4sysops

Windows Performance Toolkit – Download and install

Joseph Moody — Fri, 17 May 2013 15:31:31 +0000

Joseph Moody is a desktop administrator for a public school and help manage about 5,500 computers. I specialize in Active Directory, Group Policy, and software deployment.

The Windows Performance Toolkit allows Administrators a keen insight into the startup and login process. In this four part series, we will dive into these tools and fix common performance issues. Part 1 covers downloading and installing the Windows Performance Toolkit.

Ever heard this one, “My computer is slow.” Or how about, “It is taking forever to login.” If you answered no to either of those comments, I envy you! These issues are incredibly frustrating to fix because of the lack of data. Most of the time, you are lucky to get an error code or a log. Instead of brushing these complaints off as user perception or older hardware, let’s dig into some troubleshooting and use the Windows Performance Toolkit!

Download

In the days of old, every single troubleshooting tool (almost) always had its own download and separate installation. Thankfully, Microsoft has combined (almost) all of the tools needed for client Assessment and desktop Deployment into a single Kit named Windows ADK. You can download the Windows ADK here.

Installation

After launching the ADK setup, proceed to the feature selection screen. If you are only using the Performance toolkit, just select the Windows Performance Toolkit option. In my environment, I find that I use the Windows Assessment Toolkit quite a bit as well so I also install it as a default option.

Installing the Windows Performance Toolkit

As a note, if you followed our Deploying Windows 8 Series – you might already have ADK installed. It is perfectly fine to run the Deployment Tools, ACT, or any of the other ADK features with the Performance toolkit.

Now that you have the Windows Performance Toolkit installed on your management machine, you will also want to install it on a test client that exactly mimics your organization. This test client, preferably a virtual machine, is about to undergo a lot of changes!

WPR, WPA, WHY so many acronyms?

After installation, you will now have a few new tools at your disposal. The first tool is the Windows Performance Recorder (WPR).

The Windows Performance Recorder tool

This tool has been streamlined and replaces the functionality of two past tools: Xpref and Xbootmgr. Because a lot of existing performance documentation still reference these two obsolete tools, it is important to substitute WPR in their place.

You will use WPR to capture performance related issues on client machines. Most of the time, we will use the Reboot Cycle performance scenario to test clients. After our information has been captured, WPR will save and compress that information into a single trace file. This file is normally has an .ETL extension.

Your second main tool is the Windows Performance Analyzer (WPA). This tool will be ran on your management machines. Although you can run it on a client, you’ll likely get improved performance on administrative machines (and will find the graphs easier to read).

Let’s launch WPA and see what we get:

Windows Performance Analyzer after first launch

Not much to see here! That’s is because we have to open a trace first. After opening a trace file, we get:

The Windows Performance Analyzer with a Trace Opened

Much more informative! On the left, we have our graph explorer. This areas are broken up into four categories. The first category, System Activity, includes graphs for Services, Processes, phases, etc. It is our high level center where your initial troubleshooting will take place. The next four categories, Computation, Storage, and Memory, address potential resource bottlenecks. The Computation center shows graphs related to CPU usage, Storage shows hard drive/write usage, and memory – well, show memory usage. Later, we are going to look at specific graphs in a lot more detail.

In Part 2, we are going to create a baseline trace and start troubleshooting a slow startup! If you have any questions at all, just leave us a comment.

Related

SCCM 2007 Client Troubleshooting – Part 9: R3 Client Power Management

David Stein — Thu, 16 May 2013 19:52:06 +0000

David Stein - 0 comments

David is an author and consultant, working for Endurance IT Services in Virginia Beach, Virginia, specializing in Microsoft enterprise systems and Business Process Automation.

Configuration Manager 2007 R3 introduced new Power Management features for gaining greater control over device power consumption. While Group Policy provides a fairly robust range of power management options, the additional capabilities 2007 R3 provided add more granularity and flexibility with respect to scheduling and dynamic level control than Group Policy settings alone.

Symptoms

Computers are not adjusting power settings in accordance with expectations

Potential Causes

Client doesn’t have required hotfix KB977384 installed (for Windows XP, Vista, Windows 7), or KB2750782 (for Windows 8)
Minimum Operating System requirements are not met
Conflicting AD Group Policy settings
Incorrect or incompatible BIOS settings
Users power off their computer when leaving work (if WOL is not in use)
Users locking computers with CPU-intensive tasks running overnight

Suggestions

Verify that your clients are at least Windows XP Service Pack 3 or newer. While you can install the Client on Windows 2000 SP4 and above, Power Management features are only available starting with Windows XP SP3.

Verify needed hotfixes and updates are installed.
Review Group Policy settings. Use GPRESULT to generate a report to help trace what policies and policy settings are being applied.
Verify that the device hardware model firmware supports Power Management features
Instruct and re-affirm company-wide policies regarding leaving computers powered on, but logged off, when leaving work each day (or whatever your standard policy happens to be). Communicate it until you’re confident every employee knows what they’re supposed to do. Those that refuse to comply can be dealt with later.
If certain users, or teams of users, are identified as commonly needing to run CPU-intensive tasks overnight, work with them to designate special computers to use and develop custom GPO settings, OU locations and Power Management policies to find a suitable compromise.

Helpful links

Related

Announcing the 4sysops forums

Michael Pietroforte — Wed, 15 May 2013 15:20:52 +0000

Michael Pietroforte - 0 comments

Michael Pietroforte is a Microsoft Most Valuable Professional (MVP) with more than 28 years of experience in system administration.

Today I am excited to announce the 4sysops forum. This post will outline how the new forum for IT professionals differs from forums in other IT communities.

I often receive questions from readers about IT problems, even though I wrote in big letters above the contact form that we can’t give support in emails. I hope that these desperate admins will now ask their questions in the forum and that the 4sysops community will help them.

4sysops Forums

The 4sysops forums differ from other forums in a few ways that you should know about before you start posting. First of all, this forum is for IT professionals only. There are plenty of other forums for end users, and I think it’s important that we stay focused.

This is the only forum rule so far. The rest is open for discussion; I think you already guessed that I created a forum where the community may create their own forum rules. However, the purpose of the 4sysops Community forum is not just about rules. You can use this forum to discuss all kinds of things about 4sysops. For instance, you can make topic suggestions for the blog, ask for new features, complain about things you don’t like, or praise and commend those things you like. If there are enough supporters for a certain suggestion, I will do my best to fulfill the wish.

You can support forum posts by replying to suggestions from others and/or by clicking on the thumbs up symbol. Posts you don’t like deserve a click on the thumbs down icon.

Rate this post

Another difference from other forums is that there are only two 4sysops forums: the 4sysops Community forum I mentioned above and the IT Administration forum. The reason why I didn’t create different forums for different categories, such as Windows Server, Windows Client, System Center, Active Directory, etc., has to do with the experiences I had in other forums.

This situation has probably also happened to you. You post an urgent question and are delighted when only a few minutes later someone replies. The big disappointment is that all you got was an unfriendly complaint from a clever clog that you posted your question in the wrong forum.

In IT, it is often not clear which categories many topics belong to because of the ever-increasing complexity and the fact that everything is intertwined with everything else. If you have a problem on a Windows 8 machine in your network, often a server is involved and several server roles or even a third-party application could be the cause of problem.

This brings me to my second reason why I only created one IT support forum. I don’t want to limit the types of topics at this point. That means that 4sysops is not limited to the Microsoft world. You can ask questions about third-party applications or non-Windows operating systems, cloud management, mobile device configuration, or whatever bothers you as long as it is related to corporate IT management. Creating categories for all those possible forums in advance could be difficult.

The danger of having no clear structure is, of course, that at some point things might get confusing and moderators and committed community members might find it difficult to follow only the topics they are interested in. For this reason, we have what I call “sub forums.” The difference between a regular forum and a sub forum is that a certain post may not belong in just one forum but can appear in multiple sub forums.

Sub Forums

Sub forums are actually tags. You can assign a sub forum at the end of a post. Above the corresponding form field, you will see sub forums that have been used by other members. Keep in mind that whenever you enter a new tag, you actually create a new forum. So please be cautious here. Moderators might change the sub forums you assigned to keep the number of forums as small as possible.

It will probably take a while anyway until the sub forums become important. In the beginning, it should be easy to keep track of what’s going on because there won’t be many posts. This sub forum idea is just an experiment. If it doesn’t turn out well, and if the community wants to have category-based forums, then we can change the structure at any time.

Aside from following the sub forums, you can also subscribe to certain topics if you want to receive an email whenever someone posts a reply. All the posts you subscribed to are listed in your profile. You can unsubscribe at any time. You can also “favorite” a topic to keep track of interesting topics. In this case, the topics will just be listed in your favorite folder, but you won’t receive emails about updates.

Subscribe to a topic

Notice that this favorite feature is in no way related to the rating system (thumbs up and down). By the way, you can not only see how a post (topic or reply) was rated, you can also see how the community rated certain members (by rating their posts) below the avatar on the left hand side.

Another feature you might have seen in other forums is that support questions can be marked as resolved. This can be done by the member who created the topic or by a forum moderator.

Topic resolved

There are a few other features that I didn’t mention today, but I guess you will figure them out.

Since you have read my somewhat lengthy announcement this far, you may share my excitement or are at least not uninterested in participating in the 4sysops forum. You now have the chance to become one of the founding members and help create this community. Registration is now open!

Please note that the forum is currently in beta mode.

Related

How to install File Services on Server Core

Sander Berkouwer — Tue, 14 May 2013 12:52:50 +0000

Sander Berkouwer - 0 comments

Sander Berkouwer is a Microsoft Certified Professional and a Microsoft Most Valuable Professional (MVP) with over a decade of experience in IT.

While you’d think Microsoft is luring organizations into using their cloud services as the main method for sharing files, most organizations have no need to share files beyond their organization’s borders or to access files in a web browser; as such, most organizations rely on file servers to share files among their employees. Today, I’ll show you how to transform a Server Core installation into a Dynamic Access Control-aware file server.

Both file sharing and the File Server role have been an integral part of Server Core installations since their first inceptions.

