Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Posts Tagged ‘ConfigMgr’

SCCM 1606 SQL Server Views Documentation



If you are working on SCCM custom reports, you may have wished for a reference to help you navigate the countless database views available in SQL Server for SCCM. There is in fact such a reference, published by Microsoft last November 2016.

Download the SCCM ConfigMgr SQL Views reference from here: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Other useful references

jay paloma  |  26 mar 2017  |  singapore


Written by jpaloma

March 26, 2017 at 6:56 PM

ConfigMgr Automatic Deployment Rule Fails with Error Code 1326 if Source WSUS is not a Domain Member



Behavior

ConfigMgr infrastructure uses a WSUS server in the DMZ which is not a member of the domain, as shown in the figure below:

SCCM ADR WSUS DMZ

If you use Automatic Deployment Rule, the sync fails with the following:

  • Error code 0X87D20417 in the SCCM Console
  •  “Failed to download the update from UNC content source. Error = 1326” in ruleengine.log.

Configuration Manager Console Automatic Deployment Rules showing error code 0X87D20417

ruleengine.log showing error 1326

Meanwhile, patch metadata is successfully transferred over to ConfigMgr when you sync software updates. Manual patch synchronization by downloading to the Deployment Package is also successful.

Cause

The top-level ConfigMgr server attempts to access the shared WsusContent folder on your DMZ WSUS using the computer account of your Primary Site Server or CAS, and fails because it is denied access. Because the DMZ WSUS is not a domain member, you cannot grant access to the CAS or Primary Site Server computer account on it, or make that account a member of any local group.
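To confirm that the ADR failure is an authentication problem rather than a network or path problem, the numeric code in ruleengine.log can be decoded. The following is an added example, not code from the original post: the function name is hypothetical and the sample lines are constructed in the CMTrace log layout, with only the failure message taken from the post.

```powershell
# Added example. Sample lines are constructed; only the quoted
# "Failed to download ... Error = 1326" message comes from the post.
function Get-CMLogWin32Error {
    param([Parameter(Mandatory)][string[]]$Line)

    # CMTrace layout: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    $pattern = '<!\[LOG\[(?<msg>.*?Error = (?<code>\d+).*?)\]LOG\]!>' +
               '<time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]+)"'

    foreach ($entry in $Line) {
        if ($entry -match $pattern) {
            $code = [int]$Matches['code']
            [pscustomobject]@{
                Date      = $Matches['date']
                Time      = $Matches['time']
                Component = $Matches['comp']
                Code      = $code
                # Translate the Win32 error code into its system message text.
                Meaning   = [System.ComponentModel.Win32Exception]::new($code).Message
                Message   = $Matches['msg']
            }
        }
    }
}

# Constructed sample input (timestamps, thread and file values are made up).
$sample = @(
    '<![LOG[Downloading content for update (constructed sample line)]LOG]!><time="09:12:40.101+480" date="05-01-2016" component="SMS_RULE_ENGINE" context="" type="1" thread="4100" file="sample.cpp:1">'
    '<![LOG[Failed to download the update from UNC content source. Error = 1326]LOG]!><time="09:12:41.377+480" date="05-01-2016" component="SMS_RULE_ENGINE" context="" type="3" thread="4100" file="sample.cpp:2">'
)

# Only the failing line is returned; 1326 decodes to a logon failure.
Get-CMLogWin32Error -Line $sample | Format-List

# Against a real log, pass its lines instead of the sample:
# Get-CMLogWin32Error -Line (Get-Content '<path to>\ruleengine.log')
```

Win32 error 1326 is ERROR_LOGON_FAILURE, which matches the cause described above: the site server's computer account cannot authenticate to the non-domain WSUS host.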

Resolution

You can choose one of the following options if you intend to use Automatic Deployment Rules:

  1. Copy the contents of \\dmz_wsus\WsusContent to a shared location which is accessible to your top-level ConfigMgr server (CAS or Primary Site Server), and sync the ADR from that location.
  2. Make the DMZ WSUS server a member of the domain and ensure that the top-level Site Server (CAS or Primary Site Server) is a member either of the local Administrators group or the WSUS Administrators group.

Remember, this is only an issue if you use ADR. I haven’t done testing on a normal non user-initiated SCCM update sync. You might want to give me feedback if this error shows up on non user-initiated update sync.

Products

  • System Center 2012 R2 Configuration Manager SP1
  • Windows Server 2012 R2

jay paloma  |  1 may 2016  |  singapore

This post is provided “AS-IS” and makes no warranties and confers no rights

Written by jpaloma

May 1, 2016 at 9:29 AM

Posted in Configuration Manager, SCCM


My First ConfigMgr Automation with System Center Orchestrator



Here’s my first System Center 2012 R2 Configuration Manager automated task using System Center 2012 R2 Orchestrator:

  • Download the required Integration Pack from this link from the Microsoft website.
  • Download the Windows Installer XML (WiX) Toolset (at least v3.5) from this website.
  • Install the WiX Toolset.
  • Open the System Center 2012 R2 Orchestrator Deployment Manager and import the Integration Packs.
  • Right-click on the Integration Pack and select Deploy IP to Runbook Server or Runbook Designer. This executes the Integration Pack Deployment Wizard.
  • Open the System Center 2012 R2 Orchestrator Runbook Designer, and in Options select SC 2012 Configuration Manager.
  • In Connection, click Add, and enter the information needed to connect to your ConfigMgr. Server should be a Primary Site Server.
  • By adding the ConfigMgr Integration Pack, we have new activities pertaining to ConfigMgr available in our Runbook Designer.
  • To test, let’s now create a new Runbook with only the Create Collection action. Here are the parameters of that Create Collection action.
  • Run this Runbook. Check in Log History that it succeeded.
  • Now go to the ConfigMgr console and confirm that the Collection has been created.

That’s it! My first ConfigMgr automation with System Center Orchestrator!

 

jay paloma  |  23 apr 2016  |  singapore

Written by jpaloma

April 23, 2016 at 10:02 PM

Configuration Manager RBAC – Collections



2nd Jan 2016, continuing with the doing-nothing-while-on-vacation series.

You can assign Collection access to Administrative Users. However, keep in mind the following:

  1. If your objective is to ensure limited visibility of collection results, then see to it that you do not grant access to the All Systems collection. You have to have what I call a Top-Level Collection in lieu of the default collections (including All Systems). Ensure that the membership of this Top-Level collection is limited to the objects you want the specific admin to see. Use specific conditions, e.g., OU membership, computer name, etc., to populate. Also keep in mind that the objects are still available in Queries, so if you really need to ensure non-visibility of objects, deal with Queries as well.
  2. Use this Top-Level collection as the limiting collection for all other collections that you would create. Do not use the All Systems collection because if the user account does not have access to All Systems, then the user account will always see 0 membership. Remember: the user does not have access to the Top Level collection (ergo, 0 members) and you created a collection that limits itself to the All Systems collection (again, 0 members), and you’ll get a collection of 0 members!

So for example you want to create an RBAC role to be able to deploy Applications and Patches to machines from the APAC region:

  1. Create an APAC Top-Level collection, with All Systems as its limiting collection and OU membership as its criteria.
  2. Create a second collection with APAC Top-Level as its limiting collection, and add the additional conditions that it is a ConfigMgr client and it is a workstation OS. Let’s call this APAC Clients.
  3. Create an AD Group APAC Deployment
  4. Add this group in ConfigMgr Administrative Users, and grant access to the APAC Clients collection. Also assign it the RBAC Role nearest to the deployment role you want, or customize the role further to get the actions you want this role to perform.
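The four steps above, scripted with the ConfigMgr and Active Directory PowerShell modules. This is an added example, not code from the original post: the site code `PS1`, the `CONTOSO` domain, the OU paths and the two built-in roles chosen are assumptions to replace with your own values.

```powershell
# Added example. PS1, CONTOSO, the OU paths and the chosen roles are placeholders.
Import-Module ActiveDirectory

# Step 3 (done first, before switching to the site drive): the AD group.
New-ADGroup -Name 'APAC Deployment' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=contoso,DC=com'

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Step 1: Top-Level collection, limited by All Systems, populated by OU membership.
New-CMDeviceCollection -Name 'APAC Top-Level' -LimitingCollectionName 'All Systems'
Add-CMDeviceCollectionQueryMembershipRule -CollectionName 'APAC Top-Level' `
    -RuleName 'APAC OU' `
    -QueryExpression 'select * from SMS_R_System where SMS_R_System.SystemOUName = "CONTOSO.COM/APAC"'

# Step 2: APAC Clients, limited by the Top-Level collection (never by All Systems).
New-CMDeviceCollection -Name 'APAC Clients' -LimitingCollectionName 'APAC Top-Level'
Add-CMDeviceCollectionQueryMembershipRule -CollectionName 'APAC Clients' `
    -RuleName 'Workstation clients' `
    -QueryExpression ('select * from SMS_R_System where SMS_R_System.Client = 1 ' +
                      'and SMS_R_System.OperatingSystemNameandVersion like "%Workstation%"')

# Step 4: add the group as an Administrative User scoped to APAC Clients only.
# The roles are built-in ones picked as the nearest fit; 'Default' is the built-in scope.
New-CMAdministrativeUser -Name 'CONTOSO\APAC Deployment' `
    -RoleName 'Application Deployment Manager', 'Software Update Manager' `
    -CollectionName 'APAC Clients' `
    -SecurityScopeName 'Default'

# Check: the admin must be scoped to APAC Clients and must not see All Systems.
$admin = Get-CMAdministrativeUser -Name 'CONTOSO\APAC Deployment'
$admin | Select-Object LogonName, RoleNames, CollectionNames
if ($admin.CollectionNames -contains 'All Systems') {
    Write-Warning 'APAC Deployment can see All Systems; visibility is not limited.'
}

# Check: no collection meant for this admin is still limited by All Systems
# (apart from the Top-Level collection itself), or it will show 0 members.
Get-CMDeviceCollection -Name 'APAC*' |
    Select-Object Name, LimitToCollectionName, MemberCount
```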

Screenshots to follow once I’m back in my lab. Too bad I haven’t installed my ConfigMgr lab in Azure yet at this point in time.

jay paloma  |  02 jan 2016  |  manila

Written by jpaloma

January 2, 2016 at 7:15 PM

Implementing HTTPS on System Center 2012 R2 Configuration Manager – Part 2 Certificate Templates



This is Part 2 of the video series on Implementing HTTPS on System Center 2012 R2 Configuration Manager. It discusses the different certificate templates required, creating those templates, and then enrolling certificates to the servers using these templates.

Certificate Templates Required by Configuration Manager

  1. Client Certificate is used by all Configuration Manager clients
  2. Exportable Client Certificate is required for implementing HTTPS on Distribution Points
  3. Web Server Certificate is used by all MPs, DPs, SUPs, RSPs and other Configuration Manager services that use IIS.

Creating the Certificate Templates

  1. Create an Active Directory Global Group and grant Read, Enroll and Autoenroll permissions for each of the 3 templates.
  2. Configure the templates to use Subject Name (not Alternate Name as mentioned in the video) DNS format
  3. Publish the three templates to the CA and restart the Active Directory Certificate Service.

For more details, refer to this article Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority.

 

Written by jpaloma

November 22, 2015 at 8:43 PM

Implementing HTTPS on System Center 2012 R2 Configuration Manager – Part 1 Configure CA



This video is the first of a 4-part video series on implementing HTTPS on Microsoft System Center 2012 R2 Configuration Manager.

The video below details the steps in implementing the Windows AD Certificate Authority required for HTTPS implementation.

In a real world environment, your organization may have already set up the CA.

Written by jpaloma

November 22, 2015 at 3:46 PM