SmartDeploy is raffling off 50 end-point licenses with 1 year of basic support (value $1610 USD). The deadline for this contest is June 1, 2012. If you want a chance at winning this license, please fill out this form.

SmartDeploy Enterprise is a powerfully simple deployment suite. In fact, it is so simple that the entire process can be summed up in five steps, with steps 1 and 2 being covered in the previous post. In short, the steps are:

1. Building the image
2. Capturing the image
3. Packaging the drivers
4. Creating the PE media
5. Deploying the image

We have already built and captured our image. Now we face a humongous hurdle with driver management. In nearly every organization, model sprawl reigns. Even in organizations where machines are regularly replaced, some department will buy a make and model that wasn’t previously supported. This is the area where SmartDeploy Enterprise really shines.

In the past, most images stored drivers on the local drive in a manually arranged system. Enter the Platform Pack—a completely prepackaged set of drivers for deployment available through their website. To show how much time a Platform Pack will save, I tested our environment. We have 27 different models, including some old POS machines. SmartDeploy had Platform Packs for all of them! Even better, some models (like a Dell Latitude D610) only have Windows XP available for download from Dell’s Support page. SmartDeploy had the Windows 7 drivers already packaged along with the Windows XP drivers.

Platform Packs come in nearly every make and model.

Now that I have finished saturating my bandwidth with Platform Packs, let’s look into altering and merging the downloaded Platform Packs. This is done within the Platform Manager where, once opened, Platform Packs may be added as needed. A Platform Pack could be created for a universal image or as granular as needed. In my environment, the Platform Pack was organized based on make, model, operating system, and hardware type. To make driver updating easier, I left the default driver names that were created in the import process.

Platform Packs are scoped based on automatically configured WMI filters.

A very cool bonus feature is a WMI Filter Wizard, which is included in the Platform Manager. It allows for the quick scoping of drivers to specific make and models. It could also be quite useful when creating WMI filters for a GPO.

In this example, a WMI filter could be created to apply certain drivers when a machine’s memory exceeds a determined amount.

Now that the Platform Pack has been created, altered, and saved, we need to associate it with boot media. Our boot media of choice is a Windows PE image that is WDS compatible. This will allow us to network boot our machines to an imaging server. To do this, we will launch the Media Wizard and proceed through the steps. Because we will be using multicasting, the wizard will enable that option.

If physical media is desired, the Media Wizard can create a completely standalone boot image.

In the Media Wizard, two features stand out. The first is the ability to integrate a VNC service for remote imaging monitoring. This seems similar to DaRT Remote Connection integration in Microsoft Deployment Toolkit 2012. The second feature is the ability to deploy images over disconnected networks. Although I did not have a chance to test this feature, it seems very cool!

For remote or dispersed organizations, the Cloud Services add-on would be a life saver.

Now that we have created the SmartDeploy media, all that is left is to deploy the image to machines. For those familiar with the Out of Box Wizard, SmartDeploy is easy. After booting of deployment media, the machine image can be selected. Other settings, such as resolution or domain information, can also be entered.

If your organization already has a robust imaging solution, SmartDeploy Enterprise may not be a solution for you. For organizations with a smaller IT staff (or those one-man shops) looking for a very simple extendible imaging suite, SmartDeploy Enterprise becomes very appealing.

If you want a chance to win 50 end-point licenses with 1 year of basic support (value $1610 USD), please fill out this form.

• Raffle: SmartDeploy Enterprise – Easy OS deployment – Part 1 (0)
• Windows deployment preflight checks – Part 2: The script (0)
• Windows deployment preflight checks – Part 1: Introduction (2)
• MDT Workbench and Windows deployment (0)
• MDT (Microsoft Deployment Toolkit) prerequisites and add-ons (0)

Remember that first time you tried to fire up a virtual test machine in Windows 7 Virtual PC only to discover that 64-bit operating systems were not supported? How disappointing!

Enable Hyper-V in Windows 8

Fret no more. Windows 8 desktop includes Hyper-V 3.0. I’ve spent some time checking it out and I’m quite impressed. The reason I’m so impressed is that the new feature looks and feels just like the Hyper-V Manager we all grew accustomed to in Windows Server 2008 R1 and R2. It is in fact the exact same tool available in Windows Server 2012.

Please note that you will need Windows 8 Professional to run Client Hyper-V (see edition features). Windows 8 (standard edition) and Windows 8 RT (for ARM processors) won’t support Client Hyper-V. You can try Client Hyper-V by downloading the current Consumer Preview.

Client Hyper-V hardware requirements and Limitations

The added capability also includes new hardware requirements. The good thing is that your typical modern desktop system should support them.

• 4GB of RAM is a requirement. You will probably have at least 4GB if you’re going to be running virtual machines.
• A 64-bit Second Level Address Translation (SLAT) capable system is also required. Intel’s Desktop i-series (i3, i5, i7) supports SLAT. For AMD support see AMD Processors with Rapid Virtualization Indexing Required to Run Hyper-V in Windows 8. Also see Hyper-V: List of SLAT capable CPUs for Hosts for more information.

Although the Hyper-V Manager tool looks identical to what you see in Windows Server 2012, there are a handful of features that cannot be used in Client Hyper-V.

• Remote FX
• Live VM Migration
• Hyper-V Replica
• SR-IOV networking
• Synthetic Fibre Channel

For additional information please see Microsoft Technet Client Hyper-V Survival Guide.

Enable Hyper-V in Windows 8

Enabling Hyper-V is extremely easy in Windows 8.

