SCCM 2012 – Failed to create SQL Server Certificate

During SCCM 2012 installation you may see a “Failed to create SQL Server Certificate” error message in ConfigMgrSetup.log. This is a fatal error and will stop the setup process.

For me, the problem was caused by an earlier failed SCCM installation. Navigate to the directory C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and delete the keys related to that earlier installation.
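The MachineKeys directory is shared by every machine-level RSA key on the server, so it helps to know which file belongs to which certificate before deleting anything. The following read-only inventory is an added example, not part of the original post; it assumes Windows PowerShell 3.0 or later and an elevated session.

```powershell
# Added example: read-only inventory of machine RSA key files (nothing is deleted).
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Build a map: key container file name -> certificate, across all LocalMachine stores.
$owners = @{}
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.HasPrivateKey
    } |
    ForEach-Object {
        try {
            # Only CSP-backed keys expose this property; CNG keys are stored
            # elsewhere and are skipped here.
            $file = $_.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            if ($file) { $owners[$file] = $_ }
        } catch { }
    }

# List every key file with its owning certificate, oldest first.
Get-ChildItem -Path $keyDir -File -Force | ForEach-Object {
    $cert = $owners[$_.Name]
    [pscustomobject]@{
        KeyFile    = $_.Name
        Created    = $_.CreationTime
        Subject    = if ($cert) { $cert.Subject } else { '(no certificate in LocalMachine stores)' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
    }
} | Sort-Object Created | Format-Table -AutoSize
```

A file with no matching certificate can still be a key container used by another component (IIS keeps its configuration keys here, for example), so compare the creation time with the date of the failed setup and move the file aside rather than deleting it outright.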

SCCM 2012 Management with Windows PowerShell

With Windows PowerShell entering our lives, we Windows system administrators have become able to carry out many of our daily tasks with PowerShell scripts that we prepare. Yet daily tasks are only a small part of what can be done with PowerShell.

In this blog post we will look at how to connect to a System Center Configuration Manager 2012 environment using Windows PowerShell and how to take administrative actions.

There are two ways to run SCCM commands with Windows PowerShell.

  1. In the first method, “Connect via Windows PowerShell” can be selected from the top-left menu in the SCCM console.

Windows PowerShell will then open and the relevant module will be loaded automatically.

As you can see, the prompt has dropped into the site named PRI and is waiting for commands.

  2. The other method is to open a PowerShell console and load the relevant module manually. In particular, this command line can be placed at the top of scripts that will run in different environments so that SCCM commands are supported.

To do this, go to the C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin directory and run the following command.


Once the module has loaded successfully, we can run our commands.

Site information can be retrieved with Get-CMSite.

The cd command is used to enter the relevant site.

Information about roles can likewise be retrieved with Get commands.

Packages can be retrieved with the Get-CMPackage command.
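The manual method described above, written as a script preamble. This is an added example, not the post's own commands: the signature check is an added precaution that assumes the module file is Authenticode-signed, PRI is the site code mentioned in the post, and the role cmdlets shown are the ones for management points and distribution points.

```powershell
# Added example: load the ConfigMgr module from the admin console directory.
$siteCode   = 'PRI'   # site code from the post; change to your own
$binDir     = 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin'
$modulePath = Join-Path $binDir 'ConfigurationManager.psd1'

if (-not (Test-Path $modulePath)) {
    throw "ConfigurationManager.psd1 not found in $binDir (is the admin console installed?)"
}

# Added precaution (assumption: the module is signed): import only if the signature validates.
$sig = Get-AuthenticodeSignature -FilePath $modulePath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to import ${modulePath}: signature status is $($sig.Status)"
}

Import-Module $modulePath

# The module exposes each site as a PowerShell drive named after the site code.
if (-not (Get-PSDrive -Name $siteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    throw "No CMSite drive named $siteCode; check the site code and the console connection."
}
Set-Location "${siteCode}:"   # same effect as: cd PRI:

# Site, role and package information, as described in the post.
Get-CMSite              | Format-List SiteCode, SiteName, ServerName, Version
Get-CMManagementPoint   | Select-Object NetworkOSPath, RoleName
Get-CMDistributionPoint | Select-Object NetworkOSPath, RoleName
Get-CMPackage           | Select-Object PackageID, Name, Version
```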

ConfigMgr12 – PXE Cache Settings

PXE Cache was a term we ran into in Configuration Manager 2007, especially in OSD scenarios. If a client has accepted and started an advertised OSD task sequence, a second attempt to start it within a certain period will fail.

The client will ignore all incoming PXE requests. The reason for this behavior is the PXE Cache value. By default this value is 60 minutes, and if you are running OSD tests on a single piece of hardware you need to clear it after every test.

The clearing can be done with “Clear Last PXE Advertisement”.

The same value exists in ConfigMgr12. However, if you want to change this registry value, you may not find it in the same place as in 2007.

Because the PXE role has been integrated into DPs in the new version, you can now find the relevant key on the DP server.

System Center 2012 SP1 Upgrade Order

If your environment hosts two or more Microsoft System Center 2012 components, the order you follow during the System Center 2012 Service Pack 1 upgrade matters a great deal for the components to work as expected after the upgrade.

For this reason, following the order below has been tested by MS:

1.   Orchestrator

2.   Service Manager

3.   Data Protection Manager (DPM)

4.   Operations Manager

5.   Configuration Manager

6.   Virtual Machine Manager

7.   App Controller

Best Practices for ConfigMgr12 Software Updates

When Configuration Manager and WSUS use the same SQL Server, configure one of these to use a named instance and the other to use the default instance of SQL Server

When the Configuration Manager and WSUS databases use the same SQL Server and share the same instance of SQL Server, you cannot easily determine the resource usage between the two applications. When you use a different SQL Server instance for Configuration Manager and WSUS, it is easier to troubleshoot and diagnose resource usage issues that might occur for each application.

Use a custom website for the WSUS installation

When you install WSUS 3.0, you can specify whether to use the default Internet Information Services (IIS) website or create a WSUS 3.0 website. As a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the active software update point for the site.

Specify the Store updates locally setting for the WSUS installation

When you install WSUS 3.0, select Store updates locally so that license terms that are associated with software updates are downloaded during the synchronization process and stored on the local hard drive for the WSUS server. When this setting is not selected, client computers might fail to scan for software updates compliance for software updates that have license terms. When you install the active software update point, WSUS Synchronization Manager verifies that this setting is enabled every 60 minutes, by default.

Create a new software update group each time an automatic deployment rule runs for “Patch Tuesday” and for general deployment

There is a limit of 1000 software updates for a software update deployment. When you create an automatic deployment rule, you specify whether to use an existing update group or create a new update group each time the rule runs. When you specify criteria in an automatic deployment rule that results in many software updates, and the rule runs on a recurring schedule, choose to create a new software update group each time the rule runs to prevent the deployment from surpassing the limit of 1000 software updates per deployment.

Use an existing software update group for automatic deployment rules for Endpoint Protection definition updates

Always use an existing software update group when you use an automatic deployment rule to deploy Endpoint Protection definition updates on a frequent basis. Otherwise, hundreds of software update groups will be created over time. Typically, definition update publishers set definition updates to be expired when they are superseded by 4 newer updates. Therefore, the software update group that is created by the automatic deployment rule will never contain more than 4 definition updates for the publisher (1 active and 3 superseded).

ConfigMgr12 Capture Media–Handle is invalid

If you created a Capture Media CD to capture a reference machine, you should most probably run it through AutoRun. If you try to launch it from the executable files on the media, you will see it under processes, but it will not start the capture wizard.

Another problem you may face is a ‘handle is invalid’ error message.

If Symantec Endpoint Protection is installed on the reference computer and has client management protection enabled, by default it will not allow you to execute programs using AutoRun. Capture Media will therefore throw a “Handle is invalid” error.

To resolve this, just disable this specific rule and execute the media again from scratch.

SCCM – Society of Critical Care Medicine :)

Most of us, me included, use SCCM as an official acronym for the Configuration Manager product. But please be aware that it is not an official acronym; it is actually owned as a trademark by the Society of Critical Care Medicine in the USA.

Therefore I will start replacing every SCCM acronym with ConfigMgr in my blog as well :)

CM12 – SQL 2008 R2 SP2 – Reporting Services Issues

If you are using SQL 2008 R2 SP2 as the database instance for ConfigMgr12, you may face some weird issues with SQL Reporting Services.

The very first thing you may face after you update your current SQL Server 2008 R2 to Service Pack 2 is a timeout problem.

By default, SQL will try to start Reporting Services within 30 seconds, which is the default timeout value. Therefore, if you restart your SQL Server you may see that the service did not start, with the following error:

A timeout was reached (30000 milliseconds) while waiting for the SQL Server Reporting Services (MSSQLSERVER) service to connect

To overcome the timeout problem above, you can create the following registry value to increase the timeout:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
Type: DWORD
Name: ServicesPipeTimeout
Value (decimal): 120000

That will increase the default timeout value to 120 seconds. After you restart the service, it will start automatically.

But this registry hack does not solve the CM12 Reporting Services role installation problem.

If you start the Reporting Services point role installation on the SQL Server from the ConfigMgr12 console, it will create a root reporting folder, create the CM12-related reports and then restart Reporting Services.

That’s where the problem starts. CM12 will not use the configured timeout value and will try to restart the service within 1 min. If your SQL Server takes more than 1 min to start the SRS service, the Reporting Services role installation will fail. Here is the entry from the srsp.log file.

Starting service 'ReportServer'
Time out has expired and the operation has not been completed

To solve this problem easily, you need to install Cumulative Update 1 for Configuration Manager 2012.

http://support.microsoft.com/kb/2717295

Site Systems
  • A Reporting Services Point may not be installed or start if the SQL Reporting Service does not start within one minute. The srssp.log file may contain entries that resemble the following entry:
    Starting service 'ReportServer'
    Time out has expired and the operation has not been completed.

Create ConfigMgr12 IP Subnet Boundaries with PowerShell

In one of my ConfigMgr12 projects in the Middle East, I faced a minor problem regarding boundaries.

The customer has more than 100 remote locations and many more subnets, so we needed to create the required boundaries for each subnet. It would have been helpful if I could have used Active Directory site subnets, as these subnets are discovered and added automatically by Forest Discovery, but in our situation it was not possible as the customer had only one single site :) Don’t ask why..

So I just created a simple Excel file, saved as CSV, that includes all subnets for a specific boundary.

And then executed the following script on the ConfigMgr12 server:

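# Read the subnet list; the CSV has a SUBNET column header
$excel = Import-Csv 'c:\aa.csv'
foreach ($item in $excel)
{
    # BoundaryType 0 = IP subnet; the subnet is used as both the display name and the value
    $Arguments = @{DisplayName = $item.SUBNET; BoundaryType = 0; Value = $item.SUBNET}
    # Replace xxx with your site code
    Set-WmiInstance -Namespace 'Root\SMS\Site_xxx' -Class SMS_Boundary -Arguments $Arguments
}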

This script simply:

  • Imports the CSV file exported from Excel
  • For each line (the item variable), creates the arguments variable. DisplayName is the boundary name, 0 is the type of boundary, and Value is the subnet read from the file.
  • Connects to the ConfigMgr12 WMI namespace Root\SMS\Site_SiteCode
  • Passes the arguments variable to the -Arguments parameter

You can also add additional columns in the Excel file for the display name and boundary type.
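A version of the import that uses separate columns for display name and boundary type, validates each value before it is written to WMI, and skips boundaries that already exist. This is an added example, not the original script: the column names DisplayName, BoundaryType and Value and the CSV path are assumptions, and it goes beyond the post by also accepting IP address ranges (type 3).

```powershell
# Added example. Column names DisplayName, BoundaryType, Value are assumptions.
$namespace = 'Root\SMS\Site_xxx'     # replace xxx with your site code
$csvPath   = 'C:\boundaries.csv'     # hypothetical path

$ipv4 = '(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}'
# SMS_Boundary.BoundaryType: 0 = IP subnet (subnet ID), 3 = IP address range (start-end)
$valuePattern = @{
    0 = '^{0}$'     -f $ipv4
    3 = '^{0}-{0}$' -f $ipv4
}

foreach ($row in Import-Csv -Path $csvPath) {
    $value = "$($row.Value)".Trim()

    # Reject rows with a missing, non-numeric or unsupported boundary type.
    if ($row.BoundaryType -notmatch '^\d+$' -or
        -not $valuePattern.ContainsKey([int]$row.BoundaryType)) {
        Write-Warning "Skipping '$($row.DisplayName)': unsupported BoundaryType '$($row.BoundaryType)'"
        continue
    }
    $type = [int]$row.BoundaryType

    if ($value -notmatch $valuePattern[$type]) {
        Write-Warning "Skipping '$($row.DisplayName)': '$value' is not valid for type $type"
        continue
    }

    # $value now contains only digits, dots and '-', so it is safe inside the WQL filter.
    $filter   = "BoundaryType = $type AND Value = '$value'"
    $existing = Get-WmiObject -Namespace $namespace -Class SMS_Boundary -Filter $filter
    if ($existing) {
        Write-Warning "Skipping '$value': boundary already exists"
        continue
    }

    $arguments = @{ DisplayName = $row.DisplayName; BoundaryType = $type; Value = $value }
    Set-WmiInstance -Namespace $namespace -Class SMS_Boundary -Arguments $arguments | Out-Null
}
```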

And yes, you can manage ConfigMgr with PowerShell easily..


ConfigMgr 2012–Make available OSD Task Sequences only via PXE

If you want to make your OS deployment task sequences available only via PXE:

For Configuration Manager 2007/2012, you can specify a client platform that does not exist in your environment in the task sequence properties.

For instance, if you select Windows Vista SP2 (64-bit), this TS will only be available on PCs running that platform. However, Windows PE (network boot) ignores platform restrictions, so this TS will be available to every collection/computer in the PXE environment.

Also, with the upcoming ConfigMgr 2012 Service Pack 1, you can control this setting through configuration on the deployment itself, where you will get multiple options.

SP1 is still in beta and will be available soon. Until then, you can use the first method.