Category Archives: SCCM 2012 R2

Securing your new Server 2012 R2 Domain Controllers

No, I’m not writing a book! It could easily be done, there is an enormous amount of information on the Interwebs about AD and Security. Instead, I want to put a couple of links in here for reference.

Firstly, a friend of mine, Laura Robinson, was the Lead Author of a whitepaper specifically dealing with this topic, download the Best Practices for Securing Active Directory.docx. It’s an awesome document well worth reading through.

Secondly, for those also running SCCM 2012 in their environment, here is a link to a very well written post about Windows Server and SCCM 2012  – Compliance Checking. Step by step on how to use SCCM to run a weekly check on *all* your servers, DCs or otherwise, to make sure they are compliant with your internal (or Microsoft’s) Best Practice.

Enjoy the light reading.

 

get IT right

Wayne

Leave a comment

Filed under SCCM 2012 R2, Server 2012 R2

SCCM R2 Cumulative Update 2

was released last month, 24th June. As I’m teaching the 10747 course this week, I thought I’d better refresh myself with what’s in the update. Interesting reading, in fact, a *must* read for those running ConfigMan.

Something I tend to emphasise during the course is the use of options when deploying the SCCM Client, in particular the smscachesize= option. We discuss HDD size, amount of RAM, size of the students SOE, and the size of the largest applications they plan on deploying. As a reminder, the default cache size is set to 5120MB; too small, in my mind, for todays beefy applications, especially if you want to persist content in the cache. I normally suggest 10240MB as a starting point.

The KB article, 2970177, points out a very interesting “undocumented software feature” (well, undocumented until now) about cache size: “If the maximum size of the Configuration Manager client cache is exceeded by a software update package, the cache continues to increase beyond its specified limit.” Interesting, to put it mildly. So, check the cache on selected clients and see if you need this Update.

Also, to assist you managing your ConfigMan environment, Microsoft have released:

System Center 2012 Configuration Manager Servicing Extension has been released to the Configuration Manager Open Beta community! You can download the Beta here:  http://connect.microsoft.com/ConfigurationManagervnext/Downloads/DownloadDetails.aspx?DownloadID=53752.

System Center 2012 Configuration Manager Servicing Extension provides useful information for maintaining a Configuration Manager environment. Servicing Extension provides the following capabilities:

  • Notifies you of Configuration Manager updates as they become available, with the ability to filter updates according to which major release they apply to
  • Provides details on the sites in your environment, including the last major Configuration Manager version installed and the most recently installed Cumulative Update
  • Provides a list of Configuration Manager client versions that may be present in your environment, and makes it easy to create queries to locate these clients
  • Provides a built-in RSS reader to display recent blog postings from the System Center Configuration Manager Team Blog and The Configuration Manager Support Team Blog

get IT right

Wayne

Leave a comment

Filed under SCCM 2012 R2

SCCM 2012 R2 SSRS

What a load of ….. acronyms. One big change from SCCM 2007 is in Reporting. SCCM 2012 now uses SQL Server Reporting Services (SSRS) and SQL Report Builder (SRB). For someone (me!) not entirely comfortable with SSRS and SRB, a friend comes to the rescue with a blog written last year. Russ Rimmerman’s blog on Inventory and Reporting has a bonus mini-primer on SSRS and SRB, plus he describes how it all works much better than I can. Over to you Mr. Russ! Browse to configmgr_geek_speak to read more.

 

get IT right!

Wayne

Leave a comment

Filed under SCCM 2012 R2

Documentation? Who needs it!

Scenario: Monday morning the Boss taps on your cubicle wall and casually informs you that there is a security audit team arriving shortly … oh, did I forget to tell you? Sorry, but your documentation *is* up to date, isn’t it. That was a statement, not a question, so do you smile and reach for a folder (hard copy hasn’t quite died off yet) or does sweat break out on your forehead?