1. If you are at the Start screen, begin by clicking Desktop.
2. Now move your mouse to the bottom left corner of the screen and right-click when you see the start icon pop up.
3. Click Programs and Features and then click Turn Windows features on or off.
4. From here you can just enable Hyper-V and all other Hyper-V components will be installed. Included are the GUI Management Tools, Module for Windows Powershell, and the Hyper-V Platform.
5. After clicking OK, you’ll have to restart. Once you get to the logon screen, the machine will restart again.

After logging back in, you may have to scroll in the Metro interface all the way to the right to see a new tile labeled Hyper-V Manager. Click the tile and Hyper-V Manager is opened at the Desktop.

Hyper-V in Windows 8 Metro

If you’ve been using Hyper-V Manager in Windows Server 2008, the GUI in Windows 8 will feel very familiar. What really impresses me is that it doesn’t appear that any features have been stripped out that would make the desktop version a “dumbed-down” version with limited usefulness. For example, an important difference is that Windows 8 Client Hyper-V is a bare metal hypervisor (type 1) as opposed to the Windows 7 Virtual PC hypervisor that is hosted (type 2). Thus you can expect better performance and more reliability with Hyper-V in Windows 8.

Two features that stood out to me were the expanded list of processor and virtual NIC options.

Processor settings

• NUMA – NUMA customizations can now be made for each virtual machine. Previously this could be done in the host settings but not per VM.

Hyper-V Windows 8 – Processor settings

Network adapter

• Bandwidth – Enable Bandwidth Management and control the minimum and maximum bandwidth for a virtual network adapter. The settings are in MBps.

Hyper-V Windows 8 – Network settings

Windows 8 Client Hyper-V is definitely a great improvement over Windows 7 Virtual PC.

• FREE: Veeam ONE Free Edition – Real-time Hyper-V and VMware monitoring (0)
• Windows 8 Metro – Disable in Windows Server 2012? (0)
• Domain join behavior in Windows Server 8 (0)
• Hyper-V cluster – Part 7: Custer Shared Volume and manage virtual machines (0)
• Hyper-V cluster – Part 6: Create a cluster (0)

After implementing this in several organizations, I’ve discovered several issues that may be of interest if you’re planning on implementing Folder Redirection.

Test, test, test

If you’ve read other Group Policy articles I’ve read, I harp on testing. Sorry, but way too many people make a change in a production environment before trying it out on test systems first.

Communicate to end users

If Folder Redirection is new for your users, make sure they know the change is coming. Most users will never notice until they accidentally delete a file or have a machine die and you become their hero.

Slow logons after implementation

One of the things you’ll need to communicate with users if you have pre-Windows 7 computers is that they may see slow logons the first time they log into their computers after Folder Redirection is implemented. Not only are everyone’s files being copied to the file server, but the server’s NIC and the network will probably be saturated with file transfer traffic. (Microsoft improved this in Windows 7 with Fast First Logon.

Broken shortcuts and Recent Documents

If users have created shortcuts to documents or folders inside of folders that you’re redirecting, they may end up with broken shortcuts. The same is true for the Recent Documents feature in applications like Word and Excel.

Which folders to redirect

Decide beforehand what you want to redirect vs. what you really need to redirect. Is it really important to redirect Downloads? How about Saved Games? Everything you redirect is going to have an impact on how much storage you need.

Planning storage

For your shared folder, you’ll want to make sure that the share is on a volume that is large enough to handle the amount of data that your users will be storing. There are a few ways to accomplish this, but most of them depend on your server environment. If your file server is a virtual machine, you can always expand your virtual disk and then expand the volume in Windows if you start to run low on disk space later. In the event you’re using a physical server connected to some kind of Fiber Channel or iSCSI SAN, you can do pretty much do the same thing: Expand the volume on the SAN and then expand the volume in Windows.

The amount of storage you’ll need can vary widely depending on the types of users you’re supporting. I’ve seen administrative users (accountants, HR, etc.) users use as little as a few hundred megabytes and engineers use hundreds of gigs. Plan accordingly!

File server configuration

File server configuration can have an impact on Folder Redirection. Just be aware that things like antivirus or an IDS application can impact your users. Also be aware of whether or not File Screening is being used to block files on your file server since this will impact Folder Redirection also.

Consider using DFS

If you’re already using DFS, seriously consider using DFS for your folder redirections. In the event you need to change servers or create a more redundant file server, everything you need is already built in to DFS.

Stopping Folder Redirection for labs and kiosks

If you have training facilities, kiosks, or other computers where you don’t want user folders being redirected, you’ll need to use loopback processing. In most cases, using Replace will be the easiest since it will just ignore all of the User Configuration. In the event you do decide to use Merge, make sure you set a User policy that redirects all of the folders to the local user profile.

Offline Files

In most circumstances, the default settings for Offline files will probably be adequate. In the event you need to change those settings, Offline Files can be configured for the entire computer in the GPMC at Computer Configuration > Policies > Administrative Templates > Network > Offline Files. On the user side, it is located in User Configuration > Policies > Administrative Templates > Network > Offline Files. By default, Redirected Folders will be made available offline. On both sides, you can disable Offline Files by setting “Prevent use of Offline Files” to Enabled.

Folder Redirection – Prevent use of Offline Files

Disabled Offline Files and server availability

In the event you need to disable Offline Files for security reason, you’ll want to make sure that your file server is as highly available as possible. In the event your file server does need to be offline or reboot, just be aware that any logged in users will immediately lose access to their files until the file server becomes available again.

