You are browsing the archive for 2007 April.

Prepare your Environment for Running sms 2003 – Active Directory Part2

3:02 pm in Sms 2003 by The WMI guy

Are you tired of seeing your Active Directory System Group Discovery and Active Directory User Discovery in error all of the time?


Is your status filled with messages like:


SMS Active Directory System Group Discovery Agent reported errors for X objects. DDR’s were generated for Y objects that had errors while reading non-critical properties. DDR’s were not generated for Z objects that had errors while reading critical properties.


Do you see the following messages in adsysgrp.log and adusrdis.log:


Could not get property (memberOf) for system XXXXXXXX or


Could not get property (memberOf) for user XXXXXXXX


Then read on; I'll explain what is happening and, more importantly, what you can do about it.


Explaining the Issue (Logs and status messages)


The status message tells you that the discovery agent can't read a critical property of a user or computer object, and suggests that this might be a security or replication issue, or that the property might not be available; suggestions you have probably verified already without finding anything wrong. The log files are more useful: they name the property that couldn't be read, memberOf, which holds the group memberships of users and computers.


The memberOf attribute in Active Directory lists the groups an object belongs to, with one exception: the object's primary group (by default Domain Users for users and Domain Computers for computers) is not listed there, because it is stored in the primaryGroupID attribute instead. An object that belongs to no group besides its primary group therefore has no memberOf attribute at all. The SMS 2003 discovery methods cannot handle that: to be technically accurate, they can't distinguish an absent memberOf attribute from one they are not allowed to read, so they log it as an error either way.


As you might have deduced from the above, you are seeing this issue because your discovery scope contains users and/or computers that are members of nothing but their primary group. The fix is easy enough: add all such users and computers to a dummy group so that their memberOf attribute is no longer empty. Two things to keep in mind before you do. First, every user and computer will end up in that group, so it must never be granted any rights or permissions; it exists only to populate memberOf. Second, if your forest is still at the Windows 2000 functional level, group membership replicates as a single attribute value and groups beyond roughly 5,000 members are not supported, so split the dummy group into several groups if you need to (linked-value replication, which lifts that limit, only arrives with the Windows Server 2003 forest functional level). The rest of this article shows the steps to identify which users and/or computers have an empty memberOf attribute and to add them to the groups.


Query Users with Empty memberOf attribute (requires the Windows Server 2003 Active Directory Users and Computers console for Saved Queries)


Open Active Directory Users & Computers


Open Saved queries


Right-click and select New, Query


Type in a name for the query


Click Define Query


In the Find list box select Custom Search


Click the Field button, select User, then Member Of


In the Condition list box select Not Present, click Add, then click OK twice.


Query Computers with Empty memberOf attribute (requires the Windows Server 2003 Active Directory Users and Computers console for Saved Queries)


Open Active Directory Users & Computers


Open Saved queries


Right-click and select New, Query


Type in a name for the query


Click Define Query


In the Find list box select Custom Search


Click the Advanced tab and type in the following LDAP filter (the NOT operator must wrap its own parenthesised term; objectCategory=computer keeps user and contact objects out of the results):


(&(objectCategory=computer)(!(memberOf=*)))


Add Users to a group to avoid discovery issue


Create a global security group called GG_Sms2003dummyusersgroup (or another name that is in line with your naming convention), and remember that it must not be granted any rights.


Multi-select the users you found in the previous query, right-click, choose Add to a group, and add them to GG_Sms2003dummyusersgroup.


Add Computers to a group to avoid discovery issue


Create a global security group called GG_Sms2003dummycomputersgroup (or another name that is in line with your naming convention), again with no rights granted to it.


In the View menu select Users, Groups, and Computers as containers.


Expand the tree (the + signs) so that you can see the group you created in the tree pane.


Go back to the results of your computer query, multi-select all the results, and drag them onto the group in the tree pane.


You should see a dialog box stating that the Add to group operation was successfully completed. Check your work by re-running both saved queries: they should now return no objects, and the next discovery cycle should run without the memberOf errors.
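The same three steps (find users with no memberOf, find computers with no memberOf, add them to the two dummy groups) can be scripted. The script below is an added example written for this article, not part of the original post or of SMS 2003 itself. It uses the System.DirectoryServices classes only, runs in dry-run mode unless you pass -Apply, and assumes you run it inside the domain being discovered as an account that may change the membership of the two groups; the group names are the ones used in the post.

```powershell
# Added example; not part of the original post. Finds the user and computer objects
# whose memberOf attribute is absent (the objects SMS 2003 discovery trips over) and
# adds them to the two dummy groups from the post. Dry-run unless -Apply is given.
# Assumptions: run in the discovered domain, as an account allowed to change the
# membership of the two groups; group names are the post's examples.
param([switch]$Apply)

$rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$domain  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($rootDse.defaultNamingContext)")

# Same filters as the saved queries in the post: (!(memberOf=*)) means "attribute not present".
# objectCategory=person plus objectClass=user keeps contacts out of the user result set.
$jobs = @(
    @{ Filter = "(&(objectCategory=person)(objectClass=user)(!(memberOf=*)))"; Group = "GG_Sms2003dummyusersgroup" },
    @{ Filter = "(&(objectCategory=computer)(!(memberOf=*)))";                  Group = "GG_Sms2003dummycomputersgroup" }
)

function Search-Domain([string]$filter, [string[]]$attributes) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, $filter, $attributes)
    $searcher.PageSize = 1000   # paged search; otherwise a large domain stops at the server's size limit
    $searcher.FindAll()
}

function Get-Group([string]$samAccountName) {
    $hit = Search-Domain "(&(objectCategory=group)(sAMAccountName=$samAccountName))" @("distinguishedName") |
           Select-Object -First 1
    if (-not $hit) { throw "Group $samAccountName does not exist; create it first (and grant it no rights)." }
    $hit.GetDirectoryEntry()
}

foreach ($job in $jobs) {
    $group   = Get-Group $job.Group
    $objects = @(Search-Domain $job.Filter @("distinguishedName"))
    Write-Host ("{0}: {1} object(s) with empty memberOf" -f $job.Group, $objects.Count)
    foreach ($obj in $objects) {
        $dn = $obj.Properties["distinguishedname"][0]
        if ($Apply) {
            # IADsGroup::Add takes the member's ADsPath; the change is written immediately
            $group.Invoke("Add", "LDAP://$dn")
            Write-Host "  added $dn"
        } else {
            Write-Host "  would add $dn (re-run with -Apply)"
        }
    }
}
```

Run it once without -Apply and review the list; objects such as service accounts or domain controllers may show up here and deserve a second look before you put them in a group. If you are at Windows 2000 forest functional level, stop and split the work across several groups once a dummy group approaches 5,000 members.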


 


Enjoy




“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx


 


 

Branch dp’s could make sms admins and firewall admins friends again

2:56 pm in SCCM 2007 by The WMI guy

SCCM 2007 has a brand new feature called branch distribution points. The best-known fact about this feature is that it is a distribution point supported on any operating system that can run an SCCM 2007 client; in other words, it is supported to run a branch distribution point on Windows 2000 Professional SP4 as well as on Windows XP Professional SP1. This little fact has meant that the feature was almost immediately compared to a third-party product that has been providing us with "branch dp's" since SMS 2.0, 1E's SMS Nomad Branch. And as others have already pointed out, SMS Nomad Branch still offers some things that branch distribution points don't. Most importantly, the 1E solution for designating a "branch dp" is dynamic: you as an SMS administrator don't have to designate a branch dp, as one is automagically selected by an election process, which means you don't have to leave one machine up and running 24x7 in every branch.


A rather less stressed fact about SCCM 2007 branch dp's, though, is that the traffic from a standard dp (which is where branch dp's get their packages from) to a branch dp is no longer the good old SMB file-sharing traffic: a branch dp pulls its content from a standard dp over HTTP using BITS. This little gem, in my personal opinion, could make branch dp's in SCCM 2007 incredibly useful.


In SMS 2003 my advice for "branch dp's" used to be: don't use them. SMS 2003 only supported distribution points on a server OS, so my advice was to install a secondary site instead. SMS 2003 distribution points received their packages from the site server in an unscheduled, unthrottled, uncompressed format. Now that all of this has been taken care of, an SCCM 2007 branch dp might actually make sense, and it makes perfect sense if you keep the traffic remark from the previous paragraph in mind. One of the downsides/problems I have with secondary sites in SMS 2003 is that they rely on SMB traffic, which makes for annoying discussions with the security/firewall team about opening up the file-sharing ports (TCP 139 and 445). Those ports are used for quite a bit more than SMS, and because of some historically annoying exploits against them, most firewall admins are fairly reluctant to open them up. Asking for HTTP (TCP 80, or HTTPS on TCP 443 in native mode) from the branch dp to the standard dp is a much easier conversation.


The net result of all this is that, with what I know today, my advice might shift to using branch dp's on a server OS in the larger sites and on a desktop OS in the smaller sites, hoping to brush up my relationship with the security team, as I might need them to help set up the PKI I need to run native mode, which in turn I need to roll out internet-based client management.


Enjoy.


“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS


 

Adding a group to the local administrators group

3:24 pm in ConfigMgr 2007, SCCM 2007, SMS, Sms 2003 by The WMI guy

Systems management products often require you to be an administrator on several machines, and SMS 2003 and SCCM 2007 are no different in this respect. Microsoft's systems management product requires administrative privileges on the servers to roll them out as site systems, and on the clients (depending on your client installation method) to push out the client successfully.


Combined with the best-practice security principle of "least privilege", this means creating a group that gets you this permission level without having to be a domain administrator. You could configure a restricted group in Group Policy for the Administrators group and add the members you want to it, but the Members setting replaces the current membership of the Administrators group with exactly the members configured in the GPO. This might be fine on your site servers, where you know exactly what needs to be in there, but in large environments and on your desktop machines it quickly becomes cumbersome.


Microsoft updated the restricted groups behaviour in Windows 2000 SP4 and issued a fix for Windows XP SP1 that makes the "Member of" portion of restricted groups usable. It allows you to create a GPO entry for a group of your own and have that group added to the local Administrators group of every machine applying the GPO, while the existing members of Administrators stay in place. It may not be entirely SMS or SCCM related, but it is one of those things I do during my initial installation steps at almost every customer site, so I think it is a worthwhile topic for a first blog entry.


Step-by-step guide


1) Create two domain groups (I usually use gg_desktopadmins and gg_serveradmins).


2) Create two GPOs, one to add members on the desktops/laptops and one for the servers (link the GPOs to the relevant OUs later).


3) Edit the desktop admins GPO.


4) Right-click Computer Configuration\Windows Settings\Security Settings\Restricted Groups and select Add Group.


5) Browse for your newly created group and click OK a few times.


6) Double-click the group in the details pane.


7) In the "This group is a member of" section of the dialog box that opens, type Administrators and press OK a couple of times again. Leave the "Members of this group" section empty.


8) Link the GPO to a test OU.


9) Log on to a machine that is a member of the test OU.


10) Open a command prompt and type net localgroup administrators to review the current membership of the Administrators group.


11) Run gpupdate /force (on XP or 2003) or secedit /refreshpolicy machine_policy /enforce (on an old Windows 2000 machine).


12) Run net localgroup administrators again; if all is well, you should see that your new group has become a member of the Administrators group, with the old memberships left intact.


 More information can be found here: http://support.microsoft.com/kb/810076


Note that if you configure both the Members and the Member Of properties of restricted groups for the same target group, the results are unpredictable, since there is no way of knowing which setting will be processed first. Also remember what you have just built: whoever is in gg_serveradmins is now an administrator on every server under that OU. Keep the membership of those two groups small, review it regularly, and treat the groups themselves and the GPOs that push them as high-value targets.
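Steps 10 to 12 verify one machine by hand. The script below is an added example written for this article (not part of the original post, and not Microsoft's tooling) that does the same check across a list of machines: it reads each machine's local Administrators group through the WinNT ADSI provider, confirms that the group pushed by the GPO is present, and lists any member you did not expect. The computer names and the expected member list are placeholders you replace with your own; reading a remote local group over the WinNT provider needs the file-sharing ports (TCP 139/445) open to the target, and an account that is allowed to enumerate its local groups.

```powershell
# Added example; not part of the original post. Audits the local Administrators group on
# each listed machine: is the group pushed by Restricted Groups ("Member of") present,
# and who else is in there? Equivalent to steps 10-12 of the post, but for many machines.
# Assumptions (placeholders): computer names and the expected member list below.
param(
    [string[]]$Computers = @("DESKTOP01", "DESKTOP02"),                              # hypothetical
    [string[]]$Expected  = @("CONTOSO\Domain Admins", "CONTOSO\gg_desktopadmins")    # hypothetical
)

function Get-LocalAdministrators([string]$computer) {
    $group = [ADSI]"WinNT://$computer/Administrators,group"
    # IADsGroup::Members returns COM objects; read each one's ADsPath via reflection
    $group.Invoke("Members") | ForEach-Object {
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        # "WinNT://CONTOSO/gg_desktopadmins" -> "CONTOSO\gg_desktopadmins"
        ($path -replace "^WinNT://", "") -replace "/", "\"
    }
}

function Test-LocalAdministrators([string]$computer) {
    $members = @(Get-LocalAdministrators $computer)
    # the built-in local Administrator account is expected on its own machine;
    # if it has been renamed it will show up as "missing" plus one "unexpected" entry
    $wanted  = $Expected + "$computer\Administrator"
    @{
        Computer   = $computer
        Missing    = @($wanted  | Where-Object { $members -notcontains $_ })   # GPO not applied yet?
        Unexpected = @($members | Where-Object { $wanted  -notcontains $_ })   # leftovers to review
    }
}

foreach ($c in $Computers) {
    try   { $r = Test-LocalAdministrators $c }
    catch { Write-Warning "$c : could not read Administrators ($_)"; continue }
    if ($r.Missing.Count -eq 0 -and $r.Unexpected.Count -eq 0) {
        Write-Host "$c : OK"
    } else {
        if ($r.Missing)    { Write-Warning "$c : missing    $($r.Missing -join ', ')" }
        if ($r.Unexpected) { Write-Warning "$c : unexpected $($r.Unexpected -join ', ')" }
    }
}
```

A machine that reports the GPO group as missing has usually not refreshed policy yet (step 11); the "unexpected" list is the one worth reading, since the Member Of setting deliberately leaves existing members alone and this is the only place you will see who they are.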


 Enjoy.


“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS