Q. What is ITMU?
SMS 2003 Inventory Tool for Microsoft Updates
Q. Can computers show up in the Configuration Manager console before they have the
Configuration Manager client installed?
Yes. If you use a discovery method, Configuration Manager can find many resources and
create data discovery records (DDRs) for them, and those DDRs are stored in the database.
However, you cannot use Configuration Manager features such as software distribution,
software updates management, and inventory until you install the client components.
Q. Can you install the Configuration Manager Client components without discovering the
computer first?
Yes. Client Push Installation is the only client installation method that requires clients to be
discovered first.
Q. What are the Discovery Methods & DDR available in SCCM 2007 & 2012?
Discovery Data Records:-
When Discovery runs, it creates discovery data records (DDRs). The information contained in
a DDR varies depending upon the discovered resource. For example, it can include the
NetBIOS name of a computer, the IP address and IP subnet of a computer or device, and the
computer operating system name.
The approximate size of an individual DDR is 1 KB.
Discovery Methods:-
1. Active Directory System Discovery – Discovers computers from the specified locations in
Active Directory Domain Services.
2. Active Directory User Discovery – Discovers user accounts from the specified locations in
Active Directory Domain Services.
3. Active Directory Security Group Discovery – Discovers security groups, including local,
global, and universal groups from the specified locations in Active Directory Domain
Services.
4. Active Directory System Group Discovery – Discovers additional information about
previously discovered computers from the specified locations in Active Directory Domain
Services. This information includes the OU and group membership of the computer. Active
Directory System Group Discovery does not discover information about new resources that
did not previously exist in the Configuration Manager site database.
5. Heartbeat Discovery – Used by active Configuration Manager clients to update their
discovery records in the database. Because it is initiated by an active client, Heartbeat
Discovery does not discover new resources.
6. Network Discovery – Searches your network infrastructure for network devices that have
an IP address. This allows you to discover devices that might not be found by other
discovery methods, including printers, routers, and bridges.
7. Forest Discovery – SCCM 2012 has a new discovery method which discovers other
forests in the network.
Q. What is MP, DP, FSP, Reporting Service Point, Application Catalog web service point,
Application Catalog website point?
MP:- It is a primary point of contact between Configuration Manager Clients and the
Configuration Manager Site server.
DP:- It is a point that stores packages for clients to install.
FSP:- A fallback status point helps you monitor client installation and identify the clients that
are unmanaged because they cannot communicate with their management point.
Reporting Service Point:- A reporting services point integrates with SQL Server Reporting
Services to create and manage reports for Configuration Manager.
Application Catalog web service point:- It provides software information to
the Application Catalog website from the Software Library.
Application Catalog website point:- Application Catalog website point provides a list of
available software to users.
Q. What is BDP?
Branch distribution points provide an option for efficient package distribution to a small
office with limited bandwidth. A branch distribution point depends on a standard
distribution point from which it receives its content. To function properly, a branch
distribution point must contact a BITS-enabled standard distribution point.
Q. What should you choose Primary Site vs Secondary Site vs Distribution Point?
Primary Site: Choose a Primary Site when you want to manage Clients Directly.
Distribution point: Choose a Distribution Point almost all of the time.
Secondary Site: Scenarios where:
1. You want to manage the upward flow of data,
2. You want to have a local SUP (Software Update Point),
3. You want to have a local Management Point so that Clients Pick up policies and report to
this Local MP, and your low bandwidth site has more than 400 or 500 Client Machines.
Q. Determine If You Need a Server Locator Point for Configuration Manager Clients?
Server locator points are used in a Configuration Manager 2007 hierarchy to complete client
site assignment on the intranet and help clients find management points when they cannot
find that information through Active Directory Domain Services.
Intranet clients use Active Directory Domain Services as their preferred method to
complete site assignment and find management points. However, clients must use a server
locator point if:
1. Active Directory schema is not extended for Configuration Manager 2007 or the site is not
published to Active Directory Domain Services, or
2. if clients do not belong to the same Active Directory forest as the site server’s forest.
1. Client may not send/receive any policies and will not run any
advertisements.
Finding the Issue: There are a few log files you should look into:
CCMSETUP.LOG – This log file has the details of the client installation.
ClientLocation.Log – It helps to find out whether the client is assigned to the
SCCM site or not.
Open Configuration Manager Properties, switch to the Actions tab and check
whether at least 5 policy agents are displayed, which means the client is
healthy.
2. Client fails to send inventory data to configuration manager site or
fails to send status messages to the server.
Cause: This issue may occur if the WMI of the client computer is corrupt or not
working.
Solution: Check all the services which are required for communication with
the server, e.g.:
• Computer browser
• Windows installer
• SMS agent host
• BITS
• WMI
All the above mentioned services should be set to automatic startup and be started.
Then try repairing WMI. To repair WMI, follow the steps below:
Step 1:
%windir%\system32\wbem\winmgmt /clearadap
%windir%\system32\wbem\winmgmt /kill
%windir%\system32\wbem\winmgmt /unregserver
%windir%\system32\wbem\winmgmt /regserver
%windir%\system32\wbem\winmgmt /resyncperf
Step 2:
net stop winmgmt /y
Step 3:
if exist %windir%\system32\wbem\repository.old rmdir /s /q %windir%\system32\wbem\repository.old
ren %windir%\system32\wbem\repository repository.old
regsvr32 /s %systemroot%\system32\scecli.dll
regsvr32 /s %systemroot%\system32\userenv.dll
for /f %%s in (‘dir /b /s %windir%\system32\wbem\
Step 4:
net start winmgmt /y
Note: Ensure that the Windows Management Instrumentation service is running
after performing the above steps.
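Before renaming the repository it helps to confirm that the services listed above are in the expected state and that WMI really fails to answer. The following PowerShell is an added example, not part of the original FAQ. It assumes Windows PowerShell 5.1 or later and the standard Windows short names for the listed services. Get-Service talks to the Service Control Manager rather than to WMI, so the first check still works when the repository is damaged.

```powershell
# Added example (not from the FAQ). The short names are the standard Windows
# service names for the display names in the list above; adjust if they differ.
$RequiredServices = [ordered]@{
    Browser   = 'Computer Browser'
    msiserver = 'Windows Installer'
    CcmExec   = 'SMS Agent Host'
    BITS      = 'BITS'
    Winmgmt   = 'WMI'
}

function Get-ClientServiceState {
    # Reports start type and status for each listed service on this computer.
    foreach ($name in $RequiredServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $startType = 'n/a'
        $status    = 'n/a'
        if ($svc) {
            $startType = "$($svc.StartType)"
            $status    = "$($svc.Status)"
        }
        [pscustomobject]@{
            Service   = $RequiredServices[$name]
            Name      = $name
            Present   = [bool]$svc
            StartType = $startType
            Status    = $status
            # The FAQ expects every listed service to be automatic and started.
            MeetsFaq  = ($startType -eq 'Automatic' -and $status -eq 'Running')
        }
    }
}

function Test-WmiHealth {
    # Queries one core class and the client's own namespace. A failure in the
    # first query points at WMI itself; a failure only in the second points at
    # the Configuration Manager client rather than the repository.
    $result = [ordered]@{ CimV2 = $false; CcmNamespace = $false; Error = $null }
    try {
        $null = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.CimV2 = $true
        $null = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Client -ErrorAction Stop
        $result.CcmNamespace = $true
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    New-Object psobject -Property $result
}

Get-ClientServiceState | Format-Table -AutoSize
Test-WmiHealth | Format-List
```

Run it again after Step 4 to confirm that both WMI queries succeed.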
If the distribution has failed on a group of computers, the failure reason can
be verified by running the report named “All advertisements for a specific
package”. To run it, navigate to Site database->Computer
Management->Reporting->Reports. On the right-hand side you can see a report
named “All advertisements for a specific package”. Right-click this report and
click Run, enter the package ID of the package that failed, and finally click
Display.
Cause: The software package may not be downloaded into the client computer
cache if the client does not meet the requirement.
Solution: Ensure that the following services are up and running on the client
computer
Check whether the client is contacting the DP using the LocationServices.log file
and, if not, add the required DP to the package.
There are different reasons for a client computer not being displayed on the
SCCM Console but connected to the network.
If the client is installed, then open services.msc in the client computer and verify
if the SMS_AgentHost service is running, if not start the service.
Check whether the firewall is enabled or disabled; if it is enabled, allow the
ports needed to talk to the site server.
Solution:
Client can be installed manually on a computer by executing the following
command line:
CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=AUTO
(SMSMP01 is the MP name.)
To run this command, open a cmd prompt and change (cd) to the directory
where ccmsetup.exe can be found (most likely in %windir%\system32\ccmsetup
on 32bit versions of Windows).
You will be prompted with the below screen. Click Next. Select the “Always
Install” option. Then click Next and Finish.
Note:
If the SCCM Client needs to be installed on the domain controllers then the
“Include domain controllers” option should be enabled.
Solution:
The client installation status can be verified using the log file or Control panel
icons.
To check the log file, navigate to C:\Windows\System32\ccmsetup of the client
computer and open the ccmsetup.log and clientmsi.log files. If the installation
succeeded, you can see an “Installation Succeeded” line in the log file.
Also you can navigate to Start->Control panel and look for configuration
manager icon entry (assuming that the control panel view is set to small icons).
Ccmsetup.exe /uninstall
To run this command, open a cmd prompt and change (cd) to the directory
where ccmsetup.exe can be found (most likely in %windir%\system32\ccmsetup
on 32bit versions of Windows). Then you can run ccmsetup.exe /uninstall.
To confirm the uninstallation of the client, verify that the control panel icon
is gone and that the ccmExec.exe process has been removed.
Solution:
Open SCCM console, navigate to Site Database->Computer
Management->Collections->“Select a collection containing the client computer”.
On the right side details pane you can see different tabs as shown below,
Look for the “Active” tab and see if it’s Yes or No. If the status is “Yes”, the
client is active; if it is “No”, the client is inactive; and if it is empty,
the SCCM client has not been installed on the client computer.
Solution:
Open SCCM console, navigate to Site Database->Computer
Management->“Select the collection which contains the required client computer”.
Right click on the client computer->Start->Resource Explorer as shown below.
Expand the client name and you can get the required hardware and software
information.
Note: Windows update Agent, SCCM Client, Windows installer versions can be
found under this resource explorer->Expand Hardware.
12. How to run a specific web based report to identify any status?
Solution:
Open SCCM console, navigate to Site Database->Computer
management->Reporting and click on reports. You can see a list of default and
customized reports which can be executed by Right click->run (this runs the
query which is used to create the report) to view the web reports as shown below.
If the report ID is known then the particular report can be searched using “Look
for” option as shown in the screenshot below.
13. How to export list from SCCM Console and resource explorer?
Solution:
Open SCCM console; navigate to Site Database->Computer Management->All
Systems, Right Click->View->Export List as shown below. This list contains the
client computer names and it can be saved as notepad or in excel format.
Select the client computer for which the list needs to be exported and Right
Click->Start->Resource Explorer. Go to “Action” tab and select export list as
shown below.
Solution:
Open SCCM console, navigate to Site Database->Computer
management->Reporting and click on reports where all the required reports will
be listed. Right click on any report and click run to execute the report
(assuming that the report has already been created).
In the below screenshot “All advertisements for a Specific computer” has been
executed.
The client computer name has been entered and click on display to run the
query and the advertisement for the specific client will be displayed as shown
below.
Click on “Export” option as shown below to export the result to the excel sheet.
Solution:
You can verify the status of a distribution by checking the execmgr.log file in
the c:\windows\system32\ccm\logs folder and searching for the particular software
distribution using the package ID. If the package succeeded, “installation
succeeded with the exit code 0” will be written into the log file.
You can also verify it by checking the registry key on a client computer:
HKLM->Software->Microsoft->SMS->Mobile Client->Software Distribution->Execution
History->System-><Package ID>, where the success or failure code will be written.
17. The client push installation may not work if its account is configured
incorrectly or missing?
Solution:
This can be confirmed from ccm.log file on the site server which says,
On all potential client computers, the Advanced Client Push Installation process
requires that you grant administrator rights and permissions to either of the
following accounts:
• The SMS Service account when the site is running in standard security mode
• The Advanced Client Push Installation account
Clients that are not members of a domain cannot authenticate domain accounts.
For clients that are not members of a domain, you can use a local account on
the client computers.
18. Checking the overall Compliance using Update Lists when deploying
Monthly Updates
Solution:
The overall compliance of a monthly update can be viewed using the
“Compliance 1 – overall compliance” report.
To run this report, open the SCCM console and navigate to Site
management->Computer management->Reporting->Reports. In the right pane you can
see a list of reports; select the above mentioned report and Right click->run.
When the report appears you will have to give some inputs like update ID and
collection ID and click on display. Now you can view the overall compliance
report of the monthly update.
19. If the operating system deployment through SCCM fails, how do you
identify the issue and troubleshoot it?
Solution:
When the client computer boots up with the Boot image and fails during the
installation then there is an option to bring up a Debug command shell by
pressing F8 option. This option is available only if the boot image in the SCCM
server has been configured to “Enable command support”.
After bringing up the Debug command shell you can then check for the basic
network connectivity between client and server, also you can check the
SMSTS.log which is usually stored in X:\Windows\Temp\SMSTSLog\ or
C:\SMSTSLog or C:\_SMSTaskSequence log file using the command prompt.
20. The SCCM client may not be installed properly or some agents won’t
be running on the client computer. This client won’t be receiving any
advertisements due to this issue.
Solution:
This can be verified from the Configuration Manager icon in Control Panel. Open
the Configuration Manager item and switch to the Actions tab; only some
features will be available, such as “User policy retrieval” and “Machine policy
retrieval”.
Look for the LocationServices.log file in c:\windows\system32\ccm\logs; it
will contain the following error messages:
“Failed to refresh trusted key information while refreshing mp list”
“Failed to verify received message 0x80090006”
“Failed to verify received message 0x8009100e”
Follow the below steps to resolve this issue,
• Log on to the SCCM management point computer by using an account that has
administrative permissions.
• Click Start, click Run, type services.msc in the Open box, and then click OK.
• In the Services MMC snap-in, right-click SMS_EXECUTIVE, and then click Stop.
• In the Services MMC snap-in, right-click SMS_SITE_COMPONENT_MANAGER,
and then click Stop.
• Click Start, click Run, type ccmdelcert in the Open box, and then click OK.
• You receive the message: “Successfully deleted cert”.
• In the Services MMC snap-in, right-click SMS_EXECUTIVE, and then click Start.
• In the Services MMC snap-in, right-click SMS_SITE_COMPONENT_MANAGER,
and then click Start.
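To decide whether a client is affected before touching the management point certificate, the log can be searched for the three messages quoted above. The following PowerShell is an added example, not part of the original FAQ. It assumes the log uses the usual Configuration Manager entry layout shown in the comment, and the sample lines are constructed for illustration.

```powershell
# Added example. The three signatures are quoted from the FAQ entry above.
$Signatures = @(
    'Failed to refresh trusted key information while refreshing mp list',
    'Failed to verify received message 0x80090006',
    'Failed to verify received message 0x8009100e'
)

# Assumed entry layout:
#   <![LOG[text]LOG]!><time="..." date="..." component="..." ...>
$EntryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+' +
                'date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"'

function Find-TrustedKeyError {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    foreach ($entry in $Line) {
        $m = [regex]::Match($entry, $EntryPattern)
        if (-not $m.Success) { continue }      # blank or continuation line
        $msg = $m.Groups['msg'].Value
        foreach ($sig in $Signatures) {
            if ($msg.IndexOf($sig, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    Date      = $m.Groups['date'].Value
                    Time      = $m.Groups['time'].Value
                    Component = $m.Groups['comp'].Value
                    Signature = $sig
                }
                break
            }
        }
    }
}

# Constructed sample entries (timestamps, thread and file values are made up).
$SampleLog = @(
    '<![LOG[Refreshing trusted key information]LOG]!><time="09:14:02.113+000" date="01-15-2024" component="LocationServices" context="" type="1" thread="2312" file="sample.cpp:1">',
    '<![LOG[Failed to refresh trusted key information while refreshing mp list]LOG]!><time="09:14:02.520+000" date="01-15-2024" component="LocationServices" context="" type="3" thread="2312" file="sample.cpp:2">',
    '',
    '<![LOG[Failed to verify received message 0x80090006]LOG]!><time="09:14:03.004+000" date="01-15-2024" component="LocationServices" context="" type="3" thread="2312" file="sample.cpp:3">',
    '<![LOG[Failed to verify received message 0x8009100e]LOG]!><time="09:19:03.871+000" date="01-15-2024" component="LocationServices" context="" type="3" thread="2312" file="sample.cpp:4">'
)

# Count of entries per signature; three rows with Count = 1 for the sample.
Find-TrustedKeyError -Line $SampleLog |
    Group-Object Signature |
    Select-Object Count, Name |
    Format-Table -AutoSize

# On a client, feed the real file instead of the sample:
# Find-TrustedKeyError -Line (Get-Content 'C:\Windows\System32\CCM\Logs\LocationServices.log')
```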
Solution:
a. Advise user to start the machine up and select the boot menu as soon as
prompted.
i. Many different makes and models have different methods to boot via PXE,
however the most common method is to press F12 on the initial BIOS screen.
b. Once the PXE process has begun it will attempt to connect to the PXE server.
Once a response has been received ask the user to press F12 to continue when
prompted
i. The user has only a couple of seconds to press F12 when prompted so make
them aware prior.
ii. If the PXE fails to respond it could be a number of issues
1. The user’s machine is not located in the OS PXE Deployment collection, or the
collection hasn’t been updated.
2. The Windows Deployment Server (WDS) is failing to respond to client
requests.
3. User has no network connectivity, on this occasion it would be apparent from
the on screen messages when attempting to get a DHCP address at the
initialization of the PXE request.
iii. If successful the user should not see a windows loading bar
iv. Within a couple of minutes the user should see a company background with a
Deployment wizard.
v. Click next
vi. Select “<<Task Sequence Name required>>” and click next
vii. The user will see a progress bar as the wizard checks the deployment point
that all the packages required for the deployment are available.
viii. If this process fails ask the user to read out the name of the package it
failed on and check the distribution status of that package.
ix. The deployment will now commence.
x. Deployments via PXE take roughly around 1hr and 30mins to complete.
Solution:
a. In the Computer Management tree in SCCM ConfigMgr Console expand
System Status.
b. Expand Advertisement Status
c. Click on <<Advertisement name to monitor the status>>
d. In the main contents window Right Click on <<Site name – Database
name>>
e. From the Show Messages menu select All
f. You will now see status messages from all the deployments with the most
recent ones at the top. If the machine hasn’t reported back for a long period, e.g.
20mins, then contact the user to investigate what is showing on screen, as during
the deployment this is your only visibility of the progress.
g. Errors and warnings show in the Status for the advert don’t always mean a
complete failure however each error should be evaluated appropriately.
Solution:
The “Run advertised program” item in the control panel lists all the queued
advertisements, which can be initiated manually.
Open control panel, navigate to Run advertised program and click on it. You will
see a similar prompt as shown below. Select the advertisement name that is
listed and click run which is located at the bottom right of the window.
Now the selected advertisement will start running on the client computer.
25. How to take remote control of the client computer using SCCM
console?
Solution:
Open SCCM console; navigate to “All systems” collections where your client
computer will be populated. Right click on the client computer->Start->Remote
tools.
You can use a task sequence to deploy applications. However, when you
configure an application deployment rather than use a task sequence, you
benefit from the following:
You can supersede a previous version of the application and can uninstall or
upgrade the previous version.
Yes. System Center 2012 Configuration Manager supports the same client
installation methods that Configuration Manager 2007 supports: client push,
software update-based, group policy, manual, logon script, and image-based.
30. What is the “deployment purpose” and why would I use this?
The deployment purpose defines what the deployment should do and represents
the administrator’s intent. For example, an administrative user might require the
installation of software on client computers or might just make the software
available for users to install themselves. A global condition can be set to check
regularly that required applications are installed and to reinstall them if they
have been removed.
Yes. Users can browse a list of available software in the Application Catalog.
Users can then request an application which, if approved, will be installed on
their computer. To make a deployment optional, configure the deployment
purpose as Available in the applications deployment type.
34. Why would I use a package and program to deploy software rather
than an application deployment?
Yes. You can configure multiple deployment types for an application. Rules that
specify which deployment type is run allow you to specify how the application is
made available to the user.
36. Does Configuration Manager help identify which computers a user uses
to support the user device affinity feature?
Yes. Configuration Manager collects usage statistics from client devices that can
be used to automatically define user device affinities or to help you manually
create affinities.
Yes. You can see migrated packages and programs in the Packages node in
the Software Library workspace. You can also use the Import Package from
Definition Wizard to import Configuration Manager 2007 package definition files
into your site.
Yes. In System Center 2012 Configuration Manager, the term software includes
software updates, applications, scripts, task sequences, device drivers,
configuration items, and configuration baselines.
No, you can continue to deploy packages and programs that have been migrated
from your Configuration Manager 2007 site. However, packages and programs
cannot use some of the new features of System Center 2012 Configuration
Manager such as requirement rules, dependencies and supersedence.
If you don’t require HTTPS connections (for example, users will not connect from
the Internet), the quick guide instructions are as follows:
1. Make sure that you have all the prerequisites for the Application Catalog site
roles.
2. Install the following Application Catalog site system roles and select the
default options:
3. Configure the following Computer Agent device client settings by editing the
default client settings, or by creating and assigning custom client settings:
43. Can I use update lists in System Center 2012 Configuration Manager?
No. Software update groups are new in System Center 2012 Configuration
Manager and replace update lists that were used in Configuration Manager 2007.
Software update groups provide a more effective method for you to organize
software updates in your environment. You can manually add software updates
to a software update group or software updates can be automatically added to a
new or existing software update group by using an automatic deployment rule.
You can also deploy a software update group manually or automatically by using
an automatic deployment rule. After you deploy a software update group, you
can add new software updates to the group and they will automatically be
deployed.
45. Does System Center 2012 Configuration Manager have automatic
approval rules like Windows Server Update Services (WSUS)?
Yes. You can create automatic deployment rules to automatically approve and
deploy software updates that meet specified search criteria.
Remote Control:
TCP 2701 is the only port that System Center 2012 Configuration Manager uses
for remote control. When you enable remote control as a client setting, you can
select one of three firewall profiles that automatically configure this port on
Configuration Manager clients: Domain, Private, or Public.
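Because the client setting opens TCP 2701 in whichever profile was selected, it is worth auditing which profiles actually carry the rule on a given client. The following PowerShell is an added example, not part of the original FAQ. It uses the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later), should be run from an elevated session, and only reports rules that name the port explicitly.

```powershell
# Added example: list enabled inbound allow rules that name TCP 2701 and flag
# any that apply to the Public profile. The port number comes from the FAQ.
function Get-RemoteControlFirewallExposure {
    param([int]$Port = 2701)

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule   = $_
            $filter = $rule | Get-NetFirewallPortFilter
            if ($filter.Protocol -ne 'TCP') { return }   # skip non-TCP rules

            # LocalPort can hold one value, several values, or ranges ("2700-2710").
            $covers = $false
            foreach ($p in @($filter.LocalPort)) {
                if ($p -eq "$Port") {
                    $covers = $true
                }
                elseif ($p -match '^(\d+)-(\d+)$' -and
                        $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
                    $covers = $true
                }
            }
            if (-not $covers) { return }

            $profiles = "$($rule.Profile)"
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profiles      = $profiles
                LocalPort     = (@($filter.LocalPort) -join ',')
                # "Any" means the rule applies to all three profiles.
                PublicExposed = ($profiles -match 'Any|Public')
            }
        }
}

Get-RemoteControlFirewallExposure | Format-Table -AutoSize
```

A row with PublicExposed set to True means remote control is reachable while the client is on a network classified as Public.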
48. What is the difference between a Permitted Viewers List and granting a
user the role-based administration security role of Remote Tools
Operator?
The Permitted Viewers List grants an administrative user the Remote Control
permission for a computer, and the role-based administration security role of
Remote Tools Operator grants an administrative user the ability to connect a
Configuration Manager console to a site so that audit messages are sent when
they manage computers by using remote control.
Yes. In the Configuration Manager remote control window, click Action, and
then click Send Ctrl+Alt+Del.
50. How can I find out how the Help Desk is using remote control?
You can find this out by using the remote control reports: Remote Control –
All computers remote controlled by a specific user and Remote Control –
All remote control information
The remote control settings for System Center 2012 Configuration Manager
clients are now in Software Center, on the Remote Access tab.
Yes. System Center 2012 Configuration Manager includes two new collection
rules, the Include Collections rule and the Exclude Collections rule that allow
you to include or exclude the membership of specified collections.
No. Collections configured by using query rules that use certain classes do not
support incremental updates.
Secondary Sites are ALWAYS a Child Site of a Primary Site and can only be
administered via a Primary Site
A Central Site is a Configuration Manager Primary Site that resides at the top of
the Configuration Manager hierarchy. All Database information rolls from the
child to the parent and is collected by the Central Site’s Configuration Manager
Database. The Central Site can administer any site below it in the hierarchy and
can send data down to those sites as well.
What is PRIMARY SITE?
It can be a child of other Primary Sites and can have Child Sites of its own
http://exchangeserverinfo.com/2008/05/02/installation-and-configuration-of-secondary-site-server.aspx
Create an Advertisement for the distribution, linking the package you created to
the collection, and decide whether the Advertisement is mandatory (installation
enforced) or not (users have to go to the "Run Advertised Programs" dialog in
Windows and select to install the program).
You need to add the Software Update Point site role to the site, configure the
software update point as active, configure the products, classifications, sync
settings, etc. in the Software Update Point properties. THEN, you can go to the
Update Repository node and run the Run Synchronization action from the central
primary site. Once synchronization completes, you will see the metadata in the
Configuration Manager console.
Right-click the site system server name, and then click New Roles.
Specify whether the site server will use a proxy server when connecting to the
software update point, and then click Next.
Select Use this server as the active software update point, and then
specify the port settings configured for the WSUS Web site on this site system.
Specify the synchronization source for the active software update point using
one of the following settings: like Synchronize from Microsoft Update or
Synchronize from an upstream update server
Keep the default setting Do not create WSUS reporting events, and then
click Next
Specify the update classifications for which the software updates will be
synchronized, and then click Next.
Specify the products for which the software updates will be synchronized, and
then click Next.
To create a scheduled backup task, expand the Site Settings node and expand
the Site Maintenance node, click on Tasks.
Client Push Installation, Software update point based installation, Group Policy
Installation, Logon Script Installation, Manual Installation, Upgrade Installation
(software Distribution)
Yes.
Internet-based client management, which supports the following site systems
installed in a separate forest to the site server:
Management point
Distribution point
Software update point
Fallback status point
The SMS Provider is a WMI provider that allows both read and write access to
the Configuration Manager 2007 site database. The SMS Provider is used by the
Configuration Manager console
The SMS Provider can be installed on the site database server computer, site
server computer or another server class third computer during Configuration
Manager 2007 Setup. After setup has completed, the current installed location of
the SMS Provider is displayed on the site properties general tab
What's New
Integration with Windows Server Update Services (WSUS) 3.0 for Patch
Management - ConfigMgr now leverages WSUS and its catalog (which can also
include 3rd party updates), for Patch Management. Once updates are approved
they can be deployed via the new Software Updates Client Agent by means of a
deployment package rather than Advertisements as before.
o Native Mode - More secure as uses PKI and allows Internet-Based Client
Management.
Improved Security - As well as allowing the local system and computer accounts
to be used to run services, connect between Sites and Site Systems, perform
Client-based functions ConfigMgr can use an existing Public Key Infrastructure
(PKI) to further increase security for site-to-site and site-to-client
communications.
Full support for Fully Qualified Domain Names (FQDNs) and IPv6
Clients send new State Messages based on the state of a process at a given time
of changes to their state (compared to Status Messages which provide
information relating to data flow and component behaviour).
A new improved version of the Administrator Console. The console is now split
into three areas like Microsoft Outlook:
o Actions pane (right) displaying actions relevant to the node selected in the
Console Tree.
Introduction of several new Site System Roles:
NOTE: These are explained in the "What are the ConfigMgr 2007 Site System
roles?" article
Support for hosting the Site Database on a clustered SQL Server virtual instance
or SQL Server 2005 named instances.
What's Changed
There have been several changes from SMS 2003 to ConfigMgr
including:
Feature Packs that used to be separate add-ons in SMS 2003 are now
incorporated into the core ConfigMgr product (for example the Administration
Feature Pack, Device Management Feature Pack, Operating System Deployment
Feature Pack Update). Improvements/ enhancements to Feature Packs include:
NOTE: As a result of the above two changes the core product requires a greater
amount of server resources.
Major changes to the way Backup and Recovery works - Volume Shadow
Copy Service (VSS), available with XP, Windows 2003 and later OSs
allowing a capture of a ConfigMgr Site to be made and stored on other
media.
Improved Remote Tools integration with Remote Desktop and Assistance -
RDP is now used to communicate with XP, Vista and Windows 2003 (or
later) Clients (Windows 2000 machines use a modified version of the SMS
2003 Remote Tools Client Agent). Remote Reboot, Chat, File Transfer,
Remote Execute, Ping and Windows 98 diags are no longer available in
ConfigMgr.
Minor improvements to Collections, Software Distribution and Software
Metering compared to SMS 2003.
Senders can only now be installed on Primary or Secondary Site Servers.
Only one Client type (basically the SMS 2003 Advanced Client so no
Legacy Clients).
Only a single Security mode (similar to SMS 2003 Advanced Security
mode).
The Site Server's local boundary is no longer automatically configured as a
Site Boundary - you need to define this post installation.
Site Boundaries are no longer supported - only Roaming Boundaries are
with a choice of "Slow or unreliable" or "Fast (LAN)".
Client Push uses the Site Code of the Primary rather than being set to
"Auto" as in SMS 2003.
Some things have remained the same or have changed very little in ConfigMgr
compared to SMS 2003:
This is a required component of software updates, and after it is installed, the SUP
is displayed as a site system role in the Configuration Manager console. The
software update point site system role must be created on a site system server
that has Windows Server Update Services (WSUS) 3.0 installed.
You want specific users\groups to run specific custom reports. What should you
do?
Navigate to “System Center Configuration Manager – Site Database – Security
Rights – Users”
Right click on “Users” and select “Manage ConfigMgr Users”
Navigate to the “SCCM Support” group you created earlier
For “Collection” – “(All Instances)” add the following:
- “Delete resource”
- “Modify resource”
- “Read”
- “Read resource”
- “Use remote tools”
3. Click “Next”
4. Click “Next”
5. Click “Close”
You have been provided with permissions on the SCCM console to create,
distribute, modify and delete packages. However, when distributing a
package there are no distribution points listed in the Distribution Point Wizard.
What should you do?
To designate a distribution point on a new server or server share
2. Right-click Site Systems, point to New, and then click Server or Server Share,
depending on which you want to create.
3. If you are creating a new server, use the New Site System Server Wizard to
create the site system server, and select the Distribution Point check box from
the Available Roles on the System Role Selection page to designate this
server as a distribution point.
In a forest, there are five FSMO roles that are assigned to one or more domain
controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to
the schema. Once the Schema update is complete, it is replicated from the
schema master to all other DCs in the directory. To update the schema of a
forest, you must have access to the schema master. There can be only one
schema master in the whole forest.
Domain Naming Master:
The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain
from the directory. It can also add or remove cross references to domains in
external directories. There can be only one domain naming master in the whole
forest.
Infrastructure Master:
Note: The Infrastructure Master (IM) role should be held by a domain controller
that is not a Global Catalog server (GC). If the Infrastructure Master runs on a
Global Catalog server it will stop updating object information because it does not
contain any references to objects that it does not hold. This is because a Global
Catalog server holds a partial replica of every object in the forest. As a result,
cross-domain object references in that domain will not be updated and a warning
to that effect will be logged on that DC's event log. If all the domain controllers
in a domain also host the global catalog, all the domain controllers have the
current data, and it is not important which domain controller holds the
infrastructure master role.
RID Master:
The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object
such as a user or group, it attaches a unique Security ID (SID) to the object.
This SID consists of a domain SID (the same for all SIDs created in a domain),
and a relative ID (RID) that is unique for each security principal SID created in a
domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to
assign to the security principals it creates. When a DC's allocated RID pool falls
below a threshold, that DC issues a request for additional RIDs to the domain's
RID master. The domain RID master responds to the request by retrieving RIDs
from the domain's unallocated RID pool and assigns them to the pool of the
requesting DC. At any one time, there can be only one domain controller acting
as the RID master in the domain.
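The RID pool mechanism described above, as an added Python sketch that is not part of the original document. The domain SID is a constructed sample, and the block size of 10 and refill threshold of 3 are small values assumed for the demo, not Active Directory defaults; the sketch also shows that a DC keeps issuing SIDs from its local pool when the RID master is unreachable, and fails only once that pool is empty.

```python
from collections import deque

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"  # constructed sample value


class RidMaster:
    """The single per-domain role holder that hands out non-overlapping RID blocks."""

    def __init__(self, first_rid=1000, block_size=10):  # assumed demo values
        self.next_unallocated = first_rid
        self.block_size = block_size
        self.online = True
        self.allocations = []  # (dc_name, first_rid, last_rid) audit trail

    def allocate_block(self, dc_name):
        if not self.online:
            raise ConnectionError("RID master unreachable")
        first = self.next_unallocated
        self.next_unallocated += self.block_size
        self.allocations.append((dc_name, first, self.next_unallocated - 1))
        return range(first, self.next_unallocated)


class DomainController:
    def __init__(self, name, rid_master, threshold=3):  # assumed demo threshold
        self.name = name
        self.rid_master = rid_master
        self.threshold = threshold
        self.pool = deque()  # RIDs this DC is still allowed to assign
        self._refill()

    def _refill(self):
        """Ask the RID master for another block; report whether it worked."""
        try:
            self.pool.extend(self.rid_master.allocate_block(self.name))
            return True
        except ConnectionError:
            return False

    def create_principal(self):
        """Return the SID for a new user or group created on this DC."""
        if not self.pool and not self._refill():
            raise RuntimeError(f"{self.name}: RID pool exhausted, RID master unreachable")
        rid = self.pool.popleft()
        if len(self.pool) < self.threshold:
            self._refill()  # pool fell below the threshold: request more RIDs
        return f"{DOMAIN_SID}-{rid}"


def split_sid(sid):
    """Split a SID string into (domain SID, relative ID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def demo():
    master = RidMaster()
    dc1 = DomainController("DC1", master)
    dc2 = DomainController("DC2", master)
    # Two DCs create principals independently; their RIDs never collide.
    sids = [dc.create_principal() for _ in range(12) for dc in (dc1, dc2)]
    # RID master goes offline: DC1 can only use what is left in its pool.
    master.online = False
    created_offline = 0
    try:
        while True:
            dc1.create_principal()
            created_offline += 1
    except RuntimeError:
        pass
    return sids, created_offline, master.allocations


if __name__ == "__main__":
    sids, created_offline, allocations = demo()
    print("blocks handed out:", allocations)
    print("first SIDs:", sids[:2])
    print("principals DC1 created while the RID master was offline:", created_offline)
```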
PDC Emulator:
The PDC emulator of a domain is authoritative for the domain. The PDC emulator
at the root of the forest becomes authoritative for the enterprise, and should be
configured to gather the time from an external source. All PDC FSMO role
holders follow the hierarchy of domains in the selection of their in-bound time
partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the
following functions:
The PDC emulator performs all of the functionality that a Microsoft Windows NT
4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or
earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations,
member servers, and domain controllers that are running Windows NT 4.0 or
earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs
the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC
emulator master in each domain in the forest.
You have not installed the specific certificates required by Configuration Manager
2007.
Site systems running Internet Information Services (IIS) are not dedicated to
Configuration Manager, and you cannot configure a custom website.
You must use WINS as the means by which clients can find their default
management point (service location).
If you cannot choose the site mode based on these conditions, consider the
advantages and disadvantages of both site modes to best meet your business
requirements.
The following table outlines the advantages and disadvantages of native-mode
and mixed-mode site configuration to help you choose which site mode to
configure.
Site Mode: Native Mode

Advantages:
- More secure solution than mixed mode because it provides better
  authentication, encryption, and signing by using standard industry security
  protocols.
- Supports Internet-based client management.
- More secure service location because it does not use WINS as the means by
  which clients locate their default management point. In this scenario,
  blocking WINS as a service location mechanism provides additional security,
  although you must ensure that other service location mechanisms are
  configured and working.
- Can integrate with existing PKI deployment, and the security controls
  can be managed independently from the product.

Disadvantages:
- Requires a PKI deployment and specific certificates.
- The parent site (if applicable) must be in native mode.
- Clients that roam into this site from a mixed-mode site will not be able
  to download content from the site's distribution points.
- Must configure a custom website if the site systems running Internet
  Information Services (IIS) are not dedicated to Configuration Manager.
- Might require registering fully qualified domain names (FQDNs) in
  DNS (FQDNs are a requirement for Internet-based client management,
  and recommended for native mode on the intranet).
- If a mixed-mode client roams into the site, it will not be able to
  download local content.
75. How to Migrate the Site Mode from Mixed Mode to Native Mode?
You should not migrate the site mode from mixed mode to native mode until you
are sure the site is correctly provisioned with the following:
A custom Web site if the default Web sites are being used for anything
other than Configuration Manager 2007
You have verified that there are no SMS 2003 clients assigned to the site
and the site does not contain clients running Microsoft Windows 2000
Professional
Additionally, if the site contains clients that cannot read site settings
published in Active Directory Domain Services, you must also have the
following in place:
A server locator point for the hierarchy if you are using a network load
balanced management point.
o Certificate store
It is optional, but recommended, that you have a fallback status point installed
in the site and that clients are assigned to it. The fallback status point can help
you identify clients that cannot communicate with their management point (and
so are unmanaged) when the site is operating in native mode.
Caution
The migration process that Configuration Manager 2007 undergoes when you perform
this procedure can take some time to complete, and for a sustained period of time,
clients might not be able to communicate with the site. Therefore, plan to perform this
procedure during a quiet period when it is acceptable that the site will be unavailable
because of maintenance downtime.
Note See the Microsoft Deployment Toolkit 2010 Documentation Library for
information on how to upgrade to MDT 2010 from previous versions of MDT or
Business Desktop Deployment (BDD). After you upgrade to MDT 2010, you must
also upgrade any deployment points created using the previous version of MDT
or BDD.
2. On the Path page, specify the path to the folder for your deployment share. The
default path is <drive>\DeploymentShare, where <drive> is the volume with
the most available space. For best performance, you should specify a path to a
separate physical disk that has sufficient free space to hold the operating system
source files, application source files, packages, and out-of-box drivers you use
for your deployments.
3. On the Share page, specify the share name for the deployment share. By default,
this will be a hidden share named DeploymentShare$.
4. On the Descriptive Name page, specify a descriptive name for the deployment
share. By default, this will be MDT Deployment Share.
5. On the Allow Image Capture page, leave the Ask If An Image Should Be
Captured option selected so you will be able to capture an image of your
reference computer.
6. On the Allow Admin Password page, choose whether the user will be prompted to
set the local Administrator password during installation.
7. On the Allow Product Key page, choose whether the user will be prompted to
enter a product key during installation.
Once your deployment share has been created, you can view the hierarchy of
folders under it in the Deployment Workbench.
Note The default view in Deployment Workbench includes the action pane. The
action pane often gets in the way of viewing the entire details pane. You can
remove the action pane by authoring the management console. To author the
console, run C:\Program Files\Microsoft Deployment Toolkit\Bin\DeploymentWorkbench.msc /a.
Click View, click Customize, clear the
Action Pane check box, and then click OK. Save your changes by clicking File and
then clicking Save on the main menu. When prompted whether you want to
display a single window interface, click Yes.
After creating a deployment share, you can configure it in the following ways (at
minimum, you must add the Windows 7 source files to deploy Windows 7):
Add, remove, and configure operating system packages, including updates and
language packs.
When you add operating systems, applications, operating system packages, and
out-of-box device drivers to a deployment share, Deployment Workbench stores
the source files in the deployment share folder specified when you create the
deployment share. You will associate these source files and other files with task
sequences later in the development process.
The following table displays the change of protocol communication from HTTP to
HTTPS for the different site modes when a client is communicating with site
systems in its assigned site.
Note
In native mode, client computers must be configured for HTTP communication for
roaming and site assignment to communicate with a server locator point. If native-
mode client computers are not configured with this option, they cannot communicate
with a server locator point in native mode. Mobile device clients do not communicate
with a server locator point, and do not support roaming capability.
The following picture shows this change of protocol communication from HTTP to
HTTPS for the different site modes when a client is communicating with site
systems in its assigned site.
The following site system communications are not affected by the site mode,
because these are initiated by the Microsoft Windows operating system or
browser rather than the Configuration Manager 2007 client:
PXE Service point: The computer uses the PXE protocol to boot the
computer and install an operating system.
Reporting point: The computer uses the selected Web browser to connect
to the reporting point. You can configure the reporting point for HTTP or
HTTPS independently from the site mode.
Additionally, branch distribution points will always use the server message block
(SMB) protocol in both mixed mode and native mode, and standard distribution
points will also use SMB if they are not configured with the following
option: Allow clients to transfer content from this distribution point
using BITS, HTTP, and HTTPS (required for device clients and
Internet-based clients).
There are also some situations where clients can communicate with standard
distribution points over SMB rather than HTTP or HTTPS, such as when
advertisements are configured with the option Run program from distribution
point, and also if HTTP fails in mixed mode or HTTPS fails on the intranet in
native mode.
Client-to-Server Communication When Roaming Between Sites in Different
Modes
When a mixed mode client roams into a native mode site, the mixed mode client
will not be able to communicate with the resident native mode management
point or with any native mode distribution points in that site. In this scenario,
roaming does not work, and the client will communicate with its assigned
management point and download content from distribution points in its own site.
When a native mode client computer roams into a mixed mode site, the behavior
varies depending on whether the native mode client computer is configured for
HTTP communication for roaming and site assignment. The following table
displays this difference.
The following picture shows the roaming behavior for a native-mode client
computer if the option for HTTP communication for roaming and site assignment
is not configured.
The following picture shows the roaming behavior for a native-mode client
computer if the option for HTTP communication for roaming and site assignment
is configured.
78. What is BDP? How Data Replicates?
You do not have a computer running Windows Server 2003 that can
function as a distribution point in a branch location, but you want to allow
clients in that office to access content from a local distribution point.
You want to use a client operating system to provide the distribution point
function and do not need more than the supported number of concurrent
connections (for example, 10 concurrent connections for Windows XP and
Windows Vista, and 20 concurrent connections for Windows 7).
You want the package to be copied to the distribution point only when a
client actually requests to install the package.
Do not configure a distribution point as a branch distribution point if any
of the following conditions are true:
The computer does not yet have the Configuration Manager 2007 client
installed or it is not assigned to the site.
You have not yet configured one standard distribution point for the branch
distribution point to retrieve content.
Note
Configuring a distribution point for BITS does not guarantee that the download will use
BITS. However, clients always use server message blocks (SMBs) when communicating
with a branch distribution point, even when the site is configured for native mode.
Branch distribution points download their content using BITS from a BITS-enabled
distribution point, but they cannot be BITS-enabled themselves.
1. Remove all distribution package folders and the SMSPKGSIG signature folder
from the branch distribution point computer.
Important
You must manually remove these components before removing the branch distribution
point role.
2. In the Configuration Manager console, navigate to System Center
Configuration Manager / Site Database / Site Management / <site
name> / Site Settings / Site Systems.
3. Click the specific branch distribution point to be removed.
4. Right-click the ConfigMgr distribution point role in the results pane, and then
click Delete.
5. Click Yes in the Confirm Delete dialog box.
Examples
In the following diagram, the subnet 192.168.11.0 is in a branch office in
Naperville but is part of the Chicago site. The branch distribution point in the
branch office is protected so that only clients in 192.168.11.0 can access it. The
standard distribution point in the main office is not protected. Clients on the
network 192.168.10.0 cannot access packages on the protected branch
distribution point on 192.168.11.0. The default configuration for an
advertisement is to Allow clients to fallback to unprotected distribution
points when the content is not available on the protected distribution
point. So clients on the 192.168.11.0 network can get the package from either
distribution point. If you change the setting, the clients in 192.168.11.0 will
attempt to retrieve the package only from the protected branch distribution
point, even if the package has not been copied to that distribution point. (If you
configure the package for on-demand package distribution, the management
point will notify Distribution Manager to copy the package to the distribution
point.) If a client from ORD roams to the LON site and an advertised package is
not available on the LON distribution point, the client can fall back to using the
distribution point on 192.168.10.0 (assuming the package is copied to that
distribution point), but it can never access the protected distribution point
because it is not on the 192.168.11.0 network.
It is possible to protect every distribution point in the site, but doing so
eliminates the redundancy provided by multiple distribution points. In the
following diagram, if the distribution point in Milpitas is unreachable, the clients
in the Milpitas branch office cannot retrieve the content because all other
distribution points are protected.
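The access rules in the two scenarios above, modelled as an added Python example (a simplified sketch, not Configuration Manager code). The distribution point names, the package IDs, the /24 mask on 192.168.11.0 and the Milpitas subnets are assumptions made for the sketch.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DistributionPoint:
    name: str                     # hypothetical server name
    packages: set                 # package IDs already copied to this DP
    protected_for: list = field(default_factory=list)  # empty list = unprotected
    reachable: bool = True

    def protects(self, client_ip):
        """True if the client sits inside one of this DP's protected boundaries."""
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.protected_for)


def content_locations(client_ip, package, dps, allow_fallback=True):
    """Distribution points a client may use for a package, protected ones first.

    allow_fallback models the advertisement option "Allow clients to fallback
    to unprotected distribution points when the content is not available on
    the protected distribution point".
    """
    holding = [d for d in dps if d.reachable and package in d.packages]
    # A protected DP is offered only to clients inside its boundaries.
    protected = [d.name for d in holding if d.protects(client_ip)]
    unprotected = [d.name for d in holding if not d.protected_for]
    inside_protected_boundary = any(d.protects(client_ip) for d in dps)
    if inside_protected_boundary and not allow_fallback:
        # Only the protected DP is allowed, even if the package is not there yet.
        return protected
    return protected + unprotected


def chicago_site():
    """First diagram: protected branch DP in Naperville, unprotected DP in Chicago."""
    return [
        DistributionPoint("NAPERVILLE-BDP", {"PKG1"}, ["192.168.11.0/24"]),
        DistributionPoint("CHICAGO-DP", {"PKG1", "PKG2"}),
    ]


def all_protected_site():
    """Second diagram: every DP is protected and the Milpitas DP is unreachable."""
    return [
        DistributionPoint("MILPITAS-DP", {"PKG1"}, ["10.1.1.0/24"], reachable=False),
        DistributionPoint("HQ-DP", {"PKG1"}, ["10.1.2.0/24"]),
    ]


if __name__ == "__main__":
    site = chicago_site()
    print(content_locations("192.168.11.25", "PKG1", site))         # branch client
    print(content_locations("192.168.10.25", "PKG1", site))         # main office client
    print(content_locations("192.168.11.25", "PKG2", site, False))  # fallback disabled
    print(content_locations("10.1.1.5", "PKG1", all_protected_site()))
```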
C:\_SMSTaskSequence
C:\SafeFolder\Logs
C:\WINDOWS\Modena
C:\WINDOWS\System32\CCM\Logs or C:\WINDOWS\SysWOW64\CCM\Logs
Client Log Files
CAS - Content Access Service. Maintains the local package cache.
Ccmexec.log - Records activities of the client and the SMS Agent Host service.
Cidm.log - Records changes to the client settings by the Client Install Data
Manager (CIDM).
Colleval.log - Logs when collections are created, changed, and deleted by the
Collection Evaluator.
Inboxast.log - Records files that are moved from the management point to the
corresponding SMS\INBOXES folder.
Invproc.log - Records the processing of delta MIF files for the Dataloader
component from client inventory files.
Sender.log - Records files that are sent to other child and parent sites.
Srvacct.log - Records the maintenance of accounts when the site uses standard
security.
MP_Ddr.log - Records the conversion of XML.ddr records from clients, and copies
them to the site server.
MP_Sinv.log - Converts XML hardware inventory records from clients and copies
them to the site server.
MP_Status.log - Converts XML.svf status message files from clients and copies
them to the site server.
DmClientHealth.log - Records the GUIDs of all the mobile device clients that are
communicating with the Device Management Point.
DmpDatastore.log - Records all the site database connections and queries made
by the Device Management Point.
DmpDiscovery.log - Records all the discovery data from the mobile device clients
on the Device Management Point.
dmpMSI.log - Records the MSI data for Device Management Point setup.
PXEMsi.log - Provides information about the PXE service point and is generated
when the PXE service point site server has been created.
Smsts.log - General location for all operating system deployment and task
sequence log events.
USMT Log loadstate.log - Provides information about the User State Migration
Tool (USMT) regarding the restore of user state data.
USMT Log scanstate.log - Provides information about the USMT regarding the
capture of user state data.
SmsSHV.log - The main log file for the System Health Validator point; logs the
basic operations of the System Health Validator service, such as the initialization
progress.
ScanWrapper - Provides information about the prerequisite checks and the scan
process initialization for the Inventory Tool for Microsoft Updates on Systems
Management Server (SMS) 2003 clients.
SmsWusHandler - Provides information about the scan process for the Inventory
Tool for Microsoft Updates on SMS 2003 client computers.
The following table shows the important tools that are included with the
Windows AIK.
Tool | Description
Windows System Image Manager (Windows SIM) | The tool used to open Windows images, create answer files, and manage distribution shares and configuration sets.
ImageX | The tool used to capture, create, modify, and apply Windows images.
Deployment Image Servicing and Management (DISM) | The tool used to apply updates, drivers, and language packs to a Windows image. DISM is available in all installations of Windows 7 and Windows Server 2008 R2.
Following are details about four recommended deployment strategies. After you
choose a strategy, you can read the detailed information about it later in this
document.
High Touch with Standard Image. This strategy is similar to the High Touch
with Retail Media strategy, but it uses an operating system image that includes
your customizations and application configurations. We recommend this strategy
if your organization has at least one IT pro (with or without prior deployment
experience) on staff, and a small or distributed network with 100–200 client
computers.
The strategy table below shows guidelines for choosing a strategy based on
many factors, including the skill level of your organization’s IT staff members,
your organization’s license agreement, the number of client computers, and your
infrastructure.
To use the strategy table, choose the column that best matches your
organization’s network scenario. In cases where you identify with multiple
columns, start with the leftmost column. As you move to the right on the chart,
the solutions require more skills and investment to implement, and they provide
for quicker, more thorough and more automated deployments.
As you plan to deploy more computers, consider improving your scenario to
enable you to move right in the strategy table. For example, if the only criterion
preventing you from performing a Lite-Touch, high-volume deployment is that
you are using retail media, consider purchasing a volume license. Click the link
in the heading of the chosen column to read more about implementing that
particular strategy.
 | High-Touch with Retail Media | High Touch with Standard Image | Lite-Touch, High-Volume Deployment | Zero-Touch, High-Volume Deployment
Infrastructure | Distributed locations; Small, unmanaged networks; Manual client computer configuration | Distributed locations; Small networks; Standardized configurations, including applications | Managed networks; At least one office with more than 25 users; Windows Server® products; Configuration Manager 2007 R2 (optional) | Managed network; At least one office with over 25 users; Windows Server products; Configuration Manager 2007 R2
Application support | Manually installed commercial applications | Manually installed commercial or line-of-business (LOB) applications | Automatically installed commercial or LOB applications | Automatically installed commercial or LOB applications
Note
You can deploy and configure multiple PXE service point servers depending on
your network topology.
3. On the General page of the wizard, optionally provide the fully qualified host
name (FQDN) for the server, and then specify which account credentials should
be used to install the site system role.
4. On the System Role Selection page, select PXE Service Point.
5. On the PXE-General page, specify whether the PXE service point is enabled to
respond to incoming PXE requests.
Note
This option will temporarily disable this PXE server and should be selected only if there
are conflicting PXE servers on the network.
Important
7. Specify whether this server will respond to PXE service requests on all network
interface adapters or a specific network interface adapter in the
Interfaces section by entering the MAC address for all applicable interfaces.
If multiple PXE service points are used, enter the number of seconds the PXE
service point should wait before responding to PXE requests in the Delay box.
Use this option only when there are multiple PXE servers on the same subnet.
8. On the PXE-Database page, specify the account the PXE service point should
use to connect with the Configuration Manager 2007 database. The account
specified must have the necessary permissions on the client computers running
Microsoft SQL Server and Configuration Manager 2007 client permissions.