Folder Redirection – Offline Files disabled and file server unavailable

• Folder Redirection – Part 4: Group Policy configuration (0)
• Folder Redirection – Part 3: Explanation of folder permissions (2)
• Folder Redirection – Part 2: Setting up your file server (0)
• Folder Redirection – Part 1: Introduction (0)
• Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (0)

Extending Orchestrator 2012

When the standard activities aren’t enough to accomplish the automation you need, the next step is to turn to Integration Packs (IP). Currently there are IPs available from Microsoft for the System Center 2012 suite as well as for earlier SC versions, there is also IPs for HP iLO hardware and HP Operations and Service Manager; IBM Tivoli and VMware vSphere. There are also community IPs available on TechNet Gallery and Codeplex for various tasks (see resources). Configuration management tools such as Remedy and CA are also slated to have integration packs. Today there are also community IPs for SharePoint and VMware’s vSphere but I would expect more IPs, from Microsoft, third parties and the community to be published as SC 2012 gains market share.

Extending Orchestrator with IPs involves several steps: download the IP(s), register them using the Deployment Manager and then deploy them to the relevant Runbook servers. Finally they need to be configured using the Runbook Designer.

Orchestrator 2012 – the glue in System Center 2012

Orchestrator is at the center of the System Center suite – bringing what are essentially separate islands of data and functionality together to work in unison. For proof you need to look no further than the recently added Unified Installer which is an Orchestrator Runbook that automates (to a degree) the installation of all the other components of the SC suite.

Another benefit Orchestrator has over Opalis is the introduction of monitor activities, Opalis used polling monitors that were constantly checking for activity to see if a runbook should be started, with the tighter integration in SC 2012; other parts of the SC suite (particularly SCSM) can notify Orchestrator and initiate runbooks.

The amount of control that Orchestrator runbooks can exert over the other SC 2012 suite programs is remarkable, on the right hand side you can see a few of the activities that are available for SCVMM 2012.

The new Web service – Orchestrator’s secret weapon?

The authoring experience and how you work with Orchestrator is virtually unchanged from Opalis; in contrast the new feature is the Orchestrator web service. This exposes the functionality of Orchestrator through an OData / REST based interface and lets other programs see and use runbooks which may eventually lead to Orchestrator fading into the background and being the engine that orchestrates behind the scenes whilst being controlled by other applications.

Conclusion

System Center 2012 is a major revamp of the whole suite, and whilst the components are still separate, Orchestrator and the SC 2012 IPs bring them closer than ever before. For this reason alone, adding Orchestrator to your list of must have skills for the future is a good idea but when you take into account the extensive reach of Orchestrator to automate across many other disparate systems my conclusion is that getting the hang of it is crucial for the future.

Playing with Orchestrator 2012 is a lot of fun, and I must say that the visual part of me is certainly picking up how to do things quicker than when struggling in the light blue sea of PowerShell.

Resources

• Overall list of Integration Packs available for Orchestrator 2012
• List of System Center (both earlier and 2012 versions) Integration Packs available for Orchestrator 2012
• Detailed Data Manipulation functions descriptions
• Orchestrator open source Integration Pack projects on Codeplex
• SC2012 Solution Runbook Examples on Codeplex
• Orchestrator Integration Pack projects on TechNet
• Orchestrator Jump Start by Pete Zerger – in five parts
• TechNet Virtual Lab: Opalis: Incorporating Advanced Logic into Your Policies
• TechNet Virtual Lab: Opalis: Building Advanced Policies

• System Center 2012 – Orchestrator 2012 – Runbooks best practices (0)
• System Center 2012 – Orchestrator – Creating Runbooks (0)
• System Center 2012 – Orchestrator – Installation (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

SmartDeploy is raffling off 50 end-point licenses with 1 year of basic support (value $1610 USD). The deadline for this contest is June 1, 2012. If you want a chance at winning this license, please fill out this form.

SmartDeploy Enterprise Architecture

Let me start off by saying that I am a huge Microsoft Deployment Toolkit (MDT) fan! I love the granular control, the nifty wizards, and the extensive logging. But MDT is a pain to set up and a bear to learn. Between the barrage of terminology, layers of components, and simple confusion over when a deployment share needs to be updated, an overworked admin in an overstretched shop could not dedicate the time needed to master MDT. Simplicity is where SmartDeploy Enterprise succeeds.

The entire image creation and deployment process can be summed up in five steps.

1. Building the image
2. Capturing the image
3. Packaging the drivers
4. Creating the PE media
5. Deploying the image

As we progress through each of these steps, we will cover the actual process, best practices, and some time saving tips.

Step 1: Building the Image

When installing the SmartDeploy Enterprise suite, be sure to use a physical machine. The setup will only continue if the machine is not virtual. A well-known best practice of image creation is the use of virtual machines for the master image. This practice allows for changes, such as software installation or Windows updates, to be captured in snapshots. If problems are found in the image, the image can be reverted instantly to the clean state.

SmartDeploy wisely enforces this best practice in their deployment suite. To simplify the image building process, SmartDeploy Build Wizard allows for the selection of multiple virtualization products. The Build Wizard will even go so far as to automatically create the needed VM files. When building my image, I used VMware Workstation 8, but I selected Workstation 7 as my virtualization platform.

To simplify deployment, the Build Wizard supports a variety of virtualization products.

