User state migration fails on a SCCM 2007 SP1 client or on a SCCM 2007 SP2 client after you install security update 974571

http://support.microsoft.com/?scid=kb%3Ben-us%3B977203&x=12&y=6

Important To resolve this issue, install this hotfix on all System Center Configuration Manager 2007 Service Pack 1 (SP1) site servers and on all System Center Configuration Manager 2007 Service Pack 2 (SP2) site servers. Then, deploy this hotfix to all clients.

This hotfix resolves this issue for any new client certificates that are generated. To correct the current certificates, run the CCMCertFix utility that is in this package on all the Configuration Manager SP1 clients and all the Configuration Manager SP2 clients.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, System Center Configuration Manager 2007 Service Pack 1 (SP1) or System Center Configuration Manager 2007 Service Pack 2 (SP2) must be installed.

How to Manually Publish the Default Management Point to DNS

If your DNS servers do not support automatic updates but do support service location records, and you want to publish the Configuration Manager 2007 default management point to DNS, you can manually publish the default management point. To accomplish this, you must manually specify the service location resource record (SRV RR) in DNS.

Configuration Manager 2007 supports RFC 2782 for service location records, which have the following format:

_Service._Proto.Name TTL Class SRV Priority Weight Port Target

For guidance on entering this DNS record for a site's default management point, follow this procedure.

To manually publish the default management point to DNS

1. In the Configuration Manager console, specify the intranet FQDNs of site systems.

2. In DNS, configure the DNS zone for the site's default management point, and enter host (A) records for the intranet FQDNs of the site systems.

3. Enter an SRV record with the following fields:

   • _Service: Enter _mssms_mp_, where is the management point's site code.
     
     
   • ._Proto: Specify ._tcp.
     
     
   • .Name: Enter the DNS suffix of the management point, for example contoso.com.
     
     
   • TTL: Enter 14400, which is four hours.
     
     
   • Class: Specify IN (in accordance with RFC 1035).
     
     
   • Priority: This field is not used because there is only one management point published for each site.
     
     
   • Weight: This field is not used because there is only one management point published for each site.
     
     
   • Port: Enter the port configured for Configuration Manager 2007 client requests, for example 80 for a mixed mode site and 443 for a native mode site.
     
     
   • Target: Enter the intranet fully qualified domain name specified for the site system configured with the default management point site role.
     

How to configure SCCM in Multiple Active Directory Forests

How to configure SCCM in Multiple Active Directory Forests

How to configure SCCM in Multiple Active Directory Forests

1. Introduction:

Configuration Manager 2007 clients on the intranet use Active Directory Domain Services as their primary method of service location and configuration. If you have clients that reside in a separate forest, they will not be able to retrieve information that is published to Active Directory Domain Services by their assigned site server.

For these clients to be managed, you must ensure that alternative methods are available for the following:

• Site compatibility check to complete site assignment.
• Service location for management points, and the server locator point if this is not directly assigned.
• Native mode configuration (Optional).

We have two domains in diffrient forest, first domain call primary.local domain and this domain will contain SCCM Server, 2nd domain is Domain.com which contain clients that should be managed by SCCM in Primary domain.

To successfully deploy CCM client and allow SCCM server to manage multiple AD forests, we should do the following configuration:

1- Configure Boundaries correctly to allow SCCM client agent distribution to clients which are located in 2nd trusted domain.
2- Configure Push Installation method switches in the client installation properties to allow clients in 2nd domain to find SLP.
3- Configure Discovery method to allow SCCM Server to discover 2nd trusted domain.
4- Add Server Locator Point “SLP” to SCCM site system role.
5- CCM Admin account should be local admin for client computers in 2nd domain.
6- Publish SLP Manually in WINS for 2nd trusted domain.
7- Enable WINS on the client PC's in 2nd domain.

2.Configure Boundaries

In Normal scenario it’s recommended to Active directory Site as boundaries to install CCM Client, but in this case all computers which is located in another forest will not be able to receive CCM client agent from SCCM Server.

