or File Collection.

I also want to parse the contents of each computer's local administrators group. Preferably this would be stored with each computer in SCCM (in the same way it currently shows what AD groups each computer is in). This one might also turn out to be a script + mof edit.

Muslim Wookie
Jul 6, 2005
For option number 2 download Hyena and use that - it will make life a lot easier.

For option number 1, you can use Hyena or you can use the inbuilt SCCM reports, either option will need some customisation ie scripting.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Here's a fun fact that stumped me:
Each Driver package needs a unique data source. The guy who set it up assumed that SCCM would be smart enough to segregate the driver files, and only download the right stuff to the client. Wrong. It just blindly downloads whatever is in that directory to the client and tries to apply it all. Also, it looks like if you delete a driver from the database without first deleting it from the package, it stays in the package forever. So make sure each of your driver packages has a unique data source folder.

Now a question:
Is there a way to rename the advertised name of packages? I love that you can be super specific with the name, but nobody really cares that they're installing "Skype Technologies S.A. SkypeTM 4.2 4.2.169 Enlish (United States) - Per-system unattended." They just want Skype.

Adbot
ADBOT LOVES YOU

quackquackquack
Nov 10, 2002
Use "Apply Driver Package" instead of "Auto Apply Drivers". Better to have control over what is happening.

I think SCCM should just handle the driver package location in the same way it does for other packages. That did seem a bit strange. I have not seen your issue with drivers sticking around forever after they are deleted. It just disappears from the driver package for me, and when I tell the driver package to update, it's no longer there, either.

I was unable to find a way to rename advertisements. I agree, it is annoying. I try and make a Task Sequence for just about everything I deploy. It gives the end user a pretty window to look at without having to allow interaction with the program installer. It allows me to name it whatever I wants.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply