Last week I was deploying the SCCM SW update feature. I had done it a lot of times before, so I thought it was easy. I did everything: deployment template, package, update list, WSUS GPO, everything, and deployed a security hotfix to a test server and oops. It won’t get deployed.
Some logging revealed the following warning message in the client's updatesdeployment.log: "unable to evaluate assignment GUID as it is not activated yet".
I spent 2 hours trying to figure out the problem, then went to lunch, spending another 2 hours at lunch :). Then I got back to find that the update was deployed. At first glance I thought it was related to the GPO settings, as it was scheduled to run at 3 AM and the update deployed at 3 PM exactly, so I thought something was going on.
After some advice from the great SCCM people, I found that the deployment plan is configured to run at UTC time. Since I was +4 hours ahead of UTC and I created the package at 11 AM, it got deployed at 3 PM :).
So to force the update to occur at the specified time you have to make sure that the schedule is set to the local client time, or make sure to calculate the UTC + and -.
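An added example (not from the original post) that reproduces the trap described above: given the time typed into the deployment schedule, it shows when the deployment actually fires on clients in several time zones, depending on whether the schedule was saved as UTC or as client local time. The Windows time zone ids used are assumptions; "Arabian Standard Time" stands in for the +4 offset.

```powershell
function Get-DeploymentStartTime {
    param(
        [Parameter(Mandatory=$true)] [datetime] $ScheduledTime,     # as typed in the console
        [Parameter(Mandatory=$true)] [string[]] $ClientTimeZoneIds, # Windows time zone ids
        [switch] $ScheduleIsUtc                                     # "UTC" option checked?
    )
    # Treat the typed value as a bare wall-clock time; tag it explicitly below.
    $typed = [datetime]::SpecifyKind($ScheduledTime, 'Unspecified')
    foreach ($id in $ClientTimeZoneIds) {
        $clientTz = [TimeZoneInfo]::FindSystemTimeZoneById($id)
        if ($ScheduleIsUtc) {
            # Stored as UTC: each client converts it into its own zone, so 11:00
            # typed on a UTC+4 console becomes 15:00 on a UTC+4 client.
            $utc   = [datetime]::SpecifyKind($typed, 'Utc')
            $local = [TimeZoneInfo]::ConvertTimeFromUtc($utc, $clientTz)
        } else {
            # Client local time: every client fires at the typed wall-clock time.
            $local = $typed
        }
        [pscustomobject]@{
            ClientTimeZone = $id
            FiresAt        = $local.ToString('yyyy-MM-dd HH:mm')
            ShiftHours     = ($local - $typed).TotalHours   # how far off the typed time
        }
    }
}

# Package created at 11:00 with the UTC option on: a UTC+4 client fires at 15:00.
# (Sample date and zones are constructed for this example.)
Get-DeploymentStartTime -ScheduledTime '2008-03-10 11:00' `
    -ClientTimeZoneIds 'Arabian Standard Time','UTC','Pacific Standard Time' -ScheduleIsUtc |
    Format-Table -AutoSize

# Same schedule saved as client local time: every client fires at 11:00.
Get-DeploymentStartTime -ScheduledTime '2008-03-10 11:00' `
    -ClientTimeZoneIds 'Arabian Standard Time','UTC','Pacific Standard Time' |
    Format-Table -AutoSize
```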
Next week I will be deploying SCOM SP1, so we will talk a lot about SCOM… c ya
I have collected this from here and there. I had the chance to plan a deployment in a 4-forest network; SCCM was deployed in the central forest, and clients will be distributed across the other 3, so I decided to go with a mixed mode secondary site in each forest. Here are the design/configuration notes:
1.1 External Forests Design:
When deploying Configuration Manager 2007 across multiple Active Directory forests, plan for the following considerations when designing your Configuration Manager 2007 hierarchy:
- Communications within a Configuration Manager 2007 site
- Communications between Configuration Manager 2007 sites
- Support for clients across forests
- Configuring clients across Active Directory forests
- Approving clients (mixed mode) across Active Directory forests
- Roaming support across Active Directory forests
- Cross-forest communications between Configuration Manager sites
Data is sent between sites in a Configuration Manager 2007 hierarchy to enable central administration within a distributed model. For example, advertisements and packages flow down from a primary site to a child primary site, and inventory data from child primary sites is sent up to the central primary site. This information is sent between site servers in the hierarchy when the site communicates with a parent or child site. Data sent between sites is signed by default, and because sites in different Active Directory forests cannot automatically retrieve keys from Active Directory, manual key exchange using the hierarchy maintenance tool (Preinst.exe) is required to configure inter-site communication.
When one or more sites in the Configuration Manager 2007 hierarchy reside within a different Active Directory forest, Windows user accounts have to be configured to act as addresses for site-to-site communications except in the following scenario:
1.1.1 Client assignment in multiple forests:
If the clients will not roam from one forest to another during the assignment process, then you can extend the AD schema in your new forest and the clients in this forest will find their site and assign successfully (on the assumption that they are all domain-joined and not workgroup computers). If the clients are on the network of the original forest during assignment, this won’t work – they will need to obtain site information from an SLP.
Once assigned, clients in the second forest then need to find their default management point. If they are on the second forest's network and the schema is extended, they will find their default management point from AD. However, if they are on the original forest's network, locating the default management point via AD will probably fail (although I’m not 100% sure of this – could they locate a GC server in their own forest?), and they will need an alternative mechanism – which could be DNS, SLP, or WINS.
For the clients to be assigned, the following must be configured correctly:
- Boundaries must not overlap between sites.
- Extend AD in each forest.
- Make sure that you have an SLP for the hierarchy (central site) and that clients can locate it as their backup mechanism for service location (the easiest way is to assign it during client installation).
- Make sure that DNS resolves all server names between the different namespaces (e.g. forwarders, stub zones, or root hints).
- Configure DNS publishing for the default management point, and specify the DNS suffix for the client during installation.
With this combination, clients will try to use their local AD for site assignment and for locating a management point. If this fails, they will use the SLP for site assignment and DNS for locating the management point.
1.1.2 Accounts and Security requirements:
In order to allow communication between sites in different forests, the following criteria have to be met:
- All Active Directory forests are configured for the forest functional level of Windows Server 2003 and have a two-way forest trust.
- Sender address accounts must use domain user accounts that are valid within the target forest to enable site-to-site communication.
- The sender account must be a local administrator on each server with a child site role installed.
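An added example, not part of the original notes, that checks from a client in the second forest the name-resolution prerequisites listed under 1.1.1: that the management point and the SLP resolve across namespaces, and that the SRV record created by MP DNS publishing can be found. The site code, server names and DNS suffix are assumed values.

```powershell
$SiteCode  = 'S01'                      # assumed site code of the client's site
$MpFqdn    = 'mp01.child.example.com'   # assumed default management point
$SlpFqdn   = 'slp01.hq.example.com'     # assumed SLP in the central forest
$DnsSuffix = 'child.example.com'        # suffix where MP DNS publishing writes its SRV record

function Test-HostResolution {
    param([string] $Fqdn)
    # Plain A/AAAA lookup; fails unless forwarders, stub zones or root hints
    # cover the other forest's namespace.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
        [pscustomobject]@{ Name = $Fqdn; Resolved = $true;  Detail = ($ips -join ', ') }
    } catch {
        [pscustomobject]@{ Name = $Fqdn; Resolved = $false; Detail = $_.Exception.Message }
    }
}

function Test-MpSrvRecord {
    param([string] $SiteCode, [string] $DnsSuffix)
    # MP DNS publishing registers _mssms_mp_<sitecode>._tcp.<suffix>. nslookup is used
    # because it exists on every Windows version that can run the SCCM 2007 client.
    $record = "_mssms_mp_$SiteCode._tcp.$DnsSuffix"
    $output = & nslookup.exe -type=SRV $record 2>&1 | Out-String
    [pscustomobject]@{
        Name     = $record
        Resolved = ($output -match 'svr hostname')   # printed only when an SRV answer came back
        Detail   = $output.Trim()
    }
}

# Both names must resolve for AD-based and SLP-based site assignment to work.
Test-HostResolution $MpFqdn
Test-HostResolution $SlpFqdn
# The SRV lookup is what the client falls back to when the AD lookup of the MP fails.
Test-MpSrvRecord -SiteCode $SiteCode -DnsSuffix $DnsSuffix
```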
As some of you may have noticed, after applying SP1 you will not be able to collect some performance data and get alerts as before. Some DB performance counters were changed in SP1, which causes the performance data not to be collected, so here is exactly what is going on. As far as is reported, the only performance counter object that was changed in SP1 was the Database object, which was renamed to the MSExchange Database object (this affects the Mailbox, Hub Transport and Edge Transport roles). A list of where these counters appear is below. The alerts customers could be missing are the ones generated by the monitors. Obviously the views and data collection rules do not work either.
In terms of workarounds, you could disable the 2 rules and monitors and create a separate MP where the rules collect the “right” performance counters and the monitors take their configuration from the rules. You’d need to do the proper targeting, but the MP classes are declared as public, so you can refer to them from another MP.
Note that the updated MP will look for the updated (SP1) counters only, i.e. customers could expect to see similar types of behavior from their monitored Exchange 2007 RTM servers.
- Information_Store__Version_buckets_allocated___Red_2000_._5_Rule.AdvancedAlertCriteriaMonitor (takes data from the rule with the same name)
- Information_Store__Version_buckets_allocated___Yellow_1800_._5_Rule.AdvancedAlertCriteriaMonitor (takes data from the rule with the same name)
I am at the airport now; I just wanted to give you a quick tip: the new Exchange management pack for SCOM is not looking for the old CustomUrls key, it is looking for CustomOwaUrls, so beware of that as it might trick you.
Wish me a safe trip.
Here is a nice tip.
We had a lot of issues where the customer is losing the parent/child trust. This is caused by a lot of reasons: either a corrupted TDO object, a faulty AD, or an admin who is playing with the wrong tools. So here are 2 things to do:
- Search the TDO for similar accounts with the same name that may cause the trust to be lost, and remove them:
o Use ldifde -f dump.ldf -r "(sAMAccountName=domainname*)"
o Check the ldifde dump for the accounts that have the same sAMAccountName as the domain and might be conflicting with the TDO object “don’t ask what causes that”
- Now delete the trust from the parent domain and from the child domain. You might need to delete the TDO object, those are here:
- Make sure that the changes have been replicated.
- For the parent domain run the following command: netdom trust childdomain.parentdomain.com /domain:ttsl.com /UserD:parent_admin /PasswordD:* /UserO:child_admin /PasswordO:* /add
- Make sure that the changes have been replicated.
- Not sure about the restart requirement; in my case I had to reboot the PDC.
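An added example (not the original post's commands) that does the same search as the ldifde step above with DirectorySearcher, so the trust's own account and any conflicting objects with the same name are listed side by side before anything is deleted. The child domain's NetBIOS name and the parent domain's DN are assumed values.

```powershell
$ChildNetbios = 'CHILD'                        # assumed NetBIOS name of the child domain
$ParentDn     = 'DC=parent,DC=example,DC=com'  # assumed DN of the parent domain

function Find-TrustAccountConflicts {
    param([string] $DomainNetbios, [string] $SearchBaseDn)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Same filter as the ldifde export: everything whose sAMAccountName starts with the
    # domain name. The trust's own account is the user object "<DOMAIN>$" flagged
    # INTERDOMAIN_TRUST_ACCOUNT (0x800); any other object carrying that name is the conflict.
    $searcher.Filter   = "(sAMAccountName=$DomainNetbios*)"
    $searcher.PageSize = 500
    foreach ($p in 'distinguishedName','sAMAccountName','objectClass','userAccountControl') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        $uac = 0
        if ($r.Properties['useraccountcontrol'].Count -gt 0) {
            $uac = [int]$r.Properties['useraccountcontrol'][0]
        }
        $classes = @($r.Properties['objectclass'])
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            ObjectClass       = $classes[-1]                 # most specific structural class
            IsTrustAccount    = (($uac -band 0x800) -ne 0)   # the legitimate trust account
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

# Exactly one row should be the trust account; anything else named "<DOMAIN>$"
# (a user, computer or group) is what breaks the trust and should be reviewed.
Find-TrustAccountConflicts -DomainNetbios $ChildNetbios -SearchBaseDn $ParentDn |
    Sort-Object IsTrustAccount -Descending | Format-Table -AutoSize
```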
I just want to bring to your attention a new bug reported a couple of hours ago: if you send digitally signed emails and you have an Edge server with attachment filtering enabled, the message will be delivered with “the message cannot be verified” errors, so you will have to disable the attachment filtering to be able to deliver the message successfully.
Just wanted to highlight this as you might get that error; this will be fixed in Update Rollup 2 for SP1.
A recent question has been raised by a lot of consultants and customers: how do we seed an SCR target over the WAN with a huge DB size “whatever the size is”? The obvious answer is to do offline seeding by taking the DB offline, copying the EDB file to the remote location and mounting the DB, but this poses a new challenge by taking the DB offline during the seeding process, which might take ages and ages.
The answer is simple: you don’t have to keep the DB offline. In fact, you don’t have to take the DB offline at all if you use the TargetPath parameter with Update-StorageGroupCopy; you don’t need to take the source offline at all. See http://technet.microsoft.com/en-us/library/aa998853(EXCHG.80).aspx for details on TargetPath.
In general this is how to do it: copy the EDB file locally, either manually or using the TargetPath switch “you don’t need to take the DB offline if you use the switch”, mount the DB, move the EDB to the remote location, start the replication, and seeding should start.
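An added example (not the original post's commands) of the procedure above run from the Exchange Management Shell: seed into a local folder with TargetPath while the source stays mounted, ship the EDB over the WAN with a restartable copy, and resume the SCR copy. Server, storage group, file and path names are assumptions, as is suspending the copy before the seed, which is the normal prerequisite for Update-StorageGroupCopy.

```powershell
$SourceServer = 'MBX01'                     # assumed active mailbox server
$TargetServer = 'SCR01'                     # assumed standby (SCR target) server
$SgIdentity   = "$SourceServer\SG1"         # assumed storage group identity
$EdbName      = 'DB1.edb'                   # assumed database file name
$LocalSeed    = 'D:\Seed\SG1'               # assumed local staging folder on the source
$TargetDbDir  = "\\$TargetServer\D$\Databases\SG1"   # assumed database path of the copy, via admin share

# 1. Pause replication to the SCR target. The source database stays mounted throughout.
Suspend-StorageGroupCopy -Identity $SgIdentity -StandbyMachine $TargetServer

# 2. Seed into a local folder instead of streaming across the WAN.
Update-StorageGroupCopy -Identity $SgIdentity -StandbyMachine $TargetServer -TargetPath $LocalSeed

# 3. Locate the seeded EDB (searched recursively, since the seed may create subfolders)
#    and copy it with robocopy in restartable mode (/Z) so a dropped link resumes.
$edb = Get-ChildItem -Path $LocalSeed -Filter $EdbName -Recurse | Select-Object -First 1
if (-not $edb) { throw "Seeded database $EdbName not found under $LocalSeed" }
& robocopy.exe $edb.DirectoryName $TargetDbDir $edb.Name /Z /R:10 /W:30 /NP
# robocopy exit codes of 8 and above mean at least one file failed to copy.
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 4. Resume the copy; log replay continues from the seeded database.
Resume-StorageGroupCopy -Identity $SgIdentity -StandbyMachine $TargetServer
Get-StorageGroupCopyStatus -Identity $SgIdentity -StandbyMachine $TargetServer
```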
We had an issue recently where the customer installed SAV Mail Security 5.0 on his Exchange 2007 server. After installing it, OWA stopped working and users couldn’t log in using Outlook Anywhere. The answer was that Symantec Mail Security 5.0 was 32-bit, and the server was 64-bit. By installing Symantec Mail Security it moved the OS to 32-bit and changed all the permission rights for IIS, .NET and OWA. Microsoft used a script to convert it back to 64-bit and recreated IIS, .NET and OWA. All worked and is still working just fine.
This is old news “2 weeks actually”, but I have gained 300000 points from Experts-exchange.com in the Exchange Server zone alone. Actually I am among the top 15 players, but because I am so busy I cannot become one of the top 5.
This is such an important step looking forward to the Sage level. :)
By the way, I am on top of the OCS section.
I am afraid this cannot be done. If you try to do that you will get an error stating that you tried to connect to a server with a version that is not supported, so you will have to use the RTM console to manage the RTM version and the SP1 console to manage the SP1 version.