Of course this isn’t an issue, we all keep our documentation up to date, filed on the server and hard copy, don’t we 🙂

System Center 2012 R2 Configuration Manager has 15 Security Roles, each has permissions that can be assigned to securable objects. You can also copy the default Roles and create your own, customized permission profile. Recording and create documentation for a large organization could become a nightmare. Let’s look at an updated (Dec 2013) spreadsheet that will make a life so much easier for you. Simply download the spreadsheet from http://gallery.technet.microsoft.com/Matrix-of-Role-Based-d6318b96 and start filling in your Administrative Groups and their associated Roles. It will take time, but nowhere near as much if you started from scratch!

Now, where did I put that folder …

get IT right

Wayne

Leave a comment

Filed under SCCM 2012 R2

Interesting people you meet when ..

over in the US, working at a large conference. One of those was the ConfigMgr Guy, Russ Rimmerman. Nice bloke, very knowledgeable and, most importantly, a fantastic blog! As an MCT, knowing where to direct students for answer to their particular questions, or unique situations, is paramount. I do not know everything (funny that!) but I usually know someone, or somewhere, to get an answer. In this case, for my 10747 and 10748 System Center 2012 R2 Configuration Manager courses, Russ is a goldmine! For those people upgrading from SCCM 2012 sp1 to SCCM 2012 R2, Mr. Rimmerman has a step by step (using screen shots – bonus points Russ!) guide. Invaluable. As I said, interesting people you meet … glad I said “G’day” Russ, see you next year.

get IT right!

Wayne

Leave a comment

Filed under SCCM 2012 R2

Communication Breakdown!

No, not the Big O’s hit (if you don’t know who the Big O is, ask your parents <g>), but the dreaded:

test1

Hmmm, lost/corrupted/hosed the secure channel. What next? I know, logon locally, take the computer out of the domain, put it into a workgroup, then restart, rejoin the domain, restart yet again; all is sweet! Nope, bzzzzt! Fail. It looks like it has worked, but what you have most probably done in the background is destroyed the original SID (Security IDentifier) of the computer and created a new computer object in the domain; all group memberships, ou membership, SCCM 2012 object history … gone!

The more correct way? Read on. First, go to your Admin tools; either ADUC (Active Directory Users and Computers) or ADAC (Active Directory Admin Center – new from Windows Server 2008R2 on), right-click the offending Computer object and Reset Account! This sets the computer password to computername$ and allows the computer to reset that password when the secure channel is restored. Next, logon locally:

test2

Then, open an Administrative PowerShell prompt:

test3

Uh oh … more red hints, I see lots of these, deliberate errors I tell my students (well, that’s what my old sergeant said in the Army!). Lets try that using the correct command:

test4

That’s better! Supply the correct credentials, and:

test5

The returned value is Boolean, True means all is working, we’ve rejoined the domain and have preserved the SID, the object history in SCCM and all is sweet, until next time.

If you want to do this remotely (certainly saves walking, or in the worst case, driving to the workstation, refer to this TechNet tip: http://technet.microsoft.com/en-us/magazine/ff700227.aspx

get IT right!

Wayne

Leave a comment

Filed under SCCM 2012 R2, Server 2012 R2

SCCM 2012 R2 – Start Using PowerShell

Import-Module ConfigurationManager ? Nope, won’t work, at least not without jumping through a few hoops. Looking at the helpful red hints (I get lots of these!), the module is not found in the default path.

ps_cm1_e

From a PowerShell prompt, you need to change to the ….\bin directory, then import a .psd1. Using the -verbose shows the import progress, much better than staring at a screen, wondering what’s happening in the background 🙂

ps_cm2_e

Ready to go? Not quite. As you can see, we must now connect to the drive that represents the site, in this case, S01.

ps_cm3_e

Last thing to do, update the help file:

PS SO1:\>update-help -module configurationmanager

Adding the -module makes sure I only update the cm module, not all modules.

Now we can start using the new Cmdlts. Not too hard, just a bit fiddly. Good luck with the more than 470 cmdlts available.

Oh, and don’t forget, you need PowerShell 3.0 (or above) and the SCCM 2012 R2 console installed on the machine as well. Time for you to play!

get IT right

Wayne

1 Comment

Filed under SCCM 2012 R2, Server 2012 R2