Monday, May 3, 2010

Getting Started with FIM 2010

The following resources are available for Getting Started with FIM 2010

OSD Task Sequence: “There are no task sequences available for this computer”

OSD Task Sequence fails with "There are no task sequences available for this computer" if multiple machines have the same SMBIOS GUID

 

Issue: 

When attempting to deploy an operating system using OSD in System Center Configuration Manager 2007, the Task Sequence may fail with the following error:

There are no task sequences available for this computer.

If you look in the SMSTS.log you may also see the following error:

No assigned task sequence.

Setting wizard error: There are no task sequences available for this computer.

The SMSTS.log may also show the SMBIOS GUID as follows:

Setting SMBIOS GUID = 4C4C4544-0000-2010-8020-80C04F202020.

or

Setting SMBIOS GUID = 03000200-0400-0500-0006-000700080009.

Note: Analyzing the Advertisement and the Collection confirms that the target computer is in the proper Collection that the Advertisement is pointing to. Deleting the computer from the SCCM database and re-adding it back to the SCCM and the Collection via the Import Computer Information wizard using the MAC address or SMBIOS GUID does not resolve the problem.

Cause:

The issue can be caused by there being more than one computer in the environment with the same SMBIOS GUID (aka System UUID). Similar to MAC Addresses, SMBIOS GUIDs should be unique on each computer and no two computers should have the same SMBIOS GUID. The SMBIOS GUID is stored in the computer's BIOS. Do not confuse the SMBIOS GUID with the SMS GUID. These are two separate, different, and distinct items.

The problem occurs because when the SCCM database is queried for available Task Sequences that are advertised to that PC, the lookup is done first by the computer's SMBIOS GUID. Each record in the SCCM database stores the computer's SMBIOS GUID under the field System UUID. If no record matches the SMBIOS GUID, the lookup then uses the MAC Address.

However, if multiple computers with the same SMBIOS GUID exist in the SCCM database, the lookup may find the record for a PC other than the one on which the Task Sequence is being initiated. It then queries policy for that other PC, and if that other PC does not have a Task Sequence advertised to it, the result is that there are no task sequences available for this computer.

Resolution: 

To see if this problem exists in your environment, create a query or collection in SCCM based on the suspected duplicate SMBIOS GUID. If more than one computer has the same SMBIOS GUID then the problem exists in the environment and needs to be fixed at a hardware level. You will need to contact the OEM vendor for a fix.

I have found the following to resolve the problem (if you are doing a Build and Capture):

  • Verify the Reference machine does not already exist in a computer collection (Agent was once installed, etc…)
    • If so remove it.
  • Create a collection using the SMBIOS GUID located in the SMSTS.log "Setting SMBIOS GUID".
    • System Resource
    • System UUID
    • <Guid Value>
  • Advertise your task sequence to "Unknown Computers" Collection.

Additional Information:  The SMBIOS GUID (aka System UUID) can be found in the SMSTS.log in the line:

"Setting SMBIOS GUID = "

It can also be found by inspecting the SMSPXE.log as the PC tries to PXE boot. In addition, it can also be obtained by hitting the Pause/Break key on the keyboard on the affected PC at the PXE boot screen. The SMBIOS GUID should be displayed somewhere on that screen.
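The duplicate check described under Resolution can also be run against collected SMSTS.log files. The following is an added example, not part of the original post: the computer names and log lines are constructed, and the GUIDs are the two shown above.

```powershell
# Added example: find SMBIOS GUIDs that appear in the SMSTS.log of more than
# one machine. Computer names and log lines below are constructed samples.

function Get-SmbiosGuidFromLog {
    param([string[]]$LogLines)
    # Keep the last "Setting SMBIOS GUID" entry; a log can cover several boots.
    $guid = $null
    $pattern = 'Setting SMBIOS GUID = ([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) { $guid = $Matches[1].ToUpper() }
    }
    $guid
}

function Find-DuplicateSmbiosGuid {
    param([hashtable]$LogsByComputer)
    $LogsByComputer.GetEnumerator() |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $_.Key
                SmbiosGuid = Get-SmbiosGuidFromLog $_.Value
            }
        } |
        Where-Object { $_.SmbiosGuid } |          # skip logs without the entry
        Group-Object SmbiosGuid |
        Where-Object { $_.Count -gt 1 } |         # same GUID on 2+ machines
        ForEach-Object {
            [pscustomobject]@{
                SmbiosGuid = $_.Name
                Computers  = ($_.Group.Computer | Sort-Object) -join ', '
            }
        }
}

# Constructed input: in practice, read each machine's SMSTS.log with Get-Content.
$logs = @{
    'REF-PC01' = @('<![LOG[Setting SMBIOS GUID = 4C4C4544-0000-2010-8020-80C04F202020]LOG]!>')
    'LAB-PC07' = @('<![LOG[Setting SMBIOS GUID = 4C4C4544-0000-2010-8020-80C04F202020]LOG]!>',
                   '<![LOG[No assigned task sequence.]LOG]!>')
    'LAB-PC09' = @('<![LOG[Setting SMBIOS GUID = 03000200-0400-0500-0006-000700080009]LOG]!>')
}

Find-DuplicateSmbiosGuid $logs | Format-Table -AutoSize
```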

SCCM OSD/PXE Issues in Native Mode

There have been many posts out there trying to address the issue behind Native Mode and PXE and/or Boot Media problems.  This posting publishes information I found in the following article and additions which I have made to clarify some certificate configurations.

Step 1

In the site properties, check that you have imported your Root CA certificates. If you have subordinate CA servers, import them as well, as I have seen issues arise when they are not imported. The picture below will give you the idea:

clip_image001

clip_image002

Step 2

Create your OSD PXE service point certificate and export it. Go to your certificate authority and duplicate the Computer certificate, name it Configmgr OSD certificate and make sure that the private key can be exported!
clip_image003

My Comments:  

MAKE SURE SUBJECT NAME TAB CONTAINS: SUPPLY IN REQUEST. When the request is made, give the certificate the following Attributes:

  • CommonName: <FQDN> (i.e. OSDpxeBootCert.<domain>.Com)
  • Alternate name: <Fqdn> OSDpxeBootCert.<domain>.com
  • Friendly name: Any descriptive name.

Note:  Because certificates are required throughout the native mode deployment, FQDNs are also required for the certificate Subject Name and Alternate Subject Names.

clip_image004

When you have created the certificate, export it to a DER format by going to MMC - Certificates - Personal - Request new certificate. Select the Configmgr OSD certificate and install it on your machine. When done, right-click on the certificate and select Export. Export the certificate with its private key and, when exported, delete the certificate you have requested.

Step 3

Import your certificate in the PXE role configuration pane.

Now go to the SCCM console, go to Site systems - PXE Role, and import the certificate you just exported. The picture below explains it:

clip_image005

You will get the following warning if you exported the certificate on the Site server itself. This is not a problem, and you should select "Yes" to continue.

clip_image006

Check the PXE Certificate in the SCCM console.  Verify that the Root CA is trusted.

Try opening the Certificates | PXE node in SCCM.  Find the certificate that is not "blocked" and right-click to Open it.  Check the status of the CA Certificate.  I found that it was "Not Trusted" in my environment. 

When I clicked the Install button and selected the Trusted Root CA Authorities, the certificate was then "valid" when I reopened the certificate.  My SMSPXE.log no longer reflected that the certificate was not set.

clip_image007
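The points called out in Steps 2 and 3 (FQDN subject, alternate name, private key, trusted root) can be checked from PowerShell as well as from the console. This is an added example, not part of the original post; it assumes the certificate is installed in the local machine Personal store, and the function name is hypothetical.

```powershell
# Added example: report subject, alternate name, private key and chain trust
# for each certificate in a store. Function name is hypothetical.

function Test-CertificateForPxe {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is switched off so the check runs offline; set it to
    # Online where the CRL distribution point is reachable.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($Certificate)

    # Common name from the subject, and the Subject Alternative Name extension.
    $cn  = $Certificate.GetNameInfo('SimpleName', $false)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($san) { $sanText = $san.Format($false) }

    # The last chain element is the root the chain ended on (or the furthest
    # certificate that could be found when the chain is incomplete).
    $top = @($chain.ChainElements)[-1].Certificate

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        CommonNameIsFqdn = $cn -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
        SubjectAltName   = $sanText
        HasPrivateKey    = $Certificate.HasPrivateKey
        ChainTrusted     = $chainTrusted
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainEndsAt      = $top.Subject
    }
}

# Assumption: the certificate sits in the local machine Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateForPxe -Certificate $_ } |
    Format-List
```

A ChainStatus of UntrustedRoot or PartialChain corresponds to the "Not Trusted" state described above and points at a missing root or subordinate CA certificate.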

Step 4

Check that the following things below are set correctly

Network Access Account Not Set

Go into the Client Policy in SCCM and set a Network Access Account.  It sometimes "disappears" even after everything has been working fine, and then the OSD Task Sequence cannot access the content on the Distribution Point!

Task Sequence Error 0x80004005

Issue: During an Operating System Build / Capture task, you receive the following error upon the Configure Windows task.
Task Sequence:  %TaskName% has failed with the error code (0x80004005).  For more information, please contact your system administrator or helpdesk operator.

Resolution: This might be the product activation code for Windows Vista/Win7. Try once without any activation code and if that works add the activation code to the file \source\pid.txt

Thursday, February 12, 2009

Exchange 2007 SP1 – Rollup 5 installation Issue (OWA)

There have been quite a few incidents reported out there regarding installation issues when applying Rollup 5 (and other versions) to Exchange 2007.  Granted, many incidents have been reported with the Rollup 5 install for Exchange 2007 RTM; however, there are incidents with Exchange 2007 SP1 as well.  Below I will provide a brief overview of an incident I have experienced and the action taken to remediate it.

Scenario:

   Server State Pre-Installation of Exchange 2007 SP1 Rollup 5: 

    • Exchange 2007 SP1 (w/ Rollup 3 applied). 
    • No interim hotfixes for Exchange 2007 applied.
    • Antivirus services stopped
    • Backend servers have applied the rollup successfully

Problem(s):

  • Installation of Rollup 5 takes LONG time (30-60 min) – Hangs on .NET assemblies portion of installation
  • Exchange related services are left in a “DISABLED” state following installation as well as Reboot.
  • Exchange related service will not start up.
  • For users accessing OWA, images are not displayed properly and the reading pane returns pageNotFound, etc.

Symptoms:

  • Visible Symptoms:
    • MSExchangeOWAAppPool does not exist for Rollup 5 version.  (MSExchangeOWAAppPool > OWA 8.1.336.0)
      Problem Server
      image

      Good Server
      image


  • OWA does not display correctly when accessed.  Images are replaced with a “X”.
  • *exe.config (C:\<drive>\Microsoft\Exchange Servers\Bin) files have not been “recreated/updated” (reflecting Rollup application date)

Solution:

The rollup installation issue was not consistent across the board with the Client Access Servers.  Some servers installed successfully and others did not.  So the root cause was not determined; however, the fix was the same across the board for problem servers.  

  1. If stopped > Start IISAdmin
  2. Modify the properties of the OWA 8.1.336 virtual Directory (Default Web Site > OWA > OWA 8.1.336) and assign Application Name and Application Pool (MSExchangeOWAAppPool)
  3. Start Exchange Related Services
  4. If services do not start, Verify *exe.config file contents for the following files.
  5. Start Exchange Related Services
  6. Verify OWA Authentication and set accordingly
  7. Verify OWA Connectivity

Start IISAdmin (if stopped/disabled)

1.  Open the Exchange Management Shell.

If Disabled Type:  Set-Service "IISAdmin" -StartupType Automatic
If Stopped Type: Start-Service "IISAdmin"



Note:  Verify W3SVC and HTTPSSL service as well.



Verify MSExchangeOWAAppPool virtual Directory for Rollup 5 (owa 8.1.336)


1.  Open IIS Manager > ServerName > Application Pools > MSExchangeOWAAppPool > owa/<RollupVersion>   (ex.  <default web site>/owa/8.1.336)



2. If version does not exist that matches the rollup version (Rollup 5 for Exchange 2007 SP1 = 8.1.336), navigate down to the Web Sites > Default Web Site > OWA > <rollup version>



3.  Right click the virtual directory that matches the rollup version, select Properties > Application Name click “Create”.  Enter “owa” text.  and then for Application Pool select MSExchangeOWAAppPool.



4.  Select OK and verify that the MSExchangeOWAAppPool > owa/<rollupVersion> exists.  (Procedure in Step 1.)



5. From command prompt, run:    IISRESET /NoForce



If Exchange Services do not startup normally or hang.   Verify the Exchange   *.exe.config File Content of the following files:


Reference Article: http://msexchangeteam.com/archive/2008/07/08/449159.aspx



**Advise following the reference article for procedure.  However the gist of it is listed below.



1.  Check to see if the configuration files within the <Drive>\Microsoft\Exchange Server\bin directory contain the following key entry.  If not, back up the existing files and either create or modify the existing files.  The list of files is below as well.



<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>



*.exe.config files:  (exe.config versions of these files; so EdgeTransport.exe will have an EdgeTransport.exe.config file)

Bin\EdgeTransport.exe
Bin\ExBPA.exe
Bin\ExBPACmd.exe
Bin\ExTRA.exe
Bin\Microsoft.Exchange.Cluster.ReplayService.exe
Bin\Microsoft.Exchange.EdgeSyncSvc.exe
Bin\Microsoft.Exchange.Monitoring.exe
Bin\Microsoft.Exchange.Search.ExSearch.exe
Bin\Microsoft.Exchange.ServiceHost.exe
Bin\MSExchangeMailboxAssistants.exe
Bin\MSExchangeMailSubmission.exe
Bin\MSExchangeTransportLogSearch.exe
ClientAccess\PopImap\Microsoft.Exchange.Imap4.Exe
ClientAccess\PopImap\Microsoft.Exchange.Pop3.Exe



2.  After the configuration files have been modified.  Try to startup the Exchange services.
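The check in step 1 can be scripted so that every listed file is inspected the same way. This is an added example, not part of the original post or the reference article: the function name is hypothetical, and a temporary folder with constructed files stands in for the Exchange Server directory.

```powershell
# Added example: report whether each *.exe.config carries
# <generatePublisherEvidence enabled="false"/> under configuration/runtime.
# Function name and demo folder are hypothetical.

function Test-PublisherEvidenceDisabled {
    param([string]$ConfigPath)
    if (-not (Test-Path -LiteralPath $ConfigPath)) { return 'MissingFile' }
    try {
        [xml]$doc = Get-Content -LiteralPath $ConfigPath -Raw
        $node = $doc.SelectSingleNode('/configuration/runtime/generatePublisherEvidence')
    }
    catch { return 'InvalidXml' }
    if ($null -eq $node) { return 'MissingKey' }
    if ($node.GetAttribute('enabled') -eq 'false') { 'OK' } else { 'Enabled' }
}

# Constructed demo input: replace $root with the real Exchange Server folder.
$root = Join-Path ([IO.Path]::GetTempPath()) 'exconfig-demo'
New-Item -ItemType Directory -Path (Join-Path $root 'Bin') -Force | Out-Null

$withKey    = '<configuration><runtime><generatePublisherEvidence enabled="false"/></runtime></configuration>'
$withoutKey = '<configuration><runtime /></configuration>'
Set-Content -Path (Join-Path $root 'Bin\EdgeTransport.exe.config') -Value $withKey
Set-Content -Path (Join-Path $root 'Bin\ExBPA.exe.config')         -Value $withoutKey

# Subset of the file list above; ExTRA.exe.config is deliberately absent.
$files = 'Bin\EdgeTransport.exe', 'Bin\ExBPA.exe', 'Bin\ExTRA.exe'

foreach ($f in $files) {
    [pscustomobject]@{
        File  = "$f.config"
        State = Test-PublisherEvidenceDisabled (Join-Path $root "$f.config")
    }
}
```

Files reported as MissingKey, MissingFile or Enabled are the ones to back up and edit before starting the Exchange services.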



Verify OWA Authentication:


1.  First check to see if the authentication method is set correctly for the OWA virtual directory.



Get-OwaVirtualDirectory -Identity "msgexsv23004\owa (default web site)" | fl *authenti*



InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : False
FormsAuthentication : False




2.  If authentication is not set correctly then set it according to your standards.  Below is an example of enabling Windows Integrated and Basic Authentication.



Set OWA Virtual Directory authentication (Integrated and Basic):



Set-OwaVirtualDirectory -Identity "msgexsv23004\owa (default web site)" -WindowsAuthentication $true -BasicAuthentication $true



3. Next you will want to reset IIS.  Open a command prompt and run the following command.


 IISRESET /NOFORCE




4. Finally, verify the authentication settings, then open a browser and test OWA access/connectivity (internal and external URLs).   The command below is the same verification command issued in step 1.




Get-OwaVirtualDirectory -Identity "msgexsv23004\owa (default web site)" | fl *authenti*