Step 2: Capturing the Image

After the image has been created, configured, and finalized, the image can now be captured. Unlike some image management tools, SmartDeploy will automatically scan your virtual hard disks (which were created in Step 1) for operating systems. If your virtual hard disk contains multiple partitions, be sure to uncheck all but the primary partition if WDS will be used.

Direct integration with Windows Deployment Services is provided in the Capture Wizard.

When manually managing an image, one would normally alter the Unattended.XML file to enter the product key or default local administrator password. The Capture Wizard provides the ability to directly inject this information.

The Capture Wizard simplifies the management of the Unattended.xml file.

A feature that sets SmartDeploy apart from the pack of deployment suites is the ability to deploy a standard image or a differencing image. A standard image is a normal captured image in a .WIM format. A differencing image is a captured image that only deploys the differences between the new captured image and a previously captured image. For example, an organization could create a differencing image on a quarterly basis that wraps up all updates published. This granular approach cuts down on wasted space by only capturing the changes to an image. It also safeguards the original clean image by adding distinct layers.

If capturing as a differencing image, you have to select an existing previous image.

After the image has been named and the save location selected, the Capture Wizard will generate the image file.

One of the most challenging portions of image creation is driver management. To ease the pain of driver management, SmartDeploy has an innovative solution using prepackaged platform packs.

In the next post, we will cover driver management (Platform Packs), deployment media, and deployment.

If you want a chance to win 50 end-point licenses with 1 year of basic support (value $1610 USD), please fill out this form.

• Windows deployment preflight checks – Part 2: The script (0)
• Windows deployment preflight checks – Part 1: Introduction (2)
• MDT Workbench and Windows deployment (0)
• MDT (Microsoft Deployment Toolkit) prerequisites and add-ons (0)
• Introduction to the Microsoft Deployment Toolkit (MDT) (0)

Now that we have a server with a share configured, we’re ready to set up the Folder Redirection in Group Policy. Folder Redirection is User configuration. Because of that, you’ll need to either create a new Group Policy Object (GPO) or edit an existing GPO that is linked to an OU for your users. Go to User Configuration > Policies > Windows Settings > Folder Redirection.

GPMC in Windows 7 Showing Folder Redirection

Right-click on one of the folder names and click Properties. In my example, I’ll be using Documents. The first thing you’ll want to set in the Target tab is how you want to redirect folders: Basic or Advanced. If you’re planning on directing every user to your new User share, then Basic will probably do for you. If you have multiple shares for Folder Redirection (possibly for departments or geographical locations), you can choose Advanced and assign specific folders for groups.

Folder Redirection Properties

Next, you’ll need to determine where you want to redirect the user folders. In most circumstances, you’ll probably want to use “Create a folder for each user under the root path.” However, you can also use a user’s home directory (if you have that attribute configured in AD), a specific path (for labs or common area computers where every user should share certain folders), and the local user profile (useful if you don’t want users reconfiguring folder locations).

Target folder location

Type in the name of your server and the path to your Users share. If you used the option to create a folder for each user under the path, you’ll see that your folder structure should be in the format \\fileserver\Users\%username%\redirectefoldername for each Folder Redirection you configure.

Root Path setting

Go to the Settings tab. Uncheck the checkbox by “Grant the user exclusive rights to Documents.” If you don’t uncheck this setting, the permissions will be configured so that even Administrators won’t be able to access the files without changing the folder permissions.

Settings Tab

Choose the settings for the remaining options that work for your environment and click OK.

That’s it! All you need to do is go to your test system, refresh Group Policy, log off, and log back in. Just be aware that when you run gpupdate, you’ll get a reminder that you need to log out and back in for the changes to take place.

In the last post of this Folder Redirection series I will share some best practices tips.

• Folder Redirection – Part 5: Best practices (1)
• Folder Redirection – Part 3: Explanation of folder permissions (2)
• Folder Redirection – Part 2: Setting up your file server (0)
• Folder Redirection – Part 1: Introduction (0)
• Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (0)

Considerations for creating a good runbook include knowing when and how often it’s going to run, which steps to include, how it’s going to start, what data is passed along from activity to activity and what’s the end result as well as how you are going to report on the results? Good design includes handling failures and warnings of activities, clear naming conventions, using link colors wisely and splitting long and complex runbooks into parent and child tasks that pass data to each other. Establishing a good naming convention and an agreed upon folder structure will minimize confusion and exporting your runbooks regularly for backup purposes is prudent.

Permissions can be set at the individual runbook level or you can group runbooks together and control security at the folder level. Read permissions let a user run and view runbooks, write makes changing possible and with full control users can alter the permissions. Security can also be controlled at the IP level, for instance you could have three different configurations for connecting to a ticketing system to match permissions for level 1, 2 and 3 help desk staff. Orchestrator provides simple version control; once a particular user has checked out a runbook for editing, no one else can alter it until it’s checked in again.

To control what systems are targeted by a runbook you can use Computer Groups in Orchestrator and these in turn can be based on AD queries, ensuring that new Exchange servers end up in the right group for example.

An example Runbook that’s part of a set of SC 2012 runbooks recently published on Codeplex.

There are several types of logging to see how Runbooks and Orchestrator is doing, I find that turning on object level logging for a Runbook gives enough insight when I’m creating and testing Runbooks. There’s both a Real time log for currently executing runbooks as well as a historic log. For each runbook you can set logging to include the values of the Published Data; either Activity specific data and / or Common Published data. There are also the Audit Trail text log files that detail the interaction of Orchestrator with external systems; this is not enabled by default. Logging can add substantial amounts of information in your database, a scheduled job can either purge this data regularly or you can manually purge runbook logs.