In fact, Server Core installations have always been, by default, able to act as file servers after you configure the built-in firewall to allow SMB traffic. This way, you will end up with a functioning file server; however, I would only recommend doing so to transfer files, programs, and utilities to your Server Core installation. If you truly want to benefit from a Server Core installation, install some File Server Role Services on it.

Overview of File Services in Server Core

Just like the Certificate Services Server Role in the previous article, the File Server Server Role offers a couple of Server Role Services in two distinct categories:

File and iSCSI services
- File Server
  The File Server Role Service allows you to manage file shares and enables users to access files on Server Core installations, from the network, using the Server Message Block (SMB) protocol.
- BranchCache for Network Files
  BranchCache is a technology that allows computers in branch offices to cache commonly downloaded files from file and web shares on which BranchCache is enabled, and then provide those files to other computers in the branch office. The BranchCache for Network Files Role Service offers the caching functionality for file shares.
- Data Deduplication
  Installing and configuring the Data Deduplication Role Service helps save disk space by storing a single copy of identical data on an NTFS-formatted volume.
- DFS Namespaces
  DFS Namespaces enable you to group file shares that are located on different servers into one or more logically structured namespaces based on DNS names.
- DFS Replication
  DFS Replication is used to replicate data between multiple servers over limited-bandwidth network connections and local area network connections.
- File Server Resource Manager (FSRM)
  This Role Service enables scheduled storage reports, file classification, file quotas, and screening policies. It is a prerequisite for Dynamic Access Control (DAC).
- File Server VSS Agent Service
  If you’re looking to perform volume shadow copies of applications that store data files on your file server, you’ll need this Role Service.
- iSCSI Target Server and iSCSI Target Storage Provider (VDS and VSS)
  The iSCSI Target Server Role Service enables your Server Core installation to serve data on the iSCSI protocol. The iSCSI Target Storage Provider (VDS and VSS) Role Service allows for remote management through standard programs and for performing volume shadow copies.
- Server for NFS
  If you’d like to share files with UNIX-based computers and other computers that use the network file system (NFS) protocol, this Role Service is for you.
Storage Services
This Role Service enables basic file sharing and remote and local storage management functionality. In addition, it allows for creating storage pools and storage spaces.

By default, the Storage Services Role Service is the only File Server Role Service installed. This explains the ability to access the hidden and administrative shares (for example, C$) on your Server Core installation.

How to install File Services in Server Core

Before you can install any of the File Server Role Services, you’ll need to install the File and iSCSI Services Role Service. This can easily be done by running the following PowerShell one-liner (start off by typing PowerShell first, to get the PowerShell prompt):

Install-WindowsFeature File-Services

This way, the File Server Services Role (FS-Fileserver) will automatically be installed and the Windows Firewall will be configured to allow SMB traffic. Optionally, you can install one of the other Server Role Services. The table below shows the Role Service names you can use in combination with the Install-WindowsFeature PowerShell cmdlet:

File and iSCSI Services Role Description	File and iSCSI Services Role Feature Name
BranchCache for Network Files	FS-BranchCache
Data Deduplication	FS-Data-Deduplication
DFS Namespaces	FS-DFS-Namespace
DFS Replication	FS-DFS-Replication
File Server Resource Manager	FS-Resource-Manager
File Server VSS Agent Service	FS-VSS-Agent
iSCSI Target Server	FS-iSCSITarget-Server
iSCSI Target Storage Provider (VDS and VSS)	iSCSITarget-VSS-VDS
Server for NFS	FS-NFS-Service

Configuring File Services on Server Core

The following three scenarios show you the possibilities of the File Server Role on Server Core installations of Windows Server 2012:

Creating a basic file server

One of the easiest things to do is create a basic file server. In fact, you have already done that by installing the File and iSCSI File Services Role Service above.

Now, to create some file shares for users, you could fire up Computer Management (compmgmt.msc) or the shared folders MMC Snap-in (fsmgmt.msc) from a Windows 8 or a Server with a GUI Windows Server 2012 installation. Alternatively, you can create folders and shares from the command line.

For instance, to create a folder on the E:\ NTFS-formatted volume, give the built-in group Authenticated users “modify NTFS” rights, and share it as Groupdata with modify permissions on the share, use the following commands:

md E:\Groupdata icacls E:\Groupdata /grant "Authenticated Users": (OI)(CI)(M)

PowerShell

New-SmbShare -Name Groupdata -Path E:\Groupdata -FolderEnumerationMode AccessBased -CachingMode Documents -EncryptData $True -FullAccess Everyone

How to create a file share

Oops. By using the New-SMBShare cmdlet, I already created a share with a couple of advanced features like Access-Based Enumeration (ABE), the caching mode, and encryption requirements for the SMB traffic. See how easy that is!

Creating a DAC-aware file server

One of the neat new features of Windows Server 2012 is Dynamic Access Control. DAC allows you to grant access to files and folders, based on attributes of a user’s account in Active Directory or the account of the computer that user is working on.

First, if you haven’t already done so, you will need to make your file server a member of the Active Directory domain. Then, you will need to install the File Server Resource Manager File Server Role Service. The following PowerShell command is particularly useful (and short) to use for this purpose:

Install-WindowsFeature FS-Resource-Manager

Now, you can plan and create your Central Access Policies and automatic file classification, and roll out all this new stuff to your Server Core-based File Server through Group Policies. More information can be found here.

Enabling data deduplication on a file server

Another cool feature that’s new in Windows Server 2012 File Services is data deduplication. This feature allows you to cut up files into storage chunks, store identical chunks of data in the Storage Information folder of an NTFS-formatted volume, and then link to these identical chunks from multiple files, which drastically reduces the storage used over time.

To use this feature, first we’ll need to install the role service. The following PowerShell command will do exactly that:

Install-WindowsFeature FS-Data-Deduplication

Now, we only have to configure the data deduplication policy for the volume. In the example below, we’ll enable data deduplication on E:\ using PowerShell with default settings (you can change these with Set-DedupVolume afterwards):

Enable-DedupVolume E:

To get things rolling, we’ll run the following PowerShell command to start deduplication:

Start-DedupJob -Volume E: -Type Optimization

Enable data deduplication

Concluding

The File Server Role in Server Core installations of Windows Server 2012 is a very modular Server Role, allowing you to create highly available, highly performing File Servers, iSCSI target servers, and NFS servers.

Related

Fixing Microsoft Surface shortcomings

Joseph Moody — Mon, 13 May 2013 17:33:14 +0000

Joseph Moody - 0 comments

Joseph Moody is a desktop administrator for a public school and help manage about 5,500 computers. I specialize in Active Directory, Group Policy, and software deployment.

Microsoft Surface has received a few consistent complaints about shortcomings such as poor battery life and limited storage. In this post I will outline a few fixes that prepared Microsoft’s tablet PC for our corporate environment.

Fix 1: Get Surface Pro

As most know, the Microsoft Surface comes in two models: Surface RT and Surface Pro. Both of these models come with two configurations for storage (32GB/64GB for the Surface RT and 64GB/128GB for the Surface Pro).

Microsoft Surface Pro

Personally, I am not really a fan of RT. It seems like a compromise. If I wanted to compromise, I would buy an iPad. So the answer for me was pretty simple. In our corporate environment, we need devices that can be traditionally managed (joined to the domain) and can keep up with other portable machines (in processing, memory, and storage). In adopting the Surface, our goal wasn’t to add another device to our arsenal but to combine the best of a laptop and tablet. These guidelines ruled out the Surface RT for us.

But what are the actual differences?

	Surface RT	Surface Pro
OS	Windows RT	Windows 8 Pro
Office PreInstalled?	Yes	No
CPU	NVIDIA Tegra 3	Intel Core i5
Memory	2GB	4GB
Storage	32GB/64GB	64GB/128GB
Resolution	1366 x 768	1920 x 1080
Weight	1.5 lbs	2 lbs
Battery Life	8 hours	5 hours
Pen	No	Yes
External Display	HD Video Out	DisplayPort
USB	2.0	3.0

Obviously, the Surface Pro “fixes” quite a few shortcomings of the Surface RT. Thus the Surface Pro is the obvious choice for a corporate environment.

Despite quite a bit of praise, the Surface Pro has received a few consistent complaints. The biggest two are:

Poor battery life compared to other similarly sized devices.
Smaller amount of storage than was anticipated

Fix 2: Extend battery life

Note that the battery life is compared against similarly sized devices – not similar preforming devices. Spec for Spec, a shiny device with a fruit logo just can’t compare.

The battery life on the Surface Pro isn’t the greatest though. Microsoft’s initial configuration doesn’t provide the best out of box power savings though. This is because the default power plan is set to balanced instead of power saving.

The default power options on the Microsoft Surface Pro

In my very informal test, I got 35 minutes of extra life just by switching plans. By changing the advance options on the Power Saver plan (such as decreasing the sleep timeout or the processor power management), I got an additional 10 minutes on the second timed run. That is a total battery life of 5 hours and 45 minutes. Not bad at all for what is essentially a powerful PC and a post PC in one device!

Fix 3: Enhance storage

The fix for the limited storage is actually pretty easy (and fun) to fix. A quick way to gain 8GB of space is to remove the recovery drive on your Surface and to stick it on an extra USB drive!

To remove the recovery partition, search for “Create a Recovery Drive” from the Start Screen. Once the wizard has started, select Copy the recovery partition from the PC to the recovery drive.

Create a recovery drive. You will need to plug in a USB drive before doing this.

After the wizard has successfully copied the recovery drive off, you can either check the corresponding Delete Recovery Drive box or use DiskPart with the override command. You will then need to extend your primary partition using disk management.

Notice the extra 8GB that I now have on the C drive.

Fix 4: Keyboard shortcomings

In my view, Microsoft should have ate the cost and threw in the keyboard/cover for free. As a standout feature and essential component for a laptop replacement, it should be included with the Surface (or at least the Surface Pro).

Personally, I found choosing between the Type and Touch cover more difficult than actual Surface models. If you haven’t played with either keyboard (or still care for physical keyboards for tablets/phones), you would probably be more comfortable with the Type keyboard. I went with the Touch keyboard. While decent on it, I still find myself more comfortable with the tactile feedback a type (or physical) keyboard provides.

