Top Level Limiting Collections for Configuration Manager 2012

Having been through quite a few CM07 to CM12 migrations over the past few years, one of the things that I have seen heavily used in previous versions is nested collections, which had similar functionality in SCCM to nested groups in Active Directory. However, this option has been removed in CM12, leaving administrators to re-think their collection hierarchy practices. Proper folder management is a large part of that, especially in larger organizations, but top level collections are still just as important, if not more so, in the new version of Configuration Manager. The main reason for this is that we use these top level collections to limit the memberships of the operational collections that we (and our support staff) use on a daily basis. We group machines together by broad criteria to limit deployments and reports, as well as to implement security access for those that use Configuration Manager. When creating collections in Configuration Manager 2012, and when viewing the Membership Rules tab afterwards, there is an option called "Use incremental updates for this collection". I strongly caution on the use of this button, as enabling it on more than a hundred collections can create drastic performance issues in your environment. As a general rule, I will use incremental updates for my top level collections only. Here are a few of the top level collections that I like to implement for...


Dynamic Server Collections for Managed Endpoint Protection in Configuration Manager 2012

One of the reasons why I really like System Center Endpoint Protection is its ease of management. This goes double when we're using it to manage servers, as we get to leverage all the data that Configuration Manager has in its database to target policies. By targeting Antimalware Policies to collections that are based upon dynamic variables, we create an easy to manage environment that automates the provisioning of exclusion and scan policies for new and existing servers. In this post I'm not going to get into the process of creating the exclusion policies. Microsoft has included templates for most of their products, which is what we'll focus on today. What I will show, however, is the collections that we're going to create and the order in which the policies will be applied. To keep things clean and manageable, I like to keep my Endpoint Protection and Firewall collections together, so in the Assets and Compliance workspace we'll create a folder called Managed Servers under the Device Collections node.

The first collection we'll create is for DCs, called Managed Servers – Domain Controller. Configure a Query Rule with the following statement:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.DomainRole >= 4

Next is Managed Servers – DNS with a Query Rule to check for the service:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE...


Patching Images in Configuration Manager 2012 to Reduce Deployment Time

In my previous post, we went through the process of using Automatic Deployment Rules to create a fully automated patching process, complete with a pilot period, ideal for SMB customers. We're now going to take those same patches and apply them to our Gold Image. This will reduce deployment times and the frequency of Gold Image rebuilds, while maintaining a high initial patch level for newly deployed operating systems. Note that in order for the following process to work, you have to have Software Updates configured in your environment, and have used it to patch workstations with the same OS as the image we wish to service. It will also only work with Microsoft updates, and even those have to be Component Based Servicing updates, so not everything is able to be added with this method. To patch our Gold Image, we need to expand the Operating Systems node in the Software Library, click on Operating System Images, then select our Gold Image. From the Ribbon, we're going to click on the Schedule Updates button. I haven't patched my Windows 8.1 image yet, so there's quite a few in the screenshot. Next, Next, Finish through the rest of the pages, and the servicing process begins. We'll monitor the process from the OfflineServicingMgr.log file. As we can see, it's ultimately just using DISM to mount the WIM and inject...


MVPDays Session – Advanced Windows Deployments

This was a session that I did in Vancouver in September 2014 at MVPDays.

Session – Advanced Windows Deployments
Presenters – Dave Kawula MVP / Emile Cabot

You asked for a real world scenario for Advanced Windows Deployments and that is what we have created. This session is based on Dave/Emile's new book called Advanced Windows Deployments (on the shelf in early October). You will learn how to trim down SCCM infrastructure to a single server and deploy Windows to branch locations without shipping a single USB stick or piece of hardware. Central Management is a key focus of...


MVPDays Session – Best Practices for Virtualizing and Managing SharePoint with System Center and Hyper-V

This was a session that I did in Vancouver in September 2014 at MVPDays.

Session – Best Practices for Virtualizing and Managing SharePoint with System Center 2012 R2 and Hyper-V
Presenters – Dave Kawula MVP / Marcos Nogueira MVP

SharePoint 2013 is now a company standard, but what is supported, sensible, or even practicable? How do we go about monitoring and managing SharePoint? In this session, we discuss the virtualization path and best practices using Hyper-V for high availability and why virtualization makes sense. With the foundations in place we take a deep dive on how we can monitor...


MVPDays Session – Designing Hyper-V the Right Way – Building a Cluster in < 20 Minutes

This was a session that I did in Vancouver in September of 2014 at MVPDays.

Session – Designing Hyper-V the Right Way – Building a Hyper-V Cluster in Less than 20 Minutes
Presenters – Dave Kawula – MVP / Marcos Nogueira – MVP

Have you struggled to find the right architecture for your Hyper-V infrastructure? What is the best storage, networking and backup strategy? There are plenty of ways to design Hyper-V incorrectly, but finding the right way isn't so easy. Get expert insight with Hyper-V MVP Dave Kawula in this session to learn:
· Hyper-V cluster design tips...


