Pissed off at NT SERVICE\ALL SERVICES not being able to grant Log on as a service role because the Local Security Policy “cannot find it?” Here’s an inelegant but working quickie:
- Grant EVERYONE Log on as a service rights
- Install the service you need
- If the service uses an NT SERVICE\* as its service account, create a LOCAL ACCOUNT and grant it Log on as a service right. Replace the NT SERVICE\* service account in services.msc.
- Reboot the machine. The service you installed should still be there. (The problem manifests itself when you reboot the machine and the service you installed gets uninstalled.)
- Remove EVERYONE from Log on as a service right
- Reboot the machine again. Verify that the service is still present.
NOTE: Be aware of the security repercussions of this post before following anything you read online!
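To confirm the last two steps (Everyone no longer holds the right, and the service survived the reboot), the following added example, which is not from the original post, parses a `secedit` user-rights export. The account `svc-local`, the service name `MyService` and the sample export lines are constructed for illustration.

```powershell
# Added example: audit who holds "Log on as a service" (SeServiceLogonRight).
# Well-known SIDs: S-1-1-0 = Everyone, S-1-5-80-0 = NT SERVICE\ALL SERVICES.

function Get-ServiceLogonRightHolder {
    # Return the SIDs/account names on the SeServiceLogonRight line of a
    # secedit USER_RIGHTS export (entries look like "*S-1-1-0" or a bare name).
    param([Parameter(Mandatory)][string[]]$InfLines)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-ServiceLogonRight {
    # Report the holders, whether Everyone is still granted the right, and
    # (optionally) whether the named service is still installed.
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [string]$ServiceName
    )
    $holders = @(Get-ServiceLogonRightHolder -InfLines $InfLines)
    $present = $null
    if ($ServiceName) {
        $present = [bool](Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        Holders              = $holders
        EveryoneStillGranted = ($holders -contains 'S-1-1-0') -or ($holders -contains 'Everyone')
        ServicePresent       = $present
    }
}

# Constructed sample: the state after step 1, before Everyone is removed.
$sample = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544',
    'SeServiceLogonRight = *S-1-1-0,*S-1-5-80-0,svc-local'
)
Test-ServiceLogonRight -InfLines $sample   # EveryoneStillGranted is True here

# On the live machine (elevated prompt), after the final reboot:
#   $cfg = Join-Path $env:TEMP 'user-rights.inf'
#   secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
#   Test-ServiceLogonRight -InfLines (Get-Content $cfg) -ServiceName 'MyService'
```

After the final step, `EveryoneStillGranted` should be False and `ServicePresent` True; any other result means the cleanup or the workaround did not take.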
These are my favorite resources for SCCM 2012 R2
Technical Reference for Ports Used in Configuration Manager http://technet.microsoft.com/en-us/library/hh427328.aspx
Technical Reference for Accounts Used in Configuration Manager http://technet.microsoft.com/en-us/library/hh427337.aspx
Supported Configurations for Configuration Manager http://technet.microsoft.com/en-us/library/gg682077.aspx
- How to configure WSUS on SCCM 2012 http://www.windows-noob.com/forums/index.php?/topic/9030-how-to-configure-wsus-on-sccm-2012-win-server-2012/?p=36633 (somewhere in the replies someone did this: config WSUS location and DB by opening the console and NOT configure eventually, will write something about this soon)
More to follow
Problem: You are tasked with coming up with a huge organization’s role-based access control for System Center 2012 Configuration Manager during early deployment. You already have the strategy, but given the hundreds of Active Directory Groups, Collections, Security Scopes and Custom Security Roles, you need a tool to test all possible security combinations.
To make it worse: because of the thousands of objects that need to be created, you know you will deploy via PowerShell to make it easier. Unfortunately in automation, one does not make small mistakes: you either make no mistake or a massive one. You need a tool to test out your strategy on a small scale, and then, after creating all those objects using PowerShell, ensure that as far as the security settings are concerned, everything’s properly in place.
Solution: Good thing there’s the Role Based Administration Modelling and Auditing Tool for Microsoft System Center 2012 Configuration Manager.
- Compare your custom groups with the default ones
- Ensure that user accounts could only access the intended collections, scopes, etc.
- Test out how the Console behaves based on different user accounts logged on.
- And more!
The Role Based Auditing and Modelling Tool is available as part of the System Center 2012 Configuration Manager Component Add-ons and Extensions. Download it now!
Testing against a user account
It’s really sad that while people are excited whenever community leads announce new events, everyone keeps quiet whenever speaker or demoer volunteers are needed. They say they would rather defer to the “experts” in technology and delivery.
Well, let me say that these “experts” also started somewhere. And we all have our terrifying experiences. Let me share with you mine.
This was during the DevDays Manila in November 1999. I was two months in Microsoft Philippines. The event was at the Philippine International Convention Center (PICC). And for those of us too young to know, that same building houses the Office of the Vice President of the Republic of the Philippines. And guess who was VP that time? The lady known for her Presidential temper. That one is another story.
Anyway, I was to demo dev stuff on Windows 2000 (message queueing?). I did my due diligence and prepared like mad. However when you hear your name being called out by the plenary session speaker (yes it was a plenary session with an audience of 1500 or so), all you’ve prepared for goes down the drain. I went in there, did my demo (yes, only demo, no PPT), and my hand was trembling like mad to the point that my mouse clicks didn’t hit their mark. My trembling may not be noticeable on my monitor, but projected on a big screen it is very obvious. People noticed, and began laughing. This was where the plenary speaker had to do his thing to maintain contact with the audience and calm me down in the process.
To cut the story short, yes, I was trembling, and yes the audience saw the nervousness, but I pulled through. The people called “experts” also started with terrifying stage experiences. We should be frightened onstage, because if not, we won’t be careful and we would not take what we’re doing seriously!
So, if your community lead comes knocking at your door to assist as a speaker or demoer, GRAB THE OPPORTUNITY, since at least one would be speaking in a small community event. You mess up, what could go wrong? You won’t get fired, right? The fact that you became a speaker may reflect on your CV, but your mess-up won’t. Anyway, at least participate in the smaller events to gain confidence little by little and prepare you for the bigger events.
This is not work, you are a volunteer, and as such your community leads only ask for your participation. They would not ask for perfection.
On a side note re: the VP? Well, to add to the tension, we were at the receiving end of the Vice Presidential temper due to the noise. It was an experience!
CALL TO ACTION: PHIWUG is building up its speaker pool. Do help out, and use the experience and connections. Yes, PHIWUG can actually help you get better at your technical career!
Central Administration Site (CAS)
- Needed if you have more than one Primary Site
- Database should be in a SQL Server instance
- Does not support roles that involve servicing clients
- Can support up to 25 child primary sites
Primary Site Server
- Database should be in a SQL Server instance
- Avoid placing client-servicing roles in this server
- Each primary site can support up to 250 secondary sites
- If co-hosted on a SQL Server, a primary site can support up to 50,000 clients.
- If a dedicated SQL Server is used, the primary site can support 100,000 clients.
Secondary Site Server
- In SCCM 2012, this requires its own database
- Database can be in a SQL Express or SQL Server
- Database should be co-located with the Secondary Site server
- Management Point on a primary site can support 25,000 clients.
- Management Point on a secondary site can support 2,500 clients
- Ensure Distribution Points are available per client location
- Distribution Point supports up to 4,000 clients. Add more DPs as needed
- Client-facing roles should not be assigned to site servers, especially if servicing Internet-based clients
- Do not co-locate SCCM and SQL if the database is clustered.
- Better performance is achieved if SCCM site server is co-located with its SQL Server. If this is not possible, then ensure good connectivity between SQL Server and SCCM
- Software Update Point (SUP) running WSUS 3.0 SP2 can support up to 100,000 clients
Here is my compilation of Microsoft SCCM important links
Learning Microsoft SCCM
- Microsoft Virtual Academy: System Center 2012 Configuration Manager (SCCM)
- Planning for Configuration Manager Sites and Hierarchy
System Center Updates Publisher
Free TRAINING and EXAM from Microsoft! If you pass the exam, you earn the Microsoft Certified Specialist: Server Virtualization title.
- Step 1: Read up on the skills measured in exam 74-409
- Step 2: Take the free online training
- Step 3: Request a free exam voucher for 74-409*
- Step 4: Schedule your exam at http://www.register.prometric.com/, take it and pass it!
- Step 5: Get your shiny new certification, add it to your CV and LinkedIn profile, and begin exercising your bragging rights!
Get the full story here. Good luck!