A few other complaints floating around include the lack of Function Keys (F1-F12) in the touch keyboard, keyboards breaking. So far, Microsoft has been pretty steady in replying (or fixing) those issues. For example, while unlabeled, you can now press FN + a top shortcut key to enter a Function Key. Although it might be odd to press FN + Search to press F5, it is still a nice feature to have.

Conclusion

The Microsoft Surface is a great piece of hardware that in my opinion is capable of replacing a desktop, laptop, and tablet. If you have a Surface, what do you think of it? Has it added or reduced the devices you have?

Related

Upgrading vCOps 5.6 to 5.7

Jim Jones — Fri, 10 May 2013 19:22:50 +0000

Jim Jones - 0 comments

Jim Jones has been a Windows/Network/Voice Systems administrator for over a decade and currently works as a Sr. Network Administrator in West Virginia, USA.

Last month the fine folks at VMware released an upgrade (5.7) of vCenter Operations Manager (vCOps) 5.6 that we discussed in the last article.

After going through the update process and looking at how VMware has been working its way towards using a web interface for all of its management components instead of the VI client I can only hope that this is how all of these components will be updated in the future. In this article we’ll first look at the new features of 5.7 and then walk through the update steps from version 5.6.

vCOPs update package

vCOps 5.7 features

In our last article we focused on the included, Foundation edition of vCOps. Unfortunately, if that is the edition that you are running (like me) you are not going to be able to make use of the bigger features of this update. What Foundation 5.7 will get you is greater browser support (adding all current versions of IE, Firefox and Chrome), security hardening of the vApp, and the ability to scale vCOps to be able to cover over 10,000 Virtual Machines. As an avid Chrome user I’m pleased by the browser support entry these aren’t anything to write home about.

With all of the paid editions of vCOps what you do get is some great abilities in terms of capacity management. First off you now have the ability to create policies which define thresholds and then apply them to clusters, hosts, VMs, etc. These policies can cover anything from VM CPU usage to network throughput. There are quite a few out of the box policies defined that you can then assign that will cover most everybody’s needs but you also have the capability to create your own.

These policies can now in turn be used for actual management. If a threshold for given host or datastore is exceeded vCenter has the ability to restrict admittance of any new VMs to the managed object until the metric falls below maximum level.

Finally for the Advanced and Enterprise edition crowd there are also new and updated widgets. Widgets in the vCOps world are little boxes for your dashboards that can show more refined pieces of information in a visual manner. Further these levels also now get greater import and export ability.

Upgrading vCOps

So remember in the last article how you went to the vSphere download page and selected the .ova file for vCOps 5.6? Now is when you are going to want the other option, the .pak file. Updates are always done with PAK Updater files. Once downloaded you’ll need to get into the admin page of your main vCOps server which can be accessed at https://IP OF VM/admin. Enter your admin credentials and select the update tab. Here you’ll need to browse to where you download the PAK file and then click the update button. It will then proceed to upload the file for you. Finally, after you accept the EULA and say you really do want to update the updater will take it from there. Once done it will present you with the screen above showing all the component’s status. That’s it!

Related

SCCM 2007 Client troubleshooting – Part 8: Internet Client installation

David Stein — Thu, 09 May 2013 19:32:51 +0000

David Stein - 0 comments

David is an author and consultant, working for Endurance IT Services in Virginia Beach, Virginia, specializing in Microsoft enterprise systems and Business Process Automation.

Internet Clients can be particularly difficult to troubleshoot for several reasons. Foremost, they are usually off-site, so that can present logistical challenges.

Also, because the client agent is essentially identical to an “internal” client agent, you have to perform all of the same diagnostic steps as you would for any other client, in addition to the additional layer of issues inherent with managing a computer outside of your internal network environment.

I will freely admit this is not my strongest area within the Configuration Manager realm. For that reason, I reached out to my customers and colleagues to gather their headaches.

Configuration Manager Properties – Internet

Symptoms

Remote / Off-site devices are not reporting in or showing in the Management console
Remote devices are not getting policy updates, or software installations
Remote devices begin falling out of inventory due to aging records

Potential causes

Based on my experience and learning from customers, the vast majority of Internet-Based Client Management issues are related to one of three basic problems:

Corrupted or Missing Client PKI certificate on Client computer
Improperly configured or faulty PKI environment (also in DMZ)
DNS configuration or publishing issues (in DMZ as well)
Network Connectivity or Firewall configuration issues
The Site Server isn’t joined to an AD domain
Site Server Shares exist on the Site server system managing Internet Clients
Missing or Unavailable CRL in perimeter network (DMZ)
Not testing thoroughly before going to production!

Suggestions

Having a properly-configured, reliable and available PKI environment is essential to both Native Mode operations, as well as Internet Client management. But because PKI is so intertwined with DNS and Active Directory, I would usually start by eliminating the obvious: DNS. The familiar tools like NSLOOKUP and PING, or PATHPING, can be very helpful in diagnosing the most basic DNS configuration or functional issues.

Verify Internet connectivity from remote clients
Verify Name Resolution from outside your network (DNS)
Verify PKI certificates are properly configured, provisioned and installed

Helpful links

Related

FrameFlow MSP – Windows-based server monitoring

Timothy Warner — Wed, 08 May 2013 19:29:15 +0000

Timothy Warner - 0 comments

Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN.

FrameFlow MSP is a Windows-based server monitoring solution that is aimed at managed service providers (MSPs) in multi-site environments. By leveraging standard ports and industry standard protocols, FrameFlow enables network managers to centralize and report on administrative data from Windows servers, Linux servers, and SNMP-compatible routers and switches.

This post was sponsored by FrameFlow.

FrameFlow is a Canadian solutions provider that makes an enterprise server monitor application called, reasonably enough, FrameFlow Server Monitor. FrameFlow Server Monitor is a compact ASP.NET Web application that provides systems administrators with the following server monitoring features:

Dashboards: These are easy-to-read data summaries that provide at-a-glance insight into system status. You can see a representative FrameFlow Dashboard below.

Dashboards provide at-a-glance status info for entire sites or individual servers.

Event Monitors: FrameFlow includes over 65 different types of event monitors that run the gamut in aspects of system performance. Some representative categories of FrameFlow server monitors are the following:

Web site monitoring
Active Directory monitoring
Disk and file monitoring
Virtual machine (VM) monitoring
CPU and process monitoring

Because FrameFlow uses Windows authentication and Windows Remote Management (WinRM) among other standard protocols, you can easily perform remote management on connected agent systems. For instance, the screenshot below shows you the Virtual Command Line feature in action:

FrameFlow enables you to capture a remote command prompt session directly from the Web console.

Reports: FrameFlow gives administrators wide latitude in generating report data. In addition to simply scanning the intuitive Web-based interface, you can also generate PDF or HTML reports for offline analysis.

Alerting: In my opinion, a systems monitoring application is only as good as its ability to proactively alert you when something goes wrong. FrameFlow provides a wide variety of alerting options, including:

SMTP e-mail
SMS text message
Telephone voice mail

About FrameFlow MSP

Wikipedia defines a managed service provider, or MSP, in the following manner:

A managed services provider (MSP) is typically an information technology (IT) services provider that manages and assumes responsibility for providing a defined set of services to their clients either proactively or as they (not the client) determine that the services are needed. Most MSPs bill an upfront setup or Transition and an ongoing flat or near-fixed monthly fee, which benefits their clients by providing them with predictable IT support costs.

To that end, FrameFlow extended the functionality of their FrameFlow Server Monitor for larger shops and MSPs. This version of the software is called FrameFlow MSP.

Here’s the point: if you are a managed service provider, you are providing IT services for your customers. To that end, you are bound by service-level agreements (SLAs) that incur penalties for system downtime. If you don’t have a solution in place to give you immediate insight into monitored servers, then your business model is at grave risk.

All of the core functionality in FrameFlow Server Monitor is contained within FrameFlow MSP. However, MSP includes features intended for multi-site organizations with potentially thousands of monitored systems.

As you can see in the screenshot FrameFlow MSP operates by using the following workflow:

FrameFlow MSP is the multi-site variant of FrameFlow Server Monitor.

Master Console: This is the primary installation of FrameFlow software, and is normally placed in a headquarters location. It’s important to note that the resources footprint of FrameFlow is so low that you can install the software on your administrative workstation.

Monitoring Node: The idea is to install a local instance of FrameFlow MSP at each remote site. The monitoring nodes then gather data locally, and then periodically forward the data to the master console for aggregation.

Protocols/Firewall Rules: FrameFlow operates over the standard HTTP and HTTPS ports (TCP 80 and TCP 443, respectively). Thus, you should not have any problems with firewall rules and FrameFlow-related traffic.

Agent Status: One thing I really like about FrameFlow is that the application and its technology are so lightweight. Specifically, there is no agent component with FrameFlow. Instead, the FrameFlow server uses your administrative credentials and industry standard management protocols such as Simple Network Management Protocol (SNMP) and Windows Management Instrumentation (WMI) to gather data.

As we’ll see in the next section of this review, the FrameFlow Web management console is exceedingly well written and is blazingly fast.

Using FrameFlow MSP

Once you install FrameFlow MSP on your management station, you fire up the Web console and step through a setup wizard that consists of the following steps:

Define your sites. Remember that the MSP edition of FrameFlow is intended for multi-site architectures. It doesn’t matter whether your sites are physical, virtual, divided along geographic lines, or separated only organizationally.

Add your network devices. A “network device” is a node that will be queried by the FrameFlow management server(s). FrameFlow includes built-in support for Windows, Linux, and router/switch hardware.

Set up event monitors. You can see what this interface looks like in the next screenshot. FrameFlow makes it simple to get a grip on any aspect of device status by using over 60 pre-defined templates.

FrameFlow includes a whole bunch of predefined event monitor packages.

Part of the Event Monitor setup involves configuring alert thresholds and actions. As I said earlier, you can have FrameFlow send you an SMS text message or even call your telephone and leave you a message. Pretty cool!