Windows 2003 End of Life (EOL) – Here comes trouble – Our First Windows 2012 R2 Domain Controller (Watch your Hotfixes)

Well, we finally got the green light at one of my customers to upgrade them to Windows 2012 R2 Active Directory. We went through all of our due diligence and planned out the project accordingly. We took a phased approach in which we would take the following high level steps to complete our migration:

Create a new Conceptual Design for Active Directory 2012 R2 – Done!
Create a new Detailed Design for Active Directory 2012 R2 – Done!
Create a test plan to ensure we could validate everything before moving to production – Not Done! Customer didn't have a...


Routing Mod for Johan’s Hydration Kit

I wanted to show a really cool routing modification that I have built for Johan's Hydration Kit. His kit can be downloaded from and is widely used by ConfigMgr professionals all over the world. One of the challenges I face with these labs is that they don't really emulate production networks (MPLS, Internet, etc.). So I have written a very cool little script that takes one of the machines that is built during hydration and turns it into a Router / Firewall using RRAS on Windows 2012 R2. This is version # 1 of my script and I will...


OSDWeek with Johan Arwidmark and Dave Kawula

There are two main technical factors with implementing a new Operating System across your enterprise: Ensuring you have an infrastructure that can support the migration process, and acquiring the expertise to upgrade your end user workstations with minimal effort. Of course, this transitions into the ever-present “build or buy” question. Regardless of the path an organization chooses to take when initiating an SOE upgrade, it is critical that internal resources be fully trained on the solution. In the past, it was simple enough to send the team on a Microsoft course or bring a trainer in to go through the product. Today however, organizations are reaping the benefits of third party solutions for core products, and have heavily customized environments. Learning the “textbook” method of a product like Configuration Manager does little more than form a baseline from which to start. By incorporating some quality tools, you see a reduction in server, operating, and support costs, while providing a familiar self-service portal to your end users…not just for software requests, but to schedule their OS upgrade as well. Unfortunately, the only third party training typically offered to a team is during product implementation. When the time comes to plan the next SOE upgrade, technology has changed and possibly staff as well. During OSDWeek, Johan teaches you how to optimize your infrastructure to support the migration to Windows 7/8.1. He...


Deploying Windows 8.1 to SMBs using Nomad Branch Step by Step

In the first post in this series, we created an OSD Task Sequence that is ideal for the SMB market. We touched on some of the automation options available with MDT, and were ultimately able to deploy operating systems to machines at the main office. Our next step is to make this Task Sequence deployable to branch workstations so they don’t need a nearby Distribution Point, PXE Service Point, or State Migration Point. To do that, we’ll update a copy of the Task Sequence with some integrations that come with 1E Nomad. But first, let’s right click on our Task Sequence from the first post and choose Copy. We’ll append -Nomad to the task sequence name, so it looks like this: Once we have our copy, we’ll go in and edit the new sequence. However, before we start adding the Nomad injections, we need to fix a problem that Nomad will have with Bare Metal Deployments. When a brand new computer begins Task Sequence Execution, it will first partition and format the drive. The Task Sequence will perform some actions, and then ultimately format the drive again. This is a problem, as we’ve already started caching packages and created references to files that will be force-removed. Therefore, we need to get all the format stuff taken care of at the beginning. To do that, we’ll simply move the Format...


Deploying Windows 8.1 to SMBs using Configuration Manager 2012 R2

This is the first post of a series that will walk you through the process to create a Task Sequence in Configuration Manager 2012 R2 that can be deployed for all scenarios (Bare Metal, Refresh, Replace). It uses MDT 2013 to augment the sequence and provide some location-based automation rules. To provide full OSD functionality to branch locations without the need for servers, in the next post we will go through the process to create a second Task Sequence specifically for Nomad-enabled sites. The third post goes over how to configure Automatic Deployment Rules to maximize workstation patching with minimal effort. Though not specifically related to OSD, a solid patching design will eliminate the need to perform Software Updates during a Task Sequence, further reducing execution time. There are a few prerequisites and assumptions that must be in place before we get started with our Task Sequence creation and tuning. The Configuration Manager environment must be healthy, and MDT 2013 installed and integrated with CM12. We also need to have an image to deploy with our new Task Sequence, along with Drivers and Packages. For most small organizations, it's pretty common to see the gold image include all the free apps the company uses, like PowerPoint Viewer, and software that has been purchased for the entire company, such as Microsoft Office. Usually the image is created using MDT, as...


Upgrading to Windows 2012 Hyper-V – DR Site to Server 2012 and configuring Veeam Backup and Replication 7x for DR Replicas

For today's mission I was tasked with building a DR Site for Hyper-V using Veeam Backup and Replication 7.x. I wanted to walk you through the steps that I took in order to accomplish this task.

