May 11 2009

System Center Config Manager Pre-Con Notes

Category: Random Thought | Kyle Bubp @ 2:52 am

In case anyone cares:

SCCM 2007
Virtual environment, 6 VMs:
1. Domain Controller
2. Site Server
3. Remote Site System
4. XP Client
5. Vista Client
6. Bare metal
DC is ADServer: Server 2003 SP1, runs DNS and DHCP, member of SMSDomain.
Site server is SMSServer: Server 2003 SP2, member of SMSDomain, SQL 2005 SP2 (the minimum supported by SCCM 2007).
Member server is SMSMember: Server 2003 SP2, runs WSUS and WDS.
Clients are installed via Client Push, Software Update Point client installation, or Group Policy.
Configuration packs for compliance can be downloaded.
OS deployment via network boot (PXE).
Remote Help, Remote Desktop, Remote Assistance.


Preparing AD

Active Directory is required for SCCM; all managed systems must be domain members. Extending the schema is recommended, and it is required for Network Access Protection (NAP) integration with Server 2008. The schema extension adds 4 classes and 14 attributes.
To extend the schema you must be a member of Schema Admins, and the forest must allow schema updates.
Errors typically mean you lack rights (error 8202). You do not need to take the Schema Master offline to extend the schema (the online documentation says to).
Turn on Advanced Features in AD Users and Computers to see the System container. Grant the site server's computer account FULL CONTROL on the System Management container under System, then under Advanced apply Full Control to all child objects as well; without that, the site cannot publish its objects there.
In AD Sites and Services:
Never use Default-First-Site-Name as an SCCM boundary. Create a new AD site, bind it to the specific subnets, then move the SCCM server into that site.
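The AD preparation above (schema extension, the System Management container, and the site server's Full Control grant) as one PowerShell script. This is an added example, not part of the pre-con notes. Assumptions: the domain is smsdomain.com, the site server computer account is SMSDOMAIN\SMSServer$, and the install media is mounted at D:\ ; extadsch.exe and its ExtADSch.log are the schema tool and log shipped with ConfigMgr 2007, and MS-SMS-Site-Code is one of the attributes it adds. Run it on a domain member as a user who is in both Schema Admins and Domain Admins.

```powershell
# Added example (not from the notes): prepare AD for a ConfigMgr 2007 site server.
# Assumptions: domain smsdomain.com, site server account SMSDOMAIN\SMSServer$,
# install media at D:\ . Requires Schema Admins + Domain Admins membership.

$siteServer = 'SMSServer'
$netbios    = 'SMSDOMAIN'
$media      = 'D:\'

# 1. Confirm Schema Admins membership before touching the schema (rights errors
#    are the usual cause of extension failures).
$groups = & whoami /groups
if (-not ($groups -match 'Schema Admins')) {
    throw 'Current user is not a member of Schema Admins; schema extension would fail.'
}

# 2. Extend the schema with the tool on the ConfigMgr 2007 media. It logs to
#    ExtADSch.log at the root of the system drive; the schema master stays online.
$extadsch = Join-Path $media 'SMSSETUP\BIN\I386\extadsch.exe'
& $extadsch
Get-Content (Join-Path $env:SystemDrive 'ExtADSch.log') | Select-Object -Last 5

# 3. Verify: one of the 14 new attributes, MS-SMS-Site-Code, must now exist in the schema NC.
$rootDse    = [ADSI]'LDAP://RootDSE'
$schemaNc   = [string]$rootDse.schemaNamingContext
$schemaRoot = [ADSI]"LDAP://$schemaNc"
$searcher   = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $schemaRoot, '(cn=MS-SMS-Site-Code)'
if ($searcher.FindOne() -eq $null) {
    throw 'Schema does not contain MS-SMS-Site-Code; the extension did not apply.'
}

# 4. Create the System Management container under CN=System if it is missing.
$domainDn = [string]$rootDse.defaultNamingContext
$system   = [ADSI]"LDAP://CN=System,$domainDn"
$existing = $system.Children | Where-Object { $_.Name -eq 'CN=System Management' }
if (-not $existing) {
    $new = $system.Create('container', 'CN=System Management')
    $new.SetInfo()
}

# 5. Grant the site server's computer account Full Control (GA) on the container
#    and, via /I:T, on the container and all child objects, so the site can publish.
$containerDn = "CN=System Management,CN=System,$domainDn"
$grant = '{0}\{1}$:GA' -f $netbios, $siteServer    # e.g. SMSDOMAIN\SMSServer$:GA
& dsacls $containerDn /G $grant /I:T
```

Step 5 is the least-privilege version of "Full Control on the System container": the grant is scoped to the System Management container and its children, not to CN=System itself, which is all the site server needs in order to publish its management point, site and boundary objects.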
Installing SCCM
Read the documentation… mm hmm. Run the prerequisite checker. Best performance: site server on a 32-bit OS, SQL Server on a 64-bit OS running 64-bit SQL. The next version will require 64-bit throughout. The SDK server is the SMS Provider and can be the SCCM server itself. The management point is the FQDN of the SCCM server, e.g. smsserver.smsdomain.com.
If using Server 2008 for SCCM, WebDAV is not installed in IIS by default. More involved on Server 2008; sounds like a PITA. Documentation is online.
No advantage at this time to using SQL 2008 over SQL 2005 SP2.
Install using custom settings, never simple settings. With simple settings you lose control over client settings and more.
CEIP ensures developers spend time on the most-used areas of the product. Recommended: checked.
Choose the drive/install location carefully. Never install to the OS drive; the installation cannot be moved later.
3-character alphanumeric site code, which can never be changed. The site name is more descriptive and is also not changeable.
2 site modes. Native mode uses PKI and is the most secure. Mixed mode does not use PKI: clients create a self-signed cert and report back to the CM server. Recommendation: always install in mixed mode. You can migrate to native mode later through the admin console settings and by importing certs. Native mode supports clients over the internet via certificates.
Client agents can be turned on/off at any time.
The management point is where the web components (IIS) are installed.
Clients communicate over HTTP in mixed mode and HTTPS in native mode. Ports can be changed if desired.
The site server must download approximately 80 MB of files from the internet to complete the install. If it has no internet connectivity, go to a command prompt on a computer that does and run setup /download [path] from the SCCM install media. Then transfer the files to the non-internet computer and select the option during installation to use the downloaded files (UNC or local path).
The entire CM environment is supported in virtualization.
Managing CM
If some clients are in a different forest, you must use a Server Locator Point. Assign this role through the admin console.
The site server must have admin rights on integrated component/site system servers such as SQL, WSUS and WDS: add the CM computer object to the local Administrators group on each.
Add site systems by hostname/FQDN. You may use a service account instead of the computer account to manage systems and services, but the computer account is recommended.
If a site system is in a DMZ supporting internet-based clients, select “Allow only site server initiated data transfers from this site system”. The site server then initiates every connection and pulls data from the DMZ system; the DMZ system never connects inward, so you do not have to punch inbound holes in your firewall.
The active software update point is the one clients scan against. You can sync from Microsoft Update or an upstream WSUS server.
Hardware and software inventory are available, with fully customizable schedules. Software inventory by default scans executables on all client hard drives and subfolders. You can also create custom rules with wildcards and variables such as %programfiles%, for clients that install to different drives.
Asset Intelligence is disabled by default. AI has 150,000 application signatures, far better than software inventory. Not recommended to enable all reporting classes, because 2 are not used.
Manage clients via “Collections” under Computer Management.
Discover systems with Active Directory System Discovery (disabled by default). You can target a specific AD container or the whole directory. Discovered systems are automatically assigned to your boundary, which is not the same as being an approved client.
To push clients, CM needs an account with admin rights on every target. Either add a dedicated push account to the local Administrators group on each client, or (as presented) use a Domain Admin; the dedicated account is the better choice, since the push account only needs admin$ access to the clients and its credentials are used against every one of them. Then tell CM about the account under Site Management, Site Settings, Client Installation Methods, Client Push Installation. CM does not validate the account; you must validate it yourself. To validate, go to a command prompt and run net use [drive] \\[memberserver]\admin$ /u:[domain]\[admin push user] [password]. If it completes successfully, you are good.
2 types of client push: admin and automated. Admin is manual; automated pushes a client as soon as it finds a new system in AD. Automated gives you no control over client installation, so admin is recommended. Admin is the default; to automate, go to the General tab in Client Push Installation properties and check the checkbox.
Pay attention to the action pane: you can easily install all clients or delete all clients if you are not paying attention.
If you already have WSUS installed, you can publish the client via WSUS. To pass the same parameters you would use for client push, you need to do nothing extra if you are publishing site information to Active Directory. If not, use the Group Policy ADM template to supply the appropriate parameters.
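The net use validation above, wrapped so it can be run against every target before the push account is handed to CM. This is an added example, not the notes' own text. Assumptions: the push account is SMSDOMAIN\smspush (a dedicated account in each client's local Administrators group), and the target names are constructed for the example; like the notes' net use line, the password is passed to net use on its command line, which is visible in the process list on the machine running the check.

```powershell
# Added example (not from the notes): confirm the client push account can open
# admin$ on each target, because CM does not validate the account itself.
# Assumptions: push account SMSDOMAIN\smspush; target names are made up.

function Test-ClientPushAccess {
    param(
        [string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $user = $Credential.UserName                          # DOMAIN\user
    $pass = $Credential.GetNetworkCredential().Password
    foreach ($c in $ComputerName) {
        $share  = "\\$c\admin`$"
        # net use <share> <password> /user:<domain\user> is the same check as the
        # notes' manual command; a non-zero exit code means no admin$ access.
        $output = & net use $share $pass "/user:$user" 2>&1
        $ok = ($LASTEXITCODE -eq 0)
        if ($ok) { & net use $share /delete /y | Out-Null }   # drop the mapping again
        New-Object PSObject -Property @{
            Computer   = $c
            AdminShare = $share
            PushAccess = $ok
            Detail     = ([string]($output | Out-String)).Trim()
        }
    }
}

$cred = Get-Credential 'SMSDOMAIN\smspush'
Test-ClientPushAccess -ComputerName 'xpclient', 'vistaclient', 'SMSMember' -Credential $cred |
    Format-Table Computer, PushAccess, Detail -AutoSize
```

Any row with PushAccess = False is a machine where the push will fail (or where the account has more rights than it should not have and fewer than it needs); fix the local Administrators membership on that host rather than widening the account's domain privilege.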
To view inventory for a client, right-click the client, Start, Resource Explorer. Shows hardware, hardware history, software, etc.
You can create custom categories in Asset Intelligence and assign unidentified software to them. You can also search online automatically for the correct categories for unidentified software.
You can set requirements for software and then see how many of your computers are out of spec, or define your own products/software and requirements.
An Asset Intelligence certificate is required for an AI Synchronization Point. Fortunately, Microsoft now provides this .pfx for free. Call MS.
To get all system resources in a custom query, the query must include the resource type and resource ID (ResourceType and ResourceID).
2 types of collections: direct membership and query-based. Query-based is recommended.
You can publish/advertise packages and have clients download the package from the CM server (distribution point).
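A query-based collection built the way the two notes above describe: the WQL returns ResourceID and ResourceType alongside the name, and the rule is attached to a new collection through the SMS Provider. This is an added example, not the notes' or Microsoft's code. Assumptions: the site code is LAB and the provider runs on smsserver.smsdomain.com (the notes name no site code); the WMI class and method names (SMS_R_System, SMS_Collection, SMS_CollectionRuleQuery, SMS_CollectToSubCollect, AddMembershipRule, RequestRefresh) are those of the ConfigMgr 2007 SMS Provider as I know them, so verify them against the SDK for your build.

```powershell
# Added example (not from the notes): dry-run a collection WQL query against the
# SMS Provider, then create a query-based collection from it.
# Assumptions: site code LAB, provider host smsserver.smsdomain.com.

$provider = 'smsserver.smsdomain.com'
$siteCode = 'LAB'
$ns       = "root\sms\site_$siteCode"

# A collection query must return ResourceId and ResourceType (the "system ID and
# system type" in the notes) so the provider can map each row back to a resource.
$query = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "%Server%"
  and SMS_R_System.Client = 1
"@

# 1. Dry run: see what the rule would match before creating anything.
Get-WmiObject -ComputerName $provider -Namespace $ns -Query $query |
    Select-Object Name, ResourceId, ResourceType

# 2. Create the collection and attach the query rule. A direct-membership
#    collection would use SMS_CollectionRuleDirect with a ResourceID instead.
$coll = ([wmiclass]"\\$provider\${ns}:SMS_Collection").CreateInstance()
$coll.Name            = 'All Windows Servers'
$coll.Comment         = 'Query-based: all clients reporting a Server OS'
$coll.OwnedByThisSite = $true
$null = $coll.Put()
$coll.Get()                                   # refresh to pick up the assigned CollectionID

$rule = ([wmiclass]"\\$provider\${ns}:SMS_CollectionRuleQuery").CreateInstance()
$rule.RuleName        = 'Server OS clients'
$rule.QueryExpression = $query
$null = $coll.AddMembershipRule($rule)

# 3. Link the collection under the root so it appears in the admin console.
$link = ([wmiclass]"\\$provider\${ns}:SMS_CollectToSubCollect").CreateInstance()
$link.parentCollectionID = 'COLLROOT'
$link.subCollectionID    = $coll.CollectionID
$null = $link.Put()

$null = $coll.RequestRefresh($false)          # evaluate membership now
'Created {0} ({1})' -f $coll.Name, $coll.CollectionID
```

Running step 1 on its own is the habit worth keeping: a collection is the target of advertisements and maintenance windows, so checking what a rule matches before it exists is cheaper than discovering the mistake after an advertisement has run against it.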
Maintenance windows are configurable so you can control when software updates that might reboot clients are applied. You create maintenance windows on collections, e.g. All Windows Servers, by modifying the collection settings; there are none by default. Beware that any admin creating an advertisement can select “ignore maintenance windows”, which overrides your maintenance window.
Package definition files must be .msi or .sms.
BITS throttles content download to branch DPs. A standard distribution point must be BITS-enabled, which it is not by default. You can set a schedule for BITS throttling and the Kbps as well.
You can set a custom severity level for updates.
Templates can be created for update deployments to preset the settings and avoid answering the same questions each month when updates roll out. You can also specify how long updates remain optional before they are forced, suppress restarts on servers, integrate with SCOM to put a computer in maintenance mode while updating, use WOL to wake a computer to install updates, and integrate with SMS 2003.
WSUS acts as the catalog and store. Unfortunately, you must have WSUS to do updates with CM.
Configuration items are what you scan for on your systems, for example who does not have a required app installed. Detection is by product code, not .exe name, so users cannot rename files to evade validation.
You can flag updates as required for NAP compliance; a computer that does not have the update is then quarantined.
Configuration packs for FISMA, SOX, HIPAA, etc. can be downloaded to implement those baselines in your enterprise: http://technet.microsoft.com/en-us/configmgr/cc462788.aspx
To deploy via PXE, add the PXE service point role to the WDS server and allow its port through the firewall. You can create a self-signed cert or import one.
Golden master images are just what they sound like: build a system the way you want it, capture it as the golden master, then deploy it via PXE. It is best to add applications to the golden image rather than deploying them via CM. Faster.


May 10 2009

I’m On Twitter

Category: Random Thought | Kyle Bubp @ 11:28 am

Follow me as I “tweet” random thoughts while in LA/@ the conference.
http://twitter.com/craniumcabinet


May 10 2009

Here I Am

Category: Politics, Random Thought | Kyle Bubp @ 10:02 am

So, I’m all checked in, lookin like the coolest guy on the planet with my Microsoft lanyard ’round my neck. Getting into the LA Convention Center was a pain, and on the way here, my GPS took me through east Inglewood. I think GPSes should have “safest route” option.

Anyway, not much going on, gonna grab some grub and explore. I did just spot a guy wearing a sleeveless T-Shirt, so that’s pretty interesting, considering he is at a conference that costs $4000.

Classytown.

edit: On an aside, internet access here is awesome. I’m downloading at a Megabyte per second. Win.


May 09 2009

Out In L.A.

Category: Random Thought | Kyle Bubp @ 10:10 pm

I headed out to Los Angeles today to attend a week-long conference, Microsoft TechEd. I did all my booking via Priceline and didn’t really think of, oh, researching where the hotel would be. I was unpleasantly surprised, and still am, as I sit in my room in Inglewood, CA. Yes, the same “Inglewood, Inglewood, always up to no good” in the California Love song by Dr. Dre and 2Pac. Here’s a brief video to show you what I’m talking about, and by the way, my hotel is 2 blocks from the Inglewood sign in the video:


A brief look at some neighborhood census information tells me that I may just be the only Caucasian here, which is ok, just a little different when you come from Knoxville, TN. As a matter of fact, Caucasians only make up 4% of Inglewood's population. I can certainly attest to this fact now.

After thinking about it, I decided I needed to go out in Inglewood to In-N-Out. I ordered something from the “secret menu”: 3×3 Animal Style and Animal Style fries:

It tasted a lot better than it looks.

After chowing down on that, I went to the gas station because I’m a moron that didn’t order a drink. That’s where I met this lady outside. She asked me for some change, which I didn’t have, but I offered to get her something instead. Well, 7 dollars later, I have made this woman happy. She was giving me hugs and telling me I touched her heart. It was probably a load of crap, but hey, she made out with some Marlboro 100’s, a Snickers bar, and some “skins” (as she called them) a.k.a. pork rinds. She was trying to convince me to take her to the liquor store and buy her some booze too, but I felt that feeding one addiction was good enough.

So, 1 day down, and how do I feel? Well, I obviously feel I made a mistake in the lodging department.


Feb 06 2009

KnoxFood.net

Category: Random Thought | Kyle Bubp @ 10:40 am

nomnomnom

I’ve just purchased a new domain for a new venture. I really love food, so, I’m going to create a blog about Knoxville’s best, and worst, restaurants.

Look for it in the coming weeks.


Feb 05 2009

Obama is Kind Of a Jerk…

Category: Comedy | Kyle Bubp @ 5:25 pm


It’s ok Obama, I don’t like cats either.


Feb 04 2009

Obama Admits He Made A Mistake

Category: Random Thought | admin @ 1:52 pm

At least he can take responsibility…


Feb 04 2009

“I Have Two Fingers”

Category: Comedy | Kyle Bubp @ 11:34 am

The power of general anesthetic on a 7-year-old after a dental procedure.



Feb 03 2009

Windows 7 SKUs Announced

Category: Tech | Kyle Bubp @ 2:28 pm


Remember how Windows Vista had all those different versions that made little to no sense? Well, although Microsoft has learned from some of its mistakes with Windows Vista, it is apparent that it hasn’t learned from all of them. The official versions have just been announced:

  • Windows 7 Starter: up to 3 concurrent applications, ability to join a Home Group, improved taskbar and JumpLists;
  • Windows 7 Home Basic: unlimited applications, live thumbnail previews & enhanced visual experience, advanced networking support (ad-hoc wireless networks and internet connection sharing), and Mobility Center;
  • Windows 7 Home Premium: Aero Glass & advanced windows navigation, improved media format support, enhancements to Windows Media Center and media streaming, including Play To, and multi-touch and improved handwriting recognition;
  • Windows 7 Professional: ability to join a managed network with Domain Join, data protection with advanced network backup and Encrypting File System, and print to the right printer at home or work with Location Aware Printing;
  • Windows 7 Enterprise and Windows 7 Ultimate: BitLocker data protection on internal and external drives, DirectAccess for seamless connectivity to corporate networks based on Windows Server 2008 R2, BranchCache support when on networks based on Windows Server 2008 R2, and blocking unauthorized software from running with AppLocker.

So, which one are you going to be pirating buying?


Feb 03 2009

That Was Easy

Category: Random Thought | admin @ 1:31 pm
Just like that

I just updated my WordPress to 2.7.1. I would suggest you all do the same.

The new Dashboard is very Web 2.0.