Tweak your reports. In addition to the HTML and PDF reports, you can download the free FrameFlow Mobile iOS app for your iPhone, iPad, or iPod touch. This app presents most of the full Web interface in a pint-sized package.

FrameFlow Mobile for iOS.

Learning more

The FrameFlow license model is based upon the number of devices you wish to monitor with FrameFlow. Here are the quick details for those who are interested:

MSP 50 Edition: $1,995
MSP 100 Edition: $3,995
MSP 200 Edition: $5,995
MSP 500 Edition: $8,995
MSP Unlimited Edition: $14,995

I’m sure I don’t have to tell you this, but the 50, 100, 200, and 500 in the previous licensing model refers to 50, 100, 200, and 500 managed systems. Just wanted to be as explicit as possible.

You can (and should) download a fully functional 30-day demo of FrameFlow MSP and try the software out for yourself. I will leave you with some hand-selected links that should help you in your due diligence process.

Related

How to install a DHCP Server on Server Core

Sander Berkouwer — Tue, 07 May 2013 19:10:19 +0000

Sander Berkouwer - 0 comments

Sander Berkouwer is a Microsoft Certified Professional and a Microsoft Most Valuable Professional (MVP) with over a decade of experience in IT.

To make life easier as an admin, several network protocols have been introduced to help manage TCP/IP. One of these protocols is the Dynamic Host Configuration Protocol (DHCP).

DHCP Servers hand out IP addressing information to DHCP clients to make it easy for people using these devices to connect to the network without making changes to their networking configuration. In dynamically scaling environments, DHCP clients are increasingly becoming DHCP clients with the DHCP Server maintaining DHCP reservations; this practice ensures that certain DHCP clients get the same IP address every time, based on their MAC address.

History of the DHCP Server Role in Server Core

The DHCP Server Server Role has been included in Server Core since Windows Server 2008. Server Core installations of Windows Server 2012 support failover DHCP scopes. This new feature, which is found in both Server Core and Server with a GUI installations of Windows Server 2012, adds redundancy to DHCP Servers without failover clustering, shared storage, and multiple network interconnects between two (or more) DHCP Servers. This also replaces the practice where admins needed to place 80% of their leases on one DHCP Server and 20% on another DHCP Server (and maintain reservations and DHCP options on both servers) to achieve DHCP Server redundancy.

Configuring Server Core as a DHCP Server

Just like the other Server Roles and Features on Server Core installations, you can install them using three methods. The first method features the dism.exe command line tool. The second method features PowerShell, specifically the Install-WindowsFeature cmdlet. A third way to install Server Roles and Features on Server Core installations is through Server Manager remoting, but since this is done through the Graphical User Interface (GUI), it’s not for real men like us.

To install the DHCP Server Role on a Server Core installation with dism.exe, use the following command:

dism.exe online /enable-feature /featurename:DHCPServer

To install the DHCP Server Role on a Server Core installation with Install-WindowsFeature, first start PowerShell on the command line (by typing it) and then use the following command:

Install-WindowsFeature DHCP -IncludeManagementTools

Install a DHCP Server with PowerShell

Configuring Basic DHCP Scopes

To hand out IP information to clients requesting them, you will need to create one or more DHCP scopes. To benefit most from your DHCP Servers, you will want to specify not only IP ranges to hand out but also DHCP options, like the default gateway address and addresses for DNS Servers. These DHCP options can be configured at the DHCP scope level and at the server level.

For this purpose, we’ll configure an example Server Core installation with IP address 192.168.0.9SC2, using the range of IP addresses from 192.168.0.10 through 192.168.0.250, with a Default Gateway address of 192.168.0.254. The installation also has a DNS Server, available at 192.168.0.1 for the domain demo.servercore.net. In this example, the commands to configure the DHCP scope look like this:

Add-DhcpServerv4Scope -Name "Internal" -StartRange 192.168.0.10 -EndRange 192.168.0.250 -SubnetMask 255.255.255.0 -Description "Internal Network"

Set-DhcpServerv4OptionValue -ScopeID "Internal " -DNSServer 192.168.0.1
-DNSDomain demo.servercore.net -Router 192.168.0.254

If you’d rather define these options as Server options, replace the Set command with the following:

Set-DhcpServerv4OptionValue -DNSServer 192.168.0.1 -DNSDomain demo.servercore.net
-Router 192.168.0.254

Authorizing DHCP Servers in Active Directory

Now, your DHCP Server may not be handing out IP information just yet. One reason for this is that your Server Core Domain Controller saw another DHCP Server on the network when it tried to activate its DHCP scope. Another situation might be that your Server Core Domain Controller is a member of an Active Directory domain and is not yet authorized in Active Directory to hand out IP addresses.

Note: DHCP Servers on Domain Controllers are authorized in Active Directory automatically.

To authorize your Server Core DHCP Server in Active Directory, use the following command:

Add-DhcpServerInDC -DNSName demo.servercore.net

DHCP Server High Availability through DHCP Scope Failover

Let’s get back to the failover DHCP scopes I mentioned earlier. Once again, this feature can be deployed through PowerShell as well as in the DHCP Server MMC Snap-in. I recommend using PowerShell in this case, however, since it’s harder to click the wrong buttons on the command line.

Requirements

To use DHCP scope failover, you should have two Windows Server 2012 installations with the DHCP Server Role installed on them. It is recommended to make these two DHCP Servers members of the same Active Directory Forest to accommodate authentication and time synchronization. In this case, both DHCP Servers need to be authorized in Active Directory, and you should log on with domain admin credentials for these steps.

Example

To explain how DHCP failover works, we will look at it in an example environment. Building upon the earlier example, two DHCP Servers named SC2 and SC3, with IP addresses 192.168.0.2 and 192.168.0.3, will host the (admittedly tiny) DHCP 192.168.0.10 to 192.168.0.250 scope. The two DHCP Servers will be configured in Load Balance mode, essentially creating an Active-Active configuration wherein both DHCP Servers serve client requests with 50%/50% load distribution percentages.

Configuring DHCP failover

Of course, SC2 is already configured with the DHCP scope. To configure DHCP failover for this scope, use the following commands on SC2:

Add-DhcpServerv4Failover -Name "Failover" -PartnerServer sc3.demo.servercore.net -ScopeId 192.168.0.0 -LoadBalancePercent 50 -SharedSecret "Passw0rd" -MaxClientLeadTime 2:00:00 -AutoStateTransition $true -StateSwitchInterval 2:00:00

To see statistics on the replication of the DHCP scope, use the following command:

Get-DhcpServerv4ScopeStatistics -ScopeID "Internal" -failover

Concluding

The DHCP Server Server Role in Server Core installations of Windows Server 2012 is as full-fledged as on Server with a GUI installations. You can configure all the nitty-gritty DHCP Server configuration options straight from PowerShell or remotely through the Remote Server Administration Tools (RSAT) on either Windows 8 or Windows Server 2012 installations.

Windows Server 2012–based Server Core DHCP Servers offer the best DHCP Server performance of all Windows Server installations to date.

Related

NIC Teaming with PowerShell

Jeffery Hicks — Mon, 06 May 2013 18:41:58 +0000

Jeffery Hicks - 0 comments

Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with 20 years of experience. Follow his blog.

Teaming network adapters, or NICs, is a great way of providing load-balancing and failover capabilities for mission critical services. Windows Server 2012 allows up to 32 network adapters in a single team. You can create a team in the graphical server manager, or through PowerShell, which is very useful if you are automating server build or configurations.

In Windows Server 2012, we’ll use the NetLBFO module. You can also manage the team remotely from a Windows 8 computer that has Remote Server Administration Tools (RSAT) installed. For the sake of simplicity I’ll create a new team on a Windows Server 2012 system. When you look at help for the cmdlets I’m using, which you should, if you wanted to do this remotely you would use the CimSession parameter.

Creating a new team

To create a new team you should have similar, if not identical network adapters. You will need to know the names of your adapters as they are displayed in Control Panel\Network and Internet\Network Connections. You will want to decide what load balancing algorithm to use.

TransportPorts: Assign traffic to an interface based on a hash of source and destination TCP ports and the IP addresses.
IPAddresses: Assign traffic to an interface based on a hash of the source and destination IP addresses.
MacAddresses: Assign traffic to an interface based on a hash of source and destination MAC addresses.
HyperVPort: Distributes network traffic based on the source virtual machine Hyper-V switch port identifier. This only makes sense if configuring within a VM.

The default value is TransportPorts. You’ll also want to consider the TeamingMode:

LACP: Uses the IEEE 802.1ax Link Aggregation Control Protocol (LACP) to dynamically identify links that are connected between the host and a given switch. (This protocol was formerly known as IEEE 802.3ad draft)
Static: Requires configuration on both the switch and the host to identify which links form the team.
SwitchIndependent: Specifies that a network switch configuration is not needed for the NIC team. When configuring teaming within a Hyper-V virtual machine, you must select this choice. This is also the default.

Once you’ve made your decisions, creating the team is really quite simple.

PS C:\> $teamA = New-NetLbfoTeam -Name TeamA -TeamMembers "Ethernet 2","Ethernet 3" -TeamingMode SwitchIndependent

PS C:\> $teama

Name                   : TeamA
Members                : {Ethernet 2, Ethernet 3}
TeamNics               : TeamA
TeamingMode            : SwitchIndependent
LoadBalancingAlgorithm : TransportPorts
Status                 : Up

The new team shows up as a new adapter.

I can also retrieve the team with PowerShell.

PS C:\> get-netlbfoteam
Name                   : TeamA
Members                : {Ethernet 2, Ethernet 3}
TeamNics               : TeamA
TeamingMode            : SwitchIndependent
LoadBalancingAlgorithm : TransportPorts
Status                 : Up

Configuring the Team

The new team will pick up an IP address from DHCP. You can manually set it through Control Panel, or assign settings with PowerShell. First, I’ll verify I can even find the new team.

PS C:\> get-netlbfoteam
Name                   : TeamA
Members                : {Ethernet 2, Ethernet 3}
TeamNics               : TeamA
TeamingMode            : SwitchIndependent
LoadBalancingAlgorithm : TransportPorts
Status                 : Up

View the NIC Team with PowerShell

Good. This means I can pipe this to Set-NetAdapter and configure its IP address. First, I’ll delete the existing IPV4 address, confirming the action when prompted.