In this case we have to configure “IP Subnet” or “IP Address Range”, to allow Clients in 2nd domain to receive client agent.

3.Discovery method:

In normal scenario, it’s recommended to enable “Active Directory Site System” and select Local domain, but this settings will discover only MOWASALAT.LOCAL domain.

To discover 2nd domain name we have to make sure that sure Active Directory System discovery is configured with LDAP://DC=domain,DC=COM LADP path. Then run discovery and check adsysdis.log to confirm if it is able to search the domain in other forest.

LDAP Query:

LDAP://DC=domain,DC=com

4.Add Server Locator Point:

Server locator points are used in a Configuration Manager 2007 hierarchy to complete client site assignment on the intranet and help clients find management points when they cannot find that information through Active Directory Domain Services.

So we need to add Server Locator Point to Site System role.

5.Configure Push Installation method switches:

It would also help if you add the following switches in the client installation properties, especially SMSSLP switch as clients in the other forest won’t be able to find SLP in their forest.

DNS and NetBIOS Name resolution should work between forests for this to work.

Switches:

SMSITECODE=S01 SMSMP=SRV-SCCM01.Primary.com
SMSSLP=SRV-SCCM01 FSP=SRV-SCCM01

6.Publish SLP Manually in WINS:

To resolve this issue, manually add an SMS_SLP record and an SMS_MP record to the Windows Internet Name Service (WINS) database. To do this, use one of the following methods, depending on the operating system that you are running:
To manually add the SMS_SLP and SMS_MP records to WINS in Microsoft Windows Server 2003 for 2nd domain, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following commands at the command prompt, and then press ENTER after each command:
o netsh
o wins
o server
3. Add the SMS_SLP record. To do this, type the following command, and then press ENTER:
add name name=SMS_SLP endchar=1A rectype=0 ip={ip addresses}
Note Make sure that you enclose the IP address in braces ("{ }").
4. Add the MP_SMSSiteCode record. To do this, type the following command, and then press ENTER:
add name name=MP_SMSSiteCode endchar=1A rectype=0 ip={ip addresses}

Note: Make sure that you enclose the IP address in braces ("{ }"). The SMSSiteCode variable represents the three-character string (letters, integers, or a combination of both) that is the code for the SMS site to which the Management Point belongs. It is displayed in the SMS Administrator Console.

7.Publish MP in DNS:

We should publish MP on DNS and make sure MP FQDN is resolvable from the clients in another domain.

To publish the default MP in DNS, Site Management -> S01-Primary -> Properties -> Advanced Tab -> publishes the default Management Point in DNS.

Unable to see Advertisements in SCCM 2007

I had installed an Admin Console version ConfigMgr07 SP1, and since introducing ConfigMgr07 SP2 into the environment, those Admin Consoles no longer list Advertisements". That is a 100% known technical issue, with a technical solution.

For ANY AdminConsole Installations, you need to upgrade those console installations to be Admin Console ConfigMgr07 SP2.

Manually configure Option 60 for PXE boot on a DHCP Server hosting an SCCM PXE Point

While setting up a new PXE point server for SCCM (System Center Configuration Manager), I discovered an interesting problem. Since the servers we have are all Windows 2003 SP 2, I no longer have to walk through from RIS to WDS (Windows Deployment Services) to installing the PXE point. However, this was the first server I’ve done that didn’t start life as a normal WDS server. Normally, since the PXE point would be on a server that is also DHCP, you have to choose the option to set Option 60 on DHCP. Since SCCM handles all the WDS, this is no longer an options. What to do? Well, all you need to do is use the NETSH command. Here’s how:

At a command prompt:

NETSH

NETHSH>DHCP server \\nameofserver

add optiondef 60 PXEClient String 0 comment=”Option added for PXE Support”

set optionvalue 60 STRING PXEClient

show optionvalue all

exit

Remember, replace nameofserver with the name of the DHCP server being modified. The final command lists the value so you can verify your settings.

