SCCM 2007 OSD Image Creation with Hotfixes

March 15, 2013

Today I decided to set up a little blog about something that has been blogged about very often: SCCM OSD imaging and Windows hotfix integration. The reason for blogging about it again is to document all the issues I encountered in the process myself.

I'll start by describing the prerequisites for a working setup, so basically if your setup meets those requirements you shouldn't run into the issues I had 🙂

At the time of writing this blog we're already at SCCM 2012 SP1 availability, but the environment I had to set this up in was still running SCCM 2007 R3 SP2, using the International Client Pack 2 (ICP2) SCCM client. The OSD process used in this customer setup creates a pre-installed system that is a WORKGROUP member, not a domain member.

Environment Prerequisites for the OSD Process:

  • SCCM 2007 R3 SP2 organization;
  • SCCM Client package: the package must include the hotfixes [sccm2007ac-sp2-kb977384-x86-icp2.msp], [sccm2007ac-sp2-kb2509007-x86-icp2.msp] and [sccm2007ac-sp2-kb2586709-x86-icp2.msp], added in that order to the Installation Properties of the “Setup Windows and ConfigMgr” step. Also add the SMSSLP=siteserver.fqdn SMSMP=siteserver.fqdn parameters to the same Installation Properties;
  • Proper setup of the PXE point and possibly IP-helpers on your routers to forward your DHCP and PXE requests to your central DHCP server and SCCM PXE point;
  • All IP ranges where you wish to build your image need to be added to your Site Boundaries to ensure the WORKGROUP member is assigned a FAST connection and actually downloads hotfixes and packages;
  • A logical setup of collections that should contain the various computer resources based on e.g. AD Queries or Direct membership;
  • All OS images and required packages must be distributed to a DP-role and accessible by the configured network access account;
  • Set up SCCM SUP and WSUS properly and create a SUP Deployment Management with approved updates that is linked to a custom SCCM Collection containing the clients. Also link the Unknown Computers collection into that custom collection. This way a new (unknown) computer that is running OSD can retrieve the list of available updates during the Install Software Updates task. SCCM Client ICP2 hotfix “kb2509007” makes sure your task sequence doesn't stall during hotfix deployment;
  • In the Task Sequence make sure you select the option “All Software Updates” in the Install Software Updates task.

Having the above prerequisites in place should really do the trick already and allow you to create an OS installation using the original setup media (MS doesn't recommend taking a patched WIM file, patching it again and re-capturing…) and integrate approved Microsoft Updates.

Some issues I encountered:

  • No hotfixes were installed: the “C:\Windows\SysWow64\CCM\logs” logfiles showed the attempt to check for hotfix packages, but none were found. -> Adding the SMSSLP and SMSMP parameters fixed that;
  • After the above change and restarting the OSD process the hotfix package was found and the Windows Update related logs showed the available hotfixes, but the download of the packages was never started and the task sequence eventually failed. -> Adding the IP-based site boundaries for my client as FAST solved that problem for me.
  • If you enabled BITS for all client / DP connectivity you have to make sure you enable anonymous access too (this is because of an issue with Kerberos authentication fallback if you're running Windows 2008 R2 as server OS). I heard about a hotfix for that but haven't tried it (http://support.microsoft.com/kb/2522623). If you haven't enabled BITS for your clients the task sequence will connect to the Hotfix Package(s) using the network access account.
  • Sometimes I had to run a refresh on the hotfix installation package to make sure all updates were present on the DP.

Microsoft Script Explorer for Windows PowerShell (pre-release) available

April 13, 2012

For those that work with PowerShell regularly and usually search Google for examples, this new beta tool comes in handy and provides you with a customizable interface where you can search for certain phrases in online repositories and get code snippets matching that topic.

The repositories to search also include the local filesystem, so scripts in an area that you specify in the tool's configuration are checked too to refresh your memory.


As far as I have checked it out now myself the search isn't very intuitive/useful, but I guess I'm not 'asking' the right question.

The “Browse Categories” feature is quite thorough and provides many categories that many admins deal with on a daily basis. Not all categories contain information yet, but where content has been added you get a browsable list of topics to choose from. Once you select a topic you get an article in the bottom-right window pane that contains the complete PowerShell code for you to use.

Unfortunately there is no search option available to search the currently selected category. It would be nice to see that in the final release.

I'll start using the tool frequently now to see how easy to use it really is and if it can beat Google 😉


Exchange 2007 / 2010 and Outlook 2010 free busy lookup

April 2, 2012

Currently I am preparing an Exchange 2007 to 2010 transition project where the new Exchange 2010 servers will be placed in the same Active Directory site as the existing Exchange 2007 CAS and CCR servers. At the same time a new desktop rollout takes place where Outlook 2003 is replaced with Outlook 2010, which changes the way the clients read the Exchange related information: from Active Directory and IIS services instead of from Public Folders.

This setup also brings some challenges to the way you publish OWA, EAS, OAB and the other IIS services, which you can publish both internally and externally using TMG or another reverse proxy.

This short post tells something about the impact for users that have a lot of group memberships (both direct and via group nesting) and because of that have a Kerberos token that exceeds 16k.
Due to the change from Outlook 2003 (which uses the Public Folder based Free-Busy information) to Outlook 2010 (which uses the Availability Service for Free-Busy information), the user will get an error that the free-busy information could not be retrieved when adding recipients to an appointment and checking availability.

This error is caused by the fact that the IIS request header is limited to 16k; because the Kerberos token already has that size or exceeds it, the request is denied with a BAD REQUEST error. The solution to this problem could be:
1] reduce the number of group memberships, which results in Kerberos tokens below 16k
2] change the IIS resource to fall back to NTLM authentication
3] increase the IIS request header space to enable Kerberos authentication for users with large Kerberos tokens.

The steps below describe the keys I set to solve it using method 3 above.
Set the following two keys:
reg add \\<CAS_servername>\hklm\SYSTEM\CurrentControlSet\services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 /f
reg add \\<CAS_servername>\hklm\SYSTEM\CurrentControlSet\services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 /f

The maximum for the MaxFieldLength value is the proposed 65534 bytes, and MaxRequestBytes must be equal to or larger than MaxFieldLength. The LSA Kerberos MaxTokenSize should then be configured accordingly as well so that it all makes sense. Usually it will be sufficient to set the value to 32k or even less, but you can check the maximum Kerberos token size using the utility TOKENSZ.EXE from Microsoft.

After setting the values you need to restart a number of HTTP and dependent services:
sc \\<CAS-ServerName> stop winrm
sc \\<CAS-ServerName> stop spooler
sc \\<CAS-ServerName> stop iisadmin
sc \\<CAS-ServerName> stop fdphost
sc \\<CAS-ServerName> stop w3svc
ping 1.1.1.1 -n 1 -w 30000 > nul
sc \\<CAS-ServerName> stop http
sc \\<CAS-ServerName> start winrm
sc \\<CAS-ServerName> start spooler
sc \\<CAS-ServerName> start iisadmin
sc \\<CAS-ServerName> start w3svc
sc \\<CAS-ServerName> start fdphost
sc \\<CAS-ServerName> start http

I added the ping -w 30000 to introduce a pause because the w3svc service can take a long time to stop. Adjust the timeout to suit your own environment.
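As an added example (not the post's own script), the same change done from PowerShell: the header limit is sized from the Kerberos token size instead of hard-coded, the two constraints from the text (MaxFieldLength at most 65534, MaxRequestBytes not smaller) are checked, and the restart is driven by the service dependency tree instead of a ping-based pause. The host name CAS01, the 1 KB headroom and enabled PowerShell remoting on the CAS are assumptions.

```powershell
# Added example, not code from the original post: sizes the http.sys header limits for a
# Kerberos token of a known byte size (LSA MaxTokenSize, or measured with TOKENSZ.EXE),
# writes the two registry values on the CAS and recycles http.sys with its dependents,
# which is what the reg add / sc sequence in the post does by hand.
# Assumptions: elevated session, PowerShell remoting enabled on the CAS, CAS01 is a placeholder.
param(
    [string]$CasServer = 'CAS01',   # placeholder, not a real host
    [int]$TokenBytes   = 32768      # e.g. a MaxTokenSize of 32k
)

function Get-HttpHeaderLimits([int]$TokenBytes) {
    # The ticket is sent base64-encoded in "Authorization: Negotiate <blob>", so the header
    # field is about 4/3 of the token; the 1 KB headroom for framing is an assumed margin.
    $field = [int][math]::Ceiling($TokenBytes * 4 / 3) + 1024
    if ($field -gt 65534) {
        throw "Needed MaxFieldLength $field exceeds the 65534 maximum; reduce group memberships instead."
    }
    # MaxRequestBytes covers the request line plus all headers and must be >= MaxFieldLength.
    return @{ MaxFieldLength = $field; MaxRequestBytes = 65534 }
}

$limits = Get-HttpHeaderLimits -TokenBytes $TokenBytes

Invoke-Command -ComputerName $CasServer -ArgumentList $limits.MaxFieldLength, $limits.MaxRequestBytes -ScriptBlock {
    param([int]$FieldLen, [int]$ReqBytes)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $old = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    Write-Output "Before: MaxFieldLength=$($old.MaxFieldLength) MaxRequestBytes=$($old.MaxRequestBytes) (empty = 16384 default)"
    Set-ItemProperty -Path $key -Name MaxFieldLength  -Type DWord -Value $FieldLen
    Set-ItemProperty -Path $key -Name MaxRequestBytes -Type DWord -Value $ReqBytes

    # http.sys reads these values only at start. Record which dependents (w3svc, winrm,
    # spooler, ...) are running, stop http together with them, then restart exactly those.
    function Get-RunningDependents($Service) {
        foreach ($d in $Service.DependentServices) {
            if ($d.Status -eq 'Running') { $d.Name; Get-RunningDependents $d }
        }
    }
    $toRestart = @(Get-RunningDependents (Get-Service -Name http) | Select-Object -Unique)
    Stop-Service -Name http -Force     # -Force stops the dependents first and waits for them
    Start-Service -Name http
    foreach ($name in $toRestart) { Start-Service -Name $name -ErrorAction Continue }
    Write-Output "After: MaxFieldLength=$FieldLen MaxRequestBytes=$ReqBytes; restarted: $($toRestart -join ', ')"
}
```

Because Stop-Service blocks until http.sys and its dependents are down, the 30-second ping delay from the cmd version is not needed here.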

As far as I have tested this right now I see that after changing my environment (both Exch 2007 and 2010) I can look up free-busy information using Outlook 2010 with a user that has a Kerberos token way larger than the HTTP header default of 16k. On 64-bit CAS servers this is not a problem, but for other 32-bit OS-based web applications this might be a problem because of the larger amount of system memory that is consumed now, and the paged pool might run out, especially when the /3GB switch is used and the system memory space is reduced to 1GB.

The only problem I have left regarding this at the moment is that looking up free-busy between Exchange 2007 and 2010 fails with a BAD REQUEST error, but users residing on Exchange 2007 can see the availability of other 2007 mailboxes, and the same goes for Exchange 2010 based mailboxes: they can see the availability of other Exchange 2010 based mailboxes. Cross-version lookups throw the error. I'm still looking into that issue and will post back when I know more about it.


first steps

March 20, 2012

Hello fellow readers and bloggers. I just started this blog today (2012-03-20) and intend to use it to keep track of the projects I do and share some proven technology, scripts, theories etc. with the rest of the world. I've been reading and searching the web for quite a few years now and have very often made use of the knowledge and experience that many others before me have shared, and this way I hope to contribute something useful too.

I hope you enjoy reading the blogs and that they provide you with useful information. I cannot give any guarantees regarding the information and scripts I post, and where applicable I will refer to the original publications of the product manufacturers.

Cheers,

Eric