PS C:\> get-netadapter teama | get-netipaddress –addressfamily ipv4 | remove-netipaddress

Then I can define a new address.

PS C:\> get-netadapter teama | New-NetIPAddress -IPAddress '172.16.30.203' -AddressFamily IPv4 -PrefixLength 16 –defaultgateway '172.16.10.254'

Define new IP address

At this point, all that remains is to set DNS.

PS C:\> Get-NetAdapter teama | Set-DnsClientServerAddress -ServerAddresses '172.16.30.200','172.16.30.203'

The team is now ready for business.

Summary

Configuring a network team with PowerShell only takes a little practice to understand how the cmdlets work. If anything, creating the team is the easy part. Configuring IP settings is sometimes a bit more complicated. But now if you are considering automating server deployments, this is a great tool to add to your kit.

Also read: How to create NIC Team in Server Manager

Related

vCenter Operations Manager

Jim Jones — Sat, 04 May 2013 03:56:19 +0000

Jim Jones - 0 comments

Jim Jones has been a Windows/Network/Voice Systems administrator for over a decade and currently works as a Sr. Network Administrator in West Virginia, USA.

For the past few weeks we’ve been looking at the array of included resources in vSphere 5.1 to manage your virtual infrastructure. In this article we’ll look at the latest addition to this, vCenter Operations Manager, Foundation Edition.

vCenter Operations Manager

Operating and managing a virtualized system can be a complex and arduous task. You not only need to keep track of the health of your various hypervisors, but also the underlying storage and networking components as well as the individual Virtual Machines themselves. Doing these tasks manually, while possible, is in and of itself a full time job; never mind the fact that your boss most likely wants you to actually do things as well as just monitor. For this reason VMware (as well as other vendors) have been bringing management dashboard applications to market to consolidate your view of all of these various items.

vCenter Operations Manager (vCOps or vCO for short) uses a system of “badges” to display various system health states. Green badges are good, red badges are bad, etc. Further there is a numeric score overlaid to allow you to quantify. Further these health measures can be seen throughout the hierarchy, ranging from the overall “world” health down to the individual VM or datastore. The goal of this is to let you see where your issues are and then go out and fix them. Views of this information once setup is available not only from the vCOps UI webpage but also from within the VI client once you install and enable the plugin.

Keep in mind that what you get with your vSphere Essentials Plus license (and up) is the Foundation edition, which has a greatly reduced toolset when compared to more feature rich, paid versions. The way I look at it the free edition lets you see what’s wrong whereas the paid editions will not only let you see what’s wrong but actually fix them on the fly. For a full side by side comparison of the 4 version please see the VMware supplied Editions Comparison.

Installation and setup

Prior to beginning your installation you will need to create an IP Pool for the virtual network you wish to deploy vCOps to. How to do this has been covered in a previous article.

Setup of vCOps is done via an OVA you download from VMware’s vSphere download page. Notice there are two possible files you can download; the OVA and the PAK file. Only use the PAK file in the case of an update of an in place installation. Support for the included version began with vCOps version 5.6 (which this article is based on) but version 5.7 has been recently announced. The steps below should be valid for either version.

Once you download your Virtual Appliance files you begin deployment in the normal way from the VI Client (File>Deploy OVF Template). This will begin a simple wizard toward deployment. Pay particular attention to the Deployment Configuration, Network Mapping, and IP Address Allocation screens to make sure these settings are optimized for your particular environment. After you complete the wizard you will notice you have a new vApp in your VI client. For the next step of setup start your vApp and then point a browser at https://IPOFUIVM/admin.

Now you will be in a new wizard where you set things like the login information for your vCenter, IP of the Analytics VM, passwords for local accounts, and which vCenters to monitor. All of this information is specific to your given installation. When finished simply drop the /admin from the URL and you can then login with your AD credentials to see what’s going on.

Conclusion

vCenter Operations Manager Foundation Edition is quite helpful in letting you see where the issues are in your VMware vSphere environment as long as you have sufficient technical resources to go with this information and fix the issues for yourself, but it is free which goes a long way. If you need guidance as to how to fix the issues or need support for multiple hypervisors (i.e. Hyper-V) you’ll need to look at either the bigger, expensive editions in the vCOps product line or third party products such as VeeamONE.

Resources

Editions Comparison

vCOps 5.7 Release Notes

Related

Security Auditing Enhancements in Windows Server 2012

Timothy Warner — Fri, 03 May 2013 17:19:35 +0000

Timothy Warner - 0 comments

Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN.

Microsoft made incremental changes to security auditing in Windows Server 2012. These enhancements include the ability to audit removable drive usage, to create expression-based audit policies, and to retrieve more detailed and meaningful audit log entries.

Depending upon your industry, security auditing may be one of those “nice to have, but I’ll get around to it someday” things, or it may simply be mandated by law and therefore require your compliance.

To this latter point, we’ve had the ability to audit events in Windows Server for several years now. For instance, the workflow for auditing file system access events in Windows Server 2008 R2 looks like this:

Specify your auditing scope in a Group Policy Object (GPO)
Mark selected file system resources for auditing
Review security audit entries in the Windows event logs

Windows 7 and Windows Server 2008 R2 introduced Global Object Access Auditing, which made it leagues easier to audit multiple file system and/or Registry resources for audit tracking on a per-computer basis.

Windows Server 2008 R2 also gave us Advanced Security Audit Policy, which greatly broadens and deepens the types of audit policy we can create.

Windows Server 2012 doesn’t give us any ground-breaking new features like we saw in Windows Server 2008. Instead, we find that Microsoft tweaked existing functionality to give us administrators even more flexibility with our in-box auditing policy.

Of course, large enterprises should be concerned with setting audit policy by using Group Policy. Instead, these shops should take a look at Microsoft System Center 2012 Audit Collection Services.

In this blog post I want to walk you through the security auditing enhancements in Windows Server 2012; in a nutshell, these improvements are as follows:

We can now audit removable devices
We can now create expression-based audit polices
We can reduce audit volume and glean additional data from audit events

Let’s take a look at each of those enhancements in turn.

Auditing removable drives

Removable storage, such as USB flash drives or external hard drives, can represent a very real security risk for an enterprise. For instance, how can we prevent a disgruntled employee from transferring sensitive data to his or her USB thumb drive?

To be sure, we had Removable Storage Access Policy in Windows Server 2008 R2 to deny usage of removable devices. However, in 2008 we had no way to track attempts to use removable drives.

As you can see in Figure 1, we have audit policies that target and track removable drive access attempts. Failure audits generate Event 4656, and Success audits generate Event 4663.

Auditing removable device access

The two policies in question are Audit Removable Storage and Audit Handle Manipulation; these are located in the Group Policy path Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Object Access.

Using expression-based audit policies

Dynamic Access Control (DAC) is a new feature in Windows Server 2012 that enables us administrators to granularly control access to filter server resources by using expression-based logic.

For instance, we can share out a folder that grants access to marketing department employees located in the Los Angeles office for files that are marked as high-priority. This security access method is powerful, flexible, and makes it easier to manage hundreds or thousands of shared folders.

We can also apply conditional logic to our Global Object Access Auditing policy. Create a GPO, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Global Object Access Auditing, and double-click the File system policy. Enable the policy and click Configure.

As you can see in Figure 2, the Advanced Security Settings for Global File SACL dialog box allows us to define audit entries that embrace claims and resource properties.

Expression-based audit policy

In the previous screenshot, we monitor successful reads by authenticated users who work from the Marketing department in the Nashville office. That’s pretty powerful, isn’t it? These expression-based polices give us much more targeted audit log feedback.

Reviewing detailed audit log data

You already know that Windows writes Success and Failure audit events to the Windows Security log. In Windows Server 2012 we still have the trusty Event Viewer tool with which we can review our log entries.

However, Windows Server 2012 gives us more information in logon and object access events. For instance, check out Figure 3. Observe that the audit log entry now provides reasons for access in addition to detailed file attribute data. For my money, this is a very valuable addition to Windows Server 2012.

Detailed audit entry data

Specifically, be on the lookout for the following audit entries if you’ve configured advanced audit policy in Windows Server 2012:

File Access Event 4656
File Access Event 4663
User Logon Event 4624
User Logon Event 4626

Related

Altiris Symantec Management Platform – Part 3: Computer imaging

Andrew Jacops — Thu, 02 May 2013 19:24:18 +0000

Andrew Jacops - 0 comments

Andrew Jacops is a system/network administrator with over ten years experience managing Windows environments and the network infrastructures they run on.

In this final article of the Altiris Symantec Management Platform series, I chose to cover computer imaging.

For many admins, imaging has been a blessing and a curse. On one hand, several computers can be imaged at the same time saving hundreds of hours over manually installing the OS and every single software application. On the other hand, a new build has to be created for each and every different computer; laptops, desktops, separate revisions of the same model, all have to have their own specific images.

Yes, there are programs out there including the latest version of Ghost that can create hardware-independent images, however they’re buggy at best and all of the drivers and applications still have to be installed.

SMP computer imaging simplifies and streamlines the process using only a single, generic image for each OS.

Basics

SMP uses a PXE based environment utilizing Windows Preinstallation Environment (WinPE), and it takes a phased approach to imaging a device. The summarized steps are as follows:

PXE into WinPE
Lay down the generic OS image
Install drivers and perform tasks in unattended install
Push software packages based on SMP group

The best part of this process is step four. The package admin has already created all of the software policies and packages needed in the company’s environment and has assigned them to whatever groups need that particular software. It would be redundant and inefficient to install the software after the task has already been completed.

The other great thing about this is the fact that all of the drivers are installed during the unattended install. This however does take a little bit of work. Of course SMP makes it as easy as possible. It is important to note that due to security, Microsoft does not allow unsigned drivers to be installed during an unattended install. An effort does need to be made to locate signed drivers.

Acquiring drivers

As I have mentioned, SMP makes it easy to get the drivers from the devices. How? Jobs and Tasks. And a little help from a wonderful freeware program called Double Driver.