You can set up a runbook to notify you when it takes longer to execute than a threshold you’ve specified as well as control how many instances of a specific runbook is allowed to run simultaneously. Be careful if your runbook has a modify counter activity not to run several instances at the same time. For robustness it’s also a good idea to have an activity early in a runbook that detects if there was an earlier instance of the runbook that was terminated (server crash or other mishap) so this can be handled smoothly.

A key consideration in automation is that when things “just happen by themselves” it’s crucial to keep an eye on the environment through monitoring and reporting; there’s an Orchestrator management pack for Operations Manager that’ll help in this regard.

In this part four of five we looked at best practices for runbook creation, in the next and final part we’ll look at extending Orchestrator with Integration Packs as well as how Orchestrator fits into the System Center 2012 suite.

• System Center 2012 – Orchestrator 2012 – Integration Packs (0)
• System Center 2012 – Orchestrator – Creating Runbooks (0)
• System Center 2012 – Orchestrator – Installation (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

At this point, you may have noticed that we didn’t give our users very many permissions on the Users folder. First and foremost, we made sure that one user can’t see inside of another user’s folder. It’s also pretty obvious that we don’t want to give users the ability to do things like take ownership, delete files/folders, or change permissions, but a few of the other missing permissions take a little more explanation.

First off, you don’t want users to have Create files/write data permissions or they can save files into the root of the shared folder. Since we’re redirecting folders, we only want the users to be able to create folders in the root Users folder, but not individual files. Once the user creates a folder named %username%, the CREATOR OWNER permission will take over (since it is a sub-folder of Users) and will give the account full control over the %username% folder and everything inside of it.

Second, List folder/read data is also missing because we don’t want users to be able to enumerate folders in the share. Here’s what it will look like to the end user if they try to go to \\fileserver\Users:

User can’t enumerate folders

However, if the user tries to go to \\fileserver\Users\%username%, he can see all of his folders:

User CAN see inside username folder

To the Administrator, you’ll still be able to see everything on the server:

Redirected folders on server

Why would you want to do it this way? The biggest reason is that we’re giving the user the ability to create folders in the Users share. That means that there is nothing to stop a user from creating a few hundred folders and then saving files into those folders inside of Users. By removing the ability to enumerate folders in the Users share, you eliminate the ability of the user to see what is in the folder. It doesn’t stop the user from being able to create other folders or copy data into them, but it makes is much more difficult to use should they decide to try.

The other big benefit you get is that users can’t see the other user account folders that are stored in the Users share. Can’t I do that with Access Based Enumeration? Yes… Access Based Enumeration will essentially hide any files/folders to a user that he/she doesn’t have permissions to see; but, it doesn’t solve the problem of the user being able to create new folders in your Users share. If you enable Access Based Enumeration and allow users to enumerate the contents of the share, they’ll just see their %username% folder and all of the other folders they’ve created there.

In the next post I will show you how to configure folder redirection in Group Policy.

• Folder Redirection – Part 5: Best practices (1)
• Folder Redirection – Part 4: Group Policy configuration (0)
• Folder Redirection – Part 2: Setting up your file server (0)
• Folder Redirection – Part 1: Introduction (0)
• Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (0)

I recently attended the Microsoft Management Summit in Last Vegas with 5,000 fellow admins and engineers who specialize in the System Center product line. In its 14th year, MMS is still a unique Microsoft conference for sysadmins in that it’s focused exclusively on systems management using a pure Microsoft stack.

Good News! If you missed MMS, nearly all the sessions and keynotes are free online at the Digital MMS site (over 150 hours worth!). If you want to take the videos offline, someone’s written a PowerShell script to download them. Common topics beyond System Center 2012 include Hyper-V, PowerShell, Windows 7 deployment, MDT, and many more.

When you see session ID’s like EC-B101 in this article, search that ID on the Digital MMS site to watch it.

System Center 2012 is now a suite of eight products, but licensed as one suite. Even though Microsoft would like you to think it’s one product, they are still deployed as separate server apps… that is, you don’t have to deploy all of System Center 2012 to use just one component:

• Configuration Manager (SCCM. getting started: CD-B207, what’s new: CD-B330)
• Operations Manager (SCOM, what’s new: FI-B317)
• Virtual Machine Manager (SCVMM, what’s new: SV-B206)
• Data Protection Manager (SCDPM, what’s new: FI-B405)
• App Controller (VMM self-service portal plus. intro session: AM-B305)
• Orchestrator (task/job automation)
• Service Manager (user service desk)
• Endpoint Protection (previously Forefront. what’s new: CD-B332)

The Private Cloud

Microsoft is claiming that if you implement most of these products, then you’ll be on your way to enabling the “Private Cloud” in your sever room. Checkout session SV-B308 where Young Chou details what the private cloud really entails, which I found enlightening. The key takeaway for me is that virtualization of your servers is just the first piece in making your own Cloud infrastructure. You also need:

• Self-Service (Limited number of clicks to deploy a new system, high level of OS and server app deployment automation)
• Resource Pooling (Standardization plus optimization plus systems management)
• Elasticity (Grow and shrink number of virtual machines based on demand)

If you’ve ever seen the 4 stages of the Infrastructure Optimization Model (Basic, Standardized, Rationalized, Dynamic) which is a way to rate the maturity of your systems and processes, then just know that Private Cloud likely starts in the Rationalized stage. If your shop spends most of your days controlled by support tickets (reactive), and it takes you a day or more to set up a new virtual machine, then you’re likely in Basic (hey we all start there). Implementing the System Center suite could be one of the steps you take to mature your IT org toward the more advanced and automated stages where system admin life gets easier.

