Category: OpsMgr

run as account cannot log on locally

Sailors,

I’ve set up a new SCOM environment at a customer’s site. Once the installation and the base configuration were finished, I let the server run and collect alerts for several days. On the next workshop day we had a lot of warnings like this one, and the customer asked me why:

Run As Account cannot log on locally

I have to admit, I was a little bit confused in the beginning too, because I try to configure my environments in a least-privilege way. But then I recognized that the customer’s admin had started to configure Run As Accounts his own way, and it became clearer…

If you create a Run As Account of type “Windows” and set the distribution of this account to “less secure”, the account gets distributed to every system, and SCOM tries to authenticate with every “less secure” Run As Account on every system.

You shouldn’t use “less secure” distribution at all. Work with “more secure” accounts and specify the servers to which you want them to be distributed.
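As an added example (not from the post), here is a PowerShell snippet for a management server that lists the Run As accounts whose distribution is “less secure” and switches one of them to “more secure” distribution with an explicit agent list. The account name and the host names are placeholders.

```powershell
# Added example (not from the post): audit Run As account distribution and move
# one account to "more secure" distribution. Run on a management server.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'localhost'

# 1. Audit. Get-SCOMRunAsDistribution returns the policy (Security: LessSecure / MoreSecure)
#    and, for "more secure" accounts, the agents/servers that receive the credential.
$report = foreach ($account in Get-SCOMRunAsAccount) {
    $dist = Get-SCOMRunAsDistribution -RunAsAccount $account
    if ($dist.Security -eq 'LessSecure') { $deliveredTo = 'every agent and management server' }
    else { $deliveredTo = ($dist.SecureDistribution | ForEach-Object { $_.DisplayName }) -join ', ' }
    [pscustomobject]@{
        Name         = $account.Name
        Description  = $account.Description
        Distribution = $dist.Security
        DeliveredTo  = $deliveredTo
    }
}
# Every account listed here is tried on every system and produces the
# "Run As Account cannot log on locally" alerts on systems that never needed it.
$report | Where-Object { $_.Distribution -eq 'LessSecure' } | Format-Table -AutoSize

# 2. Fix one account: only the agents that actually run the workflow get the credential.
#    The account and host names are placeholders.
$account = Get-SCOMRunAsAccount -Name 'Contoso SQL Monitoring'
$agents  = Get-SCOMAgent -DNSHostName 'sql01.contoso.local', 'sql02.contoso.local'
Set-SCOMRunAsDistribution -RunAsAccount $account -MoreSecure -SecureDistribution $agents

# 3. Verify the new policy
Get-SCOMRunAsDistribution -RunAsAccount $account | Select-Object Security, SecureDistribution
```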

 

Aaaaaaaaarrrrr

*Captain

Mutual Authentication for SCOM Part 3: Prepare Gateway /DMZ server for Mutual Authentication

Yo-ho-ho,

this is part 3 of a series about Mutual Authentication for SCOM.

Mutual Authentication for SCOM Part 1: Root CA

Mutual Authentication for SCOM Part 2: Certificate Request

Mutual Authentication for SCOM Part 3: Prepare Gateway /DMZ server for Mutual Authentication

In my previous posts I wrote about how to set up the root CA for mutual authentication and how to request the certificate using templates.

In this short post I’ll explain what you need to do to set up the gateway / DMZ server.

Export the certificate on the SCOM server.

Check “Yes, export the private key”

Make sure that “Include all certificates in the certification path if possible” is checked.

Type in a password and click on “Next”.

Give it a name and export it.

Copy the certificate .pfx file and “MOMCertImport.exe” to the gateway/DMZ/unjoined server. Start mmc, load the Certificates snap-in for the local computer and import the certificate.

Import the certificate to your Personal Certificate Store.


Finally, import the certificate via MOMCertImport.exe as we did before (in part 2).

If you are setting up the connection for a domain-unjoined server or a DMZ server, this is the point where you are done.

If you want to set up a gateway server you need to copy “Microsoft.EnterpriseManagement.GatewayApprovalTool.exe” from the SCOM server (“C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server”) to the future gateway server and run the installation, which is pretty straightforward.

Technet: How to Deploy a Gateway Server

*Captain

Mutual Authentication for SCOM Part 2: Certificate Request

Yo-ho-ho,

this is part 2 of a series about Mutual Authentication for SCOM.

Mutual Authentication for SCOM Part 1: Root CA

Mutual Authentication for SCOM Part 2: Certificate Request

Mutual Authentication for SCOM Part 3: Prepare Gateway /DMZ server for Mutual Authentication

In my previous post I wrote about what to set up on the root CA. This post is about the certificate request on the Operations Manager management server.

Start mmc and add the Certificates snap-in for the computer account.

Choose “Request New Certificate”. Select your recently created certificate template and click on “More information is required to enroll for this certificate. Click here to configure”.

You should fill out “Common name” and “DNS”; I recommend adding more information like Locality or Country.

I also recommend filling in the FQDN as the “Friendly name” in “General”.

In “Extensions” / “Key Usage” make sure that the “Selected options” are “Digital signature” and “Key encipherment”, and that in “Extended Key Usage (application policies)” “Server Authentication” and “Client Authentication” are checked.

Everything else in Extensions can be left as is.

In “Private Key” / “Cryptographic Service Provider” check that “Microsoft RSA SChannel Cryptographic Provider (Encryption)” and “Microsoft Enhanced Cryptographic Provider v1.0 (Encryption)” are enabled.

Also make sure that “Key size” is “2048” and “Make private key exportable” is checked.

Make sure that your CA is listed.

Leave “Signature” as is and “Enroll” the certificate…

To make sure the request went fine, double-click on the certificate and have a look at the certification path. If everything is okay it will look like this, or close to it…

As a final step you need to import the certificate with “MOMCertImport.exe” to make it available to Operations Manager.

You can find “MOMCertImport.exe” on the ISO file at “\SupportTools\AMD64”.

Select the certificate and click “OK”.
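As an added example (not part of the series), the PowerShell check below reads the certificate back from the local computer’s Personal store, on the management server after the enrollment in this part, or on the gateway/DMZ server after the import in Part 3, and verifies the properties the request was built with. It assumes the certificate was requested for the machine’s own FQDN and that it runs on Windows PowerShell 5.

```powershell
# Added example (not from the series): verify a SCOM mutual-authentication
# certificate in the local computer's Personal store. Checks the request settings
# (CN = FQDN, Key Usage, EKUs, 2048-bit exportable key from a CAPI provider with
# KeySpec 1 = AT_KEYEXCHANGE) and that the chain builds to the root CA.
using namespace System.Security.Cryptography.X509Certificates

# Assumption: the certificate was requested for this machine's FQDN.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-ScomCertificate {
    param([X509Certificate2]$Cert, [string]$ExpectedFqdn)

    $ku  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

    # CAPI container details (exportable, KeySpec, provider); stays $null for CNG-stored keys
    $csp = $null
    if ($Cert.HasPrivateKey) {
        try   { $csp = ([System.Security.Cryptography.RSACryptoServiceProvider]$Cert.PrivateKey).CspKeyContainerInfo }
        catch { $csp = $null }
    }
    $exportable = $null; $keySpecOk = $null; $provider = $null
    if ($csp) {
        $exportable = $csp.Exportable
        $keySpecOk  = $csp.KeyNumber -eq 'Exchange'   # KeySpec 1, as in the SCOM certificate request docs
        $provider   = $csp.ProviderName
    }

    # On the gateway/DMZ server this only succeeds if the root CA certificate was
    # carried along with the .pfx ("Include all certificates in the certification path")
    $chain   = [X509Chain]::new()
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Thumbprint       = $Cert.Thumbprint
        Subject          = $Cert.Subject
        SubjectIsFqdn    = $Cert.Subject -match "CN=$([regex]::Escape($ExpectedFqdn))(,|$)"
        NotAfter         = $Cert.NotAfter
        DigitalSignature = [bool]($ku.KeyUsages -band [X509KeyUsageFlags]::DigitalSignature)
        KeyEncipherment  = [bool]($ku.KeyUsages -band [X509KeyUsageFlags]::KeyEncipherment)
        ServerAuth       = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
        ClientAuth       = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
        KeySize          = $Cert.PublicKey.Key.KeySize
        HasPrivateKey    = $Cert.HasPrivateKey
        Exportable       = $exportable
        KeySpecExchange  = $keySpecOk
        Provider         = $provider
        ChainBuilds      = $chainOk
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Run it over every certificate in LocalMachine\My issued to this host
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($Fqdn) } |
    ForEach-Object { Test-ScomCertificate -Cert $_ -ExpectedFqdn $Fqdn } |
    Format-List
```

Every line of the output should read True (or 2048 for the key size) before you hand the certificate to MOMCertImport.exe; a ChainBuilds of False on the gateway means the root CA certificate did not make it into the Trusted Root store.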

 

Now you need to request exactly the same certificate, with the difference that you request it for the gateway or DMZ server. So all you’ve got to do is to switch the hostname within the re

In the next part I’ll tell you how to make your gateway or DMZ server ready for mutual authentication.

 

*Captain

Mutual Authentication for SCOM Part 1: Root CA

Yo-ho-ho,

This is a 3-part series about Mutual Authentication for SCOM.

Mutual Authentication for SCOM Part 1: Root CA

Mutual Authentication for SCOM Part 2: Certificate Request

Mutual Authentication for SCOM Part 3: Prepare Gateway /DMZ server for Mutual Authentication

 

To be honest, this is a big one for me. It took me days to figure out what I needed to fill in for every field and what is required.

So what do you need?

Let’s start with duplicating the required certificate template. Go to your root CA and open a new mmc. Click on “File” and “Add/Remove Snap-in…”, select “Certificate Templates” and add it to the selected snap-ins.

Search for “IPSec (Offline request)”, right-click and duplicate it.

Leave “Compatibility” as is.

 

In “General” give it a name. I have had good experience with something like: Company Name – Use of the Certificate – Validity period – Version number.

Check “Allow private key to be exported” in “Request Handling” and leave the rest as is.

Set the minimum key size to “2048” and enable “Microsoft RSA SChannel Cryptographic Provider” and “Microsoft Enhanced Cryptographic Provider v1.0”.

There is nothing to change in “Key Attestation” and “Superseded Templates”.

In “Extensions” edit “Application Policies”: remove “IP security IKE intermediate” and add “Client Authentication” and “Server Authentication”.

The next tab is Security. You’ve got to give “Authenticated Users” the right to “Enroll”, and we need to add “Domain Computers” with Allow on “Read”, “Write” and “Enroll”.

“Subject Name”, “Server” and “Issuance Requirements” can be left in their default state.

Okay. So the template is done. The next step is to add the “Certification Authority” snap-in. Go down to “Certificate Templates”, right-click on it and click on “New” > “Certificate Template to Issue”.

The certificate template will appear, which means that it is now available for requests. So you’re done at the CA. The next step is to request the certificate on your SCOM server; you will find the guide in Part 2.
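As an added example (not from the post), this PowerShell snippet reads the duplicated template back from Active Directory and reports whether the settings above ended up as intended. $TemplateName is a placeholder for the template’s “Template name” (the one without spaces, not the display name); the attribute names and the Enroll right GUID are the standard AD CS ones.

```powershell
# Added example (not from the post): read the template's AD object and check the
# settings configured above (EKUs, key size, exportable key, CSPs, permissions).
Import-Module ActiveDirectory

# Placeholder: the "Template name" (no spaces), not the display name
$TemplateName = 'Contoso-SCOM-MutualAuth-v1'

$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props = @('displayName', 'pKIExtendedKeyUsage', 'msPKI-Minimal-Key-Size',
           'msPKI-Private-Key-Flag', 'pKIDefaultCSPs')
$tpl = Get-ADObject -Identity $dn -Properties $props

$ekus = @($tpl.pKIExtendedKeyUsage)
$CT_FLAG_EXPORTABLE_KEY = 0x10                                        # msPKI-Private-Key-Flag bit (MS-CRTD)
$CERT_ENROLL_RIGHT = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'    # the "Enroll" extended right
$acl = Get-Acl -Path "AD:\$dn"

function Get-TemplateRights([string]$Principal) {
    # Allow entries for one principal: "Enroll" for the extended right, otherwise the
    # generic rights (Read shows as GenericRead/ReadProperty, Write as WriteProperty, ...)
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$Principal" } |
        ForEach-Object {
            if ($_.ObjectType -eq $CERT_ENROLL_RIGHT) { 'Enroll' } else { $_.ActiveDirectoryRights.ToString() }
        }
}

[pscustomobject]@{
    Template             = $tpl.displayName
    ServerAuthentication = $ekus -contains '1.3.6.1.5.5.7.3.1'
    ClientAuthentication = $ekus -contains '1.3.6.1.5.5.7.3.2'
    IkeIntermediateGone  = $ekus -notcontains '1.3.6.1.5.5.8.2.2'    # "IP security IKE intermediate"
    MinimumKeySize       = $tpl.'msPKI-Minimal-Key-Size'
    PrivateKeyExportable = ($tpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    Providers            = @($tpl.pKIDefaultCSPs) -join '; '
    AuthenticatedUsers   = (Get-TemplateRights 'Authenticated Users') -join ', '
    DomainComputers      = (Get-TemplateRights 'Domain Computers') -join ', '
}
```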

*Captain

Best Practice for monitoring a Windows Service

Pirate,

this is Part 3 of a SCOM series focusing on monitors and rules. In my last post about Monitoring a Windows Service with SCOM 2012 R2 I talked about how to set up a monitor for a specific service and how you can do something like a first-level recovery. The way I showed you is fine if you want to monitor a specific service on a bunch of servers of the same class. Maybe you remember that I set the monitor target to “Windows Server”.

Selecting “Windows Server” as the target for new monitors distributes the monitor to every Windows Server instance in the whole management group, i.e. the whole environment. That is, if you choose “Windows Server” here and check the “Monitor is enabled” box, the service will be monitored on every server, even on servers where the service doesn’t exist. Please keep your hands off!

Got that so far?

Another way you could set up the monitor is to select “Windows Server” and leave the “Monitor is enabled” checkbox unchecked, right? Afterwards you could set an override for a specific object of the class or for a group.

Aye… that’s a way to do it, but if you are using the SCOM Health Explorer you will see a loooot of white circles, because the monitor definition is still distributed to every Windows Server, whether you want to monitor that service on that server or not, as I said. So that’s not a good way to set up your environment either.

So what to do?

The answer in most of these cases is: create your own class!

In Operations Manager there are multiple methods that you can use to create a new class that can be used as a target for monitors and rules. I’ll show you what you’ve got to do.

1. Create a new group and add the servers you are about to monitor. Good news here: “Certain monitoring wizards will require a group to be specified. This specifies the group of computers that will be searched to determine if they have the component that the wizard is monitoring. For example, if you run the Windows Service monitoring wizard, you specify the name of a service to monitor. The wizard will search all computers in the target group that have the service installed. Only those computers with the service will be monitored.”

Just another remark on this point: pleeeeeease separate your customizations, rules, monitors, tasks etc. by management pack. Don’t ever, ever, ever, ever put everything together in one or two management packs. That’s just a mess, and you will run into problems when upgrading management packs way sooner than you expect today.

 

Once you’ve created a new group and added the explicit members, go to “Management Pack Templates” and click on “Add Monitoring Wizard”.

Select “Windows Service”.

Give it a name and select the Management pack.

Choose the service by clicking on “…” and searching for the server. Target the group which we created in the first step.

Changes here are not necessary for my case, so I leave everything as is.

And “Create”.

So what we’ve created is a new class with a Service Running State monitor that monitors the service only on the machines in the group.

Actually this should cover our need so far, but to show you the point I’ll create another unit monitor:

So here comes the big point: instead of “Windows Server” we are able to select the “IT-Pirate Citrix Print Manager Service” class, which only affects systems within our group. This is actually my “Best Practice” advice on how to monitor a Windows service.
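As an added example (not from the post), the PowerShell below finds the setup this post advises against: unit monitors in your own (unsealed) management packs that are enabled by default and target “Windows Server”. It runs on a management server with the OperationsManager module.

```powershell
# Added example (not from the post): list custom unit monitors that target
# "Windows Server" and are enabled, i.e. that run on every Windows Server instance.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'localhost'

$windowsServer = Get-SCOMClass -DisplayName 'Windows Server'

Get-SCOMMonitor -Target $windowsServer |
    Where-Object {
        $_.XmlTag -eq 'UnitMonitor' -and            # unit monitors only, no rollups
        -not $_.GetManagementPack().Sealed -and     # only your own customizations
        $_.Enabled -ne 'false'                      # enabled for every Windows Server
    } |
    ForEach-Object {
        [pscustomobject]@{
            Monitor        = $_.DisplayName
            ManagementPack = $_.GetManagementPack().DisplayName
            Enabled        = $_.Enabled
            # overrides that narrow the scope (group or specific object), the alternative discussed above
            Overrides      = @(Get-SCOMOverride -Monitor $_).Count
        }
    } | Format-Table -AutoSize
```

Each monitor in the list is a candidate for being re-targeted at a group-scoped class created with the Add Monitoring Wizard as shown in this post.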

*Captain.

More information:

TechNet: Selecting a target & Creating a new target

 

Monitoring a Windows Service with SCOM 2012 R2

ahoy sailor!

Actually this is Part 2 of a SCOM series focusing on monitors and rules. Originally my challenge was to set up a monitor for the Citrix Print Manager Service. A customer of mine has a constellation where this service crashes nearly once a week. I spent so many lines explaining the difference between monitors and rules that I decided to write a second post.

Alright let’s start.

1. Go to Authoring – Management Pack Objects – Monitors

2. Right Click Monitors – Create Monitor – Unit Monitor…


3. In Monitor Type open Windows Services node and choose Basic Service Monitor. Select or create a custom Management Pack.

4. Name the monitor (my recommendation is a unique prefix that is part of every custom rule/monitor/group, followed by Servername-ServiceName) and insert a description.

When selecting the monitor target, do a little brainstorming on where you want to use this monitor. If you will only use it for 2008 R2 servers, select only these machines as the monitor target. If you need the monitor to work on all OS types, select Windows Server like I did.

The parent monitor could be an aggregate rollup monitor, for example, as we learned in the previous post.

I chose Availability because what I actually monitor is the availability of this service, so this fits here. Please uncheck the “Monitor is enabled” checkbox. If you leave it enabled, SCOM will try to monitor the service on every machine in your environment.

5. Next is Service Details. It’s freakin’ important to choose the service and not to type in the service name. So click on “…”, type in the server name and select the service.

6. On Configure Health we work with the default, which is a two-state condition monitor setting.

7. We enable alerting for this monitor, write a custom alert text and click on Create.

8. For testing purposes we set an override for one specific server. So search for the monitor, right-click on it and choose Overrides > Override the Monitor > For a specific object of class: Windows Server xxx Computer. The window that opens shows you all servers on which this service is running. Choose one and click OK. A second window appears where you have to check the override checkbox in the “Enabled” line and set the override value to True.

9. Alright, it’s testing time. Go to Monitoring > Windows Computers, right-click on the “test” server and choose Open > Health Explorer for [testserver]. Close the very annoying Scope…

… and find your newly created monitor under Availability, hopefully in a healthy state.

10. Now stop the service on the server and see if the monitor turns to critical.

 

…ooookay… so what do we need to set up next? A simple recovery task would solve the customer’s need here, so let’s do this.

11. Go back to Authoring > Monitors, look for your monitor in the correct group, right-click on it and choose Properties > Diagnostic and Recovery > Configure recovery tasks > Add > Recovery for critical health state.

12. Select “Run Command”.

13. Type in a recovery name and a description. If you want to follow my recommendation, check “Recalculate monitor state after recovery finishes”. If the recovery is successful, the monitor returns to a healthy state the next time it detects the required information from the destination server(s).

14. I recommend working with the net service commands.

This is it!

Next Part of this series is a best practice recommendation for monitoring a Windows Service.

 

Yo Ho, Yo Ho! A pirate’s life for me.

*Captain

Let’s talk about monitors and rules in SCOM 2012 R2

ahoy sailor!

so today’s challenge is to set up a monitor for the Citrix Print Manager Service. A customer of mine has this “bug” where the service terminates unexpectedly when someone connects to a XenApp server.

So let’s first of all talk about monitors and rules in SCOM 2012 R2. Afterwards I’ll show you how to configure a unit monitor with a basic recovery task.

As far as I understand it, I can tell you this:

When you want to monitor specific occurrences with SCOM you’ve got two options.

On the one hand you’ve got Rules:

Rules collect data from sources like log files, Windows event logs or performance counters. This data gets stored in the Operations Manager database, from where it is replicated to the Data Warehouse (if one exists) and can be used for reporting. So a rule is a kind of stateless monitoring element and does not create alerts about state changes. The result of a rule is always a write action, and a rule does not show up in the Health Explorer.

On the other hand we have Monitors:

Monitors provide real-time state information. So if you want to monitor an object like application components, Windows services, scripts or events, a monitor should be your method of choice. In general we distinguish two kinds: “two-state” and “three-state” monitors. Thus a monitor can be in one of two or three states. So here is the point: a monitor is programmed with the intelligence to determine whether a component is healthy or not and (in the best case) has the appropriate command or script to resolve the incident.

Alright, now let’s have a deeper look at the three monitor types.

Unit monitors

  • “Unit monitors are often described as the “workhorses” of SCOM monitoring and are the most common kind of monitor out there.” A unit monitor is the fundamental monitoring component and is used to monitor events, scripts, services etc. “These unit monitors can be used at an extremely granular level and provide you with a multitude of ways to monitor even the most minor elements of system stability.”

Aggregate rollup monitors

  • An aggregate rollup monitor is a collection of several monitors. Aggregate monitors should be configured to watch similar items, like a group of DNS servers. So here’s how an aggregate rollup monitor works: “Suppose you’re using a dependency rollup monitor to watch eight separate DNS servers. You could create a high level monitor that undergoes a state change only once five of the eight DNS servers become unavailable. In this way (i.e. Only raise alert if 5 of 8 DNS servers are down) you can be alerted on your terms.”

So use an aggregate rollup monitor to group multiple monitors into one.

Dependency rollup monitor

  • The dependency rollup monitor allows the health of one object to directly affect the health of another, completely unrelated object. Let’s take an example regarding a SQL cluster. You would use a dependency rollup monitor to check the databases. But if one database is offline this does not mean that the whole SQL environment is critical, so you could configure the monitor not to notify you. If the master database is not available, the SQL environment is down for sure and the dependency rollup monitor would generate alerts. So this construct offers you a bit more flexibility.

Please note:

In the definitions listed above I’ve tried to make the distinction as clear as possible. Unfortunately it’s not always that clear in practice. Sometimes there are two possible ways to implement a task (like checking whether a certain service is up and running), and it can be solved with both rules and monitors. But the above definitions should give you a good starting point.

Thanks to Scott D. Lowe for his great article “Introduction to System Center Operations Manager 2012 (Part 6) – Monitors”, from which I’ve copied some fantastic descriptions into my post.

If you need more information on monitors and rules, have a look at TechNet!

 

Cheers! And Arghhhhhh! Bring the Rum cask aft.

*Captain

Configuration Manager cannot create the object “SMS-Site-XXX” in Active Directory

Ahoy Sailor,

a few weeks ago I had a case at a customer’s site where the following events showed up in the ConfigMgr site status.

Configuration Manager cannot create the object “cn=SMS-MP-[SiteCode]-[FQDN]” in Active Directory ([DOMAIN]).

Possible cause: The site server’s machine account may not have full control rights for the “System Management” container in Active Directory
Solution: Give the site server’s machine account full control rights to the “System Management” container, and all child objects in Active Directory.

Possible cause: Another Active Directory object named “cn=SMS-MP-[SiteCode]-[FQDN]” already exists somewhere outside of the “System Management” container
Solution: Locate the other object with the same name, and delete the object from its current location.  Then allow the site to create a new object.

Possible cause: The Active Directory schema has not been extended with the correct ConfigMgr Active Directory classes and attributes.
Solution: Turn off Active Directory publishing for each site in the forest, until the schema can be extended.  The schema can be extended with the tool “extadsch.exe” from the installation media.


Configuration Manager cannot create the object “SMS-Site-[SiteCode]” in Active Directory ([Domain]).

Possible cause: The site server’s machine account may not have full control rights for the “System Management” container in Active Directory
Solution: Give the site server’s machine account full control rights to the “System Management” container, and all child objects in Active Directory.

Possible cause: Another Active Directory object named “SMS-Site-[SiteCode]” already exists somewhere outside of the “System Management” container
Solution: Locate the other object with the same name, and delete the object from its current location.  Then allow the site to create a new object.

Possible cause: The Active Directory schema has not been extended with the correct ConfigMgr Active Directory classes and attributes.
Solution: Turn off Active Directory publishing for each site in the forest, until the schema can be extended.  The schema can be extended with the tool “extadsch.exe” from the installation media.

 

The error seemed very obvious to me, so I decided to do the schema extension.

According to TechNet, ExtAdSch.exe is a good way to do this, so I executed extadsch.exe on a domain controller. Unfortunately this did not work the first time…

 

<09-19-2014 17:21:29> Modifying Active Directory Schema – with SMS extensions.
<09-19-2014 17:21:29> DS Root:CN=Schema,CN=Configuration,DC=sys,DC=net
<09-19-2014 17:21:30> Defined attribute cn=MS-SMS-Site-Code.
<09-19-2014 17:21:30> Defined attribute cn=mS-SMS-Assignment-Site-Code.
<09-19-2014 17:21:30> Defined attribute cn=MS-SMS-Site-Boundaries.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-Default-MP.
<09-19-2014 17:21:31> Defined attribute cn=mS-SMS-Device-Management-Point.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-MP-Name.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-MP-Address.
<09-19-2014 17:21:32> Defined attribute cn=mS-SMS-Health-State.
<09-19-2014 17:21:32> Defined attribute cn=mS-SMS-Source-Forest.
<09-19-2014 17:21:32> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<09-19-2014 17:21:32> Defined attribute cn=MS-SMS-Ranged-IP-High.
<09-19-2014 17:21:32> Defined attribute cn=mS-SMS-Version.
<09-19-2014 17:21:33> Defined attribute cn=mS-SMS-Capabilities.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Management-Point.  Error code = 8202.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Server-Locator-Point.  Error code = 8202.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Site.  Error code = 8202.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Roaming-Boundary-Range.  Error code = 8202.
<09-19-2014 17:21:33> Failed to extend the Active Directory schema, please find details in “C:\ExtADSch.log”.

<09-19-2014 17:25:47> Modifying Active Directory Schema – with SMS extensions.
<09-19-2014 17:25:47> DS Root:CN=Schema,CN=Configuration,DC=sys,DC=net
<09-19-2014 17:25:47> Attribute cn=MS-SMS-Site-Code already exists.
<09-19-2014 17:25:47> Attribute cn=mS-SMS-Assignment-Site-Code already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-Site-Boundaries already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-Roaming-Boundaries already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-Default-MP already exists.
<09-19-2014 17:25:48> Attribute cn=mS-SMS-Device-Management-Point already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-MP-Name already exists.
<09-19-2014 17:25:49> Attribute cn=MS-SMS-MP-Address already exists.
<09-19-2014 17:25:49> Attribute cn=mS-SMS-Health-State already exists.
<09-19-2014 17:25:49> Attribute cn=mS-SMS-Source-Forest already exists.
<09-19-2014 17:25:49> Attribute cn=MS-SMS-Ranged-IP-Low already exists.
<09-19-2014 17:25:49> Attribute cn=MS-SMS-Ranged-IP-High already exists.
<09-19-2014 17:25:49> Attribute cn=mS-SMS-Version already exists.
<09-19-2014 17:25:50> Attribute cn=mS-SMS-Capabilities already exists.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Management-Point.  Error code = 8202.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Server-Locator-Point.  Error code = 8202.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Site.  Error code = 8202.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Roaming-Boundary-Range.  Error code = 8202.
<09-19-2014 17:25:50> Failed to extend the Active Directory schema, please find details in “C:\ExtADSch.log”.

 

It turned out that I hadn’t picked the schema master. So I had to figure out which server holds the schema master role. For that I used the following command…

netdom /query fsmo

Executing extadsch.exe on the schema master worked, and everything was fine…

<09-19-2014 17:46:19> Modifying Active Directory Schema – with SMS extensions.
<09-19-2014 17:46:19> DS Root:CN=Schema,CN=Configuration,DC=sys,DC=net
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Site-Code already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Assignment-Site-Code already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Site-Boundaries already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Roaming-Boundaries already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Default-MP already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Device-Management-Point already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-MP-Name already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-MP-Address already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Health-State already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Source-Forest already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Ranged-IP-Low already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Ranged-IP-High already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Version already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Capabilities already exists.
<09-19-2014 17:46:20> Defined class cn=MS-SMS-Management-Point.
<09-19-2014 17:46:21> Defined class cn=MS-SMS-Server-Locator-Point.
<09-19-2014 17:46:21> Defined class cn=MS-SMS-Site.
<09-19-2014 17:46:21> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<09-19-2014 17:46:21> Successfully extended the Active Directory schema.

<09-19-2014 17:46:21> Please refer to the ConfigMgr documentation for instructions on the manual
<09-19-2014 17:46:21> configuration of access rights in active directory which may still
<09-19-2014 17:46:21> need to be performed. (Although the AD schema has now be extended,
<09-19-2014 17:46:21> AD must be configured to allow each ConfigMgr Site security rights to
<09-19-2014 17:46:21> publish in each of their domains.)
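As an added example (not from the post), this PowerShell snippet checks the three prerequisites named in the status messages above and locates the schema master that extadsch.exe has to be run against. The site server account and the site code are placeholders; it needs the ActiveDirectory module.

```powershell
# Added example (not from the post): check the ConfigMgr AD publishing prerequisites
# from the status messages and find the schema master for extadsch.exe.
Import-Module ActiveDirectory

$SiteServer = 'CM01$'   # placeholder: site server computer account (sAMAccountName)
$SiteCode   = 'P01'     # placeholder: site code

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# 1. FSMO: only the schema master accepts schema changes (same answer as "netdom /query fsmo")
$schemaMaster = (Get-ADForest).SchemaMaster

# 2. Schema: the MS-SMS-Site class exists only after extadsch.exe succeeded
$schemaExtended = [bool](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                                      -LDAPFilter '(cn=MS-SMS-Site)')

# 3. System Management container: must exist, and the site server needs Full Control
#    on it and on all child objects
$systemDn    = "CN=System,$($domain.DistinguishedName)"
$containerDn = "CN=System Management,$systemDn"
$container   = Get-ADObject -SearchBase $systemDn -SearchScope OneLevel -LDAPFilter '(cn=System Management)'
$fullControl = $false
if ($container) {
    $acl = Get-Acl -Path "AD:\$containerDn"
    $fullControl = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$SiteServer" -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -eq 'GenericAll' -and    # Full Control
        $_.InheritanceType -eq 'All'                      # "and all child objects"
    })
}

# 4. Name clash: an SMS-Site-<code> object somewhere outside the container
$stray = Get-ADObject -SearchBase $domain.DistinguishedName -LDAPFilter "(cn=SMS-Site-$SiteCode)" |
    Where-Object { $_.DistinguishedName -notlike "*,$containerDn" }

[pscustomobject]@{
    SchemaMaster          = $schemaMaster
    SchemaExtended        = $schemaExtended
    ContainerExists       = [bool]$container
    SiteServerFullControl = $fullControl
    StraySiteObjects      = @($stray).Count
}
```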

 

*Captain

© 2022 IT-Pirate