Double Driver

Double driver has a command line interface that can be utilized to harvest drivers from a machine. It’s also a stand-alone executable so it does not need to be installed. Therefore, a task can easily be created to copy the exe over and run it all without any impact to the user.

Driver Harvest

Here I have created a task called Driver Harvest that runs a VBScript. In this script, I copy Double Driver to the remote machine, invoke it, backup the drivers, create a folder with the computer’s model on a remote file share, and copy the newly backed up drivers. I can schedule the easily created task and run it on whatever machines in the environment I want. Simple!

WindowsAIK, ImageX, and WIMs

Another freely available software tool that SMP imaging takes advantage of is WindowsAIK. Although covering the usage of this is out of the scope of this article, utilizing WAIK Tools are how the generic Windows images are created. The basic processes for creating the WIM files are as follows:

Install a Windows OS
Install any updates required
Install the Symantec Client
Run Sysprep
Boot into WinPE
Capture the image with ImageX
Build sysprep

Probably the most important step in the list above is installing the Symantec Client. With it all of the newly imaged machines will immediately check into the SMP server for the first time and start pulling the packages it needs.

WIM Manager

The greatest thing about using WIMs is that they can be updated on the fly with the latest Windows patches using basic DISM commands that are not exclusive to Symantec. There is no longer a need to create a new image or waste hours installing all of the newest patches after laying down the image; just update the WIM on Microsoft’s Patch Tuesday.

Deploying the image

Deploying the image is as simple as creating another job or task and scheduling it to push to the machines. Just select the WIM file and go.

WIM deployment

Alternatively, an admin may choose to create all of their own tasks manually to deploy the image and not use Symantec’s built-in process which would just consist of script files. In this way, there is greater visibility into which step the process has failed on. The most important thing to realize is that SMP is still the product being used to deploy the images. Of course it’s all about preference, but SMP tries to make it as simple and easy to manage as possible.

Summary

This concludes the three part series covering Altiris Symantec Management Platform. This is an extremely robust software solution that contains many more features than the handful I have gone over. I encourage all of the readers to experiment with this software as much as possible to see if it’s right for their organization. The customizations and possibilities for this product are practically endless.

Thanks for reading!

Related

SCCM 2007 Client Troubleshooting – Part 7: Mobile device clients installation

David Stein — Thu, 02 May 2013 16:50:04 +0000

David Stein - 0 comments

David is an author and consultant, working for Endurance IT Services in Virginia Beach, Virginia, specializing in Microsoft enterprise systems and Business Process Automation.

Mobile device support in Configuration Manager 2007 is not as robust as it is with Configuration Manager 2012, but there are customers who depend on this in their 2007 sites.

The toughest aspect of managing mobile devices is that they’re mobile. This presents logistical challenges as it pertains to scheduled maintenance, deploying software applications and updates, and maintaining current inventory data.

Symptoms

Devices are not communicating with a Management Point
Devices are not able to resolve the name for the CRL (if used)
Devices are unusually slower to connect to the MP or processing of policy updates
Devices indicate having expired Site certificates when they shouldn’t

Potential causes

Device has an unsupported mobile OS or OS version
Expired or corrupted PKI certificates
Missing hotfixes on the Site Servers which deploy the client
Device is unable to resolve FQDN for CRL server

Configuration Manager 2007 R3 only supports mobile devices running on Windows Mobile, Windows Mobile for Pocket PC, or Windows CE, and only specific client OS versions. Some hotfixes may also be required prior to client installation, in some cases on the Site Server.

Windows CE 4.2 only supports a Mixed-Mode client installation, and only on ARM processor devices. Windows CE 5.x and 6.x are supported on ARM and x86 processors.

Suggestions

Verify mobile device hardware models and confirm OS compatibility specs
Verify that needed hotfixes are installed on Site Servers, as well as mobile devices
Verify Internet connectivity from affected mobile devices.
Verify connectivity back to your Internet-facing Site Servers and CRL server (if applicable).
Verify certificates are configured, provisioned and installed properly.

Helpful links

Related

Active Directory-based management of Apple iOS iDevices

Timothy Warner — Wed, 01 May 2013 21:50:03 +0000

Timothy Warner - 0 comments

Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN.

Some Windows systems administrators are faced with deploying and supporting Apple iDevices running iOS. What first- and third-party options exist for these sysadmins?

Here at 4sysops we’ve covered how to manage Active Directory from your Apple iOS-based devices such as iPhones, iPads, and iPod touches. However, this blog post turns that paradigm around 180 degrees: How can we manage a fleet of iDevices from within Active Directory?

Microsoft provides a framework for managing their own mobile hardware; specifically Windows Phone-based smartphones and Windows RT-based tablet devices. On the other hand, Microsoft gives administrators little to no help if we find ourselves having to apply security policies to Apple mobile hardware.

In this blog post I will present your primary options for solving this problem. We’ll spend most of our time discussing Apple’s own solution, as it is cost-effective and gives Active Directory administrators as much control as possible over the iDevice deployment. We’ll finish up with some third-party competitors in this space.

Apple, Microsoft, and the “magic triangle”

For $999 Apple will sell you a Mac mini computer with OS X 10.8 “Mountain Lion” Server pre-installed. As an alternative, you can install Mountain Lion Server on any Intel Apple computer from the Apple App Store for $20. I show you the latest Mac mini model in the screenshot below.

Unfortunately, Apple no longer manufactures rack-mounted servers.

Now that you have an OS X Server machine up and running in your network, what next? Well, the metaphor of the “magic triangle” was developed as a way to describe the interrelationship between Microsoft’s Active Directory with Apple’s Open Directory directory service.

Think of the Apple iDevice as one point of the triangle, Active Directory as the second point, and Open Directory as the third. In this mixed environment, the iOS device hardware is managed from Open Directory, and the logged-on user is an Active Directory user who is trusted by the Open Directory realm.

The inner details of the magic triangle configuration are beyond the scope of this article. However, let me give you the abbreviated summary:

Set up the OS X Server computer as an Open Directory master
Bind the OS X Server computer to the Active Directory domain; this creates a computer account for the Mac computer in AD (although you can’t manage the Mac using Group Policy for obvious reasons)
Use the Workgroup Manager tool on your Open Directory server to retrieve a list of Active Directory user and group accounts

Profile Manager

Are you with me so far? Mountain Lion Server includes a cool Web application called Profile Manager that enables you to centrally manage all of your network’s iDevice hardware. You can control literally every aspect of the iDevices–what actions are allowed, what actions are disallowed, and so forth. You can even perform a remote wipe if a company-owned iDevice is stolen. I show you the Profile Manager interface in the screenshot below.

You can control all aspects of your company’s iDevices by using Apple Profile Manager.

Again, walking you through the full Profile Manager setup would take an entire article unto itself. Here is the “CliffsNotes version” of the process:

Install an SSL digital certificate on the OS X Server computer
Create and populate Open Directory groups for your managed iOS devices
Create and deploy management profiles to your iDevice groups
Enroll managed iDevices with the OS X Server

The iDevice enrollment process occurs on the iDevice itself; this process can be completed by the administrator or the end-user. Once the iDevice has been added to the server group, you can view the managed iDevice through the Profile Manager Web portal.

Administrators can manage iDevices through a mobile-friendly Web console.

Third-party alternatives

As nifty as the Apple Profile Manager system is, some Windows systems administrators won’t or can’t be bothered to introduce more Apple technology in their environment than is absolutely necessary.

To that point, there are several third-party vendors who sell iOS device management solutions that are based in a more traditional Active Directory context.

Perhaps the most well-known of these solution providers is Centrify, who offers a tool called Centrify for Mobile.

What’s so cool about Centrify is that you can manage your iOS devices completely from within Active Directory with (a) in-box Active Directory management tools such as the Group Policy Object Editor and Active Directory Users and Computers; and (b) there is utterly no need for additional Apple hardware.

Centrify means you can manage Apple hardware with Group Policy.

Here are some additional companies who offer AD-centric or cloud-centric iOS device management tools:

Related

Microsoft Management Summit 2013 recap

Kyle Beckman — Wed, 01 May 2013 16:25:46 +0000

Kyle Beckman - 0 comments

Kyle Beckman works as a systems administrator in Higher Education in the Southeast United States. He is an MCSE and specializes in Group Policy, Windows Server, and client support.

This year’s Microsoft Management Summit in Las Vegas, NV started off with more excitement than I’m sure the everyone was hoping for

In addition to a rare morning thunderstorm on the Las Vegas Strip (insert your own “cloud” jokes here), the convention center was hit with an Internet outage right before Corporate Vice President Brad Anderson was to take the stage for the keynote. You can see where this would cause some alarm since all the demos were live and running from remote data centers. Ultimately, this only caused a delay of slightly over 20 minutes while the issues were resolved then the keynote was able to start.

As far as keynotes go, the 2013 MMS keynote, Cloud Optimize Your Business with Microsoft Management Solutions, didn’t offer many surprises. The two biggest themes were Microsoft cloud services (Azure, Office 365, InTune, etc.), consumerization of IT, the number of Microsoft customers moving from VMware to Hyper-V for their virtualization… err… private cloud needs. If you’re interested in watching the full keynote:

Here are a few of the high points and interesting facts:

“Microsoft workloads – SQL, SharePoint, Exchange – run best on the Microsoft operating system, on the Microsoft hypervisor, on the Microsoft cloud.” – Brad Anderson
More than 20% of businesses worldwide are using Office 365.
There are 420,000 unique domains in Azure AD.
Azure AD has handled 200 billion authentications since it was made available.
Microsoft announced their participation in Open Daylight: an open source framework for software defined networking.
99% of SQL workloads can be virtualized now.
Microsoft demoed Storsimple (acquired last year) a product that lets you transparently use both local and cloud-based storage.

No products announcements were made, but attendees were encouraged to either come in person or tune in to TechEd in June to “the next wave of investments that we’ve been making in the server and tools business.”

