February 2007 - Posts
Just got this.
Beta 2 of System Center Configuration Manager (the new name for Systems Management Server (SMS)) has now been posted to http://connect.microsoft.com/
Some highlights of this Beta 2 release of SCCM ’07:
· Admin UI – New MMC3.0 support, Search Folders, Easy Task access, Feature Landing pages and multi select
· OS Deployment – Complete deployment automation for Client and Server
· Desired Configuration Management – Policy based, model driven state management of device roles and regulatory reporting
· Software Update Management – Simplification of Patch Administration for MS, ISV and LoB applications.
· Security integration to Longhorn NAP – Policy based perimeter security integration with NAP services
· Internet Based Management – Manage your desktop, laptop, server or device anywhere anytime.
· Device Management – Over the air management of Windows mobile devices
· Software Distribution – Significant improvements in software distribution, adding granular control functionality to advertisements and collections.
With the release of Beta 2 we are continuing to drive down the cost of running the enterprise. From discovery and inventory through asset intelligence, through OS deployment and into operations - CM ’07 delivers automation to all aspects of the organization. We are continuing to prove we are the best platform for the deployment and management of Windows Vista and Office 2007, through enhancements in OS deployment using the task sequence engine, WinPE boot environment, WIM/WAIK integration and the driver catalogue. Chaining OS deployment for all devices to areas like application distribution, patch management, desired configuration and the soon to be released NAP, System Center Configuration Manager 2007 will prove through a depth and breadth of feature set that this is the strongest tool available to deploy and manage the stack.
We want you to see the power of this major release. Open public beta 2 is now available on the Connect Site. Some mirror sites may not be up to date yet but should be completed by the end of the day 23 Feb 07.
http://www.microsoft.com/technet/sms/2007/evaluate/download.mspx
Just got this from my TAM.
Microsoft has updated two security bulletins: MS07-010 and MS06-058. MS06-058 has just been updated on Feb 21 and should be re-applied.
********************************************************************
Title: Microsoft Security Bulletin Revisions
Issued: February 23, 2007
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS07-010
* MS06-058
Bulletin Information:
=====================
* MS07-010
- http://www.microsoft.com/technet/security/bulletin/ms07-010.mspx
- Reason for Revision: Bulletin updated: "Frequently Asked
Questions (FAQ) Related to This Security Update" section in
"Executive Summary" for WSUS Windows Defender update process.
- Originally posted: February 13, 2007
- Updated: February 22, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1
* MS06-058
- http://www.microsoft.com/technet/security/bulletin/ms06-058.mspx
- Reason for Revision: Bulletin updated: Further investigation of
CVE-2006-3877 as originally revealed that the update was not
effective in removing the vulnerability from affected systems.
The Microsoft Security bulletin, MS07-015 has been issued to
properly address CVE-2006-3877 and customers should apply the
updates in this bulletin immediately.
- Originally posted: October 10, 2006
- Updated: February 21, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1
Anybody know why this blog adds all that extra space to an entry?
When I paste in my larger blog posts it always looks fine in the preview, but when it displays the block it looks messed up.
A good example is my last post.
http://myitforum.com/cs2/blogs/cstauffer/archive/2007/02/23/enterprise-patch-management-report.aspx
Explanation Of Request
I was asked to produce a Patch Status Summary report that would display the status of each Department that is presently tracked through SMS. This report was to contain the following:
Agency = Department
Patched = A sum of all Critical Patches installed
Total Requests = A sum of all patches requested/required
Total Clients = Number of clients represented in the scan
Percent Compliant = (Patched / Total Requests ) X 100
Date Ran = Date the report was last run
This report is only supposed to show critical patches that are older than 30 days. This part is addressed in the actual Stored Procedure query for each agency.
This sounds easy but in my environment I am responsible for reporting on 45 agencies.
Here are the problems I saw:
Problems
- Some of the agencies are under our main Domain and some of the agencies are under a resource domain that they control. So the report needed to list each of 45 agencies.
- The second problem is that each row in the report requires that the query for that data be altered to reflect each agency's collection. This isn’t that big of a problem, but each row takes 5-6 min to run. So, it would take almost 4 hours to run this report.
- The third problem is caused by agencies that have not implemented ITMU yet. So I added a query to show those agencies that do not have ITMU data in the DB as of yet. Once all of the agencies are reporting, that part of the report can be removed.
Read the attached Document to see how I resolved this issue.
Microsoft has begun Daily Technical Chats with Microsoft experts. We’ll have a Q&A session everyday from 10:00am to 2:00pm PST. To participate in a technical chat with Microsoft subject matter experts on DST please visit our schedule.
http://www.microsoft.com/communities/chats/default.mspx
Or, you can view the technical chat schedule in addition to all of the Live Meeting sessions (live and on-demand) at this location:
http://support.microsoft.com/gp/dst_webcasts
Just got this from my TAM. 
********************************************
Windows Vista is here and customers are beginning to test and deploy it. One of the stumbling blocks for many companies is IT adoption of Vista due to a lack of management tools. Exchange Administrators will still want to use Terminal Services to manage Exchange Servers until Exchange tools are written (no ETA on this yet, I will continue to monitor for an update).
The AdminPak (Windows Server 2003 SP1 Administrators Tool Pack) can be installed on Windows Vista, but following installation it is necessary to register some DLLs in order to get the MMC snap-ins to work. Attached please find a text file which can be renamed to a BAT file.
To install the AdminPak on a Vista machine please do the following.
1. Download and install the executable containing the AdminPak.msi file from: http://download.microsoft.com/download/6/8/1/681c9ba7-380f-4756-ac85-a3323437e6c3/windowsserver2003-kb304718-administrationtoolspack.exe
2. Run the executable and install the Administrative Tools.
3. Run RegisterAdminPak.cmd from an elevated command prompt. To do this, follow these steps:
a. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
If you are prompted for an administrator password or for confirmation, type your password, or click Continue.
b. At the command prompt, type C:\Users\UserAccountName\RegisterAdminPak.cmd, and then press ENTER.
For more information about the elevated command prompt in Windows Vista, visit the following Microsoft Web site:
http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
Known issues
When you install the Windows Server 2003 Administration Tools Pack on a Windows Vista-based computer, the following issues occur.
Context-sensitive help
When you click the ? icon in a property dialog box for all the tools that are included in the Administration Tools Pack, context-sensitive help does not appear.
Cluster administration tools are not supported
Administration of Windows Server 2003 clusters is not supported when you use the Windows Server 2003 management tools directly from a Windows Vista-based computer. This is caused by the network transport protocol that is used by failover clustering in Windows Vista. Windows Server 2003 uses remote procedure call (RPC) over User Datagram Protocol (UDP). Windows Vista uses RPC over TCP. No supported workaround is available.
User interface issues that affect Active Directory directory service snap-ins
The following user interface (UI) issues affect Active Directory snap-ins:
• The icons in the results pane disappear after you click the pane.
• The icons in the results pane are displayed as rectangles.
These UI issues affect the following snap-ins:
• Active Directory Users and Computers (Dsa.msc)
• Active Directory Sites and Services (Dssite.msc)
• Active Directory Domains and Trusts (Domain.msc)
Additional issues that affect the Active Directory Users and Computers (Dsa.msc) snap-in
• You cannot use the drag-and-drop feature in the Active Directory Users and Computers snap-in or in the Active Directory Sites and Services snap-in. For example, if you create a computer object in the Users OU, and then you drag the object to the Computers OU, the operation fails.
• The Properties dialog box for users is missing the Terminal Services Profile tab.
• The Terminal Services Profile tab does not appear.
Certification Authority (Certsrv.msc)
The Certification Authority snap-in cannot display the Certificates Template node.
Microsoft Internet Information Services
The following Microsoft Internet Information Services (IIS) scripts are installed. However, they do not work.
• Iisapp.vbs
• Iisback.vbs
• Iiscnfg.vbs
• Iisftp.vbs
• Iisftpdr.vbs
• Iisvdir.vbs
For more information about how to configure IIS by using command-line tools, visit the following Web site:
http://www.iis.net
Windows Internet Name Service (WINS) (Winsmgmt.msc)
When you create or edit a static mapping, you receive the following error message:
The stub received bad data
However, you can safely ignore this error message because the operation is successful.
Terminal Services Licensing (Licmgr.exe)
When you try to start a Terminal Server license server, you receive the following error message:
The License Server Activation Wizard cannot start. Close one or more programs, and then retry the operation.
Terminal Server Administrator (Tsadmin.exe)
The Terminal Server Administrator tool does not work on a Windows Vista-based computer because of an access violation. To work around this issue, run Remote Desktop from a Windows Vista-based computer, and connect to another computer that can use Tsadmin.exe. For example, connect to a Microsoft Windows XP-based or a Windows Server 2003-based computer that has the Administration Tools Pack installed.
Remote Storage Remote Administration tool
The Remote Storage Remote Administration tool (RSAdmin.msc) is not supported in Windows Vista.
The Connection Manager Administration Kit
In the Administration Tools Pack, you must start the Connection Manager Administration Kit (CMAK) by using one of the following methods:
• Run CMAK from an elevated command prompt. To do this, follow these steps:
1. Click Start, type cmd in the Start Search box, right-click cmd.exe in the Programs list, and then click Run as administrator.
If you are prompted for an administrator password or for confirmation, type your password, or click Continue.
2. At the command prompt, type CMAK, and then press ENTER.
For more information about the elevated command prompt in Windows Vista, visit the following Microsoft Web site:
http://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx
• Right-click the CMAK command or icon, and then click Run as Administrator.
Note If you start CMAK from a non-elevated command prompt or by double-clicking the CMAK icon, you receive the following error message:
To continue you must have read/write permissions to the directory Program Files\CMAK\Profiles.
I need a report that would show all of the servers that are located in SMS, and it needed to tell me how many servers had the client and how many were missing.
This sounds easy but in my environment I am responsible for reporting on 42 agencies. Some of the agencies are under our main Domain and some of the agencies are under a resource domain that they control. So the report needed to list each of 42 agencies.
So how do I do it if there are additional domains?
I create a collection for each agency using the following criteria.
- Domain name
- OU location
- Site code
This allows me to get an accurate count for each agency even if they are in different domains.
I created all of the collections under a head collection called Agencies.
So it looks like this
All Agencies
→ DOH
→ DPW
→ L&I
→ etc….
So now I have a structure that I can use in SMS to control my reports.
In all of the reports that I have posted you may have noticed the variable for collid points to a query like this:
SELECT v_Collection.CollectionID, v_Collection.Name
FROM v_CollectToSubCollect INNER JOIN
v_Collection ON v_CollectToSubCollect.subCollectionID = v_Collection.CollectionID
WHERE (v_CollectToSubCollect.parentCollectionID = 'PAC0004A')
ORDER BY v_Collection.Name
Basically what I am doing with this query is saying show me all of the collections listed under “All Agencies”
In order to get a count of servers I used this same type of query to give me the list of clients that are servers in each of these collections.
I want to thank Garth Jones for this next part.
He provided the knowledge for the basis of this report
http://smsug.ca/blogs/garth_jones/archive/2007/02/08/149.aspx
He also added a part to get rid of the temp table so it doesn’t view in SMS Web Reports.
http://smsug.ca/blogs/garth_jones/archive/2007/02/09/150.aspx
So now that I have a way to determine which agencies I want to report on, I needed a way to show how many servers had a client and how many didn’t. I used a temp table based on what Garth posted above.
Here is the working report.
SET NOCOUNT ON
(SELECT v_Collection.Name AS 'Department', COUNT(v_FullCollectionMembership.Name) as 'NOTok' into #SMSCliNot1
FROM v_CollectToSubCollect INNER JOIN
v_Collection ON v_CollectToSubCollect.subCollectionID = v_Collection.CollectionID INNER JOIN
v_FullCollectionMembership ON v_Collection.CollectionID = v_FullCollectionMembership.CollectionID INNER JOIN
v_R_System ON v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
WHERE (v_CollectToSubCollect.parentCollectionID = 'PAC0004A') AND (v_R_System.Operating_System_Name_and0 LIKE '%Server%') AND
(v_R_System.Client0 is null )
GROUP BY v_Collection.CollectionID, v_Collection.Name)
(SELECT v_Collection.Name AS 'Department', COUNT(v_FullCollectionMembership.Name) as 'CliOK' into #SMSCli1
FROM v_CollectToSubCollect INNER JOIN
v_Collection ON v_CollectToSubCollect.subCollectionID = v_Collection.CollectionID INNER JOIN
v_FullCollectionMembership ON v_Collection.CollectionID = v_FullCollectionMembership.CollectionID INNER JOIN
v_R_System ON v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
WHERE (v_CollectToSubCollect.parentCollectionID = 'PAC0004A') AND (v_R_System.Operating_System_Name_and0 LIKE '%Server%') AND
(v_R_System.Client0 = '1' )
GROUP BY v_Collection.CollectionID, v_Collection.Name)
Select #SMSCli1.Department as 'Department'
, CliOk as 'Clients installed'
, NOTok as 'Clients missing'
From
#SMSCli1 Full outer join #SMSCliNot1 on #SMSCli1.Department = #SMSCliNot1.Department
Where #SMSCli1.Department is not null
order by #SMSCli1.Department
drop table #SMSCli1
drop table #SMSCliNot1
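An added example, not part of the original post: the same count done in one pass with conditional aggregation, so no temp tables are needed. In the report above, the "Where #SMSCli1.Department is not null" filter drops any department where no server has the client; here such a department still gets a row, with 0 installed. The table variables are constructed stand-ins for the SMS views (only the columns the report uses), the rows and the XXX collection IDs are made up, and the multi-row INSERT syntax assumes SQL Server 2008 or later.

```sql
-- Constructed stand-ins for the SMS views used in the report above. Only the
-- columns the report touches are modelled, and every row is made-up sample data.
DECLARE @CollectToSubCollect TABLE (parentCollectionID varchar(8), subCollectionID varchar(8));
DECLARE @Collection TABLE (CollectionID varchar(8), Name varchar(50));
DECLARE @FullCollectionMembership TABLE (CollectionID varchar(8), ResourceID int);
DECLARE @R_System TABLE (ResourceID int, Operating_System_Name_and0 varchar(100), Client0 int);

INSERT INTO @Collection VALUES ('XXX00001', 'DOH'), ('XXX00002', 'DPW'), ('XXX00003', 'L&I');
INSERT INTO @CollectToSubCollect VALUES
    ('PAC0004A', 'XXX00001'), ('PAC0004A', 'XXX00002'), ('PAC0004A', 'XXX00003');

-- DOH: two servers with the client, one without, plus a workstation to be ignored.
-- DPW: both servers have the client. L&I: neither server has the client.
INSERT INTO @R_System VALUES
    (1, 'Microsoft Windows NT Server 5.2', 1),
    (2, 'Microsoft Windows NT Server 5.2', 1),
    (3, 'Microsoft Windows NT Server 5.2', NULL),
    (4, 'Microsoft Windows NT Workstation 5.1', 1),
    (5, 'Microsoft Windows NT Server 5.2', 1),
    (6, 'Microsoft Windows NT Advanced Server 5.2', 1),
    (7, 'Microsoft Windows NT Server 5.2', NULL),
    (8, 'Microsoft Windows NT Server 5.2', NULL);
INSERT INTO @FullCollectionMembership VALUES
    ('XXX00001', 1), ('XXX00001', 2), ('XXX00001', 3), ('XXX00001', 4),
    ('XXX00002', 5), ('XXX00002', 6),
    ('XXX00003', 7), ('XXX00003', 8);

-- One scan: each server row adds 1 to exactly one of the two sums, using the
-- same predicates as the original report (Client0 = 1 / Client0 IS NULL).
SELECT c.Name AS Department,
       SUM(CASE WHEN s.Client0 = 1     THEN 1 ELSE 0 END) AS [Clients installed],
       SUM(CASE WHEN s.Client0 IS NULL THEN 1 ELSE 0 END) AS [Clients missing]
FROM @CollectToSubCollect AS cs
     INNER JOIN @Collection AS c ON cs.subCollectionID = c.CollectionID
     INNER JOIN @FullCollectionMembership AS m ON c.CollectionID = m.CollectionID
     INNER JOIN @R_System AS s ON m.ResourceID = s.ResourceID
WHERE cs.parentCollectionID = 'PAC0004A'
  AND s.Operating_System_Name_and0 LIKE '%Server%'
GROUP BY c.CollectionID, c.Name
ORDER BY c.Name;
```

To run it against a real site database, replace the four table variables with v_CollectToSubCollect, v_Collection, v_FullCollectionMembership and v_R_System, and use your own parent collection ID.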
I’ve had a problem with the ITMU reporting for some time. The problem was associated with MS06-014. This patch was showing 10-15 times the numbers it should have been showing. I almost opened a ticket with MS today because I needed to get my numbers correct because I had to make a new report that shows the overall status of the different departments. But since the numbers for MS06-014 are way off it was adding about a 5-10% difference to them. So if the status showed they were at 80% they were actually 70-75%.
This is what I was seeing:
As you can see I only have 18926 clients in this report but it lists 209650 requesting the patch.
The problem was caused by MS releasing a language pack for each of the languages that it supports. To resolve this I added the located ID for location 0 and 9 to the ITMU reports temp table “where” statement.
As you can see this fixed the issue.
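An added example, not from the original post or the attached reports: a sanity check that flags any bulletin with more request rows than distinct clients, which is the symptom described above, followed by the count restricted to IDs 0 and 9. The table, its column names (ResourceID, Bulletin, LocaleID), the OTHER-0001 bulletin and all rows are hypothetical stand-ins for the ITMU patch-status data.

```sql
-- Constructed sample data. The table and its columns (ResourceID, Bulletin,
-- LocaleID) are hypothetical stand-ins for the ITMU patch-status data.
DECLARE @PatchStatus TABLE (ResourceID int, Bulletin varchar(10), LocaleID int);

-- Three clients. MS06-014 has one row per language variant on each client;
-- OTHER-0001 (a made-up bulletin) has a single row per client.
INSERT INTO @PatchStatus (ResourceID, Bulletin, LocaleID) VALUES
    (1, 'MS06-014', 9), (1, 'MS06-014', 7), (1, 'MS06-014', 12), (1, 'MS06-014', 17),
    (2, 'MS06-014', 9), (2, 'MS06-014', 7), (2, 'MS06-014', 12), (2, 'MS06-014', 17),
    (3, 'MS06-014', 9), (3, 'MS06-014', 7), (3, 'MS06-014', 12), (3, 'MS06-014', 17),
    (1, 'OTHER-0001', 0), (2, 'OTHER-0001', 0), (3, 'OTHER-0001', 0);

-- Sanity check: a bulletin cannot be requested by more clients than exist.
-- Any bulletin returned here is being counted more than once per client.
SELECT Bulletin,
       COUNT(*)                   AS RequestRows,
       COUNT(DISTINCT ResourceID) AS Clients
FROM @PatchStatus
GROUP BY Bulletin
HAVING COUNT(*) > COUNT(DISTINCT ResourceID);

-- The fix described above: keep only the ID 0 and 9 rows before counting,
-- so each client contributes one row per bulletin.
SELECT Bulletin,
       COUNT(*)                   AS RequestRows,
       COUNT(DISTINCT ResourceID) AS Clients
FROM @PatchStatus
WHERE LocaleID IN (0, 9)
GROUP BY Bulletin
ORDER BY Bulletin;
```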
I attached my new reports in case anybody was using the old ones.
Note: you will need to change the Collection ID query to reflect your environment.
I also included my new Critical patch report. I will blog on that separately.
The change is in red below.
SELECT DISTINCT
ps.Bulletin AS Bulletin_No,
ps.Retrying + ps.PreSuccess + ps.Uninstalled + ps.PendReboot + ps.Verified + ps.NoStatus + ps.Failed - ps.Verified AS Unpatched,
ps.Retrying + ps.PreSuccess + ps.Uninstalled + ps.PendReboot + ps.Verified + ps.NoStatus + ps.Failed AS 'Total with Status',
ROUND((100 * (ps.Verified + .00000001)) / (.00000001 + ps.Retrying + ps.PreSuccess + ps.Uninstalled + ps.PendReboot + ps.Verified + ps.NoStatus + ps.Failed), 0) AS '% Compliant',
ps.Verified, ps.NoStatus, ps.Retrying, ps.PreSuccess, ps.Uninstalled, ps.PendReboot, ps.Failed, real_total.total, ps.CollectionID
FROM (
SELECT fcm.CollectionID,
pse.ID AS Bulletin,
SUM(CASE WHEN pse.LastStateName = 'No Status' THEN 1 ELSE 0 END) AS NoStatus,
SUM(CASE WHEN pse.LastStateName = 'Install Verified' THEN 1 ELSE 0 END) / 2 AS Verified,
SUM(CASE WHEN pse.LastStateName = 'Retrying' THEN 1 ELSE 0 END) AS Retrying,
SUM(CASE WHEN pse.LastStateName = 'Preliminary Success' THEN 1 ELSE 0 END) AS PreSuccess,
SUM(CASE WHEN pse.LastStateName = 'Uninstalled' THEN 1 ELSE 0 END) AS Uninstalled,
SUM(CASE WHEN pse.LastStateName = 'Reboot pending' THEN 1 ELSE 0 END) AS PendReboot,
SUM(CASE WHEN pse.LastStateName = 'Failed' THEN 1 ELSE 0 END) AS Failed