A few popular sessions

Are you a SCCM guru? Then Configuration Manager “State of the Union” CD-B102 will catch you up, and they also pitted common scenarios in SCCM 2007 R3 against SCCM 2012 (spoiler: 2012 killed it). A little quirky and fun.

• For OS deployment, a good bet is to search sessions by Michael Niehaus and Johan “I write a script” Arwidmark.
• In the troubleshooting arena (a skill I am always trying to hone) you want to check out Laura Chappell’s SV-B407 “Top 10 Reasons the Network is Slow” for some Wireshark kung-fu, and CD-B347 Troubleshooting Windows 7 Deployments for a exhaustive list of MDT and SCCM log locations and tips by Ben Hunter.
• Vlad Joanvic and Matt McSpirit have a unique session “Understand How Hyper-V and System Center Stand Up against the Competition” AM-B323.

The key takeaway is that all these products are “better together” as Microsoft likes to say: Data Protection Manager uses Operations Manager as a Central Console for multiple DPM servers. Orchestrator makes heavy use of Service Manager and Operations Manager. Service Manager pulls data from Configuration Manager for support tickets and some automation. The list goes on and on.

Further learning

Microsoft has a Virtual Academy with a growing System Center syllabus of documents and videos.

“How do I evaluate System Center now?” you might ask. Microsoft has an Eval Center where you can download a trial of System Center 2012 and get a summary of all the pieces to this expanding puzzle. The bundled download includes a Unified Installer that lets you run the System Center suite installer on one server, and remotely installs the components on other servers. MS says the Unified Installer is only for simplifying test environment installs.

Each product requires its own Windows Server OS (or more) so you’re looking at a minimum of 9 (yep) lab virtual machines to test out the full suite. The User’s Guide and MMS Sessions FI-B330 “System Center 2012 Unified Installer” and FI-B328 “How to Build a Microsoft Private Cloud…” can help you out.

Have you been at the MMS 2012? Please share your impressions!

• Will Windows 8 be a mess or a success? Vista or Windows 95 successor? (14)
• The evolution of Microsoft certification (2)
• What does the ‘R2′ mean in Windows Server 2008 R2? (1)
• Windows 8: The PC is dead, long live the PC (5)
• Windows Server 2008 Certification – A quick guide (0)

VMware vCenter and ESX(i) monitoring – Veeam ONE Free Edition

If you’re working on a budget, you can take it for a test drive with no commitment. Unlike other quote on quote “Free” management application out there, Veeam ONE Free Edition does include all of the core functionality of the full version. Those Core capabilities include:

• Full Data Collection
• Multi-User support
• Microsoft SQL Server backend

Not to mention that it comes with 125 pre-built alarms for real-time monitoring and alerting. All of these alarms are tied to an extensive knowledge base that will help you troubleshoot and pinpoint the root causes of alarms and resolve any potential issues you may find. I highly recommend their built-in storage alarms. They can notify you of any possible capacity issues when V-Disks reach their configured limit, and another good one is their datastore load alarms that can notify of disk utilization of all hosts and VMs using a particular datastore. All alerts generated from these essential alarms can be routed via email and SNMP, ensuring the right people are notified not matter where they are.

VMware monitoring – Veeam ONE Free Edition

Another key function of the Veeam ONE is its ability to produce near real-time documentation of your entire virtual infrastructure. Once installed and configured Veeam ONE Free Editon will automatically discover your virtual environments, and then you can start churning up documentation on your topology and performance of your entire virtual infrastructure. This is often a necessary task that gets thrown on the back burner while we tend to other fires.

If that isn’t enough, why not whip out some reports for management that you can use to summarize your environments workload and utilization. If there is one thing I learned, it is that management likes pretty pictures of graphs and charts “metrics”. So, one way to really make them happy is to give them access to Veeam ONE’s customizable dashboard. It’s a web based interface, so it will be a snap for them to pop open a browser and enjoy all the goodness. It is customizable, so you can control what they see just in case you take the less information is better approach with management.

Veeam ONE Free Edition – Dashboard

It is free so there are going to be some limitations. You can go take look at the detailed difference on Veeam’s site Veeam ONE: Free vs Full, but here are some of capabilities that won’t be available in the free version unless you upgrade that I chose to highlight:

• Alarm modeling and custom alarms
• Full access to the knowledge base
• Management of guest, host and vCenter processes
• Historical change management beyond the most recent 24 hours
• Microsoft Visio reports for multipathing, network, vMotion and datastore utilization
• Automated report generation and distribution

If you do choose to upgrade to their full version, however, it’s just as simple as installing a purchased license key. You don’t have to reinstall the application or worry about losing your configurations and historical data.

Like I mentioned before there are no limits at all on the number of hosts, virtual machines, users, or your data archive. On top of that, they are also going to be adding full support of Microsoft’s Hyper-V in the 2^nd quarter of 2012 with Veeam ONE version 6. This will be huge and give customers a single management pane for both of their virtualized infrastructures.

Veeam ONE Free Edition

• Windows 8 Hyper-V (0)
• FREE: FrameFlow – Web-based Windows monitoring (1)
• Hyper-V cluster – Part 7: Custer Shared Volume and manage virtual machines (0)
• Hyper-V cluster – Part 6: Create a cluster (0)
• Hyper-V cluster – Part 5: Quorums and disk configuration (0)

Before you set up Group Policy for Folder Redirection, you need a properly configured file server. In my examples, I’ll be using Windows Server 2008 R2, but earlier versions will have the same settings, more or less.