I found picking sessions for MMS just as hard as picking sessions for TechEd last year. Since Microsoft knows you can’t be in two places at once, many of the breakout sessions are available online in video form along with the PowerPoint files. There’s no way I can possibly cover every session, but here are a few I enjoyed that I hope you can also find useful:

Advanced Microsoft Deployment Toolkit 2012 Update 1 Customizations presented by Johan Arwidmark and Mikael Nystrom. Individually, Johan and Mikael are both awesome speakers… so, if you get the chance to see them co-present, you’re in for a treat and will definitely learn something you didn’t know. In this session, they discuss a number of things you can do to customize your MDT deployment including creating rules in CustomSessings.ini, using a database with MDT, and using System Center Orchestrator runbooks.

Windows 8 Security Internals by Chris Jackson. In this session, Chris Jackson goes deep into the security internals of Windows 8 including tokens/elevated tokens, integrity levels, User Interface Privilege Isolation and how they relate to desktop and Windows 8 Metro/Modern apps.

Orchestrator Best Practices: Lessons Learned at Cargill by Vaughn Nerdahl. In this session, Vaughn Nerdahl from Cargill discussed some of the things his organization has learned using System Center Orchestrator. Topics covered included error handling, sanitizing runbooks when moving them between test and production servers, documenting runbooks with Visio, and decisions you should make when designing runbooks.

Becoming a Windows Intune Administrator: A Real-World Perspective by Erdal Ozkaya. In this session, Erdal Ozkaya discussing using Intune for managing both PC’s, tablets, and phones. Topics covered include setting up Intune, adding users, deploying software, and general administration.

Links

Keynote Demo Deconstruction

MMS 2013 Session Videos

Related

How to install a DNS Server on Server Core

Sander Berkouwer — Tue, 30 Apr 2013 19:00:53 +0000

Sander Berkouwer - 0 comments

Sander Berkouwer is a Microsoft Certified Professional and a Microsoft Most Valuable Professional (MVP) with over a decade of experience in IT.

In the previous article in this series, I showed you how to promote a Windows Server 2012-based Server Core installation to a Domain Controller. In this article, I’ll discuss configuring your Server Core installation to a Domain Name System (DNS) Server

Although most DNS Servers run on Domain Controllers with Active Directory-integrated DNS zones, I’ll show you some other implementation scenarios where Server Core DNS Servers might save your day!

The DNS Server Server Role has been included in Server Core since Windows Server 2008. The DNS Server in Server Core installations of Windows Server 2008 R2 was the first Server Core DNS Server implementation that supports DNSSEC.

Configuring Server Core as a DNS Server

Installing the DNS Server Server Role on Domain Controllers is as easy as selecting the option to install DNS in the Active Directory Domain Services Configuration Wizard, typing InstallDNS = Yes in a DCPromo unattend answer file, and accepting the defaults when you promote a new Domain Controller for a new domain with dcpromo.exe, Add-Domain, or Add-Forest.

Besides serving DNS name resolution from Server Core Domain Controllers, the following two scenarios, however, also seem plausible for Server Core DNS Servers.

Configuring a DNS Server in the DMZ

Server Core installations are less vulnerable to attacks, so placing them in your perimeter network or Demilitarized Zone (DMZ) to provide DNS sounds like a better idea than placing Server with a GUI installations there. With Server Core DNS Servers, you can still manage the DNS Servers with the command line and graphical tools you’re used to, but you gain some of the security, availability, and modularity benefits you’d normally only be able to gain with Linux- or UNIX-based DNS Servers.

To configure a Server Core installation as a DNS Server in the DMZ, start by giving it a network connection in the network segment of the DMZ. Next, provide it with a meaningful hostname and IP addresses in the DMZ network segment. You can perform all these configuration steps through sconfig.cmd, netsh.exe, netdom.exe, and/or Rename-Computer and New-NetIPAddress.

The next step is to install the DNS Server Server Role. To do so, perform a Server Core installation and provide it with a meaningful hostname and appropriate IP addresses. Next, install the DNS Server Server Role on the Server Core installation. Since we used the PowerShell command the last time, this time we’ll use the almost deprecated command line alternative:

Dism.exe /online /enable-feature /featurename:DNS-Server-Full-Role /featurename:DNS-Server-Tools

Now, depending on your preferences, you can configure the DNS Server with either dnscmd.exe or one or more of the 99 DNS Server-related PowerShell cmdlets.

For instance, to add a Primary DNS Forward Lookup Zone and Primary DNS Reverse Lookup Zone for dmz.servercore.net on the 85.17.209.0/24 network, use the following two dnscmd.exe commands:

dnscmd.exe localhost /ZoneAdd DMZ.ServerCore.Net /Primary /file dmz.servercore.net.dns

dnscmd.exe localhost /ZoneAdd 0.209.17.85.in-addr.arpa /Primary /file 209.17.85.in-addr.arpa.dns

To configure the same settings with PowerShell, the following two commands can be used:

Add-DnsServerPrimaryZone -Name "DMZ.ServerCore.Net" -ZoneFile "dmz.servercore.net.dns"

Add-DnsServerPrimaryZone -NetworkID 85.17.209.0/24 -ZoneFile "209.17.85.in-addr.arpa.dns"

Since a DNS Server in a DMZ used by hosts in the same network would rarely be used without DNS Forwarders, the following command will add the public Google DNS Servers as forwarders:

dnscmd.exe localhost /ResetForwarders 8.8.8.8 8.8.4.4

In PowerShell, the following two commands configure the same settings:

Add-DnsServerForwarder -IPAddress 8.8.8.8 -PassThru

Add-DnsServerForwarder -IPAddress 8.8.4.4 –PassThru

That’s it! Your Server Core DNS Server is up and running. To add an A record and an associated PTR record to the Forward and Reverse DNS zones on the server (for instance, for mail.dmz.servercore.net with IP address 209.17.85.74), you can use the following commands:

Add-DnsServerResourceRecordA -Name "mail" -ZoneName "dmz.servercore.net"

Add-DnsServerResourceRecord -Name "74" -Ptr -ZoneName "209.17.85.in-addr.arpa.dns" -PtrDomainName "mail.dmz.servercore.net"

Configuring secondary DNS zones

In traditionally highly secure environments, the Domain Name System services would be hosted on Linux- or UNIX-based hosts with BIND DNS Server software. For ease of management, conformity, or migration purposes, you could opt to configure a Server Core installation to host secondary DNS zones to the BIND primary DNS zones. In this example, we’ll migrate a BIND-based DNS Server environment to Windows Server 2012-based Server Core DNS Servers.

You can use the following short PowerShell command to do that:

Install-WindowsFeature DNS -IncludeManagementTools

The next step is to add secondary zones for all the DNS zones hosted on the BIND-based DNS servers. Depending on the number of DNS domain zones these servers are hosting, you will need a couple of PowerShell lines. With the BIND host running on 85.17.209.1, the lines would look like these:

Add-DnsServerSecondaryZone -Name "servercore.net" -ZoneFile "servercore.net.dns" -MasterServers 85.17.209.1

Add-DnsServerSecondaryZone -Name "dirteam.com" -ZoneFile "dirteam.com.dns" -MasterServers 85.17.209.1

Add-DnsServerSecondaryZone -Name "berkouwer.org" -ZoneFile "berkouwer.org.dns" -MasterServers 85.17.209.1

Now, sync the DNS zones, with commands like these:

Sync-DNSServerZone -Name "servercore.net" -PassThru -Verbose

Sync-DNSServerZone -Name "dirteam.com" -PassThru –Verbose

Sync-DNSServerZone -Name "berkouwer.org" -PassThru –Verbose

After completing the zone transfers, convert any of the secondary zones to primary zones:

ConvertTo-DNSServerPrimaryZone -Name "servercore.net" -PassThru -Verbose -ZoneFile "servercore.net.dns"

ConvertTo-DNSServerPrimaryZone -Name "dirteam.com" -PassThru -Verbose -ZoneFile "dirteam.com.dns"

ConvertTo-DNSServerPrimaryZone -Name "berkouwer.org" -PassThru -Verbose -ZoneFile "berkouwer.org.dns"

On the BIND Servers, of course, configure the previously primary DNS servers to be secondary DNS servers for the migrated zones or demote them. Also, when other secondary DNS Zones existed on other DNS Servers, update their configuration to point to the new Server Core DNS Server to use as their master servers.

Managing the DNS Server Role remotely

Besides using dnscmd.exe and the 99 DNS Server-related PowerShell cmdlets, both of which are available on the command line of your Server Core DNS Server, you can also manage the DNS Server Server Role remotely.

On a Windows Server 2012 Server with a GUI, you can add the DNS Server Tools.

Start the Power User Start Menu with Win+X. Select Programs and Features from the menu. In the Programs and Features screen, click Turn Windows features on or off in the left action pane. In the Add Roles and Features Wizard, click Next in the Before you begin screen. Select Role-based or feature-based installation in the Select installation type screen and click Next. On the next screen, select the server where you want to install the DNS Server Tools from the list and click Next. Click Next in the Select server roles screen. In the list of available features, select the DNS Server Tools:

DNS Server Tools

Click Next. On the next screen, click Install.

On Windows 8 installations, you need to install the Remote Server Administration Tools (RSAT). After you download and install RSAT, all the Tools will be installed by default. The DNS Server Tool is accessible through the Administrative Tools shortcut to the far right in the Start Screen.

Concluding

Server Core DNS Servers have become a viable alternative to UNIX- and Linux-based BIND DNS Servers because of their smaller attack surface, higher availability, better performance, and increased modularity, when compared to Server with a GUI installations.

Related

SCCM 2007 Client troubleshooting – Part 6: Wake-On-LAN

David Stein — Tue, 30 Apr 2013 13:48:27 +0000

David Stein - 0 comments

David is an author and consultant, working for Endurance IT Services in Virginia Beach, Virginia, specializing in Microsoft enterprise systems and Business Process Automation.

Configuration Manager uses Wake-On-LAN (WOL) to awaken a powered-off device, perform requested actions (install or remove applications, install updates, etc.) and then power the computer OFF again, if desired. It’s a compromise between energy efficiency and management efficiency, and if configured correctly, does a great job in most cases. In Part 6 of my SCCM 2007 Client troubleshooting series I cover WOL problems.

