Multicasting; not only for operating system deployment
In my work I have the good fortune of presenting a training every once in a while, and for those trainings I normally prepare the classrooms myself. The challenge in previous years was not to deploy the OS (that I know how to do :) ), but rather to distribute all the virtual machines for the class in a timely fashion. Back then I normally used a bunch of external hard drives with an automated script that copied and imported my virtual machines into Hyper-V, but no more...
Why? Well, there is a quicker way... The Multicast feature in WDS can be used to transfer any file over the network. This is how you do it.
Step 1 - Create the WDS name space (enabling a folder for multicast)
In this example I have stored compressed (WinRAR) versions of my virtual machines in a folder called D:\Exported_VMs on my server. One of the VMs is named DC01.rar.
So we need to create a new namespace for the files in the D:\Exported_VMs folder (note that the folder needs to exist before you can create the namespace). Use the following command:
WDSUTIL /New-Namespace /NamespaceType:AutoCast /Server:MDT01 /FriendlyName:"Really Large Files" /Namespace:"Really Large Files" /ContentProvider:WDS /ConfigString:D:\Exported_VMs
Step 2 - Get the files via multicast on the client
Then, on the client, get the large files via multicast. First, allow wdsmcast.exe in the firewall rules (inbound rule), then run the following command:
wdsmcast.exe /verbose /transfer-file /server:MDT01 /namespace:"Really Large Files" /SourceFile:"DC01.rar" /DestinationFile:"C:\VMs\DC01.rar" /Username:TSLAB\BuildAccount /password:"P@ssw0rd"
Note that the target folder must exist, otherwise wdsmcast fails.
The wdsmcast client runs best, and is only supported, in WinPE, but you can also start it in the running operating system. That, however, is not supported and has proven, at least in my testing, not to be as reliable as running it in WinPE.
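Step 2 as one client-side script, added here as an example and not part of the original post: it pre-creates the target folder, adds an inbound firewall rule for wdsmcast.exe only, and prompts for the account instead of keeping the password in the script. The C:\Tools\wdsmcast.exe location, a client with PowerShell 4.0 or later and the NetSecurity firewall cmdlets, and a non-zero exit code on failure are assumptions.

```powershell
# Added example. The tool path is an assumption; the other values come from the post.
param(
    [string]$WdsMcast    = 'C:\Tools\wdsmcast.exe',   # assumed location of wdsmcast.exe
    [string]$Server      = 'MDT01',
    [string]$Namespace   = 'Really Large Files',
    [string]$SourceFile  = 'DC01.rar',
    [string]$Destination = 'C:\VMs\DC01.rar'
)

# wdsmcast fails when the target folder is missing, so create it first.
$targetDir = Split-Path -Path $Destination -Parent
if (-not (Test-Path -Path $targetDir)) {
    New-Item -Path $targetDir -ItemType Directory | Out-Null
}

# Inbound rule limited to the wdsmcast.exe binary, created only once.
$ruleName = 'WDS multicast client (wdsmcast.exe)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Action Allow -Program $WdsMcast | Out-Null
}

# Prompt for the account so the password is not saved in a script or batch file.
# It is still passed on the wdsmcast command line, so it is visible in the
# local process list for as long as the transfer runs.
$cred = Get-Credential -Message 'Account with read access to the WDS namespace'
$pass = $cred.GetNetworkCredential().Password

& $WdsMcast /verbose /transfer-file "/server:$Server" "/namespace:$Namespace" `
    "/SourceFile:$SourceFile" "/DestinationFile:$Destination" `
    "/Username:$($cred.UserName)" "/password:$pass"

# Assumption: wdsmcast signals a failed transfer with a non-zero exit code.
if ($LASTEXITCODE -ne 0) {
    throw "wdsmcast exited with code $LASTEXITCODE"
}

# Hash the received file so it can be compared with a hash taken on the server.
Get-FileHash -Path $Destination -Algorithm SHA256
```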
Regards / Johan
-There’s an app for that:
Remote Desktop Manager
Sometimes magic happens, and sometimes someone makes a really nice application. Nope, not talking about the “apps” that every kid has to have these days.
I’m talking about an application that really, really helps me day in and day out. It is a free download from Microsoft; it has been an internal project, and finally someone was “allowed” to release it to the web (RTW).
It is called Remote Desktop Manager, and it makes it possible to arrange all the different RDP connections into one tool. You can organize all the different locations into groups, and then you can have different settings per group or per server; you can even override settings for different servers.
You download it from Microsoft.com/download and search for RDCman or click this link
The first thing you do is create a file. It is going to contain all settings, servers and maybe also passwords, so keep it safe.
Then you create groups, and in the groups you add servers. The big thing about groups is that you can store configuration in the group, which means that the 400 servers in the group inherit settings like RDSGateway or Name and Passwords, and that’s super.
You can also connect and disconnect a group of servers and move them around (not by drag/drop; instead you go to properties, where you will see object inheritance, and just modify that).
Here is a quick look at it
I have done a blog post on this with more screenshots and some more info and details; you will find it here: http://itbloggen.se/cs/blogs/micke/archive/2010/09/21/the-application-of-the-year-or-maybe-the-whole-decade.aspx
Mikael Nystrom – TrueSec
MVP Windows Server - Setup/Deployment
New massive vulnerability threatens ASP.NET websites all over the world!
Friday last week Microsoft confirmed a really scary vulnerability in the way ASP.NET encrypts sensitive cookie data.
Some early reports state that 25% of all websites in the world are vulnerable!!
The result is sometimes devastating and in many scenarios hackers can use the bug to get access to sensitive data or impersonate administrators.
What's even more scary is the fact that the vulnerability was presented at a crypto conference in 2002, and it's more than likely that this has been known in closed circles for many years.
Another important thing to understand is the fact that it’s not a Microsoft-specific bug. The vulnerability itself lies in how various encryption algorithms use padding to fill out blocks of data. I will not explain all the details since you can read a great article about it here: http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/19/padding-oracle-asp-net-vulnerability-explanation.aspx
The most important thing to understand from an ASP.NET perspective is that you can use this attack to decrypt encrypted data in cookies and encrypt your own modified data. In effect you can for example put ADMINISTRATOR into a session cookie instead of JOE.
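The padding behaviour described above, shown with the .NET crypto classes from PowerShell as an added illustration (not code from this post, from ASP.NET, or from the linked article): a decryptor that reports padding failures separately answers tampered input in distinguishable ways, while checking an HMAC over IV and ciphertext first rejects every tampered cookie identically. The key, the cookie value and the function names are constructed for the example, and encrypt-then-MAC is a general construction, not a description of Microsoft's fix.

```powershell
# Added illustration with a constructed key and cookie value.
$aes    = [System.Security.Cryptography.Aes]::Create()    # defaults: CBC, PKCS7 padding
$macKey = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($macKey)

function Get-Tag([byte[]]$Data) {
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$macKey)
    return ,$hmac.ComputeHash($Data)
}

function Protect-Cookie([string]$Text) {
    $aes.GenerateIV()
    $plain = [Text.Encoding]::UTF8.GetBytes($Text)
    $ct    = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    [byte[]]$body = $aes.IV + $ct                          # IV || ciphertext
    return ,([byte[]]($body + (Get-Tag $body)))            # ... || HMAC-SHA256 tag
}

# Weak form: decrypts whatever arrives and reports padding failures separately.
function Unprotect-Weak([byte[]]$Body) {
    try {
        $dec = $aes.CreateDecryptor($aes.Key, [byte[]]$Body[0..15])
        $out = $dec.TransformFinalBlock($Body, 16, $Body.Length - 16)
        return [Text.Encoding]::UTF8.GetString($out)
    } catch [System.Security.Cryptography.CryptographicException] {
        return 'ERROR: bad padding'                        # this distinct answer is the oracle
    }
}

# Hardened form: verify the tag first and answer every failure the same way.
function Unprotect-Strong([byte[]]$Cookie) {
    [byte[]]$body = $Cookie[0..($Cookie.Length - 33)]
    [byte[]]$tag  = $Cookie[($Cookie.Length - 32)..($Cookie.Length - 1)]
    $expected = Get-Tag $body
    $diff = 0                                              # compare without early exit
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($tag[$i] -bxor $expected[$i]) }
    if ($diff -ne 0) { return 'ERROR: invalid cookie' }    # padding is never examined
    return Unprotect-Weak $body
}

$cookie = Protect-Cookie 'user=JOE'                        # 16 IV + 16 ciphertext + 32 tag
[byte[]]$tag = $cookie[32..63]
$t1 = [byte[]]$cookie[0..31]; $t1[15] = $t1[15] -bxor 1    # changes the last padding byte
$t2 = [byte[]]$cookie[0..31]; $t2[0]  = $t2[0]  -bxor 1    # changes the first text byte

'weak,   padding changed: ' + (Unprotect-Weak $t1)
'weak,   text changed   : ' + (Unprotect-Weak $t2)
'strong, padding changed: ' + (Unprotect-Strong ([byte[]]($t1 + $tag)))
'strong, text changed   : ' + (Unprotect-Strong ([byte[]]($t2 + $tag)))
'strong, untouched      : ' + (Unprotect-Strong $cookie)
```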
We are currently analyzing this vulnerability in our lab, and my colleague Johannes is creating tools for identifying the vulnerability on servers over the internet and PoC attack tools for demonstration purposes. I think I will demonstrate this in one of my sessions at TechEd Europe.
So, I guess you want my recommendations?..
- Read the blog post in the link above to understand the issue, and how to mitigate it.
- Download this tool to see if your own webservers are vulnerable :)
- Stay tuned for updates in the Microsoft advisory:
Be careful out there!
/Marcus Murray, Security MVP, TrueSec Security Team.
To use Task Sequencer in SCCM 2007 for deployment
Lots of administrators have used the Task Sequence over the last years for operating system deployment. With good reason, the feature is pretty powerful and allows administrators to have full control of almost all aspects of the operating system deployment process. In Configuration Manager 2007 you’ll find the task sequence as part of the Operating system deployment feature.
Starting from vNext (next version of Configuration Manager), the task sequence will be placed as an independent feature in the Software Library Wunderbar. Moving the task sequence feature away from the Operating System deployment feature makes perfect sense since you can also use the feature for “normal” software deployment scenarios.
I still use the old-fashioned Software distribution feature in ConfigMgr for the majority of my software deployments. However, from time to time I run into scenarios where a Task Sequence clearly provides me with more control compared to the traditional approach. Some of those scenarios are:
1. Deployment where I need to uninstall an old application prior to installing the new one. Often the challenge is that not all computers have the old application installed.
- Create a new empty custom task sequence and add an Install software step.
- Select the Uninstall program for the application.
- Click Option, click Conditions and select the Install Software condition.
- Select the MSI file you want to remove on the client computer and click OK.
- Add a second Install software step to the task sequence. Select the software package you want all computers to install.
2. Role based deployments, where different departments must have specific software.
- Check my previous blog post for that solution
3. Hardware specific deployments, one example is VPN software that only should be deployed to laptops.
- For this solution I recommend creating a MDT toolkit package and run the Gather step prior to the Install VPN software step.
- Click Option, click Conditions and select the Variable condition.
- Type Islaptop as variable name and True as the value
Common to all 3 scenarios is the use of conditions.
Configuration Manager MVP
Where to find us
Come meet us at any of our labs. Below is where we will hold labs during the next 2 months.
Coming Labs in the US
Mastering SCCM 2007 with Kent, Long Beach
Power Shell Master Class, Thomas Lee, New York City
Zero Touch Deployment with Johan, New York City
Unleash the power of MDT 2010 Lite Touch, with Johan in New York City
Lite Touch Deployment with Mikael, Boston
Zero Touch Deployment with Johan, Boston
November 29-December 1
November 29-December 1
For complete schedule listing please go to www.truesec.com