The first decision you’ll need to make is on the share name. My preference is typically to use “Users” since we’ll be redirecting user folders. As an added step, you can make this a hidden share (by adding a $ to the end of the share name) if you think that is necessary for your file server. It is fairly easy for users to discover where their folders are being redirected. Personally, I’m not a big fan of hiding shares unless they are being used in DFS or there is another good reason to hide them; but, that is typically a personal (or organizational) preference.

Starting with the Sharing tab, you’ll want to share the folder by clicking the Advanced Sharing button. Click the “Share this folder” checkbox and the share name should fill in automatically. Caching should default to “Only the files and programs that users specify are available offline.” Click the Permissions tab. In Permissions, you can probably check the Full Control checkbox and OK, but make sure that works for your environment. If you provision Guest accounts or have users that don’t need access to the Folder Redirection share, consider limiting the share to Domain Users or smaller groups of users.

Share permissions

The easiest method for provisioning new folders for users is to allow the logon process to create all of the folders automatically as they are redirected to the file server. To do this, you’ll need to set the file permissions so that users can create folders, but not access the folders of other users. This can all be done in the GUI, but I prefer using the icacls.exe utility to set the file permissions for something like this so I can be sure I don’t miss something. Here are the commands you’ll need:

icacls.exe C:\Shares\Users /inheritance:d

This removes inheritance on the folder and copies the existing permissions. We want to do this for two reasons: first off, any permission changes to the volume or top-level folder will propagate down to your shared folder which we don’t want. Second, the default file permissions will give “Users” access to read everything in the folder… we don’t want that either.

icacls.exe C:\Shares\Users /remove:g Users

Remove “Users” access to the folder so that users can’t get nosey and go through other users’ files.

icacls.exe C:\Shares\Users /grant Everyone:(x,ra,ad)

• Give “Everyone” execute/traverse (x), read attributes (ra), and append data/add subdirectory (ad). After running the command, your permissions should look like this:
• Administrators (Full Control) – This folder, sub-folders, and files
• SYSTEM (Full Control) – This folder, sub-folders, and files
• CREATOR OWNER (Full Control) – Sub-folders, and files
• Everyone (Special – Traverse Folder/Execute File, Read Attributes, Create Folders/Append Data) – This folder only

File permissions

In my next post I will discuss folder permissions.

• Folder Redirection – Part 5: Best practices (1)
• Folder Redirection – Part 4: Group Policy configuration (0)
• Folder Redirection – Part 3: Explanation of folder permissions (2)
• Folder Redirection – Part 1: Introduction (0)
• Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (0)

Once you’ve worked through with the business which processes to automate the actual steps in Orchestrator are easy and the user experience is almost identical to Opalis. You drag Activities from panes on the right into your workspace. These activities are either Standard Activities (known as Foundation Objects in Opalis) that are available out of the box or they come from Integration Packs (IPs) that you’ve installed.

You then configure each activity to accomplish what you want and link the activities together, taking into account branching for different outcomes. Activities can also take into account variables and counters that you’ve configured as well as perform manipulation of data; this is then passed onto the next activity on the shared data bus as Published Data.

Once you have created a runbook you’ll want to test it and the Runbook Tester provides the ability to debug, including setting breakpoints. Be aware that the Tester isn’t a simulated environment, the activities are actually executing on your live data. Another gotcha is that runbooks run under your account in the Runbook Designer but in the Tester they run under the Runbook Server service account.

The Runbook Tester lets you step through your runbooks activities and make sure it’s all working as expected. Remember, it’s a live environment, not a simulated test!

Standard Activities are available for system process and SNMP, scheduling, monitoring, file management, email and other notification options along with utilities for invoking web services or querying databases. For Linux integration Orchestrator comes with standard activities for Telnet and SSH workflows. The .Net script activity can run scripts in VB.Net, Jscript, C# and PowerShell.

The links between activities can be formatted with colors and widths as well as letting you control the data that flows between activities with Include and Exclude options (with the latter taking precedence over the former) to filter out data for the next activity. For branching logic you can control what happens for success, warning and failed conditions in activities. You can also use regular expressions to filter the output data as well as perform functions and calculations on numerical values. Activities can be looped with precise control over the exit condition.

Runbooks can be scheduled with control over when they’re allowed to execute (perhaps some should never execute during business hours), and each Runbook can be associated with a particular schedule. Within a runbook, you can use the Check Schedule activity to retrieve time data for individual activities. Monitors are a type of activity that waits for a particular event to happen to start the processing of a runbook and these runbooks “run” continuously, waiting for the event to happen.

In this part three of five we looked at the steps involved in creating runbooks, in part four we’ll cover permissions for runbooks as well as best practices for creating them.

• System Center 2012 – Orchestrator 2012 – Integration Packs (0)
• System Center 2012 – Orchestrator 2012 – Runbooks best practices (0)
• System Center 2012 – Orchestrator – Installation (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

If you’re like me, you’ve probably gotten a frantic call from a customer because they have a computer that won’t boot and they have irreplaceable files on their local hard drive. Try adding clicking or grinding sounds coming from that computer along with no recent backup to the mixture. Sound familiar? That combination can add up to a very upset customer and possibly a very expensive bill if you have to get data restored from that failed hard drive.

