10/01/2009

ConfigMgr SQL Backup Service on the wrong volume - Workaround

You are going to install ConfigMgr 2007 with the database stored on a remote SQL cluster. During the database installation, a ConfigMgr database backup service is installed on both cluster nodes. This service is named SMS SITE SQL BACKUP. By default the volume with the most free space is used to store the service. On a cluster this can cause various problems, e.g. the system state backup fails, because a service running on a shared volume cannot be accessed.
To avoid this behaviour, create a file named NO_SMS_ON_DRIVE.SMS in the root of each cluster volume that shall not be used for the service installation.
If the service has already been installed on a shared volume, it gets difficult.
There are various opinions on how this problem could be solved...
One, for example, is to move the ConfigMgr database to another server, create the file on the volume and move the database back, so that the installation runs once more and the volumes with the file are skipped. Another option that is discussed is to do a site repair.
Then I found the following post from Razmus on the Microsoft forums, and I did the following:

Note: X=Wrong drive letter, Servername=Your MgmtPoint

1. I moved the service folder X:\SMS_Servername from the wrong volume to the desired one.
2. In the management point's registry, go to HKLM\SOFTWARE\Microsoft\SMS\Components\SMS_SITE_COMPONENT_MANAGER\Multisite Component Servers. Below this key there are two subkeys named after the two cluster nodes. Each of these keys has a value named Installation Directory; change the drive letter there as well.
3. In the registry of each cluster node, go to HKLM\SYSTEM\CurrentControlSet\Services\SMS_SITE_SQL_BACKUP_Servername and change the drive letter in the value ImagePath as well.
After restarting the service SMS_SITE_SQL_BACKUP_Servername on the cluster node, the execution path should point to the new volume. Afterwards I removed the service folder from the wrong volume to make sure that the service is really running from the selected volume. This seems to work. The only problem I still have is that the folder is still created on the wrong volume when the service is restarted, but it only contains the log file. I can live with this behaviour, as the executable is running from the correct one.
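Steps 2 and 3 above are plain registry edits on three machines, so a script that rewrites both values consistently (with a dry run first) is less error-prone than regedit. The following is an added example, not code from the original post; it assumes PowerShell remoting to the cluster nodes, local administrator rights, and that 'Servername', NODE1/NODE2 and the drive letters are placeholders for your own values.

```powershell
# Added example (not from the original post): rewrite the drive letter in the
# registry values named in steps 2 and 3. Run on the management point.
param(
    [string]   $OldDrive     = 'X:',              # wrong (shared) volume
    [string]   $NewDrive     = 'D:',              # desired volume
    [string]   $MgmtPoint    = 'Servername',      # suffix of the service name
    [string[]] $ClusterNodes = @('NODE1', 'NODE2'),
    [bool]     $DryRun       = $true              # set to $false to actually write
)

# Replaces a leading drive letter (optionally inside quotes, as ImagePath often
# is) in one registry value. Used locally and, via Invoke-Command, on each node.
$fixValue = {
    param($KeyPath, $ValueName, $OldDrive, $NewDrive, $DryRun)
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    $pattern = '^("?)' + [regex]::Escape($OldDrive)
    if ($current -notmatch $pattern) {
        return "$env:COMPUTERNAME $ValueName unchanged: $current"
    }
    $updated = $current -replace $pattern, ('${1}' + $NewDrive)
    if (-not $DryRun) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $updated
    }
    return "$env:COMPUTERNAME $ValueName : $current -> $updated"
}

# Step 2: 'Installation Directory' under each node subkey on the management point.
$mcsKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Components\SMS_SITE_COMPONENT_MANAGER\Multisite Component Servers'
foreach ($nodeKey in Get-ChildItem -Path $mcsKey) {
    & $fixValue $nodeKey.PSPath 'Installation Directory' $OldDrive $NewDrive $DryRun
}

# Step 3: ImagePath of the backup service in each cluster node's own registry.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\SMS_SITE_SQL_BACKUP_$MgmtPoint"
foreach ($node in $ClusterNodes) {
    Invoke-Command -ComputerName $node -ScriptBlock $fixValue `
        -ArgumentList $svcKey, 'ImagePath', $OldDrive, $NewDrive, $DryRun
}

# After restarting the service, confirm the path the node actually runs it from:
# Get-WmiObject Win32_Service -ComputerName NODE1 `
#     -Filter "Name='SMS_SITE_SQL_BACKUP_Servername'" | Select-Object PathName
```

Run it once with the default dry run and compare the printed before/after values against the folder you moved in step 1 before rerunning with -DryRun $false.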

9/12/2009

Caution when renaming W2k8 Domain Controller

I recently had a problem when renaming a W2K8 Domain Controller.

1. Promoted a W2K8 server as an additional Domain Controller named "DCTempName"
2. Demoted a W2K3 Domain Controller named "DC1" and joined it as "DC1OLD" as a regular domain member
3. Renamed the new W2K8 DC "DCTempName" to "DC1"
4. Got an error saying that the object already exists
---> OK, I thought I can't rename it, assuming the old DC causes the problem.
5. But locally the W2K8 DC was renamed ("DC1"), while in the Domain Controllers OU and in DNS under _msdcs it was still listed with the old name ("DCTempName")
6. Tried renaming or demoting it -> no chance

Solution:
1. dcpromo /forceremoval
2. Renamed the computer to "DCTempName"
3. Promoted it as Domain Controller with the name "DCTempName"
4. Waited for replication (repadmin /showrepl)
5. Demoted the DC -> OK, now AD was clean
6. Promoted it with the name "DC1"

I assume the problem occurred because of the old DC object, which was still a domain member with the same SID... So be very careful.
Another solution is an Active Directory metadata cleanup: http://support.microsoft.com/kb/216498/en-us

8/31/2009

Forest Trust - User/Group Authentication

If you have a forest trust with selective authentication, you may get the following error when trying to authenticate users or groups between the forest domains:

Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
Error Code: 1935


Either you switch to domain-wide authentication in your trust settings (only recommended when the two forests belong to the same company...), or you have to explicitly allow the specific user or group to authenticate to the computer in the other forest.
To resolve the issue, open Active Directory Users and Computers --> enable Advanced Features on the View tab --> select the computer object --> Properties --> Security --> add the user or group that should authenticate and check Allowed to Authenticate
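The checkbox above writes one access control entry for the Allowed-To-Authenticate extended right on the computer object. The following added example (not from the original post) sets that ACE from PowerShell and lists who currently holds it, which is useful when reviewing what selective authentication permits; it assumes the ActiveDirectory module (RSAT on W2K8 R2 or later) and that the server, group and computer names are placeholders.

```powershell
# Added example (not from the original post): grant and audit the
# 'Allowed to Authenticate' right on a computer object under selective authentication.
Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate control access right in the AD schema
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [string]$ComputerName,                                         # computer in the local forest
        [System.Security.Principal.SecurityIdentifier]$PrincipalSid    # user/group from the trusted forest
    )
    $dn   = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $PrincipalSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-AllowedToAuthenticate {
    # Lists every principal explicitly allowed to authenticate to the computer.
    param([string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.ObjectType -eq $AllowedToAuthenticate -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

# Resolve the group in the trusted forest by SID (placeholder names; the query
# across the trust may need -Credential for that forest).
$sid = (Get-ADGroup -Identity 'App Users' -Server 'dc1.otherforest.example').SID
Grant-AllowedToAuthenticate -ComputerName 'APPSRV01' -PrincipalSid $sid
Get-AllowedToAuthenticate   -ComputerName 'APPSRV01'
```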

8/13/2009

Failed to run ADAM setup 0x80074e46

If you install ISA Server 2006 EE (without SP) with the Configuration Storage Server (CSS) on a Windows Server 2003 SP2, you may get the following error:
Failed to run ADAM setup Error Code: 0x80074e46

You may be able to solve the problem by configuring a DNS server on your interface that points to Active Directory.

6/05/2009

Certificates for internet-based site systems in SCCM

Internet-based site systems in SCCM need certificates with the server authentication purpose, e.g. a web server certificate. Important for these certificates is the FQDN of the server (or the defined DNS alias) in either the certificate Subject Name field or the Subject Alternative Name (SAN) field.
For Example: MYSCCM01.MYDOMAIN.LOCAL or SCCM.MYDOMAIN.COM

BUT!!! It gets difficult if you want to use one certificate for intranet and internet usage. In this case both FQDNs must be included in the certificate, but only one certificate subject name can be configured. Normally a Windows PKI also issues only certificates with one SAN name, but this can be changed!

Execute the following command to enable the SAN2 extension on the CA, so that certificates get issued with these fields:

certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

After this, stop and start the CA service:

net stop certsvc && net start certsvc

Now you can issue certificates with more than one SAN name.
To request a certificate with multiple SAN names, go to your computer certificates MMC, request a new certificate, choose your server authentication template and open the properties page by clicking the details arrow.
Under Alternative name select type 'DNS' and type in your FQDNs.
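The same request can be produced without the MMC by putting both DNS names into the SAN extension of a certreq INF file. The following is an added example, not from the original post; the CA config string, template name, file paths and FQDNs are placeholders, and it assumes the template allows the subject name to be supplied in the request.

```powershell
# Added example (not from the original post): request one server authentication
# certificate carrying both FQDNs as DNS SANs and install it in the machine store.
$Subject  = 'CN=SCCM.MYDOMAIN.COM'
$SanNames = @('MYSCCM01.MYDOMAIN.LOCAL', 'SCCM.MYDOMAIN.COM')
$CaConfig = 'CA01.MYDOMAIN.LOCAL\MyDomain Issuing CA'   # placeholder; certutil -dump shows yours
$Template = 'WebServer'                                  # placeholder server authentication template

# The SAN is embedded in the request ([Extensions], OID 2.5.29.17), so this path
# does not rely on EDITF_ATTRIBUTESUBJECTALTNAME2 being set on the CA.
$sanLines = ($SanNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
$inf = @"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
$sanLines
[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path 'C:\Temp\sccm.inf' -Value $inf -Encoding ASCII

certreq -new    'C:\Temp\sccm.inf' 'C:\Temp\sccm.req'
certreq -submit -config $CaConfig 'C:\Temp\sccm.req' 'C:\Temp\sccm.cer'
certreq -accept 'C:\Temp\sccm.cer'      # binds the issued cert to the key in LocalMachine\My

# Verify that both names ended up in the SAN of the installed certificate
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    ForEach-Object { $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } } |
    ForEach-Object { $_.Format($true) }
```

With the EditFlags change from the post, any enrollee can instead pass arbitrary SAN values as a request attribute (certreq -submit -attrib "SAN:dns=...") on any template, so the enrollment permissions of the templates the CA publishes deserve a review when that flag stays enabled.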

6/03/2009

Assign Windows PE Boot Image to Client

Windows Deployment Services (WDS) delivers a command line tool named wdsutil.exe, which can be used to prestage computers in Active Directory. I was personally interested in having a Windows PE boot image chosen automatically for a client in the Windows Boot Manager.
One purpose is, for example, different Windows PE images for different processor architectures (x86, x64).
The parameter /BootImagePath defines the boot image that the client starts after the countdown.

Example x86
WDSUTIL /Add-Device /Device:ComputerName /ID:MACAddress /ReferralServer:WDSServerName /BootProgram:boot\x86\pxeboot.com /BootImagePath:boot\x86\images\bootx86.wim

Example x64
WDSUTIL /Add-Device /Device:ComputerName /ID:MACAddress /ReferralServer:WDSServerName /BootProgram:boot\x64\pxeboot.com /BootImagePath:boot\x64\images\bootx64.wim

After executing the command, a computer account is created in Active Directory which stores the configured options. Once a client boots from the network, it gets all the information needed to choose the assigned boot image.
Note: Scripting the "WDSUTIL /Add-Device" command is a comfortable way to create multiple prestaged computer objects.


Furthermore you can configure your WDS server to answer only known clients, which gives you more control over the deployment.
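The note above about scripting WDSUTIL /Add-Device, as an added example that is not part of the original post: it builds the two command lines shown above from a list of computers with their architecture, so each client is prestaged with the matching x86 or x64 boot image. The WDS server name, CSV columns and the dashed MAC format for /ID are assumptions; the sample rows are constructed.

```powershell
# Added example (not from the original post): prestage computers from a list,
# selecting the boot program and Windows PE image by processor architecture.
$WdsServer = 'WDS01.MYDOMAIN.LOCAL'        # placeholder referral server

# Per-architecture boot program and PE image (paths relative to RemoteInstall)
$BootImages = @{
    'x86' = @{ Program = 'boot\x86\pxeboot.com'; Image = 'boot\x86\images\bootx86.wim' }
    'x64' = @{ Program = 'boot\x64\pxeboot.com'; Image = 'boot\x64\images\bootx64.wim' }
}

function ConvertTo-WdsMac {
    # Normalises '00:11:22:AA:BB:CC' or '001122aabbcc' to 00-11-22-AA-BB-CC
    # (assumed here to be the /ID form WDSUTIL accepts for a MAC address).
    param([string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Invalid MAC address: $Mac" }
    $pairs = [regex]::Matches($hex, '..') | ForEach-Object { $_.Value }
    return ($pairs -join '-')
}

function New-WdsAddDeviceArgs {
    # Returns the WDSUTIL argument list for one computer; nothing is executed here.
    param([string]$Name, [string]$Mac, [string]$Arch)
    if (-not $BootImages.ContainsKey($Arch)) { throw "Unknown architecture '$Arch' for $Name" }
    $img = $BootImages[$Arch]
    return @('/Add-Device', "/Device:$Name", "/ID:$(ConvertTo-WdsMac $Mac)",
             "/ReferralServer:$WdsServer", "/BootProgram:$($img.Program)",
             "/BootImagePath:$($img.Image)")
}

# Constructed sample rows; in practice use: $rows = Import-Csv 'C:\Temp\prestage.csv'
$rows = @"
Name,MAC,Arch
PC-X86-01,00:11:22:33:44:55,x86
PC-X64-01,00-AA-BB-CC-DD-EE,x64
"@ | ConvertFrom-Csv

foreach ($row in $rows) {
    $args = New-WdsAddDeviceArgs -Name $row.Name -Mac $row.MAC -Arch $row.Arch
    Write-Host ('WDSUTIL ' + ($args -join ' '))   # review the command first
    # & WDSUTIL $args                              # uncomment to prestage for real
}
```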

3/06/2009

SQL SCCM Query to return Advertisements, Programs and Main Users of all Computers

This SCCM SQL query returns each computer, its advertisements and programs, and the main user (the console user with the most logged console minutes).

SELECT v_Advertisement.AdvertisementName,
       v_Advertisement.ProgramName,
       v_R_System_Valid.Netbios_Name0              AS Computername,
       v_GS_SYSTEM_CONSOLE_USER.SystemConsoleUser0 AS MainUsername
FROM (SELECT ResourceID, MAX(TotalUserConsoleMinutes0) AS Anmeldezeit   -- highest console time per computer
      FROM v_GS_SYSTEM_CONSOLE_USER
      GROUP BY ResourceID) AS Table1
JOIN v_GS_SYSTEM_CONSOLE_USER                                            -- the user holding that maximum
  ON v_GS_SYSTEM_CONSOLE_USER.ResourceID = Table1.ResourceID
 AND v_GS_SYSTEM_CONSOLE_USER.TotalUserConsoleMinutes0 = Table1.Anmeldezeit
JOIN v_R_System_Valid
  ON v_R_System_Valid.ResourceID = Table1.ResourceID
JOIN v_ClientAdvertisementStatus
  ON v_ClientAdvertisementStatus.ResourceID = Table1.ResourceID
JOIN v_Advertisement
  ON v_Advertisement.AdvertisementID = v_ClientAdvertisementStatus.AdvertisementID