You are browsing the archive for 2008 July.

Sccm, Scom, Remote SQL 2005 & the Windows server 2008 firewall

7:49 pm in ConfigMgr 2007, MOM, Operations Manager 2007, Opsmgr 2007, SCCM 2007, SCOM 2007, SMS, Sms 2003 by Kenny Buntinx [MVP]

Hi All,

Let’s start by saying that this blog post is probably more OpsMgr related, but all topics are valid for a remote SQL Install for Sms, SCCM or any of the other System center products, so I guess it’s still ok to post it here.

Look, I am not all that good with popular quotes, never seem to be able to remember them just right. But this is one of them that I have never had trouble remembering. “It is all fun and games until someone throws a firewall into the mix”.


Not sure who the quote is from, but I am pretty sure he was referring to my lab environment. Yesterday, I redeployed my OpsMgr 2007 environment to test the installation on Windows Server 2008. I figured: install a new SQL server on 2008 on one machine, then install OpsMgr 2007 on another, shouldn’t take more than a single evening. I’ll start rolling out agents and importing management packs the day after. Seemed like a plan at the time.


So I installed PowerShell, IIS, the IIS 6 compatibility tools, in short all the requirements to install SQL 2005 Reporting Services on a Windows Server 2008, as listed here:

Then I installed SQL 2005, the database engine and a default install of SQL reporting services, followed by applying SP2.

Next, I installed the SCOM database, no problem at all, I am on a roll here.


Then I started the management server and console install on the remote box. Err.

The root management server complained that it couldn’t find the database. I slapped myself on the forehead: sure, you silly, you still need to enable the TCP/IP protocol in the SQL Server configuration. I checked, and found that TCP/IP was already enabled as a listening protocol.

Hum, strange, opened a dos box, and ran netstat -a -n -p tcp to see whether my sql box was listening on port 1433. Lo and behold, it wasn’t. You see, I know it was something like that. Still took me a while to figure out that my SQL Server, which was running in a specific named instance was listening on dynamic ports. (If anyone knows how that could have happened just let me know).

Now, I wasn’t going to let something as silly as that stand between me and my plan, so I configured the SQL TCP/IP protocol for this instance to listen on port 1433, and restarted the SQL Server service as listed here:

I subsequently ran netstat -a -n -p tcp again and tada, the server was listening fine on port 1433.


Back to the original task at hand: install the OpsMgr management server. Err.

Database still not found. OK, I am getting fed up with this. I downloaded Microsoft’s portqry tool, and verified whether I could access port 1433 from the remote machine. The portqry -n sqlserver01 -e 1433 came back with a response of Filtered. Another slap on the forehead: you nitwit, you have the Windows Server 2008 firewall running. So I went to the SQL box, and decided NOT to disable the firewall but to configure it to open port 1433, as described here:

Once done, I ran my portqry again, and it showed up as listening, great, we’re back on track.


I launched the Opsmgr management server installation again, and the darn thing failed on me again.

Luckily for me the log file came around telling me that a custom action in the msi had closed the handle too soon, and that it should be configured not to do that. “_SetRootHealthService_Wizard unexpectedly closed the hInstall handle” was the error message at hand. So after telling the _SetRootHealthService_Wizard that it wasn’t allowed to close the handle so soon, or that I would put it in the naughty corner, I retried the installation.


Apparently my authority, which still works on my 3-year-old son, didn’t impress the _SetRootHealthService_Wizard. In an illuminated attempt to still get this to work I went back to the SQL server box and configured the firewall to log dropped packets. Retried the installation again, which obviously failed, and went back to analyze the Windows Server 2008 firewall log on the SQL box. This revealed dropped packets on UDP port 1434. Oh, now that’s easy enough to fix, let’s just open that port and we’re set. Erm, wait a minute, I thought all SQL database engine communication went over TCP port 1433, what’s up with this UDP port 1434 all of a sudden?


Great, after having this miracle idea of deploying SQL on a box with the firewall still running, I’ll have curiosity kick in. This is going to set back my planning on this a couple of hours, or at least that’s what I thought, but Live Search and SQL Magazine to the rescue: UDP port 1434 reportedly is needed to access a named instance:


Now that I had settled my curiosity, I was free to open UDP port 1434 in the SQL Server firewall and retry the OpsMgr root management server installation, and kadadzing, the install completed with success.



“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS
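
The firewall changes and the dropped-packet check from the post above, as an added PowerShell example that is not part of the original post. The management server address, the rule names and the sample log lines are constructed placeholders, and limiting the rules with remoteip is an assumption added here.

```powershell
# Added example. Run elevated on the SQL Server box (Windows Server 2008).
# $MgmtServerIp and the rule names are placeholders, not values from the post.
$MgmtServerIp = '192.0.2.10'

function Add-SqlFirewallRule {
    # TCP 1433: the static port the named instance was reconfigured to listen on.
    netsh advfirewall firewall add rule name=SQL-Instance-TCP-1433 dir=in action=allow protocol=TCP localport=1433 "remoteip=$MgmtServerIp"
    # UDP 1434: SQL Server Browser, which clients query to locate a named instance.
    netsh advfirewall firewall add rule name=SQL-Browser-UDP-1434 dir=in action=allow protocol=UDP localport=1434 "remoteip=$MgmtServerIp"
    # Log dropped packets so the next blocked port shows up in the firewall log.
    netsh advfirewall set allprofiles logging droppedconnections enable
}

function Get-DroppedPort {
    # Summarise DROP entries from firewall log lines as "PROTOCOL/dst-port from src-ip".
    # Field order: date time action protocol src-ip dst-ip src-port dst-port ...
    param([string[]]$Lines)
    $Lines |
        Where-Object { $_ -and $_ -notmatch '^#' } |
        ForEach-Object {
            $f = $_.Split(' ')
            if ($f.Length -ge 8 -and $f[2] -eq 'DROP') {
                '{0}/{1} from {2}' -f $f[3], $f[7], $f[4]
            }
        } |
        Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample in the Windows Firewall log format (not taken from the post).
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2008-07-20 19:31:02 DROP UDP 192.0.2.10 192.0.2.20 52311 1434 48 - - - - - - - RECEIVE',
    '2008-07-20 19:31:03 DROP UDP 192.0.2.10 192.0.2.20 52311 1434 48 - - - - - - - RECEIVE',
    '2008-07-20 19:31:05 ALLOW TCP 192.0.2.10 192.0.2.20 49722 1433 0 - 0 0 0 - - - RECEIVE'
)
Get-DroppedPort -Lines $sample

# Against the live log (default location), after a failed setup attempt:
#   Get-DroppedPort -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
# Then open the ports and re-test from the management server:
#   Add-SqlFirewallRule
#   portqry -n sqlserver01 -e 1433
#   portqry -n sqlserver01 -p udp -e 1434
```
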

Customize the Sccm 2007 console with additional actions

9:39 pm in AdminUi, ConfigMgr 2007, SCCM 2007 by Kenny Buntinx [MVP]

One of the customization steps no Configmgr administrator should be without, is a set of additional right-click actions.

My personal favorite set, is the set from Rick Houchins, which you can find here:

After you launch the install you need to choose between a server or workstation install


If you install the tools on the server, then the rest is simple next, next, finish, follow-the-wizard stuff.

If you install the tools on a workstation, then you still need to fill out the site code, site server and management point.



Once installed you will see the configmgr console tools installed in the Add/remove programs control panel snap-in


On the ConfigMgr console you will see a couple of new actions available:

You can find these additional actions in the following spots:

  • On Each collection in the tree & details pane
  • On each collection member in the details pane
  • On advertisement instances in the details pane
  • On the Software updates node in the tree & details pane


These tools can make the life of any sms admin a whole lot easier.


This concludes yet another step in customizing the sccm admin console.

Stay tuned, for the next post when we start doing the customization deep dive.


“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS

Upgrading the Windows AIK before upgrading to Configuration Manager 2007 SP1

11:35 am in ConfigMgr 2007, migration, SCCM 2007 by Kenny Buntinx [MVP]

Before beginning the upgrade process to Configuration Manager 2007 SP1, the Windows AIK 1.0 should be uninstalled from the SMS Provider computer for the site to allow SP1 Setup to install Windows AIK 1.1 to support SP1 OSD WIM images.

If the Windows AIK 1.0 is not uninstalled prior to beginning SP1 Setup, and a PXE service point is installed in the site running the Windows Deployment Services (WDS) Server service, the upgrade might fail and result in an unexpected restart and post-upgrade SMS Executive service crashes.

The following information has been added to the documentation library for Configuration Manager 2007, but we won’t be able to publish it to the Web until we refresh the documentation library when Configuration Manager 2007 R2 is released. In the meantime, I’m making this post to give you the information that you need to successfully upgrade Configuration Manager 2007 sites to SP1 and troubleshoot an issue that you might encounter. (continue at source)

Building a custom Configmgr 2007 admin console

9:15 pm in ConfigMgr 2007, SCCM 2007, SMS, Sms 2003 by Kenny Buntinx [MVP]

The work that needs to be done in the Configuration Manager 2007 admin console is often spread out amongst different team members. Not all of these team members require access to the full admin console. Most environments do configure the permission set in a somewhat restrictive manner so that team members only have the permissions they need, but what is often forgotten is building a custom minimal admin console with access to just the features people need.

This isn’t done for security reasons, since the additional security it brings is negligible, but for usability. It makes the admin console easier to use, and avoids access denied errors or empty detail panes because someone clicks on a heading in the admin console for which they don’t have permission.


Now how do you build such a custom Configmgr 2007 admin console you might ask.

Step 1) You launch mmc.exe

Step 2) In the File menu, you select Add/remove snap-in

Step 3) Add the system center configuration manager snap-in, and select the “Select console tree items to be loaded (custom)” radio button.


Step 4) Select the console tree items you want


Step 5) Click Next, Finish and Ok, below is a screenshot of the tree pane of the custom console I created


Step 6) Select “System Center Configuration manager” in the tree pane, right-click it and select “New Window from here”

Step 7) In the File menu select options

Step 8) Name your console “Custom Configmgr admin console”

Step 9) In the console mode select “User mode – Limited access, single window”

Step 10) Clear the checkbox for “Allow the user to customize view”

Step 11) Tick the checkbox for “Do not save changes to this console”

Step 12) In the file menu save your snap-in

Step 13) In the prompt about multiple windows being open click “Yes”


Step 14) Launch your customized mmc console and verify whether everything looks according to plans.

PS: a similar option was already available in sms.





“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS

Capturing logs during failed Task Sequence Execution

6:25 pm in ConfigMgr 2007, migration, SCCM 2007 by Kenny Buntinx [MVP]

Steve Rachui: Every OSD administrator knows the feeling of configuring a complex (or even simple) OSD Deployment, testing and releasing – only to have the deployment fail. At failure, OSD will begin a countdown to reboot and, on restart, the logs are often lost and we administrators are left wondering what went wrong. To find out we have to start the deployment again and spend time waiting for the failure. Wouldn’t it be cool if we had a way to automate forcing OSD to collect logs when it fails before exiting? Good news! :)

I have spent some time recently working on just how to do that and we have two examples – both use the same approach but one is for generic task sequences (those sent through advertisements, etc.) and the other is for OSD deployments. Let’s start with the generic one, explain the needed steps and then show how we incorporate that into OSD. (continue at source)

SCCM : Vista SP1 Installations Deployed Using Operating System Deployment Cannot Hibernate !

7:21 pm in ConfigMgr 2007, migration, SCCM 2007 by Kenny Buntinx [MVP]


When the Configuration Manager 2007 operating system deployment feature is used to deploy a Vista SP1 image, a new boot configuration data (BCD) store is created using the BCD template. Configuration Manager 2007 explicitly creates the Boot Manager and Operating System objects from the BCD template, but allows the Resume object to be created implicitly by Windows Vista when it goes through mini-setup. Vista SP1 correctly generates the Resume object during mini-setup but the associated Resume settings objects are not generated. Because there are no Resume settings objects, hibernate functionality does not work.


To resolve this issue, run the following script on Vista SP1 computers deployed using Configuration Manager 2007 operating system deployment to create the missing Resume settings objects. To run the script, type the following at a command prompt:

cscript.exe /nologo scriptname.vbs

This script can be deployed in two scenarios:

  • Run as part of the Vista SP1 deployment: Incorporate the script into the operating system deployment task sequence as a Run Command Line step once the new operating system is installed.

  • Run after Vista SP installation: Incorporate the script into a software distribution package/program and then advertise it to existing computers previously deployed with Vista SP1 using Configuration Manager 2007 SP1.

Code Snippet:

' Connect to WMI
set oLocator = CreateObject( "WbemScripting.SWbemLocator" )
set oRootWMI = oLocator.ConnectServer( ".", "root\wmi" )
oRootWMI.Security_.ImpersonationLevel = 3

' Connect to BCD (trap the error so the check below can report it)
On Error Resume Next
set oBCD = GetObject( "winmgmts:{impersonationlevel=Impersonate,(Backup,Restore)}!root/wmi:BcdStore")
if Err.number <> 0 then
    WScript.Echo "ERROR: Failed to connect to BCD"
    WScript.Quit 1
end if
On Error GoTo 0

' Open the system store (an empty path selects the system BCD store)
if not oBCD.OpenStore( "", oBcdStore ) then
    WScript.Echo "ERROR: Failed to open the system BCD store"
    WScript.Quit 1
end if
set oBCD = nothing

const ResumeLoaderSettingsBcdObject = "{1afa9c49-16ab-4a5c-901b-212802da9460}"
const GlobalSettingsBcdObject = "{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}"

' Check to see if the {resumeloadersettings} object already exists;
' if it does, stop here instead of trying to create it again
if oBcdStore.OpenObject( ResumeLoaderSettingsBcdObject, objWBM ) then
    WScript.Echo "Resume Loader Settings object already exists in BCD"
    WScript.Echo "No changes have been made to the system"
    WScript.Quit 0
end if

WScript.Echo "Creating new {resumeloadersettings} object..."
if not oBcdStore.CreateObject( ResumeLoaderSettingsBcdObject, &h20200004, oResumeSettings) then
    WScript.Echo "ERROR: Failed to create the BCD object"
    WScript.Quit 1
end if

' Make the new object inherit from {globalsettings}
if not oResumeSettings.SetObjectListElement(&h14000006, Array(GlobalSettingsBcdObject )) then
    WScript.Echo "ERROR: Failed to set the Inherit element"
    WScript.Quit 1
end if

WScript.Echo "Finished updating BCD"


You can read the original post here.  Enjoy!

Using Task Sequence Variables to customize deployments by Ronni Pedersen

7:53 pm in ConfigMgr 2007, SCCM 2007 by Kenny Buntinx [MVP]

Hey Guys ,

Got this from Ronni Pedersen’s blog, and it looks very handy for people dealing with different keyboard/regional settings in a country like Belgium.


Living in a non-english speaking country like Denmark, I often have to deal with deploying English versions of Windows XP and/or Windows Vista, with other Regional Settings, Keyboard Settings, Time Zones etc.

In the past I’ve created a VBScript to modify the sysprep.inf or the unattend.xml, after laying down the image on the client. The values were configured with Collection Variables or Computer Variables. The script collected the value during deployment, and replaced the value in the sysprep.inf or unattend.xml file before restarting into mini setup.

This year at TechEd in Orlando, I attended a great session on Windows Deployment with Configuration Manager (Part 1 of 4) with Michael Kelly. In this session he showed a demo, where he created a custom variable (“XRes” and “YRes”), and typed the variable directly in sysprep.inf like this:


This was a simple example, but it gave me a lot of ideas to work with. And as a result of this, I no longer need my “fancy” script to take care of my deployments anymore. This is how I do it now (example):

For my Windows XP deployments I’ve created a sysprep.inf that looks like this:
(This can also be done with Windows Vista deployments, but you’ll need to use the unattend.xml and the format should be in XML).


The sysprep.inf file should be placed in a package in order to use it from the task sequence.

Click to read the rest

 Kenny Buntinx

Configuration Manager 2007 R2 hits RC

5:44 pm in ConfigMgr 2007, SCCM 2007 by Kenny Buntinx [MVP]

The Release Candidate of ConfigMgr 2007 R2 has been posted to the Microsoft Connect site today.

SCCM 2007 R2 requires ConfigMgr 2007 SP1.

What does R2 add to ConfigMgr 2007 as an extra:

  1. Application Virtualization management support

  2. Forefront Client Security Integration

  3. SQL Reporting Services Reporting – Allows you to report on Configuration Manager activity using SQL Reporting Services

  4. Client Status Reporting

  5. Unknown computer support : In Configuration Manager 2007 R2, you can deploy operating systems to computers using a PXE service point without first adding the computer to the Configuration Manager database.

  6. Multicast deployment :Previously, all operating system deployments used unicast. Multicast can make more efficient use of network bandwidth when deploying large images to several computers at the same time.

  7. Running command lines in task sequences with credentials other than the local system account.

Rgds ,

 Kenny Buntinx

Making ISA server working with Internet Managed Based Client

6:46 pm in ConfigMgr 2007, SCCM 2007 by Kenny Buntinx [MVP]

Just to let you know that the ISA Server documentation team has just published How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management.

 This article has step-by-step instructions for publishing an Internet-based site system server behind ISA, and using SSL to SSL bridging (also known as symmetric bridging). It lists the requirements for the instructions to be successful, and then takes you through the processes of creating a security group for ISA to use, deploying a client certificate for the Internet-based clients, deploying the certificates for ISA, and configuring ISA for Web publishing on ISA Server 2006. The appendixes have additional information for how to create a certificate template, the equivalent configuration steps for ISA Server 2004, and how to configure server publishing (SSL tunneling) as an alternative solution to SSL bridging.

 Kenny Buntinx

PSP Role in SCCM & WDS issues

11:08 am in ConfigMgr 2007, migration, SCCM 2007 by Kenny Buntinx [MVP]

Hey ,

 I already wrote a previous blog post about this marvelous problem where all of a sudden you can’t boot from PXE anymore. It says PXE-T01 No boot File found. If you dig deeper into the c:\windows\temp folder, there is a hidden PXEBootfiles folder to see…

The problem was goofy ACLs on c:\Windows\temp\pxebootfiles. When I attempted to revise the security, I got an Access is Denied message. Once the above directory was deleted, the SMSBoot folder would populate when the boot image was refreshed on the PXE point. If you get this error, you need to locate the folder (it is hidden), take ownership of it, and delete it. The folder will be at %temp%/PXEBootfiles.

 This worked BEFORE SCCM SP1 !!

 After I applied SP1 @ customer site , it did not work … What the hell ?

 The solution was simple & logic , but hard to find out why  :

If you put an operating system image on and select the SMSPXEIMAGES$ distribution point instead of the normal distribution point, you will receive an access denied error and the ownership on %temp%/PXEBootfiles is taken by a goofy SID account that does not resolve. The error occurs because the permissions from the WIM file are applied to the PXE temp folder used for extracting binaries, and the logged-in user does not have permissions to delete those folders. Therefore, the PXE service point fails to extract binaries because it cannot delete or access the temp folders for extracting purposes.

Make sure that you do not have an OS Image or OS Package being distributed to your \\YOURSERVER\SMSPXEIMAGES$! After this step you need to locate the folder (it is hidden), take ownership of it, and delete it. The folder will be at %temp%/PXEBootfiles. Restart the WDS services and the SMSBoot folder will populate automatically.

PXE boot will work again!

Kenny Buntinx