The good news is that there is something you can start doing today to start combatting that problem: Folder Redirection in Group Policy. To get started with Folder Redirection, you’ll need to be running Active Directory (any functional level), have an available file server, and a management station running the Group Policy Management Console. As with most Group Policy, the latest version of the GPMC is preferred, but most of these settings are available in older versions.

So what exactly does Folder Redirection do? Folder Redirection takes common user profile folders from C:\Users (or C:\Documents and Settings\ in Windows XP) like the Desktop or Documents and puts them on a UNC path instead of the local hard drive of the computer. I

In addition to the immediate benefit of having that data on a file server that is much easier to keep backed up, the user also gets the benefit of being able to go to multiple computers in your organization and still have access to their data. Using the default Windows settings and the default share settings on your file server, these redirections will be even made available offline automatically for your users. (Don’t worry, this can be controlled separately in Group Policy, which we’ll cover in a later article.)

Documents Redirected in Windows 7

In the GPMC, the Folder Redirection settings can be found in User Configuration > Policies > Windows Settings > Folder Redirection. If you’re using the GPMC in Windows XP, you can redirect Application Data, Desktop, My Documents, and the Start Menu. In addition, folders in Windows XP that are inside the My Documents folder like My Music and My Pictures will follow My Documents when it is redirected.

GPMC in Windows XP Showing Folder Redirection

If you’re using the GPMC in either Windows 7 or Windows Server 2008 R2, you’ll see that the list of folders that can be redirected is much longer. AppData (Roaming), Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites, Contacts, Downloads, Links, Searches, and Saved Games can all be redirected in Vista, 7, Server 2008, and Server 2008 R2.

GPMC in Windows 7 Showing Folder Redirection

In the next post of this series I will explain how to set up Folder Redirection.

• Folder Redirection – Part 5: Best practices (1)
• Folder Redirection – Part 4: Group Policy configuration (0)
• Folder Redirection – Part 3: Explanation of folder permissions (2)
• Folder Redirection – Part 2: Setting up your file server (0)
• Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (0)

Orchestrator 2012 Overview

Orchestrator is made up of the Runbook Designer, where IT Pros create runbooks by dragging activities into the workspace, configuring and linking them, in a similar way to how Visio works. The Runbook Server is the central hub that runs the actual tasks, the Orchestration Console is a web based interface that tracks the execution of runbooks and the new web service lets you access Orchestrator functionality from other programs. The Deployment Manager is used for registering Integration Packs (IPs) as well as deploying them to your runbook servers.

The Orchestration Console, for checking on Runbooks and their statistics as well as executing of runbooks by non-administrators.

Orchestrator caters for different roles of people in IT organizations; IT Professionals will spend their time in the Runbook Designer (known as the Operator Client in Opalis) creating workflows whereas IT Managers will visit the Orchestration web console (known as the Operator Console in Opalis) to check statistics on how the runbooks (known as Policies in Opalis) are performing. Certain end users might approach Orchestrator as a one button “fix” for something – running a clean-up job in an ERP system for example– again through the Orchestration console. Developers on the other hand use the Orchestrator Integration Toolkit (known as the Quick Integration Kit, QIK, in Opalis) to create custom activities and Integration Packs to integrate with other systems.

Orchestrator lets you connect to web services and systems across platforms and then execute system level tasks in those systems or execute scripts (PowerShell, .NET, Jscript, VB etc) and then communicate results via email or published notifications.

Scalability for Orchestrator is difficult to gauge, the overall rule is that if you expect to have more than 50 runbooks executing concurrently, you need another server as the jobs will queue up. You can create a very processor and memory intensive runbook with only a few activities or a very light runbook with many complex tasks involved, it all depends on exactly what the runbook does. Specific runbooks can be assigned to a particular server if necessary. As your IT team come to rely more and more on Orchestrator you’ll definitely want to add more Runbook servers (called Action servers in Opalis) to provide availability. When a Runbook server is unavailable, runbooks will automatically run on the next available server.

There’s a bit of overlap between the Service Manager 2012 (SCSM) and Orchestrator 2012 products but the way to understand the difference is that SCSM is all about automating and standardizing business processes whereas Orchestrator is about IT processes and workflows.

Installation of Orchestrator 2012

You need a machine with at least 1 GB of memory, 2 GB or more is recommended, with a dual core CPU, and at least 200 MB of free disk space. All components require Windows Server 2008 R2; you also need to have IIS (for the Orchestration Console); the install program can enable this automatically, along with .NET Framework 3.5 SP1. You also need to install .NET Framework 4. Orchestrator requires a SQL 2008 R2 database, either local or remote. Finally the Orchestration Console relies on Silverlight 4 which you’ll be asked to install the first time you open the Console if it’s not installed. The Runbook Designer can be installed on a Windows 7 client as well as on the server.

As in the other System Center 2012 installers, Orchestrator comes with a pre-requisite checker and a simple installer that makes installation a snap.

For old hands with Opalis 6.3 the installation is a lot smoother, compared to the many steps involved in downloading the Java components / JBoss for the Opalis installation. If you already have Opalis in your environment the “upgrade” to Orchestrator 2012 is a matter of exporting your runbooks from Opalis and importing them into Orchestrator.

In this second part of five in the overview of Orchestrator 2012 we looked at the components of Orchestrator and the installation experience. In part three we’ll look at the steps involved in creating Runbooks.

• System Center 2012 – Orchestrator 2012 – Integration Packs (0)
• System Center 2012 – Orchestrator 2012 – Runbooks best practices (0)
• System Center 2012 – Orchestrator – Creating Runbooks (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)