Before OpsMgr ACS is able to collect token-related audit events (Event ID 299), auditing needs to be enabled on each Geneva Server on the farm. This will create a lot of audits, which you may need to filter using Noise Filtering on your assigned Audit Collector Server; I will cover how we achieved noise filtering on our platform in another post. For now, I want to share a couple of easy steps to centrally enable audits on your Geneva Servers:

1) In the Geneva Server MMC, for each Geneva Server on the farm

  1. Root node
  2. Edit Service Properties
  3. Check “Success” and “Failure” Events

2) In Active Directory

  1. Create a GPO and link to the Geneva Servers OU
  2. Enable Audits
    1. Navigate to Security Settings->Local Policies->Audit Policy.
    2. Click on the “Audit object access” Security Setting in the list view on the right-hand pane.
    3. On the “Local Security Setting” tab, click the “[ ] Success” and/or “[ ] Failure” check boxes according to your needs.
  3. Give Permissions to the account
    1. Click Security Settings -> Local Policies -> User Rights Assignment.
    2. Double click “Generate Security Audits” and add the account of your service to Local Security Settings (you can verify service account by opening “services.msc”, and checking the “Microsoft “Geneva” Server” log on account)
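An added PowerShell check, not part of the original post, that verifies the three settings above on one Geneva Server: the service log-on account, the Object Access audit policy, and the Generate Security Audits right. It assumes the service can be found by a display name containing "Geneva" and reads the policy with auditpol.exe and secedit.exe; run it elevated.

```powershell
# Added example: verify ACS prerequisites on a Geneva Server (run elevated).
# Assumptions: the service display name contains "Geneva" and "Server";
# auditpol.exe / secedit.exe are available (Windows Server 2008 and later).

function Get-GenevaServiceAccount {
    # Find the "Microsoft 'Geneva' Server" service by display name and return its log-on account
    $svc = Get-WmiObject Win32_Service | Where-Object { $_.DisplayName -like '*Geneva*Server*' }
    if (-not $svc) { throw 'Geneva Server service not found on this machine.' }
    $name = @($svc)[0].StartName
    if ($name -eq 'LocalSystem') { $name = 'NT AUTHORITY\SYSTEM' }   # normalise the built-in name
    return $name
}

function Test-ObjectAccessAuditing {
    # auditpol prints one line per Object Access subcategory; "No Auditing" lines
    # do not match, so the result is $true only if Success or Failure is on somewhere.
    $lines = & auditpol.exe /get "/category:Object Access" 2>&1
    $enabled = $lines | Where-Object { $_ -match 'Success|Failure' }
    return [bool]$enabled
}

function Test-GenerateAuditsRight {
    param([string]$Account)
    # Export the local user-rights policy; SeAuditPrivilege is "Generate security audits".
    $tmp = Join-Path $env:TEMP 'secpol-userrights.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -match '^SeAuditPrivilege' }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    # secedit lists principals as *SID entries, so resolve the account to its SID first
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return ($line -match [regex]::Escape($sid)) -or ($line -match [regex]::Escape($Account))
}

$account = Get-GenevaServiceAccount
"Service account              : $account"
"Object Access auditing on    : $(Test-ObjectAccessAuditing)"
"Has Generate Security Audits : $(Test-GenerateAuditsRight -Account $account)"
```

If the last line reports False the GPO from step 2.3 has not applied yet; run gpupdate /force and re-check before expecting Event ID 299 in ACS.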

Happy auditing!

Note: (2009-07-21) I added a couple of details to the article.

I just finished the deployment of OpsMgr R2 RC in a lab environment using a multiple-server architecture; the deployment was straightforward. Below I blog my experience, indicating from which VM I ran each command:

Environment

This reference environment is based on:

  • AD: Windows Server 2008 running ADDS.
  • RMS: Single Windows Server 2008 EE with Operations Manager R2 RC
    • Management Server Node
    • Audit Collection Server
    • WebUI
  • DB: Single Windows Server 2008 EE running SQL Server 2008 (with SSRS)
    • SQL Server Enterprise Edition 2008: Database, Analysis and Reporting services.
    • Opened port 1433 on Firewall for SQL Remote Connections.
    • Operations Manager Database Server
    • Operations Manager Reporting Node
    • Operations Manager DataWarehouse Node
    • ACS DB (On different disk array than Ops Mgr DB)

Accounts

  1. (AD) In Active Directory Users and Computers, create five accounts: the Management Server Action account, the SDK and Configuration Service account, the Data Reader account, the Data Warehouse Write Action account, and an Operations Manager Administrator account (for example, OpsMgrAdmin). These can all be domain user accounts. No special privileges are required at the domain level.
    • SCOM_Action_Service
    • SCOM_DataReader_Service
    • SCOM_DW_Service
    • SCOM_SDK_Service
  2. (AD) In Active Directory Domain Services, create a Global Security group for the Operations Manager Administrators.
  3. (AD) Add the Operations Manager Administrator Account to the Operations Manager Administrators Global Security group.
  4. (RMS) On the server that you are going to install Operations Manager on, log on with an account that has local administrator rights.
  5. (RMS) In the Computer Management tool, under Local Users and Groups, open the Administrators group and add the Operations Manager Administrators Global Security group that you created in step 2 of “To prepare accounts and groups in Active Directory.” Also add the accounts that you created to use as the Management Server Action account, the SDK and Config account, the Data Reader account, and the Data Warehouse Write Action account.

Validate SQL Server Reporting Services

  1. Browse: http://<SERVER>/Reports/Pages/Folder.aspx
  2. Browse: http://<SERVER>/ReportServer

Deploy Root Management Server (RMS)

  1. (RMS) Added Web Role with ASP.NET + AJAX 1.0
  2. (RMS) Deploy Operations Manager RMS
    1. SCOM Action Account: SCOM_Action_Service
    2. SCOM SDK Account: SCOM_SDK_Service (Local administrator of RMS and DB)
  3. (RMS) Test the deployment by importing the SQL management pack and verifying that Ops Mgr successfully monitors its database layer
  4. (RMS) Installed the SCOM Agent on (DB) to monitor SQL.
  5. (RMS) Problems discovering computers? http://blogs.technet.com/momteam/archive/2006/10/24/having-trouble-discovering-computers-using-the-opsmgr-2007-discovery-wizard.aspx
  6. (DB) Enable the following FW exceptions on monitored computers.
    • Port
      • 135 - TCP
      • 139 - TCP
      • 445 - TCP
      • 5723 - TCP
      • 173 - UDP
      • 138 - UDP
      • 445 - UDP
    • Exception for “File and Print Sharing” for Ops Mgr Agent deployment.

Deploy Operations Manager Reporting

(SQL) If your SSRS 2008 deployment is healthy you will not have problems during this deployment. To guarantee a least-privilege scenario, use domain-specific accounts for running these role services, for example:

  • SCOM_DW_Service –> Warehouse write account
  • SCOM_DataReader_Service –> Reporting services reader account.

Deploy Audit Collection Services

(RMS) Deploy the Audit Collector Server and specify a dedicated disk to host the AC Database on your database server. Authentication between the audit collector and the database server occurs via Kerberos.

  1. (following the Operations Manager 2007 deployment guide)
  2. Deployed the Audit Collector role on RMS following the wizard
    1. 2 AM to run the DB maintenance tasks
    2. 365 days of data retention
    3. Deployed the Audit Database to DB on a different disk array
  3. Imported ACS reports on DB following this procedure: http://blogs.technet.com/smsandmom/archive/2007/08/29/scom2007-audit-collection-services-acs-reports-installation-configuration.aspx
  4. Enabled Audit on computers. You can do this through OpsMgr Console –> Monitoring Node –> Operations Manager –> Agents; then, when you select an agent in the details pane, the action pane will show the “Enable Audit Collection” action
  5. Create custom reports: http://contoso.se/blog/?p=288

Troubleshooting

The Windows 7×7 campaign is already running; do not miss this opportunity to learn about hot new topics in this OS in a 10-minute screencast format. There are three published with me as the speaker :). Enter here: http://www.microsoft.com/latam/windows/7×7/


This may happen if you use volume-licensed media to deploy Windows Server 2008 SP2 (this was my case). The resolution is to set up a KMS server on your LAN or switch the product key to a MAK key; find out more here:

In my case this happened on a Geneva Server machine.

Hope it helps,

A Demo of the Great 7

June 25th, 2009

Record a 5-minute screencast for TechNET and participate!

There is USD 1000 in American Express Travelers Cheques at stake, plus 2 Asus EEE netbooks and your chance to make your demo famous in Microsoft newsletters, websites and events! Participation in this contest implies acceptance of the Terms and Conditions.

More information: http://www.puertadeenlace.net/page/Demo.aspx

Windows 7 RC has a little bug regarding image capturing. It is not a big deal, but you might get an interrupted sysprep process if you don’t take this into consideration. This is reported and will be fixed in the RTM build; for now you can follow this guide to successfully get a .WIM image from a Windows 7 RC model machine:

  1. Open a command prompt as Administrator.
  2. Navigate to c:\windows\system32\sysprep
  3. (bug in RC) Make sure the “wmpnetwk.exe” process is not running and the “Windows Media Player Network Sharing” service is disabled. If not, a problem related to drmv2clt.dll (the Digital Rights Management DLL) will abort the sysprep execution.
  4. Run sysprep.exe /oobe /generalize /reboot
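The four steps above as one added PowerShell script (not from the original post), including the RC workaround. It assumes the service name WMPNetworkSvc for “Windows Media Player Network Sharing” and must run elevated on the model machine; the -DryRun switch reports what would be done without launching sysprep.

```powershell
# Added example: prepare a Windows 7 RC model machine and launch sysprep.
# Assumption: the WMP Network Sharing service is registered as WMPNetworkSvc.
param([switch]$DryRun)

$sysprep = Join-Path $env:windir 'system32\sysprep\sysprep.exe'
if (-not (Test-Path $sysprep)) { throw "sysprep.exe not found at $sysprep" }

# RC workaround: the service must be stopped and disabled, and wmpnetwk.exe gone,
# otherwise the drmv2clt.dll problem described above aborts the generalize pass.
$svc = Get-Service -Name 'WMPNetworkSvc' -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') {
        "Stopping service: $($svc.DisplayName)"
        if (-not $DryRun) { Stop-Service -Name 'WMPNetworkSvc' -Force }
    }
    "Disabling service: $($svc.DisplayName)"
    if (-not $DryRun) { Set-Service -Name 'WMPNetworkSvc' -StartupType Disabled }
}

$proc = Get-Process -Name 'wmpnetwk' -ErrorAction SilentlyContinue
if ($proc) {
    "Terminating leftover wmpnetwk.exe (PID $($proc.Id))"
    if (-not $DryRun) { $proc | Stop-Process -Force }
}

# Re-check before handing over to sysprep; a still-running process means the
# workaround did not take and the capture would fail half-way.
if (-not $DryRun -and (Get-Process -Name 'wmpnetwk' -ErrorAction SilentlyContinue)) {
    throw 'wmpnetwk.exe is still running; aborting before sysprep.'
}

"Launching: sysprep.exe /oobe /generalize /reboot"
if (-not $DryRun) {
    Start-Process -FilePath $sysprep -ArgumentList '/oobe', '/generalize', '/reboot' `
                  -WorkingDirectory (Split-Path $sysprep)
}
```

Remember that the reboot sysprep triggers is the one you must interrupt with F12 to reach the PXE capture session, as described in the next section.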

Now begins the capture process:

  1. (~5 mins) Sysprep will go through the following phases
    1. Processing cleanup phase Sysprep plugins
    2. Processing generalize phase Sysprep plugins
  2. (~5 mins) Reboot (be aware of this reboot to capture the image; if you miss it you will need to re-run Sysprep)
    1. Press F12 (or manually configure the BIOS to boot from the LAN)
    2. Press F12 again to initiate a session with the PXE Server.
    3. Select the Image Capture option, as you will be generating a .WIM file for later upload to the MDT Server
    4. Once in the image capture wizard
      1. Choose a name for your image
      2. Capture locally to avoid networking issues and make sure you will get the .WIM image
      3. Choose a name for the file on the local disk and make sure you specify a .WIM extension for the file
  3. (~70 mins) Be patient and go somewhere else while the .WIM generation takes place.
  4. (~10 mins) First boot: now boot the model workstation again and you will get a first-boot experience.

Resources

  1. http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/8f5002e1-95b4-47bf-b031-4b72b3eb388a
  2. http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/c469805c-98af-4bb2-9655-c86c294470a9
  3. http://technet.microsoft.com/en-us/library/dd744330(WS.10).aspx

I am preparing a couple of screencasts for TechNET LATAM as part of a huge initiative of 49 screencasts that will be launched next month. So, I took the time to dive into some cool new Windows 7 features; this time I will share my experience with Branch Cache.

Branch Cache is a cool new feature in Windows 7 and Windows Server 2008 R2, and it is available now so early adopters can take advantage of it right from the RC build of Windows 7 (Build 7100). The goal is to cache, on branch office workstations, content downloaded from the main office, to optimize the load on the branch office WAN link, where it is not common to rely on high-speed links.

Highlights

  • It is straightforward to deploy via GPO.
  • Supported protocols are HTTP, HTTPS, streaming and SMB (the Web and File Server roles on Windows 2008 can be configured).
  • It is aimed at intranet traffic only, for example: documents on a file server, training videos, images on an intranet site. Works with Robocopy and standard copy; it is pretty firewall.

Branch Cache supports two scenarios, distributed or centralized cache, according to the branch office size and network topology.

  • Distributed scenario
    • The branch client accesses the main office to download the content. First it gets the ID of the content (which is a hash of the content itself), then it leverages WS-Discovery to broadcast a query to every other client in the branch to see if someone else has already downloaded the content; if not, the first download begins.
    • The second client that needs this data from the main office will again get the hash (if the content has changed this hash will be different; in this case let's suppose it has not changed). With the hash it again uses WS-Discovery and finds that another client has already downloaded the content, so this time the content travels only through the branch office.
      Pasted from <http://technet.microsoft.com/en-us/library/dd755969(WS.10).aspx>
  • Hosted scenario (centralized cache)
    • It is quite the same, with the difference that a dedicated branch cache server exists, and every client, instead of using WS-Discovery, searches directly on this branch cache server; if the hash is not found, the content is downloaded from the main office.
    • Then the client advertises the content to the branch cache server, so the server can get the content that might be pulled by a second client.
      Pasted from <http://technet.microsoft.com/en-us/library/dd755969(WS.10).aspx>

Distributed cache mode is aimed at branch offices with fewer than 50 workstations, as it can only retrieve cached content from a single subnet. Also take into consideration that hibernated or sleeping laptops cannot serve cached content to other clients.
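To make the two lookups above concrete, here is an added toy model in PowerShell (not from the original post or from Microsoft). Content is identified by a SHA-256 hash of its bytes; a client asks the branch (peer caches in distributed mode, the cache server in hosted mode) for that hash first and only pulls the bytes over the WAN when nobody has them. The content store, peers and counters are constructed for the example; real BranchCache uses its own hashing and WS-Discovery over multicast.

```powershell
# Added example: model of BranchCache distributed vs hosted lookups.
function Get-ContentId {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return [BitConverter]::ToString($sha.ComputeHash($Bytes)).Replace('-', '')
}

# Constructed "main office" content store (name -> bytes) and transfer counters
$script:mainOffice   = @{ 'training.wmv' = [Text.Encoding]::UTF8.GetBytes('video bytes v1') }
$script:wanTransfers = 0
$script:lanTransfers = 0

function Request-Content {
    param(
        [string]$Name,
        [hashtable]$LocalCache,      # this client's cache: contentId -> bytes
        [hashtable[]]$Branch = @(),  # caches reachable in the branch (peers or hosted cache)
        [hashtable]$HostedCache      # hosted cache to advertise to; $null in distributed mode
    )
    # 1. Only the content ID (the hash) crosses the WAN at this point
    $id = Get-ContentId $script:mainOffice[$Name]
    if ($LocalCache.ContainsKey($id)) { return $LocalCache[$id] }
    # 2. Look for that ID inside the branch (WS-Discovery query or hosted cache lookup)
    foreach ($cache in $Branch) {
        if ($cache.ContainsKey($id)) {
            $script:lanTransfers++
            $LocalCache[$id] = $cache[$id]
            return $LocalCache[$id]
        }
    }
    # 3. Nobody in the branch has it: fetch from the main office over the WAN
    $script:wanTransfers++
    $LocalCache[$id] = $script:mainOffice[$Name]
    if ($null -ne $HostedCache) { $HostedCache[$id] = $LocalCache[$id] }   # advertise to the server
    return $LocalCache[$id]
}

# Distributed mode: client 2 finds the content on client 1 after a single WAN download
$client1 = @{}; $client2 = @{}
$null = Request-Content -Name 'training.wmv' -LocalCache $client1
$null = Request-Content -Name 'training.wmv' -LocalCache $client2 -Branch @($client1)
"Distributed : WAN=$script:wanTransfers LAN=$script:lanTransfers"

# The main office updates the file: the hash changes, so the peer copy no longer matches
$script:mainOffice['training.wmv'] = [Text.Encoding]::UTF8.GetBytes('video bytes v2')
$null = Request-Content -Name 'training.wmv' -LocalCache $client2 -Branch @($client1)
"After change: WAN=$script:wanTransfers LAN=$script:lanTransfers"

# Hosted mode: the first client advertises to the cache server, the second is served by it
$script:wanTransfers = 0; $script:lanTransfers = 0
$hosted = @{}; $client3 = @{}; $client4 = @{}
$null = Request-Content -Name 'training.wmv' -LocalCache $client3 -Branch @($hosted) -HostedCache $hosted
$null = Request-Content -Name 'training.wmv' -LocalCache $client4 -Branch @($hosted) -HostedCache $hosted
"Hosted      : WAN=$script:wanTransfers LAN=$script:lanTransfers"
```

The second request in each mode is served inside the branch, and the changed file forces a new WAN download because its hash no longer matches anything cached.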

Want to go deeper? Check the following links:

Resources:

I would like to share a couple of highlights about Windows 7 printers and drivers that were useful to me from an IT Pro point of view.

1) Set different printers for different locations with Windows 7

This lets me configure a PDF writer when my laptop is not connected to any network. Using this feature you have a smart profile of your printing environment; at home or at your secondary office you will never again say “That is not the #”!#!”# printer I want!!”

To do this

  1. Start Menu > Devices and Printers
  2. Select any printer and click on Manage Default Printers.
  3. Then, for the “No Network” entry, select your PDF printer.

2) Printer Driver Isolation on Windows 7

How many times has your print spooler crashed? Chances are many: the spooler crashes, the computer becomes unresponsive, you cannot send more jobs to the spool until you restart the spooler, and so on. Those days of printer-driver headaches end with Windows 7. In Windows 2000 the print spooler was moved to run in user mode, which was a huge step forward for printer-driver stability; complaints from Windows users around the world were not ignored in that era, and a design decision changed the paradigm.

In Windows 7 the isolation goes further, as the OS allows printer drivers to be isolated in separate user-mode processes. So, drivers that are not so reliable can run isolated without interfering with other printers' work. This is potentially useful for print servers, but it also applies to workstations, as every end user has the capability to isolate the printer spooler process running on his own VM. The logical consequence is to isolate printer drivers from each other and/or from the spooler. Windows 7 and Server 2008 R2 achieve that by executing printer driver code not from within spoolsv.exe but from a dedicated process, PrintIsolationHost.exe. In case a driver causes a crash, only one instance of PrintIsolationHost.exe goes away, but the spooler service itself is left unperturbed.

A layered control of isolation behavior was added for IT Pros; you can manage isolation

  • via GPOs
  • via Driver .INF file
  • from the PMC (Printer Management Console)

I will show you the simplest scenario, configuring a workstation using the PMC, and let you go further if you need it. To do this:

  1. Open the Print Management MMC
  2. Go to drivers
  3. Right click on a driver and select the isolation mode you need for that driver.

Reference
Printer Installation and Driver Management, slide deck from WinHEC 2008 by Shawn Maloney

I followed this procedure from TechNET to configure dynamic updating: http://technet.microsoft.com/en-us/library/dd145315(WS.10).aspx. I want to share my results as it went quite straightforward.

The DHCP server might be configured in one of the following ways; we chose the second to increase our control over the workstations:

  • The DHCP server registers and updates client information with the authoritative DNS server of the zone in which the DHCP server is located according to the DHCP client request.
    This is the default configuration for DHCP servers running Windows Server 2008. In this mode, the DHCP client can request the way in which the DHCP server performs updates of its host (A) and pointer (PTR) resource records. If possible, the DHCP server accommodates the client request for handling updates to its name and IP address information in DNS.
    To modify this setting, select the Dynamically update DNS A and PTR records only if requested by the DHCP clients check box, which is located in Properties on the DNS tab on the applicable DHCP server or on one of its scopes.
  • The DHCP server always registers and updates client information in DNS.
    This is a modified configuration supported for DHCP servers running Windows Server 2008 and DHCP clients. In this mode, the DHCP server always performs updates of the client’s FQDN, leased IP address information, and both its host (A) and pointer (PTR) resource records, regardless of whether the client has requested to perform its own updates.
    To modify this setting, select the Enable DNS dynamic updates according to the settings below check box and click Always dynamically update DNS A and PTR records, which is located in Properties on the DNS tab on the applicable DHCP server or on one of its scopes.
  • The DHCP server never registers and updates client information in DNS.
    To set this behavior, the DHCP server must be configured to disable performance of DHCP/DNS proxied updates. By disabling this feature, no client host (A) or pointer (PTR) resource records are updated in DNS for DHCP clients.
    If necessary, this change in setting can be made at DHCP servers running Windows Server 2008 by clearing the Enable DNS dynamic updates according to the settings below check box, which is located in Properties on the DNS tab on the applicable DHCP server or one of its scopes. By default, updates are always performed for newly installed DHCP servers running Windows Server 2008 and any new scopes created for them.

Procedure

This implied the following configuration:

  1. [DNS] Configure DNS Zone as Secure Only
  2. [DHCP] Configure DHCP Server to Always dynamically update DNS A and PTR records
  3. [AD] Make the DHCP server computer account part of the DNSUpdateProxy Security Group
  4. [AD] Created a service account “DOMAIN\DNSUpdate”
  5. TEST: Ran ipconfig /release; ipconfig /renew from my workstation and checked the created record in DNS. To my surprise, when I tried to check the security of the DNS record I got a permission-denied error. What happened here is that the owner of the record is now “DOMAIN\DNSUpdate” and not me, even though I am a Domain Admin.
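An added PowerShell check (not from the original post or the TechNET article) to inspect, via LDAP, who owns a record in an AD-integrated zone and which principals hold rights on it, which is the ownership situation step 5 ran into. The zone, host and partition names are constructed; it assumes the zone replicates to the DomainDnsZones partition (adjust $PartitionDN for ForestDnsZones or the CN=System container of the domain) and that the caller can read the object over LDAP.

```powershell
# Added example: show owner and ACEs of a dnsNode object in an AD-integrated zone.
# Assumptions: DomainDnsZones replication scope; constructed names corp.example / ws01.
function Get-DnsRecordOwner {
    param(
        [string]$Zone,                                                # e.g. corp.example
        [string]$HostName,                                            # e.g. ws01
        [string]$PartitionDN = 'DC=DomainDnsZones,DC=corp,DC=example' # where the zone lives
    )
    # dnsNode objects are stored as DC=<host>,DC=<zone>,CN=MicrosoftDNS,<partition>
    $dn   = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,$PartitionDN"
    $node = [ADSI]"LDAP://$dn"
    try { $node.psbase.RefreshCache() } catch { throw "DNS node not found or not readable: $dn" }

    $sec   = $node.psbase.ObjectSecurity
    $owner = $sec.GetOwner([System.Security.Principal.NTAccount]).Value
    # Explicit and inherited ACEs, resolved to account names; with Secure Only updates
    # the owner (the DHCP credential here) is the principal allowed to refresh the record.
    $aces = $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
    return New-Object PSObject -Property @{ DN = $dn; Owner = $owner; Aces = $aces }
}

# Usage with the constructed names
$r = Get-DnsRecordOwner -Zone 'corp.example' -HostName 'ws01'
"Record : $($r.DN)"
"Owner  : $($r.Owner)"
$r.Aces | Format-Table -AutoSize
```

Running this as a Domain Admin reads the ACL even when the DNS console refuses, because Domain Admins keep read access on the object; the Owner field should show the DHCP update credential for records created after the change.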

Source

John Howard developed a script (http://code.msdn.microsoft.com/HVRemote) to facilitate configuring clients and servers so they can be managed by Hyper-V. I found this script very useful, and this article is about configuring the client side. Below is a summary and how it worked for me.

Summary

  1. Download the HVRemote.wsf script from: http://code.msdn.microsoft.com/HVRemote
  2. Allow DCOM access by running (elevated): cscript HVRemote.wsf /mode:client /AnonDCOM:grant
  3. Allow firewall exceptions for WMI
    1. Open Windows Firewall management: Control Panel\System and Security\Windows Firewall
    2. Allow programs to communicate through Windows Firewall
    3. Select “Windows Management Instrumentation (WMI)” for the Domain network. Click OK.

Troubleshooting: DNS. This is the number one reason why remote management fails. It is vitally important that the client can locate the server by name, and that the server can locate the client by name. Try doing an “nsLookup <othermachinename>” on each machine or “ping <othermachinename> -t”. It should return the IP Address of the other machine as seen when running “ipconfig”. If it doesn’t find the correct IP address, or doesn’t find the other machine at all, fix DNS, or consider editing /windows/system32/drivers/etc/hosts to hard-code an entry for the other machine as needed. But if editing the hosts file, be wary of possible changes should you also be using DHCP in your environment.

Details

D:>cscript HVRemote.wsf /mode:client /AnonDCOM:grant

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility
John Howard, Microsoft Corporation.
http://blogs.technet.com/jhoward
Version 0.6 2nd Mar 2009

INFO: Computername is ######
INFO: Computer is in domain ######
INFO: Current user is ######
INFO: Detected Windows 7/Windows Server 2008 R2 OS

INFO: Obtaining current Machine Access Restriction…
INFO: Examining security descriptor
INFO Granted Remote DCOM Access to Anonymous Logon
WARN: See documentation for security implications
INFO: Are running the latest version

The following script option did not work for me, but John Howard seems to use it successfully; this is why I had to manually allow the WMI exception in my Windows Firewall.

D:\>cscript HVRemote.wsf /mode:client /FirewallHyperVClient:Enable
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Hyper-V Remote Management Configuration & Checkup Utility
John Howard, Microsoft Corporation.
http://blogs.technet.com/jhoward
Version 0.6 2nd Mar 2009

INFO: Computername is ######
INFO: Computer is in domain ######
INFO: Current user is######
INFO: Detected Windows 7/Windows Server 2008 R2 OS
WARN: Hyper-V Management Clients - WMI (Async-In) firewall not updated
WARN: Hyper-V Management Clients - WMI (TCP-Out) firewall not updated
WARN: Hyper-V Management Clients - WMI (TCP-In) firewall not updated
WARN: Hyper-V Management Clients - WMI (DCOM-In) firewall not updated
INFO: Are running the latest version

——————————————————————————-
4 warning(s) or error(s) were found in the configuration. Review the
detailed output above to determine whether you need to take further action.
Summary is below.

1: FW Rule Hyper-V Management Clients - WMI (Async-In) was not updated
2: FW Rule Hyper-V Management Clients - WMI (TCP-Out) was not updated
3: FW Rule Hyper-V Management Clients - WMI (TCP-In) was not updated
4: FW Rule Hyper-V Management Clients - WMI (DCOM-In) was not updated

——————————————————————————-