If you’re not really clear on what Wake-On LAN (WOL) is, and how it works, you should start by reading up on that first. Essentially (and this is not intended as a substitute for doing your homework), WOL is a mix of technologies, protocols and network communication that allows a computer to be powered OFF, but not completely. One small part of it remains awake, and listens to the network port for a special incoming request packet that says (roughly) “wake up!” This causes the machine to power ON and boot into the operating system environment. This is the theory. Unfortunately, some times things don’t work as they are supposed to.

Symptoms

Powered-off clients do not respond to WOL “wake-up” requests
Clients which are often powered-off are not getting Advertisements or Updates

Potential causes

Incorrect Client Agent settings
Firewall port exceptions
Router and Switch configuration settings
Client BIOS firmware, or driver compatibility issues

Suggestions

It’s important to understand that WOL is not simply a matter of configuring clients and servers. The network layer is a vital component in the overall process. In many environments, routers and switches are not configured to allow WOL to work between LAN segments. Make sure the appropriate ports are opened and that everything is configured in accordance with standard guidelines.

I like to emphasize “patterns” when performing any troubleshooting effort. For example, if you find only specific computers within a given LAN segment are not responding to WOL requests, it doesn’t likely point to a network (switch or router) configuration issue. That would usually point to machine-specific issues, such as BIOS settings, firmware capability, and drivers. However, it could also point to bad network cabling or bad connectors.

If it appears that all computers on a given LAN segment are not responding, then I would suggest looking at the routers or switches which serve those computers.
If the computers are in Active Directory OU locations which share common Group Policy Object links, check for common/unique Group Policy settings as well.
Verify Configuration Manager Client Agent settings.
Verify Clients are getting policy updates and are reporting discovery and inventory data properly.

Helpful links

Related

Access-Denied Assistance in Windows Server 2012

Timothy Warner — Mon, 29 Apr 2013 19:07:16 +0000

Timothy Warner - 0 comments

Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN.

Access-Denied Assistance is a new feature in Windows Server 2012 that makes it easier for users to get help for “access denied” errors with shared file resources. On the other side of the equation, administrators are given clear information to resolve such permissions problems.

Access-Denied Assistance is a new role service of the File Server role in Windows Server 2012. The technology is intended to make it easier for both users and administrators to resolve permissions problems with shared file resources. For instance, consider the following all-too-familiar conversation between an end user and his systems admin:

User: Can you please help me? I need to open an important marketing report and it says “access denied.”

Sys Admin: Where is the file?

User: Huh?

Sys Admin: How are you trying to access the file?

User: I have no idea. I just go to my H: drive and the file is there.

Sys Admin: What is the name of the file?

User: How do I find that out?

Sys Admin: Sigh…

To make use of Access-Denied Assistance, we must fir connect to each of our Windows Server 2012 file servers and install the File Server and File Server Resource Manager role services of the File and Storage Services role:

We need to install the prerequisites for Access-Denied Assistance.

Because Access-Denied Assistance relies up on e-mail notifications, we also need to configure each relevant file server with a Simple Mail Transfer Protocol (SMTP) server address. Let’s do that quickly with Windows PowerShell:

Set-FSRMSetting -SMTPServer “mailserver.nuggetlab.com” -AdminEmailAddress “admingroup@nuggetlab.com” -FromEmailAddress “admingroup@nuggetlab.com”

It’s important to perform as much front-end configuration on your file servers as possible, because a we’ll see in a moment, Group Policy takes over Access Denied settings in each server’s local instance of File Server Resource Manager (FSRM).

Creating the policy

You can enable Access-Denied Assistance either on a per-server basis or centrally via Group Policy. To my mind, the latter approach is infinitely preferable from an administration standpoint.

Create a new GPO and make sure to target the GPO at your file servers’ Active Directory computer accounts as well as those of your AD client computers. In the Group Policy Object Editor, we are looking for the following path to configure Access-Denied Assistance:

\Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance

I show you the Group Policy path in Figure 2.

We should use Group Policy to configure Access-Denied Assistance.

The Customize message for Access Denied errors policy, shown in the screenshot brlow, enables us to create the actual message box shown to users when they access a shared file to which their user account has no access.

We can create a custom, personalized Access Denied message for our AD users.

What’s cool about this policy is that we can “personalize” the e-mail notifications to give us administrators (and, optionally, file owners) the details they need to resolve the permissions issue quickly and easily.

For instance, we can insert pre-defined macros to swap in the full path to the target file, the administrator e-mail address, and so forth. See this example:

Whoops! It looks like you’re having trouble accessing [Original File Path]. Please click Request Assistance to send [Admin Email] a help request e-mail message. Thanks!

You should find that your users prefer these human-readable, informative error messages to the cryptic, non-descript error dialogs they are accustomed to dealing with.

The Enable access-denied assistance on client for all file types policy should be enabled to force client computers to participate in Access-Denied Assistance. Again, you must make sure to target your GPO scope accordingly to “hit” your domain workstations as well as your Windows Server 2012 file servers.

Testing the configuration

This should come as no surprise to you, but Access-Denied Assistance works only with Windows Server 2012 and Windows 8 computers. More specifically, you must enable the Desktop Experience feature on your servers to see Access-Denied Assistance messages on server computers.

When a Windows 8 client computer attempts to open a file to which the user has no access, the custom Access-Denied Assistance message should appear:

The custom Access-Denied Assistance message box.

If the user clicks Request Assistance in the Network Access dialog box, they see a secondary message:

The user is prompted to specify details of their help request.

At the end of this process, the administrator(s) will receive an e-mail message that contains the key information they need in order to resolve the access problem:

The user’s Active Directory identity
The full path to the problematic file
A user-generated explanation of the problem

So that’s it, friends! Access-Denied Assistance presents Windows systems administrators with an easy-to-manage method for more efficiently resolving user access problems on shared file system resources. Of course, the key caveat is that your file servers must run Windows Server 2012 and your client devices must run Windows 8, but other than that, this is a great technology that should save admins extra work and end-users extra headaches.

Relevant links

Related

Altiris Symantec Management Platform – Part 2: Patch Management, PCAnywhere, and reporting

Andrew Jacops — Fri, 26 Apr 2013 20:25:17 +0000

Andrew Jacops - 0 comments

Andrew Jacops is a system/network administrator with over ten years experience managing Windows environments and the network infrastructures they run on.

In the last part of this three part series over Altiris Symantec Management Platform I gave an overview of the Symantec Management Console, Computer Management, and Software Management. In this part we will be going over Patch Management, remote desktop with PCAnywhere, and the different types of reporting available in SMP

Patch Management

Patch Management is the Symantec equivalent of Microsoft’s Windows Server Update Services. Patch Management exceeds WSUS by offering:

Popular Software Updates and Microsoft Updates
Finer Deployment Control
Throttling via the Symantec Client
Package Pushing
Supreme Reporting

Patch Management is similar to Software Management in many ways. Packages for new patches are created and pushed out to the client machines via scheduled policies or tasks, and they can be reported on for compliance, saturation, and utilization. The major difference between the two is how the installations are obtained.

In Patch Management updates are downloaded to the server through the Vendors and Software area of the SMC. Shown below is a small list of the many software vendors that updates can be downloaded for.

Patch Management vendors

When expanded, the different software titles from the vendors are shown. There are even different versions of the same titles that patches can be obtained for. Symantec has gone to great lengths to keep this list of software updated in order to make management much easier for the admin.

Patch Management vendors expanded

Once downloaded, tasks and policies can be created for the patch and then pushed to any machines that require it.

I’ll write more on reporting shortly, however, I think it’s pertinent to mention at this point of the article that finding what devices need a patch is as easy as running a report in the Reporting section of SMC. Symantec has a whole list of reports that can be run for updates.

Patch Management reporting

This particular report conveys how many devices need an update, what the compliancy percentage is, what type of patch it is, and a slew of other important information. Creating a package to deploy may not even be worthwhile as only a few computers need it.

Patch Management reporting info

PCAnywhere

A must have in any admin’s tool belt is a way to remotely connect to and control a user’s computer to teach, fix, or just to get a clearer idea of the problem. Symantec Management Platform comes with one of the best remote desktop tools available: PCAnywhere.

PCAnywhere connection

As a quick side note, I would like to mention SMC also supports opening via RDP and VNC if they are installed and configured on both the client and administrator machines.

When the Symantec Client is deployed onto a device, as an option, PCAnywhere can be automatically installed with it. Permissions can then be given to certain groups or people to access these devices. Groups and users can include:

Any LDAP/AD Group or User
Any Group or User on the SMP Server
Manually Created Users

Permissions can include:

View Only
Full Control
Lock the Host Keyboard and Mouse
Completely Blank the Host Screen
Accepted by Client Only

PCAnywhere Permissions

Using these permissions, users can be set up to allow view only permissions so someone in the finance department can show someone in the credit department how they use an application; or full control can be given so that an admin can fix a nagging issue on the user’s machine.

Just as the Patch Management solution has reporting, so does PCAnywhere. Reports can be pulled to see who connected to what computer, when, and for how long. These are paramount when it comes to PCI or any other auditing.

Reporting

Reporting is one of the major selling points of this software platform in my opinion. Reports can be generated and created for just about anything in the database. Out of the box examples include:

Software and Update Compliancy
Server and Desktop OS’s
Primary Users for a Device
Power Scheme Settings

And the list goes on and on.

Reporting categories

Custom reports can also be created and ran against specific groups of devices, users, or a hybrid of both. A quick example would be creating a report to find out which computers are needed for a motherboard recall by using the serial number field and who they belong to by the primary user field.

Custom reports can be as simple as selecting items that you want to report on or creating custom SQL queries to run inside the report.

Custom reports

Summary

This concludes the second part of this three part series over Altiris Symantec Management Platform. So far Computer Management, Software Management, Patch Management, PCAnywhere, and several aspects of reporting have been covered for various pieces of the SMP.

The next and final article in this series will cover computer imaging and what Symantec Management Platform brings to the table that Ghost and others don’t.

Until then, thanks for reading!

Related