Microsoft

Posts related to Microsoft products and services.

Using Group Policy Preferences with Older Versions of Windows

http://www.microsoft.com/en-us/download/details.aspx?id=6955

I was doing some testing with a newly created GPO that used Group Policy Preferences (GPP) to add a user account to the local administrators group, and I noticed that the policy seemed to apply properly to all of my Server 2012 and 2008 systems but not on any Server 2003 machines.

I did some research and came across an article on Microsoft’s Group Policy blog that shed some light on my issue:

Group Policy Preferences Not Applying on Some Clients: Client-Side Extension, XMLLite

The gist of it is that I needed to install the proper Client-Side Extensions (CSEs) for Server 2003. All of the links for the individual OSes and versions are in the MS blog post, but the specific one I needed is below.

CSEs for Windows Server 2003 with SP1 or later (32-bit)

You may also need to install XMLLite in addition to the CSEs, but to quote the post:

“XMLLite is not needed if:

· Your clients run Windows Server 2008 or Windows Vista.

· Your clients Windows XP and Windows Server 2003 clients run Internet Explorer 7 and/or the latest service packs.”

After installing the CSEs on my machines, they started processing the GPPs normally.

As a side note for anyone interested: the GPP to add user accounts to local groups is located under Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups.

To modify a local group, right-click and select New -> Local Group, choose Update as the action, pick a group from the Group Name drop-down menu, in my case Administrators (built-in) (make sure to use the drop-down and not the ellipsis button; see image), and then use the Add button at the bottom of the window to add either local or domain accounts to that group.

Most of the guides I’ve found suggest using Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups to add users to the local administrators group, but this policy acts to replace any existing memberships rather than merge with them, so keep this in mind if you have Group Policy Objects linked at higher OUs which add users to the same groups. If you want to preserve the existing memberships, consider using GPPs to make the modifications instead.

-Rick

Alt Methods to Fix: “The Trust Relationship Between This Workstation and the Primary Domain Failed”

For any Windows admin, this error is a familiar sight.

The typical fix, and Microsoft’s recommended resolution, is to log in with a local admin account, join the system to a workgroup, and then rejoin it to the domain.

However, I ran into this blog post a while back which details some cool alternative methods and saved the link in case it should come in handy some day, which it has on several occasions.

DON’T REJOIN TO FIX: The trust relationship between this workstation and the primary domain failed

Basically, he lists two distinct methods for resetting the computer password:

  1. Use netdom.exe

netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = DOMAIN\User format with rights to change the computer password

“Where you get netdom.exe depends on what version of Windows you’re running.”

“On Windows Vista and Windows 7 you can get it from the Remote Server Administration Tools (RSAT).”

Download RSAT for Windows 7 SP1 here

Download RSAT for Windows 8.1 here

You can read some additional notes about this method in the blog post. (link here)

  2. Via PowerShell

Reset-ComputerMachinePassword [-Credential <PSCredential>] [-Server <String>]

“You can use the Get-Credential cmdlet for a secure way to generate a PSCredential, which can be stored in a variable and used in a script.  You will want to generate a credential for an Active Directory user with sufficient rights to change the computer’s password.  The Server parameter is the domain controller to use when setting the machine account password.”

Here’s a TechNet article on the Reset-ComputerMachinePassword command for additional reference.
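
The PowerShell route can be wrapped with a before-and-after check of the secure channel, so the password is only reset when the trust is actually broken. This is an added example, not code from the original post or the blog it quotes; it assumes Windows PowerShell in an elevated session under a local administrator account, and `dc01.corp.example` is a placeholder domain controller name.

```powershell
# Added example, not from the original post.
# Assumptions: Windows PowerShell, elevated session, logged on with a local
# administrator account on the machine that shows the trust error.

function Repair-MachineTrust {
    [CmdletBinding()]
    param(
        # A domain controller in the joined domain.
        [Parameter(Mandatory = $true)]
        [string]$Server,

        # Domain account with rights to change this computer's password.
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential
    )

    # Returns $true when the machine's secure channel to the domain is intact.
    function Test-Channel {
        try {
            return [bool](Test-ComputerSecureChannel -Server $Server -ErrorAction Stop)
        }
        catch {
            Write-Verbose "Secure channel test failed: $($_.Exception.Message)"
            return $false
        }
    }

    $healthyBefore = Test-Channel
    $passwordReset = $false
    $errorText     = $null

    # Only touch the machine account when the channel is really broken.
    if (-not $healthyBefore) {
        try {
            Reset-ComputerMachinePassword -Server $Server -Credential $Credential -ErrorAction Stop
            $passwordReset = $true
        }
        catch {
            $errorText = $_.Exception.Message
        }
    }

    # Report what was found and what was done, re-testing the channel at the end.
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Server        = $Server
        HealthyBefore = $healthyBefore
        PasswordReset = $passwordReset
        HealthyAfter  = Test-Channel
        Error         = $errorText
    }
}

# Prompt for the domain credential rather than typing a password on the command line.
$cred = Get-Credential -Message 'Domain account with rights to reset this computer account'

# 'dc01.corp.example' is a placeholder; use one of your own domain controllers.
Repair-MachineTrust -Server 'dc01.corp.example' -Credential $cred -Verbose
```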

-Rick

SCCM 2012 R2 Client Installation Fails on Windows Server 2003

http://www.microsoft.com/en-us/download/details.aspx?id=4933

If your environment is like mine, you may be forced to manage some legacy systems with Configuration Manager, some of which may be running older operating systems like Windows Server 2003.

You may also find that the SCCM client refuses to install on Server 2003.

Luckily, the fix is easy enough. The SCCM client requires BITS 2.5 to be installed as a prerequisite. You can download BITS 2.5 for Windows Server 2003 here.

After downloading and installing BITS 2.5 on your Windows Server 2003 systems, you should be able to deploy the SCCM client without a problem.

Sources:

SCCM Not installing 2012 SP1 client on Server 2003 clients

SCCM 2012 and Server 2003x64\XPx64

-Rick

SCCM 2012 R2 – Error When Running Reports – UserTokenSIDS: A Specified logon session does not exist

After installing my SCCM 2012 R2 Primary Site, I attempted to test out the reporting feature and kept running into the following error when trying to run any of the built-in reports:

The DefaultValue expression for the report parameter ‘UserTokenSIDs’ contains an error: a specified login session does not exist. It may already have been terminated.

I did some research and eventually tied it back to my SQL Server Reporting Services (SSRS) configuration.

I have SSRS installed on my primary site server with the reporting database sitting on a remote system running SQL Server 2012, and when I initially set up SSRS I had it using the Local System built-in account as the service account.

After going back and reviewing the documentation and reading over various blog posts, I realized using Local System as the service account wasn’t going to work and I needed to specify a domain resource account to use with the proper permissions set.

Configuring Reporting in Configuration Manager

Configure a Service Account for Reporting Services

Reporting Services Configuration Manager (SSRS)

So I created a new resource account specifically for SCCM and SSRS, named SMSRS, and made sure to add it to the local SMS Admins group on the site server and grant it sysadmin and remote access permissions to the reporting databases on my SQL server. I then reconfigured the SSRS Service Account and Current Report Server Database Credential settings to use this new SMSRS account.

After restarting the service, I was able to run reports in SCCM without any further trouble.

A few quick additional notes:

  • Before changing the service account for SSRS, be sure to back up the encryption key for the original account so you don’t lose the ability to talk to the existing reporting database.
  • After changing the service account, perform a restore of the backed-up encryption key.

Instructions for backing up and restoring SSRS encryption keys for SQL Server 2012 are here:

Back Up and Restore Reporting Services Encryption Keys

  • The service account used for SSRS must be a member of the domain local security group Windows Authorization Access Group and have Allow Read tokenGroupsGlobalAndUniversal permissions in Active Directory.

SCCM 2012 R2 Upgrade Breaks SSRS with UserTokenSIDs contains an error

-Rick

SCCM 2012 R2 – Configure Software Inventory

Shortly after installing SCCM 2012 R2 and getting the client installed on a few test systems, I noticed that the Inventoried Software section under Assets and Compliance\Asset Intelligence was empty and there was no application information showing up in Resource Explorer. I double checked that I had enabled Software Inventory in my client settings, which I had, so I started doing some research.

Turns out that I was missing two key settings to get what I wanted.

First, I neglected to specify any file types for the SCCM client to include in its software inventory.

Configuration Manager 2012 Software Inventory Missing

I had initially made the assumption that there was a built-in process for discovering installed software and that the “Inventory these file types” setting was only to specify additional file types as needed. As the blog post above suggests, in SCCM 2012 this isn’t the case. If you don’t explicitly tell the client what to look for, it won’t return any results.

To correct this, I added two wildcard entries to the client settings for file types:

  1. *.exe in %ProgramFiles%
  2. *.exe in %ProgramFiles(x86)%

After adding these rules and giving my clients time to get the new settings and run another software inventory cycle, I started seeing results in Asset Intelligence.

However, when I opened up Resource Explorer I found that the only information available under Software was simple file names, paths, and the modified date, among a few other minor file details. Useful, but not quite what I was looking for.

I can’t find the article that I came across now (I’ll try to add it later), but after doing some more research I found out that you can also add software inventory functionality to the Hardware Inventory pass to get more details about installed applications. Luckily, enabling this was easy enough and just required adding a few additional classes to the hardware inventory client settings.

With Hardware Inventory selected, click the Set Classes… button, which brings up a list of the available items to be included in the hardware inventory. To enable additional software inventory functionality, just check the Installed Applications, Installed Executable, and Installed Software classes from the list.

After doing this, Resource Explorer now has these new classes available and I’m able to see product GUIDs, version numbers, install dates, file hashes, uninstall strings, and more. Much more useful.

-Rick

SCCM 2012 R2 – Installation & Configuration

As a follow-up to my System Center 2012 R2 Infrastructure Planning post on SCCM, I’ll use this post to consolidate some of the resources that I found for the installation and configuration of Configuration Manager 2012 R2.

My SCCM environment consists of a Stand-Alone Primary Site Server with a remote SQL Server, both running Windows Server 2012 R2, so much of this information will be geared towards similar environments.

First and foremost, I highly recommend bookmarking and reading through the System Center 2012 Configuration Manager Survival Guide and the Windows-noob System Center 2012 Configuration Manager Guides. I’ve found both to be invaluable resources as they contain step-by-step guides for installing and configuring most of the major SCCM 2012 features. Since these guides are fairly exhaustive I won’t bother reposting most of what they already cover, so if you don’t see something here check them out.

Pre-Installation Tasks

Again, my SCCM environment will consist of two Windows Server 2012 R2 servers:

Server 1 – SCCM Primary Site Server and SQL Reporting Services

Server 2 – SQL Server for Site and Reporting Databases

  1. Extend the Active Directory Schema

Information on deciding whether to extend the AD Schema for SCCM and details of the process:

Extending the Schema in System Center 2012 Configuration Manager

Extending the AD Schema for Configuration Manager 2012

Deploying SCCM 2012 Part 2 – Creating Container, Extending the AD Schema 

  2. Create resource accounts in Active Directory

Some good resources on the common accounts needed for SCCM:

Using System Center 2012 Configuration Manager – Part 1. Installation – CAS

System Center 2012 Service Accounts & Permissions

Technical Reference for Accounts Used in Configuration Manager

These sources list a number of accounts but, for the sake of simplicity in a relatively small environment, I created a single SMSAdmin account that I will be using for just about everything in SCCM. All of the resource accounts listed require little more than domain user and local administrative privileges on the Site and SQL servers. The only additional step that was needed was to delegate permissions for the SMSAdmin account to join computers to the domain for OSD, which I just did to a single test OU for the time being.

Joining a computer to domain by delegating to domain user

  3. Add Server Roles to Server 1

SCCM 2012 Installation Guide

Configuration Manager 2012 Implementation and Administration

Prepare the Windows Environment for Configuration Manager

  • Installed Windows Server Update Services (WSUS)
  • Installed IIS with the following Role Services:
    • Common HTTP Features
      • Default Document
      • Directory Browsing
      • HTTP Errors
      • Static Content
      • HTTP Redirection
    • Health and Diagnostics
      • HTTP logging
      • Logging tools
      • Request Monitor
      • Tracing
    • Performance
      • Static Content Compression
    • Security
      • Request Filtering
      • Basic Authentication
      • URL Authorization
      • IP and Domain Restrictions
      • Windows Authentication
    • Application Development
      • .NET Extensibility 3.5
      • .NET Extensibility 4.5
      • ASP.NET 3.5
      • ASP.NET 4.5
      • ASP
      • ISAPI Extensions
      • ISAPI Filters
    • Management Tools
      • IIS Management Console
        • IIS 6 Management Compatibility
          • IIS 6 Metabase Compatibility
          • IIS 6 Management Console
          • IIS 6 Scripting Tools
          • IIS 6 WMI Compatibility
      • IIS Management Scripts and Tools
      • Management Service

  4. Add Features on Server 1

  • .NET Framework 3.5 Features
    • .NET Framework 3.5
    • HTTP Activation
  • .NET Framework 4.5 Features
    • .NET Framework 4.5
    • ASP.NET 4.5
    • WCF Services
      • TCP Port Sharing
  • Background Intelligent Transfer Service (BITS)
    • IIS Server Extension
  • Remote Differential Compression
  • Remote Server Administration Tools
    • Feature Administration Tools
      • BITS Server Extensions Tools
  • SMB 1.0/CIFS File Sharing Support
  • User Interfaces and Infrastructure
    • Graphical Management Tools and Infrastructure
    • Server Graphical Shell
  • Windows PowerShell
    • Windows PowerShell 4.0
    • Windows PowerShell 2.0
    • Windows PowerShell ISE
  • WoW64 Support

  5. Download and Install Windows ADK for Windows 8.1 on Server 1

Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1

Installed the following:

  • Deployment Tools
  • Windows PE
  • User State Migration Tool (USMT)

  6. Run SCCM Prerequisite Check on Server 1

http://technet.microsoft.com/library/gg712320.aspx#BKMK_PrerequisiteChecker

To ensure my server was fully prepared for SCCM, I ran the prerequisite checker included on the installation media. With the media mounted, browse to and run “SMSSETUP\BIN\x64\prereqchk.exe /local” to run all checks.

The prerequisite check failed for me on the SQL server pass because SQL is not locally installed on the Primary Site Server, but all other checks passed.

  7. Install SQL Server on Server 2

We chose to go with SQL Server 2012, but if you prefer a different version see the requirements chart:

SQL Server versions that are supported by System Center 2012 Configuration Manager

System Center 2012 Configuration Manager Best Practices:

“SQL Collation must be set to ‘SQL_Latin1_General_CP1_CI_AS’”

“Why is it important ? well firstly because it is a setting that most people don’t change (as it’s hidden from view) and secondly it’s set based on your regional settings. When you install SQL Server (which ConfigMgr needs to host it’s database) the SQL Collation is ‘set in stone’ during setup, that’s why knowing what your SQL Collation is and what it should be are important prior to running ConfigMgr setup. To learn how to identify your SQL Collation on a running SQL Server and how to change SQL Collation during SQL Server setup see this post  . Having the wrong SQL Server Collation will require you to reinstall SQL Server from scratch, and that takes time and effort.”

“Best Practices for SQL Server Installation”

“A lot of early adopters of System Center 2012 Configuration Manager are having issues getting SQL Server installed correctly. Many issues are due to having the wrong supported version or cumulative update applied. For information on supported versions please see Supported Configurations for Configuration Manager : http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLDBconfig
SQL server issues can also be seen when having the wrong certificate applied or by misconfiguring the port. For SQL Server installation and configuration tips see the support blog http://blogs.technet.com/b/configurationmgr/archive/2012/05/03/fix-unable-to-connect-cas-or-primary-to-the-sql-database-during-the-system-center-2012-configuration-manager-setup.aspx”

SQL Server Installation Guides:

Installing SQL Server for SCCM 2012 SP1

See Step 11 here:

Using System Center 2012 Configuration Manager – Part 1. Installation – CAS

These guides are for SQL Server 2008, but still a good reference for setting up 2012.

I used a custom instance name (e.g. OrgSCCM) to help distinguish the SCCM databases and added my SMSAdmin resource account to the local admin group on Server 2.

  8. Install SQL Server Reporting Services on Server 1

To install SSRS, I just ran the SQL Server 2012 installer and selected only the Reporting feature. I also used a custom instance name (e.g. SCCMSRS).

After installation, I then just used the Reporting Services Configuration Manager on Server 1 to point it to the SCCM DB instance on Server 2 for the Reporting Server Database location using the SMSAdmin account.

Install and Configure SCCM on Server 1

Now we’re ready to install Configuration Manager. For the installation and basic setup of SCCM components, I generally referred to the two master guides that I mentioned at the start of this post. Some specific guides:

Using SCCM 2012 RC in a LAB – Part 1. Installation

Using SCCM 2012 RC in a LAB – Part 3. Configuring Discovery and Boundaries

Using SCCM 2012 RC in a LAB – Part 4. Configuring Client Settings and adding roles

Using SCCM 2012 RC in a LAB – Part 2. Add SUP and WDS

Once again, they’re geared towards lab environments but they proved more than adequate to get me up and running and comfortable enough with the basics to make the customizations I needed.

I’ll create additional posts in the coming weeks on SCCM 2012 R2 as I get further into my testing to highlight any issues that I run into and provide solutions.

-Rick

Create a Windows Security Baseline Group Policy Object with Microsoft Security Compliance Manager (SCM)

Security Compliance Manager (SCM) is a tool that I find extremely useful, especially when preparing for a new Windows OS deployment. And best of all, it’s free!

Included in SCM are Microsoft’s recommended baseline security configurations for just about all of their current Operating Systems, including both desktop and server OSes, as well as some of their flagship applications such as Internet Explorer and Office. You can review and modify these configurations directly in SCM, export the configuration to a GPO Backup folder (as well as to a .cab or .xlsm), and then use that export to create a Group Policy Object to be applied to the appropriate systems in your domain.

I recently used this tool to create a security baseline GPO for Windows Server 2012 R2, so I’ll provide you with the basic steps that I used as a reference.

Please take note that even though the baselines included in SCM are Microsoft’s recommended configurations for security hardening, many of the settings have the potential of having a negative impact on your systems’ performance and/or your ability to manage them. Because of this I highly recommend taking the time to carefully review and research each setting within a baseline to make sure it will not conflict with any existing policies or procedures in your environment, and making changes as needed.

  1. Download and install Security Compliance Manager 3.0.
  2. In the left pane, expand Microsoft Baselines.
  3. Expand the desired operating system or application version and then select a role. In my case I chose Windows Server 2012 and the basic Member Server Security Compliance role.
  4. With the role selected, click on the Duplicate button in the right pane under the Baseline section.
  5. Give the duplicate configuration a new name and modify the description if you wish and then click Save.
  6. Your duplicate configuration will show up at the top of the left pane under Custom Baselines, above Microsoft Baselines. Click on it to open the configuration.
  7. Take some time to carefully review the configuration settings included in the baseline in the center of the window. You can make changes as needed by clicking on the setting and then modifying the options shown.
  8. When you’re finished making any necessary changes, export the configuration by clicking on the GPO Backup (folder) link in the right pane. Be sure to save it somewhere accessible from the system where you manage your domain group policies.
  9. Open up the Group Policy Management console and connect to your domain.
  10. Under Forest -> Domains -> MyDomain -> Group Policy Objects, create a new Group Policy Object and name it according to your organization’s GPO naming convention. If you don’t have one, I recommend basing the name off of the baseline configuration you created to distinguish it and make it easier to find, e.g. Windows Server 2012 Security Baseline.
  11. Once created, right-click on the new GPO and click Import Settings…
  12. When the Import Settings Wizard appears click Next >.
  13. If you’re attempting to import the configuration settings into an existing GPO rather than with a newly created one, I recommend using the next screen to create a backup of the GPO first. Otherwise, since there are no existing settings to overwrite, click Next > to continue.
  14. Browse to the location of the GPO Backup folder that you exported from SCM earlier and then click Next >.
  15. The wizard should detect the baseline in the backup folder and list it in the next window. Click on it and then click Next >.
  16. You may get a warning that the backup contains UNC paths. Select Copying them identically from the source and then click Next >.
  17. Click Finish to complete the import.

And there you go, you now have a Group Policy Object containing the recommended baseline security settings for your product. From here you can begin linking the GPO to your OUs as needed. I would highly recommend using security filtering and/or a WMI filter to make sure the GPO is only applied to a few select test systems until you’ve gauged how the new settings will impact your environment.

To use my recent experience as an example, I created a security group in Active Directory named Windows Server 2012 GPO Testing, added a single test server to this group, and then added the group to my baseline GPO’s Security Filtering (make sure you also remove Authenticated Users). To be extra careful, I also created a new WMI filter to only return Windows Server 2012 R2 Member Servers and added this to my GPO as well. These help to ensure that my policy will only be applied to servers which are members of my security group, are running Windows Server 2012 R2, and are not domain controllers, regardless of the OU that I link the policy to in my Active Directory structure.
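
The import and security-filtering steps above can also be scripted with the GroupPolicy module that is installed with the Group Policy Management tools. This is an added example, not code from the original post; the backup path is a placeholder, and the GPO and group names are the ones used in the text.

```powershell
# Added example, not from the original post.
# Run on the system where you manage domain group policies, with rights to
# create and edit GPOs.
Import-Module GroupPolicy

$backupPath = 'C:\GPOBackups\SCM-Export'               # placeholder: GPO Backup folder exported from SCM
$gpoName    = 'Windows Server 2012 Security Baseline'  # GPO name suggested in the text
$testGroup  = 'Windows Server 2012 GPO Testing'        # security group from the text

# A GPO backup folder holds one {GUID}-named subfolder per backup;
# that GUID is the backup ID that Import-GPO expects.
$backups = @(Get-ChildItem -Path $backupPath -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })

if ($backups.Count -ne 1) {
    throw "Expected exactly one GPO backup in $backupPath, found $($backups.Count)."
}
$backupId = [guid]$backups[0].Name.Trim('{}')

# Create the GPO if it does not exist yet and import the baseline settings.
# No migration table is passed, so paths in the backup are copied as they are.
$gpo = Import-GPO -BackupId $backupId -Path $backupPath `
                  -TargetName $gpoName -CreateIfNeeded
Write-Host "Imported backup $backupId into GPO '$($gpo.DisplayName)'"

# Security filtering: the test group gets Read and Apply ...
Set-GPPermission -Name $gpoName -TargetName $testGroup `
                 -TargetType Group -PermissionLevel GpoApply | Out-Null

# ... and Authenticated Users is removed, as described in the text.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel None -Replace | Out-Null

# Review the resulting delegation before linking the GPO to any OU.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```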

If you want to create your own custom WMI filter, the process is very simple.

  1. Open the Group Policy Management console and expand Forest -> Domains -> MyDomain -> WMI Filters.
  2. Right-click the WMI Filter container and click New.
  3. Name the new filter appropriately. In my case, I named it Windows Server 2012 Member Server ONLY. Add a description to help others know exactly what your filter does.
  4. Click the Add button to create a new query.
  5. You can leave the namespace as root\CIMv2 and then enter your custom query. To find and return only Windows Server 2012 R2 Member Servers, I used the following query:

select * from Win32_OperatingSystem where Version like "6.3%" and ProductType="3"

  6. When finished click Save.
  7. You can now use this filter for any GPO that you wish, simply by using the drop-down at the bottom of the Scope tab (same place where you set Security Filtering).
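
A WMI filter lets the GPO apply when its query returns at least one instance on the client, so the query can be checked against known machines before it is attached to a GPO. The following is an added example, not part of the original post; the computer names are placeholders and it assumes WinRM is reachable on the targets.

```powershell
# Added example, not from the original post.
# Runs the WMI filter query from the text against a list of machines and
# reports which ones it would match.

function Test-GpoWmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,

        # Query from the text: Windows Server 2012 R2 member servers only.
        [string]$Query = 'select * from Win32_OperatingSystem where Version like "6.3%" and ProductType="3"',

        [string]$Namespace = 'root\CIMv2'
    )

    foreach ($computer in $ComputerName) {
        try {
            # Unfiltered OS details, shown next to the verdict for context.
            $os = Get-CimInstance -ComputerName $computer -ClassName Win32_OperatingSystem -ErrorAction Stop

            # The filter evaluates to true when the query returns any instance.
            $hit = Get-CimInstance -ComputerName $computer -Namespace $Namespace `
                                   -Query $Query -ErrorAction Stop

            [pscustomobject]@{
                ComputerName  = $computer
                Caption       = $os.Caption
                Version       = $os.Version
                # ProductType: 1 = workstation, 2 = domain controller, 3 = server
                ProductType   = $os.ProductType
                FilterMatches = [bool]$hit
                Error         = $null
            }
        }
        catch {
            # Unreachable or access-denied machines are reported, not skipped.
            [pscustomobject]@{
                ComputerName  = $computer
                Caption       = $null
                Version       = $null
                ProductType   = $null
                FilterMatches = $null
                Error         = $_.Exception.Message
            }
        }
    }
}

# Placeholder names: one member server, one domain controller, one older server.
Test-GpoWmiFilter -ComputerName 'srv2012r2-01', 'dc01', 'srv2008r2-01' |
    Format-Table -AutoSize
```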

For some help creating your own WMI filters, check out the links below.

Create WMI Filters for the GPO

Operating System Version Numbers

-Rick

System Center 2012 R2 Infrastructure Planning (Part 2) (SCCM)

This is part 2 of my System Center 2012 R2 Infrastructure Planning series, which aims to serve as a central resource to aid you in your System Center deployments.

This part focuses on Configuration Manager. Once again, in no particular order:

Configuration Manager

Supported Configurations for Configuration Manager
http://technet.microsoft.com/en-us/library/gg682077.aspx

“Configuration Manager requires several prerequisites to support deploying operating systems. The following prerequisites are required on the site server of each central administration site or primary site before you can install the site or upgrade the site to a new version of Configuration Manager. This requirement applies even when you do not plan to use operating system deployments:

  • For System Center 2012 Configuration Manager with no service pack: Automated Installation Kit (Windows AIK)
  • For System Center 2012 Configuration Manager with service pack 1: Windows Assessment and Deployment Kit 8.0 (Windows ADK)
  • For System Center 2012 R2 Configuration Manager: Windows Assessment and Deployment Kit 8.1”

Planning for Sites and Hierarchies in Configuration Manager
http://technet.microsoft.com/en-us/library/gg712681.aspx

Configuration Manager 2012 Sizing Considerations
http://blogs.msdn.com/b/scstr/archive/2012/05/31/configuration_2d00_manager_2d00_2012_2d00_sizing_2d00_considerations.aspx

Planning for Hardware Configurations for Configuration Manager
http://technet.microsoft.com/en-us/library/hh846235.aspx

“For best performance, use RAID 10 configurations for all data drives and 1Gbps Ethernet network connectivity between site system servers, including the database server.”

“…consider the following general guidelines when you plan for disk space requirements:

  • Each client requires approximately 3 MB of space in the database
  • When planning for the size of the Temp database for a primary site, plan for a size that is 25% to 30% of the site database .mdf file. The actual size can be significantly smaller, or larger, and depends on the performance of the site server and the volume of incoming data over both short and long periods of time.
  • The Temp database size for a central administration site is typically much smaller than that for a primary site.
  • The secondary site database is limited in size to the following:
    • SQL Server 2008 Express: 4 GB
    • SQL Server 2008 R2 Express: 10 GB”

Determine How to Manage Mobile Devices in Configuration Manager
http://technet.microsoft.com/en-us/library/gg682022.aspx

“System Center 2012 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange Active Sync (EAS) capable devices that connect to a server running Exchange Server or Exchange Online.”

System Center 2012 Configuration Manager Best Practices
http://social.technet.microsoft.com/wiki/contents/articles/11215.system-center-2012-configuration-manager-best-practices.aspx

“SQL Collation must be set to ‘SQL_Latin1_General_CP1_CI_AS’”

“Why is it important ? well firstly because it is a setting that most people don’t change (as it’s hidden from view) and secondly it’s set based on your regional settings. When you install SQL Server (which ConfigMgr needs to host it’s database) the SQL Collation is ‘set in stone’ during setup, that’s why knowing what your SQL Collation is and what it should be are important prior to running ConfigMgr setup.”

Determining Whether to Extend the Active Directory Schema for Configuration Manager
http://technet.microsoft.com/en-us/library/gg712272.aspx

Install and Configure Site System Roles for Configuration Manager
http://technet.microsoft.com/en-us/library/hh272770.aspx

About the Asset Intelligence Synchronization Point
http://technet.microsoft.com/en-us/library/cc161864.aspx

Technical Reference for Ports Used in Configuration Manager
http://technet.microsoft.com/en-us/library/hh427328.aspx

SCCM 2012 SP1 SQL Reporting Services on the same server
http://social.technet.microsoft.com/Forums/en-US/5e8d5790-fdce-4c9d-a0c0-f48f9af35b14/sccm-2012-sp1-sql-reporting-services-install-on-same-server?forum=configmanagergeneral

Configure Reporting in Configuration Manager
http://technet.microsoft.com/en-us/library/gg712698.aspx

-Rick

System Center 2012 R2 Infrastructure Planning (Part 1) (SCOM)

So I’ve spent most of this week working on an infrastructure plan and design for System Center 2012 R2 and I wanted to share with you the resources that I found helpful in this endeavor.

The initial plan focuses around Configuration Manager and Operations Manager only, and rather than dump everything into a single post I’ve decided to break them up; so stay tuned for future posts on this topic. Once SCCM and SCOM have been implemented I’ll likely be exploring the other System Center products as well and will continue the series accordingly.

Everyone’s environment is different so I won’t make any specific recommendations, but hopefully this will serve as a useful resource to help you plan your own System Center deployments.

This first post in the System Center 2012 R2 Infrastructure Planning series focuses on Operations Manager and a few SQL Server references that I found handy.

In no particular order….

Operations Manager

Key Concepts
http://technet.microsoft.com/library/hh230741.aspx

System Requirements/Firewall Exceptions
http://technet.microsoft.com/en-us/library/dn249696.aspx

“Operations Manager does not support hosting its databases or SQL Server Reporting Services on a 32-bit edition of SQL Server.”

“SQL Server collation settings for all databases must be one of the following: SQL_Latin1_General_CP1_CI_AS; Latin1_General_100_CI_AS, // EN, IT, DE, PT-BR, NE, PT-PT; French_CI_AS; French_100_CI_AS; Cyrillic_General_CI_AS; Chinese_PRC_CI_AS; Chinese_Simplified_Pinyin_100_CI_AS, // CN simplified; Chinese_Traditional_Stroke_Count_100_CI_AS, // CN traditional, CN-HK; Japanese_CI_AS; Japanese_XJIS_100_CI_AS; Traditional_Spanish_CI_AS; Modern_Spanish_100_CI_AS; or Latin1_General_CI_AS; Cyrillic_General_100_CI_AS, // RU; Korean_100_CI_AS; Czech_100_CI_AS; Hungarian_100_CI_AS; Polish_100_CI_AS; and Finnish_Swedish_100_CI_AS. No other collation settings are supported.”

“If you plan to use the Network Monitoring features of System Center 2012 R2 Operations Manager, you should move the tempdb database to a separate disk that has multiple spindles.”

Distributed Deployment of Operations Manager
http://technet.microsoft.com/en-us/library/hh298610.aspx

Single Server Deployment of Operations Manager
http://technet.microsoft.com/en-us/library/hh298612.aspx

Considerations for High Availability and Disaster Recovery
http://technet.microsoft.com/en-us/library/hh920812.aspx

“You should always have two management servers in ANY environment. A second management server allows for failover and easy restore, and a second management server can take on the load if one fails. All management servers are members of the All Management Servers Resource pool, which balances the monitoring load of your management group as new management servers are added, and provides automatic failover for monitoring. The impact of failure of a management server in a distributed environment is minimized, but it increases the workload on additional management servers in the management group until the failed management server is restored.”

Security Considerations
http://technet.microsoft.com/en-us/library/hh487288.aspx

System & Database Sizing Helper Tool
http://blogs.technet.com/b/momteam/archive/2012/04/02/operations-manager-2012-sizing-helper-tool.aspx

Audit Collection (ACS) Database Size Calculator
https://blogs.technet.com/b/momteam/archive/2008/07/02/audit-collection-acs-database-and-disk-sizing-calculator-for-opsmgr-2007.aspx

Operations Manager and VMware…
http://social.technet.microsoft.com/Forums/systemcenter/en-US/51b2d19d-b783-4828-9b7d-bc59f4a44c2b/operations-manager-2012-and-vmware-virtual-hosts-supported-for-installation?forum=operationsmanagerdeployment

“Microsoft supports running all System Center 2012 – Operations Manager server features in any physical or virtual environment that meets the minimum requirements that are stated in this document. However, for performance reasons, we recommend that you store the operational database and data warehouse database on a directly attached physical hard drive, and not on a virtual disk. Specifically, virtual computers that are running any Operations Manager server feature must not use any functionality that does not immediately commit all activity on the virtual computer to the virtual hard drive. This includes making use of point-in-time snapshots and writing changes to a temporary virtual hard drive. This is true for every virtualization technology that is used with Operations Manager.”

Understanding and modifying Data Warehouse Retention and Grooming
http://blogs.technet.com/b/kevinholman/archive/2010/01/05/understanding-and-modifying-data-warehouse-retention-and-grooming.aspx

How to Configure Grooming Settings for the Reporting Data Warehouse Database
http://technet.microsoft.com/en-us/library/hh212806.aspx

Database Size Limits…
http://social.technet.microsoft.com/Forums/systemcenter/en-US/22efc287-a77d-4534-8d68-eb1b32d53b3a/database-size-limits-for-operations-manager-and-operations-manager-data-warehouse

Network Bandwidth Utilization for OpsMan 2007
http://blogs.technet.com/b/momteam/archive/2007/10/22/network-bandwidth-utilization-for-the-various-opsmgr-2007-roles.aspx

Audit Collection Services Capacity Planning
http://technet.microsoft.com/en-us/library/hh212872.aspx

Collecting Security Events Using Audit Collection Services in Operations Manager
http://technet.microsoft.com/en-us/library/hh212908.aspx

How to Install the Operations Manager Reporting Server
http://technet.microsoft.com/en-us/library/hh298611.aspx

Management Packs Installed with Operations Manager
http://technet.microsoft.com/en-us/library/hh212701.aspx

ACS Configuration Help
http://social.technet.microsoft.com/Forums/systemcenter/en-US/e8682287-a4ac-4ebe-942a-b4a71c894a94/scomacs-configuration?forum=operationsmanagergeneral

SQL Server

Hardware and Software Requirements for Installing SQL Server
http://msdn.microsoft.com/en-us/library/ms143506.aspx

Managing SQL Server Workloads with Resource Governor
http://technet.microsoft.com/en-us/library/bb933866(v=sql.105).aspx

Considerations for Installing Reporting Services
http://msdn.microsoft.com/en-us/library/ms143736(v=sql.100).aspx

-Rick

Outlook Prompts for Autodiscover Credentials Mid-Session

This one is for a very specific and probably uncommon scenario, but it drove me (and everyone else) up a wall and took a ton of hours, both ours and Microsoft Support's, to finally resolve, so hopefully this will save some headaches.

Some background: we were in the middle of a migration to a new Exchange Server that sat on a separate domain from our Windows desktop clients with no trust relationship established (long story). We were able to update our users’ Outlook clients to point to the new server address, and when launched, Outlook prompted for authentication credentials to connect. This worked well enough, aside from our users being forced to use different credentials to log into their computers and to access their email, and everything functioned pretty much normally once authenticated. To streamline opening Outlook by avoiding the login prompt on launch, many of our users took to storing their secondary credentials locally using Windows Credentials Manager.

However, we started getting reports from users who used these cached credentials that they were being frequently prompted while Outlook was open, mid-session, to authenticate with an Autodiscover.domain server address. The Autodiscover address was displayed as being on the same domain as the workstation despite no Exchange Server residing there, and the prompt could be cleared by either hitting cancel or using credentials for the new Exchange Server’s domain. Regardless, the prompt would continue to reappear every few hours.

We were banging our heads against the wall for several days, trying everything we could think of and any suggestion we could find on the web, including wild-carding both domain addresses in Credentials Manager (for example *.contoso.com, to borrow from Microsoft), but absolutely nothing worked. Finally we stumbled upon the somewhat counter-intuitive solution with Microsoft Support’s help.

To prevent the Autodiscover prompt from appearing, we effectively had to bypass the use of cached credentials by forcing the prompt for logon credentials on launch via a setting in the user’s Outlook profile. Instructions for doing this are below.
 
In Outlook 2007:
1. Click Tools -> Account Settings
2. On the E-mail tab, highlight the Microsoft Exchange account and click on the Change button
3. Click the More Settings button
4. Click the Security tab
5. Check the box next to Always prompt for logon credentials
6. Click Apply and then OK
7. Click Next and then Finish

In Outlook 2010:
1. Click File -> Info -> Account Settings
2. On the E-mail tab, highlight the Microsoft Exchange account and click on the Change button
3. Click the More Settings button
4. Click the Security tab
5. Check the box next to Always prompt for logon credentials
6. Click Apply and then OK
7. Click Next and then Finish

So, again, this had the effect of forcing the prompt for credentials to connect to the Exchange Server when Outlook is first run, even if credentials are cached for that address. Still an inconvenience but, since most of our users would open Outlook and leave it running in the background, many found a single prompt at first was preferable to periodic prompts throughout the day.

-Rick
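
Since the mid-session prompts in the Outlook post above only hit users who had saved credentials in Credentials Manager, it helps to see which saved entries cover the mail domains on a given workstation. The PowerShell below is an added example, not part of the original post: it parses `cmdkey /list` output (English-locale labels assumed) and filters entries by target; the function name `Get-StoredCredentialEntry`, the sample output, the account names and the fabrikam.com domain are constructed for illustration.

```powershell
# Constructed sample of `cmdkey /list` output (English-locale labels).
# contoso.com / fabrikam.com and the account names are placeholders.
$sample = @'
Currently stored credentials:

    Target: Domain:target=*.contoso.com
    Type: Domain Password
    User: FABRIKAM\jdoe

    Target: LegacyGeneric:target=autodiscover.contoso.com
    Type: Generic
    User: jdoe@fabrikam.com

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CONTOSO\jdoe
'@

function Get-StoredCredentialEntry {
    param(
        [string[]]$Lines,         # `cmdkey /list` output, one element per line
        [string[]]$DomainPattern  # wildcard patterns matched against the target host
    )
    $entries = New-Object System.Collections.Generic.List[object]
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # Drop the "Domain:target=" / "LegacyGeneric:target=" prefix.
            $entry = [pscustomobject]@{
                TargetHost = $Matches[1] -replace '^.*?target=', ''
                Type       = ''
                User       = ''
            }
            $entries.Add($entry)
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') { $entry.Type = $Matches[1] }
        elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') { $entry.User = $Matches[1] }
    }
    # Keep only entries whose target host matches at least one pattern.
    $entries | Where-Object {
        $e = $_
        $DomainPattern | Where-Object { $e.TargetHost -like $_ }
    }
}

# Offline run against the sample; on a workstation pass (cmdkey /list) instead.
Get-StoredCredentialEntry -Lines ($sample -split '\r?\n') -DomainPattern '*contoso.com', '*fabrikam.com'
```

`cmdkey /list` shows only the target, type and user name of each entry, never the stored password, so the output is safe to attach to a support ticket.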