Script for deleting drivers on mass on sccm Console

Code Snippet

' Connect to the SMS namespace

siteNamespace = GetSiteNamespace()

SET objWMIService = GetObject( "winmgmts:{impersonationLevel=impersonate}!"_

&siteNamespace)

SET drivers = objWMIService.ExecQuery("SELECT * From SMS_Driver")

numDriversDeleted = 0

' Process the results

FOR EACH driver in drivers

driver.Delete_

numDriversDeleted = numDriversDeleted + 1

NEXT

WScript.Echo "Successfully deleted "&numDriversDeleted&" drivers."

'

' Utility function to search for the site namespace

'

FUNCTION GetSiteNamespace()

' Find SMS Provider

SET objSMSNamespace = GetObject("winmgmts:{impersonationLevel="&_

"impersonate}!\\.\root\sms")

SET results = objSMSNamespace.ExecQuery("SELECT * From "&_

"SMS_ProviderLocation WHERE ProviderForLocalSite = true")

' Process the results

FOR EACH r in results

namespacePath = r.NamespacePath

NEXT

' Fail if we did not find the site

IF namespacePath = "" THEN

WScript.Echo "Failed to locate SMS provider."

WScript.Quit 1

END IF

' Return

GetSiteNamespace = namespacePath

END FUNCTION

You must copy this code on a .vbs file...

message: Drivers[The ConfigMgr provider reported an error*]

SCCM 2007 and SQL Server 2008

For fix it:

1) Set compability mode to SMS_sitecode database (Managment Studio --> right click SMS_sitecode database --> Options --> Set Compability level to SQL Server 2005 (90)
2) Restart SCCM server (hardware)

How to Configure Windows Server 2008 for Site System Roles

Here is a blurb I actually found on the Microsoft TechNet forums as I was searching for answers to my Windows 2008/SCCM SP1 RC Lab issues and I thought it was worth repeating again here for those in the same boat.

Here is the blurb from the help information that will be in the RTM release of SP1.

Topics referencing Configuration Manager 2007 SP1 and Configuration Manager 2007 R2 are pre-release documentation and are subject to change in future releases. Blank topics are included as placeholders.

Topic last updated—March 2008

Microsoft System Center Configuration Manager 2007 requires the WebDAV component to be installed and enabled on the management points and BITS-enabled distribution points. The WebDAV component is not included in Windows Server 2008 operating system.

Note

The information in this topic applies only to Configuration Manager 2007 SP1.

You must download, install, and configure WebDAV manually on management points and BITS-enabled distribution points running Windows Server 2008. On BITS-enabled distribution points, you might also have to edit the requestFiltering section of the applicationHost.config file if your packages contain extensions that are blocked.

Important

Enabling WebDAV and modifying the requestFiltering section for the Web site increases the attack surface of the computer. Enable WebDAV only when required for management points and BITS-enabled distribution points. If you enable WebDAV on the default Web site, it is enabled for all applications using the default Web site. If you modify the requestFiltering section, it is modified for all Web sites on that server. The security best practice is to run Configuration Manager 2007 on a dedicated Web server. If you must run other applications on the Web server, use a custom Web site for Configuration Manager 2007.

Site servers and branch distribution points require Remote Differential Compression (RDC) to generate package signatures and perform signature comparison. RDC is not installed by default on computers running Windows Server 2008.

Reporting points running Windows Server 2008 require ASP.NET with Windows Authentication to be enabled.

