


November 28, 2012
Newsletter November 2012
 


TrueSec

News and Geek Stuff

November 2012

If you want to give yourself an early Christmas gift, I have three suggestions to further sharpen your skills in System Center and OSD:

· Mastering System Center 2012 Operations Manager in Boston, December 3-6. (Yup, that is next week.)

· MVP Combo – The ultimate MDT 2012 and ConfigMgr 2012 in Orlando, December 3-7. (Yup, that is next week.)

· Mastering System Center 2012 Orchestrator in Dallas, December 10-12.

 

If you can’t find the time to get away, don’t miss Mikael’s and Johan’s free LiveMeeting session on December 10 on the subject Windows 8 and Server 2012 OS Deployment - Lessons learnt.

In this letter I’d like to introduce you to another of our specialists, Thomas Balkeståhl, who has been a dedicated SharePoint technician and geek since the very early days. Below is the first piece of a series to come. Enjoy!
Per

 


Johan Arwidmark:

Uber-tips for the MDT 2012 Update 1 Task Sequence template for ConfigMgr 2012


Mikael Nystrom:

Using RB's as part of a TS - Part 1

Thomas Balkeståhl

Alternate Access Mapping Basics in SharePoint 2013

Kare Rude Andersen

PowerShell script for automation in SCOM


Uber-tips for the MDT 2012 Update 1 Task Sequence template for ConfigMgr 2012

 

I'm a big fan of integrating MDT 2012 Update 1 with ConfigMgr 2007/2012, not only for all the OSD enhancements, but also for the development framework and its ability to call external scripts, databases, web services and much more…

That being said, I'm not all that excited about some of the changes that MDT 2012 Update 1 brought to the standard client task sequence template for ConfigMgr. In Update 1 Microsoft merged the UDI client template with the normal client template, and if you thought the old template was big, think again :)

Anyway, the new template, which is merely good, can be made great!

Here are the changes I propose to a SCCM 2012 SP1 task sequence created by the new MDT 2012 Update 1 standard client template:

1.   Change the OSDPreserveDriveLetter from False to True. That will configure SCCM 2012 SP1 to honor the drive letter setting in your reference image. Meaning if the drive letter was C:, it will still be C: when deployed.
 

 



The OS ending up on the E drive without the OSDPreserveDriveLetter value set to True. New "feature" when deploying with MDT 2012 Update 1 and SCCM 2012 SP1.


 



Setting the OSDPreserveDriveLetter value to True.                                            

2.   Set the password for the local administrator. By default the template enables the admin account and sets its password to blank (not good). Please note that UDI requires the administrator account to be enabled; if you don't use UDI, it does not need to be. Assigning a local password is also useful when setting up the initial deployment solution, so that you can, for example, log in locally to troubleshoot domain join issues.

Set a password for the local administrator in the task sequence, or disable the account if not using UDI.

3.   Always configure an OU in Apply Network Settings. MDT can only update the MachineObjectOU value if you set it to something first.

 


Specify an OU in the Apply Network Settings action, and no, the Computers "OU" is not an OU, it's a container. Don't use it. Never, ever.


//Johan

 

 

 

 

 

 

 

 

 

 

 

 

 

 

PowerShell script for automation in SCOM

Now that you have been working with SCOM 2012 since April and are looking forward to SP1, you have probably tried to create some nice dashboards and started automating SCOM. I would like to show you a nice PowerShell script you can use for automation: it changes the Resolution State of an alert, which lets you send notifications or show the alert in the right view for your Exchange administrators.

This sample searches the alert Description for some predefined words, and it also changes the state based on the alert Name.

 

*************************************** ResolutionChange.ps1 ****************************************

Import-Module OperationsManager

# Fetch every alert that still has resolution state 0 (New)
$Alerts = Get-SCOMAlert -ResolutionState 0

if ($Alerts)
{
   foreach ($Alert in $Alerts)
   {
      $newState = $null

      # Pick a resolution state from keywords in the alert description.
      # There are no break statements, so if several patterns match, the last match wins.
      switch -wildcard ($Alert.Description)
      {
         "*Active directory*" { $newState = 10 }
         "*Exchange*"         { $newState = 20 }
         "*DNS*"              { $newState = 30 }
         "*Cisco*"            { $newState = 100 }
         "*HP*"               { $newState = 110 }
         "*Printer*"          { $newState = 120 }
         "*EMC*"              { $newState = 130 }
         "*RunAs*"            { $newState = 200 }
      }

      # A match on the alert name overrides the description-based state
      switch -wildcard ($Alert.Name)
      {
         "Cannot start SQL Server Service Broker on Database" { $newState = 40 }
         "Machine account policy failure - Active Directory GPO lookup failure" { $newState = 10 }
      }

      # Only touch alerts that matched one of the rules above
      if ($null -ne $newState)
      {
         $Alert.ResolutionState = $newState
         $Alert.Update("Resolution State changed automatically by the notificator")
      }
   }
}

*************************************************************************************

 

// Kare


Alternate Access Mapping Basics in SharePoint 2013

 

 

Explains how you should look at Alternate Access Mappings – left to right.

Note: This is part 1 in a series; the next part will show how to configure DNS and a simple scenario adding a new NetBIOS name as a URL to a Web Application.

Alternate Access Mappings is something that most SharePoint engineers or administrators struggle with. More often than not, we get it right in the end, but we are not really sure why it works or if it really works the way we want it to.
This is my attempt to make it easy to understand. Start with this simple table:

Left area      Internal URLs
Right area     Public URLs with a zone
Middle area    Zones, which connect Internal URLs to Public URLs, many to one.

‘Internal URL’ redirects or transforms to a Public URL, from left to right. The URL on the left is what you enter in the address field in your browser; the Public URL on the right is what you will see once there. This goes for visible and invisible links as well.
Internal URL format: Protocol + URL (+non default port)

‘Public URL’ is the address of the Web Application for one of the five zones available. The ‘Default’ must be filled out and has some special properties/uses; the other four are optional. You can only have five Public URLs per Web Application.
This is the URL that the browser will be redirected to in the end.
Public URL format: Protocol + URL (+non default port)

‘Zone’ is a label representing a Public URL; the zone is used to ‘connect’ an Internal URL to a Public URL. The zone names have no relation whatsoever to the four Internet Explorer security zones (Internet, Local Intranet, Trusted sites and Restricted sites) and could just as easily have been named 1, 2, 3, 4 and 5. A zone can also represent an authentication provider.
Zones: Default, Intranet, Internet, Custom, Extranet

Example:

Left area                      Middle area         Middle area       Right area
Internal URL                   Internal URL zone   Public URL zone   Public URL
http://intranetportal          Default             Default           http://intranetportal
http://sharepoint15            Intranet            Intranet          http://sharepoint15
http://blksthl-sp017           Intranet
https://intranet.blksthl.com   Internet            Internet          https://intranet.blksthl.com
http://intranet.blksthl.com    Internet
                                                   Custom            Not used
                                                   Extranet          Not used


Note: Each ‘Internal URL’ is connected to a ‘Public URL’ based on the ‘Zone’ selected for it.

From left – to right…






The zones might as well be represented by numbers:

Left area                      Middle area         Middle area       Right area
Internal URL                   Internal URL zone   Public URL zone   Public URL
http://intranetportal          1 (Default)         1 (Default)       http://intranetportal
http://sharepoint15            2                   2                 http://sharepoint15
http://blksthl-sp017           2
https://intranet.blksthl.com   3                   3                 https://intranet.blksthl.com
http://intranet.blksthl.com    3
                                                   4                 Not used
                                                   5                 Not used

Note: Try to always use the most used URL as the default Public URL. This is what will be used by other services, like crawl and in certain other links.

 

 

Translated to the SharePoint GUI, this same setup would look like this:

 


Note: Filtered on this Web Application's Alternate Access Mapping Collection only.
Same Alternate Access Mappings as in the Example table above.

 

If you click on any of the ‘Internal URLs’, you will see that you can select a zone and, with the zone, the Public URL it will be connected to:

 

In addition to the actual Alternate Access Mapping in SharePoint Central Administration, you also have to add a binding in IIS. Contrary to what many believe, SharePoint does not do that for you, except for the initial hostname when you create the web application, so you have to do it manually.
The example above would show up in IIS Bindings like this:

 

As you can see, in IIS 8.0 and Windows Server 2012 the https binding does show up with a hostname. In IIS 7.5 and Windows Server 2008 R2, the hostname is determined by the name configured in the certificate used when adding that binding, and it is hidden in this view.
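A check for the step above, as an added example that is not part of the original newsletter: it walks each Internal URL from left to right to its Public URL and reports whether IIS has a matching binding. The mapping rows mirror the example table; the binding list is constructed sample data shaped like the protocol and bindingInformation properties returned by Get-WebBinding, the function name Test-AamBinding is hypothetical, and treating a binding with an empty host header as matching any hostname is an assumption.

```powershell
# Added example. All data below is constructed to mirror the example table;
# on a farm the rows could come from Get-SPAlternateURL and Get-WebBinding.
$aam = @(
    [pscustomobject]@{ Internal = 'http://intranetportal';        Zone = 'Default'  }
    [pscustomobject]@{ Internal = 'http://sharepoint15';          Zone = 'Intranet' }
    [pscustomobject]@{ Internal = 'http://blksthl-sp017';         Zone = 'Intranet' }
    [pscustomobject]@{ Internal = 'https://intranet.blksthl.com'; Zone = 'Internet' }
    [pscustomobject]@{ Internal = 'http://intranet.blksthl.com';  Zone = 'Internet' }
)
# One Public URL per zone (the right-hand side of the table).
$publicByZone = @{
    Default  = 'http://intranetportal'
    Intranet = 'http://sharepoint15'
    Internet = 'https://intranet.blksthl.com'
}
# Constructed IIS bindings; the one for blksthl-sp017 is deliberately missing.
$bindings = @(
    [pscustomobject]@{ protocol = 'http';  bindingInformation = '*:80:intranetportal' }
    [pscustomobject]@{ protocol = 'http';  bindingInformation = '*:80:sharepoint15' }
    [pscustomobject]@{ protocol = 'http';  bindingInformation = '*:80:intranet.blksthl.com' }
    [pscustomobject]@{ protocol = 'https'; bindingInformation = '*:443:intranet.blksthl.com' }
)

function Test-AamBinding {   # hypothetical helper name
    param($Mappings, $PublicUrls, $Bindings)
    foreach ($m in $Mappings) {
        $uri = [uri]$m.Internal          # .Port falls back to 80/443 when omitted
        $match = $Bindings | Where-Object {
            $parts = $_.bindingInformation -split ':'
            # parts[-2] is the port, parts[-1] the host header. Assumption: an
            # empty host header (hostname not shown, as in IIS 7.5) matches any host.
            $_.protocol -eq $uri.Scheme -and [int]$parts[-2] -eq $uri.Port -and
                ($parts[-1] -eq '' -or $parts[-1] -eq $uri.Host)
        }
        [pscustomobject]@{
            InternalUrl = $m.Internal
            Zone        = $m.Zone
            PublicUrl   = $PublicUrls[$m.Zone]
            HasBinding  = [bool]$match
        }
    }
}

Test-AamBinding -Mappings $aam -PublicUrls $publicByZone -Bindings $bindings |
    Format-Table -AutoSize
```

With this sample data every row reports HasBinding True except http://blksthl-sp017, the Internal URL whose IIS binding was never added.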

That’s it! Once you have configured your AAMs and bindings correctly, and given that name resolution, IP addresses, connectivity from the client to the server(s) and all other aspects are in order, you can start to use the URLs you want.

Enjoy!
Regards - Thomas Balkeståhl – Senior Executive Consultant

 

 

 

 

 

 

 

 

Using RB's as part of a TS - Part 1

Johan and I have been doing the new setup of GeekWeek, and every time we do it we try to figure out new and fun Runbooks we can use as a part of OSD. The last time we did the GeekWeek I was in Berlin, Germany, and we came up with an idea for something we face from time to time: checking Active Directory for the group membership of the computer and, based on that, deciding whether we should perform a backup before we refresh the machine. There is a simple rule here: if the owner of the computer has a higher pay grade than yours, you should absolutely perform a backup, and if they work for HR it is also a good idea. It is possible to create a VB script that runs locally, but that means we need to use ADSI components in WinPE, and that works but it is a bit nasty and unsupported. You could also use a web service, but that might not work for any number of reasons. So, if you have access to System Center 2012 Orchestrator, you could use that instead.

So I have made up my mind: I’ll try to create a long series of fun and practical runbooks that you can then use in your OS deployment, and this one is the first.

The Runbook:                                                 

In this case we need a runbook that checks computer group membership and returns the value of ComputerBackupLocation, either set to NONE or to AUTO and here it is:

The Task Sequence:

We also need to add the Runbook into the task sequence, pretty easy, just pick the right “spot” in the task sequence and insert the Orchestrator Runbook like this:

Adding Properties:

We also need to be able to inject the property VIPComputerGroup, so we need to add a new property to customsettings.ini like this:

Verify function in BDD.log

You need to verify this before you start deploying. That is easily done using a custom task sequence that only contains the correct property: run the LiteTouch.vbs script and then check bdd.log, like this:

So, if you think this is fun and you would like to try this out you can read more about the small details and download the script here:

http://deploymentbunny.com/2012/11/28/using-runbooks-as-part-of-a-task-sequencepart-1/

BTW: If you have any other ideas for runbooks that you would like to have to solve issues, send me an email at Mikael.nystrom@truesec.se and it might show up on the Internet near you.

/Mike 

Where to find us......

 

Mastering System Center Operations Manager 2012 (SCOM) with Kare Rude Andersen

Boston, MA

December 3-6

Mastering System Center 2012 ConfigMgr SP1 with Kent Agerlund

Denver, CO

January 11

Deployment Geek Week with Johan Arwidmark and Mikael Nystrom

Redmond, WA

February 25

Mastering System Center Orchestrator 2012 (SCORCH) with Jakob Gottlieb Svendsen

Dallas, TX

December 10

MVP Combo-The ultimate MDT2012 and ConfigMgr2012 training
with Johan Arwidmark and Kent Agerlund

Irvine, CA

February 11

Full schedule at http://www.truesec.com

 

 

 

 

 

 

 


TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052


 