The current configuration consists of the following:

First of all, let's talk a little bit about the hardware for the new DR Site. I was given a couple of re-purposed servers:

HP DL 380P Gen 8 Server
128 GB RAM
2 x Processors
2 x 4-port NICs, one Broadcom and one Intel
    1 x 4 Port – HP Ethernet 1 Gb 4-port 331FLR
    1 x 4 Port – HP NC365T PCIe Quad Port Gigabit Server Adapter
Currently running Windows 2008 R2

Well, first of all I had already upgraded this farm to Server 2012 with Hyper-V, so step one will be to simply:

Upgrade the Operating System to Server 2012
Install the latest Support Packs from HP
Install all of the Hyper-V Hotfixes and Patches
Run all of the Windows Updates

The design that I envision will look like below:

It will include 2 x standalone Hyper-V Servers that will run in this company's DR Location.

For the provisioning I used the HP Intelligent Provisioning Software that was embedded in the server.

A couple of notes for this configuration are:

QUICK Configs: Changed from Balanced...


Upgrading from Windows 2008 R2 Hyper-V to 2012 R2 – NIC Configuration

In this post I will show you how to move a Hyper-V Virtual Machine from one Hyper-V Server to another without the use of Live Migrations. I find this technique very useful when I am swapping out hardware and just need a simple process to follow to get the guest instances stood up on the new farm. This can of course be fully automated, but the purpose of this exercise will be to show how to do it manually. Here are the steps I generally follow:

Build the new Windows 2012 or R2 Hyper-V Server
Download and patch with all updates from Microsoft (the purpose of this post is not to show all the updates)
Download and install the latest Firmware and Drivers for the Hypervisor
Run this NIC Configuration Script. I run this on all of my Hyper-V implementations in production.

Here is the source for the script:

<#
Script name: Hyper-V_ProductionScript_V1.0.ps1
Created:     2014-04-03
Version:     1.0
Author:      Dave Kawula
Homepage:    Coming soon … / / Homepage:
Disclaimer:  This script is provided "AS IS" with no warranties, confers no rights and is not supported by the authors or DeploymentArtist.
Author – Dave Kawula
Twitter: @DaveKawula
Blog : (Coming Soon) /
This script will perform a base configuration of the Network Adapters on a new Hyper-V Host Server. This script has been used in production and...


Upgrading to Windows 2012 Hyper-V – IO Accelerator IOPS Testing

In this post I will show a server that we have taken from Server 2008 R2 and upgraded to Server 2012. This particular server had been in production for the past 2 years and ran all production workloads for this company. Now it is being refurbished and will be used for DEV / Staging, as bigger and better servers have replaced it since. It still has some decent hardware in it, including a pair of:

HP 160GB Single Level Cell PCIe ioDrive for ProLiant Servers

These IO Accelerators from HP offer amazing performance and we will do some testing after the build with SQLIO to see just how well they perform. With Windows 2012 Deduplication these things go a lot farther than they used to. The hardware is the early model HP DL380 G8s with 256GB of RAM. This customer wasn't ready for Server 2012 R2 just yet, so we went with 2012.

So here is the order we did the upgrade:

Download the latest and greatest firmware from:
Run the IO Accelerator Console Installer first… We update the firmware from this console after.

We performed the steps in the following order:

Run the HP_IO_Accelerator_3.2.6.1212_x64_WinServer 2008R2_2012_Win7_8.exe
Click Run
Accept the EULA
It is a small installer for the HP IO Accelerator
Complete the Setup
Logon via the App that is loaded for the IO Accelerator...


Deploying Active Directory Replica DC to Azure

A lot of us have been setting up Hybrid Cloud (Azure) environments, and one of the first things that needs to be done is to set up a Replica Domain Controller. This post will show the steps that I followed to get this done.

Before we get started it is important to note that the following steps have already been completed:

Created a Virtual Network (
Connected the Virtual Network to a S2S (Site to Site) VPN to my On-Premise Network (
Created a Local Network which defined the On-Premise Network and my External IP from that location
Configured an on premise Windows 2012 R2 RRAS Server to act as the other end of the VPN On-Premise
Ran the downloaded 2012 RRAS Configuration Script from the Virtual Network / Gateway Dashboard Page
Validated routing from my On-Premise Network to my Azure Virtual Network
Azure PowerShell Module downloaded and installed

Where we will get started today is the build out of the new Azure Replica Domain Controller.

Step # 1 – We need a new Azure VM for this (we will use the smallest one to save costs). From the Azure Management Portal, Add a Custom Virtual Machine and select Windows 2012 R2 DataCenter. On the Virtual Machine Configuration page, configure with the following options:

Virtual Machine Name: TC-AZ-DC01
TIER: BASIC
SIZE: A0 (shared core, 768 MB Memory)
NEW USER Name: Administrator_<XXX>...