To install and configure WebDAV for BITS-enabled distribution points and management points

1. In Server Manager, on the Features node, start the Add Features Wizard.
* On the Select Features page, select BITS Server Extensions.
* When prompted, click Add Required Role Services to add the dependent components, including the Web Server (IIS) role.
* On the Select Features page, select Remote Differential Compression, and then click Next.
* On the Web Server (IIS) page, click Next.
* On the Select Role Services page, under IIS 6 Management Compatibility, select IIS 6 WMI Compatibility.
* Under Application Development, select ASP.NET and, when prompted, click Add Required Role Services to add the dependent components.
* Under Security, select Windows Authentication, and then click Next.
* On the Confirmation page, click Install, and then complete the rest of the wizard.
2. Download the x86 or x64 version of WebDAV at http://go.microsoft.com/fwlink/?LinkId=108052.
3. Run either webdav_x86_golive.msi or webdav_x64_golive.msi, depending on your processor.
4. Enable WebDAV and create an Authoring Rule, as follows:
* Open Internet Information Services (IIS) Manager.
* In the Connections pane, expand the Sites node in the tree, and then click SMSWEB if you are using a custom Web site or click Default Web Site if you are using the default Web site for the site system.
* In the Features View, double-click WebDAV Authoring Rules.
* When the WebDAV Authoring Rules page is displayed, in the Actions pane, click Enable WebDAV.
* After WebDAV has been enabled, in the Actions pane, click Add Authoring Rule.
* In the Add Authoring Rule dialog box, under Allow access to, click All content.
* Under Allow access to this content to, click All users.
* Under Permissions, click Read, and then click OK.
5. Change the property behavior as follows:
* In the WebDAV Authoring Rules page, in the Actions pane, click WebDAV Settings.
* In the WebDAV Settings page, under Property Behavior, set Allow anonymous property queries to True.
* Set Allow Custom Properties to False.
* Set Allow property queries with infinite depth to True.
* If this is a BITS-enabled distribution point, under WebDAV Behavior, set Allow access to hidden files to True.

Important

Allow access to hidden files is not required for management points and should not be configured.

* In the Action pane, click Apply.
1. Close Internet Information Services (IIS) Manager.
2. Verify that there are no error messages for the distribution point or management point role, as follows:
* In the Configuration Manager console, navigate to System Center Configuration Manager / System Status / Site Status / - / Site System Status.
* Check the status of the management point and distribution point roles.
* If you see any errors, right-click the role, click Show Messages, and then click All to see more detail.

To modify the requestFiltering section on BITS-enabled distribution points

1. On the BITS-enabled distribution points, open %windir%\System32\inetsrv\config\applicationHost.config.
2. Search for the section.
3. Determine the file extensions that you will have in the packages on that distribution point. For each file extension that you require, change allowed to true.
4. For example, if your package will contain a file with an .mdb extension, change the line to .

Important

Allow only the file extensions required for your packages.

1. Save and close applicationHost.config.

To add Remote Differential Compression to site servers and branch distribution points

1. In Server Manager, on the Features node, start the Add Features Wizard.
2. On the Select Features page, select Remote Differential Compression, and then click Next.
3. Complete the rest of the wizard.

To enable ASP.NET and Windows Authentication on the reporting point

1. In Server Manager, on the Roles node, start the Add Roles Wizard.
2. On the Select Server Roles page, select Web Server (IIS).
3. When prompted, click Add Required Role Services to add the dependent components.
4. On the Select Server Roles page, click Next.
5. Under Application Development, select ASP.NET and, when prompted, click Add Required Role Services to add the dependent components.
6. Under Security, select Windows Authentication, and then click Next.
7. On the Confirmation page, click Install, and then complete the rest of the wizard.

Deploy ConfigMgr packages based on Active Directory Group Membership

When your group contains computer / system objects, use the following query for the collection:
select SMS_R_SYSTEM.Name from SMS_R_System where SMS_R_System.SystemGroupName = "yourdomain\\Microsoft Office 2007"

When your group contains user objects, use the following query for the collection:
“select * from sms_r_user where sms_r_user.usergroupname = "yourdomain\\Microsoft Office 2007"

