December 2007 - Posts
I thought about only documenting the Device Management portion because we have a scheduled task to pick up all Servers and Workstations at 3AM Daily, but because I need instant gratification I thought so would many others.
I don't actually have any other servers or desktops in the SCE Lodge right now so this would actually discover any computers but I want to follow the deployment process for installing a green field.
Cross Posted from http://SMEManaged.com
There has been a good deal of Community conversation about the suitability of System Center Essentials 2007 for installation on Small Business Server 2003 SP1 / R2, and while I maintain the opinion that all SCE 2007 installs in SBS 2003 Networks should be done on dedicated Windows 2003 R2 Standard Edition servers, this build has (so far) not been shown to cause significant issues with the Features or Functionality of the SBS 2003 R2 Server.
UPDATE: 1/1/2008 Also Tested on Dual NIC behind a Local Router
This guide has been written with a Default Installation of an un-patched version of SBS 2003 R2 as the base. The configuration is Single NIC with Local Router.
This build does not meet all the prerequisites of a SCE 2007 Installation but does allow me to demonstrate the flexibility of the Install as this entire build was conducted with only one reboot and all items were guided by the Installation Process or the System Center Managed Forums without aborting the Installation.
| Launch Setup from a Patched SCE 2007 Installation Source |
| The Installer detects the absence of MS XML Core Services 6.0 and Launches the install automatically |
| Press Next |
| Accept the License Agreement; Press Next |
| Confirm the Registration Details; Press Next |
| Press Install |
| Press Finish |
| The SCE 2007 Installer will continue automatically; Press Next |
| Select the Upgrade WSUS check box; Press Next |
| The Installation Prerequisites will fail;
Press the More button next to the .NET Framework 3.0 Components |
| The Prerequisite Details dialog appears;
Click the X86 version download Link |
| When the download completes press Open |
| Carefully read through the license agreement (go on humour me);
Click I have read and ACCEPT the terms of the License Agreement;
We all want to help make better products so check the Send anonymous information box;
Click Install |
| Press Exit |
| Your feedback is automatically sent to Microsoft |
| Click Recheck, Notice the .NET failure is now cleared;
Press the More button next to the Checking for Pending Reboots item |
| The resolution says to Reboot the Machine;
In every SBS based build I have conducted this DOES NOT clear the issue |
| Run Regedit.exe;
Delete the PendingFileRenameOperations value under HKLM\System\CurrentControlSet\Control\Session Manager |
| Press Yes |
| The Installation Prerequisites test now passes;
Press Next |
| Now I'm pretty sure you didn't read the .NET Framework EULA, Read this one and click "I have read, understood and agree to ..";
Press Next |
| Check the Name and Organisation Details are correct;
Press Next |
| Press Next |
| Choose a Database location, I put mine with the other SBS Database data files;
Press Next |
| The Installation will now block due to the Self Signed Certificate on the Default web |
| Select the Default web and Right Click Properties |
| Select the Directory Security Tab;
Click Server Certificate |
| Click Next > |
| Click Remove the current certificate;
Click Next > |
| Click Next > |
| Click Finish |
| Choose an Administration Account;
Click Next > |
| Select all three check boxes, (why not help improve this great product?);
Click Next > |
| Click Install |
| The Installation continues, (not a cut lunch and a 6 Pack, but certainly go make coffee, you deserve it) |
| Click I do not wish to check for updates, (I modify WSUS to use our upstream WSUS server to Sync the current updates before shipping, we set it back when delivered);
Click Next > |
| Click OK |
| Uncheck Launch the Essentials Console and Complete the configuration process, (we need to put back the self signed certificate first);
Click Finish |
| Click No |
| Select the Default web and Right Click Properties |
| Select the Directory Security Tab;
Click Server Certificate |
| Click Next > |
| Click Assign an existing certificate;
Click Next > |
| Click Next > |
| Click Next > |
| Click Next > |
| Click Finish |
| Reboot the server |
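The pending-reboot workaround in the steps above discards every file operation queued for the next boot, so it is worth listing and backing up what is queued before removing it. The PowerShell script below is an added example, not part of the original post; the `-Remove` switch and the backup file name are assumptions, and it must be run elevated.

```powershell
# Added example (not from the original post): review, back up, then
# optionally remove PendingFileRenameOperations.
param([switch]$Remove)   # hypothetical switch: delete the value after review

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'

$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if (-not $prop) {
    Write-Output "$name is not present; nothing is queued."
    return
}

# The value is a REG_MULTI_SZ of (source, destination) pairs.
# An empty destination means "delete the source at next boot";
# a leading '!' on the destination means "replace an existing file".
$entries = @($prop.$name)
$ops = for ($i = 0; $i -lt $entries.Count; $i += 2) {
    $dst = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
    [pscustomobject]@{
        Action      = if ($dst) { 'Move' } else { 'Delete' }
        Source      = $entries[$i] -replace '^\\\?\?\\', ''
        Destination = $dst -replace '^!?\\\?\?\\', ''
    }
}
$ops | Format-Table -AutoSize | Out-Host

# Export the whole Session Manager key so the queue can be restored.
# Assumed backup location: a timestamped file in %TEMP%.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "SessionManager-$stamp.reg"
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; value left untouched.' }
Write-Output "Key exported to $backup"

if ($Remove) {
    Remove-ItemProperty -Path $key -Name $name
    Write-Output "$name removed; click Recheck in the SCE prerequisite dialog."
}
```

Queued moves that replace system binaries usually belong to an update that has not finished installing, so entries of that kind are a reason to let the update complete before clearing the value.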
Known Issues
These are the Issues experienced post Installation
WSUS no longer gives a Green Check
Windows Small Business Server (Windows SBS) Update Services is not running because it automatically turns off if you customize Windows Server Update Services (WSUS). For a list of specific settings that cause Windows SBS Update Services to turn off, see the Microsoft Web site. Even if WSUS is managing updates for your network, the accuracy of the status in the Windows SBS monitoring report or on the Update Services home page cannot be guaranteed. To use Windows SBS Update Services, reverse the changes that you have made to WSUS or reinstall Windows SBS 2003 R2.
WSUS Synchronisation Fails
Content download has failed. BITS service is not starting or is stopping during downloads.
- Open a command window.
- Type sc config bits start= auto
- Type net stop bits & net start bits
- Type net stop wsusservice & net start wsusservice
- Start WSUS 3.0: Click Start, click Administrative Tools, then click Microsoft Windows Server Update Services v3.0.
- Click Synchronization Results.
- In the Action pane, click Synchronize Now
Cross Posted from http://SMEManaged.com
I was reading Gwen Zierdt - The Real World Is Messy, in particular an interview with David Mills, a member of the System Center Essentials 2007 Marketing team.
I found this very interesting and of course now want to find a Beta for SP1 so I can check out what else is new.
4) What was the most requested feature in Essentials 2007 and why?
I would have to say the feature that came up most in my conversations with customers was a request for Essentials 2007 to manage workgroup-joined computers. Many midsize businesses have computers in a “DMZ” that need to be managed like the rest of their machines, but the current version of Essentials limits management to domain-joined computers only. Fortunately, we are adding this feature in SP1 which will be released in Q1 of CY 2008.
David Mills on Microsoft System Center Essentials 2007 at TechEd IT Forum - The Real World Is Messy
When I start an install task, I try to gather as many of the required tools and fixes as possible. I knew there were some hotfixes available and was pretty happy to see there was a rollup which would save me some time. So I grabbed the executable so I could apply the fixes before I ran the configuration wizard especially since I already had one false start and wanted to get a good vanilla install so I could document it.
Here's the thing: had I read the release notes, I would have known this rollup patches the Installation Source and is a pre-install fix.
Here is what gets fixed...
Cross Posted from http://SMEManaged.com
I installed SCE 2007 in my lab today, and as I do with all my Lab Machines had installed Logmein Free so I could show people features or builds when out and about. After all you can only share so much RDP in a NAT'ed Config.
After the install, the configuration wizard launched and over 80% of the config items failed. I checked that all the SCE Services were running and found I could not start the OpsMgr Health Service. A quick Live Search discovered an issue with Logmein.
I removed the Logmein Remote Control Tool and all is well with the world again.
The only other thing that I think is worth mentioning is when using the Microsoft Managed News Groups it would be cool if people fed back the Solutions to close the case properly.
Cross Posted from http://SMEManaged.com
So on my way back from the Trend Micro / SBSFAQ Security Summit, I started to think about secure authentication to not just mine but my customers networks. I thought about password change frequency and complexity issues and how I might ensure a suitable compromise for the level of risk.
Now many of my customers have their own accounts but set to the same password, and some all use one account because they used it that way when they were peer to peer, and when the risk is explained they don't feel it to be an issue for them. These are not people who are ignoring IT security; they make a conscious decision that their openness within the business does not need to be fettered by Access or Audit Controls. The owners make a decision that works for them with their eyes open.
Of course Administrative access to the server is another issue altogether, and we manage that with frequent changes to the Administrator (500) account and our own Admin Accounts. We also look to use passphrases, and there are always ones to use in song lyrics or other bits of our everyday lives. I was thinking about this on my way home, and Canberra is a three hour drive, and you guessed it: I had Green Day, TISM and Blink 182 in the CD Stacker.
- You're only one drug away from liking techno
- My friends say I should act my age what's my age again?
- I'm just a grouch sitting on the couch, The world owes me, so f#$k you
- My eyes feel like they're gonna bleed, Dried up and bulging out my skull
- You're only one download from this song's copyright
But these are hard to type, albeit quite secure. I had just finished having breakfast with Ryan and Dana, so a better way was already in my head. I think AuthAnvil is a great product not because it is two factor but because I can make it multi site two factor, essentially federating our Admin Credentials to all our customers. Admittedly that is not many customers right now so we have yet to invest in the technology, but I am at this point an interested observer.
Of course it is not an IF but WHEN we implement AuthAnvil, and on that day we won't care for Passphrases like these because we will have a one time set of credentials which will allow us to be both VERY secure in credentials but also protect our customers from ex-employees' unauthorised access.
With Correct Solutions becoming the ANZ Disti I'm sure I will have a chance to look closer and pick Ryan's brain as I determine where to go with it.
With some of the traffic I have seen on some of the Email Groups I get these days, some of us just need to take a breath before sending, but sometimes the urge to push send is so strong.
So to save embarrassment and eating of Pies so Humble, how about creating a rule which enforces a 30 minute send delay? The one I describe here does it for all messages but you can set rules for only some recipients or lists.
I have many times stated that Linux would not be ready for "Prime Time" until I could manage it properly. I usually meant with Group Policy, but I have seen a significant step in the right direction with the release of a NAP Agent for Linux.
Avenda Linux NAP Agent [Evaluate Beta 1 Release]
The Linux NAP Agent is a Microsoft NAP compatible client that supports 802.1x enforcement. The agent authenticates and gets its health status validated with either Avenda eTIPS or Microsoft NPS.
So now that I can at least do health on Linux Desktops, I am getting more comfortable with the direction we are heading.
Supported Platforms
- Redhat Enterprise Linux 4 and above
- CentOS 5 and above
- Fedora Core 6 and above
Also on the Avenda site I notice a Mac OS X client for the eTIPS product so I assume there will be a NAP Client for Mac OS soon too.
So since I have looked at CentOS since I was made aware that it is a Code Compatible Redhat equivalent and now with NAP on the road map, I'm sure we have made a reasonable choice.
Avenda NAP Technologies - Avenda Systems
Here is a mistake that I hope to avoid next year. I kind of liked the template that was downloadable by Microsoft Partners.
We really did want to thank all the people who have helped us or we have helped over the year, and to let people know we really do value the friendships. What could be worse than the 6 people who got to see that I didn't care enough to have the <firstname> field in my outlook contacts populated correctly.
Turns out Susan got two so it even stands out more. While mail merging a template email when it goes wrong is tacky, we really do value the relationships with all our friends and colleagues.
Next year I will try not to let it make me out to be a complete *** Clown.

Today I went to a Sun Project Blackbox walk through and must say I am pretty impressed. Now, I have some experience building special purpose transportable networks and have been involved in the creation of some of these types of projects going back to the late 90's. Now one of these pictured right is a little down and dirty in comparison to the very sterile, very polished and may I say well appointed Sun version, but it is also 10ish years earlier too; note the now dinosaur looking Compaq Servers, the CRT Monitor etc. Note also the twin Air Conditioners mounted on top.
I remember one of our biggest problems with building a container that scaled was the cooling, which the Blackbox seems to have solved in quite an elegant manner. The idea is to use chilled water to enable heat dissipation through heat exchangers mounted between each rack. The first rack of servers gets fed with cool air that flows through just like a traditional rack, but the warm air is blown through the next heat exchanger, which provides cooled air to the next server rack. All the racks are mounted in a straight line, 4 racks each side. The absence of front and rear rack doors allows each server to have air flow as the Server Manufacturer designed it, with no hotspots, meaning you could easily go floor to ceiling with 1RU Servers for very high density. This is very well thought out.

Sun was talking about some of the deployment scenarios, including how some customers put chilled water plants as well as power supply / UPS in a second container delivered next to the Blackbox unit.
With a bit of extra thought you could extend to a situation where an office and / or some accommodation could be mounted on top of the Blackbox and plant room containers. The ones I have pictured here are made by Simply Containers Australia and are made in South Australia.