Query builder Values box cannot display large item list

When you create a query in Systems Management Server (SMS) 2.0, the Values box in the query builder may be empty. This may occur if the hotfix for Q245648 is installed, and there is either a very large value (approximately 9,500; the actual number varies based on available memory) or a value of 0 (a value of 0 requests that all records be returned) specified in:

HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\AdminUI\QueryBuilder\ValueLimit

The hotfix for Q245648 (both for Service Pack 1 and Service Pack 2) allows for more than 2,000 records to be listed in the query builder criteria section. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

245648 (http://support.microsoft.com/kb/245648/ ) Values list from Query Builder not always sorted and limited to first 2000 records


RESOLUTION:

Registry subkey information

In SMS 2.0 and in SMS 2003, the registry key is as follows:

HKEY_LOCAL_MACHINE\SMS\AdminUI\QueryBuilder\ValueLimit

In Microsoft System Center Configuration Manager (SCCM) 2007, the registry key is as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ConfigMgr\AdminUI\QueryProcessors\ValueLimit

SCCM Clients can't get IP from the DHCP server

When you deploy OS image in the network with SCCM Os deployment PXE Image , Clients may have problem to get IP from the DHCP server.
No message is reported and the SCCM background appear a while and the computer restart...

The cause:
Using advanced network protocols or multi-homed client may create delay to receive DHCP offer message. The delay creates a timeout error, and the client is stopped from waiting to IP offer.

Resolution:
1. Consider disable "STP" (Spanning Tree Protocol) support on the local switches.

2. Setup the local switch ports that doesn’t use for up-link with "PortFast" or "Fast-Start" feature enable. By enable this option, you may eliminate the need to disable "STP" (Spanning Tree Protocol) support on the local switches

3. Consider disable "PAgP" (Port Aggregation Protocol) support on the local switches.

4. Change the Auto network speed detection mechanism to manual. Configure static speed setting (For example 100 MB Full-Duplex) on the local ports switches.

5. If you are using multi-homed computer that connect to the local network, leave only one network adapter connect to the network.

6. If you are using PXE client, considerer to upgrade the PXE boot version to the latest one.

How to mount a WIM image with ImageX in Windows Vista

For every installation of Windows Vista, you need an image in the WIM format. One great feature of WIM images is that you can mount and inject them with device drivers or other files. In this post, I will be explaining how to mount an image in a WIM file with ImageX. ImageX is the tool for capturing and applying images. But it can also be used to modify an image. This article is based on Windows Vista Beta 2.

ImageX is part of the Windows Automated Installation Kit (WAIK) , which is a part of Business Desktop Deployment (BDD 2007). You can download it at Microsoft Connect . After installing BDD 2007, you have to install WAIK. You find the WAIK installation folder in the BDD Vista folder. There is the WAIK setup file for every CPU type. For a 32-bit Intel CPU you can start waikx86.msi, for example.

To be able to mount an image, you have to install the WIM filter first. Start the Windows Explorer with Administrator rights. To do so, you have to right click on its icon. Then, go to C:\Program Files\Windows AIK\tools. There, you can choose the correct folder for your CPU type. To install the WIM filter, right click on wimfltr.inf and then click on “install”. Now, you have to reboot.

You will find the ImageX tool in the same folder as wimfltr.inf. As it is command line tool, you have to open this folder on the Command Prompt. Don’t forget to start the Command Prompt with Administrator rights.

Before you can mount an image, you have to find out the image number within the WIM file since it can contain more than one image. The WIM file of my Windows Vista Beta 2 DVD contains seven images; for every Windows edition, one image. Enter “imagex /info img_file“, where “img_file” represents the location of the WIM file. You should see now the description of the WIM file as an XML file. The name of the tag for the image number is IMAGE INDEX.

One last step is necessary before we can finally mount the image. Create a new folder where the image shall be mounted. This is the image path. Now, you can mount the image:

imagex /mount img_file img_number img_path

With this command, you only have read access to the image. If you want to inject a device driver or a file, you also need write access. The command for this looks like this:

imagex /mountrw img_file img_number img_path